[PATCH v2 0/4] ubifs: support authentication without hmac

Richard Weinberger richard at nod.at
Fri Jun 26 10:16:51 EDT 2020


Torben,

----- Original Message -----
> From: "Torben Hohn" <torben.hohn at linutronix.de>
> To: "richard" <richard at nod.at>
> CC: "bigeasy" <bigeasy at linutronix.de>, "tglx" <tglx at linutronix.de>, "linux-mtd" <linux-mtd at lists.infradead.org>, "Sascha
> Hauer" <s.hauer at pengutronix.de>
> Sent: Friday, 26 June 2020 13:29:03
> Subject: [PATCH v2 0/4] ubifs: support authentication without hmac

> This PQ adds support for ubifs authentication without HMAC,
> which obviously only works for a read-only mount.
> 
> ubiblock and dm-verity are not supported by u-boot, and
> the kernel on the target is loaded by u-boot out of the RFS.
> 
> This is a first try to implement this.
> It boots fine, and the WARN_ON is not triggered.
> 
> I plan to update the docs also, but I would like to have
> some positive comments on this before.
> 
> Changes since v1:
> 
> - apply comments from Sascha and revert the
>  ubifs_authicated_(read|write) stuff.
>  Use ubifs_assert(c, !c->ro_mount) instead.
> - Prevent remount rw, when hmac-less authentication is used
> - add missing check, for ro mode, when no auth_key_name is specified.

I didn't dig deep into the code so far, I'm still checking the concept.

Your approach works only on pristine offline signed images from mkfs.ubifs.
So, if somebody does this, it won't work:

$ keyctl padd logon ubifs:authfs @s < secret.key 
$ mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,auth_key=ubifs:authfs

... change the fs ...

$ umount /mnt
$ mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,ro

The ro mount will fail because UBIFS is no longer able to verify the super block
using the system key ring. It was overwritten by the ubifs:authfs key.

A possible solution is keeping a copy of the offline sign key forever in the fs.
But I'm not sure whether this is wise.

Thanks,
//richard


