Hi,
On 07/08/2019 07:50, Ard Biesheuvel wrote:
> Instead of instantiating a separate cipher to perform the encryption
> needed to produce the IV, reuse the skcipher used for the block data
> and invoke it one additional time for each block to encrypt a zero
> vector and use the output as the IV.
>
> For CBC mode, this is equivalent to using the bare block cipher, but
> without the risk of ending up with a non-time invariant implementation
> of AES when the skcipher itself is time variant (e.g., arm64 without
> Crypto Extensions has a NEON based time invariant implementation of
> cbc(aes) but no time invariant implementation of the core cipher other
> than aes-ti, which is not enabled by default)
>
> This approach is a compromise between dm-crypt API flexibility and
> reducing dependence on parts of the crypto API that should not usually
> be exposed to other subsystems, such as the bare cipher API.
>
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>
For now I have just pair of images here to test, but seems checksums are ok.
Tested-by: Milan Broz <gmazyland@xxxxxxxxx>
I talked with Mike already, so it should go through DM tree now.
Thanks!
Milan
> ---
> drivers/md/dm-crypt.c | 70 ++++++++++++++-----------------------------
> 1 file changed, 22 insertions(+), 48 deletions(-)
>
> diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
> index d5216bcc4649..48cd76c88d77 100644
> --- a/drivers/md/dm-crypt.c
> +++ b/drivers/md/dm-crypt.c
> @@ -120,10 +120,6 @@ struct iv_tcw_private {
> u8 *whitening;
> };
>
> -struct iv_eboiv_private {
> - struct crypto_cipher *tfm;
> -};
> -
> /*
> * Crypt: maps a linear range of a block device
> * and encrypts / decrypts at the same time.
> @@ -163,7 +159,6 @@ struct crypt_config {
> struct iv_benbi_private benbi;
> struct iv_lmk_private lmk;
> struct iv_tcw_private tcw;
> - struct iv_eboiv_private eboiv;
> } iv_gen_private;
> u64 iv_offset;
> unsigned int iv_size;
> @@ -847,65 +842,47 @@ static int crypt_iv_random_gen(struct crypt_config *cc, u8 *iv,
> return 0;
> }
>
> -static void crypt_iv_eboiv_dtr(struct crypt_config *cc)
> -{
> - struct iv_eboiv_private *eboiv = &cc->iv_gen_private.eboiv;
> -
> - crypto_free_cipher(eboiv->tfm);
> - eboiv->tfm = NULL;
> -}
> -
> static int crypt_iv_eboiv_ctr(struct crypt_config *cc, struct dm_target *ti,
> const char *opts)
> {
> - struct iv_eboiv_private *eboiv = &cc->iv_gen_private.eboiv;
> - struct crypto_cipher *tfm;
> -
> - tfm = crypto_alloc_cipher(cc->cipher, 0, 0);
> - if (IS_ERR(tfm)) {
> - ti->error = "Error allocating crypto tfm for EBOIV";
> - return PTR_ERR(tfm);
> + if (test_bit(CRYPT_MODE_INTEGRITY_AEAD, &cc->cipher_flags)) {
> + ti->error = "AEAD transforms not supported for EBOIV";
> + return -EINVAL;
> }
>
> - if (crypto_cipher_blocksize(tfm) != cc->iv_size) {
> + if (crypto_skcipher_blocksize(any_tfm(cc)) != cc->iv_size) {
> ti->error = "Block size of EBOIV cipher does "
> "not match IV size of block cipher";
> - crypto_free_cipher(tfm);
> return -EINVAL;
> }
>
> - eboiv->tfm = tfm;
> return 0;
> }
>
> -static int crypt_iv_eboiv_init(struct crypt_config *cc)
> +static int crypt_iv_eboiv_gen(struct crypt_config *cc, u8 *iv,
> + struct dm_crypt_request *dmreq)
> {
> - struct iv_eboiv_private *eboiv = &cc->iv_gen_private.eboiv;
> + u8 buf[MAX_CIPHER_BLOCKSIZE] __aligned(__alignof__(__le64));
> + struct skcipher_request *req;
> + struct scatterlist src, dst;
> + struct crypto_wait wait;
> int err;
>
> - err = crypto_cipher_setkey(eboiv->tfm, cc->key, cc->key_size);
> - if (err)
> - return err;
> -
> - return 0;
> -}
> -
> -static int crypt_iv_eboiv_wipe(struct crypt_config *cc)
> -{
> - /* Called after cc->key is set to random key in crypt_wipe() */
> - return crypt_iv_eboiv_init(cc);
> -}
> + req = skcipher_request_alloc(any_tfm(cc), GFP_KERNEL | GFP_NOFS);
> + if (!req)
> + return -ENOMEM;
>
> -static int crypt_iv_eboiv_gen(struct crypt_config *cc, u8 *iv,
> - struct dm_crypt_request *dmreq)
> -{
> - struct iv_eboiv_private *eboiv = &cc->iv_gen_private.eboiv;
> + memset(buf, 0, cc->iv_size);
> + *(__le64 *)buf = cpu_to_le64(dmreq->iv_sector * cc->sector_size);
>
> - memset(iv, 0, cc->iv_size);
> - *(__le64 *)iv = cpu_to_le64(dmreq->iv_sector * cc->sector_size);
> - crypto_cipher_encrypt_one(eboiv->tfm, iv, iv);
> + sg_init_one(&src, page_address(ZERO_PAGE(0)), cc->iv_size);
> + sg_init_one(&dst, iv, cc->iv_size);
> + skcipher_request_set_crypt(req, &src, &dst, cc->iv_size, buf);
> + skcipher_request_set_callback(req, 0, crypto_req_done, &wait);
> + err = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
> + skcipher_request_free(req);
>
> - return 0;
> + return err;
> }
>
> static const struct crypt_iv_operations crypt_iv_plain_ops = {
> @@ -962,9 +939,6 @@ static struct crypt_iv_operations crypt_iv_random_ops = {
>
> static struct crypt_iv_operations crypt_iv_eboiv_ops = {
> .ctr = crypt_iv_eboiv_ctr,
> - .dtr = crypt_iv_eboiv_dtr,
> - .init = crypt_iv_eboiv_init,
> - .wipe = crypt_iv_eboiv_wipe,
> .generator = crypt_iv_eboiv_gen
> };
>
>
--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/dm-devel
