Idan kun damu da amincin tsarin ku, dm-verity yana ɗaya daga cikin maɓalli na tsarin yanayin Linux don yin kora lafiya da gano ɓarna a cikin ajiya. Ya samo asali ne a matsayin wani ɓangare na taswirar na'urar kernel kuma yanzu shine tushen tabbatar da booting a cikin Android, OpenWrt, da rarrabawa don neman ingantaccen tsaro.
Nisa daga zama abstract concept, dm-verity an saita kuma ana amfani dashi tare da kayan aiki na gaske kamar veritysetup da systemd-veritysetupYana tabbatar da tubalan kan tashi ta amfani da bishiyar zanta kuma zai iya mayar da martani ga cin hanci da rashawa tare da manufofin da suka kama daga shiga taron zuwa sake kunnawa ko rushe tsarin. Bari mu dubi a hankali, ba tare da barin wani sako-sako da ƙare ba.
Menene dm-gaskiya kuma me yasa zaku damu
dm-verity shine makasudin na'urar-mapper a cikin kwaya wanda yana tabbatar da ingancin na'urar toshewa yayin da ake karanta bayanaiYana aiki ta ƙididdigewa da tabbatar da hashes na kowane toshe (yawanci 4K) akan bishiyar hash da aka riga aka ƙididdige, yawanci ta amfani da SHA-256.
Wannan zane yana ba da damar Ba za a iya canza fayiloli cikin shiru tsakanin sake yi ko lokacin aiwatarwa baYana da maɓalli don ƙaddamar da sarkar amana zuwa tsarin aiki, iyakance dagewar malware, ƙarfafa manufofin tsaro, da tabbatar da ɓoyayyen ɓoyewa da hanyoyin MAC yayin taya.
A kan Android (tun 4.4) da Linux gabaɗaya, Amintacciya ta dogara a cikin tushen zanta na bishiyar, wanda aka sanya hannu kuma an inganta shi tare da maɓalli na jama'a da ke cikin wuri mai kariya (misali, akan ɓangaren taya ko a cikin Ƙararren Boot mai sa hannun UCI). Karye duk wani katafaren zai buƙaci karya hash ɗin da ke ƙasa.
Ana yin tabbaci ta hanyar toshewa kuma akan buƙata: Ƙarar jinkiri kadan ne idan aka kwatanta da farashin I/OIdan cak ɗin ya gaza, kernel ɗin zai dawo da kuskuren I/O kuma tsarin fayil ɗin ya bayyana ya lalace, wanda ake tsammanin lokacin da bayanan ba su da aminci. Apps na iya yanke shawarar ko za a ci gaba ko a'a bisa la'akari da haƙurin kuskurensu.
Yadda bishiyar tabbatarwa ke aiki a ciki
An gina bishiyar tabbatarwa a cikin yadudduka. Layer 0 shine danyen bayanai daga na'urar, wanda aka raba zuwa tubalan 4K; Ana ƙididdige zantan SHA-256 (gishiri) don kowane toshe. Daga nan sai a hada wadannan hashes su zama Layer 1. Layer 1 sai a hade shi a cikin blocks sannan a sake gyara shi ya zama Layer 2, haka nan har sai komai ya shiga bulogi guda: wannan toshe idan aka yi tonon yana fitar da tushen zanta.
Idan kowane Layer bai cika daidai toshe ba, Ana lullube shi da sifili har sai ya kai 4K don kauce wa shubuha. Jimlar girman bishiyar ya dogara da girman ɓangaren da ake dubawa; a aikace, yawanci kasa da 30 MB ne ga sassan tsarin na yau da kullun.
Babban tsari shine: zaɓi gishiri bazuwar, zanta zuwa 4K, ƙididdige SHA-256 tare da kowane-block gishiri, yana haɗawa don samar da matakan, ya rufe iyakokin toshe tare da sifili, kuma yana maimaita tare da matakin da ya gabata har sai an bar zanta guda ɗaya. Wannan tushen zanta, tare da gishirin da aka yi amfani da shi, yana ciyar da teburin dm-verity da sa hannu.
Sigar tsarin diski da algorithm
Tsarin hash blocks akan faifai yana da siga. Sigar 0 ita ce sigar asali da aka yi amfani da ita a cikin Chromium OS: Ana ƙara gishiri a ƙarshen aikin hashing, ana adana abubuwan narkewar abinci akai-akai, sauran toshe kuma an cika shi da sifili.
La Ana ba da shawarar sigar 1 don sababbin na'urori: Gishirin an riga an shirya shi zuwa zanta, kuma kowane narke yana cike da sifili har zuwa iko na biyu, yana inganta daidaitawa da ƙarfi. Teburin dm-verity kuma yana ƙayyadaddun algorithm (misali, sha1 ko sha256), kodayake don tsaro na yanzu, ana amfani da sha256.
dm-verity tebur da mahimman sigogi
Teburin manufa dm-gaskiya ya bayyana inda bayanai suke, inda itacen zanta yake, da yadda ake tantancewaFilayen tebur na yau da kullun:
- dev: na'urar tare da bayanan da za a tabbatar (nau'in hanyar / dev/sdXN ko mafi girma: ƙasa).
- hash_dev: na'urar da itacen zanta (zai iya zama iri ɗaya; idan haka ne, hash_start dole ne ya kasance a waje da kewayon da aka bincika).
- size_block_size: girman toshe bayanai a cikin bytes (misali 4096).
- girman_block: girman toshe hash a cikin bytes.
- num_data_blocks: adadin tubalan bayanan da za a iya tabbatarwa.
- hash_start_block: biya diyya (a cikin hash_block_size blocks) zuwa tushen tushen bishiyar.
- algorithm: hash algorithm (misali sha256).
- narke: hexadecimal encoding na tushen toshe hash (ciki har da gishiri bisa ga sigar sigar); wannan darajar ita ce aminta.
- gishiri: gishiri hexadecimal.
Bugu da kari, akwai sigogi na zaɓi yana da amfani sosai don daidaita ɗabi'a:
- watsi da_cin hanci da rashawa: Yana rikodin ɓarna ɓarna, amma yana ba da damar karatu don ci gaba.
- sake farawa_kan_cin hanci da rashawa: sake farawa akan gano cin hanci da rashawa (bai dace da watsi_corruption ba kuma yana buƙatar tallafin sararin samaniya don guje wa madaukai).
- firgita_kan_cin hanci da rashawa: : yana haifar da firgici yayin gano cin hanci da rashawa (bai dace da sigogin baya ba).
- sake farawa_kan_kuskure y firgita_kan_kuskure: halayen iri ɗaya amma don kurakuran I/O.
- watsi da_sifiri: baya duba tubalan da ake sa ran a matsayin sifili da dawo da sifili.
- amfani da_fec_daga na'urar + tushen_fec + fec_blocks + fec_faraKunna Reed-Solomon (FEC) don dawo da bayanai lokacin da tabbatarwa ta gaza; bayanan, hash, da wuraren FEC ba dole ba ne su zoba, kuma dole ne girman toshe ya dace.
- duba_mafi_sau daya: Yana bincika kowane katangar bayanai kawai a farkon lokacin da aka karanta shi (yana rage sama da ƙimar tsaro a cikin hare-haren kai tsaye).
- tushen_hash_sig_key_desc: Nuna maɓalli a cikin maɓalli don tabbatar da sa hannun PKCS7 na tushen zanta lokacin ƙirƙirar taswira (yana buƙatar daidaitawar kernel da amintattun maɓallai).
- gwada_tabbatar_cikin_tasklet: Idan an adana hashes kuma girman I/O ya ba da izini, bincika rabin ƙasa don rage latency; daidaitawa tare da /sys/module/dm_verity/parameters/use_bh_bytes kowane aji na I/O.
Sa hannu, metadata da ƙulla amana
Domin dm-gaskiya ta zama abin dogaro, Dole ne a amince da tushen zanta kuma yawanci sanya hannuA cikin Android na gargajiya, ana haɗa maɓallin jama'a a cikin ɓangaren taya, wanda masana'anta ke tabbatar da shi a waje; yana tabbatar da sa hannun tushen hash kuma yana tabbatar da cewa ba a canza sashin tsarin ba.
Metadata na gaskiya yana ƙara tsari da sarrafa sigar. Toshe metadata ya ƙunshi lambar sihiri 0xb001b001 (bytes b0 01 b0 01), sigar (a halin yanzu 0), sa hannun tebur a cikin PKCS1.5 (yawanci 256 bytes don RSA-2048), tsayin tebur, teburin da kansa da sifili padding har zuwa 32K.
A cikin aiwatar da Android, tabbatarwa ya dogara fs_mgr da fstab: Ƙara alamar rajistan shiga daidai da shigar da maɓalli a /boot/verity_key. Idan lambar sihirin ba ta inda yakamata ta kasance, tabbatarwa yana tsayawa don gujewa bincika abin da bai dace ba.
An tabbatar da fara aiki
Kariya yana rayuwa a cikin kwaya: Idan an daidaita kafin takalmin kwaya, maharin yana riƙe da ikoShi ya sa masana'antun ke tabbatar da ingancin kowane mataki: maɓalli da aka ƙone a cikin na'urar yana tabbatar da bootloader na farko, wanda ke tabbatar da na gaba, bootloader na app, kuma a ƙarshe, kernel.
Tare da tabbatar da kernel, Ana kunna dm-verity lokacin hawa ingantacciyar na'urar tosheMaimakon hashing gaba ɗaya na'urar (wanda zai kasance a hankali da ɓarna makamashi), an tabbatar da toshe ta ta hanyar toshe yayin da ake shiga. Rashin gazawa yana haifar da kuskuren I/O, kuma ayyuka da ƙa'idodi suna amsawa gwargwadon juriyarsu: ko dai ci gaba ba tare da wannan bayanan ba ko faɗuwa gaba ɗaya.
Gyara Kuskuren Gaba (FEC)
Tun daga Android 7.0, FEC (Reed-Solomon) an haɗa shi tare da dabarun haɗin gwiwa don rage sararin samaniya da haɓaka ikon dawo da tubalan da suka lalace. Wannan yana aiki tare da dm-verity: idan cak ɗin ya gaza, tsarin tsarin na iya ƙoƙarin gyara shi kafin ayyana shi ba zai iya murmurewa ba.
Ayyuka da ingantawa
Don rage tasiri: Kunna hanzarin SHA-2 ta NEON akan kari na ARMv7 da SHA-2 akan ARMv8 daga kernel. Daidaita karanta-gaba da prefetch_cluster sigogi don kayan aikin ku; Tabbatar da katanga yawanci yana ƙara kaɗan zuwa farashin I/O, amma waɗannan saitunan suna yin bambanci.
Farawa akan Linux (systemd, veritysetup) da Android
A kan Linux na zamani tare da tsarin, dm-gaskiya yana ba da damar ingantaccen tushen karantawa kawai ta amfani da veritysetup (bangaren cryptsetup), systemd-veritysetup.generator, da systemd-veritysetup@.service. Ana ba da shawarar haɗa Secure Boot da UCI da aka sa hannu (haɗin kai hoton kwaya), kodayake ba a buƙatar su sosai.
Shiri da shawarar rabuwa
Sashe na tsarin aiki da daidaitacce. Ajiye ƙara don bishiyar zanta (8-10% na girman tushen yawanci ya isa) kuma la'akari da rabuwa / gida da / var idan kana buƙatar rubuta. Tsarin tsari ya haɗa da: ESP (na bootloader), XBOOTLDR (na UKIs), tushen (tare da ko ba tare da boye-boye ba), VERITY partition, da na zaɓi / gida da / var.
A matsayin tushen, EROFS wani zaɓi ne mai ban sha'awa sosai ga ext4 ko squashfs: Ana karanta shi kawai ta ƙira, tare da kyakkyawan aiki akan flash/SSD, matsawa lz4 ta tsohuwa, kuma ana amfani da shi sosai akan wayoyin Android tare da dm-verity.
Fayilolin da dole ne a rubuta su
Tare da tushen ro, wasu shirye-shirye suna tsammanin rubutawa zuwa /da sauransu ko lokacin initKuna iya matsar da shi zuwa /var/da sauransu kuma ku haɗa duk wani abu da ke buƙatar canzawa (misali, NetworkManager haɗe-haɗe a /etc/NetworkManager/system-connections). Lura cewa systemd-journald yana buƙatar /etc/machine-id don wanzuwa a cikin tushen directory (ba symlink) don guje wa karya farkon farawa.
Don gano abin da canje-canje a cikin kisa, amfani da dracut-overlayroot: ya rufe tmpfs akan tushen, kuma duk abin da aka rubuta yana bayyana a /run/overlayroot/u. Ƙara tsarin zuwa /usr/lib/dracut/modules.d/, haɗa da overlayroot a cikin dracut, kuma saita overlayroot=1 akan layin kwaya; ta wannan hanyar za ku ga abin da za ku yi ƙaura zuwa /var.
Misalai masu amfani: pacman da NetworkManager
A cikin Arch, ya dace Matsar da bayanan Pacman zuwa /usr/lib/pacman ta yadda rootfs ko da yaushe madubi shigar kunshe-kunshe. Sannan, tura cache ɗin zuwa /var/lib/pacman da mahaɗin. Don canza lissafin madubi ba tare da taɓa tushen ba, matsar da shi zuwa /var/da sauransu kuma ku haɗa shi ta wata hanya.
Tare da NetworkManager, matsar da tsarin-haɗin zuwa /var/etc/NetworkManager da haɗi daga /etc/NetworkManager/system-connections. Wannan yana kiyaye tushen baya canzawa kuma tsarin yana rayuwa inda yakamata a rubuta shi.
Gina gaskiya da gwaji
Daga rayuwa kuma tare da komai cikakke kuma an saka shi a cikin ro, ƙirƙirar itacen da roothash tare da veritysetup format: Lokacin da kake aiki, yana buga layin Tushen Hash, wanda zaka iya ajiyewa zuwa roothash.txt. Guda shi don gwaji tare da saitin tabbatarwa buɗe tushen-na'urar tushen gaskiyar-na'urar $(cat roothash.txt) da mount /dev/mapper/root.
Idan kun fi so, na farko ya haifar da itacen zuwa fayil (verity.bin) sa'an nan kuma rubuta shi zuwa ga VERITY partition. Saitin da aka samo shine: hoton tushen, bishiyar gaskiya, da tushen zanta da zaku saka a taya.
Sanya layin kwaya
Ƙara waɗannan sigogi: systemd.verity=1, roothash=abun ciki_roothash.txt, systemd.verity_root_data=ROOT-PATH (misali LABEL=OS), da systemd.verity_root_hash=VERITY-PATH (misali LABEL=VERITY). Saita systemd.verity_root_options don sake farawa-kan-cin hanci da rashawa ko firgita-kan-cin hanci da rashawa don tsauraran manufofi.
Sauran shawarwarin zaɓuɓɓuka: ro (idan ba ku amfani da EROFS / squashfs), rd.emergency=sake yi y rd.shell=0 (hana harsashi mara izini idan boot ya kasa), kuma kullewa = sirri don kare ƙwaƙwalwar kernel daga samun dama.
