lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Tue, 12 May 2015 19:35:57 -0400
From:	Theodore Ts'o <tytso@....edu>
To:	Jaegeuk Kim <jaegeuk@...nel.org>
Cc:	linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org,
	linux-f2fs-devel@...ts.sourceforge.net, mhalcrow@...gle.com
Subject: Re: [PATCH] f2fs crypto: use inode number for xts_tweak

On Mon, May 11, 2015 at 08:51:03PM -0700, Jaegeuk Kim wrote:
> Previoulsy when making xts_tweak, page->index was used.
> But, when it supports fcollapse, the block address was moved, so that we can
> lose the original page->index, which causes decrytion failure.
> 
> In order to avoid that, let's use the inode->i_ino for xfs_tweak hint.

I'm afraid that's a really bad idea.  We need to have a different xts
tweak for each block, and if we use the inode number, then every
single block will have the same XTS tweak, which is a cryptographic
disaster.

Basically, we currently can't support either collapse range or insert
range for encrypted files.  In ext4 we explicitly return EOPNOTSUPP if
there is an attempt to call collapse range on an encrypted file.
Personally, I don't think this is a major restriction, so I haven't
lost any sleep over this.

Eventually, Michael and I hope to add support for Galois Counter Mode,
but that requires the file system to be able to store per-block
cryptrographic information, which can be used for the GCM
authentication tag as well as a per-block IV.  The per-block IV being
stored in a separate data structure would also allow insert
range/collapse range to work, at the cost of needing to do a lookup to
fetch the per-block cryptographic information.  (And to set the
per-block cryptographic information when writing the information, in a
way where we can atomically write the data block as well as the
per-block authenticaiton tag, which gets a bit tricky....)

In any case, I believe support for data integrity is a far more
compelling reason for adding pre-block crypto information, and
supporting collapse/insert range is at best a fortunate side effect.

Cheers,

						- Ted
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