[PATCH 05/11] commands: veritysetup: Create dm-verity devices

Tobias Waldekranz tobias at waldekranz.com
Thu Sep 18 00:43:15 PDT 2025


For hash devices that contain a superblock, parse it and set up a
dm-verity device based on that information.

Signed-off-by: Tobias Waldekranz <tobias at waldekranz.com>
---
 commands/Kconfig       |  10 ++++
 commands/Makefile      |   1 +
 commands/veritysetup.c | 123 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 134 insertions(+)
 create mode 100644 commands/veritysetup.c

diff --git a/commands/Kconfig b/commands/Kconfig
index 219f626c3e..1924016756 100644
--- a/commands/Kconfig
+++ b/commands/Kconfig
@@ -789,6 +789,16 @@ config CMD_UMOUNT
 
 	  Unmount a filesystem mounted on a specific MOINTPOINT
 
+config CMD_VERITYSETUP
+	tristate
+	depends on DM_BLK_VERITY
+	prompt "veritysetup"
+	help
+	  veritysetup - manage dm-verity volumes
+
+	  commands:
+	        open <data-dev> <name> <hash-dev> <root-hash>
+
 # end Partition commands
 endmenu
 
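Review bot: The help text under `config CMD_VERITYSETUP` lists only `open`, but the command added in commands/veritysetup.c in this same patch also dispatches `close` and `dump`. I would add `close <name>` and `dump <hash-dev>` under `commands:` so the Kconfig help matches the BAREBOX_CMD_HELP table that users see at runtime.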
diff --git a/commands/Makefile b/commands/Makefile
index 6b010fe30c..62dd8284cd 100644
--- a/commands/Makefile
+++ b/commands/Makefile
@@ -167,4 +167,5 @@ obj-$(CONFIG_CMD_PARTED)	+= parted.o
 obj-$(CONFIG_CMD_EFI_HANDLE_DUMP)	+= efi_handle_dump.o
 obj-$(CONFIG_CMD_HOST)		+= host.o
 obj-$(CONFIG_CMD_DMSETUP)	+= dmsetup.o
+obj-$(CONFIG_CMD_VERITYSETUP)	+= veritysetup.o
 UBSAN_SANITIZE_ubsan.o := y
diff --git a/commands/veritysetup.c b/commands/veritysetup.c
new file mode 100644
index 0000000000..99f27278f8
--- /dev/null
+++ b/commands/veritysetup.c
@@ -0,0 +1,123 @@
+// SPDX-License-Identifier: GPL-2.0-only
+// SPDX-FileCopyrightText: © 2025 Tobias Waldekranz <tobias at waldekranz.com>, Wires
+
+#include <command.h>
+#include <device-mapper.h>
+#include <libfile.h>
+#include <stdio.h>
+
+static int veritysetup_dump(int argc, char *argv[])
+{
+	char *config;
+
+	if (argc != 1)
+		return COMMAND_ERROR_USAGE;
+
+	config = dm_verity_config_from_sb("<data-dev>", argv[0], "<root-hash>");
+	if (IS_ERR(config)) {
+		printf("Invalid or missing superblock: %pe\n", config);
+		return COMMAND_ERROR;
+	}
+
+	puts(config);
+	free(config);
+	return COMMAND_SUCCESS;
+}
+
+static struct dm_device *veritysetup_find(const char *name)
+{
+	struct dm_device *dm;
+
+	dm = dm_find_by_name(name);
+	if (IS_ERR_OR_NULL(dm)) {
+		printf("Found no device named \"%s\"\n", name);
+		return NULL;
+	}
+
+	return dm;
+}
+
+static int veritysetup_close(int argc, char *argv[])
+{
+	struct dm_device *dm;
+
+	if (argc != 1)
+		return COMMAND_ERROR_USAGE;
+
+	dm = veritysetup_find(argv[0]);
+	if (!dm)
+		return COMMAND_ERROR;
+
+	dm_destroy(dm);
+
+	printf("Removed %s\n", argv[0]);
+	return COMMAND_SUCCESS;
+}
+
+static int veritysetup_open(int argc, char *argv[])
+{
+	struct dm_device *dm;
+	char *config;
+
+	if (argc != 4)
+		return COMMAND_ERROR_USAGE;
+
+	config = dm_verity_config_from_sb(argv[0], argv[2], argv[3]);
+	if (IS_ERR(config)) {
+		printf("Invalid or missing superblock: %pe\n", config);
+		return COMMAND_ERROR;
+	}
+
+	dm = dm_create(argv[1], config);
+	free(config);
+	if (IS_ERR_OR_NULL(dm)) {
+		printf("Failed to create %s: %pe\n", argv[1], dm);
+		return COMMAND_ERROR;
+	}
+
+	printf("Created %s\n", argv[1]);
+	return COMMAND_SUCCESS;
+}
+
+static int do_veritysetup(int argc, char *argv[])
+{
+	const char *cmd;
+
+	if (argc < 2)
+		return COMMAND_ERROR_USAGE;
+
+	cmd = argv[1];
+	argc -= 2;
+	argv += 2;
+
+	if (!strcmp(cmd, "open"))
+		return veritysetup_open(argc, argv);
+	else if (!strcmp(cmd, "close"))
+		return veritysetup_close(argc, argv);
+	else if (!strcmp(cmd, "dump"))
+		return veritysetup_dump(argc, argv);
+
+	printf("Unknown command: %s\n", cmd);
+	return -EINVAL;
+}
+
+BAREBOX_CMD_HELP_START(veritysetup)
+BAREBOX_CMD_HELP_TEXT("veritysetup - manage dm-verity volumes")
+BAREBOX_CMD_HELP_TEXT("")
+BAREBOX_CMD_HELP_TEXT("Layers a transparent integrity layer on top of an existing")
+BAREBOX_CMD_HELP_TEXT("device, backed by a Merkle tree whose root hash must be")
+BAREBOX_CMD_HELP_TEXT("verified by an externally provided signature")
+BAREBOX_CMD_HELP_TEXT("")
+BAREBOX_CMD_HELP_TEXT("commands:")
+BAREBOX_CMD_HELP_OPT("open <data-dev> <name> <hash-dev> <root-hash>", "Create new device")
+BAREBOX_CMD_HELP_OPT("close <name>", "Remove device")
+BAREBOX_CMD_HELP_OPT("dump <hash-dev>", "Dump superblock information")
+BAREBOX_CMD_HELP_END
+
+BAREBOX_CMD_START(veritysetup)
+	.cmd = do_veritysetup,
+	BAREBOX_CMD_DESC("manage dm-verity volumes")
+	BAREBOX_CMD_OPTS("<command> [args...]")
+	BAREBOX_CMD_GROUP(CMD_GRP_PART)
+	BAREBOX_CMD_HELP(cmd_veritysetup_help)
+BAREBOX_CMD_END
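Review bot: Nothing in `veritysetup_open` authenticates `<root-hash>`: `argv[3]` is handed straight to `dm_verity_config_from_sb()` and the result to `dm_create()`, so the integrity guarantee of the new device rests entirely on where the caller got that string. The help text says the root hash "must be verified by an externally provided signature" but does not say who performs that check. I would make the caller's responsibility explicit, e.g. `BAREBOX_CMD_HELP_TEXT("This command does not verify <root-hash>; the caller must authenticate it first")`, and add a comment above `veritysetup_open` noting that the superblock read from `<hash-dev>` is presumably parsed before anything has been verified and should be treated as untrusted input. Separately, the unknown-command path in `do_veritysetup` returns `-EINVAL` while every other usage error in the file returns `COMMAND_ERROR_USAGE`; `return COMMAND_ERROR_USAGE;` would be consistent. Also, `strcmp`, `free`, `IS_ERR` and `EINVAL` are used without a visible include for them, so unless `command.h` or `device-mapper.h` pull them in, the file relies on transitive headers.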
-- 
2.43.0



