
[0/2] mtd-utils: mkfs.ubifs: Add signing support for UBIFS images

Message ID 20190806104928.1224-1-s.hauer@pengutronix.de

Message

Sascha Hauer Aug. 6, 2019, 10:49 a.m. UTC
This series adds the userspace part to mkfs.ubifs to generate signed UBIFS
images. With this a UBIFS image can be cryptographically signed in PKCS
#7 CMS format which is then authenticated in the Kernel before mounting
it. The necessary Kernel bits have been merged with 817aa094842d
("ubifs: support offline signed images").

Here is a quick walkthrough for generating and mounting a signed UBIFS image
using the kernel provided keys used for module signing:

- configure kernel with CONFIG_UBIFS_FS_AUTHENTICATION, CONFIG_MODULE_SIG and
  CONFIG_INTEGRITY_ASYMMETRIC_KEYS enabled (assumed to be in ~/linux/ in
  this example)
- build kernel, ~/linux/certs/signing_key.x509 and ~/linux/certs/signing_key.pem
  will be generated
- generate ubifs image:

  mkfs.ubifs --hash-algo=sha256 --auth-cert=~/linux/certs/signing_key.x509 \
	-d root -e  126976 -o ~/signed.ubifs -c 1024 -m 2048 \
	--auth-key=~/linux/certs/signing_key.pem

- flash UBIFS image onto target and mount:

  ubimkvol -N root -s 64MiB /dev/ubi0
  ubiupdatevol /dev/ubi0_0 signed.ubifs
  cat mysecret | keyctl padd logon ubifs:root @s
  mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,auth_key=ubifs:root


Sascha Hauer (2):
  ubifs-media: Update to Linux-5.3-rc3
  mkfs.ubifs: Add authentication support

 include/mtd/ubifs-media.h           |  75 ++++-
 ubifs-utils/Makemodule.am           |   3 +-
 ubifs-utils/mkfs.ubifs/lpt.c        |  12 +
 ubifs-utils/mkfs.ubifs/mkfs.ubifs.c | 172 +++++++++---
 ubifs-utils/mkfs.ubifs/mkfs.ubifs.h |   1 +
 ubifs-utils/mkfs.ubifs/sign.c       | 409 ++++++++++++++++++++++++++++
 ubifs-utils/mkfs.ubifs/sign.h       |  80 ++++++
 ubifs-utils/mkfs.ubifs/ubifs.h      |  22 +-
 8 files changed, 730 insertions(+), 44 deletions(-)
 create mode 100644 ubifs-utils/mkfs.ubifs/sign.c
 create mode 100644 ubifs-utils/mkfs.ubifs/sign.h

Comments

David Oberhollenzer Aug. 19, 2019, 7:29 a.m. UTC | #1
Applied to mtd-utils.git master.

Thanks,

David
Kevin Raymond Feb. 7, 2020, 3:25 p.m. UTC | #2
Hi there,

I am testing ubifs authentication for my new board, however I can't
get it to work.
I am not able to have keyctl add my key to the kernel keyring.

This is by far the easiest documentation I found about ubifs authentication.

I've got my kernel generating the asymmetric key, I can do the offline
signing with mkfs.ubifs but am not able to mount the ubifs partition.
I always get the following error:
    mount: mounting /dev/ubi0_8 on /mnt failed: Required key not available

I am really not sure about the "keyctl add" part.
From the Sascha example, should we change 'mysecret' by
'signing_key.pem' ? Should we change its format?
keyctl returns an identifier that does not appear to exist.
I don't have any new entry with the keyctl show command.

I am using Linux kernel 5.4.18, and mtd-utils from master (revision
95633c4dfe9).

I have the x509 certificate entry in /proc/keys (as asymmetri Build
time autogenerated kernel key)

My kernel config has the following entries:
CONFIG_UBIFS_FS_AUTHENTICATION=y
CONFIG_CRYPTO_AUTHENC=m
CONFIG_KEYS=y
CONFIG_SYSTEM_TRUSTED_KEYS=""
CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_SHA256=y
CONFIG_MODULE_SIG_HASH="sha256"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

Thanks for your help, I am not sure if ubifs authentication is widely used yet.




Sascha Hauer Feb. 7, 2020, 3:51 p.m. UTC | #3
Hi Kevin,

On Fri, Feb 07, 2020 at 04:25:58PM +0100, Kevin Raymond wrote:
> Hi there,
> 
> I am testing ubifs authentication for my new board, however I can't
> get it to work.
> I am not able to have keyctl add my key to the kernel keyring.
> 
> This is by far the easiest documentation I found about ubifs authentication.
> 
> I've got my kernel generating the asymmetric key, I can do the offline
> signing with mkfs.ubifs but am not able to mount the ubifs partition.
> I always get the following error:
>     mount: mounting /dev/ubi0_8 on /mnt failed: Required key not available
> 
> I am really not sure about the "keyctl add" part.
> From the Sascha example, should we change 'mysecret' by
> 'signing_key.pem' ? Should we change its format?

There are two different keys involved. One is an asymmetric
private/public key pair needed for authenticating offline signed images.
That's the one you compile the Kernel with and which you provide to
mkfs.ubifs. This key is only used during first mount.

The other one is a symmetric key which is used during runtime and that's
the one you add with:

cat mysecret | keyctl padd logon ubifs:root @s

Note that "cat mysecret" is only an example. It obviously doesn't help
authenticating having a key stored world readable on the device. The
i.MX6 offers ways to generate secrets with the CAAM unit. However,
for testing purposes some "echo foobarbaz | keyctl padd logon ubifs:root
@s" does it.

You are trying offline signed images, but maybe you should start without
an image and do runtime authentication only. For this create an empty
UBI volume and just mount it like this (after doing the keyctl padd as
above):

mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,auth_key=ubifs:root

I am not sure if the kernel can read the key if you put it into the
session keyring. Systemd for example influences this and I don't know
exactly how. You might have to replace "@s" with "@u".

Hope that helps.

Regards
 Sascha
Kevin Raymond Feb. 7, 2020, 5:20 p.m. UTC | #4
On Fri, Feb 7, 2020 at 4:51 PM Sascha Hauer <s.hauer@pengutronix.de> wrote:
>
> Hi Kevin,
>
> On Fri, Feb 07, 2020 at 04:25:58PM +0100, Kevin Raymond wrote:
> > Hi there,
> >
> > I am testing ubifs authentication for my new board, however I can't
> > get it to work.
> > I am not able to have keyctl add my key to the kernel keyring.
> >
> > This is by far the easiest documentation I found about ubifs authentication.
> >
> > I've got my kernel generating the asymmetric key, I can do the offline
> > signing with mkfs.ubifs but am not able to mount the ubifs partition.
> > I always get the following error:
> >     mount: mounting /dev/ubi0_8 on /mnt failed: Required key not available
> >
> > I am really not sure about the "keyctl add" part.
> > From the Sascha example, should we change 'mysecret' by
> > 'signing_key.pem' ? Should we change its format?
>
> There are two different keys involved. One is an asymmetric
> private/public key pair needed for authenticating offline signed images.
> That's the one you compile the Kernel with and which you provide to
> mkfs.ubifs. This key is only used during first mount.
>
> The other one is a symmetric key which is used during runtime and that's
> the one you add with:
>
> cat mysecret | keyctl padd logon ubifs:root @s
>
> Note that "cat mysecret" is only an example. It obviously doesn't help
> authenticating having a key stored world readable on the device. The
> i.MX6 offers ways to generate secrets with the CAAM unit. However,
> for testing purposes some "echo foobarbaz | keyctl padd logon ubifs:root
> @s" does it.

Alright I get it, the offline signing key is not the same as the one used at
runtime (which is definitely a good thing).

>
> You are trying offline signed images, but maybe you should start without
> an image and do runtime authentication only. For this create an empty
> UBI volume and just mount it like this (after doing the keyctl padd as
> above):
>
> mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,auth_key=ubifs:root
>
> I am not sure if the kernel can read the key if you put it into the
> session keyring. Systemd for example influences this and I don't know
> exactly how. You might have to replace "@s" with "@u".

Ok, using user session keyring is better in my example I can successfully define
a new symmetric key in order to mount a newly created partition.
I am not using systemd here, a simple busybox and sysV init.

However if I get the whole idea, if I use ubiupdatevol to update my partition,
I need the public key used while signing the ubifs at the first mount time
and then another symmetric one ("mysecret" identified as 'ubifs:root' in this
example) in order to keep signing the partition.

This public key is already present (available to the mount command?) but
I don't have a way to tell which one to use.

mount -t ubifs /dev/ubi0_8 -o auth_key=ubifs:root,auth_hash_name=sha256 /mnt/
mount: mounting /dev/ubi0_8 on /mnt/ failed: Invalid argument

auth_key is the new symmetric key
my public key used when creating the offline signature is in /proc/keys

3b1ecf1d I------     1 perm 1f030000     0     0 asymmetri Build time autogenerated kernel key: a21494c43b8859eceedf1c3d6727fd26f51b1bea: X509.rsa f51b1bea []

I am not sure what I am missing about the first mount of a signed ubifs.

>
> Hope that helps.

Yes I get most of it now, thanks

>
> Regards
>  Sascha
>
Sascha Hauer Feb. 10, 2020, 7:57 a.m. UTC | #5
On Fri, Feb 07, 2020 at 06:20:57PM +0100, Kevin Raymond wrote:
> On Fri, Feb 7, 2020 at 4:51 PM Sascha Hauer <s.hauer@pengutronix.de> wrote:
> >
> > Hi Kevin,
> >
> > On Fri, Feb 07, 2020 at 04:25:58PM +0100, Kevin Raymond wrote:
> > > Hi there,
> > >
> > > I am testing ubifs authentication for my new board, however I can't
> > > get it to work.
> > > I am not able to have keyctl add my key to the kernel keyring.
> > >
> > > This is by far the easiest documentation I found about ubifs authentication.
> > >
> > > I've got my kernel generating the asymmetric key, I can do the offline
> > > signing with mkfs.ubifs but am not able to mount the ubifs partition.
> > > I always get the following error:
> > >     mount: mounting /dev/ubi0_8 on /mnt failed: Required key not available
> > >
> > > I am really not sure about the "keyctl add" part.
> > > From the Sascha example, should we change 'mysecret' by
> > > 'signing_key.pem' ? Should we change its format?
> >
> > There are two different keys involved. One is an asymmetric
> > private/public key pair needed for authenticating offline signed images.
> > That's the one you compile the Kernel with and which you provide to
> > mkfs.ubifs. This key is only used during first mount.
> >
> > The other one is a symmetric key which is used during runtime and that's
> > the one you add with:
> >
> > cat mysecret | keyctl padd logon ubifs:root @s
> >
> > Note that "cat mysecret" is only an example. It obviously doesn't help
> > authenticating having a key stored world readable on the device. The
> > i.MX6 offers ways to generate secrets with the CAAM unit. However,
> > for testing purposes some "echo foobarbaz | keyctl padd logon ubifs:root
> > @s" does it.
> 
> Alright I get it, the offline signing key is not the same as the one used at
> runtime (which is definitely a good thing).
> 
> >
> > You are trying offline signed images, but maybe you should start without
> > an image and do runtime authentication only. For this create an empty
> > UBI volume and just mount it like this (after doing the keyctl padd as
> > above):
> >
> > mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,auth_key=ubifs:root
> >
> > I am not sure if the kernel can read the key if you put it into the
> > session keyring. Systemd for example influences this and I don't know
> > exactly how. You might have to replace "@s" with "@u".
> 
> Ok, using user session keyring is better in my example I can successfully define
> a new symmetric key in order to mount a newly created partition.
> I am not using systemd here, a simple busybox and sysV init.
> 
> However if I get the whole idea, if I use ubiupdatevol to update my partition,
> I need the public key used while signing the ubifs at the first mount time
> and then another symmetric one ("mysecret" identified as 'ubifs:root' in this
> example) in order to keep signing the partition.

Yes. You could do without the symmetric key in a readonly environment.

> 
> This public key is already present (available to the mount command?) but
> I don't have a way to tell which one to use.

You don't have to, the Kernel will pick the right one automatically.

> 
> mount -t ubifs /dev/ubi0_8 -o auth_key=ubifs:root,auth_hash_name=sha256 /mnt/
> mount: mounting /dev/ubi0_8 on /mnt/ failed: Invalid argument
> 
> auth_key is the new symmetric key
> my public key used when creating the offline signature is in /proc/keys
> 
> 3b1ecf1d I------     1 perm 1f030000     0     0 asymmetri Build time autogenerated kernel key: a21494c43b8859eceedf1c3d6727fd26f51b1bea: X509.rsa f51b1bea []
> 
> I am not sure what I am missing about the first mount of a signed ubifs.

Me neither currently. I could play it through with a current
Linux/mtd-utils tomorrow to see if there's anything not working.

Sascha
Kevin Raymond Feb. 10, 2020, 5:06 p.m. UTC | #6
On Mon, Feb 10, 2020 at 8:57 AM Sascha Hauer <s.hauer@pengutronix.de> wrote:
>
> On Fri, Feb 07, 2020 at 06:20:57PM +0100, Kevin Raymond wrote:
> > On Fri, Feb 7, 2020 at 4:51 PM Sascha Hauer <s.hauer@pengutronix.de> wrote:
> > >
> > > Hi Kevin,
> > >
> > > On Fri, Feb 07, 2020 at 04:25:58PM +0100, Kevin Raymond wrote:
> > > > Hi there,
> > > >
> > > > I am testing ubifs authentication for my new board, however I can't
> > > > get it to work.
> > > > I am not able to have keyctl add my key to the kernel keyring.
> > > >
> > > > This is by far the easiest documentation I found about ubifs authentication.
> > > >
> > > > I've got my kernel generating the asymmetric key, I can do the offline
> > > > signing with mkfs.ubifs but am not able to mount the ubifs partition.
> > > > I always get the following error:
> > > >     mount: mounting /dev/ubi0_8 on /mnt failed: Required key not available
> > > >
> > > > I am really not sure about the "keyctl add" part.
> > > > From the Sascha example, should we change 'mysecret' by
> > > > 'signing_key.pem' ? Should we change its format?
> > >
> > > There are two different keys involved. One is an asymmetric
> > > private/public key pair needed for authenticating offline signed images.
> > > That's the one you compile the Kernel with and which you provide to
> > > mkfs.ubifs. This key is only used during first mount.
> > >
> > > The other one is a symmetric key which is used during runtime and that's
> > > the one you add with:
> > >
> > > cat mysecret | keyctl padd logon ubifs:root @s
> > >
> > > Note that "cat mysecret" is only an example. It obviously doesn't help
> > > authenticating having a key stored world readable on the device. The
> > > i.MX6 offers ways to generate secrets with the CAAM unit. However,
> > > for testing purposes some "echo foobarbaz | keyctl padd logon ubifs:root
> > > @s" does it.
> >
> > Alright I get it, the offline signing key is not the same as the one used at
> > runtime (which is definitely a good thing).
> >
> > >
> > > You are trying offline signed images, but maybe you should start without
> > > an image and do runtime authentication only. For this create an empty
> > > UBI volume and just mount it like this (after doing the keyctl padd as
> > > above):
> > >
> > > mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,auth_key=ubifs:root
> > >
> > > I am not sure if the kernel can read the key if you put it into the
> > > session keyring. Systemd for example influences this and I don't know
> > > exactly how. You might have to replace "@s" with "@u".
> >
> > Ok, using user session keyring is better in my example I can successfully define
> > a new symmetric key in order to mount a newly created partition.
> > I am not using systemd here, a simple busybox and sysV init.
> >
> > However if I get the whole idea, if I use ubiupdatevol to update my partition,
> > I need the public key used while signing the ubifs at the first mount time
> > and then another symmetric one ("mysecret" identified as 'ubifs:root' in this
> > example) in order to keep signing the partition.
>
> Yes. You could do without the symmetric key in a readonly environment.
>
> >
> > This public key is already present (available to the mount command?) but
> > I don't have a way to tell which one to use.
>
> You don't have to, the Kernel will pick the right one automatically.
>
> >
> > mount -t ubifs /dev/ubi0_8 -o auth_key=ubifs:root,auth_hash_name=sha256 /mnt/
> > mount: mounting /dev/ubi0_8 on /mnt/ failed: Invalid argument
> >
> > auth_key is the new symmetric key
> > my public key used when creating the offline signature is in /proc/keys
> >
> > 3b1ecf1d I------     1 perm 1f030000     0     0 asymmetri Build time autogenerated kernel key: a21494c43b8859eceedf1c3d6727fd26f51b1bea: X509.rsa f51b1bea []
> >
> > I am not sure what I am missing about the first mount of a signed ubifs.
>
> Me neither currently. I could play it through with a current
> Linux/mtd-utils tomorrow to see if there's anything not working.


Ok, thanks a lot for your help.
I tried from scratch (auto generated kernel certificate/key, offline
signing using this key+certificate) and I still get the following:

    # mount -t ubifs /dev/ubi0_6 -o ro /mnt
    mount: mounting /dev/ubi0_6 on /mnt failed: Invalid argument
    [ 7961.936787] UBIFS error (ubi0:6 pid 1025): ubifs_read_superblock: authenticated FS found, but no key given

Apparently I need the symmetric key, as the following is working now
(with or without the read-only option)

    mount -t ubifs /dev/ubi0_6 -o ro,auth_key=ubifs:rootf,auth_hash_name=sha256  /mnt
    [ 8390.028045] UBIFS (ubi0:6): Mounting in authenticated mode
    [ 8618.586641] UBIFS (ubi0:6): background thread "ubifs_bgt0_6" stops
    [ 8630.039989] UBIFS (ubi0:6): Mounting in authenticated mode
    [ 8630.098767] UBIFS (ubi0:6): Successfully verified super block signature
    [ 8630.151322] UBIFS (ubi0:6): UBIFS: mounted UBI device 0, volume 6, name "root", R/O mode
    [ 8630.159482] UBIFS (ubi0:6): LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
    [ 8630.169370] UBIFS (ubi0:6): FS size: 33267712 bytes (31 MiB, 262 LEBs), journal size 9023488 bytes (8 MiB, 72 LEBs)
    [ 8630.179784] UBIFS (ubi0:6): reserved for root: 0 bytes (0 KiB)
    [ 8630.185546] UBIFS (ubi0:6): media format: w4/r0 (latest is w5/r0), UUID 33053EA9-B76E-47A1-BC0B-BB8B97E7F593, small LPT model

I don't know what was wrong last Friday, it might be the symmetric key
inserted with keyctl in an invalid format. This time I tried with a
simple ASCII string.
I now have a working example, which is enough for me to dig further
into the ubifs authentication feature.

Thanks a lot for your work and your help.

>
> Sascha
>
Sascha Hauer Feb. 11, 2020, 8:12 a.m. UTC | #7
On Mon, Feb 10, 2020 at 06:06:28PM +0100, Kevin Raymond wrote:
> On Mon, Feb 10, 2020 at 8:57 AM Sascha Hauer <s.hauer@pengutronix.de> wrote:
> >
> > On Fri, Feb 07, 2020 at 06:20:57PM +0100, Kevin Raymond wrote:
> > > On Fri, Feb 7, 2020 at 4:51 PM Sascha Hauer <s.hauer@pengutronix.de> wrote:
> > > >
> > > > Hi Kevin,
> > > >
> > > > On Fri, Feb 07, 2020 at 04:25:58PM +0100, Kevin Raymond wrote:
> > > > > Hi there,
> > > > >
> > > > > I am testing ubifs authentication for my new board, however I can't
> > > > > get it to work.
> > > > > I am not able to have keyctl add my key to the kernel keyring.
> > > > >
> > > > > This is by far the easiest documentation I found about ubifs authentication.
> > > > >
> > > > > I've got my kernel generating the asymmetric key, I can do the offline
> > > > > signing with mkfs.ubifs but am not able to mount the ubifs partition.
> > > > > I always get the following error:
> > > > >     mount: mounting /dev/ubi0_8 on /mnt failed: Required key not available
> > > > >
> > > > > I am really not sure about the "keyctl add" part.
> > > > > From the Sascha example, should we change 'mysecret' by
> > > > > 'signing_key.pem' ? Should we change its format?
> > > >
> > > > There are two different keys involved. One is an asymmetric
> > > > private/public key pair needed for authenticating offline signed images.
> > > > That's the one you compile the Kernel with and which you provide to
> > > > mkfs.ubifs. This key is only used during first mount.
> > > >
> > > > The other one is a symmetric key which is used during runtime and that's
> > > > the one you add with:
> > > >
> > > > cat mysecret | keyctl padd logon ubifs:root @s
> > > >
> > > > Note that "cat mysecret" is only an example. It obviously doesn't help
> > > > authenticating having a key stored world readable on the device. The
> > > > i.MX6 offers ways to generate secrets with the CAAM unit. However,
> > > > for testing purposes some "echo foobarbaz | keyctl padd logon ubifs:root
> > > > @s" does it.
> > >
> > > Alright I get it, the offline signing key is not the same as the one used at
> > > runtime (which is definitely a good thing).
> > >
> > > >
> > > > You are trying offline signed images, but maybe you should start without
> > > > an image and do runtime authentication only. For this create an empty
> > > > UBI volume and just mount it like this (after doing the keyctl padd as
> > > > above):
> > > >
> > > > mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,auth_key=ubifs:root
> > > >
> > > > I am not sure if the kernel can read the key if you put it into the
> > > > session keyring. Systemd for example influences this and I don't know
> > > > exactly how. You might have to replace "@s" with "@u".
> > >
> > > Ok, using user session keyring is better in my example I can successfully define
> > > a new symmetric key in order to mount a newly created partition.
> > > I am not using systemd here, a simple busybox and sysV init.
> > >
> > > However if I get the whole idea, if I use ubiupdatevol to update my partition,
> > > I need the public key used while signing the ubifs at the first mount time
> > > and then another symmetric one ("mysecret" identified as 'ubifs:root' in this
> > > example) in order to keep signing the partition.
> >
> > Yes. You could do without the symmetric key in a readonly environment.
> >
> > >
> > > This public key is already present (available to the mount command?) but
> > > I don't have a way to tell which one to use.
> >
> > You don't have to, the Kernel will pick the right one automatically.
> >
> > >
> > > mount -t ubifs /dev/ubi0_8 -o auth_key=ubifs:root,auth_hash_name=sha256 /mnt/
> > > mount: mounting /dev/ubi0_8 on /mnt/ failed: Invalid argument
> > >
> > > auth_key is the new symmetric key
> > > my public key used when creating the offline signature is in /proc/keys
> > >
> > > 3b1ecf1d I------     1 perm 1f030000     0     0 asymmetri Build time autogenerated kernel key: a21494c43b8859eceedf1c3d6727fd26f51b1bea: X509.rsa f51b1bea []
> > >
> > > I am not sure what I am missing about the first mount of a signed ubifs.
> >
> > Me neither currently. I could play it through with a current
> > Linux/mtd-utils tomorrow to see if there's anything not working.
> 
> 
> Ok, thanks a lot for your help.
> I tried from scratch (auto generated kernel certificate/key, offline
> signing using this key+certificate) and I still get the following:
> 
>     # mount -t ubifs /dev/ubi0_6 -o ro /mnt
>     mount: mounting /dev/ubi0_6 on /mnt failed: Invalid argument
>     [ 7961.936787] UBIFS error (ubi0:6 pid 1025): ubifs_read_superblock: authenticated FS found, but no key given

Ok, this is something worth changing. The key is only needed once we go
rw.

> 
> Apparently I need the symmetric key, as the following is working now
> (with or without the read-only option)
> 
>     mount -t ubifs /dev/ubi0_6 -o ro,auth_key=ubifs:rootf,auth_hash_name=sha256  /mnt
>     [ 8390.028045] UBIFS (ubi0:6): Mounting in authenticated mode
>     [ 8618.586641] UBIFS (ubi0:6): background thread "ubifs_bgt0_6" stops
>     [ 8630.039989] UBIFS (ubi0:6): Mounting in authenticated mode
>     [ 8630.098767] UBIFS (ubi0:6): Successfully verified super block signature
>     [ 8630.151322] UBIFS (ubi0:6): UBIFS: mounted UBI device 0, volume 6, name "root", R/O mode
>     [ 8630.159482] UBIFS (ubi0:6): LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
>     [ 8630.169370] UBIFS (ubi0:6): FS size: 33267712 bytes (31 MiB, 262 LEBs), journal size 9023488 bytes (8 MiB, 72 LEBs)
>     [ 8630.179784] UBIFS (ubi0:6): reserved for root: 0 bytes (0 KiB)
>     [ 8630.185546] UBIFS (ubi0:6): media format: w4/r0 (latest is w5/r0), UUID 33053EA9-B76E-47A1-BC0B-BB8B97E7F593, small LPT model
> 
> I don't know what was wrong last Friday, it might be the symmetric key
> inserted with keyctl in an invalid format. This time I tried with a
> simple ASCII string.
> I now have a working example, which is enough for me to dig further
> into the ubifs authentication feature.
> 
> Thanks a lot for your work and your help.

You're welcome. If anything is still not working don't hesitate to ask.

Sascha
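
The checks this thread converges on (both mount options present, and the symmetric key loaded as a "logon" key under the name given to auth_key), collected into a pre-flight script. This is an added example, not part of the original messages or of mtd-utils; the function names and the sample key listing are constructed, and the /proc/keys column layout is assumed from the line quoted in message #4.

```shell
#!/bin/sh
# Added example: pre-flight check for "mount -t ubifs ... -o auth_key=...".
# Function names and the sample listing are constructed for illustration.

# Print the value of option $2 from the comma-separated -o string $1.
mount_opt() {
    printf '%s\n' "$1" | tr ',' '\n' |
        awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }'
}

# Print the type column of every key in listing $2 whose description is $1.
# Assumed /proc/keys columns: id flags usage timeout perm uid gid type desc...
# logon and user keys are listed as "<description>: <datalen>", so the
# trailing colon is stripped. Descriptions containing spaces are not handled.
key_types() {
    awk -v d="$1" 'NF >= 9 { s = $9; sub(/:$/, "", s); if (s == d) print $8 }' "$2"
}

# Count asymmetric keys; the type column is truncated to "asymmetri", as in
# the listing quoted in the thread. These are the keys the offline signature
# of a freshly flashed image is verified against.
asymmetric_key_count() {
    awk '$8 == "asymmetri" { n++ } END { print n + 0 }' "$1"
}

# Print one status word for -o string $1, checked against listing $2
# (default /proc/keys). Returns 0 only for "ok".
ubifs_auth_preflight() {
    pf_opts=$1
    pf_keys=${2:-/proc/keys}
    pf_key=$(mount_opt "$pf_opts" auth_key)
    pf_hash=$(mount_opt "$pf_opts" auth_hash_name)

    if [ -z "$pf_key" ]; then
        # On an authenticated volume the kernel in the thread logged
        # "authenticated FS found, but no key given".
        echo missing-auth-key; return 1
    fi
    if [ -z "$pf_hash" ]; then
        # Every working mount line in the thread passes both options.
        echo missing-hash-name; return 1
    fi
    pf_types=$(key_types "$pf_key" "$pf_keys")
    if printf '%s\n' "$pf_types" | grep -qx logon; then
        echo ok; return 0
    fi
    if [ -n "$pf_types" ]; then
        # A key with this name exists but was not added as type "logon".
        echo wrong-key-type; return 1
    fi
    # Nothing by that name is visible; ENOKEY reads
    # "Required key not available".
    echo key-not-found; return 1
}

# Constructed sample in /proc/keys layout (the first line is from the thread).
sample_keys() {
    cat <<'EOF'
3b1ecf1d I------     1 perm 1f030000     0     0 asymmetri Build time autogenerated kernel key: a21494c43b8859eceedf1c3d6727fd26f51b1bea: X509.rsa f51b1bea []
1a2b3c4d I--Q---     1 perm 3f010000     0     0 logon     ubifs:root: 9
2b3c4d5e I--Q---     1 perm 3f010000     0     0 user      ubifs:data: 9
EOF
}

# Run against the live keyring when called with a -o string.
if [ $# -gt 0 ]; then
    ubifs_auth_preflight "$1"
fi
```

/proc/keys lists only the keys the calling process is permitted to view, so run the check from the same session that will call mount; that is where the "@s" versus "@u" choice discussed above shows up.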