/openbmc/linux/Documentation/filesystems/fsverity.rst
    6: fs-verity: read-only file-based authenticity protection
    12: fs-verity (``fs/verity/``) is a support layer that filesystems can
    16: code is needed to support fs-verity.
    18: fs-verity is similar to `dm-verity
    19: <https://www.kernel.org/doc/Documentation/device-mapper/verity.txt>`_
    21: filesystems supporting fs-verity, userspace can execute an ioctl that
    30: the "fs-verity file digest", which is a hash that includes the Merkle
    31: tree root hash) that fs-verity is enforcing for the file. This ioctl
    34: fs-verity is essentially a way to hash a file in constant time,
    41: By itself, fs-verity only provides integrity protection, i.e.
    [all …]

/openbmc/openbmc/meta-openembedded/meta-oe/classes/image_types_verity.bbclass
    6: # Support generating a dm-verity image and the parameters required to assemble
    8: # stored in the file ${DEPLOY_DIR_IMAGE}/<IMAGE_LINK_NAME>.verity-params. Note
    17: # . <IMAGE_LINK_NAME>.verity-params
    19: # verity 1 <dev> <hash_dev> \
    27: # is the name of the to be created dm-verity-device.
    44: VERITY_IMAGE_SUFFIX ?= ".verity"
    47: IMAGE_TYPEDEP:verity = "${VERITY_IMAGE_FSTYPE}"
    48: IMAGE_TYPES_MASKED += "verity"
    51: if 'verity' not in d.getVar('IMAGE_FSTYPES'):
    67: verity = '{}{}'.format(image, verity_image_suffix)
    [all …]

/openbmc/openbmc/meta-security/classes/dm-verity-img.bbclass
    6: # This bbclass allows creating of dm-verity protected partition images. It
    7: # generates a device image file with dm-verity hash data appended at the end
    20: # IMAGE_CLASSES += "dm-verity-img"
    26: # DM_VERITY_RHASH_GUID = <UUID for your architecture and verity-hash>
    32: # Define the location where the DM_VERITY_IMAGE specific dm-verity root hash
    34: STAGING_VERITY_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/dm-verity"
    37: # if non-verity images want to embed the .wks and verity image.
    66: local ENV="${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.$TYPE.verity.env"
    93: # Craft up the UUIDs that are part of the verity standard for root & hash
    117: …{DM_VERITY_IMAGE}-${MACHINE}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.verity" --part-name verit…
    [all …]

/openbmc/openbmc/meta-security/docs/dm-verity.txt
    1: dm-verity and Yocto/OE
    3: The dm-verity feature provides a level of data integrity and resistance to
    9: https://docs.kernel.org/admin-guide/device-mapper/verity.html
    12: capture the Yocto/OE specifics of the dm-verity infrastructure used here.
    20: Largely everything is driven off of a dm-verity image class; a typical
    23: INITRAMFS_IMAGE = "dm-verity-image-initramfs"
    26: IMAGE_CLASSES += "dm-verity-img"
    31: Kernel configuration for dm-verity happens automatically via IMAGE_CLASSES
    32: which will source features/device-mapper/dm-verity.scc when dm-verity-img
    35: DISTRO_FEATURES, or else you won't get the dm-verity kernel settings.
    [all …]

/openbmc/openbmc/meta-security/docs/dm-verity-systemd-x86-64.txt
    1: dm-verity and x86-64 and systemd
    3: In this example, we'll target combining qemux86-64 with dm-verity and
    4: also systemd - systemd has dm-verity bindings and is more likely to be
    7: While dm-verity in a qemu environment doesn't make practial sense as a
    21: In addition to the basic dm-verity settings, choose systemd in local.conf:
    29: for enabling systemd. It is important for dm-verity, since it triggers
    64: verity image needing to be specified, i.e.
    69: tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64-*.rootfs.ext4.verity

/openbmc/openbmc/meta-security/docs/dm-verity-beaglebone.txt
    1: dm-verity and beaglebone-black
    5: In addition to the basic dm-verity settings, you'll also want in local.conf:
    9: WKS_FILES = "${MACHINE}-verity.wks.in"
    29: After running "wic create -e core-image-minimal beaglebone-yocto-verity"

/openbmc/openbmc/meta-security/docs/dm-verity-systemd-hash-x86-64.txt
    1: dm-verity and x86-64 and systemd - separate hash device
    4: Everything said in "dm-verity-systemd-x86-64.txt" applies here.

/openbmc/linux/security/loadpin/Kconfig
    12: dm-verity or a CDROM.
    23: bool "Allow reading files from certain other filesystems that use dm-verity"
    27: that use dm-verity. LoadPin maintains a list of verity root
    28: digests it considers trusted. A verity backed filesystem is
    32: The list of trusted verity can be populated through an ioctl
    33: on the LoadPin securityfs entry 'dm-verity'. The ioctl
    34: expects a file descriptor of a file with verity digests as
    40: This is followed by the verity digests, with one digest per

/openbmc/linux/Documentation/filesystems/ext4/verity.rst
    6: ext4 supports fs-verity, which is a filesystem feature that provides
    8: fs-verity is common to all filesystems that support it; see
    10: fs-verity documentation. However, the on-disk layout of the verity
    11: metadata is filesystem-specific. On ext4, the verity metadata is
    25: - The verity descriptor, as documented in
    32: - The size of the verity descriptor in bytes, as a 4-byte little
    37: They can have EXT4_ENCRYPT_FL set, in which case the verity metadata
    40: Verity files cannot have blocks allocated past the end of the verity

