integritysetup: Add PHMAC algorithm to list of known algorithms

Add the PHMAC integrity algorithm to the list of supported algorithms. The PHMAC algorithm is like the regular HMAC algorithm, but it takes a wrapped key as input. A key for the PHMAC algorithm is an opaque key blob, who's physical size has nothing to do with the cryptographic size. Currently PHMAC is only available for the s390x architecture.
2026-04-14 00:14:32 +09:00 · 2024-03-04 09:26:18 +01:00
parent 7bf1cfe3b2
commit eb7b0d413e
4 changed files with 9 additions and 3 deletions
--- a/man/integritytab.xml
+++ b/man/integritytab.xml
@@ -56,7 +56,7 @@
    <para>The third field if present contains an absolute filename path to a key file or a <literal>-</literal>
    to specify none.  When the filename is present, the "integrity-algorithm" defaults to <literal>hmac-sha256</literal>
    with the key length derived from the number of bytes in the key file.  At this time the only supported integrity algorithms
-    when using key file are hmac-sha256 and hmac-sha512.  The maximum size of the key file is 4096 bytes.
+    when using key file are hmac-sha256, hmac-sha512, phmac-sha256, and hmac-sha512.  The maximum size of the key file is 4096 bytes.
    </para>

     <para>The fourth field, if present, is a comma-delimited list of options or a <literal>-</literal> to specify none. The following options are
@@ -125,7 +125,7 @@
      </varlistentry>

      <varlistentry>
-        <term><option>integrity-algorithm=[crc32c|crc32|xxhash64|sha1|sha256|hmac-sha256|hmac-sha512]</option></term>
+        <term><option>integrity-algorithm=[crc32c|crc32|xxhash64|sha1|sha256|hmac-sha256|hmac-sha512|phmac-sha256|phmac-sha512]</option></term>

        <listitem><para>
        The algorithm used for integrity checking.  The default is crc32c. Must match option used during format.
--- a/src/integritysetup/integrity-util.c
+++ b/src/integritysetup/integrity-util.c
@@ -11,7 +11,7 @@
 #include "time-util.h"

 static int supported_integrity_algorithm(char *user_supplied) {
-        if (!STR_IN_SET(user_supplied, "crc32", "crc32c", "xxhash64", "sha1", "sha256", "hmac-sha256", "hmac-sha512"))
+        if (!STR_IN_SET(user_supplied, "crc32", "crc32c", "xxhash64", "sha1", "sha256", "hmac-sha256", "hmac-sha512", "phmac-sha256", "phmac-sha512"))
                return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Unsupported integrity algorithm (%s)", user_supplied);
        return 0;
 }
--- a/src/integritysetup/integrity-util.h
+++ b/src/integritysetup/integrity-util.h
@@ -13,4 +13,6 @@ int parse_integrity_options(

 #define DM_HMAC_256 "hmac(sha256)"
 #define DM_HMAC_512 "hmac(sha512)"
+#define DM_PHMAC_256 "phmac(sha256)"
+#define DM_PHMAC_512 "phmac(sha512)"
 #define DM_MAX_KEY_SIZE 4096            /* Maximum size of key allowed for dm-integrity */
--- a/src/integritysetup/integritysetup.c
+++ b/src/integritysetup/integritysetup.c
@@ -79,6 +79,10 @@ static const char *integrity_algorithm_select(const void *key_file_buf) {
                        return DM_HMAC_256;
                if (streq("hmac-sha512", arg_integrity_algorithm))
                        return DM_HMAC_512;
+                if (streq("phmac-sha256", arg_integrity_algorithm))
+                        return DM_PHMAC_256;
+                if (streq("phmac-sha512", arg_integrity_algorithm))
+                        return DM_PHMAC_512;
                return arg_integrity_algorithm;
        } else if (key_file_buf)
                return DM_HMAC_256;