kernel_optimize_test/fs/crypto
Eric Biggers 68ac723fb1 fscrypt: allow 256-bit master keys with AES-256-XTS
[ Upstream commit 7f595d6a6cdc336834552069a2e0a4f6d4756ddf ]

fscrypt currently requires a 512-bit master key when AES-256-XTS is
used, since AES-256-XTS keys are 512-bit and fscrypt requires that the
master key be at least as long any key that will be derived from it.

However, this is overly strict because AES-256-XTS doesn't actually have
a 512-bit security strength, but rather 256-bit.  The fact that XTS
takes twice the expected key size is a quirk of the XTS mode.  It is
sufficient to use 256 bits of entropy for AES-256-XTS, provided that it
is first properly expanded into a 512-bit key, which HKDF-SHA512 does.

Therefore, relax the check of the master key size to use the security
strength of the derived key rather than the size of the derived key
(except for v1 encryption policies, which don't use HKDF).

Besides making things more flexible for userspace, this is needed in
order for the use of a KDF which only takes a 256-bit key to be
introduced into the fscrypt key hierarchy.  This will happen with
hardware-wrapped keys support, as all known hardware which supports that
feature uses an SP800-108 KDF using AES-256-CMAC, so the wrapped keys
are wrapped 256-bit AES keys.  Moreover, there is interest in fscrypt
supporting the same type of AES-256-CMAC based KDF in software as an
alternative to HKDF-SHA512.  There is no security problem with such
features, so fix the key length check to work properly with them.

Reviewed-by: Paul Crowley <paulcrowley@google.com>
Link: https://lore.kernel.org/r/20210921030303.5598-1-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-11-18 14:03:54 +01:00
..
bio.c fscrypt: add inline encryption support 2020-07-08 10:29:30 -07:00
crypto.c fscrypt: adjust logging for in-creation inodes 2020-09-22 06:48:38 -07:00
fname.c fscrypt: don't ignore minor_hash when hash is 0 2021-07-14 16:56:53 +02:00
fscrypt_private.h fscrypt: allow 256-bit master keys with AES-256-XTS 2021-11-18 14:03:54 +01:00
hkdf.c fscrypt: allow 256-bit master keys with AES-256-XTS 2021-11-18 14:03:54 +01:00
hooks.c fscrypt: add fscrypt_symlink_getattr() for computing st_size 2021-09-08 08:48:59 +02:00
inline_crypt.c fscrypt: fix inline encryption not used on new files 2020-11-11 20:59:07 -08:00
Kconfig fscrypt: switch fscrypt_do_sha256() to use the SHA-256 library 2020-07-21 16:02:13 -07:00
keyring.c fscrypt: remove kernel-internal constants from UAPI header 2020-12-26 16:02:43 +01:00
keysetup_v1.c fscrypt: stop pretending that key setup is nofs-safe 2020-09-22 06:48:42 -07:00
keysetup.c fscrypt: allow 256-bit master keys with AES-256-XTS 2021-11-18 14:03:54 +01:00
Makefile fscrypt: add inline encryption support 2020-07-08 10:29:30 -07:00
policy.c fscrypt: remove kernel-internal constants from UAPI header 2020-12-26 16:02:43 +01:00