Received: by 2002:a05:6a10:6d10:0:0:0:0 with SMTP id gq16csp263636pxb; Tue, 12 Apr 2022 23:45:51 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxZnsRiFdhrbkBFGRWYIXt7x9LymAYHOogu8pdzqiqYYqwZRWSRPcyHyRV2jXhAlgSjn+Kq X-Received: by 2002:a17:902:e84c:b0:158:6bd9:8591 with SMTP id t12-20020a170902e84c00b001586bd98591mr12572700plg.170.1649832351125; Tue, 12 Apr 2022 23:45:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1649832351; cv=none; d=google.com; s=arc-20160816; b=d0wdhdF8cUVQy7TETAQIzAqMElZE2eNyTYwHkeSr55GdPPlBR8u6Y6MSyLhbhCOU/L 8loSEbw1yFCa5szcw4yTKYQEVGQcwgzgkJnx2o6UScC3Pux0VY39HM3IKhJ6Fmqb8WbR Ve0+3p9tFBndIOydEWUioSOd8nLhcTCIjgkVRa02oXHVdNThjwXeWZ1/3QbbET3Y39Jy NZMNCa/5yIGiD7+uEl9xMgk7zs6ec2e3hrALnGmQsb47TEAORJm8RlRTKtZxxmRrIEur o/6zFf5WYLnRwmHgYfIHi8JeOlIpTu3nYMPg2675S89wyhOF08boBhPpIn2MTpnSUvG9 uhWQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=fHLqWZWky2sUKXrzCoOr9MjjtTUqahwl0AZUA4ClT+M=; b=LGBHDbbea93GDTjlclUIWuF/7OldTN15fL0qAwJ4mxQb9lellTc6YgAYQJy093rFaT a5ILFDIe/I+DBx7kONnKLAhVU8yrixY3CzBrbskeARmT87GJzhKleAAGAZi89P88g0EA E+LXHy3R1/Il2531V3Unp9DE3uNzmiRvcY/q4dhnfTAEjVjlK9M7GD+0QkL5HeS05acw 5BII0ElGedIx2NUDh70USWEI5184g9lotoTuMiAsUMg5fDvlHFULUYQhnAgDm9fx5Q25 k9ZkceqnV3htSxlO5KxLeJm18B/ruWh9x7qAZ7ZXo5Gs/PHc3znfbjEwcgzN92rSjSA6 9skA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Hc2Q1d4d; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id s205-20020a632cd6000000b0039d5b6aa353si5008494pgs.8.2022.04.12.23.45.22; Tue, 12 Apr 2022 23:45:51 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=Hc2Q1d4d; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231894AbiDMGTA (ORCPT + 99 others); Wed, 13 Apr 2022 02:19:00 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46792 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231951AbiDMGS7 (ORCPT ); Wed, 13 Apr 2022 02:18:59 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 96E76340CE for ; Tue, 12 Apr 2022 23:16:39 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 3BB2461CF1 for ; Wed, 13 Apr 2022 06:16:39 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A0828C385AA for ; Wed, 13 Apr 2022 06:16:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1649830598; bh=okRlPQNcB+6A2GoR1KXbY9jJModBQBGkTc2iPAB4FmE=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=Hc2Q1d4dmHsBNg6vj1/IOtdoyJGCzVDN3SqobL3FcB5P0ZbbtaUdbUEY43PlysS6k FdoVqX3XNgAZm/qmzPkLjbvwYeTTikAJOYFo7zYCqDzuH/aMEfhi/pfWubr4Kidohf kwaFHO19CuWq306/Z5+or/87d1yhw9DlOKKtnykDhqVXcXgKsal0EC9qDAdYt3QTAu 4zbnS5JDkYNlkHZ30PyflziK//krMQWq3Zy8EStflQnqaRXexJvfMLd/WsYnr8qHyC bKUuLliJGtFOzGxJgt8UeO2Fxgk7ElA2XZoyHO7l2uwXZduxUOWTTtjXl2TOpZ809R 3aMTRTp5aM+7A== Received: by mail-oa1-f44.google.com with SMTP id 586e51a60fabf-d6ca46da48so1002230fac.12 for ; Tue, 12 Apr 2022 23:16:38 -0700 (PDT) X-Gm-Message-State: AOAM531RZKLWMY8FWrd7LDktMH6SDFQG9saNk+Vnx+QklxJOK8qTCEhO ItVIFjk3NexBDDBevEhFu5/s2NMkvThj1zjosr4= X-Received: by 2002:a05:6870:eaa5:b0:da:b3f:2b45 with SMTP id s37-20020a056870eaa500b000da0b3f2b45mr3814788oap.228.1649830597712; Tue, 12 Apr 2022 23:16:37 -0700 (PDT) MIME-Version: 1.0 References: <20220412172816.917723-1-nhuck@google.com> <20220412172816.917723-9-nhuck@google.com> In-Reply-To: From: Ard Biesheuvel Date: Wed, 13 Apr 2022 08:16:25 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v4 8/8] fscrypt: Add HCTR2 support for filename encryption To: Eric Biggers Cc: Nathan Huckleberry , Linux Crypto Mailing List , Herbert Xu , "David S. Miller" , Linux ARM , Paul Crowley , Sami Tolvanen Content-Type: text/plain; charset="UTF-8" X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On Wed, 13 Apr 2022 at 08:10, Eric Biggers wrote: > > On Tue, Apr 12, 2022 at 05:28:16PM +0000, Nathan Huckleberry wrote: > > HCTR2 is a tweakable, length-preserving encryption mode. It has the > > same security guarantees as Adiantum, but is intended for use on CPUs > > with dedicated crypto instructions. It fixes a known weakness with > > filename encryption: when two filenames in the same directory share a > > prefix of >= 16 bytes, with CTS-CBC their encrypted filenames share a > > common substring, leaking information. HCTR2 does not have this > > problem. > > > > More information on HCTR2 can be found here: Length-preserving > > encryption with HCTR2: https://eprint.iacr.org/2021/1441.pdf > > Please