... | ... | @@ -145,6 +145,20 @@ _Available since: 1.4.0 (kernel 5.5)_ |
|
|
The default is to ignore discard requests.
|
|
|
_Available since: 1.6.0 (kernel 5.7)_
|
|
|
|
|
|
* **fix_hmac**
|
|
|
Uses new more secure HMAC calculation for internal_hash and journal_mac.
|
|
|
The section journal number is mixed to the MAC to detect copy of sectors
|
|
|
from one journal section to another journal section; the superblock is
|
|
|
protected by journal_mac and a 16-byte salt stored in the superblock
|
|
|
is mixed to the mac.
|
|
|
_Available since: 1.7.0 (kernel 5.11)_
|
|
|
|
|
|
* **legacy_recalculate**
|
|
|
Allow recalculating of volumes with HMAC keys. This is disabled by
|
|
|
default for security reasons - an attacker could modify the volume,
|
|
|
set recalc_sector to zero, and the kernel would not detect the modification.
|
|
|
_Available since: 1.7.0 (kernel 5.11)_
|
|
|
|
|
|
### Optional Journal encryption parameters
|
|
|
The encryption of journal should be used only in combination with data encryption.
|
|
|
|
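Review bot: The fix_hmac entry does not say that the option changes the on-disk format, although the flag list added later in this patch ties it to SB_FLAG_FIXED_HMAC and a V5 superblock. A sentence stating that a device using fix_hmac gets a version 5 superblock would tell readers why older kernels cannot activate it. The wording could also be tightened: "The section journal number is mixed to the MAC" reads better as "The journal section number is mixed into the MAC", and "mac" in the last sentence should be capitalised to match. In legacy_recalculate, "Allow recalculating of volumes" could be "Allows recalculation of volumes", matching the "Uses ..." form of the entry above.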
... | ... | @@ -211,8 +225,7 @@ Note that for all device-mapper operations is required root privilege (CAP_SYSAD |
|
|
The newly created device then appears as **/dev/mapper/name**.
|
|
|
|
|
|
## Configuration using integritysetup
|
|
|
Note: the integritysetup tool is not yet released, it is part of master branch of
|
|
|
[cryptsetup project](https://gitlab.com/cryptsetup/cryptsetup).
|
|
|
The integritysetup tool is part of [cryptsetup project](https://gitlab.com/cryptsetup/cryptsetup).
|
|
|
|
|
|
Preparing the device (formatting) with default parameters (CRC32)
|
|
|
`integritysetup format /dev/sdb`
|
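Review bot: The replacement line "The integritysetup tool is part of [cryptsetup project]" drops the "not yet released" caveat without saying which cryptsetup release first ships the tool. The option entries earlier in the page carry an "Available since" line, so the same kind of note here would keep the page consistent and tell readers on older distributions whether they have the tool. The sentence is also missing an article: "part of the cryptsetup project".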
... | ... | @@ -238,7 +251,7 @@ The current on-disk dm-integrity specification (size of superblock is always 512 |
|
|
```
|
|
|
struct integrity_sb {
|
|
|
uint8_t magic[8]; /* "integrt" */
|
|
|
uint8_t version; /* superblock version, 1,2 or 3 */
|
|
|
uint8_t version; /* superblock version, 1,2,3,4 or 5 */
|
|
|
int8_t log2_interleave_sectors; /* interleave sectors */
|
|
|
uint16_t integrity_tag_size; /* tag size per-sector */
|
|
|
uint32_t journal_sections; /* size of journal */
|
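Review bot: The comment on the version field, "superblock version, 1,2,3,4 or 5", is a list that has to be edited on every format bump and does not say what distinguishes the versions. Consider writing it as a range ("1 to 5") and pointing to the flag list below the struct, which is where this patch documents what each version introduced. The spacing after the commas is also inconsistent ("1,2,3,4 or 5").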
... | ... | @@ -250,6 +263,13 @@ struct integrity_sb { |
|
|
uint64_t recalc_sector; /* current recalculate sector, V2 superblock only */
|
|
|
} __attribute__ ((packed));
|
|
|
|
|
|
Flags can include:
|
|
|
SB_FLAG_HAVE_JOURNAL_MAC (1 << 0)
|
|
|
SB_FLAG_RECALCULATING (1 << 1) /* V2 only */
|
|
|
SB_FLAG_DIRTY_BITMAP (1 << 2) /* V3 only */
|
|
|
SB_FLAG_FIXED_PADDING (1 << 3) /* V4 only */
|
|
|
SB_FLAG_FIXED_HMAC (1 << 4) /* V5 only */
|
|
|
|
|
|
```
|
|
|
____
|
|
|
The DMIntegrity page is written and maintained by Milan Broz (with help of other project users and developers).
|
... | ... | |
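Review bot: In the added flag list, the annotations "V2 only", "V3 only", "V4 only" and "V5 only" are ambiguous. They can be read as "valid in exactly that superblock version", which would mean a V5 superblock cannot carry SB_FLAG_RECALCULATING, yet the legacy_recalculate text in this same patch discusses recalculation on volumes with HMAC keys. If the flags are cumulative, "V2 and later" (and so on) says so directly; the same applies to the existing comment "current recalculate sector, V2 superblock only" on recalc_sector. It would also help to state that the listed values are bits in the superblock's flags field, since the field itself is not visible next to the list.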