[dm-crypt] verity setup on active device.
shivaramakrishnan740 at gmail.com
Mon Apr 7 05:11:58 CEST 2014
I had a question here. So if I sign an image file for a virtual machine
using the command, how do I verify that the image file has not changed?
gpg --output web-test.img.sig --sign web-test.img
Executing the above gives me a "web-test.img.sig" file. Would verifying
this be sufficient?
gpg --verify web-test.img.sig
gpg: Signature made Sun 06 Apr 2014 09:57:16 PM EDT using RSA key ID
gpg: Good signature from "shiva (test) <abc. at outlook.com>
Should I boot the image now using the .sig file?Looking forward to your
On Sun, Apr 6, 2014 at 3:44 AM, Milan Broz <gmazyland at gmail.com> wrote:
> On 04/06/2014 12:11 AM, Shivaramakrishnan Vaidyanathan wrote:
> > I have a few questions in this regard. I am ready to perform the offline
> > integrity check. I can have the image files in the nfs-share archived
> > live to another partition that is not mounted. Will I be able to
> > perform the integrity check at the block level in this case? Each time
> > the virtual machine boots up, I need to be able to verify that the image was
> > the same as at the previous boot. Is this achievable?
> > Will these steps work?
> > 1. Image file (VM1 - virtual hard disk file mounted in nfs share)
> > 2. I rsync the directory of the nfs-share to another partition.
> > 3. Then will I be able to tell whether the virtual image file has
> > been altered/changed since the previous boot?
> I am not sure if I understand what you are trying to do here, but if it
> is a file image (full device image shared on NFS), why not use a simple gpg
> file signature and verify it before the VM boots?
> > Also I don't get the notion "Dm-verity was designed to provide
> > verification of (read-only) device (to provide verified boot path), all IOs
> > must go through dm-verity."
> dm-verity was designed for ChromeOS for verified boot, IOW it verifies
> blocks on the underlying block device on-the-fly (when the system reads them
> through the verity mapped device).
> This means that dm-verity must be the underlying device for all read
> operations (to allow it to stop reads once it detects a wrong hash).
> I know documentation is terse but at least something is here
> http://code.google.com/p/cryptsetup/wiki/DMVerity (see Theory of
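Milan's point that every read must pass through dm-verity so a bad hash can stop the I/O, shown as an added example that is not from this thread or from the cryptsetup project: a simplified Python model of a verity hash tree. It assumes constructed 16-byte blocks, a fan-out of 4 and salt-prefixed SHA-256, not the real on-disk format; each read is hashed and chained up to a root hash that is trusted from elsewhere (kernel command line, signed metadata), and a block is refused if any link in that chain fails.

```python
import hashlib

BLOCK_SIZE = 16  # constructed: tiny blocks so the tree is easy to inspect (real dm-verity: 4096)
FANOUT = 4       # constructed: hashes per tree node (real dm-verity: block_size / digest_size)

def _h(data: bytes, salt: bytes) -> bytes:
    # dm-verity salts every digest; this toy model prepends the salt to the hashed data
    return hashlib.sha256(salt + data).digest()

def _block(image: bytes, index: int) -> bytes:
    return image[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")

def build_tree(image: bytes, salt: bytes) -> list:
    """Hash tree over the image: levels[0] = one hash per data block, levels[-1] = [root]."""
    nblocks = (len(image) + BLOCK_SIZE - 1) // BLOCK_SIZE
    level = [_h(_block(image, i), salt) for i in range(nblocks)]
    levels = [level]
    while len(level) > 1:
        level = [_h(b"".join(level[i:i + FANOUT]), salt) for i in range(0, len(level), FANOUT)]
        levels.append(level)
    return levels

def verity_read(image: bytes, levels: list, root_hash: bytes, salt: bytes, index: int) -> bytes:
    """One read through the verity device: return the block only if its hash chains to the root."""
    blk = _block(image, index)
    expected = _h(blk, salt)          # what the stored leaf hash must be
    pos = index
    for lvl in range(len(levels) - 1):
        if levels[lvl][pos] != expected:
            raise IOError(f"verity: block {index} hash mismatch at tree level {lvl}")
        start = pos - pos % FANOUT    # the sibling group that forms the parent's input
        expected = _h(b"".join(levels[lvl][start:start + FANOUT]), salt)
        pos //= FANOUT
    if expected != root_hash:         # the root comes from a trusted source, not from the disk
        raise IOError(f"verity: block {index} does not chain to the trusted root hash")
    return blk

def block_is_ok(image: bytes, levels: list, root_hash: bytes, salt: bytes, index: int) -> bool:
    try:
        verity_read(image, levels, root_hash, salt, index)
        return True
    except IOError:
        return False

# Constructed sample "device": 10 blocks of 16 bytes, plus a fixed salt.
IMAGE = bytes(range(160))
SALT = b"constructed-salt"
LEVELS = build_tree(IMAGE, SALT)
ROOT_HASH = LEVELS[-1][0]   # in practice supplied out of band, e.g. on the kernel command line
```

Flipping a single byte in one block makes `verity_read` fail for that block only, while every other block still verifies, which is why a rsync'd copy checked after the fact cannot replace an in-path check at read time.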