Ƙarin ɓangarori tare da gaskiya
Ba tushen kawai ba: Kuna iya ayyana wasu taswira a /etc/veritytab da systemd-veritysetup@.sabis zai tara su a taya. Ka tuna: yana da sauƙi don hawa RW ɓangaren ɓangaren da ba tushen tushe ba, kuma tushen mai amfani zai iya kashe Verity akan waɗannan ɓangarorin, don haka ƙimar tsaro a wurin tana da ƙasa.
Tsaro: Secure Boot, UKI da sa hannu na kayayyaki
dm-gaskiya ba harsashi na azurfa ba ne. Shiga UCI kuma kunna Secure Boot tare da maɓallan ku don hana kowa ƙetare kernel/initramfs/cmdline (wanda ya haɗa da tushen zanta). Kayan aiki kamar sbupdate-git ko sbctl suna taimakawa ci gaba da sanya hannu kan hotuna da sarkar boot ɗin daidai.
Idan kun kunna kulle kernel ko tabbatar da sa hannun module, Dole ne a sanya hannu a kan tsarin DKMS ko daga itace ko kuma ba za su yi lodi ba. Yi la'akari da kernel na al'ada tare da sa hannu kan tallafin bututun ku (duba sa hannu kan samfuran kwaya).
Encryption, TPM da mita
dm-gaskiya yana kare mutunci, rashin sirriKuna iya barin tushen ba a ɓoye idan bai ƙunshi kowane sirri ba kuma ana kiyaye sarkar taya. Idan kuna amfani da maɓalli daga tushen don buɗe wasu kundin, to yana da kyau a ɓoye shi.
Tare da TPM 2.0, systemd-cryptenroll yana ba da damar maɓallan ɗaure zuwa PCRs 0,1,5,7 (firmware, zažužžukan, GPT, amintaccen matsayin taya). Ƙara rd.luks.options=LUKS_UUID=tpm2-na'urar=autoto kuma tabbatar kun haɗa da tallafin TPM2 a cikin initramfs. systemd-boot yana auna kernel.efi a cikin PCR4, mai amfani don bata maɓalli idan UKI ko cmdline ta canza.
Sabuntawa da samfuran turawa
Tushen karantawa kawai tabbatacce Ba a sabunta shi tare da mai sarrafa kunshin a cikin hanyar gargajiya. Manufar ita ce gina sabbin hotuna tare da kayan aiki kamar aikin Yocto da buga su. systemd yana da systemd-sysupdate da systemd-repart don ƙaƙƙarfan zazzage hoto da walƙiya.
Wata dabara ita ce A/B tsarin: Kuna kiyaye tushen biyu da gaskiya guda biyu. Kwafi tushen aiki zuwa tushen da ba ya aiki, yi amfani da canje-canje, kuma sake gyara gaskiya. Canja baya kan taya na gaba. Idan kana amfani da UKI, tuna don sabunta tushen zanta a cikin layin cmd ko sake gina UCI da aka sanya hannu.
Don dagewa na zaɓi, Yi amfani da OverlayFS akan tushen da aka tabbatar tare da babba a cikin tmpfs ko faifai. Hakanan zaka iya wuce systemd.volatile=overlay don dagewar wucin gadi. Flatpak yana sauƙaƙe shigar da apps a / var da / gida ba tare da taɓa / ba.
Akwai fakiti na atomatik (misali verity-squash-root a cikin AUR) waɗanda ke gina tushen squashfs da sanya hannu kan roothash tare da kernel da initramfs, ba ka damar zaɓar tsakanin naci ko ephemeral yanayin da kuma adana sabon rootfs a matsayin madadin. Lura: ƙara dagewa zuwa tushen tabbatarwa yana da ƙananan lokuta na amfani; gwada dagewar bayanan app akan ɓangarori daban-daban.
Android: tsarin-as-tushen, AVB da overlays mai siyarwa
Tun daga Android 10, RootFS yana daina aiki akan faifan RAM kuma yana haɗawa da system.img. (tsarin-as-tushen). Na'urorin ƙaddamar da Android 10 koyaushe suna amfani da wannan makirci kuma suna buƙatar ramdisk don dm-linear. An saita BOARD_BUILD_SYSTEM_ROOT_IMAGE zuwa karya a cikin wannan ginin don bambanta tsakanin amfani da ramdisk da tsarin kunnawa kai tsaye.img.
Android 10 ya haɗa tsauri partitions da farko-mataki init wanda ke kunna sashin tsarin ma'ana; kwaya baya hawa shi kai tsaye. OTA-tsari-kawai yana buƙatar ƙirar tsarin-kamar tushen, wanda ya zama tilas akan na'urorin Android 10.
Babu A/B, kiyaye farfadowa daban da tayaBa kamar A/B ba, babu boot_a/boot_b madadin, don haka cire farfadowa a cikin waɗanda ba A/B ba na iya barin ku ba tare da yanayin dawo da idan sabuntawar taya ya gaza ba.
kernel mounts system.img zuwa /converity ta hanyoyi biyu: vboot 1.0 (faci don kernel don rarraba metadata na Android a cikin / tsarin kuma ya samo sigogin dm-verity; cmdline ya haɗa da tushen =/dev/dm-0, skip_initramfs da init=/init tare da dm=…) ko vboot 2.0/AVB, inda bootloader ya haɗa libavb, karanta bayanin hashtree (a cikin vbmeta ko tsarin), yana gina sigogi kuma ya wuce su zuwa kernel a cikin cmdline, tare da goyon bayan FEC da tutoci kamar restart_on_corruption.
Tare da tsarin-as-tushen, kar a yi amfani da BOARD_ROOT_EXTRA_FOLDERS don takamaiman manyan fayilolin tushen na'urar: waɗannan za su ɓace lokacin kunna GSI. Ƙayyade ƙayyadaddun tudu a ƙarƙashin /mnt/mai siyarwa/ , wanda fs_mgr ke ƙirƙira ta atomatik, kuma a nuna su a cikin fstab na itacen na'urar.
Android yana ba da damar a overlay dillali daga /samfurin/mai sayar da_overlay/: init zai hau / mai siyar da ƙananan bayanan da suka dace da buƙatun mahallin SELinux da kasancewar / mai siyarwa / . Yana buƙatar CONFIG_OVERLAY_FS=yy, akan tsofaffin kernels, override_creds=off patch.
Aiki na yau da kullun: yana shigar da fayilolin da aka riga aka tattara a cikin na'ura/ / /mai rufewa_, ƙara su zuwa PRODUCT_COPY_FILES tare da nemo-kwafin-subdir-files zuwa $(TARGET_COPY_OUT_PRODUCT)/vendor_overlay, ayyana mahallin cikin file_contexts don sauransu da app (misali vendor_configs_file da vendor_app_file) sannan a ba da izinin hawa kan waɗannan mahallin a cikin. Gwada tare da vfs_mgr_vendor_overlay_test a cikin mai amfani debug.
Shirya matsala: saƙon cin hanci da rashawa dm-gaskiya akan Android
A kan na'urori masu ramin A/B, canza ramummuka ko vbmeta/boot mai walƙiya ba tare da daidaito tare da roothash ba Wannan na iya haifar da gargaɗin: dm-gaskiya cin hanci da rashawa, na'urarka ba ta da amana. Umarni kamar fastboot flash –disable-verity –disable-verification vbmeta vbmeta.img musaki tabbaci, amma barin tsarin ba tare da wani garantin mutunci ba.
Wasu bootloaders suna goyan bayan fastboot OEM disable_dm_verity kuma akasin sa, kunna_dm_verity. Yana aiki akan wasu samfura, amma ba akan wasu ba; kuma yana iya buƙatar kernel/magisk tare da ingantattun tutoci. Yi amfani da haɗarin ku: tsarin aiki mai hankali shine daidaita boot, vbmeta, da tsarin, sa hannu ko sabunta itacen kuma tabbatar da cewa tushen hash ɗin da ake sa ran yayi daidai da wanda aka tsara.
Idan bayan gargadin za ku iya ci gaba da danna wuta, tsarin yana farawa, amma ba ku da cikakkiyar sarkar amanaDon cire saƙon ba tare da sadaukar da tsaro ba, mayar da ainihin hotuna da aka sanya hannu ko sake ginawa/tabbatar da vbmeta tare da madaidaicin hashtree, maimakon musaki gaskiyar.
i.MX da OpenWrt dandamali
A kan i.MX6 (misali sabresd), saita kernel tare da tallafin DM_VERITY da FEC, samar da bishiyar tare da saiti na gaskiya, adana tushen zanta amintacce, kuma ku wuce sigogin da suka dace a cikin layin cmd ko haɗa ta intramfs tare da tsarin tsarin-veritysetup. Idan ba ku yi amfani da dm-crypt ba, ba kwa buƙatar CAAM don gaskiya; mayar da hankali a kan mutunci.
A cikin OpenWrt da in shigar Linux tsarin tare da OpenEmbedded, Akwai ƙoƙarin haɗa dm-verity da SELinux (Ayyukan Bootlin da aka bita tare da niyyar haɗa tallafi). Daidaitawar dabi'a ce: masu amfani da hanyoyin sadarwa da kayan aikin cibiyar sadarwa suna amfana daga tushen da ba za a iya canzawa ba, tabbatarwa, da taurin MAC.
Gina bishiyar da hannu da ginin metadata (cikakken gani)
cryptsetup na iya samar muku da itacen, amma idan kun fi son fahimtar tsarin, ƙaramin layin layin tebur ya haɗa da: Sunan taswira, na'urar bayanai, toshe bayanai da girman hash, girman hoto a cikin tubalan, matsayi na hash_start (toshe hoto + 8 idan an haɗa shi), tushen zanta, da gishiri. Bayan ƙirƙirar yadudduka masu haɗaka (daga sama zuwa ƙasa, ban da Layer 0), kuna rubuta bishiyar zuwa faifai.
Don shirya komai, shirya tebur dm-verity, sa hannu (na al'ada RSA-2048) da sa hannun rukuni + tebur a cikin metadata tare da sigar rubutun kai da lambar sihiri. Sannan, yana haɗa hoton tsarin, metadata na gaskiya, da bishiyar zanta. A cikin fstab, yana yiwa fs_mgr alama a matsayin tabbatarwa kuma yana sanya maɓallin jama'a a /boot/verity_key don tabbatar da sa hannun.
Inganta da SHA-2 masu saurin gudu don CPU ɗin ku kuma daidaita karanta-gaba/prefetch_cluster. A kan kayan aikin ARM, NEON SHA-2 (ARMv7) da kari na SHA-2 (ARMv8) suna rage yawan tabbatarwa.
A cikin kowane turawa, tuna cewa dole ne a kiyaye ƙimar zantan tushen: ko an haɗa shi cikin sa hannun UCI, a cikin ɓangaren taya da aka sanya hannu, ko mai ɗaukar kaya ya inganta ta amfani da AVB. Komai bayan wannan batu ya gaji wannan amana.
Tare da duk abubuwan da ke sama a wurin, dm-gaskiya ya zama ƙwaƙƙwaran tushe don tsarin da ba a iya canzawa, wayar hannu da tsarin da aka saka, Goyan bayan sabuntawar ma'amala, daidaitawar daidaitawa, da tsarin tsaro na zamani wanda ke rage girman kai hari kuma yana hana dagewa ba tare da sadaukar da aikin ba.
