verity type
Specifies the configuration for dm-verity integrity verification.
Note: Currently root partition (/) and usr partition (/usr) are supported.
Note: The filesystem item pointing to this verity device, must
include the ro option in the mountPoint.options.
There are multiple ways to configure a verity enabled image. For recommendations, see Verity Image Recommendations.
Example of enabling root Verity:
storage:
bootType: efi
disks:
- partitionTableType: gpt
partitions:
- id: esp
type: esp
size: 8M
- id: boot
size: 1G
- id: root
size: 2G
- id: roothash
size: 100M
- id: var
size: 2G
verity:
- id: verityroot
name: root
dataDeviceId: root
hashDeviceId: roothash
corruptionOption: panic
filesystems:
- deviceId: esp
type: fat32
mountPoint:
path: /boot/efi
options: umask=0077
- deviceId: boot
type: ext4
mountPoint: /boot
- deviceId: verityroot
type: ext4
mountPoint:
path: /
options: ro
- deviceId: var
type: ext4
mountPoint: /var
os:
bootloader:
resetType: hard-reset
Example of enabling usr Verity:
storage:
bootType: efi
disks:
- partitionTableType: gpt
partitions:
- id: esp
type: esp
size: 8M
- id: boot
size: 1G
- id: root
size: 2G
- id: usr
size: 2G
- id: usrhash
size: 100M
verity:
- id: verityusr
name: usr
dataDeviceId: usr
hashDeviceId: usrhash
corruptionOption: panic
filesystems:
- deviceId: esp
type: fat32
mountPoint:
path: /boot/efi
options: umask=0077
- deviceId: boot
type: ext4
mountPoint: /boot
- deviceId: root
type: ext4
mountPoint: /
- deviceId: verityusr
type: ext4
mountPoint:
path: /usr
options: ro
os:
bootloader:
resetType: hard-reset
Example of enabling verity on existing partitions in the base image:
storage:
verity:
- id: verityusr
name: usr
dataDevice:
idType: part-label
id: usr
hashDevice:
idType: part-label
id: usrhash
corruptionOption: panic
Added in v0.7.
id [string]
Required.
The ID of the verity object. This is used to correlate verity objects with filesystem objects.
Added in v0.7.
name [string]
Required.
The name of the device mapper block device.
The value must be:
-
rootfor root partition (i.e./).Added in v0.7.
-
usrfor the usr partition (i.g./usr).Added in v0.11.0.
Added in v0.7.
dataDevice [verityPartition]
The existing partition within the base image to use as the verity data partition.
Must be used with hashDevice.
Added in v0.13.
dataDeviceId [string]
The ID of the new partition to use as the verity data partition.
Must be used with hashDeviceId.
Added in v0.7.
dataDeviceMountIdType [string]
How the verity data partition is referenced in the OS. For example, within the
/etc/fstab and within the kernel command-line args.
Supported values:
uuid: Identify the partition by filesystem UUID.part-uuid: Identify the partition by partition UUID.part-label: Identify the partition by partition label.
Added in v0.7.
hashDevice [verityPartition]
The existing partition within the base image to use as the verity hash partition.
Must be used with dataDevice.
Added in v0.13.
hashDeviceId [string]
The ID of the new partition to use as the verity hash partition.
Must be used with dataDeviceId.
Added in v0.7.
hashDeviceMountIdType [string]
How the verity hash partition is referenced in the OS. For example, within the
/etc/fstab and within the kernel command-line args.
Supported values:
uuid: Identify the partition by filesystem UUID.part-uuid: Identify the partition by partition UUID.part-label: Identify the partition by partition label.
Added in v0.7.
corruptionOption [string]
Optional.
Specifies how a mismatch between the hash and the data partition is handled.
Supported values:
io-error: Fails the I/O operation with an I/O error.ignore: Ignores the corruption and continues operation.panic: Causes the system to panic (print errors) and then try restarting.restart: Attempts to restart the system.
Default value: io-error.
Added in v0.7.