| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ba4880b2-0569-4125-9670-0119d37d57b0@gmail.com> Date: Thu, 17 Oct 2024 23:03:21 +0200 From: Milan Broz <gmazyland@...il.com> To: Eric Biggers <ebiggers@...nel.org> Cc: dm-devel@...ts.linux.dev, linux-block@...r.kernel.org, linux-kernel@...r.kernel.org, Md Sadre Alam <quic_mdalam@...cinc.com>, Israel Rukshin <israelr@...dia.com>, Mikulas Patocka <mpatocka@...hat.com> Subject: Re: [RFC PATCH v2 2/2] dm-inlinecrypt: add target for inline block device encryption On 10/17/24 10:28 PM, Eric Biggers wrote: > On Thu, Oct 17, 2024 at 10:17:04PM +0200, Milan Broz wrote: >> On 10/17/24 9:44 PM, Eric Biggers wrote: >>> On Wed, Oct 16, 2024 at 04:27:48PM -0700, Eric Biggers wrote: >>>> Add a new device-mapper target "dm-inlinecrypt" that is similar to >>>> dm-crypt but uses the blk-crypto API instead of the regular crypto API. >>>> This allows it to take advantage of inline encryption hardware such as >>>> that commonly built into UFS host controllers. >>> >>> A slight difference in behavior vs. dm-crypt that I just became aware of: >>> dm-crypt allows XTS keys whose first half equals the second half, i.e. >>> cipher key == tweak key. dm-inlinecrypt typically will not allow this. Inline >>> encryption hardware typically rejects such keys, and blk-crypto-fallback rejects >>> them too because it uses CRYPTO_TFM_REQ_FORBID_WEAK_KEYS. >>> >>> IMO, rejecting these weak keys is desirable, and the fact that dm-inlinecrypt >>> fixes this issue with dm-crypt will just need to be documented. >> >> Hm, I thought this is already rejected in crypto API (at least in FIPS mode)... >> >> It should be rejected exactly as you described even for dm-crypt, >> just the check should be (IMO) part of crypto API (set keys), not dm-crypt itself. >> >> And here I think we should not be backward "compatible" as it is security issue, >> both XTS keys just must not be the same. >> > > In "FIPS mode" such keys are always rejected, but otherwise it is opt-in via the > flag CRYPTO_TFM_REQ_FORBID_WEAK_KEYS. dm-crypt doesn't use that flag. > > We could certainly try to fix that in dm-crypt, though I expect that some > dm-crypt users have started relying on such keys. It is a common misconception > that XTS is secure when the two halves of the key are the same. Ah, ok, I missed that weak keys flag. We never did that in cryptsetup (including LUKS and plain with hashed passwords), with the exception for benchmark (where it it was not a real key, just all zeroes, and was fixed years ago as it did not work in FIPS) -- and obviously the case when user set the key explicitly. The same check is now in VeraCrypt (that uses dm-crypt on Linux). I know about several broken HW crypto, but actually no dm-crypt user. IMO we should set CRYPTO_TFM_REQ_FORBID_WEAK_KEYS by default. We can always introduce flag to disable it, but I would really like to know if there are any real users.... Milan
Powered by blists - more mailing lists