Re: [RFC PATCH v2 00/12] crypto: Adiantum support

From: Milan Broz
Date: Mon Nov 19 2018 - 15:05:29 EST

Next message: Luis Chamberlain: "Re: [PATCH v2 1/2] firmware: add nowarn variant of request_firmware_nowait()"
Previous message: Auger Eric: "Re: [PATCH v5] vfio: platform: Add generic reset controller support"
In reply to: Eric Biggers: "Re: [RFC PATCH v2 00/12] crypto: Adiantum support"
Next in thread: Jason A. Donenfeld: "Re: [RFC PATCH v2 00/12] crypto: Adiantum support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

On 19/11/2018 20:28, Eric Biggers wrote:
> Note that Adiantum benchmarks on x86 are misleading at the moment, since the
> initial kernel patchset doesn't include SSE2 and AVX2 optimized XChaCha and
> NHPoly1305. To start, only C and arm32 NEON implementations are included.
> Hence, on x86 Adiantum will appear much slower than it should be. But I'm
> planning to add the x86 and arm64 implementations, so it will get much faster.

The posted benchmark was just an example (it was 32bit virtual machine on my
old laptop so numbers are misleading).

If Adiantum is going to be merged, I expect it can be used as an alternative
even on x86, so I expect more optimizations.

...
> I think that when using AF_ALG, cryptsetup should get the IV size from
> /proc/crypto, or else have it hardcoded that "adiantum" uses 32-byte IVs.
> (Actually Adiantum can formally can use any size IV, but we had to choose a
> fixed size for Linux's crypto API.)

I do not want to parse /proc/crypto (it needs to load the module first anyway)
and proper API was not yet here when I wrote this code (I think we were the first
real user of userspace crypto api...)

> Getting the IV size via CRYPTO_MSG_GETALG via NETLINK_CRYPTO is also an option,
> but that requires the kconfig option CONFIG_CRYPTO_USER which isn't guaranteed
> to be enabled even if CONFIG_CRYPTO_USER_API_SKCIPHER is.

Yes. For now, I hardcode Adiantum IV size in cryptsetup and later we will try to
find a more generic way.

> Also: why is cryptsetup's default keyslot encryption AES-128-XTS instead of
> AES-256-XTS? People can choose a cipher with a 256-bit key strength such as
> AES-256-XTS or Adiantum, so the keyslots should use at least that strength too.

It was inherited from 256bit default key (so 2xAES-128 in XTS).
It is still the default for LUKS1, but we should perhaps change it to double key
it for XTS mode (at least for fallback keyslot encryption).

Anyway, we will release cryptsetup 2.0.6 very soon to fix one problem
in LUKS2, so I'll add the Adiantum IV size there as well so people can play with it.

Thanks,
Milan

p.s.
Reading the discussion about Zinc/Adiantum - I would perhaps prefer to merge
Adiantum first (if it is ready).
It is a new feature, I see it as useful cipher alternative for dm-crypt and it can be
esily backported without Zinc to older kernels (I am testing it actually this way).

Next message: Luis Chamberlain: "Re: [PATCH v2 1/2] firmware: add nowarn variant of request_firmware_nowait()"
Previous message: Auger Eric: "Re: [PATCH v5] vfio: platform: Add generic reset controller support"
In reply to: Eric Biggers: "Re: [RFC PATCH v2 00/12] crypto: Adiantum support"
Next in thread: Jason A. Donenfeld: "Re: [RFC PATCH v2 00/12] crypto: Adiantum support"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]