Gitiles
Code Review Sign In
gerrit.omnirom.org / android_packages_modules_Virtualization / 195f89cd06b03af91cd80b59896a2e2f5291dc76^! / . / libs / devicemapper / src / crypt.rs
commit195f89cd06b03af91cd80b59896a2e2f5291dc76[log] [tgz]
authorShikha Panwar <shikhapanwar@google.com>Wed Nov 23 16:20:34 2022 +0000
committerShikha Panwar <shikhapanwar@google.com>Mon Nov 28 19:31:05 2022 +0000
tree3af3974314bd0f6b2bcd2f6a4929d8c2f53463cd
parent2ce2057d214d9f8179a31bf73a5de14e17fd4d95 [diff] [blame]
Change block cipher mode from XTS -> HCTR2

We will be using aes-hctr2-plain64 cipher for  encryptedstore.

Reason: With XTS, an attacker can tamper or replay at 16-byte
granularity. A bit flip in the encrypted text diffuses randomly in
plaintext, but only within an aligned 16-byte range. But with HCTR2 this
diffusion will be at crypto sector size.

For IV we use the 64 bytes' sector number referred to as "plain64".

Bug: 259253336
Test: Run a vm with --storage & --storage-size flag
Change-Id: I1ecd98072d6cb552d93fbc4053a3e6f004e0854e

diff --git a/libs/devicemapper/src/crypt.rs b/libs/devicemapper/src/crypt.rs
index 9b715a5..75105ce 100644
--- a/libs/devicemapper/src/crypt.rs
+++ b/libs/devicemapper/src/crypt.rs

@@ -33,9 +33,21 @@
 
 /// Supported ciphers
 pub enum CipherType {
-    // TODO(b/253394457) Include ciphers with authenticated modes as well
+    // AES-256-HCTR2 takes a 32-byte key
+    AES256HCTR2,
+    // XTS requires key of twice the length of the underlying block cipher i.e., 64B for AES256
     AES256XTS,
 }
+impl CipherType {
+    fn get_kernel_crypto_name(&self) -> &str {
+        match *self {
+            // We use "plain64" as the IV/nonce generation algorithm -
+            // which basically is the sector number.
+            CipherType::AES256HCTR2 => "aes-hctr2-plain64",
+            CipherType::AES256XTS => "aes-xts-plain64",
+        }
+    }
+}
 
 pub struct DmCryptTarget(Box<[u8]>);
 
@@ -59,7 +71,7 @@
 impl<'a> Default for DmCryptTargetBuilder<'a> {
     fn default() -> Self {
         DmCryptTargetBuilder {
-            cipher: CipherType::AES256XTS,
+            cipher: CipherType::AES256HCTR2,
             key: None,
             iv_offset: 0,
             device_path: None,
@@ -121,7 +133,7 @@
         // <offset> [<#opt_params> <opt_params>]
         let mut body = String::new();
         use std::fmt::Write;
-        write!(&mut body, "{} ", get_kernel_crypto_name(&self.cipher))?;
+        write!(&mut body, "{} ", self.cipher.get_kernel_crypto_name())?;
         write!(&mut body, "{} ", key)?;
         write!(&mut body, "{} ", self.iv_offset)?;
         write!(&mut body, "{} ", device_path)?;
@@ -145,9 +157,3 @@
         Ok(DmCryptTarget(buf.into_boxed_slice()))
     }
 }
-
-fn get_kernel_crypto_name(cipher: &CipherType) -> &str {
-    match cipher {
-        CipherType::AES256XTS => "aes-xts-plain64",
-    }
-}