Received: by 2002:a05:6a10:af89:0:0:0:0 with SMTP id iu9csp1699250pxb; Wed, 12 Jan 2022 22:59:08 -0800 (PST) X-Google-Smtp-Source: ABdhPJwb1+wwbBGcroHvRu19eT3jTKEBCF4w0zGo2sNjEDTkVbXNRS14cZom0mIEV+6gCYycwq8h X-Received: by 2002:a05:6402:4387:: with SMTP id o7mr3006005edc.266.1642057147889; Wed, 12 Jan 2022 22:59:07 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1642057147; cv=none; d=google.com; s=arc-20160816; b=Pf8SyHHPPJfPEMV12bBryf3nRLicCYUv3pN/Szvv+2bT9jEBueaHbF1c8xqsAua+/j 6emJTFhL3MjVPWBG30FKQU0SQBZgct0GpPjdpkwLpifSwC42egpBW8igT3y9MU6/qWwg bqdtZQXNF59h3KeYYCSlsQ8OyAxzgvg6N7kZ1msv0+fMFsuEgiPA/lj93boDNLEWXenN mR3lQDbDhKca1LMXKA54n4j3h9NZiXQuv6m2K7I6rXC7s7L+A8tInA8Sd/8BGBva32Nf IgBCyeW9cbZYG4tDZXqXEDLXdrcqJYV2RDtszCyCrJsZThZrW0S+J1ywJboGRbIDspyw XE2w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=m18no3eU9YHeOBJ70PLazPrqlrGWJoUY+UtRV0RJfnE=; b=Y+TTHiDkXjhqjRhENTQ9EgpCEvOcMzqYsS32gLgb7k+09pcmFleesCdp3z5YchnHb9 WSgZmfgn0EcVRaMIu7qJbcUB/6tbxA6WslN9LP4pU8hFN2+geDLWyGz3OYiIyLFcO5Mv xKIsxLV3OBZTazrr3TF3mlCXjFaIN/MT/kS3PBieJsTd7QIwtiKOSOWJm86MNUeMknP9 nh+uNDTbZoyyPwm1sPVKUwTdpNJcZdT78Omd8z09DH5SItby4zbZxBcYourmrrwFNLqe kgX2VOum4e37XQ9a0Y81bFOX5rM99nWJHZZTQ3YlbTTE69TabgkMuhw3sXqdOK+BllF2 5UCQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=UmuUGXve; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t9si1290731edd.213.2022.01.12.22.57.57; Wed, 12 Jan 2022 22:59:07 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=UmuUGXve; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231345AbiAMBd5 (ORCPT + 99 others); Wed, 12 Jan 2022 20:33:57 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58722 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231324AbiAMBd4 (ORCPT ); Wed, 12 Jan 2022 20:33:56 -0500 Received: from mail-pl1-x635.google.com (mail-pl1-x635.google.com [IPv6:2607:f8b0:4864:20::635]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 9A9CCC06173F; Wed, 12 Jan 2022 17:33:56 -0800 (PST) Received: by mail-pl1-x635.google.com with SMTP id n11so5289152plf.4; Wed, 12 Jan 2022 17:33:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=m18no3eU9YHeOBJ70PLazPrqlrGWJoUY+UtRV0RJfnE=; b=UmuUGXve9r7RpYvZiev379MA7uABBPIy9NIzLlVQhCGARCNeA/XjbLXQelwd22Mej0 h5Iz1VIfFDIDHao2yWLxgdxlqhcWkTX26NtLyVoTbJszoXGMfwcedOCg8vcf3ZbCKDbA NYEOMU3JWY3nuGgrPhMOfyQs1k3NewqmLeKJtNJIsJsd91tUMyU4g9PsuIkNxSH6JmBC NDrtMv69cUP9EDabJI/kJZF4z4oXMfqsKhiLVDPl2rjwBU9Jc9+wXx7vcvehSkYXqBeq HDS5kFfAXxOTFj494Qi1piZ4QZ0/9cfRHutIueLlMtDLAg5jHot2s3D8b2hTsNDaYKpc s3+Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=m18no3eU9YHeOBJ70PLazPrqlrGWJoUY+UtRV0RJfnE=; b=VVTEBGHRreeOmId70EU+TpmTEdR1lLZhHxcU8rZu4YwUDSNyRgtijiu+yXca7fO3yH wnCFz9b3LF5NTtPaN+fUP+Pxt8iJsjd/OTgtbK4Wx6F+OKCohdF0Qkeoo2og/M5iNBoH brUu2J77GsP79bN5mOIHqP8hNEl3EUV91jWo17SnqScVsnURrOQO/FqDsuCxXyrgh3/p 8xgTcPj3T+g3pAXfFRlP1YkonXC7IFcKegf3ExgtG2l5pSAX/4YjaIm5Mh14y5yidJNL aUh7ejj9AoUzgFwytmxHzBIQ+EAbSMtCk3+bo+/+NZFuWQ7uW1F8080Kl1En5TGBDraU aKDA== X-Gm-Message-State: AOAM5335Jm4Wnz5JU7TzJ7F4dWPVMO9dWnomlBMdzY1pDQeJr1kEd/TK aKqVwuyk43mFKsq+Hfo1FXZ4lbVbNcoDAwefO1g= X-Received: by 2002:a63:be49:: with SMTP id g9mr1967928pgo.375.1642037635993; Wed, 12 Jan 2022 17:33:55 -0800 (PST) MIME-Version: 1.0 References: <20220112131204.800307-1-Jason@zx2c4.com> <20220112131204.800307-2-Jason@zx2c4.com> <87tue8ftrm.fsf@toke.dk> In-Reply-To: <87tue8ftrm.fsf@toke.dk> From: Alexei Starovoitov Date: Wed, 12 Jan 2022 17:33:44 -0800 Message-ID: Subject: Re: [PATCH RFC v1 1/3] bpf: move from sha1 to blake2s in tag calculation To: =?UTF-8?B?VG9rZSBIw7hpbGFuZC1Kw7hyZ2Vuc2Vu?= Cc: "Jason A. Donenfeld" , Network Development , LKML , Geert Uytterhoeven , Herbert Xu , Ard Biesheuvel , Jean-Philippe Aumasson , Linux Crypto Mailing List , bpf Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Wed, Jan 12, 2022 at 5:14 PM Toke H=C3=B8iland-J=C3=B8rgensen wrote: > > [ adding the bpf list - please make sure to include that when sending > BPF-related patches, not everyone in BPF land follows netdev ] > > "Jason A. Donenfeld" writes: > > > BLAKE2s is faster and more secure. SHA-1 has been broken for a long tim= e > > now. This also removes quite a bit of code, and lets us potentially > > remove sha1 from lib, which would further reduce vmlinux size. > > AFAIU, the BPF tag is just used as an opaque (i.e., arbitrary) unique > identifier for BPF programs, without any guarantees of stability. Which > means changing it should be fine; at most we'd confuse some operators > who have memorised the tags of their BPF programs :) > > The only other concern I could see would be if it somehow locked us into > that particular algorithm for other future use cases for computing > hashes of BPF programs (say, signing if that ends up being the direction > we go in). But obviously SHA1 would not be a good fit for that anyway, > so the algorithm choice would have to be part of that discussion in any > case. > > So all in all, I don't see any issues with making this change for BPF. Nack. It's part of api. We cannot change it.