Re: [PATCH 0/2] Secure deletion under JFFS2

From: Theuns Verwoerd
Date: Sun Jul 22 2018 - 18:30:17 EST




On 07/23/2018 07:06 AM, Richard Weinberger wrote:
> On Fri, Jul 20, 2018 at 1:50 AM, Theuns Verwoerd
> <theuns.verwoerd@xxxxxxxxxxxxxxxxxxx> wrote:
>> Security certifications such as FIPS require the capability to securely
>> delete files, which is problematic under JFFS2's log-based model. We can
> Can you please be a little more specific about the certifications?
https://www.niap-ccevs.org/Documents_and_Guidance/view_td.cfm?td_id=133

gives some level of context. I believe both FIPS and CC have similar
expectations around key deletion.
> These days secure deletion at file system level is almost impossible to achieve
> since you don't have full control of the storage stack.
> I know, I know, In the raw flash case we have, but still. It makes
> things very complicated.
>
> A common approach do delete a file in a secure way is having it
> encrypted and upon deletion
> you forget the key.
> Wouldn't that work for you too?
To retain granularity for managing individual keys, you'd require a 1:1
key-to-access-key (ktak). Because keys are expected to be persistent,
so must the ktak be - at which point we've replaced the requirement for
securely deleting a key with one to securely delete a ktak.
(In addition, since this approach falls outside the specific language
used in the certification guidance documents, it'd need to be justified
in detail, which adds risk.)

Regards,

Theuns
KRN