mount: fix roothash signature extension in manpage
The PKCS7 RFC recommends to use .p7s for detached signatures file extensions, so use that in the example. https://datatracker.ietf.org/doc/html/rfc5751#section-3.2.1
parent
71b98c36d4
commit
6a7194ea23
|
@ -1414,9 +1414,9 @@ mksquashfs /etc /tmp/etc.squashfs
|
||||||
dd if=/dev/zero of=/tmp/etc.hash bs=1M count=10
|
dd if=/dev/zero of=/tmp/etc.hash bs=1M count=10
|
||||||
veritysetup format /tmp/etc.squashfs /tmp/etc.hash
|
veritysetup format /tmp/etc.squashfs /tmp/etc.hash
|
||||||
openssl smime -sign -in <hash> -nocerts -inkey private.key \
|
openssl smime -sign -in <hash> -nocerts -inkey private.key \
|
||||||
-signer private.crt -noattr -binary -outform der -out /tmp/etc.p7
|
-signer private.crt -noattr -binary -outform der -out /tmp/etc.roothash.p7s
|
||||||
mount -o verity.hashdevice=/tmp/etc.hash,verity.roothash=<hash>,\
|
mount -o verity.hashdevice=/tmp/etc.hash,verity.roothash=<hash>,\
|
||||||
verity.roothashsig=/tmp/etc.p7 /tmp/etc.squashfs /mnt
|
verity.roothashsig=/tmp/etc.roothash.p7s /tmp/etc.squashfs /mnt
|
||||||
....
|
....
|
||||||
|
|
||||||
create squashfs image from _/etc_ directory, verity hash device and mount verified filesystem image to _/mnt_. The kernel will verify that the root hash is signed by a key from the kernel keyring if roothashsig is used.
|
create squashfs image from _/etc_ directory, verity hash device and mount verified filesystem image to _/mnt_. The kernel will verify that the root hash is signed by a key from the kernel keyring if roothashsig is used.
|
||||||
|
|
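Review bot: The placeholder `<hash>` in the unchanged context line `openssl smime -sign -in <hash>` stands for something different from the `<hash>` in `verity.roothash=<hash>`, and since this change already touches the signing example it would be worth separating the two. `-in` takes the path of a file holding the root hash, while `verity.roothash=` takes the hex string itself, so a reader who pastes the same value into both gets a failing openssl call. Consider a distinct placeholder for the file, for example `-in <roothash-file>`, plus a sentence in the description paragraph saying that the root hash is the value printed by `veritysetup format`. The rename itself is consistent: `-out /tmp/etc.roothash.p7s` and `verity.roothashsig=/tmp/etc.roothash.p7s` match. A smaller point on the same lines: `-signer private.crt` names a certificate file "private", which reads oddly beside `-inkey private.key`; a name such as `signer.crt` would be clearer.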