Filesystem security

Updated: October 26, 2022

File systems and mount points

Best practices for securing file systems and mount points include the following:

QNX Trusted Disk

QNX Trusted Disk (QTD) devices provide integrity protection of the underlying disk data in secure boot environments. They can extend the secure boot chain up to the core operating system filesystem that stores additional system binaries and configuration files.

Note: mkqnximage supports the --qtd option, which demonstrates how to enable this feature.

QTD can also be used as a protected container format (app model).

For complete information, see “QNX Trusted Disk” in the System Architecture guide.

File-based encryption

The Power-Safe filesystem supports file-based encryption where files and folders are aggregated into encryption domains. Each domain has a unique encryption key which encrypts the unique file encryption key. Access to the files require that some external actor unlock the domain, providing the domain encryption key to the filesystem driver, allowing it to decrypt the file encryption key and granting access to the encrypted file contents.

For more information, see “Encryption” in the “Filesystems” chapter of the System Architecture guide.

Unioned filesystems

Although QNX Neutrino supports unioned filesystems, they are generally a bad idea and only useful in a limited number of situations that you are unlikely to encounter. Further, unioned filesystems incur a performance penalty when searching for files that may reside on any of the unioned filesystems.

The QNX Neutrino IFS is unioned by default and mounted at "/'"and all files in the IFS are prefixed with proc/boot. This incurs a performance penalty on object path lookup starting with /proc because the /proc filesystem (procfs) is always mounted first at startup time by procnto. Add these lines to your IFS build file to mount the IFS at its own mount point (/ifs) and also gain a minor performance boost.

Note: mkqnximage supports the --union option, which demonstrates how to enable this feature.