From: "Horia Geantă" <horia.geanta@freescale.com>
To: Martin Hicks <mort@bork.org>
Cc: <linux-crypto@vger.kernel.org>,
Scott Wood <scottwood@freescale.com>,
<linuxppc-dev@lists.ozlabs.org>, Milan Broz <gmazyland@gmail.com>,
Herbert Xu <herbert@gondor.apana.org.au>
Subject: Re: [PATCH 0/2] crypto: talitos: Add AES-XTS mode
Date: Wed, 11 Mar 2015 17:48:33 +0200 [thread overview]
Message-ID: <550063D1.2070105@freescale.com> (raw)
In-Reply-To: <CAJUS3XkY0tbYqBbU5HR7NT63UPFi5DO6XWuymbZnQaJEA5kkBw@mail.gmail.com>
On 3/9/2015 5:08 PM, Martin Hicks wrote:
> On Mon, Mar 9, 2015 at 6:16 AM, Horia Geantă <horia.geanta@freescale.com> wrote:
>> On 3/3/2015 7:44 PM, Martin Hicks wrote:
>>> On Tue, Mar 3, 2015 at 10:44 AM, Horia Geantă
>>> <horia.geanta@freescale.com> wrote:
>>>>
>>>> For talitos, there are two cases:
>>>>
>>>> 1. request data size is <= data unit / sector size
>>>> talitos can handle any IV / tweak scheme
>>>>
>>>> 2. request data size > sector size
>>>> since talitos internally generates the IV for the next sector by
>>>> incrementing the previous IV, only IV schemes that allocate consecutive
>>>> IV to consecutive sectors will function correctly.
>>>>
>>>
>>> it's not clear to me that #1 is right. I guess it could be, but the
>>> IV length would be limited to 8 bytes.
>>
>> Yes, there's a limitation in talitos wrt. XTS IV / tweak size - it's up
>> to 8 bytes.
>> So I guess ESSIV won't work with talitos-xts, since the encrypted IV
>> output is 16 bytes.
>> But as previously said, ESSIV breaks the XTS standard requirement for
>> having a consecutive IV for consecutive blocks. ESSIV should really be
>> used only with disk-level encryption schemes that require an
>> unpredictable IV.
>
> Ok. I'll verify that the second half of the IV is zeroed.
>
> One last thing that I'm not sure of is what string to place in
> cra_ablkcipher.geniv field. "eseqiv" seems wrong if plain/plain64
> are the IVs that XTS is designed for.
Right. But since currently dm-crypt does not use .givencrypt and deals
with IV generation by itself, we're safe.
When dm-crypt IV generation will be moved to crypto, we'll have to
revisit this.
While here: note that xts-talitos supports only two key lengths - 256
and 512 bits. There are tcrypt speed tests that check also for 384-bit
keys (which is out-of-spec, but still...), leading to a "Key Size Error"
- see below (KSE bit in AESU Interrupt Status Register is set)
testing speed of async xts(aes) (xts-aes-talitos) encryption
[...]
test 5 (384 bit key, 16 byte blocks):
talitos ffe30000.crypto: CDPR is NULL, giving up search for offending
descriptor
talitos ffe30000.crypto: AESUISR 0x00000000_00000200
talitos ffe30000.crypto: DESCBUF 0x64300011_00000000
talitos ffe30000.crypto: DESCBUF 0x00000000_00000000
talitos ffe30000.crypto: DESCBUF 0x00100000_00000000
talitos ffe30000.crypto: DESCBUF 0x00300000_00000000
talitos ffe30000.crypto: DESCBUF 0x00100000_00000000
talitos ffe30000.crypto: DESCBUF 0x00100000_00000000
talitos ffe30000.crypto: DESCBUF 0x00100000_00000000
talitos ffe30000.crypto: DESCBUF 0x00000000_00000000
encryption() failed flags=0
So for xts, driver must enforce 256/512 bit key lengths and return
CRYPTO_TFM_RES_BAD_KEY_LEN in all other cases.
Or a SW fallback could be used for the other cases, but I don't think
it's worth the effort since these are non-standard.
Horia
WARNING: multiple messages have this Message-ID (diff)
From: "Horia Geantă" <horia.geanta@freescale.com>
To: Martin Hicks <mort@bork.org>
Cc: Scott Wood <scottwood@freescale.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
linuxppc-dev@lists.ozlabs.org, linux-crypto@vger.kernel.org,
Milan Broz <gmazyland@gmail.com>
Subject: Re: [PATCH 0/2] crypto: talitos: Add AES-XTS mode
Date: Wed, 11 Mar 2015 17:48:33 +0200 [thread overview]
Message-ID: <550063D1.2070105@freescale.com> (raw)
In-Reply-To: <CAJUS3XkY0tbYqBbU5HR7NT63UPFi5DO6XWuymbZnQaJEA5kkBw@mail.gmail.com>
On 3/9/2015 5:08 PM, Martin Hicks wrote:
> On Mon, Mar 9, 2015 at 6:16 AM, Horia Geantă <horia.geanta@freescale.com> wrote:
>> On 3/3/2015 7:44 PM, Martin Hicks wrote:
>>> On Tue, Mar 3, 2015 at 10:44 AM, Horia Geantă
>>> <horia.geanta@freescale.com> wrote:
>>>>
>>>> For talitos, there are two cases:
>>>>
>>>> 1. request data size is <= data unit / sector size
>>>> talitos can handle any IV / tweak scheme
>>>>
>>>> 2. request data size > sector size
>>>> since talitos internally generates the IV for the next sector by
>>>> incrementing the previous IV, only IV schemes that allocate consecutive
>>>> IV to consecutive sectors will function correctly.
>>>>
>>>
>>> it's not clear to me that #1 is right. I guess it could be, but the
>>> IV length would be limited to 8 bytes.
>>
>> Yes, there's a limitation in talitos wrt. XTS IV / tweak size - it's up
>> to 8 bytes.
>> So I guess ESSIV won't work with talitos-xts, since the encrypted IV
>> output is 16 bytes.
>> But as previously said, ESSIV breaks the XTS standard requirement for
>> having a consecutive IV for consecutive blocks. ESSIV should really be
>> used only with disk-level encryption schemes that require an
>> unpredictable IV.
>
> Ok. I'll verify that the second half of the IV is zeroed.
>
> One last thing that I'm not sure of is what string to place in
> cra_ablkcipher.geniv field. "eseqiv" seems wrong if plain/plain64
> are the IVs that XTS is designed for.
Right. But since currently dm-crypt does not use .givencrypt and deals
with IV generation by itself, we're safe.
When dm-crypt IV generation will be moved to crypto, we'll have to
revisit this.
While here: note that xts-talitos supports only two key lengths - 256
and 512 bits. There are tcrypt speed tests that check also for 384-bit
keys (which is out-of-spec, but still...), leading to a "Key Size Error"
- see below (KSE bit in AESU Interrupt Status Register is set)
testing speed of async xts(aes) (xts-aes-talitos) encryption
[...]
test 5 (384 bit key, 16 byte blocks):
talitos ffe30000.crypto: CDPR is NULL, giving up search for offending
descriptor
talitos ffe30000.crypto: AESUISR 0x00000000_00000200
talitos ffe30000.crypto: DESCBUF 0x64300011_00000000
talitos ffe30000.crypto: DESCBUF 0x00000000_00000000
talitos ffe30000.crypto: DESCBUF 0x00100000_00000000
talitos ffe30000.crypto: DESCBUF 0x00300000_00000000
talitos ffe30000.crypto: DESCBUF 0x00100000_00000000
talitos ffe30000.crypto: DESCBUF 0x00100000_00000000
talitos ffe30000.crypto: DESCBUF 0x00100000_00000000
talitos ffe30000.crypto: DESCBUF 0x00000000_00000000
encryption() failed flags=0
So for xts, driver must enforce 256/512 bit key lengths and return
CRYPTO_TFM_RES_BAD_KEY_LEN in all other cases.
Or a SW fallback could be used for the other cases, but I don't think
it's worth the effort since these are non-standard.
Horia
next prev parent reply other threads:[~2015-03-11 15:48 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-20 17:00 [PATCH 0/2] crypto: talitos: Add AES-XTS mode Martin Hicks
2015-02-20 17:00 ` Martin Hicks
2015-02-20 17:00 ` [PATCH 1/2] crypto: talitos: Clean ups and comment fixes for ablkcipher commands Martin Hicks
2015-02-20 17:00 ` Martin Hicks
2015-02-20 17:00 ` [PATCH 2/2] crypto: talitos: Add AES-XTS Support Martin Hicks
2015-02-20 17:00 ` Martin Hicks
2015-02-27 15:46 ` Horia Geantă
2015-02-27 15:46 ` Horia Geantă
2015-03-06 0:16 ` Kim Phillips
2015-03-06 0:16 ` Kim Phillips
2015-03-06 16:49 ` Martin Hicks
2015-03-06 16:49 ` Martin Hicks
2015-03-06 19:28 ` Martin Hicks
2015-03-06 19:28 ` Martin Hicks
2015-03-07 1:16 ` Kim Phillips
2015-03-07 1:16 ` Kim Phillips
2015-03-09 9:22 ` Horia Geantă
2015-03-09 9:22 ` Horia Geantă
2015-03-02 13:25 ` [PATCH 0/2] crypto: talitos: Add AES-XTS mode Horia Geantă
2015-03-02 13:25 ` Horia Geantă
2015-03-02 14:37 ` Milan Broz
2015-03-02 22:09 ` Martin Hicks
2015-03-02 22:09 ` Martin Hicks
2015-03-03 15:44 ` Horia Geantă
2015-03-03 15:44 ` Horia Geantă
2015-03-03 17:44 ` Martin Hicks
2015-03-03 17:44 ` Martin Hicks
2015-03-09 10:16 ` Horia Geantă
2015-03-09 10:16 ` Horia Geantă
2015-03-09 15:08 ` Martin Hicks
2015-03-09 15:08 ` Martin Hicks
2015-03-11 15:48 ` Horia Geantă [this message]
2015-03-11 15:48 ` Horia Geantă
2015-03-13 14:08 ` Martin Hicks
2015-03-13 14:08 ` Martin Hicks
2015-03-16 18:46 ` Horia Geantă
2015-03-16 18:46 ` Horia Geantă
2015-03-02 21:44 ` Martin Hicks
2015-03-02 21:44 ` Martin Hicks
2015-03-02 22:03 ` Martin Hicks
2015-03-02 22:03 ` Martin Hicks
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=550063D1.2070105@freescale.com \
--to=horia.geanta@freescale.com \
--cc=gmazyland@gmail.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mort@bork.org \
--cc=scottwood@freescale.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.