diff options
| author | Ard Biesheuvel <ard.biesheuvel@linaro.org> | 2019-08-07 08:50:22 +0300 |
|---|---|---|
| committer | Mike Snitzer <snitzer@redhat.com> | 2019-08-23 10:13:13 -0400 |
| commit | 39d13a1ac41dc8254f484fcd21af7ff05e316fad (patch) | |
| tree | f76542a2804d0a5cc9b7ee983af1c95e0e5e4daf /.get_maintainer.ignore | |
| parent | 123d87d553e26f67e7be318c97c971b6b5fb1daa (diff) | |
| download | lwn-39d13a1ac41dc8254f484fcd21af7ff05e316fad.tar.gz lwn-39d13a1ac41dc8254f484fcd21af7ff05e316fad.zip | |
dm crypt: reuse eboiv skcipher for IV generation
Instead of instantiating a separate cipher to perform the encryption
needed to produce the IV, reuse the skcipher used for the block data
and invoke it one additional time for each block to encrypt a zero
vector and use the output as the IV.
For CBC mode, this is equivalent to using the bare block cipher, but
without the risk of ending up with a non-time invariant implementation
of AES when the skcipher itself is time variant (e.g., arm64 without
Crypto Extensions has a NEON based time invariant implementation of
cbc(aes) but no time invariant implementation of the core cipher other
than aes-ti, which is not enabled by default).
This approach is a compromise between dm-crypt API flexibility and
reducing dependence on parts of the crypto API that should not usually
be exposed to other subsystems, such as the bare cipher API.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Milan Broz <gmazyland@gmail.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Diffstat (limited to '.get_maintainer.ignore')
0 files changed, 0 insertions, 0 deletions