[PATCH] KEYS: encrypted: Use SHA-256 library instead of crypto_shash

[PATCH] KEYS: encrypted: Use SHA-256 library instead of crypto_shash

[Eric Biggers]

Instead of the "sha256" crypto_shash, just use sha256().  Similarly,
instead of the "hmac(sha256)" crypto_shash, just use
hmac_sha256_usingrawkey().  This is simpler and faster.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 security/keys/Kconfig                    |  3 +-
 security/keys/encrypted-keys/encrypted.c | 63 ++++--------------------
 2 files changed, 11 insertions(+), 55 deletions(-)

diff --git a/security/keys/Kconfig b/security/keys/Kconfig
index d4f5fc1e72638..64477e2c4a212 100644
--- a/security/keys/Kconfig
+++ b/security/keys/Kconfig
@@ -85,14 +85,13 @@ endif
 
 config ENCRYPTED_KEYS
 	tristate "ENCRYPTED KEYS"
 	depends on KEYS
 	select CRYPTO
-	select CRYPTO_HMAC
 	select CRYPTO_AES
 	select CRYPTO_CBC
-	select CRYPTO_SHA256
+	select CRYPTO_LIB_SHA256
 	select CRYPTO_RNG
 	help
 	  This option provides support for create/encrypting/decrypting keys
 	  in the kernel.  Encrypted keys are instantiated using kernel
 	  generated random numbers or provided decrypted data, and are
diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
index 831cb84fd75a1..513c09e2b01cf 100644
--- a/security/keys/encrypted-keys/encrypted.c
+++ b/security/keys/encrypted-keys/encrypted.c
@@ -25,22 +25,19 @@
 #include <linux/random.h>
 #include <linux/rcupdate.h>
 #include <linux/scatterlist.h>
 #include <linux/ctype.h>
 #include <crypto/aes.h>
-#include <crypto/hash.h>
 #include <crypto/sha2.h>
 #include <crypto/skcipher.h>
 #include <crypto/utils.h>
 
 #include "encrypted.h"
 #include "ecryptfs_format.h"
 
 static const char KEY_TRUSTED_PREFIX[] = "trusted:";
 static const char KEY_USER_PREFIX[] = "user:";
-static const char hash_alg[] = "sha256";
-static const char hmac_alg[] = "hmac(sha256)";
 static const char blkcipher_alg[] = "cbc(aes)";
 static const char key_format_default[] = "default";
 static const char key_format_ecryptfs[] = "ecryptfs";
 static const char key_format_enc32[] = "enc32";
 static unsigned int ivsize;
@@ -52,12 +49,10 @@ static int blksize;
 #define HASH_SIZE SHA256_DIGEST_SIZE
 #define MAX_DATA_SIZE 4096
 #define MIN_DATA_SIZE  20
 #define KEY_ENC32_PAYLOAD_LEN 32
 
-static struct crypto_shash *hash_tfm;
-
 enum {
 	Opt_new, Opt_load, Opt_update, Opt_err
 };
 
 enum {
@@ -327,39 +322,18 @@ static struct key *request_user_key(const char *master_desc, const u8 **master_k
 	*master_keylen = upayload->datalen;
 error:
 	return ukey;
 }
 
-static int calc_hmac(u8 *digest, const u8 *key, unsigned int keylen,
-		     const u8 *buf, unsigned int buflen)
-{
-	struct crypto_shash *tfm;
-	int err;
-
-	tfm = crypto_alloc_shash(hmac_alg, 0, 0);
-	if (IS_ERR(tfm)) {
-		pr_err("encrypted_key: can't alloc %s transform: %ld\n",
-		       hmac_alg, PTR_ERR(tfm));
-		return PTR_ERR(tfm);
-	}
-
-	err = crypto_shash_setkey(tfm, key, keylen);
-	if (!err)
-		err = crypto_shash_tfm_digest(tfm, buf, buflen, digest);
-	crypto_free_shash(tfm);
-	return err;
-}
-
 enum derived_key_type { ENC_KEY, AUTH_KEY };
 
 /* Derive authentication/encryption key from trusted key */
 static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
 			   const u8 *master_key, size_t master_keylen)
 {
 	u8 *derived_buf;
 	unsigned int derived_buf_len;
-	int ret;
 
 	derived_buf_len = strlen("AUTH_KEY") + 1 + master_keylen;
 	if (derived_buf_len < HASH_SIZE)
 		derived_buf_len = HASH_SIZE;
 
@@ -372,14 +346,13 @@ static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
 	else
 		strcpy(derived_buf, "ENC_KEY");
 
 	memcpy(derived_buf + strlen(derived_buf) + 1, master_key,
 	       master_keylen);
-	ret = crypto_shash_tfm_digest(hash_tfm, derived_buf, derived_buf_len,
-				      derived_key);
+	sha256(derived_buf, derived_buf_len, derived_key);
 	kfree_sensitive(derived_buf);
-	return ret;
+	return 0;
 }
 
 static struct skcipher_request *init_skcipher_req(const u8 *key,
 						  unsigned int key_len)
 {
@@ -501,14 +474,14 @@ static int datablob_hmac_append(struct encrypted_key_payload *epayload,
 	ret = get_derived_key(derived_key, AUTH_KEY, master_key, master_keylen);
 	if (ret < 0)
 		goto out;
 
 	digest = epayload->format + epayload->datablob_len;
-	ret = calc_hmac(digest, derived_key, sizeof derived_key,
-			epayload->format, epayload->datablob_len);
-	if (!ret)
-		dump_hmac(NULL, digest, HASH_SIZE);
+	hmac_sha256_usingrawkey(derived_key, sizeof(derived_key),
+				epayload->format, epayload->datablob_len,
+				digest);
+	dump_hmac(NULL, digest, HASH_SIZE);
 out:
 	memzero_explicit(derived_key, sizeof(derived_key));
 	return ret;
 }
 
@@ -532,13 +505,12 @@ static int datablob_hmac_verify(struct encrypted_key_payload *epayload,
 		p = epayload->master_desc;
 		len -= strlen(epayload->format) + 1;
 	} else
 		p = epayload->format;
 
-	ret = calc_hmac(digest, derived_key, sizeof derived_key, p, len);
-	if (ret < 0)
-		goto out;
+	hmac_sha256_usingrawkey(derived_key, sizeof(derived_key), p, len,
+				digest);
 	ret = crypto_memneq(digest, epayload->format + epayload->datablob_len,
 			    sizeof(digest));
 	if (ret) {
 		ret = -EINVAL;
 		dump_hmac("datablob",
@@ -1009,33 +981,18 @@ EXPORT_SYMBOL_GPL(key_type_encrypted);
 
 static int __init init_encrypted(void)
 {
 	int ret;
 
-	hash_tfm = crypto_alloc_shash(hash_alg, 0, 0);
-	if (IS_ERR(hash_tfm)) {
-		pr_err("encrypted_key: can't allocate %s transform: %ld\n",
-		       hash_alg, PTR_ERR(hash_tfm));
-		return PTR_ERR(hash_tfm);
-	}
-
 	ret = aes_get_sizes();
 	if (ret < 0)
-		goto out;
-	ret = register_key_type(&key_type_encrypted);
-	if (ret < 0)
-		goto out;
-	return 0;
-out:
-	crypto_free_shash(hash_tfm);
-	return ret;
-
+		return ret;
+	return register_key_type(&key_type_encrypted);
 }
 
 static void __exit cleanup_encrypted(void)
 {
-	crypto_free_shash(hash_tfm);
 	unregister_key_type(&key_type_encrypted);
 }
 
 late_initcall(init_encrypted);
 module_exit(cleanup_encrypted);

base-commit: d6084bb815c453de27af8071a23163a711586a6c
-- 
2.50.1

Re: [PATCH] KEYS: encrypted: Use SHA-256 library instead of crypto_shash

[Jarkko Sakkinen]

On Thu, Jul 31, 2025 at 11:47:47AM -0700, Eric Biggers wrote:
> Instead of the "sha256" crypto_shash, just use sha256().  Similarly,
> instead of the "hmac(sha256)" crypto_shash, just use
> hmac_sha256_usingrawkey().  This is simpler and faster.
> 
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>

Yeah, fully agree.

Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>

David, will you pick this?

