* [PATCH v2] crypto: Introduce SM4 symmetric cipher algorithm
@ 2023-11-28 15:24 Hyman Huang
2023-11-28 15:57 ` Philippe Mathieu-Daudé
0 siblings, 1 reply; 6+ messages in thread
From: Hyman Huang @ 2023-11-28 15:24 UTC (permalink / raw)
To: qemu-devel
Cc: Daniel P . Berrangé,
Paolo Bonzini, Marc-André Lureau, Thomas Huth,
Philippe Mathieu-Daudé,
Eric Blake, Markus Armbruster, Hyman Huang
Introduce the SM4 cipher algorithms (OSCCA GB/T 32907-2016).
SM4 (GBT.32907-2016) is a cryptographic standard issued by the
Organization of State Commercial Administration of China (OSCCA)
as an authorized cryptographic algorithms for the use within China.
Use the crypto-sm4 meson build option for enabling this feature.
Signed-off-by: Hyman Huang <yong.huang@smartx.com>
---
crypto/block-luks.c | 11 ++++++++
crypto/cipher-gcrypt.c.inc | 8 ++++++
crypto/cipher-nettle.c.inc | 49 +++++++++++++++++++++++++++++++++
crypto/cipher.c | 6 ++++
meson.build | 23 ++++++++++++++++
meson_options.txt | 2 ++
qapi/crypto.json | 5 +++-
scripts/meson-buildoptions.sh | 3 ++
tests/unit/test-crypto-cipher.c | 13 +++++++++
9 files changed, 119 insertions(+), 1 deletion(-)
diff --git a/crypto/block-luks.c b/crypto/block-luks.c
index fb01ec38bb..f0813d69b4 100644
--- a/crypto/block-luks.c
+++ b/crypto/block-luks.c
@@ -95,12 +95,23 @@ qcrypto_block_luks_cipher_size_map_twofish[] = {
{ 0, 0 },
};
+#ifdef CONFIG_CRYPTO_SM4
+static const QCryptoBlockLUKSCipherSizeMap
+qcrypto_block_luks_cipher_size_map_sm4[] = {
+ { 16, QCRYPTO_CIPHER_ALG_SM4},
+ { 0, 0 },
+};
+#endif
+
static const QCryptoBlockLUKSCipherNameMap
qcrypto_block_luks_cipher_name_map[] = {
{ "aes", qcrypto_block_luks_cipher_size_map_aes },
{ "cast5", qcrypto_block_luks_cipher_size_map_cast5 },
{ "serpent", qcrypto_block_luks_cipher_size_map_serpent },
{ "twofish", qcrypto_block_luks_cipher_size_map_twofish },
+#ifdef CONFIG_CRYPTO_SM4
+ { "sm4", qcrypto_block_luks_cipher_size_map_sm4},
+#endif
};
QEMU_BUILD_BUG_ON(sizeof(struct QCryptoBlockLUKSKeySlot) != 48);
diff --git a/crypto/cipher-gcrypt.c.inc b/crypto/cipher-gcrypt.c.inc
index a6a0117717..1377cbaf14 100644
--- a/crypto/cipher-gcrypt.c.inc
+++ b/crypto/cipher-gcrypt.c.inc
@@ -35,6 +35,9 @@ bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
case QCRYPTO_CIPHER_ALG_SERPENT_256:
case QCRYPTO_CIPHER_ALG_TWOFISH_128:
case QCRYPTO_CIPHER_ALG_TWOFISH_256:
+#ifdef CONFIG_CRYPTO_SM4
+ case QCRYPTO_CIPHER_ALG_SM4:
+#endif
break;
default:
return false;
@@ -219,6 +222,11 @@ static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg,
case QCRYPTO_CIPHER_ALG_TWOFISH_256:
gcryalg = GCRY_CIPHER_TWOFISH;
break;
+#ifdef CONFIG_CRYPTO_SM4
+ case QCRYPTO_CIPHER_ALG_SM4:
+ gcryalg = GCRY_CIPHER_SM4;
+ break;
+#endif
default:
error_setg(errp, "Unsupported cipher algorithm %s",
QCryptoCipherAlgorithm_str(alg));
diff --git a/crypto/cipher-nettle.c.inc b/crypto/cipher-nettle.c.inc
index 24cc61f87b..42b39e18a2 100644
--- a/crypto/cipher-nettle.c.inc
+++ b/crypto/cipher-nettle.c.inc
@@ -33,6 +33,9 @@
#ifndef CONFIG_QEMU_PRIVATE_XTS
#include <nettle/xts.h>
#endif
+#ifdef CONFIG_CRYPTO_SM4
+#include <nettle/sm4.h>
+#endif
static inline bool qcrypto_length_check(size_t len, size_t blocksize,
Error **errp)
@@ -426,6 +429,30 @@ DEFINE_ECB_CBC_CTR_XTS(qcrypto_nettle_twofish,
QCryptoNettleTwofish, TWOFISH_BLOCK_SIZE,
twofish_encrypt_native, twofish_decrypt_native)
+#ifdef CONFIG_CRYPTO_SM4
+typedef struct QCryptoNettleSm4 {
+ QCryptoCipher base;
+ struct sm4_ctx key[2];
+} QCryptoNettleSm4;
+
+static void sm4_encrypt_native(void *ctx, size_t length,
+ uint8_t *dst, const uint8_t *src)
+{
+ struct sm4_ctx *keys = ctx;
+ sm4_crypt(&keys[0], length, dst, src);
+}
+
+static void sm4_decrypt_native(void *ctx, size_t length,
+ uint8_t *dst, const uint8_t *src)
+{
+ struct sm4_ctx *keys = ctx;
+ sm4_crypt(&keys[1], length, dst, src);
+}
+
+DEFINE_ECB(qcrypto_nettle_sm4,
+ QCryptoNettleSm4, SM4_BLOCK_SIZE,
+ sm4_encrypt_native, sm4_decrypt_native)
+#endif
bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
QCryptoCipherMode mode)
@@ -443,6 +470,9 @@ bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
case QCRYPTO_CIPHER_ALG_TWOFISH_128:
case QCRYPTO_CIPHER_ALG_TWOFISH_192:
case QCRYPTO_CIPHER_ALG_TWOFISH_256:
+#ifdef CONFIG_CRYPTO_SM4
+ case QCRYPTO_CIPHER_ALG_SM4:
+#endif
break;
default:
return false;
@@ -701,6 +731,25 @@ static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg,
return &ctx->base;
}
+#ifdef CONFIG_CRYPTO_SM4
+ case QCRYPTO_CIPHER_ALG_SM4:
+ {
+ QCryptoNettleSm4 *ctx = g_new0(QCryptoNettleSm4, 1);
+
+ switch (mode) {
+ case QCRYPTO_CIPHER_MODE_ECB:
+ ctx->base.driver = &qcrypto_nettle_sm4_driver_ecb;
+ break;
+ default:
+ goto bad_cipher_mode;
+ }
+
+ sm4_set_encrypt_key(&ctx->key[0], key);
+ sm4_set_decrypt_key(&ctx->key[1], key);
+
+ return &ctx->base;
+ }
+#endif
default:
error_setg(errp, "Unsupported cipher algorithm %s",
diff --git a/crypto/cipher.c b/crypto/cipher.c
index 74b09a5b26..5f512768ea 100644
--- a/crypto/cipher.c
+++ b/crypto/cipher.c
@@ -38,6 +38,9 @@ static const size_t alg_key_len[QCRYPTO_CIPHER_ALG__MAX] = {
[QCRYPTO_CIPHER_ALG_TWOFISH_128] = 16,
[QCRYPTO_CIPHER_ALG_TWOFISH_192] = 24,
[QCRYPTO_CIPHER_ALG_TWOFISH_256] = 32,
+#ifdef CONFIG_CRYPTO_SM4
+ [QCRYPTO_CIPHER_ALG_SM4] = 16,
+#endif
};
static const size_t alg_block_len[QCRYPTO_CIPHER_ALG__MAX] = {
@@ -53,6 +56,9 @@ static const size_t alg_block_len[QCRYPTO_CIPHER_ALG__MAX] = {
[QCRYPTO_CIPHER_ALG_TWOFISH_128] = 16,
[QCRYPTO_CIPHER_ALG_TWOFISH_192] = 16,
[QCRYPTO_CIPHER_ALG_TWOFISH_256] = 16,
+#ifdef CONFIG_CRYPTO_SM4
+ [QCRYPTO_CIPHER_ALG_SM4] = 16,
+#endif
};
static const bool mode_need_iv[QCRYPTO_CIPHER_MODE__MAX] = {
diff --git a/meson.build b/meson.build
index ec01f8b138..256d3257bb 100644
--- a/meson.build
+++ b/meson.build
@@ -1480,6 +1480,7 @@ endif
gcrypt = not_found
nettle = not_found
hogweed = not_found
+crypto_sm4 = not_found
xts = 'none'
if get_option('nettle').enabled() and get_option('gcrypt').enabled()
@@ -1514,6 +1515,26 @@ if not gnutls_crypto.found()
xts = 'private'
endif
endif
+ if get_option('crypto_sm4').enabled()
+ if get_option('gcrypt').enabled()
+ # SM4 ALG is available in libgcrypt >= 1.9
+ crypto_sm4 = dependency('libgcrypt', version: '>=1.9',
+ method: 'config-tool',
+ required: get_option('gcrypt'))
+ # SM4 ALG static compilation
+ if crypto_sm4.found() and get_option('prefer_static')
+ crypto_sm4 = declare_dependency(dependencies: [
+ crypto_sm4,
+ cc.find_library('gpg-error', required: true)],
+ version: crypto_sm4.version())
+ endif
+ else
+ # SM4 ALG is available in nettle >= 3.9
+ crypto_sm4 = dependency('nettle', version: '>=3.9',
+ method: 'pkg-config',
+ required: get_option('nettle'))
+ endif
+ endif
endif
gmp = dependency('gmp', required: false, method: 'pkg-config')
@@ -2199,6 +2220,7 @@ config_host_data.set('CONFIG_GNUTLS_CRYPTO', gnutls_crypto.found())
config_host_data.set('CONFIG_TASN1', tasn1.found())
config_host_data.set('CONFIG_GCRYPT', gcrypt.found())
config_host_data.set('CONFIG_NETTLE', nettle.found())
+config_host_data.set('CONFIG_CRYPTO_SM4', crypto_sm4.found())
config_host_data.set('CONFIG_HOGWEED', hogweed.found())
config_host_data.set('CONFIG_QEMU_PRIVATE_XTS', xts == 'private')
config_host_data.set('CONFIG_MALLOC_TRIM', has_malloc_trim)
@@ -4273,6 +4295,7 @@ summary_info += {'nettle': nettle}
if nettle.found()
summary_info += {' XTS': xts != 'private'}
endif
+summary_info += {'SM4 ALG support': crypto_sm4}
summary_info += {'AF_ALG support': have_afalg}
summary_info += {'rng-none': get_option('rng_none')}
