RE: [PATCH v2 0/2] crypto: LEA block cipher implementation

From: Dongsoo Lee
Date: Fri Jun 09 2023 - 07:58:36 EST

Next message: Sai Krishna: "[net PATCH v2] octeontx2-af: Move validation of ptp pointer before its usage"
Previous message: Krishna Chaitanya Chundru: "Re: [PATCH v2 1/3] dt-bindings: PCI: qcom: ep: Add interconnects path"
Next in thread: Eric Biggers: "Re: [PATCH v2 0/2] crypto: LEA block cipher implementation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2 Jun 2023 14:39:46 -0700, Eric Biggers wrote:
> I haven't seen any patch that proposes adding LEA support to fscrypt.
> Also, I'm
> not sure that the information you've provided so far is sufficient
> motivation
> for adding it to fscrypt. I did recently allow another national pride
> cipher,
> SM4, to be added to fscrypt, but that was only because a user said they
> were
> being *required* to use SM4. It's not clear that's the case for LEA.

Hello,

We thought that having the dm-crypt module as an in-kernel user of this
patch is enough to apply it. Of course, it would have been better to include
fscrypt in the patch, as file system encryption is very important for
data-at-rest encryption along with disk encryption.

Unfortunately, currently, vendors trying to supply Linux-based data-at-rest
encryption products by utilizing the dm-crypt or the fscrypt modules to
government agencies or public institutions in Korea are experiencing great
difficulties.

According to Korean regulations, the data transmitted and stored by
government agencies and public institutions must be protected using KCMVP
validated cryptographic modules. (KCMVP, the Korean Cryptographic Module
Validation Program, is a Korean security accreditation program for
cryptographic modules, like the CMVP in the United States.) According to the
KCMVP, cryptographic modules that are to be adopted in government agencies
and public institutions are required to use the approved cryptographic
algorithms to encrypt data. As mentioned earlier, LEA, SEED, and ARIA are
the only KCMVP-approved block ciphers.

As you know, the best approach to performing data-at-rest encryption on
Linux is using kernel modules like dm-crypt or fscrypt. Therefore, applying
the proposed patch would be very beneficial for the vendors wanting to
supply Linux products to government agencies or public institutions in
Korea, since they must use the KCMVP-approved cryptographic algorithms such
as LEA.

We kindly request a positive response to enable the utilization of
data-at-rest encryption in such special circumstances, thereby improving
Korea's Linux environment.

Thank you.

Next message: Sai Krishna: "[net PATCH v2] octeontx2-af: Move validation of ptp pointer before its usage"
Previous message: Krishna Chaitanya Chundru: "Re: [PATCH v2 1/3] dt-bindings: PCI: qcom: ep: Add interconnects path"
Next in thread: Eric Biggers: "Re: [PATCH v2 0/2] crypto: LEA block cipher implementation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]