[PATCH 00/11] dm: verity: Add transparent integrity checking target

Tobias Waldekranz tobias at waldekranz.com
Thu Sep 18 00:43:10 PDT 2025 

This series adds initial support for dm-verity. Notably, it does not
include any support for validation of any root hash signature. As
such, practical use in a production setting is still limited, unless
you have some other way of securely determining that the root hash is
valid.

3/11 is where the action is.

TL;DR: What follows is just a discussion about the future - it has
       nothing to do with the contents of this series.


Once this is in place, signature validation is next on my TODO. The
kernel accepts a PKCS7 signature for this purpose. This is therefore
also what Discoverable Partitions Specification (DPS) provides in its
<arch>-<part>-verity-sig partitions, which contain a NUL-padded JSON
document like this:

{
	"roothash": "0123456789abcdef...",
	"certificateFingerprint": "0123456789abcdef..",
	"signature": "MIIINQYJKo..."
}

To avoid having to integrate full ASN.1 + X509 parsing in Barebox, my
plan is:

1. Add support for (optionally) storing a certificate fingerprint
   along with a `struct public_key`. So at build time, we can note the
   fingerprint of keys that we include in the builtin keystore.

   We could also support parsing fingerprints from a DT. Not sure if
   this is needed.

2. Add a simplified PKCS7 validation function that relies on:
   a. Knowing which public key to use in advance, rather than
      determining it by walking the ASN.1 data.
   b. The last $KEY_LEN_BYTES of the PKCS7 blob holds the raw
      RFC4880§5.2.2 signature bytes that Barebox already knows how to
      verify.

3. Add a "dps-open" subcommand to veritysetup that only requires the
   partition to open and a name for the dm-verity device:

   veritysetup dps-open /dev/disk0.root os

   Based on the partition type UUID, we would then locate the
   corresponding -verity and -verity-sig partitions, parse the verity
   superblock, validate the signature and then create the dm-verity
   device.

Some other thoughts for the future (I have done no research here, so
some of this might already exist in Barebox and I just haven't
stumbled across it):

- Similar to the automounter, it would be good to have an
  "auto-dps-verityer" that will do the equivalent of `veritysetup
  dps-open` on the DPS partitions matching the current architecture.

- Having the ability to tag a partition as trusted, which could then
  be used to tag filesystems as such.

- Having a build-time option that limits booting to only be allowed
  from trusted filesystems.

Tobias Waldekranz (11):
  dm: Add helper to manage a lower device
  dm: linear: Refactor to make use of the generalized cdev management
  dm: verity: Add transparent integrity checking target
  dm: verity: Add helper to parse superblock information
  commands: veritysetup: Create dm-verity devices
  ci: pytest: Open up testfs to more consumers than the FIT test
  ci: pytest: Enable testfs feature on malta boards
  ci: pytest: Generate test data for dm-verity
  test: pytest: add basic dm-verity test
  ci: pytest: Centralize feature discovery to a separate step
  ci: pytest: Enable device-mapper labgrid tests

 .github/workflows/test-labgrid-pytest.yml     |  26 +-
 arch/mips/configs/qemu-malta_defconfig        |   4 +
 commands/Kconfig                              |  10 +
 commands/Makefile                             |   1 +
 commands/veritysetup.c                        | 123 +++++
 .../boards/configs/enable_dm_testing.config   |   9 +
 drivers/block/dm/Kconfig                      |   7 +
 drivers/block/dm/Makefile                     |   1 +
 drivers/block/dm/dm-core.c                    | 118 ++++
 drivers/block/dm/dm-linear.c                  |  64 +--
 drivers/block/dm/dm-target.h                  |  34 ++
 drivers/block/dm/dm-verity.c                  | 517 ++++++++++++++++++
 include/device-mapper.h                       |   5 +
 scripts/generate_testfs.sh                    |  64 ++-
 test/mips/be at qemu-malta_defconfig.yaml        |   1 +
 test/mips/qemu-malta64el_defconfig.yaml       |   1 +
 test/py/test_dm.py                            |  38 ++
 test/py/test_fit.py                           |   4 +-
 test/riscv/qemu-virt64 at rv64i_defconfig.yaml   |   1 +
 test/riscv/qemu at virt32_defconfig.yaml         |   1 +
 20 files changed, 968 insertions(+), 61 deletions(-)
 create mode 100644 commands/veritysetup.c
 create mode 100644 common/boards/configs/enable_dm_testing.config
 create mode 100644 drivers/block/dm/dm-verity.c
 create mode 100644 test/py/test_dm.py

-- 
2.43.0

More information about the barebox mailing list