Re: [PATCH v8 0/7] crypto: switch to crypto API for ESSIV generation

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thu, 4 Jul 2019 at 20:30, Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx> wrote:
>
> This series creates an ESSIV template that produces a skcipher or AEAD
> transform based on a tuple of the form '<skcipher>,<cipher>,<shash>'
> (or '<aead>,<cipher>,<shash>' for the AEAD case). It exposes the
> encapsulated sync or async skcipher/aead by passing through all operations,
> while using the cipher/shash pair to transform the input IV into an ESSIV
> output IV.
>
> This matches what both users of ESSIV in the kernel do, and so it is proposed
> as a replacement for those, in patches #2 and #4.
>
> Note to the maintainer: patches #2 .. #4 are against other subsystems, and
> so it might make sense to take only the crypto patches (#1, #5, and optionally
> #6 and #7) now, and allow the other subsystem maintainers to take the other
> patches at their leisure during the next cycle.
>

Please disregard #6 and #7 for now - the IV handling is busted after
the rebase to cryptodev/master. #1 and #5 should be fine though

Since I am obviously unsuccessful in cranking out these patches
without bugs in time before my leave, I am going to stop trying, and I
will get back to this work when I return from my leave, around the end
of September.


> This code has been tested using the fscrypt test suggested by Eric
> (generic/549 *), as well as the mode-test scripts suggested by Milan for
> the dm-crypt case. I also tested the aead case in a virtual machine,
> but it definitely needs some wider testing from the dm-crypt experts.
>
> * due to sloppiness on my part, the fscrypt change was actually broken
>   since I switched back to using full size IVs in the ESSIV template.
>   This time, I fixed this, and reran the test in question and it passed.
>
> The consensus appears to be that it would be useful if the crypto API
> encapsulates the handling of multiple subsequent blocks that are
> encrypted using a 64-bit LE counter as IV, and makes it the duty of
> the algo to increment the counter between blocks. However, this is
> equally suitable for non-ESSIV transforms (or even more so), and so
> this is left as a future enhancement to  be applied on top.
>
> Changes since v7:
> - rebase onto cryptodev/master
> - drop change to ivsize in #2
> - add Milan's R-b's
>
> Changes since v6:
> - make CRYPTO_ESSIV user selectable so we can opt out of selecting it even
>   if FS_ENCRYPTION (which cannot be built as a module) is enabled
> - move a comment along with the code it referred to (#3), not that this change
>   and removing some redundant braces makes the diff look totally different
> - add Milan's R-b to #3 and #4
>
> Changes since v5:
> - drop redundant #includes and drop some unneeded braces (#2)
> - add test case for essiv(authenc(hmac(sha256),cbc(aes)),aes,sha256)
> - make ESSIV driver deal with assoc data that is described by more than two
>   scatterlist entries - this only happens when the extended tests are being
>   performed, so don't optimize for it
> - clarify that both fscrypt and dm-crypt only use ESSIV in special cases (#7)
>
> Changes since v4:
> - make the ESSIV template IV size equal the IV size of the encapsulated
>   cipher - defining it as 8 bytes was needlessly restrictive, and also
>   complicated the code for no reason
> - add a missing kfree() spotted by Smatch
> - add additional algo length name checks when constructing the essiv()
>   cipher name
> - reinstate the 'essiv' IV generation implementation in dm-crypt, but
>   make its generation function identical to plain64le (and drop the other
>   methods)
> - fix a bug in the arm64 CE/NEON code
> - simplify the arm64 code by reusing more of the existing CBC implementation
>   (patch #6 is new to this series and was added for this reason)
>
> Changes since v3:
> - address various review comments from Eric on patch #1
> - use Kconfig's 'imply' instead of 'select' to permit CRYPTO_ESSIV to be
>   enabled as a module or disabled entirely even if fscrypt is compiled in (#2)
> - fix an issue in the AEAD encrypt path caused by the IV being clobbered by
>   the inner skcipher before the hmac was being calculated
>
> Changes since v2:
> - fixed a couple of bugs that snuck in after I'd done the bulk of my
>   testing
> - some cosmetic tweaks to the ESSIV template skcipher setkey function
>   to align it with the aead one
> - add a test case for essiv(cbc(aes),aes,sha256)
> - add an accelerated implementation for arm64 that combines the IV
>   derivation and the actual en/decryption in a single asm routine
>
> Scroll down for tcrypt speed test result comparing the essiv template
> with the asm implementation. Bare cbc(aes) tests included for reference
> as well. Taken on a 2GHz Cortex-A57 (AMD Seattle)
>
> Code can be found here
> https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=essiv-v8
>
> Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> Cc: Eric Biggers <ebiggers@xxxxxxxxxx>
> Cc: dm-devel@xxxxxxxxxx
> Cc: linux-fscrypt@xxxxxxxxxxxxxxx
> Cc: Gilad Ben-Yossef <gilad@xxxxxxxxxxxxx>
> Cc: Milan Broz <gmazyland@xxxxxxxxx>
>
> Ard Biesheuvel (7):
>   crypto: essiv - create wrapper template for ESSIV generation
>   fs: crypto: invoke crypto API for ESSIV handling
>   md: dm-crypt: infer ESSIV block cipher from cipher string directly
>   md: dm-crypt: switch to ESSIV crypto API template
>   crypto: essiv - add test vector for essiv(cbc(aes),aes,sha256)
>   crypto: arm64/aes-cts-cbc - factor out CBC en/decryption of a walk
>   crypto: arm64/aes - implement accelerated ESSIV/CBC mode
>
>  arch/arm64/crypto/aes-glue.c  | 205 +++++--
>  arch/arm64/crypto/aes-modes.S |  29 +-
>  crypto/Kconfig                |  28 +
>  crypto/Makefile               |   1 +
>  crypto/essiv.c                | 640 ++++++++++++++++++++
>  crypto/tcrypt.c               |   9 +
>  crypto/testmgr.c              |  14 +
>  crypto/testmgr.h              | 497 +++++++++++++++
>  drivers/md/Kconfig            |   1 +
>  drivers/md/dm-crypt.c         | 235 ++-----
>  fs/crypto/Kconfig             |   1 +
>  fs/crypto/crypto.c            |   5 -
>  fs/crypto/fscrypt_private.h   |   9 -
>  fs/crypto/keyinfo.c           |  93 +--
>  14 files changed, 1435 insertions(+), 332 deletions(-)
>  create mode 100644 crypto/essiv.c
>
> --
> 2.17.1
>



[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux