1 .. SPDX-License-Identifier: GPL-2.0 1 .. SPDX-License-Identifier: GPL-2.0 2 2 3 .. UBIFS Authentication 3 .. UBIFS Authentication 4 .. sigma star gmbh 4 .. sigma star gmbh 5 .. 2018 5 .. 2018 6 6 7 ============================ 7 ============================ 8 UBIFS Authentication Support 8 UBIFS Authentication Support 9 ============================ 9 ============================ 10 10 11 Introduction 11 Introduction 12 ============ 12 ============ 13 13 14 UBIFS utilizes the fscrypt framework to provid 14 UBIFS utilizes the fscrypt framework to provide confidentiality for file 15 contents and file names. This prevents attacks 15 contents and file names. This prevents attacks where an attacker is able to 16 read contents of the filesystem on a single po 16 read contents of the filesystem on a single point in time. A classic example 17 is a lost smartphone where the attacker is una 17 is a lost smartphone where the attacker is unable to read personal data stored 18 on the device without the filesystem decryptio 18 on the device without the filesystem decryption key. 19 19 20 At the current state, UBIFS encryption however 20 At the current state, UBIFS encryption however does not prevent attacks where 21 the attacker is able to modify the filesystem 21 the attacker is able to modify the filesystem contents and the user uses the 22 device afterwards. In such a scenario an attac 22 device afterwards. In such a scenario an attacker can modify filesystem 23 contents arbitrarily without the user noticing 23 contents arbitrarily without the user noticing. One example is to modify a 24 binary to perform a malicious action when exec 24 binary to perform a malicious action when executed [DMC-CBC-ATTACK]. Since 25 most of the filesystem metadata of UBIFS is st 25 most of the filesystem metadata of UBIFS is stored in plain, this makes it 26 fairly easy to swap files and replace their co 26 fairly easy to swap files and replace their contents. 27 27 28 Other full disk encryption systems like dm-cry 28 Other full disk encryption systems like dm-crypt cover all filesystem metadata, 29 which makes such kinds of attacks more complic 29 which makes such kinds of attacks more complicated, but not impossible. 30 Especially, if the attacker is given access to 30 Especially, if the attacker is given access to the device multiple points in 31 time. For dm-crypt and other filesystems that 31 time. For dm-crypt and other filesystems that build upon the Linux block IO 32 layer, the dm-integrity or dm-verity subsystem 32 layer, the dm-integrity or dm-verity subsystems [DM-INTEGRITY, DM-VERITY] 33 can be used to get full data authentication at 33 can be used to get full data authentication at the block layer. 34 These can also be combined with dm-crypt [CRYP 34 These can also be combined with dm-crypt [CRYPTSETUP2]. 35 35 36 This document describes an approach to get fil 36 This document describes an approach to get file contents _and_ full metadata 37 authentication for UBIFS. Since UBIFS uses fsc 37 authentication for UBIFS. Since UBIFS uses fscrypt for file contents and file 38 name encryption, the authentication system cou 38 name encryption, the authentication system could be tied into fscrypt such that 39 existing features like key derivation can be u 39 existing features like key derivation can be utilized. It should however also 40 be possible to use UBIFS authentication withou 40 be possible to use UBIFS authentication without using encryption. 41 41 42 42 43 MTD, UBI & UBIFS 43 MTD, UBI & UBIFS 44 ---------------- 44 ---------------- 45 45 46 On Linux, the MTD (Memory Technology Devices) 46 On Linux, the MTD (Memory Technology Devices) subsystem provides a uniform 47 interface to access raw flash devices. One of 47 interface to access raw flash devices. One of the more prominent subsystems that 48 work on top of MTD is UBI (Unsorted Block Imag 48 work on top of MTD is UBI (Unsorted Block Images). It provides volume management 49 for flash devices and is thus somewhat similar 49 for flash devices and is thus somewhat similar to LVM for block devices. In 50 addition, it deals with flash-specific wear-le 50 addition, it deals with flash-specific wear-leveling and transparent I/O error 51 handling. UBI offers logical erase blocks (LEB 51 handling. UBI offers logical erase blocks (LEBs) to the layers on top of it 52 and maps them transparently to physical erase 52 and maps them transparently to physical erase blocks (PEBs) on the flash. 