From: Mike Snitzer <snitzer@redhat.com>
To: Milan Broz <gmazyland@gmail.com>
Cc: Thibaut Sautereau <thibaut.sautereau@clip-os.org>,
dm-devel@redhat.com, Alasdair Kergon <agk@redhat.com>,
linux-kernel@vger.kernel.org
Subject: Re: dm-crypt error when CONFIG_CRYPTO_AUTHENC is disabled
Date: Fri, 20 Sep 2019 17:27:46 -0400 [thread overview]
Message-ID: <20190920212746.GA22061@redhat.com> (raw)
In-Reply-To: <13e25b01-f344-ea1d-8f6c-9d0a60eb1e0f@gmail.com>
On Fri, Sep 20 2019 at 3:21pm -0400,
Milan Broz <gmazyland@gmail.com> wrote:
> On 20/09/2019 19:37, Mike Snitzer wrote:
> > On Fri, Sep 20 2019 at 11:44am -0400,
> > Thibaut Sautereau <thibaut.sautereau@clip-os.org> wrote:
> >
> >> Hi,
> >>
> >> I just got a dm-crypt "crypt: Error allocating crypto tfm" error when
> >> trying to "cryptsetup open" a volume. I found out that it was only
> >> happening when I disabled CONFIG_CRYPTO_AUTHENC.
> >>
> >> drivers/md/dm-crypt.c includes the crypto/authenc.h header and seems to
> >> use some CRYPTO_AUTHENC-related stuff. Therefore, shouldn't
> >> CONFIG_DM_CRYPT select CONFIG_CRYPTO_AUTHENC?
> >
> > Yes, it looks like commit ef43aa38063a6 ("dm crypt: add cryptographic
> > data integrity protection (authenticated encryption)") should've added
> > 'select CRYPTO_AUTHENC' to dm-crypt's Kconfig. I'll let Milan weigh-in
> > but that seems like the right way forward.
>
> No, I don't this so. It is like you use some algorithm that is just not compiled-in,
> or it is disabled in the current state (because of FIPS mode od so) - it fails
> to initialize it.
>
> I think we should not force dm-crypt to depend on AEAD - most users
> do not use authenticated encryption, it is perfectly ok to keep this compiled out.
>
> I do not see any principal difference from disabling any other crypto
> (if you disable XTS mode, it fails to open device that uses it).
>
> IMO the current config dependence is ok.
That is a good point. I hadn't considered the kernel compiles just fine
without CRYPTO_AUTHENC.. which it clearly does.
SO I retract the question/thought of updating the Kconfig for dm-crypt
in my previous mail.
Though in hindsight: wonder whether the dm-integrity based dm-crypt
authenticated encryption support should have been exposed as a proper
CONFIG option within the DM_CRYPT section? Rather than lean on the
crypto subsystem to happily stub out the dm-crypt AEAD and AUTHENC
related code dm-crypt could've established #ifdef boundaries for that
code.
I'm open to suggestions and/or confirmation that the way things are now
is perfectly fine. But I do see this report as something that should
drive some improvement.
Mike
next prev parent reply other threads:[~2019-09-20 21:27 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-20 15:44 dm-crypt error when CONFIG_CRYPTO_AUTHENC is disabled Thibaut Sautereau
2019-09-20 17:37 ` Mike Snitzer
2019-09-20 19:21 ` Milan Broz
2019-09-20 21:27 ` Mike Snitzer [this message]
2019-09-20 21:47 ` [dm-devel] " Eric Biggers
2019-09-23 8:20 ` Thibaut Sautereau
2019-09-23 9:46 ` Milan Broz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190920212746.GA22061@redhat.com \
--to=snitzer@redhat.com \
--cc=agk@redhat.com \
--cc=dm-devel@redhat.com \
--cc=gmazyland@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=thibaut.sautereau@clip-os.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.