BR, Jarkko

> ---
>  security/keys/Kconfig                    |  3 +-
>  security/keys/encrypted-keys/encrypted.c | 63 ++++--------------------
>  2 files changed, 11 insertions(+), 55 deletions(-)
> 
> diff --git a/security/keys/Kconfig b/security/keys/Kconfig
> index d4f5fc1e72638..64477e2c4a212 100644
> --- a/security/keys/Kconfig
> +++ b/security/keys/Kconfig
> @@ -85,14 +85,13 @@ endif
>  
>  config ENCRYPTED_KEYS
>  	tristate "ENCRYPTED KEYS"
>  	depends on KEYS
>  	select CRYPTO
> -	select CRYPTO_HMAC
>  	select CRYPTO_AES
>  	select CRYPTO_CBC
> -	select CRYPTO_SHA256
> +	select CRYPTO_LIB_SHA256
>  	select CRYPTO_RNG
>  	help
>  	  This option provides support for create/encrypting/decrypting keys
>  	  in the kernel.  Encrypted keys are instantiated using kernel
>  	  generated random numbers or provided decrypted data, and are
> diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
> index 831cb84fd75a1..513c09e2b01cf 100644
> --- a/security/keys/encrypted-keys/encrypted.c
> +++ b/security/keys/encrypted-keys/encrypted.c
> @@ -25,22 +25,19 @@
>  #include <linux/random.h>
>  #include <linux/rcupdate.h>
>  #include <linux/scatterlist.h>
>  #include <linux/ctype.h>
>  #include <crypto/aes.h>
> -#include <crypto/hash.h>
>  #include <crypto/sha2.h>
>  #include <crypto/skcipher.h>
>  #include <crypto/utils.h>
>  
>  #include "encrypted.h"
>  #include "ecryptfs_format.h"
>  
>  static const char KEY_TRUSTED_PREFIX[] = "trusted:";
>  static const char KEY_USER_PREFIX[] = "user:";
> -static const char hash_alg[] = "sha256";
> -static const char hmac_alg[] = "hmac(sha256)";
>  static const char blkcipher_alg[] = "cbc(aes)";
>  static const char key_format_default[] = "default";
>  static const char key_format_ecryptfs[] = "ecryptfs";
>  static const char key_format_enc32[] = "enc32";
>  static unsigned int ivsize;
> @@ -52,12 +49,10 @@ static int blksize;
>  #define HASH_SIZE SHA256_DIGEST_SIZE
>  #define MAX_DATA_SIZE 4096
>  #define MIN_DATA_SIZE  20
>  #define KEY_ENC32_PAYLOAD_LEN 32
>  
> -static struct crypto_shash *hash_tfm;
> -
>  enum {
>  	Opt_new, Opt_load, Opt_update, Opt_err
>  };
>  
>  enum {
> @@ -327,39 +322,18 @@ static struct key *request_user_key(const char *master_desc, const u8 **master_k
>  	*master_keylen = upayload->datalen;
>  error:
>  	return ukey;
>  }
>  
> -static int calc_hmac(u8 *digest, const u8 *key, unsigned int keylen,
> -		     const u8 *buf, unsigned int buflen)
> -{
> -	struct crypto_shash *tfm;
> -	int err;
> -
> -	tfm = crypto_alloc_shash(hmac_alg, 0, 0);
> -	if (IS_ERR(tfm)) {
> -		pr_err("encrypted_key: can't alloc %s transform: %ld\n",
> -		       hmac_alg, PTR_ERR(tfm));
> -		return PTR_ERR(tfm);
> -	}
> -
> -	err = crypto_shash_setkey(tfm, key, keylen);
> -	if (!err)
> -		err = crypto_shash_tfm_digest(tfm, buf, buflen, digest);
> -	crypto_free_shash(tfm);
> -	return err;
> -}
> -
>  enum derived_key_type { ENC_KEY, AUTH_KEY };
>  
>  /* Derive authentication/encryption key from trusted key */
>  static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
>  			   const u8 *master_key, size_t master_keylen)
>  {
>  	u8 *derived_buf;
>  	unsigned int derived_buf_len;
> -	int ret;
>  
>  	derived_buf_len = strlen("AUTH_KEY") + 1 + master_keylen;
>  	if (derived_buf_len < HASH_SIZE)
>  		derived_buf_len = HASH_SIZE;
>  
> @@ -372,14 +346,13 @@ static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
>  	else
>  		strcpy(derived_buf, "ENC_KEY");
>  
>  	memcpy(derived_buf + strlen(derived_buf) + 1, master_key,
>  	       master_keylen);
> -	ret = crypto_shash_tfm_digest(hash_tfm, derived_buf, derived_buf_len,
> -				      derived_key);
> +	sha256(derived_buf, derived_buf_len, derived_key);
>  	kfree_sensitive(derived_buf);
> -	return ret;
> +	return 0;
>  }
>  
>  static struct skcipher_request *init_skcipher_req(const u8 *key,
>  						  unsigned int key_len)
>  {
> @@ -501,14 +474,14 @@ static int datablob_hmac_append(struct encrypted_key_payload *epayload,
>  	ret = get_derived_key(derived_key, AUTH_KEY, master_key, master_keylen);
>  	if (ret < 0)
>  		goto out;
>  
>  	digest = epayload->format + epayload->datablob_len;
> -	ret = calc_hmac(digest, derived_key, sizeof derived_key,
> -			epayload->format, epayload->datablob_len);
> -	if (!ret)
> -		dump_hmac(NULL, digest, HASH_SIZE);
> +	hmac_sha256_usingrawkey(derived_key, sizeof(derived_key),
> +				epayload->format, epayload->datablob_len,
> +				digest);
> +	dump_hmac(NULL, digest, HASH_SIZE);
>  out:
>  	memzero_explicit(derived_key, sizeof(derived_key));
>  	return ret;
>  }
>  
> @@ -532,13 +505,12 @@ static int datablob_hmac_verify(struct encrypted_key_payload *epayload,
>  		p = epayload->master_desc;
>  		len -= strlen(epayload->format) + 1;
>  	} else
>  		p = epayload->format;
>  
> -	ret = calc_hmac(digest, derived_key, sizeof derived_key, p, len);
> -	if (ret < 0)
> -		goto out;
> +	hmac_sha256_usingrawkey(derived_key, sizeof(derived_key), p, len,
> +				digest);
>  	ret = crypto_memneq(digest, epayload->format + epayload->datablob_len,
>  			    sizeof(digest));
>  	if (ret) {
>  		ret = -EINVAL;
>  		dump_hmac("datablob",
> @@ -1009,33 +981,18 @@ EXPORT_SYMBOL_GPL(key_type_encrypted);
>  
>  static int __init init_encrypted(void)
>  {
>  	int ret;
>  
> -	hash_tfm = crypto_alloc_shash(hash_alg, 0, 0);
> -	if (IS_ERR(hash_tfm)) {
> -		pr_err("encrypted_key: can't allocate %s transform: %ld\n",
> -		       hash_alg, PTR_ERR(hash_tfm));
> -		return PTR_ERR(hash_tfm);
> -	}
> -
>  	ret = aes_get_sizes();
>  	if (ret < 0)
> -		goto out;
> -	ret = register_key_type(&key_type_encrypted);
> -	if (ret < 0)
> -		goto out;
> -	return 0;
> -out:
> -	crypto_free_shash(hash_tfm);
> -	return ret;
> -
> +		return ret;
> +	return register_key_type(&key_type_encrypted);
>  }
>  
>  static void __exit cleanup_encrypted(void)
>  {
> -	crypto_free_shash(hash_tfm);
>  	unregister_key_type(&key_type_encrypted);
>  }
>  
>  late_initcall(init_encrypted);
>  module_exit(cleanup_encrypted);
> 
> base-commit: d6084bb815c453de27af8071a23163a711586a6c
> -- 
> 2.50.1
> 

