From: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Milan Broz <gmazyland@gmail.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
"dm-devel@redhat.com" <dm-devel@redhat.com>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
Horia Geanta <horia.geanta@nxp.com>
Subject: RE: [dm-devel] xts fuzz testing and lack of ciphertext stealing support
Date: Mon, 22 Jul 2019 09:44:39 +0000 [thread overview]
Message-ID: <MN2PR20MB2973B9C2DDC508A81AF4A207CAC40@MN2PR20MB2973.namprd20.prod.outlook.com> (raw)
In-Reply-To: <CAKv+Gu9UF+a1UhVU19g1XcLaEqEaAwwkSm3-2wTHEAdD-q4mLQ@mail.gmail.com>
> -----Original Message-----
> From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> Sent: Sunday, July 21, 2019 11:50 AM
> To: Milan Broz <gmazyland@gmail.com>
> Cc: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>; Herbert Xu <herbert@gondor.apana.org.au>; dm-devel@redhat.com; linux-
> crypto@vger.kernel.org; Horia Geanta <horia.geanta@nxp.com>
> Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing support
>
> On Sat, 20 Jul 2019 at 10:35, Milan Broz <gmazyland@gmail.com> wrote:
> >
> > On 20/07/2019 08:58, Eric Biggers wrote:
> > > On Thu, Jul 18, 2019 at 01:19:41PM +0200, Milan Broz wrote:
> > >> Also, I would like to avoid another "just because it is nicer" module dependence (XTS->XEX->ECB).
> > >> Last time (when XTS was reimplemented using ECB) we have many reports with initramfs
> > >> missing ECB module preventing boot from AES-XTS encrypted root after kernel upgrade...
> > >> Just saying. (Despite the last time it was keyring what broke encrypted boot ;-)
> > >>
> > >
> > > Can't the "missing modules in initramfs" issue be solved by using a
> > > MODULE_SOFTDEP()? Actually, why isn't that being used for xts -> ecb already?
> > >
> > > (There was also a bug where CONFIG_CRYPTO_XTS didn't select CONFIG_CRYPTO_ECB,
> > > but that was simply a bug, which was fixed.)
> >
> > Sure, and it is solved now. (Some systems with a hardcoded list of modules
> > have to be manually updated etc., but that is just bad design).
> > It can be done properly from the beginning.
> >
> > I just want to say that that switching to XEX looks like wasting time to me
> > for no additional benefit.
> >
> > Fully implementing XTS does make much more sense for me, even though it is long-term
> > the effort and the only user, for now, would be testmgr.
> >
> > So, there are no users because it does not work. It makes no sense
> > to implement it, because there are no users... (sorry, sounds like catch 22 :)
> >
> > (Maybe someone can use it for keyslot encryption for keys not aligned to
> > block size, dunno. Actually, some filesystem encryption could have use for it.)
> >
> > > Or "xts" and "xex" could go in the same kernel module xts.ko, which would make
> > > this a non-issue.
> >
> > If it is not available for users, I really see no reason to introduce XEX when
> > it is just XTS with full blocks.
> >
> > If it is visible to users, it needs some work in userspace - XEX (as XTS) need two keys,
> > people are already confused enough that 256bit key in AES-XTS means AES-128...
> > So the examples, hints, man pages need to be updated, at least.
> >
>
> OK, consider me persuaded. We are already exposing xts(...) to
> userland, and since we already implement a proper subset of true XTS,
> it will be simply a matter of making sure that the existing XTS
> implementations don't regress in performance on the non-CTS code
> paths.
>
> It would be useful, though, to have some generic helper functions,
> e.g., like the one we have for CBC, or the one I recently proposed for
> CTS, so that existing implementations (such as the bit sliced AES) can
> easily be augmented with a CTS code path (but performance may not be
> optimal in those cases). For the ARM implementations based on AES
> instructions, it should be reasonably straight forward to implement it
> close to optimally by reusing some of the code I added for CBC-CTS
> (but I won't get around to doing that for a while). If there are any
> volunteers for looking into the generic or x86/AES-NI implementations,
> please come forward :-) Also, if any of the publications that were
> quoted in this thread have suitable test vectors, that would be good
> to know.
