Shared object that supports the QNX Trusted Disk feature (QNX Neutrino)
driver … qtd key=path,[cache=size], [rollback=version],[stats],[verify], [verbose=verbosity_level]… &
QNX Neutrino
The following options can be specified in any order.
The fs-qtd.so shared object provides support for the QNX Trusted Disk feature (QTD). It's loaded by devb-* drivers when mounting a QTD partition.
QTD enables integrity protection of read-only filesystem partitions through the combination of hash trees and PKI crypto signatures.
A QTD-mounted disk behaves like a block device of the size of the inner filesystem blob that it protects. Because verification of the disk contents is done on disk block access, only blocks that are accessed contribute to performance cost. QTD also boosts performance by caching the internal hash calculation, which reduces the number of hash operations while preserving the security features.
Performance is also affected by the chosen block size and the hash algorithm. The security strength of the hash function has an impact on the digest size, which in turn has an impact on the compactness of the hash tree. Performance is usually optimal if the QTD block size is equal to the block size of the protected filesystem.
For information on how to build a QTD image, see mkqfs.
By default, data that fails the integrity check is not returned to the caller. This error is reported as an EIO code which could also come from the disk driver stack. QTD alternatively reports integrity verification errors through the inotify_qnx_ext() extension as a security event. Because these events can indicate that the data has been corrupted (possibly with malicious intent), systems should listen for and act on them.
The following command is used to log inotify events such as verification errors happening to a QTD mount point. In this case, /qtd refers to the QTD mount point:
fsnotify /qtd setwatch /qtd /data/home/qnxuser/myfile.txt &
The following command mounts QTD from a raw partition:
mount -t qtd -o key=/proc/boot/ec_pub_key.pem /partition /qtd
The following command mounts QTD from an image file. In this case, QTD is used as a package container solution by mounting files that are themselves QTD images:
mount -t qtd -o key=/proc/boot/ec_pub_key.pem qtd.img /qtd