Support activation options for error handling modes in dm-verity.

This patch adds veritysetup support for these Linux kernel dm-verity options: --ignore-corruption - dm-verity just logs detected corruption --restart-on-corruption - dm-verity restarts the kernel if corruption is detected If the options above are not specified, default behaviour for dm-verity remains. Default is that I/O operation fails with I/O error if corrupted block is detected. --ignore-zero-blocks - Instructs dm-verity to not verify blocks that are expected to contain zeroes and always return zeroes directly instead. NOTE that these options could have serious security or functional impacts, do not use them without assessing the risks!
2025-12-12 11:20:10 +01:00 · 2016-05-04 10:07:47 +02:00
parent a89e6e6e89
commit 8030bd0593
7 changed files with 181 additions and 24 deletions
--- a/lib/libcryptsetup.h
+++ b/lib/libcryptsetup.h
@@ -3,8 +3,8 @@
 *
 * Copyright (C) 2004, Jana Saout <jana@saout.de>
 * Copyright (C) 2004-2007, Clemens Fruhwirth <clemens@endorphin.org>
- * Copyright (C) 2009-2015, Red Hat, Inc. All rights reserved.
- * Copyright (C) 2009-2015, Milan Broz
+ * Copyright (C) 2009-2016, Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2009-2016, Milan Broz
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
@@ -752,6 +752,12 @@ int crypt_keyslot_destroy(struct crypt_device *cd, int keyslot);
 #define CRYPT_ACTIVATE_SAME_CPU_CRYPT (1 << 6)
 /** use submit_from_crypt_cpus for dm-crypt */
 #define CRYPT_ACTIVATE_SUBMIT_FROM_CRYPT_CPUS (1 << 7)
+/** dm-verity: ignore_corruption flag - ignore corruption, log it only */
+#define CRYPT_ACTIVATE_IGNORE_CORRUPTION (1 << 8)
+/** dm-verity: restart_on_corruption flag - restart kernel on corruption */
+#define CRYPT_ACTIVATE_RESTART_ON_CORRUPTION (1 << 9)
+/** dm-verity: ignore_zero_blocks - do not verify zero blocks */
+#define CRYPT_ACTIVATE_IGNORE_ZERO_BLOCKS (1 << 10)


 /**