1ced56a00Sopenharmony_ci% FSVERITY(1) fsverity-utils v1.5 | User Commands
2ced56a00Sopenharmony_ci%
3ced56a00Sopenharmony_ci% February 2022
4ced56a00Sopenharmony_ci
5ced56a00Sopenharmony_ci# NAME
6ced56a00Sopenharmony_ci
7ced56a00Sopenharmony_cifsverity - userspace utility for fs-verity
8ced56a00Sopenharmony_ci
9ced56a00Sopenharmony_ci# SYNOPSIS
10ced56a00Sopenharmony_ci**fsverity digest** [*OPTION*...] *FILE*... \
11ced56a00Sopenharmony_ci**fsverity dump_metadata** [*OPTION*...] *TYPE* *FILE* \
12ced56a00Sopenharmony_ci**fsverity enable** [*OPTION*...] *FILE* \
13ced56a00Sopenharmony_ci**fsverity measure** *FILE*... \
14ced56a00Sopenharmony_ci**fsverity sign** [*OPTION*...] *FILE* *OUT_SIGFILE*
15ced56a00Sopenharmony_ci
16ced56a00Sopenharmony_ci# DESCRIPTION
17ced56a00Sopenharmony_ci
18ced56a00Sopenharmony_ci**fsverity** is a userspace utility for fs-verity.  fs-verity is a Linux kernel
19ced56a00Sopenharmony_cifilesystem feature that does transparent on-demand verification of the contents
20ced56a00Sopenharmony_ciof read-only files using Merkle trees.
21ced56a00Sopenharmony_ci
22ced56a00Sopenharmony_ci**fsverity** can enable fs-verity on files, retrieve the digests of fs-verity
23ced56a00Sopenharmony_cifiles, and sign files for use with fs-verity (among other things).
24ced56a00Sopenharmony_ci**fsverity**'s functionality is divided among various subcommands.
25ced56a00Sopenharmony_ci
26ced56a00Sopenharmony_ciThis manual page focuses on documenting all **fsverity** subcommands and
27ced56a00Sopenharmony_cioptions.  For examples and more information about the fs-verity kernel feature,
28ced56a00Sopenharmony_cisee the references at the end of this page.
29ced56a00Sopenharmony_ci
30ced56a00Sopenharmony_ci# OPTIONS
31ced56a00Sopenharmony_ci
32ced56a00Sopenharmony_ci**fsverity** always accepts the following options:
33ced56a00Sopenharmony_ci
34ced56a00Sopenharmony_ci**\-\-help**
35ced56a00Sopenharmony_ci:   Show the help, for either one subcommand or for all subcommands.
36ced56a00Sopenharmony_ci
37ced56a00Sopenharmony_ci**\-\-version**
38ced56a00Sopenharmony_ci:   Show the version of fsverity-utils.
39ced56a00Sopenharmony_ci
40ced56a00Sopenharmony_ci# SUBCOMMANDS
41ced56a00Sopenharmony_ci
42ced56a00Sopenharmony_ci## **fsverity digest** [*OPTION*...] *FILE*...
43ced56a00Sopenharmony_ci
44ced56a00Sopenharmony_ciCompute the fs-verity digest of the given file(s).  This is mainly intended to
45ced56a00Sopenharmony_ciused in preparation for signing the digest.  In some cases **fsverity sign**
46ced56a00Sopenharmony_cican be used instead to digest and sign the file in one step.
47ced56a00Sopenharmony_ci
48ced56a00Sopenharmony_ciOptions accepted by **fsverity digest**:
49ced56a00Sopenharmony_ci
50ced56a00Sopenharmony_ci**\-\-block-size**=*BLOCK_SIZE*
51ced56a00Sopenharmony_ci:   The Merkle tree block size (in bytes) to use.  This must be a power of 2 and
52ced56a00Sopenharmony_ci    at least twice the size of the hash values.  However, note that currently
53ced56a00Sopenharmony_ci    (as of Linux kernel v5.13), the Linux kernel implementations of fs-verity
54ced56a00Sopenharmony_ci    only support the case where the Merkle tree block size is equal to the
55ced56a00Sopenharmony_ci    system page size, usually 4096 bytes.  The default value of this option is
56ced56a00Sopenharmony_ci    4096.
57ced56a00Sopenharmony_ci
58ced56a00Sopenharmony_ci**\-\-compact**
59ced56a00Sopenharmony_ci:   When printing the file digest, only print the actual digest hex string;
60ced56a00Sopenharmony_ci    don't print the algorithm name and filename.
61ced56a00Sopenharmony_ci
62ced56a00Sopenharmony_ci**\-\-for-builtin-sig**
63ced56a00Sopenharmony_ci:   Format the file digest in a way that is compatible with the Linux kernel's
64ced56a00Sopenharmony_ci    fs-verity built-in signature verification support.  This means formatting it
65ced56a00Sopenharmony_ci    as a `struct fsverity_formatted_digest`.  Use this option if you are using
66ced56a00Sopenharmony_ci    built-in signatures but are not using **fsverity sign** to do the signing.
67ced56a00Sopenharmony_ci
68ced56a00Sopenharmony_ci**\-\-hash-alg**=*HASH_ALG*
69ced56a00Sopenharmony_ci:   The hash algorithm to use to build the Merkle tree.  Valid options are
70ced56a00Sopenharmony_ci    sha256 and sha512.  Default is sha256.
71ced56a00Sopenharmony_ci
72ced56a00Sopenharmony_ci**\-\-out-merkle-tree**=*FILE*
73ced56a00Sopenharmony_ci:   Write the computed Merkle tree to the given file.  The Merkle tree layout
74ced56a00Sopenharmony_ci    will be the same as that used by the Linux kernel's
75ced56a00Sopenharmony_ci    `FS_IOC_READ_VERITY_METADATA` ioctl.
76ced56a00Sopenharmony_ci
77ced56a00Sopenharmony_ci    Normally this option isn't useful, but it can be needed in cases where the
78ced56a00Sopenharmony_ci    fs-verity metadata needs to be consumed by something other than one of the
79ced56a00Sopenharmony_ci    native Linux kernel implementations of fs-verity.  This is not needed for
80ced56a00Sopenharmony_ci    file signing.
81ced56a00Sopenharmony_ci
82ced56a00Sopenharmony_ci**\-\-out-descriptor**=*FILE*
83ced56a00Sopenharmony_ci:   Write the computed fs-verity descriptor to the given file.
84ced56a00Sopenharmony_ci
85ced56a00Sopenharmony_ci    Normally this option isn't useful, but it can be needed in cases where the
86ced56a00Sopenharmony_ci    fs-verity metadata needs to be consumed by something other than one of the
87ced56a00Sopenharmony_ci    native Linux kernel implementations of fs-verity.  This is not needed for
88ced56a00Sopenharmony_ci    file signing.
89ced56a00Sopenharmony_ci
90ced56a00Sopenharmony_ci**\-\-salt**=*SALT*
91ced56a00Sopenharmony_ci:   The salt to use in the Merkle tree, as a hex string.  The salt is a value
92ced56a00Sopenharmony_ci    that is prepended to every hashed block; it can be used to personalize the
93ced56a00Sopenharmony_ci    hashing for a particular file or device.  The default is no salt.
94ced56a00Sopenharmony_ci
95ced56a00Sopenharmony_ci## **fsverity dump_metadata** [*OPTION*...] *TYPE* *FILE*
96ced56a00Sopenharmony_ci
97ced56a00Sopenharmony_ciDump the fs-verity metadata of the given file.  The file must have fs-verity
98ced56a00Sopenharmony_cienabled, and the filesystem must support the `FS_IOC_READ_VERITY_METADATA` ioctl
99ced56a00Sopenharmony_ci(it was added in Linux v5.12).  This subcommand normally isn't useful, but it
100ced56a00Sopenharmony_cican be useful in cases where a userspace server program is serving a verity file
101ced56a00Sopenharmony_cito a client which implements fs-verity compatible verification.
102ced56a00Sopenharmony_ci
103ced56a00Sopenharmony_ci*TYPE* may be "merkle\_tree", "descriptor", or "signature", indicating the type
104ced56a00Sopenharmony_ciof metadata to dump.  "signature" refers to the built-in signature, if present;
105ced56a00Sopenharmony_ciuserspace-managed signatures will not be included.
