From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-ej1-x62a.google.com (mail-ej1-x62a.google.com [IPv6:2a00:1450:4864:20::62a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mail.server123.net (Postfix) with ESMTPS for ; Thu, 26 Nov 2020 12:32:39 +0100 (CET) Received: by mail-ej1-x62a.google.com with SMTP id 7so2498956ejm.0 for ; Thu, 26 Nov 2020 03:32:39 -0800 (PST) MIME-Version: 1.0 From: Jan Pohanka Date: Thu, 26 Nov 2020 12:32:27 +0100 Message-ID: Content-Type: text/plain; charset="UTF-8" Subject: [dm-crypt] veritysetup usage question List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: dm-crypt@saout.de Hello, I'd like to use dm-verity as a part of a verified boot process on my embedded device but I'm afraid that I still do not understand it well. I'm able to create a hash verification data for squashfs partition, verify it and mount it veritysetup format rootfs.squashfs rootfs.hash cat rootfs.squashfs rootfs.hash > srootfs.squashfs ubiblock -c /dev/ubi0_2 ubiupdatevol /dev/ubi0_2 srootfs.squashfs veritysetup --hash-offset=17719296 verify /dev/ubiblock0_2 /dev/ubiblock0_2 ROOT_HASH veritysetup --hash-offset=17719296 create srootfs /dev/ubiblock0_2 /dev/ubiblock0_2 ROOT_HASH mount -t squashfs -r /dev/mapper/srootfs /mnt Now I can use the above verification and mount in my initramfs and it needs the ROOT_HASH to be stored inside my bootimage. That's not a problem but I'm thinking about future updates. I would need to change the bootimage with a correct ROOT_HASH each time when I update the rootfs image and it obviously is not a thing that one wants to do. Is there any other way to solve it using dm-verity and cryptsetup? Otherways it is probably easier to use any hash of my squashfs image, sign it using openssl and verify with a stable public key from the bootimage on the device, isn't it? best regards Jan