Dm-verity for debian/whonix?

Hello,

I would like to ask whether dm-verity is still helpful to have for verified boot. There is a guide on how to do it on Alpine Linux, but it can be used for Debian, because dracut is available on multiple distros.

Also, is it already implemented in Whonix yet? I see it in discussions, but it was thought of years ago. I also see it on the Kicksecure verified boot page.

With dm-verity on boot, you need to use dracut. The reason is that dracut is one of the only initramfs generators that lets you import your own modules and files into its initramfs.

Also remember to mount your ROOT_PARTITION read-only, since any change will cause dm-verity to detect it as “corrupt”.

[ This guide was done with FULL disk encryption, so it might not work perfectly on a non-encrypted disk setup; it was also done on UEFI using gummiboot (now called systemd-boot) efistub and generating a UKI ]

Install basic stuff:

apk add dracut dracut-core cryptsetup gummiboot gummiboot-efistub

Create a new partition for your DM-verity:

TODO: add command for new verity partition with fdisk (should require 8-10% the size of Root partition)

Edit “/usr/lib/dracut/modules.d/90crypt/cryptroot-ask.sh” and add these lines right BEFORE “exit 0” (replace ROOT_PARTITION, VERITY_PARTITION, KEYFILE_PATH and VERITY_DM_NAME with your own devices and names):

### DM-Verity
# The root LUKS container is already unlocked at this point; the keyfile for the verity
# partition lives inside it, so mount it temporarily to read the key.
mount /dev/mapper/[ROOT_PARTITION] /var/tmp
cryptsetup open --key-file /var/tmp/[KEYFILE_PATH] /dev/[VERITY_PARTITION] [VERITY_DM_NAME]
umount /var/tmp
# veritysetup open takes <data_device> <name> <hash_device> <root_hash>; the name was
# missing in the original line. Use the unlocked mapper devices here, i.e. the same two
# devices that were given to "veritysetup format" below.
veritysetup open /dev/mapper/[ROOT_PARTITION] [VERITY_ROOT_NAME] /dev/mapper/[VERITY_DM_NAME] "$(cat /usr/lib/dracut/roothash.txt)"
###

To setup dm-verity (borrowed from archlinux wiki):

# Same two (unlocked) devices as in the initramfs script above. ">" instead of ">>" so that
# re-running this does not leave a second hash line in roothash.txt.
veritysetup format /dev/mapper/[ROOT_PARTITION] /dev/mapper/[VERITY_DM_NAME] | grep Root | cut -f2 > /usr/lib/dracut/roothash.txt

/etc/dracut.conf (put whatever your boot parameters are in “kernel_cmdline”):

kernel_cmdline=""
# The dracut option is add_dracutmodules (these are dracut modules, not kernel drivers).
add_dracutmodules+=" busybox crypt crypt-gpg dm rootfs-block kernel-modules kernel-modules-extra "

/etc/dracut.conf.d/secureboot.conf (do this if you have your own secureboot keys, or want to use secureboot):

uefi_secureboot_cert="/[secureboot-keys-directory]/db.crt"
uefi_secureboot_key="/[secureboot-keys-directory]/db.key"

/etc/dracut.conf.d/files.conf (this is what will import veritysetup binary file into dracut initramfs):

install_items+=" /sbin/veritysetup "

Finally, generate the UKI using dracut (replace 6.X.X-X-lts with your kernel version, and replace /boot/efi/EFI/Linux/alpine-linux.efi with the path on your mounted EFI partition):

export DRACUT_KMODDIR_OVERRIDE=1
# --include takes <source> <destination>; the UKI output path is given only once (dracut treats a
# second positional argument as a kernel version, which --kver already supplies).
dracut --include /usr/lib/dracut/roothash.txt /usr/lib/dracut/roothash.txt --host-only --kernel-image /boot/vmlinuz-lts --kmoddir /lib/modules/6.X.X-X-lts --kver 6.X.X-X-lts --uefi --uefi-stub /usr/lib/gummiboot/linuxx64.efi.stub --force --compress lz4 /boot/efi/EFI/Linux/alpine-linux.efi

efibootmgr

# --disk takes the whole disk that holds the ESP, --part the partition number of the ESP on it.
efibootmgr --create --disk /dev/[efi_disk] --part 1 --label alpine-linux --loader EFI/Linux/alpine-linux.efi

Unfortunately, using the default Alpine Linux kernel didn’t work, so download another distribution’s root filesystem (like Debian’s or Devuan’s), and replace 6.X.X-X-lts and vmlinuz-lts with the other distribution’s kernel modules and kernel image.

If you want to test if DM-verity fully works, change the ROOT_PARTITION’s files and it should say it is “corrupt”, and not continue the boot process.

Also, this should work for other linux distributions, since dracut is available on multiple distros.
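As an added illustration of what the “corrupt” check in the steps above actually does (my own example, not code from this thread, from veritysetup or from dracut): a Python model of the dm-verity hash tree, using the hash format version 1 layout as documented for the kernel (SHA-256 over salt || block, 4096-byte data and hash blocks, zero-padded hash blocks, root hash = salted hash of the top block), together with the per-block verification the kernel performs on every read. The salt and the 300-block image are constructed; whether the numbers match veritysetup’s output for the same inputs is not checked here. It shows why the root partition has to stay read-only: one changed byte fails verification for its block, and rebuilding the tree yields a different root hash, so the roothash.txt baked into the UKI no longer matches. parse_root_hash does what the grep | cut pipeline does, but validates the value first.

```python
import hashlib

BLOCK_SIZE = 4096                                 # dm-verity default data/hash block size
DIGEST_SIZE = hashlib.sha256().digest_size        # 32 bytes
HASHES_PER_BLOCK = BLOCK_SIZE // DIGEST_SIZE      # 128 digests per hash block


def block_hash(salt: bytes, block: bytes) -> bytes:
    """Hash one block as dm-verity hash format version 1 does: SHA-256(salt || block)."""
    return hashlib.sha256(salt + block).digest()


def split_blocks(data: bytes):
    """Yield BLOCK_SIZE-sized blocks; a short final block is zero-padded."""
    for off in range(0, len(data), BLOCK_SIZE):
        yield data[off:off + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")


def build_tree(data: bytes, salt: bytes):
    """Build the hash tree. Returns (levels, root_hash): levels[0] are the hash blocks
    covering the data blocks, each higher level covers the level below, and the last
    level is a single block whose salted hash is the root hash (what roothash.txt holds)."""
    if not data:
        raise ValueError("empty image")
    hashes = [block_hash(salt, b) for b in split_blocks(data)]
    levels = []
    while True:
        # Pack digests into hash blocks, zero-padding the last one.
        blocks = [b"".join(hashes[i:i + HASHES_PER_BLOCK]).ljust(BLOCK_SIZE, b"\0")
                  for i in range(0, len(hashes), HASHES_PER_BLOCK)]
        levels.append(blocks)
        if len(blocks) == 1:
            return levels, block_hash(salt, blocks[0])
        hashes = [block_hash(salt, b) for b in blocks]


def verify_block(levels, root_hash: bytes, salt: bytes, index: int, block: bytes) -> bool:
    """Verify one data block the way the kernel does on each read: its hash must sit in
    the right slot of its level-0 hash block, that hash block's hash in level 1, and so
    on until the top block, whose hash must equal the trusted root hash."""
    expected = block_hash(salt, block)
    for level in levels:
        hash_block = level[index // HASHES_PER_BLOCK]
        slot = index % HASHES_PER_BLOCK
        if hash_block[slot * DIGEST_SIZE:(slot + 1) * DIGEST_SIZE] != expected:
            return False
        expected = block_hash(salt, hash_block)
        index //= HASHES_PER_BLOCK
    return expected == root_hash


def parse_root_hash(veritysetup_output: str) -> str:
    """Extract the root hash from `veritysetup format` output (the thread uses grep|cut) and
    check it is one well-formed SHA-256 hex digest before it goes into roothash.txt."""
    for line in veritysetup_output.splitlines():
        if line.startswith("Root hash:"):
            value = line.split(":", 1)[1].strip()
            if len(value) != 2 * DIGEST_SIZE or set(value) - set("0123456789abcdef"):
                raise ValueError("malformed root hash: " + value)
            return value
    raise ValueError("no 'Root hash:' line in veritysetup output")


def demo():
    """Constructed 300-block image: more than one hash block's worth, so the tree has two levels."""
    salt = bytes(range(32))                       # constructed salt; veritysetup picks a random one
    image = b"".join(bytes([i % 256]) * BLOCK_SIZE for i in range(300))
    levels, root = build_tree(image, salt)
    blocks = list(split_blocks(image))

    # Every block of the untouched image verifies against the root hash.
    intact_ok = all(verify_block(levels, root, salt, i, b) for i, b in enumerate(blocks))

    # Flip one byte in block 200, as a write to a read-write-mounted root would. That block
    # fails while block 0 still verifies: this is the "corrupt" dm-verity reports at boot.
    bad = bytearray(blocks[200])
    bad[17] ^= 0x01
    tampered_block_ok = verify_block(levels, root, salt, 200, bytes(bad))
    untouched_block_ok = verify_block(levels, root, salt, 0, blocks[0])

    # Rebuilding the tree over the edited image gives a different root hash, so the value
    # embedded in the UKI would have to be regenerated after any change to the root filesystem.
    edited_image = image[:200 * BLOCK_SIZE] + bytes(bad) + image[201 * BLOCK_SIZE:]
    _, root2 = build_tree(edited_image, salt)

    return {
        "root_hash": root.hex(),
        "levels": len(levels),
        "intact_ok": intact_ok,
        "tampered_block_ok": tampered_block_ok,
        "untouched_block_ok": untouched_block_ok,
        "root_changed": root2 != root,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the root hash and the four checks; the only things the real kernel adds on top of this are the on-disk superblock layout, caching of already-verified hash blocks, and the error policy (by default an I/O error on the failing block, which is what stops the boot in the test described above).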


I don’t see any Linux distribution (desktop) having verified boot default. You? Seems very difficult and incompatible with how Linux distributions work.

Android has it but these are pushing root images and the user cannot modify them except through use of overlays if they have root access.

Debian would need something similar to Android’s A/B update engine? The filesystem would contain two images: the old root image and the updated root image.

Kicksecure / Whonix would need to distribute read-only images, not the files in the filesystem?

Not seen in source code and not claimed so no.

How would this be used in practice?

How could users install additional packages using APT? Using persistent overlay?

Doable in practice but seems highly complex.

Maybe Fedora Silverblue which is basically an image afaik could do this?


I would make edits in a writable file system first, then if I am sure I want to lock it down I just use mkfs.erofs/mkfs.squashfs to make a read only filesystem.

Yes, this gets complicated.


This feature absolutely isn’t coming anytime soon unless contributed.

There is folder:

/usr/lib/dracut/modules.d/01systemd-veritysetup

Does that help?

For dm-verity it might be required to contribute to dracut. I don’t know yet.

https://wiki.archlinux.org/title/Dm-verity

https://wiki.archlinux.org/title/Talk:Dm-verity

https://wiki.archlinux.org/title/Dm-crypt/Specialties

https://wiki.archlinux.org/title/Talk:Dm-crypt/Specialties

https://www.freedesktop.org/software/systemd/man/systemd-sysupdate.html

https://www.freedesktop.org/software/systemd/man/systemd-repart.html

Is EFI booting a hard requirement for dm-verity being useful? In that case: → add EFI boot support for VM creation --vmfile --efi · Issue #134 · grml/grml-debootstrap · GitHub

Verified boot would ideally best be implemented upstream such as in Debian and/or grml-debootstrap (the root image creation tool used for Kicksecure / Whonix VM images).

Don’t know yet what this is let alone how to use it but it might be helpful:

mkosi supports:

Updated images could perhaps be deployed through an A/B update engine: systemd-sysupdate

But first things first. Learning, feasibility and porting to mkosi (initially without dm-verity, as this isn’t a simple “enable in the config” thing) will take time, and is part of derivative-maker, not security-misc.