From: Milan Broz <gmazyland@gmail.com>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>
Cc: Horia Geanta <horia.geanta@nxp.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
"dm-devel@redhat.com" <dm-devel@redhat.com>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>
Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing support
Date: Sun, 11 Aug 2019 13:12:56 +0200 [thread overview]
Message-ID: <d6d0b155-476b-d495-3418-4b171003cdd7@gmail.com> (raw)
In-Reply-To: <CAKv+Gu-xWxZ58tzyYoH_jDKfJoM+KzOWWpzCeHEmOXQ39Bv15g@mail.gmail.com>
On 10/08/2019 06:39, Ard Biesheuvel wrote:
> Truncated IVs are a huge issue, since we already expose the correct
> API via AF_ALG (without any restrictions on how many of the IV bits
> are populated), and apparently, if your AF_ALG request for xts(aes)
> happens to be fulfilled by the CAAM driver and your implementation
> uses more than 64 bits for the IV, the top bits get truncated silently
> and your data might get eaten.
Actually, I think we have already serious problem with in in kernel (no AF_ALG needed).
I do not have the hardware, but please could you check that dm-crypt big-endian IV
(plain64be) produces the same output on CAAM?
It is 64bit IV, but big-endian and we use size of cipher block (16bytes) here,
so the first 8 bytes are zero in this case.
I would expect data corruption in comparison to generic implementation,
if it supports only the first 64bit...
Try this:
# create small null device of 8 sectors, we use zeroes as fixed ciphertext
dmsetup create zero --table "0 8 zero"
# create crypt device on top of it (with some key), using plain64be IV
dmsetup create crypt --table "0 8 crypt aes-xts-plain64be e8cfa3dbfe373b536be43c5637387786c01be00ba5f730aacb039e86f3eb72f3 0 /dev/mapper/zero 0"
# and compare it with and without your driver, this is what I get here:
# sha256sum /dev/mapper/crypt
532f71198d0d84d823b8e410738c6f43bc3e149d844dd6d37fa5b36d150501e1 /dev/mapper/crypt
# dmsetup remove crypt
You can try little-endian version (plain64), this should always work even with CAAM
dmsetup create crypt --table "0 8 crypt aes-xts-plain64 e8cfa3dbfe373b536be43c5637387786c01be00ba5f730aacb039e86f3eb72f3 0 /dev/mapper/zero 0"
# sha256sum /dev/mapper/crypt
f17abd27dedee4e539758eabdb6c15fa619464b509cf55f16433e6a25da42857 /dev/mapper/crypt
# dmsetup remove crypt
# dmsetup remove zero
If you get different plaintext in the first case, your driver is actually creating
data corruption in this configuration and it should be fixed!
(Only the first sector must be the same, because it has IV == 0.)
Milan
p.s.
If you ask why we have this IV, it was added per request to allow map some chipset-based
encrypted drives directly. I guess it is used for some data forensic things.
WARNING: multiple messages have this Message-ID (diff)
From: Milan Broz <gmazyland@gmail.com>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>
Cc: "dm-devel@redhat.com" <dm-devel@redhat.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Horia Geanta <horia.geanta@nxp.com>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>
Subject: Re: xts fuzz testing and lack of ciphertext stealing support
Date: Sun, 11 Aug 2019 13:12:56 +0200 [thread overview]
Message-ID: <d6d0b155-476b-d495-3418-4b171003cdd7@gmail.com> (raw)
In-Reply-To: <CAKv+Gu-xWxZ58tzyYoH_jDKfJoM+KzOWWpzCeHEmOXQ39Bv15g@mail.gmail.com>
On 10/08/2019 06:39, Ard Biesheuvel wrote:
> Truncated IVs are a huge issue, since we already expose the correct
> API via AF_ALG (without any restrictions on how many of the IV bits
> are populated), and apparently, if your AF_ALG request for xts(aes)
> happens to be fulfilled by the CAAM driver and your implementation
> uses more than 64 bits for the IV, the top bits get truncated silently
> and your data might get eaten.
Actually, I think we have already serious problem with in in kernel (no AF_ALG needed).
I do not have the hardware, but please could you check that dm-crypt big-endian IV
(plain64be) produces the same output on CAAM?
It is 64bit IV, but big-endian and we use size of cipher block (16bytes) here,
so the first 8 bytes are zero in this case.
I would expect data corruption in comparison to generic implementation,
if it supports only the first 64bit...
Try this:
# create small null device of 8 sectors, we use zeroes as fixed ciphertext
dmsetup create zero --table "0 8 zero"
# create crypt device on top of it (with some key), using plain64be IV
dmsetup create crypt --table "0 8 crypt aes-xts-plain64be e8cfa3dbfe373b536be43c5637387786c01be00ba5f730aacb039e86f3eb72f3 0 /dev/mapper/zero 0"
# and compare it with and without your driver, this is what I get here:
# sha256sum /dev/mapper/crypt
532f71198d0d84d823b8e410738c6f43bc3e149d844dd6d37fa5b36d150501e1 /dev/mapper/crypt
# dmsetup remove crypt
You can try little-endian version (plain64), this should always work even with CAAM
dmsetup create crypt --table "0 8 crypt aes-xts-plain64 e8cfa3dbfe373b536be43c5637387786c01be00ba5f730aacb039e86f3eb72f3 0 /dev/mapper/zero 0"
# sha256sum /dev/mapper/crypt
f17abd27dedee4e539758eabdb6c15fa619464b509cf55f16433e6a25da42857 /dev/mapper/crypt
# dmsetup remove crypt
# dmsetup remove zero
If you get different plaintext in the first case, your driver is actually creating
data corruption in this configuration and it should be fixed!
(Only the first sector must be the same, because it has IV == 0.)
Milan
p.s.
If you ask why we have this IV, it was added per request to allow map some chipset-based
encrypted drives directly. I guess it is used for some data forensic things.
next prev parent reply other threads:[~2019-08-11 11:13 UTC|newest]
Thread overview: 110+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-16 17:46 xts fuzz testing and lack of ciphertext stealing support Horia Geanta
2019-07-16 22:16 ` Eric Biggers
2019-07-17 17:09 ` Horia Geanta
2019-07-17 17:09 ` Horia Geanta
2019-07-17 17:28 ` Eric Biggers
2019-07-17 17:28 ` Eric Biggers
2019-07-17 18:08 ` Ard Biesheuvel
2019-07-18 6:52 ` Herbert Xu
2019-07-18 6:52 ` Herbert Xu
2019-07-18 7:15 ` Ard Biesheuvel
2019-07-18 7:15 ` Ard Biesheuvel
2019-07-18 7:21 ` Herbert Xu
2019-07-18 7:21 ` Herbert Xu
2019-07-18 7:28 ` Ard Biesheuvel
2019-07-18 7:28 ` Ard Biesheuvel
2019-07-18 7:50 ` Herbert Xu
2019-07-18 7:50 ` Herbert Xu
2019-07-18 7:40 ` Milan Broz
2019-07-18 7:40 ` Milan Broz
2019-07-18 10:40 ` Pascal Van Leeuwen
2019-07-18 11:19 ` Milan Broz
2019-07-18 11:19 ` Milan Broz
2019-07-18 15:27 ` Herbert Xu
2019-07-18 15:27 ` Herbert Xu
2019-07-20 6:58 ` [dm-devel] " Eric Biggers
2019-07-20 6:58 ` Eric Biggers
2019-07-20 7:35 ` [dm-devel] " Milan Broz
2019-07-20 7:35 ` Milan Broz
2019-07-20 10:13 ` Markus
2019-07-21 9:50 ` [dm-devel] " Ard Biesheuvel
2019-07-21 9:50 ` Ard Biesheuvel
2019-07-22 9:44 ` [dm-devel] " Pascal Van Leeuwen
2019-07-22 16:43 ` Ard Biesheuvel
2019-07-22 16:43 ` Ard Biesheuvel
2019-07-22 22:46 ` [dm-devel] " Pascal Van Leeuwen
2019-07-24 12:23 ` Pascal Van Leeuwen
2019-07-24 12:50 ` Pascal Van Leeuwen
2019-07-24 16:10 ` Pascal Van Leeuwen
2019-07-25 6:22 ` Ard Biesheuvel
2019-07-25 6:22 ` Ard Biesheuvel
2019-07-25 7:49 ` [dm-devel] " Pascal Van Leeuwen
2019-07-25 8:01 ` Ard Biesheuvel
2019-07-25 8:01 ` Ard Biesheuvel
2019-07-26 10:31 ` [dm-devel] " Pascal Van Leeuwen
2019-07-26 19:59 ` Horia Geanta
2019-07-26 19:59 ` Horia Geanta
2019-07-26 21:43 ` [dm-devel] " Pascal Van Leeuwen
2019-07-27 5:39 ` Ard Biesheuvel
2019-07-27 5:39 ` Ard Biesheuvel
2019-07-27 12:56 ` [dm-devel] " Pascal Van Leeuwen
2019-07-27 16:04 ` Milan Broz
2019-07-27 16:04 ` Milan Broz
2019-08-04 8:36 ` [dm-devel] " Ard Biesheuvel
2019-08-04 8:36 ` Ard Biesheuvel
[not found] ` <20f4832e-e3af-e3c2-d946-13bf8c367a60@nxp.com>
2019-08-07 15:51 ` [dm-devel] " Horia Geanta
2019-08-07 15:51 ` Horia Geanta
2019-08-07 20:57 ` [dm-devel] " Pascal Van Leeuwen
2019-08-08 14:50 ` Horia Geanta
2019-08-08 14:50 ` Horia Geanta
2019-08-09 8:35 ` [dm-devel] " Pascal Van Leeuwen
2019-08-08 13:43 ` Pascal Van Leeuwen
2019-08-08 18:01 ` Horia Geanta
2019-08-08 18:01 ` Horia Geanta
2019-08-09 2:48 ` [dm-devel] " Herbert Xu
2019-08-09 2:48 ` Herbert Xu
2019-08-09 6:45 ` [dm-devel] " Ard Biesheuvel
2019-08-09 6:45 ` Ard Biesheuvel
2019-08-09 7:44 ` [dm-devel] " Horia Geanta
2019-08-09 7:44 ` Horia Geanta
2019-08-09 17:49 ` [dm-devel] " Ard Biesheuvel
2019-08-09 17:49 ` Ard Biesheuvel
2019-08-09 20:57 ` [dm-devel] " Pascal Van Leeuwen
2019-08-10 4:39 ` Ard Biesheuvel
2019-08-10 4:39 ` Ard Biesheuvel
2019-08-11 11:12 ` Milan Broz [this message]
2019-08-11 11:12 ` Milan Broz
2019-08-11 20:34 ` [dm-devel] " Eric Biggers
2019-08-11 20:34 ` Eric Biggers
2019-08-11 21:39 ` [dm-devel] " Pascal Van Leeuwen
2019-08-11 21:29 ` Pascal Van Leeuwen
2019-08-12 4:51 ` Herbert Xu
2019-08-12 4:51 ` Herbert Xu
2019-08-11 21:15 ` [dm-devel] " Pascal Van Leeuwen
2019-08-11 22:24 ` Ard Biesheuvel
2019-08-11 22:24 ` Ard Biesheuvel
2019-08-12 1:04 ` [dm-devel] " Pascal Van Leeuwen
2019-07-18 15:29 ` Herbert Xu
2019-07-18 15:29 ` Herbert Xu
2019-07-18 15:43 ` Pascal Van Leeuwen
2019-07-18 15:51 ` Herbert Xu
2019-07-18 15:51 ` Herbert Xu
2019-07-18 16:19 ` Ard Biesheuvel
2019-07-18 16:19 ` Ard Biesheuvel
2019-07-18 16:22 ` Herbert Xu
2019-07-18 16:22 ` Herbert Xu
2019-07-18 17:03 ` Pascal Van Leeuwen
2019-07-19 5:34 ` Ard Biesheuvel
2019-07-19 5:34 ` Ard Biesheuvel
2019-07-19 7:29 ` Pascal Van Leeuwen
2019-07-19 17:14 ` Ard Biesheuvel
2019-07-19 17:14 ` Ard Biesheuvel
2019-07-19 20:07 ` Pascal Van Leeuwen
2019-07-19 7:29 ` Pascal Van Leeuwen
2019-07-18 17:03 ` Pascal Van Leeuwen
2019-07-18 16:35 ` Pascal Van Leeuwen
2019-07-19 1:47 ` Herbert Xu
2019-07-19 1:47 ` Herbert Xu
2019-07-18 16:35 ` Pascal Van Leeuwen
2019-07-18 15:43 ` Pascal Van Leeuwen
2019-07-18 10:40 ` Pascal Van Leeuwen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d6d0b155-476b-d495-3418-4b171003cdd7@gmail.com \
--to=gmazyland@gmail.com \
--cc=ard.biesheuvel@linaro.org \
--cc=dm-devel@redhat.com \
--cc=herbert@gondor.apana.org.au \
--cc=horia.geanta@nxp.com \
--cc=linux-crypto@vger.kernel.org \
--cc=pvanleeuwen@verimatrix.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.