Linux-Crypto Archive on lore.kernel.org
 help / color / Atom feed
* XTS template wrapping question
@ 2019-08-09 11:39 Pascal Van Leeuwen
  2019-08-09 14:18 ` Pascal Van Leeuwen
  2019-08-09 16:46 ` Eric Biggers
  0 siblings, 2 replies; 7+ messages in thread
From: Pascal Van Leeuwen @ 2019-08-09 11:39 UTC (permalink / raw)
  To: linux-crypto, herbert, davem, Eric Biggers

Herbert, Eric,

While working on the XTS template, I noticed that it is being used 
(e.g. from testmgr, but also when explictly exported from other drivers)
as e.g. "xts(aes)", with the generic driver actually being 
"xts(ecb(aes-generic))". 

While what I would expect would be "xts(ecb(aes))", the reason being
that plain "aes" is defined as a single block cipher while the XTS
template actually efficiently wraps an skcipher (like ecb(aes)).
The generic driver reference actually proves this point.

The problem with XTS being used without the ecb template in between,
is that hardware accelerators will typically advertise an ecb(aes)
skcipher and the current approach makes it impossible to leverage
that for XTS (while the XTS template *could* actually do that
efficiently, from what I understand from the code ...).
Advertising a single block "aes" cipher from a hardware accelerator
unfortunately defeats the purpose of acceleration.

I also wonder what happens if aes-generic is the only AES 
implementation available? How would the crypto API know it needs to 
do "xts(aes)" as "xts(ecb(aes))" without some explicit export?
(And I don't see how xts(aes) would work directly, considering 
that only seems to handle single cipher blocks? Or ... will
the crypto API actually wrap some multi-block skcipher thing 
around the single block cipher instance automatically??)

Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
www.insidesecure.com


^ permalink raw reply	[flat|nested] 7+ messages in thread

* RE: XTS template wrapping question
  2019-08-09 11:39 XTS template wrapping question Pascal Van Leeuwen
@ 2019-08-09 14:18 ` Pascal Van Leeuwen
  2019-08-09 15:06   ` Pascal Van Leeuwen
  2019-08-09 16:46 ` Eric Biggers
  1 sibling, 1 reply; 7+ messages in thread
From: Pascal Van Leeuwen @ 2019-08-09 14:18 UTC (permalink / raw)
  To: Pascal Van Leeuwen, linux-crypto, herbert, davem, Eric Biggers

> -----Original Message-----
> From: linux-crypto-owner@vger.kernel.org <linux-crypto-owner@vger.kernel.org> On Behalf Of
> Pascal Van Leeuwen
> Sent: Friday, August 9, 2019 1:39 PM
> To: linux-crypto@vger.kernel.org; herbert@gondor.apana.org.au; davem@davemloft.net; Eric
> Biggers <ebiggers@kernel.org>
> Subject: XTS template wrapping question
> 
> Herbert, Eric,
> 
> While working on the XTS template, I noticed that it is being used
> (e.g. from testmgr, but also when explictly exported from other drivers)
> as e.g. "xts(aes)", with the generic driver actually being
> "xts(ecb(aes-generic))".
> 
> While what I would expect would be "xts(ecb(aes))", the reason being
> that plain "aes" is defined as a single block cipher while the XTS
> template actually efficiently wraps an skcipher (like ecb(aes)).
> The generic driver reference actually proves this point.
> 
> The problem with XTS being used without the ecb template in between,
> is that hardware accelerators will typically advertise an ecb(aes)
> skcipher and the current approach makes it impossible to leverage
> that for XTS (while the XTS template *could* actually do that
> efficiently, from what I understand from the code ...).
> Advertising a single block "aes" cipher from a hardware accelerator
> unfortunately defeats the purpose of acceleration.
> 
> I also wonder what happens if aes-generic is the only AES
> implementation available? How would the crypto API know it needs to
> do "xts(aes)" as "xts(ecb(aes))" without some explicit export?
> (And I don't see how xts(aes) would work directly, considering
> that only seems to handle single cipher blocks? Or ... will
> the crypto API actually wrap some multi-block skcipher thing
> around the single block cipher instance automatically??)
> 
Actually, the above was based on observations from testmgr, which
doesn't seem to test xts(safexcel-ecb-aes) even though I gave that
a very high .cra_priority as well as that what is advertised under 
/proc/crypto, which does not include such a thing either.

However, playing with tcrypt mode=600 shows some interesting 
results:

WITHOUT the inside-secure driver loaded, both LRW encrypt and
decrypt run on top of ecb-aes-aesni as you would expect.
Both xts encrypt and decrypt give a "failed to load transform" 
with an error code of -80. Strange ... -80 = ELIBBAD??
(Do note that the selftest of xts(aes) using xts-aesni worked 
just fine according to /proc/crypto!)

WITH the inside-secure driver loaded, NOT advertising xts(aes)
itself and everything at cra_priority of 300: same (expected).

WITH the inside-secure driver loaded, NOT advertising xts(aes)
itself and everything safexcel at cra_priority of 2000:
LRW decrypt now runs on top of safexcel-ecb-aes, but LRW
encrypt now runs on top of aes-generic? This makes no sense as
the encrypt datapath structure is the same as for decrypt so
it should run just fine on top of safexcel-ecb-aes. And besides
that, why drop from aesni all the way down to aes-generic??
xts encrypt and decrypt still give the -80 error, while you
would expect that to now run using the xts wrapper around
safexcel-ecb-aes (but no way to tell if that's happening).

WITH the inside-secure driver loaded, advertising xts(aes)
itself and everything at cra_priority of 2000: 
still the same LRW assymmetry as mentioned above, but
xts encrypt and decrypt now work fine using safexcel-aes-xts

Conclusions from the above:

- There's something fishy with the selection of the underlying
  AES cipher for LRW encrypt (but not for LRW decrypt).
- xts-aes-aesni (and the xts.c wrapper?) appear(s) broken in 
  some way not detected by testmgr but affecting tcrypt use,
  while the inside-secure driver's local xts works just fine

Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
www.insidesecure.com

^ permalink raw reply	[flat|nested] 7+ messages in thread

* RE: XTS template wrapping question
  2019-08-09 14:18 ` Pascal Van Leeuwen
@ 2019-08-09 15:06   ` Pascal Van Leeuwen
  2019-08-09 17:06     ` Eric Biggers
  0 siblings, 1 reply; 7+ messages in thread
From: Pascal Van Leeuwen @ 2019-08-09 15:06 UTC (permalink / raw)
  To: linux-crypto, herbert, davem, Eric Biggers

> -----Original Message-----
> From: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>
> Sent: Friday, August 9, 2019 4:18 PM
> To: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>; linux-crypto@vger.kernel.org;
> herbert@gondor.apana.org.au; davem@davemloft.net; Eric Biggers <ebiggers@kernel.org>
> Subject: RE: XTS template wrapping question
> 
> > -----Original Message-----
> > From: linux-crypto-owner@vger.kernel.org <linux-crypto-owner@vger.kernel.org> On Behalf
> Of
> > Pascal Van Leeuwen
> > Sent: Friday, August 9, 2019 1:39 PM
> > To: linux-crypto@vger.kernel.org; herbert@gondor.apana.org.au; davem@davemloft.net; Eric
> > Biggers <ebiggers@kernel.org>
> > Subject: XTS template wrapping question
> >
> > Herbert, Eric,
> >
> > While working on the XTS template, I noticed that it is being used
> > (e.g. from testmgr, but also when explictly exported from other drivers)
> > as e.g. "xts(aes)", with the generic driver actually being
> > "xts(ecb(aes-generic))".
> >
> > While what I would expect would be "xts(ecb(aes))", the reason being
> > that plain "aes" is defined as a single block cipher while the XTS
> > template actually efficiently wraps an skcipher (like ecb(aes)).
> > The generic driver reference actually proves this point.
> >
> > The problem with XTS being used without the ecb template in between,
> > is that hardware accelerators will typically advertise an ecb(aes)
> > skcipher and the current approach makes it impossible to leverage
> > that for XTS (while the XTS template *could* actually do that
> > efficiently, from what I understand from the code ...).
> > Advertising a single block "aes" cipher from a hardware accelerator
> > unfortunately defeats the purpose of acceleration.
> >
> > I also wonder what happens if aes-generic is the only AES
> > implementation available? How would the crypto API know it needs to
> > do "xts(aes)" as "xts(ecb(aes))" without some explicit export?
> > (And I don't see how xts(aes) would work directly, considering
> > that only seems to handle single cipher blocks? Or ... will
> > the crypto API actually wrap some multi-block skcipher thing
> > around the single block cipher instance automatically??)
> >
> Actually, the above was based on observations from testmgr, which
> doesn't seem to test xts(safexcel-ecb-aes) even though I gave that
> a very high .cra_priority as well as that what is advertised under
> /proc/crypto, which does not include such a thing either.
> 
> However, playing with tcrypt mode=600 shows some interesting
> results:
> 
> WITHOUT the inside-secure driver loaded, both LRW encrypt and
> decrypt run on top of ecb-aes-aesni as you would expect.
> Both xts encrypt and decrypt give a "failed to load transform"
> with an error code of -80. Strange ... -80 = ELIBBAD??
> (Do note that the selftest of xts(aes) using xts-aesni worked
> just fine according to /proc/crypto!)
> 
> WITH the inside-secure driver loaded, NOT advertising xts(aes)
> itself and everything at cra_priority of 300: same (expected).
> 
> WITH the inside-secure driver loaded, NOT advertising xts(aes)
> itself and everything safexcel at cra_priority of 2000:
> LRW decrypt now runs on top of safexcel-ecb-aes, but LRW
> encrypt now runs on top of aes-generic? This makes no sense as
> the encrypt datapath structure is the same as for decrypt so
> it should run just fine on top of safexcel-ecb-aes. And besides
> that, why drop from aesni all the way down to aes-generic??
> xts encrypt and decrypt still give the -80 error, while you
> would expect that to now run using the xts wrapper around
> safexcel-ecb-aes (but no way to tell if that's happening).
> 
> WITH the inside-secure driver loaded, advertising xts(aes)
> itself and everything at cra_priority of 2000:
> still the same LRW assymmetry as mentioned above, but
> xts encrypt and decrypt now work fine using safexcel-aes-xts
> 
> Conclusions from the above:
> 
> - There's something fishy with the selection of the underlying
>   AES cipher for LRW encrypt (but not for LRW decrypt).
>
Actually, this makes no sense at all as crypto_skcipher_alloc 
does not even see the direction you're going to use in your 
requests. Still, it is what I consistently see happening in 
the tcrypt logging. Weird!

> - xts-aes-aesni (and the xts.c wrapper?) appear(s) broken in
>   some way not detected by testmgr but affecting tcrypt use,
>   while the inside-secure driver's local xts works just fine
> 

Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
www.insidesecure.com

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: XTS template wrapping question
  2019-08-09 11:39 XTS template wrapping question Pascal Van Leeuwen
  2019-08-09 14:18 ` Pascal Van Leeuwen
@ 2019-08-09 16:46 ` Eric Biggers
  2019-08-09 21:49   ` Pascal Van Leeuwen
  1 sibling, 1 reply; 7+ messages in thread
From: Eric Biggers @ 2019-08-09 16:46 UTC (permalink / raw)
  To: Pascal Van Leeuwen; +Cc: linux-crypto, herbert, davem

On Fri, Aug 09, 2019 at 11:39:12AM +0000, Pascal Van Leeuwen wrote:
> Herbert, Eric,
> 
> While working on the XTS template, I noticed that it is being used 
> (e.g. from testmgr, but also when explictly exported from other drivers)
> as e.g. "xts(aes)", with the generic driver actually being 
> "xts(ecb(aes-generic))". 
> 
> While what I would expect would be "xts(ecb(aes))", the reason being
> that plain "aes" is defined as a single block cipher while the XTS
> template actually efficiently wraps an skcipher (like ecb(aes)).
> The generic driver reference actually proves this point.
> 
> The problem with XTS being used without the ecb template in between,
> is that hardware accelerators will typically advertise an ecb(aes)
> skcipher and the current approach makes it impossible to leverage
> that for XTS (while the XTS template *could* actually do that
> efficiently, from what I understand from the code ...).
> Advertising a single block "aes" cipher from a hardware accelerator
> unfortunately defeats the purpose of acceleration.
> 
> I also wonder what happens if aes-generic is the only AES 
> implementation available? How would the crypto API know it needs to 
> do "xts(aes)" as "xts(ecb(aes))" without some explicit export?
> (And I don't see how xts(aes) would work directly, considering 
> that only seems to handle single cipher blocks? Or ... will
> the crypto API actually wrap some multi-block skcipher thing 
> around the single block cipher instance automatically??)
> 

"xts(aes)" is the cra_name for AES-XTS, while everything else (e.g.
"xts(ecb(aes-generic))", "xts-aes-aesni", "xts(ecb-aes-aesni)")
is a cra_driver_name for AES-XTS.

