[dm-devel] DM-Verity Tool

Will Drewry redpig at dataspill.org
Mon Jun 3 12:39:16 UTC 2013


On Fri, May 31, 2013 at 11:15 AM, <pavankumar.p at globaledgesoft.com> wrote:
>
> Hi Mikulas,
>
> Thanks for the reply.
>
> Pavan>> 5. How to update DM-Verity device without removing device mapping.
> I tried mounting the dm-verity target but it fails
> Mikulas>
> Mikulas> You can't update it.
> Mikulas>
> Mikulas> If you want to update it, you need to unmount the filesystem,
> unload the dm-verity target, mount the underlying device read-write, make
> changes, unmount it, recreate checksums with veritysetup, load the
> dm-verity target and mount it read only.
>
> If the filesystem is mounted as read-only, how can the filesystem be
> modified or corrupted (without removing mapping)? How can we test the
> dm-verity functionality?
>

I believe Milan already pointed out a test example, but the very
easiest way to do it is to dd data over part of the underlying block
device, then dd it out via the dm-verity device.  If the system has
already read it, you'll need to drop_caches first.  Something like:

dd if=/dev/zero of=/dev/sdb3 bs=1 count=1 seek=4097 # write somewhere that was non-zero
echo 3 > /proc/sys/vm/drop_caches
dd if=/dev/dm-0 of=/dev/null bs=1 count=1 skip=4097 #read, get EIO

hth,
will

> >
> > On Thu, 30 May 2013, pavankumar.p at globaledgesoft.com wrote:
> >
> >> Hi All,
> >>    Thanks for your answers to previous questions. I have some more doubts
> >> regarding DM-Verity please clarify it.
> >> 1. When dm-verity validation fails, do we lose access to the file?  And how
> >> about accessing the rest of the filesystem?
> >
> > You lose access to the affected files, but the rest of the filesystem is
> > still accessible.
> >
> >> 2. Is there any recovery mechanism for a validation failure?
> >
> > No.
> >
> >> 3. How do we update a DM-Verity filesystem?  Can it be done on a file basis?
> >> I believe that dm-verity works on the blocks & not on the file system, is
> >> that true?
> >
> > You don't update it. You create the filesystems, then calculate dm-verity
> > checksums and then mount it read only.
> >
> > Yes, dm-verity works on blocks.
> >
> >> 4. Can we use dm-verity for any filesystem (say UBIFS)? Is there any
> >> restriction on filesystem?
> >
> > You can use it for any filesystem.
> >
> >> 5. How to update DM-Verity device without removing device mapping. I tried
> >> mounting the dm-verity target but it fails
> >
> > You can't update it.
> >
> > If you want to update it, you need to unmount the filesystem, unload the
> > dm-verity target, mount the underlying device read-write, make changes,
> > unmount it, recreate checksums with veritysetup, load the dm-verity target
> > and mount it read only.
> >
> >> Thanks in advance,
> >> Pavan Kumar P
> >
> > Mikulas
> >
>
>
>
> --
> dm-devel mailing list
> dm-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/dm-devel
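
The behaviour discussed in this thread (one overwritten byte on the underlying device makes reads of that block fail with EIO while the rest stays readable), as an added example that is not part of the original messages and not dm-verity's code. It is a simplified in-memory model of a salted SHA-256 hash tree, not the kernel's on-disk format; the function names, the salt and the sample image are constructed for illustration.

```python
import errno
import hashlib

BLOCK = 4096               # data and hash block size assumed for this model
PER_NODE = BLOCK // 32     # SHA-256 digests held by one hash block

def hash_block(salt, data):
    return hashlib.sha256(salt + data.ljust(BLOCK, b"\0")).digest()

def build_tree(image, salt):
    """Return (levels, root); levels[0] holds one digest per data block."""
    level = [hash_block(salt, image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]
    levels = [level]
    while len(level) > 1:
        packed = b"".join(level)
        level = [hash_block(salt, packed[i:i + BLOCK]) for i in range(0, len(packed), BLOCK)]
        levels.append(level)
    return levels, level[0]

def read_block(device, levels, root, salt, n):
    """Model of a read through the verity target: check block n up to the root."""
    digest, idx = hash_block(salt, bytes(device[n * BLOCK:(n + 1) * BLOCK])), n
    for depth, level in enumerate(levels):
        if level[idx] != digest:
            raise OSError(errno.EIO, f"block {n}: hash mismatch at tree level {depth}")
        if len(level) > 1:      # hash the stored hash block that holds this digest
            node = idx // PER_NODE
            packed = b"".join(level[node * PER_NODE:(node + 1) * PER_NODE])
            digest, idx = hash_block(salt, packed), node
    if digest != root:          # only the root hash is trusted
        raise OSError(errno.EIO, f"block {n}: root hash mismatch")
    return bytes(device[n * BLOCK:(n + 1) * BLOCK])

def corruption_test(offset=4097, blocks=200):
    """Zero one byte of a constructed image, as the dd test does, and read back."""
    pattern = bytes(range(1, 256))          # constructed data, every byte non-zero
    image = (pattern * (blocks * BLOCK // 255 + 1))[:blocks * BLOCK]
    salt = b"constructed-salt"
    levels, root = build_tree(image, salt)  # done once, while the image is pristine
    device = bytearray(image)
    device[offset] = 0                      # dd if=/dev/zero ... bs=1 seek=4097
    results = {}
    for n in (0, offset // BLOCK, blocks - 1):
        try:
            read_block(device, levels, root, salt, n)
            results[n] = "ok"
        except OSError as err:
            results[n] = errno.errorcode[err.errno]
    return results
```

In this model, rewriting a stored leaf digest to match the modified block does not help: the hash block that holds it then fails the check one level up.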



