From: Sascha Hauer <s.hauer@pengutronix.de>
To: Kevin Raymond <kr@shaiton.org>
Cc: Richard Weinberger <richard@nod.at>,
	linux-mtd@lists.infradead.org, david.oberhollenzer@sigma-star.at
Subject: Re: [PATCH 0/2] mtd-utils: mkfs.ubifs: Add signing support for UBIFS images
Date: Fri, 7 Feb 2020 16:51:29 +0100	[thread overview]
Message-ID: <20200207155128.ouow363tvbg2whqk@pengutronix.de> (raw)
In-Reply-To: <CAPwc7DMK7RKDUW4Kx4eKVXVJ7y9pmYwCBA+OevN_RdrJvhXb3g@mail.gmail.com>

Hi Kevin,

On Fri, Feb 07, 2020 at 04:25:58PM +0100, Kevin Raymond wrote:
> Hi there,
> 
> I am testing ubifs authentication for my new board, however I can't
> get it to work.
> I am not able to have keyctl add my key to the kernel keyring.
> 
> This is by far the easiest documentation I found about ubifs authentication.
> 
> I've got my kernel generating the asymmetric key, I can do the offline
> signing with mkfs.ubifs but am not able to mount the ubifs partition.
> I always get the following error:
>     mount: mounting /dev/ubi0_8 on /mnt failed: Required key not available
> 
> I am really not sure about the "keyctl add" part.
> From Sascha's example, should we change 'mysecret' to
> 'signing_key.pem'? Should we change its format?

There are two different keys involved. One is an asymmetric
private/public key pair needed for authenticating offline signed images.
That's the one you compile the kernel with and which you provide to
mkfs.ubifs. This key is only used during first mount.

The other one is a symmetric key which is used during runtime and that's
the one you add with:

cat mysecret | keyctl padd logon ubifs:root @s

Note that "cat mysecret" is only an example. Having a key stored
world-readable on the device obviously doesn't help authentication. The
i.MX6 offers ways to generate secrets with the CAAM unit. However,
for testing purposes some "echo foobarbaz | keyctl padd logon ubifs:root
@s" does it.

You are trying offline signed images, but maybe you should start without
an image and do runtime authentication only. For this create an empty
UBI volume and just mount it like this (after doing the keyctl padd as
above):

mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,auth_key=ubifs:root

I am not sure if the kernel can read the key if you put it into the
session keyring. Systemd for example influences this and I don't know
exactly how. You might have to replace "@s" with "@u".

Hope that helps.

Regards
 Sascha

-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
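The runtime-authentication procedure from the reply above (load a logon key with keyctl, then mount with auth_hash_name and auth_key), as an added POSIX sh example that is not part of this thread or of mtd-utils. It assumes keyutils' keyctl(1) and a kernel built with UBIFS authentication; device node, mount point, key description and keyring (@s or @u) are parameters, and the environment variables DRY_RUN and UBIFS_AUTH_RUN are this example's own. It adds the checks a practitioner wants before the privileged commands run: the logon key description must have the "prefix:name" form the kernel requires, a secret file must not be world-readable, and with DRY_RUN=1 the commands are only printed.

```shell
#!/bin/sh
# Added example, not code from the thread or from mtd-utils: the keyctl and
# mount steps from the reply, wrapped in checked POSIX sh functions.
# Assumed: keyutils' keyctl(1) and a kernel with UBIFS authentication.
# Device node, mount point, key description and keyring are parameters;
# with DRY_RUN=1 the privileged commands are only printed, not executed.

# Print a command in dry-run mode, execute it otherwise.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

# A "logon" key description must have the form "<prefix>:<name>" (the
# kernel's logon key type rejects anything else) and must match the
# auth_key= mount option exactly, so validate it once up front.
valid_logon_desc() {
    case "$1" in
        ?*:?*) return 0 ;;
        *)     return 1 ;;
    esac
}

# Exit 0 if "others" have the read bit on a file: a secret kept in such a
# file on the device is exactly what the reply warns against.
world_readable() {
    case "$(ls -ld "$1")" in
        ???????r*) return 0 ;;
        *)         return 1 ;;
    esac
}

# The command that loads the runtime secret, as in the reply. keyctl padd
# reads the payload from stdin, so the secret never shows up in argv.
keyctl_add_cmd() {
    printf 'keyctl padd logon %s %s\n' "$1" "${2:-@s}"
}

# The mount line for a volume with runtime authentication (from the reply).
ubifs_mount_cmd() {
    printf 'mount -t ubifs %s %s -o auth_hash_name=%s,auth_key=%s\n' \
        "$1" "$2" "${4:-sha256}" "$3"
}

# Load the secret into the keyring, then mount the volume.
# $1 device, $2 mount point, $3 key description, $4 keyring (@s or @u, see
# the session-keyring caveat in the reply), $5 optional secret file.
# Without a secret file a fresh random 32-byte secret is used; that is fine
# for a first test mount, but the same secret must then be supplied again
# at every later mount of that volume.
ubifs_auth_mount() {
    dev=$1; mnt=$2; desc=$3; keyring=${4:-@s}; secret=$5
    valid_logon_desc "$desc" || { echo "bad logon key description: $desc" >&2; return 1; }
    if [ -n "$secret" ]; then
        if world_readable "$secret"; then
            echo "refusing world-readable secret file $secret" >&2
            return 1
        fi
        run $(keyctl_add_cmd "$desc" "$keyring") < "$secret"
    else
        dd if=/dev/urandom bs=32 count=1 2>/dev/null | run $(keyctl_add_cmd "$desc" "$keyring")
    fi || return 1
    run $(ubifs_mount_cmd "$dev" "$mnt" "$desc")
}

# Only act when explicitly asked (UBIFS_AUTH_RUN=1), so the file can also be
# sourced for its functions without touching the keyring or mounting anything.
if [ "${UBIFS_AUTH_RUN:-0}" = 1 ]; then
    ubifs_auth_mount "${1:-/dev/ubi0_0}" "${2:-/mnt}" "${3:-ubifs:root}" "${4:-@s}" "$5"
fi
```

To review what would happen on the board without running anything, invoke it as `DRY_RUN=1 UBIFS_AUTH_RUN=1 sh ubifs-auth.sh /dev/ubi0_0 /mnt ubifs:root @u` (script name assumed); dropping DRY_RUN then performs the keyctl padd and the mount. Switching the fourth argument between @s and @u is the quickest way to test the session-versus-user keyring question raised in the reply.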

Thread overview: 10+ messages
2019-08-06 10:49 [PATCH 0/2] mtd-utils: mkfs.ubifs: Add signing support for UBIFS images Sascha Hauer
2019-08-06 10:49 ` [PATCH 1/2] ubifs-media: Update to Linux-5.3-rc3 Sascha Hauer
2019-08-06 10:49 ` [PATCH 2/2] mkfs.ubifs: Add authentication support Sascha Hauer
2019-08-19  7:29 ` [PATCH 0/2] mtd-utils: mkfs.ubifs: Add signing support for UBIFS images David Oberhollenzer
2020-02-07 15:25 ` Kevin Raymond
2020-02-07 15:51   ` Sascha Hauer [this message]
2020-02-07 17:20     ` Kevin Raymond
2020-02-10  7:57       ` Sascha Hauer
2020-02-10 17:06         ` Kevin Raymond
2020-02-11  8:12           ` Sascha Hauer
