* DM-Verity Tool
From: pavankumar.p @ 2013-05-21 15:11 UTC (permalink / raw)
To: msb; +Cc: dm-devel
Hello Mandeep,
I was trying to download the source code to generate the hash from the
following location. But looks like this is moved. Pls share the latest git
hub location of the source.
http://git.chromium.org/cgi-bin/gitweb.cgi?p=dm-verity.git;a=tree
Regards,
Pavan
* Re: DM-Verity Tool
From: Marian Csontos @ 2013-05-22 11:07 UTC (permalink / raw)
To: dm-devel, pavankumar.p
On 05/21/2013 05:11 PM, pavankumar.p@globaledgesoft.com wrote:
> Hello Mandeep,
>
> I was trying to download the source code to generate the hash from the
> following location. But looks like this is moved. Pls share the latest git
> hub location of the source.
> http://git.chromium.org/cgi-bin/gitweb.cgi?p=dm-verity.git;a=tree
Hi Pavan, dm-verity is in upstream kernel tree now:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/md/dm-verity.c
-- Marian
/* Wow! Kudos to Mikulas, the source looks rather neatly! I should print
it and hang over my bed to get enlightened... */
>
>
> Regards,
> Pavan
>
>
>
> --
> dm-devel mailing list
> dm-devel@redhat.com
> https://www.redhat.com/mailman/listinfo/dm-devel
>
* Re: DM-Verity Tool
From: pavankumar.p @ 2013-05-22 16:00 UTC (permalink / raw)
To: Marian Csontos; +Cc: dm-devel, pavankumar.p
Thanks Marian & Mikulas,
I'm able to download & compile veritysetup. Also able to configure verity
target.
I have few queries with respect to dmsetup & veritysetup
1. What are the difference between configuring a verity target using
dmsetup & veritysetup. Can these be used interchangeably?
2. I tried passing the root hash value generated by veritysetup as a
parameter to dmsetup but this doesn't work. On doing dmsetup status, the
output is showing as the target corrupted (C). I examined dmesg & found
the following error
[22885.758996] device-mapper: verity: metadata block 62 is corrupted
[22885.759001] Buffer I/O error on device dm-1, logical block 1
3. After creating a verity target using "veritysetup" how to test the
target for corrupted case (As soon as creating the status is Verified (V))?
Regards,
Pavan
* Re: DM-Verity Tool
From: Milan Broz @ 2013-05-22 16:46 UTC (permalink / raw)
To: device-mapper development; +Cc: pavankumar.p, Marian Csontos
On 05/22/2013 01:07 PM, Marian Csontos wrote:
> On 05/21/2013 05:11 PM, pavankumar.p@globaledgesoft.com wrote:
>> Hello Mandeep,
>>
>> I was trying to download the source code to generate the hash from the
>> following location. But looks like this is moved. Pls share the latest git
>> hub location of the source.
>> http://git.chromium.org/cgi-bin/gitweb.cgi?p=dm-verity.git;a=tree
>
> Hi Pavan, dm-verity is in upstream kernel tree now:
>
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/md/dm-verity.c
I think the question was about tool to generate hash,
not the target itself.
In any case, dm-verity is in kernel and veritysetup tool is part of upstream
cryptsetup package.
Documentation to kernel dm-verity
http://code.google.com/p/cryptsetup/wiki/DMVerity
And some release notes info about veritysetup (see man page as well)
http://code.google.com/p/cryptsetup/wiki/Cryptsetup150
Milan
* Re: DM-Verity Tool
From: pavankumar.p @ 2013-05-23 6:41 UTC (permalink / raw)
To: Milan Broz, mpatocka
Cc: device-mapper development, Marian Csontos, pavankumar.p
Hi Milan,
Thanks for the reply.
> I think the question was about tool to generate hash,
> not the target itself.
As mentioned by you, I was looking for a tool which generates the root
hash (digest) which can be used as a parameter to dmsetup tool. I used
sha256sum tool to generate the hash but dmsetup is not accepting this
hash.
Thanks to Mikulas for providing the link to veritysetup using which I
could configure verity target. But still I have some doubts regarding
dmsetup & veritysetup
1. What are the difference between configuring a verity target using
dmsetup & veritysetup. Can these be used interchangeably?
2. I tried passing the root hash value generated by veritysetup as a
parameter to dmsetup but this doesn't work. On doing dmsetup status, the
output is showing as the target corrupted (C). I examined dmesg & found
the following error
[22885.758996] device-mapper: verity: metadata block 62 is corrupted
[22885.759001] Buffer I/O error on device dm-1, logical block 1
3. After creating a verity target using "veritysetup" how to test the
target for corrupted case (As soon as creating the status is Verified (V))?
Thanks in advance
Pavan
* Re: DM-Verity Tool
From: Milan Broz @ 2013-05-23 20:47 UTC (permalink / raw)
To: pavankumar.p; +Cc: Marian Csontos, device-mapper development, mpatocka
On 05/23/2013 08:41 AM, pavankumar.p@globaledgesoft.com wrote:
> 1. What are the difference between configuring a verity target using
> dmsetup & veritysetup. Can these be used interchangeably?
dmsetup is just low level tool, you need to know all table parameters
while veritysetup will prepare table for you using high level commands
and on-disk metadata (if present).
> 2. I tried passing the root hash value generated by veritysetup as a
> parameter to dmsetup but this doesn't work. On doing dmsetup status, the
> output is showing as the target corrupted (C). I examined dmesg & found
> the following error
Be sure you are using proper parameters, metadata version etc.
Try activate device with veritysetup, then run "dmsetup table" and
check what is different in your dmsetup line.
> 3. After creating a verity target using "veritysetup" how to test the
> target for corrupted case (As soon as creating the status is Verified (V))
By corrupting the image? :) See tests/verity-compat-test in cryptsetup
tree, it is basic regression test which is simulating both data and hash
corruption (it just dd random data to known offset and expects failure.)
Milan
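
The comparison suggested above (activate with veritysetup, run "dmsetup table", check it against your own dmsetup line) can be done field by field. This is an added example, not code from the thread or from cryptsetup; the field names follow the kernel's dm-verity table documentation, and the device numbers, digests and salt in the sample lines are constructed.

```python
import hashlib

# Positional parameters of a verity table line, in the order the kernel's
# dm-verity documentation lists them (they follow "<start> <length> verity").
FIELDS = ("version", "data_dev", "hash_dev", "data_block_size",
          "hash_block_size", "num_data_blocks", "hash_start_block",
          "algorithm", "digest", "salt")

def parse_verity_table(line):
    """Split one `dmsetup table` line for a verity target into named fields."""
    tok = line.split()
    if tok and tok[0].endswith(":"):   # "name: 0 ..." form, printed when listing all devices
        tok = tok[1:]
    if len(tok) < 3 + len(FIELDS) or tok[2] != "verity":
        raise ValueError("not a verity table line: %r" % line)
    table = {"start": tok[0], "length": tok[1]}
    table.update(zip(FIELDS, tok[3:]))
    return table

def digest_problem(table):
    """Return a message if the digest cannot be an <algorithm> hash, else None."""
    try:
        size = hashlib.new(table["algorithm"]).digest_size
        raw = bytes.fromhex(table["digest"])
    except ValueError:
        return "unknown algorithm or non-hex digest"
    if len(raw) != size:
        return "digest is %d bytes, %s needs %d" % (len(raw), table["algorithm"], size)
    return None

def diff_tables(mine, reference):
    """List (field, mine, reference) for every parameter that differs."""
    a, b = parse_verity_table(mine), parse_verity_table(reference)
    return [(k, a[k], b[k]) for k in a if a[k] != b[k]]

# Constructed sample lines: REFERENCE stands for the table veritysetup loaded,
# HANDMADE for a hand-written dmsetup line for the same devices.
REFERENCE = ("0 16384 verity 1 7:0 7:1 4096 4096 2048 1 sha256 "
             + "ab" * 32 + " " + "cd" * 32)
HANDMADE = ("vroot: 0 16384 verity 1 7:0 7:1 4096 4096 2048 0 sha256 "
            + "12" * 32 + " " + "cd" * 32)

if __name__ == "__main__":
    for field, mine, ref in diff_tables(HANDMADE, REFERENCE):
        print("%-18s mine=%s reference=%s" % (field, mine, ref))
```

A digest of the right length but the wrong value passes digest_problem(); only the comparison against the table veritysetup produced shows it.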
* Re: DM-Verity Tool
From: pavankumar.p @ 2013-05-24 16:10 UTC (permalink / raw)
To: Milan Broz
Cc: Marian Csontos, pavankumar.p, mpatocka, device-mapper development
Hi All,
Thanks a lot for your support. Now I am able to configure verity target
using both veritysetup & dmsetup.
Regards,
Pavan
* Re: DM-Verity Tool
From: pavankumar.p @ 2013-05-27 15:52 UTC (permalink / raw)
To: Milan Broz, mpatocka, device-mapper development, Marian Csontos
Hello Milan,
> By corrupting the image? :) See tests/verity-compat-test in cryptsetup
> tree, it is basic regression test which is simulating both data and hash
> corruption (it just dd random data to know offset and expects failure.)
In tests/verity-compat-test, in the following line
"check_root_hash 512 9de18652fe74edfb9b805aaed72ae2aa48f94333f1ba5c452ac33b1c39325174 $SALT 1 sha256 8388608"
How's the last parameter (hash_offset) calculated? it's hard coded
here(8388608).
Regards,
Pavan
* Re: DM-Verity Tool
From: pavankumar.p @ 2013-05-30 16:28 UTC (permalink / raw)
To: Milan Broz; +Cc: Marian Csontos, device-mapper development, mpatocka
Hi All,
Thanks for your answers to previous questions. I have some more doubts
regarding DM-Verity please clarify it.
1. When dm-verity validation fails, do we lose access to the file? And how
about accessing the rest of the filesystem?
2. Is there any recovery mechanism for a validation failure?
3. How do we update a DM-Verity filesystem? Can it be done on a file basis?
I believe that dm-verity works on the blocks & not on the file system, is
that true?
4. Can we use dm-verity for any filesystem (say UBIFS)? Is there any
restriction on filesystem?
5. How to update DM-Verity device without removing device mapping. I tried
mounting the dm-verity target but it fails
Thanks in advance,
Pavan Kumar P
* Re: DM-Verity Tool
From: Mikulas Patocka @ 2013-05-31 12:31 UTC (permalink / raw)
To: pavankumar.p; +Cc: device-mapper development, Marian Csontos, Milan Broz
On Thu, 30 May 2013, pavankumar.p@globaledgesoft.com wrote:
> Hi All,
> Thanks for your answers to previous questions. I have some more doubts
> regarding DM-Verity please clarify it.
>
>
> 1. When dm-verity validation fails, do we lose access to the file? And how
> about accessing the rest of the filesystem?
You lose access to the affected files, but the rest of the filesystem is
still accessible.
> 2. Is there any recovery mechanism for a validation failure?
No.
> 3. How do we update a DM-Verity filesystem? Can it be done on a file basis?
> I believe that dm-verity works on the blocks & not on the file system, is
> that true?
You don't update it. You create the filesystems, then calculate dm-verity
checksums and then mount it read only.
Yes, dm-verity works on blocks.
> 4. Can we use dm-verity for any filesystem (say UBIFS)? Is there any
> restriction on filesystem?
You can use it for any filesystem.
> 5. How to update DM-Verity device without removing device mapping. I tried
> mounting the dm-verity target but it fails
You can't update it.
If you want to update it, you need to unmount the filesystem, unload the
dm-verity target, mount the underlying device read-write, make changes,
unmount it, recreate checksums with veritysetup, load the dm-verity target
and mount it read only.
> Thanks in advance,
> Pavan Kumar P
Mikulas
* Re: DM-Verity Tool
From: pavankumar.p @ 2013-05-31 16:15 UTC (permalink / raw)
To: Mikulas Patocka
Cc: pavankumar.p, Marian Csontos, Milan Broz,
device-mapper development
Hi Mikulas,
Thanks for the reply.
Pavan>> 5. How to update DM-Verity device without removing device mapping.
Pavan>> I tried mounting the dm-verity target but it fails
Mikulas>
Mikulas> You can't update it.
Mikulas>
Mikulas> If you want to update it, you need to unmount the filesystem,
Mikulas> unload the dm-verity target, mount the underlying device read-write, make
Mikulas> changes, unmount it, recreate checksums with veritysetup, load the
Mikulas> dm-verity target and mount it read only.
If the filesystem is mounted as read-only, how can the filesystem be
modified or corrupted (without removing mapping)? How can we test the
dm-verity functionality?
Thanks,
Pavan
* Re: DM-Verity Tool
From: Will Drewry @ 2013-06-03 12:39 UTC (permalink / raw)
To: device-mapper development
Cc: Marian Csontos, pavankumar.p, Mikulas Patocka, Milan Broz
On Fri, May 31, 2013 at 11:15 AM, <pavankumar.p@globaledgesoft.com> wrote:
>
> Hi Mikulas,
>
> Thanks for the reply.
>
> Pavan>> 5. How to update DM-Verity device without removing device mapping.
> I tried mounting the dm-verity target but it fails
> Mikulas>
> Mikulas> You can't update it.
> Mikulas>
> Mikulas> If you want to update it, you need to unmount the filesystem,
> unload the dm-verity target, mount the underlying device read-write, make
> changes, unmount it, recreate checksums with veritysetup, load the
> dm-verity target and mount it read only.
>
> If the filesystem is mounted as read-only, how the filesystem can be
> modified or corrupted (without removing mapping)? How we can test the
> dm-verity functionality?
>
I believe Milan already pointed out a test example, but the very
easiest way to do it is to dd data over part of the underlying block
device, then dd it out via the dm-verity device. If the system has
already read it, you'll need to drop_caches first. Something like:
    dd if=/dev/zero of=/dev/sdb3 bs=1 count=1 seek=4097 # write somewhere that was non-zero
    echo 3 > /proc/sys/vm/drop_caches
    dd if=/dev/dm-0 of=/dev/null bs=1 count=1 skip=4097 # read, get EIO
hth,
will
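
A simplified model of the per-block hash tree behind the answers in this thread: one changed data byte fails only its own block, a changed hash block fails every data block beneath it, and any change to the data gives a different root hash, which is why the checksums have to be recreated after an update. This is an added example, not code from the thread, the kernel or cryptsetup; the 300-block image, the all-zero salt and the function names are constructed, and the in-memory layout is a model rather than the on-disk format.

```python
import errno
import hashlib

BLOCK = 4096               # data and hash block size used in this model
DIGEST = 32                # sha256 digest size
FANOUT = BLOCK // DIGEST   # digests stored per hash block

def h(salt, block):
    return hashlib.sha256(salt + block).digest()

def build_tree(data, salt):
    """Hash every data block, pack the digests into hash blocks, repeat up to one root."""
    digests = [h(salt, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK)]
    levels = []
    while True:
        level = [b"".join(digests[i:i + FANOUT]).ljust(BLOCK, b"\0")
                 for i in range(0, len(digests), FANOUT)]
        levels.append(level)
        if len(level) == 1:
            return levels, h(salt, level[0])
        digests = [h(salt, hb) for hb in level]

def read_block(data, levels, root, salt, n):
    """Return data block n, or raise EIO if it or any hash block above it fails."""
    block = bytes(data[n * BLOCK:(n + 1) * BLOCK])
    want, idx = h(salt, block), n
    for level in levels:
        hb = level[idx // FANOUT]
        off = (idx % FANOUT) * DIGEST
        if hb[off:off + DIGEST] != want:
            raise OSError(errno.EIO, "block %d failed verification" % n)
        want, idx = h(salt, hb), idx // FANOUT
    if want != root:
        raise OSError(errno.EIO, "block %d failed verification" % n)
    return block

def failing_blocks(data, levels, root, salt):
    """Read every block through the verifier and list the ones that fail."""
    bad = []
    for n in range(len(data) // BLOCK):
        try:
            read_block(data, levels, root, salt, n)
        except OSError:
            bad.append(n)
    return bad

def demo():
    salt = bytes(32)                                   # constructed salt
    image = bytearray(b"".join(bytes([n % 251 + 1]) * BLOCK for n in range(300)))
    levels, root = build_tree(image, salt)
    saved = image[4097]
    image[4097] = 0                                    # same byte offset as the dd above
    data_bad = failing_blocks(image, levels, root, salt)
    _, new_root = build_tree(image, salt)              # "recreate checksums"
    image[4097] = saved                                # restore the data ...
    hb = bytearray(levels[0][2])
    hb[0] ^= 1                                         # ... and damage a hash block instead
    levels[0][2] = bytes(hb)
    hash_bad = failing_blocks(image, levels, root, salt)
    return data_bad, hash_bad, new_root != root

if __name__ == "__main__":
    print(demo())
```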