
Searched refs:verity (Results 1 – 25 of 54) sorted by relevance


/openbmc/linux/Documentation/filesystems/
fsverity.rst
6 fs-verity: read-only file-based authenticity protection
12 fs-verity (``fs/verity/``) is a support layer that filesystems can
16 code is needed to support fs-verity.
18 fs-verity is similar to `dm-verity
19 <https://www.kernel.org/doc/Documentation/device-mapper/verity.txt>`_
21 filesystems supporting fs-verity, userspace can execute an ioctl that
30 the "fs-verity file digest", which is a hash that includes the Merkle
31 tree root hash) that fs-verity is enforcing for the file. This ioctl
34 fs-verity is essentially a way to hash a file in constant time,
41 By itself, fs-verity only provides integrity protection, i.e.
[all …]
/openbmc/openbmc/meta-openembedded/meta-oe/classes/
image_types_verity.bbclass
6 # Support generating a dm-verity image and the parameters required to assemble
8 # stored in the file ${DEPLOY_DIR_IMAGE}/<IMAGE_LINK_NAME>.verity-params. Note
17 # . <IMAGE_LINK_NAME>.verity-params
19 # verity 1 <dev> <hash_dev> \
27 # is the name of the to be created dm-verity-device.
44 VERITY_IMAGE_SUFFIX ?= ".verity"
47 IMAGE_TYPEDEP:verity = "${VERITY_IMAGE_FSTYPE}"
48 IMAGE_TYPES_MASKED += "verity"
51 if 'verity' not in d.getVar('IMAGE_FSTYPES'):
67 verity = '{}{}'.format(image, verity_image_suffix)
[all …]
/openbmc/openbmc/meta-security/classes/
dm-verity-img.bbclass
6 # This bbclass allows creating of dm-verity protected partition images. It
7 # generates a device image file with dm-verity hash data appended at the end
20 # IMAGE_CLASSES += "dm-verity-img"
26 # DM_VERITY_RHASH_GUID = <UUID for your architecture and verity-hash>
32 # Define the location where the DM_VERITY_IMAGE specific dm-verity root hash
34 STAGING_VERITY_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/dm-verity"
37 # if non-verity images want to embed the .wks and verity image.
66 local ENV="${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.$TYPE.verity.env"
93 # Craft up the UUIDs that are part of the verity standard for root & hash
117 …{DM_VERITY_IMAGE}-${MACHINE}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.verity" --part-name verit…
[all …]
/openbmc/openbmc/meta-security/docs/
dm-verity.txt
1 dm-verity and Yocto/OE
3 The dm-verity feature provides a level of data integrity and resistance to
9 https://docs.kernel.org/admin-guide/device-mapper/verity.html
12 capture the Yocto/OE specifics of the dm-verity infrastructure used here.
20 Largely everything is driven off of a dm-verity image class; a typical
23 INITRAMFS_IMAGE = "dm-verity-image-initramfs"
26 IMAGE_CLASSES += "dm-verity-img"
31 Kernel configuration for dm-verity happens automatically via IMAGE_CLASSES
32 which will source features/device-mapper/dm-verity.scc when dm-verity-img
35 DISTRO_FEATURES, or else you won't get the dm-verity kernel settings.
[all …]
dm-verity-systemd-x86-64.txt
1 dm-verity and x86-64 and systemd
3 In this example, we'll target combining qemux86-64 with dm-verity and
4 also systemd - systemd has dm-verity bindings and is more likely to be
7 While dm-verity in a qemu environment doesn't make practial sense as a
21 In addition to the basic dm-verity settings, choose systemd in local.conf:
29 for enabling systemd. It is important for dm-verity, since it triggers
64 verity image needing to be specified, i.e.
69 tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64-*.rootfs.ext4.verity
dm-verity-beaglebone.txt
1 dm-verity and beaglebone-black
5 In addition to the basic dm-verity settings, you'll also want in local.conf:
9 WKS_FILES = "${MACHINE}-verity.wks.in"
29 After running "wic create -e core-image-minimal beaglebone-yocto-verity"
dm-verity-systemd-hash-x86-64.txt
1 dm-verity and x86-64 and systemd - separate hash device
4 Everything said in "dm-verity-systemd-x86-64.txt" applies here.
/openbmc/linux/security/loadpin/
Kconfig
12 dm-verity or a CDROM.
23 bool "Allow reading files from certain other filesystems that use dm-verity"
27 that use dm-verity. LoadPin maintains a list of verity root
28 digests it considers trusted. A verity backed filesystem is
32 The list of trusted verity can be populated through an ioctl
33 on the LoadPin securityfs entry 'dm-verity'. The ioctl
34 expects a file descriptor of a file with verity digests as
40 This is followed by the verity digests, with one digest per
/openbmc/linux/Documentation/filesystems/ext4/
verity.rst
6 ext4 supports fs-verity, which is a filesystem feature that provides
8 fs-verity is common to all filesystems that support it; see
10 fs-verity documentation. However, the on-disk layout of the verity
11 metadata is filesystem-specific. On ext4, the verity metadata is
25 - The verity descriptor, as documented in
32 - The size of the verity descriptor in bytes, as a 4-byte little
37 They can have EXT4_ENCRYPT_FL set, in which case the verity metadata
40 Verity files cannot have blocks allocated past the end of the verity
/openbmc/linux/fs/verity/
Kconfig
15 This option enables fs-verity. fs-verity is the dm-verity
18 use an ioctl to enable verity for a file, which causes the
30 fs-verity is especially useful on large files where not all
31 the contents may actually be needed. Also, fs-verity verifies
43 fs-verity builtin signatures.
46 the only way to do signatures with fs-verity, and the
/openbmc/openbmc/meta-security/wic/
systemd-bootdisk-dmverity.wks.in
1 # short-description: Create an EFI disk image with systemd-boot and dm-verity
2 # A dm-verity variant of the regular wks for IA machines. We need to fetch
6 # Based on OE-core's systemd-bootdisk.wks and meta-security's beaglebone-yocto-verity.wks.in file
8 # This .wks only works with the dm-verity-img class.
13 …OYDIR}/${DM_VERITY_IMAGE}-${MACHINE}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.verity" --use-uuid
beaglebone-yocto-verity.wks.in
6 # short-description: Create a u-SD image for beaglebone-black with dm-verity
7 # A dm-verity variant of the regular wks for beaglebone black. We need to fetch
12 # This .wks only works with the dm-verity-img class.
15 …e=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.verity"
systemd-bootdisk-dmverity-hash.wks.in
1 # short-description: Create an EFI disk image with systemd-boot and separate hash dm-verity
2 # A dm-verity variant of the regular wks for IA machines. We need to fetch
6 # Based on OE-core's systemd-bootdisk.wks and meta-security's beaglebone-yocto-verity.wks.in file
8 # This .wks only works with the dm-verity-img class and separate hash data. (DM_VERITY_SEPARATE_HAS…
/openbmc/openbmc/meta-security/recipes-core/images/
dm-verity-image-initramfs.bb
1 DESCRIPTION = "Simple initramfs image for mounting the rootfs over the verity device mapper."
33 # Ensure dm-verity.env is updated also when rebuilding DM_VERITY_IMAGE
40 ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env \
41 ${IMAGE_ROOTFS}${datadir}/misc/dm-verity.env
/openbmc/linux/drivers/md/
Makefile
27 dm-verity-y += dm-verity-target.o
76 obj-$(CONFIG_DM_VERITY) += dm-verity.o
86 obj-$(CONFIG_SECURITY_LOADPIN_VERITY) += dm-verity-loadpin.o
105 dm-verity-objs += dm-verity-fec.o
109 dm-verity-objs += dm-verity-verify-sig.o
/openbmc/linux/Documentation/admin-guide/device-mapper/
dm-init.rst
32 <target_type> ::= "verity" | "linear" | ... (see list below)
61 `verity` allowed
85 dm-verity,,3,ro,
86 0 1638400 verity 1 /dev/sdc1 /dev/sdc2 4096 4096 204800 1 sha256
120 "verity"::
122 dm-verity,,4,ro,
123 0 1638400 verity 1 8:1 8:2 4096 4096 204800 1 sha256
verity.rst
2 dm-verity
5 Device-Mapper's "verity" target provides transparent integrity checking of
40 dm-verity device.
105 verity <dev> is encrypted the <fec_dev> should be too.
122 rather than every time. This reduces the overhead of dm-verity so that it
145 If verity hashes are in cache, verify data blocks in kernel tasklet instead
151 dm-verity is meant to be set up as part of a verified boot path. This
155 When a dm-verity device is configured, it is expected that the caller
203 The verity kernel code does not read the verity metadata on-disk header.
206 verity header.
[all …]
index.rst
37 verity
/openbmc/linux/Documentation/ABI/testing/
ima_policy
58 specifying "digest_type=verity" first.)
63 digest_type:= verity
64 Require fs-verity's file digest instead of the
165 Example of a 'measure' rule requiring fs-verity's digests
168 measure func=FILE_CHECK digest_type=verity \
171 Example of 'measure' and 'appraise' rules requiring fs-verity
178 measure func=BPRM_CHECK digest_type=verity \
185 appraise func=BPRM_CHECK digest_type=verity \
/openbmc/openbmc/meta-openembedded/meta-oe/recipes-crypto/fsverity-utils/
fsverity-utils_1.5.bb
1 SUMMARY = "Userspace utilities for fs-verity"
2 DESCRIPTION = "fs-verity is a Linux kernel feature that does transparent \
5 mechanism is similar to dm-verity, but implemented at the file level rather \
/openbmc/openbmc/meta-security/recipes-core/initrdscripts/
initramfs-framework.inc
8 # dm-verity
14 SUMMARY:initramfs-module-dmverity = "initramfs dm-verity rootfs support"
initramfs-framework_1.0.bbappend
1 require ${@bb.utils.contains('IMAGE_CLASSES', 'dm-verity-img', 'initramfs-framework.inc', '', d)}
/openbmc/openbmc/meta-security/recipes-kernel/linux/
linux-yocto_security.inc
5 …append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-veri…
/openbmc/linux/fs/f2fs/
Makefile
10 f2fs-$(CONFIG_FS_VERITY) += verity.o
/openbmc/linux/fs/ext4/
Makefile
19 ext4-$(CONFIG_FS_VERITY) += verity.o
