fs-qtd.so

Updated: April 19, 2023

Shared object that supports the QNX Trusted Disk feature (QNX Neutrino)

Syntax:

driver … qtd key=path,[cache=size], [qcrypto=tag],
                  [rollback=version],[stats],[verify],
                  [verbose=verbosity_level]… &

Runs on:

QNX Neutrino

Options:

driver
Any of the devb-* drivers.

The following options can be specified in any order.

key=path
A mandatory option that specifies the filepath of the public key that verifies the QTD signature.
CAUTION:
The key cannot be located in a file provided by the same devb-* process that is used to mount the QTD partition. Like resource managers in general, devb-*-hosted filesystems cannot access files they host themselves.
cache=size
(Optional) Specify the cache size in number of tree hashes or one of the following values:
  • 0 — Disable caching.
  • max — Cache all blocks. Not recommended.
If omitted, the cache size defaults to either 5% of the total number of hash blocks or the total number of hash blocks if there are fewer than 20.
qcrypto=tag
(Optional) Forces QTD to use cryptographic algorithms provided by the QNX cryptography library (qcrypto) plugin that is identified by the specified tag. If not specified, an internal, default tag value is used to determine the plugin to use.

For more information on qcrypto and these tags, see QNX Cryptography Library in the System Security Guide.

rollback=version
(Optional) A version value to compare with the version value of the image superblock. If the version of the image superblock is less than this value, mounting fails.
stats
(Optional) Print QTD Merkle statistics on mount.
verify
(Optional) Execute a full disk verification on mount.
This option can be used to verify the full integrity of a filesystem before allowing it to be mounted.
Note: Because this option can stall the mount for a very long time if the filesystem size is large, avoid using it if speed matters.
verbose=verbosity_level
(Optional) Print additional information during driver operation.
Note: This option is usually used for debugging. If verbosity_level is omitted, the value is 1.

Description:

The fs-qtd.so shared object provides support for the QNX Trusted Disk feature (QTD). It's loaded by devb-* drivers when mounting a QTD device.

QTD is a read-only device that provides integrity protection for binary data (filesystems or otherwise) through a combination of hash trees and PKI cryptographic signatures.

A QTD-mounted disk behaves like a block device of the size of the inner filesystem blob that it protects. Because verification of the disk contents is done on disk block access, only blocks that are accessed contribute to performance cost. QTD also boosts performance by caching the internal hash calculation, which reduces the number of hash operations while preserving the security features.

Performance is also affected by the chosen block size and the hash algorithm. The security strength of the hash function has an impact on the digest size, which in turn has an impact on the compactness of the hash tree. Performance is usually optimal if the QTD block size is equal to the block size of the protected filesystem.
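
The following model illustrates the on-access verification and hash caching described above. It is an added Python example, not QNX code and not the QTD on-disk format. The 128-byte block size, SHA-256, the `MerkleDisk` class, the unbounded cache and the constructed 64-block image are assumptions, and `root` stands in for the hash that the signature protects.

```python
import errno
import hashlib

BLOCK = 128  # toy block size (assumption)
FANOUT = BLOCK // hashlib.sha256().digest_size  # digests per hash block: 4


class MerkleDisk:
    """Toy read-only device: every read is checked against a trusted root."""
    def __init__(self, blocks):
        self.blocks = list(blocks)  # untrusted data blocks
        self.levels = [[hashlib.sha256(b).digest() for b in self.blocks]]
        while len(self.levels[-1]) > FANOUT:  # untrusted hash blocks, per level
            cur = self.levels[-1]
            self.levels.append([hashlib.sha256(b"".join(cur[j:j + FANOUT])).digest()
                                for j in range(0, len(cur), FANOUT)])
        self.root = hashlib.sha256(b"".join(self.levels[-1])).digest()  # trusted
        self.cache = {}  # (level, group) -> verified copy of that hash block
        self.hash_ops = 0

    def _h(self, data):
        self.hash_ops += 1
        return hashlib.sha256(data).digest()

    def read(self, i):
        digest, idx, pending = self._h(self.blocks[i]), i, {}
        for level, stored in enumerate(self.levels):
            group, slot = divmod(idx, FANOUT)
            trusted = self.cache.get((level, group))
            node = trusted or stored[group * FANOUT:(group + 1) * FANOUT]
            if node[slot] != digest:
                raise OSError(errno.EIO, "integrity check failed")
            if trusted:  # remainder of the path was verified on an earlier read
                break
            pending[(level, group)] = node
            digest, idx = self._h(b"".join(node)), group
        else:
            if digest != self.root:
                raise OSError(errno.EIO, "integrity check failed")
        self.cache.update(pending)  # cache only after the whole path checks out
        return self.blocks[i]


def demo():
    disk = MerkleDisk([bytes([n]) * BLOCK for n in range(64)])  # constructed image
    ops = []
    for i in (0, 1, 5):  # cold path, cached sibling, partly cached path
        disk.read(i)
        ops.append(disk.hash_ops)
    return ops  # cumulative hash operations: [4, 5, 7]
```

The first read hashes the data block and three hash blocks up to the root; the sibling block then costs a single hash. Because the cache holds verified copies rather than flags, a digest rewritten on disk after verification still fails the check.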

You can use QTD as a package container solution by mounting files that are themselves QTD images (see the example below).

This program uses the QNX Cryptography Library (qcrypto) for cryptography services.

For information on how to build a QTD image, see mkqfs.

Capturing integrity verification errors

By default, data that fails the integrity check is not returned to the caller. The failure is reported as an EIO error code, which could also come from the disk driver stack. As an alternative, QTD reports integrity verification errors through the inotify_qnx_ext() extension as a security event. Because these events can indicate that the data has been corrupted (possibly with malicious intent), systems should listen for and act on them.

Examples:

The following command mounts QTD from a raw partition:

  mount -t qtd -o key=/proc/boot/ec_pub_key.pem /partition /qtd

The following command mounts QTD from an image file. In this case, QTD is used as a package container solution by mounting files that are themselves QTD images:

  mount -t qtd -o key=/proc/boot/ec_pub_key.pem qtd.img /qtd