On 17/06/2019 15:59, Ard Biesheuvel wrote:
>
> So my main question/showstopper at the moment is: which modes do we
> need to support for ESSIV? Only CBC? Any skcipher? Or both skciphers
> and AEADs?

Support, or cover by internal test?

I think you need to support everything that dmcrypt currently allows, if you want to port dmcrypt to the new API.

I know of many systems that use aes-xts-essiv:sha256 (it does not make much sense but people just use it).

Some people use serpent and twofish, but we allow any cipher that fits...

For a start, run this
https://gitlab.com/cryptsetup/cryptsetup/blob/master/tests/mode-test

In other words, if you add some additional limit, we are breaking backward compatibility. (Even though the configuration is "wrong" from the security point of view.)

Milan