Re: [dm-crypt] verity setup on active device.

From: Shivaramakrishnan Vaidyanathan <shivaramakrishnan740@gmail.com>
To: Milan Broz <gmazyland@gmail.com>
Cc: dm-crypt@saout.de
Subject: Re: [dm-crypt] verity setup on active device.
Date: Sun, 6 Apr 2014 23:11:58 -0400	[thread overview]
Message-ID: <CAAQucXYUT_5fV3L_xb+LPzNqGvNN7QtCqkTW9DzpUeG=mYdd4A@mail.gmail.com> (raw)
In-Reply-To: <534105C6.3060305@gmail.com>

[-- Attachment #1: Type: text/plain, Size: 2259 bytes --]

I had a question here..So if I sign a image file for a virtual machine
using the command,How do I verify that image file has not changed?
gpg --output web-test.img.sig --sign web-test.img

Executing the above gives me a "web-test.img.sig" file.Whether verifying
this would be sufficient?

gpg --verify web-test.img.sig

gpg: Signature made Sun 06 Apr 2014 09:57:16 PM EDT using RSA key ID
3D3AC480

gpg: Good signature from "shiva (test) <abc.@outlook.com>

Should I boot the image now using the .sig file?Looking forward to your
reply.

On Sun, Apr 6, 2014 at 3:44 AM, Milan Broz <gmazyland@gmail.com> wrote:

> On 04/06/2014 12:11 AM, Shivaramakrishnan Vaidyanathan wrote:
> > I have few questions is this regard.I am ready to perform the offline
> > integrity check.I can have the image files in the nfs-share archived
> > live to another partition that is not mounted.Will I be able to
> > perform the integrity check at the block level in this case?Each time
> > virtual machine boots up,I need to be able to verify if the image was
> > the same as previous boot.> Is this achievable?
> >
> > Will these steps work?
> > 1. Image file (VM1 - Virtual hard disk file mounted in nfs share
> partition).
> > 2.I rsync the directory of nfs-share to another partition.
> > 3.Then whether I will be able to tell whether the virtual image file has
> been altered/changed from the previous boot?
>
> I am not sure if I understand what you are trying to do here but if it
> is file image (full device image shared on nfs) why not use simple gpg
> file signature and verify it before the VM boot?
>
> ...
>
> > Also I dont get the notion "Dm-verity was designed to provide
> verification of (read-only) device (to provide verified boot path), all IOs
> must go through dm-verity."
>
> The dm-verity was designed for ChromeOS for verified boot, IOW it verifies
> blocks on underlying block device on-the-fly (when system reads them
> through
> verity mapped device).
> This means, that the dm-verity must be underlying device for all read
> operations (to allow it stop reads once it detect wrong hash).
>
> I know documentation is terse but at least something is here
> http://code.google.com/p/cryptsetup/wiki/DMVerity (see Theory of
> operation).
>
> Milan
>

[-- Attachment #2: Type: text/html, Size: 3174 bytes --]