Lines Matching +full:on +full:- +full:device
2 dm-verity
5 Device-Mapper's "verity" target provides transparent integrity checking of
7 This target is read-only.
21 This is the type of the on-disk hash format.
32 This is the device containing data, the integrity of which needs to be
33 checked. It may be specified as a path, like /dev/sdaX, or a device number,
37 This is the device that supplies the hash tree data. It may be
38 specified similarly to the device path and may be the same device. If the
39 same device is used, the hash_start should be outside the configured
40 dm-verity device.
43 The block size on a data device in bytes.
44 Each block corresponds to one digest on the hash device.
50 The number of data blocks on the data device. Additional blocks are
55 This is the offset, in <hash_block_size>-blocks, from the start of hash_dev
59 The cryptographic hash algorithm used for this device. This should
87 Panic the device when a corrupted block is discovered. This option is
97 verification fails. Use encoding data from the specified device. This
98 may be the same device where data and hash blocks reside, in which case
102 on the hash device after the hash blocks.
110 is M-N.
113 The number of encoding data blocks on the FEC device. The block size for
114 the FEC device is <data_block_size>.
118 FEC device to the beginning of the encoding data.
121 Verify data blocks only the first time they are read from the data device,
122 rather than every time. This reduces the overhead of dm-verity so that it
123 can be used on systems that are memory and/or CPU constrained. However, it
125 data device's content will be detected, not online tampering.
127 Hash blocks are still verified each time they are read from the hash device,
135 the root hash during the creation of the device mapper block device.
136 Verification of roothash depends on the config DM_VERITY_VERIFY_ROOTHASH_SIG
142 dm-verity is meant to be set up as part of a verified boot path. This
144 booting from a known-good device (like a USB drive or CD).
146 When a dm-verity device is configured, it is expected that the caller
148 After instantiation, all hashes will be verified on-demand during
151 tampering with any data on the device and the hash data.
153 Cryptographic hashes are used to assert the integrity of the device on a
154 per-block basis. This allows for a lightweight hash computation on first read
164 ---------
167 of some data block on disk is calculated. If it is an intermediary node,
171 block. The number is determined based on block_size and the size of the
172 selected cryptographic digest algorithm. The hashes are linearly-ordered in
191 On-disk format
194 The verity kernel code does not read the verity metadata on-disk header.
196 It is expected that a user-space tool will verify the integrity of the
200 be passed via the kernel command-line in a rooted chain of trust where
201 the command-line is verified.
207 The full specification of kernel parameters and on-disk metadata format
219 Set up a device::
221 # dmsetup create vroot --readonly --table \
227 the hash tree or activate the kernel device. This is available from
231 Create hash on the device::
237 Activate the device::