[RFC PATCH 0/3] mtd: nand: add randomizer support

Jason Gunthorpe jgunthorpe at obsidianresearch.com
Thu May 1 14:31:48 PDT 2014

On Thu, May 01, 2014 at 10:56:06PM +0200, Boris BREZILLON wrote:

> > However, with a synchronous scrambler the security concern boils down
> > to how robust and unpredictable is the PRBS.
> I'm not sure security is the main concern here.
> AFAICT, NAND scramblers (note that I stopped using the name "randomizer"
> :-)) is mainly used to avoid large island of identical data, because
> some NAND chips are sensible to such patterns (see [1] page 14).

Right, if you send to the flash 'the wrong data' then some combination of:
1) Retention time till ECC failure is reduced
2) The flash block is permanently damaged early
3) A 'nearby', unrelated flash block has ECC failure due to interference

So, if someone deliberately and maliciously defeats the scrambler and
deliberately sends in wrong data what happens?
 1/3) Delibrate, predictable file system corruption
 2) Create device damage and significantly early replacement of the device.
All could lead to a DOS attack of some sort, at a minimum.

FWIW, there was a similar attack against a certain communication
system. The line scrambler was statistically predictable, and if an
attacker sent enough packets that were the predictable anti-scramble
then enough would align with the scamble pattern and the
communication channel would fail and retrain creating a DOS vector.

For this reason these days com systems tend to use a 58 bit
self-synchronous LFSR for scrambling purposes.

> And this is exactly what's done in the sunxi HW  scrambler
> implementation, or at least you can do it based on what you're
> specifying in your DT (see the "nand-randomizer-seeds" in the 3rd
> patch): you can define a seed table and the seed is selected based on
> the page number you're reading or writing.

Well, re-using fixed (and public) seeds:

 state = rnd->seeds[page % rnd->nseeds];

Just changes the probabilities. For instance, some filesystems can be
asked to create extents with a large alignment (like 2M) to speed IOs,
and a small seeds table means the seeds within such a file will be
fully predictable.

If you are already stuck with this, then fine, it can be a driver
specific binding - but if this is a new green-field design, intended
to be broadly used as a core MTD feature:

I'd suggest just seeding with the block number xor some value, and
using a LFSR with a state space larger than the number of blocks in
the device, and don't specify a seeds array in DT.


More information about the linux-arm-kernel mailing list