Re: dm-crypt Digest, Vol 31, Issue 17

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Arno:
 
We need to do background SD card encryption. When encryption is enabled, we start to encrypt SD card and allow apps to access file system at same time.
 
Since it may take hours to encrypt entire SD card, we need virtually partition SD card to two parts,
 
First partition is encrypted by kernel encryption thread. When bio request hits this part, all read requests should be decrypted and write should encrypted.
 
Second partition is not encrypted yet. When bio request hits this part, all read/write requests should be redirected to underneath bio operation directly.
 
The most challenge part is when bio request crosses both part, we need handle split bio request.
 
If a specific page contained in bio crosses encrypted/unencrypted boundary, the first few sectors are located in encrypted area,
 
The remaining sectors are located in unencrypted area.
 
Therefore we need to do decrypt/encrypt for read/write associating with first few sectors and pass through remaining sectors request to underneath block device directly.
 
 
Please let me know if you need more explanations.
 
 
Thanks
 
Fan 
 
 
 
 

From: "dm-crypt-request@xxxxxxxx" <dm-crypt-request@xxxxxxxx>
To: dm-crypt@xxxxxxxx
Sent: Thursday, January 19, 2012 5:00 AM
Subject: dm-crypt Digest, Vol 31, Issue 17

Send dm-crypt mailing list submissions to
    dm-crypt@xxxxxxxx

To subscribe or unsubscribe via the World Wide Web, visit
    http://www.saout.de/mailman/listinfo/dm-crypt
or, via email, send a message with subject or body 'help' to
    dm-crypt-request@xxxxxxxx

You can reach the person managing the list at
    dm-crypt-owner@xxxxxxxx

When replying, please edit your Subject line so it is more specific
than "Re: Contents of dm-crypt digest..."


Today's Topics:

  1. Bypass encrypt and decrypt data in dm-crypt (FAN ZHANG)
  2. Re: Bypass encrypt and decrypt data in dm-crypt (Arno Wagner)
  3. test mail list (FAN ZHANG)
  4. Re: Bypass encrypt and decrypt data in dm-crypt (Milan Broz)


----------------------------------------------------------------------

Message: 1
Date: Wed, 18 Jan 2012 07:56:38 -0800 (PST)
From: FAN ZHANG <fzhangcsc@xxxxxxxxx>
To: "dm-crypt@xxxxxxxx" <dm-crypt@xxxxxxxx>
Subject: [dm-crypt] Bypass encrypt and decrypt data in dm-crypt
Message-ID:
    <1326902198.77527.YahooMailNeo@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="iso-8859-1"

All:
?
?
We are using dm-crypt for Android device encryption.? However, we need reserve some sectors in block device for status and integration check and do not want to encrypt/decrypt some sectors when using dm-crypt.
?
So in crypt_convert_block()
?
When
offset sector of ctx +? sector number of bio_in? is the range of bypass sector list.
?
?
instead call
if (bio_data_dir(ctx->bio_in) == WRITE)
?r = crypt_copy_write_data(bv_in, bv_out, offset, 1 << SECTOR_SHIFT); else? r = crypt_copy_read_data(bv_in, bv_out, offset, 1 << SECTOR_SHIFT);
?
I want to call another function to copy data of a sector from
ctx->bio_in to
ctx->bio_out directly.
?
?
I tried the following implementation
?
in ps_copy_write_data()
?
?
struct bio_vec *bv_in = bio_iovec_idx(ctx->bio_in, ctx->idx_in);
struct bio_vec *bv_out = bio_iovec_idx(ctx->bio_out, ctx->idx_out);
struct page * page_in = bv_in->bv_page;
struct page * page_out = bv_out->bv_page;
?
void * addr1 = kmap_atomic(page_in, KM_USER0);
void * addr2 = kmap_atomic(page_out, KM_USER1);
?
unsigned int offset = ctx->offset_in;
?
memcpy(addr2 + offset, addr1 + offset, 1 << SECTOR_SHIFT);
?
kunmap_atomic(addr2, KM_USER1);
kunmap_atomic(addr1, KM_USER0);
?
but above implementation works for read (since bv_in and bv_out are same for decryption) but does not work for write.
?
It seems that
memcpy(addr2 + offset, addr1 + offset, 1 << SECTOR_SHIFT);
?
fails to copy page associated with bv_in? to page associated with bv_out
?
?
?
Could you give me a?hint to reslove this issue?
?
Thanks
?
Fan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.saout.de/pipermail/dm-crypt/attachments/20120118/5b77916d/attachment-0001.html>

------------------------------

Message: 2
Date: Wed, 18 Jan 2012 17:24:19 +0100
From: Arno Wagner <arno@xxxxxxxxxxx>
To: dm-crypt@xxxxxxxx
Subject: Re: Bypass encrypt and decrypt data in dm-crypt
Message-ID: <20120118162419.GA27569@xxxxxxxxx>
Content-Type: text/plain; charset=us-ascii

Hi,

while I do not know what the issue you encounter is,
it would be better to have your status block before the
encrypted part and simply map with an offset, e.g.
"-p 1" to skip the first sector. Thsi would not break
layering, as your approach seems to do.

