Hi,

so this is an on-the-fly encryption issue and it goes away
as soon as the device is fully encrypted. Hmm. You should
still have any status-blocks outside of the container.
And for safety against interruptions, you will probably
need some kind of transaction journal. Quite a project.

Arno

On Thu, Jan 19, 2012 at 08:45:45AM -0800, FAN ZHANG wrote:
> Arno:
>
> We need to do background SD card encryption. When encryption is enabled, we start to encrypt SD card and allow apps to access file system at same time.
>
> Since it may take hours to encrypt entire SD card, we need to virtually partition SD card to two parts,
>
> First partition is encrypted by kernel encryption thread. When bio request hits this part, all read requests should be decrypted and write should be encrypted.
>
> Second partition is not encrypted yet. When bio request hits this part, all read/write requests should be redirected to underneath bio operation directly.
>
> The most challenging part is when bio request crosses both parts, we need to handle split bio request.
>
> If a specific page contained in bio crosses encrypted/unencrypted boundary, the first few sectors are located in encrypted area,
>
> The remaining sectors are located in unencrypted area.
>
> Therefore we need to do decrypt/encrypt for read/write associating with first few sectors and pass through remaining sectors request to underneath block device directly.
>
> Please let me know if you need more explanations.
>
> Thanks
>
> Fan
>
> From: "dm-crypt-request@xxxxxxxx" <dm-crypt-request@xxxxxxxx>
> To: dm-crypt@xxxxxxxx
> Sent: Thursday, January 19, 2012 5:00 AM
> Subject: dm-crypt Digest, Vol 31, Issue 17
>
> Today's Topics:
>
>   1. Bypass encrypt and decrypt data in dm-crypt (FAN ZHANG)
>   2. Re: Bypass encrypt and decrypt data in dm-crypt (Arno Wagner)
>   3. test mail list (FAN ZHANG)
>   4. Re: Bypass encrypt and decrypt data in dm-crypt (Milan Broz)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Wed, 18 Jan 2012 07:56:38 -0800 (PST)
> From: FAN ZHANG <fzhangcsc@xxxxxxxxx>
> To: "dm-crypt@xxxxxxxx" <dm-crypt@xxxxxxxx>
> Subject: Bypass encrypt and decrypt data in dm-crypt
> Message-ID:
>     <1326902198.77527.YahooMailNeo@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="iso-8859-1"
>
> All:
>
> We are using dm-crypt for Android device encryption. However, we need to reserve some sectors in block device for status and integration check and do not want to encrypt/decrypt some sectors when using dm-crypt.
>
> So in crypt_convert_block()
>
> When
> offset sector of ctx + sector number of bio_in is the range of bypass sector list.
>
> instead call
> if (bio_data_dir(ctx->bio_in) == WRITE)
>         r = crypt_copy_write_data(bv_in, bv_out, offset, 1 << SECTOR_SHIFT);
> else
>         r = crypt_copy_read_data(bv_in, bv_out, offset, 1 << SECTOR_SHIFT);
>
> I want to call another function to copy data of a sector from
> ctx->bio_in to
> ctx->bio_out directly.
>
> I tried the following implementation
>
> in ps_copy_write_data()
>
> struct bio_vec *bv_in = bio_iovec_idx(ctx->bio_in, ctx->idx_in);
> struct bio_vec *bv_out = bio_iovec_idx(ctx->bio_out, ctx->idx_out);
> struct page * page_in = bv_in->bv_page;
> struct page * page_out = bv_out->bv_page;
>
> void * addr1 = kmap_atomic(page_in, KM_USER0);
> void * addr2 = kmap_atomic(page_out, KM_USER1);
>
> unsigned int offset = ctx->offset_in;
>
> memcpy(addr2 + offset, addr1 + offset, 1 << SECTOR_SHIFT);
>
> kunmap_atomic(addr2, KM_USER1);
> kunmap_atomic(addr1, KM_USER0);
>
> but above implementation works for read (since bv_in and bv_out are same for decryption) but does not work for write.
>
> It seems that
> memcpy(addr2 + offset, addr1 + offset, 1 << SECTOR_SHIFT);
>
> fails to copy page associated with bv_in to page associated with bv_out
>
> Could you give me a hint to resolve this issue?
>
> Thanks
>
> Fan
>
> ------------------------------
>
> Message: 2
> Date: Wed, 18 Jan 2012 17:24:19 +0100
> From: Arno Wagner <arno@xxxxxxxxxxx>
> To: dm-crypt@xxxxxxxx
> Subject: Re: Bypass encrypt and decrypt data in dm-crypt
> Message-ID: <20120118162419.GA27569@xxxxxxxxx>
> Content-Type: text/plain; charset=us-ascii
>
> Hi,
>
> while I do not know what the issue you encounter is,
> it would be better to have your status block before the
> encrypted part and simply map with an offset, e.g.
> "-p 1" to skip the first sector. This would not break
> layering, as your approach seems to do.
>
> Is there a specific reason you want the non-encrypted
> block somewhere in the middle? (if I understand this correctly...)
> I cannot see any security reason, as a non-encrypted block
> will always stick out and can be found automatically
> anyways.
>
> Arno
>
> --
> Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
> GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
> ----
> One of the painful things about our time is that those who feel certainty
> are stupid, and those with any imagination and understanding are filled
> with doubt and indecision. -- Bertrand Russell
>
> ------------------------------
>
> Message: 3
> Date: Wed, 18 Jan 2012 11:24:14 -0800 (PST)
> From: FAN ZHANG <fzhangcsc@xxxxxxxxx>
> To: "dm-crypt@xxxxxxxx" <dm-crypt@xxxxxxxx>
> Cc: Fan Zhang <fzhangcsc@xxxxxxxxx>
> Subject: test mail list
> Message-ID:
>     <1326914654.68613.YahooMailNeo@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain; charset="us-ascii"
>
> My previous mail did not go through, I just want to test this mail list again
>
> ------------------------------
>
> Message: 4
> Date: Wed, 18 Jan 2012 21:19:58 +0100
> From: Milan Broz <mbroz@xxxxxxxxxx>
> To: FAN ZHANG <fzhangcsc@xxxxxxxxx>
> Cc: "dm-crypt@xxxxxxxx" <dm-crypt@xxxxxxxx>
> Subject: Re: Bypass encrypt and decrypt data in dm-crypt
> Message-ID: <4F17296E.5050702@xxxxxxxxxx>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> On 01/18/2012 04:56 PM, FAN ZHANG wrote:
> > All:
> > We are using dm-crypt for Android device encryption. However, we need
> > reserve some sectors in block device for status and integration check
> > and do not want to encrypt/decrypt some sectors when using dm-crypt.
>
> Please can you describe exactly what you need?
>
> I will not accept any patch in dmcrypt which bypasses encryption,
> but I think the problem is solvable using combination
> of dm targets, or using some trick.
>
> But I still have no idea what problem you are trying to solve...
> (Please do not describe implementation, describe the problem.)
>
> Thanks,
> Milan
>
> ------------------------------
>
> _______________________________________________
> dm-crypt mailing list
> dm-crypt@xxxxxxxx
> http://www.saout.de/mailman/listinfo/dm-crypt
>
> End of dm-crypt Digest, Vol 31, Issue 17
> ****************************************

--
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty
are stupid, and those with any imagination and understanding are filled
with doubt and indecision. -- Bertrand Russell
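
The request split Fan describes in the thread above (a request that straddles the encrypted/unencrypted boundary), modelled in user-space C as an added example; it is not code from the thread or from dm-crypt. The `progress` record, the "in-flight" chunk (sectors the background converter is rewriting, which have to be deferred rather than read as either plaintext or ciphertext) and all names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical model types; these are not dm-crypt structures. */
enum seg_kind { SEG_ENCRYPTED, SEG_IN_FLIGHT, SEG_PLAIN };

struct segment {
    uint64_t start;      /* first sector of the piece */
    uint64_t count;      /* number of sectors in the piece */
    enum seg_kind kind;  /* how the piece has to be handled */
};

/* Assumed progress record, kept outside the encrypted area. */
struct progress {
    uint64_t boundary;   /* sectors [0, boundary) already hold ciphertext */
    uint64_t in_flight;  /* sectors after boundary being converted (0 = none) */
};

static uint64_t clamp_u64(uint64_t v, uint64_t lo, uint64_t hi)
{
    return v < lo ? lo : (v > hi ? hi : v);
}

static size_t emit(struct segment *out, size_t n, uint64_t lo, uint64_t hi,
                   enum seg_kind kind)
{
    if (lo < hi)  /* skip empty pieces */
        out[n++] = (struct segment){ lo, hi - lo, kind };
    return n;
}

/* Split [start, start + count) into at most three pieces: encrypted (goes
 * through the cipher), in-flight (deferred until the chunk is committed) and
 * plain (passed to the lower device). Returns 0 for an empty or wrapping range. */
size_t split_request(const struct progress *p, uint64_t start, uint64_t count,
                     struct segment out[3])
{
    uint64_t end = start + count;
    if (count == 0 || end < start)
        return 0;
    uint64_t b1 = clamp_u64(p->boundary, start, end);
    uint64_t b2 = clamp_u64(p->boundary + p->in_flight, b1, end);
    size_t n = emit(out, 0, start, b1, SEG_ENCRYPTED);
    n = emit(out, n, b1, b2, SEG_IN_FLIGHT);
    return emit(out, n, b2, end, SEG_PLAIN);
}

/* Converter commit: the chunk is ciphertext now, so the boundary advances. */
void commit_chunk(struct progress *p)
{
    p->boundary += p->in_flight;
    p->in_flight = 0;
}
```

A crash between starting a chunk and `commit_chunk` leaves that chunk in an unknown state on disk, which is where the transaction journal mentioned at the top of the thread comes in.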