From: Sascha Hauer <s.hauer@pengutronix.de>
To: linux-mtd@lists.infradead.org
Cc: Richard Weinberger <richard@nod.at>,
    Sascha Hauer <s.hauer@pengutronix.de>,
    david.oberhollenzer@sigma-star.at
Subject: [PATCH 0/2] mtd-utils: mkfs.ubifs: Add signing support for UBIFS images
Date: Tue, 6 Aug 2019 12:49:26 +0200
Message-ID: <20190806104928.1224-1-s.hauer@pengutronix.de>

This series adds the userspace part to mkfs.ubifs to generate signed UBIFS
images. With this a UBIFS image can be cryptographically signed in
PKCS #7 CMS format which is then authenticated in the Kernel before mounting
it. The necessary Kernel bits have been merged with 817aa094842d
("ubifs: support offline signed images").

Here is a quick walkthrough for generating and mounting a signed UBIFS image
using the kernel provided keys used for module signing:

- configure kernel with CONFIG_UBIFS_FS_AUTHENTICATION, CONFIG_MODULE_SIG and
  CONFIG_INTEGRITY_ASYMMETRIC_KEYS enabled (assumed to be in ~/linux/ in
  this example)
- build kernel, ~/linux/certs/signing_key.x509 and ~/linux/certs/signing_key.pem
  will be generated
- generate ubifs image:

  mkfs.ubifs --hash-algo=sha256 --auth-cert=$HOME/linux/certs/signing_key.x509 \
      -d root -e 126976 -o ~/signed.ubifs -c 1024 -m 2048 \
      --auth-key=$HOME/linux/certs/signing_key.pem

- flash UBIFS image onto target and mount:

  ubimkvol -N root -s 64MiB /dev/ubi0
  ubiupdatevol /dev/ubi0_0 signed.ubifs
  cat mysecret | keyctl padd logon ubifs:root @s
  mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,auth_key=ubifs:root

Sascha Hauer (2):
  ubifs-media: Update to Linux-5.3-rc3
  mkfs.ubifs: Add authentication support

 include/mtd/ubifs-media.h           |  75 ++++-
 ubifs-utils/Makemodule.am           |   3 +-
 ubifs-utils/mkfs.ubifs/lpt.c        |  12 +
 ubifs-utils/mkfs.ubifs/mkfs.ubifs.c | 172 +++++++++---
 ubifs-utils/mkfs.ubifs/mkfs.ubifs.h |   1 +
 ubifs-utils/mkfs.ubifs/sign.c       | 409 ++++++++++++++++++++++++++++
 ubifs-utils/mkfs.ubifs/sign.h       |  80 ++++++
 ubifs-utils/mkfs.ubifs/ubifs.h      |  22 +-
 8 files changed, 730 insertions(+), 44 deletions(-)
 create mode 100644 ubifs-utils/mkfs.ubifs/sign.c
 create mode 100644 ubifs-utils/mkfs.ubifs/sign.h

-- 
2.20.1
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
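
Added example, not part of the original message or of mtd-utils: a shell preflight for the walkthrough above that checks the three kernel options, that the build produced the certificate and key, and that the private key is not group- or world-readable. The function names missing_opts and preflight are hypothetical, the options are assumed to be boolean (=y), and the key-permission check is an addition beyond the walkthrough.

```shell
#!/bin/sh
# Added example: preflight for the signed-UBIFS walkthrough.
# Option names and certs/ paths are taken from the cover letter;
# function names are hypothetical.

REQUIRED_OPTS="CONFIG_UBIFS_FS_AUTHENTICATION CONFIG_MODULE_SIG CONFIG_INTEGRITY_ASYMMETRIC_KEYS"

# missing_opts CONFIG_FILE: print the required options that are not "=y".
# The anchored match keeps CONFIG_MODULE_SIG_ALL=y from satisfying
# CONFIG_MODULE_SIG; "# ... is not set" and an absent file count as missing.
missing_opts() {
    cfg=$1
    out=""
    for opt in $REQUIRED_OPTS; do
        if ! grep -Eq "^${opt}=y\$" "$cfg" 2>/dev/null; then
            out="${out}${out:+ }${opt}"
        fi
    done
    printf '%s' "$out"
}

# preflight KERNEL_DIR: return 0 when config, certificate and key are ready
# for mkfs.ubifs; otherwise report each problem on stderr and return 1.
preflight() {
    dir=$1
    rc=0
    miss=$(missing_opts "$dir/.config")
    if [ -n "$miss" ]; then
        echo "not enabled in $dir/.config: $miss" >&2
        rc=1
    fi
    for f in certs/signing_key.x509 certs/signing_key.pem; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f (build the kernel first)" >&2
            rc=1
        fi
    done
    # Whoever can read the private key can sign images the kernel accepts.
    key=$dir/certs/signing_key.pem
    if [ -f "$key" ] && [ -n "$(find "$key" \( -perm -040 -o -perm -004 \))" ]; then
        echo "private key readable by group/other: $key" >&2
        rc=1
    fi
    return $rc
}

# Stand-alone use: sh preflight.sh ~/linux
if [ "$#" -eq 1 ]; then preflight "$1"; fi
```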