Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp2294366ybi;
        Mon, 17 Jun 2019 02:15:39 -0700 (PDT)
X-Google-Smtp-Source: APXvYqyb6gb6HBe4aWCzVc/OppDSeAKX9UpvsKmnF5knFlVQ/oYjfamqpy8kDyt6w4rCMAklTans
X-Received: by 2002:a62:1ec3:: with SMTP id e186mr113957864pfe.197.1560762939598;
        Mon, 17 Jun 2019 02:15:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1560762939; cv=none;
        d=google.com; s=arc-20160816;
        b=DD/FT8o40JzV/JoLM9WgSfFUcZWDbWOAzGsSDkjV3kW8TbW60y7bFJ+NY8VogagASn
         x+Ab3vZtQEAEINR8n3Ihb/iNsJbUmrrrcibyRnWyhyQvRl9JHyc/286XGUdrLyk0po8o
         iOL+B3NPKu5WvwxrOKIcD4iGEbArJ1JvoqJgT7pnyNppqXeHqUDF5CMMX2/TtBfnMkBS
         ZrwwnXT3JJwtoggOikpZISolcWnmbmov5JwCqjWw8bI2YU4GrvPT5HQvkPqiHrfzjb8U
         j16JldQfaj1Q6wpEGZbPZfIe1p3sCHVinAvf/mUFnGZnZwPuqSRTVxHYMoFg2i4429jG
         m89Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=BBlAq8Hgbk1PhfyJUI7i/pP6QgmDuBb0PZdu9I+mRE8=;
        b=lfwrLwBs7FnbO5rB10nCzypPED/Uxg+J7EnDUw3Mkb26KFyKXUj93x3MUKqjOvdvP7
         sj8vVZpyx2h/l5NfgHsQE02ahAi6pb4CVk/IOdR16sSA05G0yuYfo1R+6BWRjyE9qRIR
         Ne7nCUmOC3dZZjHwKEaThy0X7H/TX7U9nAvNFLnvPv8JEia9qWHT73QI6fWz6I2F2n5O
         M3WSdaHv+eDhYSwv4SBrb5nIZzJweK/DDfuIoxeyA729vgn5ZD5aj0zj8PWZCxgWWRxk
         DarRtS4LTdQgfFtBOFPsXxRoFKslzUC6XW5HYgkJG+NBdpXaCwzcgCA6ShQRDaTNvc3G
         vQQg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=WYpWGUjm;
       spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id d10si9272402plr.307.2019.06.17.02.15.23;
        Mon, 17 Jun 2019 02:15:39 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=WYpWGUjm;
       spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727806AbfFQJPO (ORCPT <rfc822;nullstelllensatz@gmail.com>
        + 99 others); Mon, 17 Jun 2019 05:15:14 -0400
Received: from mail-io1-f65.google.com ([209.85.166.65]:44768 "EHLO
        mail-io1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727323AbfFQJPN (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Mon, 17 Jun 2019 05:15:13 -0400
Received: by mail-io1-f65.google.com with SMTP id s7so19510118iob.11
        for <linux-crypto@vger.kernel.org>; Mon, 17 Jun 2019 02:15:13 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=BBlAq8Hgbk1PhfyJUI7i/pP6QgmDuBb0PZdu9I+mRE8=;
        b=WYpWGUjmF/b5U2DhXFfHaq8D+8s5go2/jFOJkLk2uW4kq/Fv7IjgWsCIoP43Tynt7H
         2blO6czII4FOD+tpOnQXimX+P037O7oXWstll/m5VLtgOnz5kU/beNS0K5g4+DUssMf8
         v127qxFMTsWiy5evx4nnTswUoRAa8OusVmK004aPXfXLNTQ29ioi4+qt3LdgKW5v7Adt
         CrF2/V2eQnw6tmt8vvq7hN31gUyYz8pwsXZajaxSBLTYz5WfRkyePZV4qr+pLxZWYGlC
         dBDm8qNvcoQd4zGwUNIu2drZ6m41Tg2gN6jU6vUjKCRfjbvfnQhz8dfskKQb57+eBbpc
         tY8Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=BBlAq8Hgbk1PhfyJUI7i/pP6QgmDuBb0PZdu9I+mRE8=;
        b=KO/JyJhgPkKXb46/L0KuDEt+Gx6+1GCrBLNF63LZ132JVM8Bjjt/bSoyPgI20H9wPC
         Rnm299J5dNDMd8HmQDEn6gne3F3Lie2gcPqkecBvm/IEoUo58gq7X6wtcX59soiNaQf6
         dXJ5TRXy9pZbGEx0YQ5icqUUYQ9I2sYQqdY99HZJPrcuQfjTl+bkLYb9D6jSGw4KmtNQ
         ZKMMbxk1E7iIAtQq/In5iwivalbhaGwhDVFOaL7GbAJcM+pJePvqRFQE2jNrg/JCOxLN
         Xujfz15rus1FY+yupOvZ4Fi1mX+A+mYdXFncZKd+rqB2NMnWj8NnsHhrUEh4Ql8GgVXQ
         mXyQ==
X-Gm-Message-State: APjAAAWXm6hk1xMOV8gv3PWOPDoCa+dVqZq9vLHXu9OLt80LUsRSXp7r
        q/6DtenL2Mieyv/Kw29id/2ik96Yo0nUWUWINL5Z1g==
X-Received: by 2002:a02:3308:: with SMTP id c8mr14821917jae.103.1560762912862;
 Mon, 17 Jun 2019 02:15:12 -0700 (PDT)
MIME-Version: 1.0
References: <20190614083404.20514-1-ard.biesheuvel@linaro.org>
 <20190616204419.GE923@sol.localdomain> <CAOtvUMf86_TGYLoAHWuRW0Jz2=cXbHHJnAsZhEvy6SpSp_xgOQ@mail.gmail.com>
In-Reply-To: <CAOtvUMf86_TGYLoAHWuRW0Jz2=cXbHHJnAsZhEvy6SpSp_xgOQ@mail.gmail.com>
From:   Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date:   Mon, 17 Jun 2019 11:15:01 +0200
Message-ID: <CAKv+Gu_r_WXf2y=FVYHL-T8gFSV6e4TmGkLNJ-cw6UjK_s=A=g@mail.gmail.com>
Subject: Re: [RFC PATCH 0/3] crypto: switch to shash for ESSIV generation
To:     Gilad Ben-Yossef <gilad@benyossef.com>
Cc:     Eric Biggers <ebiggers@kernel.org>,
        Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
        Herbert Xu <herbert@gondor.apana.org.au>,
        device-mapper development <dm-devel@redhat.com>,
        linux-fscrypt@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

