Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp155351imu; Tue, 8 Jan 2019 16:47:05 -0800 (PST) X-Google-Smtp-Source: ALg8bN4CJV4WAyfTHvYcMHpldlEk9e++N+XGZyw71Nar9+v7nbV+t1FarQf0o4OBSgyZm0itgnx8 X-Received: by 2002:a63:62c4:: with SMTP id w187mr3217259pgb.230.1546994825045; Tue, 08 Jan 2019 16:47:05 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1546994825; cv=none; d=google.com; s=arc-20160816; b=dkiDuFcfajf8OljdPKn93xtmtmog2E2bzZluZpBGYWCpOBKNggfCV580pfGYfVDYw5 WvAFTusXND6vSuEpKPZ5SOhi8Ef/BRGv3tzw5fv7ia1fyI39IGkOdhpzobjGdrLb/wEo 4T3F4KyL1F7cycPOnDiY4P56qaAdXKNbXOIEJwnS0i7t7EAfnnZpBtyFbi1y3Ze+NT0m NWzEsrf68JTVFfuofwEGEHht9lgae0do0+NXDduIa7STM5tfKL3+Fz+2AG1Bh9CV/duh 9wRIszfwxNkLuoL4CAbHgfh4Ew0hGnTji8KjhNceVbLgmZhEQu3rK56kZU8BCqzm2k6K nZkg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:date:cc:to:from:subject:message-id :dkim-signature; bh=jgV1A3h0xGX82m5vldJefgRRWSUw46ANrMuQhFxd7Eo=; b=gb0PAii4MIcvQObZ3ToSmOJzj0yGHB+NYouSeSvlAK8Gk3in6VZPN7p7PrWeCxQODr gOvsFfPIRHp7k1VufrFE569dd/v7Qapkiey1W6cG9vzcgNsFeEBmHO09vFqiaTtNzPb1 gmoPqHWnh1uCYXOtlv8n+Dr1bSZtHBGHHe3mLjudBK8Qi4S9i3QV+5j5V4Ncw9jA2A3W q7qZ+Iu5cvMnhR9qGmj4SRT1Bp99/ZhZGRMiXpJ+A+0NfauazJotVB1arbNwplpYk5Ch RpnZfTqJv9IB1RWZQkko4riEP/J2/OqkqGz53mhhssiBHvjT2qEoWgy9ipJXH/LwPJNv 4R7A== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b="j8N/MBbn"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c21si15124225plo.165.2019.01.08.16.46.47; Tue, 08 Jan 2019 16:47:04 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@hansenpartnership.com header.s=20151216 header.b="j8N/MBbn"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=hansenpartnership.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729042AbfAIAof (ORCPT + 99 others); Tue, 8 Jan 2019 19:44:35 -0500 Received: from bedivere.hansenpartnership.com ([66.63.167.143]:55646 "EHLO bedivere.hansenpartnership.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728348AbfAIAoe (ORCPT ); Tue, 8 Jan 2019 19:44:34 -0500 Received: from localhost (localhost [127.0.0.1]) by bedivere.hansenpartnership.com (Postfix) with ESMTP id 3B2378EE42E; Tue, 8 Jan 2019 16:44:33 -0800 (PST) Received: from bedivere.hansenpartnership.com ([127.0.0.1]) by localhost (bedivere.hansenpartnership.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KHomr7pM1keH; Tue, 8 Jan 2019 16:44:33 -0800 (PST) Received: from [153.66.254.194] (unknown [50.35.68.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by bedivere.hansenpartnership.com (Postfix) with ESMTPSA id 43CB98EE0CD; Tue, 8 Jan 2019 16:44:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=hansenpartnership.com; s=20151216; t=1546994672; bh=z5+d8DHLJ0gC18Ea1bZtZf+3A8M4EyUIZWv69mZ8sqk=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=j8N/MBbnjm/9Z5p/H29CMU+FljfT5XyRXjDassQUw47QTGBb25C4VYGh6uA5UnUqY tWlJofvQVNUdHAd3L8vz+3dvirjPVZTxdLCApNnaExbASUV72A3rMhAEJv6Ppa1SnA ng/6bhp8tiMgU/NZzaMRdx2mp1bdx7b4AueamdSI= Message-ID: <1546994671.6077.10.camel@HansenPartnership.com> Subject: Re: [PATCH 1/5 v2] PM / hibernate: Create snapshot keys handler From: James Bottomley To: Andy Lutomirski , Stephan Mueller Cc: Herbert Xu , "Lee, Chun-Yi" , "Rafael J . Wysocki" , Pavel Machek , linux-kernel@vger.kernel.org, linux-pm@vger.kernel.org, keyrings@vger.kernel.org, "Rafael J. Wysocki" , Chen Yu , Oliver Neukum , Ryan Chen , David Howells , Giovanni Gherdovich , Randy Dunlap , Jann Horn , Andy Lutomirski Date: Tue, 08 Jan 2019 16:44:31 -0800 In-Reply-To: References: <20190103143227.9138-1-jlee@suse.com> <4499700.LRS4F2YjjC@tauon.chronox.de> <20190108050358.llsox32hggn2jioe@gondor.apana.org.au> <1565399.7ulKdI1fm5@tauon.chronox.de> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.26.6 