[U-Boot] UBI/UBIFS complete integrity check
Ladislav Michl
ladis at linux-mips.org
Mon Nov 6 17:57:46 UTC 2017
On Mon, Nov 06, 2017 at 12:31:32PM -0500, Liam Beguin wrote:
> Hi,
>
> Thanks for taking the time to answer.
>
> On 11/05/2017 03:37 AM, Ladislav Michl wrote:
> > On Tue, Oct 31, 2017 at 11:01:21AM -0400, Liam Beguin wrote:
> > > Hi everyone,
> > >
> > > I'm currently using a UBIFS root file system (stored on SPI-NOR flash)
> > > and would like to perform a full integrity check before booting it.
> > > The rootfs is read-only and until now, I've been computing an md5sum on
> > > the whole mtd device from an initramfs and comparing it to a stored
> > > md5sum. If both md5sums don't match, I need to stop the boot process
> > > completely.
> >
> > Above doesn't sound right even in theory as UBI layer is free to correct
> > bit-flips (unlikely on SPI-NOR) and shuffle eraseblocks around even
> > if read only filesystem is sitting on top of it. See this faq:
> > http://www.linux-mtd.infradead.org/doc/ubi.html#L_ubiblock> So, if you
> > are computing md5sum of underlaying mtd device you might get
> > different checksum even for the same UBI content.
> >
>
> I forgot to mention that the flash I use has a hardware lock which is enabled
> after the filesystem is first written (the flash is locked during boot).
> I'm quite confident this works as I've been using the md5sum mechanism for
> some time now.
I see. Btw, have you considered using for example squashfs on top of static UBI
volume? Given the fact your fs is read only you get:
- CRC32 checksum of you volume for free
- filesystem compression
- you can easily compute mtd5sum of volume content
- check filesystem consistency using already provided tools (probably overkill).
> As the UBI layer is able to detect/fix bit-flips, what happens if a bit-flip is
> detected and UBI cannot write to flash? does it fail to attach?
No, it just logs it. It fails once there is enough bitflips that ECC is unable
to correct them. But again, it is not case of NOR, I mentioned it just for
completeness.
> > > If possible, I was hoping to drop initramfs and do the integrity check
> > > from U-Boot. I know UBI/UBIFS does a CRC-32 of the data it writes to
> > > flash but the intent here is to prevent booting an image where
> > > even a _single bit_ of flash may have been corrupted.
Above mentioned solution should fail instantly in case of CRC error. Not sure if
that's what you want as kernel already took over, so either watchdog will kick in
or machine will reboot, if configured to do so after panics.
> > > My question is, does UBI/UBIFS have this kind of complete integrity
> > > check built-in? If not, can I take advantage of these CRC-32, to do
> > > something equivalent to my md5sum check from U-Boot.
> > > Thanks,
> >
> > There is md5sum command, question is whenever you UBI volume fits
> > into RAM to do calculation at once.
> >
> > > Liam Beguin
> > > Xiphos Systems Corp.
> > > http://xiphos.com
> > > _______________________________________________
> > > U-Boot mailing list
> > > U-Boot at lists.denx.de
> > > https://lists.denx.de/listinfo/u-boot
>
> Thanks,
>
> Liam Beguin
> Xiphos Systems Corp.
> http://xiphos.com
More information about the U-Boot
mailing list