53 53 54 UBIFS is a filesystem for raw flash which oper 54 UBIFS is a filesystem for raw flash which operates on top of UBI. Thus, wear 55 leveling and some flash specifics are left to 55 leveling and some flash specifics are left to UBI, while UBIFS focuses on 56 scalability, performance and recoverability. 56 scalability, performance and recoverability. 57 57 58 :: 58 :: 59 59 60 +------------+ +*******+ +-----------+ 60 +------------+ +*******+ +-----------+ +-----+ 61 | | * UBIFS * | UBI-BLOCK | 61 | | * UBIFS * | UBI-BLOCK | | ... | 62 | JFFS/JFFS2 | +*******+ +-----------+ 62 | JFFS/JFFS2 | +*******+ +-----------+ +-----+ 63 | | +---------------------- 63 | | +-----------------------------+ +-----------+ +-----+ 64 | | | UBI 64 | | | UBI | | MTD-BLOCK | | ... | 65 +------------+ +---------------------- 65 +------------+ +-----------------------------+ +-----------+ +-----+ 66 +------------------------------------- 66 +------------------------------------------------------------------+ 67 | MEMORY TECHNOLOGY D 67 | MEMORY TECHNOLOGY DEVICES (MTD) | 68 +------------------------------------- 68 +------------------------------------------------------------------+ 69 +-----------------------------+ +----- 69 +-----------------------------+ +--------------------------+ +-----+ 70 | NAND DRIVERS | | 70 | NAND DRIVERS | | NOR DRIVERS | | ... | 71 +-----------------------------+ +----- 71 +-----------------------------+ +--------------------------+ +-----+ 72 72 73 Figure 1: Linux kernel subsystems 73 Figure 1: Linux kernel subsystems for dealing with raw flash 74 74 75 75 76 76 77 Internally, UBIFS maintains multiple data stru 77 Internally, UBIFS maintains multiple data structures which are persisted on 78 the flash: 78 the flash: 79 79 80 - *Index*: an on-flash B+ tree where the leaf 80 - *Index*: an on-flash B+ tree where the leaf nodes contain filesystem data 81 - *Journal*: an additional data structure to c 81 - *Journal*: an additional data structure to collect FS changes before updating 82 the on-flash index and reduce flash wear. 82 the on-flash index and reduce flash wear. 83 - *Tree Node Cache (TNC)*: an in-memory B+ tre 83 - *Tree Node Cache (TNC)*: an in-memory B+ tree that reflects the current FS 84 state to avoid frequent flash reads. It is b 84 state to avoid frequent flash reads. It is basically the in-memory 85 representation of the index, but contains ad 85 representation of the index, but contains additional attributes. 86 - *LEB property tree (LPT)*: an on-flash B+ tr 86 - *LEB property tree (LPT)*: an on-flash B+ tree for free space accounting per 87 UBI LEB. 87 UBI LEB. 88 88 89 In the remainder of this section we will cover 89 In the remainder of this section we will cover the on-flash UBIFS data 90 structures in more detail. The TNC is of less 90 structures in more detail. The TNC is of less importance here since it is never 91 persisted onto the flash directly. More detail 91 persisted onto the flash directly. More details on UBIFS can also be found in 92 [UBIFS-WP]. 92 [UBIFS-WP]. 93 93 94 94 95 UBIFS Index & Tree Node Cache 95 UBIFS Index & Tree Node Cache 96 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 96 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 97 97 98 Basic on-flash UBIFS entities are called *node 98 Basic on-flash UBIFS entities are called *nodes*. UBIFS knows different types 99 of nodes. Eg. data nodes (``struct ubifs_data_ 99 of nodes. Eg. data nodes (``struct ubifs_data_node``) which store chunks of file 100 contents or inode nodes (``struct ubifs_ino_no 100 contents or inode nodes (``struct ubifs_ino_node``) which represent VFS inodes. 101 Almost all types of nodes share a common heade 101 Almost all types of nodes share a common header (``ubifs_ch``) containing basic 102 information like node type, node length, a seq 102 information like node type, node length, a sequence number, etc. (see 103 ``fs/ubifs/ubifs-media.h`` in kernel source). 103 ``fs/ubifs/ubifs-media.h`` in kernel source). Exceptions are entries of the LPT 104 and some less important node types like paddin 104 and some less important node types like padding nodes which are used to pad 105 unusable content at the end of LEBs. 105 unusable content at the end of LEBs. 106 106 107 To avoid re-writing the whole B+ tree on every 107 To avoid re-writing the whole B+ tree on every single change, it is implemented 108 as *wandering tree*, where only the changed no 108 as *wandering tree*, where only the changed nodes are re-written and previous 109 versions of them are obsoleted without erasing 109 versions of them are obsoleted without erasing them right away. As a result, 110 the index is not stored in a single place