• Daniel Walter's avatar
    fscrypt: add support for AES-128-CBC · b7e7cf7a
    Daniel Walter authored
    fscrypt provides facilities to use different encryption algorithms which
    are selectable by userspace when setting the encryption policy. Currently,
    only AES-256-XTS for file contents and AES-256-CBC-CTS for file names are
    implemented. This is a clear case of kernel offers the mechanism and
    userspace selects a policy. Similar to what dm-crypt and ecryptfs have.
    
    This patch adds support for using AES-128-CBC for file contents and
    AES-128-CBC-CTS for file name encryption. To mitigate watermarking
    attacks, IVs are generated using the ESSIV algorithm. While AES-CBC is
    actually slightly less secure than AES-XTS from a security point of view,
    there is more widespread hardware support. Using AES-CBC gives us the
    acceptable performance while still providing a moderate level of security
    for persistent storage.
    
    Especially low-powered embedded devices with crypto accelerators such as
    CAAM or CESA often only support AES-CBC. Since using AES-CBC over AES-XTS
    is basically thought of a last resort, we use AES-128-CBC over AES-256-CBC
    since it has less encryption rounds and yields noticeable better
    performance starting from a file size of just a few kB.
    Signed-off-by: 's avatarDaniel Walter <dwalter@sigma-star.at>
    [david@sigma-star.at: addressed review comments]
    Signed-off-by: David Gstir's avatarDavid Gstir <david@sigma-star.at>
    Reviewed-by: 's avatarEric Biggers <ebiggers@google.com>
    Signed-off-by: 's avatarTheodore Ts'o <tytso@mit.edu>
    b7e7cf7a