kernel-2.6.23.diff

Fast and transparent file system and swap encryption package for linux. No source code changes to li

Before this patch can be applied to kernel, drivers/block/loop.c and
include/linux/loop.h source files must be removed:

    rm -f drivers/block/loop.c include/linux/loop.h

diff -urN linux-2.6.23-noloop/drivers/block/Kconfig linux-2.6.23-AES/drivers/block/Kconfig
--- linux-2.6.23-noloop/drivers/block/Kconfig	2007-10-11 18:26:34.000000000 +0300
+++ linux-2.6.23-AES/drivers/block/Kconfig	2007-10-11 20:15:59.000000000 +0300
@@ -248,14 +248,6 @@
 	  bits of, say, a sound file). This is also safe if the file resides
 	  on a remote file server.
 
-	  There are several ways of encrypting disks. Some of these require
-	  kernel patches. The vanilla kernel offers the cryptoloop option
-	  and a Device Mapper target (which is superior, as it supports all
-	  file systems). If you want to use the cryptoloop, say Y to both
-	  LOOP and CRYPTOLOOP, and make sure you have a recent (version 2.12
-	  or later) version of util-linux. Additionally, be aware that
-	  the cryptoloop is not safe for storing journaled filesystems.
-
 	  Note that this loop device has nothing to do with the loopback
 	  device used for network connections from the machine to itself.
 
@@ -264,20 +256,32 @@
 
 	  Most users will answer N here.
 
-config BLK_DEV_CRYPTOLOOP
-	tristate "Cryptoloop Support"
-	select CRYPTO
-	select CRYPTO_CBC
+config BLK_DEV_LOOP_AES
+	bool "AES encrypted loop device support"
 	depends on BLK_DEV_LOOP
 	---help---
-	  Say Y here if you want to be able to use the ciphers that are 
-	  provided by the CryptoAPI as loop transformation. This might be
-	  used as hard disk encryption.
-
-	  WARNING: This device is not safe for journaled file systems like
-	  ext3 or Reiserfs. Please use the Device Mapper crypto module
-	  instead, which can be configured to be on-disk compatible with the
-	  cryptoloop device.
+	  If you want to use AES encryption algorithm to encrypt loop
+	  devices, say Y here. If you don't know what to do here, say N.
+
+config BLK_DEV_LOOP_KEYSCRUB
+	bool "loop encryption key scrubbing support"
+	depends on BLK_DEV_LOOP
+	---help---
+	  Loop encryption key scrubbing moves and inverts key bits in
+	  kernel RAM so that the thin oxide which forms the storage
+	  capacitor dielectric of DRAM cells is not permitted to develop
+	  detectable property. For more info, see Peter Gutmann's paper:
+	  http://www.cypherpunks.to/~peter/usenix01.pdf
+
+	  Paranoid tinfoil hat crowd say Y here, everyone else say N.
+
+config BLK_DEV_LOOP_PADLOCK
+	bool "VIA padlock hardware AES support"
+	depends on BLK_DEV_LOOP && BLK_DEV_LOOP_AES && (X86 || X86_64)
+	---help---
+	  If you have VIA processor that supports padlock xcrypt instructions,
+	  say Y here. If enabled, presence of VIA padlock instructions is detected
+	  at run time, but code still works on non-padlock processors too.
 
 config BLK_DEV_NBD
 	tristate "Network block device support"
diff -urN linux-2.6.23-noloop/drivers/block/Makefile linux-2.6.23-AES/drivers/block/Makefile
--- linux-2.6.23-noloop/drivers/block/Makefile	2007-10-11 18:26:34.000000000 +0300
+++ linux-2.6.23-AES/drivers/block/Makefile	2007-10-11 20:15:59.000000000 +0300
@@ -1,6 +1,11 @@
 #
 # Makefile for the kernel block device drivers.
 #
+
+CFLAGS_loop.o := $(shell if test -r $(srctree)/include/linux/sched.h; then if sed -e '1,/^struct task_struct {$$/ d' $(srctree)/include/linux/sched.h | sed -e '/^};$$/,$$ d' | grep -q -s 'struct rlimit rlim.RLIM_NLIMITS.;'; then echo "-DOLD_PER_THREAD_RLIMITS"; fi; fi)
+CFLAGS_loop.o += $(shell if test -r $(srctree)/include/linux/timer.h; then if ! sed -e '1,/^struct timer_list {$$/ d' $(srctree)/include/linux/timer.h | sed -e '/^};$$/,$$ d' | grep -q -s 'unsigned long data;'; then echo "-DNEW_TIMER_VOID_PTR_PARAM"; fi; fi)
+CFLAGS_loop.o += $(shell if test -r $(srctree)/include/linux/buffer_head.h; then if grep -q -s '^void invalidate_bdev.*struct block_device.*int' $(srctree)/include/linux/buffer_head.h; then echo "-DOLD_INVALIDATE_BDEV_INTERFACE"; fi; fi)
+
 # 12 June 2000, Christoph Hellwig <hch@infradead.org>
 # Rewritten to use lists instead of if-statements.
 # 
diff -urN linux-2.6.23-noloop/drivers/block/loop.c linux-2.6.23-AES/drivers/block/loop.c
--- linux-2.6.23-noloop/drivers/block/loop.c	1970-01-01 02:00:00.000000000 +0200
+++ linux-2.6.23-AES/drivers/block/loop.c	2007-10-24 20:26:05.000000000 +0300
@@ -0,0 +1,2900 @@
+/*
+ *  linux/drivers/block/loop.c
+ *
+ *  Written by Theodore Ts'o, 3/29/93
+ *
+ * Copyright 1993 by Theodore Ts'o.  Redistribution of this file is
+ * permitted under the GNU General Public License.
+ *
+ * DES encryption plus some minor changes by Werner Almesberger, 30-MAY-1993
+ * more DES encryption plus IDEA encryption by Nicholas J. Leon, June 20, 1996
+ *
+ * Modularized and updated for 1.1.16 kernel - Mitch Dsouza 28th May 1994
+ * Adapted for 1.3.59 kernel - Andries Brouwer, 1 Feb 1996
+ *
+ * Fixed do_loop_request() re-entrancy - Vincent.Renardias@waw.com Mar 20, 1997
+ *
+ * Added devfs support - Richard Gooch <rgooch@atnf.csiro.au> 16-Jan-1998
+ *
+ * Handle sparse backing files correctly - Kenn Humborg, Jun 28, 1998
+ *
+ * Loadable modules and other fixes by AK, 1998
+ *
+ * Make real block number available to downstream transfer functions, enables
+ * CBC (and relatives) mode encryption requiring unique IVs per data block.
+ * Reed H. Petty, rhp@draper.net
+ *
+ * Maximum number of loop devices now dynamic via max_loop module parameter.
+ * Russell Kroll <rkroll@exploits.org> 19990701
+ *
+ * Maximum number of loop devices when compiled-in now selectable by passing
+ * max_loop=<1-255> to the kernel on boot.
+ * Erik I. Bols