lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4351b4fa-2558-4b73-8604-81a4b1eef9dc@gmail.com>
Date: Sun, 5 Jan 2025 21:54:06 +0100
From: Milan Broz <gmazyland@...il.com>
To: Mikulas Patocka <mpatocka@...hat.com>
Cc: Alasdair Kergon <agk@...hat.com>, Mike Snitzer <snitzer@...nel.org>,
 dm-devel@...ts.linux.dev, Yu Kuai <yukuai1@...weicloud.com>,
 lkml <linux-kernel@...r.kernel.org>, "yukuai (C)" <yukuai3@...wei.com>
Subject: Re: [discussion] proposal to bypass zero data for dm-crypt


On 1/3/25 5:25 PM, Mikulas Patocka wrote:
> Milan, what do you think about this from a cryptographic point of view?
> Does it make sense to add an option that would detect zero data and skip
> decryption in this case?

It is a very dangerous thing.

Disk encryption is a length-preserving encryption, so it cannot prevent
decryption of modified ciphertext. However, such ciphertext modification
(without key knowledge) will cause a pseudorandom plaintext output
(IOW attacker cannot easily flip bits or whole sectors by ciphertext
modification).

If you allow the zeroed sector to transform to valid plaintext directly,
the attacker can wipe arbitrary plaintext sector. It can lead to fatal
issues (for example, wiping filesystem metadata bitmaps on some known
location).

Stack FDE (dm-crypt) below the filesystem or other storage layer
(like thin provision) that supports sparse data, and you will get
the expected behavior without such tricks.

Milan


> 
> Mikulas
> 
> On Sat, 21 Dec 2024, Yu Kuai wrote:
> 
>> Background
>>
>> We provide virtual machines for customers to use, which include an important
>> feature: in the initial state, the disks in the virtual machine do not occupy
>> actual storage space, and the data read by users is all zeros until the user
>> writes data for the first time. This can save a large amount of storage.
>>
>> Problem
>>
>> However, after introducing dm-crypt, this feature has failed. Because we
>> expect the data read by users in the initial state to be zero, we have to
>> write all zeros from dm-crypt.
>>
>> Hence we'd like to propose to bypass zero data for dm-crypt, for
>> example:
>>
>> before:
>> zero data -> encrypted zero data
>> decrypted zero data -> zero data
>> others
>>
>> after:
>> zero data -> zero data
>> decrypted zero data -> encrypted zero data
>> others(doesn't change)
>>
>> We'd like to hear from the community for suggestions first, before we
>> start. :)
>>
>> Thanks,
>> Kuai
>>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