Re: [RFC PATCH 0/3] mtd: nand: add randomizer support
From: Jason Gunthorpe
Date: Thu May 01 2014 - 17:31:54 EST
On Thu, May 01, 2014 at 10:56:06PM +0200, Boris BREZILLON wrote:
> > However, with a synchronous scrambler the security concern boils down
> > to how robust and unpredictable is the PRBS.
>
> I'm not sure security is the main concern here.
> AFAICT, NAND scramblers (note that I stopped using the name "randomizer"
> :-)) is mainly used to avoid large island of identical data, because
> some NAND chips are sensible to such patterns (see [1] page 14).
Right, if you send to the flash 'the wrong data' then some combination of:
1) Retention time till ECC failure is reduced
2) The flash block is permanently damaged early
3) A 'nearby', unrelated flash block has ECC failure due to interference
So, if someone deliberately and maliciously defeats the scrambler and
deliberately sends in wrong data what happens?
1/3) Delibrate, predictable file system corruption
2) Create device damage and significantly early replacement of the device.
All could lead to a DOS attack of some sort, at a minimum.
FWIW, there was a similar attack against a certain communication
system. The line scrambler was statistically predictable, and if an
attacker sent enough packets that were the predictable anti-scramble
then enough would align with the scamble pattern and the
communication channel would fail and retrain creating a DOS vector.
For this reason these days com systems tend to use a 58 bit
self-synchronous LFSR for scrambling purposes.
> And this is exactly what's done in the sunxi HW scrambler
> implementation, or at least you can do it based on what you're
> specifying in your DT (see the "nand-randomizer-seeds" in the 3rd
> patch): you can define a seed table and the seed is selected based on
> the page number you're reading or writing.
Well, re-using fixed (and public) seeds:
state = rnd->seeds[page % rnd->nseeds];
Just changes the probabilities. For instance, some filesystems can be
asked to create extents with a large alignment (like 2M) to speed IOs,
and a small seeds table means the seeds within such a file will be
fully predictable.
If you are already stuck with this, then fine, it can be a driver
specific binding - but if this is a new green-field design, intended
to be broadly used as a core MTD feature:
I'd suggest just seeding with the block number xor some value, and
using a LFSR with a state space larger than the number of blocks in
the device, and don't specify a seeds array in DT.
Regards,
Jason
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/