我们将 dm-verity 用于 squashfs 根文件系统。
使用内核 4.8.4 一切正常,升级到内核 4.14.14 后挂载失败,即使该veritysetup verify
命令验证了映像。
# veritysetup verify /dev/mmcblk0p5 /dev/mmcblk0p6 --hash-offset 4096 d35f95a4
b47c92332fbcf5aced9c4ed58eb2d5115bad4aa52bd9d64cc0ee676b --debug
# cryptsetup 1.7.4 processing "veritysetup verify /dev/mmcblk0p5 /dev/mmcblk0p6 --hash-offset 4096 d35f95a4b47c92332fbcf5aced9c4ed58eb2d5115bad4aa52bd9d64cc0ee676b --debug"
# Running command verify.
# Allocating crypt device /dev/mmcblk0p6 context.
# Trying to open and read device /dev/mmcblk0p6 with direct-io.
# Initialising device-mapper backend library.
# Trying to load VERITY crypt type from device /dev/mmcblk0p6.
# Crypto backend (OpenSSL 1.0.2m 2 Nov 2017) initialized in cryptsetup library version 1.7.4.
# Detected kernel Linux 4.14.14-yocto-standard armv7l.
# Reading VERITY header of size 512 on device /dev/mmcblk0p6, offset 4096.
# Setting ciphertext data device to /dev/mmcblk0p5.
# Trying to open and read device /dev/mmcblk0p5 with direct-io.
# Activating volume [none] by volume key.
# Trying to activate VERITY device [none] using hash sha256.
# Verification of data in userspace required.
# Hash verification sha256, data device /dev/mmcblk0p5, data blocks 10462, hash_device /dev/mmcblk0p6, offset 2.
# Using 2 hash levels.
# Data device size required: 42852352 bytes.
# Hash device size required: 348160 bytes.
# Verification of data area succeeded.
# Verification of root hash succeeded.
# Releasing crypt device /dev/mmcblk0p6 context.
# Releasing device-mapper backend.
Command successful.
# veritysetup create vroot /dev/mmcblk0p5 /dev/mmcblk0p6 --hash-offset 4096 d3
5f95a4b47c92332fbcf5aced9c4ed58eb2d5115bad4aa52bd9d64cc0ee676b --debug
# mount -o ro /dev/mapper/vroot /mnt/
device-mapper: verity: 179:5: metadata block 2 is corrupted
EXT4-fs (dm-0): unable to read superblock
device-mapper: verity: 179:5: metadata block 2 is corrupted
EXT4-fs (dm-0): unable to read superblock
device-mapper: verity: 179:5: metadata block 2 is corrupted
EXT4-fs (dm-0): unable to read superblock
device-mapper: verity: 179:5: metadata block 2 is corrupted
SQUASHFS error: squashfs_read_data failed to read block 0x0
squashfs: SQUASHFS error: unable to read squashfs_super_block
device-mapper: verity: 179:5: metadata block 2 is corrupted
FAT-fs (dm-0): unable to read boot sector
mount: mounting /dev/mapper/vroot on /mnt/ failed: Input/output error
dmesg 中出现相同的错误消息。以上命令在目标设备上运行。
在我的主机Debian 8(内核 3.16.0-5)上,使用最终位于 /dev/mmcblk0p5 和 /dev/mmcblk0p6 中的文件,我能够设置一切正常工作:
# veritysetup create vroot rootfs-image.squashfs rootfs-image.hashtbl --hash-offset 4096 d35f95a4b47c92332fbcf5aced9c4ed58eb2d5115bad4aa52bd9d64cc0ee676b
# mount /dev/mapper/vroot /tmp/mnt
通过查看,
/proc/crypto
我发现有两个提供 sha256 的模块:一个来自 Atmel,一个来自通用:通过禁用内核中的 Atmel SHA 硬件加速器
CONFIG_CRYPTO_DEV_ATMEL_SHA=n
,它将使用通用实现,然后一切正常。似乎从 Kernel 4.8.4 到 Kernel 4.14.14 发生了一些改变,这会破坏事情。那是另一个问题...