Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp2559997ybl; Sun, 11 Aug 2019 04:15:55 -0700 (PDT) X-Google-Smtp-Source: APXvYqz68fZqJhDccGE+p8qF+xyBRJQtCqnYU5IMieSNo86CVTRt2yrx706zbwwOVQtpipCkLLas X-Received: by 2002:a65:4341:: with SMTP id k1mr25742873pgq.153.1565522155314; Sun, 11 Aug 2019 04:15:55 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1565522155; cv=none; d=google.com; s=arc-20160816; b=OUDmXnl2Be/k/Cm2SPiIFeGMoD+2b3X+xOk9dfW5/0GTdFAiKHfsYJzNXYmGgYJeou AOpA3jHyyeUF4xAJiVWq+gZIDjVxNMyLwY/GTQh4YOnCPgEixTlW0AGYXDcTZjd0j0C8 +0NaV6XzJuU/6jdBgo1Av2Cx/xgqUddESZmjruvSw1pTsYhik+P7pehv/KGcXQOk0ivF gLcqimc0n441xLe/qOAPhSaOgZuJYN6MttpBoaFZzvLt+i2PKNB8kgFVQBUGN+hgOeRJ 3QERJ9iYeylnnhzeddmxNP+cgDeR+aJQQFmpKYXVwEY7u4H0RDWQccQ3yvrhJuGxumyW 4jNw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:openpgp:from:references:cc:to:subject:dkim-signature; bh=mPou2l6/6d60x+ugqGKrLJjTouLAr6zsgM8Vh/aSpGE=; b=u5soWJl7eopIZ/YhciNiSzfHFgrti12jLOhOzx6w3zoG/r85YTckj35sXmT2W49Yn8 EckbjTLIe6cRZZnccqWQIqSpvKoI9deUVx63DyCy6wz374wAzHD7NcrooPSfNu6evQf1 Un/15m/HuozSZbcJdsJlZj1KtxFoNoQ9IUadxhE9Krp5rDystGb6AraCUXMnaIzFgIPs RU/1JA/7yEbEbIyEA+Pe5vVOqPOjm4NS6e73lo9HZZVAuTux2XRsNAJ8TTx1tWg85pmT yoUSwEEs/kQoXybTF2KcCPufjNuKFZHm6xTFD8C3Dhq562KlyrqHH9GOqtk5vSnCWb1L mG1w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=HDRvEENe; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id v11si747421pfe.163.2019.08.11.04.15.27; Sun, 11 Aug 2019 04:15:55 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=HDRvEENe; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725855AbfHKLNB (ORCPT + 99 others); Sun, 11 Aug 2019 07:13:01 -0400 Received: from mail-wm1-f41.google.com ([209.85.128.41]:32821 "EHLO mail-wm1-f41.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725826AbfHKLNB (ORCPT ); Sun, 11 Aug 2019 07:13:01 -0400 Received: by mail-wm1-f41.google.com with SMTP id p77so9073092wme.0 for ; Sun, 11 Aug 2019 04:12:59 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:openpgp:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=mPou2l6/6d60x+ugqGKrLJjTouLAr6zsgM8Vh/aSpGE=; b=HDRvEENewEc/2utj964O4FhxALvIRbSd3HAt4ypNU1kJb95B10i61kWpID7R8o25SJ pKzBz7A1uVR+linBP7DId3tDeDSuX1CkpqhlJPikMGxMbiG4CaE/iFDkDJZ021e9CfOW CnjVzgOE+lUVAztuA4vKxcYAK7jnzWePOWFsb4UTbkMtq6nFxjBGyFpZtFHPyGZN6Gyo pBWcSmZVN0m/eOaaYlBqfPq+ROFznOFMjNNeMzf1tX2etiNWjcRyQpMzCqw9M5aVpfOM gcrs70cJVy9NfKweFeD5sthiXfhd/ZBPtxcwT1OucPC5Isgx6TxjG5QsEpsytwQPng61 hFqw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:openpgp:message-id :date:user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=mPou2l6/6d60x+ugqGKrLJjTouLAr6zsgM8Vh/aSpGE=; b=IfurRUt4dJ3rAqmdlo5J4hj1VWIDoF2HCN9Sptt6IG3oB2badMJYkokbuOHSYd495H i3uhGna9T1Sjxeq3ivqIcUqUBnJLlnqN+3yIaAgAp6bJQnkJimczVr9jPAX7AHYqABRJ VAeLJxHtgS6L54hs5PBeUmzwqFuAgZx1R4ri3R5edFh8PePQDG7PRgXNQL+zydpi5ZjC z4QsAbhAyq2Bdm8th8fBokiCkM2oweSuVvdaMBtk2pWtJPndLAgGjsQpWhv2uRYasuSX k878jX/SVf7NQYLHqp2bb5DpmrcgwwJOusjVx/+7c+Xe0ckGz9Il7HGX+BEv49S7UKdk dOhg== X-Gm-Message-State: APjAAAWoIchco8dhQBsY0WyAQkvI7K9FT6VEZsmclQNvEJTDdyA3jZP3 