Bug 2212771 - Do not allow selecting specific cipher implementation in libcryptsetup
Summary: Do not allow selecting specific cipher implementation in libcryptsetup
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: cryptsetup
Version: 9.0
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: rc
: 9.3
Assignee: Daniel Zaťovič
QA Contact: guazhang@redhat.com
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-06-06 10:06 UTC by Ondrej Kozina
Modified: 2023-07-14 00:43 UTC (History)
5 users (show)

Fixed In Version: cryptsetup-2.6.0-3.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Gitlab cryptsetup cryptsetup issues 809 0 None closed Unsigned header allows attacker to choose vulnerable AES implementation in untrusted cloud host setting 2023-06-06 10:06:16 UTC
Red Hat Issue Tracker RHELPLAN-159060 0 None None None 2023-06-06 10:09:26 UTC

Description Ondrej Kozina 2023-06-06 10:06:17 UTC 
Description of problem:

Libcryptsetup should not allow selecting specific cipher implementation when using 'capi' cipher format. For example aes-generic is SW implementation of AES cipher in kernel that does not use HW acceleration specific to available CPU.

Selecting specific cipher implementation should always be delegated to kernel crypto layer. This may allow loading cipher implementations that are susceptible to side-channel attacks on volume keys.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. cryptsetup luksFormat -c 'capi:xts(ecb(aes-generic))-plain64' /dev/device
2. cryptsetup open /dev/device

Actual results:
It passes in both step 1) and step 2)

Expected results:
Neither luksFormat or subsequent open commands shall pass. It also applies on LUKS2 headers previously formated/changed to use aes-generic implementation in kernel.

Additional info:
aes-generic driver is AES software implementation using lookup tables, susceptible to side-channel attacks.
Comment 2 guazhang@redhat.com 2023-07-11 04:57:01 UTC 

cryptsetup-2.6.0-2.el9.x86_64
[root@dell-per730-43 ~]# cryptsetup luksFormat -c 'capi:xts(ecb(aes-generic))-plain64' t.tar -q
Enter passphrase for t.tar: 
[root@dell-per730-43 ~]# $?
-bash: 0: command not found
[root@dell-per730-43 ~]# 


cryptsetup-2.6.0-3.el9.x86_64
[root@storageqe-100 ~]# cryptsetup luksFormat -c 'capi:xts(ecb(aes-generic))-plain64' t.tar 
No known cipher specification pattern detected.
[root@storageqe-100 ~]# $?
-bash: 1: command not found
[root@storageqe-100 ~]# 

so the fixed package have passed.
Note You need to log in before you can comment on or make changes to this bug.