Is there a specific reason you want the non-encrypted
block somewhere in the middle? (if I understand this correctly...)
I cannot see any security reason, as a non-encrypted block
will allways stick out and can be found automatically
anyways.

Arno

On Wed, Jan 18, 2012 at 07:56:38AM -0800, FAN ZHANG wrote:
> All:
> ?
> ?
>
> We are using dm-crypt for Android device encryption.? However, we need
> reserve some sectors in block device for status and integration check and
> do not want to encrypt/decrypt some sectors when using dm-crypt.
>
> ?
> So in crypt_convert_block()
> ?
> When
> offset sector of ctx +? sector number of bio_in? is the range of bypass sector list.
> ?
> ?
> instead call
> if (bio_data_dir(ctx->bio_in) == WRITE)
> ?r = crypt_copy_write_data(bv_in, bv_out, offset, 1 << SECTOR_SHIFT); else? r = crypt_copy_read_data(bv_in, bv_out, offset, 1 << SECTOR_SHIFT);
> ?
> I want to call another function to copy data of a sector from
> ctx->bio_in to
> ctx->bio_out directly.
> ?
> ?
> I tried the following implementation
> ?
> in ps_copy_write_data()
> ?
> ?
> struct bio_vec *bv_in = bio_iovec_idx(ctx->bio_in, ctx->idx_in);
> struct bio_vec *bv_out = bio_iovec_idx(ctx->bio_out, ctx->idx_out);
> struct page * page_in = bv_in->bv_page;
> struct page * page_out = bv_out->bv_page;
> ?
> void * addr1 = kmap_atomic(page_in, KM_USER0);
> void * addr2 = kmap_atomic(page_out, KM_USER1);
> ?
> unsigned int offset = ctx->offset_in;
> ?
> memcpy(addr2 + offset, addr1 + offset, 1 << SECTOR_SHIFT);
> ?
> kunmap_atomic(addr2, KM_USER1);
> kunmap_atomic(addr1, KM_USER0);
> ?
> but above implementation works for read (since bv_in and bv_out are same for decryption) but does not work for write.
> ?
> It seems that
> memcpy(addr2 + offset, addr1 + offset, 1 << SECTOR_SHIFT);
> ?
> fails to copy page associated with bv_in? to page associated with bv_out
> ?
> ?
> ?
> Could you give me a?hint to reslove this issue?
> ?
> Thanks
> ?
> Fan

> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt


--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell


------------------------------

Message: 3
Date: Wed, 18 Jan 2012 11:24:14 -0800 (PST)
From: FAN ZHANG <fzhangcsc@xxxxxxxxx>
To: "dm-crypt@xxxxxxxx" <dm-crypt@xxxxxxxx>
Cc: Fan Zhang <fzhangcsc@xxxxxxxxx>
Subject: test mail list
Message-ID:
    <1326914654.68613.YahooMailNeo@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Content-Type: text/plain; charset="us-ascii"

My previous mail did not go through, I just want to test this mail list again
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.saout.de/pipermail/dm-crypt/attachments/20120118/f773637f/attachment-0001.html>

------------------------------

Message: 4
Date: Wed, 18 Jan 2012 21:19:58 +0100
From: Milan Broz <mbroz@xxxxxxxxxx>
To: FAN ZHANG <fzhangcsc@xxxxxxxxx>
Cc: "dm-crypt@xxxxxxxx" <dm-crypt@xxxxxxxx>
Subject: Re: Bypass encrypt and decrypt data in dm-crypt
Message-ID: <4F17296E.5050702@xxxxxxxxxx>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 01/18/2012 04:56 PM, FAN ZHANG wrote:
> All:
> We are using dm-crypt for Android device encryption.However, we need
> reserve some sectors in block device for status and integration check
> and do not want to encrypt/decrypt some sectors when using dm-crypt.

Please can you describe exactly what you need?

I will not accept any patch in dmcrypt which bypass encryption,
but I think the problem is solvable using combination
of dm targets, or  using some trick.

But I still have no idea what problem you are trying to solve...
(Please do not describe implementation, describe the problem.)

Thanks,
Milan



------------------------------

_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt


End of dm-crypt Digest, Vol 31, Issue 17
****************************************


_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
[Index of Archives]     [Device Mapper Devel]     [Fedora Desktop]     [ATA RAID]     [Fedora Marketing]     [Fedora Packaging]     [Fedora SELinux]     [Yosemite News]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux