Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
From:   Sascha Hauer <s.hauer@pengutronix.de>
To:     linux-mtd@lists.infradead.org
Cc:     David Gstir <david@sigma-star.at>,
        Richard Weinberger <richard@nod.at>, kernel@pengutronix.de,
        linux-kernel@vger.kernel.org, Sascha Hauer <s.hauer@pengutronix.de>
Subject: [PATCH v2 00/25] UBIFS authentication support
Date:   Fri,  7 Sep 2018 14:36:21 +0200
Message-Id: <20180907123646.12688-1-s.hauer@pengutronix.de>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk

Hi all,

This patchset introduces UBIFS authentication support. With authentication
enabled UBIFS is fully protected against offline changes. This is done by
hashing the different parts of UBIFS and protecting the toplevel hashes with
HMACs. The parts that are protected are:

* the index tree
* the journal
* the LPT
* the master nodes
* the superblock node

A detailed overview how the different parts are authenticated can be found
here:

https://github.com/sigma-star/ubifs-authentication/blob/master/ubifs-authentication-whitepaper.md

However, some details still had to be changed, so an updated version of that
document is part of this patchset.

Usage:
======

First add an authentication key to the kernel keyring. It must be of type
'logon'. The description can be freely chosen, it must be passed as mount
option later:

# keyctl add logon ubifs:foo 12345678901234567890123456789012 @s

Attach the UBI device and mount with auth_key=$description and
auth_hash_name=$algo:

# mount -t ubifs /dev/ubi0_0 -o auth_key=ubifs:foo,auth_hash_name=sha256 /mnt/

This mounts the UBIFS in authenticated mode. The hash algorithm can be freely
chosen from include/uapi/linux/hash_info.h as long as the digest is at maximum
64 bytes which is the space we reserved in the UBIFS structures. We always use
the same algorithms for creating HMACs, so using sha256 for hashing means that
we also use hmac(sha256) for creating authentication data.

When the authentication_key mount option is given, a UBIFS image which can be
authenticated with that key is mandatory, no unauthenticated image will be
accepted. Likewise, when the option is not given, no authenticated image can be
accepted since that couldn't be authenticated. We could skip authentication in
this case, but we couldn't create any valid HMACs when writing new data. We
could make it an option to mount in readonly mode for debugging purposes when
we do not have a key (or we already know that parts of the UBIFS image are
corrupted), but that is not implemented yet.

Offline signed images
=====================

Currently UBIFS authentication is only supported on the default filesystem the
kernel creates when an empty UBI volume is found. Support for offline signed
images is in the makings. Preliminary patches for the Kernel and mtd-utils are
ready and can be shared on request, otherwise I'll continue on them once
this basic patchset is ready and merged.

Testing
=======

I've gone through various tests including powercut tests over the weekend and
running xfstests. It is tested on real hardware (i.MX6 based) on a 2k page NAND
and in nandsim on a simulated 512b page NAND in big LPT mode. Basic testing has
been done with all chk_* ubifs flags set to 1, lockdep enabled.

This patchset is based on v4.19-rc2 and can be obtained here:

git://git.pengutronix.de/sha/linux ubifs-authentication-v2

Changes since v1:

- rebase onto v4.19-rc2
- Add missing ubifs_copy_hash() in make_idx_node to make in-the-gaps method work
  with authentication
- Return error codes from all crypto related functions and forward error
- Remove VLAs
- rename c->superblock to c->sup_node
- use UBIFS_HASH_ARR_SZ for array sizes. UBIFS_HASH_ARR_SZ is set to 0
  for non authenticated fs and to UBIFS_MAX_HASH_LEN for authenticated fs
- Add common bad-hash report handler
- fix various comments
- Add missing ubifs_add_dirt() in the garbage collectors move_nodes() function
- add ubifs_add_auth_dirt() to add dirt for an authentication node

/Sascha

Sascha Hauer (25):
  ARM: imx_v6_v7_defconfig: update
  ubifs: refactor create_default_filesystem()
  ubifs: pass ubifs_zbranch to try_read_node()
  ubifs: pass ubifs_zbranch to read_znode()
  ubifs: export pnode_lookup as ubifs_pnode_lookup
  ubifs: implement ubifs_lpt_lookup using ubifs_pnode_lookup
  ubifs: drop write_node
  ubifs: Store read superblock node
  ubifs: Format changes for authentication support
  ubifs: add separate functions to init/crc a node
  ubifs: add helper functions for authentication support
  ubifs: Create functions to embed a HMAC in a node
  ubifs: Add hashes to the tree node cache
  ubifs: authentication: Add hashes to index nodes
  ubifs: Add authentication nodes to journal
  ubifs: Add auth nodes to garbage collector journal head
  ubifs: authenticate replayed journal
  ubifs: authentication: authenticate LPT
  ubfis: authentication: authenticate master node
  ubifs: Create hash for default LPT
  ubifs: authentication: Authenticate super block node
  ubifs: Add hashes and HMACs to default filesystem
  ubifs: do not update inode size in-place in authenticated mode
  ubifs: Enable authentication support
  Documentation: ubifs: Add authentication whitepaper

 .../filesystems/ubifs-authentication.md       | 426 +++++++++++++++
 Documentation/filesystems/ubifs.txt           |   7 +
 arch/arm/configs/imx_v6_v7_defconfig          |  15 +-
 fs/ubifs/Kconfig                              |  11 +
 fs/ubifs/Makefile                             |   1 +
 fs/ubifs/auth.c                               | 502 ++++++++++++++++++
 fs/ubifs/debug.c                              |   6 +
 fs/ubifs/gc.c                                 |  49 +-
 fs/ubifs/io.c                                 | 110 +++-
 fs/ubifs/journal.c                            | 289 +++++++---
 fs/ubifs/log.c                                |  24 +
 fs/ubifs/lpt.c                                | 184 ++++++-
 fs/ubifs/lpt_commit.c                         |  44 +-
 fs/ubifs/master.c                             |  64 ++-
 fs/ubifs/misc.h                               |   5 +-
 fs/ubifs/recovery.c                           | 120 +++--
 fs/ubifs/replay.c                             | 177 +++++-
 fs/ubifs/sb.c                                 | 207 +++++---
 fs/ubifs/super.c                              |  91 +++-
 fs/ubifs/tnc.c                                |  36 +-
 fs/ubifs/tnc_commit.c                         |  27 +
 fs/ubifs/tnc_misc.c                           |  26 +-
 fs/ubifs/ubifs-media.h                        |  46 +-
 fs/ubifs/ubifs.h                              | 253 ++++++++-
 24 files changed, 2422 insertions(+), 298 deletions(-)
 create mode 100644 Documentation/filesystems/ubifs-authentication.md
 create mode 100644 fs/ubifs/auth.c

-- 
2.18.0