On Mon, Aug 12, 2019 at 05:53:19PM +0300, Ard Biesheuvel wrote: > Instead of open coding the calculations for ESSIV handling, use a > ESSIV skcipher which does all of this under the hood. > > Signed-off-by: Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx> This looks fine (except for one comment below), but this heavily conflicts with the fscrypt patches planned for v5.4. So I suggest moving this to the end of the series and having Herbert take only 1-6, and I'll apply this one to the fscrypt tree later. Thanks! > --- > fs/crypto/Kconfig | 1 + > fs/crypto/crypto.c | 5 -- > fs/crypto/fscrypt_private.h | 9 -- > fs/crypto/keyinfo.c | 92 +------------------- > 4 files changed, 4 insertions(+), 103 deletions(-) > > diff --git a/fs/crypto/Kconfig b/fs/crypto/Kconfig > index 5fdf24877c17..6f3d59b880b7 100644 > --- a/fs/crypto/Kconfig > +++ b/fs/crypto/Kconfig > @@ -5,6 +5,7 @@ config FS_ENCRYPTION > select CRYPTO_AES > select CRYPTO_CBC > select CRYPTO_ECB > + select CRYPTO_ESSIV > select CRYPTO_XTS > select CRYPTO_CTS > select KEYS In v5.3 I removed the 'select CRYPTO_SHA256', so now ESSIV shouldn't be selected here either. Instead we should just update the documentation: diff --git a/Documentation/filesystems/fscrypt.rst b/Documentation/filesystems/fscrypt.rst index 82efa41b0e6c02..a1e2ab12a99943 100644 --- a/Documentation/filesystems/fscrypt.rst +++ b/Documentation/filesystems/fscrypt.rst @@ -193,7 +193,8 @@ If unsure, you should use the (AES-256-XTS, AES-256-CTS-CBC) pair. AES-128-CBC was added only for low-powered embedded devices with crypto accelerators such as CAAM or CESA that do not support XTS. To use AES-128-CBC, CONFIG_CRYPTO_SHA256 (or another SHA-256 -implementation) must be enabled so that ESSIV can be used. +implementation) and CONFIG_CRYPTO_ESSIV must be enabled so that ESSIV +can be used. Adiantum is a (primarily) stream cipher-based mode that is fast even on CPUs without dedicated crypto instructions. It's also a true