From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.saout.de ([127.0.0.1]) by localhost (mail.saout.de [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M_I3nrIck9o9 for ; Fri, 13 Dec 2013 07:42:55 +0100 (CET) Received: from mxout.secure-mail.biz (mxout.secure-mail.biz [151.236.24.76]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.saout.de (Postfix) with ESMTPS for ; Fri, 13 Dec 2013 07:42:55 +0100 (CET) Received: from mail.secure-mail.biz (localhost [127.0.0.1]) by mxout.secure-mail.biz (Postfix) with SMTP id 9BD7F41A16350 for ; Fri, 13 Dec 2013 07:42:52 +0100 (CET) Received: from [127.0.0.1] (localhost [127.0.0.1]) by mail.secure-mail.biz (b1gMailServer) with ESMTP id 6B8B409A for ; Fri, 13 Dec 2013 07:42:52 +0100 (CET) Date: Fri, 13 Dec 2013 07:42:52 +0100 MIME-Version: 1.0 Message-ID: From: In-Reply-To: <529A214E.1060305@gmail.com> References: <529A214E.1060305@gmail.com> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit Content-Disposition: inline Subject: Re: [dm-crypt] GEOM_ELI support in dm-crypt/cryptsetup Reply-To: f000m@z1p.biz List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , To: Milan Broz Cc: dm-crypt@saout.de Hi Milan, sorry for my late reply. --- Ursprüngliche Nachricht --- Von: Milan Broz Datum: 30.11.2013 18:33:02 An: f000m@z1p.biz Betreff: Re: [dm-crypt] GEOM_ELI support in dm-crypt/cryptsetup > Hi, > > On 11/30/2013 04:25 PM, f000m@z1p.biz wrote: > > I am planing to make dm-crypt and cryptsetup able to > > handle FreeBSD's GEOM_ELI crypted devices (without its > > integrity stuff). > > I think that even integrity stuff would be interesting > but that's a lot of kernel work. > (But I am quite interested how FreeBSD approach looks like anyway.) > The first comment in the header file explains how it works. http://svnweb.freebsd.org/base/head/sys/geom/eli/g_eli_integrity.c?view=co > > In the kernel modul there would be minor changes > > concerning two more IV generators needed to add: > > First, because of a slightly different handling of plain type > > (it uses offsets instead of sectors). > > Second, GEOM_ELI uses CBC with unpredictable IV instead of > > ESSIV Mode. > > Not sure I understand offset/sectors problem. > Can you elaborate more here? Is it just multiplication > of sector number by sector size or something else? > (Or just point me to the docs :) > Yes it is for plain mode. You can see it in g_eli_crypto_ivgen(). http://svnweb.freebsd.org/base/head/sys/geom/eli/g_eli.c?view=co The unpredicable IV generation creates a SHA256 digest. It uses a IV seed and the offset number (sector number by sector size). Also it would need to add a routine to calculate (HMAC-SHA-512) the encryption key on the fly because GEOM_ELI uses multiple encryption keys since version 5. It uses a different key for every 2^20 sectors. So I would put it in the IV generators, too. > Anyway, adding new IV generators to dmcrypt should not be big problem > (in principle). > > > Additionally cryptsetup must be patched to be able > > to deal with the metadata structure of GEOM_ELI devices. > > > > Would there be any interests in committing me this code > > to the upstream? > > Well, I am not sure how broadly this format is used and if > there are potential users in Linux world, so if you can > post more description here it would be nice. > It is a common tool in FreeBSD for cryptography. So it would be nice one could access these FreeBSD devices with Linux, too (I think =). > (And if anyone on list is interested, plesase say so... now :) > > But in general, yes, I think it is good idea. > > I would suggest you to do these steps: > > 1) provide links to documentation of format, limitation > of your approach etc (also should be included in patch later) > > 2) first, implement needed changes in Linux kernel (dmcrypt IVs) > (if it is only new IV, it should be straightforward) > Please post patches to DM devel list (dm-devel@redhat.com) > > This should be done in advance - for testing, you can use > dmsetup to configure dmcrypt device and test it works for your > images. > > Cryptsetup support can come later (we need patch in stable kernel > first to release build supporting it). > > 3) second, post patches for cryptsetup to this list. > > Please keep format specific code in separate directory, > lib/geli/* or so. > (I am planning some unified interface for formats in future (1.7), > so see how is e.g. TCRYPT done - it should be very similar). > > Please post at least simple regression tests together with patches > (see tests/ dir). > > License of new code must be compatible with released code, > basically GPL2+/LGPL2.1+ for cryptsetup. > > (And be prepared it will take some time and perhaps reiterated > patch posts - mainly for kernel part :) > > Thanks, > Milan > Thanks for your suggestions. Best regards. ______________________________________________________ powered by Secure-Mail.biz - anonymous and secure e-mail accounts.