UBIFS Index & Tree Node Cache¶

Basic on-flash UBIFS entities are callednodes. UBIFS knows different typesof nodes. Eg. data nodes (structubifs_data_node) which store chunks of filecontents or inode nodes (structubifs_ino_node) which represent VFS inodes.Almost all types of nodes share a common header (ubifs_ch) containing basicinformation like node type, node length, a sequence number, etc. (seefs/ubifs/ubifs-media.h in kernel source). Exceptions are entries of the LPTand some less important node types like padding nodes which are used to padunusable content at the end of LEBs.

To avoid re-writing the whole B+ tree on every single change, it is implementedaswandering tree, where only the changed nodes are re-written and previousversions of them are obsoleted without erasing them right away. As a result,the index is not stored in a single place on the flash, butwanders aroundand there are obsolete parts on the flash as long as the LEB containing them isnot reused by UBIFS. To find the most recent version of the index, UBIFS storesa special node calledmaster node into UBI LEB 1 which always points to themost recent root node of the UBIFS index. For recoverability, the master nodeis additionally duplicated to LEB 2. Mounting UBIFS is thus a simple read ofLEB 1 and 2 to get the current master node and from there get the location ofthe most recent on-flash index.

The TNC is the in-memory representation of the on-flash index. It contains someadditional runtime attributes per node which are not persisted. One of these isa dirty-flag which marks nodes that have to be persisted the next time theindex is written onto the flash. The TNC acts as a write-back cache and allmodifications of the on-flash index are done through the TNC. Like other caches,the TNC does not have to mirror the full index into memory, but reads parts ofit from flash whenever needed. Acommit is the UBIFS operation of updating theon-flash filesystem structures like the index. On every commit, the TNC nodesmarked as dirty are written to the flash to update the persisted index.

Journal¶

To avoid wearing out the flash, the index is only persisted (committed) whencertain conditions are met (eg.fsync(2)). The journal is used to recordany changes (in form of inode nodes, data nodes etc.) between commitsof the index. During mount, the journal is read from the flash and replayedonto the TNC (which will be created on-demand from the on-flash index).

UBIFS reserves a bunch of LEBs just for the journal calledlog area. Theamount of log area LEBs is configured on filesystem creation (usingmkfs.ubifs) and stored in the superblock node. The log area contains onlytwo types of nodes:reference nodes andcommit start nodes. A commit startnode is written whenever an index commit is performed. Reference nodes arewritten on every journal update. Each reference node points to the position ofother nodes (inode nodes, data nodes etc.) on the flash that are part of thisjournal entry. These nodes are calledbuds and describe the actual filesystemchanges including their data.

The log area is maintained as a ring. Whenever the journal is almost full,a commit is initiated. This also writes a commit start node so that duringmount, UBIFS will seek for the most recent commit start node and just replayevery reference node after that. Every reference node before the commit startnode will be ignored as they are already part of the on-flash index.

When writing a journal entry, UBIFS first ensures that enough space isavailable to write the reference node and buds part of this entry. Then, thereference node is written and afterwards the buds describing the file changes.On replay, UBIFS will record every reference node and inspect the location ofthe referenced LEBs to discover the buds. If these are corrupt or missing,UBIFS will attempt to recover them by re-reading the LEB. This is however onlydone for the last referenced LEB of the journal. Only this can become corruptbecause of a power cut. If the recovery fails, UBIFS will not mount. An errorfor every other LEB will directly cause UBIFS to fail the mount operation.

| ----    LOG AREA     ---- | ----------    MAIN AREA    ------------ | -----+------+-----+--------+----   ------+-----+-----+--------------- \    |      |     |        |   /  /      |     |     |               \ / CS |  REF | REF |        |   \  \ DENT | INO | INO |               / \    |      |     |        |   /  /      |     |     |               \  ----+------+-----+--------+---   -------+-----+-----+----------------          |     |                  ^            ^          |     |                  |            |          +------------------------+            |                |                               |                +-------------------------------+         Figure 2: UBIFS flash layout of log area with commit start nodes                   (CS) and reference nodes (REF) pointing to main area                   containing their buds

LEB Property Tree/Table¶

The LEB property tree is used to store per-LEB information. This includes theLEB type and amount of free anddirty (old, obsolete content) space[1] onthe LEB. The type is important, because UBIFS never mixes index nodes with datanodes on a single LEB and thus each LEB has a specific purpose. This again isuseful for free space calculations. See [UBIFS-WP] for more details.

The LEB property tree again is a B+ tree, but it is much smaller than theindex. Due to its smaller size it is always written as one chunk on everycommit. Thus, saving the LPT is an atomic operation.

Since LEBs can only be appended and never overwritten, there is adifference between free space ie. the remaining space left on the LEB to bewritten to without erasing it and previously written content that is obsoletebut can’t be overwritten without erasing the full LEB.

Index Authentication¶

Through UBIFS’ concept of a wandering tree, it already takes care of onlyupdating and persisting changed parts from leaf node up to the root nodeof the full B+ tree. This enables us to augment the index nodes of the treewith a hash over each node’s child nodes. As a result, the index basically alsoa Merkle tree. Since the leaf nodes of the index contain the actual filesystemdata, the hashes of their parent index nodes thus cover all the file contentsand file metadata. When a file changes, the UBIFS index is updated accordinglyfrom the leaf nodes up to the root node including the master node. This processcan be hooked to recompute the hash only for each changed node at the same time.Whenever a file is read, UBIFS can verify the hashes from each leaf node up tothe root node to ensure the node’s integrity.

To ensure the authenticity of the whole index, the UBIFS master node stores akeyed hash (HMAC) over its own contents and a hash of the root node of the indextree. As mentioned above, the master node is always written to the flash wheneverthe index is persisted (ie. on index commit).

Using this approach only UBIFS index nodes and the master node are changed toinclude a hash. All other types of nodes will remain unchanged. This reducesthe storage overhead which is precious for users of UBIFS (ie. embeddeddevices).

                  +---------------+                  |  Master Node  |                  |    (hash)     |                  +---------------+                          |                          v                 +-------------------+                 |  Index Node #1    |                 |                   |                 | branch0   branchn |                 | (hash)    (hash)  |                 +-------------------+                    |    ...   |  (fanout: 8)                    |          |            +-------+          +------+            |                         |            v                         v +-------------------+       +-------------------+ |  Index Node #2    |       |  Index Node #3    | |                   |       |                   | | branch0   branchn |       | branch0   branchn | | (hash)    (hash)  |       | (hash)    (hash)  | +-------------------+       +-------------------+      |   ...                     |   ...   |      v                           v         v    +-----------+         +----------+  +-----------+    | Data Node |         | INO Node |  | DENT Node |    +-----------+         +----------+  +-----------+Figure 3: Coverage areas of index node hash and master node HMAC

The most important part for robustness and power-cut safety is to atomicallypersist the hash and file contents. Here the existing UBIFS logic for howchanged nodes are persisted is already designed for this purpose such thatUBIFS can safely recover if a power-cut occurs while persisting. Addinghashes to index nodes does not change this since each hash will be persistedatomically together with its respective node.

Journal Authentication¶

The journal is authenticated too. Since the journal is continuously writtenit is necessary to also add authentication information frequently to thejournal so that in case of a powercut not too much data can’t be authenticated.This is done by creating a continuous hash beginning from the commit start nodeover the previous reference nodes, the current reference node, and the budnodes. From time to time whenever it is suitable authentication nodes are addedbetween the bud nodes. This new node type contains a HMAC over the current stateof the hash chain. That way a journal can be authenticated up to the lastauthentication node. The tail of the journal which may not have a authenticationnode cannot be authenticated and is skipped during journal replay.

We get this picture for journal authentication:

,,,,,,,,,......,...........................................,. CS  ,               hash1.----.           hash2.----.,.  |  ,                    .    |hmac            .    |hmac,.  v  ,                    .    v                .    v,.REF#0,-> bud -> bud -> bud.-> auth -> bud -> bud.-> auth ...,..|...,...........................................,  |   ,,  |   ,,,,,,,,,,,,,,,.  |            hash3,----.,  |                 ,    |hmac,  v                 ,    v, REF#1 -> bud -> bud,-> auth ...,,,|,,,,,,,,,,,,,,,,,,   v  REF#2 -> ...   |   V  ...

Since the hash also includes the reference nodes an attacker cannot reorder orskip any journal heads for replay. An attacker can only remove bud nodes orreference nodes from the end of the journal, effectively rewinding thefilesystem at maximum back to the last commit.

The location of the log area is stored in the master node. Since the masternode is authenticated with a HMAC as described above, it is not possible totamper with that without detection. The size of the log area is specified whenthe filesystem is created usingmkfs.ubifs and stored in the superblock node.To avoid tampering with this and other values stored there, a HMAC is added tothe superblock struct. The superblock node is stored in LEB 0 and is onlymodified on feature flag or similar changes, but never on file changes.

LPT Authentication¶

The location of the LPT root node on the flash is stored in the UBIFS masternode. Since the LPT is written and read atomically on every commit, there isno need to authenticate individual nodes of the tree. It suffices toprotect the integrity of the full LPT by a simple hash stored in the masternode. Since the master node itself is authenticated, the LPTs authenticity canbe verified by verifying the authenticity of the master node and comparing theLTP hash stored there with the hash computed from the read on-flash LPT.