[RFC] UBIFS authentication

David Gstir david at sigma-star.at
Thu Jan 25 00:49:32 PST 2018


> On 17.01.2018, at 16:19, David Gstir <david at sigma-star.at> wrote:
> Hi everybody!
> Richard and I have been working on extending UBIFS' security features and came
> up with the following concept to add full file contents and metadata authentication.
> For block devices like eMMCs dm-crypt and dm-verity/dm-integrity can be used to
> get full data confidentiality and authenticity, but for raw flash or more
> specifically UBIFS, existing options are not ideal:
> One option is to use eCryptfs with some out-of-tree patches that add AEAD cipher
> (AES-GCM) support, but does not look like there was much progress recently [1].
> Another option is to use IMA/EVM as described by Marc Kleine-Budde in his
> ELCE 2016 talk [2], but this just protects the file payload and some attributes
> and not the full filesystem data structures.
> A short overview of existing options is also given here [3].
> Due to the design of UBIFS it is actually a bit easier than on other filesystems
> to authenticate its data structures and ensure consistency of on-flash data.
> I've attached the whitepaper below and also published it here [4].
> Comments are welcome. :)


Did anybody get a chance to look at this yet, or is everybody still busy with Meltdown and Spectre? ;D


More information about the linux-mtd mailing list