OpenBMC Image Management
Rick Altherr
raltherr at google.com
Wed Feb 1 05:33:07 AEDT 2017
dm-verity works by hashing each 4k block of the raw block device. The
resulting tree of hashes is stored on the block device outside the
filesystem. That should work fine for MTD. I suspect it will work with
UBI as well since UBI is just another block device type. So, we can
probably store FIT+squashfs+dm-verity(of squashfs)+UBIFS(r/w) in UBI.
It'll take some experimentation.
Rick
On Tue, Jan 31, 2017 at 10:16 AM, Patrick Williams <patrick at stwcx.xyz>
wrote:
> On Mon, Jan 30, 2017 at 04:47:13PM +1100, Stewart Smith wrote:
> > dm-verity (a device-mapper target that cryptographically verifies each
> > filesystem block) could be a way to very easily get most of what's
> > needed here.
> >
> > https://lwn.net/Articles/459420/
> >
> > https://source.android.com/security/verifiedboot/
> >
>
> Any ideas on how nicely that plays with mtd/ubi? I don't see anything
> about it. I do see some dm-verity presentations claiming that IMA is
> slow and dm-verity is much faster.
>
> We should have all code in a SquashFS image anyhow. Signing / verifying
> that whole image might be reasonable as well.
>
> --
> Patrick Williams
>
>
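The per-block hashing described in the message above, as an added example that is not part of the original thread: a simplified Python model of a dm-verity-style hash tree over 4k blocks, showing that only the root hash has to be trusted while the tree itself can sit on the same flash as the data. The function names, salt and sample image are constructed for illustration, and the layout is not the on-disk format that veritysetup writes.

```python
import hashlib

BLOCK = 4096                                     # block size named in the message
FANOUT = BLOCK // hashlib.sha256().digest_size   # 128 digests per hash block


def _h(salt, block):
    return hashlib.sha256(salt + block).digest()


def _pack(digests):
    # One hash block: concatenated digests, zero-padded to 4k.
    return b"".join(digests).ljust(BLOCK, b"\0")


def build_tree(image, salt):
    """Return (levels, root); levels[0] has one digest per 4k data block."""
    if not image or len(image) % BLOCK:
        raise ValueError("image must be a non-empty multiple of 4096 bytes")
    level = [_h(salt, image[i:i + BLOCK]) for i in range(0, len(image), BLOCK)]
    levels = []
    while True:
        levels.append(level)
        level = [_h(salt, _pack(level[i:i + FANOUT]))
                 for i in range(0, len(level), FANOUT)]
        if len(level) == 1:
            return levels, level[0]


def verify_block(data, index, levels, root, salt):
    """Check one block read from flash against the trusted root hash."""
    digest = _h(salt, data)
    for level in levels:
        start = index - index % FANOUT
        group = list(level[start:start + FANOUT])
        group[index - start] = digest      # use the value just computed
        digest = _h(salt, _pack(group))
        index //= FANOUT
    return digest == root


def make_image(blocks=130):
    # Constructed sample data standing in for a squashfs image (two tree levels).
    return b"".join(bytes([i % 251]) * BLOCK for i in range(blocks))
```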