Posts: 3 | Thanked: 1 time | Joined on Dec 2008
#1
I recently purchased an n810 to store my personal data and to stay online when away from my computer. While I love the device for its simplicity and privacy (no cell phone contracts, etc.), I find it terribly lacking in applications that keep data secure. Therefore I would like to start developing an application to address these inadequacies as soon as possible.

The concept is a simple one, but as I am new to the Maemo scene I would like a bit of guidance or information before digging around in the very large code base.

My idea is to present 3 levels of security for the MyData folder on the Nokia. At the first level, and probably for release 1, a simple password will be required for any and all accesses into this folder by any program. This folder will be kept encrypted by a secure algorithm that will cause a minimal hit to file system performance and speed. To maintain absolute security and the best compatibility with existing programs, this change must be transparent to the other applications. In later releases I would like to use the camera to take retina scans and use the mic for voice comparisons (see http://www.biowallet.net/).

In theory I expect that I will have to write a hook for any access into this folder and interrupt the process to present a request for identification; once completed, it will decrypt the folder and allow the access. One thing I need to know right off the bat is if this folder is required by certain systems in Maemo for purposes other than storage. Obviously I do not want the program to continually request identification each time Maemo checks a user setting or something.
In its most basic form, all data in MyData will reside as a single block of encrypted data that is only decrypted when proper identification is provided. As far as Maemo is concerned, this folder should remain unchanged and intact, so my program should act as a transparent proxy to reinterpret the OS request for data.

While the task itself is fairly straightforward, I would like more information and guidance on the implementation of the file system lock for MyData. I am no stranger to the Linux environment, however I am by no means an expert. Therefore I would first like to know where I would need to look in the Maemo distribution to implement such a lock, and then I would like any information about the best way to implement such a system in Linux.

I am currently reading up on maemo and hildon development, as well as studying the implementation of the linux file system operation in maemo. This research can be greatly sped up by help from people who have used this software before and know much more than I do.

I need to have at least a basic version of this system working by the end of January so any information that might lead to a workable solution will be greatly appreciated.

A little background on me: I am not afraid of editing binary files, as I fear that some of the implementation might reside in Nokia's closed source applications. Also I am quite fluent in both C and C++ but new to the ARM architecture and these devices in general. I have a basic understanding of Linux and the systems that work underneath Maemo, but in this phase of program design any information is welcome.

Thank you for your time
Red Comet

Last edited by redcomet; 2008-12-21 at 04:38.
 

The Following User Says Thank You to redcomet For This Useful Post:
Posts: 1,213 | Thanked: 356 times | Joined on Jan 2008 @ California and Virginia
#2
Just FYI, you are not going to be able to use the camera for retina scans and use the mic for voice comparisons. They are way too shitty for that kind of thing (maybe the mic, but it's going to be easy to fool). You will have to wait for the next tablet which will have a nice camera for that to happen.

And most people do not put data in the flash memory. It is too small and gets filled with apps. What you need is an encryption on the SD cards. It should (aka I am just talking here) be easy to port one of the various encrypted file systems to maemo, and use them.
__________________
----------------------------------------------------

www.ezschool.com - The best online educational experience.
 

The Following User Says Thank You to Thesandlord For This Useful Post:
Posts: 3 | Thanked: 1 time | Joined on Dec 2008
#3
I was originally thinking about something like truecrypt for those cards, but there are a couple of disadvantages. Firstly, encrypting the entire card will cause me some grief when trying to write to it from an outside system. I would have to set something up on another machine to be able to read and write from it. Secondly, I am a little bit hesitant to encrypt 2gb+ of data for the n810 because it seems to me that it would be much slower to decrypt that data when compared to a few megabytes of text data stored in MyData, but I have not done any tests yet so maybe it's not that big of a deal.
I am disappointed to hear about the camera and mic though, thanks for the information.
 
anidel
Posts: 1,743 | Thanked: 1,231 times | Joined on Jul 2006 @ Twickenham, UK
#4
The problem is that you have to go way lower than Maemo to do what you wanted while maintaining transparency to other applications.

The applications access files using regular I/O calls to the Linux operating system.

To make your changes transparent, thus, you need to dig into those.

A bunch of years ago we (University of Salerno) developed a cryptographic file system for Linux and to achieve our goals we chose to modify NFS by adding encryption. The resulting file system was called TCFS and one needs to mount a regular NFS share using TCFS instead of NFS in order to decrypt/encrypt data.

I am not suggesting that you write a new file system, as the internal flash memory and the card should be reformatted with it, won't be as compatible and for sure won't be an easy task.
I am not even suggesting to patch JFFS and/or FAT in order to add encryption.
This, as well, would break compatibility.

What COULD be done, is to add support for plug-ins to the VFS (Virtual File-System) layer in the Linux kernel.
Much as BSD file-system layers do.

I don't know how the Linux VFS evolved lately, but I doubt it already provides a plug-in API. It would be very interesting to provide one, as one could simply write an encryption/decryption plug-in and .. plug it in.

I think you understand how hacking the Linux kernel is not that easy.
I think that would be the best solution, but an easier one does exist. You can use FUSE to create your own user-space file-system with encryption.
I think FUSE is pretty much supported by the GVFS, but I am not well informed on the matter.

Anidel
 

The Following User Says Thank You to anidel For This Useful Post:
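
Added example, not part of the thread or any poster's code: a Python model of the read/write handlers a user-space (FUSE-style) encrypting layer would expose, showing that a read decrypts only the requested byte range of the stored ciphertext, so the cost follows the bytes accessed rather than the size of the store. The `EncryptedStore` class and all names are hypothetical, and HMAC-SHA256 in counter mode stands in for AES because the Python standard library has no block cipher.

```python
import hashlib
import hmac

BLOCK = 32  # one HMAC-SHA256 output gives 32 bytes of keystream

def derive_key(password: str, salt: bytes) -> bytes:
    # Stretch the unlock password into a 256-bit key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def keystream(key: bytes, nonce: bytes, offset: int, length: int):
    """Return keystream for bytes [offset, offset+length) and the blocks computed."""
    if length <= 0:
        return b"", 0
    first, last = offset // BLOCK, (offset + length - 1) // BLOCK
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        for i in range(first, last + 1))
    skip = offset - first * BLOCK
    return stream[skip:skip + length], last - first + 1

class EncryptedStore:
    """Holds only ciphertext; read/write mirror FUSE read/write handlers."""
    def __init__(self, key: bytes, nonce: bytes):
        self.key, self.nonce = key, nonce
        self.ciphertext = bytearray()
        self.blocks_processed = 0  # counts keystream blocks, to show the cost

    def _xor(self, data: bytes, offset: int) -> bytes:
        ks, n = keystream(self.key, self.nonce, offset, len(data))
        self.blocks_processed += n
        return bytes(a ^ b for a, b in zip(data, ks))

    def write(self, data: bytes, offset: int) -> int:
        size = len(self.ciphertext)
        if offset > size:  # sparse write: encrypt the zero-filled gap as well
            self.write(bytes(offset - size), size)
        # Caveat: overwriting a range reuses keystream and nothing is
        # authenticated; real designs use XTS or per-write nonces plus a MAC.
        self.ciphertext[offset:offset + len(data)] = self._xor(data, offset)
        return len(data)

    def read(self, size: int, offset: int) -> bytes:
        # Only the blocks covering the requested range are decrypted.
        chunk = bytes(self.ciphertext[offset:offset + size])
        return self._xor(chunk, offset)

if __name__ == "__main__":
    store = EncryptedStore(derive_key("constructed-password", b"constructed-salt"), bytes(8))
    store.write(b"constructed MyData note", 0)
    print(store.read(4, 12))
```
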
Posts: 3 | Thanked: 1 time | Joined on Dec 2008
#5
Thank you very much for the information, you have provided me several leads I can now go into and dig up more information (or existing projects, cross fingers).

I will look into these measures starting with FUSE and hopefully derive a workable design document that I can then begin work on.
 
Posts: 2,102 | Thanked: 1,309 times | Joined on Sep 2006
#6
I'm interested in (helping to implement) the retinal scanning and voice recognition stuff, give me a shout when you're ready to start coding.
 
allnameswereout
Posts: 3,397 | Thanked: 1,212 times | Joined on Jul 2008 @ Netherlands
#7
Originally posted by anidel:
> A bunch of years ago we (University of Salerno) developed a cryptographic file system for Linux and to achieve our goals we chose to modify NFS by adding encryption. The resulting file system was called TCFS and one needs to mount a regular NFS share using TCFS instead of NFS in order to decrypt/encrypt data.
Self-certifying File System (SFS) is another example which used NFS internally. The method has been popular.

> What COULD be done, is to add support for plug-ins to the VFS (Virtual File-System) layer in the Linux kernel.
> Much as BSD file-system layers do.
FreeBSD Handbook about geom-class, geom(4)

> I don't know how the Linux VFS evolved lately, but I doubt it already provides a plug-in API. It would be very interesting to provide one, as one could simply write an encryption/decryption plug-in and .. plug it in.
Userspace; FUSE...

> I think FUSE is pretty much supported by the GVFS, but I am not well informed on the matter.
Yes.
__________________
Goosfraba! All text written by allnameswereout is public domain unless stated otherwise. Thank you for sharing your output!
 

The Following User Says Thank You to allnameswereout For This Useful Post: