[dm-crypt] How to mount a dm-verity volume?

Gyula Kovács gyula.kovacs.kkb.tech at gmail.com
Thu Jul 14 19:19:38 CEST 2016


Dear All,

I'm trying to bring up and run a small read-only partition using dm-verity.
A short description of my platform:
- CPU core: ARM Cortex A7
- Kernel version: 3.10.49
- CONFIG_DM_VERITY is set to "y" in the kernel configuration.
- The read only partition is a squashfs on ubiblock. The ubiblock was 
back-ported from kernel 3.15.
- The verity_key file was not created in the boot directory.
I followed this description: 
https://nelenkov.blogspot.hu/2014/05/using-kitkat-verified-boot.html?view=classic
I could finish the setup procedure successfully.

I tried two usage scenarios:

1. Creating a mapping device on target
I executed the following commands:
- veritysetup --hash-offset=HASH_OFFSET create vrty /dev/ubiblock0_9 /dev/ubiblock0_9 GOOD_ROOT_DIGEST
- mount -t squashfs -o ro /dev/mapper/vrty /sbro/
I could read the partition as expected.
I repeated the test above with a corrupt partition image (one byte was changed in the data area).
I couldn't read the partition, as expected.
I did a test with a bad digest:
- veritysetup --hash-offset=HASH_OFFSET create vrty /dev/ubiblock0_9 /dev/ubiblock0_9 BAD_ROOT_DIGEST
- mount -t squashfs -o ro /dev/mapper/vrty /sbro/
I couldn't read the partition, as expected.
In summary, dm-verity was working as expected.

2. I tried to mount the block device according to the description on the
https://nelenkov.blogspot.hu/2014/05/using-kitkat-verified-boot.html?view=classic
page.
I added the following line to the fstab file:
/dev/ubiblock0_9    /sbro    squashfs    ro,wait,verify
I created the ubiblock device with the "ubiblock -c /dev/ubi0_9" command.
After executing the "mount -a" command I could read the content of the /sbro directory.
But according to the description, without the verity_key file the partition shouldn't be readable.
I repeated my test with a corrupt partition image, and I could read it.

In summary:
dm-verity works fine when I mount a mapping device, but it does not work (it always allows reading the partition) when I mount the block device.

What did I do wrong with the direct mounting? What step(s) did I miss?

Best regards,
Gyula Kovacs
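Added here as an illustration of what scenario 1 above is actually checking, and not part of the original post nor code from cryptsetup or the kernel: a minimal Python model of the dm-verity (format version 1) hash tree, showing why a one-byte change in the data area fails the affected read and why a wrong root digest fails every read. The salt, the image contents and the 4096-byte block size are constructed for the demo, and the on-disk layout (superblock, hash offset) is not modelled.

```python
import hashlib

BLOCK = 4096                 # data and hash block size (constructed for the demo)
PER_BLOCK = BLOCK // 32      # 128 SHA-256 digests fit in one hash block


def _h(salt: bytes, block: bytes) -> bytes:
    # dm-verity format version 1 hashes salt || block
    return hashlib.sha256(salt + block).digest()


def build_tree(data: bytes, salt: bytes) -> list:
    """Hash tree as a list of levels, leaves first; the top level holds one
    hash. Hash blocks are zero-padded, as veritysetup formats them."""
    assert len(data) % BLOCK == 0, "image must be a whole number of blocks"
    level = [_h(salt, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK)]
    levels = [level]
    while len(level) > 1:
        blocks = [b"".join(level[i:i + PER_BLOCK]).ljust(BLOCK, b"\0")
                  for i in range(0, len(level), PER_BLOCK)]
        level = [_h(salt, blk) for blk in blocks]
        levels.append(level)
    return levels


def root_digest(data: bytes, salt: bytes) -> bytes:
    """The value passed as GOOD_ROOT_DIGEST on the veritysetup command line."""
    return build_tree(data, salt)[-1][0]


def verify_block(levels, data: bytes, idx: int, salt: bytes, root: bytes) -> bool:
    """Check data block idx the way the kernel does on each read: hash the
    block, then hash every (untrusted, on-disk) hash block on the path up to
    the trusted root digest. A corrupt block or a wrong root fails the read."""
    ok = _h(salt, data[idx * BLOCK:(idx + 1) * BLOCK]) == levels[0][idx]
    for lvl in range(len(levels) - 1):
        parent = idx // PER_BLOCK
        stored = levels[lvl][parent * PER_BLOCK:(parent + 1) * PER_BLOCK]
        blk = b"".join(stored).ljust(BLOCK, b"\0")
        ok &= _h(salt, blk) == levels[lvl + 1][parent]
        idx = parent
    return ok and levels[-1][0] == root


if __name__ == "__main__":
    salt = bytes(range(32))                            # constructed salt
    image = bytes(range(256)) * (300 * BLOCK // 256)   # constructed 300-block image
    tree, root = build_tree(image, salt), root_digest(image, salt)
    corrupt = bytearray(image)
    corrupt[2 * BLOCK + 7] ^= 0x01                     # one byte changed in the data area
    print("good read:", verify_block(tree, image, 2, salt, root))             # True
    print("corrupt data:", verify_block(tree, bytes(corrupt), 2, salt, root))  # False
    print("bad digest:", verify_block(tree, image, 2, salt, bytes(32)))        # False
```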



More information about the dm-crypt mailing list