From: Lukasz Majewski <lukma@denx.de>
To: u-boot@lists.denx.de
Subject: [U-Boot] UBI/UBIFS complete integrity check
Date: Sat, 4 Nov 2017 22:17:07 +0100 [thread overview]
Message-ID: <20171104221707.13a62fd7@jawa> (raw)
In-Reply-To: <4065c00f-1cca-5f1a-dbd9-1ae3a3bc20b7@xiphos.com>
Hi Liam,
> Hi everyone,
>
> I'm currently using a UBIFS root file system (stored on SPI-NOR flash)
> and would like to perform a full integrity check before booting it.
> The rootfs is read-only and until now, I've been computing an md5sum
> on the whole mtd device from an initramfs and comparing it to a stored
> md5sum. If both md5sums don't match, I need to stop the boot process
> completely.
>
> If possible, I was hoping to drop initramfs and do the integrity check
> from U-Boot.
U-boot has support for crc32 and sha1 (256). It should be possible to
do the integrity checking in it.
If you have more SDRAM than SPI-NOR, then you can calculate sha1/crc32
of the whole memory.
> I know UBI/UBIFS does a CRC-32 of the data it writes to
> flash but the intent here is to prevent booting an image where
> even a _single bit_ of flash may have been corrupted.
Ok. I see.
>
> My question is, does UBI/UBIFS have this kind of complete integrity
> check built-in?
As fair as I'm aware - not. The only recent improvement was the
"encryption/decryption" support.
> If not, can I take advantage of these CRC-32,
It may be hard to access UBI metadata (from PEB/LEB).
> to do
> something equivalent to my md5sum check from U-Boot.
It may be possible to read the whole SPI-NOR Memory content to RAM,
calculate crc32/sha1 and compare with some stored value (e.g. in u-boot
envs). This all should be done with u-boot prompt.
> Thanks,
>
> Liam Beguin
> Xiphos Systems Corp.
> http://xiphos.com
> _______________________________________________
> U-Boot mailing list
> U-Boot at lists.denx.de
> https://lists.denx.de/listinfo/u-boot
Best regards,
Lukasz Majewski
--
DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <http://lists.denx.de/pipermail/u-boot/attachments/20171104/547e7711/attachment.sig>
next prev parent reply other threads:[~2017-11-04 21:17 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-31 15:01 [U-Boot] UBI/UBIFS complete integrity check Liam Beguin
2017-11-04 21:17 ` Lukasz Majewski [this message]
2017-11-06 16:34 ` Liam Beguin
2017-11-06 17:30 ` Lukasz Majewski
2017-11-05 8:37 ` Ladislav Michl
2017-11-06 17:31 ` Liam Beguin
2017-11-06 17:57 ` Ladislav Michl
2017-11-06 18:29 ` Liam Beguin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20171104221707.13a62fd7@jawa \
--to=lukma@denx.de \
--cc=u-boot@lists.denx.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox