Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp2821613ybi; Thu, 4 Jul 2019 20:15:05 -0700 (PDT) X-Google-Smtp-Source: APXvYqzYS7XewYHs9X4L8OBBrqnQL8B8iuv5EaMgAeaEN93byUWeoK3aforUCmfN+i8BoDqkQ2et X-Received: by 2002:a17:90a:21cc:: with SMTP id q70mr1786745pjc.56.1562296505212; Thu, 04 Jul 2019 20:15:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562296505; cv=none; d=google.com; s=arc-20160816; b=o2U8D8FN9UxICNZySm5GFB1Lqt+lFvy8sNVhJ4Tcu5EG2PQ5T3qjMjK+5mMaK6Mwz/ eyg7jMiFg1+0Rf9NJKrVe7LH9Hlmk0id8hv1l0eMLdM9VbNVl4P8gTAL4748CcXvoxwv khAJAbarCWeiGmblULCuNdAFnz7fnQtd6bNnS28hFzL8uc/QGOKzGHmJw6bUe2Bn9Frw wmYkisvKer9T38ENtWgJ8k4O5zZ5bhTJ+FT+g1okss/LoaGpZBef3ORdWGDTnWUVjXLs ytiOsGWbfVa7fe5EdK6YLLSmxrILCZB8r8ySEjYNjgthN0V4PY5P6nuzIVTsfb2DJhZW xPjQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=Y/uLMGxvwjZB7SsTg3MEOUlF4VtMEsKVhZXy0Z49UYg=; b=HfPWPctLV0g5zsWodZmwTIbsbRZhQFu2LONCPGC+BMHNM7DiU5Qel753A1oMZR6oFB 2OP8FW2M+AdjS3OFRvEJzME19Vs+rzmmOnHnDdu/qQe38Ei/kKuVzmdf/LKWGR3/NaOe DeDkFXUz671aX3y4gs6qtBO3jrw6AKlK0kdQvKQFINwd0n7OW+vZAM0yOgXG//Je+RSo lKUkHI+RUF4Y/ZNydQ9erTN+mAfghODOpl7/7pfcewmOk8q508JmMXrNEXu7DUq+Axy3 qrTF1r9uD7eI7imZC4PBMKFQTtEd0dFeZj9vZkyupqMUE8yoKM7K9XsRK3Ycf4w9vD+t 8lyA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h33si6404316pje.95.2019.07.04.20.14.42; Thu, 04 Jul 2019 20:15:04 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727395AbfGEDIh (ORCPT + 99 others); Thu, 4 Jul 2019 23:08:37 -0400 Received: from helcar.hmeau.com ([216.24.177.18]:51362 "EHLO deadmen.hmeau.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726404AbfGEDIh (ORCPT ); Thu, 4 Jul 2019 23:08:37 -0400 Received: from gondobar.mordor.me.apana.org.au ([192.168.128.4] helo=gondobar) by deadmen.hmeau.com with esmtps (Exim 4.89 #2 (Debian)) id 1hjEaM-0000wR-V8; Fri, 05 Jul 2019 11:08:30 +0800 Received: from herbert by gondobar with local (Exim 4.89) (envelope-from ) id 1hjEaJ-0002dk-BM; Fri, 05 Jul 2019 11:08:27 +0800 Date: Fri, 5 Jul 2019 11:08:27 +0800 From: Herbert Xu To: Ard Biesheuvel Cc: Milan Broz , Eric Biggers , device-mapper development , "open list:HARDWARE RANDOM NUMBER GENERATOR CORE" Subject: Re: [PATCH 3/3] dm-crypt: Implement eboiv - encrypted byte-offset initialization vector. Message-ID: <20190705030827.k6f7hnhxjsoxdj6b@gondor.apana.org.au> References: <20190704131033.9919-1-gmazyland@gmail.com> <20190704131033.9919-3-gmazyland@gmail.com> <7a8d13ee-2d3f-5357-48c6-37f56d7eff07@gmail.com> <4286b8f6-03b5-a8b4-4db2-35dda954e518@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: NeoMutt/20170113 (1.7.2) Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Thu, Jul 04, 2019 at 08:11:46PM +0200, Ard Biesheuvel wrote: > > To be clear, making the cipher API internal only is something that I > am proposing but hasn't been widely discussed yet. So if you make a > good argument why it is a terrible idea, I'm sure it will be taken > into account. > > The main issue is that the cipher API is suboptimal if you process > many blocks in sequence, since SIMD implementations will not be able > to amortize the cost of kernel_fpu_begin()/end(). This is something > that we might be able to fix in other ways (and a SIMD get/put > interface has already been proposed which looks suitable for this as > well) but that would still involve an API change for something that > isn't the correct abstraction in the first place in many cases. (There > are multiple implementations of ccm(aes) using cipher_encrypt_one() in > a loop, for instance, and these are not able to benefit from, e.g, > the accelerated implementation that I created for arm64, since it open > codes the CCM operations) I agree with what you guys have concluded so far. But I do have something I want to say about eboiv's implementation itself. AFAICS this is using the same key as the actual data. So why don't you combine it with the actual data when encrypting/decrypting? That is, add a block at the front of the actual data containing the little-endian byte offset and then use an IV of zero. Cheers, -- Email: Herbert Xu Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt