fscrypt: Add HCTR2 support for filename encryption
author Nathan Huckleberry <nhuck@google.com>
Fri, 20 May 2022 18:15:01 +0000 (18:15 +0000)
committer Herbert Xu <herbert@gondor.apana.org.au>
Fri, 10 Jun 2022 08:40:18 +0000 (16:40 +0800)
commit 6b2a51ff03bf0c54cbc699ee85a9a49eb203ebfc
tree 8110bcd6c9baaedb35a031ae2529b2e47fa74269
parent 9d2c0b485c46c7c5f781067c60300def5d1365cb
fscrypt: Add HCTR2 support for filename encryption

HCTR2 is a tweakable, length-preserving encryption mode that is intended
for use on CPUs with dedicated crypto instructions.  HCTR2 has the
property that a bitflip in the plaintext changes the entire ciphertext.
This property fixes a known weakness with filename encryption: when two
filenames in the same directory share a prefix of >= 16 bytes, with
AES-CTS-CBC their encrypted filenames share a common substring, leaking
information.  HCTR2 does not have this problem.

More information on HCTR2 can be found here: "Length-preserving
encryption with HCTR2": https://eprint.iacr.org/2021/1441.pdf

Signed-off-by: Nathan Huckleberry <nhuck@google.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Acked-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Documentation/filesystems/fscrypt.rst
fs/crypto/fscrypt_private.h
fs/crypto/keysetup.c
fs/crypto/policy.c
include/uapi/linux/fscrypt.h
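
The shared-prefix weakness the commit message describes for AES-CTS-CBC, as an added example that is not part of this commit or of the kernel source. It assumes every name in a directory is encrypted under the same key and IV, uses a toy Feistel permutation as a stand-in for AES so it runs without a crypto library, and uses constructed filenames; it shows only the CBC side, not HCTR2.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes, as for AES

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """4-round Feistel permutation on 16 bytes: a stand-in for AES, not AES."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.sha256).digest()[:8]
        left, right = right, xor(left, f)
    return left + right

def cbc_cts_encrypt(key: bytes, iv: bytes, name: bytes) -> bytes:
    """CBC with ciphertext stealing (CS3 layout: last two blocks swapped)."""
    if len(name) <= BLOCK:
        raise ValueError("this sketch handles names longer than one block")
    blocks = [name[i:i + BLOCK] for i in range(0, len(name), BLOCK)]
    tail = len(blocks[-1])
    blocks[-1] = blocks[-1].ljust(BLOCK, b"\0")
    out, prev = [], iv
    for blk in blocks:
        # Each ciphertext block depends only on the plaintext up to that point.
        prev = toy_block_encrypt(key, xor(blk, prev))
        out.append(prev)
    out[-2], out[-1] = out[-1], out[-2][:tail]  # steal from second-to-last
    return b"".join(out)

def shared_leading_blocks(a: bytes, b: bytes) -> int:
    """Number of identical 16-byte blocks at the start of two ciphertexts."""
    n = 0
    while (n + 1) * BLOCK <= min(len(a), len(b)) and \
            a[n * BLOCK:(n + 1) * BLOCK] == b[n * BLOCK:(n + 1) * BLOCK]:
        n += 1
    return n

# Constructed sample data: one key and IV for every name in the "directory".
KEY, IV = b"constructed-directory-key", bytes(BLOCK)
NAME_A = b"quarterly-financial-report-2022-draft-for-review.xlsx"
NAME_B = b"quarterly-financial-report-2022-final-signed.xlsx"   # same 32-byte prefix
NAME_C = b"Quarterly-financial-report-2022-final-signed.xlsx"   # first byte differs
CT_A, CT_B, CT_C = (cbc_cts_encrypt(KEY, IV, n) for n in (NAME_A, NAME_B, NAME_C))

if __name__ == "__main__":
    print("A vs B shared ciphertext blocks:", shared_leading_blocks(CT_A, CT_B))
    print("B vs C shared ciphertext blocks:", shared_leading_blocks(CT_B, CT_C))
```

Names A and B share two full plaintext blocks, so their ciphertexts begin with the same 32 bytes; a mode where any plaintext bit affects the whole ciphertext would leave no such match.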