* [dm-crypt] veritysetup usage question
@ 2020-11-26 11:32 Jan Pohanka
From: Jan Pohanka @ 2020-11-26 11:32 UTC
  To: dm-crypt

Hello,

I'd like to use dm-verity as a part of a verified boot process on my
embedded device but I'm afraid that I still do not understand it well.

I'm able to create hash verification data for a squashfs partition,
verify it and mount it:

veritysetup format rootfs.squashfs rootfs.hash
cat rootfs.squashfs rootfs.hash > srootfs.squashfs
ubiblock -c /dev/ubi0_2
ubiupdatevol /dev/ubi0_2 srootfs.squashfs
veritysetup --hash-offset=17719296 verify /dev/ubiblock0_2 /dev/ubiblock0_2 ROOT_HASH
veritysetup --hash-offset=17719296 create srootfs /dev/ubiblock0_2 /dev/ubiblock0_2 ROOT_HASH
mount -t squashfs -r /dev/mapper/srootfs /mnt

Now I can use the above verification and mount in my initramfs and it
needs the ROOT_HASH to be stored inside my bootimage. That's not a
problem but I'm thinking about future updates.
I would need to change the bootimage with a correct ROOT_HASH each
time when I update the rootfs image and it obviously is not a thing
that one wants to do.

Is there any other way to solve it using dm-verity and cryptsetup?
Otherwise it is probably easier to use any hash of my squashfs image,
sign it using openssl and verify with a stable public key from the
bootimage on the device, isn't it?

best regards
Jan
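
The following is an added example, not part of the original message: it applies the openssl idea from the last paragraph to the dm-verity root hash itself, so the boot image only has to carry a stable public key. The function names, file names, throwaway key pair and sample root hash are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original message). Key names, file names and
# the sample root hash are constructed for the demonstration.

# Build host: sign the root hash printed by "veritysetup format".
sign_root_hash() {    # <private key> <root hash file> <signature out>
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# initramfs: print the root hash only if its signature verifies against
# the public key stored in the boot image; fail closed otherwise.
trusted_root_hash() { # <public key> <root hash file> <signature>
    openssl dgst -sha256 -verify "$1" -signature "$3" "$2" \
        >/dev/null 2>&1 || return 1
    rh=$(tr -d ' \n' < "$2")
    case "$rh" in ''|*[!0-9a-f]*) return 1 ;; esac  # lowercase hex only
    [ "${#rh}" -eq 64 ] || return 1                   # SHA-256 length
    printf '%s\n' "$rh"
}

# Throwaway key pair and a constructed root hash so the demo runs offline.
make_demo_files() {   # <directory>
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$1/priv.pem" 2>/dev/null &&
    openssl pkey -in "$1/priv.pem" -pubout -out "$1/pub.pem" &&
    printf 'constructed rootfs image' | openssl dgst -sha256 -r |
        cut -c1-64 > "$1/roothash" &&
    sign_root_hash "$1/priv.pem" "$1/roothash" "$1/roothash.sig"
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_files "$d" || return 1
    if rh=$(trusted_root_hash "$d/pub.pem" "$d/roothash" "$d/roothash.sig")
    then
        # On the device the next step would be the command from the message:
        echo "veritysetup --hash-offset=17719296 create srootfs" \
             "/dev/ubiblock0_2 /dev/ubiblock0_2 $rh"
    fi
    # A root hash changed after signing must be rejected.
    printf '%064d\n' 0 > "$d/roothash"
    trusted_root_hash "$d/pub.pem" "$d/roothash" "$d/roothash.sig" ||
        echo "tampered root hash rejected"
    rm -rf "$d"
}
demo
```

The --hash-offset value also changes with the image size, so it has to be delivered alongside the root hash and signature when the rootfs is updated.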
