mbox series

[RFC,v2,0/3] cifs: introduce support for AES-GMAC signing

Message ID 20220829213354.2714-1-ematsumiya@suse.de (mailing list archive)
Headers show
Series cifs: introduce support for AES-GMAC signing | expand

Message

Enzo Matsumiya Aug. 29, 2022, 9:33 p.m. UTC 
Hi,

This patch series introduce the support for AES-GMAC signing for SMB 3.1.1,
when the negotiate signing context is successfully negotiated.

This is an implementation of the MS-SMB2 spec, section 3.1.4.1 "Signing An
Outgoing Message".

AES-GMAC uses AES-128-GCM (kernel crypto algorithm "gcm(aes)" from the gcm
module) as its base.

AES-GCM, an authenticated encryption algorithm, takes 4 inputs for encryption:
1. a secret key
2. an initialization vector (IV), or nonce
3. the plaintext data (the message to be encrypted)
4. an extra buffer called Additional Authenticated data (AAD), or sometimes
   Associated Data (AD)

Superficially describing it, it encrypts the plaintext using the key and then
uses the nonce to generate an authentication tag (our signature, in this
context).  It then produces 2 outputs; the encrypted data, along with its
computed authentication tag.  The AAD buffer is left intact.

Because of this design, AES-GCM can be used to "encrypt" an empty plaintext
buffer, and still run its authentication generation algorithm over the AAD
buffer (which is set to our SMB2 message), making it practically a MAC
algorithm.

Compared to AES-CMAC, AES-GMAC has shown (*) to be much faster because its
internal authentication algorithm can be paralellized by taking advantage of
especialized, optimized CPU instructions (on certain supported platforms).

With these patches, I hope cifs.ko can get a performance improvemente when
AES-GMAC is used for message signing.

Patch 1/3: add the core functions to perform AES-GMAC signing (see commit
	   message for more details)
Patch 2/3: set the "enable_negotiate_signing" module param as deprecated,
	   making cifs.ko always try to negotiate AES-GMAC first, but use
	   AES-CMAC if fail
Patch 3/3: show the signing algorithm name being used in DebugData

To do/discuss:
- serious benchmark and comparison (vs AES-CMAC) on cifs.ko workloads (*)
- complete removal of "enable_negotiate_signing" module param
- RDMA/SMB Direct; I have no experience with it, nor an RDMA-capable setup
- bugs?

Any kind of feedback is welcome.


Cheers,

Enzo Matsumiya (3):
  cifs: introduce AES-GMAC signing support for SMB 3.1.1
  cifs: deprecate 'enable_negotiate_signing' module param
  cifs: show signing algorithm name in DebugData

 fs/cifs/cifs_debug.c    |   7 +-
 fs/cifs/cifsencrypt.c   |   5 +
 fs/cifs/cifsfs.c        |   8 +-
 fs/cifs/cifsglob.h      |  12 +-
 fs/cifs/sess.c          |   2 +
 fs/cifs/smb2glob.h      |  10 +
 fs/cifs/smb2misc.c      |   6 +
 fs/cifs/smb2ops.c       | 484 +++++++++++++++++++++++++++++++++-------
 fs/cifs/smb2pdu.c       |  97 ++++++--
 fs/cifs/smb2proto.h     |   7 +-
 fs/cifs/smb2transport.c |  87 ++++++--
 11 files changed, 592 insertions(+), 133 deletions(-)