| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 12 May 2015 17:20:42 -0700 From: Jaegeuk Kim <jaegeuk@...nel.org> To: Theodore Ts'o <tytso@....edu>, linux-kernel@...r.kernel.org, linux-fsdevel@...r.kernel.org, linux-f2fs-devel@...ts.sourceforge.net, mhalcrow@...gle.com Subject: Re: [PATCH] f2fs crypto: use inode number for xts_tweak On Tue, May 12, 2015 at 07:35:57PM -0400, Theodore Ts'o wrote: > On Mon, May 11, 2015 at 08:51:03PM -0700, Jaegeuk Kim wrote: > > Previoulsy when making xts_tweak, page->index was used. > > But, when it supports fcollapse, the block address was moved, so that we can > > lose the original page->index, which causes decrytion failure. > > > > In order to avoid that, let's use the inode->i_ino for xfs_tweak hint. > > I'm afraid that's a really bad idea. We need to have a different xts > tweak for each block, and if we use the inode number, then every > single block will have the same XTS tweak, which is a cryptographic > disaster. Thank you for the kind explanation. I just thought that inode number was enough for encryption, since user can easily retrieve any inode number and its block offsets/addresses as well. > > Basically, we currently can't support either collapse range or insert > range for encrypted files. In ext4 we explicitly return EOPNOTSUPP if > there is an attempt to call collapse range on an encrypted file. > Personally, I don't think this is a major restriction, so I haven't > lost any sleep over this. Ok, I see. It should not be a major concern. I'll deactivate collapse/insert in f2fs instead. > > Eventually, Michael and I hope to add support for Galois Counter Mode, > but that requires the file system to be able to store per-block > cryptrographic information, which can be used for the GCM > authentication tag as well as a per-block IV. The per-block IV being > stored in a separate data structure would also allow insert > range/collapse range to work, at the cost of needing to do a lookup to > fetch the per-block cryptographic information. (And to set the > per-block cryptographic information when writing the information, in a > way where we can atomically write the data block as well as the > per-block authenticaiton tag, which gets a bit tricky....) > > In any case, I believe support for data integrity is a far more > compelling reason for adding pre-block crypto information, and > supporting collapse/insert range is at best a fortunate side effect. Got it, thanks, :) > > Cheers, > > - Ted -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists