[RFC] mtd: ubi: UBI Encryption

Murali Karicheri m-karicheri2 at ti.com
Fri Aug 14 07:11:55 PDT 2015


Andrew,

> This implementation provides a balance between
> implementation/integration complexity and protection. If other users
> can benefit from this then it's something they can just switch on -
> rather than having to add a variety of userspace components to their
> distribution, etc.
>
> At present my implementation makes an assumption that the key is
> stored in another MTD partition, I took this approach because it was
Did you look into how to use the encryption key from secure storage in
the SoC itself, such as one from OTP memory? In such a case, is there an API
to retrieve the key from such storage?

Murali

> easy. However I'm not sure if this is useful to the general case - or
> if the general case is in fact users on SOMs protecting external flash
> with keys on internal flash. It would be possible to extend the
> UBI/MTD API to add ioctl's (or similar) such that a user can provide a
> key during mount/attach time. This makes it slightly more complex for
> a user to use - as rather than updating a .config they now have to add
> an initramfs that reads a key from one MTD partition and provides it
> to the kernel.
>
>>
>> Adding encryption to UBIFS itself is much more difficult.
>
> Whilst experimenting with this stuff, I actually was successful in
> adding encryption to UBIFS.
>
> To support compression, UBIFS provides functions that get called when
> data needs to be compressed. These calls use a crypto framework, e.g.
> crypto_comp_compress. I extended this to actually use encryption. This
> worked - though it only encrypted the data and not file names etc, I
> also recall that compression can be turned off or not always applied.
>
> Much like the UBI encryption - I could have also tried to provide
> UBIFS encryption by intercepting the ubi_leb_write and ubi_write
> calls.
>
>>
>> Adding encryption to every application is not really feasible unless
>> you have a single-purpose device with one application.
>
>
> Thanks,
>
> Andrew Murray
>
>>
>> Thanks
>>
>> Michal
>
> ______________________________________________________
> Linux MTD discussion mailing list
> http://lists.infradead.org/mailman/listinfo/linux-mtd/
>


-- 
Murali Karicheri
Linux Kernel, Keystone


