{
    "mode": "man",
    "parameter": "veritysetup",
    "section": "8",
    "url": "https://www.chedong.com/phpMan.php/man/veritysetup/8/json",
    "generated": "2026-06-14T04:16:28Z",
    "synopsis": "",
    "sections": {
        "NAME": {
            "content": "veritysetup - manage dm-verity (block level verification) volumes\n",
            "subsections": []
        },
        "SYNOPSIS": {
            "content": "",
            "subsections": [
                {
                    "name": "veritysetup <options> <action> <action args>",
                    "content": ""
                }
            ]
        },
        "DESCRIPTION": {
            "content": "Veritysetup is used to configure dm-verity managed device-mapper mappings.\n\nDevice-mapper verity target provides read-only transparent integrity checking of block devices\nusing kernel crypto API.\n\nThe dm-verity devices are always read-only.\n\nVeritysetup supports these operations:\n\nformat <datadevice> <hashdevice>\n\nCalculates and permanently stores hash verification data for datadevice. Hash area\ncan be located on the same device after data if specified by --hash-offset option.\n\nNote that you need to provide the root hash string for device verification or activation. Root\nhash must be trusted.\n\nThe data or hash device argument can be block device or file image. If hash device\npath doesn't exist, it will be created as file.\n\n<options> can be [--hash, --no-superblock, --format, --data-block-size, --hash-block-size,\n--data-blocks, --hash-offset, --salt, --uuid, --root-hash-file]\n\nIf option --root-hash-file is used, the root hash is stored in hex-encoded text format\nin <path>.\n\nopen <datadevice> <name> <hashdevice> <roothash>\nopen <datadevice> <name> <hashdevice> --root-hash-file <path>\ncreate <name> <datadevice> <hashdevice> <roothash>  (OBSOLETE syntax)\n\nCreates a mapping with <name> backed by device <datadevice> and using <hashdevice>\nfor in-kernel verification.\n\nThe <roothash> is a hexadecimal string.\n\n<options> can be [--hash-offset, --no-superblock, --ignore-corruption or --restart-on-corruption,\n--panic-on-corruption, --ignore-zero-blocks, --check-at-most-once, --root-hash-signature,\n--root-hash-file]\n\nIf option --root-hash-file is used, the root hash is read from <path> instead of from\nthe command line parameter. Expects hex-encoded text, without terminating newline.\n\nIf option --no-superblock is used, you have to use the same options as in initial\nformat operation.\n\nverify <datadevice> <hashdevice> <roothash>\nverify <datadevice> <hashdevice> --root-hash-file <path>\n\nVerifies data on datadevice with use of hash blocks stored on hashdevice.\n\nThis command performs userspace verification, no kernel device is created.\n\nThe <roothash> is a hexadecimal string.\n\nIf option --root-hash-file is used, the root hash is read from <path> instead of from\nthe command line parameter. Expects hex-encoded text, without terminating newline.\n\n<options> can be [--hash-offset, --no-superblock, --root-hash-file]\n\nIf option --no-superblock is used, you have to use the same options as in initial\nformat operation.\n\nclose <name>\n\nRemoves existing mapping <name>.\n\nFor backward compatibility there is remove command alias for close command.\n\n<options> can be [--deferred] or [--cancel-deferred]\n\n\nstatus <name>\n\nReports status for the active verity mapping <name>.\n\ndump <hashdevice>\n\nReports parameters of verity device from on-disk stored superblock.\n\n<options> can be [--hash-offset]\n",
            "subsections": []
        },
        "OPTIONS": {
            "content": "",
            "subsections": [
                {
                    "name": "--verbose, -v",
                    "content": "Print more information on command execution.\n",
                    "flag": "-v",
                    "long": "--verbose"
                },
                {
                    "name": "--debug",
                    "content": "Run in debug mode with full diagnostic logs. Debug output lines are always prefixed by\n'#'.\n",
                    "long": "--debug"
                },
                {
                    "name": "--no-superblock",
                    "content": "Create or use dm-verity without permanent on-disk superblock.\n",
                    "long": "--no-superblock"
                },
                {
                    "name": "--format=number",
                    "content": "Specifies  the hash version type.  Format type 0 is original Chrome OS version. Format\ntype 1 is current version.\n",
                    "long": "--format",
                    "arg": "number"
                },
                {
                    "name": "--data-block-size=bytes",
                    "content": "Used block size for the data device.  (Note kernel supports only page-size as  maximum\nhere.)\n",
                    "long": "--data-block-size",
                    "arg": "bytes"
                },
                {
                    "name": "--hash-block-size=bytes",
                    "content": "Used  block size for the hash device.  (Note kernel supports only page-size as maximum\nhere.)\n",
                    "long": "--hash-block-size",
                    "arg": "bytes"
                },
                {
                    "name": "--data-blocks=blocks",
                    "content": "Size of data device used in verification.  If not specified, the whole device is used.\n",
                    "long": "--data-blocks",
                    "arg": "blocks"
                },
                {
                    "name": "--hash-offset=bytes",
                    "content": "Offset of hash area/superblock on hashdevice.  Value must be aligned to  disk  sector\noffset.\n",
                    "long": "--hash-offset",
                    "arg": "bytes"
                },
                {
                    "name": "--salt=hex string",
                    "content": "Salt used for format or verification.  Format is a hexadecimal string.\n",
                    "long": "--salt",
                    "arg": "hex"
                },
                {
                    "name": "--uuid=UUID",
                    "content": "Use the provided UUID for format command instead of generating new one.\n\nThe     UUID     must     be     provided    in    standard    UUID    format,    e.g.\n12345678-1234-1234-1234-123456789abc.\n",
                    "long": "--uuid",
                    "arg": "UUID"
                },
                {
                    "name": "--ignore-corruption, --restart-on-corruption, --panic-on-corruption",
                    "content": "Defines what to do if data integrity problem is detected (data corruption).\n\nWithout these options kernel fails the IO operation with I/O error. With --ignore-corruption\noption the corruption is only logged. With --restart-on-corruption or\n--panic-on-corruption the kernel is restarted (panicked) immediately. (You have to\nprovide a way to avoid restart loops.)\n\nWARNING: Use these options only for very specific cases. These options are available\nsince Linux kernel version 4.1.\n",
                    "long": "--panic-on-corruption"
                },
                {
                    "name": "--ignore-zero-blocks",
                    "content": "Instruct kernel to not verify blocks that are expected to contain  zeroes  and  always\ndirectly return zeroes instead.\n\nWARNING:  Use this option only in very specific cases.  This option is available since\nLinux kernel version 4.5.\n",
                    "long": "--ignore-zero-blocks"
                },
                {
                    "name": "--check-at-most-once",
                    "content": "Instruct kernel to verify blocks only the first time they are read from the data device,\nrather than every time.\n\nWARNING: It provides a reduced level of security because only offline tampering of the\ndata device's content will be detected, not online tampering. This option is available\nsince Linux kernel version 4.17.\n",
                    "long": "--check-at-most-once"
                },
                {
                    "name": "--hash=hash",
                    "content": "Hash algorithm for dm-verity. For default see --help option.\n",
                    "long": "--hash",
                    "arg": "hash"
                },
                {
                    "name": "--version",
                    "content": "Show the program version.\n",
                    "long": "--version"
                },
                {
                    "name": "--fec-device=fecdevice",
                    "content": "Use forward error correction (FEC) to recover from corruption if hash verification\nfails. Use encoding data from the specified device.\n\nThe fec device argument can be block device or file image. For format, if fec device\npath doesn't exist, it will be created as file.\n\nBlock sizes for data and hash devices must match. Also, if the verity datadevice is\nencrypted the fecdevice should be too.\n\nFEC calculation covers data, hash area, and optional foreign metadata stored on the\nsame device with the hash tree (additional space after hash area). Size of this optional\nadditional area protected by FEC is calculated from image sizes, so you must be\nsure that you use the same images for activation.\n\nIf the hash device is in a separate image, metadata covers the whole rest of the image\nafter the hash area.\n\nIf hash and FEC device is in the image, metadata ends on the FEC area offset.\n",
                    "long": "--fec-device",
                    "arg": "fecdevice"
                },
                {
                    "name": "--fec-offset=bytes",
                    "content": "This is the offset, in bytes, from the start of the FEC device to the beginning of the\nencoding data.\n",
                    "long": "--fec-offset",
                    "arg": "bytes"
                },
                {
                    "name": "--fec-roots=num",
                    "content": "Number of generator roots. This equals the number of parity bytes in the encoding\ndata. In RS(M, N) encoding, the number of roots is M-N. M is 255 and M-N is between 2\nand 24 (inclusive).\n",
                    "long": "--fec-roots",
                    "arg": "num"
                },
                {
                    "name": "--root-hash-file=FILE",
                    "content": "Path to file with stored root hash in hex-encoded text.\n",
                    "long": "--root-hash-file",
                    "arg": "FILE"
                },
                {
                    "name": "--root-hash-signature=FILE",
                    "content": "Path to roothash signature file used to verify the root hash (in kernel). This feature\nrequires Linux kernel version 5.4 or more recent.\n",
                    "long": "--root-hash-signature",
                    "arg": "FILE"
                },
                {
                    "name": "--deferred",
                    "content": "Defers device removal in close command until the last user closes it.\n",
                    "long": "--deferred"
                },
                {
                    "name": "--cancel-deferred",
                    "content": "Removes a previously configured deferred device removal in close command.\n",
                    "long": "--cancel-deferred"
                }
            ]
        },
        "RETURN CODES": {
            "content": "Veritysetup returns 0 on success and a non-zero value on error.\n\nError codes are:\n1 wrong parameters\n2 no permission\n3 out of memory\n4 wrong device specified\n5 device already exists or device is busy.\n",
            "subsections": []
        },
        "EXAMPLES": {
            "content": "veritysetup --data-blocks=256 format <datadevice> <hashdevice>\n\nCalculates and stores verification data on hashdevice for the first 256 blocks (of block-size).\nIf hashdevice does not exist, it is created (as file image).\n\nveritysetup format --root-hash-file <path> <datadevice> <hashdevice>\n\nCalculates and stores verification data on hashdevice for the whole datadevice, and stores\nthe root hash as hex-encoded text in <path>.\n",
            "subsections": [
                {
                    "name": "veritysetup --data-blocks=256 --hash-offset=1052672 format <device> <device>",
                    "content": "Verification data (hashes) is stored on the same device as data  (starting  at  hash-offset).\nHash-offset must be greater than number of blocks in data-area.\n"
                },
                {
                    "name": "veritysetup --data-blocks=256 --hash-offset=1052672 create test-device <device> <device> <roothash>",
                    "content": "Activates the verity device named test-device. Options --data-blocks and --hash-offset are\nthe same as in the format command. The <roothash> was calculated in format command.\n\nveritysetup --data-blocks=256 --hash-offset=1052672 verify <datadevice> <hashdevice> <roothash>\n\nVerifies device without activation (in userspace).\n\nveritysetup --data-blocks=256 --hash-offset=1052672 --root-hash-file <path> verify <datadevice> <hashdevice>\n\nVerifies device without activation (in userspace). Root hash passed via a file rather than\ninline.\n\nveritysetup --fec-device=<fecdevice> --fec-roots=10 format <datadevice> <hashdevice>\n\nCalculates and stores verification and encoding data for datadevice.\n\n"
                }
            ]
        },
        "REPORTING BUGS": {
