| /openbmc/linux/Documentation/filesystems/ |
| H A D | fsverity.rst | 6 fs-verity: read-only file-based authenticity protection
12 fs-verity (``fs/verity/``) is a support layer that filesystems can
16 code is needed to support fs-verity.
18 fs-verity is similar to `dm-verity
19 <https://www.kernel.org/doc/Documentation/device-mapper/verity.txt>`_
21 filesystems supporting fs-verity, userspace can execute an ioctl that
30 the "fs-verity file digest", which is a hash that includes the Merkle
31 tree root hash) that fs-verity is enforcing for the file. This ioctl
34 fs-verity is essentially a way to hash a file in constant time,
41 By itself, fs-verity only provides integrity protection, i.e.
[all …]
|
| /openbmc/openbmc/meta-openembedded/meta-oe/classes/ |
| H A D | image_types_verity.bbclass | 6 # Support generating a dm-verity image and the parameters required to assemble
8 # stored in the file ${DEPLOY_DIR_IMAGE}/<IMAGE_LINK_NAME>.verity-params. Note
17 # . <IMAGE_LINK_NAME>.verity-params
19 # verity 1 <dev> <hash_dev> \
27 # is the name of the to be created dm-verity-device.
44 VERITY_IMAGE_SUFFIX ?= ".verity"
47 IMAGE_TYPEDEP:verity = "${VERITY_IMAGE_FSTYPE}"
48 IMAGE_TYPES_MASKED += "verity"
51 if 'verity' not in d.getVar('IMAGE_FSTYPES'):
67 verity = '{}{}'.format(image, verity_image_suffix)
[all …]
|
| /openbmc/openbmc/meta-security/classes/ |
| H A D | dm-verity-img.bbclass | 6 # This bbclass allows creating of dm-verity protected partition images. It
7 # generates a device image file with dm-verity hash data appended at the end
20 # IMAGE_CLASSES += "dm-verity-img"
26 # DM_VERITY_RHASH_GUID = <UUID for your architecture and verity-hash>
32 # Define the location where the DM_VERITY_IMAGE specific dm-verity root hash
34 STAGING_VERITY_DIR ?= "${TMPDIR}/work-shared/${MACHINE}/dm-verity"
37 # if non-verity images want to embed the .wks and verity image.
66 local ENV="${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.$TYPE.verity.env"
93 # Craft up the UUIDs that are part of the verity standard for root & hash
117 …{DM_VERITY_IMAGE}-${MACHINE}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.verity" --part-name verit…
[all …]
|
| /openbmc/openbmc/meta-security/docs/ |
| H A D | dm-verity.txt | 1 dm-verity and Yocto/OE
3 The dm-verity feature provides a level of data integrity and resistance to
9 https://docs.kernel.org/admin-guide/device-mapper/verity.html
12 capture the Yocto/OE specifics of the dm-verity infrastructure used here.
20 Largely everything is driven off of a dm-verity image class; a typical
23 INITRAMFS_IMAGE = "dm-verity-image-initramfs"
26 IMAGE_CLASSES += "dm-verity-img"
31 Kernel configuration for dm-verity happens automatically via IMAGE_CLASSES
32 which will source features/device-mapper/dm-verity.scc when dm-verity-img
35 DISTRO_FEATURES, or else you won't get the dm-verity kernel settings.
[all …]
|
| H A D | dm-verity-systemd-x86-64.txt | 1 dm-verity and x86-64 and systemd
3 In this example, we'll target combining qemux86-64 with dm-verity and
4 also systemd - systemd has dm-verity bindings and is more likely to be
7 While dm-verity in a qemu environment doesn't make practial sense as a
21 In addition to the basic dm-verity settings, choose systemd in local.conf:
29 for enabling systemd. It is important for dm-verity, since it triggers
64 verity image needing to be specified, i.e.
