[PATCH v2 0/4] ubifs: support authentication without hmac

Torben Hohn torben.hohn at linutronix.de
Mon Jun 29 05:07:34 EDT 2020


On Fri, Jun 26, 2020 at 04:16:51PM +0200, Richard Weinberger wrote:
> Torben,
> 
> ----- Original Message -----
> > From: "Torben Hohn" <torben.hohn at linutronix.de>
> > To: "richard" <richard at nod.at>
> > CC: "bigeasy" <bigeasy at linutronix.de>, "tglx" <tglx at linutronix.de>, "linux-mtd" <linux-mtd at lists.infradead.org>, "Sascha
> > Hauer" <s.hauer at pengutronix.de>
> > Sent: Friday, 26 June 2020 13:29:03
> > Subject: [PATCH v2 0/4] ubifs: support authentication without hmac
> 
> > This PQ adds support for ubifs authentication without HMAC,
> > which obviously only works for a read-only mount.
> > 
> > ubiblock and dm-verity are not supported by u-boot, and
> > the kernel on the target is loaded by u-boot out of the RFS.
> > 
> > This is a first try to implement this.
> > It boots fine, and the WARN_ON is not triggered.
> > 
> > I plan to update the docs also, but i would like to have
> > some positive comments on this before.
> > 
> > Changes since v1:
> > 
> > - apply comments from Sascha and revert the
> >  ubifs_authenticated_(read|write) stuff.
> >  Use ubifs_assert(c, !c->ro_mount) instead.
> > - Prevent remount rw, when hmac-less authentication is used
> > - add missing check, for ro mode, when no auth_key_name is specified.
> 
> I didn't dig deep into the code so far, I'm still checking the concept.
> 
> Your approach works only on pristine offline signed images from mkfs.ubifs.
> So, if somebody does this, it won't work:
> 
> $ keyctl padd logon ubifs:authfs @s < secret.key 
> $ mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,auth_key=ubifs:authfs
> 
> ... change the fs ...
> 
> $ umount /mnt
> $ mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,ro
> 
> The ro mount will fail because UBIFS is no longer able to verify the super block
> using the system key ring. It was overwritten by the ubifs:authfs key.

Yes. But that is the intended behaviour.
If the filesystem has been changed, it must not be mounted again.

I would rather like to make it impossible to mount the filesystem in rw
mode, because this is an attack scenario. It would refuse to mount upon
reboot. Making it possible to remount root rw, with a fresh key, is
nice for development, but it's not desired in production.


> 
> A possible solution is keeping a copy of the offline sign key forever in the fs.
> But I'm not sure whether this is wise.

Heh? You mean the private key. NO.

When it's not possible to store a secret on the h/w, then the only
option we have is asymmetric signatures, with the private key never
being on the device.

This obviously means that the device is not able to write to the RFS.

> 
> Thanks,
> //richard

-- 
Torben Hohn
Linutronix GmbH | Bahnhofstrasse 3 | D-88690 Uhldingen-Mühlhofen
Phone: +49 7556 25 999 18; Fax.: +49 7556 25 999 99

Information on data privacy can be found here:
https://linutronix.de/kontakt/Datenschutz.php

Linutronix GmbH | Registered Office: Uhldingen-Mühlhofen |
Registration Court: Amtsgericht Freiburg i.Br., HRB700
806 | Managing Directors: Heinz Egger, Thomas Gleixner
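The exchange above turns on one distinction: a superblock authenticated by an offline asymmetric signature (private key never on the device, so the device can only mount read-only) versus one authenticated by an HMAC with a device-held key (read-write possible, but a commit replaces the signature with an HMAC, after which a key-less ro mount no longer verifies). The following Python model is an added example written for this page, not code from the patch series, from UBIFS or from mkfs.ubifs. It reduces the superblock to a root hash plus one authentication record, stands in a Lamport one-time signature for whatever asymmetric scheme a real deployment would use (UBIFS does not use Lamport; it is chosen only because it needs nothing beyond hashlib), and uses a random 32-byte key in place of the `ubifs:authfs` logon key. The mount policy it encodes is the one stated in the thread: a mount without a key must be ro, an rw mount needs the HMAC key, and a committed filesystem can no longer be verified without that key. The function names (`mkfs_signed`, `mount`, `commit`) are the model's own.

```python
"""Toy model of signature-only vs. HMAC UBIFS authentication (added example)."""
import hashlib
import hmac
import secrets
from typing import Optional

HASH = "sha256"   # stands in for auth_hash_name=sha256


def h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


# --- Lamport one-time signature: private key exists only on the build host ---
def lamport_keygen():
    # Assumption: 256 pairs of 32-byte preimages; the public key is their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(h(a), h(b)) for a, b in sk]
    return sk, pk


def _bits(msg: bytes):
    d = h(msg)
    return [(d[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]


def lamport_sign(sk, msg: bytes) -> list:
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]


def lamport_verify(pk, msg: bytes, sig: list) -> bool:
    if len(sig) != 256:
        return False
    ok = True
    for i, bit in enumerate(_bits(msg)):
        # constant-time compare of every element, no early exit
        ok &= hmac.compare_digest(h(sig[i]), pk[i][bit])
    return bool(ok)


# --- superblock model --------------------------------------------------------
def mkfs_signed(root_hash: bytes, sk) -> dict:
    """Build-host step: the pristine image carries a signature and no HMAC."""
    return {"root_hash": root_hash, "auth": ("sig", lamport_sign(sk, root_hash))}


def commit(sb: dict, new_root_hash: bytes, hmac_key: bytes) -> dict:
    """A commit from an rw mount: the superblock now carries an HMAC, not a signature."""
    tag = hmac.new(hmac_key, new_root_hash, HASH).digest()
    return {"root_hash": new_root_hash, "auth": ("hmac", tag)}


def mount(sb: dict, pubkey, *, ro: bool, hmac_key: Optional[bytes] = None) -> str:
    """Return 'ok' or a refusal reason, applying the policy discussed in the thread."""
    kind, value = sb["auth"]
    if kind == "sig":
        if not lamport_verify(pubkey, sb["root_hash"], value):
            return "refused: signature does not verify"
    elif kind == "hmac":
        if hmac_key is None:
            return "refused: HMAC present but no key supplied"
        expect = hmac.new(hmac_key, sb["root_hash"], HASH).digest()
        if not hmac.compare_digest(expect, value):
            return "refused: HMAC mismatch"
    else:
        return "refused: unknown auth kind"
    # Without a device-held key there is nothing to re-HMAC on commit: ro only.
    if not ro and hmac_key is None:
        return "refused: rw mount needs an HMAC key"
    return "ok"


def scenario() -> list:
    """Walk through the sequence from the thread; returns the mount results in order."""
    sk, pk = lamport_keygen()
    sb = mkfs_signed(h(b"constructed root node"), sk)   # constructed sample data
    devkey = secrets.token_bytes(32)                     # models ubifs:authfs
    results = [
        mount(sb, pk, ro=True),                          # pristine image, no key, ro
        mount(sb, pk, ro=False),                         # remount rw without key
        mount(sb, pk, ro=False, hmac_key=devkey),        # rw with the logon key
    ]
    sb2 = commit(sb, h(b"changed root node"), devkey)    # "... change the fs ..."
    results.append(mount(sb2, pk, ro=True))              # ro again, key gone
    results.append(mount(sb2, pk, ro=True, hmac_key=devkey))
    tampered = dict(sb, root_hash=h(b"tampered root node"))
    results.append(mount(tampered, pk, ro=True))         # offline image modified
    return results


if __name__ == "__main__":
    for step, res in enumerate(scenario(), 1):
        print(step, res)
```

The fourth result is Richard's failing ro mount: once a commit has replaced the signature with an HMAC, the verifier that only holds the public key has nothing it can check. The second result is the remount-rw refusal Torben wants for production, and the last shows that any change to a signature-only image, not just a commit, makes it unmountable.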
