Re: [PATCH 3/4] dm crypt: switch to EBOIV crypto API template

From: Eric Biggers
Date: Mon Oct 26 2020 - 14:39:41 EST


On Mon, Oct 26, 2020 at 07:29:57PM +0100, Milan Broz wrote:
> On 26/10/2020 18:52, Eric Biggers wrote:
> > On Mon, Oct 26, 2020 at 03:04:46PM +0200, Gilad Ben-Yossef wrote:
> >> Replace the explicit EBOIV handling in the dm-crypt driver with calls
> >> into the crypto API, which now possesses the capability to perform
> >> this processing within the crypto subsystem.
> >>
> >> Signed-off-by: Gilad Ben-Yossef <gilad@xxxxxxxxxxxxx>
> >>
> >> ---
> >> drivers/md/Kconfig | 1 +
> >> drivers/md/dm-crypt.c | 61 ++++++++++++++-----------------------------
> >> 2 files changed, 20 insertions(+), 42 deletions(-)
> >>
> >> diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig
> >> index 30ba3573626c..ca6e56a72281 100644
> >> --- a/drivers/md/Kconfig
> >> +++ b/drivers/md/Kconfig
> >> @@ -273,6 +273,7 @@ config DM_CRYPT
> >> select CRYPTO
> >> select CRYPTO_CBC
> >> select CRYPTO_ESSIV
> >> + select CRYPTO_EBOIV
> >> help
> >> This device-mapper target allows you to create a device that
> >> transparently encrypts the data on it. You'll need to activate
> >
> > Can CRYPTO_EBOIV please not be selected by default? If someone really wants
> > Bitlocker compatibility support, they can select this option themselves.
>
> Please no! Until this move of IV to crypto API, we can rely on
> support in dm-crypt (if it is not supported, it is just a very old kernel).
> (Actually, this was the first thing I checked in this patchset - if it is
> unconditionally enabled for compatibility once dmcrypt is selected.)
>
> People already use removable devices with BitLocker.
> It was the whole point that it works out-of-the-box without enabling anything.
>
> If you insist on this to be optional, please better keep this IV inside dmcrypt.
> (EBOIV has no other use than for disk encryption anyway.)
>
> Or maybe another option would be to introduce option under dm-crypt Kconfig that
> defaults to enabled (like support for foreign/legacy disk encryption schemes) and that
> selects these IVs/modes.
> But requiring some random switch in crypto API will only confuse users.

CONFIG_DM_CRYPT can either select every weird combination of algorithms anyone
can ever be using, or it can select some defaults and require any other needed
algorithms to be explicitly selected.

In reality, dm-crypt has never even selected any particular block ciphers, even
AES. Nor has it ever selected XTS. So it's actually always made users (or
kernel distributors) explicitly select algorithms. Why the Bitlocker support
suddenly different?

I'd think a lot of dm-crypt users don't want to bloat their kernels with random
legacy algorithms.

- Eric