09 Jul, 2018
27 commits
-
sha256-generic and sha224-generic had a cra_priority of 0, so it wasn't
possible to have a lower priority SHA-256 or SHA-224 implementation, as
is desired for sha256_mb which is only useful under certain workloads
and is otherwise extremely slow. Change them to priority 100, which is
the priority used for many of the other generic algorithms.Signed-off-by: Eric Biggers
Signed-off-by: Herbert Xu -
sha1-generic had a cra_priority of 0, so it wasn't possible to have a
lower priority SHA-1 implementation, as is desired for sha1_mb which is
only useful under certain workloads and is otherwise extremely slow.
Change it to priority 100, which is the priority used for many of the
other generic algorithms.Signed-off-by: Eric Biggers
Signed-off-by: Herbert Xu -
"arch/x86/crypto/sha*-mb" needs a trailing slash, since it refers to
directories. Otherwise get_maintainer.pl doesn't find the entry.Signed-off-by: Eric Biggers
Signed-off-by: Herbert Xu -
There is a copy-paste error where sha256_mb_mgr_get_comp_job_avx2()
copies the SHA-256 digest state from sha256_mb_mgr::args::digest to
job_sha256::result_digest. Consequently, the sha256_mb algorithm
sometimes calculates the wrong digest. Fix it.Reproducer using AF_ALG:
#include
#include
#include
#include
#include
#includestatic const __u8 expected[32] =
"\xad\x7f\xac\xb2\x58\x6f\xc6\xe9\x66\xc0\x04\xd7\xd1\xd1\x6b\x02"
"\x4f\x58\x05\xff\x7c\xb4\x7c\x7a\x85\xda\xbd\x8b\x48\x89\x2c\xa7";int main()
{
int fd;
struct sockaddr_alg addr = {
.salg_type = "hash",
.salg_name = "sha256_mb",
};
__u8 data[4096] = { 0 };
__u8 digest[32];
int ret;
int i;fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(fd, (void *)&addr, sizeof(addr));
fork();
fd = accept(fd, 0, 0);
do {
ret = write(fd, data, 4096);
assert(ret == 4096);
ret = read(fd, digest, 32);
assert(ret == 32);
} while (memcmp(digest, expected, 32) == 0);printf("wrong digest: ");
for (i = 0; i < 32; i++)
printf("%02x", digest[i]);
printf("\n");
}Output was:
wrong digest: ad7facb2000000000000000000000000ffffffef7cb47c7a85dabd8b48892ca7
Fixes: 172b1d6b5a93 ("crypto: sha256-mb - fix ctx pointer and digest copy")
Cc: # v4.8+
Signed-off-by: Eric Biggers
Signed-off-by: Herbert Xu -
This patch main goal is to improve driver performance by moving the
crypto request from a list to a RDR ring shadow.This is possible since there is one producer and one consume for this
RDR request shadow and one ring descriptor is left unused.
Doing this change eliminates the use of spinlock when accessing the
descriptor ring and the need to dynamicaly allocate memory per crypto
request.The crypto request is placed in the first RDR shadow descriptor only
if there are enough descriptors, when the result handler is invoked,
it fetches the first result descriptor from RDR shadow.Signed-off-by: Ofer Heifetz
Signed-off-by: Antoine Tenart
Signed-off-by: Herbert Xu -
This patch adds support for two new algorithms in the Inside Secure
SafeXcel cryptographic engine driver: ecb(des3_ede) and cbc(des3_ede).Signed-off-by: Ofer Heifetz
Signed-off-by: Antoine Tenart
Signed-off-by: Herbert Xu -
This patch adds support for two algorithms in the Inside Secure SafeXcel
cryptographic engine driver: ecb(des) and cbc(des).Signed-off-by: Ofer Heifetz
Signed-off-by: Antoine Tenart
Signed-off-by: Herbert Xu -
This patch adds support for the hmac(md5) algorithm in the Inside Secure
SafeXcel cryptographic engine driver.Signed-off-by: Ofer Heifetz
Signed-off-by: Antoine Tenart
Signed-off-by: Herbert Xu -
This patch adds the MD5 algorithm support to the Inside Secure SafeXcel
cryptographic engine driver.Signed-off-by: Ofer Heifetz
Signed-off-by: Antoine Tenart
Signed-off-by: Herbert Xu -
The ORO bridge (connected to the EIP197 write channel) does not
generate back pressure towards the EIP197 when its internal FIFO is
full. It assumes that the EIP will not drive more write transactions
than the maximal supported outstanding (32).Hence tx_max_cmd_queue must be configured to 5 (or less).
Signed-off-by: Ofer Heifetz
Signed-off-by: Antoine Tenart
Signed-off-by: Herbert Xu -
This patch adds extra steps in the module removal path, to reset the
command and result rings. The corresponding interrupts are cleared, and
the ring address configuration is reset.Signed-off-by: Ofer Heifetz
[Antoine: small reworks, commit message]
Signed-off-by: Antoine Tenart
Signed-off-by: Herbert Xu -
This patch updates the TRC configuration so that the version of the
EIP197 engine being used is taken into account, as the configuration
differs between the EIP197B and the EIP197D.Signed-off-by: Ofer Heifetz
[Antoine: commit message]
Signed-off-by: Antoine Tenart
Signed-off-by: Herbert Xu -
This patch documents the new compatible used for the eip197d engine, as
this new engine is now supported by the Inside Secure SafeXcel
cryptographic driver.Signed-off-by: Antoine Tenart
Signed-off-by: Herbert Xu -
This patch adds support for the eip197d engine to the Inside Secure
SafeXcel cryptographic driver. This new engine is similar to the eip197b
and reuse most of its code.Signed-off-by: Antoine Tenart
Signed-off-by: Herbert Xu -
So far a single processing engine (PE) was configured and used in the
Inside Secure SafeXcel cryptographic engine driver. Some versions have
more than a single PE. This patch rework the driver's initialization to
take this into account and to allow configuring more than one PE.Signed-off-by: Ofer Heifetz
[Antoine: some reworks and commit message.]
Signed-off-by: Antoine Tenart
Signed-off-by: Herbert Xu -
The Inside Secure SafeXcel driver currently uses 4 rings, but the
eip197d engines has 8 of them. This patch updates the driver so that
rings are allocated dynamically based on the number of available rings
supported by a given engine.Signed-off-by: Ofer Heifetz
Signed-off-by: Antoine Tenart
Signed-off-by: Herbert Xu -
Add a flags field in the private structure, and a first flag for engines
needing context invalidation (currently only the eip197b). The
invalidation is needed when the engine includes a TRC cache, which will
also be true for the upcoming addition of the eip197d engine.Suggested-by: Ofer Heifetz
Signed-off-by: Antoine Tenart
Signed-off-by: Herbert Xu -
EIP engines do not support the same set of algorithms. So far the
supported engines in the Inside Secure SafeXcel driver support the same
set of algorithms, but that won't be true for all engines. This patch
adds an 'engines' field in the algorithm definitions so that they only
are registered when using a compatible cryptographic engine.Signed-off-by: Antoine Tenart
Signed-off-by: Herbert Xu -
The compatibles were updated in the Inside Secure SafeXcel cryptographic
driver, as the ones previously used were not specific enough. The old
compatibles are still supported by the driver for backward
compatibility.This patch updates the documentation accordingly.
Signed-off-by: Antoine Tenart
Signed-off-by: Herbert Xu -
At first we used two compatibles in the SafeXcel driver, named after the
engine revision: eip97 and eip197. However this family of engines has
more precise versions and in fact we're supporting the eip97ies and
eip197b. More versions will be supported in the future, such as the
eip197d, and we'll need to differentiate them.This patch fixes the compatibles used in the driver, to now use precise
ones. The two historical compatibles are kept for backward
compatibility.Signed-off-by: Antoine Tenart
Signed-off-by: Herbert Xu -
This patch moves the firmware loaded by the Inside Secure SafeXcel
driver from /lib/firmware/ to /lib/firmware/inside-secure/eip197b/. This
prepares the driver for future patches which will support other
revisions of the EIP197 crypto engine as they'll have their own
firmwares.To keep the compatibility of what was done, the old path is still
supported as a fallback for the EIP197b (currently the only one
supported by the driver that loads a firmware).Signed-off-by: Antoine Tenart
Signed-off-by: Herbert Xu -
According to SP800-56A section 5.6.2.1, the public key to be processed
for the DH operation shall be checked for appropriateness. The check
shall covers the full verification test in case the domain parameter Q
is provided as defined in SP800-56A section 5.6.2.3.1. If Q is not
provided, the partial check according to SP800-56A section 5.6.2.3.2 is
performed.The full verification test requires the presence of the domain parameter
Q. Thus, the patch adds the support to handle Q. It is permissible to
not provide the Q value as part of the domain parameters. This implies
that the interface is still backwards-compatible where so far only P and
G are to be provided. However, if Q is provided, it is imported.Without the test, the NIST ACVP testing fails. After adding this check,
the NIST ACVP testing passes. Testing without providing the Q domain
parameter has been performed to verify the interface has not changed.Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu -
Adding pm and pm_runtime support to STM32 CRC.
Signed-off-by: Lionel Debieve
Signed-off-by: Herbert Xu -
Adding pm and pm_runtime support to STM32 HASH.
Signed-off-by: Lionel Debieve
Signed-off-by: Herbert Xu -
Adding pm and pm_runtime support to STM32 CRYP.
Signed-off-by: Lionel Debieve
Signed-off-by: Herbert Xu -
As of GCC 9.0.0 the build is reporting warnings like:
crypto/ablkcipher.c: In function ‘crypto_ablkcipher_report’:
crypto/ablkcipher.c:374:2: warning: ‘strncpy’ specified bound 64 equals destination size [-Wstringop-truncation]
strncpy(rblkcipher.geniv, alg->cra_ablkcipher.geniv ?: "",
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
sizeof(rblkcipher.geniv));
~~~~~~~~~~~~~~~~~~~~~~~~~This means the strnycpy might create a non null terminated string. Fix this by
explicitly performing '\0' termination.Cc: Greg Kroah-Hartman
Cc: Arnd Bergmann
Cc: Max Filippov
Cc: Eric Biggers
Cc: Nick Desaulniers
Signed-off-by: Stafford Horne
Signed-off-by: Herbert Xu -
According to SP800-56A section 5.6.2.1, the public key to be processed
for the ECDH operation shall be checked for appropriateness. When the
public key is considered to be an ephemeral key, the partial validation
test as defined in SP800-56A section 5.6.2.3.4 can be applied.The partial verification test requires the presence of the field
elements of a and b. For the implemented NIST curves, b is defined in
FIPS 186-4 appendix D.1.2. The element a is implicitly given with the
Weierstrass equation given in D.1.2 where a = p - 3.Without the test, the NIST ACVP testing fails. After adding this check,
the NIST ACVP testing passes.Signed-off-by: Stephan Mueller
Signed-off-by: Herbert Xu
01 Jul, 2018
7 commits
-
The function skcipher_walk_next declared as static and marked as
EXPORT_SYMBOL_GPL. It's a bit confusing for internal function to be
exported. The area of visibility for such function is its .c file
and all other modules. Other *.c files of the same module can't use it,
despite all other modules can. Relying on the fact that this is the
internal function and it's not a crucial part of the API, the patch
just removes the EXPORT_SYMBOL_GPL marking of skcipher_walk_next.Found by Linux Driver Verification project (linuxtesting.org).
Signed-off-by: Denis Efremov
Signed-off-by: Herbert Xu -
Register a crypto algo with the Linux crypto layer only if
the algorithm is supported by the backend virtio-crypto
device.Also route crypto requests to a virtio-crypto
device, only if it can support the requested service and
algorithm.Signed-off-by: Farhan Ali
Acked-by: Gonglei
Acked-by: Christian Borntraeger
Signed-off-by: Herbert Xu -
Read the crypto services and algorithm masks which provides
information about the services and algorithms supported by
virtio-crypto backend.Signed-off-by: Farhan Ali
Acked-by: Gonglei
Acked-by: Christian Borntraeger
Signed-off-by: Herbert Xu -
Remove the original version of the VMAC template that had the nonce
hardcoded to 0 and produced a digest with the wrong endianness. I'm
unsure whether this had users or not (there are no explicit in-kernel
references to it), but given that the hardcoded nonce made it wildly
insecure unless a unique key was used for each message, let's try
removing it and see if anyone complains.Leave the new "vmac64" template that requires the nonce to be explicitly
specified as the first 16 bytes of data and uses the correct endianness
for the digest.Signed-off-by: Eric Biggers
Signed-off-by: Herbert Xu -
Currently the VMAC template uses a "nonce" hardcoded to 0, which makes
it insecure unless a unique key is set for every message. Also, the
endianness of the final digest is wrong: the implementation uses little
endian, but the VMAC specification has it as big endian, as do other
VMAC implementations such as the one in Crypto++.Add a new VMAC template where the nonce is passed as the first 16 bytes
of data (similar to what is done for Poly1305's nonce), and the digest
is big endian. Call it "vmac64", since the old name of simply "vmac"
didn't clarify whether the implementation is of VMAC-64 or of VMAC-128
(which produce 64-bit and 128-bit digests respectively); so we fix the
naming ambiguity too.Signed-off-by: Eric Biggers
Signed-off-by: Herbert Xu -
syzbot reported a crash in vmac_final() when multiple threads
concurrently use the same "vmac(aes)" transform through AF_ALG. The bug
is pretty fundamental: the VMAC template doesn't separate per-request
state from per-tfm (per-key) state like the other hash algorithms do,
but rather stores it all in the tfm context. That's wrong.Also, vmac_final() incorrectly zeroes most of the state including the
derived keys and cached pseudorandom pad. Therefore, only the first
VMAC invocation with a given key calculates the correct digest.Fix these bugs by splitting the per-tfm state from the per-request state
and using the proper init/update/final sequencing for requests.Reproducer for the crash:
#include
#include
#includeint main()
{
int fd;
struct sockaddr_alg addr = {
.salg_type = "hash",
.salg_name = "vmac(aes)",
};
char buf[256] = { 0 };fd = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(fd, (void *)&addr, sizeof(addr));
setsockopt(fd, SOL_ALG, ALG_SET_KEY, buf, 16);
fork();
fd = accept(fd, NULL, NULL);
for (;;)
write(fd, buf, 256);
}The immediate cause of the crash is that vmac_ctx_t.partial_size exceeds
VMAC_NHBYTES, causing vmac_final() to memset() a negative length.Reported-by: syzbot+264bca3a6e8d645550d3@syzkaller.appspotmail.com
Fixes: f1939f7c5645 ("crypto: vmac - New hash algorithm for intel_txt support")
Cc: # v2.6.32+
Signed-off-by: Eric Biggers
Signed-off-by: Herbert Xu -
The VMAC template assumes the block cipher has a 128-bit block size, but
it failed to check for that. Thus it was possible to instantiate it
using a 64-bit block size cipher, e.g. "vmac(cast5)", causing
uninitialized memory to be used.Add the needed check when instantiating the template.
Fixes: f1939f7c5645 ("crypto: vmac - New hash algorithm for intel_txt support")
Cc: # v2.6.32+
Signed-off-by: Eric Biggers
Signed-off-by: Herbert Xu
22 Jun, 2018
6 commits
-
Remove it because when using a slow console, it can affect
the speed of crypto operations.Similar to 'commit 730f23b66095 ("crypto: vmx - Remove overly
verbose printk from AES XTS init")'.Signed-off-by: Tudor Ambarus
Signed-off-by: Herbert Xu -
Remove the limitation of single element scatterlists. ECDH with
multi-element scatterlists is needed by TPM.Similar to 'commit 95ec01ba1ef0 ("crypto: ecdh - fix to allow multi
segment scatterlists")'.Signed-off-by: Tudor Ambarus
Signed-off-by: Herbert Xu -
The structure algs is local to the source and does not need to be in
global scope, so make it static.Cleans up sparse warning:
drivers/crypto/cavium/cpt/cptvf_algs.c:354:19: warning: symbol 'algs'
was not declared. Should it be static?Signed-off-by: Colin Ian King
Signed-off-by: Herbert Xu -
Trival fix to correct the indentation of a single statement
Signed-off-by: Colin Ian King
Signed-off-by: Herbert Xu -
This patch adds the authenc(hmac(sha384),cbc(aes)) algorithm support to
the Inside Secure SafeXcel driver.Signed-off-by: Antoine Tenart
Signed-off-by: Herbert Xu -
This patch adds the hmac(sha384) algorithm support to the Inside Secure
SafeXcel driver.Signed-off-by: Antoine Tenart
Signed-off-by: Herbert Xu
