[PATCH v2 0/4] ubifs: support authentication without hmac
Richard Weinberger
richard at nod.at
Thu Jul 2 15:03:54 EDT 2020
----- Ursprüngliche Mail -----
>>>> Anyway, like said in the other mail, I think if we change the feature to
>>>> "keep offline sign key and imply ro mount" things will be more smooth with less
>>>> corner
>>>> cases.
>>>
>>> I don't think so. The desired mode is to prevent RW mounts for a factory
>>> signed image which implies the prevention of rewriting the superblock.
>>
>> This is exactly what I'm asking for.
>> Keep the factory signed super block and imply read-only mode.
>
> And that's what Torben implemented unless I'm missing something.
Torben implemented it the other way around, he allows mounting without
the HMAC if UBIFS mount is read-only.
This covers also the proposed use-case but as I stated it has issues with
remounting and makes the implementation more complicated than it should be.
That's why I proposed adding a new mount option like "keep_offline_signature" or
what name fits better. That gives us the following pros:
1. Makes the implementation super simple.
If keep_offline_signature is set and rw mount requested, reject.
RW remount can rejected very easily, store keep_offline_signature in the ubifs context.
2. If the super block got already re-written, reject.
You can check sub->hmac[] for being non-zero.
That way we can give the user a decent error message in case they do stupid things.
3. Userspace can verify whether the UBIFS fs is pristine by checking
for the keep_offline_signature mount flag in /proc/self/mountinfo.
Thanks,
//richard
More information about the linux-mtd
mailing list