QTD option

When you enable QNX Trusted Disk (QTD), the Power-Safe filesystem (fs-qnx6.so) filesystem that is used for the system partition is contained in a QTD partition. The two options --pathrust=yes and --qtd=yes are often used together.

Because the QTD partition is protected by a digital signature, the file qtd_public_key.pem that contains the public key of the signer is added to the IFS. The private key used by mkqnximage to sign the partition is contained in the file local/misc_files/qtd_private_key.pem. In a real system, the private key would be securely protected as its disclosure would compromise the security provided by QTD and pathtrust.

The mount script, output/build/mount_fs.sh is also affected by use of QTD. Without QTD, the system partition is mounted in one step, using:

mount -t qnx6 -o sync=optional,mntperms=755,noatime  /dev/hd0t178 /system

As the Power-Safe filesystem is contained in a QTD partition, the QTD partition must be mounted first. The commands are now:

mount -t qtd -o key=/proc/boot/qtd_public_key.pem -o trusted /dev/hd0t185 /dev/hd0t185-qnx6 
mount -t qnx6 -o sync=optional,mntperms=755,noatime -o trusted /dev/hd0t185-qnx6 /system 

A final change is in the start-up of devb-eide, the resource manager that provides the filesystems. The command to start it is now:

on -A allow,all,lock,path_trust  devb-eide cam user=20:20 blk . . .

For a filesystem to be treated as trusted (see the pathtrust option above), the resource manager that provides it must have the PROCMGR_AID_PATH_TRUST ability. Locking the ability forces devb-eide to retain the ability after it switches to a non-root UID during startup. Dropping the ability would revoke trust in the QTD filesystem.

If you run the image and log into it as root, you can see the effect of these options.

The first change is to make the system partition is read-only:

# touch /system/xbin/new_file 
/system/xbin/new_file: Read-only file system 

Any attempt by an offline attack to make changes to the filesystem by modifying the virtual image (or flash memory, on a real filesystem) is detected by QTD. If a change is detected, QTD refuses to return the modified block, which generates a filesystem IO error.