on t 110 the index is not stored in a single place on the flash, but *wanders* around 111 and there are obsolete parts on the flash as l 111 and there are obsolete parts on the flash as long as the LEB containing them is 112 not reused by UBIFS. To find the most recent v 112 not reused by UBIFS. To find the most recent version of the index, UBIFS stores 113 a special node called *master node* into UBI L 113 a special node called *master node* into UBI LEB 1 which always points to the 114 most recent root node of the UBIFS index. For 114 most recent root node of the UBIFS index. For recoverability, the master node 115 is additionally duplicated to LEB 2. Mounting 115 is additionally duplicated to LEB 2. Mounting UBIFS is thus a simple read of 116 LEB 1 and 2 to get the current master node and 116 LEB 1 and 2 to get the current master node and from there get the location of 117 the most recent on-flash index. 117 the most recent on-flash index. 118 118 119 The TNC is the in-memory representation of the 119 The TNC is the in-memory representation of the on-flash index. It contains some 120 additional runtime attributes per node which a 120 additional runtime attributes per node which are not persisted. One of these is 121 a dirty-flag which marks nodes that have to be 121 a dirty-flag which marks nodes that have to be persisted the next time the 122 index is written onto the flash. The TNC acts 122 index is written onto the flash. The TNC acts as a write-back cache and all 123 modifications of the on-flash index are done t 123 modifications of the on-flash index are done through the TNC. Like other caches, 124 the TNC does not have to mirror the full index 124 the TNC does not have to mirror the full index into memory, but reads parts of 125 it from flash whenever needed. A *commit* is t 125 it from flash whenever needed. A *commit* is the UBIFS operation of updating the 126 on-flash filesystem structures like the index. 126 on-flash filesystem structures like the index. On every commit, the TNC nodes 127 marked as dirty are written to the flash to up 127 marked as dirty are written to the flash to update the persisted index. 128 128 129 129 130 Journal 130 Journal 131 ~~~~~~~ 131 ~~~~~~~ 132 132 133 To avoid wearing out the flash, the index is o 133 To avoid wearing out the flash, the index is only persisted (*committed*) when 134 certain conditions are met (eg. ``fsync(2)``). 134 certain conditions are met (eg. ``fsync(2)``). The journal is used to record 135 any changes (in form of inode nodes, data node 135 any changes (in form of inode nodes, data nodes etc.) between commits 136 of the index. During mount, the journal is rea 136 of the index. During mount, the journal is read from the flash and replayed 137 onto the TNC (which will be created on-demand 137 onto the TNC (which will be created on-demand from the on-flash index). 138 138 139 UBIFS reserves a bunch of LEBs just for the jo 139 UBIFS reserves a bunch of LEBs just for the journal called *log area*. The 140 amount of log area LEBs is configured on files 140 amount of log area LEBs is configured on filesystem creation (using 141 ``mkfs.ubifs``) and stored in the superblock n 141 ``mkfs.ubifs``) and stored in the superblock node. The log area contains only 142 two types of nodes: *reference nodes* and *com 142 two types of nodes: *reference nodes* and *commit start nodes*. A commit start 143 node is written whenever an index commit is pe 143 node is written whenever an index commit is performed. Reference nodes are 144 written on every journal update. Each referenc 144 written on every journal update. Each reference node points to the position of 145 other nodes (inode nodes, data nodes etc.) on 145 other nodes (inode nodes, data nodes etc.) on the flash that are part of this 146 journal entry. These nodes are called *buds* a 146 journal entry. These nodes are called *buds* and describe the actual filesystem 147 changes including their data. 147 changes including their data. 148 148 149 The log area is maintained as a ring. Whenever 149 The log area is maintained as a ring. Whenever the journal is almost full, 150 a commit is initiated. This also writes a comm 150 a commit is initiated. This also writes a commit start node so that during 151 mount, UBIFS will seek for the most recent com 151 mount, UBIFS will seek for the most recent commit start node and just replay 152 every reference node after that. Every referen 152 every reference node after that. Every reference node before the commit start 153 node will be ignored as they are already part 153 node will be ignored as they are already part of the on-flash index. 