| Message ID | 20221108142025.13461-2-nstange@suse.de |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a5d:6687:0:0:0:0:0 with SMTP id l7csp2740701wru;
Tue, 8 Nov 2022 06:27:56 -0800 (PST)
X-Google-Smtp-Source:
AMsMyM7meeP3OJdtm0V3J0sClNe5MkVP2hCLnYYLx+7XkV+ONlOReNbJKI4q+r4efpXdIVPsilq2
X-Received: by 2002:a17:90b:2246:b0:213:48f0:297f with SMTP id
hk6-20020a17090b224600b0021348f0297fmr58314159pjb.236.1667917675948;
Tue, 08 Nov 2022 06:27:55 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1667917675; cv=none;
d=google.com; s=arc-20160816;
b=DGtLxeup1aIAlnrMGqomVk81qf2QFl/3dxgB5DKnchhYFggpMTf8GF9Ds+9pdVWniG
qPbE58AWMA4fPi2yWdQtfqXRtTs2ehuLA9/Ulj4NGuzwllRB1Ogb35ifBPqk4JzqSc3b
tZNsQYYFu2XKoe1zu2/P5uofHQ9nqoN8DqaUGFevLCq/lZo8EFQnWOh+glplJWgCrm0g
YeujN6WAna18z9Bk+koeYZ3rAIfT9/wR4u7agKOcGhCoo8ZblkNGHeExJaPEM4YtPPr0
YCHZO+Ody6NXbhQ+TTdgHCQr+a4i0SEVkaoqx3xTxiAu+oAlVBXf9nsAYVmicEkIXfR1
4SAQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:references:in-reply-to:message-id:date:subject:cc:to:from
:dkim-signature:dkim-signature;
bh=uG7bkbR8f1ErSbpnIswqV7scwgYtGlwKnO07NfMV1Ro=;
b=0p8/QExrVSKMptJUjy9ATz397KJGqpnjtliCsyY6ZCbN0lZGIdXctwV7lWUn0W8eTp
/mB4MkyRNbr70k5hPjunC3bgzhQ8DruGYHneQUHdqLIoUnE+4cK2oI6FN4aYKzAY1oIS
pqb4/+ZTVvArRyJuw3XWPKd/fh0xSRbQO8n6eo5uuBpuixqoF65Dk28IxDR2B7FpIoTN
UtTB6rwt9MacguPSO1+fA/5gHsSRcxPZ7A5ZYo91y45q7ReggBUTPuFjFMTThmU40pLa
2fDT1o48R4xqez9uowTNoB6hTHdVAdJel8OcSkKEfHu/uhzRuI2r3hU4hchSRAWQ6JaR
8LeA==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=S2tQIpOs;
dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519
header.b=KlJyrsTf;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
b11-20020a17090a9bcb00b00216058fa03fsi15096185pjw.53.2022.11.08.06.27.36;
Tue, 08 Nov 2022 06:27:55 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@suse.de header.s=susede2_rsa header.b=S2tQIpOs;
dkim=neutral (no key) header.i=@suse.de header.s=susede2_ed25519
header.b=KlJyrsTf;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=suse.de
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S234737AbiKHOU5 (ORCPT <rfc822;tony84727@gmail.com> + 99 others);
Tue, 8 Nov 2022 09:20:57 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57184 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S234651AbiKHOUt (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Tue, 8 Nov 2022 09:20:49 -0500
Received: from smtp-out1.suse.de (smtp-out1.suse.de
[IPv6:2001:67c:2178:6::1c])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 72C36862D2;
Tue, 8 Nov 2022 06:20:48 -0800 (PST)
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de
[192.168.254.74])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature ECDSA (P-521) server-digest
SHA512)
(No client certificate requested)
by smtp-out1.suse.de (Postfix) with ESMTPS id 2D9EC22A9E;
Tue, 8 Nov 2022 14:20:47 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=suse.de;
s=susede2_rsa;
t=1667917247;
h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding:
in-reply-to:in-reply-to:references:references;
bh=uG7bkbR8f1ErSbpnIswqV7scwgYtGlwKnO07NfMV1Ro=;
b=S2tQIpOsR9mMrPkL1xyeJAXruYNrjsUZ6HF8BLdHGTnO80bnA4iQkodZli0rCTWp17IWc8
G6kffZIEF11rAdTdbELZu1ST4TdSTXfL63M0DMnRrH2pmqypMjsfkU+No7jDGUW6teZcNJ
PWzOVo6S0JUb+DhSXB3gdpuJQuSP/vM=
DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=suse.de;
s=susede2_ed25519; t=1667917247;
h=from:from:reply-to:date:date:message-id:message-id:to:to:cc:cc:
mime-version:mime-version:
content-transfer-encoding:content-transfer-encoding:
