This series adds the userspace part to mkfs.ubifs to generate signed UBIFS
images. With this a UBIFS image can be cryptographically signed in PKCS #7 CMS
format which is then authenticated in the Kernel before mounting it.

The necessary Kernel bits have been merged with 817aa094842d ("ubifs: support
offline signed images").

Here is a quick walkthrough for generating and mounting a signed UBIFS image
using the kernel provided keys used for module signing:

- configure kernel with CONFIG_UBIFS_FS_AUTHENTICATION, CONFIG_MODULE_SIG and
  CONFIG_INTEGRITY_ASYMMETRIC_KEYS enabled (assumed to be in ~/linux/ in this
  example)
- build kernel, ~/linux/certs/signing_key.x509 and
  ~/linux/certs/signing_key.pem will be generated
- generate ubifs image:

    mkfs.ubifs --hash-algo=sha256 --auth-cert=~/linux/certs/signing_key.x509 \
        -d root -e 126976 -o ~/signed.ubifs -c 1024 -m 2048 \
        --auth-key=~/linux/certs/signing_key.pem

- flash UBIFS image onto target and mount:

    ubimkvol -N root -s 64MiB /dev/ubi0
    ubiupdatevol /dev/ubi0_0 signed.ubifs
    cat mysecret | keyctl padd logon ubifs:root @s
    mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,auth_key=ubifs:root

Sascha Hauer (2):
  ubifs-media: Update to Linux-5.3-rc3
  mkfs.ubifs: Add authentication support

 include/mtd/ubifs-media.h           |  75 ++++-
 ubifs-utils/Makemodule.am           |   3 +-
 ubifs-utils/mkfs.ubifs/lpt.c        |  12 +
 ubifs-utils/mkfs.ubifs/mkfs.ubifs.c | 172 +++++++++---
 ubifs-utils/mkfs.ubifs/mkfs.ubifs.h |   1 +
 ubifs-utils/mkfs.ubifs/sign.c       | 409 ++++++++++++++++++++++++++++
 ubifs-utils/mkfs.ubifs/sign.h       |  80 ++++++
 ubifs-utils/mkfs.ubifs/ubifs.h      |  22 +-
 8 files changed, 730 insertions(+), 44 deletions(-)
 create mode 100644 ubifs-utils/mkfs.ubifs/sign.c
 create mode 100644 ubifs-utils/mkfs.ubifs/sign.h

--
2.20.1

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
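A pre-flight check for the walkthrough above, as an added example that is not part of the patch series or of mtd-utils: it confirms the three kernel options are enabled and that the private key passed to --auth-key belongs to the certificate passed to --auth-cert. The function names and argument order are assumptions of this example, and it relies on the openssl command-line tool; the certificate is tried as DER first, then PEM.

```sh
#!/bin/sh
# Added example: checks to run before mkfs.ubifs --auth-key/--auth-cert.
# Function names and the argument layout are assumptions of this example.

# Print each required option that is not "=y" in the given kernel .config.
# Returns 0 only when all three options from the walkthrough are enabled.
missing_kconfig() {
    rc=0
    for opt in CONFIG_UBIFS_FS_AUTHENTICATION CONFIG_MODULE_SIG \
               CONFIG_INTEGRITY_ASYMMETRIC_KEYS; do
        if ! grep -qx "${opt}=y" "$1"; then
            echo "$opt"
            rc=1
        fi
    done
    return "$rc"
}

# Print the certificate's public key; try DER first, then PEM.
cert_pubkey() {
    openssl x509 -inform DER -in "$1" -pubkey -noout 2>/dev/null ||
        openssl x509 -inform PEM -in "$1" -pubkey -noout 2>/dev/null
}

# Succeed only if the private key in $1 belongs to the certificate in $2.
# Returns 2 when either file cannot be parsed, 1 on a mismatch.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(cert_pubkey "$2") || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# Usage: sh preflight.sh <kernel .config> <key.pem> <cert.x509>
preflight() {
    missing=$(missing_kconfig "$1") ||
        { echo "not enabled:" $missing >&2; return 1; }
    key_matches_cert "$2" "$3" ||
        { echo "key/cert mismatch or unreadable" >&2; return 1; }
    echo "ok: kernel options set, key matches certificate"
}

if [ "$#" -eq 3 ]; then
    preflight "$@"
fi
```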