mount: fix roothash signature extension in manpage
The PKCS7 RFC recommends using .p7s as the file extension for detached signatures, so use that in the example. https://datatracker.ietf.org/doc/html/rfc5751#section-3.2.1
parent 71b98c36d4
commit 6a7194ea23
@ -1414,9 +1414,9 @@ mksquashfs /etc /tmp/etc.squashfs
|
|||
dd if=/dev/zero of=/tmp/etc.hash bs=1M count=10
|
||||
veritysetup format /tmp/etc.squashfs /tmp/etc.hash
|
||||
openssl smime -sign -in <hash> -nocerts -inkey private.key \
|
||||
-signer private.crt -noattr -binary -outform der -out /tmp/etc.p7
|
||||
-signer private.crt -noattr -binary -outform der -out /tmp/etc.roothash.p7s
|
||||
mount -o verity.hashdevice=/tmp/etc.hash,verity.roothash=<hash>,\
|
||||
verity.roothashsig=/tmp/etc.p7 /tmp/etc.squashfs /mnt
|
||||
verity.roothashsig=/tmp/etc.roothash.p7s /tmp/etc.squashfs /mnt
|
||||
....
|
||||
|
||||
create squashfs image from _/etc_ directory, verity hash device and mount verified filesystem image to _/mnt_. The kernel will verify that the root hash is signed by a key from the kernel keyring if roothashsig is used.
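Review bot: On the openssl line, `-in <hash>` reuses the placeholder that `verity.roothash=<hash>` uses for the root hash value, but `-in` takes a file name, so the example still does not say which file is being signed. Now that the signature is named /tmp/etc.roothash.p7s, consider giving the signed input a matching name, for instance a /tmp/etc.roothash file holding the root hash reported by `veritysetup format`, and mention it in the description paragraph so the signature and the value passed to `verity.roothash=` are visibly the same data. The description paragraph also still starts with a lowercase "create"; that could be fixed in the same change.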