Also, http://lwn.net/Articles/533558/ says that "The key advantage over dm-verity is that the target supports read-write and requires less hash calculation operations. Device-mapper "integrity" target provides transparent cryptographic integrity protection of underlying read-write block device using hash-based message authentication codes (HMACs), which can be stored on the same or different block device."

I don't understand or get the main purpose of this tool. Could you please explain in a bit more elaborate way?

Thanks

On Sat, Apr 5, 2014 at 6:11 PM, Shivaramakrishnan Vaidyanathan <shivaramakrishnan740@gmail.com> wrote:

> Thanks Milan for your reply.
> I have a few questions in this regard. I am ready to perform the offline
> integrity check. I can have the image files in the nfs-share archived live
> to another partition that is not mounted. Will I be able to perform the
> integrity check at the block level in this case? Each time the virtual machine
> boots up, I need to be able to verify if the image was the same as the previous
> boot.
> Is this achievable?
>
> Will these steps work?
> 1. Image file (VM1 - Virtual hard disk file mounted in nfs share
> partition).
> 2. I rsync the directory of nfs-share to another partition.
> 3. Then whether I will be able to tell whether the virtual image file has
> been altered/changed from the previous boot?
>
> Can you please provide some details in regard to the implementations
> required in this case?
>
> If you know any other alternatives, it would be great if you could share
> them. Also I don't get the notion "Dm-verity was designed to provide verification
> of (read-only) device (to provide verified boot path), all IOs must go
> through dm-verity."
>
> So what does this mean?
>
>
> On Sat, Apr 5, 2014 at 2:39 PM, Milan Broz wrote:
>
>> On 04/04/2014 11:34 PM, Shiva wrote:
>> ...
>> > 5.Used the root hash in this command.
>> > veritysetup --debug create nfs /dev/sdb /dev/sdc "root hash"
>> >
>> > Everything works well.
>> > My problem is I am not able to perform step5 for a mounted partition.
>> >
>> > I require a mounted partition since nfs-share will use this partition.
>> > (For addition and deletion)
>> >
>> > Is there a command switch that needs to be performed in order to
>> > achieve this?
>>
>> I am afraid this is not possible. Dm-verity was designed to provide
>> verification of (read-only) device (to provide verified boot path),
>> all IOs must go through dm-verity.
>> (So it must be in the stack from the beginning).
>>
>> You cannot just add it later or run it parallel with mounted partition.
>> And how this can work if some data are already in page/fs cache?
>>
>> Milan
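
Added example, not part of the original thread and not dm-verity or dm-integrity code: a file-level sketch of the offline check asked about above, keeping one HMAC per block of an image copy (the idea in the LWN quote) and reporting which blocks differ from the previous baseline. The 4096-byte block size, the key and the `vm1.img` file name are assumptions made for the sketch.

```python
import hashlib
import hmac
import os
import tempfile

BLOCK_SIZE = 4096  # assumed block size for this sketch


def block_macs(path, key, block_size=BLOCK_SIZE):
    """Return one HMAC-SHA256 tag per block of the file at path."""
    tags = []
    with open(path, "rb") as f:
        index = 0
        while True:
            block = f.read(block_size)
            if not block:
                break
            # Bind the block index into the tag so two blocks cannot be
            # swapped without the change being noticed.
            msg = index.to_bytes(8, "big") + block
            tags.append(hmac.new(key, msg, hashlib.sha256).digest())
            index += 1
    return tags


def changed_blocks(old_tags, new_tags):
    """Indices whose tags differ, plus any blocks added or removed."""
    common = min(len(old_tags), len(new_tags))
    diff = [i for i in range(common)
            if not hmac.compare_digest(old_tags[i], new_tags[i])]
    diff.extend(range(common, max(len(old_tags), len(new_tags))))
    return diff


def demo():
    """Baseline a constructed 4-block image, alter block 2, re-check."""
    key = b"constructed-demo-key"  # constructed; not a real secret
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "vm1.img")  # hypothetical image name
        with open(image, "wb") as f:
            f.write(b"A" * BLOCK_SIZE * 4)
        baseline = block_macs(image, key)  # tags from the "previous boot"
        with open(image, "r+b") as f:  # simulate a change between boots
            f.seek(2 * BLOCK_SIZE + 10)
            f.write(b"B")
        return changed_blocks(baseline, block_macs(image, key))


if __name__ == "__main__":
    print("changed blocks:", demo())
```

The tags only mean something if the copy is not being written while it is read, and if the key and the saved baseline are kept somewhere the NFS share cannot modify.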