On Thu, May 01, 2014 at 10:56:06PM +0200, Boris BREZILLON wrote: > > However, with a synchronous scrambler the security concern boils down > > to how robust and unpredictable is the PRBS. > > I'm not sure security is the main concern here. > AFAICT, NAND scramblers (note that I stopped using the name "randomizer" > :-)) is mainly used to avoid large island of identical data, because > some NAND chips are sensible to such patterns (see [1] page 14). Right, if you send to the flash 'the wrong data' then some combination of: 1) Retention time till ECC failure is reduced 2) The flash block is permanently damaged early 3) A 'nearby', unrelated flash block has ECC failure due to interference So, if someone deliberately and maliciously defeats the scrambler and deliberately sends in wrong data what happens? 1/3) Delibrate, predictable file system corruption 2) Create device damage and significantly early replacement of the device. All could lead to a DOS attack of some sort, at a minimum. FWIW, there was a similar attack against a certain communication system. The line scrambler was statistically predictable, and if an attacker sent enough packets that were the predictable anti-scramble then enough would align with the scamble pattern and the communication channel would fail and retrain creating a DOS vector. For this reason these days com systems tend to use a 58 bit self-synchronous LFSR for scrambling purposes. > And this is exactly what's done in the sunxi HW scrambler > implementation, or at least you can do it based on what you're > specifying in your DT (see the "nand-randomizer-seeds" in the 3rd > patch): you can define a seed table and the seed is selected based on > the page number you're reading or writing. Well, re-using fixed (and public) seeds: state = rnd->seeds[page % rnd->nseeds]; Just changes the probabilities. For instance, some filesystems can be asked to create extents with a large alignment (like 2M) to speed IOs, and a small seeds table means the seeds within such a file will be fully predictable. If you are already stuck with this, then fine, it can be a driver specific binding - but if this is a new green-field design, intended to be broadly used as a core MTD feature: I'd suggest just seeding with the block number xor some value, and using a LFSR with a state space larger than the number of blocks in the device, and don't specify a seeds array in DT. Regards, Jason -- To unsubscribe from this list: send the line "unsubscribe devicetree" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html