On Wed, 21 Aug 2024, Ingo Franzki wrote:
> On 20.08.2024 17:56, Mikulas Patocka wrote:
> >
> >
> > On Fri, 16 Aug 2024, Ingo Franzki wrote:
> >
> >> For the MAC based integrity operation, the integrity key size (i.e.
> >> key_mac_size) is currently set to the digest size of the used digest.
> >>
> >> For wrapped key HMAC algorithms, the key size is independent of the
> >> cryptographic key size. So there is no known size of the mac key in
> >> such cases. The desired key size can optionally be specified as argument
> >> when the dm-crypt device is configured via 'integrity_key_size:%u'.
> >> If no integrity_key_size argument is specified, the mac key size
> >> is still set to the digest size, as before.
> >>
> >> Increase version number to 1.28.0 so that support for the new
> >> argument can be detected by user space (i.e. cryptsetup).
> >
> > Hi
> >
> > I know you already discussed it with Milan. I'd like to ask, what's the
> > reason for this patch? Milan said that you need it for mainframes -
> > please, describe the specific configuration when this patch is needed.
> >
> > Mikulas
>
> Hi Mikulas,
>
> thanks for looking into this.
>
> In short: Yes, we need it for a new function on Linux on IBM Z platform
> (aka s390x), but the general concept of using wrapped keys is not
> limited to that platform but can be used by other platforms as well.
> Furthermore, the proposed change can also be beneficial for clear key
> HMAC integrity protection, to allow choosing the size of the integrity
> key.

Hi

Thanks for the explanation. I discussed it with Milan and we concluded
that the patch is OK and that we can stage it for the kernel 6.12.

I added the patch to the device mapper repository. You can get it from
"git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm.git",
checkout branch "remotes/origin/dm-6.12".

I fixed two bugs in the patch:

1. crypt_status must report the new argument in its table line
2. sscanf(opt_string, "integrity_key_size:%u"...) should really be
   sscanf(opt_string, "integrity_key_size:%u%c"...), so that we report
   a syntax error if there are trailing characters after the number.

Please, download the updated patch from the "linux-dm.git" repository and
test it.

Mikulas
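
The trailing-character check from point 2 above, as an added userspace example (not the kernel patch or code from this thread). The function names parse_loose and parse_strict and the sample strings are constructed for illustration; only the two sscanf format strings come from the message.

```c
#include <stdio.h>

/* Loose form: succeeds as soon as the keyword and a number are matched,
 * so anything after the number is silently ignored. */
static int parse_loose(const char *opt, unsigned int *val)
{
    unsigned int tmp;

    if (sscanf(opt, "integrity_key_size:%u", &tmp) != 1)
        return -1;
    *val = tmp;
    return 0;
}

/* Strict form: the extra %c converts one more character if any is left.
 * A clean argument yields exactly 1 conversion; trailing input yields 2,
 * which is rejected as a syntax error. %c does not skip whitespace, so a
 * trailing blank is rejected as well. */
static int parse_strict(const char *opt, unsigned int *val)
{
    unsigned int tmp;
    char dummy;

    if (sscanf(opt, "integrity_key_size:%u%c", &tmp, &dummy) != 1)
        return -1;
    *val = tmp; /* only written when the whole string was valid */
    return 0;
}

int main(void)
{
    /* Constructed sample arguments, not taken from a real table line. */
    static const char *samples[] = {
        "integrity_key_size:32",
        "integrity_key_size:32abc",
        "integrity_key_size:64 ",
        "integrity_key_size:",
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned int a = 0, b = 0;
        int loose = parse_loose(samples[i], &a);
        int strict = parse_strict(samples[i], &b);

        printf("\"%s\": loose=%s strict=%s\n", samples[i],
               loose ? "reject" : "accept", strict ? "reject" : "accept");
    }
    return 0;
}
```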