Re: [PATCH 00/11] dm: verity: Add transparent integrity checking target

[Tobias Waldekranz <tobias@waldekranz.com>]

On ons, okt 08, 2025 at 09:30, Ahmad Fatoum <a.fatoum@pengutronix.de> wrote:
> Hi,
>
> On 07.10.25 22:15, Tobias Waldekranz wrote:
>> On tis, okt 07, 2025 at 11:05, Ahmad Fatoum <a.fatoum@pengutronix.de> wrote:
>>>> To avoid having to integrate full ASN.1 + X509 parsing in Barebox, my
>>>> plan is:
>>>
>>> We've been piecewise importing crypto primitives from the Linux kernel
>>> so far, but I've been thinking if we shouldn't take the leap and import
>>> mbedtls, but we haven't had the need so far. Sascha is not opposed, if
>>> there's a good use case for it.
>> 
>> IMO, for this particular feature, it is certainly possible to get by
>> without something like that. I have implemented signature validation by
>> pretty much following the road-map detailed in my original message:
>> 
>> https://github.com/wkz/barebox/commit/4779bd7c766bab704aed982d8fa79d99078633b7#diff-4a7f94e9bbcea0d43614b6f3e7edeedfc0a597a1d284c9ffe4f002ad621f580fR127-R128
>
> Cool. mbedtls will have to wait then...
>
> /me dreams of a future with a network block device on top of a smoltcp
> stack that maps a verity RAUC bundle that's downloaded as needed via
> HTTP range requests and then network booted (after verifying the
> signed root hash with mbedtls of course). Not because we absolutely need
> to, but because we can.
>
>> The work is now stalled on getting
>> https://github.com/pengutronix/genimage/pull/312 merged (yes, I am
>> shamelessly trying to get some attention on this PR :)),
>
> This might turn out to be successful. Let's see..
>
>> 
>> - ...so that can be included in a new release of genimage,
>> 
>> - ...so that I can eventually include that in
>>   ghcr.io/barebox/barebox/barebox-ci,
>
> I have little issue with building our own genimage during container
> creation or even our own Qemu (just thought about it today because of
> https://patchwork.ozlabs.org/project/qemu-devel/list/?series=472897&state=*

Nice feature. It will be great to be able to test that together with
OP-TEE in QEMU!

>> - ...so that I can then use it to generate test images,
>> 
>> - ...so that I can write tests,
>> 
>> - ...so that I can publish v1
>> 
>> ...its...a whole thing :)
>
> IMO, just send patches against the Containerfile and we rebuild it.
> We can create a new subdirectory, move the Containerfile into it and
> put the patches there as well.

So would you like those patches to add a clone+configure+build of
genimage to the Containerfile, or what do you have in mind?

The other option would be to make do without genimage, and create the
DDI using veritysetup+openssl(1)+dd.

Which would you prefer?

>> Anyway, this only works with existing crypto primitives because (a) we
>> can use the certificateFingerprint property to locate the key, without
>> having to parse the PKCS#7 data and (b) because the hash algorithm is
>> specified by DPS to SHA256, again letting us skip over parsing the ASN.1
>> data to determine that.
>> 
>> If we want to support more general operations, e.g. have some
>> lightweight openssl(1)-like command that can validate detached
>> signatures, then I think something like mbedtls is definitely needed.
>
> I see.
>
>>> Jonas (Cc'd) is working right now in a backwards-compatible manner of
>>> attaching meta-data to keys, e.g.:
>>>
>>> export myfitkey="keyring=fit,hint=myhint:pkcs11:token=foo,bar;object=bl"
>>> export myjwtkey="keyring=jwt-myboard:jwt_pub.pem"
>> 
>> Shiny! Being able to have multiple keyrings is a great feature.
>
> Yes, and it would be extensible to associate extra data with a key
> in case you need this, although your fingerprint should probably
> just be generated by keytoc.

Yes, this is the approach I have taken:
https://github.com/wkz/barebox/commit/f2ee4cb4670c32104ac2ef2791c9e525b0d323ff

>>> This makes sense, even if there is no decision yet for
>>> https://github.com/uapi-group/specifications/issues/167
>> 
>> Ehm, yeah. I have lots of thoughts about the response to this
>> issue. Maybe over a beer sometime :)
>
> I might take you up on that if you are at 39c3 or FrOSCon ;)

Unfortunately not - hopefully our paths will cross at some other
conference! :)

>>> I would suggest we hardcode (and document) that in case there are
>>> multiple candidates, the ones closest after the root partition are taken?
>> 
>> I think this is a great approach. Simple, yet seems like it solves all
>> the common setups.
>
> It's a bit magic/implicit, but if we are going to implement it as is some
> way, this would make it at least reproducible.

