Re: [PATCH 1/5 v2] PM / hibernate: Create snapshot keys handler

From: Andy Lutomirski
Date: Tue Jan 08 2019 - 18:54:28 EST



> On Jan 7, 2019, at 11:09 PM, Stephan Mueller <smueller@xxxxxxxxxx> wrote:
>
> Am Dienstag, 8. Januar 2019, 06:03:58 CET schrieb Herbert Xu:
>
> Hi Herbert,
>
>> Are we going to have multiple implementations for the same KDF?
>> If not then the crypto API is not a good fit. To consolidate
>> multiple implementations of the same KDF, simply provide helpers
>> for them.
>
> It is unlikely to have multiple implementations of a KDF. However, KDFs relate
> to hashes like block chaining modes to raw block ciphers. Thus a KDF can be
> applied with different hashes.
>
> My idea was to add template support to RNGs (because KDFs are effectively a
> type of RNG since they produce an arbitrary output from a fixed input). The
> KDFs would be a template wrapping hashes. For example, the CTR-KDF from
> SP800-108 could be instantiated like kdf-ctr(sha256).
>
>

I think that, if the crypto API is going to grow a KDF facility, it should be done right. Have a key type or flag or whatever that says âthis key may *only* be used to derive keys using such-and-such algorithmâ, and have a helper to derive a key. That helper should take some useful parameters and mix them in:

- What type of key is being derived? ECDSA signing key? HMAC key? AES key?

- Can user code access the derived key?

- What is the keyâs purpose? âEncrypt and authenticate a hibernation imageâ would be a purpose.

- Number of bytes.

All of these parameters should be mixed in to the key derivation.

Also, an AE key, even for AES+HMAC, should be just one derived key. If you need 512 bits, ask for a 512-bit key, not two 256-bit keys.