From: Luca Boccassi Date: Thu, 10 Aug 2023 23:19:16 +0000 (+0100) Subject: verity: modernize example in manpage X-Git-Tag: v2.40-rc1~286^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=013bf9e3d0080a977dad5f4ce5fbfc77d46049f4;p=thirdparty%2Futil-linux.git verity: modernize example in manpage These days it's no longer necessary to create the verity hash device with dd, and to transcribe the roothash by hand. Update the example, also using the file extensions that are used by systemd for verity autodiscovery (e.g.: RootImage=img.raw will automatically use img.verity and img.roothash from the same directory, if present). Signed-off-by: Luca Boccassi --- diff --git a/sys-utils/mount.8.adoc b/sys-utils/mount.8.adoc index 8739628202..eadbaf666a 100644 --- a/sys-utils/mount.8.adoc +++ b/sys-utils/mount.8.adoc @@ -1542,13 +1542,12 @@ Supported since util-linux v2.35. For example commands: .... -mksquashfs /etc /tmp/etc.squashfs -dd if=/dev/zero of=/tmp/etc.hash bs=1M count=10 -veritysetup format /tmp/etc.squashfs /tmp/etc.hash -openssl smime -sign -in -nocerts -inkey private.key \ +mksquashfs /etc /tmp/etc.raw +veritysetup format /tmp/etc.raw /tmp/etc.verity --root-hash-file=/tmp/etc.roothash +openssl smime -sign -in /tmp/etc.roothash -nocerts -inkey private.key \ -signer private.crt -noattr -binary -outform der -out /tmp/etc.roothash.p7s -mount -o verity.hashdevice=/tmp/etc.hash,verity.roothash=,\ -verity.roothashsig=/tmp/etc.roothash.p7s /tmp/etc.squashfs /mnt +mount -o verity.hashdevice=/tmp/etc.verity,verity.roothashfile=/tmp/etc.roothash,\ +verity.roothashsig=/tmp/etc.roothash.p7s /tmp/etc.raw /mnt .... create squashfs image from _/etc_ directory, verity hash device and mount verified filesystem image to _/mnt_. The kernel will verify that the root hash is signed by a key from the kernel keyring if roothashsig is used.
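Review bot: The new `veritysetup format /tmp/etc.raw /tmp/etc.verity --root-hash-file=/tmp/etc.roothash` line makes the example depend on a veritysetup that accepts `--root-hash-file` and creates the hash file itself, yet the only version note in the surrounding text is "Supported since util-linux v2.35". A reader whose cryptsetup predates that option would see the example fail with no hint why, so consider stating the minimum cryptsetup version next to the example. The unchanged description after the block also does not explain the `.raw`/`.verity`/`.roothash` names. The commit message says they match systemd's verity autodiscovery, and one sentence to that effect in the manpage would make clear they are a convention rather than something mount requires. The description also omits the `openssl smime -sign` step, so the link between the generated `/tmp/etc.roothash.p7s` and `verity.roothashsig` stays implicit; naming the signing step there would close that gap.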