fs-qtd.so

Shared object that supports the QNX Trusted Disk feature (QNX Neutrino)

Syntax:

driver … qtd key=path,[cache=size],
                  [rollback=version],[stats],[verify],
                  [verbose=verbosity_level]… &

Runs on:

QNX Neutrino

Options:

driver
Any of the devb-* drivers.

The following options can be specified in any order.

key=path
A mandatory option that specifies the file path of the public key used to verify the QTD signature.
cache=size
(Optional) Specify the cache size in number of tree hashes or one of the following values:
  • 0 — Disable caching.
  • max — Cache all blocks. Not recommended.
If omitted, the cache size defaults to 5% of the total number of hash blocks, or to the total number of hash blocks if there are fewer than 20.
rollback=version
(Optional) A version value to compare with the version value of the image superblock. If the version of the image superblock is less than this value, mounting fails.
stats
(Optional) Print QTD Merkle statistics on mount.
verify
(Optional) Execute a full disk verification on mount.
This option can be used to verify the full integrity of a filesystem before allowing it to be mounted.
Note: Because this option can stall the mount for a very long time if the filesystem size is large, avoid using it if speed matters.
verbose=verbosity_level
(Optional) Print additional information during driver operation.
Note: This option is usually used for debugging. If verbosity_level is omitted, the value is 1.

Description:

The fs-qtd.so shared object provides support for the QNX Trusted Disk feature (QTD). It's loaded by devb-* drivers when mounting a QTD partition.

QTD enables integrity protection of read-only filesystem partitions through the combination of hash trees and PKI crypto signatures.

A QTD-mounted disk behaves like a block device of the size of the inner filesystem blob that it protects. Because verification of the disk contents is done on disk block access, only blocks that are accessed contribute to performance cost. QTD also boosts performance by caching the internal hash calculation, which reduces the number of hash operations while preserving the security features.

Performance is also affected by the chosen block size and the hash algorithm. The security strength of the hash function has an impact on the digest size, which in turn has an impact on the compactness of the hash tree. Performance is usually optimal if the QTD block size is equal to the block size of the protected filesystem.
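To make the on-access verification and hash caching described above concrete, here is an added illustration in Python; it is not part of fs-qtd.so or the QTD on-disk format. It assumes SHA-256, a binary hash tree over fixed-size blocks, and a trusted root hash that stands in for the root whose signature was checked with the key= option at mount time:

```python
import hashlib
from collections import OrderedDict

BLOCK_SIZE = 16  # constructed, tiny block size for the demo

def _h(*parts):
    return hashlib.sha256(b"".join(parts)).digest()

def build_tree(data, block_size=BLOCK_SIZE):
    """Split data into blocks and build every hash-tree level, leaves first."""
    blocks = [data[i:i + block_size] for i in range(0, len(data), block_size)]
    levels = [[_h(b) for b in blocks]]
    while len(levels[-1]) > 1:
        prev = levels[-1]  # an unpaired last node is hashed with itself
        levels.append([_h(prev[i], prev[i + 1] if i + 1 < len(prev) else prev[i])
                       for i in range(0, len(prev), 2)])
    return blocks, levels

class TrustedDisk:
    """Block device whose reads are verified on access against a trusted root."""
    def __init__(self, blocks, levels, trusted_root, cache_size):
        # trusted_root stands in for the root hash whose PKI signature was checked
        # once at mount (key= option); blocks and levels are untrusted on-disk data.
        self.blocks, self.levels, self.trusted_root = blocks, levels, trusted_root
        self.cache_size = cache_size  # 0 disables caching, like cache=0
        self.cache = OrderedDict()  # (level, index) -> digest already verified to root
        self.hash_ops = 0  # counter showing how much hash work caching saves

    def read(self, idx):
        """Return block idx, or raise EIO if its hash chain does not reach the root."""
        block, path = self.blocks[idx], []
        node = _h(block); self.hash_ops += 1
        for lvl in range(len(self.levels) - 1):
            if self.cache.get((lvl, idx)) == node:
                break  # this node was already verified up to the root: stop early
            path.append(((lvl, idx), node))
            level = self.levels[lvl]
            sib = level[idx ^ 1] if idx ^ 1 < len(level) else node
            node = _h(node, sib) if idx % 2 == 0 else _h(sib, node)
            self.hash_ops += 1
            idx //= 2
        else:
            if node != self.trusted_root:  # fail closed; nothing is cached on failure
                raise OSError(5, "integrity verification failed")
        for key, digest in (path if self.cache_size else []):
            self.cache[key] = digest  # only nodes that chained to the root get cached
            while len(self.cache) > self.cache_size:
                self.cache.popitem(last=False)  # evict oldest entry
        return block
```

Reading the same block a second time costs one hash instead of the whole path to the root, and a neighbouring block stops as soon as it meets an already verified parent; with cache_size=0 every read pays the full path, and a tampered block always fails closed with EIO.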

For information on how to build a QTD image, see mkqfs.

Capturing integrity verification errors

By default, data that fails the integrity check is not returned to the caller. The failure is reported as an EIO error, a code that the disk driver stack also returns for ordinary I/O failures, so the error code alone does not identify an integrity violation. QTD also reports integrity verification errors as security events through the inotify_qnx_ext() extension. Because these events can indicate that the data has been corrupted (possibly with malicious intent), systems should listen for and act on them.

Example:

The following command logs inotify events, such as verification errors, that occur on a QTD mount point. In this case, /qtd is the QTD mount point:

fsnotify /qtd setwatch /qtd /data/home/qnxuser/myfile.txt &

Examples:

The following command mounts QTD from a raw partition:

  mount -t qtd -o key=/proc/boot/ec_pub_key.pem /partition /qtd

The following command mounts QTD from an image file. In this case, QTD is used as a package container solution by mounting files that are themselves QTD images:

  mount -t qtd -o key=/proc/boot/ec_pub_key.pem qtd.img /qtd