Dm verity verification failed: what to do

Galaxy S7 dm verity verification Failed Fix


In this guide, I discuss the solution to the Galaxy S7 dm verity verification failed error. This solution can also be used for the Samsung Galaxy S6, S9 or any other Galaxy series phone.

The Samsung Galaxy S7 and S7 edge are considered the finest phones of 2016. Even after the release of so many phones with better specs and operating systems, people don’t want to change their S7 and move to the S8. They are completely content with it. The Galaxy S7 is best in almost everything.

From looks to hardware and specs, everything is optimal. It has great camera quality and great processing power. There are two versions of the Samsung Galaxy S7: the international model is equipped with Samsung’s own Exynos 8890 processor, whereas the USA model is equipped with the Snapdragon 820.

Both models have 4 GB of RAM.

Currently, the Galaxy S7 and Galaxy S7 edge are running on Android Nougat, but soon they will be getting the Android Oreo update.

Samsung has started a Galaxy Beta programme, where they are testing Android Oreo so that they can release a bug-free version to their users.

Users of Galaxy S8 can opt for a testing program.

Update: You can install Android Nougat on your Galaxy S7 or Galaxy S7 edge using this guide.

Galaxy S7 dm verity Verification Failed Fix

I got this dm verity verification failed error after I tried to unroot my phone via SuperSU. I should have flashed the stock firmware instead.

Well, I opted for the complete unroot option that is present in the app. It didn’t go well.

My phone rebooted, and the next thing you see is the phone in the recovery menu, and at the bottom, in red font, was written “dm verity verification failed”.

After spending some time on the internet, I figured out it’s not an uncommon problem. Its solution is also simple, but you will most probably lose all your data. Losing data is still better than a dead phone.

All you have to do is flash stock firmware via ODIN to get your phone back to normal, as it’s just a firmware/software error and can be fixed easily. In the following method, we will be flashing the stock ROM on the Galaxy S7 via Odin.

You can perform the same process using Smart Switch, which will be convenient if you haven’t used ODIN before.

How to flash stock firmware on Galaxy S7 (dm verity verification error solution):

Now let us move on to the guide. It’s easy. If you have any confusion or hesitation at any step, feel free to ask me in the comments.


  • Download ODIN V3.12.3. (Click on download through the browser when the window opens.)
  • Download the stock firmware for your S7 from SamMobile.
  • Download Samsung Drivers for Windows. (The link to the download file is under the main heading.) These drivers are to be installed on your PC; they are essential for your PC to recognize your device properly.
  • You will need a computer for this solution.
  • It might delete all the data present on your phone, so it’s better to back up using this guide.

Important: Before moving forward, please make sure KIES is not running on your PC and is not present in the system taskbar tray.

Make sure you have got the right ROM according to your phone model and country. If your phone is carrier unlocked and it is not branded, you can use any carrier-free (unbranded) ROM from the link above. Here is how to check whether your phone is branded or not.

If a logo or any carrier name appears when you start your phone, then it’s branded. If only the Samsung logo appears when you reboot your phone, then it’s clean.

The most important thing is to make sure that you don’t flash an unbranded ROM on a branded phone and vice versa.

Now let’s move on to the guide on how to flash stock ROM (Solution of Galaxy S7 dm verity verification failed error):

  1. First of all, download and extract ODIN on your PC.
  2. Download and install the Samsung USB drivers for Windows on your PC.
  3. Download the right ROM for your phone and extract it on your desktop or anywhere.
  4. Extract the .zip file to get the .tar or .tar.md5 file.

  5. Now turn off your Galaxy S7.
  6. Get your phone into Download mode:
    • Press Power button, Volume Down and Home Button simultaneously.
    • Keep on holding buttons till you see a warning.
    • Press Volume up button to continue.
  7. Now open ODIN on your laptop or PC.
  8. Connect your Galaxy S7 to your PC via data cable.

     The ID:COM section in ODIN will turn blue. It’s an indication that the PC has recognized your device.

  9. Click on AP on ODIN.
  10. After that, locate and select the stock firmware you downloaded for Galaxy S7.

  11. If the firmware you downloaded extracts to more than one file, then select the corresponding section according to file type: BL belongs to Bootloader, AP belongs to PDA, CP belongs to Phone (Modem), and the CSC file goes in the CSC tab.

    (Mostly you just need to select the AP/PDA file.)

  12. Make sure only Auto Reboot and F. Reset Time are checked in the options. DO NOT CHECK REPARTITION.
  13. Click on Start.

  14. Now, wait for 4-5 minutes. Don’t disconnect your Galaxy S7 from your PC while ODIN is flashing, because it can brick your phone. Wait even if it takes time.
  15. Finally, when the flashing completes, your S7 will reboot.

Once your phone has rebooted, it will be running on factory settings. It won’t get stuck on the Samsung logo and it won’t give the S7 dm-verity verification failed error. Your phone might take some time on first boot.

If you have any questions regarding the above guide on how to flash stock firmware on the Galaxy S7, which also serves as the Galaxy S7 dm verity verification failed error solution, do ask us in the comments. If you have some other solution for this problem, please share it with us.


Dm-Verity Verification Failed on Samsung Phones [FIX]

A lot of people have started facing this very strange error on their Samsung Galaxy smartphones. Previously I thought that this error was affecting a very small batch of phones, but recently I started receiving more and more requests about this error.

Basically, the Samsung Galaxy smartphone goes into a bootloop, and when you boot it up, it shows the dm-verity verification failed error on the screen.

If you are also facing this issue on your Android phone, today I will answer all your queries regarding this error once and for all.

What is DM-Verity Verification failed Error?

This error mainly comes up if you try to flash a recovery or ROM that is not built for your phone onto your Samsung Galaxy phone. A lot of people tried installing ROMs that were meant for some other variant or another phone altogether and ended up with this dm-verity verification failed error.

If your phone is not rooted and you don’t install any custom recovery or ROM on your phone, you should not have this error.

How to Fix dm-verity verification failed error

There are a couple of things that you will need before starting this process. Note that your phone’s warranty is already void. That is not because of this fix; it is because of the cause of the dm-verity verification failed error, which is rooting.


  1. A Windows computer. You might be able to do it on a Mac, but I don’t have any idea about that because I have fixed this on a Windows computer multiple times without any problem.
  2. A decent internet connection.

    If you have a decent internet connection then the time required for this fix could be decreased by a lot.

  3. A USB cable to connect your phone to the computer.
  4. Odin flash tool.

    This flash tool is used to flash almost everything on Samsung phones and it is essential in this procedure as well. Download it from here.

  5. USB drivers for your phone will also be needed. Download the Samsung USB drivers from here and install them on your PC.

    After installation, don’t forget to restart your computer.

  6. You will need to download some files, but those files will make more sense to you during the actual procedure.

Fixing dm-verity verification failed error

  1. First of all, you will need to download the official Samsung firmware for your phone. This is a very important step and I would recommend you to get the correct firmware for your phone from

    If you don’t know what model number your phone is, try looking at the box of your phone.

  2. Next, you will need to put your Samsung Galaxy in download mode. For that, press and hold the VolUp + Power + Home keys for 5 seconds and you will see a warning screen.

    This is normal, don’t worry.

  3. Here you can see that to enter Download mode, we need to select Continue, which is selected with the VolUp key. Press the VolUp key and you should now be in Download mode.
  4. Now connect your phone to your computer using the USB cable.

    I recommend that you use the original Samsung USB cable and avoid using 3rd-party cables.

  5. After your phone is detected by your computer, extract the firmware for your phone and also extract the Odin zip file.

    The firmware is usually a big file so it might take some time; be patient.

  6. Once done, open the Odin folder and there you will find a file called odin3.exe. As soon as you open the Odin file, you should see your phone detected by it in the first box.

    If your phone is not detected by Odin, try re-installing the USB drivers.

  7. Click on the AP button and select the tar.md5 file which you found after extracting the firmware. Usually, the AP file is quite massive and it takes a couple of minutes for Odin to respond.

    Don’t worry if Odin starts showing “Not Responding”. It’s normal.

  8. The last and final step is to click on the “Start” button. This will initiate the flashing process, and if you want to have your phone back to normal, don’t disconnect your phone and don’t power off your PC.

    It will be a disaster if that happens.

  9. After a couple of minutes, you will see the ‘PASS’ status in the Odin window in green. This is the time when you can disconnect your phone from the computer and boot it just like normal.

If everything went right, you will be able to boot into your phone normally. Don’t worry if it takes up to 15 minutes to start, because this is the very first start of the phone after the firmware refresh and it takes that much time to build all the data for the built-in apps.

This part of the tutorial is only for those whose phone is stuck at the “Samsung” logo and is not proceeding even after 15 minutes of waiting.

  1. Press and hold the VolUp + Power + Home keys together for 5 seconds and your phone should reboot into recovery mode.
  2. This is the mode where you can factory reset your phone. Navigate the recovery mode using the volume keys and press the power button to select the “Wipe data/Factory Reset” option from the list.

This will eliminate any kinks and conflicts that the fresh firmware might have on your phone. After you have successfully factory reset your phone, just reboot it and wait for 10 minutes and it should start working like a brand new phone.

That is it for this tutorial. I hope that you were able to fix the “dm-verity verification failed, Need to check DRK first” error. If you found this tutorial helpful, then please make sure to share it with your friends on social media.


Fix DM-Verity Warning on OnePlus 3/3T in 5 Minutes

A lot of OnePlus 3/3T users have recently been facing this strange issue where, when they reboot their phones, an error/warning message is presented to them stating ‘dm-verity verification failed’ or something of that sort.

A lot of users have been affected by this issue as per the reports from XDA Forums. Though this is not a very serious issue or problem (if you know what you are doing), it could get really annoying to see some kind of warning message stating negative stuff about the device you own.

But thanks to the XDA Forum member th3g1z, we have a fix for DM-Verity warning on OnePlus 3/3T.


What is DM-Verity?

Before heading to the solution, let us first try to understand the problem.

Verity is a security feature, originally found in ChromeOS, designed to provide assured and trustworthy computing devices, preventing malicious software from modifying a device.

It was announced all the way back in Android 4.4 KitKat, but, no one really seemed to care about it until recently when Google started to implement it strongly starting Android 6.0.

Above screenshots show a typical dm-verity warning.

The primary purpose of this security measure is to prevent the software on a device from being modified without the user’s knowledge.

If you are a flashaholic, then rooting is no big deal for you because you do it all the time. But for an average user, it is a big deal.


With Verity in place, any changes made to the system partition will be detected on boot.

So if you have recently made any changes to your system partition, then you’d probably see one of the messages displayed above.

While this is very good for non-geeky Android users, it is not very good news for people who aspire to root their phone in future. Google might crack down hard on rooting methods in the not so distant future.

How to Fix DM-Verity Warning on OnePlus 3/3T:

Now that you have a fair idea of what exactly this warning/error is, let us see how we can eradicate this warning message on our beloved OnePlus 3/3T.

If you have come this far, this means your device is rooted with a custom recovery installed, possibly running a custom ROM, because there is no way you’d get this error without root!

The best thing about this method is, you don’t have to flash anything!

The only prerequisite for this method to work is that you have a working Fastboot environment.


That said, follow the steps below to get rid of this error message:

  • Step 1: Reboot your phone into fastboot mode:

Stock recovery: It is highly unlikely that you will be on stock recovery, but if you are, follow the steps below:

  1. Power Down the OnePlus 3.
  2. When the phone is completely switched off, Press and Hold the Power Button and Volume Down Buttons at the Same Time.
  3. Continue Holding these two buttons past the OnePlus/Android Splash Screen that appears.
  4. When the phone boots into Recovery Mode, release the power and volume down buttons.
  5. Tap on the English Option.
  6. Now, Tap on the ‘Advanced’ Option.
  7. Then, Tap on the ‘Reboot to Fastboot’ Option.
  8. Then Tap on the ‘Reboot to Fastboot’ Option Again.
  9. Your phone will now be in fastboot mode.

TWRP Recovery:

  1. Follow the steps 1 through 4 from above, to boot into TWRP recovery.
  2. Tap on the ‘Reboot’ option.
  3. Now tap on ‘Bootloader’ to boot into fastboot mode.
  • Step 2: Connect your device to your PC or laptop with the USB cable.
  • Step 3: Download ADB and fastboot and extract the downloaded zip on your desktop.
  • Step 4: Open a fastboot window from the folder where the ADB and fastboot files are present.
    1. Go to the folder where fastboot is installed.
    2. Right-click on the empty space of the folder while pressing the ‘Shift’ key on your keyboard.
    3. Select the ‘Open command window here’ option.
  • Step 5: Check if fastboot is working properly. Type ‘fastboot devices’ and press enter. You should see your device listed there.
  • Step 6: Enter the commands below in the command prompt, one by one (and press enter after each one, of course).

      fastboot oem disable_dm_verity
      fastboot oem enable_dm_verity

Now you can reboot your device, and everything should be back to normal. There will not be any dm-verity warnings anymore!


Do let us know if this method worked for you (or even if it didn’t). Any problems with the procedure or need any help? Drop a comment below, and we’ll do what we can to get the issue resolved for you.


How To Remove Dm-Verity Verification Failed Error On Oneplus 3

When Oneplus launched their first device, the Oneplus One, back in 2014 with the motto Never Settle, it was a tremendous hit among everyone who was looking for a pretty good device with great specs but within budget. Since then Oneplus has launched 5 smartphones in total, one of them being the Oneplus 3.

The Oneplus 3 was launched on June 14, 2016 with the specs to compete with every premium smartphone on the market then, and at half the price of the other flagship smartphones from the likes of Samsung, HTC, LG and others.

The Oneplus 3 comes equipped with a Qualcomm Snapdragon 820 processor, 6 GB of RAM, 64 GB of internal storage, Optic Amoled Display, Dash Charging, an NFC chip, and came with Android Marshmallow (now running Android Nougat).

With these specs at the price of a mediocre smartphone, the Oneplus 3 was an instant hit throughout the world.

At the launch of the device, Oneplus promised to deliver Android updates on a regular basis, and they have kept their promise by delivering Android Nougat 7.0 within the promised time.

But updating the Oneplus 3 to the latest build has brought in a new error called Dm-Verity, so today we will be looking at how to remove the Dm-Verity verification failed error on the Oneplus 3.


Remove Dm-Verity Verification Failed Error On Oneplus 3

Oneplus 3 was updated to Android Nougat in late December of 2016.

People who tried updating their device by downloading Android Nougat build for their Oneplus 3 with the means of custom recovery started seeing Dm-Verity verification failed error on their device.

So today we will be solving, or rather removing, the Dm-Verity verification failed error on the Oneplus 3 with a step-by-step method, and with ease. So let’s start with it.

Once you have downloaded this, let’s move ahead to removing the Dm-Verity verification failed error on the Oneplus 3.

  • First of all, create a full backup of your device and move it to your PC, as all your data will be erased during this process.
  • Make sure you have installed your Oneplus driver along with the adb driver you have just downloaded.
  • Now unzip and install 15 seconds adb installer on your PC.
  • Once installed, go to Local Disk C/adb, hold shift, right-click your mouse and select Open command window here. Also move all the prerequisite downloaded files to this location.
  • Now on your Oneplus 3 go to Developer Options. If you can’t see Developer Options, go to About Phone and click 7 times on the Build Number option. Once in Developer Options, turn on USB Debugging.
  • Now connect your Oneplus 3 to your PC and type "adb devices" to confirm your Oneplus 3 is being detected by your PC.
  • Once that’s confirmed, type "adb reboot bootloader"; this command will reboot your device to the fastboot menu.
  • Now type "fastboot devices" to make sure your Oneplus 3 is being recognised. Once that’s confirmed, move ahead to the next step.
  • Type "fastboot flash recovery recovery_op3.img"; this command will flash the stock recovery on your Oneplus 3.
  • Now boot into recovery by holding the power button and volume down button for a few seconds.
  • Once in the official recovery, click on "Wipe data and cache" and then select the Erase Everything option.
  • Reboot your device back to recovery and, after selecting your language, click on "Install from ADB" and click OK.
  • Connect your device to the PC again.
  • Now on the command prompt type "adb sideload" (this command is for Oxygen OS OB11; for Oxygen OS 4.0.2 just copy and paste the zip file name), wait a few minutes for it to complete, and once done reboot your device.
  • If you want to root your device, then copy and paste SuperSU to your Oneplus 3.
  • Turn on Developer Options with the same process and turn on the USB Debugging option.
  • Connect your device to the PC again and type "adb devices" to confirm your device is being recognised.
  • Type "adb reboot bootloader" to reboot to the fastboot menu.
  • Now type "fastboot flash recovery twrp-3.0.3-x_blu_spark_v15-op3_op3t.img" to flash TWRP recovery.
  • Once that’s done, reboot to recovery by pressing the volume down key along with the power button for a few seconds.
  • Once in the recovery, press Install, select the SuperSU file and install it. Done.
  • Congratulations, you have removed the Dm-Verity verification failed error on your Oneplus 3.

I hope and wish that this method worked for you to remove the Dm-Verity verification failed error on the Oneplus 3. If not, you can contact us through our comment section, or you can ask us your doubts or suggest anything on our page. Please don’t forget to like and share our post, as it will surely help us to grow; clicking on those ads you see helps too, as it is the main source of our income.



Dm Verity Verification Failed- An Easy Fix! — Tech Inside

Many people who have purchased Samsung Galaxy smartphones have begun facing a strange error in their devices.

Previously it was seen that this strange error is occurring in a handful of devices but recently more and more complaints have emerged.

What happens in this error is that the Samsung Galaxy smartphones enter into a boot loop and when you boot your device, all you see is the Dm Verity Verification failed error on your display screen. If you are seeing this trouble on your Android device then no need to be bothered by it anymore because in this post we are bringing an easy fix for this annoying trouble.

How to fix Dm Verity verification failed error?

Before we proceed ahead to the fix for the Dm Verity Verification Failed error let’s get in order all the pre-requisites you need to arrange for this to work. You will require the following.

  1. A PC with Windows installed. You may be able to work out this fix using a Mac as well, but we haven’t really tried a Mac for this.
  2. Reliable internet access, because if you don’t have a stable internet connection then the time taken for this solution to work will be way too long.
  3. A USB cable for connecting your Android phone to your PC.
  4. You will also need the Odin flash tool, which is used for flashing Samsung phones; you can download it from here.
  5. USB drivers will also be required for your phone. You can install the Samsung USB drivers from here on your charged PC. When the installation is done, reboot your PC.
  6. You should also download some files, but we will get to those in the detailed process described below.

Fixing the Dm Verity Verification Failed Error :

  1. You must download the Samsung firmware for your Android device. This is extremely essential and we advise you to get the firmware for your device by visiting this website

    If you aren’t aware of your model number, you can find it on your device’s box.

  2. Then you must put your Samsung Galaxy phone into Download Mode. In order to do this, press and keep holding the VolUp + Power + Home keys for at least 5 seconds and a warning display will appear.

    Don’t panic, this is normal!

  3. In order to go into Download mode, you must choose the option that says Continue, which can be chosen using the VolUp key. Press the VolUp key and your phone will go into Download mode.

  4. In the next step, connect your phone to your PC through the USB cable. You should try using the original Samsung USB cable and stay away from second-hand cables or copies.

  5. When your device gets detected by your PC, extract the firmware for your device, and extract the Odin zip file as well. The firmware is a big file and extracting it will take a lot of time, so you must stay put.

  6. When you are done with this, in the Odin folder you can locate the file named odin3.exe. The moment you launch the Odin file, you will be able to see your detected device.

    If your phone doesn’t get detected by Odin, re-install the USB drivers.

  7. Click on the AP button and choose the tar.md5 file that you got after extracting the firmware.

    The AP file is usually huge and it will take Odin a few minutes to respond to your command, so you shouldn’t panic if Odin is displaying the “Not Responding” sign, because this is normal.

  8. The final task is to press the “Start” button, which will begin the flashing procedure. If you wish to get your device back to normal, don’t disconnect your device from your PC and don’t switch off your PC. If you do this then there will be a disaster waiting to happen.
  9. After a few minutes have elapsed, you will see a PASS status in the Odin window in green. This is the moment when you should remove your phone from your PC and reboot it just like a normal device in a normal routine.

This section of the post is only for those users who have their devices stuck at the “Samsung” logo, with the phone not moving ahead even after 15 minutes have elapsed.

  1. Press and keep holding the VolUp + Power + Home keys together for at least 5 seconds and your device will reboot into recovery mode.
  2. This is the mode where you will be able to factory reset your device. Navigate the Recovery Mode with the Volume Keys and press the Power Button to choose the “Wipe data/Factory Reset” option from the displayed list.

This will remove all kinds of kinks and troubles in the firmware.


Implementing dm-verity | Android Open Source Project

Android 4.4 and higher supports Verified Boot through the optional device-mapper-verity (dm-verity) kernel feature, which provides transparent integrity checking of block devices. dm-verity helps prevent persistent rootkits that can hold onto root privileges and compromise devices. This feature helps Android users be sure when booting a device it is in the same state as when it was last used.

Potentially Harmful Applications (PHAs) with root privileges can hide from detection programs and otherwise mask themselves. The rooting software can do this because it is often more privileged than the detectors, enabling the software to "lie" to the detection programs.

The dm-verity feature lets you look at a block device, the underlying storage layer of the file system, and determine if it matches its expected configuration. It does this using a cryptographic hash tree. For every block (typically 4k), there is a SHA256 hash.

Because the hash values are stored in a tree of pages, only the top-level "root" hash must be trusted to verify the rest of the tree. The ability to modify any of the blocks would be equivalent to breaking the cryptographic hash. See the following diagram for a depiction of this structure.

Figure 1. dm-verity hash table

A public key is included on the boot partition, which must be verified externally by the device manufacturer. That key is used to verify the signature for that hash and confirm the device's system partition is protected and unchanged.


dm-verity protection lives in the kernel. So if rooting software compromises the system before the kernel comes up, it will retain that access. To mitigate this risk, most manufacturers verify the kernel using a key burned into the device. That key is not changeable once the device leaves the factory.

Manufacturers use that key to verify the signature on the first-level bootloader, which in turn verifies the signature on subsequent levels, the application bootloader and eventually the kernel. Each manufacturer wishing to take advantage of verified boot should have a method for verifying the integrity of the kernel. Assuming the kernel has been verified, the kernel can look at a block device and verify it as it is mounted.

One way of verifying a block device is to directly hash its contents and compare them to a stored value. However, attempting to verify an entire block device can take an extended period and consume much of a device's power. Devices would take long periods to boot and then be significantly drained prior to use.

Instead, dm-verity verifies blocks individually and only when each one is accessed. When read into memory, the block is hashed in parallel. The hash is then verified up the tree. And since reading the block is such an expensive operation, the latency introduced by this block-level verification is comparatively nominal.

As an optimization for Android Go and similar low-RAM devices, dm-verity can be configured to validate pages only the first time they are read from the data device, rather than every time. After the first validation, a bit is set to indicate successful validation. Because this optimization provides a slightly reduced level of integrity guarantees, it should not be used for higher-RAM devices. To learn more, see these kernel patches.

If verification fails, the device generates an I/O error indicating the block cannot be read. It will appear as if the filesystem has been corrupted, as is expected.

Applications may choose to proceed without the resulting data, such as when those results are not required to the application's primary function. However, if the application cannot continue without the data, it will fail.

Forward error correction

Android 7.0 and higher improves dm-verity robustness with forward error correction (FEC). The AOSP implementation starts with the common Reed-Solomon error-correcting code and applies a technique called interleaving to reduce space overhead and increase the number of corrupted blocks that can be recovered. For more details on FEC, see Strictly Enforced Verified Boot with Error Correction.


See The Chromium Projects - Verified Boot for a detailed description of the hash tree and dm-verity table.

Generating the hash tree

As described in the introduction, the hash tree is integral to dm-verity. The cryptsetup tool will generate a hash tree for you. Alternatively, a compatible one is defined here:

To form the hash, the system image is split at layer 0 into 4k blocks, each assigned a SHA256 hash. Layer 1 is formed by joining only those SHA256 hashes into 4k blocks, resulting in a much smaller image. Layer 2 is formed identically, with the SHA256 hashes of Layer 1.

This is done until the SHA256 hashes of the previous layer can fit in a single block. When you get the SHA256 of that block, you have the root hash of the tree.

The size of the hash tree (and corresponding disk space usage) varies with the size of the verified partition. In practice, the size of hash trees tends to be small, often less than 30 MB.

If you have a block in a layer that isn't completely filled naturally by the hashes of the previous layer, you should pad it with zeroes to achieve the expected 4k. This allows you to know the hash tree hasn't been removed and is instead completed with blank data.

To generate the hash tree, concatenate the layer 2 hashes onto those for layer 1, the layer 3 hashes onto those of layer 2, and so on. Write all of this out to disk. Note that this doesn't reference layer 0 or the root hash.

To recap, the general algorithm to construct the hash tree is as follows:

  1. Choose a random salt (hexadecimal encoding).
  2. Unsparse your system image into 4k blocks.
  3. For each block, get its (salted) SHA256 hash.
  4. Concatenate these hashes to form a level.
  5. Pad the level with 0s to a 4k block boundary.
  6. Concatenate the level to your hash tree.
  7. Repeat steps 2-6 using the previous level as the source for the next until you have only a single hash.

The result of this is a single hash, which is your root hash. This and your salt are used during the construction of your dm-verity mapping table.
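The construction above, together with the per-block check "up the tree" described earlier, as an added Python example (not AOSP code). It assumes the salt is prepended to each block before hashing and keeps the levels in a list rather than in an on-disk layout; the sample image and salt are constructed.

```python
"""dm-verity style hash tree: build it, then verify single blocks on read."""
import hashlib
import hmac

BLOCK_SIZE = 4096                              # "4k" blocks, as on the page
DIGEST_SIZE = hashlib.sha256().digest_size     # 32 bytes
HASHES_PER_BLOCK = BLOCK_SIZE // DIGEST_SIZE   # 128 hashes fit in one hash block

# Constructed salt so the demo is reproducible; the page says to pick a random one.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def hash_block(salt, block):
    # Assumption: the salt is prepended to the block before hashing.
    return hashlib.sha256(salt + block).digest()


def build_hash_tree(image, salt):
    """Return (root_hash, levels); levels[0] holds the hashes of the data blocks."""
    if not image or len(image) % BLOCK_SIZE:
        raise ValueError("image must be a non-empty multiple of 4k")
    levels, source = [], image
    while True:
        hashes = b"".join(
            hash_block(salt, source[off:off + BLOCK_SIZE])
            for off in range(0, len(source), BLOCK_SIZE)
        )
        # Pad the level with zeroes to a 4k block boundary.
        level = hashes + b"\x00" * (-len(hashes) % BLOCK_SIZE)
        levels.append(level)
        if len(level) == BLOCK_SIZE:   # the hashes fit in a single block: top level
            return hash_block(salt, level), levels
        source = level


def verify_block(image, index, levels, salt, root_hash):
    """Check one data block against the tree, trusting only root_hash."""
    if not 0 <= index < len(image) // BLOCK_SIZE:
        raise IndexError("block index out of range")
    node = image[index * BLOCK_SIZE:(index + 1) * BLOCK_SIZE]
    pos = index
    for level in levels:
        expected = level[pos * DIGEST_SIZE:(pos + 1) * DIGEST_SIZE]
        if not hmac.compare_digest(hash_block(salt, node), expected):
            return False
        # Move up: the hash block that holds this entry is checked next.
        pos //= HASHES_PER_BLOCK
        node = level[pos * BLOCK_SIZE:(pos + 1) * BLOCK_SIZE]
    return hmac.compare_digest(hash_block(salt, node), root_hash)


def make_sample_image(blocks):
    # Constructed "system image": every 4k block has distinct content.
    return b"".join(i.to_bytes(4, "big") * (BLOCK_SIZE // 4) for i in range(blocks))


def demo():
    image = make_sample_image(300)
    root, levels = build_hash_tree(image, SALT)

    # Case 1: one byte of data block 200 is modified.
    tampered = bytearray(image)
    tampered[200 * BLOCK_SIZE] ^= 0x01
    tampered = bytes(tampered)

    # Case 2: the stored hash of block 200 is rewritten to match the modified data.
    forged = [bytearray(level) for level in levels]
    forged[0][200 * DIGEST_SIZE:201 * DIGEST_SIZE] = hash_block(
        SALT, tampered[200 * BLOCK_SIZE:201 * BLOCK_SIZE])
    forged = [bytes(level) for level in forged]

    # Case 3: the whole tree is rebuilt over the modified image; it is
    # self-consistent but no longer leads to the trusted root hash.
    new_root, new_levels = build_hash_tree(tampered, SALT)

    return {
        "level_sizes": [len(level) for level in levels],
        "clean_block_ok": verify_block(image, 200, levels, SALT, root),
        "tampered_block_ok": verify_block(tampered, 200, levels, SALT, root),
        "untouched_block_ok": verify_block(tampered, 199, levels, SALT, root),
        "forged_leaf_ok": verify_block(tampered, 200, forged, SALT, root),
        "rebuilt_tree_ok": verify_block(tampered, 200, new_levels, SALT, root),
        "root_changed": new_root != root,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Only the read of the modified block fails; block 199 still verifies, which is why a device with one altered system block can boot partway and then hit I/O errors.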

Building the dm-verity mapping table

Build the dm-verity mapping table, which identifies the block device (or target) for the kernel and the location of the hash tree (which is the same value). This mapping is used for fstab generation and booting. The table also identifies the size of the blocks and the hash_start, the start location of the hash tree (specifically, its block number from the beginning of the image).

See cryptsetup for a detailed description of the verity target mapping table fields.

Signing the dm-verity table

Sign the dm-verity table to produce a table signature. When verifying a partition, the table signature is validated first. This is done against a key on your boot image in a fixed location. Keys are typically included in the manufacturers' build systems for automatic inclusion on devices in a fixed location.

To verify the partition with this signature and key combination:

  1. Add an RSA-2048 key in libmincrypt-compatible format to the /boot partition at /verity_key. Identify the location of the key used to verify the hash tree.
  2. In the fstab for the relevant entry, add 'verify' to the fs_mgr flags.

Bundle the table signature and dm-verity table into verity metadata. The entire block of metadata is versioned so it may be extended, such as to add a second kind of signature or change some ordering.

As a sanity check, a magic number is associated with each set of table metadata that helps identify the table. Since the length is included in the ext4 system image header, this provides a way to search for the metadata without knowing the contents of the data itself.

This makes sure you haven't elected to verify an unverified partition. If so, the absence of this magic number will halt the verification process. This number resembles:

The byte values in hex are:

  • first byte = b0
  • second byte = 01
  • third byte = b0
  • fourth byte = 01

The following diagram depicts the breakdown of the verity metadata:

[Diagram: breakdown of the verity metadata within the 32K block]

And this table describes those metadata fields.

Table 1. Verity metadata fields

Field | Purpose | Size | Value
magic number | used by fs_mgr as a sanity check | 4 bytes | 0xb001b001
version | used to version the metadata block | 4 bytes | currently 0
signature | the signature of the table in PKCS1.5 padded form | 256 bytes |
table length | the length of the dm-verity table in bytes | 4 bytes |
table | the dm-verity table described earlier | `table length` bytes |
padding | this structure is 0-padded to 32k in length | |

Optimizing dm-verity

To get the best performance out of dm-verity, you should:

  • In the kernel, turn on NEON SHA-2 for ARMv7 and the SHA-2 extensions for ARMv8.
  • Experiment with different read-ahead and prefetch_cluster settings to find the best configuration for your device.

