0001 Kernel Crypto API Architecture
0002 ==============================
0003
0004 Cipher algorithm types
0005 ----------------------
0006
0007 The kernel crypto API provides different API calls for the following
0008 cipher types:
0009
0010 - Symmetric ciphers
0011
0012 - AEAD ciphers
0013
0014 - Message digest, including keyed message digest
0015
0016 - Random number generation
0017
0018 - User space interface
0019
0020 Ciphers And Templates
0021 ---------------------
0022
0023 The kernel crypto API provides implementations of single block ciphers
0024 and message digests. In addition, the kernel crypto API provides
0025 numerous "templates" that can be used in conjunction with the single
0026 block ciphers and message digests. Templates include all types of block
0027 chaining mode, the HMAC mechanism, etc.
0028
0029 Single block ciphers and message digests can either be directly used by
0030 a caller or invoked together with a template to form multi-block ciphers
0031 or keyed message digests.
0032
0033 A single block cipher may even be called with multiple templates.
0034 However, templates cannot be used without a single cipher.
0035
0036 See /proc/crypto and search for "name". For example:
0037
0038 - aes
0039
0040 - ecb(aes)
0041
0042 - cmac(aes)
0043
0044 - ccm(aes)
0045
0046 - rfc4106(gcm(aes))
0047
0048 - sha1
0049
0050 - hmac(sha1)
0051
0052 - authenc(hmac(sha1),cbc(aes))
0053
0054 In these examples, "aes" and "sha1" are the ciphers and all others are
0055 the templates.
0056
0057 Synchronous And Asynchronous Operation
0058 --------------------------------------
0059
0060 The kernel crypto API provides synchronous and asynchronous API
0061 operations.
0062
0063 When using the synchronous API operation, the caller invokes a cipher
0064 operation which is performed synchronously by the kernel crypto API.
0065 That means, the caller waits until the cipher operation completes.
0066 Therefore, the kernel crypto API calls work like regular function calls.
0067 For synchronous operation, the set of API calls is small and
0068 conceptually similar to any other crypto library.
0069
0070 Asynchronous operation is provided by the kernel crypto API which
0071 implies that the invocation of a cipher operation will complete almost
0072 instantly. That invocation triggers the cipher operation but it does not
0073 signal its completion. Before invoking a cipher operation, the caller
0074 must provide a callback function the kernel crypto API can invoke to
0075 signal the completion of the cipher operation. Furthermore, the caller
0076 must ensure it can handle such asynchronous events by applying
0077 appropriate locking around its data. The kernel crypto API does not
0078 perform any special serialization operation to protect the caller's data
0079 integrity.
0080
0081 Crypto API Cipher References And Priority
0082 -----------------------------------------
0083
0084 A cipher is referenced by the caller with a string. That string has the
0085 following semantics:
0086
0087 ::
0088
0089 template(single block cipher)
0090
0091
0092 where "template" and "single block cipher" is the aforementioned
0093 template and single block cipher, respectively. If applicable,
0094 additional templates may enclose other templates, such as
0095
0096 ::
0097
0098 template1(template2(single block cipher)))
0099
0100
0101 The kernel crypto API may provide multiple implementations of a template
0102 or a single block cipher. For example, AES on newer Intel hardware has
0103 the following implementations: AES-NI, assembler implementation, or
0104 straight C. Now, when using the string "aes" with the kernel crypto API,
0105 which cipher implementation is used? The answer to that question is the
0106 priority number assigned to each cipher implementation by the kernel
0107 crypto API. When a caller uses the string to refer to a cipher during
0108 initialization of a cipher handle, the kernel crypto API looks up all
0109 implementations providing an implementation with that name and selects
0110 the implementation with the highest priority.
0111
0112 Now, a caller may have the need to refer to a specific cipher
0113 implementation and thus does not want to rely on the priority-based
0114 selection. To accommodate this scenario, the kernel crypto API allows
0115 the cipher implementation to register a unique name in addition to
0116 common names. When using that unique name, a caller is therefore always
0117 sure to refer to the intended cipher implementation.
