[PATCH v4 8/8] fscrypt: Add HCTR2 support for filename encryption
Ard Biesheuvel
ardb at kernel.org
Tue Apr 12 23:16:25 PDT 2022
On Wed, 13 Apr 2022 at 08:10, Eric Biggers <ebiggers at kernel.org> wrote:
>
> On Tue, Apr 12, 2022 at 05:28:16PM +0000, Nathan Huckleberry wrote:
> > HCTR2 is a tweakable, length-preserving encryption mode. It has the
> > same security guarantees as Adiantum, but is intended for use on CPUs
> > with dedicated crypto instructions. It fixes a known weakness with
> > filename encryption: when two filenames in the same directory share a
> > prefix of >= 16 bytes, with CTS-CBC their encrypted filenames share a
> > common substring, leaking information. HCTR2 does not have this
> > problem.
> >
> > More information on HCTR2 can be found here: Length-preserving
> > encryption with HCTR2: https://eprint.iacr.org/2021/1441.pdf
>
> Please quote titles to distinguish them from the surrounding text. E.g.
>
> More information on HCTR2 can be found in the paper "Length-preserving
> encryption with HCTR2" (https://eprint.iacr.org/2021/1441.pdf)
>
>
> >
> > Signed-off-by: Nathan Huckleberry <nhuck at google.com>
> > ---
> > Documentation/filesystems/fscrypt.rst | 19 ++++++++++++++-----
> > fs/crypto/fscrypt_private.h | 2 +-
> > fs/crypto/keysetup.c | 7 +++++++
> > fs/crypto/policy.c | 4 ++++
> > include/uapi/linux/fscrypt.h | 3 ++-
> > tools/include/uapi/linux/fscrypt.h | 3 ++-
> > 6 files changed, 30 insertions(+), 8 deletions(-)
>
> Can you make sure that all fscrypt patches are Cc'ed to the linux-fscrypt
> mailing list? In this case, just Cc the whole series to there.
>
> >
> > diff --git a/Documentation/filesystems/fscrypt.rst b/Documentation/filesystems/fscrypt.rst
> > index 4d5d50dca65c..09915086abd8 100644
> > --- a/Documentation/filesystems/fscrypt.rst
> > +++ b/Documentation/filesystems/fscrypt.rst
> > @@ -337,6 +337,7 @@ Currently, the following pairs of encryption modes are supported:
> > - AES-256-XTS for contents and AES-256-CTS-CBC for filenames
> > - AES-128-CBC for contents and AES-128-CTS-CBC for filenames
> > - Adiantum for both contents and filenames
> > +- AES-256-XTS for contents and AES-256-HCTR2 for filenames
> >
> > If unsure, you should use the (AES-256-XTS, AES-256-CTS-CBC) pair.
> >
> > @@ -357,6 +358,14 @@ To use Adiantum, CONFIG_CRYPTO_ADIANTUM must be enabled. Also, fast
> > implementations of ChaCha and NHPoly1305 should be enabled, e.g.
> > CONFIG_CRYPTO_CHACHA20_NEON and CONFIG_CRYPTO_NHPOLY1305_NEON for ARM.
> >
> > +AES-256-HCTR2 is another true wide-block encryption mode. It has the same
> > +security guarantees as Adiantum, but is intended for use on CPUs with dedicated
> > +crypto instructions. See the paper "Length-preserving encryption with HCTR2"
> > +(https://eprint.iacr.org/2021/1441.pdf) for more details. To use HCTR2,
> > +CONFIG_CRYPTO_HCTR2 must be enabled. Also, fast implementations of XCTR and
> > +POLYVAL should be enabled, e.g. CRYPTO_POLYVAL_ARM64_CE and
> > +CRYPTO_AES_ARM64_CE_BLK for ARM64.
>
> "same security guarantees as Adiantum" is not really correct. Both Adiantum and
> HCTR2 are secure super-pseudorandom permutations if their underlying primitives
> are secure. So their security guarantees are pretty similar, but not literally
> the same. Can you reword this? This potentially-misleading claim also showed
> up in the commit message.
>
> > diff --git a/fs/crypto/policy.c b/fs/crypto/policy.c
> > index ed3d623724cd..fa8bdb8c76b7 100644
> > --- a/fs/crypto/policy.c
> > +++ b/fs/crypto/policy.c
> > @@ -54,6 +54,10 @@ static bool fscrypt_valid_enc_modes(u32 contents_mode, u32 filenames_mode)
> > filenames_mode == FSCRYPT_MODE_ADIANTUM)
> > return true;
> >
> > + if (contents_mode == FSCRYPT_MODE_AES_256_XTS &&
> > + filenames_mode == FSCRYPT_MODE_AES_256_HCTR2)
> > + return true;
> > +
> > return false;
> > }
>
> This is allowing HCTR2 for both v1 and v2 encryption policies. I don't think we
> should add any new features to v1 encryption policies, as they are deprecated.
> How about allowing HCTR2 for v2 encryption policies only? This is the first new
> encryption mode where this issue has come up, but this could be handled easily
> by splitting fscrypt_valid_enc_modes() into fscrypt_valid_enc_modes_v1() and
> fscrypt_valid_enc_modes_v2(). The v2 one can call the v1 one to share code.
>
> > diff --git a/tools/include/uapi/linux/fscrypt.h b/tools/include/uapi/linux/fscrypt.h
> > index 9f4428be3e36..a756b29afcc2 100644
> > --- a/tools/include/uapi/linux/fscrypt.h
> > +++ b/tools/include/uapi/linux/fscrypt.h
> > @@ -27,7 +27,8 @@
> > #define FSCRYPT_MODE_AES_128_CBC 5
> > #define FSCRYPT_MODE_AES_128_CTS 6
> > #define FSCRYPT_MODE_ADIANTUM 9
> > -/* If adding a mode number > 9, update FSCRYPT_MODE_MAX in fscrypt_private.h */
> > +#define FSCRYPT_MODE_AES_256_HCTR2 10
> > +/* If adding a mode number > 10, update FSCRYPT_MODE_MAX in fscrypt_private.h */
> >
>
> As far as I know, you don't actually need to update the copy of UAPI headers in
> tools/. The people who maintain those files handle that. It doesn't make sense
> to have copies of files in the source tree anyway.
>
Doesn't the x86 build emit a warning if these go out of sync?
More information about the linux-arm-kernel
mailing list