From: Murali Karicheri <m-karicheri2@ti.com>
To: Andrew Murray <amurray@embedded-bits.co.uk>,
Michal Suchanek <hramrach@gmail.com>
Cc: David Gstir <david@sigma-star.at>,
MTD Mailing List <linux-mtd@lists.infradead.org>
Subject: Re: [RFC] mtd: ubi: UBI Encryption
Date: Fri, 14 Aug 2015 10:11:55 -0400
Message-ID: <55CDF72B.9060309@ti.com>
In-Reply-To: <CAPcvp5Ee8=mpPcw+nsNfwyw9-ojyNB7cZk9ygrJj-rZWQ4qwkw@mail.gmail.com>
Andrew,
> This implementation provides a balance between
> implementation/integration complexity and protection. If other users
> can benefit from this then it's something they can just switch on -
> rather than having to add a variety of userspace components to their
> distribution, etc.
>
> At present my implementation makes an assumption that the key is
> stored in another MTD partition, I took this approach because it was
Did you look into how to use the encryption key from secure storage in
the SoC itself, such as one from OTP memory? In such a case, is there an API
to retrieve the key from such storage?
Murali
> easy. However I'm not sure if this is useful to the general case - or
> if the general case is in fact users on SOMs protecting external flash
> with keys on internal flash. It would be possible to extend the
> UBI/MTD API to add ioctl's (or similar) such that a user can provide a
> key during mount/attach time. This makes it slightly more complex for
> a user to use - as rather than updating a .config they now have to add
> an initramfs that reads a key from one MTD partition and provides it
> to the kernel.
>
>>
>> Adding encryption to UBIFS itself is much more difficult.
>
> Whilst experimenting with this stuff, I actually was successful in
> adding encryption to UBIFS.
>
> To support compression, UBIFS provides functions that get called when
> data needs to be compressed. These calls use a crypto framework, e.g.
> crypto_comp_compress. I extended this to actually use encryption. This
> worked - though it only encrypted the data and not file names etc, I
> also recall that compression can be turned off or not always applied.
>
> Much like the UBI encryption - I could have also tried to provide
> UBIFS encryption by intercepting the ubi_leb_write and ubi_write
> calls.
>
>>
>> Adding encryption to every application is not really feasible unless
>> you have a single-purpose device with one application.
>
>
> Thanks,
>
> Andrew Murray
>
>>
>> Thanks
>>
>> Michal
>
> ______________________________________________________
> Linux MTD discussion mailing list
> http://lists.infradead.org/mailman/listinfo/linux-mtd/
>
--
Murali Karicheri
Linux Kernel, Keystone