For hash devices that contain a superblock, parse it and set up a
dm-verity device based on that information.

Signed-off-by: Tobias Waldekranz <tob...@waldekranz.com>
---
 commands/Kconfig       |  10 ++++
 commands/Makefile      |   1 +
 commands/veritysetup.c | 123 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 134 insertions(+)
 create mode 100644 commands/veritysetup.c

diff --git a/commands/Kconfig b/commands/Kconfig
index 219f626c3e..1924016756 100644
--- a/commands/Kconfig
+++ b/commands/Kconfig
@@ -789,6 +789,16 @@ config CMD_UMOUNT
 
          Unmount a filesystem mounted on a specific MOINTPOINT
 
+config CMD_VERITYSETUP
+       tristate
+       depends on DM_BLK_VERITY
+       prompt "veritysetup"
+       help
+         veritysetup - manage dm-verity volumes
+
+         commands:
+               open <data-dev> <name> <hash-dev> <root-hash>
+
 # end Partition commands
 endmenu
 
diff --git a/commands/Makefile b/commands/Makefile
index 6b010fe30c..62dd8284cd 100644
--- a/commands/Makefile
+++ b/commands/Makefile
@@ -167,4 +167,5 @@ obj-$(CONFIG_CMD_PARTED)    += parted.o
 obj-$(CONFIG_CMD_EFI_HANDLE_DUMP)      += efi_handle_dump.o
 obj-$(CONFIG_CMD_HOST)         += host.o
 obj-$(CONFIG_CMD_DMSETUP)      += dmsetup.o
+obj-$(CONFIG_CMD_VERITYSETUP)  += veritysetup.o
 UBSAN_SANITIZE_ubsan.o := y
diff --git a/commands/veritysetup.c b/commands/veritysetup.c
new file mode 100644
index 0000000000..99f27278f8
--- /dev/null
+++ b/commands/veritysetup.c
@@ -0,0 +1,123 @@
+// SPDX-License-Identifier: GPL-2.0-only
+// SPDX-FileCopyrightText: © 2025 Tobias Waldekranz <tob...@waldekranz.com>, 
Wires
+
+#include <command.h>
+#include <device-mapper.h>
+#include <libfile.h>
+#include <stdio.h>
+
+static int veritysetup_dump(int argc, char *argv[])
+{
+       char *config;
+
+       if (argc != 1)
+               return COMMAND_ERROR_USAGE;
+
+       config = dm_verity_config_from_sb("<data-dev>", argv[0], "<root-hash>");
+       if (IS_ERR(config)) {
+               printf("Invalid or missing superblock: %pe\n", config);
+               return COMMAND_ERROR;
+       }
+
+       puts(config);
+       free(config);
+       return COMMAND_SUCCESS;
+}
+
+static struct dm_device *veritysetup_find(const char *name)
+{
+       struct dm_device *dm;
+
+       dm = dm_find_by_name(name);
+       if (IS_ERR_OR_NULL(dm)) {
+               printf("Found no device named \"%s\"\n", name);
+               return NULL;
+       }
+
+       return dm;
+}
+
+static int veritysetup_close(int argc, char *argv[])
+{
+       struct dm_device *dm;
+
+       if (argc != 1)
+               return COMMAND_ERROR_USAGE;
+
+       dm = veritysetup_find(argv[0]);
+       if (!dm)
+               return COMMAND_ERROR;
+
+       dm_destroy(dm);
+
+       printf("Removed %s\n", argv[0]);
+       return COMMAND_SUCCESS;
+}
+
+static int veritysetup_open(int argc, char *argv[])
+{
+       struct dm_device *dm;
+       char *config;
+
+       if (argc != 4)
+               return COMMAND_ERROR_USAGE;
+
+       config = dm_verity_config_from_sb(argv[0], argv[2], argv[3]);
+       if (IS_ERR(config)) {
+               printf("Invalid or missing superblock: %pe\n", config);
+               return COMMAND_ERROR;
+       }
+
+       dm = dm_create(argv[1], config);
+       free(config);
+       if (IS_ERR_OR_NULL(dm)) {
+               printf("Failed to create %s: %pe\n", argv[1], dm);
+               return COMMAND_ERROR;
+       }
+
+       printf("Created %s\n", argv[1]);
+       return COMMAND_SUCCESS;
+}
+
+static int do_veritysetup(int argc, char *argv[])
+{
+       const char *cmd;
+
+       if (argc < 2)
+               return COMMAND_ERROR_USAGE;
+
+       cmd = argv[1];
+       argc -= 2;
+       argv += 2;
+
+       if (!strcmp(cmd, "open"))
+               return veritysetup_open(argc, argv);
+       else if (!strcmp(cmd, "close"))
+               return veritysetup_close(argc, argv);
+       else if (!strcmp(cmd, "dump"))
+               return veritysetup_dump(argc, argv);
+
+       printf("Unknown command: %s\n", cmd);
+       return -EINVAL;
+}
+
+BAREBOX_CMD_HELP_START(veritysetup)
+BAREBOX_CMD_HELP_TEXT("veritysetup - manage dm-verity volumes")
+BAREBOX_CMD_HELP_TEXT("")
+BAREBOX_CMD_HELP_TEXT("Layers a transparent integrity layer on top of an 
existing")
+BAREBOX_CMD_HELP_TEXT("device, backed by a Merkle tree whose root hash must 
be")
+BAREBOX_CMD_HELP_TEXT("verified by an externally provided signature")
+BAREBOX_CMD_HELP_TEXT("")
+BAREBOX_CMD_HELP_TEXT("commands:")
+BAREBOX_CMD_HELP_OPT("open <data-dev> <name> <hash-dev> <root-hash>", "Create 
new device")
+BAREBOX_CMD_HELP_OPT("close <name>", "Remove device")
+BAREBOX_CMD_HELP_OPT("dump <hash-dev>", "Dump superblock information")
+BAREBOX_CMD_HELP_END
+
+BAREBOX_CMD_START(veritysetup)
+       .cmd = do_veritysetup,
+       BAREBOX_CMD_DESC("manage dm-verity volumes")
+       BAREBOX_CMD_OPTS("<command> [args...]")
+       BAREBOX_CMD_GROUP(CMD_GRP_PART)
+       BAREBOX_CMD_HELP(cmd_veritysetup_help)
+BAREBOX_CMD_END
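Review bot: The help text says the root hash "must be verified by an externally provided signature", but `veritysetup_open` hands `argv[3]` straight to `dm_verity_config_from_sb()` and nothing visible in this file checks a signature, so the integrity guarantee rests entirely on how the caller obtained `<root-hash>`. Unless verification happens elsewhere (not visible here), the help should state that responsibility plainly, for example `BAREBOX_CMD_HELP_TEXT("be authenticated by the caller (e.g. taken from a verified image) before use")`, so that a boot script does not read the hash from the same unauthenticated storage as the hash device. Separately, the unknown-subcommand path in `do_veritysetup` returns `-EINVAL` while every other failure returns a `COMMAND_*` code; `return COMMAND_ERROR_USAGE;` would be consistent with the rest of the file.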
-- 
2.43.0

