Eric Lee / smarc-fsl-linux-kernel

09 Jan, 2020

6 commits

  • a24a1fd73   crypto: algapi - remove crypto_template::{alloc,free}() ... Browse Code »

    Now that all templates provide a ->create() method which creates an
    instance, installs a strongly-typed ->free() method directly to it, and
    registers it, the older ->alloc() and ->free() methods in
    'struct crypto_template' are no longer used. Remove them.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • aed11cf57   crypto: algapi - fold crypto_init_spawn() into crypto_grab_spawn() ... Browse Code »

    Now that crypto_init_spawn() is only called by crypto_grab_spawn(),
    simplify things by moving its functionality into crypto_grab_spawn().

    In the process of doing this, also be more consistent about when the
    spawn and instance are updated, and remove the crypto_spawn::dropref
    flag since now it's always set.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • 629f1afc1   crypto: algapi - remove obsoleted instance creation helpers ... Browse Code »

    Remove lots of helper functions that were previously used for
    instantiating crypto templates, but are now unused:

    - crypto_get_attr_alg() and similar functions looked up an inner
    algorithm directly from a template parameter. These were replaced
    with getting the algorithm's name, then calling crypto_grab_*().

    - crypto_init_spawn2() and similar functions initialized a spawn, given
    an algorithm. Similarly, these were replaced with crypto_grab_*().

    - crypto_alloc_instance() and similar functions allocated an instance
    with a single spawn, given the inner algorithm. These aren't useful
    anymore since crypto_grab_*() need the instance allocated first.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • d5ed3b65f   crypto: cipher - make crypto_spawn_cipher() take a crypto_cipher_spawn ... Browse Code »

    Now that all users of single-block cipher spawns have been converted to
    use 'struct crypto_cipher_spawn' rather than the less specifically typed
    'struct crypto_spawn', make crypto_spawn_cipher() take a pointer to a
    'struct crypto_cipher_spawn' rather than a 'struct crypto_spawn'.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • 0764ac287   crypto: cipher - introduce crypto_cipher_spawn and crypto_grab_cipher() ... Browse Code »

    Currently, "cipher" (single-block cipher) spawns are usually initialized
    by using crypto_get_attr_alg() to look up the algorithm, then calling
    crypto_init_spawn(). In one case, crypto_grab_spawn() is used directly.

    The former way is different from how skcipher, aead, and akcipher spawns
    are initialized (they use crypto_grab_*()), and for no good reason.
    This difference introduces unnecessary complexity.

    The crypto_grab_*() functions used to have some problems, like not
    holding a reference to the algorithm and requiring the caller to
    initialize spawn->base.inst. But those problems are fixed now.

    Also, the cipher spawns are not strongly typed; e.g., the API requires
    that the user manually specify the flags CRYPTO_ALG_TYPE_CIPHER and
    CRYPTO_ALG_TYPE_MASK. Though the "cipher" algorithm type itself isn't
    yet strongly typed, we can start by making the spawns strongly typed.

    So, let's introduce a new 'struct crypto_cipher_spawn', and functions
    crypto_grab_cipher() and crypto_drop_cipher() to grab and drop them.

    Later patches will convert all cipher spawns to use these, then make
    crypto_spawn_cipher() take 'struct crypto_cipher_spawn' as well, instead
    of a bare 'struct crypto_spawn' as it currently does.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • de95c9574   crypto: algapi - pass instance to crypto_grab_spawn() ... Browse Code »

    Currently, crypto_spawn::inst is first used temporarily to pass the
    instance to crypto_grab_spawn(). Then crypto_init_spawn() overwrites it
    with crypto_spawn::next, which shares the same union. Finally,
    crypto_spawn::inst is set again when the instance is registered.

    Make this less convoluted by just passing the instance as an argument to
    crypto_grab_spawn() instead.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     

27 Dec, 2019

1 commit

  • 5f567fffa   crypto: api - Retain alg refcount in crypto_grab_spawn ... Browse Code »

    This patch changes crypto_grab_spawn to retain the reference count
    on the algorithm. This is because the caller needs to access the
    algorithm parameters and without the reference count the algorithm
    can be freed at any time.

    The reference count will be subsequently dropped by the crypto API
    once the instance has been registered. The helper crypto_drop_spawn
    will also conditionally drop the reference count depending on whether
    it has been registered.

    Note that the code is actually added to crypto_init_spawn. However,
    unless the caller activates this by setting spawn->dropref beforehand
    then nothing happens. The only caller that sets dropref is currently
    crypto_grab_spawn.

    Once all legacy users of crypto_init_spawn disappear, then we can
    kill the dropref flag.

    Internally each instance will maintain a list of its spawns prior
    to registration. This memory used by this list is shared with
    other fields that are only used after registration. In order for
    this to work a new flag spawn->registered is added to indicate
    whether spawn->inst can be used.

    Fixes: d6ef2f198d4c ("crypto: api - Add crypto_grab_spawn primitive")
    Signed-off-by: Herbert Xu

    Herbert Xu
     

20 Dec, 2019

1 commit

  • c6d633a92   crypto: algapi - make unregistration functions return void ... Browse Code »

    Some of the algorithm unregistration functions return -ENOENT when asked
    to unregister a non-registered algorithm, while others always return 0
    or always return void. But no users check the return value, except for
    two of the bulk unregistration functions which print a message on error
    but still always return 0 to their caller, and crypto_del_alg() which
    calls crypto_unregister_instance() which always returns 0.

    Since unregistering a non-registered algorithm is always a kernel bug
    but there isn't anything callers should do to handle this situation at
    runtime, let's simplify things by making all the unregistration
    functions return void, and moving the error message into
    crypto_unregister_alg() and upgrading it to a WARN().

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     

11 Dec, 2019

1 commit

  • 4f87ee118   crypto: api - Do not zap spawn->alg ... Browse Code »

    Currently when a spawn is removed we will zap its alg field.
    This is racy because the spawn could belong to an unregistered
    instance which may dereference the spawn->alg field.

    This patch fixes this by keeping spawn->alg constant and instead
    adding a new spawn->dead field to indicate that a spawn is going
    away.

    Signed-off-by: Herbert Xu

    Herbert Xu
     

17 Nov, 2019

1 commit

01 Nov, 2019

1 commit

  • c65058b75   crypto: skcipher - remove the "blkcipher" algorithm type ... Browse Code »

    Now that all "blkcipher" algorithms have been converted to "skcipher",
    remove the blkcipher algorithm type.

    The skcipher (symmetric key cipher) algorithm type was introduced a few
    years ago to replace both blkcipher and ablkcipher (synchronous and
    asynchronous block cipher). The advantages of skcipher include:

    - A much less confusing name, since none of these algorithm types have
    ever actually been for raw block ciphers, but rather for all
    length-preserving encryption modes including block cipher modes of
    operation, stream ciphers, and other length-preserving modes.

    - It unified blkcipher and ablkcipher into a single algorithm type
    which supports both synchronous and asynchronous implementations.
    Note, blkcipher already operated only on scatterlists, so the fact
    that skcipher does too isn't a regression in functionality.

    - Better type safety by using struct skcipher_alg, struct
    crypto_skcipher, etc. instead of crypto_alg, crypto_tfm, etc.

    - It sometimes simplifies the implementations of algorithms.

    Also, the blkcipher API was no longer being tested.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     

02 Aug, 2019

1 commit

  • f9981bc53   crypto: api - Remove redundant #ifdef in crypto_yield() ... Browse Code »

    While looking at CONFIG_PREEMPT dependencies treewide the #ifdef in
    crypto_yield() matched.

    CONFIG_PREEMPT and CONFIG_PREEMPT_VOLUNTARY are mutually exclusive so the
    extra !CONFIG_PREEMPT conditional is redundant.

    cond_resched() has only an effect when CONFIG_PREEMPT_VOLUNTARY is set,
    otherwise it's a stub which the compiler optimizes out.

    Remove the whole conditional.

    No functional change.

    Signed-off-by: Thomas Gleixner
    Cc: linux-crypto@vger.kernel.org
    Cc: Herbert Xu
    Cc: "David S. Miller"
    Signed-off-by: Herbert Xu

    Thomas Gleixner
     

09 Jul, 2019

1 commit

  • 4d2fa8b44   Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 ... Browse Code »

    Pull crypto updates from Herbert Xu:
    "Here is the crypto update for 5.3:

    API:
    - Test shash interface directly in testmgr
    - cra_driver_name is now mandatory

    Algorithms:
    - Replace arc4 crypto_cipher with library helper
    - Implement 5 way interleave for ECB, CBC and CTR on arm64
    - Add xxhash
    - Add continuous self-test on noise source to drbg
    - Update jitter RNG

