---
keywords:
  - IT
  - filesystem integrity
  - authentic filesystem
---

# secureboot

Most distributions are delivered with a Microsoft-signed SHIM bootloader, which should allow booting with Secure Boot active without deleting the OEM keys. The SHIM bootloader is controlled with mokutil.

- systemctl reboot --firmware
- bootctl
- efibootmgr -v
- mokutil --sb-state
- mokutil --list-enrolled
- mokutil --enable-validation

## ubuntu

Ubuntu provides an update-secureboot-policy script to generate and enroll a Secure Boot MOK, but this needs an already active Secure Boot with MS keys, and that has to be active while booting the installer.

# cryptsetup luks

```
cryptsetup luksDump /dev/sdaX
cryptsetup luksChangeKey /dev/sdaX
cryptsetup luksErase
```

resource: http://jk.ozlabs.org/docs/sbkeysync-maintaing-uefi-key-databases/

## lkrg - linux kernel runtime guard

Arch Linux can build it from the AUR; Debian/Ubuntu can use the precompiled *.deb package. It should be available for x64, arm64 and arm.

## data integrity aka bitrot

ref: https://github.com/rfjakob/cshatag

General kernel awareness: https://github.com/torvalds/linux/blob/master/Documentation/block/data-integrity.rst

The solution so far to work around end users' hardware limitations (like missing ECC RAM *grml*): https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/device-mapper/dm-integrity.rst

So it should make little difference whether integrity is used with or without encryption:

- RAID1 preferred
- heavy performance issues caused by the journal (none or bitmap mode as the dangerous alternative)

https://github.com/torvalds/linux/blob/master/Documentation/admin-guide/device-mapper/dm-crypt.rst

And maybe this gets into production some day:

- T13/ATA External Path Protection

The structure used to get this done:

```
block device -> dm-integrity -> mdadm/lvm2 (RAID1) -> btrfs
block device -> dm-integrity -> cryptsetup(mdadm/lvm2 (RAID1)) -> btrfs
```

- [ ] cryptsetup benchmark
- [ ] GPT formatted block devices to get recognized properly under windows
- [ ] complete header backup
- [ ] block device sector size
- [ ] block device support for SCT/ERC `smartctl -l scterc /dev/sdX`
- [ ] block device support for write-verify `hdparm -R1 /dev/sdX`
- [ ] block device support for DCO `hdparm --dco-identify /dev/sdX`

Vendor names for the error recovery timeout feature:

- Western Digital Time Limited Error Recovery (TLER)
- Seagate Error Recovery Control (ERC)
- Samsung/Hitachi Command Completion Time Limit (CCTL)

Odroid HC1 HDD

```
smartctl -a /dev/sda | grep SCT
Model Family:     Seagate Samsung SpinPoint M9T
Device Model:     ST1500LM006 HN-M151RAD
Serial Number:    S34QJ9CG700688
LU WWN Device Id: 5 0004cf 210088b47
Firmware Version: 2BC10008
User Capacity:    1.500.301.910.016 bytes [1,50 TB]
Sector Sizes:     512 bytes logical, 4096 bytes physical
Rotation Rate:    5400 rpm
Form Factor:      2.5 inches
Device is:        In smartctl database [for details use: -P show]
ATA Version is:   ATA8-ACS T13/1699-D revision 6
SATA Version is:  SATA 3.0, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is:    Thu Jun  9 21:48:00 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
[..]
SCT capabilities:              (0x003f) SCT Status supported.
                                        SCT Error Recovery Control supported.
                                        SCT Feature Control supported.
                                        SCT Data Table supported.

hdparm --dco-identify /dev/sda

/dev/sda:
DCO Checksum verified.
DCO Revision: 0x0002
The following features can be selectively disabled via DCO:
        Transfer modes:
                 mdma0 mdma1 mdma2
                 udma0 udma1 udma2 udma3 udma4 udma5 udma6
        Real max sectors: 18446744072344861488
        ATA command/feature sets:
                 SMART self_test error_log security PUIS AAM HPA 48_bit selective_test WRITE_UNC_EXT
        SATA command/feature sets:
                 NCQ interface_power_management SSP

hdparm -R1 /dev/sda

/dev/sda:
 setting write-read-verify to 1
 HDIO_DRIVE_CMD:WRV failed: Input/output error
 write-read-verify = not supported

smartctl -l scterc /dev/sda
smartctl 7.2 2020-12-30 r5155 [armv7l-linux-5.4.199-odroidxu4] (local build)

SCT Error Recovery Control:
           Read: Disabled
          Write: Disabled
```

