Linux 6.2 Adding FSCRYPT Support For China's Questionable SM4 Cipher

Written by Michael Larabel in Linux Storage on 12 December 2022 at 05:30 AM EST. 31 Comments
LINUX STORAGE
As part of the many pull requests being sent in early for the Linux 6.2 merge window to avoid crunch time around the holidays is the FSCRYPT file-system encryption framework updates.

Support for China's SM4 cipher is being added to FSCRYPT but the maintainer of this area of the kernel recommends against using it.

SM4 is the block cipher developed by the China and used for WLAN/WiFi WAPI and Transport Layer Security (TLS) purposes among other use-cases. SM4 has so far been rejected by the ISO for standardization with some questioning it due to its close association with the Chinese government. The WLAN Authentication and Privacy Infrastructure (WAPI) has also been rejected by the IEEE and ISO.

The Linux kernel already ships an optimized SM4 cipher implementation while for Linux 6.2 the plan is adding optional SM4 usage to the FSCRYPT framework for file-system encryption. FSCRYPT allows for file encryption via a common API on the likes of EXT4, UBIFS, and F2FS.

Alibaba worked on this FSCRYPT SM4 support and when questioned over the merits of adding SM4 to FSCRYPT, the explanation was:
We want to provide our users with the ability to encrypt disks and files using SM4-XTS, the ability to sign SM2/3, and the ability to use SM4-GCM/CCM with TLS (of course this belongs to other parts), quite a few users need these features.

FSCRYPT maintainer Eric Biggers went ahead and included these SM4-XTS patches in the FSCRYPT subsystem, but noted in the pull request:
This release adds SM4 encryption support, contributed by Tianjia Zhang. SM4 is a Chinese block cipher that is an alternative to AES.

I recommend against using SM4, but (according to Tianjia) some people are being required to use it. Since SM4 has been turning up in many other places (crypto API, wireless, TLS, OpenSSL, ARMv8 CPUs, etc.), it hasn't been very controversial, and some people have to use it, I don't think it would be fair for me to reject this optional feature.

So barring any objections from Linus Torvalds, optional SM4-XTS support for blk-crypto and FSCRYPT will be found in Linux 6.2.
31 Comments
Related News
Linux Fixes Regression That Broke File Names With ❤️ & Other Special Characters
OpenZFS 2.2.7 Released With Linux 6.12 Support, Many Fixes
Optimizing Linux MD Bitmap Code Yields 89% Throughput Boost For Quad SSDs
NFS Server Scalability Improvement & Other NFS Enhancements For Linux 6.13
IO_uring Enjoys Hybrid IO Polling & Ring Resizing With Linux 6.13
exFAT Driver With Linux 6.13 Reduces FAT Chain Traversal For Better Performance
About The Author
Michael Larabel

Michael Larabel is the principal author of Phoronix.com and founded the site in 2004 with a focus on enriching the Linux hardware experience. Michael has written more than 20,000 articles covering the state of Linux hardware support, Linux performance, graphics drivers, and other topics. Michael is also the lead developer of the Phoronix Test Suite, Phoromatic, and OpenBenchmarking.org automated benchmarking software. He can be followed via Twitter, LinkedIn, or contacted via MichaelLarabel.com.

Popular News This Week
OpenWrt Affected By Security Issue That Could Have Led To Compromised Build Artifacts
Linus Torvalds Comes Out Against "Completely Broken" x86_64 Feature Levels
Linux EFI Zboot Abandoning "Compression Library Museum", Focusing On Gzip & Zstd
COSMIC Alpha 4 Released For System76's Rust-Based Desktop
Ptyxis Becomes Ubuntu's Recommended Replacement To GNOME Terminal
How AMD Is Taking Standard C/C++ Code To Run Directly On GPUs
GNU Shepherd 1.0 Service Manager Released As "Solid Tool" Alternative To systemd
KDE Starts December By Landing A Number Of New Features