Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp1959341ybi;
        Thu, 20 Jun 2019 06:53:04 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxLgLVAonIHgBvM7DagIST2C0Ujyfgq7oYPVcO189DJcX5owQnFozMy2mggI8Zh0z2flFJf
X-Received: by 2002:a63:2a0f:: with SMTP id q15mr13242930pgq.163.1561038783943;
        Thu, 20 Jun 2019 06:53:03 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1561038783; cv=none;
        d=google.com; s=arc-20160816;
        b=TMXYxoQMihsq08z0o5nlCgqKa9aDCX/tho0sriZhRjDigInqfgbjpk21yi2pHDZsGC
         RIbiwq0rWwAPnTYkENrKPErTa2Ba2bFp0mrW7IW4tPfhTH9zbmeD5f5Iw6sMWldOrlI6
         AKwCoOugibJ9VyaDqktplBRSFdTCRPToALjFtv0b8noWbvxAxRldXdL9le3S8q/38M/o
         FS702fRwlWeGlwyzqP5k+fjeE7WQgTWowONdlJ9N+8j1qXCadCZ6/yVTlU75+kCHsB8i
         w+aWCSoxPbRPfdQaMFRcQteBAHNNM++er1O6OuiwVZ/uo94NLQ8sOhUqPAmGVA0+77fE
         2TIw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=dPlo4ROIMQa8sOuaoqIkOQSj3Mcwb4w4V3cG/vc+vQA=;
        b=n5nNTOBLAE+jm/nL1g0Kh0K5C5w+GwJXTClSavTKirAwRUvpjuTh5YnvuUMz00qBCa
         fMCF5VqV/3+NGrJX/j2Kqhny3+4by9U0dCAoZSsGcOCN/5DyB8jP5V8H9SvY25Zm0zEr
         wNbwjRo9DRKUHfKA7puSsEvTY+i2wyST7MMfTfZBKnNTBXj6ypLTAjBGWHgMauptvNz1
         bu3GbILv8egSn3OPS3mEoysaRArxo9Lv5KBXYOWzaH0jWWjJ4kmsEipn/A7tUGEdnE85
         1qLS4VqTTIxTA64T7gAHeo2ANqn8Yhr0MMpPaGwz5ozrqntmEua2Sc+xN7+nI/dF54dC
         4tfA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=lxhbTNJh;
       spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id w184si20610857pfw.271.2019.06.20.06.52.47;
        Thu, 20 Jun 2019 06:53:03 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=lxhbTNJh;
       spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726582AbfFTNwn (ORCPT <rfc822;venktesh.bolla@gmail.com>
        + 99 others); Thu, 20 Jun 2019 09:52:43 -0400
Received: from mail-io1-f67.google.com ([209.85.166.67]:44483 "EHLO
        mail-io1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726620AbfFTNwn (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Thu, 20 Jun 2019 09:52:43 -0400
Received: by mail-io1-f67.google.com with SMTP id s7so591041iob.11
        for <linux-crypto@vger.kernel.org>; Thu, 20 Jun 2019 06:52:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=dPlo4ROIMQa8sOuaoqIkOQSj3Mcwb4w4V3cG/vc+vQA=;
        b=lxhbTNJhQFHk5Nh49O6lU3dP3+kNBGjoiUV/BmQODg1LQ9Ub0dY++pcl+pEuFGqFrT
         EzzKvo6ufBm/yDlmslfhMxaC6tBCVVuhFtRoZJ2+/uexU7u3Dpw/5JikDj7jbU4h+0vG
         oxm+FB1xxsa00eBmMG6HfGBDgYCY76whWDcTY1+7Dbp7jtNOL0a/VLmwhvraGWbEnYXh
         V+ZRKzeFMi7E5UQ0zNGA6KFdYevZbtBXc4htEE9IXNtQMYreaMAQ17xo2wkT5wJotxy+
         UMVM93Is2GOBTuQTLDk1cKc+cGEIAmgePwFuaFNU9Lw+zlkalRvhmXBXLTjbzwo77HJV
         mlGA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=dPlo4ROIMQa8sOuaoqIkOQSj3Mcwb4w4V3cG/vc+vQA=;
        b=lfk3+14/iAQcDpUHVSYs1q/E0vLJ1637yeJk/Q5Cmk6rNKDrppNmGE2Rbo+NOUbSoL
         jax2YbsgZHRkqxQGAukkzDMgkI8O6TuLBkYaE0xbpXS8hnLR5C6M6SQHAQU3Az0xjMiV
         SfG/aXaFscKnudoZu65sOHr3T1VM5XGugbpjc/rVk2pM9UFeXomE2eqaBoqIXKCjdOuE
         GONyS8tV1haz9+axVkIzxE/1MjyqWMfmvi/CCWiHq0Bjku5g3EVBkmeILb1Bsw5XDV+5
         HKy6o+Y1wbfNLUo318IVG2SNnNhee+pfS76aqRKjopFRt9CgNEMz7dVAK3qvgd9k7zkS
         yr9A==
X-Gm-Message-State: APjAAAVUOysc5kJhka1HEcJ3RMniqe0O7J2/b9N8O8vKZvhY0CCf6Xdy
        ccZ9PQBgcNds+zEfkvjwHxiwu6QZAOSLfmnwWedIr3iGT9g=
X-Received: by 2002:a5d:9d97:: with SMTP id 23mr18882540ion.204.1561038762005;
 Thu, 20 Jun 2019 06:52:42 -0700 (PDT)
MIME-Version: 1.0
References: <20190619162921.12509-1-ard.biesheuvel@linaro.org>
 <459f5760-3a1c-719d-2b44-824ba6283dd7@gmail.com> <CAKv+Gu9jk8KxWykTcKeh6k0HUb47wgx7iZYuwwN8AUyErFLXxA@mail.gmail.com>
 <075cddec-1603-4a23-17c4-c766b4bd9086@gmail.com> <6a45dfa5-e383-d8a3-ebf1-abdc43c95ebd@gmail.com>
In-Reply-To: <6a45dfa5-e383-d8a3-ebf1-abdc43c95ebd@gmail.com>
From:   Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date:   Thu, 20 Jun 2019 15:52:30 +0200
Message-ID: <CAKv+Gu-ZETNJh2VzUkpbQUmYv6Zqb7nVj91bxuxKoNAJwgON=w@mail.gmail.com>
Subject: Re: [PATCH v3 0/6] crypto: switch to crypto API for ESSIV generation
To:     Milan Broz <gmazyland@gmail.com>
Cc:     "open list:HARDWARE RANDOM NUMBER GENERATOR CORE" 
        <linux-crypto@vger.kernel.org>,
        Herbert Xu <herbert@gondor.apana.org.au>,
        Eric Biggers <ebiggers@google.com>,
        device-mapper development <dm-devel@redhat.com>,
        linux-fscrypt@vger.kernel.org,
        Gilad Ben-Yossef <gilad@benyossef.com>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

