Provided by: cryptsetup-bin_1.6.6-5ubuntu2_amd64 bug

NAME

       veritysetup - manage dm-verity (block level verification) volumes

SYNOPSIS

       veritysetup <options> <action> <action args>

DESCRIPTION

       Veritysetup is used to configure dm-verity managed device-mapper mappings.

       Device-mapper  verity  target  provides  read-only transparent integrity checking of block
       devices using kernel crypto API.

       The dm-verity devices are always read-only.

       Veritysetup supports these operations:

       format <data_device> <hash_device>

              Calculates and permanently stores hash verification  data  for  data_device.   Hash
              area  can  be  located  on the same device after data if specified by --hash-offset
              option.

              Note you need to provide root hash string for device  verification  or  activation.
              Root hash must be trusted.

              The data or hash device argument can be block device or file image.  If hash device
              path doesn't exist, it will be created as file.

              <options> can be [--hash,  --no-superblock,  --format,  --data-block-size,  --hash-
              block-size, --data-blocks, --hash-offset, --salt, --uuid]

       create <name> <data_device> <hash_device> <root_hash>

              Creates   a   mapping   with  <name>  backed  by  device  <data_device>  and  using
              <hash_device> for in-kernel verification.

              The <root_hash> is a hexadecimal string.

              <options> can be [--hash-offset, --no-superblock]

              If option --no-superblock is used, you have to  use  as  the  same  options  as  in
              initial format operation.

       verify <data_device> <hash_device> <root_hash>

              Verifies data on data_device with use of hash blocks stored on hash_device.

              This command performs userspace verification, no kernel device is created.

              The <root_hash> is a hexadecimal string.

              <options> can be [--hash-offset, --no-superblock]

              If  option  --no-superblock  is  used,  you  have  to use as the same options as in
              initial format operation.

       remove <name>

              Removes existing mapping <name>.

       status <name>

              Reports status for the active verity mapping <name>.

       dump <hash_device>

              Reports parameters of verity device from on-disk stored superblock.

              <options> can be [--no-superblock]

OPTIONS

       --verbose, -v
              Print more information on command execution.

       --debug
              Run in debug mode with full diagnostic logs. Debug output lines are always prefixed
              by '#'.

       --no-superblock
              Create or use dm-verity without permanent on-disk superblock.

       --format=number
              Specifies  the  hash  version  type.   Format  type 0 is original Chrome OS verion.
              Format type 1 is current version.

       --data-block-size=bytes
              Used block size for the data device.   (Note  kernel  supports  only  page-size  as
              maximum here.)

       --hash-block-size=bytes
              Used  block  size  for  the  hash  device.  (Note kernel supports only page-size as
              maximum here.)

       --data-blocks=blocks
              Size of data device used in verification.  If not specified, the  whole  device  is
              used.

       --hash-offset=bytes
              Offset  of  hash  area/superblock  on  hash_device.   Value must be aligned to disk
              sector offset.

       --salt=hex string
              Salt used for format or verification.  Format is a hexadecimal string.

       --uuid=UUID
              Use the provided UUID for format command instead of generating new one.

              The    UUID    must    be    provided    in    standard    UUID    format,     e.g.
              12345678-1234-1234-1234-123456789abc.

       --version
              Show the program version.

RETURN CODES

       Veritysetup returns 0 on success and a non-zero value on error.

       Error  codes  are:  1  wrong  parameters, 2 no permission, 3 out of memory, 4 wrong device
       specified, 5 device already exists or device is busy.

REPORTING BUGS

       Report bugs, including ones in the documentation, on the cryptsetup mailing list  at  <dm-
       crypt@saout.de>  or  in the 'Issues' section on LUKS website.  Please attach the output of
       the failed command with the --debug option added.

AUTHORS

       The first implementation of veritysetup was written by Chrome OS authors.

       This   version   is   based   on   verification   code   written   by   Mikulas    Patocka
       <mpatocka@redhat.com> and rewritten for libcryptsetup by Milan Broz <gmazyland@gmail.com>.

COPYRIGHT

       Copyright © 2012-2013 Red Hat, Inc.
       Copyright © 2012-2014 Milan Broz

       This  is  free software; see the source for copying conditions.  There is NO warranty; not
       even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

SEE ALSO

       The project website at http://code.google.com/p/cryptsetup/

       The       verity       on-disk       format       specification        available        at
       http://code.google.com/p/cryptsetup/wiki/DMVerity