Re: [PATCH] KEYS: encrypted: Use SHA-256 library instead of crypto_shash

[Mimi Zohar]

On Thu, 2025-07-31 at 11:47 -0700, Eric Biggers wrote:
> Instead of the "sha256" crypto_shash, just use sha256().  Similarly,
> instead of the "hmac(sha256)" crypto_shash, just use
> hmac_sha256_usingrawkey().  This is simpler and faster.
> 
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>

Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>

> ---
>  security/keys/Kconfig                    |  3 +-
>  security/keys/encrypted-keys/encrypted.c | 63 ++++--------------------
>  2 files changed, 11 insertions(+), 55 deletions(-)
> 
> diff --git a/security/keys/Kconfig b/security/keys/Kconfig
> index d4f5fc1e72638..64477e2c4a212 100644
> --- a/security/keys/Kconfig
> +++ b/security/keys/Kconfig
> @@ -85,14 +85,13 @@ endif
>  
>  config ENCRYPTED_KEYS
>  	tristate "ENCRYPTED KEYS"
>  	depends on KEYS
>  	select CRYPTO
> -	select CRYPTO_HMAC
>  	select CRYPTO_AES
>  	select CRYPTO_CBC
> -	select CRYPTO_SHA256
> +	select CRYPTO_LIB_SHA256
>  	select CRYPTO_RNG
>  	help
>  	  This option provides support for create/encrypting/decrypting keys
>  	  in the kernel.  Encrypted keys are instantiated using kernel
>  	  generated random numbers or provided decrypted data, and are
> diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
> index 831cb84fd75a1..513c09e2b01cf 100644
> --- a/security/keys/encrypted-keys/encrypted.c
> +++ b/security/keys/encrypted-keys/encrypted.c
> @@ -25,22 +25,19 @@
>  #include <linux/random.h>
>  #include <linux/rcupdate.h>
>  #include <linux/scatterlist.h>
>  #include <linux/ctype.h>
>  #include <crypto/aes.h>
> -#include <crypto/hash.h>
>  #include <crypto/sha2.h>
>  #include <crypto/skcipher.h>
>  #include <crypto/utils.h>
>  
>  #include "encrypted.h"
>  #include "ecryptfs_format.h"
>  
>  static const char KEY_TRUSTED_PREFIX[] = "trusted:";
>  static const char KEY_USER_PREFIX[] = "user:";
> -static const char hash_alg[] = "sha256";
> -static const char hmac_alg[] = "hmac(sha256)";
>  static const char blkcipher_alg[] = "cbc(aes)";
>  static const char key_format_default[] = "default";
>  static const char key_format_ecryptfs[] = "ecryptfs";
>  static const char key_format_enc32[] = "enc32";
>  static unsigned int ivsize;
> @@ -52,12 +49,10 @@ static int blksize;
>  #define HASH_SIZE SHA256_DIGEST_SIZE
>  #define MAX_DATA_SIZE 4096
>  #define MIN_DATA_SIZE  20
>  #define KEY_ENC32_PAYLOAD_LEN 32
>  
> -static struct crypto_shash *hash_tfm;
> -
>  enum {
>  	Opt_new, Opt_load, Opt_update, Opt_err
>  };
>  
>  enum {
> @@ -327,39 +322,18 @@ static struct key *request_user_key(const char *master_desc, const u8 **master_k
>  	*master_keylen = upayload->datalen;
>  error:
>  	return ukey;
>  }
>  
> -static int calc_hmac(u8 *digest, const u8 *key, unsigned int keylen,
> -		     const u8 *buf, unsigned int buflen)
> -{
> -	struct crypto_shash *tfm;
> -	int err;
> -
> -	tfm = crypto_alloc_shash(hmac_alg, 0, 0);
> -	if (IS_ERR(tfm)) {
> -		pr_err("encrypted_key: can't alloc %s transform: %ld\n",
> -		       hmac_alg, PTR_ERR(tfm));
> -		return PTR_ERR(tfm);
> -	}
> -
> -	err = crypto_shash_setkey(tfm, key, keylen);
> -	if (!err)
> -		err = crypto_shash_tfm_digest(tfm, buf, buflen, digest);
