| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20230215101034.2c3cd1d6@kernel.org>
Date: Wed, 15 Feb 2023 10:10:34 -0800
From: Jakub Kicinski <kuba@...nel.org>
To: Willem de Bruijn <willemb@...gle.com>
Cc: Florian Westphal <fw@...len.de>, davem@...emloft.net,
netdev@...r.kernel.org, edumazet@...gle.com, pabeni@...hat.com
Subject: Re: [RFC] net: skbuff: let struct skb_ext live inside the head
On Wed, 15 Feb 2023 09:37:09 -0500 Willem de Bruijn wrote:
> How much data does psp need? The google version [1] embeds structs
> psp_skb, which may include a 256b key. If on tx the key is looked up
> from skb->sk, then on rx the only truly required field is the 32-bit
> SPI, to match a decrypted packet's session key to the socket. With a
> pointer hack on the lowest bits of skb->extensions such a tiny
> extension could perhaps be embedded in the pointer field itself.
>
> https://github.com/google/psp/blob/linux-v5.15-psp-v1.0/include/net/psp_defs.h
So.. the most I could compress it to without sacrificing any security
was:
struct psp_skb_ext {
u32 spi;
u16 generation;
u8 version;
};
I took the liberty to cut the generation down to 16 bits. The version
is not necessary if we assume all machines and flow run a single
version. But then why is the auth-only version even in the spec :(
In any case, you're right that this would fit into the pointer with
minor clever encoding. It felt even more hacky than extending shinfo
TBH.
I'd be curious to hear other opinions!
Powered by blists - more mailing lists