SYSTEMD-VERITYSETUP-GENERATOR(8) SYSTEMD-VERITYSETUP-GENERATOR(8)

     NAME
          systemd-veritysetup-generator - Unit generator for
          integrity-protected block devices

     SYNOPSIS
          /lib/systemd/system-generators/systemd-veritysetup-generator

     DESCRIPTION
          systemd-veritysetup-generator is a generator that translates
          kernel command line options configuring integrity-protected
          block devices (verity) into native systemd units early at
          boot and when configuration of the system manager is
          reloaded. This will create systemd-veritysetup@.service(8)
          units as necessary.

          Currently, only a single verity device may be set up with
          this generator, backing the root file system of the OS.

          systemd-veritysetup-generator implements
          systemd.generator(7).

     KERNEL COMMAND LINE
          systemd-veritysetup-generator understands the following
          kernel command line parameters:

          systemd.verity=, rd.systemd.verity=
              Takes a boolean argument. Defaults to "yes". If "no",
              disables the generator entirely.  rd.systemd.verity= is
              honored only by the initial RAM disk (initrd) while
              systemd.verity= is honored by both the host system and
              the initrd.

          roothash=
              Takes a root hash value for the root file system.
              Expects a hash value formatted in hexadecimal characters
              of the appropriate length (i.e. most likely 256 bits/64
              characters, or longer). If not specified via
              systemd.verity_root_data= and systemd.verity_root_hash=,
              the hash and data devices to use are automatically
              derived from the specified hash value. Specifically, the
              data partition device is looked for under a GPT
              partition UUID derived from the first 128 bits of the
              root hash, and the hash partition device is looked for
              under a GPT partition UUID derived from the last 128
              bits of the root hash. Hence it is usually sufficient to
              specify the root hash to boot from an integrity-protected
              root file system, as device paths are automatically
              determined from it - as long as the partition table is
              properly set up.

     Page 1                     systemd 247          (printed 5/23/22)


          systemd.verity_root_data=, systemd.verity_root_hash=
              These two settings take block device paths as arguments
              and may be used to explicitly configure the data
              partition and hash partition to use for setting up the
              integrity protection for the root file system. If not
              specified, these paths are automatically derived from
              the roothash= argument (see above).
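
          The derivation described under roothash=, as an added example
          (not systemd's own code). It assumes each UUID is the 16 hash
          bytes in order, written in 8-4-4-4-12 form, and that udev
          exposes partitions under /dev/disk/by-partuuid/; the function
          names and the sample root hash are constructed for illustration.

```shell
#!/bin/sh
# Added example, not systemd code. Assumes the partition UUID is the 16 hash
# bytes in order, written in 8-4-4-4-12 form. Function names are hypothetical.

# Lower-case and validate a root hash: hex only, whole bytes, >= 128 bits.
normalize_roothash() {
    h=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$h" in
        ''|*[!0-9a-f]*) return 1 ;;
    esac
    [ "${#h}" -ge 32 ] && [ $(( ${#h} % 2 )) -eq 0 ] || return 1
    printf '%s\n' "$h"
}

# Read 32 hex characters on stdin, print them as a UUID.
hex_to_uuid() {
    sed 's/^\(.\{8\}\)\(.\{4\}\)\(.\{4\}\)\(.\{4\}\)\(.\{12\}\)$/\1-\2-\3-\4-\5/'
}

# Data partition: first 128 bits of the root hash.
verity_data_partuuid() {
    h=$(normalize_roothash "$1") || return 1
    printf '%s\n' "$h" | cut -c1-32 | hex_to_uuid
}

# Hash partition: last 128 bits of the root hash.
verity_hash_partuuid() {
    h=$(normalize_roothash "$1") || return 1
    printf '%s\n' "$h" | cut -c"$(( ${#h} - 31 ))"- | hex_to_uuid
}

# Report whether both derived partitions are present (assumes udev's
# /dev/disk/by-partuuid/ symlinks). Returns 1 if either is missing,
# 2 if the root hash is malformed.
check_verity_partitions() {
    rc=0
    for role in data hash; do
        uuid=$("verity_${role}_partuuid" "$1") || return 2
        dev="/dev/disk/by-partuuid/$uuid"
        if [ -e "$dev" ]; then state=present; else state=MISSING; rc=1; fi
        printf '%-4s %s %s\n' "$role" "$dev" "$state"
    done
    return "$rc"
}

# Constructed sample root hash (256 bit), not taken from a real image.
SAMPLE=0123456789abcdef0123456789abcdeffedcba9876543210fedcba9876543210
check_verity_partitions "$SAMPLE" || true
```

          Running check_verity_partitions with the root hash of a built
          image shows whether the partition table carries the UUIDs that
          automatic discovery will look for.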

     SEE ALSO
          systemd(1), systemd-veritysetup@.service(8), veritysetup(8),
          systemd-fstab-generator(8)