Lenovo S440 HDD

```
=== START OF INFORMATION SECTION ===
Model Family:     Seagate Laptop SSHD
Device Model:     ST500LM000-SSHD-8GB
Serial Number:    W762L1TL
LU WWN Device Id: 5 000c50 07cb8f1cc
Firmware Version: LIV5
User Capacity:    500.107.862.016 bytes [500 GB]
Sector Sizes:     512 bytes logical, 4096 bytes physical
Rotation Rate:    5400 rpm
Form Factor:      2.5 inches
Device is:        In smartctl database 7.3/5319
ATA Version is:   ATA8-ACS, ACS-3 T13/2161-D revision 3b
SATA Version is:  SATA 3.0, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is:    Thu Jun  9 22:02:40 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

sudo smartctl -a /dev/sda | grep SCT
SCT capabilities:              (0x1081) SCT Status supported.

hdparm --dco-identify /dev/sda

/dev/sda:
DCO Checksum verified.
DCO Revision: 0x0002
The following features can be selectively disabled via DCO:
        Transfer modes:
                 mdma0 mdma1 mdma2
                 udma0 udma1 udma2 udma3 udma4 udma5 udma6
        Real max sectors: 976773168
        ATA command/feature sets:
                 SMART self_test error_log security PUIS HPA selective_test conveyance_test WRITE_UNC_EXT
        SATA command/feature sets:
                 interface_power_management SSP

hdparm -I /dev/sda

/dev/sda:

ATA device, with non-removable media
        Model Number:       ST500LM000-SSHD-8GB
        Serial Number:      W762L1TL
        Firmware Revision:  LIV5
        Transport:          Serial, ATA8-AST, SATA 1.0a, SATA II Extensions, SATA Rev 2.5, SATA Rev 2.6, SATA Rev 3.0
Standards:
        Used: unknown (minor revision code 0x001f)
        Supported: 8 7 6 5
        Likely used: 8
Configuration:
        Logical         max     current
        cylinders       16383   16383
        heads           15      16
        sectors/track   63      63
        --
        CHS current addressable sectors:    16514064
        LBA    user addressable sectors:   268435455
        LBA48  user addressable sectors:   976773168
        Logical  Sector size:                   512 bytes
        Physical Sector size:                  4096 bytes
        Logical Sector-0 offset:                  0 bytes
        device size with M = 1024*1024:      476940 MBytes
        device size with M = 1000*1000:      500107 MBytes (500 GB)
        cache/buffer size  = unknown
        Form Factor: 2.5 inch
        Nominal Media Rotation Rate: 5400
Capabilities:
        LBA, IORDY(can be disabled)
        Queue depth: 32
        Standby timer values: spec'd by Standard, no device specific minimum
        R/W multiple sector transfer: Max = 16  Current = 16
        Advanced power management level: disabled
        Recommended acoustic management value: 254, current value: 0
        DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 *udma6
             Cycle time: min=120ns recommended=120ns
        PIO: pio0 pio1 pio2 pio3 pio4
             Cycle time: no flow control=120ns  IORDY flow control=120ns
Commands/features:
        Enabled Supported:
           *    SMART feature set
                Security Mode feature set
           *    Power Management feature set
           *    Write cache
           *    Look-ahead
           *    Host Protected Area feature set
           *    WRITE_BUFFER command
           *    READ_BUFFER command
           *    DOWNLOAD_MICROCODE
                Advanced Power Management feature set
                Power-Up In Standby feature set
           *    SET_FEATURES required to spinup after power up
                SET_MAX security extension
           *    48-bit Address feature set
           *    Device Configuration Overlay feature set
           *    Mandatory FLUSH_CACHE
           *    FLUSH_CACHE_EXT
           *    SMART error logging
           *    SMART self-test
           *    General Purpose Logging feature set
           *    64-bit World wide name
           *    IDLE_IMMEDIATE with UNLOAD
           *    Write-Read-Verify feature set
           *    WRITE_UNCORRECTABLE_EXT command
           *    {READ,WRITE}_DMA_EXT_GPL commands
           *    Segmented DOWNLOAD_MICROCODE
           *    Gen1 signaling speed (1.5Gb/s)
           *    Gen2 signaling speed (3.0Gb/s)
           *    Gen3 signaling speed (6.0Gb/s)
           *    Native Command Queueing (NCQ)
           *    Host-initiated interface power management
           *    Phy event counters
           *    Idle-Unload when NCQ is active
           *    READ_LOG_DMA_EXT equivalent to READ_LOG_EXT
           *    DMA Setup Auto-Activate optimization
           *    Device-initiated interface power management
           *    Software settings preservation
           *    SMART Command Transport (SCT) feature set
                unknown 206[7]
                unknown 206[12] (vendor specific)
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        98min for SECURITY ERASE UNIT. 98min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 5000c5007cb8f1cc
        NAA             : 5
        IEEE OUI        : 000c50
        Unique ID       : 07cb8f1cc
Checksum: correct

sudo hdparm -R1 /dev/sda
Touch HW dongle

/dev/sda:
 setting write-read-verify to 1
 write-read-verify =  2
```

