Better kernel crypto

Looks like we’ll finally have some optimized crypto in the kernel, having just received GPL licensing signoff from the original author of the i586 optimized AES code, Brian Gladman.

In addition to optimized ASM code (of which we need more), we also need support for hardware crypto. This requires a new asynchronous API and an overhaul of much calling code (e.g. IPSec). I presented on the topic at the recent Kernel Networking Summit in Oregon (slides).

For anyone interested in helping with development, there’s a new Crypto API mailing list. Some collected requirements can be found in this aging document.

Kernel disk encryption has been problematic: the cryptoloop code is buggy on journaled filesystems, has multiple security problems, and is unmaintained. The newer dm-crypt solution is technically superior, but as it is compatible with cryptoloop encryption, it also has the same security issues. Thankfully, noted cryptographer David Wagner has stepped in to help review the security of our existing code, and has offered to help review future development. Discussion of improved security for dm-crypt is happening on the dm-crypt mailing list.

Michael Halcrow of IBM gave a talk last week at OLS on disk encryption, reviewing existing schemes and then explaining how he plans to extend Cryptfs for use as a Linux desktop disk encryption system. The OLS proceedings don’t seem to be officially online yet but they should be soon (or ask around for a copy). The Cryptfs work looks promising, hopefully we’ll see it upstream soon.