veritysetup


SYNOPSIS
       veritysetup <options> <action> <action args>

DESCRIPTION
       Veritysetup is used to configure dm-verity managed device-mapper
       mappings.

       Device-mapper verity target provides  read-only  transparent  integrity
       checking of block devices using kernel crypto API.

       The dm-verity devices are always read-only.

       Veritysetup supports these operations:

       format <data_device> <hash_device>

              Calculates  and  permanently  stores  hash verification data for
              data_device.  Hash area can be located on the same device  after
              data if specified by --hash-offset option.

              Note that you need to provide the root hash string for device
              verification or activation. The root hash must be trusted.

              The data or hash device argument can be a block device or a
              file image.  If the hash device path doesn't exist, it will be
              created as a file.

              <options> can be [--hash, --no-superblock, --format,
              --data-block-size, --hash-block-size, --data-blocks,
              --hash-offset, --salt, --uuid]

       create <name> <data_device> <hash_device> <root_hash>

              Creates a mapping with <name> backed by device <data_device> and
              using <hash_device> for in-kernel verification.

              The <root_hash> is a hexadecimal string.

              <options> can be [--hash-offset, --no-superblock]

              If option --no-superblock is used, you have to use the same
              options as in the initial format operation.

       verify <data_device> <hash_device> <root_hash>

              Verifies data on data_device with use of hash blocks  stored  on
              hash_device.

              This  command  performs userspace verification, no kernel device
              is created.

              The <root_hash> is a hexadecimal string.


       dump <hash_device>

              Reports   parameters   of  verity  device  from  on-disk  stored
              superblock.

              <options> can be [--no-superblock]
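
       The format and verify operations above, chained on file images so
       that no root access or kernel mapping is needed. This is an added
       example, not part of the original manual page; the image names and
       sizes and the "Root hash:" line layout of the format output are
       assumptions of the example.

```shell
#!/bin/sh
# Added example: format -> verify -> modify data -> verify again.
# All paths and sizes below are constructed for the demonstration.

# Read `veritysetup format` output on stdin and print the root hash.
# Fails if the "Root hash:" line is missing or is not a hex string.
root_hash_from() {
    rh=$(sed -n 's/^Root hash:[[:space:]]*//p' | tr -d '[:space:]')
    case "$rh" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    printf '%s\n' "$rh"
}

# Returns 0 when the clean image verifies and the modified image is rejected.
verity_demo() {
    command -v veritysetup >/dev/null 2>&1 || { echo "veritysetup not found" >&2; return 2; }
    dir=$(mktemp -d) || return 2
    data="$dir/data.img"; hash="$dir/hash.img"
    # 1 MiB data image: 256 blocks of 4096 bytes.
    dd if=/dev/urandom of="$data" bs=4096 count=256 2>/dev/null
    # format creates $hash as a file and prints the root hash,
    # which is the only value that has to be kept in a trusted place.
    root=$(veritysetup format "$data" "$hash" | root_hash_from) || { rm -rf "$dir"; return 2; }
    echo "root hash: $root"
    rc=0
    # Userspace verification of the untouched image must pass.
    veritysetup verify "$data" "$hash" "$root" >/dev/null 2>&1 || rc=1
    # Overwrite data block 10 with zeros; the hash device is left as it was.
    dd if=/dev/zero of="$data" bs=4096 seek=10 count=1 conv=notrunc 2>/dev/null
    # The same root hash must now reject the image.
    if veritysetup verify "$data" "$hash" "$root" >/dev/null 2>&1; then rc=1; fi
    rm -rf "$dir"
    return "$rc"
}

# Run the demonstration only when asked to: sh verity-demo.sh demo
if [ "${1:-}" = "demo" ]; then verity_demo; fi
```

       The create operation takes the same three arguments plus a mapping
       name and performs the same check in the kernel on each read.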

OPTIONS
       --verbose, -v
              Print more information on command execution.

       --debug
              Run in debug mode with full diagnostic logs. Debug output  lines
              are always prefixed by '#'.

       --no-superblock
              Create or use dm-verity without permanent on-disk superblock.

       --format=number
              Specifies the hash version type.  Format type 0 is the original
              Chrome OS version. Format type 1 is the current version.

       --data-block-size=bytes
              Used block size for the data device.  (Note kernel supports only
              page-size as maximum here.)

       --hash-block-size=bytes
              Used block size for the hash device.  (Note kernel supports only
              page-size as maximum here.)

       --data-blocks=blocks
              Size of data device used in verification.  If not specified, the
              whole device is used.

       --hash-offset=bytes
              Offset  of  hash  area/superblock on hash_device.  Value must be
              aligned to disk sector offset.

       --salt=hex string
              Salt used for format or verification.  Format is  a  hexadecimal
              string.

       --uuid=UUID
              Use  the  provided UUID for format command instead of generating
              new one.

              The  UUID  must  be  provided  in  standard  UUID  format,  e.g.
              12345678-1234-1234-1234-123456789abc.

       --version
              Show the program version.

AUTHORS
       The  first  implementation  of  veritysetup  was  written  by Chrome OS
       authors.

       This version is based on verification code written by  Mikulas  Patocka
       <mpatocka@redhat.com>  and  rewritten  for  libcryptsetup by Milan Broz
       <gmazyland@gmail.com>.

COPYRIGHT
       Copyright (C) 2012 Red Hat, Inc.

       This is free software; see the source for copying conditions.  There is
       NO  warranty;  not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR
       PURPOSE.

SEE ALSO
       The project website at http://code.google.com/p/cryptsetup/

       The    verity    on-disk    format    specification    available     at
       http://code.google.com/p/cryptsetup/wiki/DMVerity



veritysetup                        June 2012                    VERITYSETUP(8)