Re: [PATCH 0/2] mtd-utils: mkfs.ubifs: Add signing support for UBIFS images


Hi there,

I am testing ubifs authentication for my new board, however I can't
get it to work.
I am not able to have keyctl add my key to the kernel keyring.

This is by far the easiest documentation I found about ubifs authentication.

I've got my kernel generating the asymmetric key, I can do the offline
signing with mkfs.ubifs but am not able to mount the ubifs partition.
I always get the following error:
    mount: mounting /dev/ubi0_8 on /mnt failed: Required key not available

I am really not sure about the "keyctl add" part.
From Sascha's example, should we replace 'mysecret' with
'signing_key.pem'? Should we change its format?
keyctl returns an identifier that does not appear to exist.
I don't have any new entry with the keyctl show command.

I am using Linux kernel 5.4.18, and mtd-utils from master (revision
95633c4dfe9).

I have the x509 certificate entry in /proc/keys (as asymmetri Build
time autogenerated kernel key)

My kernel config has the following entries:
CONFIG_UBIFS_FS_AUTHENTICATION=y
CONFIG_CRYPTO_AUTHENC=m
CONFIG_KEYS=y
CONFIG_SYSTEM_TRUSTED_KEYS=""
CONFIG_MODULE_SIG_FORMAT=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_SHA256=y
CONFIG_MODULE_SIG_HASH="sha256"
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"

Thanks for your help, I am not sure if ubifs authentication is widely used yet.




On Tue, Aug 6, 2019 at 12:49 PM Sascha Hauer <s.hauer@xxxxxxxxxxxxxx> wrote:
>
> This series adds the userspace part to mkfs.ubifs to generate signed UBIFS
> images. With this a UBIFS image can be cryptographically signed in PKCS
> #7 CMS format which is then authenticated in the Kernel before mounting
> it. The necessary Kernel bits have been merged with 817aa094842d
> ("ubifs: support offline signed images").
>
> Here is a quick walkthrough for generating and mounting a signed UBIFS image
> using the kernel provided keys used for module signing:
>
> - configure kernel with CONFIG_UBIFS_FS_AUTHENTICATION, CONFIG_MODULE_SIG and
>   CONFIG_INTEGRITY_ASYMMETRIC_KEYS enabled (assumed to be in ~/linux/ in
>   this example)
> - build kernel, ~/linux/certs/signing_key.x509 and ~/linux/certs/signing_key.pem
>   will be generated
> - generate ubifs image:
>
>   mkfs.ubifs --hash-algo=sha256 --auth-cert=~/linux/certs/signing_key.x509 \
>         -d root -e  126976 -o ~/signed.ubifs -c 1024 -m 2048 \
>         --auth-key=~/linux/certs/signing_key.pem
>
> - flash UBIFS image onto target and mount:
>
>   ubimkvol -N root -s 64MiB /dev/ubi0
>   ubiupdatevol /dev/ubi0_0 signed.ubifs
>   cat mysecret | keyctl padd logon ubifs:root @s
>   mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,auth_key=ubifs:root
>
>
> Sascha Hauer (2):
>   ubifs-media: Update to Linux-5.3-rc3
>   mkfs.ubifs: Add authentication support
>
>  include/mtd/ubifs-media.h           |  75 ++++-
>  ubifs-utils/Makemodule.am           |   3 +-
>  ubifs-utils/mkfs.ubifs/lpt.c        |  12 +
>  ubifs-utils/mkfs.ubifs/mkfs.ubifs.c | 172 +++++++++---
>  ubifs-utils/mkfs.ubifs/mkfs.ubifs.h |   1 +
>  ubifs-utils/mkfs.ubifs/sign.c       | 409 ++++++++++++++++++++++++++++
>  ubifs-utils/mkfs.ubifs/sign.h       |  80 ++++++
>  ubifs-utils/mkfs.ubifs/ubifs.h      |  22 +-
>  8 files changed, 730 insertions(+), 44 deletions(-)
>  create mode 100644 ubifs-utils/mkfs.ubifs/sign.c
>  create mode 100644 ubifs-utils/mkfs.ubifs/sign.h
>
> --
> 2.20.1
>
>
> ______________________________________________________
> Linux MTD discussion mailing list
> http://lists.infradead.org/mailman/listinfo/linux-mtd/
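
Added example (not part of the original thread or of mtd-utils): a preflight check that reads a kernel config and reports the state of the three options the quoted walkthrough asks for. The function names and the reading of "enabled" as `=y` are assumptions; the sample input is constructed from config entries listed in the message above, which may be a partial listing.

```shell
#!/bin/sh
# Added example: check a kernel .config against the options named in the
# quoted walkthrough. Hypothetical helper names; not mtd-utils or kernel code.

REQUIRED_OPTS="CONFIG_UBIFS_FS_AUTHENTICATION CONFIG_MODULE_SIG CONFIG_INTEGRITY_ASYMMETRIC_KEYS"

# Print the state of option $2 in config file $1: y, m, unset or absent.
config_state() {
    cfg=$1 opt=$2
    if grep -q "^${opt}=y\$" "$cfg"; then echo y
    elif grep -q "^${opt}=m\$" "$cfg"; then echo m
    elif grep -q "^# ${opt} is not set\$" "$cfg"; then echo unset
    else echo absent
    fi
}

# Report every required option; return 1 unless all of them are =y
# (assumption: "enabled" in the walkthrough means built in).
check_ubifs_auth_config() {
    cfg=$1 rc=0
    for opt in $REQUIRED_OPTS; do
        state=$(config_state "$cfg" "$opt")
        echo "$opt: $state"
        [ "$state" = y ] || rc=1
    done
    return $rc
}

# Constructed sample: entries taken from the config listing in the message
# above (a partial listing, not a full .config).
sample_config() {
    cat <<'EOF'
CONFIG_UBIFS_FS_AUTHENTICATION=y
CONFIG_CRYPTO_AUTHENC=m
CONFIG_KEYS=y
CONFIG_MODULE_SIG=y
CONFIG_MODULE_SIG_KEY="certs/signing_key.pem"
EOF
}

tmp=$(mktemp) && sample_config > "$tmp"
check_ubifs_auth_config "$tmp" || echo "not every walkthrough option is =y in this listing"
rm -f "$tmp"
```

On a target, point `check_ubifs_auth_config` at the real config (for example the build tree's `.config`) rather than the sample.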
