tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

fscrypt: allow 256-bit master keys with AES-256-XTS

fscrypt currently requires a 512-bit master key when AES-256-XTS is
used, since AES-256-XTS keys are 512-bit and fscrypt requires that the
master key be at least as long any key that will be derived from it.

However, this is overly strict because AES-256-XTS doesn't actually have
a 512-bit security strength, but rather 256-bit. The fact that XTS
takes twice the expected key size is a quirk of the XTS mode. It is
sufficient to use 256 bits of entropy for AES-256-XTS, provided that it
is first properly expanded into a 512-bit key, which HKDF-SHA512 does.

Therefore, relax the check of the master key size to use the security
strength of the derived key rather than the size of the derived key
(except for v1 encryption policies, which don't use HKDF).

Besides making things more flexible for userspace, this is needed in
order for the use of a KDF which only takes a 256-bit key to be
introduced into the fscrypt key hierarchy. This will happen with
hardware-wrapped keys support, as all known hardware which supports that
feature uses an SP800-108 KDF using AES-256-CMAC, so the wrapped keys
are wrapped 256-bit AES keys. Moreover, there is interest in fscrypt
supporting the same type of AES-256-CMAC based KDF in software as an
alternative to HKDF-SHA512. There is no security problem with such
features, so fix the key length check to work properly with them.

Reviewed-by: Paul Crowley <paulcrowley@google.com>
Link: https://lore.kernel.org/r/20210921030303.5598-1-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>

Eric Biggers 7f595d6a abb861fa

+61 -22
+5 -5
Documentation/filesystems/fscrypt.rst
··· 176 176 177 177 Each encrypted directory tree is protected by a *master key*. Master 178 178 keys can be up to 64 bytes long, and must be at least as long as the 179 - greater of the key length needed by the contents and filenames 180 - encryption modes being used. For example, if AES-256-XTS is used for 181 - contents encryption, the master key must be 64 bytes (512 bits). Note 182 - that the XTS mode is defined to require a key twice as long as that 183 - required by the underlying block cipher. 179 + greater of the security strength of the contents and filenames 180 + encryption modes being used. For example, if any AES-256 mode is 181 + used, the master key must be at least 256 bits, i.e. 32 bytes. A 182 + stricter requirement applies if the key is used by a v1 encryption 183 + policy and AES-256-XTS is used; such keys must be 64 bytes. 184 184 185 185 To "unlock" an encrypted directory tree, userspace must provide the 186 186 appropriate master key. There can be any number of master keys, each
+3 -2
fs/crypto/fscrypt_private.h
··· 549 549 struct fscrypt_mode { 550 550 const char *friendly_name; 551 551 const char *cipher_str; 552 - int keysize; 553 - int ivsize; 552 + int keysize; /* key size in bytes */ 553 + int security_strength; /* security strength in bytes */ 554 + int ivsize; /* IV size in bytes */ 554 555 int logged_impl_name; 555 556 enum blk_crypto_mode_num blk_crypto_mode; 556 557 };
+8 -3
fs/crypto/hkdf.c
··· 16 16 17 17 /* 18 18 * HKDF supports any unkeyed cryptographic hash algorithm, but fscrypt uses 19 - * SHA-512 because it is reasonably secure and efficient; and since it produces 20 - * a 64-byte digest, deriving an AES-256-XTS key preserves all 64 bytes of 21 - * entropy from the master key and requires only one iteration of HKDF-Expand. 19 + * SHA-512 because it is well-established, secure, and reasonably efficient. 20 + * 21 + * HKDF-SHA256 was also considered, as its 256-bit security strength would be 22 + * sufficient here. A 512-bit security strength is "nice to have", though. 23 + * Also, on 64-bit CPUs, SHA-512 is usually just as fast as SHA-256. In the 24 + * common case of deriving an AES-256-XTS key (512 bits), that can result in 25 + * HKDF-SHA512 being much faster than HKDF-SHA256, as the longer digest size of 26 + * SHA-512 causes HKDF-Expand to only need to do one iteration rather than two. 22 27 */ 23 28 #define HKDF_HMAC_ALG "hmac(sha512)" 24 29 #define HKDF_HASHLEN SHA512_DIGEST_SIZE
+45 -12
fs/crypto/keysetup.c
··· 19 19 .friendly_name = "AES-256-XTS", 20 20 .cipher_str = "xts(aes)", 21 21 .keysize = 64, 22 + .security_strength = 32, 22 23 .ivsize = 16, 23 24 .blk_crypto_mode = BLK_ENCRYPTION_MODE_AES_256_XTS, 24 25 }, ··· 27 26 .friendly_name = "AES-256-CTS-CBC", 28 27 .cipher_str = "cts(cbc(aes))", 29 28 .keysize = 32, 29 + .security_strength = 32, 30 30 .ivsize = 16, 31 31 }, 32 32 [FSCRYPT_MODE_AES_128_CBC] = { 33 33 .friendly_name = "AES-128-CBC-ESSIV", 34 34 .cipher_str = "essiv(cbc(aes),sha256)", 35 35 .keysize = 16, 36 + .security_strength = 16, 36 37 .ivsize = 16, 37 38 .blk_crypto_mode = BLK_ENCRYPTION_MODE_AES_128_CBC_ESSIV, 38 39 }, ··· 42 39 .friendly_name = "AES-128-CTS-CBC", 43 40 .cipher_str = "cts(cbc(aes))", 44 41 .keysize = 16, 42 + .security_strength = 16, 45 43 .ivsize = 16, 46 44 }, 47 45 [FSCRYPT_MODE_ADIANTUM] = { 48 46 .friendly_name = "Adiantum", 49 47 .cipher_str = "adiantum(xchacha12,aes)", 50 48 .keysize = 32, 49 + .security_strength = 32, 51 50 .ivsize = 32, 52 51 .blk_crypto_mode = BLK_ENCRYPTION_MODE_ADIANTUM, 53 52 }, ··· 363 358 } 364 359 365 360 /* 361 + * Check whether the size of the given master key (@mk) is appropriate for the 362 + * encryption settings which a particular file will use (@ci). 363 + * 364 + * If the file uses a v1 encryption policy, then the master key must be at least 365 + * as long as the derived key, as this is a requirement of the v1 KDF. 366 + * 367 + * Otherwise, the KDF can accept any size key, so we enforce a slightly looser 368 + * requirement: we require that the size of the master key be at least the 369 + * maximum security strength of any algorithm whose key will be derived from it 370 + * (but in practice we only need to consider @ci->ci_mode, since any other 371 + * possible subkeys such as DIRHASH and INODE_HASH will never increase the 372 + * required key size over @ci->ci_mode). This allows AES-256-XTS keys to be 373 + * derived from a 256-bit master key, which is cryptographically sufficient, 374 + * rather than requiring a 512-bit master key which is unnecessarily long. (We 375 + * still allow 512-bit master keys if the user chooses to use them, though.) 376 + */ 377 + static bool fscrypt_valid_master_key_size(const struct fscrypt_master_key *mk, 378 + const struct fscrypt_info *ci) 379 + { 380 + unsigned int min_keysize; 381 + 382 + if (ci->ci_policy.version == FSCRYPT_POLICY_V1) 383 + min_keysize = ci->ci_mode->keysize; 384 + else 385 + min_keysize = ci->ci_mode->security_strength; 386 + 387 + if (mk->mk_secret.size < min_keysize) { 388 + fscrypt_warn(NULL, 389 + "key with %s %*phN is too short (got %u bytes, need %u+ bytes)", 390 + master_key_spec_type(&mk->mk_spec), 391 + master_key_spec_len(&mk->mk_spec), 392 + (u8 *)&mk->mk_spec.u, 393 + mk->mk_secret.size, min_keysize); 394 + return false; 395 + } 396 + return true; 397 + } 398 + 399 + /* 366 400 * Find the master key, then set up the inode's actual encryption key. 367 401 * 368 402 * If the master key is found in the filesystem-level keyring, then the ··· 466 422 goto out_release_key; 467 423 } 468 424 469 - /* 470 - * Require that the master key be at least as long as the derived key. 471 - * Otherwise, the derived key cannot possibly contain as much entropy as 472 - * that required by the encryption mode it will be used for. For v1 473 - * policies it's also required for the KDF to work at all. 474 - */ 475 - if (mk->mk_secret.size < ci->ci_mode->keysize) { 476 - fscrypt_warn(NULL, 477 - "key with %s %*phN is too short (got %u bytes, need %u+ bytes)", 478 - master_key_spec_type(&mk_spec), 479 - master_key_spec_len(&mk_spec), (u8 *)&mk_spec.u, 480 - mk->mk_secret.size, ci->ci_mode->keysize); 425 + if (!fscrypt_valid_master_key_size(mk, ci)) { 481 426 err = -ENOKEY; 482 427 goto out_release_key; 483 428 }