If you want (a) backwards compatibility and (b) something that does not
require any ACK from the UAPI group, then I think it is the best we can
do.

>>>> - Having a build-time option that limits booting to only be allowed
>>>>   from trusted filesystems.
>>>
>>> Ye, for users without security policies, a build-time option would be apt.
>> 
>> No no, forget that - just I suggested that someone who already owns a
>> 2kW electric nailgun should buy a hammer :)
>
> Heh, I think there is place for both. If something is not needed at all
> in a build, we should still be able to disable it completely with no
> way back (sans exploits).
>
>> I just watched your talk and Security policies sound really great!
>> 
>> Is there any information/examples on how to use JWTs to dynamically
>> switch into a developer/rma mode?
>
> The project for which I upstreamed JWT support hasn't yet switched
> over to security policies (v2025.10.0 will be the first release with them
> expectedly). I will probably add an example to the 32-bit Qemu platform,
> so it's possible to:
>
> pytest --interactive --bootarg barebox.security.token=$(cat common/boards/qemu-virt/devel.token)

Cool. Can you then place a unique ID from a fusebox or something in the
token, so that it is bound to a single device?

> Cheers,
> Ahmad
>
>> 
>>> Cheers,
>>> Ahmad
>>>
>>>>
>>>> Tobias Waldekranz (11):
>>>>   dm: Add helper to manage a lower device
>>>>   dm: linear: Refactor to make use of the generalized cdev management
>>>>   dm: verity: Add transparent integrity checking target
>>>>   dm: verity: Add helper to parse superblock information
>>>>   commands: veritysetup: Create dm-verity devices
>>>>   ci: pytest: Open up testfs to more consumers than the FIT test
>>>>   ci: pytest: Enable testfs feature on malta boards
>>>>   ci: pytest: Generate test data for dm-verity
>>>>   test: pytest: add basic dm-verity test
>>>>   ci: pytest: Centralize feature discovery to a separate step
>>>>   ci: pytest: Enable device-mapper labgrid tests
>>>>
>>>>  .github/workflows/test-labgrid-pytest.yml     |  26 +-
>>>>  arch/mips/configs/qemu-malta_defconfig        |   4 +
>>>>  commands/Kconfig                              |  10 +
>>>>  commands/Makefile                             |   1 +
>>>>  commands/veritysetup.c                        | 123 +++++
>>>>  .../boards/configs/enable_dm_testing.config   |   9 +
>>>>  drivers/block/dm/Kconfig                      |   7 +
>>>>  drivers/block/dm/Makefile                     |   1 +
>>>>  drivers/block/dm/dm-core.c                    | 118 ++++
>>>>  drivers/block/dm/dm-linear.c                  |  64 +--
>>>>  drivers/block/dm/dm-target.h                  |  34 ++
>>>>  drivers/block/dm/dm-verity.c                  | 517 ++++++++++++++++++
>>>>  include/device-mapper.h                       |   5 +
>>>>  scripts/generate_testfs.sh                    |  64 ++-
>>>>  test/mips/be@qemu-malta_defconfig.yaml        |   1 +
>>>>  test/mips/qemu-malta64el_defconfig.yaml       |   1 +
>>>>  test/py/test_dm.py                            |  38 ++
>>>>  test/py/test_fit.py                           |   4 +-
>>>>  test/riscv/qemu-virt64@rv64i_defconfig.yaml   |   1 +
>>>>  test/riscv/qemu@virt32_defconfig.yaml         |   1 +
>>>>  20 files changed, 968 insertions(+), 61 deletions(-)
>>>>  create mode 100644 commands/veritysetup.c
>>>>  create mode 100644 common/boards/configs/enable_dm_testing.config
>>>>  create mode 100644 drivers/block/dm/dm-verity.c
>>>>  create mode 100644 test/py/test_dm.py
>>>>
>>>
>>>
>>> -- 
>>> Pengutronix e.K.                           |                             |
>>> Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
>>> 31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
>>> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |
>> 
>
>
> -- 
> Pengutronix e.K.                           |                             |
> Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
> 31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
> Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |