Build and verify a Merkle filesystem image
To build a Merkle filesystem:
mkmerklefs -b block_size -h hash [-k hash_block_size] [-o output_image] [-p] [-s salt] -t fstype [-v] [-y private_key] [-z sign_cmd] filesystem_image
To verify a Merkle filesystem:
mkmerklefs [-v] -x -t fstype -y public_key filesystem_image
To calculate Merkle filesystem overhead:
mkmerklefs -c -C size filesystem_image
QNX Neutrino, Linux, Mac, Microsoft Windows
Use sign_cmd for custom signing. Custom signing means using a custom utility that hides the private key while allowing signing to proceed. This method allows the signing operation to be done remotely through a utility. Because the key is implicit with -z, you do not need to specify it with the -y option.
The following two tokens need to appear in the signing command. They are replaced by the paths of temporary files when the signing command is called:
<hashfile>: The path to a file containing the sha256 digest in binary format that needs to be signed.
<sigfile>: The path to a file where the custom utility writes the signature in binary format.
For example:
openssl pkeyutl -sign -in <hashfile> -inkey private_key.pem -out <sigfile> -pkeyopt digest:sha256
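As an added example (not part of the QNX documentation), here is a wrapper that could serve as the sign_cmd. It checks that <hashfile> holds a 32-byte SHA-256 digest, signs it with the openssl call shown above, and verifies the signature before writing <sigfile>. The script name sign_digest.sh, the function sign_digest, and the SIGN_KEY and SIGN_PUB environment variables are assumptions. A remote signer would replace the local signing call.

```shell
#!/bin/sh
# Hypothetical wrapper to name in the -z sign_cmd, for example:
#   sign_digest.sh <hashfile> <sigfile>
# SIGN_KEY / SIGN_PUB are assumed environment variables holding PEM key paths.

sign_digest() {
    hashfile=$1
    sigfile=$2

    [ -f "$hashfile" ] || { echo "hash file not found" >&2; return 2; }

    # A binary SHA-256 digest is exactly 32 bytes; refuse to sign anything else.
    size=$(wc -c < "$hashfile" | tr -d ' ')
    [ "$size" -eq 32 ] || { echo "expected 32-byte digest, got $size" >&2; return 3; }

    # Sign into a scratch file so a bad signature never reaches <sigfile>.
    tmpsig=$(mktemp) || return 4
    if ! openssl pkeyutl -sign -in "$hashfile" -inkey "$SIGN_KEY" \
            -out "$tmpsig" -pkeyopt digest:sha256; then
        rm -f "$tmpsig"
        return 5
    fi

    # Check the signature against the public key that will later be used for
    # verification, which catches a mismatched key pair at build time.
    if ! openssl pkeyutl -verify -pubin -inkey "$SIGN_PUB" -in "$hashfile" \
            -sigfile "$tmpsig" -pkeyopt digest:sha256 >/dev/null 2>&1; then
        echo "signature does not verify with $SIGN_PUB" >&2
        rm -f "$tmpsig"
        return 6
    fi

    cat "$tmpsig" > "$sigfile" && rm -f "$tmpsig"
}

# Run as a script only when called with both token arguments.
if [ "$#" -eq 2 ]; then
    sign_digest "$1" "$2"
fi
```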
The mkmerklefs utility builds a Merkle filesystem by taking as input the original filesystem image (for example, a Power-Safe image that has been created with tools for filesystem building) and generating metadata which is appended to the original filesystem image. This step is usually done offline on a host build machine.
QNX recommends that you replace Merkle filesystems with QNX Trusted Disk (see QNX Trusted Disk in the System Architecture reference).
The metadata is cryptographically signed using the private part of a key pair (see the Merkle filesystem in the System Architecture reference for additional details on keys).
Once built, the Merkle filesystem image contains both the original filesystem and the Merkle metadata. How this image is flashed or loaded is device-specific.
Refer to fsf-merkle.so in the Utilities Reference for details on how to mount a Merkle filesystem.
To build a Merkle image:
mkmerklefs -p -b 4096 -t qnx6 -h sha256 -y private_key.pem -o merkle.img fs.img
To verify a Merkle image:
mkmerklefs -x -t qnx6 -y public_key.pem merkle.img