Stefano Marinelli Offers a Guide to Building Your Own NetBSD-Powered Read-Only Gadgets

You might have seen it done with Linux, or even FreeBSD — now roll your own read-only filesystem in NetBSD.

Computer scientist and BSD fan Stefano Marinelli has penned a guide to using NetBSD as a secure and stable platform for embedded device projects — by creating a read-only installation.

"One detail that is often overlooked when dealing with embedded (or remote) devices is a key point of vulnerability: the file system," Marinelli explains. "For non-COW [Copy-On-Write] file systems (like ext4 on Linux, FFS, etc.), there are situations where a crash or a power outage could cause corruption, requiring manual intervention. For certain use cases, it's advisable to set up a read-only root file system, which ensures better reliability in case of system issues. Think of scenarios like a router (critical for network access) or a caching reverse-proxy."

If you're looking to add some security and stability to an embedded NetBSD project, a read-only filesystem could help. (📷: Stefano Marinelli)

Many operating systems, Marinelli explains, already provide a mechanism for read-only root file systems, or alternatives such as an overlay filesystem. NetBSD, however, does not — yet Marinelli recommends it for embedded use anyway, as "it supports nearly all embedded devices, is lightweight, and its stability minimizes the need for frequent updates."

Marinelli's solution for the lack of native support is to build it himself: the two directories typically written to in daily operation, /tmp and /var, are mounted in memory so that writes never hit the underlying filesystem. If anything gets corrupted, simply reboot and you're back to a working system again.

There is, of course, a catch: if you're running a read-only system, it's read-only for everything, including installing important security updates. Because nothing written at runtime survives a reboot, any change an attacker makes to the running system should last only as long as it takes you to reset the device, but it is still important to stay on top of updates. With Marinelli's solution that is as easy as commenting out the mount-in-memory instruction for /var, switching the filesystem back to read-write, rebooting, installing the update, regenerating the /var tarball, restoring the mount instruction, and rebooting again.
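To make the moving parts concrete, here is an added example (written for this article, not code from Marinelli's guide): an fstab(5) fragment that keeps the root read-only with /tmp and /var on tmpfs, plus the two helpers the update cycle described above needs, one to pack a freshly updated /var into a tarball while the root is writable and one to unpack it into the empty tmpfs at boot. The disk device (wd0a), the tmpfs sizes, the archive path and the read-only check on mount(8) output are assumptions to adapt for the target board.

```shell
#!/bin/sh
# Added example, not from Marinelli's guide. Assumptions: root on /dev/wd0a,
# the /var snapshot lives at /usr/local/var.tgz (on the read-only root, so it
# is only rewritten while the root is remounted read-write for updates).
set -u

VAR_ARCHIVE="${VAR_ARCHIVE:-/usr/local/var.tgz}"

# fstab(5) fragment: read-only root, /tmp and /var as tmpfs (sizes assumed).
fstab_fragment() {
    cat <<'EOF'
/dev/wd0a   /      ffs    ro                  1 1
tmpfs       /tmp   tmpfs  rw,-m=1777,-s=32M   0 0
tmpfs       /var   tmpfs  rw,-s=64M           0 0
EOF
}

# Snapshot a populated /var into a tarball. Run after installing updates,
# while the root is mounted read-write, so the next boot restores a current /var.
pack_var() {   # pack_var <src_dir> <archive>
    src=$1; archive=$2
    tar -czf "$archive" -C "$src" .
}

# Populate the empty tmpfs /var from the tarball at boot, from an rc.d script
# that runs before anything needing /var/run, /var/log or /var/db.
restore_var() {   # restore_var <archive> <dest_dir>
    archive=$1; dest=$2
    [ -f "$archive" ] || { echo "restore_var: missing $archive" >&2; return 1; }
    tar -xzpf "$archive" -C "$dest"
}

# Sanity check before packing: NetBSD's mount(8) reports the root as
# "... on / type ffs (read-only, ...)" when it is still read-only (assumed format).
root_is_readonly() {
    mount | grep -q ' on / type .*read-only'
}

# Minimal command dispatch; with no argument the script only defines functions.
case "${1:-}" in
    fstab)   fstab_fragment ;;
    pack)    root_is_readonly && { echo "remount / rw first" >&2; exit 1; }
             pack_var "${2:-/var}" "$VAR_ARCHIVE" ;;
    restore) restore_var "$VAR_ARCHIVE" "${2:-/var}" ;;
esac
```

Usage on the device: `sh ro-var.sh pack` after an update while the root is read-write, then restore the tmpfs line for /var, reboot, and have the early rc.d hook call `sh ro-var.sh restore`. Keeping the archive on the root filesystem means it is itself protected by the read-only mount between update cycles.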

The full guide is available on Marinelli's blog.

ghalfacree

Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.