From: Richard Weinberger <richard@nod.at>
To: tglx <tglx@linutronix.de>
Cc: bigeasy <bigeasy@linutronix.de>,
linux-mtd <linux-mtd@lists.infradead.org>,
Sascha Hauer <s.hauer@pengutronix.de>,
david <david@sigma-star.at>,
Torben Hohn <torben.hohn@linutronix.de>
Subject: Re: [PATCH v2 0/4] ubifs: support authentication without hmac
Date: Thu, 2 Jul 2020 21:03:54 +0200 (CEST) [thread overview]
Message-ID: <1162063436.84431.1593716634407.JavaMail.zimbra@nod.at> (raw)
In-Reply-To: <87wo3lsqg6.fsf@nanos.tec.linutronix.de>
----- Ursprüngliche Mail -----
>>>> Anyway, like said in the other mail, I think if we change the feature to
>>>> "keep offline sign key and imply ro mount" things will be more smooth with less
>>>> corner
>>>> cases.
>>>
>>> I don't think so. The desired mode is to prevent RW mounts for a factory
>>> signed image which implies the prevention of rewriting the superblock.
>>
>> This is exactly what I'm asking for.
>> Keep the factory signed super block and imply read-only mode.
>
> And that's what Torben implemented unless I'm missing something.
Torben implemented it the other way around, he allows mounting without
the HMAC if UBIFS mount is read-only.
This covers also the proposed use-case but as I stated it has issues with
remounting and makes the implementation more complicated than it should be.
That's why I proposed adding a new mount option like "keep_offline_signature" or
what name fits better. That gives us the following pros:
1. Makes the implementation super simple.
If keep_offline_signature is set and rw mount requested, reject.
RW remount can rejected very easily, store keep_offline_signature in the ubifs context.
2. If the super block got already re-written, reject.
You can check sub->hmac[] for being non-zero.
That way we can give the user a decent error message in case they do stupid things.
3. Userspace can verify whether the UBIFS fs is pristine by checking
for the keep_offline_signature mount flag in /proc/self/mountinfo.
Thanks,
//richard
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
next prev parent reply other threads:[~2020-07-02 19:04 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-25 15:59 [PATCH 0/1] ubifs: support authentication without hmac Torben Hohn
2020-06-25 15:59 ` [PATCH 1/1] ubifs: support authentication, for ro mount, when no key is given Torben Hohn
2020-06-26 4:31 ` Sascha Hauer
2020-06-26 7:27 ` Torben Hohn
2020-06-26 7:53 ` Richard Weinberger
2020-06-26 8:10 ` Sascha Hauer
2020-06-26 9:39 ` Torben Hohn
2020-06-26 8:09 ` [PATCH 0/1] ubifs: support authentication without hmac Richard Weinberger
2020-06-29 6:46 ` Alexander Dahl
2020-06-29 7:04 ` Richard Weinberger
2020-06-29 7:48 ` Wolfgang Denk
2020-06-29 7:51 ` Richard Weinberger
2020-06-30 5:50 ` Wolfgang Denk
2020-06-30 13:36 ` Richard Weinberger
2020-06-30 14:36 ` Alexander Dahl
2020-06-26 11:29 ` [PATCH v2 0/4] " Torben Hohn
2020-06-26 11:29 ` [PATCH v2 1/4] ubifs: move #include "debug.h" above auth.c Torben Hohn
2020-06-26 11:29 ` [PATCH v2 2/4] ubifs: support authentication, for ro mount, when no key is given Torben Hohn
2020-06-26 11:29 ` [PATCH v2 3/4] ubifs: sprinkle ubifs_assert(c, !c->ro_mount) in hmac auth Torben Hohn
2020-06-26 11:29 ` [PATCH v2 4/4] ubifs: prevent remounting rw when no hmac key was given Torben Hohn
2020-06-26 12:27 ` Richard Weinberger
2020-06-29 8:53 ` Torben Hohn
2020-06-29 10:52 ` Richard Weinberger
2020-06-26 14:16 ` [PATCH v2 0/4] ubifs: support authentication without hmac Richard Weinberger
2020-06-26 14:36 ` Richard Weinberger
2020-06-29 9:13 ` Torben Hohn
2020-06-29 9:07 ` Torben Hohn
2020-06-29 10:46 ` Richard Weinberger
2020-07-02 14:40 ` Thomas Gleixner
2020-07-02 15:00 ` Richard Weinberger
2020-07-02 18:48 ` Thomas Gleixner
2020-07-02 19:03 ` Richard Weinberger [this message]
2020-07-03 8:16 ` bigeasy
2020-07-03 8:20 ` Richard Weinberger
2020-07-03 9:12 ` Thomas Gleixner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1162063436.84431.1593716634407.JavaMail.zimbra@nod.at \
--to=richard@nod.at \
--cc=bigeasy@linutronix.de \
--cc=david@sigma-star.at \
--cc=linux-mtd@lists.infradead.org \
--cc=s.hauer@pengutronix.de \
--cc=tglx@linutronix.de \
--cc=torben.hohn@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).