On Thu, Apr 30, 2020 at 11:03:36PM -0700, Eric Biggers wrote: > On Tue, Apr 28, 2020 at 12:58:57PM +0200, Johannes Thumshirn wrote: > > There was interest in also using a HMAC version of Blake2b from the community, > > but as none of the crypto libraries used by user-space BTRFS tools as a > > backend does currently implement a HMAC version with Blake2b, it is not (yet) > > included. > > Note that BLAKE2b optionally takes a key, so using HMAC with it is unnecessary. > > And the kernel crypto API's implementation of BLAKE2b already supports this. > I.e. you can call crypto_shash_setkey() directly on "blake2b-256". The idea behind using HMAC + checksum and not the built-in blake2b keyed hash was to make the definitions unified and use the established crypto primitives without algorithm-specific tweaks. But you're right that using "blake2b-256" + setkey achieves the same, I haven't realized that.