On Thu, 20 Jun 2019 at 15:14, Milan Broz <gmazyland@gmail.com> wrote:
>
> On 20/06/2019 14:09, Milan Broz wrote:
> > On 20/06/2019 13:54, Ard Biesheuvel wrote:
> >> On Thu, 20 Jun 2019 at 13:22, Milan Broz <gmazyland@gmail.com> wrote:
> >>>
> >>> On 19/06/2019 18:29, Ard Biesheuvel wrote:
> >>>> This series creates an ESSIV template that produces a skcipher or AEAD
> >>>> transform based on a tuple of the form '<skcipher>,<cipher>,<shash>'
> >>>> (or '<aead>,<cipher>,<shash>' for the AEAD case). It exposes the
> >>>> encapsulated sync or async skcipher/aead by passing through all operations,
> >>>> while using the cipher/shash pair to transform the input IV into an ESSIV
> >>>> output IV.
> >>>>
> >>>> This matches what both users of ESSIV in the kernel do, and so it is proposed
> >>>> as a replacement for those, in patches #2 and #4.
> >>>>
> >>>> This code has been tested using the fscrypt test suggested by Eric
> >>>> (generic/549), as well as the mode-test script suggested by Milan for
> >>>> the dm-crypt case. I also tested the aead case in a virtual machine,
> >>>> but it definitely needs some wider testing from the dm-crypt experts.
> >>>>
> >>>> Changes since v2:
> >>>> - fixed a couple of bugs that snuck in after I'd done the bulk of my
> >>>>   testing
> >>>> - some cosmetic tweaks to the ESSIV template skcipher setkey function
> >>>>   to align it with the aead one
> >>>> - add a test case for essiv(cbc(aes),aes,sha256)
> >>>> - add an accelerated implementation for arm64 that combines the IV
> >>>>   derivation and the actual en/decryption in a single asm routine
> >>>
> >>> I run tests for the whole patchset, including some older scripts and seems
> >>> it works for dm-crypt now.
> >>>
> >>
> >> Thanks Milan, that is really helpful.
> >>
> >> Does this include configurations that combine authenc with essiv?
> >
> > Hm, seems that we are missing these in luks2-integrity-test. I'll add them there.
> >
> > I also used this older test
> > https://gitlab.com/omos/dm-crypt-test-scripts/blob/master/root/test_dmintegrity.sh
> >
> > (just aes-gcm-random need to be commented out, we never supported this format, it was
> > written for some devel version)
> >
> > But seems ESSIV is there tested only without AEAD composition...
> >
> > So yes, this AEAD part need more testing.
>
> And unfortunately it does not work - it returns EIO on sectors where it should not be data corruption.
>
> I added few lines with length-preserving mode with ESSIV + AEAD, please could you run luks2-integrity-test
> in cryptsetup upstream?
>
> This patch adds the tests:
> https://gitlab.com/cryptsetup/cryptsetup/commit/4c74ff5e5ae328cb61b44bf99f98d08ffee3366a
>
> It is ok on mainline kernel, fails with the patchset:
>
> # ./luks2-integrity-test
> [aes-cbc-essiv:sha256:hmac-sha256:128:512][FORMAT][ACTIVATE]sha256sum: /dev/mapper/dmi_test: Input/output error
> [FAIL]
>  Expecting ee501705a084cd0ab6f4a28014bcf62b8bfa3434de00b82743c50b3abf06232c got .
>
> FAILED backtrace:
> 77 ./luks2-integrity-test
> 112 intformat ./luks2-integrity-test
> 127 main ./luks2-integrity-test
>

OK, I will investigate.

I did my testing in a VM using a volume that was created using a
distro kernel, and mounted and used it using a kernel with these
changes applied.

Likewise, if I take a working key.img and mode-test.img, i can mount
it and use it on the system running these patches.

I noticed that this test uses algif_skcipher not algif_aead when it
formats the volume, and so I wonder if the way userland creates the
image is affected by this?