Overview

The QNX Filesystem for Safety (QFS) is currently an experimental feature.

The QFS is a read-only, integrity-protected filesystem solution.

  • Read only — the filesystem only supports read operations
  • Integrity protected — checks are performed on every read operation to ensure the integrity of the returned data

The QFS is suitable for storing critical files like executables, libraries, configuration files, and safety-critical data. It allows you to separate safety-critical data from application and user data that is stored, for example, in an adjacent writable filesystem.

It is compatible with QNX SDP 8.0.

A QFS implementation comprises:
  • a read-only filesystem image, built using the QNX OS filesystems build tool (mkqfs), and
  • the QFS driver (qtsafefsd).

The QFS driver uses the QNX cryptography library to support its integrity checking mechanism. A QNX cryptography library plugin allows it to access cryptographic primitives offered by third-party libraries.

Filesystem image

You create a QFS filesystem image using mkqfs.

Figure 1: Creating a QFS filesystem image


To implement the QFS, you deploy this image to your target system (for example, to a specified disk partition) and mount it using the QFS driver (qtsafefsd).

In addition to creating QFS filesystem images, you can use the mkqfs tool to extract or verify an existing image.

For details about QFS filesystem image creation options, go to mkqfs (for QFS).

Integrity protection

Like QNX Trusted Disk, the QFS protection mechanism is based on a Merkle tree.

Because the Merkle tree is applied at the filesystem image level, the entire contents of the filesystem are integrity verified: data and metadata.

For a description of the metadata hash tree that mkqfs constructs from the blocks of the source filesystem image, go to QNX Trusted Disk in the QNX OS System Architecture Guide.

A standalone filesystem driver

Unlike other QNX Neutrino filesystems, which are fs-*.so shared objects loaded by io-blk.so, the QFS driver (qtsafefsd) is its own process entirely. It mounts the filesystem image on the QNX system at a specified path. Client programs must use this path to access the contents of the filesystem image.

Figure 2: Accessing a QFS filesystem image


Unlike other QNX filesystems, you can't mount a QFS image via the mount utility. You must invoke the qtsafefsd driver directly.

The QFS metadata packaged in the filesystem image is signed and verified using a key pair. The QFS driver verifies the signature to ensure that the root hash of the tree is valid and hasn't been tampered with.

For additional safety, you can also configure the QFS driver to check for the minimum version that is safe to use before it mounts the filesystem image (rollback protection).

Optionally, qtsafefsd can verify the full filesystem content as part of the mounting process.
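The following is an added illustration, not QNX code and not the QFS on-disk format, of the mechanisms described in the Integrity protection section and in the three paragraphs above: a Merkle hash tree built over the blocks of a read-only image, a root hash bound to an image version, a mount-time check of that binding followed by a minimum-version (rollback) check, an integrity check on every block read, and an optional full-content verification. The 4 KiB block size, the leaf/inner-node hash prefixes, the metadata layout and the use of an HMAC as a stand-in for the key-pair signature are assumptions of this example; the sample image is constructed inline.

```python
# Added example: QFS-style integrity protection on a read-only block image.
# Block size, hash prefixes, metadata layout and the HMAC standing in for
# the key-pair signature are assumptions, not the QFS on-disk format.
import hashlib
import hmac

BLOCK_SIZE = 4096  # assumed block size


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def split_blocks(image: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Cut the image into fixed-size blocks, zero-padding the last one."""
    if not image:
        raise ValueError("empty image")
    blocks = [image[i:i + block_size] for i in range(0, len(image), block_size)]
    blocks[-1] = blocks[-1].ljust(block_size, b"\0")
    return blocks


def build_tree(blocks: list) -> list:
    """Return the tree as a list of levels, leaves first, root level last.
    Leaves and inner nodes get different prefixes so a data block cannot be
    passed off as an inner node; a level with an odd count repeats its last node."""
    level = [_h(b"\x00" + b) for b in blocks]
    levels = []
    while True:
        if len(level) > 1 and len(level) % 2:
            level.append(level[-1])
        levels.append(level)
        if len(level) == 1:
            return levels
        level = [_h(b"\x01" + level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]


def auth_path(levels: list, index: int) -> list:
    """Sibling hashes from leaf `index` up to, but not including, the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path


def verify_block(block: bytes, index: int, path: list, root: bytes) -> bool:
    """Recompute the root from one block plus its sibling hashes."""
    h = _h(b"\x00" + block)
    for sibling in path:
        h = _h(b"\x01" + sibling + h) if index & 1 else _h(b"\x01" + h + sibling)
        index //= 2
    return hmac.compare_digest(h, root)


def make_metadata(root: bytes, version: int, key: bytes) -> dict:
    """Bind root hash and image version; the HMAC stands in for a signature."""
    msg = version.to_bytes(4, "big") + root
    return {"root": root, "version": version,
            "tag": hmac.new(key, msg, "sha256").digest()}


def check_metadata(meta: dict, key: bytes, min_version: int) -> str:
    """Mount-time checks: authenticity of the root first, then rollback."""
    msg = meta["version"].to_bytes(4, "big") + meta["root"]
    expected = hmac.new(key, msg, "sha256").digest()
    if not hmac.compare_digest(meta["tag"], expected):
        return "bad signature"
    if meta["version"] < min_version:
        return "rollback"
    return "ok"


def checked_read(image: bytes, levels: list, root: bytes, index: int) -> bytes:
    """Read one block, verifying it against the trusted root on every read."""
    block = split_blocks(image)[index]
    if not verify_block(block, index, auth_path(levels, index), root):
        raise IOError("integrity check failed for block %d" % index)
    return block


def verify_full(image: bytes, levels: list, root: bytes) -> list:
    """Optional full-content verification; returns indices of bad blocks."""
    blocks = split_blocks(image)
    return [i for i in range(len(blocks))
            if not verify_block(blocks[i], i, auth_path(levels, i), root)]


def sample_image() -> bytes:
    """Constructed 5-block image; the last block is short and gets padded."""
    return b"".join(bytes([i]) * BLOCK_SIZE for i in range(5))[:-100]


if __name__ == "__main__":
    key = b"constructed-demo-key"  # stand-in for the verification key
    image = sample_image()
    levels = build_tree(split_blocks(image))
    meta = make_metadata(levels[-1][0], 3, key)
    print("mount:", check_metadata(meta, key, min_version=3))
    print("bad blocks:", verify_full(image, levels, meta["root"]))
```

The tree is rebuilt here from the image, as mkqfs would do at image creation time; a driver instead reads the stored tree and the signed root, checks the root binding before mounting, and recomputes only the one path it needs on each read, so a single flipped byte anywhere in data or metadata is rejected at the read that touches it.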

For details about qtsafefsd options, go to qtsafefsd.
