On Tue, Jul 09, 2024 at 12:17:53PM +0100, Peter Griffin wrote:
> Hi Eric,
>
> On Tue, 9 Jul 2024 at 00:55, Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
> >
> > From: Eric Biggers <ebiggers@xxxxxxxxxx>
> >
> > Add support for Flash Memory Protector (FMP), which is the inline
> > encryption hardware on Exynos and Exynos-based SoCs.
> >
> > Specifically, add support for the "traditional FMP mode" that works on
> > many Exynos-based SoCs including gs101. This is the mode that uses
> > "software keys" and is compatible with the upstream kernel's existing
> > inline encryption framework in the block and filesystem layers. I plan
> > to add support for the wrapped key support on gs101 at a later time.
> >
> > Tested on gs101 (specifically Pixel 6) by running the 'encrypt' group of
> > xfstests on a filesystem mounted with the 'inlinecrypt' mount option.
> >
> > Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> > ---
>
> Reviewed-by: Peter Griffin <peter.griffin@xxxxxxxxxx>
>
> and
>
> Tested-by: Peter Griffin <peter.griffin@xxxxxxxxxx>
>
> Tested by running the encrypt group of xfstests on my Pixel 6, using
> the Yocto development env described here
> https://git.codelinaro.org/linaro/googlelt/pixelscripts
>
> Notes on testing, in addition to above README.
>
> 1. Enabled following additional kernel configs gs101_config.fragment
> CONFIG_FS_ENCRYPTION=y
> CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
> CONFIG_SCSI_UFS_CRYPTO=y
> CONFIG_BLK_INLINE_ENCRYPTION=y
> CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK=y
> CONFIG_CRYPTO_HCTR2=y
>
> 2. Add meta-security layer to bblayers.conf and relevant packages to local.conf
> BBLAYERS += "/yocto-builds/yocto/meta-security"
> IMAGE_INSTALL:append = " xfstests ecryptfs-utils fscryptctl keyutils
> cryptmount "
>
> 3. Rebuild/reflash Yocto rootfs
>
> bitbake virtual/kernel core-image-full-cmdline
> fastboot flash userdata core-image-full-cmdline-google-gs.rootfs.ext4
>
> 4. On the device ran the following
>
> mkfs.ext4 -O encrypt /dev/sda26
> mkfs.ext4 -O encrypt /dev/sda20
> mkdir -p /mnt/scratchdev
> mkdir -p /mnt/testdev
> mount /dev/sda20 -o inlinecrypt /mnt/testdev
> mount /dev/sda26 -o inlinecrypt /mnt/scratchdev
> export TEST_DEV=/dev/sda20
> export TEST_DIR=/mnt/testdev
> export SCRATCH_DEV=/dev/sda26
> export SCRATCH_MNT=/mnt/scratchdev
> cd /usr/xfstests
> check -g encrypt
>
> All 28 tests passed
>
> <snip>
> Ran: ext4/024 generic/395 generic/396 generic/397 generic/398
> generic/399 generic/419 generic/421 generic/429 generic/435
> generic/440 generic/548 generic/549 generic/550 generic/576
> generic/580 gener9
> Not run: generic/399 generic/550 generic/576 generic/584 generic/613
> Passed all 28 tests
>
> kind regards,
>

Thanks! This is similar to what I did. But, to get the inlinecrypt mount
option to be used during the tests it's necessary to do the following:

    export EXT_MOUNT_OPTIONS="-o inlinecrypt"

The following message will appear in the kernel log:

    fscrypt: AES-256-XTS using blk-crypto (native)

- Eric
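
Added example (not part of the e-mail thread or of the patch): a passing 'encrypt' run does not by itself show that the inline encryption hardware was used, so this sketch checks both conditions named in the reply, the EXT_MOUNT_OPTIONS value and the kernel log line. The function names are hypothetical, and the sample log lines are constructed; only the "(native)" message text comes from the message above.

```shell
#!/bin/sh
# Constructed sample kernel-log lines. The first reuses the message quoted in
# the e-mail; the second is an assumed example of a non-native fscrypt line.
SAMPLE_NATIVE='[   42.100000] fscrypt: AES-256-XTS using blk-crypto (native)'
SAMPLE_OTHER='[   42.100000] fscrypt: AES-256-XTS using implementation "xts-aes-ce"'

# mount_opts_ok OPTS: succeed only if OPTS (the value of EXT_MOUNT_OPTIONS)
# carries inlinecrypt as a whole mount option, e.g. "-o noatime,inlinecrypt".
mount_opts_ok() {
    case ",$(printf '%s' "$1" | sed -e 's/^-o[[:space:]]*//' -e 's/[[:space:]]//g')," in
        *,inlinecrypt,*) return 0 ;;
        *) return 1 ;;
    esac
}

# blk_crypto_status: read kernel-log text on stdin and print one of
#   native      an fscrypt mode reported "using blk-crypto (native)"
#   not-native  fscrypt logged a mode, but never via native blk-crypto
#   none        no fscrypt mode line was logged at all
blk_crypto_status() {
    awk '
        /fscrypt: .* using blk-crypto \(native\)/ { native = 1 }
        /fscrypt: .* using /                      { seen = 1 }
        END {
            if (native)    print "native"
            else if (seen) print "not-native"
            else           print "none"
        }'
}

# verify_run OPTS: both checks together; the kernel log is read from stdin.
# On the device: dmesg | verify_run "$EXT_MOUNT_OPTIONS"
verify_run() {
    mount_opts_ok "$1" || { echo "EXT_MOUNT_OPTIONS lacks inlinecrypt" >&2; return 1; }
    [ "$(blk_crypto_status)" = native ] || {
        echo "no native blk-crypto line in kernel log" >&2; return 1; }
}
```

The kernel log may have wrapped on a long run, so capture it right after the first encrypted file is created rather than at the end.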