[dm-crypt] verity setup on active device.

Shivaramakrishnan Vaidyanathan shivaramakrishnan740 at gmail.com
Mon Apr 7 05:11:58 CEST 2014


I had a question here. So if I sign an image file for a virtual machine
using the command below, how do I verify that the image file has not changed?
gpg --output web-test.img.sig --sign web-test.img

Executing the above gives me a "web-test.img.sig" file. Would verifying
this be sufficient?

gpg --verify web-test.img.sig

gpg: Signature made Sun 06 Apr 2014 09:57:16 PM EDT using RSA key ID 3D3AC480

gpg: Good signature from "shiva (test) <abc. at outlook.com>"


Should I boot the image now using the .sig file? Looking forward to your
reply.





On Sun, Apr 6, 2014 at 3:44 AM, Milan Broz <gmazyland at gmail.com> wrote:

> On 04/06/2014 12:11 AM, Shivaramakrishnan Vaidyanathan wrote:
> > I have a few questions in this regard. I am ready to perform the offline
> > integrity check. I can have the image files in the nfs-share archived
> > live to another partition that is not mounted. Will I be able to
> > perform the integrity check at the block level in this case? Each time
> > a virtual machine boots up, I need to be able to verify if the image was
> > the same as at the previous boot. Is this achievable?
> >
> > Will these steps work?
> > 1. Image file (VM1 - virtual hard disk file mounted in an nfs-share
> > partition).
> > 2. I rsync the directory of the nfs-share to another partition.
> > 3. Then will I be able to tell whether the virtual image file has
> > been altered/changed since the previous boot?
>
> I am not sure if I understand what you are trying to do here, but if it
> is a file image (full device image shared on nfs), why not use a simple gpg
> file signature and verify it before the VM boots?
>
> ...
>
> > Also I don't get the notion "Dm-verity was designed to provide
> > verification of (read-only) device (to provide verified boot path), all IOs
> > must go through dm-verity."
>
> The dm-verity was designed for ChromeOS for verified boot, IOW it verifies
> blocks on the underlying block device on the fly (when the system reads them
> through the verity mapped device).
> This means that dm-verity must be the underlying device for all read
> operations (to allow it to stop reads once it detects a wrong hash).
>
> I know documentation is terse but at least something is here
> http://code.google.com/p/cryptsetup/wiki/DMVerity (see Theory of
> operation).
>
> Milan
>
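The "Theory of operation" Milan refers to, as an added example that is not part of this thread and is not cryptsetup/veritysetup code: a toy Python model of how dm-verity checks every block it serves. The image is split into fixed-size blocks, a hash tree is built over them, and only the root hash has to be trusted (with veritysetup it is passed to `veritysetup open` or the kernel command line); the hash tree itself can live on untrusted storage. A read recomputes the path from the block's hash up to the root and fails the I/O if the result does not match the trusted root. The 4096-byte block size and SHA-256 match dm-verity's defaults; the function names and the five-block sample image are constructed for illustration.

```python
"""Toy model of dm-verity-style on-the-fly block verification.

Not cryptsetup/veritysetup code: an illustration of the mechanism only.
The sample image and all function names below are constructed for it.
"""
import hashlib

BLOCK_SIZE = 4096       # dm-verity default data block size
HASH = hashlib.sha256   # dm-verity default hash algorithm


def hash_block(data: bytes) -> bytes:
    return HASH(data).digest()


def split_blocks(image: bytes) -> list:
    """Split the image into fixed-size blocks; the last one is zero-padded."""
    return [image[off:off + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
            for off in range(0, len(image), BLOCK_SIZE)]


def build_tree(image: bytes) -> list:
    """Return the tree levels: levels[0] holds the data block hashes,
    levels[-1] the single root hash. An odd node count at a level is
    handled by duplicating the last node."""
    level = [hash_block(b) for b in split_blocks(image)]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:
            level = level + [level[-1]]
        level = [hash_block(level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def root_hash(levels: list) -> bytes:
    return levels[-1][0]


def verified_read(image: bytes, levels: list, trusted_root: bytes,
                  index: int) -> bytes:
    """Read block `index` through the verity check.

    The sibling hashes come from the (untrusted) stored tree; the check
    only passes if the recomputed path ends at `trusted_root`. On mismatch
    the read fails, as dm-verity fails the I/O instead of returning data.
    """
    block = split_blocks(image)[index]
    node = hash_block(block)
    pos = index
    for level in levels[:-1]:
        padded = level + [level[-1]] if len(level) % 2 else level
        sibling = padded[pos ^ 1]
        node = hash_block(node + sibling) if pos % 2 == 0 \
            else hash_block(sibling + node)
        pos //= 2
    if node != trusted_root:
        raise IOError("verity: hash mismatch for block %d" % index)
    return block


def demo() -> dict:
    """Run the model on a constructed 5-block image and report what happens
    when one block is altered underneath the verity device."""
    # Constructed sample image: five blocks, each filled with its own index.
    image = b"".join(bytes([i]) * BLOCK_SIZE for i in range(5))
    levels = build_tree(image)
    root = root_hash(levels)            # the only value that must be trusted

    clean_read = verified_read(image, levels, root, 3) == bytes([3]) * BLOCK_SIZE

    # Attacker flips one byte in block 2 but leaves the stored tree untouched.
    tampered = bytearray(image)
    tampered[2 * BLOCK_SIZE + 100] ^= 0xFF
    tampered = bytes(tampered)

    untouched_block_ok = verified_read(tampered, levels, root, 0) == bytes([0]) * BLOCK_SIZE
    try:
        verified_read(tampered, levels, root, 2)
        tampered_block_rejected = False
    except IOError:
        tampered_block_rejected = True

    # Attacker also rebuilds the hash tree to match: the root changes, so the
    # read still fails against the externally trusted root.
    rebuilt = build_tree(tampered)
    try:
        verified_read(tampered, rebuilt, root, 2)
        rebuilt_tree_rejected = False
    except IOError:
        rebuilt_tree_rejected = True

    return {
        "clean_read": clean_read,
        "untouched_block_ok": untouched_block_ok,
        "tampered_block_rejected": tampered_block_rejected,
        "root_changed": root_hash(rebuilt) != root,
        "rebuilt_tree_rejected": rebuilt_tree_rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The `untouched_block_ok` result is the practical difference from the gpg approach discussed above: a whole-file signature is checked once before boot and says nothing about what is read later, whereas verity checks each block as it is read, so a block altered after the boot-time check is still caught the moment the guest touches it, at the cost of the device being read-only and every read passing through the verity mapping. On the gpg side, note that `gpg --sign` as used in the post writes a signed (and by default compressed) copy of the whole image into the `.sig` file; `gpg --detach-sign` produces a small detached signature, which is verified with `gpg --verify web-test.img.sig web-test.img` against the original image.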
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.saout.de/pipermail/dm-crypt/attachments/20140406/5599b3d7/attachment.html>

