# Pantavisor Persistent Storage

A list of the on-disk persistent files and directories that Pantavisor uses, together with some actions that could be taken to reduce the attack surface on a compromised device.

## /storage/boot/uboot.txt

Pantavisor reads and writes.

File with information about which revision to boot. Along with /proc/cmdline, it serves as the communication channel between Pantavisor and the bootloader. Pantavisor expects uboot.txt to be formatted as a set of key=value pairs (pv_rev and/or pv_try) separated by the character '\0'.

**Potential malfunctions:**

* logs not progressing to the next revision after non-reboot updates
* garbage collector removing the DONE revision
* bootloader cannot boot the right revision

**Actions to take:**

* make Pantavisor get revision info only from /proc/cmdline or memory (needs implementation)
* use storage.gc.keep_factory if there is enough disk space
* make the bootloader always boot revision 0 if uboot.txt cannot be parsed (needs implementation; only makes sense together with storage.gc.keep_factory)

## /storage/cache/devmeta/

Pantavisor reads and writes.

Directory that contains device metadata key-value pairs. Produced and saved by Pantavisor, then loaded again by Pantavisor during bootup to make them persistent. Can be consulted via pvcontrol.

**Potential malfunctions:**

* pvcontrol returns bad devmeta to platforms

**Actions to take:**

* new config key to make devmeta non-persistent so we avoid reading it (needs implementation, if needed)
* enable pvcontrol devmeta operations for the non-mgmt role so more platforms can be set to non-mgmt (needs implementation)

## /storage/cache/dropbear/

Pantavisor mounts.

Just mounted at /etc/dropbear during bootup and used by Dropbear thereafter.

**Potential malfunctions:**

**Actions to take:**

## /storage/cache/meta

Pantavisor reads and writes.

Directory that contains user metadata key-value pairs. Produced by platforms and saved by Pantavisor, then loaded by Pantavisor during bootup to make them persistent.

**Potential malfunctions:**

* pvcontrol returns bad usrmeta to platforms
* SSH denies access because of a bad public key

**Actions to take:**

* new config key to make usrmeta non-persistent so we avoid reading it when a platform does not need it (needs implementation, if needed)
* enable pvcontrol usrmeta operations for the non-mgmt role so more platforms can be set to non-mgmt (needs implementation)

## /storage/config/

Pantavisor reads and writes.

Contains pantahub.config and unclaimed.config. Read and written on rev 0 if control.remote=1. We also check whether pantahub.config exists to verify that /storage is mounted at some point.

**Potential malfunctions:**

* misconfiguration of pantahub.config keys (including deprecated ones)
* boot loop if removed

**Actions to take:**

* use control.remote=1 to avoid reading these files
* move all possible keys to pantavisor.config and deprecate them (needs implementation)
* move the rest of the values to a new .config in the initrd, except the credentials (needs implementation)
* remove the pantahub.config check used to verify that /storage is mounted (needs implementation)

## /storage/disks/

Pantavisor reads.

Used to store permanent or per-revision disk overlays. It is not used when the platform persistence is set to boot.

**Potential malfunctions:**

* platform-side malfunction

**Actions to take:**

* make sure non-encrypted disks are only used with boot persistence

## /storage/dm-crypt-file/

Pantavisor reads.

Encrypted. Used to store dm disks.

**Potential malfunctions:**

**Actions to take:**

## /storage/logs/

Pantavisor writes.

Where the Pantavisor logserver stores the logs. Can be modified via pv-ctrl-log and pv-fd-log.

**Potential malfunctions:**

* logs modified or removed

**Actions to take:**

* is it worth checking who is sending to pv-ctrl-log and pv-fd-log, and verifying whether that is possible? (needs implementation)

## /storage/objects/

Pantavisor reads and writes. Signature and checksum validation.

Where the Pantavisor update system stores the revision objects. On-disk info can be directly consulted and modified with pv-ctrl.

**Potential malfunctions:**

* boot loop if an object is missing

**Actions to take:**

* preferably use strict secureboot mode
* make sure the non-mgmt role is set on all platforms that do not need mgmt

## /storage/trails/

Pantavisor reads and writes. Signature and checksum validation.

Where the Pantavisor update system stores the revision JSON state. On-disk info can be directly consulted and modified with pv-ctrl.

**Potential malfunctions:**

* boot loop if a revision is missing

**Actions to take:**

* preferably use strict secureboot mode
* make sure the non-mgmt role is set on all platforms that do not need mgmt
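The /storage/boot/uboot.txt section above describes the file format ('\0'-separated key=value pairs with the keys pv_rev and pv_try) and lists, as an action still needing implementation, falling back to revision 0 whenever the file cannot be parsed. The following C program is an added example written for this page, not Pantavisor or bootloader code: it parses a uboot.txt buffer strictly (only the two documented keys, no duplicates, decimal values only, bounded field length, a missing trailing '\0' tolerated) and returns the factory revision 0 for anything malformed, so a corrupted or tampered file never steers the boot. The names `pv_parse_uboot_txt`, `pv_boot_rev`, the bound `PV_REV_MAX` and the rule "boot pv_try if present, else pv_rev" are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Pantavisor code. Parses a uboot.txt buffer in the format
 * the page describes ('\0'-separated key=value pairs, keys pv_rev and pv_try)
 * and falls back to revision 0 whenever anything does not parse, so the
 * bootloader never acts on a corrupted or tampered file. */

#define PV_REV_FALLBACK 0        /* factory revision; assumed kept via storage.gc.keep_factory */
#define PV_REV_MAX      1000000  /* assumed sanity bound on revision numbers */

struct pv_boot_info {
    int rev;     /* pv_rev, or PV_REV_FALLBACK if the file was rejected */
    int try;     /* pv_try, or -1 if absent or the file was rejected */
    int parsed;  /* 1 if the file was well-formed, 0 if we fell back */
};

static struct pv_boot_info pv_fallback(void)
{
    struct pv_boot_info info = { PV_REV_FALLBACK, -1, 0 };
    return info;
}

/* Strict non-negative decimal; -1 on empty, non-numeric, trailing junk or out of range. */
static int pv_parse_rev(const char *s)
{
    char *end;
    long v;
    if (*s == '\0')
        return -1;
    v = strtol(s, &end, 10);
    if (*end != '\0' || v < 0 || v > PV_REV_MAX)
        return -1;
    return (int)v;
}

/* buf/len: raw file contents; a missing trailing '\0' on the last pair is tolerated. */
struct pv_boot_info pv_parse_uboot_txt(const char *buf, size_t len)
{
    struct pv_boot_info info = { -1, -1, 0 };
    char field[64];
    size_t off = 0;

    while (off < len) {
        size_t n = 0;
        char *eq;
        const char *key, *val;

        /* bounded copy of one field: stop at '\0', end of buffer or the field limit */
        while (off + n < len && buf[off + n] != '\0' && n < sizeof(field) - 1)
            n++;
        if (off + n < len && buf[off + n] != '\0')
            return pv_fallback();      /* over-long field: reject the whole file */
        memcpy(field, buf + off, n);
        field[n] = '\0';
        off += n + 1;

        if (n == 0)
            continue;                  /* tolerate empty fields such as "\0\0" */

        eq = strchr(field, '=');
        if (!eq || eq == field)
            return pv_fallback();      /* not a key=value pair */
        *eq = '\0';
        key = field;
        val = eq + 1;

        if (strcmp(key, "pv_rev") == 0) {
            if (info.rev != -1)
                return pv_fallback();  /* duplicate pv_rev */
            info.rev = pv_parse_rev(val);
            if (info.rev < 0)
                return pv_fallback();
        } else if (strcmp(key, "pv_try") == 0) {
            if (info.try != -1)
                return pv_fallback();  /* duplicate pv_try */
            info.try = pv_parse_rev(val);
            if (info.try < 0)
                return pv_fallback();
        } else {
            return pv_fallback();      /* only the two documented keys are accepted */
        }
    }
    if (info.rev < 0)
        return pv_fallback();          /* pv_rev is mandatory */
    info.parsed = 1;
    return info;
}

/* Revision to boot: pv_try if present, else pv_rev (assumed semantics for this example). */
int pv_boot_rev(const char *buf, size_t len)
{
    struct pv_boot_info info = pv_parse_uboot_txt(buf, len);
    return info.try >= 0 ? info.try : info.rev;
}

int main(void)
{
    /* constructed sample buffers; sizeof - 1 drops the string literal's own terminator */
    static const char good[] = "pv_rev=3\0pv_try=4\0";
    static const char bad[]  = "pv_rev=three\0";
    printf("good -> boot revision %d\n", pv_boot_rev(good, sizeof(good) - 1));
    printf("bad  -> boot revision %d\n", pv_boot_rev(bad, sizeof(bad) - 1));
    return 0;
}
```

Rejecting unknown keys and duplicates is a deliberate choice: the page defines the file as exactly pv_rev and/or pv_try, and a file that contains anything else is more likely damage or tampering than a legitimate extension, so it should be treated the same as an unparseable one.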