• Milan Broz's avatar
    dm crypt: add cryptographic data integrity protection (authenticated encryption) · ef43aa38
    Milan Broz authored
    Allow the use of per-sector metadata, provided by the dm-integrity
    module, for integrity protection and persistently stored per-sector
    Initialization Vector (IV).  The underlying device must support the
    "DM-DIF-EXT-TAG" dm-integrity profile.
    
    The per-bio integrity metadata is allocated by dm-crypt for every bio.
    
    Example of low-level mapping table for various types of use:
     DEV=/dev/sdb
     SIZE=417792
    
     # Additional HMAC with CBC-ESSIV, key is concatenated encryption key + HMAC key
     SIZE_INT=389952
     dmsetup create x --table "0 $SIZE_INT integrity $DEV 0 32 J 0"
     dmsetup create y --table "0 $SIZE_INT crypt aes-cbc-essiv:sha256 \
     11ff33c6fb942655efb3e30cf4c0fd95f5ef483afca72166c530ae26151dd83b \
     00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff \
     0 /dev/mapper/x 0 1 integrity:32:hmac(sha256)"
    
     # AEAD (Authenticated Encryption with Additional Data) - GCM with random IVs
     # GCM in kernel uses 96bits IV and we store 128bits auth tag (so 28 bytes metadata space)
     SIZE_INT=393024
     dmsetup create x --table "0 $SIZE_INT integrity $DEV 0 28 J 0"
     dmsetup create y --table "0 $SIZE_INT crypt aes-gcm-random \
     11ff33c6fb942655efb3e30cf4c0fd95f5ef483afca72166c530ae26151dd83b \
     0 /dev/mapper/x 0 1 integrity:28:aead"
    
     # Random IV only for XTS mode (no integrity protection but provides atomic random sector change)
     SIZE_INT=401272
     dmsetup create x --table "0 $SIZE_INT integrity $DEV 0 16 J 0"
     dmsetup create y --table "0 $SIZE_INT crypt aes-xts-random \
     11ff33c6fb942655efb3e30cf4c0fd95f5ef483afca72166c530ae26151dd83b \
     0 /dev/mapper/x 0 1 integrity:16:none"
    
     # Random IV with XTS + HMAC integrity protection
     SIZE_INT=377656
     dmsetup create x --table "0 $SIZE_INT integrity $DEV 0 48 J 0"
     dmsetup create y --table "0 $SIZE_INT crypt aes-xts-random \
     11ff33c6fb942655efb3e30cf4c0fd95f5ef483afca72166c530ae26151dd83b \
     00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff \
     0 /dev/mapper/x 0 1 integrity:48:hmac(sha256)"
    
    Both AEAD and HMAC protection authenticates not only data but also
    sector metadata.
    
    HMAC protection is implemented through autenc wrapper (so it is
    processed the same way as an authenticated mode).
    
    In HMAC mode there are two keys (concatenated in dm-crypt mapping
    table).  First is the encryption key and the second is the key for
    authentication (HMAC).  (It is userspace decision if these keys are
    independent or somehow derived.)
    
    The sector request for AEAD/HMAC authenticated encryption looks like this:
     |----- AAD -------|------ DATA -------|-- AUTH TAG --|
     | (authenticated) | (auth+encryption) |              |
     | sector_LE |  IV |  sector in/out    |  tag in/out  |
    
    For writes, the integrity fields are calculated during AEAD encryption
    of every sector and stored in bio integrity fields and sent to
    underlying dm-integrity target for storage.
    
    For reads, the integrity metadata is verified during AEAD decryption of
    every sector (they are filled in by dm-integrity, but the integrity
    fields are pre-allocated in dm-crypt).
    
    There is also an experimental support in cryptsetup utility for more
    friendly configuration (part of LUKS2 format).
    
    Because the integrity fields are not valid on initial creation, the
    device must be "formatted".  This can be done by direct-io writes to the
    device (e.g. dd in direct-io mode).  For now, there is available trivial
    tool to do this, see: https://github.com/mbroz/dm_int_toolsSigned-off-by: default avatarMilan Broz <gmazyland@gmail.com>
    Signed-off-by: default avatarOndrej Mosnacek <omosnacek@gmail.com>
    Signed-off-by: default avatarVashek Matyas <matyas@fi.muni.cz>
    Signed-off-by: default avatarMike Snitzer <snitzer@redhat.com>
    ef43aa38
dm-crypt.c 71.5 KB