public inbox for linux-mmc@vger.kernel.org
 help / color / mirror / Atom feed
From: "John Stoffel" <john@stoffel.org>
To: Adrian Vovk <adrianvovk@gmail.com>
Cc: Geoff Back <geoff@demonlair.co.uk>,
	Christoph Hellwig <hch@infradead.org>,
	Eric Biggers <ebiggers@kernel.org>,
	Md Sadre Alam <quic_mdalam@quicinc.com>,
	axboe@kernel.dk, song@kernel.org, yukuai3@huawei.com,
	agk@redhat.com, snitzer@kernel.org,
	Mikulas Patocka <mpatocka@redhat.com>,
	adrian.hunter@intel.com, quic_asutoshd@quicinc.com,
	ritesh.list@gmail.com, ulf.hansson@linaro.org,
	andersson@kernel.org, konradybcio@kernel.org, kees@kernel.org,
	gustavoars@kernel.org, linux-block@vger.kernel.org,
	linux-kernel@vger.kernel.org, linux-raid@vger.kernel.org,
	dm-devel@lists.linux.dev, linux-mmc@vger.kernel.org,
	linux-arm-msm@vger.kernel.org, linux-hardening@vger.kernel.org,
	quic_srichara@quicinc.com, quic_varada@quicinc.com
Subject: Re: [PATCH v2 1/3] dm-inlinecrypt: Add inline encryption support
Date: Thu, 24 Oct 2024 15:21:37 -0400	[thread overview]
Message-ID: <26394.40513.57614.718772@quad.stoffel.home> (raw)
In-Reply-To: <CAAdYy_=n19fT2U1KUcF+etvbLGiOgdVZ7DceBQiHqEtXcOa-Ow@mail.gmail.com>

>>>>> "Adrian" == Adrian Vovk <adrianvovk@gmail.com> writes:

> On Thu, Oct 24, 2024 at 4:11 AM Geoff Back <geoff@demonlair.co.uk> wrote:
>> 
>> 
>> On 24/10/2024 03:52, Adrian Vovk wrote:
>> > On Wed, Oct 23, 2024 at 2:57 AM Christoph Hellwig <hch@infradead.org> wrote:
>> >> On Fri, Oct 18, 2024 at 11:03:50AM -0400, Adrian Vovk wrote:
>> >>> Sure, but then this way you're encrypting each partition twice. Once by the dm-crypt inside of the partition, and again by the dm-crypt that's under the partition table. This double encryption is ruinous for performance, so it's just not a feasible solution and thus people don't do this. Would be nice if we had the flexibility though.
>> 
>> As an encrypted-systems administrator, I would actively expect and
>> require that stacked encryption layers WOULD each encrypt.  If I have
>> set up full disk encryption, then as an administrator I expect that to
>> be obeyed without exception, regardless of whether some higher level
>> file system has done encryption already.
>> 
>> Anything that allows a higher level to bypass the full disk encryption
>> layer is, in my opinion, a bug and a serious security hole.

> Sure I'm sure there's usecases where passthrough doesn't make sense.
> It should absolutely be an opt-in flag on the dm target, so you the
> administrator at setup time can choose whether or not you perform
> double-encryption (and it defaults to doing so). Because there are
> usecases where it doesn't matter, and for those usecases we'd set
> the flag and allow passthrough for performance reasons.

If you're so concerend about security that you're double or triple
encrypting data at various layers, then obviously skipping encryption
at a lower layer just because an upper layer says "He, I already
encrypted this!" just doesn't make any sense.  

So how does your scheme defend against bad actors?  I'm on a system
with an encrypted disk.  I make a file and mount it with loop, and the
encrypt it.  But it's slow!  So I turn off encryption.  Now I shutdown
the loop device cleanly, unmount, and reboot the system.  So what
should I be seing in those blocks if I examine the plain file that's
now not mounted?  

Could this be a way to smuggle data out because now the data written
to the low level disk is encypted with a much weaker algorithm?  So I
can just take the system disk and read the raw data and find the data?  

I'm not saying it's going to be easy or simple, but is it possible?  

John



  reply	other threads:[~2024-10-24 19:21 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-09-16  8:57 [PATCH v2 0/3] Add inline encryption support Md Sadre Alam
2024-09-16  8:57 ` [PATCH v2 1/3] dm-inlinecrypt: " Md Sadre Alam
2024-09-17  5:05   ` kernel test robot
2024-09-17  6:38   ` kernel test robot
2024-09-18  5:08   ` kernel test robot
2024-09-21 18:55   ` Eric Biggers
2024-09-24  7:44     ` Christoph Hellwig
2024-09-24 22:04       ` Eric Biggers
2024-10-01  8:37         ` Christoph Hellwig
2024-10-18  3:26       ` Adrian Vovk
2024-10-18  5:22         ` Christoph Hellwig
     [not found]           ` <CAAdYy_mVy3uXPqWbjPzK_i8w7Okq73wKBQyc95TbnonE36rPgQ@mail.gmail.com>
2024-10-18  5:56             ` Christoph Hellwig
2024-10-18 15:03               ` Adrian Vovk
2024-10-23  6:57                 ` Christoph Hellwig
2024-10-24  2:52                   ` Adrian Vovk
2024-10-24  3:17                     ` Adrian Vovk
2024-10-24  6:14                     ` Christoph Hellwig
2024-10-24  7:52                       ` Adrian Vovk
2024-10-24  9:04                         ` Christoph Hellwig
2024-10-24 15:32                           ` Adrian Vovk
2024-10-24 15:59                             ` Christoph Hellwig
2024-10-24 16:23                               ` Adrian Vovk
2024-10-29 11:08                         ` Mikulas Patocka
2024-10-24  8:11                     ` Geoff Back
2024-10-24 15:28                       ` Adrian Vovk
2024-10-24 19:21                         ` John Stoffel [this message]
2024-10-24 20:45                           ` Adrian Vovk
2024-10-15 10:59   ` Mikulas Patocka
2024-09-16  8:57 ` [PATCH v2 2/3] mmc: cqhci: Add additional algo mode for inline encryption Md Sadre Alam
2024-09-16  8:57 ` [PATCH v2 3/3] mmc: sdhci-msm: " Md Sadre Alam

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=26394.40513.57614.718772@quad.stoffel.home \
    --to=john@stoffel.org \
    --cc=adrian.hunter@intel.com \
    --cc=adrianvovk@gmail.com \
    --cc=agk@redhat.com \
    --cc=andersson@kernel.org \
    --cc=axboe@kernel.dk \
    --cc=dm-devel@lists.linux.dev \
    --cc=ebiggers@kernel.org \
    --cc=geoff@demonlair.co.uk \
    --cc=gustavoars@kernel.org \
    --cc=hch@infradead.org \
    --cc=kees@kernel.org \
    --cc=konradybcio@kernel.org \
    --cc=linux-arm-msm@vger.kernel.org \
    --cc=linux-block@vger.kernel.org \
    --cc=linux-hardening@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mmc@vger.kernel.org \
    --cc=linux-raid@vger.kernel.org \
    --cc=mpatocka@redhat.com \
    --cc=quic_asutoshd@quicinc.com \
    --cc=quic_mdalam@quicinc.com \
    --cc=quic_srichara@quicinc.com \
    --cc=quic_varada@quicinc.com \
    --cc=ritesh.list@gmail.com \
    --cc=snitzer@kernel.org \
    --cc=song@kernel.org \
    --cc=ulf.hansson@linaro.org \
    --cc=yukuai3@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox