Received: by 2002:a25:8b12:0:0:0:0:0 with SMTP id i18csp3021415ybl; Sun, 11 Aug 2019 13:35:20 -0700 (PDT) X-Google-Smtp-Source: APXvYqyUve2ivW4yWBjwP6ihgMqYgCzlvdIYx85XhMUbQ0bI2JbpK1MwnnZkxX89o2BBEYyxJv6y X-Received: by 2002:a17:902:20c2:: with SMTP id v2mr17699305plg.209.1565555720636; Sun, 11 Aug 2019 13:35:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1565555720; cv=none; d=google.com; s=arc-20160816; b=qbJbXJjBqeLMVxXxTLJm7La0X3qqC9mzjLPg9VDW45l+iVKapuzrDlVDHD+72Ey53a ZXf7glG0EHfyDYfGixw2S8XmlJ9ISAbNcyukApk08wOUpnMi9ghdh+sNBGsk9w5/O6eS FzY8Fr76HmAy1kYu7JKe8w7eEULCxHutvpbaNKlmtymuESQ1XpQN3dutmuiUhcFWHAly LzwBYucp0oPJ4GlK3xL4xY93cPqhnRfga1Xjm315sAyjJWobMdAvnuwwrbIdgfj4jZ2Z ISYQsM07WUHIhWA9tgmXiOEy9FmaFnbxD8IAGLxH4dRB33Tf1f/I+2M2WM0wI0Dmwuj4 PmVw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:mail-followup-to :message-id:subject:cc:to:from:date:dkim-signature; bh=eIWhqVfFtH2so3YmQ3ou6169hUUdcedEV0HaLeneSD8=; b=dcudKejySlTivi3ideo214rKkTHQSyPYHVC0Zj93kEKFKDDcGFBXUCDx36vbbKIJzH ZCL20gcqPdZb9LgDAw5ja59SHi7U2IRiiJFLXjuXmrGns4vFa8mHBtmY+QNI/5tMiER4 C961WzmJOITglJLxvqf2icKLij3LuJn2A8MNwhUp7ScNEzyEW9f2eCS25oBa5JeFc2Ge FyycrvWJaVoIx4fH7UWzj4iazbFwIZ5+ND52n76yUH0HsA0fltXpzVoONYhhimD2Bezs hDpLENPq+r6XzN1IMsPujj4SooMKI5INlDhs/gKK9tTHZfPN+kg9hYhFlXHbMCV6J8MI v5zw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=CLvhhSDa; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p186si48464628pgp.373.2019.08.11.13.34.57; Sun, 11 Aug 2019 13:35:20 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=CLvhhSDa; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726275AbfHKUeS (ORCPT + 99 others); Sun, 11 Aug 2019 16:34:18 -0400 Received: from mail.kernel.org ([198.145.29.99]:46266 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726164AbfHKUeS (ORCPT ); Sun, 11 Aug 2019 16:34:18 -0400 Received: from sol.localdomain (c-24-5-143-220.hsd1.ca.comcast.net [24.5.143.220]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 2C18A208C2; Sun, 11 Aug 2019 20:34:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1565555657; bh=zyT1J9izO43wde10EowpdqxvCnXXhgr2NVZbukgkcUo=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=CLvhhSDarI/wDRTxJuVwt9RYXfG91H1jVia5EHiciPqlZrpDff5/3dIF5Vro1oy4D 4ycK+28p68QG45ykghs3CbBKNIGCwJ3US7HezFXecIzfoKNjVnhLmIKtWOR/rpYvI8 7v+1eAUDjJR4y3eo0+hdtKwcXSm0bIj17z/f44Ao= Date: Sun, 11 Aug 2019 13:34:06 -0700 From: Eric Biggers To: Milan Broz Cc: Ard Biesheuvel , Pascal Van Leeuwen , "dm-devel@redhat.com" , Herbert Xu , Horia Geanta , "linux-crypto@vger.kernel.org" Subject: Re: [dm-devel] xts fuzz testing and lack of ciphertext stealing support Message-ID: <20190811203406.GA17421@sol.localdomain> Mail-Followup-To: Milan Broz , Ard Biesheuvel , Pascal Van Leeuwen , "dm-devel@redhat.com" , Herbert Xu , Horia Geanta , "linux-crypto@vger.kernel.org" References: <20190809024821.GA7186@gondor.apana.org.au> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.12.1 (2019-06-15) Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Sun, Aug 11, 2019 at 01:12:56PM +0200, Milan Broz wrote: > On 10/08/2019 06:39, Ard Biesheuvel wrote: > > Truncated IVs are a huge issue, since we already expose the correct > > API via AF_ALG (without any restrictions on how many of the IV bits > > are populated), and apparently, if your AF_ALG request for xts(aes) > > happens to be fulfilled by the CAAM driver and your implementation > > uses more than 64 bits for the IV, the top bits get truncated silently > > and your data might get eaten. > > Actually, I think we have already serious problem with in in kernel (no AF_ALG needed). > > I do not have the hardware, but please could you check that dm-crypt big-endian IV > (plain64be) produces the same output on CAAM? > > It is 64bit IV, but big-endian and we use size of cipher block (16bytes) here, > so the first 8 bytes are zero in this case. > > I would expect data corruption in comparison to generic implementation, > if it supports only the first 64bit... > > Try this: > > # create small null device of 8 sectors, we use zeroes as fixed ciphertext > dmsetup create zero --table "0 8 zero" > > # create crypt device on top of it (with some key), using plain64be IV > dmsetup create crypt --table "0 8 crypt aes-xts-plain64be e8cfa3dbfe373b536be43c5637387786c01be00ba5f730aacb039e86f3eb72f3 0 /dev/mapper/zero 0" > > # and compare it with and without your driver, this is what I get here: > # sha256sum /dev/mapper/crypt > 532f71198d0d84d823b8e410738c6f43bc3e149d844dd6d37fa5b36d150501e1 /dev/mapper/crypt > # dmsetup remove crypt > > You can try little-endian version (plain64), this should always work even with CAAM > dmsetup create crypt --table "0 8 crypt aes-xts-plain64 e8cfa3dbfe373b536be43c5637387786c01be00ba5f730aacb039e86f3eb72f3 0 /dev/mapper/zero 0" > > # sha256sum /dev/mapper/crypt > f17abd27dedee4e539758eabdb6c15fa619464b509cf55f16433e6a25da42857 /dev/mapper/crypt > # dmsetup remove crypt > > # dmsetup remove zero > > > If you get different plaintext in the first case, your driver is actually creating > data corruption in this configuration and it should be fixed! > (Only the first sector must be the same, because it has IV == 0.) > > Milan > > p.s. > If you ask why we have this IV, it was added per request to allow map some chipset-based > encrypted drives directly. I guess it is used for some data forensic things. > Also, if the CAAM driver is really truncating the IV for "xts(aes)", it should already be failing the extra crypto self-tests, since the fuzz testing in test_skcipher_vs_generic_impl() uses random IVs. - Eric