€• íŒsphinx.addnodes”Œdocument”“”)”}”(Œ rawsource”Œ”Œchildren”]”(Œtranslations”Œ LanguagesNode”“”)”}”(hhh]”(hŒpending_xref”“”)”}”(hhh]”Œdocutils.nodes”ŒText”“”ŒChinese (Simplified)”…””}”Œparent”hsbaŒ attributes”}”(Œids”]”Œclasses”]”Œnames”]”Œdupnames”]”Œbackrefs”]”Œ refdomain”Œstd”Œreftype”Œdoc”Œ reftarget”Œ4/translations/zh_CN/admin-guide/device-mapper/verity”Œmodname”NŒ classname”NŒrefexplicit”ˆuŒtagname”hhhubh)”}”(hhh]”hŒChinese (Traditional)”…””}”hh2sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ4/translations/zh_TW/admin-guide/device-mapper/verity”Œmodname”NŒ classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒItalian”…””}”hhFsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ4/translations/it_IT/admin-guide/device-mapper/verity”Œmodname”NŒ classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒJapanese”…””}”hhZsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ4/translations/ja_JP/admin-guide/device-mapper/verity”Œmodname”NŒ classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒKorean”…””}”hhnsbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ4/translations/ko_KR/admin-guide/device-mapper/verity”Œmodname”NŒ classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒPortuguese (Brazilian)”…””}”hh‚sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ4/translations/pt_BR/admin-guide/device-mapper/verity”Œmodname”NŒ classname”NŒrefexplicit”ˆuh1hhhubh)”}”(hhh]”hŒSpanish”…””}”hh–sbah}”(h]”h ]”h"]”h$]”h&]”Œ refdomain”h)Œreftype”h+Œ reftarget”Œ4/translations/sp_SP/admin-guide/device-mapper/verity”Œmodname”NŒ classname”NŒrefexplicit”ˆuh1hhhubeh}”(h]”h ]”h"]”h$]”h&]”Œcurrent_language”ŒEnglish”uh1h hhŒ _document”hŒsource”NŒline”NubhŒsection”“”)”}”(hhh]”(hŒtitle”“”)”}”(hŒ dm-verity”h]”hŒ dm-verity”…””}”(hh¼h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hºhh·h²hh³ŒN/var/lib/git/docbuild/linux/Documentation/admin-guide/device-mapper/verity.rst”h´KubhŒ paragraph”“”)”}”(hŒ²Device-Mapper's "verity" target provides transparent integrity checking of block devices using a cryptographic digest provided by the kernel crypto API. This target is read-only.”h]”hŒ¸Device-Mapperâ€™s â€œverityâ€ target provides transparent integrity checking of block devices using a cryptographic digest provided by the kernel crypto API. This target is read-only.”…””}”(hhÍh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´Khh·h²hubh¶)”}”(hhh]”(h»)”}”(hŒConstruction Parameters”h]”hŒConstruction Parameters”…””}”(hhÞh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hºhhÛh²hh³hÊh´K ubhŒ literal_block”“”)”}”(hŒœ [<#opt_params> ]”h]”hŒœ [<#opt_params> ]”…””}”hhîsbah}”(h]”h ]”h"]”h$]”h&]”Œ xml:space”Œpreserve”uh1hìh³hÊh´KhhÛh²hubhŒdefinition_list”“”)”}”(hhh]”(hŒdefinition_list_item”“”)”}”(hX‚ This is the type of the on-disk hash format. 0 is the original format used in the Chromium OS. The salt is appended when hashing, digests are stored continuously and the rest of the block is padded with zeroes. 1 is the current format that should be used for new devices. The salt is prepended when hashing and each digest is padded with zeroes to the power of two. ”h]”(hŒterm”“”)”}”(hŒ ”h]”hŒ ”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´KhjubhŒ definition”“”)”}”(hhh]”(hÌ)”}”(hŒ,This is the type of the on-disk hash format.”h]”hŒ,This is the type of the on-disk hash format.”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´Khjubhÿ)”}”(hhh]”(j)”}”(hŒ¦0 is the original format used in the Chromium OS. The salt is appended when hashing, digests are stored continuously and the rest of the block is padded with zeroes. ”h]”(j )”}”(hŒ10 is the original format used in the Chromium OS.”h]”hŒ10 is the original format used in the Chromium OS.”…””}”(hj3h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´Khj/ubj)”}”(hhh]”hÌ)”}”(hŒsThe salt is appended when hashing, digests are stored continuously and the rest of the block is padded with zeroes.”h]”hŒsThe salt is appended when hashing, digests are stored continuously and the rest of the block is padded with zeroes.”…””}”(hjDh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´KhjAubah}”(h]”h ]”h"]”h$]”h&]”uh1jhj/ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´Khj,ubj)”}”(hŒ›1 is the current format that should be used for new devices. The salt is prepended when hashing and each digest is padded with zeroes to the power of two. ”h]”(j )”}”(hŒ<1 is the current format that should be used for new devices.”h]”hŒ<1 is the current format that should be used for new devices.”…””}”(hjbh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´Khj^ubj)”}”(hhh]”hÌ)”}”(hŒ]The salt is prepended when hashing and each digest is padded with zeroes to the power of two.”h]”hŒ]The salt is prepended when hashing and each digest is padded with zeroes to the power of two.”…””}”(hjsh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´Khjpubah}”(h]”h ]”h"]”h$]”h&]”uh1jhj^ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´Khj,ubeh}”(h]”h ]”h"]”h$]”h&]”uh1hþhjubeh}”(h]”h ]”h"]”h$]”h&]”uh1jhjubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´Khjubj)”}”(hŒ« This is the device containing data, the integrity of which needs to be checked. It may be specified as a path, like /dev/sdaX, or a device number, :. ”h]”(j )”}”(hŒ”h]”hŒ”…””}”(hj£h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´K"hjŸubj)”}”(hhh]”hÌ)”}”(hŒ¤This is the device containing data, the integrity of which needs to be checked. It may be specified as a path, like /dev/sdaX, or a device number, :.”h]”hŒ¤This is the device containing data, the integrity of which needs to be checked. It may be specified as a path, like /dev/sdaX, or a device number, :.”