Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp1613915ybi;
        Thu, 20 Jun 2019 00:31:15 -0700 (PDT)
X-Google-Smtp-Source: APXvYqytABc43Ifmm4LtBu3oAINm2b12OVOoGs664zmwG7Mh0Mf/zStCditF4Qpz/38Z2sE77T1Z
X-Received: by 2002:a17:902:6947:: with SMTP id k7mr49771970plt.253.1561015875631;
        Thu, 20 Jun 2019 00:31:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1561015875; cv=none;
        d=google.com; s=arc-20160816;
        b=fFpK8FIHOvlr8kfCZEsgUaYagNPy3fXZ8paIgPJQiNU4bymsmT9whOqlDA9RSkb8t+
         a+ka9AWqmdzEodO6V9YA3b0fG3hKpidWFlZCEiwvxVefS5teydTCpBJfqN6ynrJDA/2a
         ot/zt6EOtfmaY3/OcyuxN3N/rcnu9E0Fgq3UxvOGjjX6TjJaP7Ld30qmEz7t20+EIXk8
         +AIk8lzo/49DK6XdxtekhwQWnPE1NBPZ6A4b0zIu9/JbSDcQCaG/mFApRzoD3v/wzjhS
         xwZuuaEMcBT4cH12XzKTXHRYxgiXUublNCZIi4Rx0dXmx30EBwA6pgaiIBoW/she2hiW
         u7Zw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=OleUuoLJ/awB8gj1L9pb8+s5gnreN1ERy+tmQ30S79M=;
        b=uBsjry4PQ/d8VoqWnFvuxHYvaXzDgMhLrryjlxlq7gNONNo6LULbc5nhJau+aLISIu
         c/zjopgGKKYSOxGTRZeLsPe+ouddV52hhheXVCg3LiFrHDUt9ZBiqAMcXekoyTNakBjY
         Fv0dzXD35BoJpRhj9DYgf/XpmdBZChHY4uNJFxr8MQJCFUrXiINn7Qcmz0WzvxLLqhNp
         SyzTignkftP51Q0wD7s3k5ckY/gzINb+AwEf1/rmeAWx6gO3le07aEXl5VSBNaP3pLkT
         XBveg7BOnaJT65i0TRbt0eIlVG/cjny5doK+IN2wqxWtJEj7g8rETYSBqfieDVZ+FQvd
         sgVA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=lWtjdJMb;
       spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id j14si17004484pll.251.2019.06.20.00.30.57;
        Thu, 20 Jun 2019 00:31:15 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=lWtjdJMb;
       spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1725966AbfFTHaz (ORCPT <rfc822;venktesh.bolla@gmail.com>
        + 99 others); Thu, 20 Jun 2019 03:30:55 -0400
Received: from mail-io1-f65.google.com ([209.85.166.65]:41853 "EHLO
        mail-io1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1725872AbfFTHaz (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Thu, 20 Jun 2019 03:30:55 -0400
Received: by mail-io1-f65.google.com with SMTP id w25so41247ioc.8
        for <linux-crypto@vger.kernel.org>; Thu, 20 Jun 2019 00:30:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=OleUuoLJ/awB8gj1L9pb8+s5gnreN1ERy+tmQ30S79M=;
        b=lWtjdJMbHtOsAdidtW99iwblOZlLS7lxCFi7XVqidfsGH7qb6gFm1x0hpVEwGvkQTE
         5tDjTsctDn3ekC/PM5dU94f+GluSKlyWpw+2tFfWXPsqt7+tjWXTcX1dJw0lEVWkof4v
         q/DjDDZyP4UAIn9orVK4ykzsWhVqbI00cgiyENYTxVjzaJeh/SjuDVp+NSVMXVfZABb/
         J5AyKD6eEt8PVPDQvaaSAHU0DW2LxSyrANM513LYDUJb0UPwgnHhlps9GzQLPUxnrq8J
         pPFs15Q1UoAZ5/P0dWhYH4k8qRlnHusQLDrWanqHEeOdgW8c+Zmut7QSuLy7QFAn1rVE
         MwLg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=OleUuoLJ/awB8gj1L9pb8+s5gnreN1ERy+tmQ30S79M=;
        b=HgBytyTSQtUnhtGNcd/pNLxvDQ46fYXPL1i6sqjfFmkbmkWqtgqBT6YxrYLQZeMpfE
         p3Mtwwqn59g6dqjPyEmhoBDkxIIxgPWKlVw/K6p8zhQ6MmalOH5GxRwMZB773y/SyHih
         4YBt2ZijuKMNi9eM7oVqDk9DbUIkTzbXA4wm7jGEsJH6LvH1wiZ1XbR78nZf9MNjSQNg
         k6hzn12855it4LNzz5vwckVUk6mvp9zzFGkbjIKRm66tbyPgtfjSlNGX57IIh2O+vB+C
         36KEIZHJXLRvjtXBQB2LScR77ZFRaRroPGKMWMto4e5fTX6E4zGb7/Y2WX9Pw/aZB5Dg
         J84g==
X-Gm-Message-State: APjAAAVi8ONsz/kE0xIFv0/Y2yaRWaZCt1oyj9nw6g3OVV4ibGu3//+r
        85Vvju3zxS70WeerYtDwBMsDQGugww4roG9g16l8Q7n3
X-Received: by 2002:a05:6602:98:: with SMTP id h24mr28401891iob.49.1561015854360;
 Thu, 20 Jun 2019 00:30:54 -0700 (PDT)
MIME-Version: 1.0
References: <20190619162921.12509-1-ard.biesheuvel@linaro.org>
 <20190619162921.12509-2-ard.biesheuvel@linaro.org> <20190620010417.GA722@sol.localdomain>
 <20190620011325.phmxmeqnv2o3wqtr@gondor.apana.org.au>
In-Reply-To: <20190620011325.phmxmeqnv2o3wqtr@gondor.apana.org.au>
From:   Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date:   Thu, 20 Jun 2019 09:30:41 +0200
Message-ID: <CAKv+Gu-OwzmoYR5uymSNghEVc9xbkkt5C8MxAYA48UE=yBgb5g@mail.gmail.com>
Subject: Re: [PATCH v3 1/6] crypto: essiv - create wrapper template for ESSIV generation
To:     Herbert Xu <herbert@gondor.apana.org.au>
Cc:     Eric Biggers <ebiggers@kernel.org>,
        "open list:HARDWARE RANDOM NUMBER GENERATOR CORE" 
        <linux-crypto@vger.kernel.org>,
        device-mapper development <dm-devel@redhat.com>,
        linux-fscrypt@vger.kernel.org,
        Gilad Ben-Yossef <gilad@benyossef.com>,
        Milan Broz <gmazyland@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

On Thu, 20 Jun 2019 at 03:14, Herbert Xu <herbert@gondor.apana.org.au> wrote:
>
> On Wed, Jun 19, 2019 at 06:04:17PM -0700, Eric Biggers wrote:
> >
> > > +#define ESSIV_IV_SIZE              sizeof(u64)     // IV size of the outer algo
> > > +#define MAX_INNER_IV_SIZE  16              // max IV size of inner algo
> >
> > Why does the outer algorithm declare a smaller IV size?  Shouldn't it just be
> > the same as the inner algorithm's?
>
> In general we allow outer algorithms to have distinct IV sizes
> compared to the inner algorithm.  For example, rfc4106 has a
> different IV size compared to gcm.
>
> In this case, the outer IV size is the block number so that's
> presumably why 64 bits is sufficient.  Do you forsee a case where
> we need 128-bit block numbers?
>

Indeed, the whole point of this template is that it turns a 64-bit
sector number into a n-bit IV, where n equals the block size of the
essiv cipher, and its min/max keysize covers the digest size of the
shash.

I don't think it makes sense to generalize this further, and if I
understand the feedback from Herbert and Gilad correctly, it would
even be better to define the input IV as a LE 64-bit counter
explicitly, so we can auto increment it between sectors.

But that leaves the question how to convey the sector size to the
template. Gilad suggests

essiv(cbc(aes),aes,sha256,xxx)

where xxx is the sector size, and incoming requests whose cryptlen is
an exact multiple of the sector size will have their LE counter auto
incremented between sectors. Note that we could make it optional for
now, and default to 4k, but I will at least have to parse the argument
if it is present and reject values != 4096

Is this the right approach? Or are there better ways to convey this
information when instantiating the template?
Also, it seems to me that the dm-crypt and fscrypt layers would
require major surgery in order to take advantage of this.