linux-kernel.vger.kernel.org archive mirror
From: Paolo Bonzini <pbonzini@redhat.com>
To: "Pascal Van Leeuwen" <pvanleeuwen@insidesecure.com>,
	"Hao Feng" <fenghao@hygon.cn>,
	"'Tom Lendacky '" <thomas.lendacky@amd.com>,
	"'Gary Hook '" <gary.hook@amd.com>,
	"'Herbert Xu '" <herbert@gondor.apana.org.au>,
	"' David S. Miller '" <davem@davemloft.net>,
	"'Janakarajan Natarajan '" <Janakarajan.Natarajan@amd.com>,
	"'Joerg Roedel '" <joro@8bytes.org>,
	"' Radim Krčmář '" <rkrcmar@redhat.com>,
	"'Thomas Gleixner '" <tglx@linutronix.de>,
	"'Ingo Molnar '" <mingo@redhat.com>,
	"'Borislav Petkov '" <bp@alien8.de>,
	"' H. Peter Anvin '" <hpa@zytor.com>
Cc: 'Zhaohui Du ' <duzhaohui@hygon.cn>,
	'Zhiwei Ying ' <yingzhiwei@hygon.cn>, 'Wen Pu ' <puwen@hygon.cn>,
	"x86@kernel.org" <x86@kernel.org>,
	"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
	"kvm@vger.kernel.org" <kvm@vger.kernel.org>,
	"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH 0/6] Add Hygon SEV support
Date: Tue, 16 Apr 2019 10:09:29 +0200
Message-ID: <985108b1-6d51-4458-48de-c5b96c5f14f9@redhat.com>
In-Reply-To: <AM6PR09MB35234C86C0502E1FAAB3A305D2240@AM6PR09MB3523.eurprd09.prod.outlook.com>

On 16/04/19 08:58, Pascal Van Leeuwen wrote:
>>> Besides that, they are in heavy practical use in mainland China, 
>>> usually as direct replacements for SHA2-256 and AES in whatever 
>>> protocol or use case you need: IPsec, TLS, WPA2, XTS for disk encryption,
>>> you name it.
>>
>> How should that mean anything?
>
> Uhm ... no, the fact that something is actually *useful* to potentially
> a billion plus people doesn't mean anything ...

Useful does not mean secure, does it?  PKZIP encryption was certainly
useful back in the day, but it was not secure.

>> I did educate myself a bit, but I'm not an expert in cryptography, so I
>> would like to be sure that these are not another Speck or DUAL-EC-DRBG.
>
> Innocent until proven guilty mean anything to you?

This is not a court of justice, it's a software project.  For that
matter "certainty beyond reasonable doubt" is not a thing either in this
context.

>>  "SM2 is based on ECC(Elliptic Curve Cryptography), and uses a special
>> curve" is enough for me to see warning signs, at least without further
>> explanations,
>>
> The specification is public (if you can read Chinese, anyway), so open to
> analysis. Either way, it's quite irrelevant to Chinese organisations that
> HAVE to use SM2. And anyone else can just decide NOT to use it, you don't
> even have to compile it into your kernel. It's called freedom.

"Freedom" didn't apply when Speck was proposed for inclusion in Linux,
and I would like to make sure I don't make a mistake when adding crypto
interfaces.  If SM2/3/4 were broken, I couldn't care less if someone HAS
to use them, they can patch their kernel.  But if they're not then I
appreciate that you wrote to correct me, it's helpful.  Please
understand that 99% of the community has not ever heard of anything but
SHA-{1,2,3}, ECDSA, Ed25519, AES.  If somebody comes up with a patch
with "strange" crypto, it's up to them to say that they are secure---and
again, the key word is secure, not useful.

Paolo

>> and so does the fact that the initial SM3 values were
>> changed from SHA-2 and AFAICT there is no public justification for
>> that.
>>
> Actually, SM3 is an *improvement* on SHA-2, and there has been ample
> analysis done on that to, in fact, confirm it's (slightly) better.
> So there IS public justification. Don't shout if you don't know the
> facts.
