[RFC] mtd: ubi: UBI Encryption
David Gstir
david at sigma-star.at
Sat Aug 15 04:43:53 PDT 2015
Andrew,
> On 14.08.2015, at 09:48, Andrew Murray <amurray at embedded-bits.co.uk> wrote:
> ESSIV is apparently supported in kernel, I'll take a look and see if I
> can also use this.
Yep. ESSIV is also supported by dm_crypt for instance.
>> Also, how do you handle cases where hdrs_min_io_size is not a multiple of the cipher's block size?
>> I'm not a 100% sure how often this will happen, but in theory it could happen and will cause problems when using modes like CBC (len(ciphertext) >= len(plaintext)).
>
> At present I don't - I don't even have any assertions to guard this. I
> guess this is something I need to further consider - thanks.
The XTS mode is often used for disk encryption, since it is able to handle such cases.
XTS is also supported by the kernel crypto framework.
>>> - Encryption in UBI was preferred as it removed the complexity from userspace,
>>> though I suppose there is no reason why this can't be done within the MTD
>>> layer rather than in UBI and thus benefit all MTD users.
>>
>> Generally speaking, I'd argue for moving encryption to the highest layer possible. So, if you exclusively use UBIFS and need encryption, add it to UBIFS or even your userspace application.
>> The main reason for this is that disk encryption on lower layers (e.g block-level) has fewer security guarantees, like no authentication of encrypted data for example. So it cannot prevent "evil maid" attacks.
>> There is a nice writeup on this topic here: [2], which focuses on the commonly used XTS mode, but makes valid points for disk encryption in general.
>>
>> So, when you do encryption in UBI or MTD, be aware of the security implications and know your thread model.
>
> Thanks for the links. Ultimately it will be up to the
> user/system-designer to determine the best scheme (taking into account
> above considerations) - I'm hoping to provide a kernel based option
> that will be useful to some. There are already good userspace
> facilities for encryption I don't see this deprecating those.
Sure, it depends on the use case.
As Michal noted, FDE is a last resort and always better than no encryption at all. :)
Thanks,
David
More information about the linux-mtd
mailing list