[PATCH v2 0/4] ubifs: support authentication without hmac
bigeasy
bigeasy at linutronix.de
Fri Jul 3 04:16:27 EDT 2020
On 2020-07-02 21:03:54 [+0200], Richard Weinberger wrote:
> ----- Original Message -----
> >>>> Anyway, like said in the other mail, I think if we change the feature to
> >>>> "keep offline sign key and imply ro mount" things will be more smooth with less
> >>>> corner cases.
> >>>
> >>> I don't think so. The desired mode is to prevent RW mounts for a factory
> >>> signed image which implies the prevention of rewriting the superblock.
> >>
> >> This is exactly what I'm asking for.
> >> Keep the factory signed super block and imply read-only mode.
> >
> > And that's what Torben implemented unless I'm missing something.
>
> Torben implemented it the other way around, he allows mounting without
> the HMAC if UBIFS mount is read-only.
> This covers also the proposed use-case but as I stated it has issues with
> remounting and makes the implementation more complicated than it should be.
>
> That's why I proposed adding a new mount option like "keep_offline_signature" or
> what name fits better. That gives us the following pros:
So you want an extra option instead of setting SB_RDONLY on RO mounts
without the key and not allowing RW mounts in this case?
> 1. Makes the implementation super simple.
> If keep_offline_signature is set and rw mount requested, reject.
> RW remount can be rejected very easily, store keep_offline_signature in the ubifs context.
>
> 2. If the super block got already re-written, reject.
> You can check sub->hmac[] for being non-zero.
> That way we can give the user a decent error message in case they do stupid things.
Re-written as in a prior RW mount with the key?
> 3. Userspace can verify whether the UBIFS fs is pristine by checking
> for the keep_offline_signature mount flag in /proc/self/mountinfo.
Could this information be dubious if the UBIFS was mounted RW once (with
the key around) and then mounted RO,keep_offline_signature ? So you
would have to only allow keep_offline_signature if your point (2) is
true?
> Thanks,
> //richard
Sebastian
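Richard's point (3) is that userspace can tell whether the UBIFS image is still pristine by looking for the proposed mount flag in /proc/self/mountinfo. The following is an added example from the editor, not code from the thread, from Torben's patches or from the kernel: a small userspace checker that parses mountinfo text, finds the entry for a mount point, and reports whether it is a ubifs superblock that is both read-only (the "ro" in the super options field reflects SB_RDONLY) and carries the option. The option name keep_offline_signature is assumed from Richard's proposal, the mountinfo lines are constructed for the example, and the function name ubifs_is_pristine is the editor's. As Sebastian's question above implies, this only reports what the kernel exposes; it cannot see sb->hmac[] and so relies on the kernel refusing the option for a superblock that was already re-written.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 1024

/* Constructed sample, not captured from a real system. The option name
 * keep_offline_signature is the one proposed in the thread and is assumed
 * here; the merged kernel may spell it differently or not have it at all. */
static const char sample_mountinfo[] =
    "36 35 98:0 / / rw,relatime - ext4 /dev/root rw,errors=remount-ro\n"
    "40 36 0:21 / /mnt/fw ro,relatime shared:3 - ubifs ubi0:rootfs "
    "ro,keep_offline_signature,auth_key=fw,auth_hash_name=sha256\n"
    "41 36 0:22 / /mnt/data rw,relatime - ubifs ubi0:data "
    "rw,auth_key=fw,auth_hash_name=sha256\n";

/* True if the comma-separated list contains opt as a whole item,
 * so "ro" does not match inside "errors=remount-ro". */
static bool has_option(const char *list, const char *opt)
{
    size_t n = strlen(opt);
    const char *p = list;

    while (*p) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == n && memcmp(p, opt, n) == 0)
            return true;
        if (!end)
            break;
        p = end + 1;
    }
    return false;
}

/*
 * Look up mountpoint in mountinfo text (format of /proc/self/mountinfo).
 * Returns:
 *   1  ubifs, read-only at superblock level, keep_offline_signature set
 *   0  ubifs, but not in that state
 *  -1  mountpoint not present or not ubifs
 * mountinfo octal-escapes spaces in paths (\040); this compares the escaped
 * form verbatim and does not decode it.
 */
int ubifs_is_pristine(const char *mountinfo, const char *mountpoint)
{
    const char *line = mountinfo;

    while (*line) {
        char buf[LINE_MAX_LEN];
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char *save, *tok, *fields[6], *fstype, *superopts;
        int i = 0;

        if (len >= sizeof buf)
            return -1; /* refuse a malformed line rather than truncate it */
        memcpy(buf, line, len);
        buf[len] = '\0';
        line = nl ? nl + 1 : line + len;

        /* Fields 1-6 are fixed: id, parent, major:minor, root, mount point,
         * per-mount options. Then optional fields until "-", then fstype,
         * source and the per-superblock options. */
        tok = strtok_r(buf, " ", &save);
        while (tok && i < 6) {
            fields[i++] = tok;
            tok = strtok_r(NULL, " ", &save);
        }
        if (i < 6)
            continue;
        while (tok && strcmp(tok, "-") != 0)
            tok = strtok_r(NULL, " ", &save);
        if (!tok)
            continue;
        fstype = strtok_r(NULL, " ", &save);
        (void)strtok_r(NULL, " ", &save); /* mount source, unused */
        superopts = strtok_r(NULL, " ", &save);
        if (!fstype || !superopts)
            continue;

        if (strcmp(fields[4], mountpoint) != 0)
            continue;
        if (strcmp(fstype, "ubifs") != 0)
            return -1;
        return (has_option(superopts, "ro") &&
                has_option(superopts, "keep_offline_signature")) ? 1 : 0;
    }
    return -1;
}

int main(void)
{
    const char *mounts[] = { "/mnt/fw", "/mnt/data", "/" };

    for (size_t i = 0; i < 3; i++)
        printf("%-10s pristine=%d\n", mounts[i],
               ubifs_is_pristine(sample_mountinfo, mounts[i]));
    return 0;
}
```

On a live system, read /proc/self/mountinfo into a buffer and pass it in place of the constructed sample; the super options field is the one to inspect, because a per-mount "ro" (a bind mount made read-only) says nothing about whether the superblock itself is SB_RDONLY.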