2016-12-16 14:57:44 +03:00
<?xml version="1.0"?>
<!-- * - nxml - * -->
2019-03-14 16:40:58 +03:00
< !DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
2020-11-09 07:23:58 +03:00
<!-- SPDX - License - Identifier: LGPL - 2.1 - or - later -->
2016-12-16 14:57:44 +03:00
<refentry id= "systemd-veritysetup-generator" conditional= 'HAVE_LIBCRYPTSETUP' >
<refentryinfo >
<title > systemd-veritysetup-generator</title>
<productname > systemd</productname>
</refentryinfo>
<refmeta >
<refentrytitle > systemd-veritysetup-generator</refentrytitle>
<manvolnum > 8</manvolnum>
</refmeta>
<refnamediv >
<refname > systemd-veritysetup-generator</refname>
2021-10-13 22:18:12 +03:00
<refpurpose > Unit generator for verity protected block devices</refpurpose>
2016-12-16 14:57:44 +03:00
</refnamediv>
<refsynopsisdiv >
<para > <filename > /usr/lib/systemd/system-generators/systemd-veritysetup-generator</filename> </para>
</refsynopsisdiv>
<refsect1 >
<title > Description</title>
<para > <filename > systemd-veritysetup-generator</filename> is a generator that translates kernel command line options
2021-10-13 22:18:12 +03:00
configuring verity protected block devices into native systemd units early at boot and when
2016-12-16 14:57:44 +03:00
configuration of the system manager is reloaded. This will create
<citerefentry > <refentrytitle > systemd-veritysetup@.service</refentrytitle> <manvolnum > 8</manvolnum> </citerefentry>
units as necessary.</para>
2021-11-13 21:15:17 +03:00
<para > Currently, only two verity devices may be set up with this generator, backing the root and <filename > /usr</filename> file systems of the
2016-12-16 14:57:44 +03:00
OS.</para>
<para > <filename > systemd-veritysetup-generator</filename> implements
<citerefentry > <refentrytitle > systemd.generator</refentrytitle> <manvolnum > 7</manvolnum> </citerefentry> .</para>
</refsect1>
<refsect1 >
<title > Kernel Command Line</title>
<para > <filename > systemd-veritysetup-generator</filename>
understands the following kernel command line parameters:</para>
<variablelist class= 'kernel-commandline-options' >
<varlistentry >
<term > <varname > systemd.verity=</varname> </term>
<term > <varname > rd.systemd.verity=</varname> </term>
<listitem > <para > Takes a boolean argument. Defaults to <literal > yes</literal> . If <literal > no</literal> ,
disables the generator entirely. <varname > rd.systemd.verity=</varname> is honored only by the initial RAM disk
(initrd) while <varname > systemd.verity=</varname> is honored by both the host system and the
2020-12-31 14:38:49 +03:00
initrd.</para> </listitem>
2016-12-16 14:57:44 +03:00
</varlistentry>
<varlistentry >
<term > <varname > roothash=</varname> </term>
<listitem > <para > Takes a root hash value for the root file system. Expects a hash value formatted in hexadecimal
2019-06-09 00:43:59 +03:00
characters of the appropriate length (i.e. most likely 256 bit/64 characters, or longer). If not specified via
2016-12-16 14:57:44 +03:00
<varname > systemd.verity_root_data=</varname> and <varname > systemd.verity_root_hash=</varname> , the hash and
data devices to use are automatically derived from the specified hash value. Specifically, the data partition
device is looked for under a GPT partition UUID derived from the first 128bit of the root hash, the hash
partition device is looked for under a GPT partition UUID derived from the last 128bit of the root hash. Hence
2021-10-13 22:18:12 +03:00
it is usually sufficient to specify the root hash to boot from a verity protected root file system, as
2016-12-16 14:57:44 +03:00
device paths are automatically determined from it — as long as the partition table is properly set up.</para>
</listitem>
</varlistentry>
<varlistentry >
<term > <varname > systemd.verity_root_data=</varname> </term>
<term > <varname > systemd.verity_root_hash=</varname> </term>
2019-06-09 00:43:59 +03:00
<listitem > <para > These two settings take block device paths as arguments and may be used to explicitly
2021-10-13 22:18:12 +03:00
configure the data partition and hash partition to use for setting up the verity protection for the root file
2016-12-16 14:57:44 +03:00
system. If not specified, these paths are automatically derived from the <varname > roothash=</varname> argument
(see above).</para> </listitem>
</varlistentry>
2020-11-13 14:00:25 +03:00
<varlistentry >
<term > <varname > systemd.verity_root_options=</varname> </term>
<listitem > <para > Takes a comma-separated list of dm-verity options. Expects the following options
<option > ignore-corruption</option> , <option > restart-on-corruption</option> , <option > ignore-zero-blocks</option> ,
<option > check-at-most-once</option> , <option > panic-on-corruption</option> and
<option > root-hash-signature</option> . See
2021-02-19 11:10:15 +03:00
<citerefentry project= 'die-net' > <refentrytitle > veritysetup</refentrytitle> <manvolnum > 8</manvolnum> </citerefentry> for more
2020-11-13 14:00:25 +03:00
details.</para> </listitem>
</varlistentry>
2021-11-13 21:15:17 +03:00
<varlistentry >
<term > <varname > usrhash=</varname> </term>
<term > <varname > systemd.verity_usr_data=</varname> </term>
<term > <varname > systemd.verity_usr_hash=</varname> </term>
<term > <varname > systemd.verity_usr_options=</varname> </term>
<listitem > <para > Equivalent to their counterparts for the root file system as described above, but apply to the <filename > /usr/</filename> file system instead.</para> </listitem>
</varlistentry>
2016-12-16 14:57:44 +03:00
</variablelist>
</refsect1>
<refsect1 >
<title > See Also</title>
<para >
<citerefentry > <refentrytitle > systemd</refentrytitle> <manvolnum > 1</manvolnum> </citerefentry> ,
<citerefentry > <refentrytitle > systemd-veritysetup@.service</refentrytitle> <manvolnum > 8</manvolnum> </citerefentry> ,
<citerefentry project= 'die-net' > <refentrytitle > veritysetup</refentrytitle> <manvolnum > 8</manvolnum> </citerefentry> ,
<citerefentry > <refentrytitle > systemd-fstab-generator</refentrytitle> <manvolnum > 8</manvolnum> </citerefentry>
</para>
</refsect1>
</refentry>