summary_info += {'Linux keyring': have_keyring}
diff --git a/meson_options.txt b/meson_options.txt
index c9baeda639..db8de4ec5b 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -172,6 +172,8 @@ option('nettle', type : 'feature', value : 'auto',
description: 'nettle cryptography support')
option('gcrypt', type : 'feature', value : 'auto',
description: 'libgcrypt cryptography support')
+option('crypto_sm4', type : 'feature', value : 'auto',
+ description: 'SM4 symmetric cipher algorithm support')
option('crypto_afalg', type : 'feature', value : 'disabled',
description: 'Linux AF_ALG crypto backend driver')
option('libdaxctl', type : 'feature', value : 'auto',
diff --git a/qapi/crypto.json b/qapi/crypto.json
index fd3d46ebd1..2f2aeff5fd 100644
--- a/qapi/crypto.json
+++ b/qapi/crypto.json
@@ -94,6 +94,8 @@
#
# @twofish-256: Twofish with 256 bit / 32 byte keys
#
+# @sm4: SM4 with 128 bit / 16 byte keys (since 9.0)
+#
# Since: 2.6
##
{ 'enum': 'QCryptoCipherAlgorithm',
@@ -102,7 +104,8 @@
'des', '3des',
'cast5-128',
'serpent-128', 'serpent-192', 'serpent-256',
- 'twofish-128', 'twofish-192', 'twofish-256']}
+ 'twofish-128', 'twofish-192', 'twofish-256',
+ 'sm4']}
##
# @QCryptoCipherMode:
diff --git a/scripts/meson-buildoptions.sh b/scripts/meson-buildoptions.sh
index 680fa3f581..f189f34829 100644
--- a/scripts/meson-buildoptions.sh
+++ b/scripts/meson-buildoptions.sh
@@ -106,6 +106,7 @@ meson_options_help() {
printf "%s\n" ' colo-proxy colo-proxy support'
printf "%s\n" ' coreaudio CoreAudio sound support'
printf "%s\n" ' crypto-afalg Linux AF_ALG crypto backend driver'
+ printf "%s\n" ' crypto-sm4 SM4 symmetric cipher algorithm support'
printf "%s\n" ' curl CURL block device driver'
printf "%s\n" ' curses curses UI'
printf "%s\n" ' dbus-display -display dbus support'
@@ -282,6 +283,8 @@ _meson_option_parse() {
--disable-coroutine-pool) printf "%s" -Dcoroutine_pool=false ;;
--enable-crypto-afalg) printf "%s" -Dcrypto_afalg=enabled ;;
--disable-crypto-afalg) printf "%s" -Dcrypto_afalg=disabled ;;
+ --enable-crypto-sm4) printf "%s" -Dcrypto_sm4=enabled ;;
+ --disable-crypto-sm4) printf "%s" -Dcrypto_sm4=disabled ;;
--enable-curl) printf "%s" -Dcurl=enabled ;;
--disable-curl) printf "%s" -Dcurl=disabled ;;
--enable-curses) printf "%s" -Dcurses=enabled ;;
diff --git a/tests/unit/test-crypto-cipher.c b/tests/unit/test-crypto-cipher.c
index d9d9d078ff..11ab1a54fc 100644
--- a/tests/unit/test-crypto-cipher.c
+++ b/tests/unit/test-crypto-cipher.c
@@ -382,6 +382,19 @@ static QCryptoCipherTestData test_data[] = {
.plaintext = "90afe91bb288544f2c32dc239b2635e6",
.ciphertext = "6cb4561c40bf0a9705931cb6d408e7fa",
},
+#ifdef CONFIG_CRYPTO_SM4
+ {
+ /* SM4, GB/T 32907-2016, Appendix A.1 */
+ .path = "/crypto/cipher/sm4",
+ .alg = QCRYPTO_CIPHER_ALG_SM4,
+ .mode = QCRYPTO_CIPHER_MODE_ECB,
+ .key = "0123456789abcdeffedcba9876543210",
+ .plaintext =
+ "0123456789abcdeffedcba9876543210",
+ .ciphertext =
+ "681edf34d206965e86b3e94f536e4246",
+ },
+#endif
{
/* #1 32 byte key, 32 byte PTX */
.path = "/crypto/cipher/aes-xts-128-1",
--
2.39.1
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH v2] crypto: Introduce SM4 symmetric cipher algorithm
2023-11-28 15:24 [PATCH v2] crypto: Introduce SM4 symmetric cipher algorithm Hyman Huang
@ 2023-11-28 15:57 ` Philippe Mathieu-Daudé
2023-11-28 16:20 ` Daniel P. Berrangé
2023-11-29 1:43 ` Yong Huang
0 siblings, 2 replies; 6+ messages in thread
From: Philippe Mathieu-Daudé @ 2023-11-28 15:57 UTC (permalink / raw)
To: Hyman Huang, qemu-devel
Cc: Daniel P . Berrangé,
Paolo Bonzini, Marc-André Lureau, Thomas Huth, Eric Blake,
Markus Armbruster
Hi Hyman,
On 28/11/23 16:24, Hyman Huang wrote:
> Introduce the SM4 cipher algorithms (OSCCA GB/T 32907-2016).
