[U-Boot] UBI/UBIFS complete integrity check

Liam Beguin lvb at xiphos.com
Mon Nov 6 16:34:47 UTC 2017 

Hi Lukasz,

Thanks for taking the time to answer.

On 11/04/2017 05:17 PM, Lukasz Majewski wrote:
> Hi Liam,
> 
>> Hi everyone,
>>
>> I'm currently using a UBIFS root file system (stored on SPI-NOR flash)
>> and would like to perform a full integrity check before booting it.
>> The rootfs is read-only and until now, I've been computing an md5sum
>> on the whole mtd device from an initramfs and comparing it to a stored
>> md5sum. If both md5sums don't match, I need to stop the boot process
>> completely.
>>
>> If possible, I was hoping to drop initramfs and do the integrity check
>> from U-Boot.
> 
> U-boot has support for crc32 and sha1 (256). It should be possible to
> do the integrity checking in it.
> 
> If you have more SDRAM than SPI-NOR, then you can calculate sha1/crc32
> of the whole memory.
> 
>> I know UBI/UBIFS does a CRC-32 of the data it writes to
>> flash but the intent here is to prevent booting an image where
>> even a _single bit_ of flash may have been corrupted.
> 
> Ok. I see.
> 
>>
>> My question is, does UBI/UBIFS have this kind of complete integrity
>> check built-in?
> 
> As fair as I'm aware - not. The only recent improvement was the
> "encryption/decryption" support

I don't think I have enough time right now but would this integrity check
be an interesting feature to add?

> 
>> If not, can I take advantage of these CRC-32,
> 
> It may be hard to access UBI metadata (from PEB/LEB).
> 
>> to do
>> something equivalent to my md5sum check from U-Boot.
> 
> It may be possible to read the whole SPI-NOR Memory content to RAM,
> calculate crc32/sha1 and compare with some stored value (e.g. in u-boot
> envs). This all should be done with u-boot prompt.

This was my backup plan. I should have enough RAM to do it.

> 
>> Thanks,
>>
>> Liam Beguin
>> Xiphos Systems Corp.
>> http://xiphos.com
>> _______________________________________________
>> U-Boot mailing list
>> U-Boot at lists.denx.de
>> https://lists.denx.de/listinfo/u-boot
> 
> 
> 
> Best regards,
> 
> Lukasz Majewski
> 
> --
> 
> DENX Software Engineering GmbH,      Managing Director: Wolfgang Denk
> HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany
> Phone: (+49)-8142-66989-10 Fax: (+49)-8142-66989-80 Email: wd at denx.de
> 

Thanks,

Liam Beguin
Xiphos Systems Corp.
http://xiphos.com

More information about the U-Boot mailing list