mkqfs

Build QNX-supported filesystems

Syntax:

Build an image:

mkqfs fstype [-a] -o output [-r paths…] [-s] [-v] fstype_options input_file

Extract an image:

mkqfs fstype [-a] [-f] -o output [-v] [-x] fstype_options input_file

Verify an image:

mkqfs fstype [-a] [-v] [-y] fstype_options input_file

Print general help:

mkqfs -h

Print help for a specified filesystem:

mkqfs fstype -h

Runs on:

Linux, Mac, Microsoft Windows

Options:

fstype
The type of filesystem to build, extract, or verify.
-a
(Optional) Treat warnings as errors: if a warning is generated, the execution fails.
-f
(Optional) Force extraction to occur if the specified target folder already exists. The target folder is removed before extraction begins. Only valid when -x is used.
-h
(Optional) Print the help menu. If fstype is specified, the help menu for the specific filesystem is printed, otherwise a general help menu is printed.
-o output
A mandatory option that specifies either the output image file (when building filesystem images) or the output folder (when extracting filesystem images).
-r paths…
(Optional) A list of paths separated by a colon (:) that are searched in the given order to resolve objects (files, links, etc.) when building filesystems.
If not specified, the default search path is the QNX_TARGET environment variable value. If QNX_TARGET is not set, an error is returned.
-s
(Optional) Print statistics when building filesystems.
-v
(Optional) Print additional information when building or extracting filesystems.
This option is mostly meant for debugging or viewing progress. Specify multiple -v options to increase the verbosity.
-x
(Optional) Extract a filesystem image and dump the contents to output.
Not all filesystems support extraction.
-y
(Optional) Verify a filesystem image.
Not all filesystems support verification.
fstype_options
A set of mandatory and optional options for the specific type of filesystem. See “Description” for information on the available options.
input_file
A mandatory option that specifies one of the following files:
  • when building an image, the filesystem buildfile
  • when extracting or verifying an image, the filesystem image file
  • when fstype is qtd, the filesystem image that the QTD image will protect

Description:

The mkqfs utility generates QNX-supported filesystems. Each supported filesystem can be built and, optionally, verified and extracted. The utility supports the generic options described in “Options” as well as filesystem-specific ones (which always use capital letters). Specific options are available for the following filesystems:

fstype    See:
qtd       QTD options

QTD options:

-A salt
(Optional) The cryptographic salt value (hex) to use to create the filesystem. The salt must be at least as long as the chosen digest size (see -H) and at most 128 bytes.

If omitted, the salt is randomly generated.

-B size
A mandatory option that specifies the input filesystem block size, in bytes. The following block size values are supported: 512, 1024, 2048, 4096, 8192, 16384, 32768.
-C size
(Optional) Calculate the size of the metadata tree using the provided image size in bytes.
-H hash
A mandatory option that specifies the cryptographic digest: either sha256 or sha512.
-K key
A mandatory option that specifies either the private key (when building a QTD image) or public key (when verifying a QTD image). The key type must match the type of signature algorithm (see -S). See QTD-supported crypto keys.
-M
(Optional) Restrict the output to QTD metadata.
-P size
(Optional) Build the filesystem image in partition mode, which forces the QTD image to extend to exactly the size specified by size. When you build an image or use -C, the statistics output provides the maximum size of the inner, wrapped filesystem image.

This option is required when you are building a QTD image to flash to a fixed-size disk partition.

-R version
(Optional) Specify the anti-rollback version as a 64-bit, unsigned integer. When combined with the filesystem driver rollback mount option, this value configures the system to deny the mounting of a filesystem image that has a version that is lower than the value passed to the mount option. This mechanism allows you to maintain the chain of trust in a secure boot environment.
-S signature
A mandatory option that specifies the cryptographic signature algorithm. The supported signature algorithms are rsa-sha256 (PKCS#1 v1.5 padding) and ecdsa-sha256.
-Z sign_cmd
(Optional) The custom signing command for the cryptographic signature of the QTD image. Custom signing allows you to use a custom utility that hides the private key while allowing signing to proceed. This method allows the signing operation to be done remotely through a utility you specify.

The following two tokens need to appear in the signing command. They are replaced by temporary files when the signing command is called:

  • <hashfile>: The path to the file that contains the sha256 digest in binary format that needs to be signed.
  • <sigfile>: The path to the file where the custom utility writes the signature in binary format.
For example, using openssl as the signing utility:
openssl pkeyutl -sign -in <hashfile> -inkey private_key.pem -out <sigfile> -pkeyopt digest:sha256
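
A wrapper that could stand in for the bare openssl call in a -Z signing command, as an added example that is not part of the QNX documentation. It refuses a digest file that is not 32 bytes, signs it, and verifies the signature against the public key before writing it out. The names qtd_sign, QTD_SIGN_KEY and QTD_VERIFY_KEY, the default key paths, and passing the two tokens as positional arguments are assumptions.

```shell
#!/bin/sh
# Added example: wrapper intended for use as a -Z sign_cmd.
# Assumed names (not QNX identifiers): qtd_sign, QTD_SIGN_KEY, QTD_VERIFY_KEY.

# qtd_sign HASHFILE SIGFILE
#   HASHFILE  binary sha256 digest to sign (the <hashfile> token)
#   SIGFILE   destination for the binary signature (the <sigfile> token)
qtd_sign() {
    hashfile=$1
    sigfile=$2
    key=${QTD_SIGN_KEY:-private_key.pem}
    pub=${QTD_VERIFY_KEY:-public_key.pem}

    [ -f "$hashfile" ] || { echo "qtd_sign: digest file not found" >&2; return 2; }

    # A sha256 digest is exactly 32 bytes; refuse to sign anything else.
    size=$(wc -c < "$hashfile" | tr -d ' ')
    [ "$size" -eq 32 ] || { echo "qtd_sign: $size bytes, expected 32" >&2; return 3; }

    # Sign into a scratch file so a failure never leaves a partial signature.
    tmp=$(mktemp) || return 4
    if ! openssl pkeyutl -sign -in "$hashfile" -inkey "$key" \
            -out "$tmp" -pkeyopt digest:sha256 2>/dev/null; then
        rm -f "$tmp"
        return 5
    fi

    # Check the result against the public key that verification will use,
    # which catches a wrong or stale signing key at build time.
    if ! openssl pkeyutl -verify -pubin -inkey "$pub" -in "$hashfile" \
            -sigfile "$tmp" -pkeyopt digest:sha256 >/dev/null 2>&1; then
        rm -f "$tmp"
        return 6
    fi

    cat "$tmp" > "$sigfile" && rm -f "$tmp"
}

# Run as a script (file name assumed): sh qtd_sign.sh <hashfile> <sigfile>
if [ "$#" -eq 2 ]; then
    qtd_sign "$1" "$2"
fi
```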

QTD-supported crypto keys

QTD supports EC and RSA keys. The private key must be in the PKCS#8 format and the public key must be in the X.509 format. All keys must use PEM encoding.

Generate an RSA key:
openssl genpkey -algorithm RSA -out rsa_private_key.pem -pkeyopt rsa_keygen_bits:2048
openssl pkey -in rsa_private_key.pem -pubout -out rsa_public_key.pem
Generate an EC key:
openssl ecparam -name prime256v1 -param_enc explicit -no_seed -out ec_params.pem -outform PEM
openssl genpkey -paramfile ec_params.pem -out ec_private_key.pem
openssl pkey -in ec_private_key.pem -pubout -out ec_public_key.pem
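
Pre-flight checks for the -A salt length rule and the key formats described above, as an added example that is not part of the QNX documentation. The function names qtd_check_salt and qtd_key_format and the labels they print are assumptions; the checks only enforce the constraints stated on this page.

```shell
#!/bin/sh
# Added example: pre-flight checks for "mkqfs qtd" inputs, based on the
# constraints stated for -A, -H and -K. Function names are assumptions.

# qtd_check_salt HASH SALT_HEX -> 0 if the salt satisfies the -A length rule
qtd_check_salt() {
    case $1 in
        sha256) min=32 ;;
        sha512) min=64 ;;
        *) echo "unsupported digest: $1" >&2; return 2 ;;
    esac
    # Hex digits only, and an even count so the value is whole bytes
    case $2 in
        ''|*[!0-9a-fA-F]*) echo "salt is not hex" >&2; return 3 ;;
    esac
    digits=${#2}
    [ $((digits % 2)) -eq 0 ] || { echo "odd number of hex digits" >&2; return 3; }
    bytes=$((digits / 2))
    [ "$bytes" -ge "$min" ] || { echo "salt: $bytes bytes < digest size $min" >&2; return 4; }
    [ "$bytes" -le 128 ]    || { echo "salt: $bytes bytes > 128" >&2; return 5; }
}

# qtd_key_format FILE -> prints the PEM container type found in FILE
#   pkcs8-private   "BEGIN PRIVATE KEY"        (PKCS#8, for -K when building)
#   x509-public     "BEGIN PUBLIC KEY"         (X.509, for -K when verifying)
#   legacy-private  "BEGIN RSA/EC PRIVATE KEY" (not PKCS#8; convert first)
qtd_key_format() {
    if grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; then echo pkcs8-private
    elif grep -q -- '-----BEGIN PUBLIC KEY-----' "$1"; then echo x509-public
    elif grep -Eq -- '-----BEGIN (RSA|EC) PRIVATE KEY-----' "$1"; then echo legacy-private
    elif grep -q -- '-----BEGIN ' "$1"; then echo other-pem
    else echo not-pem; return 1
    fi
}
```

A legacy-private key can be rewritten as PKCS#8 with openssl pkcs8 -topk8 -nocrypt before it is passed to -K.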

Examples

The following command makes a Power-Safe filesystem image (QNX) that is less than 2 MB in size:

mkxfs -t qnx6fsimg qnx6.build qnx6.img

The following command builds a QTD image. The -P option specifies an image of 2 MB exactly:

mkqfs qtd -s -vv -B 4096 -H sha256 -S ecdsa-sha256 -K ec_test_private_key.pem -P 2097152 -o qtd.img qnx6.img

The following command mounts the QTD image with a full disk verification:

mount -t qtd -o key=/proc/boot/ec_test_public_key.pem,stats,verbose,verify /dev/hd1 /dev/qtd-1

You can then use the following command to mount the Power-Safe filesystem image:

mount -t qnx6 /dev/qtd-1 /fs