>
> SM4 (GBT.32907-2016) is a cryptographic standard issued by the
> Organization of State Commercial Administration of China (OSCCA)
> as an authorized cryptographic algorithms for the use within China.
>
> Use the crypto-sm4 meson build option for enabling this feature.
>
> Signed-off-by: Hyman Huang <yong.huang@smartx.com>
> ---
> crypto/block-luks.c | 11 ++++++++
> crypto/cipher-gcrypt.c.inc | 8 ++++++
> crypto/cipher-nettle.c.inc | 49 +++++++++++++++++++++++++++++++++
> crypto/cipher.c | 6 ++++
> meson.build | 23 ++++++++++++++++
> meson_options.txt | 2 ++
> qapi/crypto.json | 5 +++-
> scripts/meson-buildoptions.sh | 3 ++
> tests/unit/test-crypto-cipher.c | 13 +++++++++
> 9 files changed, 119 insertions(+), 1 deletion(-)
> diff --git a/meson.build b/meson.build
> index ec01f8b138..256d3257bb 100644
> --- a/meson.build
> +++ b/meson.build
> @@ -1480,6 +1480,7 @@ endif
> gcrypt = not_found
> nettle = not_found
> hogweed = not_found
> +crypto_sm4 = not_found
> xts = 'none'
>
> if get_option('nettle').enabled() and get_option('gcrypt').enabled()
> @@ -1514,6 +1515,26 @@ if not gnutls_crypto.found()
> xts = 'private'
> endif
> endif
> + if get_option('crypto_sm4').enabled()
We want to detect it by default (not only when explicitly enabled) ...
> + if get_option('gcrypt').enabled()
> + # SM4 ALG is available in libgcrypt >= 1.9
> + crypto_sm4 = dependency('libgcrypt', version: '>=1.9',
> + method: 'config-tool',
> + required: get_option('gcrypt'))
> + # SM4 ALG static compilation
> + if crypto_sm4.found() and get_option('prefer_static')
> + crypto_sm4 = declare_dependency(dependencies: [
> + crypto_sm4,
> + cc.find_library('gpg-error', required: true)],
> + version: crypto_sm4.version())
> + endif
> + else
> + # SM4 ALG is available in nettle >= 3.9
> + crypto_sm4 = dependency('nettle', version: '>=3.9',
> + method: 'pkg-config',
> + required: get_option('nettle'))
> + endif
... and if it was forced with --enable-crypto_sm4 AND not found,
display an error.
IIUC your config you try to find the best effort implementation then
if not found, keep going silently.
> + endif
> endif
> diff --git a/scripts/meson-buildoptions.sh b/scripts/meson-buildoptions.sh
> index 680fa3f581..f189f34829 100644
> --- a/scripts/meson-buildoptions.sh
> +++ b/scripts/meson-buildoptions.sh
> @@ -106,6 +106,7 @@ meson_options_help() {
> printf "%s\n" ' colo-proxy colo-proxy support'
> printf "%s\n" ' coreaudio CoreAudio sound support'
> printf "%s\n" ' crypto-afalg Linux AF_ALG crypto backend driver'
> + printf "%s\n" ' crypto-sm4 SM4 symmetric cipher algorithm support'
> printf "%s\n" ' curl CURL block device driver'
> printf "%s\n" ' curses curses UI'
> printf "%s\n" ' dbus-display -display dbus support'
> @@ -282,6 +283,8 @@ _meson_option_parse() {
> --disable-coroutine-pool) printf "%s" -Dcoroutine_pool=false ;;
> --enable-crypto-afalg) printf "%s" -Dcrypto_afalg=enabled ;;
> --disable-crypto-afalg) printf "%s" -Dcrypto_afalg=disabled ;;
> + --enable-crypto-sm4) printf "%s" -Dcrypto_sm4=enabled ;;
> + --disable-crypto-sm4) printf "%s" -Dcrypto_sm4=disabled ;;
> --enable-curl) printf "%s" -Dcurl=enabled ;;
> --disable-curl) printf "%s" -Dcurl=disabled ;;
> --enable-curses) printf "%s" -Dcurses=enabled ;;
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v2] crypto: Introduce SM4 symmetric cipher algorithm
2023-11-28 15:57 ` Philippe Mathieu-Daudé
@ 2023-11-28 16:20 ` Daniel P. Berrangé
2023-11-29 1:40 ` Yong Huang
2023-11-29 1:43 ` Yong Huang
1 sibling, 1 reply; 6+ messages in thread
From: Daniel P. Berrangé @ 2023-11-28 16:20 UTC (permalink / raw)
To: Philippe Mathieu-Daudé
Cc: Hyman Huang, qemu-devel, Paolo Bonzini, Marc-André Lureau,
Thomas Huth, Eric Blake, Markus Armbruster
On Tue, Nov 28, 2023 at 04:57:20PM +0100, Philippe Mathieu-Daudé wrote:
> Hi Hyman,
>
> On 28/11/23 16:24, Hyman Huang wrote:
> > Introduce the SM4 cipher algorithms (OSCCA GB/T 32907-2016).
> >
> > SM4 (GBT.32907-2016) is a cryptographic standard issued by the
> > Organization of State Commercial Administration of China (OSCCA)
> > as an authorized cryptographic algorithms for the use within China.
> >
> > Use the crypto-sm4 meson build option for enabling this feature.
> >
> > Signed-off-by: Hyman Huang <yong.huang@smartx.com>
> > ---
> > crypto/block-luks.c | 11 ++++++++
> > crypto/cipher-gcrypt.c.inc | 8 ++++++
> > crypto/cipher-nettle.c.inc | 49 +++++++++++++++++++++++++++++++++
> > crypto/cipher.c | 6 ++++
> > meson.build | 23 ++++++++++++++++
> > meson_options.txt | 2 ++
> > qapi/crypto.json | 5 +++-
> > scripts/meson-buildoptions.sh | 3 ++
> > tests/unit/test-crypto-cipher.c | 13 +++++++++
> > 9 files changed, 119 insertions(+), 1 deletion(-)
>
>
> > diff --git a/meson.build b/meson.build
> > index ec01f8b138..256d3257bb 100644
> > --- a/meson.build
> > +++ b/meson.build
> > @@ -1480,6 +1480,7 @@ endif
> > gcrypt = not_found
> > nettle = not_found
> > hogweed = not_found
> > +crypto_sm4 = not_found
> > xts = 'none'
> > if get_option('nettle').enabled() and get_option('gcrypt').enabled()
> > @@ -1514,6 +1515,26 @@ if not gnutls_crypto.found()
> > xts = 'private'
> > endif
> > endif
> > + if get_option('crypto_sm4').enabled()
>
> We want to detect it by default (not only when explicitly enabled) ...
>
> > + if get_option('gcrypt').enabled()
> > + # SM4 ALG is available in libgcrypt >= 1.9
> > + crypto_sm4 = dependency('libgcrypt', version: '>=1.9',
> > + method: 'config-tool',
> > + required: get_option('gcrypt'))
> > + # SM4 ALG static compilation
> > + if crypto_sm4.found() and get_option('prefer_static')
> > + crypto_sm4 = declare_dependency(dependencies: [
> > + crypto_sm4,
> > + cc.find_library('gpg-error', required: true)],
> > + version: crypto_sm4.version())
> > + endif
> > + else
> > + # SM4 ALG is available in nettle >= 3.9
> > + crypto_sm4 = dependency('nettle', version: '>=3.9',
> > + method: 'pkg-config',
> > + required: get_option('nettle'))
> > + endif
>
> ... and if it was forced with --enable-crypto_sm4 AND not found,
> display an error.
>
> IIUC your config you try to find the best effort implementation then
> if not found, keep going silently.
Yes, ignore the get_option() calls, and instead look at .found()
in the library we just detected
ie
if nettle.found()
....check sm4 in nettle
endif
if gcrypt.found()
....check sm4 in crypt
endif
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v2] crypto: Introduce SM4 symmetric cipher algorithm
2023-11-28 16:20 ` Daniel P. Berrangé
@ 2023-11-29 1:40 ` Yong Huang
2023-11-29 16:50 ` Daniel P. Berrangé
0 siblings, 1 reply; 6+ messages in thread
From: Yong Huang @ 2023-11-29 1:40 UTC (permalink / raw)
To: Daniel P. Berrangé
Cc: Philippe Mathieu-Daudé,
qemu-devel, Paolo Bonzini, Marc-André Lureau, Thomas Huth,
Eric Blake, Markus Armbruster
[-- Attachment #1: Type: text/plain, Size: 4253 bytes --]
I'll try to understand the comment, if i misunderstood, please point out.
On Wed, Nov 29, 2023 at 12:20 AM Daniel P. Berrangé <berrange@redhat.com>
wrote:
> On Tue, Nov 28, 2023 at 04:57:20PM +0100, Philippe Mathieu-Daudé wrote:
> > Hi Hyman,
> >
> > On 28/11/23 16:24, Hyman Huang wrote:
> > > Introduce the SM4 cipher algorithms (OSCCA GB/T 32907-2016).
> > >
> > > SM4 (GBT.32907-2016) is a cryptographic standard issued by the
> > > Organization of State Commercial Administration of China (OSCCA)
> > > as an authorized cryptographic algorithms for the use within China.
> > >
> > > Use the crypto-sm4 meson build option for enabling this feature.
> > >
> > > Signed-off-by: Hyman Huang <yong.huang@smartx.com>
> > > ---
> > > crypto/block-luks.c | 11 ++++++++
> > > crypto/cipher-gcrypt.c.inc | 8 ++++++
> > > crypto/cipher-nettle.c.inc | 49
> +++++++++++++++++++++++++++++++++
> > > crypto/cipher.c | 6 ++++
> > > meson.build | 23 ++++++++++++++++
> > > meson_options.txt | 2 ++
> > > qapi/crypto.json | 5 +++-
> > > scripts/meson-buildoptions.sh | 3 ++
> > > tests/unit/test-crypto-cipher.c | 13 +++++++++
> > > 9 files changed, 119 insertions(+), 1 deletion(-)
> >
> >
> > > diff --git a/meson.build b/meson.build
> > > index ec01f8b138..256d3257bb 100644
> > > --- a/meson.build
> > > +++ b/meson.build
> > > @@ -1480,6 +1480,7 @@ endif
> > > gcrypt = not_found
> > > nettle = not_found
> > > hogweed = not_found
> > > +crypto_sm4 = not_found
> > > xts = 'none'
> > > if get_option('nettle').enabled() and get_option('gcrypt').enabled()
> > > @@ -1514,6 +1515,26 @@ if not gnutls_crypto.found()
> > > xts = 'private'
> > > endif
> > > endif
> > > + if get_option('crypto_sm4').enabled()
> >
> > We want to detect it by default (not only when explicitly enabled) ...
> >
> > > + if get_option('gcrypt').enabled()
> > > + # SM4 ALG is available in libgcrypt >= 1.9
> > > + crypto_sm4 = dependency('libgcrypt', version: '>=1.9',
> > > + method: 'config-tool',
> > > + required: get_option('gcrypt'))
> > > + # SM4 ALG static compilation
> > > + if crypto_sm4.found() and get_option('prefer_static')
> > > + crypto_sm4 = declare_dependency(dependencies: [
> > > + crypto_sm4,
> > > + cc.find_library('gpg-error', required: true)],
> > > + version: crypto_sm4.version())
> > > + endif
> > > + else
> > > + # SM4 ALG is available in nettle >= 3.9
> > > + crypto_sm4 = dependency('nettle', version: '>=3.9',
> > > + method: 'pkg-config',
> > > + required: get_option('nettle'))
> > > + endif
> >
> > ... and if it was forced with --enable-crypto_sm4 AND not found,
> > display an error.
> >
> > IIUC your config you try to find the best effort implementation then
> > if not found, keep going silently.
>
> Yes, ignore the get_option() calls, and instead look at .found()
> in the library we just detected
>
ie
>
> if nettle.found()
> ....check sm4 in nettle
> endif
>
> if gcrypt.found()
> ....check sm4 in crypt
> endif
>
> To detect if sm4 is supported, there may be two methods:
One is to specify the version explicitly(ligcrypt >=1.9,nettle >= 3.9)
as in patch
Another is to use the cc.link for a test. eg:
+ crypto_sm4 = gcrypt
+ if gcrypt.found() and not cc.links('''
+ #include <gcrypt.h>
+ void main(void) {
+ gcry_cipher_hd_t handler;
+ gcry_cipher_open(&handler, GCRY_CIPHER_SM4,
GCRY_CIPHER_MODE_ECB, 0);
+ }''', dependencies: gcrypt)
+ crypto_sm4 = not_found
+ endif
Is the latter a better choice?
>
> With regards,
> Daniel
> --
> |: https://berrange.com -o-
> https://www.flickr.com/photos/dberrange :|
> |: https://libvirt.org -o-
> https://fstop138.berrange.com :|
> |: https://entangle-photo.org -o-
> https://www.instagram.com/dberrange :|
>
>
--
Best regards
[-- Attachment #2: Type: text/html, Size: 7623 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v2] crypto: Introduce SM4 symmetric cipher algorithm
2023-11-28 15:57 ` Philippe Mathieu-Daudé
2023-11-28 16:20 ` Daniel P. Berrangé
@ 2023-11-29 1:43 ` Yong Huang
1 sibling, 0 replies; 6+ messages in thread
From: Yong Huang @ 2023-11-29 1:43 UTC (permalink / raw)
To: Philippe Mathieu-Daudé
Cc: qemu-devel, Daniel P . Berrangé,
Paolo Bonzini, Marc-André Lureau, Thomas Huth, Eric Blake,
Markus Armbruster
[-- Attachment #1: Type: text/plain, Size: 4241 bytes --]
On Tue, Nov 28, 2023 at 11:57 PM Philippe Mathieu-Daudé <philmd@linaro.org>
wrote:
> Hi Hyman,
>
> On 28/11/23 16:24, Hyman Huang wrote:
> > Introduce the SM4 cipher algorithms (OSCCA GB/T 32907-2016).
> >
> > SM4 (GBT.32907-2016) is a cryptographic standard issued by the
> > Organization of State Commercial Administration of China (OSCCA)
> > as an authorized cryptographic algorithms for the use within China.
> >
> > Use the crypto-sm4 meson build option for enabling this feature.
> >
> > Signed-off-by: Hyman Huang <yong.huang@smartx.com>
> > ---
> > crypto/block-luks.c | 11 ++++++++
> > crypto/cipher-gcrypt.c.inc | 8 ++++++
> > crypto/cipher-nettle.c.inc | 49 +++++++++++++++++++++++++++++++++
> > crypto/cipher.c | 6 ++++
> > meson.build | 23 ++++++++++++++++
> > meson_options.txt | 2 ++
> > qapi/crypto.json | 5 +++-
> > scripts/meson-buildoptions.sh | 3 ++
> > tests/unit/test-crypto-cipher.c | 13 +++++++++
> > 9 files changed, 119 insertions(+), 1 deletion(-)
>
>
> > diff --git a/meson.build b/meson.build
> > index ec01f8b138..256d3257bb 100644
> > --- a/meson.build
> > +++ b/meson.build
> > @@ -1480,6 +1480,7 @@ endif
> > gcrypt = not_found
> > nettle = not_found
> > hogweed = not_found
> > +crypto_sm4 = not_found
> > xts = 'none'
> >
> > if get_option('nettle').enabled() and get_option('gcrypt').enabled()
> > @@ -1514,6 +1515,26 @@ if not gnutls_crypto.found()
> > xts = 'private'
> > endif
> > endif
> > + if get_option('crypto_sm4').enabled()
>
> We want to detect it by default (not only when explicitly enabled) ...
>
Ok, get it.
>
> > + if get_option('gcrypt').enabled()
> > + # SM4 ALG is available in libgcrypt >= 1.9
> > + crypto_sm4 = dependency('libgcrypt', version: '>=1.9',
> > + method: 'config-tool',
> > + required: get_option('gcrypt'))
> > + # SM4 ALG static compilation
> > + if crypto_sm4.found() and get_option('prefer_static')
> > + crypto_sm4 = declare_dependency(dependencies: [
> > + crypto_sm4,
> > + cc.find_library('gpg-error', required: true)],
> > + version: crypto_sm4.version())
> > + endif
> > + else
> > + # SM4 ALG is available in nettle >= 3.9
> > + crypto_sm4 = dependency('nettle', version: '>=3.9',
> > + method: 'pkg-config',
> > + required: get_option('nettle'))
> > + endif
>
> ... and if it was forced with --enable-crypto_sm4 AND not found,
> display an error.
>
Ok.
>
> IIUC your config you try to find the best effort implementation then
> if not found, keep going silently.
>
> > + endif
> > endif
>
>
> > diff --git a/scripts/meson-buildoptions.sh
> b/scripts/meson-buildoptions.sh
> > index 680fa3f581..f189f34829 100644
> > --- a/scripts/meson-buildoptions.sh
> > +++ b/scripts/meson-buildoptions.sh
> > @@ -106,6 +106,7 @@ meson_options_help() {
> > printf "%s\n" ' colo-proxy colo-proxy support'
> > printf "%s\n" ' coreaudio CoreAudio sound support'
> > printf "%s\n" ' crypto-afalg Linux AF_ALG crypto backend driver'
> > + printf "%s\n" ' crypto-sm4 SM4 symmetric cipher algorithm
> support'
> > printf "%s\n" ' curl CURL block device driver'
> > printf "%s\n" ' curses curses UI'
> > printf "%s\n" ' dbus-display -display dbus support'
> > @@ -282,6 +283,8 @@ _meson_option_parse() {
> > --disable-coroutine-pool) printf "%s" -Dcoroutine_pool=false ;;
> > --enable-crypto-afalg) printf "%s" -Dcrypto_afalg=enabled ;;
> > --disable-crypto-afalg) printf "%s" -Dcrypto_afalg=disabled ;;
> > + --enable-crypto-sm4) printf "%s" -Dcrypto_sm4=enabled ;;
> > + --disable-crypto-sm4) printf "%s" -Dcrypto_sm4=disabled ;;
> > --enable-curl) printf "%s" -Dcurl=enabled ;;
> > --disable-curl) printf "%s" -Dcurl=disabled ;;
> > --enable-curses) printf "%s" -Dcurses=enabled ;;
>
>
--
Best regards
[-- Attachment #2: Type: text/html, Size: 6511 bytes --]
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH v2] crypto: Introduce SM4 symmetric cipher algorithm
2023-11-29 1:40 ` Yong Huang
@ 2023-11-29 16:50 ` Daniel P. Berrangé
0 siblings, 0 replies; 6+ messages in thread
From: Daniel P. Berrangé @ 2023-11-29 16:50 UTC (permalink / raw)
To: Yong Huang
Cc: Philippe Mathieu-Daudé,
qemu-devel, Paolo Bonzini, Marc-André Lureau, Thomas Huth,
Eric Blake, Markus Armbruster
On Wed, Nov 29, 2023 at 09:40:29AM +0800, Yong Huang wrote:
> I'll try to understand the comment, if i misunderstood, please point out.
