From 0dc87d45a8f49a0b8b8d0ce8b8be23658516ae4d Mon Sep 17 00:00:00 2001 From: Milan Broz Date: Mon, 11 Jun 2012 14:56:17 +0200 Subject: [PATCH] Version 1.5.0-rc1. --- ChangeLog | 3 +- configure.in | 2 +- docs/v1.5.0-ReleaseNotes | 141 +++++++++++++++++++++++++++++++++++++++++++++++ man/veritysetup.8 | 13 +++++ 4 files changed, 157 insertions(+), 2 deletions(-) create mode 100644 docs/v1.5.0-ReleaseNotes diff --git a/ChangeLog b/ChangeLog index 71d64ac..e01a57a 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,6 @@ -2012-06-10 Milan Broz +2012-06-11 Milan Broz * Introduce veritysetup for dm-verity target management. + * Version 1.5.0-rc1. 2012-06-10 Milan Broz * Both data and header device can now be a file. diff --git a/configure.in b/configure.in index 3595e2d..3345f0e 100644 --- a/configure.in +++ b/configure.in @@ -1,5 +1,5 @@ AC_PREREQ([2.67]) -AC_INIT([cryptsetup],[1.5.0-git]) +AC_INIT([cryptsetup],[1.5.0-rc1]) dnl library version from ..[-] LIBCRYPTSETUP_VERSION=$(echo $PACKAGE_VERSION | cut -f1 -d-) diff --git a/docs/v1.5.0-ReleaseNotes b/docs/v1.5.0-ReleaseNotes new file mode 100644 index 0000000..fcf356f --- /dev/null +++ b/docs/v1.5.0-ReleaseNotes @@ -0,0 +1,141 @@ +Cryptsetup 1.5.0 RC1 Release Notes +================================== + +This testing release candidate version covers mainly +inclusion of new veritysetup tool (and related libcryptsetup extensions). + +Please note that API extension and on-disk superblock can change in next +1.5.0 release candidate (despite it is not expected). + +Changes since version 1.4.3 +~~~~~~~~~~~~~~~~~~~~~~~~~~~ +Introduce veritysetup tool for dm-verity target management. + +The dm-verity device-mapper target was added to Linux kernel 3.4 and +provides transparent integrity checking of block devices using a cryptographic +digest provided by the kernel crypto API. This target is read-only. + +It is meant to be setup as part of a verified boot path (it was originally +developed by Chrome OS authors as part of verified boot infrastructure). + +For deeper description please see http://code.google.com/p/cryptsetup/wiki/DMVerity +and kernel dm-verity documentation. + +The libcryptsetup library was extended to support manipulation +with dm-verity kernel module and new veritysetup CLI tool is added. + +There are no additional library requirements (it uses the same crypto +backend as cryptsetup). + +If you want compile cryptsetup without veritysetup toop, +use --disable-veritysetup configure option. +For other configuration option see configure --help and veritysetup --help +(e.g. default parameters). + +Supported libcryptsetup functions new CRYPT_VERITY type: + crypt_init + crypt_init_by_name + crypt_set_data device + crypt_get_type + crypt_format + crypt_load + crypt_get_active_device + crypt_activate_by_volume_key (volume key == root hash here) + crypt_dump +and new introduced function + crypt_get_verity_info + +Please see comments in libcryptsetup.h and veritysetup.c as an code example +how to use CRYPT_VERITY API. + +The veritysetup tool supports these operations: + + veritysetup format + Formats (calculates all hash areas according to ). + This is initial command to prepare device for later verification. + + veritysetup create + Creates (activates) a dm-verity mapping with backed by device + and using for in-kernel verification. + + veritysetup verify + Verifies data in userspace (no kernel device is activated). + + veritysetup remove + Removes activated device from kernel (similar to dmsetup remove). + + veritysetup status + Reports status for the active kernel dm-verity device. + + veritysetup dump + Reports parameters of verity device from on-disk stored superblock. + +For more info see veritysetup --help and veritysetup man page. + +Other changes +~~~~~~~~~~~~~ + + * Both data and header device can now be a file and + loop device is automatically allocated. + + * Require only up to last keyslot area for header device, previously + backup (and activation) required device/file of size up to data start + offset (data payload). + + * Fix header backup and restore to work on files with large data offset. + Backup and restore now works even if backup file is smaller than data offset. + +Appendix: Examples of veritysetup use +~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + + Format device using default parameters, info and final root hash is printed: + # veritysetup format /dev/sdb /dev/sdc + VERITY header information for /dev/sdc + UUID: fad30431-0c59-4fa6-9b57-732a90501f75 + Hash type: 1 + Data blocks: 52224 + Data block size: 4096 + Hash block size: 4096 + Hash algorithm: sha256 + Salt: 5cc52759af76a092e0c21829cd0ef6938f69831bf86926525106f92a7e9e3aa9 + Root hash: 7aefa4506f7af497ac491a27f862cf8005ea782a5d97f6426945a6896ab557a1 + + Activation of device in-kernel: + # veritysetup create vr /dev/sdb /dev/sdc 7aefa4506f7af497ac491a27f862cf8005ea782a5d97f6426945a6896ab557a1 + Note - if device is corrupted, kernel mapping is created but will report failure: + Verity device detected corruption after activation. + + Userspace verification: + # veritysetup verify /dev/sdb /dev/sdc 7aefa4506f7af497ac491a27f862cf8005ea782a5d97f6426945a6896ab557a1 + Verification failed at position 8192. + Verification of data area failed. + + Active device status report: + # veritysetup status vr + /dev/mapper/vr is active. + type: VERITY + status: verified + hash type: 1 + data block: 4096 + hash block: 4096 + hash name: sha256 + salt: 5cc52759af76a092e0c21829cd0ef6938f69831bf86926525106f92a7e9e3aa9 + data device: /dev/sdb + size: 417792 sectors + mode: readonly + hash device: /dev/sdc + hash offset: 8 sectors + + Dump of on-disk superblock information: + # veritysetup dump /dev/sdc + VERITY header information for /dev/sdc + UUID: fad30431-0c59-4fa6-9b57-732a90501f75 + Hash type: 1 + Data blocks: 52224 + Data block size: 4096 + Hash block size: 4096 + Hash algorithm: sha256 + Salt: 5cc52759af76a092e0c21829cd0ef6938f69831bf86926525106f92a7e9e3aa9 + + Remove mapping: + # veritysetup remove vr diff --git a/man/veritysetup.8 b/man/veritysetup.8 index bc8fad9..c81e64f 100644 --- a/man/veritysetup.8 +++ b/man/veritysetup.8 @@ -43,6 +43,19 @@ The is a hexadecimal string. If option \-\-no-superblock is used, you have to use as the same options as in initial format operation. .PP +\fIverify\fR +.IP +Verifies data on data_device with use of hash blocks stored on hash_device. + +This command performs userspace verification, no kernel device is created. + +The is a hexadecimal string. + +\fB\fR can be [\-\-hash-offset, \-\-no-superblock] + +If option \-\-no-superblock is used, you have to use as the same options +as in initial format operation. +.PP \fIremove\fR .IP Removes existing mapping . -- 2.7.4