12 Mar, 2016

1 commit


26 Jan, 2016

1 commit

  • The output buffer in test_ahash_speed will point to an address located
    within the tcrypt module image.
    This causes problems when trying to DMA map the buffer.
    For e.g. on ARM-based LS1021A, a page fault occurs within the
    DMA API when trying to access the struct page returned by
    virt_to_page(output):

    insmod tcrypt.ko mode=403

    testing speed of async sha1 (sha1-caam)
    test 0 ( 16 byte blocks, 16 bytes per update, 1 updates):
    Unable to handle kernel paging request at virtual address f07e9080
    pgd = e58d0e00
    [f07e9080] *pgd=80000080007003, *pmd=00000000
    Internal error: Oops: 206 [#1] SMP THUMB2
    Modules linked in: tcrypt(+)
    CPU: 1 PID: 1119 Comm: insmod Not tainted 4.2.0-rc1-256134-gbf433416e675 #1
    Hardware name: Freescale LS1021A
    task: ea063900 ti: e5a34000 task.ti: e5a34000
    PC is at dma_cache_maint_page+0x38/0xd0
    LR is at __dma_page_cpu_to_dev+0x15/0x64
    pc : [] lr : [] psr: 000f0033
    sp : e5a35ca0 ip : 8063df00 fp : f07e9080
    r10: 00000cd0 r9 : 8063df00 r8 : 805a2f04
    r7 : 0017f804 r6 : 00000002 r5 : ee7f9000 r4 : 00000014
    r3 : 80612d40 r2 : 01ff0080 r1 : 00000380 r0 : ee7f9000
    Flags: nzcv IRQs on FIQs on Mode SVC_32 ISA Thumb Segment user
    Control: 70c5387d Table: e58d0e00 DAC: 9b7ede70
    Process insmod (pid: 1119, stack limit = 0xe5a34210)
    Stack: (0xe5a35ca0 to 0xe5a36000)
    [...]
    [] (dma_cache_maint_page) from [] (__dma_page_cpu_to_dev+0x15/0x64)
    [] (__dma_page_cpu_to_dev) from [] (arm_dma_map_page+0x1f/0x44)
    [] (arm_dma_map_page) from [] (ahash_digest+0x35f/0x510)
    [] (ahash_digest) from [] (test_ahash_speed.constprop.6+0x24a/0x4e4 [tcrypt])
    [] (test_ahash_speed.constprop.6 [tcrypt]) from [] (do_test+0x1898/0x2058 [tcrypt])
    [] (do_test [tcrypt]) from [] (tcrypt_mod_init+0x2e/0x63 [tcrypt])
    [] (tcrypt_mod_init [tcrypt]) from [] (do_one_initcall+0xb3/0x134)
    [] (do_one_initcall) from [] (do_init_module+0x3b/0x13c)
    [] (do_init_module) from [] (load_module+0x97b/0x9dc)
    [] (load_module) from [] (SyS_finit_module+0x35/0x3e)
    [] (SyS_finit_module) from [] (ret_fast_syscall+0x1/0x4c)
    Code: 1aba 0152 eb00 0b02 (5882) 0f92

    addr2line -f -i -e vmlinux 800155a0
    page_zonenum
    include/linux/mm.h:728
    page_zone
    include/linux/mm.h:881
    dma_cache_maint_page
    arch/arm/mm/dma-mapping.c:822

    Signed-off-by: Horia Geantă
    Signed-off-by: Herbert Xu

    Horia Geantă
     

10 Nov, 2015

1 commit

  • commit 3fc89adb9fa4beff31374a4bf50b3d099d88ae83 upstream.

    Currently a number of Crypto API operations may fail when a signal
    occurs. This causes nasty problems as the callers of those operations
    are often not in a good position to restart the operation.

    In fact there is currently no need for those operations to be
    interrupted by user signals at all. All we need is for them to
    be killable.

    This patch replaces the relevant calls of signal_pending with
    fatal_signal_pending, and wait_for_completion_interruptible with
    wait_for_completion_killable, respectively.

    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

    Herbert Xu
     

27 Oct, 2015

1 commit

  • commit 8996eafdcbad149ac0f772fb1649fbb75c482a6a upstream.

    Unlike shash algorithms, ahash drivers must implement export
    and import as their descriptors may contain hardware state and
    cannot be exported as is. Unfortunately some ahash drivers did
    not provide them and end up causing crashes with algif_hash.

    This patch adds a check to prevent these drivers from registering
    ahash algorithms until they are fixed.

    Signed-off-by: Russell King
    Signed-off-by: Herbert Xu
    Signed-off-by: Greg Kroah-Hartman

    Russell King
     

04 Aug, 2015

1 commit

  • commit f2b3dee484f9cee967a54ef05a66866282337519 upstream.

    The call to asymmetric_key_hex_to_key_id() from ca_keys_setup()
    silently fails with -ENOMEM. Instead of dynamically allocating
    memory from a __setup function, this patch defines a variable
    and calls __asymmetric_key_hex_to_key_id(), a new helper function,
    directly.

    This bug was introduced by 'commit 46963b774d44 ("KEYS: Overhaul
    key identification when searching for asymmetric keys")'.