…””}”(hj´h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K hj±ubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjŸubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´K"hjh²hubj)”}”(hŒí This is the device that supplies the hash tree data. It may be specified similarly to the device path and may be the same device. If the same device is used, the hash_start should be outside the configured dm-verity device. ”h]”(j )”}”(hŒ ”h]”hŒ ”…””}”(hjÒh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´K(hjÎubj)”}”(hhh]”hÌ)”}”(hŒáThis is the device that supplies the hash tree data. It may be specified similarly to the device path and may be the same device. If the same device is used, the hash_start should be outside the configured dm-verity device.”h]”hŒáThis is the device that supplies the hash tree data. It may be specified similarly to the device path and may be the same device. If the same device is used, the hash_start should be outside the configured dm-verity device.”…””}”(hjãh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K%hjàubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjÎubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´K(hjh²hubj)”}”(hŒu The block size on a data device in bytes. Each block corresponds to one digest on the hash device. ”h]”(j )”}”(hŒ”h]”hŒ”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´K,hjýubj)”}”(hhh]”hÌ)”}”(hŒbThe block size on a data device in bytes. Each block corresponds to one digest on the hash device.”h]”hŒbThe block size on a data device in bytes. Each block corresponds to one digest on the hash device.”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K+hjubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjýubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´K,hjh²hubj)”}”(hŒ5 The size of a hash block in bytes. ”h]”(j )”}”(hŒ”h]”hŒ”…””}”(hj0h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´K/hj,ubj)”}”(hhh]”hÌ)”}”(hŒ"The size of a hash block in bytes.”h]”hŒ"The size of a hash block in bytes.”…””}”(hjAh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K/hj>ubah}”(h]”h ]”h"]”h$]”h&]”uh1jhj,ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´K/hjh²hubj)”}”(hŒÒ The number of data blocks on the data device. Additional blocks are inaccessible. You can place hashes to the same partition as data, in this case hashes are placed after . ”h]”(j )”}”(hŒ”h]”hŒ”…””}”(hj_h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´K4hj[ubj)”}”(hhh]”hÌ)”}”(hŒ¿The number of data blocks on the data device. Additional blocks are inaccessible. You can place hashes to the same partition as data, in this case hashes are placed after .”h]”hŒ¿The number of data blocks on the data device. Additional blocks are inaccessible. You can place hashes to the same partition as data, in this case hashes are placed after .”…””}”(hjph²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K2hjmubah}”(h]”h ]”h"]”h$]”h&]”uh1jhj[ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´K4hjh²hubj)”}”(hŒƒ This is the offset, in -blocks, from the start of hash_dev to the root block of the hash tree. ”h]”(j )”}”(hŒ”h]”hŒ”…””}”(hjŽh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´K8hjŠubj)”}”(hhh]”hÌ)”}”(hŒoThis is the offset, in -blocks, from the start of hash_dev to the root block of the hash tree.”h]”hŒoThis is the offset, in -blocks, from the start of hash_dev to the root block of the hash tree.”…””}”(hjŸh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K7hjœubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjŠubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´K8hjh²hubj)”}”(hŒ{ The cryptographic hash algorithm used for this device. This should be the name of the algorithm, like "sha1". ”h]”(j )”}”(hŒ”h]”hŒ”…””}”(hj½h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´K The hexadecimal encoding of the cryptographic hash of the root hash block and the salt. This hash should be trusted as there is no other authenticity beyond this point. ”h]”(j )”}”(hŒ”h]”hŒ”…””}”(hjìh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´KAhjèubj)”}”(hhh]”hÌ)”}”(hŒ©The hexadecimal encoding of the cryptographic hash of the root hash block and the salt. This hash should be trusted as there is no other authenticity beyond this point.”h]”hŒ©The hexadecimal encoding of the cryptographic hash of the root hash block and the salt. This hash should be trusted as there is no other authenticity beyond this point.”…””}”(hjýh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K?hjúubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjèubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´KAhjh²hubj)”}”(hŒ3 The hexadecimal encoding of the salt value. ”h]”(j )”}”(hŒ”h]”hŒ”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´KDhjubj)”}”(hhh]”hÌ)”}”(hŒ+The hexadecimal encoding of the salt value.”h]”hŒ+The hexadecimal encoding of the salt value.”…””}”(hj,h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´KDhj)ubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´KDhjh²hubj)”}”(hX<#opt_params> Number of optional parameters. If there are no optional parameters, the optional parameters section can be skipped or #opt_params can be zero. Otherwise #opt_params is the number of following arguments. Example of optional parameters section: 1 ignore_corruption ”h]”(j )”}”(hŒ <#opt_params>”h]”hŒ <#opt_params>”…””}”(hjJh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´KLhjFubj)”}”(hhh]”(hÌ)”}”(hŒÊNumber of optional parameters. If there are no optional parameters, the optional parameters section can be skipped or #opt_params can be zero. Otherwise #opt_params is the number of following arguments.”h]”hŒÊNumber of optional parameters. If there are no optional parameters, the optional parameters section can be skipped or #opt_params can be zero. Otherwise #opt_params is the number of following arguments.”…””}”(hj[h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´KGhjXubhÿ)”}”(hhh]”j)”}”(hŒh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´K\hj:ubj)”}”(hhh]”hÌ)”}”(hŒtRestart the system when an I/O error is detected. This option can be combined with the restart_on_corruption option.”h]”hŒtRestart the system when an I/O error is detected. This option can be combined with the restart_on_corruption option.”…””}”(hjOh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K[hjLubah}”(h]”h ]”h"]”h$]”h&]”uh1jhj:ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´K\hjh²hubj)”}”(hŒ·panic_on_error Panic the device when an I/O error is detected. This option is not compatible with the restart_on_error option but can be combined with the panic_on_corruption option. ”h]”(j )”}”(hŒpanic_on_error”h]”hŒpanic_on_error”…””}”(hjmh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´Kahjiubj)”}”(hhh]”hÌ)”}”(hŒ§Panic the device when an I/O error is detected. This option is not compatible with the restart_on_error option but can be combined with the panic_on_corruption option.”h]”hŒ§Panic the device when an I/O error is detected. This option is not compatible with the restart_on_error option but can be combined with the panic_on_corruption option.”…””}”(hj~h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K_hj{ubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjiubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´Kahjh²hubj)”}”(hŒÔignore_zero_blocks Do not verify blocks that are expected to contain zeroes and always return zeroes instead. This may be useful if the partition contains unused blocks that are not guaranteed to contain zeroes. ”h]”(j )”}”(hŒignore_zero_blocks”h]”hŒignore_zero_blocks”…””}”(hjœh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´Kfhj˜ubj)”}”(hhh]”hÌ)”}”(hŒÀDo not verify blocks that are expected to contain zeroes and always return zeroes instead. This may be useful if the partition contains unused blocks that are not guaranteed to contain zeroes.”h]”hŒÀDo not verify blocks that are expected to contain zeroes and always return zeroes instead. This may be useful if the partition contains unused blocks that are not guaranteed to contain zeroes.”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´Kdhjªubah}”(h]”h ]”h"]”h$]”h&]”uh1jhj˜ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´Kfhjh²hubj)”}”(hXŠuse_fec_from_device Use forward error correction (FEC) parity data from the specified device to try to automatically recover from corruption and I/O errors. If this option is given, then and must also be given. must also be equal to . can be the same as , in which case must be outside the data area. It can also be the same as , in which case must be outside the hash and optional additional metadata areas. If the data is encrypted, the should be too. For more information, see `Forward error correction`_. ”h]”(j )”}”(hŒuse_fec_from_device ”h]”hŒuse_fec_from_device ”…””}”(hjËh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´KuhjÇubj)”}”(hhh]”(hÌ)”}”(hŒˆUse forward error correction (FEC) parity data from the specified device to try to automatically recover from corruption and I/O errors.”h]”hŒˆUse forward error correction (FEC) parity data from the specified device to try to automatically recover from corruption and I/O errors.”…””}”(hjÜh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´KihjÙubhÌ)”}”(hŒŠIf this option is given, then and must also be given. must also be equal to .”h]”hŒŠIf this option is given, then and must also be given. must also be equal to .”…””}”(hjêh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´KlhjÙubhÌ)”}”(hŒß can be the same as , in which case must be outside the data area. It can also be the same as , in which case must be outside the hash and optional additional metadata areas.”h]”hŒß can be the same as , in which case must be outside the data area. It can also be the same as , in which case must be outside the hash and optional additional metadata areas.”…””}”(hjøh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´KohjÙubhÌ)”}”(hŒ is encrypted, the should be too.”h]”hŒ is encrypted, the should be too.”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´KshjÙubhÌ)”}”(hŒ6For more information, see `Forward error correction`_.”h]”(hŒFor more information, see ”…””}”(hjh²hh³Nh´NubhŒ reference”“”)”}”(hŒ`Forward error correction`_”h]”hŒForward error correction”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”Œname”ŒForward error correction”Œrefid”Œforward-error-correction”uh1jhjŒresolved”KubhŒ.”…””}”(hjh²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´KuhjÙubeh}”(h]”h ]”h"]”h$]”h&]”uh1jhjÇubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´Kuhjh²hubj)”}”(hXýfec_roots The number of parity bytes in each 255-byte Reed-Solomon codeword. The Reed-Solomon code used will be an RS(255, k) code where k = 255 - fec_roots. The supported values are 2 through 24 inclusive. Higher values provide stronger error correction. However, the minimum value of 2 already provides strong error correction due to the use of interleaving, so 2 is the recommended value for most users. fec_roots=2 corresponds to an RS(255, 253) code, which has a space overhead of about 0.8%. ”h]”(j )”}”(hŒfec_roots ”h]”hŒfec_roots ”…””}”(hjKh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´KhjGubj)”}”(hhh]”(hÌ)”}”(hŒ”The number of parity bytes in each 255-byte Reed-Solomon codeword. The Reed-Solomon code used will be an RS(255, k) code where k = 255 - fec_roots.”h]”hŒ”The number of parity bytes in each 255-byte Reed-Solomon codeword. The Reed-Solomon code used will be an RS(255, k) code where k = 255 - fec_roots.”…””}”(hj\h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´KxhjYubhÌ)”}”(hXVThe supported values are 2 through 24 inclusive. Higher values provide stronger error correction. However, the minimum value of 2 already provides strong error correction due to the use of interleaving, so 2 is the recommended value for most users. fec_roots=2 corresponds to an RS(255, 253) code, which has a space overhead of about 0.8%.”h]”hXVThe supported values are 2 through 24 inclusive. Higher values provide stronger error correction. However, the minimum value of 2 already provides strong error correction due to the use of interleaving, so 2 is the recommended value for most users. fec_roots=2 corresponds to an RS(255, 253) code, which has a space overhead of about 0.8%.”…””}”(hjjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K{hjYubeh}”(h]”h ]”h"]”h$]”h&]”uh1jhjGubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´Khjh²hubj)”}”(hXÔfec_blocks The total number of blocks that are error-checked using FEC. This must be at least the sum of and the number of blocks needed by the hash tree. It can include additional metadata blocks, which are assumed to be accessible on following the hash blocks. Note that this is *not* the number of parity blocks. The number of parity blocks is inferred from , , and . ”h]”(j )”}”(hŒfec_blocks ”h]”hŒfec_blocks ”…””}”(hjˆh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´Kˆhj„ubj)”}”(hhh]”(hÌ)”}”(hX,The total number of blocks that are error-checked using FEC. This must be at least the sum of and the number of blocks needed by the hash tree. It can include additional metadata blocks, which are assumed to be accessible on following the hash blocks.”h]”hX,The total number of blocks that are error-checked using FEC. This must be at least the sum of and the number of blocks needed by the hash tree. It can include additional metadata blocks, which are assumed to be accessible on following the hash blocks.”…””}”(hj™h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K‚hj–ubhÌ)”}”(hŒ”Note that this is *not* the number of parity blocks. The number of parity blocks is inferred from , , and .”h]”(hŒNote that this is ”…””}”(hj§h²hh³Nh´NubhŒemphasis”“”)”}”(hŒ*not*”h]”hŒnot”…””}”(hj±h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j¯hj§ubhŒ} the number of parity blocks. The number of parity blocks is inferred from , , and .”…””}”(hj§h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K‡hj–ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jhj„ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´Kˆhjh²hubj)”}”(hŒ…fec_start This is the offset, in blocks, from the start of to the beginning of the parity data. ”h]”(j )”}”(hŒfec_start ”h]”hŒfec_start ”…””}”(hjÙh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´KŒhjÕubj)”}”(hhh]”hÌ)”}”(hŒqThis is the offset, in blocks, from the start of to the beginning of the parity data.”h]”hŒqThis is the offset, in blocks, from the start of to the beginning of the parity data.”…””}”(hjêh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K‹hjçubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjÕubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´KŒhjh²hubj)”}”(hX‹check_at_most_once Verify data blocks only the first time they are read from the data device, rather than every time. This reduces the overhead of dm-verity so that it can be used on systems that are memory and/or CPU constrained. However, it provides a reduced level of security because only offline tampering of the data device's content will be detected, not online tampering. Hash blocks are still verified each time they are read from the hash device, since verification of hash blocks is less performance critical than data blocks, and a hash block will not be verified any more after all the data blocks it covers have been verified anyway. ”h]”(j )”}”(hŒcheck_at_most_once”h]”hŒcheck_at_most_once”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´K˜hjubj)”}”(hhh]”(hÌ)”}”(hXjVerify data blocks only the first time they are read from the data device, rather than every time. This reduces the overhead of dm-verity so that it can be used on systems that are memory and/or CPU constrained. However, it provides a reduced level of security because only offline tampering of the data device's content will be detected, not online tampering.”h]”hXlVerify data blocks only the first time they are read from the data device, rather than every time. This reduces the overhead of dm-verity so that it can be used on systems that are memory and/or CPU constrained. However, it provides a reduced level of security because only offline tampering of the data deviceâ€™s content will be detected, not online tampering.”