Re: [PATCH v3 6/6] scsi: ufs: exynos: Add support for Flash Memory Protector (FMP)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Jul 09, 2024 at 12:17:53PM +0100, Peter Griffin wrote:
> Hi Eric,
> 
> On Tue, 9 Jul 2024 at 00:55, Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
> >
> > From: Eric Biggers <ebiggers@xxxxxxxxxx>
> >
> > Add support for Flash Memory Protector (FMP), which is the inline
> > encryption hardware on Exynos and Exynos-based SoCs.
> >
> > Specifically, add support for the "traditional FMP mode" that works on
> > many Exynos-based SoCs including gs101.  This is the mode that uses
> > "software keys" and is compatible with the upstream kernel's existing
> > inline encryption framework in the block and filesystem layers.  I plan
> > to add support for the wrapped key support on gs101 at a later time.
> >
> > Tested on gs101 (specifically Pixel 6) by running the 'encrypt' group of
> > xfstests on a filesystem mounted with the 'inlinecrypt' mount option.
> >
> > Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> > ---
> 
> Reviewed-by: Peter Griffin <peter.griffin@xxxxxxxxxx>
> 
> and
> 
> Tested-by: Peter Griffin <peter.griffin@xxxxxxxxxx>
> 
> Tested by running the encrypt group of xfstests on my Pixel 6, using
> the Yocto development env described here
> https://git.codelinaro.org/linaro/googlelt/pixelscripts
> 
> Notes on testing, in addition to above README.
> 
> 1. Enabled following additional kernel configs gs101_config.fragment
> CONFIG_FS_ENCRYPTION=y
> CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
> CONFIG_SCSI_UFS_CRYPTO=y
> CONFIG_BLK_INLINE_ENCRYPTION=y
> CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK=y
> CONFIG_CRYPTO_HCTR2=y
> 
> 2. Add meta-security layer to bblayers.conf and relevant packages to local.conf
> BBLAYERS += "/yocto-builds/yocto/meta-security"
> IMAGE_INSTALL:append = " xfstests ecryptfs-utils fscryptctl keyutils
> cryptmount "
> 
> 3. Rebuild/reflash Yocto rootfs
> 
> bitbake virtual/kernel core-image-full-cmdline
> fastboot flash userdata core-image-full-cmdline-google-gs.rootfs.ext4
> 
> 4. On the device ran the following
> 
> mkfs.ext4 -O encrypt /dev/sda26
> mkfs.ext4 -O encrypt /dev/sda20
> mkdir -p /mnt/scratchdev
> mkdir -p /mnt/testdev
> mount /dev/sda20 -o inlinecrypt /mnt/testdev
> mount /dev/sda26 -o inlinecrypt /mnt/scratchdev
> export TEST_DEV=/dev/sda20
> export TEST_DIR=/mnt/testdev
> export SCRATCH_DEV=/dev/sda26
> export SCRATCH_MNT=/mnt/scratchdev
> cd /usr/xfstests
> check -g encrypt
> 
> All 28 tests passed
> 
> <snip>
> Ran: ext4/024 generic/395 generic/396 generic/397 generic/398
> generic/399 generic/419 generic/421 generic/429 generic/435
> generic/440 generic/548 generic/549 generic/550 generic/576
> generic/580 gener9
> Not run: generic/399 generic/550 generic/576 generic/584 generic/613
> Passed all 28 tests
> 
> kind regards,
> 

Thanks!  This is similar to what I did.  But, to get the inlinecrypt mount
option to be used during the tests it's necessary to do the following:

    export EXT_MOUNT_OPTIONS="-o inlinecrypt"

The following message will appear in the kernel log:

    fscrypt: AES-256-XTS using blk-crypto (native)

- Eric




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [SCSI Target Devel]     [Linux SCSI Target Infrastructure]     [Kernel Newbies]     [IDE]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Linux ATA RAID]     [Linux IIO]     [Samba]     [Device Mapper]

  Powered by Linux