    Drivers:
    - Add support for SHA204A random number generator
    - Add support for 7211 in iproc-rng200
    - Fix fuzz test failures in inside-secure
    - Fix fuzz test failures in talitos
    - Fix fuzz test failures in qat"

    * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (143 commits)
    crypto: stm32/hash - remove interruptible condition for dma
    crypto: stm32/hash - Fix hmac issue more than 256 bytes
    crypto: stm32/crc32 - rename driver file
    crypto: amcc - remove memset after dma_alloc_coherent
    crypto: ccp - Switch to SPDX license identifiers
    crypto: ccp - Validate the the error value used to index error messages
    crypto: doc - Fix formatting of new crypto engine content
    crypto: doc - Add parameter documentation
    crypto: arm64/aes-ce - implement 5 way interleave for ECB, CBC and CTR
    crypto: arm64/aes-ce - add 5 way interleave routines
    crypto: talitos - drop icv_ool
    crypto: talitos - fix hash on SEC1.
    crypto: talitos - move struct talitos_edesc into talitos.h
    lib/scatterlist: Fix mapping iterator when sg->offset is greater than PAGE_SIZE
    crypto/NX: Set receive window credits to max number of CRBs in RxFIFO
    crypto: asymmetric_keys - select CRYPTO_HASH where needed
    crypto: serpent - mark __serpent_setkey_sbox noinline
    crypto: testmgr - dynamically allocate crypto_shash
    crypto: testmgr - dynamically allocate testvec_config
    crypto: talitos - eliminate unneeded 'done' functions at build time
    ...

    Linus Torvalds
     

31 May, 2019

1 commit

  • 2874c5fd2   treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 ... Browse Code »

    Based on 1 normalized pattern(s):

    this program is free software you can redistribute it and or modify
    it under the terms of the gnu general public license as published by
    the free software foundation either version 2 of the license or at
    your option any later version

    extracted by the scancode license scanner the SPDX license identifier

    GPL-2.0-or-later

    has been chosen to replace the boilerplate/reference in 3029 file(s).

    Signed-off-by: Thomas Gleixner
    Reviewed-by: Allison Randal
    Cc: linux-spdx@vger.kernel.org
    Link: https://lkml.kernel.org/r/20190527070032.746973796@linutronix.de
    Signed-off-by: Greg Kroah-Hartman

    Thomas Gleixner
     

30 May, 2019

1 commit

25 Jan, 2019

1 commit

11 Jan, 2019

1 commit

  • 14aa1a839   crypto: algapi - remove crypto_alloc_instance() ... Browse Code »

    Now that all "blkcipher" templates have been converted to "skcipher",
    crypto_alloc_instance() is no longer used. And it's not useful any
    longer as it creates an old-style weakly typed instance rather than a
    new-style strongly typed instance. So remove it, and now that the name
    is freed up rename crypto_alloc_instance2() to crypto_alloc_instance().

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     

04 Sep, 2018

2 commits

  • dd8b083f9   crypto: api - Introduce notifier for new crypto algorithms ... Browse Code »

    Introduce a facility that can be used to receive a notification
    callback when a new algorithm becomes available. This can be used by
    existing crypto registrations to trigger a switch from a software-only
    algorithm to a hardware-accelerated version.

    A new CRYPTO_MSG_ALG_LOADED state is introduced to the existing crypto
    notification chain, and the register/unregister functions are exported
    so they can be called by subsystems outside of crypto.

    Signed-off-by: Martin K. Petersen
    Suggested-by: Herbert Xu
    Signed-off-by: Martin K. Petersen
    Signed-off-by: Herbert Xu

    Martin K. Petersen
     
  • a9f7f88a1   crypto: api - Introduce generic max blocksize and alignmask ... Browse Code »

    In the quest to remove all stack VLA usage from the kernel[1], this
    exposes a new general upper bound on crypto blocksize and alignmask
    (higher than for the existing cipher limits) for VLA removal,
    and introduces new checks.

    At present, the highest cra_alignmask in the kernel is 63. The highest
    cra_blocksize is 144 (SHA3_224_BLOCK_SIZE, 18 8-byte words). For the
    new blocksize limit, I went with 160 (20 8-byte words).

