Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp2366811ybi; Mon, 17 Jun 2019 03:40:19 -0700 (PDT) X-Google-Smtp-Source: APXvYqzpOwzqM+t+YJpbwG+Mn+Zl/rW/c677sppRXuBQumaTN8w3Xgb1iFJAA2dGBL5FxNcrXXNT X-Received: by 2002:a17:90a:9281:: with SMTP id n1mr24681471pjo.25.1560768019597; Mon, 17 Jun 2019 03:40:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1560768019; cv=none; d=google.com; s=arc-20160816; b=YQW6YUO8GbPJjxLMpkIkjMZbVcj+s/LEPnsQKRq1IrbxO2RJk5TOZFSGshoMiObhl3 BTHB3SHcaz+MdlRpZCc5ZHsLePNO4fdNZ5DTdnkFYkW/qWacmP3MrOTwOsTnmCZ93njK kCHxXw/Fva9fTIvBo548hYVc/jbwvzO2bDVYiPd63y0RwPk5A/F2BxZRJ6YltP4couou jdOwhvoJao6FP01A30uldZWZCu1PVm1f5ER8MbychvgtbSN1VAerBEXg4eZTpC/xls09 dCwnDqcKpv7+bUsLhJW855tdAaiazb3ap0oryFUoB8RScyT+fsT0w4ZH86FWrMTzlgbu YChg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:openpgp:from:references:cc:to:subject:dkim-signature; bh=POQUQG4MYB5xEHchrmHz7dMXS7q/nCg6auQxpiFJVc8=; b=MVV+T5eRljt++sZEgvsfPdLIktVggi8cIyin0f/2NUoBMStUxelQTHwrm2hzXTX80k YRCnHlZM78lJ9qQZo+FhMGOMBITSDpAc3F03/7mvqqBpGO/Kq5HL8lnvsX84iFKzHP8V TykaI3rJ2S5kpvPn4reDmjIGl4RAKN/JgwWACUDIoWV8qQ8VNVdJv1VI93knQ1mRa22X M9LSnl3LudoeJO9JVLyz7z4wuog4zvRNqlp5ondvr8meOrztbxaIk4XT935AD7zNXzPj nz7CyUzaSsZ1da+38BmpUX9q203PnMH7GpLEIjAm+D2jXnM40uL9wDefHhDG4rhF1fh8 37PA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=SyGcWgtg; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id y14si8833515pfr.82.2019.06.17.03.40.01; Mon, 17 Jun 2019 03:40:19 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=SyGcWgtg; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726336AbfFQKj6 (ORCPT + 99 others); Mon, 17 Jun 2019 06:39:58 -0400 Received: from mail-wr1-f67.google.com ([209.85.221.67]:42638 "EHLO mail-wr1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726091AbfFQKj6 (ORCPT ); Mon, 17 Jun 2019 06:39:58 -0400 Received: by mail-wr1-f67.google.com with SMTP id x17so9359506wrl.9; Mon, 17 Jun 2019 03:39:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:openpgp:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=POQUQG4MYB5xEHchrmHz7dMXS7q/nCg6auQxpiFJVc8=; b=SyGcWgtgdAELquNabM+nexfBqTjNd4wqDx+BMeVDp2zKguLYpfaJd8f8Tp8ZgTRDTP 5unNl9XeVCGRuzKTqNV2Jwz6s/ScWZnIBnJdmokb0nmN9i98EKKSQwJDHizG0fJPC9qK t32Jp2KHAOqlHuuPpcxVqHspzqRtT2LBwahgRL+vnPqQ9gawO/beN00XaF8N86VdiOZH 22sciINSBhtIQhUexugsvn4RMg0z+foU9cALIdOZdbcuz6z2BDYG5w3gzsAKyDjpXr+g WjJ9Pp306eDSJ7rZMj9+bMRqjSazuZk2Z/gutwnmKAxEY0viiaBAsffTNIqdsgelic5K EWjg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:openpgp:message-id :date:user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=POQUQG4MYB5xEHchrmHz7dMXS7q/nCg6auQxpiFJVc8=; b=pJbUcpkPI9sNEA72sJSYy5/Tz/WQX22hivvLIq21R4pdA940rrlZFbqQIDGTpQUQ0F L1p45cSNILNpRVD7onL8m8uxkPveXVBtCkH2/ZqrlqNZqcYRUs85HgmHqsnYp24hRlug 5PPtbR/BjyqHfeE6G2u0V7jgqxbJuG/m0UzHpFqhr84EBz7/oUvTpkapG7O6RVerwOIX H451gJfL8EGHEparuhvXcjCoblvDi6XyuqM0rsn7WqsSg/2XZzK8BHjfFF+GfrPdVixn xJhj974hjOgWuaIlrLTHwgqkIQy+SiEq1BgRTE/V1TD/uy/6W01WVbgQgr8gpuljxwff 9A7g== X-Gm-Message-State: APjAAAUwb6Kc0/TJtpAlpSBfS+ztOaB2n0y1Byy1En+4evzY/SS+099f GryoDxTqlCh0TMhBOyNei2A= X-Received: by 2002:adf:fb47:: with SMTP id c7mr39219046wrs.116.1560767995778; Mon, 17 Jun 2019 03:39:55 -0700 (PDT) Received: from [172.22.36.64] (redhat-nat.vtp.fi.muni.cz. [78.128.215.6]) by smtp.gmail.com with ESMTPSA id c11sm8392658wrs.97.2019.06.17.03.39.54 (version=TLS1_3 cipher=AEAD-AES128-GCM-SHA256 bits=128/128); Mon, 17 Jun 2019 03:39:55 -0700 (PDT) Subject: Re: [RFC PATCH 0/3] crypto: switch to shash for ESSIV generation To: Ard Biesheuvel , Gilad Ben-Yossef Cc: Eric Biggers , device-mapper development , linux-fscrypt@vger.kernel.org, Linux Crypto Mailing List , Herbert Xu References: <20190614083404.20514-1-ard.biesheuvel@linaro.org> <20190616204419.GE923@sol.localdomain> From: Milan Broz Openpgp: preference=signencrypt Message-ID: <8e58230a-cf0e-5a81-886b-6aa72a8e5265@gmail.com> Date: Mon, 17 Jun 2019 12:39:54 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On 17/06/2019 11:15, Ard Biesheuvel wrote: >> I will also add that going the skcipher route rather than shash will >> allow hardware tfm providers like CryptoCell that can do the ESSIV >> part in hardware implement that as a single API call and/or hardware >> invocation flow. >> For those system that benefit from hardware providers this can be beneficial. >> > > Ah yes, thanks for reminding me. There was some debate in the past > about this, but I don't remember the details. > > I think implementing essiv() as a skcipher template is indeed going to > be the best approach, I will look into that. For ESSIV (that is de-facto standard now), I think there is no problem to move it to crypto API. The problem is with some other IV generators in dm-crypt. Some do a lot of more work than just IV (it is hackish, it can modify data, this applies for loop AES "lmk" and compatible TrueCrypt "tcw" IV implementations). For these I would strongly say it should remain "hacked" inside dm-crypt only (it is unusable for anything else than disk encryption and should not be visible outside). Moreover, it is purely legacy code - we provide it for users can access old systems only. If you end with rewriting all IVs as templates, I think it is not a good idea. If it is only about ESSIV, and patch for dm-crypt is simple, it is a reasonable approach. (The same applies for simple dmcryp IVs like "plain" "plain64", "plain64be and "benbi" that are just linear IVs in various encoded variants.) Milan