m.2 SATA SSD

```
ATA device, with non-removable media
        Model Number:       TS256GMTS430S
        Serial Number:      F129080156
        Firmware Revision:  S0423A
        Transport:          Serial, ATA8-AST, SATA 1.0a, SATA II Extensions, SATA Rev 2.5, SATA Rev 2.6, SATA Rev 3.0
Standards:
        Supported: 9 8 7 6 5
        Likely used: 9
Configuration:
        Logical         max     current
        cylinders       16383   16383
        heads           16      16
        sectors/track   63      63
        --
        CHS current addressable sectors:    16514064
        LBA    user addressable sectors:   268435455
        LBA48  user addressable sectors:   500118192
        Logical  Sector size:                   512 bytes
        Physical Sector size:                   512 bytes
        Logical Sector-0 offset:                  0 bytes
        device size with M = 1024*1024:      244198 MBytes
        device size with M = 1000*1000:      256060 MBytes (256 GB)
        cache/buffer size  = unknown
        Nominal Media Rotation Rate: Solid State Device
Capabilities:
        LBA, IORDY(can be disabled)
        Queue depth: 32
        Standby timer values: spec'd by Standard, no device specific minimum
        R/W multiple sector transfer: Max = 2   Current = 1
        DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 *udma6
             Cycle time: min=120ns recommended=120ns
        PIO: pio0 pio1 pio2 pio3 pio4
             Cycle time: no flow control=120ns  IORDY flow control=120ns
Commands/features:
        Enabled Supported:
           *    SMART feature set
                Security Mode feature set
           *    Power Management feature set
           *    Write cache
           *    Look-ahead
           *    Host Protected Area feature set
           *    WRITE_BUFFER command
           *    READ_BUFFER command
           *    NOP cmd
           *    DOWNLOAD_MICROCODE
                SET_MAX security extension
           *    48-bit Address feature set
           *    Mandatory FLUSH_CACHE
           *    FLUSH_CACHE_EXT
           *    SMART error logging
           *    SMART self-test
           *    General Purpose Logging feature set
           *    WRITE_{DMA|MULTIPLE}_FUA_EXT
           *    64-bit World wide name
           *    WRITE_UNCORRECTABLE_EXT command
           *    {READ,WRITE}_DMA_EXT_GPL commands
           *    Segmented DOWNLOAD_MICROCODE
           *    unknown 119[6]
                unknown 119[9]
           *    Gen1 signaling speed (1.5Gb/s)
           *    Gen2 signaling speed (3.0Gb/s)
           *    Gen3 signaling speed (6.0Gb/s)
           *    Native Command Queueing (NCQ)
           *    READ_LOG_DMA_EXT equivalent to READ_LOG_EXT
           *    DMA Setup Auto-Activate optimization
           *    Software settings preservation
           *    SANITIZE feature set
           *    BLOCK_ERASE_EXT command
           *    DOWNLOAD MICROCODE DMA command
           *    WRITE BUFFER DMA command
           *    READ BUFFER DMA command
           *    Data Set Management TRIM supported (limit 8 blocks)
           *    Deterministic read ZEROs after TRIM
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 57c354816d52575c
        NAA             : 5
        IEEE OUI        : 7c3548
        Unique ID       : 16d52575c
Checksum: correct

DCO Checksum verified.
DCO Revision: 0x0002
The following features can be selectively disabled via DCO:
        Transfer modes:
                 mdma0 mdma1 mdma2
                 udma0 udma1 udma2 udma3 udma4 udma5 udma6
        Real max sectors: 500118192
        ATA command/feature sets:
                 SMART security HPA 48_bit FUA selective_test conveyance_test
        SATA command/feature sets:
                 NCQ interface_power_management async_notification SSP
```

