> -----Original Message----- > From: Horia Geanta <horia.geanta@xxxxxxx> > Sent: Thursday, August 8, 2019 4:50 PM > To: Pascal Van Leeuwen <pvanleeuwen@xxxxxxxxxxxxxx>; Ard Biesheuvel > <ard.biesheuvel@xxxxxxxxxx> > Cc: Milan Broz <gmazyland@xxxxxxxxx>; Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>; dm- > devel@xxxxxxxxxx; linux-crypto@xxxxxxxxxxxxxxx > Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing support > > On 8/7/2019 11:58 PM, Pascal Van Leeuwen wrote: > >> -----Original Message----- > >> From: Horia Geanta <horia.geanta@xxxxxxx> > >> Sent: Wednesday, August 7, 2019 5:52 PM > >> To: Pascal Van Leeuwen <pvanleeuwen@xxxxxxxxxxxxxx>; Ard Biesheuvel > >> <ard.biesheuvel@xxxxxxxxxx> > >> Cc: Milan Broz <gmazyland@xxxxxxxxx>; Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>; dm- > >> devel@xxxxxxxxxx; linux-crypto@xxxxxxxxxxxxxxx > >> Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing support > >> > >> On 7/26/2019 10:59 PM, Horia Geantă wrote: > >>> On 7/26/2019 1:31 PM, Pascal Van Leeuwen wrote: > >>>> Ok, find below a patch file that adds your vectors from the specification > >>>> plus my set of additional vectors covering all CTS alignments combined > >>>> with the block sizes you desired. Please note though that these vectors > >>>> are from our in-house home-grown model so no warranties. > >>> I've checked the test vectors against caam (HW + driver). > >>> > >>> Test vectors from IEEE 1619-2007 (i.e. up to and including "XTS-AES 18") > >>> are fine. > >>> > >>> caam complains when /* Additional vectors to increase CTS coverage */ > >>> section starts: > >>> alg: skcipher: xts-aes-caam encryption test failed (wrong result) on test vector 9, > >> cfg="in-place" > >>> > >> I've nailed this down to a caam hw limitation. > >> Except for lx2160a and ls1028a SoCs, all the (older) SoCs allow only for > >> 8-byte wide IV (sector index). > >> > > I guess it's easy to say now, but I already suspected a problem with full 16 > > byte random IV's. A problem with CTS itself seemed implausible due to the base > > vectors from the spec running fine and I did happen to notice that all > > vectors from the spec only use up to the lower 40 bits of the sector number. > > While my vectors randomize all 16 bytes. > > > > So I guess that means that 16 byte multiples (i.e. not needing CTS) with > > full 16 byte sector numbers will probably also fail on caam HW ... > > > Yes, the limitation applies for all input sizes. > > It's actually mentioned in the commit that added xts support few years back: > c6415a6016bf ("crypto: caam - add support for acipher xts(aes)") > > sector index - HW limitation: CAAM device supports sector index of only > 8 bytes to be used for sector index inside IV, instead of whole 16 bytes > received on request. This represents 2 ^ 64 = 16,777,216 Tera of possible > values for sector index. > > > As for the tweak size, with very close scrutiny of the IEEE spec I actually > > noticed some inconsistencies: > > > > - the text very clearly defines the tweak as 128 bit and starting from an > > *arbitrary* non-negative integer, this is what I based my implementation on > > > > - all text examples and test vectors max out at 40 bits ... just examples, > > but odd nonetheless (why 40 anyway?) > > > > - the example code fragment in Annex C actually has the S data unit number > > input as an u64b, further commented as "64 bits" (but then loops 16 times to > > convert it to a byte string ...) > > > The input I received from our HW design team was something like: > > - some P1619 drafts used LRW (instead of XTS), where the tweak "T" > was 16B-wide > > - at some point P1619 drafts switched (and eventually standardized) XTS, > where "T" is no longer the tweak - "i" is the (public) tweak, "T" being > an intermediate (hidden) result in the encryption scheme > > - since for XTS "i" is supposed to be the sector number, > there is no need to support 16B values - 8B being deemed sufficient > Actually, the specification does NOT define i as a straight sector number, it specifies i to start from some "arbitrary non-negative integer" with further values assigned "consecutively". (which does not even mandate a binary increment, as long as it can be seen as some unbroken ordered sequence). A predictable sector number being a potential attack vector, I can imagine not wanting to start i from zero (although that's probably what most simple implementations will do?). > Agree, limiting "i" (XTS tweak) to 8B is out-of-spec - irrespective of the > usefulness of the full 16B. > That's why latest Freescale / NXP SoCs support 16B tweaks. > > Thanks, > Horia Regards, Pascal van Leeuwen Silicon IP Architect, Multi-Protocol Engines @ Verimatrix www.insidesecure.com