Hi Eric,

On Tue, 9 Jul 2024 at 19:14, Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
>
> On Tue, Jul 09, 2024 at 12:17:53PM +0100, Peter Griffin wrote:
> > Hi Eric,
> >
> > On Tue, 9 Jul 2024 at 00:55, Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
> > >
> > > From: Eric Biggers <ebiggers@xxxxxxxxxx>
> > >
> > > Add support for Flash Memory Protector (FMP), which is the inline
> > > encryption hardware on Exynos and Exynos-based SoCs.
> > >
> > > Specifically, add support for the "traditional FMP mode" that works on
> > > many Exynos-based SoCs including gs101. This is the mode that uses
> > > "software keys" and is compatible with the upstream kernel's existing
> > > inline encryption framework in the block and filesystem layers. I plan
> > > to add support for the wrapped key support on gs101 at a later time.
> > >
> > > Tested on gs101 (specifically Pixel 6) by running the 'encrypt' group of
> > > xfstests on a filesystem mounted with the 'inlinecrypt' mount option.
> > >
> > > Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> > > ---
> >
> > Reviewed-by: Peter Griffin <peter.griffin@xxxxxxxxxx>
> >
> > and
> >
> > Tested-by: Peter Griffin <peter.griffin@xxxxxxxxxx>
> >
> > Tested by running the encrypt group of xfstests on my Pixel 6, using
> > the Yocto development env described here
> > https://git.codelinaro.org/linaro/googlelt/pixelscripts
> >
> > Notes on testing, in addition to above README.
> >
> > 1. Enabled following additional kernel configs gs101_config.fragment
> > CONFIG_FS_ENCRYPTION=y
> > CONFIG_FS_ENCRYPTION_INLINE_CRYPT=y
> > CONFIG_SCSI_UFS_CRYPTO=y
> > CONFIG_BLK_INLINE_ENCRYPTION=y
> > CONFIG_BLK_INLINE_ENCRYPTION_FALLBACK=y
> > CONFIG_CRYPTO_HCTR2=y
> >
> > 2. Add meta-security layer to bblayers.conf and relevant packages to local.conf
> > BBLAYERS += "/yocto-builds/yocto/meta-security"
> > IMAGE_INSTALL:append = " xfstests ecryptfs-utils fscryptctl keyutils
> > cryptmount "
> >
> > 3. Rebuild/reflash Yocto rootfs
> >
> > bitbake virtual/kernel core-image-full-cmdline
> > fastboot flash userdata core-image-full-cmdline-google-gs.rootfs.ext4
> >
> > 4. On the device ran the following
> >
> > mkfs.ext4 -O encrypt /dev/sda26
> > mkfs.ext4 -O encrypt /dev/sda20
> > mkdir -p /mnt/scratchdev
> > mkdir -p /mnt/testdev
> > mount /dev/sda20 -o inlinecrypt /mnt/testdev
> > mount /dev/sda26 -o inlinecrypt /mnt/scratchdev
> > export TEST_DEV=/dev/sda20
> > export TEST_DIR=/mnt/testdev
> > export SCRATCH_DEV=/dev/sda26
> > export SCRATCH_MNT=/mnt/scratchdev
> > cd /usr/xfstests
> > check -g encrypt
> >
> > All 28 tests passed
> >
> > <snip>
> > Ran: ext4/024 generic/395 generic/396 generic/397 generic/398
> > generic/399 generic/419 generic/421 generic/429 generic/435
> > generic/440 generic/548 generic/549 generic/550 generic/576
> > generic/580 gener9
> > Not run: generic/399 generic/550 generic/576 generic/584 generic/613
> > Passed all 28 tests
> >
> > kind regards,
> >
>
> Thanks! This is similar to what I did. But, to get the inlinecrypt mount
> option to be used during the tests it's necessary to do the following:
>
> export EXT_MOUNT_OPTIONS="-o inlinecrypt"
>

OK great, thanks Eric! I will update my notes to include that. That
was actually one reason to include all the test instructions in the
email to check I was running this correctly :)

> The following message will appear in the kernel log:
>
> fscrypt: AES-256-XTS using blk-crypto (native)

I just ran the tests again setting EXT_MOUNT_OPTIONS and I see

root@google-gs:/usr/xfstests# dmesg | grep "fscrypt: AES-256-XTS"
[ 1319.539742] fscrypt: AES-256-XTS using blk-crypto (native)

I also added in fsverity-utils and xz which are required by a couple
of the skipped tests.

Thanks,

Peter
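
The check discussed in this thread, as an added example that is not part of the original message or the patch: a shell helper that confirms a mount point really carries the inlinecrypt option and that the kernel logged native blk-crypto for the expected mode, so a passing xfstests run is not mistaken for a run through the inline encryption hardware. The function names, the constructed /proc/mounts sample lines and the assumption that ext4 lists inlinecrypt in the options field of /proc/mounts belong to this example; the dmesg line is the one quoted above.

```shell
#!/bin/sh
# Added example: verify that an encrypt-group run actually used inline crypto.
# Assumption: ext4 shows "inlinecrypt" in the options field of /proc/mounts.

# has_inlinecrypt MOUNTS_FILE MOUNTPOINT
# MOUNTS_FILE uses /proc/mounts layout: dev mountpoint fstype options dump pass.
# The last entry for MOUNTPOINT wins, since later mounts shadow earlier ones.
has_inlinecrypt() {
    awk -v mp="$2" '
        $2 == mp { found = 0; n = split($4, o, ",")
                   for (i = 1; i <= n; i++) if (o[i] == "inlinecrypt") found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# native_modes DMESG_FILE: print each mode that logged native blk-crypto.
native_modes() {
    sed -n 's/^.*fscrypt: \(.*\) using blk-crypto (native)[[:space:]]*$/\1/p' "$1" | sort -u
}

# check_inline_crypto MOUNTS_FILE DMESG_FILE MOUNTPOINT MODE
# Returns 0 if both hold, 1 if the mount option is missing, 2 if the log line is.
check_inline_crypto() {
    has_inlinecrypt "$1" "$3" ||
        { echo "FAIL: $3 is not mounted with inlinecrypt"; return 1; }
    native_modes "$2" | grep -qxF "$4" ||
        { echo "FAIL: no 'blk-crypto (native)' log line for $4"; return 2; }
    echo "OK: $3 has inlinecrypt and $4 uses blk-crypto (native)"
}

# Demo on sample data: mount lines are constructed, the log line is from the thread.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '/dev/sda20 /mnt/testdev ext4 rw,relatime,inlinecrypt 0 0' \
                  '/dev/sda26 /mnt/scratchdev ext4 rw,relatime 0 0' > "$d/mounts"
    printf '%s\n' '[ 1319.539742] fscrypt: AES-256-XTS using blk-crypto (native)' \
        > "$d/dmesg"
    check_inline_crypto "$d/mounts" "$d/dmesg" /mnt/testdev AES-256-XTS
    check_inline_crypto "$d/mounts" "$d/dmesg" /mnt/scratchdev AES-256-XTS || true
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
# On a device: dmesg > /tmp/dmesg.txt
#              check_inline_crypto /proc/mounts /tmp/dmesg.txt /mnt/testdev AES-256-XTS
```

The kernel prints this log line once per mode per boot, so the log check shows that native blk-crypto was used at some point since boot; the mount-option check is what ties it to a particular filesystem.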