            "content": "Report bugs, including ones in the documentation, on the cryptsetup mailing list at\n<dm-crypt@saout.de> or in the 'Issues' section on LUKS website. Please attach the output of the\nfailed command with the --debug option added.\n",
            "subsections": []
        },
        "AUTHORS": {
            "content": "The first implementation of veritysetup was written by Chrome OS authors.\n\nThis version is based on verification code written by Mikulas  Patocka  <mpatocka@redhat.com>\nand rewritten for libcryptsetup by Milan Broz <gmazyland@gmail.com>.\n",
            "subsections": []
        },
        "COPYRIGHT": {
            "content": "Copyright © 2012-2021 Red Hat, Inc.\nCopyright © 2012-2021 Milan Broz\n\nThis is free software; see the source for copying conditions.  There is NO warranty; not even\nfor MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.\n",
            "subsections": []
        },
        "SEE ALSO": {
            "content": "The project website at https://gitlab.com/cryptsetup/cryptsetup\n\nThe verity on-disk format specification available at https://gitlab.com/cryptsetup/cryptsetup/wikis/DMVerity\n\nveritysetup                                 January 2021                              VERITYSETUP(8)",
            "subsections": []
        }
    },
    "summary": "veritysetup - manage dm-verity (block level verification) volumes",
    "flags": [
        {
            "flag": "-v",
            "long": "--verbose",
            "arg": null,
            "description": "Print more information on command execution."
        },
        {
            "flag": "",
            "long": "--debug",
            "arg": null,
            "description": "Run in debug mode with full diagnostic logs. Debug output lines are always prefixed by '#'."
        },
        {
            "flag": "",
            "long": "--no-superblock",
            "arg": null,
            "description": "Create or use dm-verity without permanent on-disk superblock."
        },
        {
            "flag": "",
            "long": "--format",
            "arg": "number",
            "description": "Specifies the hash version type. Format type 0 is original Chrome OS version. Format type 1 is current version."
        },
        {
            "flag": "",
            "long": "--data-block-size",
            "arg": "bytes",
            "description": "Used block size for the data device. (Note kernel supports only page-size as maximum here.)"
        },
        {
            "flag": "",
            "long": "--hash-block-size",
            "arg": "bytes",
            "description": "Used block size for the hash device. (Note kernel supports only page-size as maximum here.)"
        },
        {
            "flag": "",
            "long": "--data-blocks",
            "arg": "blocks",
            "description": "Size of data device used in verification. If not specified, the whole device is used."
        },
        {
            "flag": "",
            "long": "--hash-offset",
            "arg": "bytes",
            "description": "Offset of hash area/superblock on hashdevice. Value must be aligned to disk sector offset."
        },
        {
            "flag": "",
            "long": "--salt",
            "arg": "hex",
            "description": "Salt used for format or verification. Format is a hexadecimal string."
        },
        {
            "flag": "",
            "long": "--uuid",
            "arg": "UUID",
            "description": "Use the provided UUID for format command instead of generating new one. The UUID must be provided in standard UUID format, e.g. 12345678-1234-1234-1234-123456789abc."
        },
        {
            "flag": "",
            "long": "--panic-on-corruption",
            "arg": null,
            "description": "Defines what to do if data integrity problem is detected (data corruption). Without these options kernel fails the IO operation with I/O error. With --ignore-corruption option the corruption is only logged. With --restart-on-corruption or --panic-on-corruption the kernel is restarted (panicked) immediately. (You have to provide a way to avoid restart loops.) WARNING: Use these options only for very specific cases. These options are available since Linux kernel version 4.1."
        },
        {
            "flag": "",
            "long": "--ignore-zero-blocks",
            "arg": null,
            "description": "Instruct kernel to not verify blocks that are expected to contain zeroes and always directly return zeroes instead. WARNING: Use this option only in very specific cases. This option is available since Linux kernel version 4.5."
