| author | Gaël PORTAY <gael.portay@collabora.com> | 2020-11-14 09:21:39 -0500 |
|---|---|---|
| committer | Gaël PORTAY <gael.portay@collabora.com> | 2021-01-15 11:06:11 -0500 |
| commit | 08b04ec7e72b7327b4803809732b1b8fce8dd069 (patch) | |
| tree | 178f69b3a8fcd6b85604ac1f92fe2add48be1fed /man/systemd.special.xml | |
| parent | 0141102f104cbb2e469b0e8b946681887e2495f2 (diff) | |
| download | systemd-08b04ec7e72b7327b4803809732b1b8fce8dd069.tar.gz | |
veritysetup-generator: add support for veritytab
This adds support for veritytab.
The veritytab file contains at most five fields, the first four are
mandatory, the last one is optional:
- The first field contains the name of the resulting verity volume; its
block device is set up under /dev/mapper/.
- The second field contains a path to the underlying block data device,
or a specification of a block device via UUID= followed by the UUID.
- The third field contains a path to the underlying block hash device,
or a specification of a block device via UUID= followed by the UUID.
- The fourth field is the roothash in hexadecimal.
- The fifth field, if present, is a comma-delimited list of options.
The following options are recognized only: ignore-corruption,
restart-on-corruption, panic-on-corruption, ignore-zero-blocks,
check-at-most-once and root-hash-signature. The other options will
be implemented later.
Also, this adds support for the new kernel verity command line boolean
option "veritytab" which enables the read for veritytab, and the new
environment variable SYSTEMD_VERITYTAB which sets the path to the file
veritytab to read.
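The commit message above describes the veritytab layout field by field. As an added example, not code from this commit or from systemd, here is a small validator that parses lines in that layout and reports entries a generator would have to reject: wrong field count, a device specification that is neither an absolute path nor `UUID=`, a root hash that is not hexadecimal, an unrecognized option, or two conflicting corruption-handling modes. It assumes, beyond what the commit message states, that fields are whitespace-separated, that `#` starts a comment, that options may carry an `=value` suffix, that `_netdev` (which the man page text on this page uses to route entries to `remote-veritysetup.target`) is accepted, and that `root-hash-signature` takes a value; the sample veritytab is constructed.

```python
"""Validate veritytab entries against the layout described in the commit message.

Added example, not systemd code. Assumptions not stated on the page: fields are
whitespace-separated, '#' starts a comment, options may carry '=value', _netdev
is accepted, and root-hash-signature takes a value (path to the signature).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Options the commit message says this generator version recognizes.
RECOGNIZED_OPTIONS = {
    "ignore-corruption", "restart-on-corruption", "panic-on-corruption",
    "ignore-zero-blocks", "check-at-most-once", "root-hash-signature",
    # _netdev is what the man page text uses to select remote-veritysetup.target,
    # so it is accepted here as well (assumption).
    "_netdev",
}
# At most one way of reacting to a corrupted block can be in effect.
CORRUPTION_MODES = {"ignore-corruption", "restart-on-corruption", "panic-on-corruption"}

UUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)


@dataclass
class VerityEntry:
    name: str
    data_device: str
    hash_device: str
    root_hash: str
    options: Dict[str, Optional[str]] = field(default_factory=dict)
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def _check_device(spec: str, which: str, problems: List[str]) -> None:
    """Second and third fields: an absolute path or UUID=<uuid>."""
    if spec.startswith("UUID="):
        if not UUID_RE.match(spec[len("UUID="):]):
            problems.append(f"{which} device: malformed UUID in {spec!r}")
    elif not spec.startswith("/"):
        problems.append(f"{which} device: expected an absolute path or UUID=..., got {spec!r}")


def parse_veritytab_line(line: str) -> Optional[VerityEntry]:
    """Parse one line; returns None for blank and comment lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if not 4 <= len(fields) <= 5:
        return VerityEntry(fields[0], "", "", "",
                           problems=[f"expected 4 or 5 fields, got {len(fields)}"])
    name, data_dev, hash_dev, root_hash = fields[:4]
    problems: List[str] = []
    # The name becomes the last component of /dev/mapper/<name>, so it must be a plain file name.
    if "/" in name or name in (".", ".."):
        problems.append(f"volume name {name!r} is not a plain file name")
    _check_device(data_dev, "data", problems)
    _check_device(hash_dev, "hash", problems)
    # Fourth field: the root hash in hexadecimal (even length, i.e. whole bytes).
    if not HEX_RE.match(root_hash) or len(root_hash) % 2:
        problems.append(f"root hash {root_hash!r} is not an even-length hex string")
    options: Dict[str, Optional[str]] = {}
    if len(fields) == 5:
        for opt in filter(None, fields[4].split(",")):
            key, _, value = opt.partition("=")
            if key not in RECOGNIZED_OPTIONS:
                problems.append(f"option {key!r} is not recognized")
            options[key] = value or None
    modes = sorted(options.keys() & CORRUPTION_MODES)
    if len(modes) > 1:
        problems.append("conflicting corruption-handling options: " + ", ".join(modes))
    if "root-hash-signature" in options and options["root-hash-signature"] is None:
        problems.append("root-hash-signature needs a value (assumed: path to the signature)")
    return VerityEntry(name, data_dev, hash_dev, root_hash, options, problems)


def parse_veritytab(text: str) -> List[VerityEntry]:
    return [e for e in map(parse_veritytab_line, text.splitlines()) if e is not None]


# Constructed sample, not taken from any real system.
SAMPLE_VERITYTAB = """\
# <volume> <data device> <hash device> <root hash> [options]
root  /dev/sda2  /dev/sda3  0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
usr   UUID=1f0a2b3c-4d5e-6f70-8192-a3b4c5d6e7f8  UUID=2f0a2b3c-4d5e-6f70-8192-a3b4c5d6e7f9  deadbeef  panic-on-corruption,ignore-zero-blocks
data  /dev/sdb1  /dev/sdb2  c0ffee  ignore-corruption,panic-on-corruption,foo
bad   /dev/sdc1  /dev/sdc2  not-hex
nas   UUID=3f0a2b3c-4d5e-6f70-8192-a3b4c5d6e7f0  UUID=4f0a2b3c-4d5e-6f70-8192-a3b4c5d6e7f1  abcd  root-hash-signature=/etc/verity/nas.sig,_netdev
"""

if __name__ == "__main__":
    for entry in parse_veritytab(SAMPLE_VERITYTAB):
        print(f"{entry.name}: {'ok' if entry.ok else '; '.join(entry.problems)}")
```

Running the block lints the constructed sample: `root`, `usr` and `nas` pass, `data` is flagged for both the unknown option and the two conflicting corruption modes, and `bad` is flagged for its non-hex root hash. The hex check deliberately does not pin the hash length, since the commit message only says "in hexadecimal"; a deployment-specific linter could additionally require the digest size of the hash algorithm in use.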
Diffstat (limited to 'man/systemd.special.xml')
-rw-r--r-- | man/systemd.special.xml | 37 |
1 files changed, 35 insertions, 2 deletions
diff --git a/man/systemd.special.xml b/man/systemd.special.xml index e731c9ced2..ce1e8655f5 100644 --- a/man/systemd.special.xml +++ b/man/systemd.special.xml @@ -25,6 +25,8 @@ <filename>bluetooth.target</filename>, <filename>cryptsetup-pre.target</filename>, <filename>cryptsetup.target</filename>, + <filename>veritysetup-pre.target</filename>, + <filename>veritysetup.target</filename>, <filename>ctrl-alt-del.target</filename>, <filename>blockdev@.target</filename>, <filename>boot-complete.target</filename>, @@ -60,6 +62,7 @@ <filename>printer.target</filename>, <filename>reboot.target</filename>, <filename>remote-cryptsetup.target</filename>, + <filename>remote-veritysetup.target</filename>, <filename>remote-fs-pre.target</filename>, <filename>remote-fs.target</filename>, <filename>rescue.target</filename>, @@ -187,6 +190,13 @@ </listitem> </varlistentry> <varlistentry> + <term><filename>veritysetup.target</filename></term> + <listitem> + <para>A target that pulls in setup services for all + verity integrity protected block devices.</para> + </listitem> + </varlistentry> + <varlistentry> <term><filename>dbus.service</filename></term> <listitem> <para>A special unit for the D-Bus bus daemon. As soon as @@ -553,6 +563,15 @@ </listitem> </varlistentry> <varlistentry> + <term><filename>remote-veritysetup.target</filename></term> + <listitem> + <para>Similar to <filename>veritysetup.target</filename>, but for verity + integrity protected devices which are accessed over the network. It is used for + <citerefentry><refentrytitle>veritytab</refentrytitle><manvolnum>8</manvolnum></citerefentry> + entries marked with <option>_netdev</option>.</para> + </listitem> + </varlistentry> + <varlistentry> <term><filename>remote-fs.target</filename></term> <listitem> <para>Similar to <filename>local-fs.target</filename>, but 
@@ -855,7 +874,8 @@ <listitem><para>This template unit is used to order mount units and other consumers of block devices after services that synthesize these block devices. In particular, this is intended to be used with storage services (such as - <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>) + <citerefentry><refentrytitle>systemd-cryptsetup@.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>/ + <citerefentry><refentrytitle>systemd-veritysetup@.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>) that allocate and manage a virtual block device. Storage services are ordered before an instance of <filename>blockdev@.target</filename>, and the consumer units after it. The ordering is particularly relevant during shutdown, as it ensures that the mount is deactivated first and the @@ -880,6 +900,19 @@ </listitem> </varlistentry> <varlistentry> + <term><filename>veritysetup-pre.target</filename></term> + <listitem> + <para>This passive target unit may be pulled in by services + that want to run before any verity integrity protected block + device is set up. All verity integrity protected block + devices are set up after this target has been reached. Since + the shutdown order is implicitly the reverse start-up order + between units, this target is particularly useful to ensure + that a service is shut down only after all verity integrity + protected block devices are fully stopped.</para> + </listitem> + </varlistentry> + <varlistentry> <term><filename>first-boot-complete.target</filename></term> <listitem> <para>This passive target is intended as a synchronization point for units that need to run once 
@@ -972,7 +1005,7 @@ <term><filename>remote-fs-pre.target</filename></term> <listitem> <para>This target unit is automatically ordered before all - mount point units (see above) and cryptsetup devices + mount point units (see above) and cryptsetup/veritysetup devices marked with the <option>_netdev</option>. It can be used to run certain units before remote encrypted devices and mounts are established. Note that this unit is generally not part of the initial |
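Review bot: in the `@@ -187,6 +190,13 @@` hunk, the new `veritysetup.target` description ("A target that pulls in setup services for all verity integrity protected block devices") does not say where those services come from, while the `remote-veritysetup.target` entry added later in this patch does cite `veritytab` and `_netdev`. Consider adding a matching citerefentry to `veritytab` here (and, if it has a man page, to the generator named in the commit subject) so a reader of this page knows which configuration populates the target.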
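Review bot: in the `@@ -553,6 +563,15 @@` hunk, `<citerefentry><refentrytitle>veritytab</refentrytitle><manvolnum>8</manvolnum></citerefentry>` cites veritytab in section 8, but the commit message describes veritytab as a configuration file with five fields that the generator reads, and file-format pages conventionally live in section 5 (as crypttab does). Check the section the new veritytab page is actually installed under and make the manvolnum match it.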
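Review bot: in the `@@ -855,7 +874,8 @@` hunk, the added `systemd-veritysetup@.service` citerefentry copies `<manvolnum>5</manvolnum>` from the neighbouring `systemd-cryptsetup@.service` line, while the previous hunk cites `veritytab` with `<manvolnum>8</manvolnum>`; the two service units and the configuration file are now cited in sections that look swapped relative to each other, so verify both against the installed pages. Separately, joining the two citerefentries with a bare `/` inside "(such as ... )" reads awkwardly in rendered output; "or" between the two entries would be clearer.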
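Review bot: in the `@@ -972,7 +1005,7 @@` hunk, the changed line now covers "cryptsetup/veritysetup devices marked with the `_netdev`", but the sentence that follows it is unchanged and still says the target "can be used to run certain units before remote encrypted devices and mounts are established". Verity devices are integrity protected rather than encrypted, so that sentence should be updated in the same way, for example "before remote encrypted or integrity protected devices and mounts are established".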