in-reply-to:in-reply-to:references:references;
bh=uG7bkbR8f1ErSbpnIswqV7scwgYtGlwKnO07NfMV1Ro=;
b=KlJyrsTfyiJ5AaM/jlA9pToJSlXsFBVquwdB4l/WR9qI2U1mbUcggpwAbxZgZCNIAzPvsU
DmdguqNlPjek2aAQ==
Received: from imap2.suse-dmz.suse.de (imap2.suse-dmz.suse.de
[192.168.254.74])
(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
key-exchange X25519 server-signature ECDSA (P-521) server-digest
SHA512)
(No client certificate requested)
by imap2.suse-dmz.suse.de (Postfix) with ESMTPS id 1F98E13398;
Tue, 8 Nov 2022 14:20:47 +0000 (UTC)
Received: from dovecot-director2.suse.de ([192.168.254.65])
by imap2.suse-dmz.suse.de with ESMTPSA
id kBtiB79lamMTKQAAMHmgww
(envelope-from <nstange@suse.de>); Tue, 08 Nov 2022 14:20:47 +0000
From: Nicolai Stange <nstange@suse.de>
To: Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>
Cc: Vladis Dronov <vdronov@redhat.com>,
Stephan Mueller <smueller@chronox.de>,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
Nicolai Stange <nstange@suse.de>
Subject: [PATCH 1/4] crypto: xts - restrict key lengths to approved values in
FIPS mode
Date: Tue, 8 Nov 2022 15:20:22 +0100
Message-Id: <20221108142025.13461-2-nstange@suse.de>
X-Mailer: git-send-email 2.38.0
In-Reply-To: <20221108142025.13461-1-nstange@suse.de>
References: <20221108142025.13461-1-nstange@suse.de>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-4.4 required=5.0 tests=BAYES_00,DKIM_SIGNED,
DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_MED,SPF_HELO_NONE,
SPF_PASS autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1748938445030610812?=
X-GMAIL-MSGID: =?utf-8?q?1748938445030610812?=
|
| Series |
Trivial set of FIPS 140-3 related changes
|
|
Commit Message
Nicolai Stange
Nov. 8, 2022, 2:20 p.m. UTC
According to FIPS 140-3 IG C.I., only (total) key lengths of either
256 bits or 512 bits are allowed with xts(aes). Make xts_verify_key() to
reject anything else in FIPS mode.
As xts(aes) is the only approved xts() template instantiation in FIPS mode,
the new restriction implemented in xts_verify_key() effectively only
applies to this particular construction.
Signed-off-by: Nicolai Stange <nstange@suse.de>
---
include/crypto/xts.h | 7 +++++++
1 file changed, 7 insertions(+)
Comments
> diff --git a/include/crypto/xts.h b/include/crypto/xts.h ... > @@ -35,6 +35,13 @@ static inline int xts_verify_key(struct crypto_skcipher > *tfm, > if (keylen % 2) > return -EINVAL; > > + /* > + * In FIPS mode only a combined key length of either 256 or > + * 512 bits is allowed, c.f. FIPS 140-3 IG C.I. > + */ > + if (fips_enabled && keylen != 32 && keylen != 64) > + return -EINVAL; > + > /* ensure that the AES and tweak key are not identical */ > if ((fips_enabled || (crypto_skcipher_get_flags(tfm) & > CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)) && > -- > 2.38.0 arch/s390/crypto/aes_s390.c has similar lines: static int xts_aes_set_key(struct crypto_skcipher *tfm, const u8 *in_key, unsigned int key_len) { struct s390_xts_ctx *xts_ctx = crypto_skcipher_ctx(tfm); unsigned long fc; int err; err = xts_fallback_setkey(tfm, in_key, key_len); if (err) return err; /* In fips mode only 128 bit or 256 bit keys are valid */ if (fips_enabled && key_len != 32 && key_len != 64) return -EINVAL; xts_fallback_setkey will now enforce that rule when setting up the fallback algorithm keys, which makes the xts_aes_set_key check unreachable. If that fallback setup were not present, then a call to xts_verify_key might be preferable to enforce any other rules like the WEAK_KEYS rule.
> diff --git a/include/crypto/xts.h b/include/crypto/xts.h ... > @@ -35,6 +35,13 @@ static inline int xts_verify_key(struct crypto_skcipher > *tfm, > if (keylen % 2) > return -EINVAL; > > + /* > + * In FIPS mode only a combined key length of either 256 or > + * 512 bits is allowed, c.f. FIPS 140-3 IG C.I. > + */ > + if (fips_enabled && keylen != 32 && keylen != 64) > + return -EINVAL; > + > /* ensure that the AES and tweak key are not identical */ > if ((fips_enabled || (crypto_skcipher_get_flags(tfm) & > CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)) && > -- > 2.38.0 There's another function in the same file called xts_check_key() that is used by some of the hardware drivers: arch/s390/crypto/paes_s390.c: * xts_check_key verifies the key length is not odd and makes [that references it in the comment but actually calls xts_verify_key in the code] drivers/crypto/axis/artpec6_crypto.c: ret = xts_check_key(&cipher->base, key, keylen); drivers/crypto/cavium/cpt/cptvf_algs.c: err = xts_check_key(tfm, key, keylen); drivers/crypto/cavium/nitrox/nitrox_skcipher.c: ret = xts_check_key(tfm, key, keylen); drivers/crypto/ccree/cc_cipher.c: xts_check_key(tfm, key, keylen)) { drivers/crypto/marvell/octeontx/otx_cptvf_algs.c: ret = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen); drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c: ret = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen); drivers/crypto/atmel-aes.c: err = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen); It already has one check qualified by fips_enabled: /* ensure that the AES and tweak key are not identical */ if (fips_enabled && !crypto_memneq(key, key + (keylen / 2), keylen / 2)) return -EINVAL; Should that implement the same key length restrictions?
"Elliott, Robert (Servers)" <elliott@hpe.com> writes: >> diff --git a/include/crypto/xts.h b/include/crypto/xts.h > ... >> @@ -35,6 +35,13 @@ static inline int xts_verify_key(struct crypto_skcipher >> *tfm, >> if (keylen % 2) >> return -EINVAL; >> >> + /* >> + * In FIPS mode only a combined key length of either 256 or >> + * 512 bits is allowed, c.f. FIPS 140-3 IG C.I. >> + */ >> + if (fips_enabled && keylen != 32 && keylen != 64) >> + return -EINVAL; >> + >> /* ensure that the AES and tweak key are not identical */ >> if ((fips_enabled || (crypto_skcipher_get_flags(tfm) & >> CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)) && >> -- >> 2.38.0 > > There's another function in the same file called xts_check_key() > that is used by some of the hardware drivers: Right, thanks for spotting. AFAICT, xts_check_key() is the older of the two variants, xts_verify_key() had been introduced with commit f1c131b45410 ("crypto: xts - Convert to skcipher"). There had initially only been a single call from generic crypto/xts.c and the main difference to xts_check_key() had been that it took a crypto_skcipher for its tfm argument rather than a plain crypto_tfm as xts_check_key() did. It seems that over time, xts crypto drivers adopted the newer xts_verify_key() variant then. > > arch/s390/crypto/paes_s390.c: * xts_check_key verifies the key length is not odd and makes > [that references it in the comment but actually calls xts_verify_key in the code] > drivers/crypto/axis/artpec6_crypto.c: ret = xts_check_key(&cipher->base, key, keylen); > drivers/crypto/cavium/cpt/cptvf_algs.c: err = xts_check_key(tfm, key, keylen); > drivers/crypto/cavium/nitrox/nitrox_skcipher.c: ret = xts_check_key(tfm, key, keylen); > drivers/crypto/ccree/cc_cipher.c: xts_check_key(tfm, key, keylen)) { > drivers/crypto/marvell/octeontx/otx_cptvf_algs.c: ret = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen); > drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c: ret = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen); > drivers/crypto/atmel-aes.c: err = xts_check_key(crypto_skcipher_tfm(tfm), key, keylen); > > It already has one check qualified by fips_enabled: > > /* ensure that the AES and tweak key are not identical */ > if (fips_enabled && !crypto_memneq(key, key + (keylen / 2), keylen / 2)) > return -EINVAL; > > Should that implement the same key length restrictions? From a quick glance, all of the above drivers merely convert some crypto_skcipher to a crypto_tfm before passing it to xts_check_key(). So I think these should all be made to call xts_verify_key() directly instead, the former xts_check_key() could then get dropped. But that's more of a cleanup IMO and would probably deserve a separate patch series on its own. Thanks! Nicolai
"Elliott, Robert (Servers)" <elliott@hpe.com> writes: >> diff --git a/include/crypto/xts.h b/include/crypto/xts.h > ... >> @@ -35,6 +35,13 @@ static inline int xts_verify_key(struct crypto_skcipher >> *tfm, >> if (keylen % 2) >> return -EINVAL; >> >> + /* >> + * In FIPS mode only a combined key length of either 256 or >> + * 512 bits is allowed, c.f. FIPS 140-3 IG C.I. >> + */ >> + if (fips_enabled && keylen != 32 && keylen != 64) >> + return -EINVAL; >> + >> /* ensure that the AES and tweak key are not identical */ >> if ((fips_enabled || (crypto_skcipher_get_flags(tfm) & >> CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)) && >> -- >> 2.38.0 > > arch/s390/crypto/aes_s390.c has similar lines: > > static int xts_aes_set_key(struct crypto_skcipher *tfm, const u8 *in_key, > unsigned int key_len) > { > struct s390_xts_ctx *xts_ctx = crypto_skcipher_ctx(tfm); > unsigned long fc; > int err; > > err = xts_fallback_setkey(tfm, in_key, key_len); > if (err) > return err; > > /* In fips mode only 128 bit or 256 bit keys are valid */ > if (fips_enabled && key_len != 32 && key_len != 64) > return -EINVAL; > > > xts_fallback_setkey will now enforce that rule when setting up the > fallback algorithm keys, which makes the xts_aes_set_key check > unreachable. Good finding! > > If that fallback setup were not present, then a call to xts_verify_key > might be preferable to enforce any other rules like the WEAK_KEYS > rule. > So if this patch here would get accepted, I'd propose to remove the then dead code from aes_s390 afterwards and make an explicit call to xts_verify_key() instead. Or shall I split out the XTS patch from this series here and post these two changes separately then? Herbert, any preferences? Thanks! Nicolai
On Wed, Nov 09, 2022 at 11:39:19AM +0100, Nicolai Stange wrote: > > Or shall I split out the XTS patch from this series here and post these > two changes separately then? Herbert, any preferences? You can do this as a follow-up. Thanks,
On Wed, Nov 09, 2022 at 11:06:17AM +0100, Nicolai Stange wrote: > > >From a quick glance, all of the above drivers merely convert some > crypto_skcipher to a crypto_tfm before passing it to xts_check_key(). > > So I think these should all be made to call xts_verify_key() directly > instead, the former xts_check_key() could then get dropped. But that's > more of a cleanup IMO and would probably deserve a separate patch series > on its own. We should make sure both do the same thing though. So either change all the drivers or just change xts_check_key in your patch in addition to xts_verify_key. Cheers,
diff --git a/include/crypto/xts.h b/include/crypto/xts.h index 0f8dba69feb4..a233c1054df2 100644 --- a/include/crypto/xts.h +++ b/include/crypto/xts.h @@ -35,6 +35,13 @@ static inline int xts_verify_key(struct crypto_skcipher *tfm, if (keylen % 2) return -EINVAL; + /* + * In FIPS mode only a combined key length of either 256 or + * 512 bits is allowed, c.f. FIPS 140-3 IG C.I. + */ + if (fips_enabled && keylen != 32 && keylen != 64) + return -EINVAL; + /* ensure that the AES and tweak key are not identical */ if ((fips_enabled || (crypto_skcipher_get_flags(tfm) & CRYPTO_TFM_REQ_FORBID_WEAK_KEYS)) &&