"xts(ecb(aes))" doesn't make sense, as it's neither the cra_name nor does it
name a specific implementation.

See create() in crypto/xts.c.  It allows the XTS template to be passed either
the string "aes", *or* a string which names an *implementation* of "ecb(aes)",
like "ecb(aes-generic)" or "ecb-aes-aesni".  In the first case it allocates
"ecb(aes)" so it gets the highest priority AES-ECB implementation.

So in both cases the XTS template uses AES-ECB via the skcipher API.

- Eric

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: XTS template wrapping question
  2019-08-09 15:06   ` Pascal Van Leeuwen
@ 2019-08-09 17:06     ` Eric Biggers
  2019-08-09 21:55       ` Pascal Van Leeuwen
  0 siblings, 1 reply; 7+ messages in thread
From: Eric Biggers @ 2019-08-09 17:06 UTC (permalink / raw)
  To: Pascal Van Leeuwen; +Cc: linux-crypto, herbert, davem

On Fri, Aug 09, 2019 at 03:06:23PM +0000, Pascal Van Leeuwen wrote:
> > -----Original Message-----
> > From: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>
> > Sent: Friday, August 9, 2019 4:18 PM
> > To: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>; linux-crypto@vger.kernel.org;
> > herbert@gondor.apana.org.au; davem@davemloft.net; Eric Biggers <ebiggers@kernel.org>
> > Subject: RE: XTS template wrapping question
> > 
> > > -----Original Message-----
> > > From: linux-crypto-owner@vger.kernel.org <linux-crypto-owner@vger.kernel.org> On Behalf
> > Of
> > > Pascal Van Leeuwen
> > > Sent: Friday, August 9, 2019 1:39 PM
> > > To: linux-crypto@vger.kernel.org; herbert@gondor.apana.org.au; davem@davemloft.net; Eric
> > > Biggers <ebiggers@kernel.org>
> > > Subject: XTS template wrapping question
> > >
> > > Herbert, Eric,
> > >
> > > While working on the XTS template, I noticed that it is being used
> > > (e.g. from testmgr, but also when explictly exported from other drivers)
> > > as e.g. "xts(aes)", with the generic driver actually being
> > > "xts(ecb(aes-generic))".
> > >
> > > While what I would expect would be "xts(ecb(aes))", the reason being
> > > that plain "aes" is defined as a single block cipher while the XTS
> > > template actually efficiently wraps an skcipher (like ecb(aes)).
> > > The generic driver reference actually proves this point.
> > >
> > > The problem with XTS being used without the ecb template in between,
> > > is that hardware accelerators will typically advertise an ecb(aes)
> > > skcipher and the current approach makes it impossible to leverage
> > > that for XTS (while the XTS template *could* actually do that
> > > efficiently, from what I understand from the code ...).
> > > Advertising a single block "aes" cipher from a hardware accelerator
> > > unfortunately defeats the purpose of acceleration.
> > >
> > > I also wonder what happens if aes-generic is the only AES
> > > implementation available? How would the crypto API know it needs to
> > > do "xts(aes)" as "xts(ecb(aes))" without some explicit export?
> > > (And I don't see how xts(aes) would work directly, considering
> > > that only seems to handle single cipher blocks? Or ... will
> > > the crypto API actually wrap some multi-block skcipher thing
> > > around the single block cipher instance automatically??)
> > >
> > Actually, the above was based on observations from testmgr, which
> > doesn't seem to test xts(safexcel-ecb-aes) even though I gave that
> > a very high .cra_priority as well as that what is advertised under
> > /proc/crypto, which does not include such a thing either.
> > 
> > However, playing with tcrypt mode=600 shows some interesting
> > results:
> > 
> > WITHOUT the inside-secure driver loaded, both LRW encrypt and
> > decrypt run on top of ecb-aes-aesni as you would expect.
> > Both xts encrypt and decrypt give a "failed to load transform"
> > with an error code of -80. Strange ... -80 = ELIBBAD??
> > (Do note that the selftest of xts(aes) using xts-aesni worked
> > just fine according to /proc/crypto!)
> > 
> > WITH the inside-secure driver loaded, NOT advertising xts(aes)
> > itself and everything at cra_priority of 300: same (expected).
> > 
> > WITH the inside-secure driver loaded, NOT advertising xts(aes)
> > itself and everything safexcel at cra_priority of 2000:
> > LRW decrypt now runs on top of safexcel-ecb-aes, but LRW
> > encrypt now runs on top of aes-generic? This makes no sense as
> > the encrypt datapath structure is the same as for decrypt so
> > it should run just fine on top of safexcel-ecb-aes. And besides
> > that, why drop from aesni all the way down to aes-generic??
> > xts encrypt and decrypt still give the -80 error, while you
> > would expect that to now run using the xts wrapper around
> > safexcel-ecb-aes (but no way to tell if that's happening).
> > 
> > WITH the inside-secure driver loaded, advertising xts(aes)
> > itself and everything at cra_priority of 2000:
> > still the same LRW assymmetry as mentioned above, but
> > xts encrypt and decrypt now work fine using safexcel-aes-xts
> > 
> > Conclusions from the above:
> > 
> > - There's something fishy with the selection of the underlying
> >   AES cipher for LRW encrypt (but not for LRW decrypt).
> >
> Actually, this makes no sense at all as crypto_skcipher_alloc 
> does not even see the direction you're going to use in your 
> requests. Still, it is what I consistently see happening in 
> the tcrypt logging. Weird!

There's a known bug when the extra self-tests are enabled, where the first
allocation of an algorithm actually returns the generic implementation, not the
highest priority implementation.  See:
https://lkml.kernel.org/linux-crypto/20190409181608.GA122471@gmail.com/
Does that explain what you saw?

> 
> > - xts-aes-aesni (and the xts.c wrapper?) appear(s) broken in
> >   some way not detected by testmgr but affecting tcrypt use,
> >   while the inside-secure driver's local xts works just fine
> > 

Is this reproducible without any local patches?  If so, can you provide clear
reproduction steps?

- Eric

^ permalink raw reply	[flat|nested] 7+ messages in thread

* RE: XTS template wrapping question
  2019-08-09 16:46 ` Eric Biggers
@ 2019-08-09 21:49   ` Pascal Van Leeuwen
  0 siblings, 0 replies; 7+ messages in thread
From: Pascal Van Leeuwen @ 2019-08-09 21:49 UTC (permalink / raw)
  To: Eric Biggers; +Cc: linux-crypto, herbert, davem

> -----Original Message-----
> From: Eric Biggers <ebiggers@kernel.org>
> Sent: Friday, August 9, 2019 6:46 PM
> To: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>
> Cc: linux-crypto@vger.kernel.org; herbert@gondor.apana.org.au; davem@davemloft.net
> Subject: Re: XTS template wrapping question
> 
> On Fri, Aug 09, 2019 at 11:39:12AM +0000, Pascal Van Leeuwen wrote:
> > Herbert, Eric,
> >
> > While working on the XTS template, I noticed that it is being used
> > (e.g. from testmgr, but also when explictly exported from other drivers)
> > as e.g. "xts(aes)", with the generic driver actually being
> > "xts(ecb(aes-generic))".
> >
> > While what I would expect would be "xts(ecb(aes))", the reason being
> > that plain "aes" is defined as a single block cipher while the XTS
> > template actually efficiently wraps an skcipher (like ecb(aes)).
> > The generic driver reference actually proves this point.
> >
> > The problem with XTS being used without the ecb template in between,
> > is that hardware accelerators will typically advertise an ecb(aes)
> > skcipher and the current approach makes it impossible to leverage
> > that for XTS (while the XTS template *could* actually do that
> > efficiently, from what I understand from the code ...).
> > Advertising a single block "aes" cipher from a hardware accelerator
> > unfortunately defeats the purpose of acceleration.
> >
> > I also wonder what happens if aes-generic is the only AES
> > implementation available? How would the crypto API know it needs to
> > do "xts(aes)" as "xts(ecb(aes))" without some explicit export?
> > (And I don't see how xts(aes) would work directly, considering
> > that only seems to handle single cipher blocks? Or ... will
> > the crypto API actually wrap some multi-block skcipher thing
> > around the single block cipher instance automatically??)
> >
> 
> "xts(aes)" is the cra_name for AES-XTS, while everything else (e.g.
> "xts(ecb(aes-generic))", "xts-aes-aesni", "xts(ecb-aes-aesni)")
> is a cra_driver_name for AES-XTS.
> 
> "xts(ecb(aes))" doesn't make sense, as it's neither the cra_name nor does it
> name a specific implementation.
> 
Hmmm ... but if xts(aes) wants to wrap around an aes skcipher implementation,
it will have to search for "ecb(aes)". Since "aes" would give it a single
cipher block (generic) implementation that wouldn't work.
And it adds the "ecb(" somewhere under water in the wrapper, which is very
confusing if you don't know about that.
As it is confusing that there is an "aes" and an "ecb(aes)", aes being a
blockcipher and ecb not being a mode at all, but just the bare cipher.

Considering my hw driver actually exports ecb(aes) and NOT aes due to this,
xts(ecb(aes)) actually would have made MORE sense, IMNSHO.
(implementation wise, not semantically)

The whole thing would have been different if "ecb(aes)" had been just "aes".

> See create() in crypto/xts.c.  It allows the XTS template to be passed either
> the string "aes", *or* a string which names an *implementation* of "ecb(aes)",
> like "ecb(aes-generic)" or "ecb-aes-aesni".  In the first case it allocates
> "ecb(aes)" so it gets the highest priority AES-ECB implementation.
> 
> So in both cases the XTS template uses AES-ECB via the skcipher API.
> 
> - Eric
>
Yes, thanks I figured that out by now ...

Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
www.insidesecure.com


^ permalink raw reply	[flat|nested] 7+ messages in thread

* RE: XTS template wrapping question
  2019-08-09 17:06     ` Eric Biggers
@ 2019-08-09 21:55       ` Pascal Van Leeuwen
  0 siblings, 0 replies; 7+ messages in thread
From: Pascal Van Leeuwen @ 2019-08-09 21:55 UTC (permalink / raw)
  To: Eric Biggers; +Cc: linux-crypto, herbert, davem

> -----Original Message-----
> From: Eric Biggers <ebiggers@kernel.org>
> Sent: Friday, August 9, 2019 7:07 PM
> To: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>
> Cc: linux-crypto@vger.kernel.org; herbert@gondor.apana.org.au; davem@davemloft.net
> Subject: Re: XTS template wrapping question
> 
> On Fri, Aug 09, 2019 at 03:06:23PM +0000, Pascal Van Leeuwen wrote:
> > > -----Original Message-----
> > > From: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>
> > > Sent: Friday, August 9, 2019 4:18 PM
> > > To: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>; linux-crypto@vger.kernel.org;
> > > herbert@gondor.apana.org.au; davem@davemloft.net; Eric Biggers <ebiggers@kernel.org>
> > > Subject: RE: XTS template wrapping question
> > >
> > > > -----Original Message-----
> > > > From: linux-crypto-owner@vger.kernel.org <linux-crypto-owner@vger.kernel.org> On Behalf
> > > Of
> > > > Pascal Van Leeuwen
> > > > Sent: Friday, August 9, 2019 1:39 PM
> > > > To: linux-crypto@vger.kernel.org; herbert@gondor.apana.org.au; davem@davemloft.net;
> Eric
> > > > Biggers <ebiggers@kernel.org>
> > > > Subject: XTS template wrapping question
> > > >
> > > > Herbert, Eric,
> > > >
> > > > While working on the XTS template, I noticed that it is being used
> > > > (e.g. from testmgr, but also when explictly exported from other drivers)
> > > > as e.g. "xts(aes)", with the generic driver actually being
> > > > "xts(ecb(aes-generic))".
> > > >
> > > > While what I would expect would be "xts(ecb(aes))", the reason being
> > > > that plain "aes" is defined as a single block cipher while the XTS
> > > > template actually efficiently wraps an skcipher (like ecb(aes)).
> > > > The generic driver reference actually proves this point.
> > > >
> > > > The problem with XTS being used without the ecb template in between,
> > > > is that hardware accelerators will typically advertise an ecb(aes)
> > > > skcipher and the current approach makes it impossible to leverage
> > > > that for XTS (while the XTS template *could* actually do that
> > > > efficiently, from what I understand from the code ...).
> > > > Advertising a single block "aes" cipher from a hardware accelerator
> > > > unfortunately defeats the purpose of acceleration.
> > > >
> > > > I also wonder what happens if aes-generic is the only AES
> > > > implementation available? How would the crypto API know it needs to
> > > > do "xts(aes)" as "xts(ecb(aes))" without some explicit export?
> > > > (And I don't see how xts(aes) would work directly, considering
> > > > that only seems to handle single cipher blocks? Or ... will
> > > > the crypto API actually wrap some multi-block skcipher thing
> > > > around the single block cipher instance automatically??)
> > > >
> > > Actually, the above was based on observations from testmgr, which
> > > doesn't seem to test xts(safexcel-ecb-aes) even though I gave that
> > > a very high .cra_priority as well as that what is advertised under
