17 Jul, 2018

1 commit

  • commit b7b73cd5d74694ed59abcdb4974dacb4ff8b2a2a upstream.

    The x86 assembly implementations of Salsa20 use the frame base pointer
    register (%ebp or %rbp), which breaks frame pointer convention and
    breaks stack traces when unwinding from an interrupt in the crypto code.
    Recent (v4.10+) kernels will warn about this, e.g.

    WARNING: kernel stack regs at 00000000a8291e69 in syzkaller047086:4677 has bad 'bp' value 000000001077994c
    [...]

    But after looking into it, I believe there's very little reason to still
    retain the x86 Salsa20 code. First, these are *not* vectorized
    (SSE2/SSSE3/AVX2) implementations, which would be needed to get anywhere
    close to the best Salsa20 performance on any remotely modern x86
    processor; they're just regular x86 assembly. Second, it's still
    unclear that anyone is actually using the kernel's Salsa20 at all,
    especially given that now ChaCha20 is supported too, and with much more
    efficient SSSE3 and AVX2 implementations. Finally, in benchmarks I did
    on both Intel and AMD processors with both gcc 8.1.0 and gcc 4.9.4, the
    x86_64 salsa20-asm is actually slightly *slower* than salsa20-generic
    (~3% slower on Skylake, ~10% slower on Zen), while the i686 salsa20-asm
    is only slightly faster than salsa20-generic (~15% faster on Skylake,
    ~20% faster on Zen). The gcc version made little difference.

    So, the x86_64 salsa20-asm is pretty clearly useless. That leaves just
    the i686 salsa20-asm, which based on my tests provides a 15-20% speed
    boost. But that's without updating the code to not use %ebp. And given
    the maintenance cost, the small speed difference vs. salsa20-generic,
    the fact that few people still use i686 kernels, the doubt that anyone
    is even using the kernel's Salsa20 at all, and the fact that a SSE2
    implementation would almost certainly be much faster on any remotely
    modern x86 processor yet no one has cared enough to add one yet, I don't
    think it's worthwhile to keep.

    Thus, just remove both the x86_64 and i686 salsa20-asm implementations.

    Reported-by: syzbot+ffa3a158337bbc01ff09@syzkaller.appspotmail.com
    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

    Eric Biggers
     

04 Feb, 2018

1 commit


02 Nov, 2017

1 commit

  • Many source files in the tree are missing licensing information, which
    makes it harder for compliance tools to determine the correct license.

    By default all files without license information are under the default
    license of the kernel, which is GPL version 2.

    Update the files which contain no license information with the 'GPL-2.0'
    SPDX license identifier. The SPDX identifier is a legally binding
    shorthand, which can be used instead of the full boilerplate text.

    This patch is based on work done by Thomas Gleixner and Kate Stewart and
    Philippe Ombredanne.

    How this work was done:

    Patches were generated and checked against linux-4.14-rc6 for a subset of
    the use cases:
    - file had no licensing information in it,
    - file was a */uapi/* one with no licensing information in it,
    - file was a */uapi/* one with existing licensing information.

    Further patches will be generated in subsequent months to fix up cases
    where non-standard license headers were used, and references to license
    had to be inferred by heuristics based on keywords.

    The analysis to determine which SPDX License Identifier to be applied to
    a file was done in a spreadsheet of side by side results from the
    output of two independent scanners (ScanCode & Windriver) producing SPDX
    tag:value files created by Philippe Ombredanne. Philippe prepared the
    base worksheet, and did an initial spot review of a few 1000 files.

    The 4.13 kernel was the starting point of the analysis with 60,537 files
    assessed. Kate Stewart did a file by file comparison of the scanner
    results in the spreadsheet to determine which SPDX license identifier(s)
    to be applied to the file. She confirmed any determination that was not
    immediately clear with lawyers working with the Linux Foundation.

    Criteria used to select files for SPDX license identifier tagging were:
    - Files considered eligible had to be source code files.
    - Make and config files were included as candidates if they contained >5
    lines of source
    - File already had some variant of a license header in it (even if
    Reviewed-by: Philippe Ombredanne
    Reviewed-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

    Greg Kroah-Hartman
     

09 Aug, 2017

1 commit

  • Use the NULL cipher to copy the AAD and PT/CT from the TX SGL
    to the RX SGL. This allows an in-place crypto operation on the
    RX SGL for encryption, because the TX data is always smaller or
    equal to the RX data (the RX data will hold the tag).

    For decryption, a per-request TX SGL is created which will only hold
    the tag value. As the RX SGL will have no space for the tag value and
    an in-place operation will not write the tag buffer, the TX SGL with the
    tag value is chained to the RX SGL. This now allows an in-place
    crypto operation.

    For example:

    * without the patch:
    kcapi -x 2 -e -c "gcm(aes)" -p 89154d0d4129d322e4487bafaa4f6b46 -k c0ece3e63198af382b5603331cc23fa8 -i 7e489b83622e7228314d878d -a afcd7202d621e06ca53b70c2bdff7fb2 -l 16 -u -s
    00000000000000000000000000000000f4a3eacfbdadd3b1a17117b1d67ffc1f1e21efbbc6d83724a8c296e3bb8cda0c

    * with the patch:
    kcapi -x 2 -e -c "gcm(aes)" -p 89154d0d4129d322e4487bafaa4f6b46 -k c0ece3e63198af382b5603331cc23fa8 -i 7e489b83622e7228314d878d -a afcd7202d621e06ca53b70c2bdff7fb2 -l 16 -u -s
    afcd7202d621e06ca53b70c2bdff7fb2f4a3eacfbdadd3b1a17117b1d67ffc1f1e21efbbc6d83724a8c296e3bb8cda0c

    Tests covering this functionality have been added to libkcapi.

    Signed-off-by: Stephan Mueller
    Signed-off-by: Herbert Xu

    Stephan Mueller
     

10 Jun, 2017

1 commit

  • Add support for generating ecc private keys.

    Generation of ecc private keys is helpful in a user-space to kernel
    ecdh offload because the keys are not revealed to user-space. Private
    key generation is also helpful to implement forward secrecy.

    If the user provides a NULL ecc private key, the kernel will generate it
    and further use it for ecdh.

    Move ecdh's object files below drbg's. drbg must be present in the kernel
    at the time of calling.

    Signed-off-by: Tudor Ambarus
    Reviewed-by: Stephan Müller
    Signed-off-by: Herbert Xu

    Tudor-Dan Ambarus
     

05 Apr, 2017

1 commit

  • Since the gf128mul_x_ble function used by xts.c is now defined inline
    in the header file, the XTS module no longer depends on gf128mul.
    Therefore, the 'select CRYPTO_GF128MUL' line can be safely removed.

    Signed-off-by: Ondrej Mosnacek
    Reviewed-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Ondrej Mosnáček
     

24 Mar, 2017

2 commits

  • vpmsum implementations often don't kick in for short test vectors.
    This is a simple test module that does a configurable number of
    random tests, each up to 64kB and each with random offsets.

    Both CRC-T10DIF and CRC32C are tested.

    Cc: Anton Blanchard
    Signed-off-by: Daniel Axtens
    Signed-off-by: Herbert Xu

    Daniel Axtens
     
  • T10DIF is a CRC16 used heavily in NVMe.

    It turns out we can accelerate it with a CRC32 library and a few
    little tricks.

    Provide the accelerator based on the refactored CRC32 code.

    Cc: Anton Blanchard
    Thanks-to: Hong Bo Peng
    Signed-off-by: Daniel Axtens
    Signed-off-by: Herbert Xu

    Daniel Axtens
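    The two commits above describe a CRC-T10DIF accelerator built on CRC32 machinery and a test module that compares an accelerated implementation against the generic one over random lengths (up to 64 kB) and random offsets. The following is an added example, not the kernel's test module or its vpmsum code: a Python reference for both CRC-T10DIF and CRC32C, each as a bit-serial implementation and as a byte-table implementation, plus a randomized comparison in the same spirit that deliberately mixes short vectors (where accelerators tend to fall back to a generic path) with long ones at random start offsets. The check values 0xD0DB and 0xE3069283 for the ASCII string "123456789" are the standard catalogue values for these two CRCs; function names are my own.

```python
import random

# CRC-T10DIF: 16-bit, polynomial 0x8BB7, init 0, not reflected, no final XOR.
# CRC32C (Castagnoli): 32-bit, reflected polynomial 0x82F63B78,
# init 0xFFFFFFFF and final XOR 0xFFFFFFFF.


def crc_t10dif_bitwise(data: bytes, crc: int = 0) -> int:
    """Bit-serial MSB-first reference for CRC-T10DIF; chainable via crc."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x8BB7) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def crc32c_bitwise(data: bytes, crc: int = 0) -> int:
    """Bit-serial LSB-first reference for CRC32C. The running value is kept
    in its 'finalized' form so partial results can be chained."""
    crc ^= 0xFFFFFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0x82F63B78 if crc & 1 else crc >> 1
    return crc ^ 0xFFFFFFFF


def _make_table(poly: int, width: int, reflected: bool) -> list:
    """Build a 256-entry byte table for either a reflected or a normal CRC."""
    table = []
    top, mask = 1 << (width - 1), (1 << width) - 1
    for i in range(256):
        if reflected:
            c = i
            for _ in range(8):
                c = (c >> 1) ^ poly if c & 1 else c >> 1
        else:
            c = i << (width - 8)
            for _ in range(8):
                c = (((c << 1) ^ poly) if c & top else (c << 1)) & mask
        table.append(c)
    return table


T10DIF_TABLE = _make_table(0x8BB7, 16, False)
CRC32C_TABLE = _make_table(0x82F63B78, 32, True)


def crc_t10dif_table(data: bytes, crc: int = 0) -> int:
    """Byte-at-a-time table implementation of CRC-T10DIF."""
    for byte in data:
        crc = ((crc << 8) & 0xFFFF) ^ T10DIF_TABLE[((crc >> 8) ^ byte) & 0xFF]
    return crc


def crc32c_table(data: bytes, crc: int = 0) -> int:
    """Byte-at-a-time table implementation of CRC32C (same chaining as above)."""
    crc ^= 0xFFFFFFFF
    for byte in data:
        crc = (crc >> 8) ^ CRC32C_TABLE[(crc ^ byte) & 0xFF]
    return crc ^ 0xFFFFFFFF


def random_comparison(rounds: int = 8, max_len: int = 65536, seed: int = 1234) -> int:
    """Compare the two implementations of each CRC over random inputs, the way
    the test module compares accelerated against generic code. Odd rounds use
    short vectors (0..64 bytes), even rounds lengths up to max_len; every
    round starts at a random offset into a constructed buffer. Returns the
    number of mismatches (0 means the implementations agree)."""
    rng = random.Random(seed)
    buf = bytes(rng.getrandbits(8) for _ in range(max_len + 64))  # constructed input
    mismatches = 0
    for i in range(rounds):
        length = rng.randint(0, 64) if i % 2 else rng.randint(0, max_len)
        offset = rng.randint(0, 63)
        chunk = buf[offset:offset + length]
        if crc_t10dif_bitwise(chunk) != crc_t10dif_table(chunk):
            mismatches += 1
        if crc32c_bitwise(chunk) != crc32c_table(chunk):
            mismatches += 1
    return mismatches


if __name__ == "__main__":
    print("t10dif(123456789) = %#06x" % crc_t10dif_table(b"123456789"))
    print("crc32c(123456789) = %#010x" % crc32c_table(b"123456789"))
    print("mismatches:", random_comparison())
```

The short/long alternation is the point of the harness: a CRC accelerator that silently takes a different path below some length threshold is only caught if the test generator actually produces such lengths, and random offsets catch alignment assumptions in the vectorized path.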
     

23 Feb, 2017

1 commit

  • Since the commit f1c131b45410a202eb45cc55980a7a9e4e4b4f40
    ("crypto: xts - Convert to skcipher") the XTS mode is based on ECB,
    so the mode must select ECB, otherwise it can fail to initialize.

    Signed-off-by: Milan Broz
    Signed-off-by: Herbert Xu

    Milan Broz
     

11 Feb, 2017

2 commits

  • Update the generic CCM driver to defer CBC-MAC processing to a
    dedicated CBC-MAC ahash transform rather than open coding this
    transform (and much of the associated scatterwalk plumbing) in
    the CCM driver itself.

    This cleans up the code considerably, but more importantly, it allows
    the use of alternative CBC-MAC implementations that don't suffer from
    performance degradation due to significant setup time (e.g., the NEON
    based AES code needs to enable/disable the NEON, and load the S-box
    into 16 SIMD registers, which cannot be amortized over the entire input
    when using the cipher interface).

    Signed-off-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Ard Biesheuvel
     
  • Lookup table based AES is sensitive to timing attacks, which is due to
    the fact that such table lookups are data dependent, and the fact that
    8 KB worth of tables covers a significant number of cachelines on any
    architecture, resulting in an exploitable correlation between the key
    and the processing time for known plaintexts.

    For network facing algorithms such as CTR, CCM or GCM, this presents a
    security risk, which is why arch specific AES ports are typically time
    invariant, either through the use of special instructions, or by using
    SIMD algorithms that don't rely on table lookups.

    For generic code, this is difficult to achieve without losing too much
    performance, but we can improve the situation significantly by switching
    to an implementation that only needs 256 bytes of table data (the actual
    S-box itself), which can be prefetched at the start of each block to
    eliminate data dependent latencies.

    This code encrypts at ~25 cycles per byte on ARM Cortex-A57 (while the
    ordinary generic AES driver manages 18 cycles per byte on this
    hardware). Decryption is substantially slower.

    Signed-off-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Ard Biesheuvel
     

28 Nov, 2016

4 commits


25 Oct, 2016

6 commits


21 Oct, 2016

1 commit

  • Currently FIPS depends on MODULE_SIG, even if MODULES is disabled.
    This change allows the enabling of FIPS without support for modules.

    If module loading support is enabled, only then does
    FIPS require MODULE_SIG.

    Signed-off-by: Alec Ari
    Signed-off-by: Herbert Xu

    Alec Ari
     

09 Aug, 2016

1 commit


05 Jul, 2016

1 commit

  • Use the vector polynomial multiply-sum instructions in POWER8 to
    speed up crc32c.

    This is just over 41x faster than the slice-by-8 method that it
    replaces. Measurements on a 4.1 GHz POWER8 show it sustaining
    52 GiB/sec.

    A simple btrfs write performance test:

    dd if=/dev/zero of=/mnt/tmpfile bs=1M count=4096
    sync

    is over 3.7x faster.

    Signed-off-by: Anton Blanchard
    Signed-off-by: Herbert Xu

    Anton Blanchard
     

28 Jun, 2016

1 commit


27 Jun, 2016

1 commit


23 Jun, 2016

3 commits

  • * Implement ECDH under kpp API
    * Provide ECC software support for curves P-192 and P-256.
    * Add kpp test for ECDH with data generated by OpenSSL

    Signed-off-by: Salvatore Benedetto
    Signed-off-by: Herbert Xu

    Salvatore Benedetto
     
  • * Implement MPI based Diffie-Hellman under kpp API
    * Test provided uses data generated by OpenSSL

    Signed-off-by: Salvatore Benedetto
    Signed-off-by: Herbert Xu

    Salvatore Benedetto
     
  • Add key-agreement protocol primitives (kpp) API which allows to
    implement primitives required by protocols such as DH and ECDH.
    The API is composed mainly of the following functions:
    * set_secret() - It allows the user to set his secret, also
    referred to as his private key, along with the parameters
    known to both parties involved in the key-agreement session.
    * generate_public_key() - It generates the public key to be sent to
    the other counterpart involved in the key-agreement session. The
    function has to be called after set_params() and set_secret().
    * generate_secret() - It generates the shared secret for the session.

    Other functions such as init() and exit() are provided for allowing
    cryptographic hardware to be initialized properly before use.

    Signed-off-by: Salvatore Benedetto
    Signed-off-by: Herbert Xu

    Salvatore Benedetto
     

20 Jun, 2016

1 commit

  • This patch adds the implementation of the SHA3 algorithm
    in software. It is based on the original implementation
    pushed in patch https://lwn.net/Articles/518415/ with
    additional changes to match the padding rules specified
    in the SHA-3 specification.

    Signed-off-by: Jeff Garzik
    Signed-off-by: Raveendra Padasalagi
    Signed-off-by: Herbert Xu

    Jeff Garzik
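    The padding change the commit refers to is the one interoperability difference between the original Keccak submission and the published SHA-3 standard: FIPS 202 appends the domain-separation bits 01 before the pad10*1 rule, so the first pad byte becomes 0x06 instead of Keccak's 0x01. The following is an added example, not the kernel's sha3_generic: a compact Keccak-f[1600] sponge in Python parameterised on that suffix byte, so the same core gives SHA3-256 (suffix 0x06, checked against hashlib.sha3_256) and pre-standard Keccak-256 (suffix 0x01, whose empty-input digest c5d2...a470 is widely published). Rotation offsets and round constants are derived from the specification's recurrences rather than typed in; helper names are my own.

```python
import hashlib

MASK64 = (1 << 64) - 1


def _rol(v: int, n: int) -> int:
    n %= 64
    return ((v << n) | (v >> (64 - n))) & MASK64 if n else v


def _rho_offsets() -> list:
    # Keccak rho: start at (x, y) = (1, 0); r = (t+1)(t+2)/2 mod 64;
    # then (x, y) <- (y, 2x + 3y mod 5). Lane (x, y) lives at index x + 5y.
    r = [0] * 25
    x, y = 1, 0
    for t in range(24):
        r[x + 5 * y] = ((t + 1) * (t + 2) // 2) % 64
        x, y = y, (2 * x + 3 * y) % 5
    return r


def _round_constants() -> list:
    # Iota constants from the spec's 8-bit LFSR x^8 + x^6 + x^5 + x^4 + 1.
    def rc(t: int) -> int:
        if t % 255 == 0:
            return 1
        reg = 1
        for _ in range(t % 255):
            reg <<= 1
            if reg & 0x100:
                reg ^= 0x171
        return reg & 1

    consts = []
    for i in range(24):
        c = 0
        for j in range(7):
            c |= rc(j + 7 * i) << ((1 << j) - 1)
        consts.append(c)
    return consts


RHO = _rho_offsets()
RC = _round_constants()


def keccak_f1600(lanes: list) -> list:
    """Apply the 24-round Keccak-f[1600] permutation to 25 64-bit lanes."""
    for rnd in range(24):
        # theta
        c = [lanes[x] ^ lanes[x + 5] ^ lanes[x + 10] ^ lanes[x + 15] ^ lanes[x + 20]
             for x in range(5)]
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        lanes = [lanes[i] ^ d[i % 5] for i in range(25)]
        # rho + pi
        b = [0] * 25
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(lanes[x + 5 * y], RHO[x + 5 * y])
        # chi
        lanes = [b[i] ^ (~b[(i % 5 + 1) % 5 + 5 * (i // 5)] & b[(i % 5 + 2) % 5 + 5 * (i // 5)])
                 for i in range(25)]
        # iota
        lanes[0] ^= RC[rnd]
    return lanes


def keccak_sponge(data: bytes, suffix: int, rate: int = 136, out_len: int = 32) -> bytes:
    """Absorb data with the given domain-separation/pad byte and squeeze out_len bytes.
    rate=136 bytes is the 1088-bit rate shared by SHA3-256 and Keccak-256."""
    padded = bytearray(data)
    padded.append(suffix)                        # suffix bits + first '1' of pad10*1
    padded.extend(b"\x00" * (-len(padded) % rate))
    padded[-1] |= 0x80                           # final '1' of pad10*1
    lanes = [0] * 25
    for off in range(0, len(padded), rate):
        block = padded[off:off + rate]
        for i in range(rate // 8):
            lanes[i] ^= int.from_bytes(block[8 * i:8 * i + 8], "little")
        lanes = keccak_f1600(lanes)
    return b"".join(l.to_bytes(8, "little") for l in lanes)[:out_len]


def sha3_256(data: bytes) -> bytes:
    return keccak_sponge(data, 0x06)   # FIPS 202: bits '01' then pad -> 0x06


def keccak_256(data: bytes) -> bytes:
    return keccak_sponge(data, 0x01)   # original submission: pad10*1 only


def matches_hashlib(data: bytes) -> bool:
    """Cross-check the SHA3-256 variant against the standard library."""
    return sha3_256(data) == hashlib.sha3_256(data).digest()


if __name__ == "__main__":
    print("sha3-256('')  ", sha3_256(b"").hex())
    print("keccak-256('')", keccak_256(b"").hex())
```

A mismatch between the two suffixes is exactly the failure that "match the padding rules specified in the SHA-3 specification" fixes: an implementation using 0x01 interoperates with nothing that follows FIPS 202, even though every other step of the permutation is identical.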
     

15 Jun, 2016

1 commit

  • The CTR DRBG derives its random data from the CTR that is encrypted with
    AES.

    This patch now changes the CTR DRBG implementation such that the
    CTR AES mode is employed. This allows the use of streamlined CTR AES
    implementations such as ctr-aes-aesni.

    Unfortunately there are the following subtle changes we need to apply
    when using the CTR AES mode:

    - the CTR mode increments the counter after the cipher operation, but
    the CTR DRBG requires the increment before the cipher op. Hence, the
    crypto_inc is applied to the counter (drbg->V) once it is
    recalculated.

    - the CTR mode wants to encrypt data, but the CTR DRBG is interested in
    the encrypted counter only. The full CTR mode is the XOR of the
    encrypted counter with the plaintext data. To access the encrypted
    counter, the patch uses a NULL data vector as plaintext to be
    "encrypted".

    Signed-off-by: Stephan Mueller
    Signed-off-by: Herbert Xu

    Stephan Mueller
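    The two adjustments listed above are easy to get wrong when a DRBG is wired onto a general-purpose CTR transform. The following is an added example, not the kernel's drbg.c: a Python model in which the block cipher is a stand-in keyed PRF built from SHA-256 truncated to 16 bytes (the commit concerns AES, but CTR mode and the CTR DRBG only use the forward direction, and this keeps the example dependency-free). It shows that CTR mode over a zero buffer yields exactly the encrypted counter blocks, that because generic CTR increments after each block while the DRBG expects the increment before, the counter must be incremented once up front, and what the output looks like when that step is forgotten. Function names (block_encrypt, ctr_mode, drbg_ctr_blocks_*) and the crypto_inc model are mine.

```python
import hashlib

BLOCK = 16


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-encrypt (constructed): a keyed PRF from SHA-256."""
    assert len(block) == BLOCK
    return hashlib.sha256(key + block).digest()[:BLOCK]


def crypto_inc(counter: bytes) -> bytes:
    """Big-endian increment with carry across the whole block (models crypto_inc)."""
    value = (int.from_bytes(counter, "big") + 1) % (1 << (8 * BLOCK))
    return value.to_bytes(BLOCK, "big")


def ctr_mode(key: bytes, counter: bytes, data: bytes):
    """Generic CTR: keystream block = E(counter), XORed into data, counter
    incremented AFTER each block. Returns (output, counter after the last block)."""
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        keystream = block_encrypt(key, counter)
        chunk = data[off:off + BLOCK]
        out.extend(a ^ b for a, b in zip(chunk, keystream))
        counter = crypto_inc(counter)
    return bytes(out), counter


def drbg_ctr_blocks_direct(key: bytes, v: bytes, nblocks: int):
    """CTR DRBG reference behaviour: for each block, V = V + 1, then output E(V).
    Returns (output, final V)."""
    out = bytearray()
    for _ in range(nblocks):
        v = crypto_inc(v)
        out.extend(block_encrypt(key, v))
    return bytes(out), v


def drbg_ctr_blocks_via_ctr(key: bytes, v: bytes, nblocks: int):
    """Same output produced through the generic CTR transform, applying the two
    adjustments from the commit: pre-increment V, and feed a zero ("NULL")
    plaintext so the XOR leaves the raw encrypted counters.
    Returns (output, CTR's next counter), which is one past the last V used."""
    v = crypto_inc(v)                         # DRBG wants increment-before
    zeros = bytes(BLOCK * nblocks)            # XOR with zeros = encrypted counter
    return ctr_mode(key, v, zeros)


def drbg_ctr_blocks_naive(key: bytes, v: bytes, nblocks: int):
    """The mistake the first bullet warns about: CTR mode without the
    pre-increment emits E(V), E(V+1), ... instead of E(V+1), E(V+2), ..."""
    return ctr_mode(key, v, bytes(BLOCK * nblocks))


if __name__ == "__main__":
    key = b"k" * 16                            # constructed key
    v = bytes(15) + b"\xff"                    # constructed V that carries on +1
    direct, v_direct = drbg_ctr_blocks_direct(key, v, 4)
    via_ctr, next_ctr = drbg_ctr_blocks_via_ctr(key, v, 4)
    print("outputs equal:", direct == via_ctr)
    print("CTR counter is one past final V:", next_ctr == crypto_inc(v_direct))
```

The off-by-one in the returned counter is worth noticing: the CTR transform leaves its counter one past the last value it encrypted, so whichever side tracks V has to account for that, on top of the pre-increment that makes the outputs line up.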
     

05 May, 2016

1 commit


18 Mar, 2016

1 commit

  • Pull crypto update from Herbert Xu:
    "Here is the crypto update for 4.6:

    API:
    - Convert remaining crypto_hash users to shash or ahash, also convert
    blkcipher/ablkcipher users to skcipher.
    - Remove crypto_hash interface.
    - Remove crypto_pcomp interface.
    - Add crypto engine for async cipher drivers.
    - Add akcipher documentation.
    - Add skcipher documentation.

    Algorithms:
    - Rename crypto/crc32 to avoid name clash with lib/crc32.
    - Fix bug in keywrap where we zero the wrong pointer.

    Drivers:
    - Support T5/M5, T7/M7 SPARC CPUs in n2 hwrng driver.
    - Add PIC32 hwrng driver.
    - Support BCM6368 in bcm63xx hwrng driver.
    - Pack structs for 32-bit compat users in qat.
    - Use crypto engine in omap-aes.
    - Add support for sama5d2x SoCs in atmel-sha.
    - Make atmel-sha available again.
    - Make sahara hashing available again.
    - Make ccp hashing available again.
    - Make sha1-mb available again.
    - Add support for multiple devices in ccp.
    - Improve DMA performance in caam.
    - Add hashing support to rockchip"

    * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (116 commits)
    crypto: qat - remove redundant arbiter configuration
    crypto: ux500 - fix checks of error code returned by devm_ioremap_resource()
    crypto: atmel - fix checks of error code returned by devm_ioremap_resource()
    crypto: qat - Change the definition of icp_qat_uof_regtype
    hwrng: exynos - use __maybe_unused to hide pm functions
    crypto: ccp - Add abstraction for device-specific calls
    crypto: ccp - CCP versioning support
    crypto: ccp - Support for multiple CCPs
    crypto: ccp - Remove check for x86 family and model
    crypto: ccp - memset request context to zero during import
    lib/mpi: use "static inline" instead of "extern inline"
    lib/mpi: avoid assembler warning
    hwrng: bcm63xx - fix non device tree compatibility
    crypto: testmgr - allow rfc3686 aes-ctr variants in fips mode.
    crypto: qat - The AE id should be less than the maximal AE number
    lib/mpi: Endianness fix
    crypto: rockchip - add hash support for crypto engine in rk3288
    crypto: xts - fix compile errors
    crypto: doc - add skcipher API documentation
    crypto: doc - update AEAD AD handling
    ...

    Linus Torvalds
     

01 Feb, 2016

1 commit

  • Currently block cipher engines need to implement and maintain their own
    queue/thread for processing requests; moreover, helpers are currently
    provided only for the queue itself (crypto_enqueue_request() and
    crypto_dequeue_request()), but they don't help with the mechanics of
    driving the hardware (things like running the request immediately, DMA
    mapping it, or providing a thread to process the queue in), even though
    a lot of that code really shouldn't vary much from device to device.

    Thus this patch provides a mechanism for pushing requests to the hardware
    as it becomes free that drivers could use. And this framework is patterned
    on the SPI code and has worked out well there.
    (https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/drivers/spi/spi.c?id=ffbbdd21329f3e15eeca6df2d4bc11c04d9d91c0)

    Signed-off-by: Baolin Wang
    Signed-off-by: Herbert Xu

    Baolin Wang
     

27 Jan, 2016

2 commits

  • When building the jitterentropy driver by itself, we get a link error
    when CRYPTO_RNG is not enabled as well:

    crypto/built-in.o: In function `jent_mod_init':
    jitterentropy-kcapi.c:(.init.text+0x98): undefined reference to `crypto_register_rng'
    crypto/built-in.o: In function `jent_mod_exit':
    jitterentropy-kcapi.c:(.exit.text+0x60): undefined reference to `crypto_unregister_rng'

    This adds a 'select CRYPTO_RNG' to CRYPTO_JITTERENTROPY to ensure the API
    is always there when it's used, not just when DRBG is also enabled.
    CRYPTO_DRBG would set it implicitly through CRYPTO_JITTERENTROPY now,
    but this leaves it in place to make it explicit what the driver does.

    Signed-off-by: Arnd Bergmann
    Signed-off-by: Herbert Xu

    Arnd Bergmann
     
  • It is unused now, so remove it.

    Signed-off-by: Joonsoo Kim
    Signed-off-by: Herbert Xu

    Joonsoo Kim
     

26 Jan, 2016

1 commit

  • The ghash and poly1305 hash implementations can be enabled when
    CONFIG_CRYPTO_HASH is turned off, causing a link error:

    crypto/built-in.o: In function `ghash_mod_init':
    (.init.text+0xd0): undefined reference to `crypto_register_shash'
    crypto/built-in.o: In function `ghash_mod_exit':
    (.exit.text+0xb4): undefined reference to `crypto_unregister_shash'
    crypto/built-in.o: In function `poly1305_mod_init':
    (.init.text+0xb4): undefined reference to `crypto_register_shash'
    crypto/built-in.o: In function `poly1305_mod_exit':
    (.exit.text+0x98): undefined reference to `crypto_unregister_shash'

    This adds an explicit 'select', like all other hashes have it.

    Signed-off-by: Arnd Bergmann
    Signed-off-by: Herbert Xu

    Arnd Bergmann
     

15 Oct, 2015

1 commit


21 Sep, 2015

1 commit


09 Sep, 2015

1 commit

  • Pull security subsystem updates from James Morris:
    "Highlights:

    - PKCS#7 support added to support signed kexec, also utilized for
    module signing. See comments in 3f1e1bea.

    ** NOTE: this requires linking against the OpenSSL library, which
    must be installed, e.g. the openssl-devel on Fedora **

    - Smack
    - add IPv6 host labeling; ignore labels on kernel threads
    - support smack labeling mounts which use binary mount data

    - SELinux:
    - add ioctl whitelisting (see
    http://kernsec.org/files/lss2015/vanderstoep.pdf)
    - fix mprotect PROT_EXEC regression caused by mm change

    - Seccomp:
    - add ptrace options for suspend/resume"

    * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (57 commits)
    PKCS#7: Add OIDs for sha224, sha284 and sha512 hash algos and use them
    Documentation/Changes: Now need OpenSSL devel packages for module signing
    scripts: add extract-cert and sign-file to .gitignore
    modsign: Handle signing key in source tree
    modsign: Use if_changed rule for extracting cert from module signing key
    Move certificate handling to its own directory
    sign-file: Fix warning about BIO_reset() return value
    PKCS#7: Add MODULE_LICENSE() to test module
    Smack - Fix build error with bringup unconfigured
    sign-file: Document dependency on OpenSSL devel libraries
    PKCS#7: Appropriately restrict authenticated attributes and content type
    KEYS: Add a name for PKEY_ID_PKCS7
    PKCS#7: Improve and export the X.509 ASN.1 time object decoder
    modsign: Use extract-cert to process CONFIG_SYSTEM_TRUSTED_KEYS
    extract-cert: Cope with multiple X.509 certificates in a single file
    sign-file: Generate CMS message as signature instead of PKCS#7
    PKCS#7: Support CMS messages also [RFC5652]
    X.509: Change recorded SKID & AKID to not include Subject or Issuer
    PKCS#7: Check content type and versions
    MAINTAINERS: The keyrings mailing list has moved
    ...

    Linus Torvalds