On Wed, 24 Jul 2019 at 19:10, Pascal Van Leeuwen <pvanleeu...@verimatrix.com> wrote: > > Ard, > > > -----Original Message----- > > From: Ard Biesheuvel <ard.biesheu...@linaro.org> > > Sent: Monday, July 22, 2019 6:43 PM > > To: Pascal Van Leeuwen <pvanleeu...@verimatrix.com> > > Cc: Milan Broz <gmazyl...@gmail.com>; Herbert Xu > > <herb...@gondor.apana.org.au>; dm-devel@redhat.com; linux- > > cry...@vger.kernel.org; Horia Geanta <horia.gea...@nxp.com> > > Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing > > support > > > > On Mon, 22 Jul 2019 at 12:44, Pascal Van Leeuwen > > <pvanleeu...@verimatrix.com> wrote: > > > > > > > -----Original Message----- > > > > From: Ard Biesheuvel <ard.biesheu...@linaro.org> > > > > Sent: Sunday, July 21, 2019 11:50 AM > > > > To: Milan Broz <gmazyl...@gmail.com> > > > > Cc: Pascal Van Leeuwen <pvanleeu...@verimatrix.com>; Herbert Xu > > > > <herb...@gondor.apana.org.au>; dm-devel@redhat.com; linux- > > > > cry...@vger.kernel.org; Horia Geanta <horia.gea...@nxp.com> > > > > Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext > > > > stealing support > > > > > > > > On Sat, 20 Jul 2019 at 10:35, Milan Broz <gmazyl...@gmail.com> wrote: > > > > > > > > > > On 20/07/2019 08:58, Eric Biggers wrote: > > > > > > On Thu, Jul 18, 2019 at 01:19:41PM +0200, Milan Broz wrote: > > > > > >> Also, I would like to avoid another "just because it is nicer" > > > > > >> module dependence (XTS->XEX->ECB). > > > > > >> Last time (when XTS was reimplemented using ECB) we have many > > > > > >> reports with initramfs > > > > > >> missing ECB module preventing boot from AES-XTS encrypted root > > > > > >> after kernel upgrade... > > > > > >> Just saying. (Despite the last time it was keyring what broke > > > > > >> encrypted boot ;-) > > > > > >> > > > > > > > > > > > > Can't the "missing modules in initramfs" issue be solved by using a > > > > > > MODULE_SOFTDEP()? Actually, why isn't that being used for xts -> > > > > > > ecb already? > > > > > > > > > > > > (There was also a bug where CONFIG_CRYPTO_XTS didn't select > > > > > > CONFIG_CRYPTO_ECB, > > > > > > but that was simply a bug, which was fixed.) > > > > > > > > > > Sure, and it is solved now. (Some systems with a hardcoded list of > > > > > modules > > > > > have to be manually updated etc., but that is just bad design). > > > > > It can be done properly from the beginning. > > > > > > > > > > I just want to say that that switching to XEX looks like wasting time > > > > > to me > > > > > for no additional benefit. > > > > > > > > > > Fully implementing XTS does make much more sense for me, even though > > > > > it is long-term > > > > > the effort and the only user, for now, would be testmgr. > > > > > > > > > > So, there are no users because it does not work. It makes no sense > > > > > to implement it, because there are no users... (sorry, sounds like > > > > > catch 22 :) > > > > > > > > > > (Maybe someone can use it for keyslot encryption for keys not aligned > > > > > to > > > > > block size, dunno. Actually, some filesystem encryption could have > > > > > use for it.) > > > > > > > > > > > Or "xts" and "xex" could go in the same kernel module xts.ko, which > > > > > > would make > > > > > > this a non-issue. > > > > > > > > > > If it is not available for users, I really see no reason to introduce > > > > > XEX when > > > > > it is just XTS with full blocks. > > > > > > > > > > If it is visible to users, it needs some work in userspace - XEX (as > > > > > XTS) need two keys, > > > > > people are already confused enough that 256bit key in AES-XTS means > > > > > AES-128... > > > > > So the examples, hints, man pages need to be updated, at least. > > > > > > > > > > > > > OK, consider me persuaded. We are already exposing xts(...) to > > > > userland, and since we already implement a proper subset of true XTS, > > > > it will be simply a matter of making sure that the existing XTS > > > > implementations don't regress in performance on the non-CTS code > > > > paths. > > > > > > > > It would be useful, though, to have some generic helper functions, > > > > e.g., like the one we have for CBC, or the one I recently proposed for > > > > CTS, so that existing implementations (such as the bit sliced AES) can > > > > easily be augmented with a CTS code path (but performance may not be > > > > optimal in those cases). For the ARM implementations based on AES > > > > instructions, it should be reasonably straight forward to implement it > > > > close to optimally by reusing some of the code I added for CBC-CTS > > > > (but I won't get around to doing that for a while). If there are any > > > > volunteers for looking into the generic or x86/AES-NI implementations, > > > > please come forward :-) Also, if any of the publications that were > > > > quoted in this thread have suitable test vectors, that would be good > > > > to know. > > > > > > Unfortunately, these algorithm & protocol specifications tend to be very > > > frugal when it > > > comes to providing test vectors, barely scratching the surface of any > > > corner cases, but > > > at least there is one non-multiple-of-16 vector in the original IEEE > > > P1619 / D16 > > > specification in Annex B Test Vectors (last vector, "XTS-AES-128 applied > > > for a data unit > > > that is not a multiple of 16 bytes") > > > > > > > Actually, that spec has a couple of test vectors. Unfortunately, they > > are all rather short (except the last one in the 'no multiple of 16 > > bytes' paragraph, but unfortunately, that one is in fact a multiple of > > 16 bytes) > > > > I added them here [0] along with an arm64 implementation for the AES > > instruction based driver. Could you please double check that these > > work against your driver? > > > I got XTS working with the inside-secure driver and these (and all other) > vectors pass :-) >
Excellent, thanks for the report. May I add your Tested-by when I post the patch? (just the one that adds the test vectors) > > That would establish a ground truth against > > which we can implement the generic version as well. > > > > [0] > > https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=xts-cts > > > > > Besides that, I'd be happy to generate some testvectors from our > > > defacto-standard > > > implementation ;-) > > > > > > > One or two larger ones would be useful, yes. > > > I'll see if I can extract some suitable vectors from our verification suite > ... > Great. Once available, I'll run them against my implementations and report back. -- dm-devel mailing list dm-devel@redhat.com https://www.redhat.com/mailman/listinfo/dm-devel