On Fri, 16 Aug 2024, Ingo Franzki wrote:

> For the MAC based integrity operation, the integrity key size (i.e.
> key_mac_size) is currently set to the digest size of the used digest.
>
> For wrapped key HMAC algorithms, the key size is independent of the
> cryptographic key size. So there is no known size of the mac key in
> such cases. The desired key size can optionally be specified as argument
> when the dm-crypt device is configured via 'integrity_key_size:%u'.
> If no integrity_key_size argument is specified, the mac key size
> is still set to the digest size, as before.
>
> Increase version number to 1.28.0 so that support for the new
> argument can be detected by user space (i.e. cryptsetup).

Hi

I know you already discussed it with Milan. I'd like to ask, what's the reason for this patch? Milan said that you need it for mainframes - please, describe the specific configuration when this patch is needed.

Mikulas

> Signed-off-by: Ingo Franzki <ifranzki@xxxxxxxxxxxxx>
> --- > Documentation/admin-guide/device-mapper/dm-crypt.rst | 4 ++++ > drivers/md/dm-crypt.c | 11 +++++++++-- > 2 files changed, 13 insertions(+), 2 deletions(-) > > diff --git a/Documentation/admin-guide/device-mapper/dm-crypt.rst b/Documentation/admin-guide/device-mapper/dm-crypt.rst > index e625830d335e..636b47c582f0 100644 > --- a/Documentation/admin-guide/device-mapper/dm-crypt.rst > +++ b/Documentation/admin-guide/device-mapper/dm-crypt.rst > @@ -160,6 +160,10 @@ iv_large_sectors > The <iv_offset> must be multiple of <sector_size> (in 512 bytes units) > if this flag is specified. > > +integrity_key_size:<bytes> > + Use an integrity key of <bytes> size instead of using an integrity key size > + of the digest size of the used HMAC algorithm. > + > > Module parameters:: > max_read_size > diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c > index 348b4b26c272..c4c706115870 100644 > --- a/drivers/md/dm-crypt.c > +++ b/drivers/md/dm-crypt.c 
> @@ -2937,7 +2937,8 @@ static int crypt_ctr_auth_cipher(struct crypt_config *cc, char *cipher_api) > if (IS_ERR(mac)) > return PTR_ERR(mac); > > - cc->key_mac_size = crypto_ahash_digestsize(mac); > + if (!cc->key_mac_size) > + cc->key_mac_size = crypto_ahash_digestsize(mac); > crypto_free_ahash(mac); > > cc->authenc_key = kmalloc(crypt_authenckey_size(cc), GFP_KERNEL); > @@ -3219,6 +3220,12 @@ static int crypt_ctr_optional(struct dm_target *ti, unsigned int argc, char **ar > cc->cipher_auth = kstrdup(sval, GFP_KERNEL); > if (!cc->cipher_auth) > return -ENOMEM; > + } else if (sscanf(opt_string, "integrity_key_size:%u", &val) == 1) { > + if (val == 0) { > + ti->error = "Invalid integrity_key_size argument"; > + return -EINVAL; > + } > + cc->key_mac_size = val; > } else if (sscanf(opt_string, "sector_size:%hu%c", &cc->sector_size, &dummy) == 1) { > if (cc->sector_size < (1 << SECTOR_SHIFT) || > cc->sector_size > 4096 || > @@ -3758,7 +3765,7 @@ static void crypt_io_hints(struct dm_target *ti, struct queue_limits *limits) > > static struct target_type crypt_target = { > .name = "crypt", > - .version = {1, 27, 0}, > + .version = {1, 28, 0}, > .module = THIS_MODULE, > .ctr = crypt_ctr, > .dtr = crypt_dtr, > -- > 2.43.0 >
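
Review bot: In the dm-crypt.rst hunk, the new integrity_key_size:<bytes> entry does not say which values are accepted or what happens when the option is left out. The code rejects 0 and falls back to the digest size when no value was given, so the text could state both. The sentence also repeats "integrity key size" and would read better as "Use an integrity key of <bytes> size instead of the digest size of the used HMAC algorithm."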
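
Review bot: In the crypt_ctr_auth_cipher() hunk, "if (!cc->key_mac_size)" uses zero to mean that no integrity_key_size was given, which holds only if the field starts at zero and the optional arguments are parsed before this function runs; a short comment stating that assumption would help. The resulting size also feeds kmalloc(crypt_authenckey_size(cc), GFP_KERNEL) two lines further down, so a user-supplied value reaches the allocation without any upper limit in the visible lines.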
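
Review bot: In the crypt_ctr_optional() hunk, sscanf(opt_string, "integrity_key_size:%u", &val) has no trailing %c check, unlike the "sector_size:%hu%c" branch directly below it, so characters after the number are silently accepted. Consider "integrity_key_size:%u%c" with &dummy, and an upper bound on val next to the val == 0 check, since the value is stored in cc->key_mac_size unchanged.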