NAME
       veritysetup - manage dm-verity (block level verification) volumes

SYNOPSIS
       veritysetup <action> [<options>] <action args>

DESCRIPTION
       Veritysetup is used to configure dm-verity managed device-mapper mappings.

BASIC ACTIONS
       Veritysetup supports these operations:

   FORMAT
       format <data_device> <hash_device>

   OPEN
       open <data_device> <name> <hash_device> <root_hash>

   VERIFY
       verify <data_device> <hash_device> <root_hash>

   CLOSE
       close <name>

   STATUS
       status <name>

   DUMP
       dump <hash_device>

OPTIONS
       --no-superblock
              Create or use dm-verity without a permanent on-disk superblock.

       --format=<number>
              Specifies the hash version type. Format type 0 is the original
              Chrome OS version. Format type 1 is the current version.

       --data-block-size=<bytes>
              Used block size for the data device. (Note: the kernel supports
              only page-size as maximum here.)

       --hash-block-size=<bytes>
              Used block size for the hash device. (Note: the kernel supports
              only page-size as maximum here.)

       --data-blocks=<blocks>
              Size of data device used in verification. If not specified, the
              whole device is used.

       --hash-offset=<bytes>
              Offset of hash area/superblock on hash_device. Value must be
              aligned to disk sector offset.

       --salt=<hex string>
              Salt used for format or verification. Format is a hexadecimal
              string.

       --uuid=<UUID>
              Use the provided UUID for the format command instead of
              generating a new one. The UUID must be provided in standard UUID
              format, e.g. 12345678-1234-1234-1234-123456789abc.

       --ignore-corruption, --restart-on-corruption, --panic-on-corruption
              Defines what to do if a data integrity problem is detected (data
              corruption). Without these options the kernel fails the I/O
              operation with an I/O error. With --ignore-corruption the
              corruption is only logged. With --restart-on-corruption or
              --panic-on-corruption the kernel is restarted (panicked)
              immediately. (You have to provide a way to avoid restart loops.)
              WARNING: Use these options only for very specific cases. These
              options are available since Linux kernel version 4.1.

       --ignore-zero-blocks
              Instruct the kernel to not verify blocks that are expected to
              contain zeroes and always directly return zeroes instead.
              WARNING: Use this option only in very specific cases. This
              option is available since Linux kernel version 4.5.

       --check-at-most-once
              Instruct the kernel to verify blocks only the first time they
              are read from the data device, rather than every time.
              WARNING: It provides a reduced level of security because only
              offline tampering of the data device's content will be
              detected, not online tampering. This option is available since
              Linux kernel version 4.17.

       --hash=<hash>
              Hash algorithm for dm-verity. For the default see the --help
              option.

       --fec-device=<fec_device>
              Use forward error correction (FEC) to recover from corruption
              if hash verification fails. Use encoding data from the
              specified device.

              The fec device argument can be a block device or a file image.
              For format, if the fec device path doesn't exist, it will be
              created as a file.

              Block sizes for data and hash devices must match. Also, if the
              verity data_device is encrypted the fec_device should be too.

              FEC calculation covers data, hash area, and optional foreign
              metadata stored on the same device with the hash tree
              (additional space after the hash area). The size of this
              optional additional area protected by FEC is calculated from
              the image sizes, so you must be sure that you use the same
              images for activation.

              If the hash device is in a separate image, metadata covers the
              whole rest of the image after the hash area.

              If the hash and FEC device are in the same image, metadata ends
              at the FEC area offset.

       --fec-offset=<bytes>
              This is the offset, in bytes, from the start of the FEC device
              to the beginning of the encoding data.

       --fec-roots=<num>
              Number of generator roots. This equals the number of parity
              bytes in the encoding data. In RS(M, N) encoding, the number of
              roots is M-N. M is 255 and M-N is between 2 and 24 (inclusive).

       --root-hash-file=<file>
              Path to a file with the stored root hash in hex-encoded text.

       --root-hash-signature=<file>
              Path to the root hash signature file used to verify the root
              hash (in kernel). This feature requires Linux kernel version
              5.4 or more recent.

       --use-tasklets
              Try to use kernel tasklets in the dm-verity driver for
              performance reasons. This option is available since Linux
              kernel version 6.0.

       --deferred
              Defers device removal in the close command until the last user
              closes it.

       --cancel-deferred
              Removes a previously configured deferred device removal in the
              close command.

       --verbose, -v
              Print more information on command execution.

       --debug
              Run in debug mode with full diagnostic logs. Debug output lines
              are always prefixed by #.

       --version, -V
              Show the program version.

       --batch-mode, -q
              Do not ask for confirmation.

       --usage
              Show short option help.

       --help, -?
              Show help text and default parameters.
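The following is an added example, not code from veritysetup or the cryptsetup project: a pure-Python model of the dm-verity hash tree, so the effect of --format, --salt, --hash, --data-block-size and --hash-block-size can be observed offline, together with the per-read check the kernel performs against a trusted root hash. It assumes the on-disk rules from the DMVerity specification linked below: format type 1 hashes salt followed by block, format type 0 (Chrome OS) hashes block followed by salt, every hash block is zero-padded to the hash block size, and the root hash is the hash of the single top-level hash block. All sizes and data in `demo()` are constructed; real images use 4096-byte blocks.

```python
import hashlib

# Added example (not veritysetup's own code). Assumed per the DMVerity
# on-disk specification:
#   --format=1: H(salt || block)      --format=0: H(block || salt)
#   hash blocks are zero-padded to hash_block_size
#   root hash = H(top hash block), with the same salt rule


def block_hash(block, salt, hash_type=1, algo="sha256"):
    """Hash one data or hash block the way dm-verity does for --format=<hash_type>."""
    h = hashlib.new(algo)
    if hash_type == 1:
        h.update(salt)
        h.update(block)
    elif hash_type == 0:
        h.update(block)
        h.update(salt)
    else:
        raise ValueError("unknown hash type (only 0 and 1 exist)")
    return h.digest()


def build_tree(data, data_block_size=4096, hash_block_size=4096, salt=b"",
               hash_type=1, algo="sha256"):
    """Return (root_hash_hex, levels). levels[0] holds the hashes of the data
    blocks, levels[-1] is the single top hash block (on disk the top level is
    stored first). Data must be a whole number of data blocks, as for format."""
    if not data or len(data) % data_block_size:
        raise ValueError("data size must be a non-zero multiple of data_block_size")
    digest_size = hashlib.new(algo).digest_size
    per_block = hash_block_size // digest_size  # hashes stored per hash block
    if per_block == 0:
        raise ValueError("hash_block_size smaller than one digest")
    hashes = [block_hash(data[i:i + data_block_size], salt, hash_type, algo)
              for i in range(0, len(data), data_block_size)]
    levels = []
    while True:
        # Pack this level's hashes into zero-padded hash blocks.
        blocks = [b"".join(hashes[i:i + per_block]).ljust(hash_block_size, b"\0")
                  for i in range(0, len(hashes), per_block)]
        levels.append(blocks)
        if len(blocks) == 1:
            break
        # The next level up stores the hashes of these hash blocks.
        hashes = [block_hash(b, salt, hash_type, algo) for b in blocks]
    root = block_hash(levels[-1][0], salt, hash_type, algo)
    return root.hex(), levels


def verify_block(block, index, levels, root_hash_hex, hash_block_size=4096,
                 salt=b"", hash_type=1, algo="sha256"):
    """Verify one data block against an untrusted tree and a trusted root hash,
    walking the same leaf-to-root path the kernel checks on every read
    (or only on the first read with --check-at-most-once)."""
    digest_size = hashlib.new(algo).digest_size
    per_block = hash_block_size // digest_size
    expected = block_hash(block, salt, hash_type, algo)
    for level in levels:
        blk_idx, slot = divmod(index, per_block)
        if blk_idx >= len(level):
            return False
        hash_block = level[blk_idx]
        if hash_block[slot * digest_size:(slot + 1) * digest_size] != expected:
            return False  # data block or a lower hash block was tampered with
        expected = block_hash(hash_block, salt, hash_type, algo)
        index = blk_idx
    return expected.hex() == root_hash_hex


def demo():
    """Constructed 5-block image with small block sizes so a 3-level tree appears."""
    dbs, hbs = 512, 64
    salt = bytes.fromhex("0123456789abcdef" * 2)      # constructed --salt value
    data = b"".join(bytes([i]) * dbs for i in range(5))  # constructed data device
    root, levels = build_tree(data, dbs, hbs, salt)
    intact = all(verify_block(data[i * dbs:(i + 1) * dbs], i, levels, root, hbs, salt)
                 for i in range(5))
    tampered = bytearray(data[2 * dbs:3 * dbs])
    tampered[10] ^= 0x01                                # single-bit corruption
    caught = not verify_block(bytes(tampered), 2, levels, root, hbs, salt)
    return root, intact, caught


if __name__ == "__main__":
    root, intact, caught = demo()
    print("root hash:", root, "intact verified:", intact, "corruption caught:", caught)
```

The root hash is the only value that has to be trusted (it is what `open` takes, or what `--root-hash-signature` lets the kernel check); the hash device itself is untrusted and is validated block by block on the way up, which is why a changed salt or format type yields a different root and why the single flipped bit in `demo()` is rejected.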
RETURN CODES
       Veritysetup returns 0 on success and a non-zero value on error.

EXAMPLES
       veritysetup --data-blocks=256 format <data_device> <hash_device>
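As an added example (not part of this manual page or the cryptsetup code base), the following packs and parses the 512-byte superblock that `format` writes at `--hash-offset` on the hash device and that `dump` prints, and that is absent when `--no-superblock` is used. The field layout is assumed from the DMVerity on-disk specification linked below: signature "verity\0\0", version u32, hash_type u32, uuid[16], algorithm[32], data_block_size u32, hash_block_size u32, data_blocks u64, salt_size u16, 6 bytes padding, salt[256], 168 bytes padding, integers little-endian. The hash-device image in `demo()` and its UUID, salt and sizes are constructed values.

```python
import struct
import uuid

# Added example (not veritysetup's own code). Superblock layout assumed per
# the DMVerity on-disk specification; all integers little-endian.
SB_FORMAT = "<8sII16s32sIIQH6s256s168s"
SB_SIZE = struct.calcsize(SB_FORMAT)   # 512 bytes
SB_SIGNATURE = b"verity\0\0"


def pack_superblock(hash_type, uuid_str, algorithm, data_block_size,
                    hash_block_size, data_blocks, salt):
    """Build the superblock 'veritysetup format' would write for these
    --format/--uuid/--hash/--data-block-size/--hash-block-size/--data-blocks/--salt values."""
    if hash_type not in (0, 1):
        raise ValueError("hash_type must be 0 or 1")
    if not 0 < len(salt) <= 256:
        raise ValueError("salt must be 1..256 bytes")
    return struct.pack(
        SB_FORMAT,
        SB_SIGNATURE,
        1,                                  # superblock version
        hash_type,
        uuid.UUID(uuid_str).bytes,          # raw 16-byte UUID
        algorithm.encode().ljust(32, b"\0"),
        data_block_size,
        hash_block_size,
        data_blocks,
        len(salt),
        b"\0" * 6,
        salt.ljust(256, b"\0"),
        b"\0" * 168,
    )


def parse_superblock(image, hash_offset=0):
    """Parse the superblock at hash_offset of a hash-device image, rejecting
    anything a defender should not trust blindly: bad signature, unknown
    version or hash type, oversized salt, or non-power-of-two block sizes."""
    sb = image[hash_offset:hash_offset + SB_SIZE]
    if len(sb) != SB_SIZE:
        raise ValueError("short read at hash offset")
    (sig, version, hash_type, uu, algo, dbs, hbs, blocks,
     salt_size, _pad1, salt, _pad2) = struct.unpack(SB_FORMAT, sb)
    if sig != SB_SIGNATURE:
        raise ValueError("no dm-verity superblock at this offset "
                         "(wrong --hash-offset, or image made with --no-superblock)")
    if version != 1:
        raise ValueError("unsupported superblock version %d" % version)
    if hash_type not in (0, 1):
        raise ValueError("unknown hash type %d" % hash_type)
    if salt_size > 256:
        raise ValueError("salt size exceeds superblock field")
    for bs in (dbs, hbs):
        if bs < 512 or bs & (bs - 1):
            raise ValueError("block size %d is not a power of two >= 512" % bs)
    return {
        "uuid": str(uuid.UUID(bytes=uu)),
        "hash_type": hash_type,
        "algorithm": algo.rstrip(b"\0").decode(),
        "data_block_size": dbs,
        "hash_block_size": hbs,
        "data_blocks": blocks,
        "salt": salt[:salt_size].hex(),
    }


def demo():
    """Constructed hash-device image with the superblock at --hash-offset=512."""
    salt = bytes.fromhex("deadbeef" * 4)          # constructed 16-byte salt
    sb = pack_superblock(1, "12345678-1234-1234-1234-123456789abc", "sha256",
                         4096, 4096, 256, salt)
    image = b"\0" * 512 + sb + b"\0" * 4096        # hash area would follow the superblock
    return parse_superblock(image, hash_offset=512)


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-16s %s" % (key, value))
```

Reading these fields back is what lets `open` omit the block sizes and salt on the command line; with `--no-superblock` every one of them must be supplied explicitly and must match the values used at format time, or verification fails from the first block.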
DM-VERITY ON-DISK SPECIFICATION
       The on-disk format specification is available at the DMVerity
       <https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity> page.

AUTHORS
       The first implementation of veritysetup was written by Chrome OS authors.

REPORTING BUGS
       Report bugs at the cryptsetup mailing list <[email protected]> or in
       the Issues project section
       <https://gitlab.com/cryptsetup/cryptsetup/-/issues/new>.

SEE ALSO
       Cryptsetup FAQ
       <https://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions>

CRYPTSETUP
       Part of cryptsetup project <https://gitlab.com/cryptsetup/cryptsetup/>.

2023-12-18 | veritysetup 2.6.1 |