On Fri, Feb 07, 2020 at 06:20:57PM +0100, Kevin Raymond wrote:
> On Fri, Feb 7, 2020 at 4:51 PM Sascha Hauer <s.hauer@xxxxxxxxxxxxxx> wrote:
> >
> > Hi Kevin,
> >
> > On Fri, Feb 07, 2020 at 04:25:58PM +0100, Kevin Raymond wrote:
> > > Hi there,
> > >
> > > I am testing ubifs authentication for my new board, however I can't
> > > get it to work.
> > > I am not able to have keyctl add my key to the kernel keyring.
> > >
> > > This is by far the easiest documentation I found about ubifs authentication.
> > >
> > > I've got my kernel generating the asymmetric key, I can do the offline
> > > signing with mkfs.ubifs but am not able to mount the ubifs partition.
> > > I always get the following error:
> > > mount: mounting /dev/ubi0_8 on /mnt failed: Required key not available
> > >
> > > I am really not sure about the "keyctl add" part.
> > > From the Sascha example, should we replace 'mysecret' with
> > > 'signing_key.pem'? Should we change its format?
> >
> > There are two different keys involved. One is an asymmetric
> > private/public key pair needed for authenticating offline signed images.
> > That's the one you compile the Kernel with and which you provide to
> > mkfs.ubifs. This key is only used during first mount.
> >
> > The other one is a symmetric key which is used during runtime and that's
> > the one you add with:
> >
> > cat mysecret | keyctl padd logon ubifs:root @s
> >
> > Note that "cat mysecret" is only an example. It obviously doesn't help
> > authenticating having a key stored world readable on the device. The
> > i.MX6 offers ways to generate secrets with the CAAM unit. However,
> > for testing purposes some "echo foobarbaz | keyctl padd logon ubifs:root
> > @s" does it.
>
> Alright, I get it, the offline signing key is not the same as the one used at
> runtime (which is definitely a good thing).
>
> >
> > You are trying offline signed images, but maybe you should start without
> > an image and do runtime authentication only. For this create an empty
> > UBI volume and just mount it like this (after doing the keyctl padd as
> > above):
> >
> > mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,auth_key=ubifs:root
> >
> > I am not sure if the kernel can read the key if you put it into the
> > session keyring. Systemd for example influences this and I don't know
> > exactly how. You might have to replace "@s" with "@u".
>
> Ok, using the user session keyring is better; in my example I can successfully
> define a new symmetric key in order to mount a newly created partition.
> I am not using systemd here, a simple busybox and sysV init.
>
> However, if I get the whole idea, if I use ubiupdatevol to update my partition,
> I need the public key used while signing the ubifs at the first mount time
> and then another symmetric one ("mysecret" identified as 'ubifs:root' in this
> example) in order to keep signing the partition.

Yes. You could do without the symmetric key in a readonly environment.

>
> This public key is already present (available to the mount command?) but
> I don't have a way to tell which one to use.

You don't have to, the Kernel will pick the right one automatically.

>
> mount -t ubifs /dev/ubi0_8 -o auth_key=ubifs:root,auth_hash_name=sha256 /mnt/
> mount: mounting /dev/ubi0_8 on /mnt/ failed: Invalid argument
>
> auth_key is the new symmetric key
> my public key used when creating the offline signature is in /proc/keys
>
> 3b1ecf1d I------ 1 perm 1f030000 0 0 asymmetri Build time
> autogenerated kernel key: a21494c43b8859eceedf1c3d6727fd26f51b1bea:
> X509.rsa f51b1bea []
>
> I am not sure what I am missing about the first mount of a signed ubifs.

Me neither currently. I could play it through with a current Linux/mtd-utils
tomorrow to see if there's anything not working.

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
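An added preflight check for the two-key model Sascha describes (example code, not from the thread or from mtd-utils): it reads a /proc/keys listing for the build-time asymmetric key and the ubifs:root logon key, so a "Required key not available" can be traced to whichever key is missing, and it builds the mount option string used in the thread. The /proc/keys sample is constructed (the asymmetric line is the one Kevin posted; the logon line, its serial and the key file check are assumptions).

```shell
#!/bin/sh
# Constructed /proc/keys sample: Kevin's asymmetric key line plus an
# assumed logon key line as it appears after "keyctl padd logon ubifs:root".
PROC_KEYS_SAMPLE='3b1ecf1d I------     1 perm 1f030000     0     0 asymmetri Build time autogenerated kernel key: a21494c43b8859eceedf1c3d6727fd26f51b1bea: X509.rsa f51b1bea []
1c9e2f40 I--Q---     1 perm 3f010000     0     0 logon     ubifs:root: 32'

# has_key TYPE DESCRIPTION TEXT: succeed if TEXT (a /proc/keys listing:
# serial flags usage timeout perms uid gid type description: summary)
# holds a key of TYPE; with a non-empty DESCRIPTION the name must match too.
# The type column is cut to 9 characters, so asymmetric shows as "asymmetri".
has_key() {
    printf '%s\n' "$3" | awk -v t="$1" -v d="$2" '
        BEGIN { want = d ":" }
        $8 == t && (d == "" || $9 == want) { found = 1 }
        END { exit !found }'
}

# ubifs_auth_preflight KEYNAME TEXT: report which of the two keys is absent.
# The asymmetric kernel key is only consulted on the first mount of an
# offline signed image; the logon key is needed for every authenticated mount.
ubifs_auth_preflight() {
    rc=0
    if ! has_key asymmetri "" "$2"; then
        echo "no asymmetric key in the kernel keyring: first mount of a mkfs.ubifs signed image will fail" >&2
        rc=1
    fi
    if ! has_key logon "$1" "$2"; then
        echo "no logon key '$1': add it with 'keyctl padd logon $1 @u' (Sascha suggests @u if @s is not found)" >&2
        rc=1
    fi
    return $rc
}

# mount_opts KEYNAME HASH: the -o string from the thread.
mount_opts() {
    printf 'auth_hash_name=%s,auth_key=%s' "$2" "$1"
}

# add_runtime_key FILE KEYNAME: load the runtime secret into the user
# keyring, refusing a world-readable file (the "cat mysecret" caveat above).
add_runtime_key() {
    case "$(ls -ld "$1")" in
        ???????r*) echo "$1 is world readable; refusing to use it as the UBIFS key" >&2; return 1 ;;
    esac
    keyctl padd logon "$2" @u < "$1"
}

ubifs_auth_preflight ubifs:root "$PROC_KEYS_SAMPLE" && echo "sample has both keys; mount with -o $(mount_opts ubifs:root sha256)"
```

On a target, replace the sample with `"$(cat /proc/keys)"` and run the preflight before the `mount -t ubifs` call.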