[PATCH v2 0/4] ubifs: support authentication without hmac

[Richard Weinberger]

Sebastian,

----- Ursprüngliche Mail -----
>> > And that's what Torben implemented unless I'm missing something.
>> 
>> Torben implemented it the other way around, he allows mounting without
>> the HMAC if UBIFS mount is read-only.
>> This covers also the proposed use-case but as I stated it has issues with
>> remounting and makes the implementation more complicated than it should be.
>> 
>> That's why I proposed adding a new mount option like "keep_offline_signature" or
>> what name fits better. That gives us the following pros:
> 
> so you want an extra option instead of setting SB_RDONLY on RO mounts
> without the key and not allowing RW mounts in this case?

Yes.

>> 1. Makes the implementation super simple.
>>    If keep_offline_signature is set and rw mount requested, reject.
>>    RW remount can rejected very easily, store keep_offline_signature in the ubifs
>>    context.
>> 
>> 2. If the super block got already re-written, reject.
>>    You can check sub->hmac[] for being non-zero.
>>    That way we can give the user a decent error message in case they do stupid
>>    things.
> 
> re-written as in a prior RW mount with the key?

Yes.

>> 3. Userspace can verify whether the UBIFS fs is pristine by checking
>>    for the keep_offline_signature mount flag in /proc/self/mountinfo.
> 
> Could this information be dubious if the UBIFS was mounted RW once (with
> the key around) and then mounted RO,keep_offline_signature ? So you
> would have to only allow keep_offline_signature if your point (2) is
> true?

No. Because as soon you mount once RW the super block is re-written with
the provided HMAC. You can detect this and refuse the mount option.

Thanks,
//richard