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´KhjubhÌ)”}”(hXHash blocks are still verified each time they are read from the hash device, since verification of hash blocks is less performance critical than data blocks, and a hash block will not be verified any more after all the data blocks it covers have been verified anyway.”h]”hXHash blocks are still verified each time they are read from the hash device, since verification of hash blocks is less performance critical than data blocks, and a hash block will not be verified any more after all the data blocks it covers have been verified anyway.”…””}”(hj'h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K•hjubeh}”(h]”h ]”h"]”h$]”h&]”uh1jhjubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´K˜hjh²hubj)”}”(hXäroot_hash_sig_key_desc This is the description of the USER_KEY that the kernel will lookup to get the pkcs7 signature of the roothash. The pkcs7 signature is used to validate the root hash during the creation of the device mapper block device. Verification of roothash depends on the config DM_VERITY_VERIFY_ROOTHASH_SIG being set in the kernel. The signatures are checked against the builtin trusted keyring by default, or the secondary trusted keyring if DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is set. The secondary trusted keyring includes by default the builtin trusted keyring, and it can also gain new certificates at run time if they are signed by a certificate already in the secondary trusted keyring. ”h]”(j )”}”(hŒ(root_hash_sig_key_desc ”h]”hŒ(root_hash_sig_key_desc ”…””}”(hjEh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´K¤hjAubj)”}”(hhh]”hÌ)”}”(hXºThis is the description of the USER_KEY that the kernel will lookup to get the pkcs7 signature of the roothash. The pkcs7 signature is used to validate the root hash during the creation of the device mapper block device. Verification of roothash depends on the config DM_VERITY_VERIFY_ROOTHASH_SIG being set in the kernel. The signatures are checked against the builtin trusted keyring by default, or the secondary trusted keyring if DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is set. The secondary trusted keyring includes by default the builtin trusted keyring, and it can also gain new certificates at run time if they are signed by a certificate already in the secondary trusted keyring.”h]”hXºThis is the description of the USER_KEY that the kernel will lookup to get the pkcs7 signature of the roothash. The pkcs7 signature is used to validate the root hash during the creation of the device mapper block device. Verification of roothash depends on the config DM_VERITY_VERIFY_ROOTHASH_SIG being set in the kernel. The signatures are checked against the builtin trusted keyring by default, or the secondary trusted keyring if DM_VERITY_VERIFY_ROOTHASH_SIG_SECONDARY_KEYRING is set. The secondary trusted keyring includes by default the builtin trusted keyring, and it can also gain new certificates at run time if they are signed by a certificate already in the secondary trusted keyring.”…””}”(hjVh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K›hjSubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjAubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´K¤hjh²hubj)”}”(hXÈtry_verify_in_tasklet If verity hashes are in cache and the IO size does not exceed the limit, verify data blocks in bottom half instead of workqueue. This option can reduce IO latency. The size limits can be configured via /sys/module/dm_verity/parameters/use_bh_bytes. The four parameters correspond to limits for IOPRIO_CLASS_NONE, IOPRIO_CLASS_RT, IOPRIO_CLASS_BE and IOPRIO_CLASS_IDLE in turn. For example: ,,, 4096,4096,4096,4096 ”h]”(j )”}”(hŒtry_verify_in_tasklet”h]”hŒtry_verify_in_tasklet”…””}”(hjth²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´K¯hjpubj)”}”(hhh]”hÌ)”}”(hX±If verity hashes are in cache and the IO size does not exceed the limit, verify data blocks in bottom half instead of workqueue. This option can reduce IO latency. The size limits can be configured via /sys/module/dm_verity/parameters/use_bh_bytes. The four parameters correspond to limits for IOPRIO_CLASS_NONE, IOPRIO_CLASS_RT, IOPRIO_CLASS_BE and IOPRIO_CLASS_IDLE in turn. For example: ,,, 4096,4096,4096,4096”h]”hX±If verity hashes are in cache and the IO size does not exceed the limit, verify data blocks in bottom half instead of workqueue. This option can reduce IO latency. The size limits can be configured via /sys/module/dm_verity/parameters/use_bh_bytes. The four parameters correspond to limits for IOPRIO_CLASS_NONE, IOPRIO_CLASS_RT, IOPRIO_CLASS_BE and IOPRIO_CLASS_IDLE in turn. For example: ,,, 4096,4096,4096,4096”…””}”(hj…h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K§hj‚ubah}”(h]”h ]”h"]”h$]”h&]”uh1jhjpubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´K¯hjh²hubeh}”(h]”h ]”h"]”h$]”h&]”uh1hþhhÛh²hh³Nh´Nubeh}”(h]”Œconstruction-parameters”ah ]”h"]”Œconstruction parameters”ah$]”h&]”uh1hµhh·h²hh³hÊh´K ubh¶)”}”(hhh]”(h»)”}”(hŒTheory of operation”h]”hŒTheory of operation”…””}”(hj°h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hºhjh²hh³hÊh´K²ubhÌ)”}”(hŒÈdm-verity is meant to be set up as part of a verified boot path. This may be anything ranging from a boot using tboot or trustedgrub to just booting from a known-good device (like a USB drive or CD).”h]”hŒÈdm-verity is meant to be set up as part of a verified boot path. This may be anything ranging from a boot using tboot or trustedgrub to just booting from a known-good device (like a USB drive or CD).”