* [Buildroot] [PATCH] fs/iso9660: md5 checksum boot dir files
@ 2016-11-11 17:13 Matt Weber
2016-11-11 20:24 ` Thomas Petazzoni
0 siblings, 1 reply; 4+ messages in thread
From: Matt Weber @ 2016-11-11 17:13 UTC (permalink / raw)
To: buildroot
From: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
Generate md5 checksum for all files of boot directory
to allow runtime validation of boot images.
Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
---
fs/iso9660/iso9660.mk | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/iso9660/iso9660.mk b/fs/iso9660/iso9660.mk
index d1d9cbf..d805465 100644
--- a/fs/iso9660/iso9660.mk
+++ b/fs/iso9660/iso9660.mk
@@ -144,6 +144,8 @@ endif # ROOTFS_ISO9660_USE_INITRD
define ROOTFS_ISO9660_CMD
+ $(RM) -rf $(ROOTFS_ISO9660_TARGET_DIR)/boot/checksums.md5
+ cd $(ROOTFS_ISO9660_TARGET_DIR)/boot/ && md5sum * > $(ROOTFS_ISO9660_TARGET_DIR)/boot/checksums.md5
$(HOST_DIR)/usr/bin/genisoimage -J -R -b $(ROOTFS_ISO9660_BOOT_IMAGE) \
-no-emul-boot -boot-load-size 4 -boot-info-table \
-o $@ $(ROOTFS_ISO9660_TARGET_DIR)
--
1.9.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH] fs/iso9660: md5 checksum boot dir files
2016-11-11 17:13 [Buildroot] [PATCH] fs/iso9660: md5 checksum boot dir files Matt Weber
@ 2016-11-11 20:24 ` Thomas Petazzoni
2016-11-11 20:54 ` Matthew Weber
0 siblings, 1 reply; 4+ messages in thread
From: Thomas Petazzoni @ 2016-11-11 20:24 UTC (permalink / raw)
To: buildroot
Hello,
On Fri, 11 Nov 2016 11:13:39 -0600, Matt Weber wrote:
> From: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
>
> Generate md5 checksum for all files of boot directory
> to allow runtime validation of boot images.
>
> Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
> Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
Why specifically for those images, and not all files of the filesystem?
This really looks like a very use-case specific problem, we certainly
can't handle it in generic code like this the patch you're proposing.
Best regards,
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH] fs/iso9660: md5 checksum boot dir files
2016-11-11 20:24 ` Thomas Petazzoni
@ 2016-11-11 20:54 ` Matthew Weber
2016-11-11 21:00 ` Thomas Petazzoni
0 siblings, 1 reply; 4+ messages in thread
From: Matthew Weber @ 2016-11-11 20:54 UTC (permalink / raw)
To: buildroot
Thomas,
On Fri, Nov 11, 2016 at 2:24 PM, Thomas Petazzoni <
thomas.petazzoni@free-electrons.com> wrote:
> Hello,
>
> On Fri, 11 Nov 2016 11:13:39 -0600, Matt Weber wrote:
> > From: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
> >
> > Generate md5 checksum for all files of boot directory
> > to allow runtime validation of boot images.
> >
> > Signed-off-by: Paresh Chaudhary <paresh.chaudhary@rockwellcollins.com>
> > Signed-off-by: Matt Weber <matthew.weber@rockwellcollins.com>
>
> Why specifically for those images, and not all files of the filesystem?
>
>
We thought for a iso9600 formatted iso, this was a way to add a quick
integrity check capability to the images used for kernel/rootfs. Since the
bzimage and initrd are both present in this boot folder. This allows a
product's install process to check the integrity of a disk after flashing
the iso to a bare drive (mount the new boot partition and run md5sum -c).
It also opens up the option for runtime verifying the images you booted
from if you add scripting in your rootfs.
--
Matthew L Weber / Pr Software Engineer
Airborne Information Systems / Security Systems and Software / Secure
Platforms
MS 131-100, C Ave NE, Cedar Rapids, IA, 52498, USA
www.rockwellcollins.com
Note: Any Export License Required Information and License Restricted Third
Party Intellectual Property (TPIP) content must be encrypted and sent to
matthew.weber at corp.rockwellcollins.com.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.busybox.net/pipermail/buildroot/attachments/20161111/11879620/attachment.html>
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Buildroot] [PATCH] fs/iso9660: md5 checksum boot dir files
2016-11-11 20:54 ` Matthew Weber
@ 2016-11-11 21:00 ` Thomas Petazzoni
0 siblings, 0 replies; 4+ messages in thread
From: Thomas Petazzoni @ 2016-11-11 21:00 UTC (permalink / raw)
To: buildroot
Hello,
On Fri, 11 Nov 2016 14:54:06 -0600, Matthew Weber wrote:
> We thought for a iso9600 formatted iso, this was a way to add a quick
> integrity check capability to the images used for kernel/rootfs. Since the
> bzimage and initrd are both present in this boot folder. This allows a
> product's install process to check the integrity of a disk after flashing
> the iso to a bare drive (mount the new boot partition and run md5sum -c).
> It also opens up the option for runtime verifying the images you booted
> from if you add scripting in your rootfs.
This all seems interesting, but if we want to solve this problem, we
want to solve it globally for all filesystems, and the entire contents
of the filesystem, not just the specific /boot directory of the
specific iso9660 filesystem.
Thomas
--
Thomas Petazzoni, CTO, Free Electrons
Embedded Linux and Kernel engineering
http://free-electrons.com
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2016-11-11 21:00 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-11-11 17:13 [Buildroot] [PATCH] fs/iso9660: md5 checksum boot dir files Matt Weber
2016-11-11 20:24 ` Thomas Petazzoni
2016-11-11 20:54 ` Matthew Weber
2016-11-11 21:00 ` Thomas Petazzoni
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.