4NxontGnz/Y/ycUv/oSjnz0tLDD6 X-Received: by 2002:a7b:ce1a:: with SMTP id m26mr15860345wmc.60.1565521978713; Sun, 11 Aug 2019 04:12:58 -0700 (PDT) Received: from [192.168.8.101] (37-48-59-8.nat.epc.tmcz.cz. [37.48.59.8]) by smtp.gmail.com with ESMTPSA id x20sm9980012wmc.1.2019.08.11.04.12.57 (version=TLS1_3 cipher=AEAD-AES128-GCM-SHA256 bits=128/128); Sun, 11 Aug 2019 04:12:58 -0700 (PDT) Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing support To: Ard Biesheuvel , Pascal Van Leeuwen Cc: Horia Geanta , Herbert Xu , "dm-devel@redhat.com" , "linux-crypto@vger.kernel.org" References: <20f4832e-e3af-e3c2-d946-13bf8c367a60@nxp.com> <20190809024821.GA7186@gondor.apana.org.au> From: Milan Broz Openpgp: preference=signencrypt Message-ID: Date: Sun, 11 Aug 2019 13:12:56 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On 10/08/2019 06:39, Ard Biesheuvel wrote: > Truncated IVs are a huge issue, since we already expose the correct > API via AF_ALG (without any restrictions on how many of the IV bits > are populated), and apparently, if your AF_ALG request for xts(aes) > happens to be fulfilled by the CAAM driver and your implementation > uses more than 64 bits for the IV, the top bits get truncated silently > and your data might get eaten. Actually, I think we have already serious problem with in in kernel (no AF_ALG needed). I do not have the hardware, but please could you check that dm-crypt big-endian IV (plain64be) produces the same output on CAAM? It is 64bit IV, but big-endian and we use size of cipher block (16bytes) here, so the first 8 bytes are zero in this case. I would expect data corruption in comparison to generic implementation, if it supports only the first 64bit... Try this: # create small null device of 8 sectors, we use zeroes as fixed ciphertext dmsetup create zero --table "0 8 zero" # create crypt device on top of it (with some key), using plain64be IV dmsetup create crypt --table "0 8 crypt aes-xts-plain64be e8cfa3dbfe373b536be43c5637387786c01be00ba5f730aacb039e86f3eb72f3 0 /dev/mapper/zero 0" # and compare it with and without your driver, this is what I get here: # sha256sum /dev/mapper/crypt 532f71198d0d84d823b8e410738c6f43bc3e149d844dd6d37fa5b36d150501e1 /dev/mapper/crypt # dmsetup remove crypt You can try little-endian version (plain64), this should always work even with CAAM dmsetup create crypt --table "0 8 crypt aes-xts-plain64 e8cfa3dbfe373b536be43c5637387786c01be00ba5f730aacb039e86f3eb72f3 0 /dev/mapper/zero 0" # sha256sum /dev/mapper/crypt f17abd27dedee4e539758eabdb6c15fa619464b509cf55f16433e6a25da42857 /dev/mapper/crypt # dmsetup remove crypt # dmsetup remove zero If you get different plaintext in the first case, your driver is actually creating data corruption in this configuration and it should be fixed! (Only the first sector must be the same, because it has IV == 0.) Milan p.s. If you ask why we have this IV, it was added per request to allow map some chipset-based encrypted drives directly. I guess it is used for some data forensic things.