Unfortunately, these algorithm & protocol specifications tend to be very frugal when it
comes to providing test vectors, barely scratching the surface of any corner cases, but
at least there is one non-multiple-of-16 vector in the original IEEE P1619 / D16
specification in Annex B Test Vectors (last vector, "XTS-AES-128 applied for a data unit
that is not a multiple of 16 bytes")
Besides that, I'd be happy to generate some testvectors from our defacto-standard
implementation ;-)
Regards,
Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Verimatrix
www.insidesecure.com
next prev parent reply other threads:[~2019-07-22 9:44 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-07-16 17:46 xts fuzz testing and lack of ciphertext stealing support Horia Geanta
2019-07-16 22:16 ` Eric Biggers
2019-07-17 17:09 ` Horia Geanta
2019-07-17 17:28 ` Eric Biggers
2019-07-17 18:08 ` Ard Biesheuvel
2019-07-18 6:52 ` Herbert Xu
2019-07-18 7:15 ` Ard Biesheuvel
2019-07-18 7:21 ` Herbert Xu
2019-07-18 7:28 ` Ard Biesheuvel
2019-07-18 7:50 ` Herbert Xu
2019-07-18 7:40 ` Milan Broz
2019-07-18 10:40 ` Pascal Van Leeuwen
2019-07-18 11:19 ` Milan Broz
2019-07-18 15:27 ` Herbert Xu
2019-07-20 6:58 ` [dm-devel] " Eric Biggers
2019-07-20 7:35 ` Milan Broz
2019-07-21 9:50 ` Ard Biesheuvel
2019-07-22 9:44 ` Pascal Van Leeuwen [this message]
2019-07-22 16:43 ` Ard Biesheuvel
2019-07-22 22:46 ` Pascal Van Leeuwen
2019-07-24 12:23 ` Pascal Van Leeuwen
2019-07-24 12:50 ` Pascal Van Leeuwen
2019-07-24 16:10 ` Pascal Van Leeuwen
2019-07-25 6:22 ` Ard Biesheuvel
2019-07-25 7:49 ` Pascal Van Leeuwen
2019-07-25 8:01 ` Ard Biesheuvel
2019-07-26 10:31 ` Pascal Van Leeuwen
2019-07-26 19:59 ` Horia Geanta
2019-07-26 21:43 ` Pascal Van Leeuwen
2019-07-27 5:39 ` Ard Biesheuvel
2019-07-27 12:56 ` Pascal Van Leeuwen
2019-07-27 16:04 ` Milan Broz
2019-08-04 8:36 ` Ard Biesheuvel
[not found] ` <20f4832e-e3af-e3c2-d946-13bf8c367a60@nxp.com>
2019-08-07 15:51 ` Horia Geanta
2019-08-07 20:57 ` Pascal Van Leeuwen
2019-08-08 14:50 ` Horia Geanta
2019-08-09 8:35 ` Pascal Van Leeuwen
2019-08-08 13:43 ` Pascal Van Leeuwen
2019-08-08 18:01 ` Horia Geanta
2019-08-09 2:48 ` Herbert Xu
2019-08-09 6:45 ` Ard Biesheuvel
2019-08-09 7:44 ` Horia Geanta
2019-08-09 17:49 ` Ard Biesheuvel
2019-08-09 20:57 ` Pascal Van Leeuwen
2019-08-10 4:39 ` Ard Biesheuvel
2019-08-11 11:12 ` Milan Broz
2019-08-11 20:34 ` Eric Biggers
2019-08-11 21:39 ` Pascal Van Leeuwen
2019-08-11 21:29 ` Pascal Van Leeuwen
2019-08-12 4:51 ` Herbert Xu
2019-08-11 21:15 ` Pascal Van Leeuwen
2019-08-11 22:24 ` Ard Biesheuvel
2019-08-12 1:04 ` Pascal Van Leeuwen
2019-07-18 15:29 ` Herbert Xu
2019-07-18 15:43 ` Pascal Van Leeuwen
2019-07-18 15:51 ` Herbert Xu
2019-07-18 16:19 ` Ard Biesheuvel
2019-07-18 16:22 ` Herbert Xu
2019-07-18 17:03 ` Pascal Van Leeuwen
2019-07-19 5:34 ` Ard Biesheuvel
2019-07-19 7:29 ` Pascal Van Leeuwen
2019-07-19 17:14 ` Ard Biesheuvel
2019-07-19 20:07 ` Pascal Van Leeuwen
2019-07-18 16:35 ` Pascal Van Leeuwen
2019-07-19 1:47 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=MN2PR20MB2973B9C2DDC508A81AF4A207CAC40@MN2PR20MB2973.namprd20.prod.outlook.com \
--to=pvanleeuwen@verimatrix.com \
--cc=ard.biesheuvel@linaro.org \
--cc=dm-devel@redhat.com \
--cc=gmazyland@gmail.com \
--cc=herbert@gondor.apana.org.au \
--cc=horia.geanta@nxp.com \
--cc=linux-crypto@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).