This took a little longer than expected. I had the PoC code for some time on my desk but never found the time to bring it into upstream shape. With David's help I've been able to make it finally happen.

With this series applied, mkfs.ubifs is able to produce an encrypted UBIFS filesystem. Currently it supports only encrypting the whole filesystem. Supported ciphers are AES-128-CBC and AES-256-XTS.

Example usage:

    $ dd if=/dev/urandom of=key.data count=64 bs=1 # XTS needs a 512bit key
    $ mkfs.ubifs --cipher AES-256-XTS --key key.data -r /rootfs -m 2048 -e 129024 -c 2048 ubifs.enc.img
    $ ubiupdatevol /dev/ubi0_0 ubifs.enc.img
    $ fscryptctl insert_key < key.data
    $ mount -t ubifs /dev/ubi0_0 /new_root

Thanks,
//richard

David Oberhollenzer (15):
  mkfs.ubifs: Add crypto helper functions
  mkfs.ubifs: Implement UBIFS_FLG_DOUBLE_HASH
  mkfs.ubifs: Move symlink data encryption to helper function
  mkfs.ubifs: Seperate path encryption from symlink encryption helper
  mkfs.ubifs: Cleanup add_dent_node, user path encryption helper
  mkfs.ubifs: Replace constant values with parameters in init_fscrypt_context
  mkfs.ubifs: Make encryption dependend on (not-yet-existant) command line options
  mkfs.ubifs: Get key descriptor from command line and master key from file
  mkfs.ubifs: Specify padding policy via command line
  mkfs.ubifs: Initial support for encryption command lines
  mkfs.ubifs: Remove cipher implementations from public header
  mkfs.ubifs: Move fscrypt definitions and functions out of mkfs.ubifs.c
  mkfs.ubifs: Cleanup over-long lines
  mkfs.ubifs: Check length of master key
  mkfs.ubifs: Accept 0x prefix for key descriptor

Richard Weinberger (27):
  Import latest ubifs-media.h
  common: Add round functions
  mkfs.ubifs: Make r5 hash binary string aware
  mkfs.ubifs: Add fscrypto defines
  mkfs.ubifs: Add basic fscrypto functions
  mkfs.ubifs: Implement UBIFS_FLG_ENCRYPTION
  mkfs.ubifs: Implement basic fscrypto context passing
  mkfs.ubifs: Implement fscrypto context store as xattr
  mkfs.ubifs: Store directory name len in the temporary index
  mkfs.ubifs: Implement filename encryption
  mkfs.ubifs: Add dummy setup for crypto
  mkfs.ubifs: Pass source/dest key len to key derive function
  mkfs.ubifs: Add encrypted symlink support
  mkfs.ubifs: Implement file contents encryption
  mkfs.ubifs: Make sure we catch nodes that should or should not have name
  mkfs.ubifs: Free all index entry names
  mkfs.ubifs: Correctly use iv lengths in aes-cts mode
  mkfs.ubifs: Enable Cipher selection
  mkfs.ubifs: Use correct sizes for keys and hash lengths
  mkfs.ubifs: Fixup AES-XTS mode
  mkfs.ubifs: Compute encryption key descriptor automatically
  mkfs.ubifs: Fix key descriptor printing
  mkfs.ubifs: More fscryptctl compatibility
  mkfs.ubifs: Move RAND_poll to crypto.c
  mkfs.ubifs: Enable support for building without crypto
  mkfs.ubifs: Print key descriptor only when generated
  mkfs.ubifs: Use AES-256-XTS as default

 Makefile.am                         |   4 +
 configure.ac                        |  26 +-
 include/common.h                    |  10 +
 include/mtd/ubifs-media.h           |  67 ++++-
 ubifs-utils/Makemodule.am           |  10 +-
 ubifs-utils/mkfs.ubifs/crypto.c     | 362 ++++++++++++++++++++++++
 ubifs-utils/mkfs.ubifs/crypto.h     |  58 ++++
 ubifs-utils/mkfs.ubifs/fscrypt.c    | 270 ++++++++++++++++++
 ubifs-utils/mkfs.ubifs/fscrypt.h    | 171 ++++++++++++
 ubifs-utils/mkfs.ubifs/key.h        |  17 +-
 ubifs-utils/mkfs.ubifs/mkfs.ubifs.c | 409 +++++++++++++++++++++++-----
 ubifs-utils/mkfs.ubifs/mkfs.ubifs.h |   2 +
 ubifs-utils/mkfs.ubifs/ubifs.h      |   3 +
 13 files changed, 1321 insertions(+), 88 deletions(-)
 create mode 100644 ubifs-utils/mkfs.ubifs/crypto.c
 create mode 100644 ubifs-utils/mkfs.ubifs/crypto.h
 create mode 100644 ubifs-utils/mkfs.ubifs/fscrypt.c
 create mode 100644 ubifs-utils/mkfs.ubifs/fscrypt.h

-- 
2.19.1
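
An added example, not part of the original mail or of mtd-utils: one way to create and sanity-check the key file from the example usage before passing it to mkfs.ubifs --key. The function names make_master_key and check_master_key and the owner-only permission policy are assumptions of this example; the 64-byte length is the 512-bit XTS key size stated in the mail.

```shell
#!/bin/sh
# Added example; helper names and the permission policy are assumptions.
KEY_BYTES=64   # AES-256-XTS needs a 512-bit master key (from the mail)

# Validate an existing key file before it is used with mkfs.ubifs --key.
check_master_key() {
    key_file=$1
    # Must be a regular file, not a symlink someone else could redirect.
    [ -f "$key_file" ] && [ ! -L "$key_file" ] || {
        echo "$key_file: not a regular file" >&2; return 1; }
    # A short read from dd or a truncated copy shows up as a wrong length.
    size=$(wc -c < "$key_file" | tr -d ' ')
    [ "$size" -eq "$KEY_BYTES" ] || {
        echo "$key_file: $size bytes, expected $KEY_BYTES" >&2; return 1; }
    # Columns 5-10 of the ls mode string are the group and other bits.
    [ "$(ls -ld "$key_file" | cut -c5-10)" = "------" ] || {
        echo "$key_file: readable by group or others" >&2; return 1; }
}

# Create a new key file that is owner-only from the moment it exists.
make_master_key() {
    key_file=$1
    if [ -e "$key_file" ]; then
        echo "$key_file: exists, refusing to overwrite" >&2
        return 1
    fi
    (
        umask 077   # applies before dd creates the file, so no chmod race
        dd if=/dev/urandom of="$key_file" bs=1 count="$KEY_BYTES" 2>/dev/null
    ) || return 1
    check_master_key "$key_file"
}

# Typical use, mirroring the example usage in the mail:
#   make_master_key key.data && mkfs.ubifs --cipher AES-256-XTS --key key.data ...
```

The same key file is later fed to fscryptctl insert_key on the target, so check_master_key can be run there as well before the mount step.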