[dm-devel] [PATCH 3/3] dm-crypt: Implement eboiv - encrypted byte-offset initialization vector.
Ard Biesheuvel
ard.biesheuvel at linaro.org
Fri Jul 5 06:32:03 UTC 2019
On Fri, 5 Jul 2019 at 05:08, Herbert Xu <herbert at gondor.apana.org.au> wrote:
>
> On Thu, Jul 04, 2019 at 08:11:46PM +0200, Ard Biesheuvel wrote:
> >
> > To be clear, making the cipher API internal only is something that I
> > am proposing but hasn't been widely discussed yet. So if you make a
> > good argument why it is a terrible idea, I'm sure it will be taken
> > into account.
> >
> > The main issue is that the cipher API is suboptimal if you process
> > many blocks in sequence, since SIMD implementations will not be able
> > to amortize the cost of kernel_fpu_begin()/end(). This is something
> > that we might be able to fix in other ways (and a SIMD get/put
> > interface has already been proposed which looks suitable for this as
> > well) but that would still involve an API change for something that
> > isn't the correct abstraction in the first place in many cases. (There
> > are multiple implementations of ccm(aes) using cipher_encrypt_one() in
> > a loop, for instance, and these are not able to benefit from, e.g,
> > the accelerated implementation that I created for arm64, since it open
> > codes the CCM operations)
>
> I agree with what you guys have concluded so far. But I do have
> something I want to say about eboiv's implementation itself.
>
> AFAICS this is using the same key as the actual data. So why
> don't you combine it with the actual data when encrypting/decrypting?
>
> That is, add a block at the front of the actual data containing
> the little-endian byte offset and then use an IV of zero.
>
That would only work for encryption.
More information about the dm-devel
mailing list