Date:   Mon, 26 Oct 2020 19:29:57 +0100
From:   Milan Broz <gmazyland@...il.com>
To:     Eric Biggers <ebiggers@...nel.org>,
        Gilad Ben-Yossef <gilad@...yossef.com>
Cc:     Herbert Xu <herbert@...dor.apana.org.au>,
        "David S. Miller" <davem@...emloft.net>,
        Alasdair Kergon <agk@...hat.com>,
        Mike Snitzer <snitzer@...hat.com>, dm-devel@...hat.com,
        Song Liu <song@...nel.org>, Ofir Drang <ofir.drang@....com>,
        linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
        linux-raid@...r.kernel.org
Subject: Re: [PATCH 3/4] dm crypt: switch to EBOIV crypto API template

On 26/10/2020 18:52, Eric Biggers wrote:
> On Mon, Oct 26, 2020 at 03:04:46PM +0200, Gilad Ben-Yossef wrote:
>> Replace the explicit EBOIV handling in the dm-crypt driver with calls
>> into the crypto API, which now possesses the capability to perform
>> this processing within the crypto subsystem.
>>
>> Signed-off-by: Gilad Ben-Yossef <gilad@...yossef.com>
>>
>> ---
>>  drivers/md/Kconfig    |  1 +
>>  drivers/md/dm-crypt.c | 61 ++++++++++++++-----------------------------
>>  2 files changed, 20 insertions(+), 42 deletions(-)
>>
>> diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig
>> index 30ba3573626c..ca6e56a72281 100644
>> --- a/drivers/md/Kconfig
>> +++ b/drivers/md/Kconfig
>> @@ -273,6 +273,7 @@ config DM_CRYPT
>>  	select CRYPTO
>>  	select CRYPTO_CBC
>>  	select CRYPTO_ESSIV
>> +	select CRYPTO_EBOIV
>>  	help
>>  	  This device-mapper target allows you to create a device that
>>  	  transparently encrypts the data on it. You'll need to activate
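Review bot: the unconditional `select CRYPTO_EBOIV` added next to `select CRYPTO_ESSIV` forces the symbol on for every DM_CRYPT build, but neither the help text that follows ("This device-mapper target allows you to create a device that transparently encrypts the data on it") nor the commit message says why dm-crypt now needs it. Since the downstream discussion is precisely whether this should be mandatory (BitLocker-compatible EBOIV volumes versus an opt-in), state the reason in the commit message and extend the help text to mention that the target pulls in the EBOIV generator for BitLocker-compatible volumes, so anyone configuring a kernel can see what the forced selection buys them.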
> 
> Can CRYPTO_EBOIV please not be selected by default?  If someone really wants
> Bitlocker compatibility support, they can select this option themselves.

Please no! Until this move of the IV to the crypto API, we can rely on
support in dm-crypt (if it is not supported, it is just a very old kernel).
(Actually, this was the first thing I checked in this patchset - if it is
unconditionally enabled for compatibility once dmcrypt is selected.)

People already use removable devices with BitLocker.
It was the whole point that it works out-of-the-box without enabling anything.

If you insist on this being optional, please keep this IV inside dm-crypt instead.
(EBOIV has no other use than disk encryption anyway.)

Or maybe another option would be to introduce an option under the dm-crypt Kconfig that
defaults to enabled (like support for foreign/legacy disk encryption schemes) and that
selects these IVs/modes.
But requiring some random switch in the crypto API will only confuse users.

Milan
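The alternative Milan sketches (a dm-crypt-side switch that defaults to enabled and pulls in the foreign/legacy IV generators) looks roughly like the fragment below. This is an added illustration, not part of the patch under review or of any reply in the thread; the option name DM_CRYPT_LEGACY_IV_MODES is a hypothetical placeholder, and only CRYPTO_EBOIV and the existing DM_CRYPT entry it sits beside are taken from the page.

```kconfig
# Added illustration, not from the patch or the thread.
# Sits in drivers/md/Kconfig directly after the existing "config DM_CRYPT"
# entry; DM_CRYPT itself keeps its "select CRYPTO_ESSIV" line unchanged
# and does NOT select CRYPTO_EBOIV directly.

config DM_CRYPT_LEGACY_IV_MODES
	bool "Support foreign/legacy disk encryption IV modes (e.g. BitLocker EBOIV)"
	depends on DM_CRYPT
	# Enabled by default so BitLocker-formatted removable media keeps
	# working out of the box, which is the compatibility concern raised
	# in the thread; users building a minimal kernel can switch it off.
	default y
	# "select" forces the crypto template on whenever this option is on;
	# it does not check CRYPTO_EBOIV's own dependencies, which is fine
	# here because DM_CRYPT already selects CRYPTO.
	select CRYPTO_EBOIV
	help
	  Build the IV generators needed to open volumes created by other
	  disk encryption tools, such as BitLocker's EBOIV mode.

	  If unsure, say Y. Saying N produces a kernel whose dm-crypt
	  target cannot map such volumes, with no user-visible hint other
	  than the crypto API failing to find the requested IV mode.
```

The trade-off this expresses is the one the thread is arguing about: a `select` under DM_CRYPT (as in the patch) guarantees compatibility but cannot be turned off, while a separate `default y` option keeps the decision visible to whoever configures the kernel and next to the dm-crypt entry where users would look for it, rather than behind an unrelated switch in the crypto API.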