        },
        {
            "flag": "",
            "long": "--check-at-most-once",
            "arg": null,
            "description": "Instruct kernel to verify blocks only the first time they are read from the data device, rather than every time. WARNING: It provides a reduced level of security because only offline tampering of the data device's content will be detected, not online tampering. This option is available since Linux kernel version 4.17."
        },
        {
            "flag": "",
            "long": "--hash",
            "arg": "hash",
            "description": "Hash algorithm for dm-verity. For default see --help option."
        },
        {
            "flag": "",
            "long": "--version",
            "arg": null,
            "description": "Show the program version."
        },
        {
            "flag": "",
            "long": "--fec-device",
            "arg": "fecdevice",
            "description": "Use forward error correction (FEC) to recover from corruption if hash verification fails. Use encoding data from the specified device. The fec device argument can be block device or file image. For format, if fec device path doesn't exist, it will be created as file. Block sizes for data and hash devices must match. Also, if the verity datadevice is encrypted the fecdevice should be too. FEC calculation covers data, hash area, and optional foreign metadata stored on the same device with the hash tree (additional space after hash area). Size of this optional additional area protected by FEC is calculated from image sizes, so you must be sure that you use the same images for activation. If the hash device is in a separate image, metadata covers the whole rest of the image after the hash area. If hash and FEC device is in the image, metadata ends on the FEC area offset."
        },
        {
            "flag": "",
            "long": "--fec-offset",
            "arg": "bytes",
            "description": "This is the offset, in bytes, from the start of the FEC device to the beginning of the encoding data."
        },
        {
            "flag": "",
            "long": "--fec-roots",
            "arg": "num",
            "description": "Number of generator roots. This equals the number of parity bytes in the encoding data. In RS(M, N) encoding, the number of roots is M-N. M is 255 and M-N is between 2 and 24 (inclusive)."
        },
        {
            "flag": "",
            "long": "--root-hash-file",
            "arg": "FILE",
            "description": "Path to file with stored root hash in hex-encoded text."
        },
        {
            "flag": "",
            "long": "--root-hash-signature",
            "arg": "FILE",
            "description": "Path to roothash signature file used to verify the root hash (in kernel). This feature requires Linux kernel version 5.4 or more recent."
        },
        {
            "flag": "",
            "long": "--deferred",
            "arg": null,
            "description": "Defers device removal in close command until the last user closes it."
        },
        {
            "flag": "",
            "long": "--cancel-deferred",
            "arg": null,
            "description": "Removes a previously configured deferred device removal in close command."
        }
    ],
    "examples": [
        "veritysetup --data-blocks=256 format <datadevice> <hashdevice>",
        "Calculates and stores verification data on hashdevice for the first 256 blocks (of block-size). If hashdevice does not exist, it is created (as file image).",
        "veritysetup format --root-hash-file <path> <datadevice> <hashdevice>",
        "Calculates and stores verification data on hashdevice for the whole datadevice, and stores the root hash as hex-encoded text in <path>.",
        "veritysetup --data-blocks=256 --hash-offset=1052672 format <device> <device>",
        "Verification data (hashes) is stored on the same device as data (starting at hash-offset). Hash-offset must be greater than number of blocks in data-area.",
        "veritysetup --data-blocks=256 --hash-offset=1052672 create test-device <device> <device> <roothash>",
        "Activates the verity device named test-device. Options --data-blocks and --hash-offset are the same as in the format command. The <roothash> was calculated in format command.",
        "veritysetup --data-blocks=256 --hash-offset=1052672 verify <datadevice> <hashdevice> <roothash>",
        "Verifies device without activation (in userspace).",
        "veritysetup --data-blocks=256 --hash-offset=1052672 --root-hash-file <path> verify <datadevice> <hashdevice>",
        "Verifies device without activation (in userspace). Root hash passed via a file rather than inline.",
        "veritysetup --fec-device=<fecdevice> --fec-roots=10 format <datadevice> <hashdevice>",
        "Calculates and stores verification and encoding data for datadevice."
    ],
    "see_also": []
}