> > > /proc/crypto, which does not include such a thing either.
> > >
> > > However, playing with tcrypt mode=600 shows some interesting
> > > results:
> > >
> > > WITHOUT the inside-secure driver loaded, both LRW encrypt and
> > > decrypt run on top of ecb-aes-aesni as you would expect.
> > > Both xts encrypt and decrypt give a "failed to load transform"
> > > with an error code of -80. Strange ... -80 = ELIBBAD??
> > > (Do note that the selftest of xts(aes) using xts-aesni worked
> > > just fine according to /proc/crypto!)
> > >
> > > WITH the inside-secure driver loaded, NOT advertising xts(aes)
> > > itself and everything at cra_priority of 300: same (expected).
> > >
> > > WITH the inside-secure driver loaded, NOT advertising xts(aes)
> > > itself and everything safexcel at cra_priority of 2000:
> > > LRW decrypt now runs on top of safexcel-ecb-aes, but LRW
> > > encrypt now runs on top of aes-generic? This makes no sense as
> > > the encrypt datapath structure is the same as for decrypt so
> > > it should run just fine on top of safexcel-ecb-aes. And besides
> > > that, why drop from aesni all the way down to aes-generic??
> > > xts encrypt and decrypt still give the -80 error, while you
> > > would expect that to now run using the xts wrapper around
> > > safexcel-ecb-aes (but no way to tell if that's happening).
> > >
> > > WITH the inside-secure driver loaded, advertising xts(aes)
> > > itself and everything at cra_priority of 2000:
> > > still the same LRW assymmetry as mentioned above, but
> > > xts encrypt and decrypt now work fine using safexcel-aes-xts
> > >
> > > Conclusions from the above:
> > >
> > > - There's something fishy with the selection of the underlying
> > >   AES cipher for LRW encrypt (but not for LRW decrypt).
> > >
> > Actually, this makes no sense at all as crypto_skcipher_alloc
> > does not even see the direction you're going to use in your
> > requests. Still, it is what I consistently see happening in
> > the tcrypt logging. Weird!
> 
> There's a known bug when the extra self-tests are enabled, where the first
> allocation of an algorithm actually returns the generic implementation, not the
> highest priority implementation.  See:
> https://lkml.kernel.org/linux-crypto/20190409181608.GA122471@gmail.com/
> Does that explain what you saw?
> 
Ah! That must indeed be the same problem. Encrypt is first here, so
that apparently gets generic and then decrypt gets the hw version.
So I guess that bug does not just apply to the self tests then ...(!)

> >
> > > - xts-aes-aesni (and the xts.c wrapper?) appear(s) broken in
> > >   some way not detected by testmgr but affecting tcrypt use,
> > >   while the inside-secure driver's local xts works just fine
> > >
> 
> Is this reproducible without any local patches?  If so, can you provide clear
> reproduction steps?
> 
I'm not aware of any local patches. I tried it after backing out the 
xts.c stuff Ard and I have been working on regarding CTS and that still 
failed.

Just try:
modprobe tcrypt mode=600 sec=1 num_mb=100

On a system that has aesni has the highest priority implementation.

> - Eric



Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
www.insidesecure.com


^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, back to index

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-08-09 11:39 XTS template wrapping question Pascal Van Leeuwen
2019-08-09 14:18 ` Pascal Van Leeuwen
2019-08-09 15:06   ` Pascal Van Leeuwen
2019-08-09 17:06     ` Eric Biggers
2019-08-09 21:55       ` Pascal Van Leeuwen
2019-08-09 16:46 ` Eric Biggers
2019-08-09 21:49   ` Pascal Van Leeuwen

Linux-Crypto Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/linux-crypto/0 linux-crypto/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 linux-crypto linux-crypto/ https://lore.kernel.org/linux-crypto \
		linux-crypto@vger.kernel.org linux-crypto@archiver.kernel.org
	public-inbox-index linux-crypto


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.linux-crypto


AGPL code for this site: git clone https://public-inbox.org/ public-inbox