[dm-crypt] Use of GCM mode with dm-crypt

Will Drewry wad at chromium.org
Tue May 3 14:46:45 CEST 2011

FWIW, putting integrity checking at the filesystem layer should be
done carefully as well.  If your threat model includes attacks
resulting from attacker-controlled metadata, then you may still be
exposed to a variety of issues in the filesystem layer itself (even if
it is difficult for an attacker to do reliably given how great
dm-crypt is :).

I've had good experience layering a dm target for block-level
integrity checking under the fs layer as it avoids the risks
associated and gets all the nice benefits of the block cache, etc.
(The target my project uses isn't upstream yet, but after a lot of
in-progress cleanup, we hope it will be![1]).  The approach should
layer just fine with dm-crypt as well.

Anyway, just my two cents.  Cheers!

1 - http://git.chromium.org/gitweb/?p=chromiumos/third_party/kernel.git;a=blob;f=Documentation/device-mapper/dm-verity.txt

On Tue, May 3, 2011 at 5:22 AM, Samantha Adams <saman.adams at gmail.com> wrote:
> Probably the best solution is to check integrity in the FS layer.
> Concerning gcm, in my opinion, it's a pity that we can't use an AE mode onf
> encryption because in this way we would be able to also check data
> authenticity.
> Anyway, thank you all for you answers ! :)
> Sam
> On Wed, Apr 27, 2011 at 3:43 PM, Arno Wagner <arno at wagner.name> wrote:
>> On Wed, Apr 27, 2011 at 11:41:01AM +0200, Milan Broz wrote:
>> > On 04/27/2011 10:40 AM, Samantha Adams wrote:
>> [...]
>> > Basically it would be new encryption DM target (it can share code
>> > but the mapping here is different).
>> >
>> > The crucial question where do you want to store authentication tag...
>> > If there is some standard way, perhaphs it can be done.
>> >
>> > But isn't better to provide these integrity services to filesystem
>> > on top of dmcrypt? (so fs can allocate blocks storing integrity info)
>> In my view, integrity check, just as compression (and the filesystem
>> itself) all belong on top of encryption. For the other two, this is
>> obvious. For the integrity check, what is the FS layer to do if it
>> fails? If you have error correction or redundancy in the FS, then
>> it can do something, but on crypto-layer you can just propagate the
>> error and handling would be done elsewhere. Also note that the
>> problem of storing the tags.checksums goes away on the FS layer,
>> as one of the primary tasks of a FS is storing metadata.
>> Arno
>> --
>> Arno Wagner, Dr. sc. techn., Dipl. Inform., CISSP -- Email:
>> arno at wagner.name
>> GnuPG:  ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C  0296 797F 6B50 1E25
>> 338F
>> ----
>> Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans
>> If it's in the news, don't worry about it.  The very definition of
>> "news" is "something that hardly ever happens." -- Bruce Schneier
>> _______________________________________________
>> dm-crypt mailing list
>> dm-crypt at saout.de
>> http://www.saout.de/mailman/listinfo/dm-crypt
> _______________________________________________
> dm-crypt mailing list
> dm-crypt at saout.de
> http://www.saout.de/mailman/listinfo/dm-crypt

More information about the dm-crypt mailing list