From: Lukasz Majewski <lukma@denx.de>
To: u-boot@lists.denx.de
Subject: [U-Boot] UBI/UBIFS complete integrity check
Date: Sat, 4 Nov 2017 22:17:07 +0100
Message-ID: <20171104221707.13a62fd7@jawa>
In-Reply-To: <4065c00f-1cca-5f1a-dbd9-1ae3a3bc20b7@xiphos.com>

Hi Liam,

> Hi everyone,
>
> I'm currently using a UBIFS root file system (stored on SPI-NOR flash)
> and would like to perform a full integrity check before booting it.
> The rootfs is read-only and until now, I've been computing an md5sum
> on the whole mtd device from an initramfs and comparing it to a stored
> md5sum. If both md5sums don't match, I need to stop the boot process
> completely.
>
> If possible, I was hoping to drop initramfs and do the integrity check
> from U-Boot.

U-boot has support for crc32 and sha1 (256). It should be possible to
do the integrity checking in it.

If you have more SDRAM than SPI-NOR, then you can calculate sha1/crc32
of the whole memory.

> I know UBI/UBIFS does a CRC-32 of the data it writes to
> flash but the intent here is to prevent booting an image where
> even a _single bit_ of flash may have been corrupted.

Ok. I see.

>
> My question is, does UBI/UBIFS have this kind of complete integrity
> check built-in?

As far as I'm aware - not. The only recent improvement was the
"encryption/decryption" support.

> If not, can I take advantage of these CRC-32,

It may be hard to access UBI metadata (from PEB/LEB).

> to do
> something equivalent to my md5sum check from U-Boot.

It may be possible to read the whole SPI-NOR Memory content to RAM,
calculate crc32/sha1 and compare with some stored value (e.g. in u-boot
envs). This all should be done with u-boot prompt.

> Thanks,
>
> Liam Beguin
> Xiphos Systems Corp.
> http://xiphos.com

Best regards,
Lukasz Majewski
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
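
The check suggested in the reply above (read the flash into RAM, hash it, compare with a value kept in the environment), written out as an added example of U-Boot prompt commands; it is not part of the original message or of any poster's setup. It assumes a build with CONFIG_CMD_SF, CONFIG_CMD_HASH and CONFIG_HASH_VERIFY enabled and enough free RAM at `${loadaddr}` to hold the whole partition; the offset, size, digest placeholder and the `boot_rootfs` variable are hypothetical names and constructed values.

```uboot
# Added example, not from the original thread. All values are constructed.

# Location of the read-only UBI partition inside the SPI-NOR (assumed layout).
setenv rootfs_off 0x100000
setenv rootfs_size 0xF00000

# Reference digest computed on the host over exactly the same byte range
# (64 hex characters for SHA-256). Placeholder, to be filled in per image.
setenv rootfs_sha256 <EXPECTED_SHA256_HEX>

# Hypothetical variable holding the commands that attach UBI, mount UBIFS
# and start the kernel on this board.
# setenv boot_rootfs '...'

# Probe the flash and copy the whole partition into RAM.
sf probe
sf read ${loadaddr} ${rootfs_off} ${rootfs_size}

# "hash -v" returns failure when the computed digest differs from the value
# stored in the named environment variable, so a mismatch never reaches the
# boot commands.
if hash -v sha256 ${loadaddr} ${rootfs_size} rootfs_sha256; then
    echo "rootfs digest OK"
    run boot_rootfs
else
    echo "rootfs digest mismatch, refusing to boot"
fi
```

The reference digest has to be computed over the same offset and length that `sf read` copies, including any erased (0xFF) area at the end of the partition.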