…””}”(hj¾h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K´hjh²hubhÌ)”}”(hX‰When a dm-verity device is configured, it is expected that the caller has been authenticated in some way (cryptographic signatures, etc). After instantiation, all hashes will be verified on-demand during disk access. If they cannot be verified up to the root node of the tree, the root hash, then the I/O will fail. This should detect tampering with any data on the device and the hash data.”h]”hX‰When a dm-verity device is configured, it is expected that the caller has been authenticated in some way (cryptographic signatures, etc). After instantiation, all hashes will be verified on-demand during disk access. If they cannot be verified up to the root node of the tree, the root hash, then the I/O will fail. This should detect tampering with any data on the device and the hash data.”…””}”(hjÌh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K¸hjh²hubhÌ)”}”(hŒðCryptographic hashes are used to assert the integrity of the device on a per-block basis. This allows for a lightweight hash computation on first read into the page cache. Block hashes are stored linearly, aligned to the nearest block size.”h]”hŒðCryptographic hashes are used to assert the integrity of the device on a per-block basis. This allows for a lightweight hash computation on first read into the page cache. Block hashes are stored linearly, aligned to the nearest block size.”…””}”(hjÚh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´K¿hjh²hubh¶)”}”(hhh]”(h»)”}”(hŒ Hash Tree”h]”hŒ Hash Tree”…””}”(hjëh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hºhjèh²hh³hÊh´KÅubhÌ)”}”(hŒÊEach node in the tree is a cryptographic hash. If it is a leaf node, the hash of some data block on disk is calculated. If it is an intermediary node, the hash of a number of child nodes is calculated.”h]”hŒÊEach node in the tree is a cryptographic hash. If it is a leaf node, the hash of some data block on disk is calculated. If it is an intermediary node, the hash of a number of child nodes is calculated.”…””}”(hjùh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´KÇhjèh²hubhÌ)”}”(hXGEach entry in the tree is a collection of neighboring nodes that fit in one block. The number is determined based on block_size and the size of the selected cryptographic digest algorithm. The hashes are linearly-ordered in this entry and any unaligned trailing space is ignored but included when calculating the parent node.”h]”hXGEach entry in the tree is a collection of neighboring nodes that fit in one block. The number is determined based on block_size and the size of the selected cryptographic digest algorithm. The hashes are linearly-ordered in this entry and any unaligned trailing space is ignored but included when calculating the parent node.”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´KËhjèh²hubhÌ)”}”(hŒThe tree looks something like:”h]”hŒThe tree looks something like:”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´KÑhjèh²hubhŒblock_quote”“”)”}”(hŒ4alg = sha256, num_blocks = 32768, block_size = 4096 ”h]”hÌ)”}”(hŒ3alg = sha256, num_blocks = 32768, block_size = 4096”h]”hŒ3alg = sha256, num_blocks = 32768, block_size = 4096”…””}”(hj)h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´KÓhj%ubah}”(h]”h ]”h"]”h$]”h&]”uh1j#h³hÊh´KÓhjèh²hubhí)”}”(hX‡ [ root ] / . . . \ [entry_0] [entry_1] / . . . \ . . . \ [entry_0_0] . . . [entry_0_127] . . . . [entry_1_127] / ... \ / . . . \ / \ blk_0 ... blk_127 blk_16256 blk_16383 blk_32640 . . . blk_32767”h]”hX‡ [ root ] / . . . \ [entry_0] [entry_1] / . . . \ . . . \ [entry_0_0] . . . [entry_0_127] . . . . [entry_1_127] / ... \ / . . . \ / \ blk_0 ... blk_127 blk_16256 blk_16383 blk_32640 . . . blk_32767”…””}”hj=sbah}”(h]”h ]”h"]”h$]”h&]”hühýuh1hìh³hÊh´K×hjèh²hubeh}”(h]”Œ hash-tree”ah ]”h"]”Œ hash tree”ah$]”h&]”uh1hµhjh²hh³hÊh´KÅubh¶)”}”(hhh]”(h»)”}”(hŒForward error correction”h]”hŒForward error correction”…””}”(hjVh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hºhjSh²hh³hÊh´KàubhÌ)”}”(hŒêdm-verity's optional forward error correction (FEC) support adds strong error correction capabilities to dm-verity. It allows systems that would be rendered inoperable by errors to continue operating, albeit with reduced performance.”h]”hŒìdm-verityâ€™s optional forward error correction (FEC) support adds strong error correction capabilities to dm-verity. It allows systems that would be rendered inoperable by errors to continue operating, albeit with reduced performance.”…””}”(hjdh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´KâhjSh²hubhÌ)”}”(hŒ˜FEC uses Reed-Solomon (RS) codes that are interleaved across the entire device(s), allowing long bursts of corrupt or unreadable blocks to be recovered.”h]”hŒ˜FEC uses Reed-Solomon (RS) codes that are interleaved across the entire device(s), allowing long bursts of corrupt or unreadable blocks to be recovered.”…””}”(hjrh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´KæhjSh²hubhÌ)”}”(hŒ™dm-verity validates any FEC-corrected block against the wanted hash before using it. Therefore, FEC doesn't affect the security properties of dm-verity.”h]”hŒ›dm-verity validates any FEC-corrected block against the wanted hash before using it. Therefore, FEC doesnâ€™t affect the security properties of dm-verity.”