Allow to pass the root hash via a file, rather than verbatim on
the command line, for the open/verify/format actions.
It is much more convenient when using veritysetup in scripts.
[some modifications by mbroz:]
- Add additional syntax and option description to man page.
- Fix a segfault with non-existing path.
- Do not read full file.
- Small refactor for argc handling and option processing.
Optional parameter root hash signature is added that can be added to
veritysetup.
The signature file is opened and the signature is added to the keyring.
The kernel will use the signature to validate the roothash.
Usage: veritysetup open <data_device> name <hash_device> <root_hash> --root-hash-signature=<roothash_p7_sig_file>
Signed-off-by: Jaskaran Khurana <jaskarankhurana@linux.microsoft.com>
Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
[Original patch rewritten by Milan Broz]
The kernel 4.17 will include a new dm-verity flag that
instructs kernel to verify data blocks only once.
This patch adds support for it to libcryptsetup and veritysetup.
This flag can be dangerous; if you can control underlying device
(you can change its content after it was verified) it will no longer
prevent reading tampered data and also it does not prevent to silent
data corrruptions that appears after the block was once read.
This patch adds veritysetup support for these Linux kernel dm-verity options:
--ignore-corruption - dm-verity just logs detected corruption
--restart-on-corruption - dm-verity restarts the kernel if corruption is detected
If the options above are not specified, default behaviour for dm-verity remains.
Default is that I/O operation fails with I/O error if corrupted block is detected.
--ignore-zero-blocks - Instructs dm-verity to not verify blocks that are expected
to contain zeroes and always return zeroes directly instead.
NOTE that these options could have serious security or functional impacts,
do not use them without assessing the risks!