154 154 155 When writing a journal entry, UBIFS first ensu 155 When writing a journal entry, UBIFS first ensures that enough space is 156 available to write the reference node and buds 156 available to write the reference node and buds part of this entry. Then, the 157 reference node is written and afterwards the b 157 reference node is written and afterwards the buds describing the file changes. 158 On replay, UBIFS will record every reference n 158 On replay, UBIFS will record every reference node and inspect the location of 159 the referenced LEBs to discover the buds. If t 159 the referenced LEBs to discover the buds. If these are corrupt or missing, 160 UBIFS will attempt to recover them by re-readi 160 UBIFS will attempt to recover them by re-reading the LEB. This is however only 161 done for the last referenced LEB of the journa 161 done for the last referenced LEB of the journal. Only this can become corrupt 162 because of a power cut. If the recovery fails, 162 because of a power cut. If the recovery fails, UBIFS will not mount. An error 163 for every other LEB will directly cause UBIFS 163 for every other LEB will directly cause UBIFS to fail the mount operation. 164 164 165 :: 165 :: 166 166 167 | ---- LOG AREA ---- | --------- 167 | ---- LOG AREA ---- | ---------- MAIN AREA ------------ | 168 168 169 -----+------+-----+--------+---- --- 169 -----+------+-----+--------+---- ------+-----+-----+--------------- 170 \ | | | | / / 170 \ | | | | / / | | | \ 171 / CS | REF | REF | | \ \ DE 171 / CS | REF | REF | | \ \ DENT | INO | INO | / 172 \ | | | | / / 172 \ | | | | / / | | | \ 173 ----+------+-----+--------+--- ---- 173 ----+------+-----+--------+--- -------+-----+-----+---------------- 174 | | ^ 174 | | ^ ^ 175 | | | 175 | | | | 176 +------------------------+ 176 +------------------------+ | 177 | 177 | | 178 +---------------------- 178 +-------------------------------+ 179 179 180 180 181 Figure 2: UBIFS flash layout o 181 Figure 2: UBIFS flash layout of log area with commit start nodes 182 (CS) and reference n 182 (CS) and reference nodes (REF) pointing to main area 183 containing their bud 183 containing their buds 184 184 185 185 186 LEB Property Tree/Table 186 LEB Property Tree/Table 187 ~~~~~~~~~~~~~~~~~~~~~~~ 187 ~~~~~~~~~~~~~~~~~~~~~~~ 188 188 189 The LEB property tree is used to store per-LEB 189 The LEB property tree is used to store per-LEB information. This includes the 190 LEB type and amount of free and *dirty* (old, 190 LEB type and amount of free and *dirty* (old, obsolete content) space [1]_ on 191 the LEB. The type is important, because UBIFS 191 the LEB. The type is important, because UBIFS never mixes index nodes with data 192 nodes on a single LEB and thus each LEB has a 192 nodes on a single LEB and thus each LEB has a specific purpose. This again is 193 useful for free space calculations. See [UBIFS 193 useful for free space calculations. See [UBIFS-WP] for more details. 194 194 195 The LEB property tree again is a B+ tree, but 195 The LEB property tree again is a B+ tree, but it is much smaller than the 196 index. Due to its smaller size it is always wr 196 index. Due to its smaller size it is always written as one chunk on every 197 commit. Thus, saving the LPT is an atomic oper 197 commit. Thus, saving the LPT is an atomic operation. 198 198 199 199 200 .. [1] Since LEBs can only be appended and nev 200 .. [1] Since LEBs can only be appended and never overwritten, there is a 201 difference between free space ie. the remai 201 difference between free space ie. the remaining space left on the LEB to be 202 written to without erasing it and previousl 202 written to without erasing it and previously written content that is obsolete 203 but can't be overwritten without erasing th 203 but can't be overwritten without erasing the full LEB. 204 204 205 205 206 UBIFS Authentication 206 UBIFS Authentication 207 ==================== 207 ==================== 208 208 209 This chapter introduces UBIFS authentication w 209 This chapter introduces UBIFS authentication which enables UBIFS to verify 210 the authenticity and integrity of metadata and 210 the authenticity and integrity of metadata and file contents stored on flash. 211 211 212 212 213 Threat Model 213 Threat Model 214 ------------ 214 ------------ 215 215 216 UBIFS authentication enables detection of offl 216 UBIFS authentication enables detection of offline data modification. While it 217 does not prevent it, it enables (trusted) code 217 does not prevent it, it enables (trusted) code to check the integrity and 218 authenticity of on-flash file contents and fil 218 authenticity of on-flash file contents and filesystem metadata. This covers 219 attacks where file contents are swapped. 219 attacks where file contents are swapped. 220 220 221 UBIFS authentication will not protect against 221 UBIFS authentication will not protect against rollback of full flash contents. 222 Ie. an attacker can still dump the flash and r 222 Ie. an attacker can still dump the flash and restore it at a later time without 223 detection. It will also not protect against pa 223 detection. It will also not protect against partial rollback of individual 224 index commits. That means that an attacker is 224 index commits. That means that an attacker is able to partially undo changes. 225 This is possible because UBIFS does not immedi 225 This is possible because UBIFS does not immediately overwrites obsolete 226 versions of the index tree or the journal, but 226 versions of the index tree or the journal, but instead marks them as obsolete 227 and garbage collection erases them at a later 227 and garbage collection erases them at a later time. An attacker can use this by 228 erasing parts of the current tree and restorin 228 erasing parts of the current tree and restoring old versions that are still on 229 the flash and have not yet been erased. This i 229 the flash and have not yet been erased. This is possible, because every commit 230 will always write a new version of the index r 230 will always write a new version of the index root node and the master node 231 without overwriting the previous version. This 231 without overwriting the previous version. This is further helped by the 232 wear-leveling operations of UBI which copies c 232 wear-leveling operations of UBI which copies contents from one physical 233 eraseblock to another and does not atomically 233 eraseblock to another and does not atomically erase the first eraseblock. 234 234 235 UBIFS authentication does not cover attacks wh 235 UBIFS authentication does not cover attacks where an attacker is able to 236 execute code on the device after the authentic 236 execute code on the device after the authentication key was provided. 237 Additional measures like secure boot and trust 237 Additional measures like secure boot and trusted boot have to be taken to 238 ensure that only trusted code is executed on a 238 ensure that only trusted code is executed on a device. 239 239 240 240 241 Authentication 241 Authentication 242 -------------- 242 -------------- 243 243 244 To be able to fully trust data read from flash 244 To be able to fully trust data read from flash, all UBIFS data structures 245 stored on flash are authenticated. That is: 245 stored on flash are authenticated. That is: 246 246 247 - The index which includes file contents, file 247 - The index which includes file contents, file metadata like extended 248 attributes, file length etc. 248 attributes, file length etc. 249 - The journal which also contains file content 249 - The journal which also contains file contents and metadata by recording changes 250 to the filesystem 250 to the filesystem 251 - The LPT which stores UBI LEB metadata which 251 - The LPT which stores UBI LEB metadata which UBIFS uses for free space accounting 252 252 253 253 254 Index Authentication 254 Index Authentication 255 ~~~~~~~~~~~~~~~~~~~~ 255 ~~~~~~~~~~~~~~~~~~~~ 256 256 257 Through UBIFS' concept of a wandering tree, it 257 Through UBIFS' concept of a wandering tree, it already takes care of only 258 updating and persisting changed parts from lea 258 updating and persisting changed parts from leaf node up to the root node 259 of the full B+ tree. This enables us to augmen 259 of the full B+ tree. This enables us to augment the index nodes of the tree 260 with a hash over each node's child nodes. As a 260 with a hash over each node's child nodes. As a result, the index basically also 261 a Merkle tree. Since the leaf nodes of the ind 261 a Merkle tree. Since the leaf nodes of the index contain the actual filesystem 262 data, the hashes of their parent index nodes t 262 data, the hashes of their parent index nodes thus cover all the file contents 263 and file metadata. When a file changes, the UB 263 and file metadata. When a file changes, the UBIFS index is updated accordingly 264 from the leaf nodes up to the root node includ 264 from the leaf nodes up to the root node including the master node. This process 265 can be hooked to recompute the hash only for e 265 can be hooked to recompute the hash only for each changed node at the same time. 266 Whenever a file is read, UBIFS can verify the 266 Whenever a file is read, UBIFS can verify the hashes from each leaf node up to 267 the root node to ensure the node's integrity. 