Build QNX-supported filesystems
Syntax:
Build an image:
mkqfs fstype [-a] -o output [-r paths…] [-s] [-v] fstype_options input_file
Extract an image:
mkqfs fstype [-a] [-f] -o output [-v] [-x] fstype_options input_file
Verify an image:
mkqfs fstype [-a] [-v] [-y] fstype_options input_file
Print general help:
mkqfs -h
Print help for a specified filesystem:
mkqfs fstype -h
Runs on:
Linux, Mac, Microsoft Windows
Options:
- fstype
- The type of filesystem to build, extract, or verify.
- -a
- (Optional) Treat warnings as errors: if a warning is generated, the execution fails.
- -f
- (Optional) Force extraction to occur if the specified target folder already exists. The
target folder is removed before extraction begins. Only valid when
-x is used.
- -h
- (Optional) Print the help menu. If fstype is specified, the help menu
for the specific filesystem is printed, otherwise a general help menu is
printed.
- -o output
- A mandatory option that specifies either the output image file (when
building filesystem images) or the output folder (when extracting filesystem
images).
- -r paths…
- (Optional) A list of paths separated by a colon (:) that are searched in the given order to
resolve objects (files, links, etc.) when building filesystems.
- If not specified, the default search path is the QNX_TARGET
environment variable value. If QNX_TARGET is not set, an
error is returned.
- -s
- (Optional) Print statistics when building filesystems.
- -v
- (Optional) Print additional information when building or extracting filesystems.
- This option is mostly meant for debugging or viewing progress. Specify multiple
-v options to increase the verbosity.
- -x
- (Optional) Extract a filesystem image and dump the contents to
output.
- Not all filesystems support extraction.
- -y
- (Optional) Verify a filesystem image.
- Not all filesystems support verification.
- fstype_options
- A set of mandatory and optional options for the specific type of filesystem. See
Description for information on the available options.
- input_file
- A mandatory option that specifies one of the following files:
- when building an image, the filesystem buildfile
- when extracting or verifying an image, the filesystem image
file
- when fstype is qtd, the filesystem image
that the QTD image will protect
Description:
The mkqfs utility generates QNX-supported filesystems. Each supported
filesystem can be built and, optionally, verified and extracted. The utility
supports the generic options described in Options as well as
filesystem-specific ones (which always use capital letters). Specific options are
available for the following filesystems:
QTD options:
- -A salt
- (Optional) The cryptographic salt value (hex) to use to create the filesystem. The salt length
must be at least as long as the chosen digest size (see -H)
and a maximum of 128 bytes.
- If omitted, the salt is randomly generated.
- -B size
- A mandatory option that specifies the input filesystem block size, in bytes. The following
block size values are supported: 512, 1024, 2048, 4096, 8192, 16384,
32768.
- -C size
- (Optional) Calculate the size of the metadata tree using the provided image
size in bytes.
- -H hash
- A mandatory option that specifies the cryptographic digest: either sha256 or sha512.
- -K key
- A mandatory option that specifies either the private key (when building a QTD image) or public
key (when verifying a QTD image). The key type must match the type of
signature algorithm (see -S). See QTD-supported crypto
keys.
- -M
- (Optional) Restrict the output to QTD metadata.
- -P size
- (Optional) Build the filesystem image in partition mode, which forces the QTD image to extend to
exactly the size specified by size. When you build an
image or use -C, the statistics output provides the maximum
size of the inner, wrapped filesystem image.
- This option is required when you are building a QTD image to flash to a fixed-size disk
partition.
- -R version
- (Optional) Specify the anti-rollback version as a 64-bit, unsigned integer. When combined with
the filesystem driver rollback mount option, this value
configures the system to deny the mounting of a filesystem image that has a
version that is lower than the value passed to the mount option. This
mechanism allows you to maintain the chain of trust in a secure boot
environment.
- -S signature
- A mandatory option that specifies the cryptographic signature algorithm. The supported signature
algorithms are rsa-sha256 (PKCS #1 v1.5 padding) and ecdsa-sha256.
- -Z sign_cmd
- (Optional) The custom signing command for the cryptographic signature of the QTD image. Custom
signing allows you to use a custom utility that hides the private key while
allowing signing to proceed. This method allows the signing operation to be
done remotely through a utility you specify.
- Both of the following tokens must appear in the signing command. When the signing command
is called, they are replaced by the paths of temporary files:
- <hashfile>: The path to the file that contains the sha256 digest in binary format
that needs to be signed.
- <sigfile>: The path to the file where the custom utility writes the signature in
binary format.
- For example, using openssl as the signing utility:
openssl pkeyutl -sign -in <hashfile> -inkey private_key.pem -out <sigfile> -pkeyopt digest:sha256
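A wrapper script that could serve as the -Z signing command, shown as an added example that is not part of the QNX documentation: it checks that <hashfile> is a 32-byte digest, signs it, and confirms the signature verifies under the public key before writing <sigfile>. The qtd_sign name and the QTD_SIGN_KEY and QTD_VERIFY_KEY variables are assumptions of this example, and the local openssl call stands in for an HSM or remote signer.

```shell
#!/bin/sh
# Added example: signing wrapper for mkqfs -Z (not QNX code).
# QTD_SIGN_KEY / QTD_VERIFY_KEY are hypothetical variables naming the PEM
# private key and its matching public key. Replace the "openssl pkeyutl -sign"
# call with an HSM or remote-signer client to keep the key off the build host.

qtd_sign() {
    hashfile=$1
    sigfile=$2

    # Refuse to run without both halves of the key pair.
    [ -n "$QTD_SIGN_KEY" ] && [ -r "$QTD_SIGN_KEY" ] ||
        { echo "qtd_sign: private key not readable" >&2; return 2; }
    [ -n "$QTD_VERIFY_KEY" ] && [ -r "$QTD_VERIFY_KEY" ] ||
        { echo "qtd_sign: public key not readable" >&2; return 2; }

    # The page says <hashfile> holds a binary sha256 digest: exactly 32 bytes.
    [ -f "$hashfile" ] || { echo "qtd_sign: no hash file" >&2; return 3; }
    size=$(wc -c < "$hashfile" | tr -d ' ')
    [ "$size" -eq 32 ] ||
        { echo "qtd_sign: expected 32 bytes, got $size" >&2; return 3; }

    # Sign into a scratch file, then check the signature against the public
    # key that will be deployed on the target before handing it to mkqfs.
    tmp=$(mktemp) || return 4
    if openssl pkeyutl -sign -in "$hashfile" -inkey "$QTD_SIGN_KEY" \
            -out "$tmp" -pkeyopt digest:sha256 &&
       openssl pkeyutl -verify -pubin -inkey "$QTD_VERIFY_KEY" \
            -in "$hashfile" -sigfile "$tmp" -pkeyopt digest:sha256 >/dev/null
    then
        cat "$tmp" > "$sigfile"
        rc=$?
    else
        echo "qtd_sign: signing or self-verification failed" >&2
        rc=4
    fi
    rm -f "$tmp"
    return "$rc"
}

# Script entry point: mkqfs substitutes the two temporary file paths.
if [ "$#" -eq 2 ]; then
    qtd_sign "$1" "$2"
fi
```

Assuming the script is saved as qtd_sign.sh, the option would be passed as -Z "sh qtd_sign.sh <hashfile> <sigfile>", quoted so that the shell does not treat the tokens as redirections.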
QTD-supported crypto keys
QTD supports EC and RSA keys. The private key must be in the PKCS#8 format and the public key
must be in the X.509 format. All keys must use PEM encoding.
Generate an RSA key:
openssl genpkey -algorithm RSA -out rsa_private_key.pem -pkeyopt rsa_keygen_bits:2048
openssl pkey -in rsa_private_key.pem -pubout -out rsa_public_key.pem
Generate an EC key:
openssl ecparam -name prime256v1 -param_enc explicit -no_seed -out ec_params.pem -outform PEM
openssl genpkey -paramfile ec_params.pem -out ec_private_key.pem
openssl pkey -in ec_private_key.pem -pubout -out ec_public_key.pem
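A quick check for the key format requirement above, as an added example that is not part of the QNX documentation: it reads the PEM armor line to tell PKCS#8 and X.509 keys from the traditional RSA/EC encodings that other OpenSSL commands can emit. The function names and the printed labels are chosen for this example.

```shell
#!/bin/sh
# Added example (not QNX code): classify a key file by its PEM armor line.
# The format names printed are labels chosen for this example.

qtd_key_format() {
    [ -r "$1" ] || { echo unreadable; return 0; }
    # Files from "openssl ecparam -genkey" start with an EC PARAMETERS block;
    # skip it so the key block that follows is the one classified.
    header=$(grep -e '^-----BEGIN ' "$1" | grep -v 'EC PARAMETERS' |
             head -n 1 | tr -d '\r')
    case $header in
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8-private ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        '-----BEGIN RSA PRIVATE KEY-----')       echo traditional-rsa ;;
        '-----BEGIN EC PRIVATE KEY-----')        echo traditional-ec ;;
        '-----BEGIN PUBLIC KEY-----')            echo x509-public ;;
        '-----BEGIN RSA PUBLIC KEY-----')        echo pkcs1-public ;;
        '')                                      echo not-pem ;;
        *)                                       echo other-pem ;;
    esac
}

# qtd_key_ok ROLE FILE: ROLE is "private" (building) or "public" (verifying).
qtd_key_ok() {
    fmt=$(qtd_key_format "$2")
    case "$1:$fmt" in
        private:pkcs8-private|public:x509-public)
            return 0 ;;
        private:traditional-*)
            echo "$2: $fmt; convert with: openssl pkcs8 -topk8 -nocrypt -in $2 -out $2.p8" >&2 ;;
        public:pkcs1-public)
            echo "$2: $fmt; convert with: openssl rsa -RSAPublicKey_in -in $2 -pubout -out $2.spki" >&2 ;;
        private:pkcs8-encrypted)
            # Assumption: the page does not say whether mkqfs accepts
            # passphrase-protected keys, so this check is conservative.
            echo "$2: encrypted PKCS#8; not covered by the page" >&2 ;;
        *)
            echo "$2: $fmt is not a $1 key in the required format" >&2 ;;
    esac
    return 1
}
```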
Examples
The following command makes a Power-Safe filesystem image (QNX) that is less than 2 MB in size:
mkxfs -t qnx6fsimg qnx6.build qnx6.img
The following command builds a QTD image. The -P option specifies an image
of 2 MB exactly:
mkqfs qtd -s -vv -B 4096 -H sha256 -S ecdsa-sha256 -K ec_test_private_key.pem -P 2097152 -o qtd.img qnx6.img
The following command mounts the QTD image with a full disk verification:
mount -t qtd -o key=/proc/boot/ec_test_public_key.pem,stats,verbose,verify /dev/hd1 /dev/qtd-1
You can then use the following command to mount the Power-Safe filesystem image:
mount -t qnx6 /dev/qtd-1 /fs