deskmini proxmox

```
Model Family:     Toshiba 2.5" HDD MQ01ABD...
Device Model:     TOSHIBA MQ01ABD100
Serial Number:    24RNSMGLS
LU WWN Device Id: 5 000039 55610b282
Firmware Version: AX001U
User Capacity:    1.000.204.886.016 bytes [1,00 TB]
Sector Sizes:     512 bytes logical, 4096 bytes physical
Rotation Rate:    5400 rpm
Form Factor:      2.5 inches
Device is:        In smartctl database 7.3/5319
ATA Version is:   ATA8-ACS (minor revision not indicated)
SATA Version is:  SATA 2.6, 3.0 Gb/s (current: 3.0 Gb/s)
Local Time is:    Fri Jun 10 19:12:49 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
AAM feature is:   Unavailable
APM level is:     128 (minimum power consumption without standby)
Rd look-ahead is: Enabled
Write cache is:   Enabled
DSN feature is:   Unavailable
ATA Security is:  Disabled, NOT FROZEN [SEC1]
Wt Cache Reorder: Unknown

hdparm --dco-identify /dev/sda

/dev/sda:
SG_IO: bad/missing sense data, sb[]:  70 00 05 00 00 00 00 0a 04 51 40 01 21 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
DCO Checksum verified.
DCO Revision: 0x0000 -- unknown, treating as 0002
The following features can be selectively disabled via DCO:
        Transfer modes:
        Real max sectors: 1
        ATA command/feature sets:

hdparm -I /dev/sda

/dev/sda:

ATA device, with non-removable media
        Model Number:       TOSHIBA HDWJ110
        Serial Number:      81KZTN3TT
        Firmware Revision:  AX1T1A
        Transport:          Serial, ATA8-AST, SATA 1.0a, SATA II Extensions, SATA Rev 2.5, SATA Rev 2.6
Standards:
        Supported: 8 7 6 5
        Likely used: 8
Configuration:
        Logical         max     current
        cylinders       16383   16383
        heads           16      16
        sectors/track   63      63
        --
        CHS current addressable sectors:    16514064
        LBA    user addressable sectors:   268435455
        LBA48  user addressable sectors:  1953525168
        Logical  Sector size:                   512 bytes
        Physical Sector size:                  4096 bytes
        Logical Sector-0 offset:                  0 bytes
        device size with M = 1024*1024:      953869 MBytes
        device size with M = 1000*1000:     1000204 MBytes (1000 GB)
        cache/buffer size  = 8192 KBytes
        Form Factor: 2.5 inch
        Nominal Media Rotation Rate: 5400
Capabilities:
        LBA, IORDY(can be disabled)
        Queue depth: 32
        Standby timer values: spec'd by Standard, no device specific minimum
        R/W multiple sector transfer: Max = 16  Current = 16
        Advanced power management level: 254
        DMA: sdma0 sdma1 sdma2 mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 *udma5
             Cycle time: min=120ns recommended=120ns
        PIO: pio0 pio1 pio2 pio3 pio4
             Cycle time: no flow control=120ns  IORDY flow control=120ns
Commands/features:
        Enabled Supported:
           *    SMART feature set
                Security Mode feature set
           *    Power Management feature set
           *    Write cache
           *    Look-ahead
           *    Host Protected Area feature set
           *    WRITE_BUFFER command
           *    READ_BUFFER command
           *    NOP cmd
           *    DOWNLOAD_MICROCODE
           *    Advanced Power Management feature set
                Power-Up In Standby feature set
           *    SET_FEATURES required to spinup after power up
                SET_MAX security extension
           *    48-bit Address feature set
           *    Device Configuration Overlay feature set
           *    Mandatory FLUSH_CACHE
           *    FLUSH_CACHE_EXT
           *    SMART error logging
           *    SMART self-test
           *    General Purpose Logging feature set
           *    WRITE_{DMA|MULTIPLE}_FUA_EXT
           *    64-bit World wide name
           *    IDLE_IMMEDIATE with UNLOAD
           *    WRITE_UNCORRECTABLE_EXT command
           *    {READ,WRITE}_DMA_EXT_GPL commands
           *    Segmented DOWNLOAD_MICROCODE
           *    Gen1 signaling speed (1.5Gb/s)
           *    Gen2 signaling speed (3.0Gb/s)
           *    Native Command Queueing (NCQ)
           *    Host-initiated interface power management
           *    Phy event counters
           *    Idle-Unload when NCQ is active
           *    DMA Setup Auto-Activate optimization
           *    Device-initiated interface power management
           *    Software settings preservation
           *    SMART Command Transport (SCT) feature set
           *    SCT Write Same (AC2)
           *    SCT Error Recovery Control (AC3)
           *    SCT Features Control (AC4)
           *    SCT Data Tables (AC5)
           *    DOWNLOAD MICROCODE DMA command
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
                frozen
        not     expired: security count
                supported: enhanced erase
        218min for SECURITY ERASE UNIT. 218min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 5000039af21081db
        NAA             : 5
        IEEE OUI        : 000039
        Unique ID       : af21081db
Checksum: correct

hdparm -R1 /dev/sda

/dev/sda:
 setting write-read-verify to 1
 write-read-verify =  2
```

```
=== START OF INFORMATION SECTION ===
Model Family:     Crucial/Micron Client SSDs
Device Model:     CT1000MX500SSD1
Serial Number:    2211E619654F
LU WWN Device Id: 5 00a075 1e619654f
Firmware Version: M3CR043
User Capacity:    1.000.204.886.016 bytes [1,00 TB]
Sector Sizes:     512 bytes logical, 4096 bytes physical
Rotation Rate:    Solid State Device
Form Factor:      2.5 inches
TRIM Command:     Available
Device is:        In smartctl database 7.3/5319
ATA Version is:   ACS-3 T13/2161-D revision 5
SATA Version is:  SATA 3.3, 6.0 Gb/s (current: 3.0 Gb/s)
Local Time is:    Fri Jun 10 19:20:34 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
AAM feature is:   Unavailable
APM level is:     254 (maximum performance)
Rd look-ahead is: Enabled
Write cache is:   Enabled
DSN feature is:   Unavailable
ATA Security is:  Disabled, NOT FROZEN [SEC1]
Wt Cache Reorder: Unknown
```

RPI2

```
=== START OF INFORMATION SECTION ===
Model Family:     Western Digital Blue Mobile (SMR)
Device Model:     WDC WD10SPZX-24Z10T0
Serial Number:    WD-WX41A485FYC1
LU WWN Device Id: 5 0014ee 6b3473413
Firmware Version: 01.01A01
User Capacity:    1,000,204,886,016 bytes [1.00 TB]
Sector Sizes:     512 bytes logical, 4096 bytes physical
Rotation Rate:    5400 rpm
Form Factor:      2.5 inches
TRIM Command:     Available, deterministic
Device is:        In smartctl database [for details use: -P show]
ATA Version is:   ACS-3 T13/2161-D revision 5
SATA Version is:  SATA 3.1, 6.0 Gb/s (current: 6.0 Gb/s)
Local Time is:    Tue Jun 14 21:25:10 2022 CEST
SMART support is: Available - device has SMART capability.
SMART support is: Enabled
AAM feature is:   Unavailable
APM level is:     254 (maximum performance)
Rd look-ahead is: Enabled
Write cache is:   Enabled
DSN feature is:   Unavailable
ATA Security is:  Disabled, NOT FROZEN [SEC1]
Wt Cache Reorder: Enabled

smartctl -a /dev/sda | grep SCT
SCT capabilities:              (0x303d) SCT Status supported.
                                        SCT Error Recovery Control supported.
                                        SCT Feature Control supported.
                                        SCT Data Table supported.

smartctl -l scterc /dev/sda
smartctl 7.2 2020-12-30 r5155 [armv7l-linux-5.10.63-v7+] (local build)

SCT Error Recovery Control:
           Read:     85 (8.5 seconds)
          Write:     85 (8.5 seconds)

hdparm -R1 /dev/sda

/dev/sda:
 setting write-read-verify to 1
 HDIO_DRIVE_CMD:WRV failed: Input/output error
 write-read-verify = not supported
```

```
root@cubietruck:~# smartctl -l scterc /dev/sda
smartctl 7.2 2020-12-30 r5155 [armv7l-linux-5.15.25-sunxi] (local build)

SCT Error Recovery Control:
           Read: Disabled
          Write: Disabled

root@cubietruck:~# hdparm --dco-identify /dev/sda

/dev/sda:
DCO Checksum verified.
DCO Revision: 0x0001
The following features can be selectively disabled via DCO:
        Transfer modes:
                 mdma0 mdma1 mdma2
                 udma0 udma1 udma2 udma3 udma4 udma5 udma6(?)
        Real max sectors: 1465149168
        ATA command/feature sets:
                 SMART self_test error_log security AAM HPA 48_bit (?): FUA selective_test conveyance_test write_read_verify (?): WRITE_UNC_EXT
        SATA command/feature sets:
                 (?): NCQ interface_power_management SSP

           *    SCT Features Control (AC4)
           *    SCT Data Tables (AC5)
                unknown 206[12] (vendor specific)
                unknown 206[13] (vendor specific)
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        182min for SECURITY ERASE UNIT. 182min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 5000c5002e9f2ea1
        NAA             : 5
        IEEE OUI        : 000c50
        Unique ID       : 02e9f2ea1

root@cubietruck:~# hdparm -I /dev/sda

/dev/sda:

ATA device, with non-removable media
        Model Number:       ST9750423AS
        Serial Number:      5WS06X8A
        Firmware Revision:  0001SDM1
        Transport:          Serial
Standards:
        Used: unknown (minor revision code 0x0029)
        Supported: 8 7 6 5
        Likely used: 8
Configuration:
        Logical         max     current
        cylinders       16383   16383
        heads           16      16
        sectors/track   63      63
        CHS current addressable sectors:    16514064
        LBA    user addressable sectors:   268435455
        LBA48  user addressable sectors:  1465149168
        Logical  Sector size:                   512 bytes
        Physical Sector size:                  4096 bytes
        Logical Sector-0 offset:                  0 bytes
        device size with M = 1024*1024:      715404 MBytes
        device size with M = 1000*1000:      750156 MBytes (750 GB)
        cache/buffer size  = 16384 KBytes
        Nominal Media Rotation Rate: 5466
Capabilities:
        LBA, IORDY(can be disabled)
        Queue depth: 32
        Standby timer values: spec'd by Standard, no device specific minimum
        R/W multiple sector transfer: Max = 16  Current = 16
        Advanced power management level: 192
        Recommended acoustic management value: 208, current value: 254
        DMA: mdma0 mdma1 mdma2 udma0 udma1 udma2 udma3 udma4 udma5 *udma6
             Cycle time: min=120ns recommended=120ns
        PIO: pio0 pio1 pio2 pio3 pio4
             Cycle time: no flow control=120ns  IORDY flow control=120ns
Commands/features:
        Enabled Supported:
           *    SMART feature set
                Security Mode feature set
           *    Power Management feature set
           *    Write cache
           *    Look-ahead
           *    Host Protected Area feature set
           *    WRITE_BUFFER command
           *    READ_BUFFER command
           *    NOP cmd
           *    DOWNLOAD_MICROCODE
           *    Advanced Power Management feature set
                SET_MAX security extension
           *    Automatic Acoustic Management feature set
           *    48-bit Address feature set
           *    Device Configuration Overlay feature set
           *    Mandatory FLUSH_CACHE
           *    FLUSH_CACHE_EXT
           *    SMART error logging
           *    SMART self-test
           *    General Purpose Logging feature set
           *    WRITE_{DMA|MULTIPLE}_FUA_EXT
           *    WRITE_DMA_QUEUED_FUA_EXT
           *    64-bit World wide name
           *    IDLE_IMMEDIATE with UNLOAD
                Write-Read-Verify feature set
           *    WRITE_UNCORRECTABLE_EXT command
           *    {READ,WRITE}_DMA_EXT_GPL commands
           *    Segmented DOWNLOAD_MICROCODE
           *    {READ,WRITE}_DMA_EXT_GPL commands
           *    Segmented DOWNLOAD_MICROCODE
           *    Gen1 signaling speed (1.5Gb/s)
           *    Gen2 signaling speed (3.0Gb/s)
           *    Native Command Queueing (NCQ)
           *    Host-initiated interface power management
           *    Phy event counters
           *    Idle-Unload when NCQ is active
                Device-initiated interface power management
           *    Software settings preservation
           *    SMART Command Transport (SCT) feature set
           *    SCT Read/Write Long (AC1), obsolete
           *    SCT Write Same (AC2)
           *    SCT Error Recovery Control (AC3)
           *    SCT Features Control (AC4)
           *    SCT Data Tables (AC5)
                unknown 206[12] (vendor specific)
                unknown 206[13] (vendor specific)
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        182min for SECURITY ERASE UNIT. 182min for ENHANCED SECURITY ERASE UNIT.
Logical Unit WWN Device Identifier: 5000c5002e9f2ea1
        NAA             : 5
        IEEE OUI        : 000c50
        Unique ID       : 02e9f2ea1
Checksum: correct

hdparm -R1 /dev/sda

/dev/sda:
 setting write-read-verify to 1
 write-read-verify =  2
```

ERC settings: read with `smartctl -l scterc /dev/sda`, set with `smartctl -l scterc,150,150 /dev/sda` (read and write timeout in tenths of a second, so 150 = 15 s).

#### related issues

- https://cateee.net/lkddb/web-lkddb/BLK_DEV_INTEGRITY.html

##### cryptsetup

- https://gitlab.com/cryptsetup/cryptsetup/-/issues/632 xxHASH64 support, needs a separate `--tag-size 8`
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/668 dm-integrity documentation with setting recommendations
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/620 systemd LUKS key management integration
- https://gitlab.com/cryptsetup/cryptsetup/-/issues/573 issues with caching the "recalculating" flag

###### ATA background

- https://raid.wiki.kernel.org/index.php/Drive_Data_Sheets#Non-Raid_drives
- https://www.smartmontools.org/wiki/FAQ#WhatiserrorrecoverycontrolERCandwhyitisimportanttoenableitfortheSATAdisksinRAID

##### dm-integrity

- https://www.kernel.org/doc/html/latest/admin-guide/device-mapper/dm-integrity.html
- https://man7.org/linux/man-pages/man8/integritysetup.8.html

### package manager integrity

##### pacman based integrity check

```
pacutils: sudo paccheck --md5sum --quiet
AUR:      sudo check-pacman-mtree.lua -a
```

##### apt based integrity check

```
(https://askubuntu.com/posts/891158/timeline)

For checking the integrity of an individual file in a package against the repositories, there's no easy way short of downloading the package. The repositories typically provide these files:

* `Release{,.gpg}`, `InRelease` - these provide the hashes of the `Packages` files.
* The `Packages` file provides hashes of the packages.
* The `Contents` file, where present, provides filelists of packages.

There's no file which provides the hashes of individual files - these are contained in the packages (`DEBIAN/md5sums` in the `control` archive). So, if you don't trust the local system:

1. You'll have to download the `Contents` file (if available).
2. Match the file to the package using that file and download the package.
3. Then use the `md5sums` to verify the file.

If a `Contents` file is not available, and you don't trust the local system, have fun downloading _every_ package to see what provided the file. This does not scale.
```

```
debsums --silent -a
```

```
#!/usr/bin/bash
# Pull the conffile hashes out of the dpkg status database and check the files on disk.
# Conffiles entries look like " /etc/foo.conf <md5>"; the canonical md5sum -c input is
# "<md5>  <path>" (two spaces), and entries whose second field is not a 32-character
# hash (e.g. "newconffile") are skipped because md5sum -c would reject them.
sed -n '/Conffiles/,/Description/p' /var/lib/dpkg/status \
    | grep -v Conffiles | grep -v Description \
    | awk 'length($2) == 32 {print $2 "  " $1}' > dpkg_hash.md5sum
md5sum -c --quiet dpkg_hash.md5sum
echo $?
```

```
# the per-package md5sums files list paths relative to /, hence the cd
cd /; for sumfile in /var/lib/dpkg/info/*.md5sums; do /usr/bin/md5sum --quiet -c "$sumfile"; done;
```

At least this puts you one step ahead of someone.