> -	crypto_free_shash(tfm);
> -	return err;
> -}
> -
>  enum derived_key_type { ENC_KEY, AUTH_KEY };
>  
>  /* Derive authentication/encryption key from trusted key */
>  static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
>  			   const u8 *master_key, size_t master_keylen)
>  {
>  	u8 *derived_buf;
>  	unsigned int derived_buf_len;
> -	int ret;
>  
>  	derived_buf_len = strlen("AUTH_KEY") + 1 + master_keylen;
>  	if (derived_buf_len < HASH_SIZE)
>  		derived_buf_len = HASH_SIZE;
>  
> @@ -372,14 +346,13 @@ static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
>  	else
>  		strcpy(derived_buf, "ENC_KEY");
>  
>  	memcpy(derived_buf + strlen(derived_buf) + 1, master_key,
>  	       master_keylen);
> -	ret = crypto_shash_tfm_digest(hash_tfm, derived_buf, derived_buf_len,
> -				      derived_key);
> +	sha256(derived_buf, derived_buf_len, derived_key);
>  	kfree_sensitive(derived_buf);
> -	return ret;
> +	return 0;
>  }
>  
>  static struct skcipher_request *init_skcipher_req(const u8 *key,
>  						  unsigned int key_len)
>  {
> @@ -501,14 +474,14 @@ static int datablob_hmac_append(struct encrypted_key_payload *epayload,
>  	ret = get_derived_key(derived_key, AUTH_KEY, master_key, master_keylen);
>  	if (ret < 0)
>  		goto out;
>  
>  	digest = epayload->format + epayload->datablob_len;
> -	ret = calc_hmac(digest, derived_key, sizeof derived_key,
> -			epayload->format, epayload->datablob_len);
> -	if (!ret)
> -		dump_hmac(NULL, digest, HASH_SIZE);
> +	hmac_sha256_usingrawkey(derived_key, sizeof(derived_key),
> +				epayload->format, epayload->datablob_len,
> +				digest);
> +	dump_hmac(NULL, digest, HASH_SIZE);
>  out:
>  	memzero_explicit(derived_key, sizeof(derived_key));
>  	return ret;
>  }
>  
> @@ -532,13 +505,12 @@ static int datablob_hmac_verify(struct encrypted_key_payload *epayload,
>  		p = epayload->master_desc;
>  		len -= strlen(epayload->format) + 1;
>  	} else
>  		p = epayload->format;
>  
> -	ret = calc_hmac(digest, derived_key, sizeof derived_key, p, len);
> -	if (ret < 0)
> -		goto out;
> +	hmac_sha256_usingrawkey(derived_key, sizeof(derived_key), p, len,
> +				digest);
>  	ret = crypto_memneq(digest, epayload->format + epayload->datablob_len,
>  			    sizeof(digest));
>  	if (ret) {
>  		ret = -EINVAL;
>  		dump_hmac("datablob",
> @@ -1009,33 +981,18 @@ EXPORT_SYMBOL_GPL(key_type_encrypted);
>  
>  static int __init init_encrypted(void)
>  {
>  	int ret;
>  
> -	hash_tfm = crypto_alloc_shash(hash_alg, 0, 0);
> -	if (IS_ERR(hash_tfm)) {
> -		pr_err("encrypted_key: can't allocate %s transform: %ld\n",
> -		       hash_alg, PTR_ERR(hash_tfm));
> -		return PTR_ERR(hash_tfm);
> -	}
> -
>  	ret = aes_get_sizes();
>  	if (ret < 0)
> -		goto out;
> -	ret = register_key_type(&key_type_encrypted);
> -	if (ret < 0)
> -		goto out;
> -	return 0;
> -out:
> -	crypto_free_shash(hash_tfm);
> -	return ret;
> -
> +		return ret;
> +	return register_key_type(&key_type_encrypted);
>  }
>  
>  static void __exit cleanup_encrypted(void)
>  {
> -	crypto_free_shash(hash_tfm);
>  	unregister_key_type(&key_type_encrypted);
>  }
>  
>  late_initcall(init_encrypted);
>  module_exit(cleanup_encrypted);
> 
> base-commit: d6084bb815c453de27af8071a23163a711586a6c

Re: [PATCH] KEYS: encrypted: Use SHA-256 library instead of crypto_shash

[Mimi Zohar]

On Tue, 2025-08-05 at 16:41 +0300, Jarkko Sakkinen wrote:
> On Thu, Jul 31, 2025 at 11:47:47AM -0700, Eric Biggers wrote:
> > Instead of the "sha256" crypto_shash, just use sha256().  Similarly,
> > instead of the "hmac(sha256)" crypto_shash, just use
> > hmac_sha256_usingrawkey().  This is simpler and faster.
> > 
> > Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> 
> Yeah, fully agree.
> 
> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
> 
> David, will you pick this?
> 

Do you want this patch being upstreamed with "[PATCH 0/2] Convert lib/digsig.c
to SHA-1 library" patch set?

thanks,

Mimi

> 
> > ---
> >  security/keys/Kconfig                    |  3 +-
> >  security/keys/encrypted-keys/encrypted.c | 63 ++++--------------------
> >  2 files changed, 11 insertions(+), 55 deletions(-)
> > 
> > diff --git a/security/keys/Kconfig b/security/keys/Kconfig
> > index d4f5fc1e72638..64477e2c4a212 100644
> > --- a/security/keys/Kconfig
> > +++ b/security/keys/Kconfig
> > @@ -85,14 +85,13 @@ endif
> >  
> >  config ENCRYPTED_KEYS
> >  	tristate "ENCRYPTED KEYS"
> >  	depends on KEYS
> >  	select CRYPTO
> > -	select CRYPTO_HMAC
> >  	select CRYPTO_AES
> >  	select CRYPTO_CBC
> > -	select CRYPTO_SHA256
> > +	select CRYPTO_LIB_SHA256
> >  	select CRYPTO_RNG
> >  	help
> >  	  This option provides support for create/encrypting/decrypting keys
> >  	  in the kernel.  Encrypted keys are instantiated using kernel
> >  	  generated random numbers or provided decrypted data, and are
> > diff --git a/security/keys/encrypted-keys/encrypted.c b/security/keys/encrypted-keys/encrypted.c
> > index 831cb84fd75a1..513c09e2b01cf 100644
> > --- a/security/keys/encrypted-keys/encrypted.c
> > +++ b/security/keys/encrypted-keys/encrypted.c
> > @@ -25,22 +25,19 @@
> >  #include <linux/random.h>
> >  #include <linux/rcupdate.h>
> >  #include <linux/scatterlist.h>
> >  #include <linux/ctype.h>
> >  #include <crypto/aes.h>
> > -#include <crypto/hash.h>
> >  #include <crypto/sha2.h>
> >  #include <crypto/skcipher.h>
> >  #include <crypto/utils.h>
> >  
> >  #include "encrypted.h"
> >  #include "ecryptfs_format.h"
> >  
> >  static const char KEY_TRUSTED_PREFIX[] = "trusted:";
> >  static const char KEY_USER_PREFIX[] = "user:";
> > -static const char hash_alg[] = "sha256";
> > -static const char hmac_alg[] = "hmac(sha256)";
> >  static const char blkcipher_alg[] = "cbc(aes)";
> >  static const char key_format_default[] = "default";
> >  static const char key_format_ecryptfs[] = "ecryptfs";
> >  static const char key_format_enc32[] = "enc32";
> >  static unsigned int ivsize;
> > @@ -52,12 +49,10 @@ static int blksize;
> >  #define HASH_SIZE SHA256_DIGEST_SIZE
> >  #define MAX_DATA_SIZE 4096
> >  #define MIN_DATA_SIZE  20
> >  #define KEY_ENC32_PAYLOAD_LEN 32
> >  
> > -static struct crypto_shash *hash_tfm;
> > -
> >  enum {
> >  	Opt_new, Opt_load, Opt_update, Opt_err
> >  };
> >  
> >  enum {
> > @@ -327,39 +322,18 @@ static struct key *request_user_key(const char *master_desc, const u8 **master_k
> >  	*master_keylen = upayload->datalen;
> >  error:
> >  	return ukey;
> >  }
> >  
> > -static int calc_hmac(u8 *digest, const u8 *key, unsigned int keylen,
> > -		     const u8 *buf, unsigned int buflen)
> > -{
> > -	struct crypto_shash *tfm;
> > -	int err;
> > -
> > -	tfm = crypto_alloc_shash(hmac_alg, 0, 0);
> > -	if (IS_ERR(tfm)) {
> > -		pr_err("encrypted_key: can't alloc %s transform: %ld\n",
> > -		       hmac_alg, PTR_ERR(tfm));
> > -		return PTR_ERR(tfm);
> > -	}
> > -
