.TH VERITYSETUP "8" "June 2012" "veritysetup" "Maintenance Commands"
veritysetup - manage dm-verity (block level verification) volumes
.B veritysetup <options> <action> <action args>
veritysetup is used to configure dm-verity managed device-mapper mappings.
Device-mapper verity target provides read-only transparent integrity
checking of block devices using kernel crypto API.
The dm-verity devices are always read-only.
veritysetup supports these operations:
\fIformat\fR <data_device> <hash_device>
Calculates and permanently stores hash verification data for data_device.
The hash area can be located on the same device after the data if specified
by the \-\-hash\-start option.
Note that you need to provide the reported root hash for device verification
or activation. This hash must be trusted.
\fB<options>\fR can be [\-\-hash, \-\-no-superblock, \-\-format,
\-\-data-block-size, \-\-hash-block-size, \-\-data-blocks, \-\-hash-start,
\fIcreate\fR <name> <data_device> <hash_device> <root_hash>
Creates a mapping with <name> backed by device <data_device> and using
<hash_device> for in-kernel verification.
The <root_hash> is a hexadecimal string.
\fB<options>\fR can be [\-\-hash-start, \-\-no-superblock]
If option \-\-no-superblock is used, you have to use the same options
as in format operation.
Removes the existing mapping <name>.
Reports the status for the active verity mapping <name>.
\fIdump\fR <hash_device>
Reports the parameters of verity device from on-disk stored superblock.
\fB<options>\fR can be [\-\-no-superblock]
Print more information on command execution.
Run in debug mode with full diagnostic logs. Debug output
lines are always prefixed by '#'.
Create or use dm-verity without permanent on-disk superblock.
Specifies the hash version type.
Format type 0 is the original Chrome OS version. Format type 1 is the default.
.B "\-\-data-block-size=bytes
Used block size for the data device.
(Note kernel supports only page-size as maximum here.)
.B "\-\-hash-block-size=bytes
Used block size for the hash device.
(Note kernel supports only page-size as maximum here.)
.B "\-\-data-blocks=blocks
Size of data device used in verification.
If not specified, the whole device is used.
.B "\-\-hash-start=512-bytes sectors
Offset of hash area/superblock on hash_device.
.B "\-\-salt=hex string
Salt used for format or verification.
Format is hexadecimal string.
Show the program version.
Veritysetup returns 0 on success and a non-zero value on error.
Error codes are: 1 wrong parameters, 2 no permission,
3 out of memory, 4 wrong device specified, 5 device already exists
Report bugs, including ones in the documentation, on
the cryptsetup mailing list at <dm-crypt@saout.de>
or in the 'Issues' section on the LUKS website.
Please attach the output of the failed command with the
\-\-debug option added.
The first implementation of veritysetup was written by Chromium OS authors.
This version is based on verification code written by Mikulas Patocka <mpatocka@redhat.com>
and rewritten for libcryptsetup by Milan Broz <gmazyland@gmail.com>.
Copyright \(co 2012 Red Hat, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
The project website at \fBhttp://code.google.com/p/cryptsetup/\fR
The verity on-disk format specification is available at
\fBhttp://code.google.com/p/cryptsetup/wiki/DMCrypt\fR