0118
0119 The list of available ciphers is given in /proc/crypto. However, that
0120 list does not specify all possible permutations of templates and
0121 ciphers. Each block listed in /proc/crypto may contain the following
0122 information -- if one of the components listed as follows are not
0123 applicable to a cipher, it is not displayed:
0124
0125 - name: the generic name of the cipher that is subject to the
0126 priority-based selection -- this name can be used by the cipher
0127 allocation API calls (all names listed above are examples for such
0128 generic names)
0129
0130 - driver: the unique name of the cipher -- this name can be used by the
0131 cipher allocation API calls
0132
0133 - module: the kernel module providing the cipher implementation (or
0134 "kernel" for statically linked ciphers)
0135
0136 - priority: the priority value of the cipher implementation
0137
0138 - refcnt: the reference count of the respective cipher (i.e. the number
0139 of current consumers of this cipher)
0140
0141 - selftest: specification whether the self test for the cipher passed
0142
0143 - type:
0144
0145 - skcipher for symmetric key ciphers
0146
0147 - cipher for single block ciphers that may be used with an
0148 additional template
0149
0150 - shash for synchronous message digest
0151
0152 - ahash for asynchronous message digest
0153
0154 - aead for AEAD cipher type
0155
0156 - compression for compression type transformations
0157
0158 - rng for random number generator
0159
0160 - kpp for a Key-agreement Protocol Primitive (KPP) cipher such as
0161 an ECDH or DH implementation
0162
0163 - blocksize: blocksize of cipher in bytes
0164
0165 - keysize: key size in bytes
0166
0167 - ivsize: IV size in bytes
0168
0169 - seedsize: required size of seed data for random number generator
0170
0171 - digestsize: output size of the message digest
0172
0173 - geniv: IV generator (obsolete)
0174
0175 Key Sizes
0176 ---------
0177
0178 When allocating a cipher handle, the caller only specifies the cipher
0179 type. Symmetric ciphers, however, typically support multiple key sizes
0180 (e.g. AES-128 vs. AES-192 vs. AES-256). These key sizes are determined
0181 with the length of the provided key. Thus, the kernel crypto API does
0182 not provide a separate way to select the particular symmetric cipher key
0183 size.
0184
0185 Cipher Allocation Type And Masks
0186 --------------------------------
0187
0188 The different cipher handle allocation functions allow the specification
0189 of a type and mask flag. Both parameters have the following meaning (and
0190 are therefore not covered in the subsequent sections).
0191
0192 The type flag specifies the type of the cipher algorithm. The caller
0193 usually provides a 0 when the caller wants the default handling.
0194 Otherwise, the caller may provide the following selections which match
0195 the aforementioned cipher types:
0196
0197 - CRYPTO_ALG_TYPE_CIPHER Single block cipher
0198
0199 - CRYPTO_ALG_TYPE_COMPRESS Compression
0200
0201 - CRYPTO_ALG_TYPE_AEAD Authenticated Encryption with Associated Data
0202 (MAC)
0203
0204 - CRYPTO_ALG_TYPE_KPP Key-agreement Protocol Primitive (KPP) such as
0205 an ECDH or DH implementation
0206
0207 - CRYPTO_ALG_TYPE_HASH Raw message digest
0208
0209 - CRYPTO_ALG_TYPE_SHASH Synchronous multi-block hash
0210
0211 - CRYPTO_ALG_TYPE_AHASH Asynchronous multi-block hash
0212
0213 - CRYPTO_ALG_TYPE_RNG Random Number Generation
0214
0215 - CRYPTO_ALG_TYPE_AKCIPHER Asymmetric cipher
0216
0217 - CRYPTO_ALG_TYPE_PCOMPRESS Enhanced version of
0218 CRYPTO_ALG_TYPE_COMPRESS allowing for segmented compression /
0219 decompression instead of performing the operation on one segment
0220 only. CRYPTO_ALG_TYPE_PCOMPRESS is intended to replace
0221 CRYPTO_ALG_TYPE_COMPRESS once existing consumers are converted.
0222
0223 The mask flag restricts the type of cipher. The only allowed flag is
0224 CRYPTO_ALG_ASYNC to restrict the cipher lookup function to
0225 asynchronous ciphers. Usually, a caller provides a 0 for the mask flag.
0226
0227 When the caller provides a mask and type specification, the caller
0228 limits the search the kernel crypto API can perform for a suitable
0229 cipher implementation for the given cipher name. That means, even when a
0230 caller uses a cipher name that exists during its initialization call,
0231 the kernel crypto API may not select it due to the used type and mask
0232 field.
0233
0234 Internal Structure of Kernel Crypto API
0235 ---------------------------------------
0236
0237 The kernel crypto API has an internal structure where a cipher
0238 implementation may use many layers and indirections. This section shall
0239 help to clarify how the kernel crypto API uses various components to
0240 implement the complete cipher.
0241
0242 The following subsections explain the internal structure based on
0243 existing cipher implementations. The first section addresses the most
0244 complex scenario where all other scenarios form a logical subset.
0245
0246 Generic AEAD Cipher Structure
0247 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
0248
0249 The following ASCII art decomposes the kernel crypto API layers when
0250 using the AEAD cipher with the automated IV generation. The shown
0251 example is used by the IPSEC layer.
0252
0253 For other use cases of AEAD ciphers, the ASCII art applies as well, but
0254 the caller may not use the AEAD cipher with a separate IV generator. In
0255 this case, the caller must generate the IV.
0256
0257 The depicted example decomposes the AEAD cipher of GCM(AES) based on the
0258 generic C implementations (gcm.c, aes-generic.c, ctr.c, ghash-generic.c,
0259 seqiv.c). The generic implementation serves as an example showing the
0260 complete logic of the kernel crypto API.
0261
0262 It is possible that some streamlined cipher implementations (like
0263 AES-NI) provide implementations merging aspects which in the view of the
0264 kernel crypto API cannot be decomposed into layers any more. In case of
0265 the AES-NI implementation, the CTR mode, the GHASH implementation and
0266 the AES cipher are all merged into one cipher implementation registered
0267 with the kernel crypto API. In this case, the concept described by the
0268 following ASCII art applies too. However, the decomposition of GCM into
0269 the individual sub-components by the kernel crypto API is not done any
0270 more.
0271
0272 Each block in the following ASCII art is an independent cipher instance
0273 obtained from the kernel crypto API. Each block is accessed by the
0274 caller or by other blocks using the API functions defined by the kernel
0275 crypto API for the cipher implementation type.
0276
0277 The blocks below indicate the cipher type as well as the specific logic
0278 implemented in the cipher.
0279
0280 The ASCII art picture also indicates the call structure, i.e. who calls
0281 which component. The arrows point to the invoked block where the caller
0282 uses the API applicable to the cipher type specified for the block.
0283
0284 ::
0285
0286
0287 kernel crypto API | IPSEC Layer
0288 |
0289 +-----------+ |
0290 | | (1)
0291 | aead | <----------------------------------- esp_output
0292 | (seqiv) | ---+
0293 +-----------+ |
0294 | (2)
0295 +-----------+ |
0296 | | <--+ (2)
0297 | aead | <----------------------------------- esp_input
0298 | (gcm) | ------------+
0299 +-----------+ |
0300 | (3) | (5)
0301 v v
0302 +-----------+ +-----------+
0303 | | | |
0304 | skcipher | | ahash |
0305 | (ctr) | ---+ | (ghash) |
0306 +-----------+ | +-----------+
0307 |
0308 +-----------+ | (4)
0309 | | <--+
0310 | cipher |
0311 | (aes) |
0312 +-----------+
0313
0314
0315
0316 The following call sequence is applicable when the IPSEC layer triggers
0317 an encryption operation with the esp_output function. During
0318 configuration, the administrator set up the use of seqiv(rfc4106(gcm(aes)))
0319 as the cipher for ESP. The following call sequence is now depicted in
0320 the ASCII art above:
0321
0322 1. esp_output() invokes crypto_aead_encrypt() to trigger an
0323 encryption operation of the AEAD cipher with IV generator.
0324
0325 The SEQIV generates the IV.
0326
0327 2. Now, SEQIV uses the AEAD API function calls to invoke the associated
0328 AEAD cipher. In our case, during the instantiation of SEQIV, the
0329 cipher handle for GCM is provided to SEQIV. This means that SEQIV
0330 invokes AEAD cipher operations with the GCM cipher handle.
0331
0332 During instantiation of the GCM handle, the CTR(AES) and GHASH
0333 ciphers are instantiated. The cipher handles for CTR(AES) and GHASH
0334 are retained for later use.
0335
0336 The GCM implementation is responsible to invoke the CTR mode AES and
0337 the GHASH cipher in the right manner to implement the GCM
0338 specification.
0339
0340 3. The GCM AEAD cipher type implementation now invokes the SKCIPHER API
0341 with the instantiated CTR(AES) cipher handle.
0342
0343 During instantiation of the CTR(AES) cipher, the CIPHER type
0344 implementation of AES is instantiated. The cipher handle for AES is
0345 retained.
0346
0347 That means that the SKCIPHER implementation of CTR(AES) only
0348 implements the CTR block chaining mode. After performing the block
0349 chaining operation, the CIPHER implementation of AES is invoked.
0350
0351 4. The SKCIPHER of CTR(AES) now invokes the CIPHER API with the AES
0352 cipher handle to encrypt one block.
0353
0354 5. The GCM AEAD implementation also invokes the GHASH cipher
0355 implementation via the AHASH API.
0356
0357 When the IPSEC layer triggers the esp_input() function, the same call
0358 sequence is followed with the only difference that the operation starts
0359 with step (2).
0360
0361 Generic Block Cipher Structure
0362 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
0363
0364 Generic block ciphers follow the same concept as depicted with the ASCII
0365 art picture above.
0366
0367 For example, CBC(AES) is implemented with cbc.c, and aes-generic.c. The
0368 ASCII art picture above applies as well with the difference that only
0369 step (4) is used and the SKCIPHER block chaining mode is CBC.
0370
0371 Generic Keyed Message Digest Structure
0372 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
0373
0374 Keyed message digest implementations again follow the same concept as
0375 depicted in the ASCII art picture above.
0376
0377 For example, HMAC(SHA256) is implemented with hmac.c and
0378 sha256_generic.c. The following ASCII art illustrates the
0379 implementation:
0380
0381 ::
0382
0383
0384 kernel crypto API | Caller
0385 |
0386 +-----------+ (1) |
0387 | | <------------------ some_function
0388 | ahash |
0389 | (hmac) | ---+
0390 +-----------+ |
0391 | (2)
0392 +-----------+ |
0393 | | <--+
0394 | shash |
0395 | (sha256) |
0396 +-----------+
0397
0398
0399
0400 The following call sequence is applicable when a caller triggers an HMAC
0401 operation:
0402
0403 1. The AHASH API functions are invoked by the caller. The HMAC
0404 implementation performs its operation as needed.
0405
0406 During initialization of the HMAC cipher, the SHASH cipher type of
0407 SHA256 is instantiated. The cipher handle for the SHA256 instance is
0408 retained.
0409
0410 At one time, the HMAC implementation requires a SHA256 operation
0411 where the SHA256 cipher handle is used.
0412
0413 2. The HMAC instance now invokes the SHASH API with the SHA256 cipher
0414 handle to calculate the message digest.
