Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption

2017-12-11 Thread David Gstir
> On 08.12.2017, at 03:51, Jason A. Donenfeld wrote: > > Hi Eric, > > Nice to see more use of ChaCha20. However... > > Can we skip over the "sort of worse than XTS, but not having _real_ > authentication sucks anyway in either case, so whatever" and move > directly to, "linux

Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption

2017-12-10 Thread Eric Biggers
On Fri, Dec 08, 2017 at 07:48:54PM -0500, Jeffrey Walton wrote: > > Still, a stream cipher is sufficient to protect data confidentiality in > > the event of a single point-in-time permanent offline compromise of the > > disk, which currently is the primary threat model for fscrypt. Thus, > > when

Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption

2017-12-08 Thread Jeffrey Walton
> Still, a stream cipher is sufficient to protect data confidentiality in > the event of a single point-in-time permanent offline compromise of the > disk, which currently is the primary threat model for fscrypt. Thus, > when the alternative is quite literally *no encryption*, we might as > well

Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption

2017-12-08 Thread Eric Biggers
On Fri, Dec 08, 2017 at 07:20:43AM +, Ard Biesheuvel wrote: > On 8 December 2017 at 02:51, Jason A. Donenfeld wrote: > > Hi Eric, > > > > Nice to see more use of ChaCha20. However... > > > > Can we skip over the "sort of worse than XTS, but not having _real_ > >

Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption

2017-12-08 Thread Ard Biesheuvel
On 8 December 2017 at 10:14, Stephan Mueller wrote: > Am Freitag, 8. Dezember 2017, 11:06:31 CET schrieb Ard Biesheuvel: > > Hi Ard, > >> >> Given how it is not uncommon for counters to be used as IV, this is a >> fundamental flaw that could rear its head in other places as

Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption

2017-12-08 Thread Ard Biesheuvel
On 8 December 2017 at 09:11, Ard Biesheuvel wrote: > On 8 December 2017 at 09:11, Ard Biesheuvel wrote: >> Hi Eric, >> >> On 8 December 2017 at 01:38, Eric Biggers wrote: >>> From: Eric Biggers >>>

Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption

2017-12-08 Thread Ard Biesheuvel
On 8 December 2017 at 09:11, Ard Biesheuvel wrote: > Hi Eric, > > On 8 December 2017 at 01:38, Eric Biggers wrote: >> From: Eric Biggers >> >> fscrypt currently only supports AES encryption. However, many low-end >> mobile

Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption

2017-12-08 Thread Ard Biesheuvel
Hi Eric, On 8 December 2017 at 01:38, Eric Biggers wrote: > From: Eric Biggers > > fscrypt currently only supports AES encryption. However, many low-end > mobile devices still use older CPUs such as ARMv7, which do not support > the AES instructions

Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption

2017-12-07 Thread Ard Biesheuvel
On 8 December 2017 at 02:51, Jason A. Donenfeld wrote: > Hi Eric, > > Nice to see more use of ChaCha20. However... > > Can we skip over the "sort of worse than XTS, but not having _real_ > authentication sucks anyway in either case, so whatever" and move > directly to, "linux

Re: [PATCH] fscrypt: add support for ChaCha20 contents encryption

2017-12-07 Thread Jason A. Donenfeld
Hi Eric, Nice to see more use of ChaCha20. However... Can we skip over the "sort of worse than XTS, but not having _real_ authentication sucks anyway in either case, so whatever" and move directly to, "linux finally supports authenticated encryption for disk encryption!"? This would be a big

[PATCH] fscrypt: add support for ChaCha20 contents encryption

2017-12-07 Thread Eric Biggers
From: Eric Biggers fscrypt currently only supports AES encryption. However, many low-end mobile devices still use older CPUs such as ARMv7, which do not support the AES instructions (the ARMv8 Cryptography Extensions). This results in very poor AES performance, even if the