VERITYSETUP

Section: Maintenance Commands (8)
Updated: March 2017
Page Index

NAME

veritysetup - manage dm-verity (block level verification) volumes

SYNOPSIS

veritysetup <options> <action> <action args>

DESCRIPTION

Veritysetup is used to configure dm-verity managed device-mapper mappings.

Device-mapper verity target provides read-only transparent integrity checking of block devices using kernel crypto API.

The dm-verity devices are always read-only.

Veritysetup supports these operations:

format <data_device> <hash_device>

Calculates and permanently stores hash verification data for data_device. Hash area can be located on the same device after data if specified by --hash-offset option.

Note you need to provide root hash string for device verification or activation. Root hash must be trusted.

The data or hash device argument can be block device or file image. If hash device path doesn't exist, it will be created as file.

<options> can be [--hash, --no-superblock, --format, --data-block-size, --hash-block-size, --data-blocks, --hash-offset, --salt, --uuid]

create <name> <data_device> <hash_device> <root_hash>

Creates a mapping with <name> backed by device <data_device> and using <hash_device> for in-kernel verification.

The <root_hash> is a hexadecimal string.

<options> can be [--hash-offset, --no-superblock, --ignore-corruption or --restart-on-corruption, --ignore-zero-blocks]

If option --no-superblock is used, you have to use as the same options as in initial format operation.

verify <data_device> <hash_device> <root_hash>

Verifies data on data_device with use of hash blocks stored on hash_device.

This command performs userspace verification, no kernel device is created.

The <root_hash> is a hexadecimal string.

<options> can be [--hash-offset, --no-superblock]

If option --no-superblock is used, you have to use as the same options as in initial format operation.

remove <name>

: Removes existing mapping <name>.

status <name>

: Reports status for the active verity mapping <name>.

dump <hash_device>

: Reports parameters of verity device from on-disk stored superblock.
<options> can be [--no-superblock]

OPTIONS

--verbose, -v

Print more information on command execution.

--debug

Run in debug mode with full diagnostic logs. Debug output lines are always prefixed by '#'.

--no-superblock

Create or use dm-verity without permanent on-disk superblock.

--format=number

Specifies the hash version type. Format type 0 is original Chrome OS version. Format type 1 is current version.

--data-block-size=bytes

Used block size for the data device. (Note kernel supports only page-size as maximum here.)

--hash-block-size=bytes

Used block size for the hash device. (Note kernel supports only page-size as maximum here.)

--data-blocks=blocks

Size of data device used in verification. If not specified, the whole device is used.

--hash-offset=bytes

Offset of hash area/superblock on hash_device. Value must be aligned to disk sector offset.

--salt=hex string

Salt used for format or verification. Format is a hexadecimal string.

--uuid=UUID

Use the provided UUID for format command instead of generating new one.

The UUID must be provided in standard UUID format, e.g. 12345678-1234-1234-1234-123456789abc.

--ignore-corruption, --restart-on-corruption

Defines what to do if data integrity problem is detected (data corruption).

Without these options kernel fails the IO operation with I/O error. With --ignore-corruption option the corruption is only logged. With --restart-on-corruption the kernel is restarted immediatelly. (You have to provide way how to avoid restart loops.)

WARNING: Use these options only for very specific cases. These options are available since Linux kernel version 4.1.

--ignore-zero-blocks

Instruct kernel to not verify blocks that are expected to contain zeroes and always directly return zeroes instead.

WARNING: Use this option only in very specific cases. This option is available since Linux kernel version 4.5.

--hash=hash

Hash algorithm for dm-verity. For default see --help option.

--version

Show the program version.

RETURN CODES

Veritysetup returns 0 on success and a non-zero value on error.

Error codes are:
    1 wrong parameters
    2 no permission
    3 out of memory
    4 wrong device specified
    5 device already exists or device is busy.

EXAMPLES

veritysetup --data-blocks=256 format <data_device> <hash_device>

Calculates and stores verification data on hash_device for the first 256 blocks (of block-size). If hash_device does not exist, it is created (as file image).

veritysetup format <data_device> <hash_device>

Calculates and stores verification data on hash_device for the whole data_device.

veritysetup --data-blocks=256 --hash-offset=1052672 format <device> <device>

Verification data (hashes) is stored on the same device as data (starting at hash-offset). Hash-offset must be greater than number of blocks in data-area.

veritysetup --data-blocks=256 --hash-offset=1052672 create test-device <device> <device> <root_hash>

Acivatees the verity device named test-device. Options --data-blocks and --hash-offset are the same as in the format command. The <root_hash> was calculated in format command.

veritysetup --data-blocks=256 --hash-offset=1052672 verify <data_device> <hash_device> <root_hash>

Verifies device without activation (in userspace).

REPORTING BUGS

Report bugs, including ones in the documentation, on the cryptsetup mailing list at <dm-crypt@saout.de> or in the 'Issues' section on LUKS website. Please attach the output of the failed command with the --debug option added.

AUTHORS

The first implementation of veritysetup was written by Chrome OS authors.

This version is based on verification code written by Mikulas Patocka <mpatocka@redhat.com> and rewritten for libcryptsetup by Milan Broz <gmazyland@gmail.com>.

COPYRIGHT

This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.