On Mon, Feb 10, 2020 at 8:57 AM Sascha Hauer <s.hauer@xxxxxxxxxxxxxx> wrote:
>
> On Fri, Feb 07, 2020 at 06:20:57PM +0100, Kevin Raymond wrote:
> > On Fri, Feb 7, 2020 at 4:51 PM Sascha Hauer <s.hauer@xxxxxxxxxxxxxx> wrote:
> > >
> > > Hi Kevin,
> > >
> > > On Fri, Feb 07, 2020 at 04:25:58PM +0100, Kevin Raymond wrote:
> > > > Hi there,
> > > >
> > > > I am testing ubifs authentication for my new board, however I can't
> > > > get it to work.
> > > > I am not able to have keyctl add my key to the kernel keyring.
> > > >
> > > > This is by far the easiest documentation I found about ubifs authentication.
> > > >
> > > > I've got my kernel generating the asymmetric key, I can do the offline
> > > > signing with mkfs.ubifs but am not able to mount the ubifs partition.
> > > > I always get the following error:
> > > > mount: mounting /dev/ubi0_8 on /mnt failed: Required key not available
> > > >
> > > > I am really not sure about the "keyctl add" part.
> > > > From the Sascha example, should we change 'mysecret' by
> > > > 'signing_key.pem' ? Should we change its format?
> > >
> > > There are two different keys involved. One is an asymmetric
> > > private/public key pair needed for authenticating offline signed images.
> > > That's the one you compile the Kernel with and which you provide to
> > > mkfs.ubifs. This key is only used during first mount.
> > >
> > > The other one is a symmetric key which is used during runtime and that's
> > > the one you add with:
> > >
> > > cat mysecret | keyctl padd logon ubifs:root @s
> > >
> > > Note that "cat mysecret" is only an example. It obviously doesn't help
> > > authenticating having a key stored world readable on the device. The
> > > i.MX6 offers ways to generate secrets with the CAAM unit. However,
> > > for testing purposes some "echo foobarbaz | keyctl padd logon ubifs:root
> > > @s" does it.
> >
> > Alright I get it, the offline signing key is not the same as the one used at
> > runtime (which is definitely a good thing).
> >
> > >
> > > You are trying offline signed images, but maybe you should start without
> > > an image and do runtime authentication only. For this create an empty
> > > UBI volume and just mount it like this (after doing the keyctl padd as
> > > above):
> > >
> > > mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,auth_key=ubifs:root
> > >
> > > I am not sure if the kernel can read the key if you put it into the
> > > session keyring. Systemd for example influences this and I don't know
> > > exactly how. You might have to replace "@s" with "@u".
> >
> > Ok, using user session keyring is better in my example I can successfully define
> > a new symmetric key in order to mount a newly created partition.
> > I am not using systemd here, a simple busybox and sysV init.
> >
> > However if I get the whole idea, if I use ubiupdatevol to update my partition,
> > I need the public key used while signing the ubifs at the first mount time
> > and then another symmetric one ("mysecret" identified as 'ubifs:root' in this
> > example) in order to keep signing the partition.
>
> Yes. You could do without the symmetric key in a readonly environment.
>
> > This public key is already present (available to the mount command?) but
> > I don't have a way to tell which one to use.
>
> You don't have to, the Kernel will pick the right one automatically.
>
> >
> > mount -t ubifs /dev/ubi0_8 -o auth_key=ubifs:root,auth_hash_name=sha256 /mnt/
> > mount: mounting /dev/ubi0_8 on /mnt/ failed: Invalid argument
> >
> > auth_key is the new symmetric key
> > my public key used when creating the offline signature is in /proc/keys
> >
> > 3b1ecf1d I------ 1 perm 1f030000 0 0 asymmetri Build time autogenerated kernel key: a21494c43b8859eceedf1c3d6727fd26f51b1bea: X509.rsa f51b1bea []
> >
> > I am not sure what I am missing about the first mount of a signed ubifs.
>
> Me neither currently. I could play it through with a current
> Linux/mtd-utils tomorrow to see if there's anything not working.

Ok, thanks a lot for your help.
I tried from scratch (auto generated kernel certificate/key, offline signing
using this key+certificate) and I still get the following:

# mount -t ubifs /dev/ubi0_6 -o ro /mnt
mount: mounting /dev/ubi0_6 on /mnt failed: Invalid argument
[ 7961.936787] UBIFS error (ubi0:6 pid 1025): ubifs_read_superblock: authenticated FS found, but no key given

Apparently I need the symmetric key, as the following is working now (with or
without the read-only option)

mount -t ubifs /dev/ubi0_6 -o ro,auth_key=ubifs:rootf,auth_hash_name=sha256 /mnt
[ 8390.028045] UBIFS (ubi0:6): Mounting in authenticated mode
[ 8618.586641] UBIFS (ubi0:6): background thread "ubifs_bgt0_6" stops
[ 8630.039989] UBIFS (ubi0:6): Mounting in authenticated mode
[ 8630.098767] UBIFS (ubi0:6): Successfully verified super block signature
[ 8630.151322] UBIFS (ubi0:6): UBIFS: mounted UBI device 0, volume 6, name "root", R/O mode
[ 8630.159482] UBIFS (ubi0:6): LEB size: 126976 bytes (124 KiB), min./max. I/O unit sizes: 2048 bytes/2048 bytes
[ 8630.169370] UBIFS (ubi0:6): FS size: 33267712 bytes (31 MiB, 262 LEBs), journal size 9023488 bytes (8 MiB, 72 LEBs)
[ 8630.179784] UBIFS (ubi0:6): reserved for root: 0 bytes (0 KiB)
[ 8630.185546] UBIFS (ubi0:6): media format: w4/r0 (latest is w5/r0), UUID 33053EA9-B76E-47A1-BC0B-BB8B97E7F593, small LPT model

I don't know what was wrong last Friday, it might be the symmetric key inserted
with keyctl in an invalid format. This time I tried with a simple ASCII string.

I now have a working example, which is enough for me to dig further into the
ubifs authentication feature.
Thanks a lot for your work and your help.

>
> Sascha
>
> --
> Pengutronix e.K.                 |                             |
> Steuerwalder Str. 21             | http://www.pengutronix.de/  |
> 31137 Hildesheim, Germany        | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686 | Fax:   +49-5121-206917-5555 |

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
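
A pre-flight check for the mount options discussed in this thread, added here as an example and not part of any poster's message: it verifies that both auth_key and auth_hash_name are given, that the key description has the prefix:name form logon keys use, and that the key can be found before mount is attempted. The names `ubifs_auth_preflight` and `KEY_LOOKUP` are hypothetical, and searching the user keyring (@u) is an assumption taken from the thread.

```shell
#!/bin/sh
# Added example: pre-flight check for a UBIFS authenticated mount.
# KEY_LOOKUP is a hypothetical override so the check can be exercised
# without a keyring; by default it searches the user keyring with keyctl.
KEY_LOOKUP=${KEY_LOOKUP:-keyctl search @u logon}

# ubifs_auth_preflight "<comma-separated mount options>"
# Prints one diagnosis line; returns 0 only if the mount can be attempted.
ubifs_auth_preflight() {
    opts=$1 key= hash=
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        case $o in
            auth_key=*)       key=${o#auth_key=} ;;
            auth_hash_name=*) hash=${o#auth_hash_name=} ;;
        esac
    done
    IFS=$old_ifs

    if [ -z "$key" ]; then
        # Error reported in the thread when mounting with "-o ro" only.
        echo "missing auth_key: expect 'authenticated FS found, but no key given'"
        return 1
    fi
    if [ -z "$hash" ]; then
        echo "missing auth_hash_name (the thread uses sha256)"
        return 2
    fi
    # logon-type keys need a "prefix:name" description, e.g. ubifs:root
    case $key in
        ?*:?*) ;;
        *) echo "key description '$key' is not of the form prefix:name"
           return 3 ;;
    esac
    # The runtime symmetric key must already be loaded, e.g. with
    # "keyctl padd logon ubifs:root @u" as discussed in the thread.
    if ! $KEY_LOOKUP "$key" >/dev/null 2>&1; then
        echo "logon key '$key' not found: expect 'Required key not available'"
        return 4
    fi
    echo "ok: auth_key=$key auth_hash_name=$hash"
}
```

Call it with the same option string you intend to pass to mount -o, after the symmetric key has been loaded.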