How to mount a dm-verity volume?

Dear All,

I'm trying to bring up and run a small read-only partition using dm-verity.
A short description of my platform:
- CPU core: ARM Cortex A7
- Kernel version: 3.10.49
- The CONFIG_DM_VERITY is set to "y" in kernel configuration.
- The read only partition is a squashfs on ubiblock. The ubiblock was back-ported from kernel 3.15.
- The verity_key file was not created in the boot directory.
I followed this description: https://nelenkov.blogspot.hu/2014/05/using-kitkat-verified-boot.html?view=classic
I could finish the setup procedure successfully.

I tried two usage scenarios:

1. Creating a mapping device on target
I executed the following commands:
- veritysetup --hash-offset=HASH_OFFSET create vrty /dev/ubiblock0_9 /dev/ubiblock0_9 GOOD_ROOT_DIGEST
- mount -t squashfs -o ro /dev/mapper/vrty /sbro/
I could read the partition as expected.
I repeated the test above with a corrupt partition image (one byte was changed in the data area).
I couldn't read the partition, as expected.
I did a test with bad digest:
- veritysetup --hash-offset=HASH_OFFSET create vrty /dev/ubiblock0_9 /dev/ubiblock0_9 BAD_ROOT_DIGEST
- mount -t squashfs -o ro /dev/mapper/vrty /sbro/
I couldn't read the partition, as expected.
In summary, dm-verity was working as expected.

2. I tried to mount the block device according to the description on the https://nelenkov.blogspot.hu/2014/05/using-kitkat-verified-boot.html?view=classic page.
I added the following line to fstab file:
/dev/ubiblock0_9    /sbro    squashfs    ro,wait,verify
I created the ubiblock device with the "ubiblock -c /dev/ubi0_9" command.
After executing the "mount -a" command I could read the content of the /sbro directory. But according to the description, without the verity_key file the partition shouldn't be readable.
I repeated my test with a corrupt partition image, and I could still read it.

Summary:
dm-verity is working fine when I mount the mapping device, but it is not working (it always allows reading the partition) when I mount the block device directly.

What did I do wrong with the direct mounting? What step(s) did I miss?

Best regards,
Gyula Kovacs

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
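To make the difference between the two scenarios in the post concrete, here is an added worked example (not code from the post, from veritysetup or from the kernel) that rebuilds the dm-verity hash tree in pure Python, following the version-1 format described in the kernel's device-mapper verity documentation: each 4096-byte data block is hashed as SHA-256(salt || block), the digests are packed 128 per hash block (zero padded), each level is hashed the same way up to a single top block, and the root digest is the hash of that top block. It then replays the poster's three tests in scenario 1: a good root digest verifies every block, a one-byte corruption in the data area is caught on the affected block only, and a wrong root digest rejects everything. It also shows why scenario 2 reads the corrupt data without complaint: a read of the raw block device never consults the tree at all, so the check only happens when I/O goes through the dm-verity mapping. The salt, the constructed 200-block image and the `verify_block` helper are assumptions for illustration; the on-disk superblock and `--hash-offset` layout that veritysetup writes are not modelled.

```python
import hashlib

BLOCK = 4096                       # data and hash block size (veritysetup default)
DIGEST = hashlib.sha256().digest_size   # 32 bytes for SHA-256
PER_BLOCK = BLOCK // DIGEST        # 128 digests fit in one hash block


def _hash_block(salt, data):
    # dm-verity format version 1: the salt is prepended to the hashed data
    return hashlib.sha256(salt + data).digest()


def build_tree(image, salt):
    """Build the hash tree over a block-aligned image.

    Returns (root_hex, levels): levels[0] holds the hash blocks over the data,
    levels[-1] is the single top-level hash block whose hash is the root digest.
    """
    if len(image) % BLOCK:
        raise ValueError("image must be a whole number of blocks")
    hashes = [_hash_block(salt, image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]
    levels = []
    while True:
        # pack this level's digests into hash blocks, zero padded like veritysetup does
        hash_blocks = [b"".join(hashes[i:i + PER_BLOCK]).ljust(BLOCK, b"\0")
                       for i in range(0, len(hashes), PER_BLOCK)]
        levels.append(hash_blocks)
        if len(hash_blocks) == 1:
            break
        hashes = [_hash_block(salt, hb) for hb in hash_blocks]
    root = _hash_block(salt, levels[-1][0])
    return root.hex(), levels


def verify_block(levels, salt, root_hex, index, data_block):
    """Check one data block the way dm-verity does on a read: leaf digest,
    then each hash block on the path, up to the trusted root digest."""
    expected = _hash_block(salt, data_block)
    for level in levels:
        hb = level[index // PER_BLOCK]
        off = (index % PER_BLOCK) * DIGEST
        if hb[off:off + DIGEST] != expected:
            return False                      # digest stored in the tree does not match
        expected = _hash_block(salt, hb)      # this block's digest is stored one level up
        index //= PER_BLOCK
    return expected.hex() == root_hex         # top block must hash to the root digest


def demo():
    """Replay the post's tests on a constructed image; returns the observations."""
    salt = bytes(range(32))   # constructed salt; veritysetup generates a random one at format time
    # constructed 200-block image (> 128 blocks, so the tree has two levels)
    image = b"".join(hashlib.sha256(b"block%d" % i).digest() * (BLOCK // DIGEST) for i in range(200))
    blocks = [image[i:i + BLOCK] for i in range(0, len(image), BLOCK)]
    good_root, levels = build_tree(image, salt)

    # test 1: intact data, GOOD_ROOT_DIGEST -> every block verifies
    good_all_ok = all(verify_block(levels, salt, good_root, i, b) for i, b in enumerate(blocks))

    # test 2: one byte changed in the data area of block 1 -> that read fails, others still pass
    tampered = bytearray(image)
    tampered[BLOCK + 100] ^= 0x01
    tblocks = [bytes(tampered[i:i + BLOCK]) for i in range(0, len(tampered), BLOCK)]
    failing = [i for i, b in enumerate(tblocks) if not verify_block(levels, salt, good_root, i, b)]

    # test 3: BAD_ROOT_DIGEST -> even an intact block is rejected
    bad_root_ok = verify_block(levels, salt, "ff" * DIGEST, 0, blocks[0])

    # scenario 2: reading the raw block device returns the corrupt block with no check at all
    raw_read = tblocks[1]
    raw_read_silently_differs = (raw_read != blocks[1])

    return {
        "root_hash": good_root,
        "good_root_all_ok": good_all_ok,
        "failing_blocks": failing,
        "bad_root_ok": bad_root_ok,
        "raw_read_silently_differs": raw_read_silently_differs,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point the example makes for the fstab scenario is that the `verify` option only has an effect if something actually creates the dm-verity mapping (with the root digest taken from a trusted source) and mounts that mapping instead of the underlying device; the hash tree sitting on the same partition at `HASH_OFFSET` does nothing on its own.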


