Re: [PATCH] dm-crypt: Allow to specify the integrity key size as option

On Fri, 16 Aug 2024, Ingo Franzki wrote:

> For the MAC based integrity operation, the integrity key size (i.e.
> key_mac_size) is currently set to the digest size of the used digest.
> 
> For wrapped key HMAC algorithms, the key size is independent of the
> cryptographic key size. So there is no known size of the mac key in
> such cases. The desired key size can optionally be specified as argument
> when the dm-crypt device is configured via 'integrity_key_size:%u'.
> If no integrity_key_size argument is specified, the mac key size
> is still set to the digest size, as before.
> 
> Increase version number to 1.28.0 so that support for the new
> argument can be detected by user space (i.e. cryptsetup).

Hi

I know you already discussed it with Milan. I'd like to ask, what's the 
reason for this patch? Milan said that you need it for mainframes - 
please, describe the specific configuration when this patch is needed.

Mikulas


> Signed-off-by: Ingo Franzki <ifranzki@xxxxxxxxxxxxx>
> ---
>  Documentation/admin-guide/device-mapper/dm-crypt.rst |  4 ++++
>  drivers/md/dm-crypt.c                                | 11 +++++++++--
>  2 files changed, 13 insertions(+), 2 deletions(-)
> 
> diff --git a/Documentation/admin-guide/device-mapper/dm-crypt.rst b/Documentation/admin-guide/device-mapper/dm-crypt.rst
> index e625830d335e..636b47c582f0 100644
> --- a/Documentation/admin-guide/device-mapper/dm-crypt.rst
> +++ b/Documentation/admin-guide/device-mapper/dm-crypt.rst
> @@ -160,6 +160,10 @@ iv_large_sectors
>     The <iv_offset> must be multiple of <sector_size> (in 512 bytes units)
>     if this flag is specified.
>  
> +integrity_key_size:<bytes>
> +   Use an integrity key of <bytes> size instead of using an integrity key size
> +   of the digest size of the used HMAC algorithm.
> +
>  
>  Module parameters::
>  max_read_size
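
Review bot: the new integrity_key_size:<bytes> entry gives no valid range. The parser in dm-crypt.c rejects 0 with "Invalid integrity_key_size argument", so the text should say the value must be non-zero and whether there is an upper limit. It would also help to state that the option is only meaningful when an HMAC integrity mode is configured, and to tighten the wording, for example "Use an integrity key of <bytes> bytes instead of the digest size of the HMAC algorithm in use."
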
> diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c
> index 348b4b26c272..c4c706115870 100644
> --- a/drivers/md/dm-crypt.c
> +++ b/drivers/md/dm-crypt.c
> @@ -2937,7 +2937,8 @@ static int crypt_ctr_auth_cipher(struct crypt_config *cc, char *cipher_api)
>  	if (IS_ERR(mac))
>  		return PTR_ERR(mac);
>  
> -	cc->key_mac_size = crypto_ahash_digestsize(mac);
> +	if (!cc->key_mac_size)
> +		cc->key_mac_size = crypto_ahash_digestsize(mac);
>  	crypto_free_ahash(mac);
>  
>  	cc->authenc_key = kmalloc(crypt_authenckey_size(cc), GFP_KERNEL);
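
Review bot: the `if (!cc->key_mac_size)` test treats zero as "not specified", which is only correct if the optional arguments have already been parsed when crypt_ctr_auth_cipher() runs and the field is still zero otherwise. Please add a short comment stating that ordering assumption, so a later reordering of the constructor does not silently make the digest size override the user's value or leave the field unset.
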
> @@ -3219,6 +3220,12 @@ static int crypt_ctr_optional(struct dm_target *ti, unsigned int argc, char **ar
>  			cc->cipher_auth = kstrdup(sval, GFP_KERNEL);
>  			if (!cc->cipher_auth)
>  				return -ENOMEM;
> +		} else if (sscanf(opt_string, "integrity_key_size:%u", &val) == 1) {
> +			if (val == 0) {
> +				ti->error = "Invalid integrity_key_size argument";
> +				return -EINVAL;
> +			}
> +			cc->key_mac_size = val;
>  		} else if (sscanf(opt_string, "sector_size:%hu%c", &cc->sector_size, &dummy) == 1) {
>  			if (cc->sector_size < (1 << SECTOR_SHIFT) ||
>  			    cc->sector_size > 4096 ||
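
Review bot: in the new `else if`, `sscanf(opt_string, "integrity_key_size:%u", &val) == 1` accepts trailing characters after the number, while the sector_size branch directly below uses `%hu%c` with `&dummy` and `== 1` to reject them; the new option should use `"integrity_key_size:%u%c", &val, &dummy` in the same way. Only `val == 0` is rejected, so any other unsigned value is stored in cc->key_mac_size; an upper bound check here, with its own ti->error message, would keep an unreasonable size from reaching the later key handling.
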
> @@ -3758,7 +3765,7 @@ static void crypt_io_hints(struct dm_target *ti, struct queue_limits *limits)
>  
>  static struct target_type crypt_target = {
>  	.name   = "crypt",
> -	.version = {1, 27, 0},
> +	.version = {1, 28, 0},
>  	.module = THIS_MODULE,
>  	.ctr    = crypt_ctr,
>  	.dtr    = crypt_dtr,
> -- 
> 2.43.0
> 