…””}”(hj€h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´KéhjSh²hubhÌ)”}”(hŒkThe integration of FEC with dm-verity provides significant benefits over a separate error correction layer:”h]”hŒkThe integration of FEC with dm-verity provides significant benefits over a separate error correction layer:”…””}”(hjŽh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´KìhjSh²hubhŒbullet_list”“”)”}”(hhh]”(hŒ list_item”“”)”}”(hŒÂdm-verity invokes FEC only when a block's hash doesn't match the wanted hash or the block cannot be read at all. As a result, FEC doesn't add overhead to the common case where no error occurs. ”h]”hÌ)”}”(hŒÁdm-verity invokes FEC only when a block's hash doesn't match the wanted hash or the block cannot be read at all. As a result, FEC doesn't add overhead to the common case where no error occurs.”h]”hŒÇdm-verity invokes FEC only when a blockâ€™s hash doesnâ€™t match the wanted hash or the block cannot be read at all. As a result, FEC doesnâ€™t add overhead to the common case where no error occurs.”…””}”(hj§h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´Kïhj£ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¡hjžh²hh³hÊh´Nubj¢)”}”(hŒ{dm-verity hashes are also used to identify erasure locations for RS decoding. This allows correcting twice as many errors. ”h]”hÌ)”}”(hŒzdm-verity hashes are also used to identify erasure locations for RS decoding. This allows correcting twice as many errors.”h]”hŒzdm-verity hashes are also used to identify erasure locations for RS decoding. This allows correcting twice as many errors.”…””}”(hj¿h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´Kóhj»ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¡hjžh²hh³hÊh´Nubeh}”(h]”h ]”h"]”h$]”h&]”Œbullet”Œ-”uh1jœh³hÊh´KïhjSh²hubhÌ)”}”(hXzFEC uses an RS(255, k) code where k = 255 - fec_roots. fec_roots is usually 2. This means that each k (usually 253) message bytes have fec_roots (usually 2) bytes of parity data added to get a 255-byte codeword. (Many external sources call RS codewords "blocks". Since dm-verity already uses the term "block" to mean something else, we'll use the clearer term "RS codeword".)”h]”hXˆFEC uses an RS(255, k) code where k = 255 - fec_roots. fec_roots is usually 2. This means that each k (usually 253) message bytes have fec_roots (usually 2) bytes of parity data added to get a 255-byte codeword. (Many external sources call RS codewords â€œblocksâ€. Since dm-verity already uses the term â€œblockâ€ to mean something else, weâ€™ll use the clearer term â€œRS codewordâ€.)”…””}”(hjÛh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´KöhjSh²hubhÌ)”}”(hŒEFEC checks fec_blocks blocks of message data in total, consisting of:”h]”hŒEFEC checks fec_blocks blocks of message data in total, consisting of:”…””}”(hjéh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´KühjSh²hubhŒenumerated_list”“”)”}”(hhh]”(j¢)”}”(hŒ$The data blocks from the data device”h]”hÌ)”}”(hjþh]”hŒ$The data blocks from the data device”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´Kþhjüubah}”(h]”h ]”h"]”h$]”h&]”uh1j¡hjùh²hh³hÊh´Nubj¢)”}”(hŒ$The hash blocks from the hash device”h]”hÌ)”}”(hjh]”hŒ$The hash blocks from the hash device”…””}”(hjh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´Kÿhjubah}”(h]”h ]”h"]”h$]”h&]”uh1j¡hjùh²hh³hÊh´Nubj¢)”}”(hŒMOptional additional metadata that follows the hash blocks on the hash device ”h]”hÌ)”}”(hŒLOptional additional metadata that follows the hash blocks on the hash device”h]”hŒLOptional additional metadata that follows the hash blocks on the hash device”…””}”(hj.h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´Mhj*ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¡hjùh²hh³hÊh´Nubeh}”(h]”h ]”h"]”h$]”h&]”Œenumtype”Œarabic”Œprefix”hŒsuffix”Œ.”uh1j÷hjSh²hh³hÊh´KþubhÌ)”}”(hŒddm-verity assumes that the FEC parity data was computed as if the following procedure were followed:”h]”hŒddm-verity assumes that the FEC parity data was computed as if the following procedure were followed:”…””}”(hjMh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´MhjSh²hubjø)”}”(hhh]”(j¢)”}”(hŒ4Concatenate the message data from the above sources.”h]”hÌ)”}”(hj`h]”hŒ4Concatenate the message data from the above sources.”…””}”(hjbh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´Mhj^ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¡hj[h²hh³hÊh´Nubj¢)”}”(hŒpZero-pad to the next multiple of k blocks. Let msg be the resulting byte array, and msglen its length in bytes.”h]”hÌ)”}”(hŒpZero-pad to the next multiple of k blocks. Let msg be the resulting byte array, and msglen its length in bytes.”h]”hŒpZero-pad to the next multiple of k blocks. Let msg be the resulting byte array, and msglen its length in bytes.”…””}”(hjyh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´Mhjuubah}”(h]”h ]”h"]”h$]”h&]”uh1j¡hj[h²hh³hÊh´Nubj¢)”}”(hX%For 0 <= i < msglen / k (for each RS codeword): a. Select msg[i + j * msglen / k] for 0 <= j < k. Consider these to be the 'k' message bytes of an RS codeword. b. Compute the corresponding 'fec_roots' parity bytes of the RS codeword, and concatenate them to the FEC parity data. ”h]”hÿ)”}”(hhh]”j)”}”(hXFor 0 <= i < msglen / k (for each RS codeword): a. Select msg[i + j * msglen / k] for 0 <= j < k. Consider these to be the 'k' message bytes of an RS codeword. b. Compute the corresponding 'fec_roots' parity bytes of the RS codeword, and concatenate them to the FEC parity data. ”h]”(j )”}”(hŒ/For 0 <= i < msglen / k (for each RS codeword):”h]”hŒ/For 0 <= i < msglen / k (for each RS codeword):”…””}”(hj˜h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1j h³hÊh´Mhj”ubj)”}”(hhh]”jø)”}”(hhh]”(j¢)”}”(hŒlSelect msg[i + j * msglen / k] for 0 <= j < k. Consider these to be the 'k' message bytes of an RS codeword.”h]”hÌ)”}”(hŒlSelect msg[i + j * msglen / k] for 0 <= j < k. Consider these to be the 'k' message bytes of an RS codeword.”h]”hŒpSelect msg[i + j * msglen / k] for 0 <= j < k. Consider these to be the â€˜kâ€™ message bytes of an RS codeword.”