Secure deletion for UBIFS

Joel Reardon joel at clambassador.com
Tue Jan 24 06:31:59 EST 2012


This patch provides efficient secure deletion for UBIFS. In short, every
data node is stored encrypted on the flash memory, each with a different
key. Encryption/decryption are handled in the compression/decompression
functions immediately before writing the data node to the flash memory.

The keys are all colocated in a logically-fixed set of UBI LEBs, which
are filled with random data before actually being assigned as keys. Key
management maintains the state of each key: unused, used, and deleted.
An unused key can be assigned to a new data node, a used key will remain
available, and a deleted key will be securely deleted from the file
system at the next purging operation.

Purging occurs during commit and uses UBI's atomic update to write a new
version of each key storage block, in which all unused and deleted keys
are replaced with fresh unused random data. Atomic update ensures that no
used key is lost during this update.

Key states are controlled via the TNC: the znode maintains a logical key
reference, and when a node is added/updated/removed from the TNC, the key
state is updated accordingly. The TNC's existing replay mechanism
correctly constructs the state of each key: a checkpoint is written
during commit, and as the znodes are replayed into the TNC, the existing
key management code performs the replay for key state automatically. The
data node header also stores the key storage position. Atomic update thus
also ensures that key positions are logically fixed despite physically
moving on the medium.

Therefore, by periodically erasing a small number of LEBs used to store
keys, all deleted data nodes are removed from the storage medium---this
also ensures that data is deleted at the smallest granularity, including
truncations and overwrites. Flash wear is arbitrarily small (viz.
controlled by the commit interval) and, thanks to UBI, evenly levelled
over the device.
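To make the key-state lifecycle concrete, here is an added C model of one key storage block. It is example code written for this page, not code from ubifsec.patch, and it does not claim to reproduce the patch's data structures. It assumes a hypothetical slot count and key size, uses XOR with the slot key as a stand-in cipher and a small LCG as a stand-in for the kernel RNG (both chosen only so the effect is observable and deterministic; neither is what the patch uses), and every type and function name (`keystore`, `key_assign`, `key_delete`, `keystore_purge`, `demo_secure_delete`) is invented for the illustration.

```c
#include <stdint.h>
#include <string.h>

#define KEY_LEN 16   /* bytes per key slot (hypothetical) */
#define NKEYS   8    /* slots in one toy key storage block (hypothetical) */
enum keystate { KEY_UNUSED = 0, KEY_USED, KEY_DELETED };

/* One key storage block: the bytes in the LEB plus per-slot state from the TNC. */
struct keystore {
    uint8_t       keys[NKEYS][KEY_LEN];
    enum keystate state[NKEYS];
};

/* Deterministic LCG stand-in for the kernel RNG (demo only; a real key store
 * must draw its random fill from a cryptographic source). */
static uint32_t rng_state = 12345u;
static void fill_random(uint8_t *buf, size_t n) {
    for (size_t i = 0; i < n; i++) {
        rng_state = rng_state * 1103515245u + 12345u;
        buf[i] = (uint8_t)(rng_state >> 16);
    }
}

/* The block is filled with random data before any slot becomes a key. */
void keystore_init(struct keystore *ks) {
    fill_random(&ks->keys[0][0], sizeof ks->keys);
    for (int i = 0; i < NKEYS; i++)
        ks->state[i] = KEY_UNUSED;
}

/* Hand an unused slot to a new data node; returns its position, -1 if full. */
int key_assign(struct keystore *ks) {
    for (int i = 0; i < NKEYS; i++)
        if (ks->state[i] == KEY_UNUSED) {
            ks->state[i] = KEY_USED;
            return i;
        }
    return -1;
}

/* The TNC dropped the node referencing this key: mark it deleted. */
int key_delete(struct keystore *ks, int pos) {
    if (pos < 0 || pos >= NKEYS || ks->state[pos] != KEY_USED) return -1;
    ks->state[pos] = KEY_DELETED;
    return 0;
}

/* Purge at commit: USED keys keep their position, every UNUSED or DELETED slot
 * gets fresh random bytes, and the whole block is swapped in at once (the UBI
 * atomic update in the real patch). Returns the number of slots refilled. */
int keystore_purge(struct keystore *ks) {
    uint8_t newblock[NKEYS][KEY_LEN];
    int replaced = 0;
    for (int i = 0; i < NKEYS; i++) {
        if (ks->state[i] == KEY_USED) {
            memcpy(newblock[i], ks->keys[i], KEY_LEN);
        } else {
            fill_random(newblock[i], KEY_LEN);
            ks->state[i] = KEY_UNUSED;
            replaced++;
        }
    }
    memcpy(ks->keys, newblock, sizeof newblock);
    return replaced;
}

/* Demo-only stand-in cipher (XOR with the slot key), not the patch's cipher. */
static void crypt_node(uint8_t *buf, const uint8_t *key) {
    for (size_t i = 0; i < KEY_LEN; i++)
        buf[i] ^= key[i];
}

/* Decrypt a copy of a flash node with the key at pos; 1 if it matches plain. */
static int decrypts_to(const struct keystore *ks, int pos,
                       const uint8_t *node, const char *plain) {
    uint8_t tmp[KEY_LEN];
    memcpy(tmp, node, KEY_LEN);
    crypt_node(tmp, ks->keys[pos]);
    return memcmp(tmp, plain, KEY_LEN) == 0;
}

/* One node through assign -> delete -> purge. Returns 1 when the deleted node
 * was readable before the purge, unreadable after it, the surviving node still
 * decrypts, and exactly NKEYS-1 slots were refilled. */
int demo_secure_delete(void) {
    const char *keep = "keep this record", *drop = "secret to delete"; /* constructed */
    uint8_t node_keep[KEY_LEN], node_drop[KEY_LEN];
    struct keystore ks;
    keystore_init(&ks);
    int k_keep = key_assign(&ks), k_drop = key_assign(&ks);
    memcpy(node_keep, keep, KEY_LEN);
    crypt_node(node_keep, ks.keys[k_keep]);   /* ciphertext as written to flash */
    memcpy(node_drop, drop, KEY_LEN);
    crypt_node(node_drop, ks.keys[k_drop]);

    key_delete(&ks, k_drop);                  /* unlink: ciphertext stays on flash */
    int readable_before = decrypts_to(&ks, k_drop, node_drop, drop);
    int replaced = keystore_purge(&ks);       /* next commit refills the slot */
    int readable_after = decrypts_to(&ks, k_drop, node_drop, drop);
    int keep_ok = decrypts_to(&ks, k_keep, node_keep, keep);
    return readable_before && !readable_after && keep_ok && replaced == NKEYS - 1;
}

int main(void) { return demo_secure_delete() ? 0 : 1; }
```

The point the model makes observable is the one the description relies on: unlinking a file only flips the key's state, and the ciphertext of the data node remains on flash until the next commit; after the purge the slot holds fresh random bytes, so the old ciphertext can no longer be decrypted even though it was never touched, while the key of the surviving node keeps its position and still decrypts. The state array is the part that UBIFS would rebuild from the TNC on replay rather than store alongside the keys.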

This is my first attempt to provide a kernel patch. Apologies for any 
grievous errors in protocol.

Signed-off-by: Joel Reardon <reardonj at inf.ethz.ch>
Attachment: ubifsec.patch (text/x-diff, 84656 bytes)
URL: <http://lists.infradead.org/pipermail/linux-mtd/attachments/20120124/95bcdbad/attachment-0001.bin>