/openbmc/linux/fs/verity/Kconfig
    15: This option enables fs-verity. fs-verity is the dm-verity
    18: use an ioctl to enable verity for a file, which causes the
    30: fs-verity is especially useful on large files where not all
    31: the contents may actually be needed. Also, fs-verity verifies
    43: fs-verity builtin signatures.
    46: the only way to do signatures with fs-verity, and the

/openbmc/openbmc/meta-security/wic/systemd-bootdisk-dmverity.wks.in
    1: # short-description: Create an EFI disk image with systemd-boot and dm-verity
    2: # A dm-verity variant of the regular wks for IA machines. We need to fetch
    6: # Based on OE-core's systemd-bootdisk.wks and meta-security's beaglebone-yocto-verity.wks.in file
    8: # This .wks only works with the dm-verity-img class.
    13: …OYDIR}/${DM_VERITY_IMAGE}-${MACHINE}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.verity" --use-uuid

/openbmc/openbmc/meta-security/wic/beaglebone-yocto-verity.wks.in
    6: # short-description: Create a u-SD image for beaglebone-black with dm-verity
    7: # A dm-verity variant of the regular wks for beaglebone black. We need to fetch
    12: # This .wks only works with the dm-verity-img class.
    15: …e=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.verity"

/openbmc/openbmc/meta-security/wic/systemd-bootdisk-dmverity-hash.wks.in
    1: # short-description: Create an EFI disk image with systemd-boot and separate hash dm-verity
    2: # A dm-verity variant of the regular wks for IA machines. We need to fetch
    6: # Based on OE-core's systemd-bootdisk.wks and meta-security's beaglebone-yocto-verity.wks.in file
    8: # This .wks only works with the dm-verity-img class and separate hash data. (DM_VERITY_SEPARATE_HAS…

/openbmc/openbmc/meta-security/recipes-core/images/dm-verity-image-initramfs.bb
    1: DESCRIPTION = "Simple initramfs image for mounting the rootfs over the verity device mapper."
    33: # Ensure dm-verity.env is updated also when rebuilding DM_VERITY_IMAGE
    40: ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env \
    41: ${IMAGE_ROOTFS}${datadir}/misc/dm-verity.env

/openbmc/linux/drivers/md/Makefile
    27: dm-verity-y += dm-verity-target.o
    76: obj-$(CONFIG_DM_VERITY) += dm-verity.o
    86: obj-$(CONFIG_SECURITY_LOADPIN_VERITY) += dm-verity-loadpin.o
    105: dm-verity-objs += dm-verity-fec.o
    109: dm-verity-objs += dm-verity-verify-sig.o

/openbmc/linux/Documentation/admin-guide/device-mapper/dm-init.rst
    32: <target_type> ::= "verity" | "linear" | ... (see list below)
    61: `verity` allowed
    85: dm-verity,,3,ro,
    86: 0 1638400 verity 1 /dev/sdc1 /dev/sdc2 4096 4096 204800 1 sha256
    120: "verity"::
    122: dm-verity,,4,ro,
    123: 0 1638400 verity 1 8:1 8:2 4096 4096 204800 1 sha256

/openbmc/linux/Documentation/admin-guide/device-mapper/verity.rst
    2: dm-verity
    5: Device-Mapper's "verity" target provides transparent integrity checking of
    40: dm-verity device.
    105: verity <dev> is encrypted the <fec_dev> should be too.
    122: rather than every time. This reduces the overhead of dm-verity so that it
    145: If verity hashes are in cache, verify data blocks in kernel tasklet instead
    151: dm-verity is meant to be set up as part of a verified boot path. This
    155: When a dm-verity device is configured, it is expected that the caller
    203: The verity kernel code does not read the verity metadata on-disk header.
    206: verity header.
    [all …]

/openbmc/linux/Documentation/admin-guide/device-mapper/index.rst
    37: verity

/openbmc/linux/Documentation/ABI/testing/ima_policy
    58: specifying "digest_type=verity" first.)
    63: digest_type:= verity
    64: Require fs-verity's file digest instead of the
    165: Example of a 'measure' rule requiring fs-verity's digests
    168: measure func=FILE_CHECK digest_type=verity \
    171: Example of 'measure' and 'appraise' rules requiring fs-verity
    178: measure func=BPRM_CHECK digest_type=verity \
    185: appraise func=BPRM_CHECK digest_type=verity \

/openbmc/openbmc/meta-openembedded/meta-oe/recipes-crypto/fsverity-utils/fsverity-utils_1.5.bb
    1: SUMMARY = "Userspace utilities for fs-verity"
    2: DESCRIPTION = "fs-verity is a Linux kernel feature that does transparent \
    5: mechanism is similar to dm-verity, but implemented at the file level rather \

/openbmc/openbmc/meta-security/recipes-core/initrdscripts/initramfs-framework.inc
    8: # dm-verity
    14: SUMMARY:initramfs-module-dmverity = "initramfs dm-verity rootfs support"

/openbmc/openbmc/meta-security/recipes-core/initrdscripts/initramfs-framework_1.0.bbappend
    1: require ${@bb.utils.contains('IMAGE_CLASSES', 'dm-verity-img', 'initramfs-framework.inc', '', d)}

/openbmc/openbmc/meta-security/recipes-kernel/linux/linux-yocto_security.inc
    5: …append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-veri…

/openbmc/linux/fs/f2fs/Makefile
    10: f2fs-$(CONFIG_FS_VERITY) += verity.o

/openbmc/linux/fs/ext4/Makefile
    19: ext4-$(CONFIG_FS_VERITY) += verity.o