106ced56a00Sopenharmony_ci
107ced56a00Sopenharmony_ciOptions accepted by **fsverity dump_metadata**:
108ced56a00Sopenharmony_ci
109ced56a00Sopenharmony_ci**\-\-length**=*LENGTH*
110ced56a00Sopenharmony_ci:   Length in bytes to dump from the specified metadata item.  Only accepted in
111ced56a00Sopenharmony_ci    combination with **\-\-offset**.
112ced56a00Sopenharmony_ci
113ced56a00Sopenharmony_ci**\-\-offset**=*offset*
114ced56a00Sopenharmony_ci:   Offset in bytes into the specified metadata item at which to start dumping.
115ced56a00Sopenharmony_ci    Only accepted in combination with **\-\-length**.
116ced56a00Sopenharmony_ci
117ced56a00Sopenharmony_ci## **fsverity enable** [*OPTION*...] *FILE*
118ced56a00Sopenharmony_ci
119ced56a00Sopenharmony_ciEnable fs-verity on the specified file.  This will only work if the filesystem
120ced56a00Sopenharmony_cisupports fs-verity.
121ced56a00Sopenharmony_ci
122ced56a00Sopenharmony_ciOptions accepted by **fsverity enable**:
123ced56a00Sopenharmony_ci
124ced56a00Sopenharmony_ci**\-\-block-size**=*BLOCK_SIZE*
125ced56a00Sopenharmony_ci:   Same as for **fsverity digest**.
126ced56a00Sopenharmony_ci
127ced56a00Sopenharmony_ci**\-\-hash-alg**=*HASH_ALG*
128ced56a00Sopenharmony_ci:   Same as for **fsverity digest**.
129ced56a00Sopenharmony_ci
130ced56a00Sopenharmony_ci**\-\-salt**=*SALT*
131ced56a00Sopenharmony_ci:   Same as for **fsverity digest**.
132ced56a00Sopenharmony_ci
133ced56a00Sopenharmony_ci**\-\-signature**=*SIGFILE*
134ced56a00Sopenharmony_ci:   Specifies the built-in signature to apply to the file.  *SIGFILE* must be a
135ced56a00Sopenharmony_ci    file that contains the signature in PKCS#7 DER format, e.g. as produced by
136ced56a00Sopenharmony_ci    the **fsverity sign** command.
137ced56a00Sopenharmony_ci
138ced56a00Sopenharmony_ci    Note that this option is only needed if the Linux kernel's fs-verity
139ced56a00Sopenharmony_ci    built-in signature verification support is being used.  It is not needed if
140ced56a00Sopenharmony_ci    the signatures will be verified in userspace, as in that case the signatures
141ced56a00Sopenharmony_ci    should be stored separately.
142ced56a00Sopenharmony_ci
143ced56a00Sopenharmony_ci## **fsverity measure** *FILE*...
144ced56a00Sopenharmony_ci
145ced56a00Sopenharmony_ciDisplay the fs-verity digest of the given file(s).  The files must have
146ced56a00Sopenharmony_cifs-verity enabled.  The output will be the same as **fsverity digest** with
147ced56a00Sopenharmony_cithe appropriate parameters, but **fsverity measure** will take constant time
148ced56a00Sopenharmony_cifor each file regardless of the size of the file.
149ced56a00Sopenharmony_ci
150ced56a00Sopenharmony_ci**fsverity measure** does not accept any options.
151ced56a00Sopenharmony_ci
152ced56a00Sopenharmony_ci## **fsverity sign** [*OPTION*...] *FILE* *OUT_SIGFILE*
153ced56a00Sopenharmony_ci
154ced56a00Sopenharmony_ciSign the given file for fs-verity, in a way that is compatible with the Linux
155ced56a00Sopenharmony_cikernel's fs-verity built-in signature verification support.  The signature will
156ced56a00Sopenharmony_cibe written to *OUT_SIGFILE* in PKCS#7 DER format.
157ced56a00Sopenharmony_ci
158ced56a00Sopenharmony_ciThe private key can be specified either by key file or by PKCS#11 token.  To use
159ced56a00Sopenharmony_cia key file, provide **\-\-key** and optionally **\-\-cert**.  To use a PKCS#11
160ced56a00Sopenharmony_citoken, provide **\-\-pkcs11-engine**, **\-\-pkcs11-module**, **\-\-cert**, and
161ced56a00Sopenharmony_cioptionally **\-\-pkcs11-keyid**.  PKCS#11 token support is unavailable when
162ced56a00Sopenharmony_cifsverity-utils was built with BoringSSL rather than OpenSSL.
163ced56a00Sopenharmony_ci
164ced56a00Sopenharmony_ci**fsverity sign** should only be used if you need compatibility with fs-verity
165ced56a00Sopenharmony_cibuilt-in signatures.  It is not the only way to do signatures with fs-verity.
166ced56a00Sopenharmony_ciFor more information, see the fsverity-utils README.
167ced56a00Sopenharmony_ci
168ced56a00Sopenharmony_ciOptions accepted by **fsverity sign**:
169ced56a00Sopenharmony_ci
170ced56a00Sopenharmony_ci**\-\-block-size**=*BLOCK_SIZE*
171ced56a00Sopenharmony_ci:   Same as for **fsverity digest**.
172ced56a00Sopenharmony_ci
173ced56a00Sopenharmony_ci**\-\-cert**=*CERTFILE*
174ced56a00Sopenharmony_ci:   Specifies the file that contains the certificate, in PEM format.  This
175ced56a00Sopenharmony_ci    option is required if *KEYFILE* contains only the private key and not also
176ced56a00Sopenharmony_ci    the certificate, or if a PKCS#11 token is used.
177ced56a00Sopenharmony_ci
178ced56a00Sopenharmony_ci**\-\-hash-alg**=*HASH_ALG*
179ced56a00Sopenharmony_ci:   Same as for **fsverity digest**.
180ced56a00Sopenharmony_ci
181ced56a00Sopenharmony_ci**\-\-key**=*KEYFILE*
182ced56a00Sopenharmony_ci:   Specifies the file that contains the private key, in PEM format.  This
183ced56a00Sopenharmony_ci    option is required when not using a PKCS#11 token.
184ced56a00Sopenharmony_ci
185ced56a00Sopenharmony_ci**\-\-out-descriptor**=*FILE*
186ced56a00Sopenharmony_ci:   Same as for **fsverity digest**.
187ced56a00Sopenharmony_ci
188ced56a00Sopenharmony_ci**\-\-out-merkle-tree**=*FILE*
189ced56a00Sopenharmony_ci:   Same as for **fsverity digest**.
190ced56a00Sopenharmony_ci
191ced56a00Sopenharmony_ci**\-\-pkcs11-engine**=*SOFILE*
192ced56a00Sopenharmony_ci:   Specifies the path to the OpenSSL PKCS#11 engine file.  This typically will
193ced56a00Sopenharmony_ci    be a path to the libp11 .so file.  This option is required when using a
194ced56a00Sopenharmony_ci    PKCS#11 token.
195ced56a00Sopenharmony_ci
196ced56a00Sopenharmony_ci**\-\-pkcs11-keyid**=*KEYID*
197ced56a00Sopenharmony_ci:   Specifies the key identifier in the form of a PKCS#11 URI.  If not provided,
198ced56a00Sopenharmony_ci    the default key associated with the token is used.  This option is only
199ced56a00Sopenharmony_ci    applicable when using a PKCS#11 token.
200ced56a00Sopenharmony_ci
201ced56a00Sopenharmony_ci**\-\-pkcs11-module**=*SOFILE*
202ced56a00Sopenharmony_ci:   Specifies the path to the PKCS#11 token-specific module library.  This
203ced56a00Sopenharmony_ci    option is required when using a PKCS#11 token.
204ced56a00Sopenharmony_ci
205ced56a00Sopenharmony_ci**\-\-salt**=*SALT*
206ced56a00Sopenharmony_ci:   Same as for **fsverity digest**.
207ced56a00Sopenharmony_ci
208ced56a00Sopenharmony_ci# SEE ALSO
209ced56a00Sopenharmony_ci
210ced56a00Sopenharmony_ciFor example commands and more information, see the
211ced56a00Sopenharmony_ci[README file for
212ced56a00Sopenharmony_cifsverity-utils](https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/fsverity-utils.git/tree/README.md).
213ced56a00Sopenharmony_ci
214ced56a00Sopenharmony_ciAlso see the [kernel documentation for
215ced56a00Sopenharmony_cifs-verity](https://www.kernel.org/doc/html/latest/filesystems/fsverity.html).
216