From: Jason Gunthorpe <jgunthorpe@obsidianresearch.com>
To: Boris BREZILLON <boris.brezillon@free-electrons.com>
Cc: devicetree@vger.kernel.org, linux-kernel@vger.kernel.org,
linux-mtd@lists.infradead.org,
Maxime Ripard <maxime.ripard@free-electrons.com>,
Brian Norris <computersforpeace@gmail.com>,
David Woodhouse <dwmw2@infradead.org>,
linux-arm-kernel@lists.infradead.org
Subject: Re: [RFC PATCH 0/3] mtd: nand: add randomizer support
Date: Thu, 1 May 2014 15:31:48 -0600 [thread overview]
Message-ID: <20140501213148.GA1563@obsidianresearch.com> (raw)
In-Reply-To: <5362B4E6.7010009@free-electrons.com>
On Thu, May 01, 2014 at 10:56:06PM +0200, Boris BREZILLON wrote:
> > However, with a synchronous scrambler the security concern boils down
> > to how robust and unpredictable is the PRBS.
>
> I'm not sure security is the main concern here.
> AFAICT, NAND scramblers (note that I stopped using the name "randomizer"
> :-)) is mainly used to avoid large island of identical data, because
> some NAND chips are sensible to such patterns (see [1] page 14).
Right, if you send to the flash 'the wrong data' then some combination of:
1) Retention time till ECC failure is reduced
2) The flash block is permanently damaged early
3) A 'nearby', unrelated flash block has ECC failure due to interference
So, if someone deliberately and maliciously defeats the scrambler and
deliberately sends in wrong data what happens?
1/3) Delibrate, predictable file system corruption
2) Create device damage and significantly early replacement of the device.
All could lead to a DOS attack of some sort, at a minimum.
FWIW, there was a similar attack against a certain communication
system. The line scrambler was statistically predictable, and if an
attacker sent enough packets that were the predictable anti-scramble
then enough would align with the scamble pattern and the
communication channel would fail and retrain creating a DOS vector.
For this reason these days com systems tend to use a 58 bit
self-synchronous LFSR for scrambling purposes.
> And this is exactly what's done in the sunxi HW scrambler
> implementation, or at least you can do it based on what you're
> specifying in your DT (see the "nand-randomizer-seeds" in the 3rd
> patch): you can define a seed table and the seed is selected based on
> the page number you're reading or writing.
Well, re-using fixed (and public) seeds:
state = rnd->seeds[page % rnd->nseeds];
Just changes the probabilities. For instance, some filesystems can be
asked to create extents with a large alignment (like 2M) to speed IOs,
and a small seeds table means the seeds within such a file will be
fully predictable.
If you are already stuck with this, then fine, it can be a driver
specific binding - but if this is a new green-field design, intended
to be broadly used as a core MTD feature:
I'd suggest just seeding with the block number xor some value, and
using a LFSR with a state space larger than the number of blocks in
the device, and don't specify a seeds array in DT.
Regards,
Jason
WARNING: multiple messages have this Message-ID (diff)
From: jgunthorpe@obsidianresearch.com (Jason Gunthorpe)
To: linux-arm-kernel@lists.infradead.org
Subject: [RFC PATCH 0/3] mtd: nand: add randomizer support
Date: Thu, 1 May 2014 15:31:48 -0600 [thread overview]
Message-ID: <20140501213148.GA1563@obsidianresearch.com> (raw)
In-Reply-To: <5362B4E6.7010009@free-electrons.com>
On Thu, May 01, 2014 at 10:56:06PM +0200, Boris BREZILLON wrote:
> > However, with a synchronous scrambler the security concern boils down
> > to how robust and unpredictable is the PRBS.
>
> I'm not sure security is the main concern here.
> AFAICT, NAND scramblers (note that I stopped using the name "randomizer"
> :-)) is mainly used to avoid large island of identical data, because
> some NAND chips are sensible to such patterns (see [1] page 14).
Right, if you send to the flash 'the wrong data' then some combination of:
1) Retention time till ECC failure is reduced
2) The flash block is permanently damaged early
3) A 'nearby', unrelated flash block has ECC failure due to interference
So, if someone deliberately and maliciously defeats the scrambler and
deliberately sends in wrong data what happens?
1/3) Delibrate, predictable file system corruption
2) Create device damage and significantly early replacement of the device.
All could lead to a DOS attack of some sort, at a minimum.
FWIW, there was a similar attack against a certain communication
system. The line scrambler was statistically predictable, and if an
attacker sent enough packets that were the predictable anti-scramble
then enough would align with the scamble pattern and the
communication channel would fail and retrain creating a DOS vector.
For this reason these days com systems tend to use a 58 bit
self-synchronous LFSR for scrambling purposes.
> And this is exactly what's done in the sunxi HW scrambler
> implementation, or at least you can do it based on what you're
> specifying in your DT (see the "nand-randomizer-seeds" in the 3rd
> patch): you can define a seed table and the seed is selected based on
> the page number you're reading or writing.
Well, re-using fixed (and public) seeds:
state = rnd->seeds[page % rnd->nseeds];
Just changes the probabilities. For instance, some filesystems can be
asked to create extents with a large alignment (like 2M) to speed IOs,
and a small seeds table means the seeds within such a file will be
fully predictable.
If you are already stuck with this, then fine, it can be a driver
specific binding - but if this is a new green-field design, intended
to be broadly used as a core MTD feature:
I'd suggest just seeding with the block number xor some value, and
using a LFSR with a state space larger than the number of blocks in
the device, and don't specify a seeds array in DT.
Regards,
Jason
next prev parent reply other threads:[~2014-05-01 21:31 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-01 1:09 [RFC PATCH 0/3] mtd: nand: add randomizer support Boris BREZILLON
2014-05-01 1:09 ` Boris BREZILLON
2014-05-01 1:09 ` Boris BREZILLON
2014-05-01 1:09 ` Boris BREZILLON
2014-05-01 1:09 ` [RFC PATCH 1/3] mtd: nand: introduce a randomizer layer in the NAND framework Boris BREZILLON
2014-05-01 1:09 ` Boris BREZILLON
2014-05-01 1:09 ` Boris BREZILLON
2014-05-01 1:09 ` Boris BREZILLON
2014-05-01 1:09 ` [RFC PATCH 2/3] of: mtd: add NAND randomizer mode retrieval Boris BREZILLON
2014-05-01 1:09 ` Boris BREZILLON
2014-05-01 1:09 ` Boris BREZILLON
2014-05-01 13:16 ` Grant Likely
2014-05-01 13:16 ` Grant Likely
2014-05-01 13:16 ` Grant Likely
2014-05-01 17:18 ` Boris BREZILLON
2014-05-01 17:18 ` Boris BREZILLON
2014-05-01 17:18 ` Boris BREZILLON
2014-05-01 17:18 ` Boris BREZILLON
2014-05-01 1:09 ` [RFC PATCH 3/3] mtd: nand: add sunxi randomizer support Boris BREZILLON
2014-05-01 1:09 ` Boris BREZILLON
2014-05-01 1:09 ` Boris BREZILLON
2014-05-01 16:34 ` [RFC PATCH 0/3] mtd: nand: add " Jason Gunthorpe
2014-05-01 16:34 ` Jason Gunthorpe
2014-05-01 16:34 ` Jason Gunthorpe
2014-05-01 16:34 ` Jason Gunthorpe
2014-05-01 17:31 ` Boris BREZILLON
2014-05-01 17:31 ` Boris BREZILLON
2014-05-01 17:31 ` Boris BREZILLON
2014-05-01 17:31 ` Boris BREZILLON
2014-05-01 17:59 ` Jason Gunthorpe
2014-05-01 17:59 ` Jason Gunthorpe
2014-05-01 17:59 ` Jason Gunthorpe
2014-05-01 20:56 ` Boris BREZILLON
2014-05-01 20:56 ` Boris BREZILLON
2014-05-01 20:56 ` Boris BREZILLON
2014-05-01 21:31 ` Jason Gunthorpe [this message]
2014-05-01 21:31 ` Jason Gunthorpe
2014-05-01 18:37 ` Antoine Ténart
2014-05-01 18:37 ` Antoine Ténart
2014-05-01 18:37 ` Antoine Ténart
2014-05-01 18:37 ` Antoine Ténart
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140501213148.GA1563@obsidianresearch.com \
--to=jgunthorpe@obsidianresearch.com \
--cc=boris.brezillon@free-electrons.com \
--cc=computersforpeace@gmail.com \
--cc=devicetree@vger.kernel.org \
--cc=dwmw2@infradead.org \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=maxime.ripard@free-electrons.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.