Updated: October 28, 2024
Shared object that supports the QNX Trusted Disk feature (QNX Neutrino)
driver … qtd key=path,[cache=size],[qcrypto=tag],[rollback=version],[stats],[verify],[verbose=verbosity_level] … &
QNX Neutrino
The following options can be specified in any order.
For more information on qcrypto and these tags, see QNX Cryptography Library in the System Security Guide.
The fs-qtd.so shared object provides support for the QNX Trusted Disk feature (QTD). It's loaded by devb-* drivers when mounting a QTD device.
QTD is a read-only block device that provides integrity protection for arbitrary binary data, most often a filesystem image, by combining a hash tree over the data with a PKI signature over the tree's root.
A QTD-mounted disk behaves like a block device whose size is that of the inner filesystem image it protects. Verification happens on each block access, so only the blocks that are actually read contribute to the performance cost. QTD also caches the results of its internal hash calculations, which reduces the number of hash operations on later accesses without weakening the integrity check.
Performance is also affected by the chosen block size and hash algorithm. A stronger hash function usually produces a larger digest, and a larger digest makes the hash tree less compact. Performance is usually best when the QTD block size equals the block size of the protected filesystem.
You can use QTD as a package container solution by mounting files that are themselves QTD images (see the example below).
This program uses the QNX Cryptography Library (qcrypto) for cryptography services.
For information on how to build a QTD image, see mkqfs.
By default, data that fails the integrity check is not returned to the caller: the read fails with EIO. Because EIO is also what a genuine I/O failure in the disk driver stack returns, the error code alone doesn't tell the caller whether the medium failed or the data was altered. QTD therefore also reports integrity verification failures through the inotify_qnx_ext() extension as a security event. Because such an event can indicate that the data has been corrupted, possibly with malicious intent, systems should listen for these events and act on them.
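The behaviour described above (hash tree plus signed root, verification on block access, caching of already-verified hash-tree nodes, and EIO plus a security event on failure) modelled in Python, as an added example that is not part of QNX's fs-qtd.so or of the mkqfs image format. Assumptions: SHA-256 for every digest, siblings hashed left || right with an odd level's last node duplicated, and an HMAC over the root standing in for the EC signature that a real QTD image carries (chosen only so the example runs on the standard library). The sample image is constructed inline.

```python
import errno
import hashlib
import hmac
from typing import List, Set, Tuple

DIGEST = hashlib.sha256
EIO = errno.EIO


class IntegrityError(OSError):
    """A block failed verification. Surfaced to the caller as EIO, as the page describes."""

    def __init__(self, block_no: int, reason: str):
        super().__init__(EIO, f"block {block_no}: {reason}")
        self.block_no = block_no


def build_tree(image: bytes, block_size: int) -> List[List[bytes]]:
    """Hash tree over fixed-size blocks (assumed layout, not the mkqfs format).

    levels[0] holds the leaf digests, levels[-1] the single root. Siblings are
    hashed left || right; an odd-length level duplicates its last node."""
    nblocks = (len(image) + block_size - 1) // block_size
    level = [DIGEST(image[i * block_size:(i + 1) * block_size]).digest() for i in range(nblocks)]
    levels = [level]
    while len(level) > 1:
        padded = level + [level[-1]] if len(level) % 2 else level
        level = [DIGEST(padded[i] + padded[i + 1]).digest() for i in range(0, len(padded), 2)]
        levels.append(level)
    return levels


def sign_root(root: bytes, key: bytes) -> bytes:
    """Stand-in for the EC signature over the root: an HMAC with a shared key (assumption)."""
    return hmac.new(key, root, DIGEST).digest()


class QtdDevice:
    """Read-only block device that verifies every block it returns against the signed root."""

    def __init__(self, image: bytes, tree: List[List[bytes]], signature: bytes,
                 key: bytes, block_size: int):
        if not hmac.compare_digest(sign_root(tree[-1][0], key), signature):
            raise IntegrityError(-1, "root signature does not verify; refusing to mount")
        self.image, self.tree, self.block_size = image, tree, block_size
        # Cache of tree nodes already proven good. Only the root is trusted at mount time.
        self.verified: Set[Tuple[int, int]] = {(len(tree) - 1, 0)}
        self.hash_ops = 0            # counts digest computations, to show the cache at work
        self.events: List[str] = []  # security events, in the role of inotify_qnx_ext()

    def _digest(self, data: bytes) -> bytes:
        self.hash_ops += 1
        return DIGEST(data).digest()

    def read_block(self, n: int) -> bytes:
        """Return block n, or raise IntegrityError (EIO) and record a security event."""
        block = self.image[n * self.block_size:(n + 1) * self.block_size]
        if not block:
            raise IndexError(f"block {n} is past the end of the device")
        node, idx, path = self._digest(block), n, []
        for level in range(len(self.tree)):
            if (level, idx) in self.verified:
                # Reached a node already proven good: the hash recomputed from the data
                # must match it, otherwise the data or the tree below it was altered.
                if not hmac.compare_digest(node, self.tree[level][idx]):
                    self.events.append(f"integrity violation at block {n}")
                    raise IntegrityError(n, "hash mismatch")
                self.verified.update(path)  # the whole path is now known good
                return block
            path.append((level, idx))
            siblings = self.tree[level]
            sib = idx ^ 1
            sibling = siblings[sib] if sib < len(siblings) else node  # duplicated last node
            node = self._digest(node + sibling if idx % 2 == 0 else sibling + node)
            idx //= 2
        raise AssertionError("unreachable: the root is always in the verified set")


# Constructed sample image: four 4 KiB blocks, each filled with a different byte.
BLOCK_SIZE = 4096
IMAGE = b"".join(bytes([0x41 + i]) * BLOCK_SIZE for i in range(4))
KEY = b"verification-key-held-by-the-image-builder"  # assumption, see sign_root()
TREE = build_tree(IMAGE, BLOCK_SIZE)
SIGNATURE = sign_root(TREE[-1][0], KEY)


def corrupt(image: bytes, block_no: int, offset: int) -> bytes:
    """Flip one bit on the medium, as a failing disk or an attacker without the key would."""
    buf = bytearray(image)
    buf[block_no * BLOCK_SIZE + offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    dev = QtdDevice(IMAGE, TREE, SIGNATURE, KEY, BLOCK_SIZE)
    dev.read_block(0)
    dev.read_block(0)
    print("hash ops for block 0 read twice:", dev.hash_ops)  # 4: three for the first read, one for the second
    tampered = QtdDevice(corrupt(IMAGE, 2, 7), TREE, SIGNATURE, KEY, BLOCK_SIZE)
    try:
        tampered.read_block(2)
    except IntegrityError as e:
        print("read failed:", e, "| events:", tampered.events)
```

Two things the model makes visible: a second read of an already-verified block costs a single hash, and reading a sibling of a verified block costs two, which is the effect the page attributes to the hash cache; and an attacker who rewrites a block and rebuilds the tree consistently still cannot get the image mounted, because the root no longer matches the signature. A corruption that leaves the tree untouched is caught on the first access to the affected block, surfaces as EIO, and leaves an event behind that the untouched blocks' successful reads do not.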
The following command mounts QTD from a raw partition:
mount -t qtd -o key=/proc/boot/ec_pub_key.pem /partition /qtd
The following command mounts QTD from an image file. In this case, QTD is used as a package container solution by mounting files that are themselves QTD images:
mount -t qtd -o key=/proc/boot/ec_pub_key.pem qtd.img /qtd