69 tmp/deploy/images/qemux86-64/core-image-minimal-qemux86-64-*.rootfs.ext4.verity
|
| H A D | dm-verity-beaglebone.txt | 1 dm-verity and beaglebone-black
5 In addition to the basic dm-verity settings, you'll also want in local.conf:
9 WKS_FILES = "${MACHINE}-verity.wks.in"
29 After running "wic create -e core-image-minimal beaglebone-yocto-verity"
|
| H A D | dm-verity-systemd-hash-x86-64.txt | 1 dm-verity and x86-64 and systemd - separate hash device
4 Everything said in "dm-verity-systemd-x86-64.txt" applies here.
|
| /openbmc/linux/security/loadpin/ |
| H A D | Kconfig | 12 dm-verity or a CDROM.
23 bool "Allow reading files from certain other filesystems that use dm-verity"
27 that use dm-verity. LoadPin maintains a list of verity root
28 digests it considers trusted. A verity backed filesystem is
32 The list of trusted verity can be populated through an ioctl
33 on the LoadPin securityfs entry 'dm-verity'. The ioctl
34 expects a file descriptor of a file with verity digests as
40 This is followed by the verity digests, with one digest per
|
| /openbmc/linux/Documentation/filesystems/ext4/ |
| H A D | verity.rst | 6 ext4 supports fs-verity, which is a filesystem feature that provides
8 fs-verity is common to all filesystems that support it; see
10 fs-verity documentation. However, the on-disk layout of the verity
11 metadata is filesystem-specific. On ext4, the verity metadata is
25 - The verity descriptor, as documented in
32 - The size of the verity descriptor in bytes, as a 4-byte little
37 They can have EXT4_ENCRYPT_FL set, in which case the verity metadata
40 Verity files cannot have blocks allocated past the end of the verity
|
| /openbmc/linux/fs/verity/ |
| H A D | Kconfig | 15 This option enables fs-verity. fs-verity is the dm-verity
18 use an ioctl to enable verity for a file, which causes the
30 fs-verity is especially useful on large files where not all
31 the contents may actually be needed. Also, fs-verity verifies
43 fs-verity builtin signatures.
46 the only way to do signatures with fs-verity, and the
|
| /openbmc/openbmc/meta-security/wic/ |
| H A D | systemd-bootdisk-dmverity.wks.in | 1 # short-description: Create an EFI disk image with systemd-boot and dm-verity
2 # A dm-verity variant of the regular wks for IA machines. We need to fetch
6 # Based on OE-core's systemd-bootdisk.wks and meta-security's beaglebone-yocto-verity.wks.in file
8 # This .wks only works with the dm-verity-img class.
13 …OYDIR}/${DM_VERITY_IMAGE}-${MACHINE}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.verity" --use-uuid
|
| H A D | beaglebone-yocto-verity.wks.in | 6 # short-description: Create a u-SD image for beaglebone-black with dm-verity
7 # A dm-verity variant of the regular wks for beaglebone black. We need to fetch
12 # This .wks only works with the dm-verity-img class.
15 …e=${IMGDEPLOYDIR}/${DM_VERITY_IMAGE}-${MACHINE}${IMAGE_NAME_SUFFIX}.${DM_VERITY_IMAGE_TYPE}.verity"
|
| H A D | systemd-bootdisk-dmverity-hash.wks.in | 1 # short-description: Create an EFI disk image with systemd-boot and separate hash dm-verity
2 # A dm-verity variant of the regular wks for IA machines. We need to fetch
6 # Based on OE-core's systemd-bootdisk.wks and meta-security's beaglebone-yocto-verity.wks.in file
8 # This .wks only works with the dm-verity-img class and separate hash data. (DM_VERITY_SEPARATE_HAS…
|
| /openbmc/openbmc/meta-security/recipes-core/images/ |
| H A D | dm-verity-image-initramfs.bb | 1 DESCRIPTION = "Simple initramfs image for mounting the rootfs over the verity device mapper."
33 # Ensure dm-verity.env is updated also when rebuilding DM_VERITY_IMAGE
40 ${STAGING_VERITY_DIR}/${DM_VERITY_IMAGE}.${DM_VERITY_IMAGE_TYPE}.verity.env \
41 ${IMAGE_ROOTFS}${datadir}/misc/dm-verity.env
|
| /openbmc/linux/drivers/md/ |
| H A D | Makefile | 27 dm-verity-y += dm-verity-target.o
76 obj-$(CONFIG_DM_VERITY) += dm-verity.o
86 obj-$(CONFIG_SECURITY_LOADPIN_VERITY) += dm-verity-loadpin.o
105 dm-verity-objs += dm-verity-fec.o
109 dm-verity-objs += dm-verity-verify-sig.o
|
| /openbmc/linux/Documentation/admin-guide/device-mapper/ |
| H A D | dm-init.rst | 32 <target_type> ::= "verity" | "linear" | ... (see list below)
61 `verity` allowed
85 dm-verity,,3,ro,
86 0 1638400 verity 1 /dev/sdc1 /dev/sdc2 4096 4096 204800 1 sha256
120 "verity"::
122 dm-verity,,4,ro,
123 0 1638400 verity 1 8:1 8:2 4096 4096 204800 1 sha256
|
| H A D | verity.rst | 2 dm-verity
5 Device-Mapper's "verity" target provides transparent integrity checking of
40 dm-verity device.
105 verity <dev> is encrypted the <fec_dev> should be too.
122 rather than every time. This reduces the overhead of dm-verity so that it
145 If verity hashes are in cache, verify data blocks in kernel tasklet instead
151 dm-verity is meant to be set up as part of a verified boot path. This
155 When a dm-verity device is configured, it is expected that the caller
203 The verity kernel code does not read the verity metadata on-disk header.
206 verity header.
[all …]
|
| H A D | index.rst | 37 verity
|
| /openbmc/linux/Documentation/ABI/testing/ |
| H A D | ima_policy | 58 specifying "digest_type=verity" first.)
63 digest_type:= verity
64 Require fs-verity's file digest instead of the
165 Example of a 'measure' rule requiring fs-verity's digests
168 measure func=FILE_CHECK digest_type=verity \
171 Example of 'measure' and 'appraise' rules requiring fs-verity
178 measure func=BPRM_CHECK digest_type=verity \
185 appraise func=BPRM_CHECK digest_type=verity \
|
| /openbmc/openbmc/meta-openembedded/meta-oe/recipes-crypto/fsverity-utils/ |
| H A D | fsverity-utils_1.5.bb | 1 SUMMARY = "Userspace utilities for fs-verity"
2 DESCRIPTION = "fs-verity is a Linux kernel feature that does transparent \
5 mechanism is similar to dm-verity, but implemented at the file level rather \
|
| /openbmc/openbmc/meta-security/recipes-core/initrdscripts/ |
| H A D | initramfs-framework.inc | 8 # dm-verity
14 SUMMARY:initramfs-module-dmverity = "initramfs dm-verity rootfs support"
|
| H A D | initramfs-framework_1.0.bbappend | 1 require ${@bb.utils.contains('IMAGE_CLASSES', 'dm-verity-img', 'initramfs-framework.inc', '', d)}
|
| /openbmc/openbmc/meta-security/recipes-kernel/linux/ |
| H A D | linux-yocto_security.inc | 5 …append = " ${@bb.utils.contains("IMAGE_CLASSES", "dm-verity-img", " features/device-mapper/dm-veri…
|
| /openbmc/linux/fs/f2fs/ |
| H A D | Makefile | 10 f2fs-$(CONFIG_FS_VERITY) += verity.o
|
| /openbmc/linux/fs/ext4/ |
| H A D | Makefile | 19 ext4-$(CONFIG_FS_VERITY) += verity.o
|