From mboxrd@z Thu Jan 1 00:00:00 1970
From: Lukasz Majewski
Date: Sat, 4 Nov 2017 22:17:07 +0100
Subject: [U-Boot] UBI/UBIFS complete integrity check
In-Reply-To: <4065c00f-1cca-5f1a-dbd9-1ae3a3bc20b7@xiphos.com>
References: <4065c00f-1cca-5f1a-dbd9-1ae3a3bc20b7@xiphos.com>
Message-ID: <20171104221707.13a62fd7@jawa>
List-Id:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
To: u-boot@lists.denx.de

Hi Liam,

> Hi everyone,
>
> I'm currently using a UBIFS root file system (stored on SPI-NOR flash)
> and would like to perform a full integrity check before booting it.
> The rootfs is read-only and until now, I've been computing an md5sum
> on the whole mtd device from an initramfs and comparing it to a stored
> md5sum. If both md5sums don't match, I need to stop the boot process
> completely.
>
> If possible, I was hoping to drop initramfs and do the integrity check
> from U-Boot.

U-Boot has support for crc32 and sha1 (256). It should be possible to
do the integrity checking in it.

If you have more SDRAM than SPI-NOR, then you can calculate sha1/crc32
of the whole memory.

> I know UBI/UBIFS does a CRC-32 of the data it writes to
> flash but the intent here is to prevent booting an image where
> even a _single bit_ of flash may have been corrupted.

Ok. I see.

>
> My question is, does UBI/UBIFS have this kind of complete integrity
> check built-in?

As far as I'm aware - not. The only recent improvement was the
"encryption/decryption" support.

> If not, can I take advantage of these CRC-32,

It may be hard to access UBI metadata (from PEB/LEB).

> to do
> something equivalent to my md5sum check from U-Boot.

It may be possible to read the whole SPI-NOR Memory content to RAM,
calculate crc32/sha1 and compare with some stored value (e.g. in u-boot
envs).

This all should be done with u-boot prompt.

> Thanks,
>
> Liam Beguin
> Xiphos Systems Corp.
> http://xiphos.com

Best regards,

Lukasz Majewski

--

DENX Software Engineering GmbH, Managing Director: Wolfgang Denk
HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
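The read-to-RAM, hash and compare sequence described in the reply could look like this as a U-Boot script. This is an added example, not part of the thread or of U-Boot's own documentation; the offsets, sizes and the `rootfs_off`, `rootfs_size`, `rootfs_sha1` and `bootcmd_rootfs` variables are constructed placeholders, and it assumes a build with `CONFIG_CMD_SF`, `CONFIG_CMD_SHA1SUM` and `CONFIG_SHA1SUM_VERIFY`.

```uboot
# Added example: verify the rootfs partition on SPI-NOR before booting it.
# Assumed, constructed values (adjust to the board's flash layout):
#   rootfs_off / rootfs_size : offset and length of the rootfs MTD partition
#   rootfs_sha1              : reference SHA-1 (40 hex digits) saved in the env
#   bootcmd_rootfs           : hypothetical env script that boots the UBIFS rootfs
setenv rootfs_off  0x00100000
setenv rootfs_size 0x00f00000

# Read the whole partition into RAM. The region starting at ${loadaddr}
# must be large enough and must not overlap U-Boot's relocated image.
if sf probe 0 && sf read ${loadaddr} ${rootfs_off} ${rootfs_size}; then
    # "sha1sum -v" succeeds only when the computed digest equals the
    # reference value, so one flipped bit anywhere in the range fails it.
    if sha1sum -v ${loadaddr} ${rootfs_size} ${rootfs_sha1}; then
        run bootcmd_rootfs
    else
        echo "rootfs SHA-1 mismatch, not booting"
    fi
else
    echo "SPI-NOR read failed, not booting"
fi
```

A digest kept in the U-Boot environment detects corruption only: anyone able to rewrite the flash can rewrite the stored value as well.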