| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241202183643.GB2037@sol.localdomain> Date: Mon, 2 Dec 2024 10:36:43 -0800 From: Eric Biggers <ebiggers@...nel.org> To: Bartosz Golaszewski <brgl@...ev.pl> Cc: Jens Axboe <axboe@...nel.dk>, Jonathan Corbet <corbet@....net>, Alasdair Kergon <agk@...hat.com>, Mike Snitzer <snitzer@...nel.org>, Mikulas Patocka <mpatocka@...hat.com>, Adrian Hunter <adrian.hunter@...el.com>, Asutosh Das <quic_asutoshd@...cinc.com>, Ritesh Harjani <ritesh.list@...il.com>, Ulf Hansson <ulf.hansson@...aro.org>, Alim Akhtar <alim.akhtar@...sung.com>, Avri Altman <avri.altman@....com>, Bart Van Assche <bvanassche@....org>, "James E.J. Bottomley" <James.Bottomley@...senpartnership.com>, Gaurav Kashyap <quic_gaurkash@...cinc.com>, Neil Armstrong <neil.armstrong@...aro.org>, Dmitry Baryshkov <dmitry.baryshkov@...aro.org>, "Martin K. Petersen" <martin.petersen@...cle.com>, "Theodore Y. Ts'o" <tytso@....edu>, Jaegeuk Kim <jaegeuk@...nel.org>, Alexander Viro <viro@...iv.linux.org.uk>, Christian Brauner <brauner@...nel.org>, Jan Kara <jack@...e.cz>, Bjorn Andersson <andersson@...nel.org>, Konrad Dybcio <konradybcio@...nel.org>, Manivannan Sadhasivam <manivannan.sadhasivam@...aro.org>, linux-block@...r.kernel.org, linux-doc@...r.kernel.org, linux-kernel@...r.kernel.org, dm-devel@...ts.linux.dev, linux-mmc@...r.kernel.org, linux-scsi@...r.kernel.org, linux-fscrypt@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-arm-msm@...r.kernel.org, Bartosz Golaszewski <bartosz.golaszewski@...aro.org>, Om Prakash Singh <quic_omprsing@...cinc.com> Subject: Re: [PATCH RESEND v7 00/17] Hardware wrapped key support for QCom ICE and UFS core On Mon, Dec 02, 2024 at 01:02:16PM +0100, Bartosz Golaszewski wrote: > The previous iteration[1] has been on the list for many weeks without > receiving any comments - neither positive nor negative. If there are no > objections - could we start discussing how to make these patches go > upstream for v6.14? The way to do it will be for the block patches to be taken through the block tree first. That will unblock the rest, which can be taken through their respective trees in subsequent cycles. I'm really hoping to be able to test these patches with upstream myself, which I'm not able to do yet. I'll try to leave some review comments on the parts not authored by me the mean time. Anyway, thanks for continuing to work on this. > Tested on sm8650-qrd. > > How to test: > > Use the wip-wrapped-keys branch from https://github.com/ebiggers/fscryptctl > to build a custom fscryptctl that supports generating wrapped keys. > > Enable the following config options: > CONFIG_BLK_INLINE_ENCRYPTION=y > CONFIG_QCOM_INLINE_CRYPTO_ENGINE=m > CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y > CONFIG_SCSI_UFS_CRYPTO=y > > $ mkfs.ext4 -F -O encrypt,stable_inodes /dev/disk/by-partlabel/userdata > $ mount /dev/disk/by-partlabel/userdata -o inlinecrypt /mnt > $ fscryptctl generate_hw_wrapped_key /dev/disk/by-partlabel/userdata > /mnt/key.longterm > $ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/userdata < /mnt/key.longterm > /tmp/key.ephemeral > $ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt) > $ rm -rf /mnt/dir > $ mkdir /mnt/dir > $ fscryptctl set_policy --hw-wrapped-key --iv-ino-lblk-64 "$KEYID" /mnt/dir > $ dmesg > /mnt/dir/test.txt > $ sync > > Reboot the board > > $ mount /dev/disk/by-partlabel/userdata -o inlinecrypt /mnt > $ ls /mnt/dir > $ fscryptctl prepare_hw_wrapped_key /dev/disk/by-partlabel/userdata < /mnt/key.longterm > /tmp/key.ephemeral > $ KEYID=$(fscryptctl add_key --hw-wrapped-key < /tmp/key.ephemeral /mnt) > $ fscryptctl set_policy --hw-wrapped-key --iv-ino-lblk-64 "$KEYID" /mnt/dir > $ cat /mnt/dir/test.txt # File should now be decrypted That doesn't verify that the encryption is being done correctly, which is the most important thing to test. For that we'll need to resurrect the following patchset for xfstests: https://lore.kernel.org/fstests/20220228074722.77008-1-ebiggers@kernel.org/ - Eric
Powered by blists - more mailing lists