267 the root node to ensure the node's integrity. 268 268 269 To ensure the authenticity of the whole index, 269 To ensure the authenticity of the whole index, the UBIFS master node stores a 270 keyed hash (HMAC) over its own contents and a 270 keyed hash (HMAC) over its own contents and a hash of the root node of the index 271 tree. As mentioned above, the master node is a 271 tree. As mentioned above, the master node is always written to the flash whenever 272 the index is persisted (ie. on index commit). 272 the index is persisted (ie. on index commit). 273 273 274 Using this approach only UBIFS index nodes and 274 Using this approach only UBIFS index nodes and the master node are changed to 275 include a hash. All other types of nodes will 275 include a hash. All other types of nodes will remain unchanged. This reduces 276 the storage overhead which is precious for use 276 the storage overhead which is precious for users of UBIFS (ie. embedded 277 devices). 277 devices). 278 278 279 :: 279 :: 280 280 281 +---------------+ 281 +---------------+ 282 | Master Node | 282 | Master Node | 283 | (hash) | 283 | (hash) | 284 +---------------+ 284 +---------------+ 285 | 285 | 286 v 286 v 287 +----------------- 287 +-------------------+ 288 | Index Node #1 288 | Index Node #1 | 289 | 289 | | 290 | branch0 branch 290 | branch0 branchn | 291 | (hash) (hash) 291 | (hash) (hash) | 292 +----------------- 292 +-------------------+ 293 | ... | ( 293 | ... | (fanout: 8) 294 | | 294 | | 295 +-------+ +--- 295 +-------+ +------+ 296 | 296 | | 297 v 297 v v 298 +-------------------+ +----- 298 +-------------------+ +-------------------+ 299 | Index Node #2 | | Ind 299 | Index Node #2 | | Index Node #3 | 300 | | | 300 | | | | 301 | branch0 branchn | | bran 301 | branch0 branchn | | branch0 branchn | 302 | (hash) (hash) | | (has 302 | (hash) (hash) | | (hash) (hash) | 303 +-------------------+ +----- 303 +-------------------+ +-------------------+ 304 | ... | 304 | ... | ... | 305 v v 305 v v v 306 +-----------+ +-------- 306 +-----------+ +----------+ +-----------+ 307 | Data Node | | INO Nod 307 | Data Node | | INO Node | | DENT Node | 308 +-----------+ +-------- 308 +-----------+ +----------+ +-----------+ 309 309 310 310 311 Figure 3: Coverage areas of index n 311 Figure 3: Coverage areas of index node hash and master node HMAC 312 312 313 313 314 314 315 The most important part for robustness and pow 315 The most important part for robustness and power-cut safety is to atomically 316 persist the hash and file contents. Here the e 316 persist the hash and file contents. Here the existing UBIFS logic for how 317 changed nodes are persisted is already designe 317 changed nodes are persisted is already designed for this purpose such that 318 UBIFS can safely recover if a power-cut occurs 318 UBIFS can safely recover if a power-cut occurs while persisting. Adding 319 hashes to index nodes does not change this sin 319 hashes to index nodes does not change this since each hash will be persisted 320 atomically together with its respective node. 320 atomically together with its respective node. 321 321 322 322 323 Journal Authentication 323 Journal Authentication 324 ~~~~~~~~~~~~~~~~~~~~~~ 324 ~~~~~~~~~~~~~~~~~~~~~~ 325 325 326 The journal is authenticated too. Since the jo 326 The journal is authenticated too. Since the journal is continuously written 327 it is necessary to also add authentication inf 327 it is necessary to also add authentication information frequently to the 328 journal so that in case of a powercut not too 328 journal so that in case of a powercut not too much data can't be authenticated. 329 This is done by creating a continuous hash beg 329 This is done by creating a continuous hash beginning from the commit start node 330 over the previous reference nodes, the current 330 over the previous reference nodes, the current reference node, and the bud 331 nodes. From time to time whenever it is suitab 331 nodes. From time to time whenever it is suitable authentication nodes are added 332 between the bud nodes. This new node type cont 332 between the bud nodes. This new node type contains a HMAC over the current state 333 of the hash chain. That way a journal can be a 333 of the hash chain. That way a journal can be authenticated up to the last 334 authentication node. The tail of the journal w 334 authentication node. The tail of the journal which may not have a authentication 335 node cannot be authenticated and is skipped du 335 node cannot be authenticated and is skipped during journal replay. 336 336 337 We get this picture for journal authentication 337 We get this picture for journal authentication:: 338 338 339 ,,,,,,,, 339 ,,,,,,,, 340 ,......,.................................. 340 ,......,........................................... 341 ,. CS , hash1.----. 341 ,. CS , hash1.----. hash2.----. 342 ,. | , . |hmac 342 ,. | , . |hmac . |hmac 343 ,. v , . v 343 ,. v , . v . v 344 ,.REF#0,-> bud -> bud -> bud.-> auth -> bu 344 ,.REF#0,-> bud -> bud -> bud.-> auth -> bud -> bud.-> auth ... 345 ,..|...,.................................. 345 ,..|...,........................................... 346 , | , 346 , | , 347 , | ,,,,,,,,,,,,,,, 347 , | ,,,,,,,,,,,,,,, 348 . | hash3,----. 348 . | hash3,----. 349 , | , |hmac 349 , | , |hmac 350 , v , v 350 , v , v 351 , REF#1 -> bud -> bud,-> auth ... 351 , REF#1 -> bud -> bud,-> auth ... 352 ,,,|,,,,,,,,,,,,,,,,,, 352 ,,,|,,,,,,,,,,,,,,,,,, 353 v 353 v 354 REF#2 -> ... 354 REF#2 -> ... 355 | 355 | 356 V 356 V 357 ... 357 ... 358 358 359 Since the hash also includes the reference nod 359 Since the hash also includes the reference nodes an attacker cannot reorder or 360 skip any journal heads for replay. An attacker 360 skip any journal heads for replay. An attacker can only remove bud nodes or 361 reference nodes from the end of the journal, e 361 reference nodes from the end of the journal, effectively rewinding the 362 filesystem at maximum back to the last commit. 362 filesystem at maximum back to the last commit. 363 363 364 The location of the log area is stored in the 364 The location of the log area is stored in the master node. Since the master 365 node is authenticated with a HMAC as described 365 node is authenticated with a HMAC as described above, it is not possible to 366 tamper with that without detection. The size o 366 tamper with that without detection. The size of the log area is specified when 367 the filesystem is created using `mkfs.ubifs` a 367 the filesystem is created using `mkfs.ubifs` and stored in the superblock node. 368 To avoid tampering with this and other values 368 To avoid tampering with this and other values stored there, a HMAC is added to 369 the superblock struct. The superblock node is 369 the superblock struct. The superblock node is stored in LEB 0 and is only 370 modified on feature flag or similar changes, b 370 modified on feature flag or similar changes, but never on file changes. 371 371 372 372 373 LPT Authentication 373 LPT Authentication 374 ~~~~~~~~~~~~~~~~~~ 374 ~~~~~~~~~~~~~~~~~~ 375 375 376 The location of the LPT root node on the flash 376 The location of the LPT root node on the flash is stored in the UBIFS master 377 node. Since the LPT is written and read atomic 377 node. Since the LPT is written and read atomically on every commit, there is 378 no need to authenticate individual nodes of th 378 no need to authenticate individual nodes of the tree. It suffices to 379 protect the integrity of the full LPT by a sim 379 protect the integrity of the full LPT by a simple hash stored in the master 380 node. Since the master node itself is authenti 380 node. Since the master node itself is authenticated, the LPTs authenticity can 381 be verified by verifying the authenticity of t 381 be verified by verifying the authenticity of the master node and comparing the 382 LTP hash stored there with the hash computed f 382 LTP hash stored there with the hash computed from the read on-flash LPT. 383 383 384 384 385 Key Management 385 Key Management 386 -------------- 386 -------------- 387 387 388 For simplicity, UBIFS authentication uses a si 388 For simplicity, UBIFS authentication uses a single key to compute the HMACs 389 of superblock, master, commit start and refere 389 of superblock, master, commit start and reference nodes. This key has to be 390 available on creation of the filesystem (`mkfs 390 available on creation of the filesystem (`mkfs.ubifs`) to authenticate the 391 superblock node. Further, it has to be availab 391 superblock node. Further, it has to be available on mount of the filesystem 392 to verify authenticated nodes and generate new 392 to verify authenticated nodes and generate new HMACs for changes. 