> > -	err = crypto_shash_setkey(tfm, key, keylen);
> > -	if (!err)
> > -		err = crypto_shash_tfm_digest(tfm, buf, buflen, digest);
> > -	crypto_free_shash(tfm);
> > -	return err;
> > -}
> > -
> >  enum derived_key_type { ENC_KEY, AUTH_KEY };
> >  
> >  /* Derive authentication/encryption key from trusted key */
> >  static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
> >  			   const u8 *master_key, size_t master_keylen)
> >  {
> >  	u8 *derived_buf;
> >  	unsigned int derived_buf_len;
> > -	int ret;
> >  
> >  	derived_buf_len = strlen("AUTH_KEY") + 1 + master_keylen;
> >  	if (derived_buf_len < HASH_SIZE)
> >  		derived_buf_len = HASH_SIZE;
> >  
> > @@ -372,14 +346,13 @@ static int get_derived_key(u8 *derived_key, enum derived_key_type key_type,
> >  	else
> >  		strcpy(derived_buf, "ENC_KEY");
> >  
> >  	memcpy(derived_buf + strlen(derived_buf) + 1, master_key,
> >  	       master_keylen);
> > -	ret = crypto_shash_tfm_digest(hash_tfm, derived_buf, derived_buf_len,
> > -				      derived_key);
> > +	sha256(derived_buf, derived_buf_len, derived_key);
> >  	kfree_sensitive(derived_buf);
> > -	return ret;
> > +	return 0;
> >  }
> >  
> >  static struct skcipher_request *init_skcipher_req(const u8 *key,
> >  						  unsigned int key_len)
> >  {
> > @@ -501,14 +474,14 @@ static int datablob_hmac_append(struct encrypted_key_payload *epayload,
> >  	ret = get_derived_key(derived_key, AUTH_KEY, master_key, master_keylen);
> >  	if (ret < 0)
> >  		goto out;
> >  
> >  	digest = epayload->format + epayload->datablob_len;
> > -	ret = calc_hmac(digest, derived_key, sizeof derived_key,
> > -			epayload->format, epayload->datablob_len);
> > -	if (!ret)
> > -		dump_hmac(NULL, digest, HASH_SIZE);
> > +	hmac_sha256_usingrawkey(derived_key, sizeof(derived_key),
> > +				epayload->format, epayload->datablob_len,
> > +				digest);
> > +	dump_hmac(NULL, digest, HASH_SIZE);
> >  out:
> >  	memzero_explicit(derived_key, sizeof(derived_key));
> >  	return ret;
> >  }
> >  
> > @@ -532,13 +505,12 @@ static int datablob_hmac_verify(struct encrypted_key_payload *epayload,
> >  		p = epayload->master_desc;
> >  		len -= strlen(epayload->format) + 1;
> >  	} else
> >  		p = epayload->format;
> >  
> > -	ret = calc_hmac(digest, derived_key, sizeof derived_key, p, len);
> > -	if (ret < 0)
> > -		goto out;
> > +	hmac_sha256_usingrawkey(derived_key, sizeof(derived_key), p, len,
> > +				digest);
> >  	ret = crypto_memneq(digest, epayload->format + epayload->datablob_len,
> >  			    sizeof(digest));
> >  	if (ret) {
> >  		ret = -EINVAL;
> >  		dump_hmac("datablob",
> > @@ -1009,33 +981,18 @@ EXPORT_SYMBOL_GPL(key_type_encrypted);
> >  
> >  static int __init init_encrypted(void)
> >  {
> >  	int ret;
> >  
> > -	hash_tfm = crypto_alloc_shash(hash_alg, 0, 0);
> > -	if (IS_ERR(hash_tfm)) {
> > -		pr_err("encrypted_key: can't allocate %s transform: %ld\n",
> > -		       hash_alg, PTR_ERR(hash_tfm));
> > -		return PTR_ERR(hash_tfm);
> > -	}
> > -
> >  	ret = aes_get_sizes();
> >  	if (ret < 0)
> > -		goto out;
> > -	ret = register_key_type(&key_type_encrypted);
> > -	if (ret < 0)
> > -		goto out;
> > -	return 0;
> > -out:
> > -	crypto_free_shash(hash_tfm);
> > -	return ret;
> > -
> > +		return ret;
> > +	return register_key_type(&key_type_encrypted);
> >  }
> >  
> >  static void __exit cleanup_encrypted(void)
> >  {
> > -	crypto_free_shash(hash_tfm);
> >  	unregister_key_type(&key_type_encrypted);
> >  }
> >  
> >  late_initcall(init_encrypted);
> >  module_exit(cleanup_encrypted);
> > 
> > base-commit: d6084bb815c453de27af8071a23163a711586a6c
> > -- 
> > 2.50.1
> > 
> 

