From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: linux-crypto@vger.kernel.org
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
Eric Biggers <ebiggers@google.com>,
dm-devel@redhat.com, linux-fscrypt@vger.kernel.org,
Gilad Ben-Yossef <gilad@benyossef.com>,
Milan Broz <gmazyland@gmail.com>
Subject: [PATCH v12 0/4] crypto: switch to crypto API for ESSIV generation
Date: Thu, 15 Aug 2019 22:28:54 +0300 [thread overview]
Message-ID: <20190815192858.28125-1-ard.biesheuvel@linaro.org> (raw)
This series creates an ESSIV template that produces a skcipher or AEAD
transform based on a tuple of the form '<skcipher>,<shash>' (or '<aead>,<shash>'
for the AEAD case). It exposes the encapsulated sync or async skcipher/aead by
passing through all operations, while using the cipher/shash pair to transform
the input IV into an ESSIV output IV.
Changes since v11:
- Avoid spawns for the ESSIV shash and cipher algos. Instead, the shash TFM is
allocated per-instance (which is appropriate since it is unkeyed and thus
stateless), and the cipher is allocated explicitly based on the parsed
skcipher/aead cra_name.
Changes since v10:
- Drop patches against fscrypt and dm-crypt - these will be routed via the
respective maintainer trees during the next cycle
- Fix error handling when parsing the cipher name from the skcipher cra_name
- Use existing ivsize temporary instead of retrieving it again
- Expose cra_name via module alias (#4)
Changes since v9:
- Fix cipher_api parsing bug that was introduced by dropping the cipher name
parsing patch in v9 (#3). Thanks to Milan for finding it.
- Fix a couple of instances where the old essiv(x,y,z) format was used in
comments instead of the essiv(x,z) format we adopted in v9
Changes since v8:
- Remove 'cipher' argument from essiv() template, and instead, parse the
cra_name of the skcipher to obtain the cipher. This is slightly cleaner
than what dm-crypt currently does, since we can get the cra_name from the
spawn, and we don't have to actually allocate the TFM. Since this implies
that dm-crypt does not need to provide the cipher, we can drop the parsing
code from it entirely (assuming the eboiv patch I sent out recently is
applied first) (patch #7)
- Restrict the essiv() AEAD instantiation to AEADs whose cra_name starts with
'authenc('
- Rebase onto cryptodev/master
- Drop dm-crypt to reorder/refactor cipher name parsing, since it was wrong
and it is no longer needed.
- Drop Milan's R-b since the code has changed
- Fix bug in accelerated arm64 implementation.
Changes since v7:
- rebase onto cryptodev/master
- drop change to ivsize in #2
- add Milan's R-b's
Changes since v6:
- make CRYPTO_ESSIV user selectable so we can opt out of selecting it even
if FS_ENCRYPTION (which cannot be built as a module) is enabled
- move a comment along with the code it referred to (#3), not that this change
and removing some redundant braces makes the diff look totally different
- add Milan's R-b to #3 and #4
Changes since v5:
- drop redundant #includes and drop some unneeded braces (#2)
- add test case for essiv(authenc(hmac(sha256),cbc(aes)),aes,sha256)
- make ESSIV driver deal with assoc data that is described by more than two
scatterlist entries - this only happens when the extended tests are being
performed, so don't optimize for it
- clarify that both fscrypt and dm-crypt only use ESSIV in special cases (#7)
Changes since v4:
- make the ESSIV template IV size equal the IV size of the encapsulated
cipher - defining it as 8 bytes was needlessly restrictive, and also
complicated the code for no reason
- add a missing kfree() spotted by Smatch
- add additional algo length name checks when constructing the essiv()
cipher name
- reinstate the 'essiv' IV generation implementation in dm-crypt, but
make its generation function identical to plain64le (and drop the other
methods)
- fix a bug in the arm64 CE/NEON code
- simplify the arm64 code by reusing more of the existing CBC implementation
(patch #6 is new to this series and was added for this reason)
Changes since v3:
- address various review comments from Eric on patch #1
- use Kconfig's 'imply' instead of 'select' to permit CRYPTO_ESSIV to be
enabled as a module or disabled entirely even if fscrypt is compiled in (#2)
- fix an issue in the AEAD encrypt path caused by the IV being clobbered by
the inner skcipher before the hmac was being calculated
Changes since v2:
- fixed a couple of bugs that snuck in after I'd done the bulk of my
testing
- some cosmetic tweaks to the ESSIV template skcipher setkey function
to align it with the aead one
- add a test case for essiv(cbc(aes),aes,sha256)
- add an accelerated implementation for arm64 that combines the IV
derivation and the actual en/decryption in a single asm routine
Code can be found here
https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=essiv-v11
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Eric Biggers <ebiggers@google.com>
Cc: dm-devel@redhat.com
Cc: linux-fscrypt@vger.kernel.org
Cc: Gilad Ben-Yossef <gilad@benyossef.com>
Cc: Milan Broz <gmazyland@gmail.com>
Ard Biesheuvel (4):
crypto: essiv - create wrapper template for ESSIV generation
crypto: essiv - add tests for essiv in cbc(aes)+sha256 mode
crypto: arm64/aes-cts-cbc - factor out CBC en/decryption of a walk
crypto: arm64/aes - implement accelerated ESSIV/CBC mode
arch/arm64/crypto/aes-glue.c | 206 +++++--
arch/arm64/crypto/aes-modes.S | 28 +
crypto/Kconfig | 28 +
crypto/Makefile | 1 +
crypto/essiv.c | 645 ++++++++++++++++++++
crypto/tcrypt.c | 9 +
crypto/testmgr.c | 14 +
crypto/testmgr.h | 497 +++++++++++++++
8 files changed, 1386 insertions(+), 42 deletions(-)
create mode 100644 crypto/essiv.c
--
2.17.1
WARNING: multiple messages have this Message-ID (diff)
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: linux-crypto@vger.kernel.org
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
Eric Biggers <ebiggers@google.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
linux-fscrypt@vger.kernel.org,
Gilad Ben-Yossef <gilad@benyossef.com>,
dm-devel@redhat.com, Milan Broz <gmazyland@gmail.com>
Subject: [dm-devel] [PATCH v12 0/4] crypto: switch to crypto API for ESSIV generation
Date: Thu, 15 Aug 2019 22:28:54 +0300 [thread overview]
Message-ID: <20190815192858.28125-1-ard.biesheuvel@linaro.org> (raw)
This series creates an ESSIV template that produces a skcipher or AEAD
transform based on a tuple of the form '<skcipher>,<shash>' (or '<aead>,<shash>'
for the AEAD case). It exposes the encapsulated sync or async skcipher/aead by
passing through all operations, while using the cipher/shash pair to transform
the input IV into an ESSIV output IV.
Changes since v11:
- Avoid spawns for the ESSIV shash and cipher algos. Instead, the shash TFM is
allocated per-instance (which is appropriate since it is unkeyed and thus
stateless), and the cipher is allocated explicitly based on the parsed
skcipher/aead cra_name.
Changes since v10:
- Drop patches against fscrypt and dm-crypt - these will be routed via the
respective maintainer trees during the next cycle
- Fix error handling when parsing the cipher name from the skcipher cra_name
- Use existing ivsize temporary instead of retrieving it again
- Expose cra_name via module alias (#4)
Changes since v9:
- Fix cipher_api parsing bug that was introduced by dropping the cipher name
parsing patch in v9 (#3). Thanks to Milan for finding it.
- Fix a couple of instances where the old essiv(x,y,z) format was used in
comments instead of the essiv(x,z) format we adopted in v9
Changes since v8:
- Remove 'cipher' argument from essiv() template, and instead, parse the
cra_name of the skcipher to obtain the cipher. This is slightly cleaner
than what dm-crypt currently does, since we can get the cra_name from the
spawn, and we don't have to actually allocate the TFM. Since this implies
that dm-crypt does not need to provide the cipher, we can drop the parsing
code from it entirely (assuming the eboiv patch I sent out recently is
applied first) (patch #7)
- Restrict the essiv() AEAD instantiation to AEADs whose cra_name starts with
'authenc('
- Rebase onto cryptodev/master
- Drop dm-crypt to reorder/refactor cipher name parsing, since it was wrong
and it is no longer needed.
