linux-kernel.vger.kernel.org archive mirror
From: Mike Snitzer <snitzer@redhat.com>
To: Milan Broz <gmazyland@gmail.com>
Cc: Thibaut Sautereau <thibaut.sautereau@clip-os.org>,
	dm-devel@redhat.com, Alasdair Kergon <agk@redhat.com>,
	linux-kernel@vger.kernel.org
Subject: Re: dm-crypt error when CONFIG_CRYPTO_AUTHENC is disabled
Date: Fri, 20 Sep 2019 17:27:46 -0400
Message-ID: <20190920212746.GA22061@redhat.com>
In-Reply-To: <13e25b01-f344-ea1d-8f6c-9d0a60eb1e0f@gmail.com>

On Fri, Sep 20 2019 at  3:21pm -0400,
Milan Broz <gmazyland@gmail.com> wrote:

> On 20/09/2019 19:37, Mike Snitzer wrote:
> > On Fri, Sep 20 2019 at 11:44am -0400,
> > Thibaut Sautereau <thibaut.sautereau@clip-os.org> wrote:
> > 
> >> Hi,
> >>
> >> I just got a dm-crypt "crypt: Error allocating crypto tfm" error when
> >> trying to "cryptsetup open" a volume. I found out that it was only
> >> happening when I disabled CONFIG_CRYPTO_AUTHENC.
> >>
> >> drivers/md/dm-crypt.c includes the crypto/authenc.h header and seems to
> >> use some CRYPTO_AUTHENC-related stuff. Therefore, shouldn't
> >> CONFIG_DM_CRYPT select CONFIG_CRYPTO_AUTHENC?
> > 
> > Yes, it looks like commit ef43aa38063a6 ("dm crypt: add cryptographic
> > data integrity protection (authenticated encryption)") should've added
> > 'select CRYPTO_AUTHENC' to dm-crypt's Kconfig.  I'll let Milan weigh-in
> > but that seems like the right way forward.
> 
> No, I don't think so. It is like you use some algorithm that is just not compiled-in,
> or it is disabled in the current state (because of FIPS mode or so) - it fails
> to initialize it.
> 
> I think we should not force dm-crypt to depend on AEAD - most users
> do not use authenticated encryption, it is perfectly ok to keep this compiled out.
> 
> I do not see any principal difference from disabling any other crypto
> (if you disable XTS mode, it fails to open device that uses it).
> 
> IMO the current config dependence is ok.

That is a good point.  I hadn't considered the kernel compiles just fine
without CRYPTO_AUTHENC.. which it clearly does.

So I retract the question/thought of updating the Kconfig for dm-crypt
in my previous mail.

Though in hindsight: wonder whether the dm-integrity based dm-crypt
authenticated encryption support should have been exposed as a proper
CONFIG option within the DM_CRYPT section?  Rather than lean on the
crypto subsystem to happily stub out the dm-crypt AEAD and AUTHENC
related code dm-crypt could've established #ifdef boundaries for that
code.

I'm open to suggestions and/or confirmation that the way things are now
is perfectly fine.  But I do see this report as something that should
drive some improvement.

Mike
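
The failure mode discussed in this thread can be checked before opening a volume. The following is an added example, not part of the thread or of the dm-crypt sources: it splits a crypto API algorithm string into its component names and reports which CONFIG_CRYPTO_* symbols are not enabled in a kernel config. The sample config, the algorithm strings and the name-to-symbol mapping are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list the crypto Kconfig symbols an algorithm string needs
# and report which of them are not enabled in a kernel config.

# Constructed sample config (not from the thread): AUTHENC compiled out.
SAMPLE_CONFIG='CONFIG_DM_CRYPT=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_XTS=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_SHA256=y
# CONFIG_CRYPTO_AUTHENC is not set'

# Split a spec such as "authenc(hmac(sha256),xts(aes))" into its template and
# algorithm names and map each one to CONFIG_CRYPTO_<NAME>.
# Assumption: the upper-cased name equals the Kconfig symbol. That holds for
# the names used here but not for every algorithm in the kernel.
required_symbols() {
    printf '%s\n' "$1" | tr '(),' '\n\n\n' | sed '/^$/d' |
        tr 'a-z' 'A-Z' | sed 's/^/CONFIG_CRYPTO_/' | sort -u
}

# Print every required symbol that is neither =y nor =m in the config text.
# A line of the form "# CONFIG_X is not set" counts as missing.
missing_symbols() {
    spec=$1
    config=$2
    for sym in $(required_symbols "$spec"); do
        printf '%s\n' "$config" | grep -Eq "^${sym}=(y|m)\$" ||
            printf '%s\n' "$sym"
    done
}

# On a running system the config text could come from /proc/config.gz or
# /boot/config-$(uname -r), where the distribution provides one of them.
echo "authenticated encryption spec, missing symbols:"
missing_symbols 'authenc(hmac(sha256),xts(aes))' "$SAMPLE_CONFIG"
echo "plain XTS spec, missing symbols:"
missing_symbols 'xts(aes)' "$SAMPLE_CONFIG"
```

An empty result only means the symbols are built; an algorithm can still be unavailable at run time, for example when it is disabled in FIPS mode as mentioned above.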
