Hello, I'd like to use dm-verity as a part of a verified boot process on my embedded device but I'm afraid that I still do not understand it well. I'm able to create a hash verification data for squashfs partition, verify it and mount it veritysetup format rootfs.squashfs rootfs.hash cat rootfs.squashfs rootfs.hash > srootfs.squashfs ubiblock -c /dev/ubi0_2 ubiupdatevol /dev/ubi0_2 srootfs.squashfs veritysetup --hash-offset=17719296 verify /dev/ubiblock0_2 /dev/ubiblock0_2 ROOT_HASH veritysetup --hash-offset=17719296 create srootfs /dev/ubiblock0_2 /dev/ubiblock0_2 ROOT_HASH mount -t squashfs -r /dev/mapper/srootfs /mnt Now I can use the above verification and mount in my initramfs and it needs the ROOT_HASH to be stored inside my bootimage. That's not a problem but I'm thinking about future updates. I would need to change the bootimage with a correct ROOT_HASH each time when I update the rootfs image and it obviously is not a thing that one wants to do. Is there any other way to solve it using dm-verity and cryptsetup? Otherways it is probably easier to use any hash of my squashfs image, sign it using openssl and verify with a stable public key from the bootimage on the device, isn't it? best regards Jan _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx https://www.saout.de/mailman/listinfo/dm-crypt
