Re: verity setup on active device.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I had a question here..So if I sign a image file for a virtual machine using the command,How do I verify that image file has not changed? 
gpg --output web-test.img.sig --sign web-test.img 

Executing the above gives me a "web-test.img.sig" file.Whether verifying this would be sufficient?

gpg --verify web-test.img.sig 

gpg: Signature made Sun 06 Apr 2014 09:57:16 PM EDT using RSA key ID 3D3AC480

gpg: Good signature from "shiva (test) <abc.@xxxxxxxxxxx>


Should I boot the image now using the .sig file?Looking forward to your reply.





On Sun, Apr 6, 2014 at 3:44 AM, Milan Broz <gmazyland@xxxxxxxxx> wrote:
On 04/06/2014 12:11 AM, Shivaramakrishnan Vaidyanathan wrote:
> I have few questions is this regard.I am ready to perform the offline
> integrity check.I can have the image files in the nfs-share archived
> live to another partition that is not mounted.Will I be able to
> perform the integrity check at the block level in this case?Each time
> virtual machine boots up,I need to be able to verify if the image was
> the same as previous boot.> Is this achievable?
>
> Will these steps work?
> 1. Image file (VM1 - Virtual hard disk file mounted in nfs share partition).
> 2.I rsync the directory of nfs-share to another partition.
> 3.Then whether I will be able to tell whether the virtual image file has been altered/changed from the previous boot?

I am not sure if I understand what you are trying to do here but if it
is file image (full device image shared on nfs) why not use simple gpg
file signature and verify it before the VM boot?

...

> Also I dont get the notion "Dm-verity was designed to provide verification of (read-only) device (to provide verified boot path), all IOs must go through dm-verity."

The dm-verity was designed for ChromeOS for verified boot, IOW it verifies
blocks on underlying block device on-the-fly (when system reads them through
verity mapped device).
This means, that the dm-verity must be underlying device for all read
operations (to allow it stop reads once it detect wrong hash).

I know documentation is terse but at least something is here
http://code.google.com/p/cryptsetup/wiki/DMVerity (see Theory of operation).

Milan

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
[Index of Archives]     [Device Mapper Devel]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux