Linux Kernel Crypto API  Crypto Hardware Acceleration  Benchmark and Optimization  Key Management – Linux Keyring, LUKS  Summary

Total Page:16

File Type:pdf, Size:1020Kb

File-system and Block-layer Encryption: Theory, Practice, and Improvement
Weigang Li, Wenqian Yu, Data Center Group, Intel Corporation
2017 Storage Developer Conference. © Intel All Rights Reserved.

Slide 2: Agenda
• Data at-rest encryption
• File-system encryption
  – Layered: eCryptfs, EFS
  – Native: EXT4, ZFS
• Full-disk encryption: dm-crypt
• Linux Kernel Crypto API
• Crypto Hardware Acceleration
• Benchmark and Optimization
• Key management – Linux keyring, LUKS
• Summary

Slide 3: Data at-rest Encryption (layers listed from most flexible to most transparent; software first, hardware last)
• Application-level encryption (e.g. database encryption): flexible to define security strategy, algorithm, key management, etc.; application dependent.
• File System Encryption (eCryptfs, EFS, EXT4, ZFS): file based key management; transparent to application; supports multiple users / keys.
• Full Disk Encryption (FDE), software (dm-crypt, LUKS): one key for whole disk (volume); encrypts everything on disk; OS-agnostic, block-layer.
• Self-Encrypting Drive (SED), hardware: one Data Encryption Key (DEK) to encrypt the whole disk, protected by an Authentication Key (AK); hardware based, the secure key is kept in the hard-drive.

Slide 4: repeats slide 3 with an "Our focus today" callout.

Slide 5: File System Encryption (section title)

Slide 6: File system encryption
• File-system level encryption can be implemented at different levels:
  – FUSE-based FS in user space
  – Layered FS on top of native FS
  – In native FS, better performance
• Transparent to application.
• Per-file encryption and key management.
(Diagram: application → syscalls → FUSE / layered FS / native FS enc/dec → block layer → disk; key hierarchy: per-file FEK, encrypted FEK (EFEK), master key.)

Slide 7: eCryptfs
• eCryptfs = Enterprise Cryptographic Filesystem.
• Layered file system.
• In Linux kernel since version 2.6.19.
• Mount eCryptfs on top of a directory to protect it.
• Un-mount eCryptfs, and the files in the lower FS are encrypted and un-readable.
• Per page encryption (page based IV, per extent); the FEK is generated by an RNG and wrapped with the FEKEK, which comes from the auth-tok in the keyring (KDF from the key source).
• The Encrypted FEK (EFEK) is stored in the lower FS.
Terminal session:
$ mount -t ecryptfs /secret /secret
Select key type to use for newly created files:
 1) tspi
 2) openssl
 3) passphrase
 4) pkcs11-helper
Selection: 3
Passphrase: xxx
Select cipher:
 1) aes: blocksize = 16; min keysize = 16; max keysize = 32
 2) blowfish: blocksize = 8; min keysize = 16; max keysize = 56
 3) des3_ede: blocksize = 8; min keysize = 24; max keysize = 24
 4) twofish: blocksize = 16; min keysize = 16; max keysize = 32
 5) cast6: blocksize = 16; min keysize = 16; max keysize = 32
 6) cast5: blocksize = 8; min keysize = 5; max keysize = 16
Selection [aes]: 1
Select key bytes:
 1) 16
 2) 32
 3) 24
Selection [16]: 1
Enable plaintext passthrough (y/n) [n]:
Enable filename encryption (y/n) [n]:
Attempting to mount with the following options:
  ecryptfs_unlink_sigs
  ecryptfs_key_bytes=16
  ecryptfs_cipher=aes
  ecryptfs_sig=aa20c2d38cf280d5
Mounted eCryptfs
Ref: http://ecryptfs.sourceforge.net/ecryptfs.pdf

Slide 8: EFS
• EFS = Encrypting File System.
• Filter driver layered on top of NTFS.
Source: https://technet.microsoft.com/library/bb457116.aspx#EJAA

Slide 9: EFS (Cont.)
• Combination of public key (RSA) and symmetric key encryption (3DES, AES).
• A FEK from an RNG encrypts the file content; the FEK is protected by the user's RSA public key, and the resulting EFEK is stored on-disk.
• The EFEK is decrypted by the user's private key to unlock the encrypted file.
• The FEK can be re-encrypted with another user's pub-key to share the encrypted file with that user w/o re-encrypting the file content.

Slide 10: EXT4 encryption
$ mkfs -t ext4 /dev/nvme1n1
$ tune2fs -O encrypt /dev/nvme1n1
$ mount /dev/nvme1n1 /mnt/ext4
$ e4crypt add_key /mnt/ext4
Enter passphrase (echo disabled): xxx
Key with descriptor [775a2062517e439c] applied to /mnt/ext4.
$ keyctl list @s
2 keys in keyring:
 453787240: --alswrv     0 65534 keyring: _uid.0
1024073693: --alsw-v     0     0 logon: ext4:775a2062517e439c
• In Linux kernel since version 4.1.
• Per-directory master key (held in the key-ring).
• Per-file encryption key (FEK, derived from the master key and a per-inode nonce generated by an RNG).
• Page based IV.
• Support AES-256-XTS.
• e4crypt / keyctl (Linux Kernel 4.12).

Slide 11: ZOL encryption
$ zpool create -o ashift=13 testpool /dev/..
$ zfs create -o encryption=aes-128-ccm testpool/tank
Enter passphrase for 'tank': xxx
Enter again: xxx
$ zfs get all testpool/tank
testpool/tank  encryption  aes-128-ccm  local
• ZOL = ZFS On Linux, http://zfsonlinux.org/
• ZOL encryption is not in mainline yet; PR: https://github.com/zfsonlinux/zfs/pull/5769
• Support AES-CCM, AES-GCM.
• Key hierarchy (diagram): key source (passphrase, file or uri) + salt → KDF → wrapping key; the wrapping key seals the master key (E(master key), IV and MAC stored on-disk; keys held in the keystore); a per-block FEK is derived from the master key, and each block is encrypted with its own IV, with the ciphertext block and MAC referenced from blkptr_t.

Slide 12: Block Layer Encryption (section title)

Slide 13: Block layer encryption
• Encrypt everything on the disk – one key for whole disk (volume).
• Hides file and directory information, such as name and size.
• OS-agnostic.
(Diagram: application → syscalls → file system → block layer, which encrypts/decrypts the volume with the master key → disk; the master key is stored on disk wrapped with the password.)

Slide 14: dm-crypt
$ cryptsetup luksFormat -c aes-xts-plain64 -s 512 /dev/nvme3n1
$ cryptsetup luksFormat -c aes-cbc-essiv:sha256 -s 256 /dev/nvme3n1
Are you sure? (Type uppercase yes): YES
Enter passphrase: xxx
Verify passphrase: xxx
$ cryptsetup open --type luks /dev/nvme3n1 dm-crypt-disk
Enter passphrase for /dev/nvme3n1: xxx
$ lsblk
nvme3n1           259:1    0 745.2G  0 disk
└─dm-crypt-disk   253:3    0 745.2G  0 crypt
$ mkfs -t ext4 /dev/mapper/dm-crypt-disk
$ mount /dev/mapper/dm-crypt-disk /dm-crypt-disk/
$ df -T
/dev/mapper/dm-crypt-disk ext4 ... 1% /dm-crypt-disk
$ umount /dm-crypt-disk
$ cryptsetup close dm-crypt-disk
• In Linux kernel since version 2.6.
• Per-sector encryption (512B sectors; sector based IV).
• Support AES-XTS, AES-CBC.
• Single master key for whole disk.
• Using LUKS for key management - 8 key slots: the passphrase or key-file unlocks a key slot in the LUKS header, which yields the master key that cryptsetup sets for dm-crypt.

Slide 15: Linux Kernel Crypto API (section title)

Slide 16: Linux Kernel Crypto API
• Linux kernel sub-system; registered algorithms are listed with $ cat /proc/crypto.
• Data transforms: symmetric key ciphers (skcipher), asymmetric key ciphers (akcipher), AEAD ciphers, message digest, random number generation, compression.
• A crypto driver is registered and selected based on its priority.
• Support asynchronous operation for hardware acceleration.
(Diagram: users such as eCryptfs, Ext4, IPsec and dm-crypt make an API call and receive a callback; the API submits to the engine driver, which passes requests (sg_list / page) to the crypto hardware via DMA and returns responses.)

Slide 17: Cryptographic Hardware Acceleration (section title)

Slide 18: Security Benchmarks – Intel® QuickAssist Technology
(Chart: software-based vs OpenSSL with Intel® QAT for RSA 2K Decrypt (kOps/s), IPSec Forwarding (Gbps) and SSL WebProxy (Gbps), y-axis 0–110. Big Data Benchmarks with Compression: SW Snappy compression vs Intel® QAT compression, TeraSort time in minutes (lower is better), Hadoop run time reduced significantly; chart values 99 and 87.)
• Intel® QuickAssist Technology integrates hardware acceleration for compute intensive workloads such as Bulk Cryptography, Public Key Exchange & Compression on Intel® Architecture Platforms.
Footnotes:
1. NGINX* and OpenSSL* connections/second. Conducted by Intel Applications Integration Team. Claim is actual performance measurement. Intel® microprocessor. Processor: Intel® Xeon® processor Scalable family with C6xxB0 ES2. Performance tests use cores from a single CPU. Memory configuration: DDR4–2400, populated with 1 (16 GB) DIMM per channel, total of 6 DIMMs. Intel® QuickAssist Technology driver: QAT1.7.Upstream.L.0.8.0-37. Fedora* 22 (Kernel 4.2.7). BIOS: PLYDCRB1.86B.0088.D09.1606011736.
2. 24 Core Intel(r) Xeon Scalable Platform -SP @1.8GHz, Single (UP) Processor configuration. Intel(r) C627 PCH with crypto acceleration capability (in x16 mode), Neon City platform. DDR4 2400MHz RDIMMs 6x16GB (total 96 GB), 6 Channels, 1 x Intel® Corporation Red Rock Canyon 100GbE Ethernet Switch in the x16 PCIe slot on Socket 0. 8 cache ways allocated for DDIO.
3. Cloudera* 5.4.2 with Snappy* Software vs. Intel® QuickAssist Technology hardware solution. Conducted by Intel Applications Integration Team. Claim is actual performance measurement. Intel® Xeon® processor E5-2699 v4 (56 cores enabled), 256 GB DDR4, 1.6 TB NVMe SSD, 1 Intel® C6xxx-based card (24x), 10 Gbps, CentOS* 6.7 w/ 2.6.32 kernel, Cloudera* 5.4.2, QAT driver 0.9.1, Snappy* 1.1.2 (popular, fast compression codec). One NameNode, eight DataNodes, 10 Gbps network.
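Added example, not from the slides: the per-sector IV construction behind the two cipher specs on the dm-crypt slide, plain64 and essiv:sha256, with a 512-byte sector encrypted under AES-CBC as aes-cbc-essiv:sha256 does. The 256-bit volume key and the sector contents are constructed; AES-XTS (the first luksFormat line) is not shown because Go's standard library has no XTS mode.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SectorSize is dm-crypt's encryption unit on the slide: the 512B sector.
const SectorSize = 512

// plain64IV builds the "plain64" IV: the 64-bit sector number, little-endian,
// zero-padded to one AES block. It depends only on the sector position.
func plain64IV(sector uint64) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(iv, sector)
	return iv
}

// essivSHA256IV builds the "essiv:sha256" IV: the plain64 IV encrypted with
// AES under SHA-256(volume key). The IV is still unique per sector but is no
// longer predictable from the sector number without the key.
func essivSHA256IV(volumeKey []byte, sector uint64) ([]byte, error) {
	ivKey := sha256.Sum256(volumeKey)
	block, err := aes.NewCipher(ivKey[:]) // 32-byte digest -> AES-256
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	block.Encrypt(iv, plain64IV(sector))
	return iv, nil
}

// cbcSector runs AES-CBC over one whole sector. A sector is a multiple of the
// AES block size, so no padding is involved and the ciphertext has the same
// length as the plaintext (block-layer encryption is length-preserving).
func cbcSector(volumeKey, iv, in []byte, encrypt bool) ([]byte, error) {
	if len(in) != SectorSize {
		return nil, fmt.Errorf("sector must be %d bytes, got %d", SectorSize, len(in))
	}
	block, err := aes.NewCipher(volumeKey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, SectorSize)
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, in)
	}
	return out, nil
}

// EncryptSector encrypts sector number n the way aes-cbc-essiv:sha256 does.
func EncryptSector(volumeKey, plaintext []byte, n uint64) ([]byte, error) {
	iv, err := essivSHA256IV(volumeKey, n)
	if err != nil {
		return nil, err
	}
	return cbcSector(volumeKey, iv, plaintext, true)
}

// DecryptSector reverses EncryptSector for sector number n.
func DecryptSector(volumeKey, ciphertext []byte, n uint64) ([]byte, error) {
	iv, err := essivSHA256IV(volumeKey, n)
	if err != nil {
		return nil, err
	}
	return cbcSector(volumeKey, iv, ciphertext, false)
}

func main() {
	// Constructed 256-bit volume key (the LUKS master key; -s 256 on the slide).
	key := bytes.Repeat([]byte{0x42}, 32)
	// Constructed sector content, written to two different sector numbers.
	sector := bytes.Repeat([]byte("dm-crypt"), SectorSize/8)
	for _, n := range []uint64{0, 1} {
		plain := plain64IV(n)
		essiv, _ := essivSHA256IV(key, n)
		ct, _ := EncryptSector(key, sector, n)
		// Same plaintext, different sector: different IV, different ciphertext.
		fmt.Printf("sector %d plain64=%x essiv=%x ct[:16]=%x\n", n, plain, essiv, ct[:16])
	}
}
```

The plain64 IV of sector 0 is all zeros and of sector 1 is 01 00 … 00, which is why plain IVs are only appropriate for modes such as XTS that tolerate a predictable tweak; ESSIV hides the sector number behind the key for CBC.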