All of lore.kernel.org
 help / color / mirror / Atom feed
From: Eric Biggers <ebiggers@kernel.org>
To: linux-block@vger.kernel.org, linux-fscrypt@vger.kernel.org
Cc: linux-arm-msm@vger.kernel.org, kernel-team@android.com,
	Thara Gopinath <thara.gopinath@linaro.org>,
	Gaurav Kashyap <gaurkash@codeaurora.org>,
	Satya Tangirala <satyaprateek2357@gmail.com>
Subject: Re: [RFC PATCH v2 4/5] fscrypt: allow 256-bit master keys with AES-256-XTS
Date: Mon, 20 Sep 2021 20:16:44 -0700	[thread overview]
Message-ID: <YUlOnG4bfj7beDah@sol.localdomain> (raw)
In-Reply-To: <20210916174928.65529-5-ebiggers@kernel.org>

On Thu, Sep 16, 2021 at 10:49:27AM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> fscrypt currently requires a 512-bit master key when AES-256-XTS is
> used, since AES-256-XTS keys are 512-bit and fscrypt requires that the
> master key be at least as long any key that will be derived from it.
> 
> However, this is overly strict because AES-256-XTS doesn't actually have
> a 512-bit security strength, but rather 256-bit.  The fact that XTS
> takes twice the expected key size is a quirk of the XTS mode.  It is
> sufficient to use 256 bits of entropy for AES-256-XTS, provided that it
> is first properly expanded into a 512-bit key, which HKDF-SHA512 does.
> 
> Therefore, relax the check of the master key size to use the security
> strength of the derived key rather than the size of the derived key
> (except for v1 encryption policies, which don't use HKDF).
> 
> Besides making things more flexible for userspace, this is needed in
> order for the use of a KDF which only takes a 256-bit key to be
> introduced into the fscrypt key hierarchy.  This will happen with
> hardware-wrapped keys support, as all known hardware which supports that
> feature uses an SP800-108 KDF using AES-256-CMAC, so the wrapped keys
> are wrapped 256-bit AES keys.  Moreover, there is interest in fscrypt
> supporting the same type of AES-256-CMAC based KDF in software as an
> alternative to HKDF-SHA512.  There is no security problem with such
> features, so fix the key length check to work properly with them.
> 
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
>  fs/crypto/fscrypt_private.h |  5 ++--
>  fs/crypto/hkdf.c            | 11 +++++--
>  fs/crypto/keysetup.c        | 57 +++++++++++++++++++++++++++++--------
>  3 files changed, 56 insertions(+), 17 deletions(-)

I've applied this patch to fscrypt.git#master for 5.16, as it's a useful cleanup
which isn't dependent on the hardware-wrapped keys feature.  I also fixed this
patch to update the documentation, which I had overlooked in this case.

- Eric

  parent reply	other threads:[~2021-09-21  3:30 UTC|newest]

Thread overview: 10+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-16 17:49 [RFC PATCH v2 0/5] Support for hardware-wrapped inline encryption keys Eric Biggers
2021-09-16 17:49 ` [RFC PATCH v2 1/5] block: add basic hardware-wrapped key support Eric Biggers
2021-09-16 17:49 ` [RFC PATCH v2 2/5] block: add ioctls to create and prepare hardware-wrapped keys Eric Biggers
2021-09-16 17:49 ` [RFC PATCH v2 3/5] fscrypt: improve documentation for inline encryption Eric Biggers
2021-09-21  3:13   ` Eric Biggers
2021-09-16 17:49 ` [RFC PATCH v2 4/5] fscrypt: allow 256-bit master keys with AES-256-XTS Eric Biggers
2021-09-17 17:46   ` Paul Crowley
2021-09-21  3:16   ` Eric Biggers [this message]
2021-09-16 17:49 ` [RFC PATCH v2 5/5] fscrypt: add support for hardware-wrapped keys Eric Biggers
2021-09-27 18:12 ` [RFC PATCH v2 0/5] Support for hardware-wrapped inline encryption keys Eric Biggers

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YUlOnG4bfj7beDah@sol.localdomain \
    --to=ebiggers@kernel.org \
    --cc=gaurkash@codeaurora.org \
    --cc=kernel-team@android.com \
    --cc=linux-arm-msm@vger.kernel.org \
    --cc=linux-block@vger.kernel.org \
    --cc=linux-fscrypt@vger.kernel.org \
    --cc=satyaprateek2357@gmail.com \
    --cc=thara.gopinath@linaro.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.