• Patrik Torstensson's avatar
    dm verity: add 'check_at_most_once' option to only validate hashes once · 843f38d3
    Patrik Torstensson authored
    This allows platforms that are CPU/memory contrained to verify data
    blocks only the first time they are read from the data device, rather
    than every time.  As such, it provides a reduced level of security
    because only offline tampering of the data device's content will be
    detected, not online tampering.
    
    Hash blocks are still verified each time they are read from the hash
    device, since verification of hash blocks is less performance critical
    than data blocks, and a hash block will not be verified any more after
    all the data blocks it covers have been verified anyway.
    
    This option introduces a bitset that is used to check if a block has
    been validated before or not.  A block can be validated more than once
    as there is no thread protection for the bitset.
    
    These changes were developed and tested on entry-level Android Go
    devices.
    Signed-off-by: default avatarPatrik Torstensson <totte@google.com>
    Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
    843f38d3
dm-verity.h 3.59 KB