[dm-crypt] verity setup on active device.

Shivaramakrishnan Vaidyanathan shivaramakrishnan740 at gmail.com
Sun Apr 6 00:26:18 CEST 2014


Also,
http://lwn.net/Articles/533558/ tells that
 "The key advantage over dm-verity is that the target supports read-write
and requires less hash calculation operations. Device-mapper "integrity"
target provides transparent cryptographic integrity protection of
underlying read-write block device using hash-based message authentication
codes (HMACs), which can be stored on the same or different block device."

I don't understand or get the main purpose of this tool. Could you please
explain in a bit more elaborate way. Thanks



On Sat, Apr 5, 2014 at 6:11 PM, Shivaramakrishnan Vaidyanathan <
shivaramakrishnan740 at gmail.com> wrote:

> Thanks Milan for your reply.
> I have few questions in this regard. I am ready to perform the offline
> integrity check. I can have the image files in the nfs-share archived live
> to another partition that is not mounted. Will I be able to perform the
> integrity check at the block level in this case? Each time virtual machine
> boots up, I need to be able to verify if the image was the same as previous
> boot.
> Is this achievable?
>
> Will these steps work?
> 1. Image file (VM1 - Virtual hard disk file mounted in nfs share
> partition).
> 2. I rsync the directory of nfs-share to another partition.
> 3. Then whether I will be able to tell whether the virtual image file has
> been altered/changed from the previous boot?
>
> Can you please provide some details in regard to the implementations
> required in this case?
>
> If you know any other alternatives, it would be great if you could share
> it. Also I don't get the notion "Dm-verity was designed to provide verification
> of (read-only) device (to provide verified boot path), all IOs must go
> through dm-verity."
>
> So what does this mean?
>
>
> On Sat, Apr 5, 2014 at 2:39 PM, Milan Broz <gmazyland at gmail.com> wrote:
>
>> On 04/04/2014 11:34 PM, Shiva wrote:
>> ...
>> > 5. Used the root hash in this command.
>> > veritysetup --debug create nfs /dev/sdb /dev/sdc "root hash"
>> >
>> > Everything works well.
>> > My problem is I am not able to perform step5 for a mounted partition.
>> >
>> > I require a mounted partition since nfs-share will use this partition.
>> > (For addition and deletion)
>> >
>> > Is there a command switch that needs to be performed in order to
>> achieve this?
>>
>> I am afraid this is not possible. Dm-verity was designed to provide
>> verification of (read-only) device (to provide verified boot path),
>> all IOs must go through dm-verity.
>> (So it must be in the stack from the beginning).
>>
>> You cannot just add it later or run it in parallel with a mounted partition.
>> And how can this work if some data are already in the page/fs cache?
>>
>> Milan
>>
>
>
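The offline check discussed in the quoted message (archive the image to an unmounted partition, then tell at the next boot whether it changed since the previous one) can be done at block level without dm-verity being in the I/O stack at all. The following is an added example written for this thread, not code from the thread or from veritysetup: it models what dm-verity computes (a hash tree over fixed-size data blocks with one root hash) and what the LWN article's dm-integrity target computes (a keyed HMAC per block), in simplified form and not in the kernel's on-disk layouts. The image contents, the key and the helper names are constructed for the example.

```python
# Added example: offline, block-level integrity check of an archived VM image.
# Simplified model of dm-verity (hash tree, read-only data) and dm-integrity
# (keyed HMAC per block, read-write data); NOT the kernel's on-disk formats.
# Sample "image" bytes and the key below are constructed for this example.
import hashlib
import hmac

BLOCK_SIZE = 4096  # data block size; veritysetup's default is also 4096 bytes


def block_hashes(image: bytes, block_size: int = BLOCK_SIZE) -> list[bytes]:
    """SHA-256 of every data block. A short final block is zero-padded,
    which is how dm-verity treats a partial last data block."""
    hashes = []
    for off in range(0, len(image), block_size):
        block = image[off:off + block_size].ljust(block_size, b"\0")
        hashes.append(hashlib.sha256(block).digest())
    return hashes


def root_hash(leaves: list[bytes]) -> bytes:
    """Fold the per-block hashes into one root hash with a binary hash tree.
    Assumption: a binary tree is used for clarity; dm-verity packs many child
    hashes into each hash block, but the property is the same: one small root
    value, stored somewhere trusted, covers every block of the image."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])  # odd tail: pair it with a copy of itself
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0]


def snapshot(image: bytes) -> tuple[bytes, list[bytes]]:
    """Taken at boot: root hash plus per-block hashes of the archived image."""
    leaves = block_hashes(image)
    return root_hash(leaves), leaves


def verify(image: bytes, expected_root: bytes,
           expected_leaves: list[bytes]) -> tuple[bool, list[int]]:
    """Compare the current archive copy with the recorded snapshot.
    Returns (unchanged, indices of blocks that differ, were added or removed)."""
    leaves = block_hashes(image)
    if hmac.compare_digest(root_hash(leaves), expected_root):
        return True, []
    n = max(len(leaves), len(expected_leaves))
    changed = [i for i in range(n)
               if i >= len(leaves) or i >= len(expected_leaves)
               or leaves[i] != expected_leaves[i]]
    return False, changed


def hmac_tags(image: bytes, key: bytes,
              block_size: int = BLOCK_SIZE) -> list[bytes]:
    """Keyed per-block tags, the idea behind dm-integrity's HMAC mode.
    An unkeyed hash tree only detects change; whoever can rewrite the archive
    can rewrite stored hashes as well. With the key kept off the archived
    partition, altered blocks cannot be given fresh valid tags."""
    return [hmac.new(key, image[off:off + block_size].ljust(block_size, b"\0"),
                     hashlib.sha256).digest()
            for off in range(0, len(image), block_size)]


def verify_tags(image: bytes, key: bytes, expected_tags: list[bytes]) -> bool:
    """True only if every block's HMAC still matches the recorded tags."""
    tags = hmac_tags(image, key)
    return (len(tags) == len(expected_tags)
            and all(hmac.compare_digest(a, b) for a, b in zip(tags, expected_tags)))


def demo() -> tuple[bool, bool, list[int], bool]:
    # Constructed image: five full 4 KiB blocks plus a 13-byte partial block.
    image = bytes(range(256)) * (BLOCK_SIZE * 5 // 256) + b"tail-of-image"
    root, leaves = snapshot(image)
    key = b"constructed-demo-key-never-stored-with-the-archive"
    tags = hmac_tags(image, key)

    unchanged, _ = verify(image, root, leaves)          # pristine copy
    altered = bytearray(image)
    altered[3 * BLOCK_SIZE + 10] ^= 0x01                  # flip one bit in block 3
    ok, changed = verify(bytes(altered), key and root, leaves)
    return unchanged, ok, changed, verify_tags(bytes(altered), key, tags)


if __name__ == "__main__":
    print(demo())  # (True, False, [3], False)
```

In practice the snapshot (root hash, or the HMAC key and tags) would be written somewhere the archive writer cannot reach, and `verify` would be run over the rsynced copy before the guest is started; the changed-block list is what tells you which part of the image moved, which a plain whole-file checksum cannot.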