Updated: April 19, 2023

Build QNX-supported filesystems


Build an image:

mkqfs fstype [-a] -o output [-r paths…] [-s] [-v] fstype_options input_file

Extract an image:

mkqfs fstype [-a] [-f] -o output [-v] [-x] fstype_options input_file

Verify an image:

mkqfs fstype [-a] [-v] [-y] fstype_options input_file

Print general help:

mkqfs -h

Print help for a specified filesystem:

mkqfs fstype -h

Runs on:

Linux, Mac, Microsoft Windows


The type of filesystem to build, extract, or verify.
(Optional) Specify that if a warning is generated, the execution fails.
(Optional) Force extraction to occur if the specified target folder already exists. The target folder is removed before extraction begins. Only valid when -x is used.
(Optional) Print the help menu. If fstype is specified, the help menu for the specific filesystem is printed, otherwise a general help menu is printed.
-o output
A mandatory option that specifies either the output image file (when building filesystem images) or the output folder (when extracting filesystem images).
-r paths…
(Optional) A list of paths separated by a colon (:) that are searched in the given order to resolve objects (files, links, etc.) when building filesystems.
If not specified, the default search path is the QNX_TARGET environment variable value. If QNX_TARGET is not set, an error is returned.
(Optional) Print statistics when building filesystems.
(Optional) Print additional information when building or extracting filesystems.
This option is mostly meant for debugging or viewing progress. Specify multiple -v options to increase the verbosity.
(Optional) Extract a filesystem image and dumps the contents to output.
Not all filesystems support extraction.
(Optional) Verify a filesystem image.
Not all filesystems support verification.
A set of mandatory and optional options for the specific type of filesystem. See “Description” for information on the available options.
A mandatory option that specifies one of the following files:
  • when building an image, the filesystem buildfile
  • when extracting or verifying an image, the filesystem image file
  • when fstype is qtd, the filesystem image that the QTD image will protect


The mkqfs utility generates QNX-supported filesystems. Each supported filesystem can be built and, optionally, verified and extracted. The utility supports the generic options described in “Options” as well as filesystem-specific ones (which always use capital letters). Specific options are available for the following filesystems:

fstype See:
qtd QTD options

License checking

The mkqfs utility checks for a valid QNX license key before performing any operation. If the license check fails, the utility stops running and displays a diagnostic message. A license check may fail if the license key is expired, missing, or not currently activated, or if the key doesn’t contain the permissions needed to run the utility.

QTD options:

-A salt
(Optional) The cryptographic salt value (hex) to use to create the filesystem. The salt length must be at least as long as the chosen digest size (see -H) and a maximum of 128 bytes.

If omitted, the salt is randomly generated.

-B size
A mandatory option that specifies, in bytes, the chunk size to use when splitting the source image into chunks to hash. If the source image is a filesystem, use a size that is equal to or greater than the block size that the filesystem uses. Valid values are: 512, 1024, 2048, 4096, 8192, 16384, 32768.
-C size
(Optional) Calculate the size of the metadata tree using the provided image size in bytes.
-H hash
A mandatory option that specifies the cryptographic digest. Supported digests: sha256, sha512, sha512-256, blake2s256, blake2b256, blake2b512, and blake3.
-K key
A mandatory option that specifies either the private key (when building a QTD image) or public key (when verifying a QTD image). The key type must match the type of signature algorithm (see -S). See QTD-supported crypto keys.
(Optional) Restrict the output to QTD metadata.
-P size
(Optional) Build the filesystem image in partition mode, which forces the QTD image to extend to the size specified by size exactly. When you build an image or use -C, the statistics output provides the maximum size of the inner, wrapped filesystem image.

This option is required when you are building a QTD image to flash to a fixed-size disk partition.

-R version
(Optional) Specify the anti-rollback version as a 64-bit, unsigned integer. When combined with the filesystem driver rollback mount option, this value configures the system to deny the mounting of a filesystem image that has a version that is lower than the value passed to the mount option. This mechanism allows you to maintain the chain of trust in a secure boot environment.
-S signature
A mandatory option that specifies the cryptographic signature algorithm. The following signature algorithms are supported:
Signature Key type
rsa‑sha256 RSA
ecdsa‑sha256 EC
eddsa‑25519 Ed25519
ecdsa‑448 Ed448
-Z sign_cmd
(Optional) The custom signing command for the cryptographic signature of the QTD image. Custom signing allows you to use a custom utility that hides the private key while allowing signing to proceed. This method allows the signing operation to be done remotely through a utility you specify.

The following two tokens need to appear in the signing command. They are replaced by temporary files when the signing command is called:

  • <hashfile>: The path to the file that contains the sha256 digest in binary format that needs to be signed.
  • <sigfile>: The path to the file where the custom utility writes the signature in binary format.
For example, using openssl as the signing utility:
openssl pkeyutl -sign -in <hashfile> -inkey private_key.pem -out <sigfile> -pkeyopt digest:sha256

QTD-supported crypto keys

QTD supports EC and RSA keys. The private key must be in the PKCS#8 format and the public key must be in the X.509 format. All keys must use PEM encoding. For RSA, key lengths of up to 16 KiB (kibibits) are supported.

Generate an RSA key:
openssl genpkey -algorithm RSA -out rsa_private_key.pem -pkeyopt rsa_keygen_bits:2048
openssl pkey -in rsa_private_key.pem -pubout -out rsa_public_key.pem
Generate an EC key:
openssl ecparam -name prime256v1 -param_enc explicit -no_seed -out ec_params.pem -outform PEM
openssl genpkey -paramfile ec_params.pem -out ec_private_key.pem
openssl pkey -in ec_private_key.pem -pubout -out ec_public_key.pem
Generate an Ed448 key:
openssl genpkey -algorithm ed448 -outform PEM -out ed448_private_key_pkcs8.pem
openssl pkey -outform PEM -pubout -in ed448_private_key_pkcs8.pem -out ed448_public_key_x509.pem
Generate an Ed25519 key:
openssl genpkey -algorithm ed25519 -outform PEM -out ed25519_private_key_pkcs8.pem
openssl pkey -outform PEM -pubout -in ed25519_private_key_pkcs8.pem -out ed25519_public_key_x509.pem


The following command makes a Power-Safe filesystem image (QNX) that is less than 2MB in size:

mkxfs -t qnx6fsimg qnx6.img

The following command builds a QTD image. The -P option specifies an image of 2 MB exactly:

mkqfs qtd -s -vv -B 4096 -H sha256 -S ecdsa-sha256 -K ec_test_private_key.pem -P 2097152 -o
        qtd.img qnx6.img

The following command mounts the QTD image with a full disk verification:

mount -t qtd -o key=/proc/boot/ec_test_public_key.pem,stats,verbose,verify /dev/hd1 /dev/qtd-1

You can then use the following command to mount the Power-Safe filesystem image:

mount -t qnx6 /dev/qtd-1 /fs