From mboxrd@z Thu Jan 1 00:00:00 1970 From: Lukasz Majewski Date: Mon, 6 Nov 2017 18:30:50 +0100 Subject: [U-Boot] UBI/UBIFS complete integrity check In-Reply-To: References: <4065c00f-1cca-5f1a-dbd9-1ae3a3bc20b7@xiphos.com> <20171104221707.13a62fd7@jawa> Message-ID: <20171106183050.6022d096@jawa> List-Id: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: u-boot@lists.denx.de Hi Liam, > Hi Lukasz, > > Thanks for taking the time to answer. > > On 11/04/2017 05:17 PM, Lukasz Majewski wrote: > > Hi Liam, > > > >> Hi everyone, > >> > >> I'm currently using a UBIFS root file system (stored on SPI-NOR > >> flash) and would like to perform a full integrity check before > >> booting it. The rootfs is read-only and until now, I've been > >> computing an md5sum on the whole mtd device from an initramfs and > >> comparing it to a stored md5sum. If both md5sums don't match, I > >> need to stop the boot process completely. > >> > >> If possible, I was hoping to drop initramfs and do the integrity > >> check from U-Boot. > > > > U-boot has support for crc32 and sha1 (256). It should be possible > > to do the integrity checking in it. > > > > If you have more SDRAM than SPI-NOR, then you can calculate > > sha1/crc32 of the whole memory. > > > >> I know UBI/UBIFS does a CRC-32 of the data it writes to > >> flash but the intent here is to prevent booting an image where > >> even a _single bit_ of flash may have been corrupted. > > > > Ok. I see. > > > >> > >> My question is, does UBI/UBIFS have this kind of complete integrity > >> check built-in? > > > > As fair as I'm aware - not. The only recent improvement was the > > "encryption/decryption" support > > I don't think I have enough time right now but would this integrity > check be an interesting feature to add? It depends how "secure" your project needs to be... It is just one of the options to consider. > > > > >> If not, can I take advantage of these CRC-32, > > > > It may be hard to access UBI metadata (from PEB/LEB). > > > >> to do > >> something equivalent to my md5sum check from U-Boot. > > > > It may be possible to read the whole SPI-NOR Memory content to RAM, > > calculate crc32/sha1 and compare with some stored value (e.g. in > > u-boot envs). This all should be done with u-boot prompt. > > This was my backup plan. I should have enough RAM to do it. Ok. Good. > > > > >> Thanks, > >> > >> Liam Beguin > >> Xiphos Systems Corp. > >> http://xiphos.com > >> _______________________________________________ > >> U-Boot mailing list > >> U-Boot at lists.denx.de > >> https://lists.denx.de/listinfo/u-boot > > > > > > > > Best regards, > > > > Lukasz Majewski > > > > -- > > > > DENX Software Engineering GmbH, Managing Director: Wolfgang > > Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, > > Germany Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: > > wd at denx.de > > Thanks, > > Liam Beguin > Xiphos Systems Corp. > http://xiphos.com > Best regards, Lukasz Majewski -- DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 488 bytes Desc: OpenPGP digital signature URL: