| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 15 Dec 2015 00:31:52 +0100 From: Milan Broz <gmazyland@...il.com> To: Baolin Wang <baolin.wang@...aro.org>, axboe@...nel.dk, agk@...hat.com, snitzer@...hat.com, dm-devel@...hat.com Cc: neilb@...e.com, dan.j.williams@...el.com, martin.petersen@...cle.com, sagig@...lanox.com, kent.overstreet@...il.com, keith.busch@...el.com, tj@...nel.org, broonie@...nel.org, arnd@...db.de, linux-block@...r.kernel.org, linux-raid@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 2/2] md: dm-crypt: Optimize the dm-crypt for XTS mode On 12/14/2015 09:23 AM, Baolin Wang wrote: > In now dm-crypt code, it is ineffective to map one bio with just only > one scatterlist at one time for XTS mode. We can use multiple scatterlists > to map the whole bio and send all scatterlists of one bio to crypto engine > to encrypt or decrypt, which can improve the hardware engine's efficiency. ... > + /* > + * Here we need to check if it can be encrypted or decrypted with > + * bulk block, which means these encryption modes don't need IV or > + * just need one initial IV. For bulk mode, we can expand the > + * scatterlist entries to map the bio, then send all the scatterlists > + * to the hardware engine at one time to improve the crypto engine > + * efficiency. But it does not fit for other encryption modes, it has > + * to do encryption and decryption sector by sector because every > + * sector has different IV. > + */ > + if (!strcmp(chainmode, "ecb") || !strcmp(chainmode, "xts")) > + cc->bulk_crypto = 1; > + else > + cc->bulk_crypto = 0;n It is perfectly fine to use another IV even for XTS mode (despite it is not needed). You can use ESSIV for example, or benbi (big-endian variant of plain IV). (And it is really used for some LUKS devices.) How it is supposed to work in this case? If I read this patch correctly, it will completely corrupt data in this case because it expects plain (consecutive) IV... Also how it handles 32bit plain IV (that restart after 2TB)? (IOW plain IV, not plain64). Milan -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists