RE: [dm-devel] xts fuzz testing and lack of ciphertext stealing support

From: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Milan Broz <gmazyland@gmail.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	"dm-devel@redhat.com" <dm-devel@redhat.com>,
	"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
	Horia Geanta <horia.geanta@nxp.com>
Subject: RE: [dm-devel] xts fuzz testing and lack of ciphertext stealing support
Date: Thu, 25 Jul 2019 07:49:34 +0000	[thread overview]
Message-ID: <MN2PR20MB2973CAE4E9CFFE1F417B2509CAC10@MN2PR20MB2973.namprd20.prod.outlook.com> (raw)
In-Reply-To: <CAKv+Gu-8n_DoauycDQS_9zzRew1rTuPaLxHyg6xhXMmqEvMaCA@mail.gmail.com>


> -----Original Message-----
> From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Sent: Thursday, July 25, 2019 8:22 AM
> To: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>
> Cc: Milan Broz <gmazyland@gmail.com>; Herbert Xu <herbert@gondor.apana.org.au>; dm-devel@redhat.com; linux-
> crypto@vger.kernel.org; Horia Geanta <horia.geanta@nxp.com>
> Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing support
> 
> > >
> > > Actually, that spec has a couple of test vectors. Unfortunately, they
> > > are all rather short (except the last one in the 'no multiple of 16
> > > bytes' paragraph, but unfortunately, that one is in fact a multiple of
> > > 16 bytes)
> > >
> > > I added them here [0] along with an arm64 implementation for the AES
> > > instruction based driver. Could you please double check that these
> > > work against your driver?
> > >
> > I got XTS working with the inside-secure driver and these (and all other) vectors pass :-)
> >
> 
> Excellent, thanks for the report. May I add your Tested-by when I post
> the patch? (just the one that adds the test vectors)
> 
Sure, feel free

> > > That would establish a ground truth against
> > > which we can implement the generic version as well.
> > >
> > > [0] https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=xts-cts
> > >
> > > > Besides that, I'd be happy to generate some testvectors from our defacto-standard
> > > > implementation ;-)
> > > >
> > >
> > > One or two larger ones would be useful, yes.
> > >
> > I'll see if I can extract some suitable vectors from our verification suite ...
> >
> 
> Great. Once available, I'll run them against my implementations and report back.
>
Just wondering ... do you have any particular requirements on the sizes?
From my implementation's perspective, it doesn't make a whole lot of sense to test vectors 
of more than 3 times the cipher block size, but then I realized that you probably need
larger vectors due to the loop unrolling you do for the vector implementations?
You also don't want them to be too big as they take up space in the kernel image ...

Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
www.insidesecure.com