diff --git a/lib/verity/verity_hash.c b/lib/verity/verity_hash.c
index 2f10f54e..13b4c531 100644
--- a/lib/verity/verity_hash.c
+++ b/lib/verity/verity_hash.c
@@ -373,7 +373,7 @@ out:
 			log_err(cd, _("Verification of data area failed."));
 		else {
 			log_dbg(cd, "Verification of data area succeeded.");
-			r = memcmp(root_hash, calculated_digest, digest_size) ? -EPERM : 0;
+			r = memcmp(root_hash, calculated_digest, digest_size) ? -EINVAL : 0;
 			if (r)
 				log_err(cd, _("Verification of root hash failed."));
 			else
diff --git a/tests/verity-compat-test b/tests/verity-compat-test
index 23052bc8..f41a4f52 100755
--- a/tests/verity-compat-test
+++ b/tests/verity-compat-test
@@ -86,6 +86,30 @@ function compare_out() # $1 what, $2 expected
 	[ $OPT != $2 ] && fail "$1 differs ($2)"
 }
 
+function check_root_hash_fail()
+{
+	echo -n "Root hash check "
+	ARR=(`$VERITYSETUP format $IMG $IMG_HASH --fec-device $FEC_DEV --fec-roots 2 -h sha256`)
+	ROOT_HASH=${ARR[28]}
+	ROOT_HASH_BAD=abcdef0000000000000000000000000000000000000000000000000000000000
+
+	$VERITYSETUP verify $IMG $IMG_HASH $ROOT_HASH || fail
+	$VERITYSETUP verify $IMG $IMG_HASH $ROOT_HASH_BAD >/dev/null 2>&1 && fail
+	$VERITYSETUP verify $IMG $IMG_HASH $ROOT_HASH_BAD --fec-device $FEC_DEV --fec-roots 2 >/dev/null 2>&1 && fail
+
+	$VERITYSETUP open $IMG $DEV_NAME $IMG_HASH $ROOT_HASH || fail
+	check_exists
+	dmsetup status $DEV_NAME | grep "verity V" >/dev/null || fail
+	$VERITYSETUP close $DEV_NAME >/dev/null 2>&1 || fail
+
+	$VERITYSETUP open $IMG $DEV_NAME $IMG_HASH $ROOT_HASH_BAD >/dev/null 2>&1 || fail
+	check_exists
+	dmsetup status $DEV_NAME | grep "verity C" >/dev/null || fail
+	$VERITYSETUP close $DEV_NAME >/dev/null 2>&1 || fail
+
+	echo "[OK]"
+}
+
 function check_root_hash() # $1 size, $2 hash, $3 salt, $4 version, $5 hash, [$6 offset]
 {
 	if [ -z "$LOOPDEV2" ] ; then
@@ -390,6 +414,8 @@ SALT=e48da609055204e89ae53b655ca2216dd983cf3cb829f34f63a297d106d53e2d
 
 echo "Verity tests [separate devices]"
 prepare 8192 1024
+check_root_hash_fail
+
 check_root_hash  512 9de18652fe74edfb9b805aaed72ae2aa48f94333f1ba5c452ac33b1c39325174 $SALT 1 sha256
 check_root_hash 1024 54d92778750495d1f80832b486ebd007617d746271511bbf0e295e143da2b3df $SALT 1 sha256
 check_root_hash 4096 e522df0f97da4febb882ac40f30b37dc0b444bf6df418929463fa25280f09d5c $SALT 1 sha256