On 07/08/2019 07:50, Ard Biesheuvel wrote:
> Instead of instantiating a separate cipher to perform the encryption
> needed to produce the IV, reuse the skcipher used for the block data
> and invoke it one additional time for each block to encrypt a zero
> vector and use the output as the IV.
>
> For CBC mode, this is equivalent to using the bare block cipher, but
> without the risk of ending up with a non-time invariant implementation
> of AES when the skcipher itself is time variant (e.g., arm64 without
> Crypto Extensions has a NEON based time invariant implementation of
> cbc(aes) but no time invariant implementation of the core cipher other
> than aes-ti, which is not enabled by default)
>
> This approach is a compromise between dm-crypt API flexibility and
> reducing dependence on parts of the crypto API that should not usually
> be exposed to other subsystems, such as the bare cipher API.
>
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx>

Yes, this is a good idea, I'll test it.

Thanks!
Milan
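As an added example (not part of this thread or the dm-crypt patch), the following Go program shows the equivalence the commit message relies on: running cbc(aes) over a single zero block with the per-sector value supplied as the CBC IV yields the same output as encrypting that value with the bare AES block cipher. The sector-number-to-16-byte layout and the function names are assumptions of this example, not dm-crypt's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)

// sectorVector is the 16-byte value fed to the IV derivation: the sector
// number as little-endian uint64, zero-padded (layout assumed for this example).
func sectorVector(sector uint64) []byte {
	v := make([]byte, aes.BlockSize)
	binary.LittleEndian.PutUint64(v, sector)
	return v
}

// ivViaBareCipher: the replaced approach, a separately instantiated AES
// block cipher encrypts the sector vector directly.
func ivViaBareCipher(key []byte, sector uint64) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize)
	block.Encrypt(out, sectorVector(sector))
	return out, nil
}

// ivViaCBC: the patch's approach, the same cbc(aes) skcipher used for the
// data is run once more on a zero block with the sector vector as its IV.
// CBC computes E_k(P xor IV); with P = 0 that is exactly E_k(IV).
func ivViaCBC(key []byte, sector uint64) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	zero := make([]byte, aes.BlockSize)
	out := make([]byte, aes.BlockSize)
	cipher.NewCBCEncrypter(block, sectorVector(sector)).CryptBlocks(out, zero)
	return out, nil
}

// ivsMatch reports whether both derivations agree for the given key and sector.
func ivsMatch(key []byte, sector uint64) bool {
	a, errA := ivViaBareCipher(key, sector)
	b, errB := ivViaCBC(key, sector)
	return errA == nil && errB == nil && bytes.Equal(a, b)
}
```

Because the only place the bare cipher was needed is now served by the skcipher, whichever time-invariant cbc(aes) implementation the kernel selected is the one that computes the IV as well.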