- Drop Milan's R-b since the code has changed
- Fix bug in accelerated arm64 implementation.
Changes since v7:
- rebase onto cryptodev/master
- drop change to ivsize in #2
- add Milan's R-b's
Changes since v6:
- make CRYPTO_ESSIV user selectable so we can opt out of selecting it even
if FS_ENCRYPTION (which cannot be built as a module) is enabled
- move a comment along with the code it referred to (#3), not that this change
and removing some redundant braces makes the diff look totally different
- add Milan's R-b to #3 and #4
Changes since v5:
- drop redundant #includes and drop some unneeded braces (#2)
- add test case for essiv(authenc(hmac(sha256),cbc(aes)),aes,sha256)
- make ESSIV driver deal with assoc data that is described by more than two
scatterlist entries - this only happens when the extended tests are being
performed, so don't optimize for it
- clarify that both fscrypt and dm-crypt only use ESSIV in special cases (#7)
Changes since v4:
- make the ESSIV template IV size equal the IV size of the encapsulated
cipher - defining it as 8 bytes was needlessly restrictive, and also
complicated the code for no reason
- add a missing kfree() spotted by Smatch
- add additional algo length name checks when constructing the essiv()
cipher name
- reinstate the 'essiv' IV generation implementation in dm-crypt, but
make its generation function identical to plain64le (and drop the other
methods)
- fix a bug in the arm64 CE/NEON code
- simplify the arm64 code by reusing more of the existing CBC implementation
(patch #6 is new to this series and was added for this reason)
Changes since v3:
- address various review comments from Eric on patch #1
- use Kconfig's 'imply' instead of 'select' to permit CRYPTO_ESSIV to be
enabled as a module or disabled entirely even if fscrypt is compiled in (#2)
- fix an issue in the AEAD encrypt path caused by the IV being clobbered by
the inner skcipher before the hmac was being calculated
Changes since v2:
- fixed a couple of bugs that snuck in after I'd done the bulk of my
testing
- some cosmetic tweaks to the ESSIV template skcipher setkey function
to align it with the aead one
- add a test case for essiv(cbc(aes),aes,sha256)
- add an accelerated implementation for arm64 that combines the IV
derivation and the actual en/decryption in a single asm routine
Code can be found here
https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=essiv-v11
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Eric Biggers <ebiggers@google.com>
Cc: dm-devel@redhat.com
Cc: linux-fscrypt@vger.kernel.org
Cc: Gilad Ben-Yossef <gilad@benyossef.com>
Cc: Milan Broz <gmazyland@gmail.com>
Ard Biesheuvel (4):
crypto: essiv - create wrapper template for ESSIV generation
crypto: essiv - add tests for essiv in cbc(aes)+sha256 mode
crypto: arm64/aes-cts-cbc - factor out CBC en/decryption of a walk
crypto: arm64/aes - implement accelerated ESSIV/CBC mode
arch/arm64/crypto/aes-glue.c | 206 +++++--
arch/arm64/crypto/aes-modes.S | 28 +
crypto/Kconfig | 28 +
crypto/Makefile | 1 +
crypto/essiv.c | 645 ++++++++++++++++++++
crypto/tcrypt.c | 9 +
crypto/testmgr.c | 14 +
crypto/testmgr.h | 497 +++++++++++++++
8 files changed, 1386 insertions(+), 42 deletions(-)
create mode 100644 crypto/essiv.c
--
2.17.1
--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel
WARNING: multiple messages have this Message-ID (diff)
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: linux-crypto@vger.kernel.org
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
Eric Biggers <ebiggers@google.com>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
linux-fscrypt@vger.kernel.org,
Gilad Ben-Yossef <gilad@benyossef.com>,
dm-devel@redhat.com, Milan Broz <gmazyland@gmail.com>
Subject: [PATCH v12 0/4] crypto: switch to crypto API for ESSIV generation
Date: Thu, 15 Aug 2019 22:28:54 +0300 [thread overview]
Message-ID: <20190815192858.28125-1-ard.biesheuvel@linaro.org> (raw)
This series creates an ESSIV template that produces a skcipher or AEAD
transform based on a tuple of the form '<skcipher>,<shash>' (or '<aead>,<shash>'
for the AEAD case). It exposes the encapsulated sync or async skcipher/aead by
passing through all operations, while using the cipher/shash pair to transform
the input IV into an ESSIV output IV.
