diff --git a/verity-sign b/verity-sign
new file mode 100755
index 0000000..1f1e202
--- /dev/null
+++ b/verity-sign
@@ -0,0 +1,92 @@
+#!/usr/bin/perl
+# Generate dm-verity hashes and sign the root hash
+#
+# Output looks like
+#
+# VERITY header information for hdd.img
+# UUID: 73532888-a3e9-4f16-a50a-1d03a265b94f
+# Hash type: 1
+# Data blocks: 7680
+# Data block size: 4096
+# Hash block size: 4096
+# Hash algorithm: sha256
+# Salt: 3d0cd593d29715005794c4e1cd5164c14ba6456c3dbd2c6d8a26007c01ca9937
+# Root hash: 91beda90d7fa1ab92463344966eb56ec9706f4f26063933a86d701a02a961a10
+#
+my $usage = <<"";
+Usage:
+size=32
+dd if=/dev/zero of=hdd.img bs=1M count=$size
+mkfs.ext4 -b 4096 ./hdd.img
+mkdir /tmp/loop
+sudo mount -o loop hdd.img /tmp/loop
+(populate /tmp/loop)
+sudo umount /tmp/loop
+veritysetup \
+ --hash-offset $[$size*1024*1024] \
+ --data-blocks $[$size*1024*1024/4096] \
+ format hdd.img hdd.img \
+| ./verity-sign /dev/sda1 \
+| tee hdd.table
+
+
+use warnings;
+use strict;
+
+my $dev = shift;
+
+local $_ = ;
+chomp;
+
+my ($orig_device) = /^VERITY header information for (.*)/
+ or die "Missing VERITY header\n";
+
+my %params;
+
+$dev ||= $orig_device;
+
+while(<>)
+{
+ chomp;
+ my ($key,$value) = split /:\s+/;
+ $params{$key} = $value;
+}
+
+my @missing;
+
+
+# All the necessary parameters were in the header, generate
+# the command to mount the filesystem
+my $data_blocks = $params{'Data blocks'}
+ or push @missing, 'Data blocks';
+my $data_block_size = $params{'Data block size'}
+ or push @missing, 'Data block size';
+my $hash_block_size = $params{'Hash block size'}
+ or push @missing, 'Hash block size';
+my $salt = $params{'Salt'}
+ or push @missing, 'Salt';
+my $root_hash = $params{'Root hash'}
+ or push @missing, 'Root hash';
+my $hash_type = $params{'Hash type'}
+ or push @missing, 'Hash type';
+my $hash_algorithm = $params{'Hash algorithm'}
+ or push @missing, 'Hash algorithm';
+
+# Check for any missing parameters
+die "Missing parameter: ", join(', ', @missing), "\n"
+ if @missing;
+
+my $data_size = $data_blocks * $data_block_size;
+my $data_size_512b = $data_size / 512;
+my $first_hash_block = $data_blocks + 1;
+
+print <<"";
+0 $data_size_512b verity $hash_type
+$dev $dev
+$data_block_size $hash_block_size
+$data_blocks $first_hash_block
+$hash_algorithm
+$root_hash
+$salt
+
+__END__
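Review bot: The fields copied into the dm table at `print <<"";` are never validated — `Root hash` and `Salt` are emitted as whatever `split /:\s+/` captured, and because the split has no field limit a value containing `: ` would be silently truncated; use `my ($key,$value) = split /:\s+/, $_, 2;` and `die` unless `$root_hash` and `$salt` match `/\A[0-9a-f]+\z/` and the block counts and sizes match `/\A\d+\z/`, since a malformed table is what the kernel will trust as the integrity root. The `or push @missing` idiom also rejects a legitimate `Hash type: 0` (0 is false in Perl); test presence with `push @missing, 'Hash type' unless defined $params{'Hash type'};` instead. `$first_hash_block = $data_blocks + 1` is only correct when the hash block size equals the data block size and the hash area starts right after the data on the same device — the hash_start field is in hash-block units, so `$data_size / $hash_block_size + 1` is the safer form, and `$data_size % 512` should be checked before `$data_size / 512` is used as a sector count. Despite the header comment nothing here signs the root hash; either the comment should say the table is emitted unsigned or the signing step is missing. Finally, `local $_ = ;` as rendered has lost its right-hand side (presumably the `<>` read) and would not compile as shown.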