Re: [PATCH] KEYS: encrypted: Use SHA-256 library instead of crypto_shash

[Eric Biggers]

On Sun, Sep 07, 2025 at 07:57:12AM -0400, Mimi Zohar wrote:
> On Tue, 2025-08-05 at 16:41 +0300, Jarkko Sakkinen wrote:
> > On Thu, Jul 31, 2025 at 11:47:47AM -0700, Eric Biggers wrote:
> > > Instead of the "sha256" crypto_shash, just use sha256().  Similarly,
> > > instead of the "hmac(sha256)" crypto_shash, just use
> > > hmac_sha256_usingrawkey().  This is simpler and faster.
> > > 
> > > Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> > 
> > Yeah, fully agree.
> > 
> > Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
> > 
> > David, will you pick this?
> > 
> 
> Do you want this patch being upstreamed with "[PATCH 0/2] Convert lib/digsig.c
> to SHA-1 library" patch set?
> 
> thanks,
> 
> Mimi

If someone could apply this for v6.18, that would be great.  It's
independent of my other patches.  It looks like Mimi has been taking
changes to this file most recently.  If David or Jarkko wants to take it
instead, that's fine too.  As long as someone does it.

- Eric

Re: [PATCH] KEYS: encrypted: Use SHA-256 library instead of crypto_shash

[Jarkko Sakkinen]

On Mon, Sep 15, 2025 at 11:39:49AM -0500, Eric Biggers wrote:
> On Sun, Sep 07, 2025 at 07:57:12AM -0400, Mimi Zohar wrote:
> > On Tue, 2025-08-05 at 16:41 +0300, Jarkko Sakkinen wrote:
> > > On Thu, Jul 31, 2025 at 11:47:47AM -0700, Eric Biggers wrote:
> > > > Instead of the "sha256" crypto_shash, just use sha256().  Similarly,
> > > > instead of the "hmac(sha256)" crypto_shash, just use
> > > > hmac_sha256_usingrawkey().  This is simpler and faster.
> > > > 
> > > > Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> > > 
> > > Yeah, fully agree.
> > > 
> > > Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
> > > 
> > > David, will you pick this?
> > > 
> > 
> > Do you want this patch being upstreamed with "[PATCH 0/2] Convert lib/digsig.c
> > to SHA-1 library" patch set?
> > 
> > thanks,
> > 
> > Mimi
> 
> If someone could apply this for v6.18, that would be great.  It's
> independent of my other patches.  It looks like Mimi has been taking
> changes to this file most recently.  If David or Jarkko wants to take it
> instead, that's fine too.  As long as someone does it.

I did it and I'm sorry that I didn't do this earlier!

df8f189a0d3e (HEAD -> next, origin/next) KEYS: encrypted: Use SHA-256 library instead of crypto_shash
72f6cd8ad0db (origin/master, origin/HEAD, master) tpm: Use HMAC-SHA256 library instead of open-coded HMAC

Somehow my head did ticks after applying patch below and thought that
everything is ok :-) I actually had plan to apply this one too but now
it is there ready for PR.

> 
> - Eric

BR, Jarkko