Changes since v11:
- Avoid spawns for the ESSIV shash and cipher algos. Instead, the shash TFM is
allocated per-instance (which is appropriate since it is unkeyed and thus
stateless), and the cipher is allocated explicitly based on the parsed
skcipher/aead cra_name.
Changes since v10:
- Drop patches against fscrypt and dm-crypt - these will be routed via the
respective maintainer trees during the next cycle
- Fix error handling when parsing the cipher name from the skcipher cra_name
- Use existing ivsize temporary instead of retrieving it again
- Expose cra_name via module alias (#4)
Changes since v9:
- Fix cipher_api parsing bug that was introduced by dropping the cipher name
parsing patch in v9 (#3). Thanks to Milan for finding it.
- Fix a couple of instances where the old essiv(x,y,z) format was used in
comments instead of the essiv(x,z) format we adopted in v9
Changes since v8:
- Remove 'cipher' argument from essiv() template, and instead, parse the
cra_name of the skcipher to obtain the cipher. This is slightly cleaner
than what dm-crypt currently does, since we can get the cra_name from the
spawn, and we don't have to actually allocate the TFM. Since this implies
that dm-crypt does not need to provide the cipher, we can drop the parsing
code from it entirely (assuming the eboiv patch I sent out recently is
applied first) (patch #7)
- Restrict the essiv() AEAD instantiation to AEADs whose cra_name starts with
'authenc('
- Rebase onto cryptodev/master
- Drop dm-crypt to reorder/refactor cipher name parsing, since it was wrong
and it is no longer needed.
- Drop Milan's R-b since the code has changed
- Fix bug in accelerated arm64 implementation.
Changes since v7:
- rebase onto cryptodev/master
- drop change to ivsize in #2
- add Milan's R-b's
Changes since v6:
- make CRYPTO_ESSIV user selectable so we can opt out of selecting it even
if FS_ENCRYPTION (which cannot be built as a module) is enabled
- move a comment along with the code it referred to (#3), not that this change
and removing some redundant braces makes the diff look totally different
- add Milan's R-b to #3 and #4
Changes since v5:
- drop redundant #includes and drop some unneeded braces (#2)
- add test case for essiv(authenc(hmac(sha256),cbc(aes)),aes,sha256)
- make ESSIV driver deal with assoc data that is described by more than two
scatterlist entries - this only happens when the extended tests are being
performed, so don't optimize for it
- clarify that both fscrypt and dm-crypt only use ESSIV in special cases (#7)
Changes since v4:
- make the ESSIV template IV size equal the IV size of the encapsulated
cipher - defining it as 8 bytes was needlessly restrictive, and also
complicated the code for no reason
- add a missing kfree() spotted by Smatch
- add additional algo length name checks when constructing the essiv()
cipher name
- reinstate the 'essiv' IV generation implementation in dm-crypt, but
make its generation function identical to plain64le (and drop the other
methods)
- fix a bug in the arm64 CE/NEON code
- simplify the arm64 code by reusing more of the existing CBC implementation
(patch #6 is new to this series and was added for this reason)
Changes since v3:
- address various review comments from Eric on patch #1
- use Kconfig's 'imply' instead of 'select' to permit CRYPTO_ESSIV to be
enabled as a module or disabled entirely even if fscrypt is compiled in (#2)
