Re: [PATCH 0/2] mtd-utils: mkfs.ubifs: Add signing support for UBIFS images

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Mon, Feb 10, 2020 at 06:06:28PM +0100, Kevin Raymond wrote:
> On Mon, Feb 10, 2020 at 8:57 AM Sascha Hauer <s.hauer@xxxxxxxxxxxxxx> wrote:
> >
> > On Fri, Feb 07, 2020 at 06:20:57PM +0100, Kevin Raymond wrote:
> > > On Fri, Feb 7, 2020 at 4:51 PM Sascha Hauer <s.hauer@xxxxxxxxxxxxxx> wrote:
> > > >
> > > > Hi Kevin,
> > > >
> > > > On Fri, Feb 07, 2020 at 04:25:58PM +0100, Kevin Raymond wrote:
> > > > > Hi there,
> > > > >
> > > > > I am testing ubifs authentication for my new board, however I can't
> > > > > git it to work.
> > > > > I am not able to have keyctl add my key to the kernel keyring.
> > > > >
> > > > > This is by far the most easier documentation I found about ubifs authentication.
> > > > >
> > > > > I've got my kernel generating the asymmetric key, I can do the offline
> > > > > signing with mkfs.ubifs but am not able to mount the ubifs partition.
> > > > > I always get the following error:
> > > > >     mount: mounting /dev/ubi0_8 on /mnt failed: Required key not available
> > > > >
> > > > > I am really not sure about the "keyctl add" part.
> > > > > From the Sascha example, should we change 'mysecret' by
> > > > > 'signing_key.pem' ? Should we change its format?
> > > >
> > > > There are two different keys involved. One is an asymmetric
> > > > private/public key pair needed for authenticating offline signed images.
> > > > That's the one you compile the Kernel with and which you provide to
> > > > mkfs.ubifs. This key is only used during first mount.
> > > >
> > > > The other one is a symmetric key which is used during runtime and that's
> > > > the one you add with:
> > > >
> > > > cat mysecret | keyctl padd logon ubifs:root @s
> > > >
> > > > Note that "cat mysecret" is only an example. It obviously doesn't help
> > > > authenticating having a key stored world readable on the device. The
> > > > i.MX6 offers ways to generate secrets with the CAAM unit. However,
> > > > for testing purposes some "echo foobarbaz | keyctl padd logon ubifs:root
> > > > @s" does it.
> > >
> > > Alright I get it, the offline signing key is not the same as the one used at
> > > runtime (which is definitly a good thing).
> > >
> > > >
> > > > You are trying offline signed images, but maybe you should start without
> > > > an image and do runtime authentication only. For this create an empty
> > > > UBI volume and just mount it like this (after doing the keyctl padd as
> > > > above):
> > > >
> > > > mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,auth_key=ubifs:root
> > > >
> > > > I am not sure if the kernel can read the key if you put it into the
> > > > session keyring. Systemd for example influences this and I don't know
> > > > exactly how. You might have to replace "@s" with "@u".
> > >
> > > Ok, using user session keyring is better in my example I can successfully define
> > > a new symmetric key in order to mount a newly created partition.
> > > I am not using systemd here, a simple busybox and sysV init.
> > >
> > > However if I get the whole idea, If I use ubiupdatevol to update my partition,
> > > I need the public key used while signing the ubifs at the first mount time
> > > and then an other symmetric one ("mysecret" identified as 'ubifs:root' in this
> > > exemple) in order to keep signing the partition.
> >
> > Yes. You could do without the symmetric key in a readonly environment.
> >
> > >
> > > This public key is already present (available to the mount command?) but
> > > I don't have a way to tell which one to use.
> >
> > You don't have to, the Kernel will pick the right one automatically.
> >
> > >
> > > mount -t ubifs /dev/ubi0_8 -o auth_key=ubifs:root,auth_hash_name=sha256 /mnt/
> > > mount: mounting /dev/ubi0_8 on /mnt/ failed: Invalid argument
> > >
> > > auth_key is the new symmetric key
> > > my public key used when creating the offline signature is in /proc/keys
> > >
> > > 3b1ecf1d I------     1 perm 1f030000     0     0 asymmetri Build time
> > > autogenerated kernel key: a21494c43b8859eceedf1c3d6727fd26f51b1bea:
> > > X509.rsa f51b1bea []
> > >
> > > I am not sure what I am missing about the first mount of a signed ubifs.
> >
> > Me neither currently. I could play it through with a current
> > Linux/mtd-utils tomorrow to see if there's anything not working.
> 
> 
> Ok, thanks a lot for your help.
> I tried from scratch (auto generated kernel certificate/key, offline
> signing using this key+certificate) and I still get the following:
> 
>     # mount -t ubifs /dev/ubi0_6 -o ro /mnt
>     mount: mounting /dev/ubi0_6 on /mnt failed: Invalid argument
>     [ 7961.936787] UBIFS error (ubi0:6 pid 1025):
> ubifs_read_superblock: authenticated FS found, but no key given

Ok, this is something worth changing. The key is only needed once we go
rw.

> 
> Apparently I need the symmetric key, as the following is working now
> (with or without the read-only option)
> 
>     mount -t ubifs /dev/ubi0_6 -o
> ro,auth_key=ubifs:rootf,auth_hash_name=sha256  /mnt
>     [ 8390.028045] UBIFS (ubi0:6): Mounting in authenticated mode
>     [ 8618.586641] UBIFS (ubi0:6): background thread "ubifs_bgt0_6" stops
>     [ 8630.039989] UBIFS (ubi0:6): Mounting in authenticated mode
>     [ 8630.098767] UBIFS (ubi0:6): Successfully verified super block signature
>     [ 8630.151322] UBIFS (ubi0:6): UBIFS: mounted UBI device 0, volume
> 6, name "root", R/O mode
>     [ 8630.159482] UBIFS (ubi0:6): LEB size: 126976 bytes (124 KiB),
> min./max. I/O unit sizes: 2048 bytes/2048 bytes
>     [ 8630.169370] UBIFS (ubi0:6): FS size: 33267712 bytes (31 MiB,
> 262 LEBs), journal size 9023488 bytes (8 MiB, 72 LEBs)
>     [ 8630.179784] UBIFS (ubi0:6): reserved for root: 0 bytes (0 KiB)
>     [ 8630.185546] UBIFS (ubi0:6): media format: w4/r0 (latest is
> w5/r0), UUID 33053EA9-B76E-47A1-BC0B-BB8B97E7F593, small LPT model
> 
> I don't know what was wrong last Friday, it might be the symmetric key
> inserted with keyctl in an invalid format. This time a tried with a
> simple ascii string.
> I now have a working example, which is enough for me to dig further
> into the ubifs authentication feature.
> 
> Thanks a lot for your work and your help.

You're welcome. If anything is still not working don't hesitate to ask.

Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
[Index of Archives]     [LARTC]     [Bugtraq]     [Yosemite Forum]     [Photo]

  Powered by Linux