…””}”(hj°h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´M hj¬ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¡hj©ubj¢)”}”(hŒtCompute the corresponding 'fec_roots' parity bytes of the RS codeword, and concatenate them to the FEC parity data. ”h]”hÌ)”}”(hŒsCompute the corresponding 'fec_roots' parity bytes of the RS codeword, and concatenate them to the FEC parity data.”h]”hŒwCompute the corresponding â€˜fec_rootsâ€™ parity bytes of the RS codeword, and concatenate them to the FEC parity data.”…””}”(hjÈh²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´MhjÄubah}”(h]”h ]”h"]”h$]”h&]”uh1j¡hj©ubeh}”(h]”h ]”h"]”h$]”h&]”jHŒ loweralpha”jJhjKjLuh1j÷hj¦ubah}”(h]”h ]”h"]”h$]”h&]”uh1jhj”ubeh}”(h]”h ]”h"]”h$]”h&]”uh1jh³hÊh´Mhj‘ubah}”(h]”h ]”h"]”h$]”h&]”uh1hþhjubah}”(h]”h ]”h"]”h$]”h&]”uh1j¡hj[h²hh³Nh´Nubeh}”(h]”h ]”h"]”h$]”h&]”jHjIjJhjKjLuh1j÷hjSh²hh³hÊh´MubhÌ)”}”(hXStep 3a interleaves the RS codewords across the entire device using an interleaving degree of data_block_size * ceil(fec_blocks / k). This is the maximal interleaving, such that the message data consists of a region containing byte 0 of all the RS codewords, then a region containing byte 1 of all the RS codewords, and so on up to the region for byte 'k - 1'. Note that the number of codewords is set to a multiple of data_block_size; thus, the regions are block-aligned, and there is an implicit zero padding of up to 'k - 1' blocks.”h]”hX!Step 3a interleaves the RS codewords across the entire device using an interleaving degree of data_block_size * ceil(fec_blocks / k). This is the maximal interleaving, such that the message data consists of a region containing byte 0 of all the RS codewords, then a region containing byte 1 of all the RS codewords, and so on up to the region for byte â€˜k - 1â€™. Note that the number of codewords is set to a multiple of data_block_size; thus, the regions are block-aligned, and there is an implicit zero padding of up to â€˜k - 1â€™ blocks.”…””}”(hj h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´MhjSh²hubhÌ)”}”(hŒ¹This interleaving allows long bursts of errors to be corrected. It provides much stronger error correction than storage devices typically provide, while keeping the space overhead low.”h]”hŒ¹This interleaving allows long bursts of errors to be corrected. It provides much stronger error correction than storage devices typically provide, while keeping the space overhead low.”…””}”(hj h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´MhjSh²hubhÌ)”}”(hŒàThe cost is slow decoding: correcting a single block usually requires reading 254 extra blocks spread evenly across the device(s). However, that is acceptable because dm-verity uses FEC only when there is actually an error.”h]”hŒàThe cost is slow decoding: correcting a single block usually requires reading 254 extra blocks spread evenly across the device(s). However, that is acceptable because dm-verity uses FEC only when there is actually an error.”…””}”(hj h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´MhjSh²hubhÌ)”}”(hŒËThe list below contains additional details about the RS codes used by dm-verity's FEC. Userspace programs that generate the parity data need to use these parameters for the parity data to match exactly:”h]”hŒÍThe list below contains additional details about the RS codes used by dm-verityâ€™s FEC. Userspace programs that generate the parity data need to use these parameters for the parity data to match exactly:”…””}”(hj+ h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´MhjSh²hubj)”}”(hhh]”(j¢)”}”(hŒField used is GF(256)”h]”hÌ)”}”(hj> h]”hŒField used is GF(256)”…””}”(hj@ h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´M"hj< ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¡hj9 h²hh³hÊh´Nubj¢)”}”(hŒ™Bytes are mapped to/from GF(256) elements in the natural way, where bits 0 through 7 (low-order to high-order) map to the coefficients of x^0 through x^7”h]”hÌ)”}”(hŒ™Bytes are mapped to/from GF(256) elements in the natural way, where bits 0 through 7 (low-order to high-order) map to the coefficients of x^0 through x^7”h]”hŒ™Bytes are mapped to/from GF(256) elements in the natural way, where bits 0 through 7 (low-order to high-order) map to the coefficients of x^0 through x^7”…””}”(hjW h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´M#hjS ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¡hj9 h²hh³hÊh´Nubj¢)”}”(hŒ7Field generator polynomial is x^8 + x^4 + x^3 + x^2 + 1”h]”hÌ)”}”(hjm h]”hŒ7Field generator polynomial is x^8 + x^4 + x^3 + x^2 + 1”…””}”(hjo h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´M%hjk ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¡hj9 h²hh³hÊh´Nubj¢)”}”(hŒ-The codes used are systematic, BCH-view codes”h]”hÌ)”}”(hj„ h]”hŒ-The codes used are systematic, BCH-view codes”…””}”(hj† h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´M&hj‚ ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¡hj9 h²hh³hÊh´Nubj¢)”}”(hŒPrimitive element alpha is 'x'”h]”hÌ)”}”(hj› h]”hŒ"Primitive element alpha is â€˜xâ€™”…””}”(hj h²hh³Nh´Nubah}”(h]”h ]”h"]”h$]”h&]”uh1hËh³hÊh´M'hj™ ubah}”(h]”h ]”h"]”h$]”h&]”uh1j¡hj9 h²hh³hÊh´Nubj¢)”}”(hŒ=First consecutive root of code generator polynomial is 'x^0' ”h]”hÌ)”}”(hŒ