<div dir="ltr">dm-verity works by hashing each 4k block of the raw block device. The resulting tree of hashes is stored on the block device outside the filesystem. That should work fine for MTD. I suspect it will work with UBI as well since UBI is just another block device type. So, we can probably store FIT+squashfs+dm-verity(of squashfs)+UBIFS(r/w) in UBI. It'll take some experimentation.<div><br></div><div>Rick</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Jan 31, 2017 at 10:16 AM, Patrick Williams <span dir="ltr"><<a href="mailto:patrick@stwcx.xyz" target="_blank">patrick@stwcx.xyz</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On Mon, Jan 30, 2017 at 04:47:13PM +1100, Stewart Smith wrote:<br>
> dm-verity (a device-mapper target taht cryptographically verifies each<br>
> filesystem block) could be a way to very easily get most of what's<br>
> needed here.<br>
><br>
> <a href="https://lwn.net/Articles/459420/" rel="noreferrer" target="_blank">https://lwn.net/Articles/<wbr>459420/</a><br>
><br>
> <a href="https://source.android.com/security/verifiedboot/" rel="noreferrer" target="_blank">https://source.android.com/<wbr>security/verifiedboot/</a><br>
><br>
<br>
</span>Any ideas on how nicely that plays with mtd/ubi? I don't see anything<br>
about it. I do see some dm-verity presentations claiming that IMA is<br>
slow and dm-verity is much faster.<br>
<br>
We should have all code in a SquashFS image anyhow. Signing / verifying<br>
that whole image might be reasonable as well.<br>
<span class="HOEnZb"><font color="#888888"><br>
--<br>
Patrick Williams<br>
</font></span><br>______________________________<wbr>_________________<br>
openbmc mailing list<br>
<a href="mailto:openbmc@lists.ozlabs.org">openbmc@lists.ozlabs.org</a><br>
<a href="https://lists.ozlabs.org/listinfo/openbmc" rel="noreferrer" target="_blank">https://lists.ozlabs.org/<wbr>listinfo/openbmc</a><br>
<br></blockquote></div><br></div>