[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <YdZ5HrOKEffBrQIm@sol.localdomain>
Date: Wed, 5 Jan 2022 21:07:42 -0800
From: Eric Biggers <ebiggers@...nel.org>
To: "Bae, Chang Seok" <chang.seok.bae@...el.com>
Cc: "dm-devel@...hat.com" <dm-devel@...hat.com>,
Thomas Gleixner <tglx@...utronix.de>,
Borislav Petkov <bp@...e.de>,
Dave Hansen <dave.hansen@...ux.intel.com>,
Ingo Molnar <mingo@...nel.org>,
"Lutomirski, Andy" <luto@...nel.org>,
the arch/x86 maintainers <x86@...nel.org>,
Herbert Xu <herbert@...dor.apana.org.au>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
"Williams, Dan J" <dan.j.williams@...el.com>,
"Gairuboyina, Charishma1" <charishma1.gairuboyina@...el.com>,
"Dwarakanath, Kumar N" <kumar.n.dwarakanath@...el.com>,
"Krishnakumar, Lalithambika" <lalithambika.krishnakumar@...el.com>,
"Shankar, Ravi V" <ravi.v.shankar@...el.com>
Subject: Re: [PATCH v4 00/13] x86: Support Key Locker
On Wed, Jan 05, 2022 at 09:55:17PM +0000, Bae, Chang Seok wrote:
> >> +-----------+---------------+---------------+
> >> | Cipher | Encryption | Decryption |
> >> | (AES-KL) | (MiB/s) | (MiB/s) |
> >> +-----------+---------------+---------------+
> >> | AES-CBC | 505.3 | 2097.8 |
> >> | AES-XTS | 1130 | 696.4 |
> >> +-----------+-------------------------------+
> >
> > Why is AES-XTS decryption so much slower than AES-XTS encryption? They should
> > be about the same.
>
> Analyzing and understanding this with specific hardware implementation takes
> time for us. Will come back and update you when we have anything to share here.
Note that for disk encryption, decryption performance is usually more important
than encryption performance. So your performance results are strange.
> > Also, is the AES-CBC support really useful, given that for disk encryption,
> > AES-XTS is recommended over AES-CBC these days?
>
> Yes, we understand that AES-XTS is the primary option for disk encryption.
>
> But it seems that AES-CBC had been used for disk encryption, [1]:
>
> Comparing XTS to CBC for hard disk encryption
> If a storage device vendor is seeking FIPS 140-2 certification today,
> they will typically use CBC encryption, or even ECB. CBC is a good
> mode, ...
That document is very old. XTS has been NIST-approved for over a decade now.
>
> As long as it is factual that the mode was once popular, it can help somebody
> who wants to use Key Locker for an old disk image I think.
AES-CBC is/was usually used with ESSIV, in which case the key cannot be fully
protected by Key Locker.
I'm not sure you should bother to support legacy use cases, especially since it
might mislead users into choosing a worse algorithm.
- Eric
Powered by blists - more mailing lists