393 393 394 UBIFS authentication is intended to operate si 394 UBIFS authentication is intended to operate side-by-side with UBIFS encryption 395 (fscrypt) to provide confidentiality and authe 395 (fscrypt) to provide confidentiality and authenticity. Since UBIFS encryption 396 has a different approach of encryption policie 396 has a different approach of encryption policies per directory, there can be 397 multiple fscrypt master keys and there might b 397 multiple fscrypt master keys and there might be folders without encryption. 398 UBIFS authentication on the other hand has an 398 UBIFS authentication on the other hand has an all-or-nothing approach in the 399 sense that it either authenticates everything 399 sense that it either authenticates everything of the filesystem or nothing. 400 Because of this and because UBIFS authenticati 400 Because of this and because UBIFS authentication should also be usable without 401 encryption, it does not share the same master 401 encryption, it does not share the same master key with fscrypt, but manages 402 a dedicated authentication key. 402 a dedicated authentication key. 403 403 404 The API for providing the authentication key h 404 The API for providing the authentication key has yet to be defined, but the 405 key can eg. be provided by userspace through a 405 key can eg. be provided by userspace through a keyring similar to the way it 406 is currently done in fscrypt. It should howeve 406 is currently done in fscrypt. It should however be noted that the current 407 fscrypt approach has shown its flaws and the u 407 fscrypt approach has shown its flaws and the userspace API will eventually 408 change [FSCRYPT-POLICY2]. 408 change [FSCRYPT-POLICY2]. 409 409 410 Nevertheless, it will be possible for a user t 410 Nevertheless, it will be possible for a user to provide a single passphrase 411 or key in userspace that covers UBIFS authenti 411 or key in userspace that covers UBIFS authentication and encryption. This can 412 be solved by the corresponding userspace tools 412 be solved by the corresponding userspace tools which derive a second key for 413 authentication in addition to the derived fscr 413 authentication in addition to the derived fscrypt master key used for 414 encryption. 414 encryption. 415 415 416 To be able to check if the proper key is avail 416 To be able to check if the proper key is available on mount, the UBIFS 417 superblock node will additionally store a hash 417 superblock node will additionally store a hash of the authentication key. This 418 approach is similar to the approach proposed f 418 approach is similar to the approach proposed for fscrypt encryption policy v2 419 [FSCRYPT-POLICY2]. 419 [FSCRYPT-POLICY2]. 420 420 421 421 422 Future Extensions 422 Future Extensions 423 ================= 423 ================= 424 424 425 In certain cases where a vendor wants to provi 425 In certain cases where a vendor wants to provide an authenticated filesystem 426 image to customers, it should be possible to d 426 image to customers, it should be possible to do so without sharing the secret 427 UBIFS authentication key. Instead, in addition 427 UBIFS authentication key. Instead, in addition the each HMAC a digital 428 signature could be stored where the vendor sha 428 signature could be stored where the vendor shares the public key alongside the 429 filesystem image. In case this filesystem has 429 filesystem image. In case this filesystem has to be modified afterwards, 430 UBIFS can exchange all digital signatures with 430 UBIFS can exchange all digital signatures with HMACs on first mount similar 431 to the way the IMA/EVM subsystem deals with su 431 to the way the IMA/EVM subsystem deals with such situations. The HMAC key 432 will then have to be provided beforehand in th 432 will then have to be provided beforehand in the normal way. 433 433 434 434 435 References 435 References 436 ========== 436 ========== 437 437 438 [CRYPTSETUP2] https://www.saout.de/pipe 438 [CRYPTSETUP2] https://www.saout.de/pipermail/dm-crypt/2017-November/005745.html 439 439 440 [DMC-CBC-ATTACK] https://www.jakoblell.com 440 [DMC-CBC-ATTACK] https://www.jakoblell.com/blog/2013/12/22/practical-malleability-attack-against-cbc-encrypted-luks-partitions/ 441 441 442 [DM-INTEGRITY] https://www.kernel.org/do 442 [DM-INTEGRITY] https://www.kernel.org/doc/Documentation/device-mapper/dm-integrity.rst 443 443 444 [DM-VERITY] https://www.kernel.org/do 444 [DM-VERITY] https://www.kernel.org/doc/Documentation/device-mapper/verity.rst 445 445 446 [FSCRYPT-POLICY2] https://www.spinics.net/l 446 [FSCRYPT-POLICY2] https://www.spinics.net/lists/linux-ext4/msg58710.html 447 447 448 [UBIFS-WP] http://www.linux-mtd.infr 448 [UBIFS-WP] http://www.linux-mtd.infradead.org/doc/ubifs_whitepaper.pdf
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.