Re: [PATCH 0/2] mtd-utils: mkfs.ubifs: Add signing support for UBIFS images

[Kevin Raymond <kr@shaiton.org>]

On Mon, Feb 10, 2020 at 8:57 AM Sascha Hauer <s.hauer@pengutronix.de> wrote:
>
> On Fri, Feb 07, 2020 at 06:20:57PM +0100, Kevin Raymond wrote:
> > On Fri, Feb 7, 2020 at 4:51 PM Sascha Hauer <s.hauer@pengutronix.de> wrote:
> > >
> > > Hi Kevin,
> > >
> > > On Fri, Feb 07, 2020 at 04:25:58PM +0100, Kevin Raymond wrote:
> > > > Hi there,
> > > >
> > > > I am testing ubifs authentication for my new board, however I can't
> > > > git it to work.
> > > > I am not able to have keyctl add my key to the kernel keyring.
> > > >
> > > > This is by far the most easier documentation I found about ubifs authentication.
> > > >
> > > > I've got my kernel generating the asymmetric key, I can do the offline
> > > > signing with mkfs.ubifs but am not able to mount the ubifs partition.
> > > > I always get the following error:
> > > >     mount: mounting /dev/ubi0_8 on /mnt failed: Required key not available
> > > >
> > > > I am really not sure about the "keyctl add" part.
> > > > From the Sascha example, should we change 'mysecret' by
> > > > 'signing_key.pem' ? Should we change its format?
> > >
> > > There are two different keys involved. One is an asymmetric
> > > private/public key pair needed for authenticating offline signed images.
> > > That's the one you compile the Kernel with and which you provide to
> > > mkfs.ubifs. This key is only used during first mount.
> > >
> > > The other one is a symmetric key which is used during runtime and that's
> > > the one you add with:
> > >
> > > cat mysecret | keyctl padd logon ubifs:root @s
> > >
> > > Note that "cat mysecret" is only an example. It obviously doesn't help
> > > authenticating having a key stored world readable on the device. The
> > > i.MX6 offers ways to generate secrets with the CAAM unit. However,
> > > for testing purposes some "echo foobarbaz | keyctl padd logon ubifs:root
> > > @s" does it.
> >
> > Alright I get it, the offline signing key is not the same as the one used at
> > runtime (which is definitly a good thing).
> >
> > >
> > > You are trying offline signed images, but maybe you should start without
> > > an image and do runtime authentication only. For this create an empty
> > > UBI volume and just mount it like this (after doing the keyctl padd as
> > > above):
> > >
> > > mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,auth_key=ubifs:root
> > >
> > > I am not sure if the kernel can read the key if you put it into the
> > > session keyring. Systemd for example influences this and I don't know
> > > exactly how. You might have to replace "@s" with "@u".
> >
> > Ok, using user session keyring is better in my example I can successfully define
> > a new symmetric key in order to mount a newly created partition.
> > I am not using systemd here, a simple busybox and sysV init.
> >
> > However if I get the whole idea, If I use ubiupdatevol to update my partition,
> > I need the public key used while signing the ubifs at the first mount time
> > and then an other symmetric one ("mysecret" identified as 'ubifs:root' in this
> > exemple) in order to keep signing the partition.
>
> Yes. You could do without the symmetric key in a readonly environment.
>
> >
> > This public key is already present (available to the mount command?) but
> > I don't have a way to tell which one to use.
>
> You don't have to, the Kernel will pick the right one automatically.
>
> >
> > mount -t ubifs /dev/ubi0_8 -o auth_key=ubifs:root,auth_hash_name=sha256 /mnt/
> > mount: mounting /dev/ubi0_8 on /mnt/ failed: Invalid argument
> >
> > auth_key is the new symmetric key
> > my public key used when creating the offline signature is in /proc/keys
> >
> > 3b1ecf1d I------     1 perm 1f030000     0     0 asymmetri Build time
> > autogenerated kernel key: a21494c43b8859eceedf1c3d6727fd26f51b1bea:
> > X509.rsa f51b1bea []
> >
> > I am not sure what I am missing about the first mount of a signed ubifs.
>
> Me neither currently. I could play it through with a current
> Linux/mtd-utils tomorrow to see if there's anything not working.


Ok, thanks a lot for your help.
I tried from scratch (auto generated kernel certificate/key, offline
signing using this key+certificate) and I still get the following:

    # mount -t ubifs /dev/ubi0_6 -o ro /mnt
    mount: mounting /dev/ubi0_6 on /mnt failed: Invalid argument
    [ 7961.936787] UBIFS error (ubi0:6 pid 1025):
ubifs_read_superblock: authenticated FS found, but no key given

Apparently I need the symmetric key, as the following is working now
(with or without the read-only option)

    mount -t ubifs /dev/ubi0_6 -o
ro,auth_key=ubifs:rootf,auth_hash_name=sha256  /mnt
    [ 8390.028045] UBIFS (ubi0:6): Mounting in authenticated mode
    [ 8618.586641] UBIFS (ubi0:6): background thread "ubifs_bgt0_6" stops
    [ 8630.039989] UBIFS (ubi0:6): Mounting in authenticated mode
    [ 8630.098767] UBIFS (ubi0:6): Successfully verified super block signature
    [ 8630.151322] UBIFS (ubi0:6): UBIFS: mounted UBI device 0, volume
6, name "root", R/O mode
    [ 8630.159482] UBIFS (ubi0:6): LEB size: 126976 bytes (124 KiB),
min./max. I/O unit sizes: 2048 bytes/2048 bytes
    [ 8630.169370] UBIFS (ubi0:6): FS size: 33267712 bytes (31 MiB,
262 LEBs), journal size 9023488 bytes (8 MiB, 72 LEBs)
    [ 8630.179784] UBIFS (ubi0:6): reserved for root: 0 bytes (0 KiB)
    [ 8630.185546] UBIFS (ubi0:6): media format: w4/r0 (latest is
w5/r0), UUID 33053EA9-B76E-47A1-BC0B-BB8B97E7F593, small LPT model

I don't know what was wrong last Friday, it might be the symmetric key
inserted with keyctl in an invalid format. This time a tried with a
simple ascii string.
I now have a working example, which is enough for me to dig further
into the ubifs authentication feature.

Thanks a lot for your work and your help.

>
> Sascha
>
> --
> Pengutronix e.K.                           |                             |
> Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
> 31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/