Hi Pavan, I think there's a bit of a mismatch in the terminology that you're using. I'll try to help: On Wed, Jun 5, 2013 at 10:59 AM, <pavankumar.p@xxxxxxxxxxxxxxxxxx> wrote: > Hi All, > I understand that hash generated by "sha256" is encrypted, sha256 is a type of cryptographic hash algorithm. It is a one-way transformation of some data. In this case, the hash isn't encrypted, it just has desirable properties when acting as a strong checksum over some dataset. The hash passed in during setup (for the table) is the root hash of a hash tree (also called Merkle Trees). It is a checksum over the depth below it in the tree which in turn is a checksum over the depth below it, until the leaf nodes on the tree are the blocks-on-disk themselves. The self-checked tree structure provides transitive integrity assurances verifiable at any time if you have the full data set and the root hash. It is possible to allow partial verification of any path through the tree if the nodes along the path from the leaf to the root are precomputed and made available. dm-verity takes advantage of this property to provide high performance integrity assurances. > but is there any way to corrupt hash value stored in hash device? The hash tree that lives on the hash device is completely untrusted. The hash tree can easily be corrupted with 'dd' just like with the data device. If the hash tree is corrupted, dm-verity will fail to verify the data because it will be unable to create a verifiable path through the hash tree from the block to the root hash that was passed in at device setup. > Can the hash device be protected by a signature? Generally, you will want to protect the dm-verity table line with a signature and not the hash device itself. At any point you can recompute the hash device with veritysetup. However, the "root of trust" for a dm-verity device is always the hash passed in during device mapper setup. It is ideal, then, to ensure that the hash value and device settings are always what was expected when the dm-verity device was created or last updated. I hope that helps, will -- dm-devel mailing list dm-devel@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/dm-devel