[dm-crypt] dm-crypt Digest, Vol 31, Issue 17

Arno Wagner arno at wagner.name
Thu Jan 19 17:52:33 CET 2012


Hi,

so this is an on-the-fly encryption issue and it goes away as
soon as the device is fully encrypted. Hmm. You should still have
any status-blocks outside of the container. And for safety against
interruptions, you will probably need some kind of transaction
journal. Quite a project.

Arno

On Thu, Jan 19, 2012 at 08:45:45AM -0800, FAN ZHANG wrote:
> Arno:
> We need to do background SD card encryption. When encryption is enabled, we start to encrypt the SD card and allow apps to access the file system at the same time.
> 
> Since it may take hours to encrypt the entire SD card, we need to virtually partition the SD card into two parts,
> 
> The first partition is encrypted by the kernel encryption thread. When a bio request hits this part, all read requests should be decrypted and writes should be encrypted.
> 
> The second partition is not encrypted yet. When a bio request hits this part, all read/write requests should be redirected to the underlying bio operation directly.
> 
> The most challenging part is when a bio request crosses both parts; we need to handle the split bio request.
> 
> If a specific page contained in a bio crosses the encrypted/unencrypted boundary, the first few sectors are located in the encrypted area,
> 
> The remaining sectors are located in the unencrypted area.
> 
> Therefore we need to decrypt/encrypt for reads/writes associated with the first few sectors and pass through the remaining sectors' requests to the underlying block device directly.
> 
> Please let me know if you need more explanations.
> 
> Thanks
> 
> Fan
> 
> From: "dm-crypt-request at saout.de" <dm-crypt-request at saout.de>
> To: dm-crypt at saout.de 
> Sent: Thursday, January 19, 2012 5:00 AM
> Subject: dm-crypt Digest, Vol 31, Issue 17
> 
> 
> Today's Topics:
> 
>   1. Bypass encrypt and decrypt data in dm-crypt (FAN ZHANG)
>   2. Re: Bypass encrypt and decrypt data in dm-crypt (Arno Wagner)
>   3. test mail list (FAN ZHANG)
>   4. Re: Bypass encrypt and decrypt data in dm-crypt (Milan Broz)
> 
> 
> ----------------------------------------------------------------------
> 
> Message: 1
> Date: Wed, 18 Jan 2012 07:56:38 -0800 (PST)
> From: FAN ZHANG <fzhangcsc at yahoo.com>
> To: "dm-crypt at saout.de" <dm-crypt at saout.de>
> Subject: [dm-crypt] Bypass encrypt and decrypt data in dm-crypt
> Message-ID: <1326902198.77527.YahooMailNeo at web161402.mail.bf1.yahoo.com>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> All:
> 
> We are using dm-crypt for Android device encryption. However, we need to reserve some sectors in the block device for status and integration check and do not want to encrypt/decrypt some sectors when using dm-crypt.
> 
> So in crypt_convert_block()
> 
> When
> offset sector of ctx + sector number of bio_in is in the range of the bypass sector list,
> 
> instead call
> if (bio_data_dir(ctx->bio_in) == WRITE)
>         r = crypt_copy_write_data(bv_in, bv_out, offset, 1 << SECTOR_SHIFT);
> else
>         r = crypt_copy_read_data(bv_in, bv_out, offset, 1 << SECTOR_SHIFT);
> 
> I want to call another function to copy the data of a sector from
> ctx->bio_in to
> ctx->bio_out directly.
> 
> I tried the following implementation
> 
> in ps_copy_write_data()
> 
> struct bio_vec *bv_in = bio_iovec_idx(ctx->bio_in, ctx->idx_in);
> struct bio_vec *bv_out = bio_iovec_idx(ctx->bio_out, ctx->idx_out);
> struct page *page_in = bv_in->bv_page;
> struct page *page_out = bv_out->bv_page;
> 
> /* Each side has its own position: the bvec's offset within its page plus
>  * the context's progress for that side. On the write path bio_out is a
>  * separate clone with its own pages, so offset_in must not be reused for it. */
> unsigned int off_in  = bv_in->bv_offset + ctx->offset_in;
> unsigned int off_out = bv_out->bv_offset + ctx->offset_out;
> 
> void *addr1 = kmap_atomic(page_in, KM_USER0);
> void *addr2 = kmap_atomic(page_out, KM_USER1);
> 
> /* On the read path bio_in == bio_out, so there is nothing to copy. */
> if (page_in != page_out || off_in != off_out)
>         memcpy(addr2 + off_out, addr1 + off_in, 1 << SECTOR_SHIFT);
> 
> kunmap_atomic(addr2, KM_USER1);
> kunmap_atomic(addr1, KM_USER0);
> 
> but the above implementation works for read (since bv_in and bv_out are the same for decryption) but does not work for write.
> 
> It seems that
> memcpy(addr2 + offset, addr1 + offset, 1 << SECTOR_SHIFT);
> 
> fails to copy the page associated with bv_in to the page associated with bv_out.
> 
> Could you give me a hint to resolve this issue?
> 
> Thanks
> 
> Fan
> 
> ------------------------------
> 
> Message: 2
> Date: Wed, 18 Jan 2012 17:24:19 +0100
> From: Arno Wagner <arno at wagner.name>
> To: dm-crypt at saout.de
> Subject: Re: [dm-crypt] Bypass encrypt and decrypt data in dm-crypt
> Message-ID: <20120118162419.GA27569 at tansi.org>
> Content-Type: text/plain; charset=us-ascii
> 
> Hi,
> 
> while I do not know what the issue you encounter is,
> it would be better to have your status block before the
> encrypted part and simply map with an offset, e.g.
> "-p 1" to skip the first sector. This would not break
> layering, as your approach seems to do.
> 
> Is there a specific reason you want the non-encrypted
> block somewhere in the middle? (if I understand this correctly...)
> I cannot see any security reason, as a non-encrypted block
> will always stick out and can be found automatically
> anyways.
> 
> Arno
> 
> 
> 
> 
> ------------------------------
> 
> Message: 3
> Date: Wed, 18 Jan 2012 11:24:14 -0800 (PST)
> From: FAN ZHANG <fzhangcsc at yahoo.com>
> To: "dm-crypt at saout.de" <dm-crypt at saout.de>
> Cc: Fan Zhang <fzhangcsc at yahoo.com>
> Subject: [dm-crypt] test mail list
> Message-ID: <1326914654.68613.YahooMailNeo at web161404.mail.bf1.yahoo.com>
> Content-Type: text/plain; charset="us-ascii"
> 
> My previous mail did not go through, I just want to test this mail list again
> 
> ------------------------------
> 
> Message: 4
> Date: Wed, 18 Jan 2012 21:19:58 +0100
> From: Milan Broz <mbroz at redhat.com>
> To: FAN ZHANG <fzhangcsc at yahoo.com>
> Cc: "dm-crypt at saout.de" <dm-crypt at saout.de>
> Subject: Re: [dm-crypt] Bypass encrypt and decrypt data in dm-crypt
> Message-ID: <4F17296E.5050702 at redhat.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
> 
> On 01/18/2012 04:56 PM, FAN ZHANG wrote:
> > All:
> > We are using dm-crypt for Android device encryption. However, we need
> > to reserve some sectors in the block device for status and integration check
> > and do not want to encrypt/decrypt some sectors when using dm-crypt.
> 
> Please can you describe exactly what you need?
> 
> I will not accept any patch in dmcrypt which bypasses encryption,
> but I think the problem is solvable using a combination
> of dm targets, or using some trick.
> 
> But I still have no idea what problem you are trying to solve...
> (Please do not describe implementation, describe the problem.)
> 
> Thanks,
> Milan
> 
> 
> 
> ------------------------------
> 
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt
> 
> 
> End of dm-crypt Digest, Vol 31, Issue 17
> ****************************************



-- 
Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email: arno at wagner.name 
GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25 338F
----
One of the painful things about our time is that those who feel certainty 
are stupid, and those with any imagination and understanding are filled 
with doubt and indecision. -- Bertrand Russell 
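As an added example, not code from the thread or from the dm-crypt project, this is the dm-target layering that Arno's offset suggestion and Milan's "combination of dm targets" point to: the status block is exposed through a plain linear mapping in front of the crypt target, so the status sectors never pass through crypt_convert_block() and no bypass is needed. The device path, sector counts and hex key are placeholder assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from dm-crypt itself.
# Placeholders: the device path, sector counts and hex key are assumptions.

# Emit a two-line dm table: a "linear" target exposing the first
# $3 sectors as plaintext (the status block), then a "crypt" target
# mapping the rest at an offset, so dm-crypt never sees the status block.
# dm table formats used:
#   <start> <len> linear <dev> <dev_offset>
#   <start> <len> crypt <cipher> <hexkey> <iv_offset> <dev> <dev_offset>
build_table() {
    dev=$1 size=$2 status=$3 key=$4
    if [ "$status" -le 0 ] || [ "$status" -ge "$size" ]; then
        echo "status region must be between 1 and $((size - 1)) sectors" >&2
        return 1
    fi
    printf '0 %s linear %s 0\n' "$status" "$dev"
    # iv_offset 0: the first sector of the crypt region gets IV sector 0,
    # so IV numbering does not depend on where the region starts on disk.
    printf '%s %s crypt aes-cbc-essiv:sha256 %s 0 %s %s\n' \
        "$status" "$((size - status))" "$key" "$dev" "$status"
}

# Variant matching Arno's "map with an offset" advice: a single crypt
# mapping that starts past the status block, which stays outside the
# container entirely and is read/written on the raw device instead.
build_offset_table() {
    dev=$1 size=$2 status=$3 key=$4
    printf '0 %s crypt aes-cbc-essiv:sha256 %s 0 %s %s\n' \
        "$((size - status))" "$key" "$dev" "$status"
}

# Check that a table read from stdin is contiguous and covers exactly
# $1 sectors: no gap, no overlap, nothing hanging off the end.
table_covers() {
    awk -v size="$1" 'BEGIN { expect = 0 }
        $1 != expect { bad = 1 } { expect = $1 + $2 }
        END { exit ((bad || expect != size + 0) ? 1 : 0) }'
}

# Usage on a real device (root required; not executed by the checks):
#   SIZE=$(blockdev --getsz /dev/mmcblk0p2)
#   build_table /dev/mmcblk0p2 "$SIZE" 8 "$KEY_HEX" | dmsetup create sdcard
```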

