| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 25 Jan 2018 09:49:32 +0100
From: David Gstir <david@...ma-star.at>
To: linux-fscrypt@...r.kernel.org, linux-fsdevel@...r.kernel.org,
linux-mtd@...ts.infradead.org
Cc: Richard Weinberger <richard@....at>, linux-kernel@...r.kernel.org,
kernel@...gutronix.de
Subject: Re: [RFC] UBIFS authentication
Hi!
> On 17.01.2018, at 16:19, David Gstir <david@...ma-star.at> wrote:
>
> Hi everybody!
>
> Richard and I have been working on extending UBIFS' security features and came
> up with the following concept to add full file contents and metadata authentication.
>
> For block devices like eMMCs dm-crypt and dm-verity/dm-integrity can be used to
> get full data confidentiality and authenticity, but for raw flash or more
> specifically UBIFS, existing options are not ideal:
>
> One option is to use eCryptfs with some out-of-tree patches that add AEAD cipher
> (AES-GCM) support, but does not look like there was much progress recently [1].
>
> Another option is to use IMA/EVM as described by Marc Kleine-Budde in his
> ELCE 2016 talk [2], but this just protects the file payload and some attributes
> and not the full filesystem data structures.
>
> A short overview of existing options is also given here [3].
>
> Due to the design of UBIFS it is actually a bit easier than on other filesystems
> to authenticate its data structures and ensure consistency of on-flash data.
>
> I've attached the whitepaper below and also published it here [4].
>
> Comments are welcome. :)
*ping*
Did anybody get a chance to look at this yet, or is everybody still busy with Meltdown and Spectre? ;D
Thanks,
David
Powered by blists - more mailing lists