>
> On Wed, Nov 29, 2023 at 12:20 AM Daniel P. Berrangé <berrange@redhat.com>
> wrote:
>
> > On Tue, Nov 28, 2023 at 04:57:20PM +0100, Philippe Mathieu-Daudé wrote:
> > > Hi Hyman,
> > >
> > > On 28/11/23 16:24, Hyman Huang wrote:
> > > > Introduce the SM4 cipher algorithms (OSCCA GB/T 32907-2016).
> > > >
> > > > SM4 (GBT.32907-2016) is a cryptographic standard issued by the
> > > > Organization of State Commercial Administration of China (OSCCA)
> > > > as an authorized cryptographic algorithms for the use within China.
> > > >
> > > > Use the crypto-sm4 meson build option for enabling this feature.
> > > >
> > > > Signed-off-by: Hyman Huang <yong.huang@smartx.com>
> > > > ---
> > > > crypto/block-luks.c | 11 ++++++++
> > > > crypto/cipher-gcrypt.c.inc | 8 ++++++
> > > > crypto/cipher-nettle.c.inc | 49
> > +++++++++++++++++++++++++++++++++
> > > > crypto/cipher.c | 6 ++++
> > > > meson.build | 23 ++++++++++++++++
> > > > meson_options.txt | 2 ++
> > > > qapi/crypto.json | 5 +++-
> > > > scripts/meson-buildoptions.sh | 3 ++
> > > > tests/unit/test-crypto-cipher.c | 13 +++++++++
> > > > 9 files changed, 119 insertions(+), 1 deletion(-)
> > >
> > >
> > > > diff --git a/meson.build b/meson.build
> > > > index ec01f8b138..256d3257bb 100644
> > > > --- a/meson.build
> > > > +++ b/meson.build
> > > > @@ -1480,6 +1480,7 @@ endif
> > > > gcrypt = not_found
> > > > nettle = not_found
> > > > hogweed = not_found
> > > > +crypto_sm4 = not_found
> > > > xts = 'none'
> > > > if get_option('nettle').enabled() and get_option('gcrypt').enabled()
> > > > @@ -1514,6 +1515,26 @@ if not gnutls_crypto.found()
> > > > xts = 'private'
> > > > endif
> > > > endif
> > > > + if get_option('crypto_sm4').enabled()
> > >
> > > We want to detect it by default (not only when explicitly enabled) ...
> > >
> > > > + if get_option('gcrypt').enabled()
> > > > + # SM4 ALG is available in libgcrypt >= 1.9
> > > > + crypto_sm4 = dependency('libgcrypt', version: '>=1.9',
> > > > + method: 'config-tool',
> > > > + required: get_option('gcrypt'))
> > > > + # SM4 ALG static compilation
> > > > + if crypto_sm4.found() and get_option('prefer_static')
> > > > + crypto_sm4 = declare_dependency(dependencies: [
> > > > + crypto_sm4,
> > > > + cc.find_library('gpg-error', required: true)],
> > > > + version: crypto_sm4.version())
> > > > + endif
> > > > + else
> > > > + # SM4 ALG is available in nettle >= 3.9
> > > > + crypto_sm4 = dependency('nettle', version: '>=3.9',
> > > > + method: 'pkg-config',
> > > > + required: get_option('nettle'))
> > > > + endif
> > >
> > > ... and if it was forced with --enable-crypto_sm4 AND not found,
> > > display an error.
> > >
> > > IIUC your config you try to find the best effort implementation then
> > > if not found, keep going silently.
> >
> > Yes, ignore the get_option() calls, and instead look at .found()
> > in the library we just detected
> >
> ie
> >
> > if nettle.found()
> > ....check sm4 in nettle
> > endif
> >
> > if gcrypt.found()
> > ....check sm4 in crypt
> > endif
> >
> > To detect if sm4 is supported, there may be two methods:
> One is to specify the version explicitly(ligcrypt >=1.9,nettle >= 3.9)
> as in patch
>
> Another is to use the cc.link for a test. eg:
>
> + crypto_sm4 = gcrypt
> + if gcrypt.found() and not cc.links('''
> + #include <gcrypt.h>
> + void main(void) {
> + gcry_cipher_hd_t handler;
> + gcry_cipher_open(&handler, GCRY_CIPHER_SM4,
> GCRY_CIPHER_MODE_ECB, 0);
> + }''', dependencies: gcrypt)
> + crypto_sm4 = not_found
> + endif
>
> Is the latter a better choice?
I'm fine with either a version check, or a link check. A
link check is robust against anyone backporting new features,
so a little better.
With regards,
Daniel
--
|: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org -o- https://fstop138.berrange.com :|
|: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2023-11-29 16:51 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-11-28 15:24 [PATCH v2] crypto: Introduce SM4 symmetric cipher algorithm Hyman Huang
2023-11-28 15:57 ` Philippe Mathieu-Daudé
2023-11-28 16:20 ` Daniel P. Berrangé
2023-11-29 1:40 ` Yong Huang
2023-11-29 16:50 ` Daniel P. Berrangé
2023-11-29 1:43 ` Yong Huang
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.