| parent |
|---|
Configuration |
Specifies the configuration for dm-verity integrity verification.
Note: Currently only root partition (/) is supported. Support for other partitions
(e.g. /usr) may be added in the future.
Note: The filesystem item pointing to this verity device, must
include the ro option in the mountPoint.options.
There are multiple ways to configure a verity enabled image. For recommendations, see Verity Image Recommendations.
Example:
storage:
bootType: efi
disks:
- partitionTableType: gpt
partitions:
- id: esp
type: esp
size: 8M
- id: boot
size: 1G
- id: root
size: 2G
- id: roothash
size: 100M
- id: var
size: 2G
verity:
- id: verityroot
name: root
dataDeviceId: root
hashDeviceId: roothash
corruptionOption: panic
filesystems:
- deviceId: esp
type: fat32
mountPoint:
path: /boot/efi
options: umask=0077
- deviceId: boot
type: ext4
mountPoint: /boot
- deviceId: verityroot
type: ext4
mountPoint:
path: /
options: ro
- deviceId: var
type: ext4
mountPoint: /var
os:
bootloader:
resetType: hard-resetRequired.
The ID of the verity object. This is used to correlate verity objects with filesystem objects.
Required.
The name of the device mapper block device.
The value must be:
rootfor root partition (i.e./)
The ID of the partition to use as the verity data partition.
The ID of the partition to use as the verity hash partition.
Optional.
Specifies how a mismatch between the hash and the data partition is handled.
Supported values:
io-error: Fails the I/O operation with an I/O error.ignore: Ignores the corruption and continues operation.panic: Causes the system to panic (print errors) and then try restarting.restart: Attempts to restart the system.
Default value: io-error.