Build QNX-supported filesystems
Syntax:
Build an image:
mkqfs fstype [-a] -o output [-r paths…] [-s] [-v] fstype_options input_file
Extract an image:
mkqfs fstype [-a] [-f] -o output [-v] [-x] fstype_options input_file
Verify an image:
mkqfs fstype [-a] [-v] [-y] fstype_options input_file
Print general help:
mkqfs -h
Print help for a specified filesystem:
mkqfs fstype -h
Runs on:
Linux, Mac, Microsoft Windows
Options:
- fstype
- The type of filesystem to build, extract, or verify.
- -a
- (Optional) Specify that if a warning is generated, the execution fails.
- -f
- (Optional) Force extraction to occur if the specified target folder already exists. The
target folder is removed before extraction begins. Only valid when
-x is used.
- -h
- (Optional) Print the help menu. If fstype is specified, the help menu
for the specific filesystem is printed, otherwise a general help menu is
printed.
- -o output
- A mandatory option that specifies either the output image file (when
building filesystem images) or the output folder (when extracting filesystem
images).
- -r paths…
- (Optional) A list of paths separated by a colon (:) that are searched in the given order to
resolve objects (files, links, etc.) when building filesystems.
- If not specified, the default search path is the QNX_TARGET
environment variable value. If QNX_TARGET is not set, an
error is returned.
- -s
- (Optional) Print statistics when building filesystems.
- -v
- (Optional) Print additional information when building or extracting filesystems.
- This option is mostly meant for debugging or viewing progress. Specify multiple
-v options to increase the verbosity.
- -x
- (Optional) Extract a filesystem image and dumps the contents to
output.
- Not all filesystems support extraction.
- -y
- (Optional) Verify a filesystem image.
- Not all filesystems support verification.
- fstype_options
- A set of mandatory and optional options for the specific type of filesystem. See
Description for information on the available options.
- input_file
- A mandatory option that specifies one of the following files:
- when building an image, the filesystem buildfile
- when extracting or verifying an image, the filesystem image
file
- when fstype is qtd, the filesystem image
that the QTD image will protect
Description:
The mkqfs utility generates QNX-supported filesystems. Each supported
filesystem can be built and, optionally, verified and extracted. The utility
supports the generic options described in Options as well as
filesystem-specific ones (which always use capital letters). Specific options are
available for the following filesystems:
License checking
The mkqfs utility checks for a valid QNX license key before performing
any operation. If the license check fails, the utility stops running and displays a
diagnostic message. A license check may fail if the license key is expired, missing, or not
currently activated, or if the key doesn’t contain the permissions needed to run the
utility.
QTD options:
- -A salt
- (Optional) The cryptographic salt value (hex) to use to create the filesystem. The salt length
must be at least as long as the chosen digest size (see -H)
and a maximum of 128 bytes.
-
If omitted, the salt is randomly generated.
- -B size
- A mandatory option that specifies, in bytes, the chunk size to use when splitting the source
image into chunks to hash. If the source image is a filesystem, use a size
that is equal to or greater than the block size that the filesystem uses.
Valid values are: 512, 1024, 2048, 4096, 8192, 16384, 32768.
- -C size
- (Optional) Calculate the size of the metadata tree using the provided image
size in bytes.
- -H hash
- A mandatory option that specifies the cryptographic digest. Supported digests: sha256,
sha512, sha512-256, blake2s256, blake2b256, blake2b512, and blake3.
- -K key
- A mandatory option that specifies either the private key (when building a QTD image) or public
key (when verifying a QTD image). The key type must match the type of
signature algorithm (see -S). See QTD-supported crypto
keys.
- -M
- (Optional) Restrict the output to QTD metadata.
- -P size
- (Optional) Build the filesystem image in partition mode, which forces the QTD image to extend to
the size specified by size exactly. When you build an
image or use -C, the statistics output provides the maximum
size of the inner, wrapped filesystem image.
This option is required when
you are building a QTD image to flash to a fixed-size disk
partition.
- -R version
- (Optional) Specify the anti-rollback version as a 64-bit, unsigned integer. When combined with
the filesystem driver rollback mount option, this value
configures the system to deny the mounting of a filesystem image that has a
version that is lower than the value passed to the mount option. This
mechanism allows you to maintain the chain of trust in a secure boot
environment.
- -S signature
- A mandatory option that specifies the cryptographic signature algorithm. The following
signature algorithms are supported:
Signature |
Key type |
rsa‑sha256 |
RSA |
ecdsa‑sha256 |
EC |
eddsa‑25519 |
Ed25519 |
ecdsa‑448 |
Ed448 |
- -Z sign_cmd
- (Optional) The custom signing command for the cryptographic signature of the QTD image. Custom
signing allows you to use a custom utility that hides the private key while
allowing signing to proceed. This method allows the signing operation to be
done remotely through a utility you specify.
-
The following two tokens need to appear in the signing command. They are
replaced by temporary files when the signing command is called:
- <hashfile>: The path to the file that contains the sha256 digest in binary format
that needs to be signed.
- <sigfile>: The path to the file where the custom utility writes the signature in
binary format.
- For example, using openssl as the signing utility:
openssl pkeyutl -sign -in <hashfile> -inkey private_key.pem -out <sigfile> -pkeyopt digest:sha256
QTD-supported crypto keys
QTD supports EC and RSA keys. The private key must be in the PKCS#8 format and the public key
must be in the X.509 format. All keys must use PEM encoding. For RSA, key lengths of up to
16 KiB (kibibits) are supported.
Generate an RSA
key:
openssl genpkey -algorithm RSA -out rsa_private_key.pem -pkeyopt rsa_keygen_bits:2048
openssl pkey -in rsa_private_key.pem -pubout -out rsa_public_key.pem
Generate an EC
key:
openssl ecparam -name prime256v1 -param_enc explicit -no_seed -out ec_params.pem -outform PEM
openssl genpkey -paramfile ec_params.pem -out ec_private_key.pem
openssl pkey -in ec_private_key.pem -pubout -out ec_public_key.pem
Generate an Ed448
key:
openssl genpkey -algorithm ed448 -outform PEM -out ed448_private_key_pkcs8.pem
openssl pkey -outform PEM -pubout -in ed448_private_key_pkcs8.pem -out ed448_public_key_x509.pem
Generate an Ed25519
key:
openssl genpkey -algorithm ed25519 -outform PEM -out ed25519_private_key_pkcs8.pem
openssl pkey -outform PEM -pubout -in ed25519_private_key_pkcs8.pem -out ed25519_public_key_x509.pem
Examples
The following command makes a Power-Safe filesystem image (QNX) that is less than 2MB in size:
mkxfs -t qnx6fsimg qnx6.build qnx6.img
The following command builds a QTD image. The -P option specifies an image
of 2 MB exactly:
mkqfs qtd -s -vv -B 4096 -H sha256 -S ecdsa-sha256 -K ec_test_private_key.pem -P 2097152 -o
qtd.img qnx6.img
The following command mounts the QTD image with a full disk verification:
mount -t qtd -o key=/proc/boot/ec_test_public_key.pem,stats,verbose,verify /dev/hd1 /dev/qtd-1
You can then use the following command to mount the Power-Safe filesystem image:
mount -t qnx6 /dev/qtd-1 /fs