On Mon, 17 Jun 2019 at 10:52, Gilad Ben-Yossef <gilad@benyossef.com> wrote:
>
> On Sun, Jun 16, 2019 at 11:44 PM Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > [+Cc dm-devel and linux-fscrypt]
> >
> > On Fri, Jun 14, 2019 at 10:34:01AM +0200, Ard Biesheuvel wrote:
> > > This series is presented as an RFC for a couple of reasons:
> > > - it is only build tested
> > > - it is unclear whether this is the right way to move away from the use of
> > >   bare ciphers in non-crypto code
> > > - we haven't really discussed whether moving away from the use of bare ciphers
> > >   in non-crypto code is a goal we agree on
> > >
> > > This series creates an ESSIV shash template that takes a (cipher,hash) tuple,
> > > where the digest size of the hash must be a valid key length for the cipher.
> > > The setkey() operation takes the hash of the input key, and sets into the
> > > cipher as the encryption key. Digest operations accept input up to the
> > > block size of the cipher, and perform a single block encryption operation to
> > > produce the ESSIV output.
> ...
> > I agree that moving away from bare block ciphers is generally a good idea.  For
> > fscrypt I'm fine with moving ESSIV into the crypto API, though I'm not sure a
> > shash template is the best approach.  Did you also consider making it a skcipher
> > template so that users can do e.g. "essiv(cbc(aes),sha256,aes)"?  That would
> > simplify things much more on the fscrypt side, since then all the ESSIV-related
> > code would go away entirely except for changing the string "cbc(aes)" to
> > "essiv(cbc(aes),sha256,aes)".
>
> I will also add that going the skcipher route rather than shash will
> allow hardware tfm providers like CryptoCell that can do the ESSIV
> part in hardware implement that as a single API call and/or hardware
> invocation flow.
> For those system that benefit from hardware providers this can be beneficial.
>

Ah yes, thanks for reminding me. There was some debate in the past
about this, but I don't remember the details.

I think implementing essiv() as a skcipher template is indeed going to
be the best approach, I will look into that.