tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
docs: ubifs-authentication.md: convert to ReST
The documentation standard is ReST and not markdown.
Signed-off-by: Mauro Carvalho Chehab <mchehab+samsung@kernel.org>
Acked-by: Rob Herring <robh@kernel.org>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
authored by
Mauro Carvalho Chehab
and committed by
Jonathan Corbet
09f4c750
eaf7b460
+44
-26
+44
-26
Documentation/filesystems/ubifs-authentication.md
Documentation/filesystems/ubifs-authentication.rst
+44
-26
Documentation/filesystems/ubifs-authentication.md
Documentation/filesystems/ubifs-authentication.rst
···
1
-
% UBIFS Authentication
2
-
% sigma star gmbh
3
-
% 2018
1
+
:orphan:
4
2
5
-
# Introduction
3
+
.. UBIFS Authentication
4
+
.. sigma star gmbh
5
+
.. 2018
6
+
7
+
Introduction
8
+
============
6
9
7
10
UBIFS utilizes the fscrypt framework to provide confidentiality for file
8
11
contents and file names. This prevents attacks where an attacker is able to
···
36
33
be possible to use UBIFS authentication without using encryption.
37
34
38
35
39
-
## MTD, UBI & UBIFS
36
+
MTD, UBI & UBIFS
37
+
----------------
40
38
41
39
On Linux, the MTD (Memory Technology Devices) subsystem provides a uniform
42
40
interface to access raw flash devices. One of the more prominent subsystems that
···
51
47
leveling and some flash specifics are left to UBI, while UBIFS focuses on
52
48
scalability, performance and recoverability.
53
49
54
-
50
+
::
55
51
56
52
+------------+ +*******+ +-----------+ +-----+
57
53
| | * UBIFS * | UBI-BLOCK | | ... |
···
88
84
[UBIFS-WP].
89
85
90
86
91
-
### UBIFS Index & Tree Node Cache
87
+
UBIFS Index & Tree Node Cache
88
+
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
92
89
93
90
Basic on-flash UBIFS entities are called *nodes*. UBIFS knows different types
94
91
of nodes. Eg. data nodes (`struct ubifs_data_node`) which store chunks of file
···
123
118
marked as dirty are written to the flash to update the persisted index.
124
119
125
120
126
-
### Journal
121
+
Journal
122
+
~~~~~~~
127
123
128
124
To avoid wearing out the flash, the index is only persisted (*commited*) when
129
-
certain conditions are met (eg. `fsync(2)`). The journal is used to record
125
+
certain conditions are met (eg. ``fsync(2)``). The journal is used to record
130
126
any changes (in form of inode nodes, data nodes etc.) between commits
131
127
of the index. During mount, the journal is read from the flash and replayed
132
128
onto the TNC (which will be created on-demand from the on-flash index).
133
129
134
130
UBIFS reserves a bunch of LEBs just for the journal called *log area*. The
135
131
amount of log area LEBs is configured on filesystem creation (using
136
-
`mkfs.ubifs`) and stored in the superblock node. The log area contains only
132
+
``mkfs.ubifs``) and stored in the superblock node. The log area contains only
137
133
two types of nodes: *reference nodes* and *commit start nodes*. A commit start
138
134
node is written whenever an index commit is performed. Reference nodes are
139
135
written on every journal update. Each reference node points to the position of
···
158
152
because of a power cut. If the recovery fails, UBIFS will not mount. An error
159
153
for every other LEB will directly cause UBIFS to fail the mount operation.
160
154
155
+
::
161
156
162
157
| ---- LOG AREA ---- | ---------- MAIN AREA ------------ |
163
158
···
179
172
containing their buds
180
173
181
174
182
-
### LEB Property Tree/Table
175
+
LEB Property Tree/Table
176
+
~~~~~~~~~~~~~~~~~~~~~~~
183
177
184
178
The LEB property tree is used to store per-LEB information. This includes the
185
-
LEB type and amount of free and *dirty* (old, obsolete content) space [1] on
179
+
LEB type and amount of free and *dirty* (old, obsolete content) space [1]_ on
186
180
the LEB. The type is important, because UBIFS never mixes index nodes with data
187
181
nodes on a single LEB and thus each LEB has a specific purpose. This again is
188
182
useful for free space calculations. See [UBIFS-WP] for more details.
···
193
185
commit. Thus, saving the LPT is an atomic operation.
194
186
195
187
196
-
[1] Since LEBs can only be appended and never overwritten, there is a
197
-
difference between free space ie. the remaining space left on the LEB to be
198
-
written to without erasing it and previously written content that is obsolete
199
-
but can't be overwritten without erasing the full LEB.
188
+
.. [1] Since LEBs can only be appended and never overwritten, there is a
189
+
difference between free space ie. the remaining space left on the LEB to be
190
+
written to without erasing it and previously written content that is obsolete
191
+
but can't be overwritten without erasing the full LEB.
200
192
201
193
202
-
# UBIFS Authentication
194
+
UBIFS Authentication
195
+
====================
203
196
204
197
This chapter introduces UBIFS authentication which enables UBIFS to verify
205
198
the authenticity and integrity of metadata and file contents stored on flash.
206
199
207
200
208
-
## Threat Model
201
+
Threat Model
202
+
------------
209
203
210
204
UBIFS authentication enables detection of offline data modification. While it
211
205
does not prevent it, it enables (trusted) code to check the integrity and
···
234
224
ensure that only trusted code is executed on a device.
235
225
236
226
237
-
## Authentication
227
+
Authentication
228
+
--------------
238
229
239
230
To be able to fully trust data read from flash, all UBIFS data structures
240
231
stored on flash are authenticated. That is:
···
247
236
- The LPT which stores UBI LEB metadata which UBIFS uses for free space accounting
248
237
249
238
250
-
### Index Authentication
239
+
Index Authentication
240
+
~~~~~~~~~~~~~~~~~~~~
251
241
252
242
Through UBIFS' concept of a wandering tree, it already takes care of only
253
243
updating and persisting changed parts from leaf node up to the root node
···
272
260
the storage overhead which is precious for users of UBIFS (ie. embedded
273
261
devices).
274
262
263
+
::
275
264
276
265
+---------------+
277
266
| Master Node |
···
316
303
atomically together with its respective node.
317
304
318
305
319
-
### Journal Authentication
306
+
Journal Authentication
307
+
~~~~~~~~~~~~~~~~~~~~~~
320
308
321
309
The journal is authenticated too. Since the journal is continuously written
322
310
it is necessary to also add authentication information frequently to the
···
330
316
authentication node. The tail of the journal which may not have a authentication
331
317
node cannot be authenticated and is skipped during journal replay.
332
318
333
-
We get this picture for journal authentication:
319
+
We get this picture for journal authentication::
334
320
335
321
,,,,,,,,
336
322
,......,...........................................
···
366
352
modified on feature flag or similar changes, but never on file changes.
367
353
368
354
369
-
### LPT Authentication
355
+
LPT Authentication
356
+
~~~~~~~~~~~~~~~~~~
370
357
371
358
The location of the LPT root node on the flash is stored in the UBIFS master
372
359
node. Since the LPT is written and read atomically on every commit, there is
···
378
363
LTP hash stored there with the hash computed from the read on-flash LPT.
379
364
380
365
381
-
## Key Management
366
+
Key Management
367
+
--------------
382
368
383
369
For simplicity, UBIFS authentication uses a single key to compute the HMACs
384
370
of superblock, master, commit start and reference nodes. This key has to be
···
415
399
[FSCRYPT-POLICY2].
416
400
417
401
418
-
# Future Extensions
402
+
Future Extensions
403
+
=================
419
404
420
405
In certain cases where a vendor wants to provide an authenticated filesystem
421
406
image to customers, it should be possible to do so without sharing the secret
···
428
411
will then have to be provided beforehand in the normal way.
429
412
430
413
431
-
# References
414
+
References
415
+
==========
432
416
433
417
[CRYPTSETUP2] http://www.saout.de/pipermail/dm-crypt/2017-November/005745.html
434
418