From patchwork Wed Oct 5 18:23:07 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Michael Halcrow X-Patchwork-Id: 9363277 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 0A4016077E for ; Wed, 5 Oct 2016 18:23:16 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 00AB2285E1 for ; Wed, 5 Oct 2016 18:23:16 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id E956128683; Wed, 5 Oct 2016 18:23:15 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.3 required=2.0 tests=BAYES_00, DKIM_ADSP_CUSTOM_MED, DKIM_SIGNED, RCVD_IN_DNSWL_HI, RCVD_IN_SORBS_SPAM, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 3312D285E1 for ; Wed, 5 Oct 2016 18:23:15 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754814AbcJESXN (ORCPT ); Wed, 5 Oct 2016 14:23:13 -0400 Received: from mail-pa0-f42.google.com ([209.85.220.42]:34540 "EHLO mail-pa0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754699AbcJESXL (ORCPT ); Wed, 5 Oct 2016 14:23:11 -0400 Received: by mail-pa0-f42.google.com with SMTP id rz1so33028872pab.1 for ; Wed, 05 Oct 2016 11:23:11 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=ETab+nK0/jmAll7CtbE2JFLImjs4H9z9xUAhghcPJTw=; b=LKtNgpaLVdqqUgi7KtceQIHzzuZjWRwwE4CId+3UmDsUpHnHDeW5i/u91ktVgIZJXV tl+5AeH6wnsPIEmqKJqBUgyE7Os1AcDoTrp2DOmB6wb8PY8AsmwAzXxjbBm50tDoinEo zPfs1dkZVDgaTISu97mj1lfTDlHniwoPIyHYmpnglMq+clr/ijlWhvt5F71ecoI4ApjR XBlIX5y12V+OZ6PenF0VGq76JC9vY2GgmjOQm4KCsH7z9+E9SEf0OgWE7a5F0khqZTBm fCpGZvocng/LMU3gl0Hhm5ZoZ2hxnRnkda2WfGArY6POQGGGedVvUQihYw+Cw2r+zeV3 fERQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to:user-agent; bh=ETab+nK0/jmAll7CtbE2JFLImjs4H9z9xUAhghcPJTw=; b=KKGaAOuMlqPARLx5fbX6ZUAhHuTx8QDdJsR4XNbuC8LO5yEvW+dEFwPAfCiIyrIHcW 041SIQKS/BkiRShJ6WVy3VUxzSs4oWEXcfyW+zv12yju/5MutkfI2NHiVGfhstPePwer bnTaUqMbBuNTKh9L9tT+4J77s4qf9D2k9AfYemuSvPgUwua8GDFlsgcJ5satVvSPi6TH siQje+GlBGSjhXtcVKcrASUT1ao4QQ5cc1v43KcuGYjSCHhka9Wie9gJdFENbWzwWrZq 7hWFCmqrNq5w3BnudwlRqxsjxo+qoajuXbrF9OA4ef0NDx4KZcLL5Hr7RVxWf+1+8T5U fZiQ== X-Gm-Message-State: AA6/9RnqSmI4pmXgCyyKy2JG9uhS/Mi0cLCcbtY4U3auoyuABlMI9WNAIAbNnccsOYjFCf6F X-Received: by 10.66.189.194 with SMTP id gk2mr15141724pac.211.1475691790539; Wed, 05 Oct 2016 11:23:10 -0700 (PDT) Received: from localhost ([2620:0:1008:13:1da:9ba4:5495:e730]) by smtp.gmail.com with ESMTPSA id qd12sm6955194pab.22.2016.10.05.11.23.09 (version=TLS1_2 cipher=AES128-SHA bits=128/128); Wed, 05 Oct 2016 11:23:09 -0700 (PDT) Date: Wed, 5 Oct 2016 11:23:07 -0700 From: Michael Halcrow To: David Gstir Cc: Richard Weinberger , linux-fsdevel , linux-ext4@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, Theodore Ts'o , jaegeuk@kernel.org, Eric Biggers , Anand Jain , Tyler Hicks Subject: Re: [PATCH] fscrypto: make XTS tweak initialization endian-independent Message-ID: <20161005182307.GA1164@google.com> References: <20161005170659.GA110549@google.com> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: <20161005170659.GA110549@google.com> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-fsdevel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-fsdevel@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP > Eric, > > > On 04.10.2016, at 18:38, Eric Biggers wrote: > > > > On Tue, Oct 04, 2016 at 10:46:54AM +0200, Richard Weinberger wrote: > >>> Also, currently this code *is* only supposed to be used for XTS. > >>> There's a bug where a specially crafted filesystem can cause > >>> this code path to be entered with CTS, but I have a patch > >>> pending in the ext4 tree to fix that. > >> > >> David and I are currently working on UBIFS encryption and we have > >> to support other cipher modes than XTS. So, keeping fscrypto as > >> generic as possible would be nice. :-) > >> > > > > The problem was that the kernel supported reading a file whose > > contents was encrypted with CTS, which is only supposed to be used > > for filenames. This was inconsistent with > > FS_IOC_SET_ENCRYPTION_POLICY which currently only allows XTS for > > contents and CTS for filenames. So in other words I wanted to > > eliminate a strange scenario that was not intended to happen and > > was almost certainly never tested. > > > > Either way, new modes can still be added if there is a good reason > > to do so. What new encryption modes are you thinking of adding, > > would they be for contents or for filenames, and are you thinking > > they would be offered by all filesystems (ext4 and f2fs too)? > > We currently have one case where our embedded platform is only able > to do AES-CBC in hardware, not AES-XTS. So switching to AES-CBC for > file contents would yield far better performance while still being > "secure enough". Great to see more interest in file system encryption. A few thoughts. I'm concerned about the proliferation of storage encryption code in the kernel. Of course, I'm perhaps the worst instigator. However what's happening now is that we have several file systems that are proposing their own encryption, as well as several attempts at support for hardware encryption. High-performance random access read/write block storage encryption with authentication is hard to get right. The way I see it, the ideal solution would have these properties: * The actual cryptographic transform happens in as few places as possible -- preferably one place in software, with a sensible vendor-neutral API for defering to hardware. * All blocks in the file system, including both file contents and file system metadata, are cryptographically protected. * Encryption is authenticated and has versioning support to enforce consistency and defend against rollback. * File systems can select which keys protect which blocks. * Authentication of all storage chains back to Secure Boot. To solve all of these simultaneously, it looks like we'll want to consider changes to the kernel block API: From here, we can delegate to dm-crypt to perform the block transformation using the key in the bio. Or we can defer to the block storage driver to provision the key into the hardware encryption element and tag requests to use that key. This promises to get a big chunk of the file contents encryption logic out of the file system layer. If the file system doesn't provide a bi_crypt_ctx, then dm-crypt can use the default key, which would be shared among all tenants of the system. That shared key can potentially be further protected by the distro by leveraging a secure element like a TPM. For user-specific file contents -- say, what's in the user's home directory -- then that can be protected with a key that's only made available after the user logs in (providing their credentials). Other tenants on the same device who can get at the shared key might still get information like how many files other users have or what the directory structure is, but at least they can't read the contents of other users' files. Meanwhile, the volume is comprehensively protected against the "left in a taxi" scenario. > Generally speaking though, it would be great to have encryption > _and_ authentication for file contents. Not good enough for me. I want authenticated encryption for everything, contents or metadata. > AEAD modes like GCM or future finalists of the CAESAR competition > come to mind. GCM is problematic for block storage, primarily because it's catastrophic to reuse a key/IV pair. If you naively use the same key when writing more than 2^32 blocks with a random IV, you've just stepped into the collision "danger zone" (per NIST SP 800-38D). We have a design that involves frequent encryption key derivation in order to address the collision space problem. But that's just one piece of the solution to the whole problem. > IIRC the ext4 encryption design document mentions this, but it's > unclear to me why AES-GCM wasn't used for file contents from the > beginning. I'd guess it has to do with where to store the > authentication tag and performance. Comparatively, that's the easy part. The hard part is ensuring *consistency* between the ciphertext and the cryptographic metadata. If you write out the ciphertext and don't get the IV you used for it out to storage simultaneously, you've just lost the block. And vice-versa. Then there's the problem of internal consistency. Supposing you do manage to get the blocks and their crypto metadata out together, what's to stop an attacker from punching holes (for example)? You need an authenticated dictionary structure at that point, such as a Merkle tree or an authenticated skiplist. Now you have an additional data structure to maintain. And you're rebalancing a Merkle tree in the midst of modifications, or you're producing an implementation of ASL in the Linux kernel (which, BTW, my team does have a prototype for right now). Once we have a root of an authenticated dictionary, we can look to a high-performance secure hardware element to sign that root against a monotonic counter to get rollback protection. To protect the entire block device, we need the authentication data to be consistent with the ciphertext at the block level. So that means something like copy-on-write or log-structured volume at the dm- layer. Right now the best shortcut I've been able to come up starts with a loopback mount on btrfs. > Does anybody have details on that? Hopefully I've been able to shine some light on the reasons why high-performance random access read/write block storage encryption with authentication is a harder problem than it looks on the surface. In the meantime, to address the CBC thing, I'd want to understand what the hardware is doing exactly. I wouldn't want the existence of code that supports CBC in fs/crypto to be interpreted as some sort of endorsement for using it rather than XTS (when unauthenticated encryption is for some reason the only viable option) for new storage encryption applications. > Thanks, > David --- To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/include/linux/blk_types.h b/include/linux/blk_types.h index 436f43f..de3492a 100644 --- a/include/linux/blk_types.h +++ b/include/linux/blk_types.h @@ -19,6 +19,20 @@ typedef void (bio_end_io_t) (struct bio *); typedef void (bio_destructor_t) (struct bio *); #ifdef CONFIG_BLOCK + +#ifdef CONFIG_BLK_CRYPT +struct bio_crypt_ctx { + unsigned int bc_flags; /* Indicates union interpretation */ + union { + struct key *bc_key; + unsigned int bc_key_type; /* Implies size */ + unsigned int bc_key_size; + }; + atomic_t __bc_cnt; /* Pin count */ + u8 bc_key[0]; +}; +#endif + /* * main unit of I/O for the block layer and lower layers (ie drivers and * stacking drivers) @@ -81,6 +95,10 @@ struct bio { struct bio_set *bi_pool; +#ifdef CONFIG_BLK_CRYPT + struct bio_crypt_ctx *bi_crypt_ctx; +#endif + /* * We can inline a number of vecs at the end of the bio, to avoid * double allocations for a small number of bio_vecs. This member