[PATCH v2 0/4] ubifs: support authentication without hmac
Richard Weinberger
richard at nod.at
Mon Jun 29 06:46:52 EDT 2020
Torben,
----- Ursprüngliche Mail -----
>> The ro mount will fail because UBIFS is no longer able to verify the super block
>> using the system key ring. It was overwritten by they ubifs:authfs key.
>
> Yes. But that is the intended behaviour.
> If the filesystem has been changed, it must not be mounted again.
In your use case.
> I would rather like to make it impossible to mount the filesystem in rw
> mode, because this is an attack scenario. It would refuse to mount upon
> reboot. Making it possible to remount root rw, with a fresh key is
> nice for development, but its not desired in production.
>
>
>>
>> A possible solution is keeping a copy of the offline sign key forever in the fs.
>> But I'm not sure whether this is wise.
>
> Heh ? you mean the private key. NO
No, I used bad wording. :-)
The superblock is signed by the offline key. As soon you switch to the new key
the super block is rewritten and can no longer verified this key.
Instead of rewriting the idea was keeping a copy.
Anyway, like said in the other mail, I think if we change the feature to
"keep offline sign key and imply ro mount" things will be more smooth with less corner
cases.
Thanks,
//richard
More information about the linux-mtd
mailing list