- fix an issue in the AEAD encrypt path caused by the IV being clobbered by
the inner skcipher before the hmac was being calculated
Changes since v2:
- fixed a couple of bugs that snuck in after I'd done the bulk of my
testing
- some cosmetic tweaks to the ESSIV template skcipher setkey function
to align it with the aead one
- add a test case for essiv(cbc(aes),aes,sha256)
- add an accelerated implementation for arm64 that combines the IV
derivation and the actual en/decryption in a single asm routine
Code can be found here
https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=essiv-v11
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Eric Biggers <ebiggers@google.com>
Cc: dm-devel@redhat.com
Cc: linux-fscrypt@vger.kernel.org
Cc: Gilad Ben-Yossef <gilad@benyossef.com>
Cc: Milan Broz <gmazyland@gmail.com>
Ard Biesheuvel (4):
crypto: essiv - create wrapper template for ESSIV generation
crypto: essiv - add tests for essiv in cbc(aes)+sha256 mode
crypto: arm64/aes-cts-cbc - factor out CBC en/decryption of a walk
crypto: arm64/aes - implement accelerated ESSIV/CBC mode
arch/arm64/crypto/aes-glue.c | 206 +++++--
arch/arm64/crypto/aes-modes.S | 28 +
crypto/Kconfig | 28 +
crypto/Makefile | 1 +
crypto/essiv.c | 645 ++++++++++++++++++++
crypto/tcrypt.c | 9 +
crypto/testmgr.c | 14 +
crypto/testmgr.h | 497 +++++++++++++++
8 files changed, 1386 insertions(+), 42 deletions(-)
create mode 100644 crypto/essiv.c
--
2.17.1
next reply other threads:[~2019-08-15 19:29 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-15 19:28 Ard Biesheuvel [this message]
2019-08-15 19:28 ` [PATCH v12 0/4] crypto: switch to crypto API for ESSIV generation Ard Biesheuvel
2019-08-15 19:28 ` [dm-devel] " Ard Biesheuvel
2019-08-15 19:28 ` [PATCH v12 1/4] crypto: essiv - create wrapper template " Ard Biesheuvel
2019-08-15 19:28 ` Ard Biesheuvel
2019-08-15 19:28 ` [dm-devel] " Ard Biesheuvel
2019-08-19 6:32 ` Herbert Xu
2019-08-19 6:32 ` Herbert Xu
2019-08-19 14:14 ` Ard Biesheuvel
2019-08-19 14:14 ` Ard Biesheuvel
2019-08-19 14:14 ` Ard Biesheuvel
2019-08-19 23:35 ` Herbert Xu
2019-08-19 23:35 ` Herbert Xu
2019-08-19 23:35 ` Herbert Xu
2019-08-15 19:28 ` [PATCH v12 2/4] crypto: essiv - add tests for essiv in cbc(aes)+sha256 mode Ard Biesheuvel
2019-08-15 19:28 ` Ard Biesheuvel
2019-08-15 19:28 ` [dm-devel] " Ard Biesheuvel
2019-08-15 19:28 ` [PATCH v12 3/4] crypto: arm64/aes-cts-cbc - factor out CBC en/decryption of a walk Ard Biesheuvel
2019-08-15 19:28 ` Ard Biesheuvel
2019-08-15 19:28 ` [dm-devel] " Ard Biesheuvel
2019-08-15 19:28 ` [PATCH v12 4/4] crypto: arm64/aes - implement accelerated ESSIV/CBC mode Ard Biesheuvel
2019-08-15 19:28 ` Ard Biesheuvel
2019-08-15 19:28 ` [dm-devel] " Ard Biesheuvel
2019-08-16 7:29 ` [PATCH v12 0/4] crypto: switch to crypto API for ESSIV generation Milan Broz
2019-08-16 7:29 ` Milan Broz
2019-08-16 8:18 ` Ard Biesheuvel
2019-08-16 8:18 ` Ard Biesheuvel
2019-08-16 8:18 ` Ard Biesheuvel
2019-08-16 8:26 ` Milan Broz
2019-08-16 8:26 ` Milan Broz
2019-08-16 8:26 ` Milan Broz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190815192858.28125-1-ard.biesheuvel@linaro.org \
--to=ard.biesheuvel@linaro.org \
--cc=dm-devel@redhat.com \
--cc=ebiggers@google.com \
--cc=gilad@benyossef.com \
--cc=gmazyland@gmail.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-fscrypt@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.