Mime-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 2019-01-08 at 15:54 -0800, Andy Lutomirski wrote: > > On Jan 7, 2019, at 11:09 PM, Stephan Mueller > > wrote: > > > > Am Dienstag, 8. Januar 2019, 06:03:58 CET schrieb Herbert Xu: > > > > Hi Herbert, > > > > > Are we going to have multiple implementations for the same KDF? > > > If not then the crypto API is not a good fit. To consolidate > > > multiple implementations of the same KDF, simply provide helpers > > > for them. > > > > It is unlikely to have multiple implementations of a KDF. However, > > KDFs relate to hashes like block chaining modes to raw block > > ciphers. Thus a KDF can be applied with different hashes. > > > > My idea was to add template support to RNGs (because KDFs are > > effectively a type of RNG since they produce an arbitrary output > > from a fixed input). The KDFs would be a template wrapping hashes. > > For example, the CTR-KDF from SP800-108 could be instantiated like > > kdf-ctr(sha256). > > > > > > I think that, if the crypto API is going to grow a KDF facility, it > should be done right. Have a key type or flag or whatever that says > “this key may *only* be used to derive keys using such-and-such > algorithm”, and have a helper to derive a key. That helper should > take some useful parameters and mix them in: > > - What type of key is being derived? ECDSA signing key? HMAC > key? AES key? > > - Can user code access the derived key? > > - What is the key’s purpose? “Encrypt and authenticate a hibernation > image” would be a purpose. > > - Number of bytes. > > All of these parameters should be mixed in to the key derivation. > > Also, an AE key, even for AES+HMAC, should be just one derived > key. If you need 512 bits, ask for a 512-bit key, not two 256-bit > keys. Actually, it would be enormously helpful if we could reuse these pieces for the TPM as well. It has two KDFs: KDFa, which is the CTR-KDF from SP800-108 and KDFe which is the SP800-56A KDF for elliptic curve one pass Diffie Hellman, so if we're going to do the former, I'd really like the latter as well. The way the TPM parametrises input to both KDFs is (hashAlg, key, label, contextU, contextV, bits) Where hashAlg = the hash algorithm used as the PRF key = the input parameter of variable bit size or the x co-ordinate of the shared point label = An ASCII string representing the use contextU = public input U contextV = public input V bits = number of output bits Is that a good enough parametrisation (not the only way you distinguish uses is with the label, which is not recoverable)? ContextU and ContextV are simply concatenated to form the full Context of SP800-108, but we tend to need two separate inputs (for KDFe they're the public x co-ordinates of the points of the two inputs to ECDH for instance; in KDFa they're usually the local and remote nonces). The labels for TPM usage are things like "INTEGRITY" for HMAC keys or "CFB" when generating an aes128-cfb session key. For KDFe, the tpm seems to like the label "SECRET". Although the TPM specifies fixed short strings for the label, nothing prevents them being longer like the purpose you state above (essentially we could mix purpose, use and key type into the label and the contexts). From the point of view of accelerators, the only thing you really need to know is the hash algorthim (PRF), because everything else above is an input to the function, so I suppose it makes sense to name them as kdf-X(PRF) where X would be ctr or ecdh and PRF would be a hash. James