Re: [PATCH 0/2] mtd-utils: mkfs.ubifs: Add signing support for UBIFS images

Hi Kevin,

On Fri, Feb 07, 2020 at 04:25:58PM +0100, Kevin Raymond wrote:
> Hi there,
> 
> I am testing ubifs authentication for my new board, however I can't
> get it to work.
> I am not able to have keyctl add my key to the kernel keyring.
> 
> This is by far the easiest documentation I found about ubifs authentication.
> 
> I've got my kernel generating the asymmetric key, I can do the offline
> signing with mkfs.ubifs but am not able to mount the ubifs partition.
> I always get the following error:
>     mount: mounting /dev/ubi0_8 on /mnt failed: Required key not available
> 
> I am really not sure about the "keyctl add" part.
> From Sascha's example, should we replace 'mysecret' with
> 'signing_key.pem'? Should we change its format?

There are two different keys involved. One is an asymmetric
private/public key pair needed for authenticating offline signed images.
That's the one you compile the kernel with and which you provide to
mkfs.ubifs. This key is only used during first mount.

The other one is a symmetric key which is used during runtime and that's
the one you add with:

cat mysecret | keyctl padd logon ubifs:root @s

Note that "cat mysecret" is only an example. Having the key stored
world-readable on the device obviously doesn't help with authentication.
The i.MX6 offers ways to generate secrets with the CAAM unit. However,
for testing purposes something like

echo foobarbaz | keyctl padd logon ubifs:root @s

does it.

You are trying offline signed images, but maybe you should start without
an image and do runtime authentication only. For this create an empty
UBI volume and just mount it like this (after doing the keyctl padd as
above):

mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,auth_key=ubifs:root

I am not sure if the kernel can read the key if you put it into the
session keyring. Systemd for example influences this and I don't know
exactly how. You might have to replace "@s" with "@u".

Hope that helps.

Regards
 Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
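The runtime-only test Sascha describes, as an added example script that is not part of the thread: it loads a fresh random secret straight from /dev/urandom into the keyring (so no world-readable key file is needed), confirms the kernel can find it in that keyring before mounting, and lets you switch from @s to @u if the session keyring is not the one the kernel searches. It assumes keyutils' keyctl, an empty UBI volume at /dev/ubi0_0 and root privileges; the UBIFS_RUN guard, key description and argument order are this script's own choices.

```shell
#!/bin/sh
# Added example: runtime-only UBIFS authentication on an empty UBI volume.
# Assumes keyutils (keyctl padd / keyctl search) and a volume at /dev/ubi0_0.
# Nothing runs unless UBIFS_RUN is set, e.g.: UBIFS_RUN=1 ./ubifs-auth.sh @s
set -eu

KEY_TYPE="logon"
KEY_DESC="ubifs:root"

# Mount options for UBIFS runtime authentication (hash name and key description).
ubifs_auth_opts() {
    printf 'auth_hash_name=%s,auth_key=%s' "$1" "$2"
}

# Only the session (@s) and user (@u) keyrings make sense as targets here.
keyring_ok() {
    case "$1" in
        @s|@u) return 0 ;;
        *) return 1 ;;
    esac
}

# Load a 32-byte random secret from /dev/urandom directly into the chosen
# keyring, so the key never exists as a file on the device, then verify the
# kernel can find it there. A failing lookup is what shows up at mount time
# as "Required key not available".
load_runtime_key() {
    keyring="$1"
    keyring_ok "$keyring" || { echo "unsupported keyring: $keyring" >&2; return 1; }
    head -c 32 /dev/urandom | keyctl padd "$KEY_TYPE" "$KEY_DESC" "$keyring" >/dev/null
    keyctl search "$keyring" "$KEY_TYPE" "$KEY_DESC" >/dev/null
}

main() {
    keyring="${1:-@s}"; volume="${2:-/dev/ubi0_0}"; mnt="${3:-/mnt}"
    if ! load_runtime_key "$keyring"; then
        echo "key not found in $keyring; try again with @u" >&2
        exit 1
    fi
    mount -t ubifs "$volume" "$mnt" -o "$(ubifs_auth_opts sha256 "$KEY_DESC")"
    echo "mounted $volume on $mnt with runtime authentication"
}

if [ -n "${UBIFS_RUN:-}" ]; then
    main "$@"
fi
```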