    [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com

    Signed-off-by: Kees Cook
    Signed-off-by: Herbert Xu

    Kees Cook
     

21 Apr, 2018

1 commit

  • 13c935bb0   crypto: api - laying defines and checks for statically allocated buffers ... Browse Code »

    In preparation for the removal of VLAs[1] from crypto code.
    We create 2 new compile-time constants: all ciphers implemented
    in Linux have a block size less than or equal to 16 bytes and
    the most demanding hw require 16 bytes alignment for the block
    buffer.
    We also enforce these limits in crypto_check_alg when a new
    cipher is registered.

    [1] http://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com

    Signed-off-by: Salvatore Mesoraca
    Signed-off-by: Herbert Xu

    Salvatore Mesoraca
     

31 Mar, 2018

1 commit

04 Aug, 2017

2 commits

  • 45fe93dff   crypto: algapi - make crypto_xor() take separate dst and src arguments ... Browse Code »

    There are quite a number of occurrences in the kernel of the pattern

    if (dst != src)
    memcpy(dst, src, walk.total % AES_BLOCK_SIZE);
    crypto_xor(dst, final, walk.total % AES_BLOCK_SIZE);

    or

    crypto_xor(keystream, src, nbytes);
    memcpy(dst, keystream, nbytes);

    where crypto_xor() is preceded or followed by a memcpy() invocation
    that is only there because crypto_xor() uses its output parameter as
    one of the inputs. To avoid having to add new instances of this pattern
    in the arm64 code, which will be refactored to implement non-SIMD
    fallbacks, add an alternative implementation called crypto_xor_cpy(),
    taking separate input and output arguments. This removes the need for
    the separate memcpy().

    Signed-off-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Ard Biesheuvel
     
  • a7c391f04   crypto: algapi - use separate dst and src operands for __crypto_xor() ... Browse Code »

    In preparation of introducing crypto_xor_cpy(), which will use separate
    operands for input and output, modify the __crypto_xor() implementation,
    which it will share with the existing crypto_xor(), which provides the
    actual functionality when not using the inline version.

    Signed-off-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Ard Biesheuvel
     

27 Feb, 2017

1 commit

11 Feb, 2017

1 commit

  • db91af0fb   crypto: algapi - make crypto_xor() and crypto_inc() alignment agnostic ... Browse Code »

    Instead of unconditionally forcing 4 byte alignment for all generic
    chaining modes that rely on crypto_xor() or crypto_inc() (which may
    result in unnecessary copying of data when the underlying hardware
    can perform unaligned accesses efficiently), make those functions
    deal with unaligned input explicitly, but only if the Kconfig symbol
    HAVE_EFFICIENT_UNALIGNED_ACCESS is set. This will allow us to drop
    the alignmasks from the CBC, CMAC, CTR, CTS, PCBC and SEQIV drivers.

    For crypto_inc(), this simply involves making the 4-byte stride
    conditional on HAVE_EFFICIENT_UNALIGNED_ACCESS being set, given that
    it typically operates on 16 byte buffers.

    For crypto_xor(), an algorithm is implemented that simply runs through
    the input using the largest strides possible if unaligned accesses are
    allowed. If they are not, an optimal sequence of memory accesses is
    emitted that takes the relative alignment of the input buffers into
    account, e.g., if the relative misalignment of dst and src is 4 bytes,
    the entire xor operation will be completed using 4 byte loads and stores
    (modulo unaligned bits at the start and end). Note that all expressions
    involving misalign are simply eliminated by the compiler when
    HAVE_EFFICIENT_UNALIGNED_ACCESS is defined.

    Signed-off-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Ard Biesheuvel
     

07 Sep, 2016

1 commit

18 Jul, 2016

1 commit

01 Jul, 2016

1 commit

06 Feb, 2016

1 commit

01 Feb, 2016

2 commits

  • 735d37b54   crypto: engine - Introduce the block request crypto engine framework ... Browse Code »

    Now block cipher engines need to implement and maintain their own queue/thread
    for processing requests, moreover currently helpers provided for only the queue
    itself (in crypto_enqueue_request() and crypto_dequeue_request()) but they
    don't help with the mechanics of driving the hardware (things like running the
    request immediately, DMA map it or providing a thread to process the queue in)
    even though a lot of that code really shouldn't vary that much from device to
    device.

    Thus this patch provides a mechanism for pushing requests to the hardware
    as it becomes free that drivers could use. And this framework is patterned
    on the SPI code and has worked out well there.
    (https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/
    drivers/spi/spi.c?id=ffbbdd21329f3e15eeca6df2d4bc11c04d9d91c0)

    Signed-off-by: Baolin Wang
    Signed-off-by: Herbert Xu

    Baolin Wang
     
  • 9f93a8a0b   crypto: api - Introduce crypto_queue_len() helper function ... Browse Code »

    This patch introduces crypto_queue_len() helper function to help to get the
    queue length in the crypto queue list now.

    Signed-off-by: Baolin Wang
    Signed-off-by: Herbert Xu

    Baolin Wang
     

14 Jul, 2015

2 commits

13 May, 2015

2 commits

  • 5d1d65f8b   crypto: aead - Convert top level interface to new style ... Browse Code »

    This patch converts the top-level aead interface to the new style.
    All user-level AEAD interface code have been moved into crypto/aead.h.

    The allocation/free functions have switched over to the new way of
    allocating tfms.

    This patch also removes the double indrection on setkey so the
    indirection now exists only at the alg level.

    Apart from these there are no user-visible changes.

    Signed-off-by: Herbert Xu

    Herbert Xu
     
  • d6ef2f198   crypto: api - Add crypto_grab_spawn primitive ... Browse Code »

    This patch adds a new primitive crypto_grab_spawn which is meant
    to replace crypto_init_spawn and crypto_init_spawn2. Under the
    new scheme the user no longer has to worry about reference counting
    the alg object before it is subsumed by the spawn.

    It is pretty much an exact copy of crypto_grab_aead.

    Prior to calling this function spawn->frontend and spawn->inst
    must have been set.

    Signed-off-by: Herbert Xu

    Herbert Xu
     

03 Apr, 2015

1 commit

20 Jun, 2014

1 commit

10 Mar, 2014

2 commits

07 Oct, 2013

1 commit

  • 6bf37e5aa   crypto: crypto_memneq - add equality testing of memory regions w/o timing leaks ... Browse Code »

    When comparing MAC hashes, AEAD authentication tags, or other hash
    values in the context of authentication or integrity checking, it
    is important not to leak timing information to a potential attacker,
    i.e. when communication happens over a network.

    Bytewise memory comparisons (such as memcmp) are usually optimized so
    that they return a nonzero value as soon as a mismatch is found. E.g,
    on x86_64/i5 for 512 bytes this can be ~50 cyc for a full mismatch
    and up to ~850 cyc for a full match (cold). This early-return behavior
    can leak timing information as a side channel, allowing an attacker to
    iteratively guess the correct result.

    This patch adds a new method crypto_memneq ("memory not equal to each
    other") to the crypto API that compares memory areas of the same length
    in roughly "constant time" (cache misses could change the timing, but
    since they don't reveal information about the content of the strings
    being compared, they are effectively benign). Iow, best and worst case
    behaviour take the same amount of time to complete (in contrast to
    memcmp).

    Note that crypto_memneq (unlike memcmp) can only be used to test for
    equality or inequality, NOT for lexicographical order. This, however,
    is not an issue for its use-cases within the crypto API.

    We tried to locate all of the places in the crypto API where memcmp was
    being used for authentication or integrity checking, and convert them
    over to crypto_memneq.

    crypto_memneq is declared noinline, placed in its own source file,
    and compiled with optimizations that might increase code size disabled
    ("Os") because a smart compiler (or LTO) might notice that the return
    value is always compared against zero/nonzero, and might then
    reintroduce the same early-return optimization that we are trying to
    avoid.

    Using #pragma or __attribute__ optimization annotations of the code
    for disabling optimization was avoided as it seems to be considered
    broken or unmaintained for long time in GCC [1]. Therefore, we work
    around that by specifying the compile flag for memneq.o directly in
    the Makefile. We found that this seems to be most appropriate.

    As we use ("Os"), this patch also provides a loop-free "fast-path" for
    frequently used 16 byte digests. Similarly to kernel library string
    functions, leave an option for future even further optimized architecture
    specific assembler implementations.

    This was a joint work of James Yonan and Daniel Borkmann. Also thanks
    for feedback from Florian Weimer on this and earlier proposals [2].

    [1] http://gcc.gnu.org/ml/gcc/2012-07/msg00211.html
    [2] https://lkml.org/lkml/2013/2/10/131

    Signed-off-by: James Yonan
    Signed-off-by: Daniel Borkmann
    Cc: Florian Weimer
    Signed-off-by: Herbert Xu

    James Yonan