
#1 2025-04-04 20:30:17

justtheonequestionthanks
Member
Registered: 2025-04-04
Posts: 2

How do I setup dm-verity?

Hi. I can't set up dm-verity.
I've tried for weeks, with hypothetical setups piling up. I've scraped the web for info without finding a single tutorial, though I found some slightly useful logs of unrelated issues from those who succeeded.
Arch has been my daily driver for 6 months. I've read the wiki multiple times. I've never needed to ask for help before. I can set up erofs, fs-verity, or a non-root dm-verity partition with /etc/veritycrypt just fine.

I think there's something elusive in my setup, leading to dm-verity not attaching the root to /dev/mapper/root and it consequently not being found.
Logs mention missing dependencies, but it should work out-of-the-box with Arch. I've still tried adding some modules to mkinitcpio. I'm not including any logs because I don't even know if my setup is correct.
Am I missing something? Is something conflicting? /etc/kernel/cmdline has root= and systemd.verity_root_data=, while /etc/fstab has root too. Are they conflicting?
I suppose not; I've tried them in almost every combination, alone, together, and letting the roothash derive root.

I've created a mock tutorial that fails. In it, dm-verity is implemented in archiso but that can easily be changed so the veritysetup step is done in the finished system. It still fails.
I include some #comments where relevant.

# setup your emulator of choice

# Four partitions are created. efi, root, verity hash device, home partition. I've tried creating them as files instead, but the end result is the same.
fdisk /dev/sda
g
# partition 1: EFI system partition
n
1
<enter>
+512M
# change the type of partition 1 to "EFI System" (type 1 in the GPT list)
t
1
# partition 2: root
n
2
<enter>
+10G
# partition 3: verity hash device
n
3
<enter>
+1G
# partition 4: home, rest of the disk
n
4
<enter>
<enter>
# print the table, then write it
p
w

# btrfs will need additional steps so ext4 is quicker
mkfs.fat -F32 /dev/sda1
mkfs.ext4 /dev/sda2
mkfs.ext4 /dev/sda3
mkfs.ext4 /dev/sda4

mount /dev/sda2 /mnt
mkdir -p /mnt/efi/EFI
mount --options umask=0077 /dev/sda1 /mnt/efi/EFI
mkdir /mnt/efi/EFI/Linux
mkdir /mnt/home
mount /dev/sda4 /mnt/home

pacstrap /mnt base linux linux-firmware linux-headers nano sudo efibootmgr

# I don't know if fstab should be used, I've tried with and without it.
genfstab -U /mnt >> /mnt/etc/fstab


arch-chroot /mnt


nano /etc/kernel/cmdline

# add the following to cmdline. Some might be unnecessary.
root=/dev/sda2
rootfstype=ext4
ro

rd.shell=0
rd.emergency=reboot
oops=panic

systemd.verity=1
roothash=
systemd.verity_root_data=/dev/sda2
systemd.verity_root_hash=/dev/sda3
systemd.verity_root_options=panic-on-corruption
# and done.

# specifying modules shouldn't be necessary, but I do and it makes no difference
nano /etc/mkinitcpio.conf
>MODULES=(vfat dm_verity dm_crypt dm_mod)
>HOOKS=(systemd autodetect microcode keyboard block filesystems fsck)

nano /etc/mkinitcpio.d/linux.preset
>comment out default_image
>uncomment default_uki
>comment rest

mkinitcpio --kernel /boot/vmlinuz-linux --uki /efi/EFI/Linux/arch-linux.efi

efibootmgr --create --disk /dev/sda --part 1 --label "Arch Linux" --loader /Linux/arch-linux.efi

# you could also add a user
passwd root

# Since we can't edit the root after veritysetup is done, we symlink these. It's supposed to make editing easier.
mkdir -p /home/user
cp /etc/fstab /home/user/fstab
rm /etc/fstab
ln -s /home/user/fstab /etc/fstab

cp /etc/kernel/cmdline /home/user/cmdline
rm /etc/kernel/cmdline
ln -s /home/user/cmdline /etc/kernel/cmdline

# Being happy with the system, we lock it in. Otherwise veritysetup format will fail 3 in 4 times, and we have to verify it to know. daemon-reload won't work afterwards so don't bother.
mount -o remount,ro /

# keep only the hex digest from the "Root hash:" line
veritysetup format /dev/sda2 /dev/sda3 | awk '/^Root hash:/ { print $NF }' > /home/user/roothash.txt

# I recommend running verify to make sure it's alright
veritysetup verify /dev/sda2 /dev/sda3 "$(cat /home/user/roothash.txt)"

# put the hash into the roothash= entry of the cmdline (the symlink target is edited directly)
sed -i "s|^roothash=.*|roothash=$(cat /home/user/roothash.txt)|" /home/user/cmdline

mkinitcpio --kernel /boot/vmlinuz-linux --uki /efi/EFI/Linux/arch-linux.efi

# see it work in action before leaving archiso
exit
cat /mnt/home/user/roothash.txt > roothash.txt
umount -R /mnt
veritysetup open /dev/sda2 root /dev/sda3 $(cat roothash.txt)
mount /dev/mapper/root /mnt
# and explore to your hearts content.
umount -R /mnt
reboot

# doing genfstab again will reveal /dev/mapper/root has the same UUID as /dev/sda2, /etc/fstab should therefore be correct.

After rebooting, the login screen presents itself. It's possible to remount / as rw and make edits, and the kernel doesn't panic. Reboot and the machine is still usable.
I simply want to add dm-verity for /. I don't get how, unless I cheat and create a verity partition and switch_root into it. What am I missing?

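Added example (not the poster's tutorial, and not something this thread resolves): the script below does what the post is after, dm-verity on / via systemd-veritysetup in a UKI, with two changes to the posted setup. First, root= names /dev/mapper/root, the device systemd-veritysetup-generator creates from systemd.verity_root_data= and systemd.verity_root_hash=; with root=/dev/sda2 the initrd mounts the raw data partition itself, which is the "in use" state reply #3 describes. Second, the hash tree is built only after the last write to the root filesystem, the UKI is then built from a read-only, no-journal-replay mount with the command line file kept on the ESP instead of on the root filesystem, and veritysetup verify is run again after the build to prove nothing changed. It also lists the initrd contents so that missing veritysetup pieces show up before the first boot rather than as "missing dependencies" in the journal. Assumptions: the post's partition layout (/dev/sda1 ESP, /dev/sda2 root, /dev/sda3 hash device), the ESP mounted at /mnt/efi (the post mounts it at /mnt/efi/EFI), a pacstrapped and configured target under /mnt whose /etc/mkinitcpio.conf already has dm_verity in MODULES and the systemd hook, a mkinitcpio that accepts --cmdline <file>, and an arch-chroot that provides a tmpfs /tmp. The device paths, file names and the sample veritysetup output inside the script are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the poster's tutorial: set up dm-verity for / with
# systemd-veritysetup and a UKI, ordering the steps so that the root hash
# embedded in the UKI still matches the data partition at boot.
#
# Assumed layout (as in the post): /dev/sda1 ESP, /dev/sda2 root fs (ext4),
# /dev/sda3 verity hash device. The target is pacstrapped, configured and still
# mounted under /mnt, with dm_verity in MODULES and the systemd hook in
# /etc/mkinitcpio.conf. All paths below are assumptions; adjust them.
# Usage, as root on the live ISO:  sh verity-root.sh run
set -eu

ESP=/dev/sda1
ROOT_DATA=/dev/sda2
ROOT_HASH_DEV=/dev/sda3
TARGET=/mnt
KERNEL=/boot/vmlinuz-linux
UKI_ON_ESP=EFI/Linux/arch-linux.efi   # relative to the ESP
CMDLINE_ON_ESP=arch-linux.cmdline     # build input, deliberately kept off the root fs

# Extract the root hash from `veritysetup format` output: the relevant line is
# "Root hash:      <hex>", so the last field is taken instead of relying on tabs.
parse_root_hash() {
    awk '/^Root hash:/ { print $NF }'
}

# A sha256 dm-verity root hash is exactly 64 lowercase hex characters.
is_valid_root_hash() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Compose the kernel command line. root= must name the verity target that
# systemd-veritysetup-generator creates (/dev/mapper/root), not the raw data
# partition: with root= pointing at the data partition the initrd mounts it
# directly, and the verity target can never be set up on a busy device.
build_cmdline() {
    printf 'root=/dev/mapper/root rootfstype=ext4 ro roothash=%s systemd.verity=1' "$1"
    printf ' systemd.verity_root_data=%s systemd.verity_root_hash=%s' "$2" "$3"
    printf ' systemd.verity_root_options=panic-on-corruption rd.shell=0 rd.emergency=reboot\n'
}

# Constructed sample of `veritysetup format` output (not captured from a real
# run), so parse_root_hash can be exercised without touching a block device.
SAMPLE_FORMAT_OUTPUT='VERITY header information for /dev/sda3
UUID:                   9f5c1e1e-0000-4000-8000-000000000000
Hash type:              1
Data blocks:            2621440
Data block size:        4096
Hash block size:        4096
Hash algorithm:         sha256
Salt:                   00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff
Root hash:              8f434346648f6b96df89dda901c5176b10a6d83961dd3c1ac88b59b2dc327aa4'

main() {
    # 1. Last writes to the root fs. genfstab -U would pin / to the ext4 UUID,
    #    which the raw partition and the verity target share; name the target instead.
    genfstab -U "$TARGET" | awk '$2 != "/"' > "$TARGET/etc/fstab"
    printf '/dev/mapper/root\t/\text4\tro\t0 0\n' >> "$TARGET/etc/fstab"
    # 2. Unmount everything: the hash tree must describe the final on-disk bytes.
    umount -R "$TARGET"
    # 3. Build the hash tree, capture the root hash and check it before using it.
    roothash=$(veritysetup format "$ROOT_DATA" "$ROOT_HASH_DEV" | parse_root_hash)
    is_valid_root_hash "$roothash" || { echo "unexpected root hash: '$roothash'" >&2; exit 1; }
    veritysetup verify "$ROOT_DATA" "$ROOT_HASH_DEV" "$roothash"
    # 4. Remount root read-only with noload (no ext4 journal replay, so no writes),
    #    mount the ESP read-write, and store the command line there.
    mount -o ro,noload "$ROOT_DATA" "$TARGET"
    mount -o umask=0077 "$ESP" "$TARGET/efi"
    mkdir -p "$TARGET/efi/EFI/Linux"
    build_cmdline "$roothash" "$ROOT_DATA" "$ROOT_HASH_DEV" > "$TARGET/efi/$CMDLINE_ON_ESP"
    # 5. Build the UKI from the read-only root; --cmdline names the file to embed.
    arch-chroot "$TARGET" mkinitcpio --kernel "$KERNEL" \
        --cmdline "/efi/$CMDLINE_ON_ESP" --uki "/efi/$UKI_ON_ESP"
    # 6. Confirm the initrd actually carries the verity pieces; without them the
    #    veritysetup units are never generated, whatever the command line says.
    arch-chroot "$TARGET" sh -c "mkinitcpio --kernel $KERNEL --generate /tmp/check.img >/dev/null \
        && lsinitcpio /tmp/check.img" | grep -E 'veritysetup|dm-verity' \
        || echo "WARNING: no veritysetup/dm-verity in the initrd" >&2
    umount -R "$TARGET"
    # 7. Prove the UKI build left the root fs untouched, then exercise the mapping
    #    the initrd will create at boot.
    veritysetup verify "$ROOT_DATA" "$ROOT_HASH_DEV" "$roothash"
    veritysetup open "$ROOT_DATA" root "$ROOT_HASH_DEV" "$roothash"
    veritysetup status root
    mount -o ro /dev/mapper/root "$TARGET"
    ls "$TARGET/etc" > /dev/null
    umount "$TARGET"
    veritysetup close root
    echo "root hash embedded in $UKI_ON_ESP: $roothash"
}

if [ "${1:-}" = run ]; then main; fi
```

Run it as root from the live ISO with `sh verity-root.sh run`; without the argument it only defines the functions. The firmware boot entry must point at /EFI/Linux/arch-linux.efi on the ESP (efibootmgr --loader /EFI/Linux/arch-linux.efi), since this layout puts the UKI under EFI/Linux rather than at the ESP root. After the first boot, `findmnt -n -o SOURCE /` should print /dev/mapper/root and `dmsetup table root` should show a verity target; if / is still /dev/sda2, the initrd mounted the raw partition, and `journalctl -b -u 'systemd-veritysetup@*'` shows why the mapping failed. Two caveats: every later change to / means redoing steps 2 to 7 (new hash tree, new UKI), which is why the command line lives on the ESP and not behind a symlink into /home; and the root hash is only as trustworthy as the UKI that carries it, so on a writable ESP without Secure Boot signing of the UKI (or measured boot), dm-verity here protects against accidental corruption, not against an attacker who can rewrite the ESP.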

#2 2025-04-04 21:09:04

mackin_cheese
Member
Registered: 2025-01-07
Posts: 445

Re: How do I setup dm-verity?

Logs mention missing dependencies, but it should work out-of-the-box with Arch. I've still tried adding some modules to mkinitcpio. I'm not including any logs because I don't even know if my setup is correct.
Am I missing something?

how is anyone supposed to help without logs?


#3 2025-04-04 22:42:14

justtheonequestionthanks
Member
Registered: 2025-04-04
Posts: 2

Re: How do I setup dm-verity?

mackin_cheese wrote:

how is anyone supposed to help without logs?

Hi. I don't know how to set it up, so any logs I give are me guessing out of a dozen installations I have.
I did create dmesg and journal -xe logs. I completed the tutorial. Then started the installation normally.
/dev/sda2 is root, which means it is in use and veritysetup can't open it as /dev/mapper/root.
journal: https://pastebin.com/1fFWfJAX
dmesg: https://pastebin.com/kcX9EpLA

edit: including journal -b too. someone would eventually have asked for it: https://pastebin.com/sjTrMmZW

Last edited by justtheonequestionthanks (2025-04-04 23:18:11)

