* DM-Verity Tool
From: pavankumar.p @ 2013-05-21 15:11 UTC
To: msb; Cc: dm-devel

Hello Mandeep,

I was trying to download the source code to generate the hash from the
following location. But looks like this is moved. Pls share the latest git
hub location of the source.
http://git.chromium.org/cgi-bin/gitweb.cgi?p=dm-verity.git;a=tree

Regards,
Pavan

* Re: DM-Verity Tool
From: Marian Csontos @ 2013-05-22 11:07 UTC
To: dm-devel, pavankumar.p

On 05/21/2013 05:11 PM, pavankumar.p@globaledgesoft.com wrote:
> Hello Mandeep,
>
> I was trying to download the source code to generate the hash from the
> following location. But looks like this is moved. Pls share the latest git
> hub location of the source.
> http://git.chromium.org/cgi-bin/gitweb.cgi?p=dm-verity.git;a=tree

Hi Pavan, dm-verity is in upstream kernel tree now:

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/md/dm-verity.c

-- Marian

/* Wow! Kudos to Mikulas, the source looks rather neatly! I should print it
and hang over my bed to get enlightened... */

>
> Regards,
> Pavan
>
> --
> dm-devel mailing list
> dm-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/dm-devel

* Re: DM-Verity Tool
From: pavankumar.p @ 2013-05-22 16:00 UTC
To: Marian Csontos; Cc: dm-devel, pavankumar.p

Thanks Marian & Mikulas,

I'm able to download & compile veritysetup. Also able to configure verity
target. I have few queries with respect to dmsetup & veritysetup

1. What are the difference between configuring a verity target using
dmsetup & veritysetup. Can these be used interchangeably?

2. I tried passing the root hash value generated by veritysetup as a
parameter to dmsetup but this doesn't work. On doing dmsetup status, the
output is showing as the target corrupted (C). I examined dmesg & found
the following error

[22885.758996] device-mapper: verity: metadata block 62 is corrupted
[22885.759001] Buffer I/O error on device dm-1, logical block 1

3. After creating a verity target using "veritysetup" how to test the
target for corrupted case (As soon as creating the status is Verified (V)) ?

Regards,
Pavan

> On 05/21/2013 05:11 PM, pavankumar.p@globaledgesoft.com wrote:
>> Hello Mandeep,
>>
>> I was trying to download the source code to generate the hash from the
>> following location. But looks like this is moved. Pls share the latest
>> git
>> hub location of the source.
>> http://git.chromium.org/cgi-bin/gitweb.cgi?p=dm-verity.git;a=tree
>
> Hi Pavan, dm-verity is in upstream kernel tree now:
>
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/md/dm-verity.c
>
> -- Marian
>
> /* Wow! Kudos to Mikulas, the source looks rather neatly! I should print
> it and hang over my bed to get enlightened... */
>
>>
>> Regards,
>> Pavan
>>
>> --
>> dm-devel mailing list
>> dm-devel@redhat.com
>> https://www.redhat.com/mailman/listinfo/dm-devel
>>

* Re: DM-Verity Tool
From: Milan Broz @ 2013-05-22 16:46 UTC
To: device-mapper development; Cc: pavankumar.p, Marian Csontos

On 05/22/2013 01:07 PM, Marian Csontos wrote:
> On 05/21/2013 05:11 PM, pavankumar.p@globaledgesoft.com wrote:
>> Hello Mandeep,
>>
>> I was trying to download the source code to generate the hash from the
>> following location. But looks like this is moved. Pls share the latest git
>> hub location of the source.
>> http://git.chromium.org/cgi-bin/gitweb.cgi?p=dm-verity.git;a=tree
>
> Hi Pavan, dm-verity is in upstream kernel tree now:
>
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/md/dm-verity.c

I think the question was about tool to generate hash,
not the target itself.

In any case, dm-verity is in kernel and veritysetup tool is part of upstream
cryptsetup package.

Documentation to kernel dm-verity
http://code.google.com/p/cryptsetup/wiki/DMVerity

And some release notes info about veritysetup (see man page as well)
http://code.google.com/p/cryptsetup/wiki/Cryptsetup150

Milan

* Re: DM-Verity Tool
From: pavankumar.p @ 2013-05-23 6:41 UTC
To: Milan Broz, mpatocka; Cc: device-mapper development, Marian Csontos, pavankumar.p

Hi Milan,

Thanks for the reply.

> I think the question was about tool to generate hash,
> not the target itself.

As mentioned by you, I was looking for a tool which generates the root hash
(digest) which can be used as a parameter to dmsetup tool. I used sha256sum
tool to generate the hash but dmsetup is not accepting this hash.

Thanks to Mikulas for providing the link to veritysetup using which I could
configure verity target. But still I have some doubts regarding dmsetup &
veritysetup

1. What are the difference between configuring a verity target using
dmsetup & veritysetup. Can these be used interchangeably?

2. I tried passing the root hash value generated by veritysetup as a
parameter to dmsetup but this doesn't work. On doing dmsetup status, the
output is showing as the target corrupted (C). I examined dmesg & found
the following error

[22885.758996] device-mapper: verity: metadata block 62 is corrupted
[22885.759001] Buffer I/O error on device dm-1, logical block 1

3. After creating a verity target using "veritysetup" how to test the
target for corrupted case (As soon as creating the status is Verified (V)) ?

Thanks in advance
Pavan

> On 05/22/2013 01:07 PM, Marian Csontos wrote:
>> On 05/21/2013 05:11 PM, pavankumar.p@globaledgesoft.com wrote:
>>> Hello Mandeep,
>>> I was trying to download the source code to generate the hash from the
>>> following location. But looks like this is moved. Pls share the latest git
>>> hub location of the source.
>>> http://git.chromium.org/cgi-bin/gitweb.cgi?p=dm-verity.git;a=tree
>> Hi Pavan, dm-verity is in upstream kernel tree now:
>> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/md/dm-verity.c
>
> I think the question was about tool to generate hash,
> not the target itself.
>
> In any case, dm-verity is in kernel and veritysetup tool is part of upstream
> cryptsetup package.
>
> Documentation to kernel dm-verity
> http://code.google.com/p/cryptsetup/wiki/DMVerity
>
> And some release notes info about veritysetup (see man page as well)
> http://code.google.com/p/cryptsetup/wiki/Cryptsetup150
>
> Milan
>

* Re: DM-Verity Tool
From: Milan Broz @ 2013-05-23 20:47 UTC
To: pavankumar.p; Cc: Marian Csontos, device-mapper development, mpatocka

On 05/23/2013 08:41 AM, pavankumar.p@globaledgesoft.com wrote:
> 1. What are the difference between configuring a verity target using
> dmsetup & veritysetup. Can these be used interchangeably?

dmsetup is just low level tool, you need to know all table parameters
while veritysetup will prepare table for you using high level commands
and on-disk metadata (if present).

> 2. I tried passing the root hash value generated by veritysetup as a
> parameter to dmsetup but this doesn't work. On doing dmsetup status, the
> output is showing as the target corrupted (C). I examined dmesg & found
> the following error

Be sure you are using proper parameters, metadata version etc.

Try activate device with veritysetup, then run "dmsetup table" and
check what is different in your dmsetup line.

> 3. After creating a verity target using "veritysetup" how to test the
> target for corrupted case (As soon as creating the status is Verified (V))

By corrupting the image? :) See tests/verity-compat-test in cryptsetup
tree, it is basic regression test which is simulating both data and hash
corruption (it just dd random data to know offset and expects failure.)

Milan

* Re: DM-Verity Tool
From: pavankumar.p @ 2013-05-24 16:10 UTC
To: Milan Broz; Cc: Marian Csontos, pavankumar.p, mpatocka, device-mapper development

Hi All,

Thanks a lot for your support. Now I am able to configure verity target
using both veritysetup & dmsetup.

Regards,
Pavan

>
> On 05/23/2013 08:41 AM, pavankumar.p@globaledgesoft.com wrote:
>> 1. What are the difference between configuring a verity target using
>> dmsetup & veritysetup. Can these be used interchangeably?
>
> dmsetup is just low level tool, you need to know all table parameters
> while veritysetup will prepare table for you using high level commands
> and on-disk metadata (if present).
>
>> 2. I tried passing the root hash value generated by veritysetup as a
>> parameter to dmsetup but this doesn't work. On doing dmsetup status, the
>> output is showing as the target corrupted (C). I examined dmesg & found
>> the following error
>
> Be sure you are using proper parameters, metadata version etc.
>
> Try activate device with veritysetup, then run "dmsetup table" and
> check what is different in your dmsetup line.
>
>> 3. After creating a verity target using "veritysetup" how to test the
>> target for corrupted case (As soon as creating the status is Verified
>> (V))
>
> By corrupting the image? :) See tests/verity-compat-test in cryptsetup
> tree, it is basic regression test which is simulating both data and hash
> corruption (it just dd random data to know offset and expects failure.)
>
> Milan
>

* Re: DM-Verity Tool
From: pavankumar.p @ 2013-05-27 15:52 UTC
To: Milan Broz, mpatocka, device-mapper development, Marian Csontos

Hello Milan,

> By corrupting the image? :) See tests/verity-compat-test in cryptsetup
> tree, it is basic regression test which is simulating both data and hash
> corruption (it just dd random data to know offset and expects failure.)

In tests/verity-compat-test, in the following line

"check_root_hash 512 9de18652fe74edfb9b805aaed72ae2aa48f94333f1ba5c452ac33b1c39325174 $SALT 1 sha256 8388608"

How's the last parameter (hash_offset) calculated? it's hard coded
here(8388608).

Regards,
Pavan

> Hi All,
>
> Thanks a lot for your support. Now I am able to configure verity target
> using both veritysetup & dmsetup.
>
> Regards,
> Pavan
>
>>
>> On 05/23/2013 08:41 AM, pavankumar.p@globaledgesoft.com wrote:
>>> 1. What are the difference between configuring a verity target using
>>> dmsetup & veritysetup. Can these be used interchangeably?
>>
>> dmsetup is just low level tool, you need to know all table parameters
>> while veritysetup will prepare table for you using high level commands
>> and on-disk metadata (if present).
>>
>>> 2. I tried passing the root hash value generated by veritysetup as a
>>> parameter to dmsetup but this doesn't work. On doing dmsetup status,
>>> the
>>> output is showing as the target corrupted (C). I examined dmesg & found
>>> the following error
>>
>> Be sure you are using proper parameters, metadata version etc.
>>
>> Try activate device with veritysetup, then run "dmsetup table" and
>> check what is different in your dmsetup line.
>>
>>> 3. After creating a verity target using "veritysetup" how to test the
>>> target for corrupted case (As soon as creating the status is Verified
>>> (V))
>>
>> By corrupting the image? :) See tests/verity-compat-test in cryptsetup
>> tree, it is basic regression test which is simulating both data and hash
>> corruption (it just dd random data to know offset and expects failure.)
>>
>> Milan
>>

* Re: DM-Verity Tool
From: pavankumar.p @ 2013-05-30 16:28 UTC
To: Milan Broz; Cc: Marian Csontos, device-mapper development, mpatocka

Hi All,

Thanks for your answers to previous questions. I have some more doubts
regarding DM-Verity please clarify it.

1. When dm-verity validation fails, do we lose access to the file? And how
about accessing the rest of the filesystem?

2. Is there any recovery mechanism for a validation failure?

3. How do we update a DM-Verity filesystem? Can it be done on a file basis?
I believe that dm-verity works on the blocks & not on the file system, is
that true?

4. Can we use dm-verity for any filesystem (say UBIFS)? Is there any
restriction on filesystem?

5. How to update DM-Verity device without removing device mapping. I tried
mounting the dm-verity target but it fails

Thanks in advance,
Pavan Kumar P

* Re: DM-Verity Tool
From: Mikulas Patocka @ 2013-05-31 12:31 UTC
To: pavankumar.p; Cc: device-mapper development, Marian Csontos, Milan Broz

On Thu, 30 May 2013, pavankumar.p@globaledgesoft.com wrote:

> Hi All,
> Thanks for your answers to previous questions. I have some more doubts
> regarding DM-Verity please clarify it.
>
> 1. When dm-verity validation fails, do we lose access to the file? And how
> about accessing the rest of the filesystem?

You lose access to the affected files, but the rest of the filesystem is
still accessible.

> 2. Is there any recovery mechanism for a validation failure?

No.

> 3. How do we update a DM-Verity filesystem? Can it be done on a file basis?
> I believe that dm-verity works on the blocks & not on the file system, is
> that true?

You don't update it. You create the filesystems, then calculate dm-verity
checksums and then mount it read only.

Yes, dm-verity works on blocks.

> 4. Can we use dm-verity for any filesystem (say UBIFS)? Is there any
> restriction on filesystem?

You can use it for any filesystem.

> 5. How to update DM-Verity device without removing device mapping. I tried
> mounting the dm-verity target but it fails

You can't update it.

If you want to update it, you need to unmount the filesystem, unload the
dm-verity target, mount the underlying device read-write, make changes,
unmount it, recreate checksums with veritysetup, load the dm-verity target
and mount it read only.

> Thanks in advance,
> Pavan Kumar P

Mikulas

* Re: DM-Verity Tool
From: pavankumar.p @ 2013-05-31 16:15 UTC
To: Mikulas Patocka; Cc: pavankumar.p, Marian Csontos, Milan Broz, device-mapper development

Hi Mikulas,

Thanks for the reply.

Pavan>> 5. How to update DM-Verity device without removing device mapping.
I tried mounting the dm-verity target but it fails
Mikulas>
Mikulas> You can't update it.
Mikulas>
Mikulas> If you want to update it, you need to unmount the filesystem,
unload the dm-verity target, mount the underlying device read-write, make
changes, unmount it, recreate checksums with veritysetup, load the
dm-verity target and mount it read only.

If the filesystem is mounted as read-only, how the filesystem can be
modified or corrupted (without removing mapping)? How we can test the
dm-verity functionality?

Thanks,
Pavan

>
> On Thu, 30 May 2013, pavankumar.p@globaledgesoft.com wrote:
>
>> Hi All,
>> Thanks for your answers to previous questions. I have some more
>> doubts
>> regarding DM-Verity please clarify it.
>> 1. When dm-verity validation fails, do we lose access to the file? And how
>> about accessing the rest of the filesystem?
>
> You lose access to the affected files, but the rest of the filesystem is
> still accessible.
>
>> 2. Is there any recovery mechanism for a validation failure?
>
> No.
>
>> 3. How do we update a DM-Verity filesystem? Can it be done on a file basis?
>> I believe that dm-verity works on the blocks & not on the file system, is
>> that true?
>
> You don't update it. You create the filesystems, then calculate dm-verity
> checksums and then mount it read only.
>
> Yes, dm-verity works on blocks.
>
>> 4. Can we use dm-verity for any filesystem (say UBIFS)? Is there any
>> restriction on filesystem?
>
> You can use it for any filesystem.
>
>> 5. How to update DM-Verity device without removing device mapping. I tried
>> mounting the dm-verity target but it fails
>
> You can't update it.
>
> If you want to update it, you need to unmount the filesystem, unload the
> dm-verity target, mount the underlying device read-write, make changes,
> unmount it, recreate checksums with veritysetup, load the dm-verity target
> and mount it read only.
>
>> Thanks in advance,
>> Pavan Kumar P
>
> Mikulas
>

* Re: DM-Verity Tool
From: Will Drewry @ 2013-06-03 12:39 UTC
To: device-mapper development; Cc: Marian Csontos, pavankumar.p, Mikulas Patocka, Milan Broz

On Fri, May 31, 2013 at 11:15 AM, <pavankumar.p@globaledgesoft.com> wrote:
>
> Hi Mikulas,
>
> Thanks for the reply.
>
> Pavan>> 5. How to update DM-Verity device without removing device mapping.
> I tried mounting the dm-verity target but it fails
> Mikulas>
> Mikulas> You can't update it.
> Mikulas>
> Mikulas> If you want to update it, you need to unmount the filesystem,
> unload the dm-verity target, mount the underlying device read-write, make
> changes, unmount it, recreate checksums with veritysetup, load the
> dm-verity target and mount it read only.
>
> If the filesystem is mounted as read-only, how the filesystem can be
> modified or corrupted (without removing mapping)? How we can test the
> dm-verity functionality?
>

I believe Milan already pointed out a test example, but the very easiest
way to do it is to dd data over part of the underlying block device, then dd
it out via the dm-verity device. If the system has already read it, you'll
need to drop_caches first. Something like:

  dd if=/dev/zero of=/dev/sdb3 bs=1 count=1 seek=4097  #write somewhere that was non-zero
  echo 3 > /proc/sys/vm/drop_caches
  dd if=/dev/dm-0 of=/dev/null bs=1 count=1 skip=4097  #read, get EIO

hth,
will

> >
> > On Thu, 30 May 2013, pavankumar.p@globaledgesoft.com wrote:
> >
> >> Hi All,
> >> Thanks for your answers to previous questions. I have some more
> >> doubts
> >> regarding DM-Verity please clarify it.
> >> 1. When dm-verity validation fails, do we lose access to the file? And
> how
> >> about accessing the rest of the filesystem?
> >
> > You lose access to the affected files, but the rest of the filesystem is
> still accessible.
> >
> >> 2. Is there any recovery mechanism for a validation failure?
> >
> > No.
> >
> >> 3. How do we update a DM-Verity filesystem? Can it be done on a file
> basis?
> >> I believe that dm-verity works on the blocks & not on the file system, is
> >> that true?
> >
> > You don't update it. You create the filesystems, then calculate
> dm-verity
> > checksums and then mount it read only.
> >
> > Yes, dm-verity works on blocks.
> >
> >> 4. Can we use dm-verity for any filesystem (say UBIFS)? Is there any
> restriction on filesystem?
> >
> > You can use it for any filesystem.
> >
> >> 5. How to update DM-Verity device without removing device mapping. I tried
> >> mounting the dm-verity target but it fails
> >
> > You can't update it.
> >
> > If you want to update it, you need to unmount the filesystem, unload the
> dm-verity target, mount the underlying device read-write, make changes,
> unmount it, recreate checksums with veritysetup, load the dm-verity
> target
> > and mount it read only.
> >
> >> Thanks in advance,
> >> Pavan Kumar P
> >
> > Mikulas
> >
>
> --
> dm-devel mailing list
> dm-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/dm-devel

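A simplified model of the block-level checking discussed in this thread, added here as an example and not code from the kernel, cryptsetup or any poster: it builds a hash tree over an image, then shows that a one-byte change at the offset used in the dd test makes only that data block unreadable, that damage to a hash (metadata) block affects every data block beneath it, and that the root hash differs from a flat sha256 of the image. The 4096-byte block size, salt-then-block hashing, constructed image and all function names are assumptions of this model; its root hash is not meant to match veritysetup output.

```python
import errno
import hashlib

BLOCK = 4096               # data/hash block size assumed for this model
DIGEST = 32                # sha256 digest length
PER = BLOCK // DIGEST      # digests stored per hash block (128)

def h(salt, block):
    """Salted digest of one block (simplified; not veritysetup's on-disk format)."""
    return hashlib.sha256(salt + block).digest()

def build_tree(data, salt):
    """Return (levels, root). levels[0] holds the digests of the data blocks,
    each higher level the digests of the hash blocks below it."""
    if len(data) % BLOCK:
        raise ValueError("image must be a whole number of blocks")
    digests = [h(salt, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK)]
    levels = []
    while True:
        blocks = [b"".join(digests[i:i + PER]).ljust(BLOCK, b"\0")
                  for i in range(0, len(digests), PER)]
        levels.append(blocks)
        digests = [h(salt, b) for b in blocks]
        if len(blocks) == 1:
            return levels, digests[0]   # root = digest of the top hash block

def read_block(data, index, levels, salt, root):
    """Return data block `index`, or raise EIO if its path to the root fails."""
    block = bytes(data[index * BLOCK:(index + 1) * BLOCK])
    digest, pos = h(salt, block), index
    for level in levels:
        hblock = level[pos // PER]
        off = (pos % PER) * DIGEST
        if hblock[off:off + DIGEST] != digest:
            raise OSError(errno.EIO, f"block {index}: hash mismatch")
        digest, pos = h(salt, hblock), pos // PER
    if digest != root:
        raise OSError(errno.EIO, f"block {index}: root hash mismatch")
    return block

def failing_blocks(data, levels, salt, root):
    """Indices of data blocks that can no longer be read through the model."""
    bad = []
    for i in range(len(data) // BLOCK):
        try:
            read_block(data, i, levels, salt, root)
        except OSError:
            bad.append(i)
    return bad

def demo():
    salt = bytes(range(32))                            # constructed salt
    image = bytearray(b"".join(i.to_bytes(2, "big") * (BLOCK // 2)
                               for i in range(300)))   # constructed 300-block image
    flat = hashlib.sha256(bytes(image)).digest()       # what sha256sum would give
    levels, root = build_tree(bytes(image), salt)
    clean = failing_blocks(image, levels, salt, root)
    image[4097] = 0                                    # same byte offset as the dd test
    data_hit = failing_blocks(image, levels, salt, root)
    image[4097] = 1                                    # restore the data block
    hb = levels[0][2]                                  # damage one hash (metadata) block
    levels[0][2] = bytes([hb[0] ^ 0xFF]) + hb[1:]
    meta_hit = failing_blocks(image, levels, salt, root)
    return root, flat, clean, data_hit, meta_hit

if __name__ == "__main__":
    root, flat, clean, data_hit, meta_hit = demo()
    print(root.hex(), clean, data_hit, meta_hit[0], meta_hit[-1])
```
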