From: Eric Biggers <ebiggers@kernel.org>
To: Peter Griffin <peter.griffin@linaro.org>
Cc: linux-scsi@vger.kernel.org, linux-samsung-soc@vger.kernel.org,
linux-fscrypt@vger.kernel.org,
"Alim Akhtar" <alim.akhtar@samsung.com>,
"Avri Altman" <avri.altman@wdc.com>,
"Bart Van Assche" <bvanassche@acm.org>,
"Martin K . Petersen" <martin.petersen@oracle.com>,
"André Draszik" <andre.draszik@linaro.org>,
"William McVicker" <willmcvicker@google.com>
Subject: Re: [PATCH v3 6/6] scsi: ufs: exynos: Add support for Flash Memory Protector (FMP)
Date: Tue, 9 Jul 2024 11:14:04 -0700
Message-ID: <20240709181404.GA1945@sol.localdomain>
In-Reply-To: <CADrjBPq4sEamwD3+wT2p481en-J2Ee7G0f+UbXG3g3RqUMiv3w@mail.gmail.com>

On Tue, Jul 09, 2024 at 12:17:53PM +0100, Peter Griffin wrote:
> Hi Eric,
>
> On Tue, 9 Jul 2024 at 00:55, Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > From: Eric Biggers <ebiggers@google.com>
> >
> > Add support for Flash Memory Protector (FMP), which is the inline
> > encryption hardware on Exynos and Exynos-based SoCs.
> >
> > Specifically, add support for the "traditional FMP mode" that works on
> > many Exynos-based SoCs including gs101. This is the mode that uses
> > "software keys" and is compatible with the upstream kernel's existing
> > inline encryption framework in the block and filesystem layers. I plan
> > to add support for the wrapped key support on gs101 at a later time.
> >
> > Tested on gs101 (specifically Pixel 6) by running the 'encrypt' group of
> > xfstests on a filesystem mounted with the 'inlinecrypt' mount option.
> >
> > Signed-off-by: Eric Biggers <ebiggers@google.com>
> > ---
>
> Reviewed-by: Peter Griffin <peter.griffin@linaro.org>
>
> and
>
> Tested-by: Peter Griffin <peter.griffin@linaro.org>
>
> Tested by running the encrypt group of xfstests on my Pixel 6, using
> the Yocto development env described here
> https://git.codelinaro.org/linaro/googlelt/pixelscripts
>
> Notes on testing, in addition to above README.
>
> 1. Enabled following additional kernel configs gs101_config.fragment
> CONFIG_FS_ENCRYPTION=y
> CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
> CONFIG_SCSI_UFS_CRYPTO=y
> CONFIG_BLK_INLINE_ENCRYPTION=y
> CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK=y
> CONFIG_CRYPTO_HCTR2=y
>
> 2. Add meta-security layer to bblayers.conf and relevant packages to local.conf
> BBLAYERS += "/yocto-builds/yocto/meta-security"
> IMAGE_INSTALL:append = " xfstests ecryptfs-utils fscryptctl keyutils
> cryptmount "
>
> 3. Rebuild/reflash Yocto rootfs
>
> bitbake virtual/kernel core-image-full-cmdline
> fastboot flash userdata core-image-full-cmdline-google-gs.rootfs.ext4
>
> 4. On the device ran the following
>
> mkfs.ext4 -O encrypt /dev/sda26
> mkfs.ext4 -O encrypt /dev/sda20
> mkdir -p /mnt/scratchdev
> mkdir -p /mnt/testdev
> mount /dev/sda20 -o inlinecrypt /mnt/testdev
> mount /dev/sda26 -o inlinecrypt /mnt/scratchdev
> export TEST_DEV=/dev/sda20
> export TEST_DIR=/mnt/testdev
> export SCRATCH_DEV=/dev/sda26
> export SCRATCH_MNT=/mnt/scratchdev
> cd /usr/xfstests
> check -g encrypt
>
> All 28 tests passed
>
> <snip>
> Ran: ext4/024 generic/395 generic/396 generic/397 generic/398
> generic/399 generic/419 generic/421 generic/429 generic/435
> generic/440 generic/548 generic/549 generic/550 generic/576
> generic/580 gener9
> Not run: generic/399 generic/550 generic/576 generic/584 generic/613
> Passed all 28 tests
>
> kind regards,
>
Thanks! This is similar to what I did. But, to get the inlinecrypt mount
option to be used during the tests it's necessary to do the following:

    export EXT_MOUNT_OPTIONS="-o inlinecrypt"

The following message will appear in the kernel log:

    fscrypt: AES-256-XTS using blk-crypto (native)

- Eric
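
A check for the point made in the reply above, as an added example that is not part of the original thread: with CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK=y the tests can pass without the FMP hardware being exercised, so the kernel log is what tells the paths apart. Only the "(native)" message is quoted in the thread; the fallback and "using implementation" formats are assumed from the kernel's fs/crypto logging and may differ between kernel versions, and the function names and sample log lines are constructed.

```shell
#!/bin/sh
# Added example: report which implementation fscrypt logged for one mode.
# Reads kernel log text on stdin and prints a comma-separated list drawn
# from: native, fallback, software (or "none" if the mode never appears).

fscrypt_impl() {
    # $1 = mode name as it appears in the log, e.g. AES-256-XTS
    awk -v mode="$1" '
        BEGIN { prefix = "fscrypt: " mode " using " }
        {
            i = index($0, prefix)        # skips any dmesg timestamp prefix
            if (i == 0) next
            rest = substr($0, i + length(prefix))
            sub(/[ \t\r]+$/, "", rest)
            if (rest == "blk-crypto (native)")      native = 1
            else if (rest == "blk-crypto-fallback") fallback = 1
            else if (rest ~ /^implementation /)     software = 1
        }
        END {
            n = 0
            if (native)   list[++n] = "native"
            if (fallback) list[++n] = "fallback"
            if (software) list[++n] = "software"
            if (n == 0) { print "none"; exit }
            out = list[1]
            for (k = 2; k <= n; k++) out = out "," list[k]
            print out
        }'
}

# Succeeds only if the mode was seen on the inline encryption hardware
# and on no other path.
used_inline_hw() { [ "$(fscrypt_impl "$1")" = "native" ]; }

# Constructed sample logs (not captured from a device).
LOG_WITHOUT_OPTION='[   41.100000] fscrypt: AES-256-XTS using implementation "xts-aes-ce"'
LOG_FALLBACK='[   41.100000] fscrypt: AES-256-XTS using blk-crypto-fallback'
LOG_WITH_OPTION='[   12.000000] unrelated kernel message
[   52.300000] fscrypt: AES-256-XTS using blk-crypto (native)'

for log in "$LOG_WITHOUT_OPTION" "$LOG_FALLBACK" "$LOG_WITH_OPTION"; do
    printf '%s\n' "$log" | fscrypt_impl AES-256-XTS
done
```

On a device the input would be the kernel log, for example `dmesg | fscrypt_impl AES-256-XTS`, taken over the whole boot rather than only the test window.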