Re: [PATCH 0/2] mtd-utils: mkfs.ubifs: Add signing support for UBIFS images

[Kevin Raymond <kr@shaiton.org>]

On Fri, Feb 7, 2020 at 4:51 PM Sascha Hauer <s.hauer@pengutronix.de> wrote:
>
> Hi Kevin,
>
> On Fri, Feb 07, 2020 at 04:25:58PM +0100, Kevin Raymond wrote:
> > Hi there,
> >
> > I am testing ubifs authentication for my new board, however I can't
> > git it to work.
> > I am not able to have keyctl add my key to the kernel keyring.
> >
> > This is by far the most easier documentation I found about ubifs authentication.
> >
> > I've got my kernel generating the asymmetric key, I can do the offline
> > signing with mkfs.ubifs but am not able to mount the ubifs partition.
> > I always get the following error:
> >     mount: mounting /dev/ubi0_8 on /mnt failed: Required key not available
> >
> > I am really not sure about the "keyctl add" part.
> > From the Sascha example, should we change 'mysecret' by
> > 'signing_key.pem' ? Should we change its format?
>
> There are two different keys involved. One is an asymmetric
> private/public key pair needed for authenticating offline signed images.
> That's the one you compile the Kernel with and which you provide to
> mkfs.ubifs. This key is only used during first mount.
>
> The other one is a symmetric key which is used during runtime and that's
> the one you add with:
>
> cat mysecret | keyctl padd logon ubifs:root @s
>
> Note that "cat mysecret" is only an example. It obviously doesn't help
> authenticating having a key stored world readable on the device. The
> i.MX6 offers ways to generate secrets with the CAAM unit. However,
> for testing purposes some "echo foobarbaz | keyctl padd logon ubifs:root
> @s" does it.

Alright I get it, the offline signing key is not the same as the one used at
runtime (which is definitly a good thing).

>
> You are trying offline signed images, but maybe you should start without
> an image and do runtime authentication only. For this create an empty
> UBI volume and just mount it like this (after doing the keyctl padd as
> above):
>
> mount -t ubifs /dev/ubi0_0 /mnt/ -o auth_hash_name=sha256,auth_key=ubifs:root
>
> I am not sure if the kernel can read the key if you put it into the
> session keyring. Systemd for example influences this and I don't know
> exactly how. You might have to replace "@s" with "@u".

Ok, using user session keyring is better in my example I can successfully define
a new symmetric key in order to mount a newly created partition.
I am not using systemd here, a simple busybox and sysV init.

However if I get the whole idea, If I use ubiupdatevol to update my partition,
I need the public key used while signing the ubifs at the first mount time
and then an other symmetric one ("mysecret" identified as 'ubifs:root' in this
exemple) in order to keep signing the partition.

This public key is already present (available to the mount command?) but
I don't have a way to tell which one to use.

mount -t ubifs /dev/ubi0_8 -o auth_key=ubifs:root,auth_hash_name=sha256 /mnt/
mount: mounting /dev/ubi0_8 on /mnt/ failed: Invalid argument

auth_key is the new symmetric key
my public key used when creating the offline signature is in /proc/keys

3b1ecf1d I------     1 perm 1f030000     0     0 asymmetri Build time
autogenerated kernel key: a21494c43b8859eceedf1c3d6727fd26f51b1bea:
X509.rsa f51b1bea []

I am not sure what I am missing about the first mount of a signed ubifs.

>
> Hope that helps.

Yes I get most of it now, thanks

>
> Regards
>  Sascha
>
> --
> Pengutronix e.K.                           |                             |
> Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
> 31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/