[dm-devel] dm-verity with GPT

[dm-devel] dm-verity with GPT

[Pra.. Dew..]

[-- Attachment #1.1: Type: text/plain, Size: 948 bytes --]

We have a scenario for a VM where a VM is running in the host Linux using KVM. We want to expose verity protected rootfs to the VM. This rootfs clearly needs to be RO. However, we also want to expose it as a GPT partition. In order to do this we are attaching two small files before and after the rootfs. The files use linear mapping and get mapped to the same /dev/mapper/XX device that has a verity partition. These two files contain the partition mappings (primary and backup) for GPT. From the VMs perspective, it sees one device (/dev/mapper/xx) as a GPT device with rootfs.

The challenge we are getting into is that dm-verity kernel implementation explicitly prohibits mixing linear and verity mapping and forces the /dev/mapper/xx device to be RO and our needs are exactly the opposite.

Has anyone seen this scenario before? Any suggestions?

Thanks


Sent from Mail<https://go.microsoft.com/fwlink/?LinkId=550986> for Windows


[-- Attachment #1.2: Type: text/html, Size: 2441 bytes --]

[-- Attachment #2: Type: text/plain, Size: 98 bytes --]

--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel

Re: [dm-devel] dm-verity with GPT

[Mikulas Patocka]

On Sat, 17 Sep 2022, Pra.. Dew.. wrote:

> 
> We have a scenario for a VM where a VM is running in the host Linux 
> using KVM. We want to expose verity protected rootfs to the VM. This 
> rootfs clearly needs to be RO. However, we also want to expose it as a 
> GPT partition. In order to do this we are attaching two small files 
> before and after the rootfs. The files use linear mapping and get mapped 
> to the same /dev/mapper/XX device that has a verity partition. These two 
> files contain the partition mappings (primary and backup) for GPT. From 
> the VMs perspective, it sees one device (/dev/mapper/xx) as a GPT device 
> with rootfs.
> 
> The challenge we are getting into is that dm-verity kernel 
> implementation explicitly prohibits mixing linear and verity mapping and 
> forces the /dev/mapper/xx device to be RO and our needs are exactly the 
> opposite.
> 
> Has anyone seen this scenario before? Any suggestions?
> 
> Thanks

Hi

I think that you can create dm-verity target, put dm-linear on the top of 
it and insert that dm-linear into the table with the other two dm-linear 
targets.

Would it work this way?

Mikulas
--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel

Re: [dm-devel] dm-verity with GPT

[Pra.. Dew..]

[-- Attachment #1.1: Type: text/plain, Size: 1749 bytes --]

Thank you Mikulas. I just want to make sure I understand what you are saying. Currently we making a dm-linear, dm-verity, dm-linear target; if I understand you right you are suggesting to make it a dm-veriy, dm-linear, dm-linear target? Of course the 2nd dm-linear target will have LBAs before dm-verity target. Did I get this right?


From: Mikulas Patocka<mailto:mpatocka@redhat.com>
Sent: Sunday, September 18, 2022 3:10 AM
To: Pra.. Dew..<mailto:linux_learner@outlook.com>
Cc: dm-devel@redhat.com<mailto:dm-devel@redhat.com>
Subject: Re: [dm-devel] dm-verity with GPT



On Sat, 17 Sep 2022, Pra.. Dew.. wrote:

>
> We have a scenario for a VM where a VM is running in the host Linux
> using KVM. We want to expose verity protected rootfs to the VM. This
> rootfs clearly needs to be RO. However, we also want to expose it as a
> GPT partition. In order to do this we are attaching two small files
> before and after the rootfs. The files use linear mapping and get mapped
> to the same /dev/mapper/XX device that has a verity partition. These two
> files contain the partition mappings (primary and backup) for GPT. From
> the VMs perspective, it sees one device (/dev/mapper/xx) as a GPT device
> with rootfs.
>
> The challenge we are getting into is that dm-verity kernel
> implementation explicitly prohibits mixing linear and verity mapping and
> forces the /dev/mapper/xx device to be RO and our needs are exactly the
> opposite.
>
> Has anyone seen this scenario before? Any suggestions?
>
> Thanks

Hi

I think that you can create dm-verity target, put dm-linear on the top of
it and insert that dm-linear into the table with the other two dm-linear
targets.

Would it work this way?

Mikulas


[-- Attachment #1.2: Type: text/html, Size: 3584 bytes --]

[-- Attachment #2: Type: text/plain, Size: 98 bytes --]

--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel

Re: [dm-devel] dm-verity with GPT

[Mikulas Patocka]

[-- Attachment #1: Type: TEXT/PLAIN, Size: 959 bytes --]



On Mon, 19 Sep 2022, Pra.. Dew.. wrote:

> 
> Thank you Mikulas. I just want to make sure I understand what you are 
> saying. Currently we making a dm-linear, dm-verity, dm-linear target; if 
> I understand you right you are suggesting to make it a dm-veriy, 
> dm-linear, dm-linear target? Of course the 2nd dm-linear target will 
> have LBAs before dm-verity target. Did I get this right?

I mean this: create a first dm device with only the dm-verity target in 
the table.

Then, create a second dm device that has only the dm-linear target that 
points to the first device in the table.

Then, create a third device that has three linear devices in the table - a 
GPT beginning, a second dm device, and a GPT end.

Mikulas


> Hi
> 
> I think that you can create dm-verity target, put dm-linear on the top of
> it and insert that dm-linear into the table with the other two dm-linear
> targets.
> 
> Would it work this way?
> 
> Mikulas
> 
>  
> 
> 
> 

[-- Attachment #2: Type: text/plain, Size: 98 bytes --]

--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel