Re: [PATCH 1/5 v2] PM / hibernate: Create snapshot keys handler

[Andy Lutomirski]

> On Jan 7, 2019, at 11:09 PM, Stephan Mueller <smueller@xxxxxxxxxx> wrote:
> 
> Am Dienstag, 8. Januar 2019, 06:03:58 CET schrieb Herbert Xu:
> 
> Hi Herbert,
> 
>> Are we going to have multiple implementations for the same KDF?
>> If not then the crypto API is not a good fit.  To consolidate
>> multiple implementations of the same KDF, simply provide helpers
>> for them.
> 
> It is unlikely to have multiple implementations of a KDF. However, KDFs relate 
> to hashes like block chaining modes to raw block ciphers. Thus a KDF can be 
> applied with different hashes.
> 
> My idea was to add template support to RNGs (because KDFs are effectively a 
> type of RNG since they produce an arbitrary output from a fixed input). The 
> KDFs would be a template wrapping hashes. For example, the CTR-KDF from 
> SP800-108 could be instantiated like kdf-ctr(sha256).
> 
> 

I think that, if the crypto API is going to grow a KDF facility, it should be done right. Have a key type or flag or whatever that says âthis key may *only* be used to derive keys using such-and-such algorithmâ, and have a helper to derive a key.  That helper should take some useful parameters and mix them in:

- What type of key is being derived?  ECDSA signing key?  HMAC key?  AES key?

- Can user code access the derived key?

- What is the keyâs purpose?  âEncrypt and authenticate a hibernation imageâ would be a purpose.

- Number of bytes.

All of these parameters should be mixed in to the key derivation.

Also, an AE key, even for AES+HMAC, should be just one derived key.  If you need 512 bits, ask for a 512-bit key, not two 256-bit keys.