From patchwork Tue Aug 6 08:02:33 2019
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 170645
From: Ard Biesheuvel
To: linux-crypto@vger.kernel.org
Cc: herbert@gondor.apana.org.au, ebiggers@kernel.org, agk@redhat.com, snitzer@redhat.com, dm-devel@redhat.com, gmazyland@gmail.com, Ard Biesheuvel
Subject: [RFC PATCH 1/2] md/dm-crypt - restrict EBOIV to cbc(aes)
Date: Tue, 6 Aug 2019 11:02:33 +0300
Message-Id: <20190806080234.27998-2-ard.biesheuvel@linaro.org>
In-Reply-To: <20190806080234.27998-1-ard.biesheuvel@linaro.org>
References: <20190806080234.27998-1-ard.biesheuvel@linaro.org>
X-Mailing-List: linux-crypto@vger.kernel.org

Support for the EBOIV IV mode was introduced this cycle, and is explicitly intended for interoperability with BitLocker, which only uses it combined with AES in CBC mode. Using EBOIV in combination with any other skcipher or aead mode is not recommended, and so there is no need to support this.

However, the way the EBOIV support is currently integrated permits it to be combined with other skcipher or aead modes, and once the cat is out of the bag, we will need to support it indefinitely. So let's restrict EBOIV to cbc(aes), and reject attempts to instantiate it with other modes.
Signed-off-by: Ard Biesheuvel --- drivers/md/dm-crypt.c | 7 +++++++ 1 file changed, 7 insertions(+) -- 2.17.1 diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c index d5216bcc4649..a5e8d5bc1581 100644 --- a/drivers/md/dm-crypt.c +++ b/drivers/md/dm-crypt.c 
@@ -861,6 +861,13 @@ static int crypt_iv_eboiv_ctr(struct crypt_config *cc, struct dm_target *ti, struct iv_eboiv_private *eboiv = &cc->iv_gen_private.eboiv; struct crypto_cipher *tfm; + if (test_bit(CRYPT_MODE_INTEGRITY_AEAD, &cc->cipher_flags) || + strcmp("cbc(aes)", + crypto_tfm_alg_name(crypto_skcipher_tfm(any_tfm(cc))))) { + ti->error = "Unsupported encryption mode for EBOIV"; + return -EINVAL; + } + tfm = crypto_alloc_cipher(cc->cipher, 0, 0); if (IS_ERR(tfm)) { ti->error = "Error allocating crypto tfm for EBOIV";
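Review bot: the two operands of the new || in crypt_iv_eboiv_ctr() are order-dependent and that deserves a comment: crypto_skcipher_tfm(any_tfm(cc)) is only meaningful when the configured transform is a skcipher, so the test_bit(CRYPT_MODE_INTEGRITY_AEAD, ...) test must stay first to short-circuit the strcmp() in the AEAD case, and a later reordering would silently break this. Comparing against crypto_tfm_alg_name(), i.e. the generic algorithm name, is the right choice since it accepts every cbc(aes) driver while rejecting all other modes. Two smaller points: the error string could tell the user what is accepted, e.g. `ti->error = "EBOIV is only supported with cbc(aes)";`, and the dm-crypt target documentation that lists the IV modes should gain a sentence recording this restriction, since a table line that was accepted before now fails with -EINVAL.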
From patchwork Tue Aug 6 08:02:34 2019
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 170646
From: Ard Biesheuvel
To: linux-crypto@vger.kernel.org
Cc: herbert@gondor.apana.org.au, ebiggers@kernel.org, agk@redhat.com, snitzer@redhat.com, dm-devel@redhat.com, gmazyland@gmail.com, Ard Biesheuvel
Subject: [RFC PATCH 2/2] md/dm-crypt - switch to AES library for EBOIV
Date: Tue, 6 Aug 2019 11:02:34 +0300
Message-Id: <20190806080234.27998-3-ard.biesheuvel@linaro.org>
In-Reply-To: <20190806080234.27998-1-ard.biesheuvel@linaro.org>
References: <20190806080234.27998-1-ard.biesheuvel@linaro.org>
X-Mailing-List: linux-crypto@vger.kernel.org

The EBOIV IV mode reuses the same AES encryption key that is used for encrypting the data, and uses it to perform a single block encryption of the byte offset to produce the IV.

Since table-based AES is known to be susceptible to known-plaintext attacks on the key, and given that the same key is used to encrypt the byte offset (which is known to an attacker), we should be careful not to permit arbitrary instantiations where the allocated AES cipher is provided by aes-generic or other table-based drivers that are known to be time variant and thus susceptible to this kind of attack.

Instead, let's switch to the new AES library, which has a D-cache footprint that is only 1/32 of the generic AES driver, and which contains some mitigations to reduce the timing variance even further.

Signed-off-by: Ard Biesheuvel --- drivers/md/dm-crypt.c | 33 ++++++-------------- 1 file changed, 9 insertions(+), 24 deletions(-) -- 2.17.1 diff --git a/drivers/md/dm-crypt.c b/drivers/md/dm-crypt.c index a5e8d5bc1581..4650ab4b9415 100644 --- a/drivers/md/dm-crypt.c +++ b/drivers/md/dm-crypt.c @@ -27,6 +27,7 @@ #include #include #include +#include #include #include #include @@ -121,7 +122,7 @@ struct iv_tcw_private { }; struct iv_eboiv_private { - struct crypto_cipher *tfm; + struct crypto_aes_ctx aes_ctx; }; /*
@@ -851,16 +852,12 @@ static void crypt_iv_eboiv_dtr(struct crypt_config *cc) { struct iv_eboiv_private *eboiv = &cc->iv_gen_private.eboiv; - crypto_free_cipher(eboiv->tfm); - eboiv->tfm = NULL; + memset(eboiv, 0, sizeof(*eboiv)); } static int crypt_iv_eboiv_ctr(struct crypt_config *cc, struct dm_target *ti, const char *opts) { - struct iv_eboiv_private *eboiv = &cc->iv_gen_private.eboiv; - struct crypto_cipher *tfm; - if (test_bit(CRYPT_MODE_INTEGRITY_AEAD, &cc->cipher_flags) || strcmp("cbc(aes)", crypto_tfm_alg_name(crypto_skcipher_tfm(any_tfm(cc))))) { @@ -868,20 +865,6 @@ static int crypt_iv_eboiv_ctr(struct crypt_config *cc, struct dm_target *ti, return -EINVAL; } - tfm = crypto_alloc_cipher(cc->cipher, 0, 0); - if (IS_ERR(tfm)) { - ti->error = "Error allocating crypto tfm for EBOIV"; - return PTR_ERR(tfm); - } - - if (crypto_cipher_blocksize(tfm) != cc->iv_size) { - ti->error = "Block size of EBOIV cipher does " - "not match IV size of block cipher"; - crypto_free_cipher(tfm); - return -EINVAL; - } - - eboiv->tfm = tfm; return 0; } @@ -890,7 +873,7 @@ static int crypt_iv_eboiv_init(struct crypt_config *cc) struct iv_eboiv_private *eboiv = &cc->iv_gen_private.eboiv; int err; - err = crypto_cipher_setkey(eboiv->tfm, cc->key, cc->key_size); + err = aes_expandkey(&eboiv->aes_ctx, cc->key, cc->key_size); if (err) return err; @@ -899,8 +882,10 @@ static int crypt_iv_eboiv_init(struct crypt_config *cc) static int crypt_iv_eboiv_wipe(struct crypt_config *cc) { - /* Called after cc->key is set to random key in crypt_wipe() */ - return crypt_iv_eboiv_init(cc); + struct iv_eboiv_private *eboiv = &cc->iv_gen_private.eboiv; + + memset(eboiv, 0, sizeof(*eboiv)); + return 0; } static int crypt_iv_eboiv_gen(struct crypt_config *cc, u8 *iv, 
@@ -910,7 +895,7 @@ static int crypt_iv_eboiv_gen(struct crypt_config *cc, u8 *iv, memset(iv, 0, cc->iv_size); *(__le64 *)iv = cpu_to_le64(dmreq->iv_sector * cc->sector_size); - crypto_cipher_encrypt_one(eboiv->tfm, iv, iv); + aes_encrypt(&eboiv->aes_ctx, iv, iv); return 0; }
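Review bot: the crypt_iv_eboiv_ctr() hunks (@@ -851 and @@ -868) drop the `crypto_cipher_blocksize(tfm) != cc->iv_size` check without a replacement, yet crypt_iv_eboiv_gen() (@@ -910) still does `memset(iv, 0, cc->iv_size)` and then lets aes_encrypt() write a full AES block into iv. That is only safe because the cbc(aes) restriction from the previous patch pins cc->iv_size to the AES block size, and the coupling is implicit. Suggest keeping an explicit guard in the ctr, e.g. `if (cc->iv_size != AES_BLOCK_SIZE) { ti->error = "..."; return -EINVAL; }`, or at least a comment stating that the strcmp() against "cbc(aes)" is what guarantees the IV size.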
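Review bot: the crypt_iv_eboiv_dtr() (@@ -851) and crypt_iv_eboiv_wipe() (@@ -899) hunks clear the expanded key schedule with a plain `memset(eboiv, 0, sizeof(*eboiv));`; since this is key material, memzero_explicit() is the idiom that states the intent, and the wipe path also loses its only comment (`/* Called after cc->key is set to random key in crypt_wipe() */`) without a replacement. A one-line comment saying that the zeroed schedule is rebuilt by crypt_iv_eboiv_init() on the next key set, and that no I/O may reach crypt_iv_eboiv_gen() in between (it would otherwise encrypt with an all-zero schedule), would document the new behaviour.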
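The IV derivation the two commit messages describe, as an added example that is not dm-crypt's or the kernel AES library's code: a compact FIPS 197 AES so it runs without third-party modules, with eboiv() turning a sector's byte offset into the IV and refusing any IV size other than one AES block, the same restriction patch 1 enforces. The key, sector size and sector numbers are constructed; a pure-Python table lookup is exactly the kind of time-variant implementation patch 2 moves away from, so this shows the format, not how to protect a key.

```python
import struct  # added example (not dm-crypt code): EBOIV IV derivation in Python
def _xtime(b):  # multiply by x (0x02) in GF(2^8) modulo the AES polynomial
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1

def _build_sbox():  # p walks GF(2^8)* by *3 and q by /3, so q == 1/p; affine map on q
    sbox, p, q = [0x63] * 256, 1, 1
    while True:
        p ^= _xtime(p)
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF
        if q & 0x80:
            q ^= 0x09
        x = q ^ (q << 1) ^ (q << 2) ^ (q << 3) ^ (q << 4)  # q ^ rotl(q,1..4)
        sbox[p] = (x ^ (x >> 8) ^ 0x63) & 0xFF
        if p == 1:
            return sbox
SBOX = _build_sbox()

def expand_key(key):  # FIPS 197 key schedule: returns nr+1 round keys of 16 bytes
    nk = len(key) // 4
    w = [list(key[4 * i:4 * i + 4]) for i in range(nk)]
    rcon = 1
    for i in range(nk, 4 * (nk + 7)):
        t = w[i - 1]
        if i % nk == 0:
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:
            t = [SBOX[b] for b in t]
        w.append([a ^ b for a, b in zip(w[i - nk], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(nk + 7)]

def aes_encrypt_block(round_keys, block):  # one 16-byte block; state index is 4*col + row
    s = [a ^ b for a, b in zip(block, round_keys[0])]
    nr = len(round_keys) - 1
    for rnd in range(1, nr + 1):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd != nr:                                                       # MixColumns
            s = [_xtime(s[4*c + i]) ^ _xtime(s[4*c + (i+1) % 4]) ^ s[4*c + (i+1) % 4]
                 ^ s[4*c + (i+2) % 4] ^ s[4*c + (i+3) % 4] for c in range(4) for i in range(4)]
        s = [a ^ b for a, b in zip(s, round_keys[rnd])]                     # AddRoundKey
    return bytes(s)

def eboiv(key, sector, sector_size=512, iv_size=16):
    # Mirrors crypt_iv_eboiv_gen(): little-endian byte offset, zero-padded to the IV size,
    # encrypted once with the data key. Only cbc(aes) (16-byte IV) is allowed, as in patch 1.
    if iv_size != 16 or len(key) not in (16, 24, 32):
        raise ValueError("EBOIV requires a 16-byte IV and an AES key")
    offset = struct.pack("<Q", sector * sector_size).ljust(iv_size, b"\0")
    return aes_encrypt_block(expand_key(key), offset)
```

Two sectors that map to the same byte offset under different sector sizes (sector 1 at 4096 and sector 8 at 512) get the same IV, which is the property that makes the offset, not the sector index, the thing being encrypted.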