Intro to lofi(7d)

Taken from the man page lofi(7d):

The lofi file driver exports a file as a block device. Reads
and writes to the block device are translated to reads and
writes on the underlying file. This is useful when the file
contains a file system image. Exporting it as a block device
through the lofi file driver allows normal system utilities
to operate on the image through the block device (like
fstyp(1M), fsck(1M), and mount(1M)). This is useful for accessing
CD-ROM and FAT floppy images. See lofiadm(1M) for examples.

Project Complete as of snv_105 integration of crypto support

loficc project scope

This project plans to add support for compression and encryption to
the lofi(7d) driver, similar to what has been done for other systems.

  • Compression support in lofi(7d) driver (Integrated snv_80)
  • Crypto support in the lofi(7d) driver  (Integrated snv_105)
  • Changes to lofiadm(1m) to set/show compression & encryption support
  • Support for wrapped keys on PKCS#11 devices such as smartcards.

Possible Futures

  • Database for storing persistent mappings of mount point to lofi file/user.
      Need to consider if this should be in the nameservice or just local.
  • Maybe a PAM module for mounting the devices.

Status

  • lofi compression support has been integrated into Nevada build 80. A webrev of the integrated changes can be found here
  • PSARC case for lofi compression can be found here
  • PSARC case for lofi crypto
  • Nevada prototype code for the crypto part has been completed; a copy of it is posted here
  • Userland API created to find out what kernel crypto algorithms are available along with their supported key lengths
  • lofi crypto support integrated into Nevada build 105

Dependencies

The Cryptographic Framework API will be used to do the crypto in the kernel.  This gives us access to hardware crypto for free when it is available.  The kernel APIs exist today.

  • We intend to use AES in XEX mode. This isn't yet integrated into the OpenSolaris code base but will be coming soon.  For now we have a prototype that uses AES in CBC mode.
  • We need an API in userland to find out what crypto algorithms, and their supported key lengths, are available to the kernel.  The PKCS#11 APIs can't be used for this since they tell us what is available to userland.  The cryptoadm(1m) command has a private implementation of this that uses the ioctl interface of /dev/cryptoadm.  We need to make this a function-based interface and put it into libcryptoutil.  The CR for this API is 6236948.

Project Team

Casper Dik, Moinak Ghosh, Darren Moffat, Dina Nimeh, Joep Vesseur, Alok Aggarwal

Links to similar technologies

Microsoft Vista BitLocker
Apple MacOS X FileVault

last modified by admin on 2009/10/26 12:15
© Sun Microsystems Inc. 2009