On jeu., 2011-05-19 at 10:52 +0200, Milan Broz wrote: > On 05/19/2011 10:01 AM, Yves-Alexis Perez wrote: > > On jeu., 2011-05-19 at 09:05 +0200, Milan Broz wrote: > >> On 05/18/2011 11:53 PM, Yves-Alexis Perez wrote: > >>> If you read the paper, you'll noticed there's nothing to change to > >>> dm-crypt, as the cypher is registered in the Crypto-API, it can be used > >>> directly. > >> > >> TBH dmcrypt keeps its own copy of key (because key it is still part > >> of the device-mapper mapping table so it must be available for > >> status commands). > > > > In that case it'll be the âdummyâ key. > > The logic now works that table line received from dmcrypt > is directly usable - cryptsetup uses that e.g. for resize. > Replacing the key with zeroes or something will break this. I don't know enough dm-crypt arch, but aiui from the paper, everytime you use the crypto-api to do stuff, it'll use the key in CPU debug registers and not the dummy key. Do you mean cryptsetup resize doesn't use the crypto-api (and will thus fail)? > > >> So there are some changes needed but basically technicaly unrelated > >> to that patch. > >> (This will hopefully change with new mapping table format soon.) > > > > Needed for what? > > You mean new table format? No, I meant the âchanges neededâ :) > > ... etc. > > >> > >> Anyway, it must be accepted into kernel crypto layer first. > > > > I'm not even sure it'll be submitted though. > > So it is just academic exercise for conferences? No idea. Just to be clear, I'm in now way associated to that paper, I just found it interesting after seeing the first mail in thread and wanted to add my views about the suppossingly needed changes to dm-crypt. But looking at their website and the papers I didn't see anything about submitting the patch upstream. It might not be acceptable to use the debug registers in mainline kernel though. > > For the AES-NI one, if the hypervisor supports it (they tested on KVM) > > yes (though the vm registers are stored in the host ram anyway). > > Yes, that was my point. (AES-NI works for guests but bare hw has > of course limited hw resources.) Note that I'm not sure it's a good idea to use encryption in a guest anyway, at least not to protect from the host. Regards, -- Yves-Alexis _______________________________________________ dm-crypt mailing list dm-crypt@xxxxxxxx http://www.saout.de/mailman/listinfo/dm-crypt
