From: Eric Biggers <ebiggers@kernel.org>
To: Peter Griffin <peter.griffin@linaro.org>
Cc: linux-scsi@vger.kernel.org, linux-samsung-soc@vger.kernel.org,
linux-fscrypt@vger.kernel.org,
"Alim Akhtar" <alim.akhtar@samsung.com>,
"Avri Altman" <avri.altman@wdc.com>,
"Bart Van Assche" <bvanassche@acm.org>,
"Martin K . Petersen" <martin.petersen@oracle.com>,
"André Draszik" <andre.draszik@linaro.org>,
"William McVicker" <willmcvicker@google.com>
Subject: Re: [PATCH v3 6/6] scsi: ufs: exynos: Add support for Flash Memory Protector (FMP)
Date: Tue, 9 Jul 2024 11:14:04 -0700 [thread overview]
Message-ID: <20240709181404.GA1945@sol.localdomain> (raw)
In-Reply-To: <CADrjBPq4sEamwD3+wT2p481en-J2Ee7G0f+UbXG3g3RqUMiv3w@mail.gmail.com>
On Tue, Jul 09, 2024 at 12:17:53PM +0100, Peter Griffin wrote:
> Hi Eric,
>
> On Tue, 9 Jul 2024 at 00:55, Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > From: Eric Biggers <ebiggers@google.com>
> >
> > Add support for Flash Memory Protector (FMP), which is the inline
> > encryption hardware on Exynos and Exynos-based SoCs.
> >
> > Specifically, add support for the "traditional FMP mode" that works on
> > many Exynos-based SoCs including gs101. This is the mode that uses
> > "software keys" and is compatible with the upstream kernel's existing
> > inline encryption framework in the block and filesystem layers. I plan
> > to add support for the wrapped key support on gs101 at a later time.
> >
> > Tested on gs101 (specifically Pixel 6) by running the 'encrypt' group of
> > xfstests on a filesystem mounted with the 'inlinecrypt' mount option.
> >
> > Signed-off-by: Eric Biggers <ebiggers@google.com>
> > ---
>
> Reviewed-by: Peter Griffin <peter.griffin@linaro.org>
>
> and
>
> Tested-by: Peter Griffin <peter.griffin@linaro.org>
>
> Tested by running the encrypt group of xfstests on my Pixel 6, using
> the Yocto development env described here
> https://git.codelinaro.org/linaro/googlelt/pixelscripts
>
> Notes on testing, in addition to above README.
>
> 1. Enabled following additional kernel configs gs101_config.fragment
> CONFIG_FS_ENCRYPTION=y
> CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
> CONFIG_SCSI_UFS_CRYPTO=y
> CONFIG_BLK_INLINE_ENCRYPTION=y
> CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK=y
> CONFIG_CRYPTO_HCTR2=y
>
> 2. Add meta-security layer to bblayers.conf and relevant packages to local.conf
> BBLAYERS += "/yocto-builds/yocto/meta-security"
> IMAGE_INSTALL:append = " xfstests ecryptfs-utils fscryptctl keyutils
> cryptmount "
>
> 3. Rebuild/reflash Yocto rootfs
>
> bitbake virtual/kernel core-image-full-cmdline
> fastboot flash userdata core-image-full-cmdline-google-gs.rootfs.ext4
>
> 4. On the device ran the following
>
> mkfs.ext4 -O encrypt /dev/sda26
> mkfs.ext4 -O encrypt /dev/sda20
> mkdir -p /mnt/scratchdev
> mkdir -p /mnt/testdev
> mount /dev/sda20 -o inlinecrypt /mnt/testdev
> mount /dev/sda26 -o inlinecrypt /mnt/scratchdev
> export TEST_DEV=/dev/sda20
> export TEST_DIR=/mnt/testdev
> export SCRATCH_DEV=/dev/sda26
> export SCRATCH_MNT=/mnt/scratchdev
> cd /usr/xfstests
> check -g encrypt
>
> All 28 tests passed
>
> <snip>
> Ran: ext4/024 generic/395 generic/396 generic/397 generic/398
> generic/399 generic/419 generic/421 generic/429 generic/435
> generic/440 generic/548 generic/549 generic/550 generic/576
> generic/580 gener9
> Not run: generic/399 generic/550 generic/576 generic/584 generic/613
> Passed all 28 tests
>
> kind regards,
>
Thanks! This is similar to what I did. But, to get the inlinecrypt mount
option to be used during the tests it's necessary to do the following:
export EXT_MOUNT_OPTIONS="-o inlinecrypt"
The following message will appear in the kernel log:
fscrypt: AES-256-XTS using blk-crypto (native)
- Eric
next prev parent reply other threads:[~2024-07-09 18:14 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-08 23:53 [PATCH v3 0/6] Basic inline encryption support for ufs-exynos Eric Biggers
2024-07-08 23:53 ` [PATCH v3 1/6] scsi: ufs: core: Add UFSHCD_QUIRK_CUSTOM_CRYPTO_PROFILE Eric Biggers
2024-07-10 6:06 ` Alim Akhtar
2024-07-08 23:53 ` [PATCH v3 2/6] scsi: ufs: core: fold ufshcd_clear_keyslot() into its caller Eric Biggers
2024-07-10 6:22 ` Alim Akhtar
2024-07-08 23:53 ` [PATCH v3 3/6] scsi: ufs: core: Add UFSHCD_QUIRK_BROKEN_CRYPTO_ENABLE Eric Biggers
2024-07-10 7:42 ` Alim Akhtar
2024-07-08 23:53 ` [PATCH v3 4/6] scsi: ufs: core: Add fill_crypto_prdt variant op Eric Biggers
2024-07-10 8:12 ` Alim Akhtar
2024-07-08 23:53 ` [PATCH v3 5/6] scsi: ufs: core: Add UFSHCD_QUIRK_KEYS_IN_PRDT Eric Biggers
2024-07-10 8:16 ` Alim Akhtar
2024-07-08 23:53 ` [PATCH v3 6/6] scsi: ufs: exynos: Add support for Flash Memory Protector (FMP) Eric Biggers
2024-07-09 11:17 ` Peter Griffin
2024-07-09 18:14 ` Eric Biggers [this message]
2024-07-10 14:40 ` Peter Griffin
2024-07-10 9:04 ` Alim Akhtar
2024-07-11 2:35 ` [PATCH v3 0/6] Basic inline encryption support for ufs-exynos Martin K. Petersen
2024-07-16 2:29 ` Martin K. Petersen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240709181404.GA1945@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=alim.akhtar@samsung.com \
--cc=andre.draszik@linaro.org \
--cc=avri.altman@wdc.com \
--cc=bvanassche@acm.org \
--cc=linux-fscrypt@vger.kernel.org \
--cc=linux-samsung-soc@vger.kernel.org \
--cc=linux-scsi@vger.kernel.org \
--cc=martin.petersen@oracle.com \
--cc=peter.griffin@linaro.org \
--cc=willmcvicker@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.