[dm-devel] DM-Verity Tool
p***@globaledgesoft.com
2013-05-21 15:11:49 UTC
Hello Mandeep,

I was trying to download the source code to generate the hash from the
following location. But looks like this is moved. Pls share the latest git
hub location of the source.
http://git.chromium.org/cgi-bin/gitweb.cgi?p=dm-verity.git;a=tree


Regards,
Pavan
Marian Csontos
2013-05-22 11:07:28 UTC
Post by p***@globaledgesoft.com
Hello Mandeep,
I was trying to download the source code to generate the hash from the
following location. But looks like this is moved. Pls share the latest git
hub location of the source.
http://git.chromium.org/cgi-bin/gitweb.cgi?p=dm-verity.git;a=tree
Hi Pavan, dm-verity is in upstream kernel tree now:

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/md/dm-verity.c

-- Marian

/* Wow! Kudos to Mikulas, the source looks rather neatly! I should print
it and hang over my bed to get enlightened... */
Post by p***@globaledgesoft.com
Regards,
Pavan
--
dm-devel mailing list
https://www.redhat.com/mailman/listinfo/dm-devel
Milan Broz
2013-05-22 16:46:36 UTC
Post by Marian Csontos
Post by p***@globaledgesoft.com
Hello Mandeep,
I was trying to download the source code to generate the hash from the
following location. But looks like this is moved. Pls share the latest git
hub location of the source.
http://git.chromium.org/cgi-bin/gitweb.cgi?p=dm-verity.git;a=tree
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/md/dm-verity.c
I think the question was about the tool to generate the hash,
not the target itself.

In any case, dm-verity is in kernel and veritysetup tool is part of upstream
cryptsetup package.

Documentation to kernel dm-verity
http://code.google.com/p/cryptsetup/wiki/DMVerity

And some release notes info about veritysetup (see man page as well)
http://code.google.com/p/cryptsetup/wiki/Cryptsetup150

Milan
p***@globaledgesoft.com
2013-05-23 06:41:15 UTC
Hi Milan,

Thanks for the reply.
Post by Milan Broz
I think the question was about tool to generate hash,
not the target itself.
As mentioned by you, I was looking for a tool which generates the root
hash (digest) which can be used as a parameter to dmsetup tool. I used
sha256sum tool to generate the hash but dmsetup is not accepting this
hash.

Thanks to Mikulas for providing the link to veritysetup using which I
could configure verity target. But still I have some doubts regarding
dmsetup & veritysetup

1. What is the difference between configuring a verity target using
dmsetup & veritysetup? Can these be used interchangeably?

2. I tried passing the root hash value generated by veritysetup as a
parameter to dmsetup but this doesn't work. On doing dmsetup status, the
output is showing as the target corrupted (C). I examined dmesg & found
the following error

[22885.758996] device-mapper: verity: metadata block 62 is corrupted
[22885.759001] Buffer I/O error on device dm-1, logical block 1

3. After creating a verity target using "veritysetup" how to test the
target for corrupted case (As soon as creating the status is Verified (V))?

Thanks in advance
Pavan
Milan Broz
2013-05-23 20:47:40 UTC
Post by p***@globaledgesoft.com
1. What is the difference between configuring a verity target using
dmsetup & veritysetup? Can these be used interchangeably?
dmsetup is just a low-level tool, you need to know all table parameters
while veritysetup will prepare the table for you using high-level commands
and on-disk metadata (if present).
Post by p***@globaledgesoft.com
2. I tried passing the root hash value generated by veritysetup as a
parameter to dmsetup but this doesn't work. On doing dmsetup status, the
output is showing as the target corrupted (C). I examined dmesg & found
the following error
Be sure you are using proper parameters, metadata version etc.

Try to activate the device with veritysetup, then run "dmsetup table" and
check what is different in your dmsetup line.
Post by p***@globaledgesoft.com
3. After creating a verity target using "veritysetup" how to test the
target for corrupted case (As soon as creating the status is Verified (V))
By corrupting the image? :) See tests/verity-compat-test in cryptsetup
tree, it is a basic regression test which simulates both data and hash
corruption (it just dd's random data to a known offset and expects failure.)

Milan
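One way to do the comparison suggested above, as an added example that is not part of the original thread or of cryptsetup: it splits two verity table lines into the kernel's documented fields and reports the ones that differ. The two sample lines, the device name `vroot` and the digest and salt values are constructed placeholders.

```python
FIELDS = ("start", "length", "target", "version", "data_dev", "hash_dev",
          "data_block_size", "hash_block_size", "num_data_blocks",
          "hash_start_block", "algorithm", "root_digest", "salt")
# dmsetup prints devices as major:minor, so a /dev path never compares equal.
DEVICE_FIELDS = {"data_dev", "hash_dev"}

def parse_verity_table(line):
    """Split one 'dmsetup table' line for a verity target into named fields."""
    tokens = line.split()
    if tokens and tokens[0].endswith(":"):   # "name:" prefix of a multi-device listing
        tokens = tokens[1:]
    if len(tokens) < len(FIELDS) or tokens[2] != "verity":
        raise ValueError("not a verity table line: %r" % line)
    table = dict(zip(FIELDS, tokens))
    table["optional"] = tokens[len(FIELDS):]  # trailing optional arguments, if any
    return table

def geometry_problems(table):
    """Consistency checks that need no access to the devices."""
    problems = []
    covered = int(table["num_data_blocks"]) * int(table["data_block_size"]) // 512
    if int(table["length"]) > covered:
        problems.append("length %s sectors exceeds the %d sectors the hash tree covers"
                        % (table["length"], covered))
    if table["version"] not in ("0", "1"):
        problems.append("unknown hash format version %s" % table["version"])
    return problems

def diff_tables(reference, candidate):
    """Return {field: (reference_value, candidate_value)} for every mismatch."""
    ref, cand = parse_verity_table(reference), parse_verity_table(candidate)
    return {f: (ref[f], cand[f]) for f in FIELDS
            if f not in DEVICE_FIELDS and ref[f] != cand[f]}

# Constructed samples (placeholder digest and salt, 8 MiB data device).
SAMPLE_DIGEST = "ab" * 32
SAMPLE_SALT = "cd" * 16
# As printed by "dmsetup table" after activation with veritysetup: the on-disk
# superblock occupies the first hash block, so the tree starts at block 1.
FROM_VERITYSETUP = ("vroot: 0 16384 verity 1 7:0 7:1 4096 4096 2048 1 sha256 %s %s"
                    % (SAMPLE_DIGEST, SAMPLE_SALT))
# A hand-written line with the wrong format version and hash start block.
HAND_WRITTEN = ("0 16384 verity 0 /dev/loop0 /dev/loop1 4096 4096 2048 0 sha256 %s %s"
                % (SAMPLE_DIGEST, SAMPLE_SALT))

if __name__ == "__main__":
    for field, (want, got) in diff_tables(FROM_VERITYSETUP, HAND_WRITTEN).items():
        print("%-16s veritysetup=%s hand-written=%s" % (field, want, got))
```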
p***@globaledgesoft.com
2013-05-24 16:10:18 UTC
Hi All,

Thanks a lot for your support. Now I am able to configure verity target
using both veritysetup & dmsetup.

Regards,
Pavan
p***@globaledgesoft.com
2013-05-27 15:52:59 UTC
Hello Milan,
Post by Milan Broz
By corrupting the image? :) See tests/verity-compat-test in cryptsetup
tree, it is a basic regression test which simulates both data and hash
corruption (it just dd's random data to a known offset and expects failure.)
In tests/verity-compat-test, in the following line
"check_root_hash 512
9de18652fe74edfb9b805aaed72ae2aa48f94333f1ba5c452ac33b1c39325174 $SALT 1
sha256 8388608"

How's the last parameter (hash_offset) calculated? It's hard-coded
here (8388608).

Regards,
Pavan
p***@globaledgesoft.com
2013-05-30 16:28:35 UTC
Hi All,
Thanks for your answers to previous questions. I have some more doubts
regarding DM-Verity; please clarify them.


1. When dm-verity validation fails, do we lose access to the file? And how
about accessing the rest of the filesystem?

2. Is there any recovery mechanism for a validation failure?

3. How do we update a DM-Verity filesystem? Can it be done on a file basis?
I believe that dm-verity works on the blocks & not on the file system, is
that true?

4. Can we use dm-verity for any filesystem (say UBIFS)? Is there any
restriction on filesystem?

5. How to update DM-Verity device without removing device mapping. I tried
mounting the dm-verity target but it fails



Thanks in advance,
Pavan Kumar P
Mikulas Patocka
2013-05-31 12:31:50 UTC
Post by p***@globaledgesoft.com
Hi All,
Thanks for your answers to previous questions. I have some more doubts
regarding DM-Verity please clarify it.
1. When dm-verity validation fails, do we lose access to the file? And how
about accessing the rest of the filesystem?
You lose access to the affected files, but the rest of the filesystem is
still accessible.
Post by p***@globaledgesoft.com
2. Is there any recovery mechanism for a validation failure?
No.
Post by p***@globaledgesoft.com
3. How do we update a DM-Verity filesystem? Can it be done on a file basis?
I believe that dm-verity works on the blocks & not on the file system, is
that true?
You don't update it. You create the filesystems, then calculate dm-verity
checksums and then mount it read only.

Yes, dm-verity works on blocks.
Post by p***@globaledgesoft.com
4. Can we use dm-verity for any filesystem (say UBIFS)? Is there any
restriction on filesystem?
You can use it for any filesystem.
Post by p***@globaledgesoft.com
5. How to update DM-Verity device without removing device mapping. I tried
mounting the dm-verity target but it fails
You can't update it.

If you want to update it, you need to unmount the filesystem, unload the
dm-verity target, mount the underlying device read-write, make changes,
unmount it, recreate checksums with veritysetup, load the dm-verity target
and mount it read only.
Post by p***@globaledgesoft.com
Thanks in advance,
Pavan Kumar P
Mikulas
p***@globaledgesoft.com
2013-05-31 16:15:39 UTC
Hi Mikulas,

Thanks for the reply.

Pavan>> 5. How to update DM-Verity device without removing device mapping.
I tried mounting the dm-verity target but it fails
Mikulas>
Mikulas> You can't update it.
Mikulas>
Mikulas> If you want to update it, you need to unmount the filesystem,
unload the dm-verity target, mount the underlying device read-write, make
changes, unmount it, recreate checksums with veritysetup, load the
dm-verity target and mount it read only.

If the filesystem is mounted as read-only, how can the filesystem be
modified or corrupted (without removing mapping)? How can we test the
dm-verity functionality?

Thanks,
Pavan
Will Drewry
2013-06-03 12:39:16 UTC
Post by p***@globaledgesoft.com
Hi Mikulas,
Thanks for the reply.
Pavan>> 5. How to update DM-Verity device without removing device mapping.
I tried mounting the dm-verity target but it fails
Mikulas>
Mikulas> You can't update it.
Mikulas>
Mikulas> If you want to update it, you need to unmount the filesystem,
unload the dm-verity target, mount the underlying device read-write, make
changes, unmount it, recreate checksums with veritysetup, load the
dm-verity target and mount it read only.
If the filesystem is mounted as read-only, how can the filesystem be
modified or corrupted (without removing mapping)? How can we test the
dm-verity functionality?
I believe Milan already pointed out a test example, but the very
easiest way to do it is to dd data over part of the underlying block
device, then dd it out via the dm-verity device. If the system has
already read it, you'll need to drop_caches first. Something like:

dd if=/dev/zero of=/dev/sdb3 bs=1 count=1 seek=4097 # write somewhere that was non-zero
echo 3 > /proc/sys/vm/drop_caches
dd if=/dev/dm-0 of=/dev/null bs=1 count=1 skip=4097 #read, get EIO

hth,
will
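Why that read fails, and why a plain sha256sum of the device (tried earlier in the thread) is not a usable root hash, shown as an added example that is not part of the original thread or of cryptsetup: a minimal in-memory model of the salted per-block hash tree, assuming 4096-byte blocks, SHA-256 and hash format version 1. The image and salt are constructed, and the on-disk hash layout and superblock are not reproduced.

```python
import hashlib

BLOCK = 4096                   # data and hash block size, in bytes
DIGEST = 32                    # SHA-256 digest length
PER_BLOCK = BLOCK // DIGEST    # 128 digests fit in one hash block

def salted(salt, block):
    # Hash format version 1 feeds the salt first, then the block.
    return hashlib.sha256(salt + block).digest()

def split(buf):
    return [buf[i:i + BLOCK] for i in range(0, len(buf), BLOCK)]

def build_tree(data, salt):
    """Return (root_hash, levels); levels[0] holds the digests of the data blocks."""
    if len(data) % BLOCK or len(data) <= BLOCK:
        raise ValueError("need at least two whole blocks")
    levels, cur = [], split(data)
    while True:
        digests = b"".join(salted(salt, b) for b in cur)
        digests += b"\0" * (-len(digests) % BLOCK)   # zero-pad the last hash block
        cur = split(digests)
        levels.append(cur)
        if len(cur) == 1:                            # one block left: its hash is the root
            return salted(salt, cur[0]), levels

def verify_block(device, n, root, levels, salt):
    """Check data block n against the tree, then the tree against the trusted root."""
    node, idx = device[n * BLOCK:(n + 1) * BLOCK], n
    for level in levels:
        parent = level[idx // PER_BLOCK]
        off = (idx % PER_BLOCK) * DIGEST
        if salted(salt, node) != parent[off:off + DIGEST]:
            return False                             # the kernel fails this read with EIO
        node, idx = parent, idx // PER_BLOCK
    return salted(salt, node) == root

def flat_sha256(data):
    return hashlib.sha256(data).digest()             # what sha256sum computes

def corrupt(device, offset):
    buf = bytearray(device)
    buf[offset] = 0                                  # like dd from /dev/zero, bs=1 count=1
    return bytes(buf)

# Constructed sample: 200 non-zero data blocks (two tree levels) and a made-up salt.
IMAGE = b"".join(bytes([i % 251 + 1]) * BLOCK for i in range(200))
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

if __name__ == "__main__":
    root, levels = build_tree(IMAGE, SALT)
    bad = corrupt(IMAGE, 4097)
    print("root hash :", root.hex())
    print("sha256sum :", flat_sha256(IMAGE).hex())
    print("block 1 verifies:", verify_block(bad, 1, root, levels, SALT))
    print("block 0 verifies:", verify_block(bad, 0, root, levels, SALT))
```

Only the block containing byte 4097 fails; every other block still verifies against the same root, which matches the answer above that the rest of the filesystem stays accessible.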
p***@globaledgesoft.com
2013-05-22 16:00:03 UTC
Thanks Marian & Mikulas,

I'm able to download & compile veritysetup. Also able to configure verity
target.

I have few queries with respect to dmsetup & veritysetup
1. What is the difference between configuring a verity target using
dmsetup & veritysetup? Can these be used interchangeably?

2. I tried passing the root hash value generated by veritysetup as a
parameter to dmsetup but this doesn't work. On doing dmsetup status, the
output is showing as the target corrupted (C). I examined dmesg & found
the following error

[22885.758996] device-mapper: verity: metadata block 62 is corrupted
[22885.759001] Buffer I/O error on device dm-1, logical block 1

3. After creating a verity target using "veritysetup" how to test the
target for corrupted case (As soon as creating the status is Verified (V))?

Regards,
Pavan