author: Luca Boccassi <luca.boccassi@microsoft.com> 2020-05-29 17:51:20 +0100
committer: Luca Boccassi <luca.boccassi@microsoft.com> 2020-06-09 12:19:21 +0100
commit: e7cbe5cb9e7d246474dcee1d8e759ed3c8786913 (patch)
tree: 79db422f24c020d05f224a86af620321d47ad4d9 /man/systemd-nspawn.xml
parent: b1806441bbf72fb227f41767ceaf2d6330701f51 (diff)
download: systemd-e7cbe5cb9e7d246474dcee1d8e759ed3c8786913.tar.gz
dissect: support single-filesystem verity images with external verity hash
dm-verity support in dissect-image at the moment is restricted to GPT volumes. If the image is a single-filesystem type without a partition table (e.g. squashfs) and a roothash/verity file are passed, set the verity flag and mark as read-only.
Diffstat (limited to 'man/systemd-nspawn.xml')
-rw-r--r-- man/systemd-nspawn.xml 20
1 files changed, 18 insertions, 2 deletions
diff --git a/man/systemd-nspawn.xml b/man/systemd-nspawn.xml
index f9cc5a8828..72d2f1e4ba 100644
--- a/man/systemd-nspawn.xml
+++ b/man/systemd-nspawn.xml
@@ -302,6 +302,10 @@
hash partitions are set up if the root hash for them is specified using the <option>--root-hash=</option>
option.</para>
+ <para>Single file system images (i.e. file systems without a surrounding partition table) can be opened using
+ dm-verity if the integrity data is passed using the <option>--root-hash=</option> and
+ <option>--verity-data=</option> options.</para>
+
<para>Any other partitions, such as foreign partitions or swap partitions are not mounted. May not be specified
together with <option>--directory=</option>, <option>--template=</option>.</para></listitem>
</varlistentry>
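Review bot: the new paragraph omits the read-only consequence that the commit message describes ("set the verity flag and mark as read-only"), so a reader of the man page cannot tell that a single-file-system image opened with dm-verity cannot be written to. Consider extending the added sentence, e.g. "... and <option>--verity-data=</option> options; such images are then mounted read-only." It would also help to state that both options are required together here (the root hash alone is not enough, since a partition-table-less image carries no hash partition), which is what the wording "if the integrity data is passed using ... and ..." implies but does not say outright.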
@@ -390,8 +394,20 @@
project='man-pages'><refentrytitle>xattr</refentrytitle><manvolnum>7</manvolnum></citerefentry>), then the root
hash is read from it, also as formatted hexadecimal characters. If the extended file attribute is not found (or
is not supported by the underlying file system), but a file with the <filename>.roothash</filename> suffix is
- found next to the image file, bearing otherwise the same name, the root hash is read from it and automatically
- used, also as formatted hexadecimal characters.</para></listitem>
+ found next to the image file, bearing otherwise the same name (except if the image has the
+ <filename>.raw</filename> suffix, in which case the root hash file must not have it in its name), the root hash
+ is read from it and automatically used, also as formatted hexadecimal characters.</para></listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><option>--verity-data=</option></term>
+
+ <listitem><para>Takes the path to a data integrity (dm-verity) file. This option enables data integrity checks
+ using dm-verity, if a root-hash is passed and if the used image itself does not contains the integrity data.
+ The integrity data must be matched by the root hash. If this option is not specified, but a file with the
+ <filename>.verity</filename> suffix is found next to the image file, bearing otherwise the same name (except if
+ the image has the <filename>.raw</filename> suffix, in which case the verity data file must not have it in its name),
+ the verity data is read from it and automatically used.</para></listitem>
</varlistentry>
<varlistentry>
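Review bot: typo in the new <option>--verity-data=</option> description: "if the used image itself does not contains the integrity data" should read "does not contain". In the same paragraph, "if a root-hash is passed" is inconsistent with the "root hash" spelling used everywhere else in this file, and "The integrity data must be matched by the root hash" reads more naturally as "The root hash must match the integrity data." The .raw-suffix rule added to the <option>--root-hash=</option> paragraph is repeated almost verbatim for the .verity file; a single sentence covering both sidecar files (e.g. "For an image named foo.raw the files are foo.roothash and foo.verity") would keep the two descriptions from drifting apart in future edits.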