LinuxCommandLibrary

veritysetup

Setup dm-verity integrity checking for block devices

SYNOPSIS

veritysetup

PARAMETERS

format
    Formats a device for dm-verity use.
    Arguments:
        device: The device to be formatted.
        backing_device: The backing device containing the actual data.
        hash_device: The device where the hash tree will be stored.
        data_blocks: Number of data blocks.
        hash_blocks: Number of hash blocks.
        offset: Offset of the root hash in hash_device.

enable-verity
    Enables dm-verity protection on a device using the provided root hash.

disable-verity
    Disables dm-verity protection on a device.

--verbose
    Provides more detailed output during command execution.

--hash-offset
    Specifies the offset in the hash device where the root hash is stored.

--data-device
    Specifies the backing device (data source).

--hash-device
    Specifies the device where the hash tree is stored.

--root-hash
    Sets the root hash for the verity volume.

--pbkdf2
    Uses PBKDF2 to decrypt the passphrase with the device key.

--salt
    The salt in hex to be used when decrypting the passphrase.

DESCRIPTION

veritysetup is a command-line utility in Linux used to manage dm-verity volumes, which provide read-only integrity checking for block devices.
Dm-verity ensures that a block device (typically a root filesystem) has not been tampered with by comparing each block against a pre-calculated cryptographic hash tree (Merkle tree). This allows for verification of the integrity of the data at runtime, protecting against rootkits and unauthorized modifications.
veritysetup provides functionality to format a block device for dm-verity use, enable or disable dm-verity protection, and verify the integrity of the metadata. It is a crucial tool for securing embedded systems, mobile devices, and other environments where data integrity is paramount. By using dm-verity, one can be certain that the system is running the intended software and has not been compromised.

CAVEATS

Using dm-verity requires careful planning and execution. Incorrect configuration can lead to data loss or system unbootability. It is essential to understand the underlying principles of dm-verity and the structure of the Merkle tree before using veritysetup.

VERIFICATION

Verifying the integrity of the protected volume occurs automatically during read operations. If a block is found to be corrupted or tampered with, the read operation will fail, preventing the use of compromised data. The kernel logs errors related to failed verifications.
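To make the Merkle tree from DESCRIPTION and the read-time check from VERIFICATION concrete, here is an added Python model of a dm-verity style hash tree; it is example code, not part of veritysetup or this page. It assumes the format version 1 layout (SHA-256, 4096-byte data and hash blocks, salt prepended to each hashed block, zero-padded hash blocks) and uses a constructed salt and data image.

```python
import hashlib

BLOCK = 4096                   # data and hash block size (assumed)
HASH_LEN = 32                  # SHA-256 digest length
PER_BLOCK = BLOCK // HASH_LEN  # 128 digests fit in one hash block

def h(salt, blk):
    # dm-verity format version 1 hashes H(salt || block)
    return hashlib.sha256(salt + blk).digest()

def build_tree(data, salt):
    """Return (root_hash, levels); levels[0] holds the leaf hash blocks."""
    assert len(data) % BLOCK == 0, "image must be whole blocks"
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    levels = []
    while True:
        digests = b"".join(h(salt, b) for b in blocks)
        digests += b"\0" * ((-len(digests)) % BLOCK)  # pad last hash block
        blocks = [digests[i:i + BLOCK] for i in range(0, len(digests), BLOCK)]
        levels.append(blocks)
        if len(blocks) == 1:                 # single top hash block: done
            return h(salt, blocks[0]), levels

def verify_block(data, idx, root, levels, salt):
    """Check data block idx against the root hash, as a dm-verity read does."""
    expected = root
    for lvl in reversed(range(len(levels))):  # walk from the top hash block down
        hb = levels[lvl][idx // PER_BLOCK ** (lvl + 1)]
        if h(salt, hb) != expected:          # hash block itself was altered
            return False
        pos = (idx // PER_BLOCK ** lvl) % PER_BLOCK
        expected = hb[pos * HASH_LEN:(pos + 1) * HASH_LEN]
    return h(salt, data[idx * BLOCK:(idx + 1) * BLOCK]) == expected

def demo():
    salt = b"constructed-salt"  # constructed value, not a real device salt
    # constructed 200-block image: two leaf hash blocks plus one top block
    data = b"".join(i.to_bytes(2, "big") * (BLOCK // 2) for i in range(200))
    root, levels = build_tree(data, salt)
    clean = verify_block(data, 150, root, levels, salt)
    tampered = bytearray(data)
    tampered[150 * BLOCK + 7] ^= 0x01        # flip one bit in block 150
    bad = verify_block(bytes(tampered), 150, root, levels, salt)
    other = verify_block(bytes(tampered), 3, root, levels, salt)  # untouched block
    return clean, bad, other
```

Because the root hash is the only trusted input, a change to any data block or any hash block fails verification on the path to the root, which mirrors the read failure described above.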

PERFORMANCE CONSIDERATIONS

Dm-verity adds some overhead due to the need to verify each read operation. The performance impact depends on the size and complexity of the Merkle tree, as well as the underlying storage device. Using a fast storage device for the hash tree can help mitigate performance issues.

HISTORY

veritysetup has been developed as part of the Device Mapper (dm) subsystem in the Linux kernel. It gained prominence with the increasing need for secure boot and system integrity verification in various embedded and mobile platforms. Its usage has expanded with the growing awareness of security vulnerabilities and the need to protect against unauthorized modifications to system software.
