| Message ID | 20181018143718.26298-1-richard@nod.at |
|---|---|
| Headers | show |
| Series | mtd-utils: Add fscrypt support to mkfs.ubifs | expand |
Hi! This patch set has been sitting on the ML for more than two weeks now, with no one commenting/complaining/nit-picking/bike-shedding/etc, so I'll push it to mtd-utils.git master. Since I authored some of those commits and already stared at the whole patch set for quite some time before it's been submitted, I'm not sure how helpful it is for me to try and review it now. Nevertheless, I've looked through the patch set again over the last few days, compared it against the latest version I have locally and did some quick tests and it still looks good to me. Thanks, David
David, Am Freitag, 2. November 2018, 17:41:44 CET schrieb David Oberhollenzer: > Hi! > > This patch set has been sitting on the ML for more than two weeks now, with no > one commenting/complaining/nit-picking/bike-shedding/etc, so I'll push it to > mtd-utils.git master. > > Since I authored some of those commits and already stared at the whole patch > set for quite some time before it's been submitted, I'm not sure how helpful > it is for me to try and review it now. Nevertheless, I've looked through the > patch set again over the last few days, compared it against the latest version > I have locally and did some quick tests and it still looks good to me. one thing is to consider, Sascha's UBIFS auth patches for mkfs.ubifs. Not that there are some subtle merge issues. Thanks, //richard
This took a little longer than expected. I had the PoC code for some time on my desk but never found the time to bring it into upstream shape. With David's help I've been able to make it finally happen. With this series applied, mkfs.ubifs is able to produce an encrypted UBIFS filesystem. Currently it supports only encrypting the whole filesystem. Supported ciphers are AES-128-CBC and AES-256-XES. Example usage: $ dd if=/dev/urandom of=key.data count=64 bs=1 # XTS needs a 512bit key $ mkfs.ubifs --cipher AES-256-XTS --key key.data -r /rootfs -m 2048 -e 129024 -c 2048 ubifs.enc.img $ ubiupdatevol /dev/ubi0_0 ubifs.enc.img $ fscryptctl insert_key < key.data $ mount -t ubifs /dev/ubi0_0 /new_root Thanks, //richard David Oberhollenzer (15): mkfs.ubifs: Add crypto helper functions mkfs.ubifs: Implement UBIFS_FLG_DOUBLE_HASH mkfs.ubifs: Move symlink data encryption to helper function mkfs.ubifs: Seperate path encryption from symlink encryption helper mkfs.ubifs: Cleanup add_dent_node, user path encryption helper mkfs.ubifs: Replace constant values with parameters in init_fscrypt_context mkfs.ubifs: Make encryption dependend on (not-yet-existant) command line options mkfs.ubifs: Get key descriptor from command line and master key from file mkfs.ubifs: Specify padding policy via command line mkfs.ubifs: Initial support for encryption command lines mkfs.ubifs: Remove cipher implementations from public header mkfs.ubifs: Move fscrypt definitions and functions out of mkfs.ubifs.c mkfs.ubifs: Cleanup over-long lines mkfs.ubifs: Check length of master key mkfs.ubifs: Accept 0x prefix for key descriptor Richard Weinberger (27): Import latest ubifs-media.h common: Add round functions mkfs.ubifs: Make r5 hash binary string aware mkfs.ubifs: Add fscrypto defines mkfs.ubifs: Add basic fscrypto functions mkfs.ubifs: Implement UBIFS_FLG_ENCRYPTION mkfs.ubifs: Implement basic fscrypto context passing mkfs.ubifs: Implement fscrypto context store as xattr mkfs.ubifs: Store directory name len in the temporary index mkfs.ubifs: Implement filename encryption mkfs.ubifs: Add dummy setup for crypto mkfs.ubifs: Pass source/dest key len to key derive function mkfs.ubifs: Add encrypted symlink support mkfs.ubifs: Implement file contents encryption mkfs.ubifs: Make sure we catch nodes that should or should not have name mkfs.ubifs: Free all index entry names mkfs.ubifs: Correctly use iv lengths in aes-cts mode mkfs.ubifs: Enable Cipher selection mkfs.ubifs: Use correct sizes for keys and hash lengths mkfs.ubifs: Fixup AES-XTS mode mkfs.ubifs: Compute encryption key descriptor automatically mkfs.ubifs: Fix key descriptor printing mkfs.ubifs: More fscryptctl compatibility mkfs.ubifs: Move RAND_poll to crypto.c mkfs.ubifs: Enable support for building without crypto mkfs.ubifs: Print key descriptor only when generated mkfs.ubifs: Use AES-256-XTS as default Makefile.am | 4 + configure.ac | 26 +- include/common.h | 10 + include/mtd/ubifs-media.h | 67 ++++- ubifs-utils/Makemodule.am | 10 +- ubifs-utils/mkfs.ubifs/crypto.c | 362 ++++++++++++++++++++++++ ubifs-utils/mkfs.ubifs/crypto.h | 58 ++++ ubifs-utils/mkfs.ubifs/fscrypt.c | 270 ++++++++++++++++++ ubifs-utils/mkfs.ubifs/fscrypt.h | 171 ++++++++++++ ubifs-utils/mkfs.ubifs/key.h | 17 +- ubifs-utils/mkfs.ubifs/mkfs.ubifs.c | 409 +++++++++++++++++++++++----- ubifs-utils/mkfs.ubifs/mkfs.ubifs.h | 2 + ubifs-utils/mkfs.ubifs/ubifs.h | 3 + 13 files changed, 1321 insertions(+), 88 deletions(-) create mode 100644 ubifs-utils/mkfs.ubifs/crypto.c create mode 100644 ubifs-utils/mkfs.ubifs/crypto.h create mode 100644 ubifs-utils/mkfs.ubifs/fscrypt.c create mode 100644 ubifs-utils/mkfs.ubifs/fscrypt.h