Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp332584ybi; Fri, 21 Jun 2019 00:07:20 -0700 (PDT) X-Google-Smtp-Source: APXvYqy0v9JS5mB49i7KGdxWdx3/x3hNXuUgZvmSGMYb27cgBf1bVqnB8ylTvpuOjIGYAbB6Z7xU X-Received: by 2002:a17:902:f204:: with SMTP id gn4mr111891914plb.3.1561100840056; Fri, 21 Jun 2019 00:07:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1561100840; cv=none; d=google.com; s=arc-20160816; b=tXPi67QmzCC24vioFevW5l2oYLsGmsCfUz7vmxypt/Mc//3jid808vN6c+e5/710W8 V8HSGJSKV7RAQxfEQSf4BoAMSFxOu5OAs4iLioU4saXel3PDqHTy3B6+PkXg3r4AX2dg YFIKLMRIL9SjcME6dVrh03GPO4NhnbIciinjj3SYc1NGI27eCF4T0Gxn3mPwwAeKO2yQ w+ImyzRxk0akZ9AffIvQD3anKKpJeju+1fzURLBTFyMHXdkqPS9ZkL62l+/uUdUY1tgL jyLjUzt1tl0rxWYV89SPwegevVS4WAl48LywWcXHjQQBanX3HOUnroIVh7xOfoW5bl8Q HjIA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=M+ipu44bRUM/fC2jb/sLHPlE7YLX58quUWlKDNfCZgo=; b=C/Lc/I0PEIvlO9ekSrIbqoJGVS/9Nw4tN9jhUeYuN9opyEchbs6YgkxjHpqEKgzzLk WOtTbCwkFT+Ak5LJV9GdUxg54DmfgZlxx3CEMCC7ThhWoFLzE2Y3fpdYkZ1xuaMa6RgI JNK++dJV/6p1wv2KZmlwcfGUsPOsWQtVOOKCTvvaGt+H3fb1ogFGrmZdAwjh1/5xFnNh opWnhdWZJiPn7Acg73Dd5QXlFJIx45hnsK46dZU85M1/P3yOVmYKflbKxoPV45UxG5R0 l7f0P09ropzdy66ZeC/9kiGm7YbvaManbZ3m4urmz0C1SBdEMg0CJIK5McllkTpBF8r6 x8yQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=xrfqfzE3; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id ch14si1989097plb.44.2019.06.21.00.07.06; Fri, 21 Jun 2019 00:07:20 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=xrfqfzE3; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726311AbfFUHGd (ORCPT + 99 others); Fri, 21 Jun 2019 03:06:33 -0400 Received: from mail-io1-f66.google.com ([209.85.166.66]:43821 "EHLO mail-io1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726027AbfFUHGd (ORCPT ); Fri, 21 Jun 2019 03:06:33 -0400 Received: by mail-io1-f66.google.com with SMTP id k20so704853ios.10 for ; Fri, 21 Jun 2019 00:06:33 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=M+ipu44bRUM/fC2jb/sLHPlE7YLX58quUWlKDNfCZgo=; b=xrfqfzE36e7CEm7bA18IJhpxy273utoadSKj3s++FOJM88tNE2GFyT5oj4zrUMcMV+ dzK9INeaOjY4nIlRbawaFnt9Bkhn+WU8rEOSi1GtjNFHGXxitO+uzNCvsmmrwpIGSI9B Z4QcNQzmwr3H21SMGcIZKkBdJDYIHmT66iuppXGKlRsO9xL/Z151AlKIxv99kpYTEZKH n3ITIF6nkFPX7zxnmkKqL7hk+7LjLoWr359Z0zeyh22McgUKWk3B3lP65L0uLV+Jkdxu sEjedU3TfLQjQ/4XLYlP39mDNfu0CF9OLRwoXeRky2pGslk9fe9jOB37fI+QkgPJcUys JIoA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=M+ipu44bRUM/fC2jb/sLHPlE7YLX58quUWlKDNfCZgo=; b=WyixE2h9H2uUq+76ot4/oXA54zBaHYhL4f2y3QZQNiMJANgAdYJN+gInGVV1Y295JE vlJiCY1bncRxvLZRVvhG7hI9tNF3zn9rjeg5iaW8AW0GPJ86Rl22RinWNMqy2fOVbQOo c4TFlVEOX+GOeLvGWf+61vkM+dxp+XOfR7o/2UHfnZ+lVX91eqn5xXJQCNAzCjcVeJm2 f+gD0Qk95I842rqnP8Ijezg1WN0N9GsE/09AGdV+7LbQKCj+ACsznQ9NuRX+go61jXC8 1NGmVVt7qX1KraHwLBe0KhybOQxtpSbJ2KtHULMwIFPwk5MMZ3PTqUqXv0NGe/G4TvYE HHYw== X-Gm-Message-State: APjAAAWyAQgoXmuWJrjazSxWs0/azsHgkUdpQjyn0a60EvlvIEce6JoB neAoIN57Wj94lDpnAB3K/jImaRBZ36Kz8bbNIPy3hQ== X-Received: by 2002:a02:5a89:: with SMTP id v131mr19144017jaa.130.1561100792521; Fri, 21 Jun 2019 00:06:32 -0700 (PDT) MIME-Version: 1.0 References: <20190619162921.12509-1-ard.biesheuvel@linaro.org> <459f5760-3a1c-719d-2b44-824ba6283dd7@gmail.com> <075cddec-1603-4a23-17c4-c766b4bd9086@gmail.com> <6a45dfa5-e383-d8a3-ebf1-abdc43c95ebd@gmail.com> In-Reply-To: From: Ard Biesheuvel Date: Fri, 21 Jun 2019 09:06:20 +0200 Message-ID: Subject: Re: [PATCH v3 0/6] crypto: switch to crypto API for ESSIV generation To: Milan Broz Cc: "open list:HARDWARE RANDOM NUMBER GENERATOR CORE" , Herbert Xu , Eric Biggers , device-mapper development , linux-fscrypt@vger.kernel.org, Gilad Ben-Yossef Content-Type: text/plain; charset="UTF-8" Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Fri, 21 Jun 2019 at 09:01, Milan Broz wrote: > > On 20/06/2019 15:52, Ard Biesheuvel wrote: > >>>> Does this include configurations that combine authenc with essiv? > >>> > >>> Hm, seems that we are missing these in luks2-integrity-test. I'll add them there. > >>> > >>> I also used this older test > >>> https://gitlab.com/omos/dm-crypt-test-scripts/blob/master/root/test_dmintegrity.sh > >>> > >>> (just aes-gcm-random need to be commented out, we never supported this format, it was > >>> written for some devel version) > >>> > >>> But seems ESSIV is there tested only without AEAD composition... > >>> > >>> So yes, this AEAD part need more testing. > >> > >> And unfortunately it does not work - it returns EIO on sectors where it should not be data corruption. > >> > >> I added few lines with length-preserving mode with ESSIV + AEAD, please could you run luks2-integrity-test > >> in cryptsetup upstream? > >> > >> This patch adds the tests: > >> https://gitlab.com/cryptsetup/cryptsetup/commit/4c74ff5e5ae328cb61b44bf99f98d08ffee3366a > >> > >> It is ok on mainline kernel, fails with the patchset: > >> > >> # ./luks2-integrity-test > >> [aes-cbc-essiv:sha256:hmac-sha256:128:512][FORMAT][ACTIVATE]sha256sum: /dev/mapper/dmi_test: Input/output error > >> [FAIL] > >> Expecting ee501705a084cd0ab6f4a28014bcf62b8bfa3434de00b82743c50b3abf06232c got . > >> > >> FAILED backtrace: > >> 77 ./luks2-integrity-test > >> 112 intformat ./luks2-integrity-test > >> 127 main ./luks2-integrity-test > >> > > > > OK, I will investigate. > > > > I did my testing in a VM using a volume that was created using a > > distro kernel, and mounted and used it using a kernel with these > > changes applied. > > > > Likewise, if I take a working key.img and mode-test.img, i can mount > > it and use it on the system running these patches. > > > > I noticed that this test uses algif_skcipher not algif_aead when it > > formats the volume, and so I wonder if the way userland creates the > > image is affected by this? > > Not sure if I understand the question, but I do not think userspace even touch data area here > (except direct-io wiping after the format, but it does not read it back). > > It only encrypts keyslots - and here we cannot use AEAD (in fact it is already > authenticated by a LUKS digest). > > So if the data area uses AEAD (or composition of length-preserving mode and > some authentication tag like HMAC), we fallback to non-AEAD for keyslot encryption. > > In short, to test it, you need to activate device (that works ok with your patches) > and *access* the data, testing LUKS format and just keyslot access will never use AEAD. > > So init the data by direct-io writes, and try to read them back (with dd). > > For testing data on dm-integrity (or dm-crypt with AEAD encryption stacked oved dm-integrity) > I used small utility, maybe it could be useful https://github.com/mbroz/dm_int_tools > Thanks. It appears that my code generates the wrong authentication tags on encryption, but on decryption it works fine. I'll keep digging ...