From: "Horia Geantă" <horia.geanta@freescale.com>
To: Martin Hicks <mort@bork.org>
Cc: <linux-crypto@vger.kernel.org>,
Scott Wood <scottwood@freescale.com>,
<linuxppc-dev@lists.ozlabs.org>, Milan Broz <gmazyland@gmail.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Kim Phillips <kim.phillips@freescale.com>
Subject: Re: [PATCH 0/2] crypto: talitos: Add AES-XTS mode
Date: Mon, 16 Mar 2015 20:46:05 +0200 [thread overview]
Message-ID: <550724ED.1050003@freescale.com> (raw)
In-Reply-To: <CAJUS3Xmv3atWu=-ydYrSVe+5PON7SM22hoXDQ1_5_ULM_zKvbQ@mail.gmail.com>
On 3/13/2015 4:08 PM, Martin Hicks wrote:
> Hi Horia,
>
> On Wed, Mar 11, 2015 at 11:48 AM, Horia Geantă
> <horia.geanta@freescale.com> wrote:
>>
>> While here: note that xts-talitos supports only two key lengths - 256
>> and 512 bits. There are tcrypt speed tests that check also for 384-bit
>> keys (which is out-of-spec, but still...), leading to a "Key Size Error"
>> - see below (KSE bit in AESU Interrupt Status Register is set)
>
> Ok. I've limited the keysize to 32 or 64 bytes for AES-XTS in the
> talitos driver.
>
> This was my first experiments with the tcrypt module. It also brought
> up another issue related to the IV limitations of this hardware. The
> latest patch that I have returns an error when there is a non-zero
> value in the second 8 bytes of the IV:
>
> + /*
> + * AES-XTS uses the first two AES Context registers for:
> + *
> + * Register 1: Sector Number (Little Endian)
> + * Register 2: Sector Size (Big Endian)
> + *
> + * Whereas AES-CBC uses registers 1/2 as a 16-byte IV.
> + */
> + if ((ctx->desc_hdr_template &
> + (DESC_HDR_SEL0_MASK | DESC_HDR_MODE0_MASK)) ==
> + (DESC_HDR_SEL0_AESU | DESC_HDR_MODE0_AESU_XTS)) {
> + u64 *aesctx2 = (u64 *)areq->info + 1;
> +
> + if (*aesctx2 != 0) {
> + dev_err(ctx->dev,
> + "IV length limited to the first 8 bytes.");
> + return ERR_PTR(-EINVAL);
> + }
> +
> + /* Fixed sized sector */
> + *aesctx2 = cpu_to_be64(1 << SECTOR_SHIFT);
> + }
>
>
> This approach causes the tcrypt tests to fail because tcrypt sets all
> 16 bytes of the IV to 0xff. I think returning an error is the right
> approach for the talitos module, but it would be nice if tcrypt still
> worked. Should tcrypt just set the IV bytes to 0 instead of 0xff?
> Isn't one IV just as good as another? I think adding exceptions to
> the tcrypt code would be ugly, but maybe one should be made for XTS
> since the standard dictates that the IV should be plain or plain64?
AFAICT xts-aes standard does not mandate for plain or plain64.
The requirements are the following (below IV = tweak value, sector =
data unit):
-IV size: 16 bytes
-IV format: little endian byte array
-IV values: non-negative; consecutive IV values for consecutive sectors
In practice, an 8-byte IV should be enough to represent the sector index
even for large capacity storage devices.
However, dm-crypt has support for a user-provided iv_offset that is
added to the sector index: IV = sector_index + iv_offset.
While in most of the cases user would choose iv_offset = 0, in theory
anything is possible.
IMHO the correct approach would be to use a fallback tfm that would
handle all the requests with IVs > 8 bytes.
We can take this off-list if you prefer.
Horia
WARNING: multiple messages have this Message-ID (diff)
From: "Horia Geantă" <horia.geanta@freescale.com>
To: Martin Hicks <mort@bork.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
linux-crypto@vger.kernel.org,
Scott Wood <scottwood@freescale.com>,
linuxppc-dev@lists.ozlabs.org, Milan Broz <gmazyland@gmail.com>
Subject: Re: [PATCH 0/2] crypto: talitos: Add AES-XTS mode
Date: Mon, 16 Mar 2015 20:46:05 +0200 [thread overview]
Message-ID: <550724ED.1050003@freescale.com> (raw)
In-Reply-To: <CAJUS3Xmv3atWu=-ydYrSVe+5PON7SM22hoXDQ1_5_ULM_zKvbQ@mail.gmail.com>
On 3/13/2015 4:08 PM, Martin Hicks wrote:
> Hi Horia,
>
> On Wed, Mar 11, 2015 at 11:48 AM, Horia Geantă
> <horia.geanta@freescale.com> wrote:
>>
>> While here: note that xts-talitos supports only two key lengths - 256
>> and 512 bits. There are tcrypt speed tests that check also for 384-bit
>> keys (which is out-of-spec, but still...), leading to a "Key Size Error"
>> - see below (KSE bit in AESU Interrupt Status Register is set)
>
> Ok. I've limited the keysize to 32 or 64 bytes for AES-XTS in the
> talitos driver.
>
> This was my first experiments with the tcrypt module. It also brought
> up another issue related to the IV limitations of this hardware. The
> latest patch that I have returns an error when there is a non-zero
> value in the second 8 bytes of the IV:
>
> + /*
> + * AES-XTS uses the first two AES Context registers for:
> + *
> + * Register 1: Sector Number (Little Endian)
> + * Register 2: Sector Size (Big Endian)
> + *
> + * Whereas AES-CBC uses registers 1/2 as a 16-byte IV.
> + */
> + if ((ctx->desc_hdr_template &
> + (DESC_HDR_SEL0_MASK | DESC_HDR_MODE0_MASK)) ==
> + (DESC_HDR_SEL0_AESU | DESC_HDR_MODE0_AESU_XTS)) {
> + u64 *aesctx2 = (u64 *)areq->info + 1;
> +
> + if (*aesctx2 != 0) {
> + dev_err(ctx->dev,
> + "IV length limited to the first 8 bytes.");
> + return ERR_PTR(-EINVAL);
> + }
> +
> + /* Fixed sized sector */
> + *aesctx2 = cpu_to_be64(1 << SECTOR_SHIFT);
> + }
>
>
> This approach causes the tcrypt tests to fail because tcrypt sets all
> 16 bytes of the IV to 0xff. I think returning an error is the right
> approach for the talitos module, but it would be nice if tcrypt still
> worked. Should tcrypt just set the IV bytes to 0 instead of 0xff?
> Isn't one IV just as good as another? I think adding exceptions to
> the tcrypt code would be ugly, but maybe one should be made for XTS
> since the standard dictates that the IV should be plain or plain64?
AFAICT xts-aes standard does not mandate for plain or plain64.
The requirements are the following (below IV = tweak value, sector =
data unit):
-IV size: 16 bytes
-IV format: little endian byte array
-IV values: non-negative; consecutive IV values for consecutive sectors
In practice, an 8-byte IV should be enough to represent the sector index
even for large capacity storage devices.
However, dm-crypt has support for a user-provided iv_offset that is
added to the sector index: IV = sector_index + iv_offset.
While in most of the cases user would choose iv_offset = 0, in theory
anything is possible.
IMHO the correct approach would be to use a fallback tfm that would
handle all the requests with IVs > 8 bytes.
We can take this off-list if you prefer.
Horia
next prev parent reply other threads:[~2015-03-16 18:46 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-02-20 17:00 [PATCH 0/2] crypto: talitos: Add AES-XTS mode Martin Hicks
2015-02-20 17:00 ` Martin Hicks
2015-02-20 17:00 ` [PATCH 1/2] crypto: talitos: Clean ups and comment fixes for ablkcipher commands Martin Hicks
2015-02-20 17:00 ` Martin Hicks
2015-02-20 17:00 ` [PATCH 2/2] crypto: talitos: Add AES-XTS Support Martin Hicks
2015-02-20 17:00 ` Martin Hicks
2015-02-27 15:46 ` Horia Geantă
2015-02-27 15:46 ` Horia Geantă
2015-03-06 0:16 ` Kim Phillips
2015-03-06 0:16 ` Kim Phillips
2015-03-06 16:49 ` Martin Hicks
2015-03-06 16:49 ` Martin Hicks
2015-03-06 19:28 ` Martin Hicks
2015-03-06 19:28 ` Martin Hicks
2015-03-07 1:16 ` Kim Phillips
2015-03-07 1:16 ` Kim Phillips
2015-03-09 9:22 ` Horia Geantă
2015-03-09 9:22 ` Horia Geantă
2015-03-02 13:25 ` [PATCH 0/2] crypto: talitos: Add AES-XTS mode Horia Geantă
2015-03-02 13:25 ` Horia Geantă
2015-03-02 14:37 ` Milan Broz
2015-03-02 22:09 ` Martin Hicks
2015-03-02 22:09 ` Martin Hicks
2015-03-03 15:44 ` Horia Geantă
2015-03-03 15:44 ` Horia Geantă
2015-03-03 17:44 ` Martin Hicks
2015-03-03 17:44 ` Martin Hicks
2015-03-09 10:16 ` Horia Geantă
2015-03-09 10:16 ` Horia Geantă
2015-03-09 15:08 ` Martin Hicks
2015-03-09 15:08 ` Martin Hicks
2015-03-11 15:48 ` Horia Geantă
2015-03-11 15:48 ` Horia Geantă
2015-03-13 14:08 ` Martin Hicks
2015-03-13 14:08 ` Martin Hicks
2015-03-16 18:46 ` Horia Geantă [this message]
2015-03-16 18:46 ` Horia Geantă
2015-03-02 21:44 ` Martin Hicks
2015-03-02 21:44 ` Martin Hicks
2015-03-02 22:03 ` Martin Hicks
2015-03-02 22:03 ` Martin Hicks
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=550724ED.1050003@freescale.com \
--to=horia.geanta@freescale.com \
--cc=gmazyland@gmail.com \
--cc=herbert@gondor.apana.org.au \
--cc=kim.phillips@freescale.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=mort@bork.org \
--cc=scottwood@freescale.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.