---
title: "dm-verity"
type: concept
tags: [Linux-Kernel, Security, Filesystem]
date: 2026-04-19
---
## Definition
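dm-verity (device-mapper verity) is a Linux kernel subsystem that verifies the integrity of block devices, using a cryptographic hash tree to provide integrity protection for read-only filesystems.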
## How It Works
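- A hash tree structure is built over the block device
- The hash of each block's data is compared against the hash at the level above
- The root hash is stored in a trusted storage location
- Any change to a block's content causes verification to fail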
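
The steps above as a simplified model in Python. This is an added example, not code from this wiki or from the kernel: it omits dm-verity's salt and on-disk layout, and `BLOCK`, `FANOUT` and all function names are assumptions chosen for illustration.

```python
import hashlib

BLOCK = 4096   # data block size in bytes (assumed for this model)
FANOUT = 128   # SHA-256 digests per hash block: 4096 / 32

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def read_block(device, index):
    return bytes(device[index * BLOCK:(index + 1) * BLOCK]).ljust(BLOCK, b"\0")

def build_tree(device):
    """Return hash levels bottom-up: levels[0] = data block digests, levels[-1] = [root]."""
    n = (len(device) + BLOCK - 1) // BLOCK
    levels = [[h(read_block(device, i)) for i in range(n)]]
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([h(b"".join(prev[i:i + FANOUT])) for i in range(0, len(prev), FANOUT)])
    return levels

def verify_block(device, index, levels, trusted_root):
    """Verify one data block on read by walking its hash path up to the trusted root."""
    digest = h(read_block(device, index))
    for stored in levels[:-1]:
        if stored[index] != digest:
            return False  # mismatch against the stored hash at this level
        index //= FANOUT
        digest = h(b"".join(stored[index * FANOUT:(index + 1) * FANOUT]))
    return digest == trusted_root

def demo():
    # Constructed sample image: 300 blocks, giving levels of 300, 3 and 1 digests.
    device = bytearray(b"".join(bytes([i % 251]) * BLOCK for i in range(300)))
    levels = build_tree(device)
    root = levels[-1][0]  # kept outside the device, in trusted storage
    clean = verify_block(device, 42, levels, root)
    device[42 * BLOCK] ^= 0x01  # flip one bit in block 42
    tampered = verify_block(device, 42, levels, root)
    # Rewriting the stored leaf digest to match does not help: the parent no longer matches.
    levels[0][42] = h(read_block(device, 42))
    forged = verify_block(device, 42, levels, root)
    other = verify_block(device, 200, levels, root)  # different hash block, unaffected
    return clean, tampered, forged, other

if __name__ == "__main__":
    print(demo())
```

The `forged` case shows why the root hash has to live in trusted storage: everything below it sits on the same device as the data and can be rewritten along with it.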
## Use Cases
- Preventing tampering with the root filesystem
- Ensuring container image integrity
- Serving as part of the secure boot chain
## Related Concepts
- [[Bottlerocket-OS]] — uses dm-verity to verify the root filesystem
- [[Secure-Boot]] — secure boot mechanism
- [[Root-Filesystem]] — root filesystem protection