mkqfs

Runs on:

Linux, Mac, Microsoft Windows

Options:

fstype

The type of filesystem to build, extract, or verify.

-a

(Optional) Specify that if a warning is generated, the execution fails.

-f

(Optional) Force extraction to occur if the specified target folder already exists. The target folder is removed before extraction begins. Only valid when -x is used.

-h

(Optional) Print the help menu. If fstype is specified, the help menu for the specific filesystem is printed, otherwise a general help menu is printed.

-o output

A mandatory option that specifies either the output image file (when building filesystem images) or the output folder (when extracting filesystem images).

-r paths…

(Optional) A list of paths separated by a colon (:) that are searched in the given order to resolve objects (files, links, etc.) when building filesystems.

If not specified, the default search path is the QNX_TARGET environment variable value. If QNX_TARGET is not set, an error is returned.

-s

(Optional) Print statistics when building filesystems.

-v

(Optional) Print additional information when building or extracting filesystems.

This option is mostly meant for debugging or viewing progress. Specify multiple -v options to increase the verbosity.

-x

(Optional) Extract a filesystem image and dumps the contents to output.

Not all filesystems support extraction.

-y

(Optional) Verify a filesystem image.

Not all filesystems support verification.

fstype_options

A set of mandatory and optional options for the specific type of filesystem. See “Description” for information on the available options.

input_file

A mandatory option that specifies one of the following files:

• when building an image, the filesystem buildfile
• when extracting or verifying an image, the filesystem image file
• when fstype is qtd, the filesystem image that the QTD image will protect

Description:

The mkqfs utility generates QNX-supported filesystems. Each supported filesystem can be built and, optionally, verified and extracted. The utility supports the generic options described in “Options” as well as filesystem-specific ones (which always use capital letters). Specific options are available for the following filesystems:

QTD options:

-A salt

(Optional) The cryptographic salt value (hex) to use to create the filesystem. The salt length must be at least as long as the chosen digest size (see -H) and a maximum of 128 bytes.

If omitted, the salt is randomly generated.

-B size

A mandatory option that specifies the input filesystem block size, in bytes. The following blocksize values are supported: 512, 1024, 2048, 4096, 8192, 16384, 32768.

-C size

(Optional) Calculate the size of the metadata tree using the provided image size in bytes.

-H hash

A mandatory option that specifies the cryptographic digest: either sha256 or sha512.

-K key

A mandatory option that specifies either the private key (when building a QTD image) or public key (when verifying a QTD image). The key type must match the type of signature algorithm (see -S). See “QTD-supported crypto keys”.

-M

(Optional) Restrict the output to QTD metadata.

-P size

(Optional) Build the filesystem image in partition mode, which forces the QTD image to extend to the size specified by size exactly. When you build an image or use -C, the statistics output provides the maximum size of the inner, wrapped filesystem image.

This option is required when you are building a QTD image to flash to a fixed-size disk partition.

-R version

(Optional) Specify the anti-rollback version as a 64-bit, unsigned integer. When combined with the filesystem driver rollback mount option, this value configures the system to deny the mounting of a filesystem image that has a version that is lower than the value passed to the mount option. This mechanism allows you to maintain the chain of trust in a secure boot environment.

-S signature

A mandatory option that specifies the cryptographic signature algorithm. The supported signature algorithms are rsa-sha256 (PKCS#1.5 padding) and ecdsa-sha256.

-Z sign_cmd

(Optional) The custom signing command for the cryptographic signature of the QTD image. Custom signing allows you to use a custom utility that hides the private key while allowing signing to proceed. This method allows the signing operation to be done remotely through a utility you specify.

The following two tokens need to appear in the signing command. They are replaced by temporary files when the signing command is called:

• <hashfile>: The path to the file that contains the sha256 digest in binary format that needs to be signed.
• <sigfile>: The path to the file where the custom utility writes the signature in binary format.

For example, using openssl as the signing utility:

openssl pkeyutl -sign -in <hashfile> -inkey private_key.pem -out <sigfile> -pkeyopt digest:sha256

QTD-supported crypto keys

QTD supports EC and RSA keys. The private key must be in the PKCS#8 format and the public key must be in the X.509 format. All keys must use PEM encoding.

openssl genpkey -algorithm RSA -out rsa_private_key.pem -pkeyopt rsa_keygen_bits:2048
openssl pkey -in rsa_private_key.pem -pubout -out rsa_public_key.pem

openssl ecparam -name prime256v1 -param_enc explicit -no_seed -out ec_params.pem -outform PEM
openssl genpkey -paramfile ec_params.pem -out ec_private_key.pem
openssl pkey -in ec_private_key.pem -pubout -out ec_public_key.pem

Examples

The following command makes a Power-Safe filesystem image (QNX) that is less than 2MB in size:

mkxfs -t qnx6fsimg qnx6.build qnx6.img

The following command builds a QTD image. The -P option specifies an image of 2 MB exactly:

mkqfs qtd -s -vv -B 4096 -H sha256 -S ecdsa-sha256 -K ec_test_private_key.pem -P 2097152 -o
        qtd.img qnx6.img

The following command mounts the QTD image with a full disk verification:

mount -t qtd -o key=/proc/boot/ec_test_public_key.pem,stats,verbose,verify /dev/hd1 /dev/qtd-1

You can then use the following command to mount the Power-Safe filesystem image:

mount -t qnx6 /dev/qtd-1 /fs