# DM-verity

Source: [https://docs.qualcomm.com/doc/80-88500-4/topic/80_DM_verity.html](https://docs.qualcomm.com/doc/80-88500-4/topic/80_DM_verity.html)

The device mapper (DM) is an infrastructure in the Linux kernel that provides a generic way to create virtual layers of block devices. The dm-verity target provides read-only, transparent integrity checking of block devices using the kernel crypto API.

DM-verity uses a tree of hashes to sign the entire system partition with a single signature.

The DM-verity scheme allows data to be verified as it is read, rather than requiring the entire partition to be verified before it can be used. If the block of data is verified, the read succeeds; if the data is not verified, an input/output (I/O) error is generated as if the block was physically corrupt.
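The read-time check described above, as an added example that is not part of the Qualcomm documentation: a simplified Python model of a verity-style hash tree. The 4096-byte block size, SHA-256, unsalted hashing and all function names are assumptions of the example; the root hash stands in for the value covered by the single signature and is treated as already trusted.

```python
import hashlib

BLOCK = 4096                                  # data/hash block size (assumed)
DIGEST = hashlib.sha256().digest_size         # 32 bytes
FANOUT = BLOCK // DIGEST                      # 128 digests per hash block

def _h(block: bytes) -> bytes:
    return hashlib.sha256(block).digest()     # unsalted, for brevity

def build_tree(data: bytes):
    """Return (levels, root); levels[0] is the hash blocks covering the data."""
    if not data or len(data) % BLOCK:
        raise ValueError("data must be a non-empty multiple of BLOCK")
    hashes = [_h(data[i:i + BLOCK]) for i in range(0, len(data), BLOCK)]
    levels = []
    while True:
        # Pack digests into zero-padded hash blocks, then hash those blocks.
        blocks = [b"".join(hashes[i:i + FANOUT]).ljust(BLOCK, b"\0")
                  for i in range(0, len(hashes), FANOUT)]
        levels.append(blocks)
        hashes = [_h(b) for b in blocks]
        if len(blocks) == 1:
            return levels, hashes[0]          # root: the value that is signed

def verified_read(data: bytes, levels, root: bytes, n: int) -> bytes:
    """Return data block n only if its hash path leads to the trusted root."""
    block = data[n * BLOCK:(n + 1) * BLOCK]
    digest, idx = _h(block), n
    for level in levels:
        hash_block = level[idx // FANOUT]
        off = (idx % FANOUT) * DIGEST
        if hash_block[off:off + DIGEST] != digest:
            raise OSError(5, f"block {n}: hash mismatch")   # surfaces as EIO
        digest, idx = _h(hash_block), idx // FANOUT
    if digest != root:
        raise OSError(5, f"block {n}: root hash mismatch")
    return block

def demo():
    # Constructed sample image: 300 blocks, so the tree has two levels.
    image = b"".join(i.to_bytes(4, "big") * (BLOCK // 4) for i in range(300))
    levels, root = build_tree(image)
    tampered = bytearray(image)
    tampered[200 * BLOCK] ^= 0x01             # flip one bit in block 200
    try:
        verified_read(bytes(tampered), levels, root, 200)
    except OSError as exc:
        return len(levels), exc.errno
    return len(levels), None
```

Only the blocks on the path from the requested data block to the root are hashed, which is why a read can be checked without verifying the whole partition first.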

The DM-verity documentation can be found at `KERNEL_SRC/Documentation/device-mapper/verity.txt`. For more information, see [https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity](https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity).

## Feature delivery

The DM-verity feature is delivered as a distro feature: `DISTRO_FEATURES += "dm-verity"`.

The following combinations are supported by the DM-verity feature:

- LEPDK + UEFI bootloader combination
    For this combination, choose the DM-verity kernel driver and pass the driver-specific parameters as required.
- In the kernel configuration file, the dm-verity kernel driver is added by using the configuration `CONFIG_DM_VERITY=y`.
- By default, the system partition is signed with a private key in PKCS #8 syntax, which is a standard syntax for storing private key information.
- The private key in PKCS #8 syntax is available at `poky/meta-qti-bsp/recipes-devtools/verity-utils/verity.pk8`.

## Mandatory checkpoint

Do the following:

- LEPDK and UEFI bootloader combination
    - Generate the private key that is in PKCS #8 syntax: `verity.pk8`
    - Replace the existing private key at `poky/meta-qti-bsp/recipes-devtools/verity-utils/verity.pk8`

## Impact of storage, memory, and performance

- Storage: 32 KB (metadata) + around 3 MB (for hash storage of 3 GB system partition)
- Memory: Recovery of lost memory up to 16 GB to 24 MB of consecutive blocks anywhere on a typical 2 GB to 3 GB system partition, with 0.8% memory overhead and no performance impact unless corruption is detected.
- Performance (only if corruption is detected): On a 2 GB partition, performance impact includes reading extra 2000 blocks that have encoded (corrected) data.

## Generate verity keys

To generate the verity keys, do the following:

- Generate the `verity.priv` private key.

        openssl genrsa -f4 2048 > verity.priv

    Do not disclose or distribute this key.

- Generate the public key certificate for `verity.priv`.

        openssl req -new -x509 -sha256 -key verity.priv -out verity.x509.pem -days 10000 -subj "/C=US/ST=California/L=Mountain View/O=ubuntu/OU=ubuntu/CN=ubuntu/emailAddress=ubuntu@ubuntu.com"

    Note: Customize the `-subj` option string as required.

- Create the `verity.pk8` file in the PKCS #8 syntax of the `verity.priv` private key.

        openssl pkcs8 -in verity.priv -topk8 -outform DER -out verity.pk8 -nocrypt

    Because `-nocrypt` writes the key unencrypted, protect `verity.pk8` as carefully as `verity.priv`.

Last Published: Aug 18, 2023