quote titles to distinguish them from the surrounding text. E.g. > > More information on HCTR2 can be found in the paper "Length-preserving > encryption with HCTR2" (https://eprint.iacr.org/2021/1441.pdf) > > > > > > Signed-off-by: Nathan Huckleberry > > --- > > Documentation/filesystems/fscrypt.rst | 19 ++++++++++++++----- > > fs/crypto/fscrypt_private.h | 2 +- > > fs/crypto/keysetup.c | 7 +++++++ > > fs/crypto/policy.c | 4 ++++ > > include/uapi/linux/fscrypt.h | 3 ++- > > tools/include/uapi/linux/fscrypt.h | 3 ++- > > 6 files changed, 30 insertions(+), 8 deletions(-) > > Can you make sure that all fscrypt patches are Cc'ed to the linux-fscrypt > mailing list? In this case, just Cc the whole series to there. > > > > > diff --git a/Documentation/filesystems/fscrypt.rst b/Documentation/filesystems/fscrypt.rst > > index 4d5d50dca65c..09915086abd8 100644 > > --- a/Documentation/filesystems/fscrypt.rst > > +++ b/Documentation/filesystems/fscrypt.rst > > @@ -337,6 +337,7 @@ Currently, the following pairs of encryption modes are supported: > > - AES-256-XTS for contents and AES-256-CTS-CBC for filenames > > - AES-128-CBC for contents and AES-128-CTS-CBC for filenames > > - Adiantum for both contents and filenames > > +- AES-256-XTS for contents and AES-256-HCTR2 for filenames > > > > If unsure, you should use the (AES-256-XTS, AES-256-CTS-CBC) pair. > > > > @@ -357,6 +358,14 @@ To use Adiantum, CONFIG_CRYPTO_ADIANTUM must be enabled. Also, fast > > implementations of ChaCha and NHPoly1305 should be enabled, e.g. > > CONFIG_CRYPTO_CHACHA20_NEON and CONFIG_CRYPTO_NHPOLY1305_NEON for ARM. > > > > +AES-256-HCTR2 is another true wide-block encryption mode. It has the same > > +security guarantees as Adiantum, but is intended for use on CPUs with dedicated > > +crypto instructions. See the paper "Length-preserving encryption with HCTR2" > > +(https://eprint.iacr.org/2021/1441.pdf) for more details. To use HCTR2, > > +CONFIG_CRYPTO_HCTR2 must be enabled. Also, fast implementations of XCTR and > > +POLYVAL should be enabled, e.g. CRYPTO_POLYVAL_ARM64_CE and > > +CRYPTO_AES_ARM64_CE_BLK for ARM64. > > "same security guarantees as Adiantum" is not really correct. Both Adiantum and > HCTR2 are secure super-pseudorandom permutations if their underlying primitives > are secure. So their security guarantees are pretty similar, but not literally > the same. Can you reword this? This potentially-misleading claim also showed > up in the commit message. > > > diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c > > index ed3d623724cd..fa8bdb8c76b7 100644 > > --- a/fs/crypto/policy.c > > +++ b/fs/crypto/policy.c > > @@ -54,6 +54,10 @@ static bool fscrypt_valid_enc_modes(u32 contents_mode, u32 filenames_mode) > > filenames_mode == FSCRYPT_MODE_ADIANTUM) > > return true; > > > > + if (contents_mode == FSCRYPT_MODE_AES_256_XTS && > > + filenames_mode == FSCRYPT_MODE_AES_256_HCTR2) > > + return true; > > + > > return false; > > } > > This is allowing HCTR2 for both v1 and v2 encryption policies. I don't think we > should add any new features to v1 encryption policies, as they are deprecated. > How about allowing HCTR2 for v2 encryption policies only? This is the first new > encryption mode where this issue has come up, but this could be handled easily > by splitting fscrypt_valid_enc_modes() into fscrypt_valid_enc_modes_v1() and > fscrypt_valid_enc_modes_v2(). The v2 one can call the v1 one to share code. > > > diff --git a/tools/include/uapi/linux/fscrypt.h b/tools/include/uapi/linux/fscrypt.h > > index 9f4428be3e36..a756b29afcc2 100644 > > --- a/tools/include/uapi/linux/fscrypt.h > > +++ b/tools/include/uapi/linux/fscrypt.h > > @@ -27,7 +27,8 @@ > > #define FSCRYPT_MODE_AES_128_CBC 5 > > #define FSCRYPT_MODE_AES_128_CTS 6 > > #define FSCRYPT_MODE_ADIANTUM 9 > > -/* If adding a mode number > 9, update FSCRYPT_MODE_MAX in fscrypt_private.h */ > > +#define FSCRYPT_MODE_AES_256_HCTR2 10 > > +/* If adding a mode number > 10, update FSCRYPT_MODE_MAX in fscrypt_private.h */ > > > > As far as I know, you don't actually need to update the copy of UAPI headers in > tools/. The people who maintain those files handle that. It doesn't make sense > to have copies of files in the source tree anyway. > Doesn't the x86 build emit a warning if these go out of sync?