On Wed, 21 Aug 2024, Ingo Franzki wrote:

> On 20.08.2024 17:56, Mikulas Patocka wrote:
> >
> >
> > On Fri, 16 Aug 2024, Ingo Franzki wrote:
> >
> >> For the MAC based integrity operation, the integrity key size (i.e.
> >> key_mac_size) is currently set to the digest size of the used digest.
> >>
> >> For wrapped key HMAC algorithms, the key size is independent of the
> >> cryptographic key size. So there is no known size of the mac key in
> >> such cases. The desired key size can optionally be specified as argument
> >> when the dm-crypt device is configured via 'integrity_key_size:%u'.
> >> If no integrity_key_size argument is specified, the mac key size
> >> is still set to the digest size, as before.
> >>
> >> Increase version number to 1.28.0 so that support for the new
> >> argument can be detected by user space (i.e. cryptsetup).
> >
> > Hi
> >
> > I know you already discussed it with Milan. I'd like to ask, what's the
> > reason for this patch? Milan said that you need it for mainframes -
> > please, describe the specific configuration when this patch is needed.
> >
> > Mikulas
>
> Hi Mikulas,
>
> thanks for looking into this.
>
> In short: Yes, we need it for a new function on Linux on IBM Z platform
> (aka s390x), but the general concept of using wrapped keys is not
> limited to that platform but can be used by other platforms as well.
> Furthermore, the proposed change can also be beneficial for clear key
> HMAC integrity protection, to allow choosing the size of the integrity
> key.

Hi

Thanks for the explanation.

I discussed it with Milan and we concluded that the patch is OK and that
we can stage it for the kernel 6.12.

I added the patch to the device mapper repository. You can get it from
"git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm.git",
checkout branch "remotes/origin/dm-6.12".

I fixed two bugs in the patch:
1. crypt_status must report the new argument in its table line
2. sscanf(opt_string, "integrity_key_size:%u"...) should really be
   sscanf(opt_string, "integrity_key_size:%u%c"...), so that we report
   syntax error if there are trailing characters after the number.

Please, download the updated patch from the "linux-dm.git" repository and
test it.

Mikulas
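The trailing-character check from point 2, as an added example that is not part of the original message or of the dm-crypt patch: userspace C using libc `sscanf` in place of the kernel's, with hypothetical helper names `parse_lax` and `parse_strict` and constructed sample option strings.

```c
#include <stdio.h>

/* Hypothetical helpers; userspace libc sscanf stands in for the kernel's. */

/* "%u" alone: succeeds as soon as a number is read, ignoring what follows. */
static int parse_lax(const char *opt, unsigned int *val)
{
	return sscanf(opt, "integrity_key_size:%u", val) == 1 ? 0 : -1;
}

/*
 * "%u%c": %c converts any character left after the number (it does not
 * skip whitespace), so sscanf returns 2 when trailing input exists.
 * A return of exactly 1 means the number ended the string.
 */
static int parse_strict(const char *opt, unsigned int *val)
{
	unsigned int v;
	char dummy;

	if (sscanf(opt, "integrity_key_size:%u%c", &v, &dummy) != 1)
		return -1;	/* no number, or trailing characters */
	*val = v;
	return 0;
}

int main(void)
{
	/* Constructed sample option strings. */
	static const char *samples[] = {
		"integrity_key_size:32",
		"integrity_key_size:32abc",
		"integrity_key_size:32 ",
		"integrity_key_size:",
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		unsigned int a = 0, b = 0;
		int lax = parse_lax(samples[i], &a);
		int strict = parse_strict(samples[i], &b);

		printf("%-28s lax=%s strict=%s\n", samples[i],
		       lax ? "reject" : "accept", strict ? "reject" : "accept");
	}
	return 0;
}
```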