This series creates an ESSIV template that produces a skcipher or AEAD
transform based on a tuple of the form '<skcipher>,<shash>' (or '<aead>,<shash>'
for the AEAD case). It exposes the encapsulated sync or async skcipher/aead by
passing through all operations, while using the cipher/shash pair to transform
the input IV into an ESSIV output IV.
Changes since v11:
- Avoid spawns for the ESSIV shash and cipher algos. Instead, the shash TFM is
allocated per-instance (which is appropriate since it is unkeyed and thus
stateless), and the cipher is allocated explicitly based on the parsed
skcipher/aead cra_name.
Changes since v10:
- Drop patches against fscrypt and dm-crypt - these will be routed via the
respective maintainer trees during the next cycle
- Fix error handling when parsing the cipher name from the skcipher cra_name
- Use existing ivsize temporary instead of retrieving it again
- Expose cra_name via module alias (#4)
Changes since v9:
- Fix cipher_api parsing bug that was introduced by dropping the cipher name
parsing patch in v9 (#3). Thanks to Milan for finding it.
- Fix a couple of instances where the old essiv(x,y,z) format was used in
comments instead of the essiv(x,z) format we adopted in v9
Changes since v8:
- Remove 'cipher' argument from essiv() template, and instead, parse the
cra_name of the skcipher to obtain the cipher. This is slightly cleaner
than what dm-crypt currently does, since we can get the cra_name from the
spawn, and we don't have to actually allocate the TFM. Since this implies
that dm-crypt does not need to provide the cipher, we can drop the parsing
code from it entirely (assuming the eboiv patch I sent out recently is
applied first) (patch #7)
- Restrict the essiv() AEAD instantiation to AEADs whose cra_name starts with
'authenc('
- Rebase onto cryptodev/master
- Drop dm-crypt to reorder/refactor cipher name parsing, since it was wrong
and it is no longer needed.
- Drop Milan's R-b since the code has changed
- Fix bug in accelerated arm64 implementation.
Changes since v7:
- rebase onto cryptodev/master
- drop change to ivsize in #2
- add Milan's R-b's
Changes since v6:
- make CRYPTO_ESSIV user selectable so we can opt out of selecting it even
if FS_ENCRYPTION (which cannot be built as a module) is enabled
- move a comment along with the code it referred to (#3), not that this change
and removing some redundant braces makes the diff look totally different
- add Milan's R-b to #3 and #4
Changes since v5:
- drop redundant #includes and drop some unneeded braces (#2)
- add test case for essiv(authenc(hmac(sha256),cbc(aes)),aes,sha256)
- make ESSIV driver deal with assoc data that is described by more than two
scatterlist entries - this only happens when the extended tests are being
performed, so don't optimize for it
- clarify that both fscrypt and dm-crypt only use ESSIV in special cases (#7)
Changes since v4:
- make the ESSIV template IV size equal the IV size of the encapsulated
cipher - defining it as 8 bytes was needlessly restrictive, and also
complicated the code for no reason
- add a missing kfree() spotted by Smatch
- add additional algo length name checks when constructing the essiv()
cipher name
- reinstate the 'essiv' IV generation implementation in dm-crypt, but
make its generation function identical to plain64le (and drop the other
methods)
- fix a bug in the arm64 CE/NEON code
- simplify the arm64 code by reusing more of the existing CBC implementation
(patch #6 is new to this series and was added for this reason)
Changes since v3:
- address various review comments from Eric on patch #1
- use Kconfig's 'imply' instead of 'select' to permit CRYPTO_ESSIV to be
enabled as a module or disabled entirely even if fscrypt is compiled in (#2)
- fix an issue in the AEAD encrypt path caused by the IV being clobbered by
the inner skcipher before the hmac was being calculated
Changes since v2:
- fixed a couple of bugs that snuck in after I'd done the bulk of my
testing
- some cosmetic tweaks to the ESSIV template skcipher setkey function
to align it with the aead one
- add a test case for essiv(cbc(aes),aes,sha256)
- add an accelerated implementation for arm64 that combines the IV
derivation and the actual en/decryption in a single asm routine
Code can be found here
https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=essiv-v11
Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Cc: Eric Biggers <ebiggers@xxxxxxxxxx>
Cc: dm-devel@xxxxxxxxxx
Cc: linux-fscrypt@xxxxxxxxxxxxxxx
Cc: Gilad Ben-Yossef <gilad@xxxxxxxxxxxxx>
Cc: Milan Broz <gmazyland@xxxxxxxxx>
Ard Biesheuvel (4):
crypto: essiv - create wrapper template for ESSIV generation
crypto: essiv - add tests for essiv in cbc(aes)+sha256 mode
crypto: arm64/aes-cts-cbc - factor out CBC en/decryption of a walk
crypto: arm64/aes - implement accelerated ESSIV/CBC mode
arch/arm64/crypto/aes-glue.c | 206 +++++--
arch/arm64/crypto/aes-modes.S | 28 +
crypto/Kconfig | 28 +
crypto/Makefile | 1 +
crypto/essiv.c | 645 ++++++++++++++++++++
crypto/tcrypt.c | 9 +
crypto/testmgr.c | 14 +
crypto/testmgr.h | 497 +++++++++++++++
8 files changed, 1386 insertions(+), 42 deletions(-)
create mode 100644 crypto/essiv.c
--
2.17.1
--
dm-devel mailing list
dm-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/dm-devel