    Changelog:
    - for clarification, rename hexlen to asciihexlen in
    asymmetric_key_hex_to_key_id()
    - add size argument to __asymmetric_key_hex_to_key_id() - David Howells
    - inline __asymmetric_key_hex_to_key_id() - David Howells
    - remove duplicate strlen() calls

    Acked-by: David Howells
    Signed-off-by: Mimi Zohar
    Signed-off-by: Greg Kroah-Hartman

    Mimi Zohar
     

27 May, 2015

1 commit

  • Pull crypto fix from Herbert Xu:
    "This disables the newly (4.1) added user-space AEAD interface so that
    we can fix issues in the underlying kernel AEAD interface. Once the
    new kernel AEAD interface is ready we can then reenable the user-space
    AEAD interface"

    * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
    crypto: algif_aead - Disable AEAD user-space for now

    Linus Torvalds
     

26 May, 2015

1 commit

  • The newly added AEAD user-space isn't quite ready for prime time
    just yet. In particular it is conflicting with the AEAD single
    SG list interface change so this patch disables it now.

    Once the SG list stuff is completely done we can then reenable
    this interface.

    Signed-off-by: Herbert Xu

    Herbert Xu
     

22 May, 2015

1 commit


18 May, 2015

1 commit


25 Apr, 2015

1 commit

  • Pull md updates from Neil Brown:
    "More updates than usual this time. A few have performance impacts
    which should mostly be positive, but RAID5 (in particular) can be very
    work-load sensitive... We'll have to wait and see.

    Highlights:

    - "experimental" code for managing md/raid1 across a cluster using
    DLM. Code is not ready for general use and triggers a WARNING if
    used. However it is looking good and mostly done and having in
    mainline will help co-ordinate development.

    - RAID5/6 can now batch multiple (4K wide) stripe_heads so as to
    handle a full (chunk wide) stripe as a single unit.

    - RAID6 can now perform read-modify-write cycles which should help
    performance on larger arrays: 6 or more devices.

    - RAID5/6 stripe cache now grows and shrinks dynamically. The value
    set is used as a minimum.

    - Resync is now allowed to go a little faster than the 'minimum' when
    there is competing IO. How much faster depends on the speed of the
    devices, so the effective minimum should scale with device speed to
    some extent"

    * tag 'md/4.1' of git://neil.brown.name/md: (58 commits)
    md/raid5: don't do chunk aligned read on degraded array.
    md/raid5: allow the stripe_cache to grow and shrink.
    md/raid5: change ->inactive_blocked to a bit-flag.
    md/raid5: move max_nr_stripes management into grow_one_stripe and drop_one_stripe
    md/raid5: pass gfp_t arg to grow_one_stripe()
    md/raid5: introduce configuration option rmw_level
    md/raid5: activate raid6 rmw feature
    md/raid6 algorithms: xor_syndrome() for SSE2
    md/raid6 algorithms: xor_syndrome() for generic int
    md/raid6 algorithms: improve test program
    md/raid6 algorithms: delta syndrome functions
    raid5: handle expansion/resync case with stripe batching
    raid5: handle io error of batch list
    RAID5: batch adjacent full stripe write
    raid5: track overwrite disk count
    raid5: add a new flag to track if a stripe can be batched
    raid5: use flex_array for scribble data
    md raid0: access mddev->queue (request queue member) conditionally because it is not set when accessed from dm-raid
    md: allow resync to go faster when there is competing IO.
    md: remove 'go_faster' option from ->sync_request()
    ...

    Linus Torvalds
     

22 Apr, 2015

1 commit

  • Glue it altogether. The raid6 rmw path should work the same as the
    already existing raid5 logic. So emulate the prexor handling/flags
    and split functions as needed.

    1) Enable xor_syndrome() in the async layer.

    2) Split ops_run_prexor() into RAID4/5 and RAID6 logic. Xor the syndrome
    at the start of a rmw run as we did it before for the single parity.

    3) Take care of rmw run in ops_run_reconstruct6(). Again process only
    the changed pages to get syndrome back into sync.

    4) Enhance set_syndrome_sources() to fill NULL pages if we are in a rmw
    run. The lower layers will calculate start & end pages from that and
    call the xor_syndrome() correspondingly.

    5) Adapt the several places where we ignored Q handling up to now.

    Performance numbers for a single E5630 system with a mix of 10 7200k
    desktop/server disks. 300 seconds random write with 8 threads onto a
    3,2TB (10*400GB) RAID6 64K chunk without spare (group_thread_cnt=4)

    bsize   rmw_level=1   rmw_level=0   rmw_level=1   rmw_level=0
            skip_copy=1   skip_copy=1   skip_copy=0   skip_copy=0
    4K         115 KB/s      141 KB/s      165 KB/s      140 KB/s
    8K         225 KB/s      275 KB/s      324 KB/s      274 KB/s
    16K        434 KB/s      536 KB/s      640 KB/s      534 KB/s
    32K        751 KB/s    1,051 KB/s    1,234 KB/s    1,045 KB/s
    64K      1,339 KB/s    1,958 KB/s    2,282 KB/s    1,962 KB/s
    128K     2,673 KB/s    3,862 KB/s    4,113 KB/s    3,898 KB/s
    256K     7,685 KB/s    7,539 KB/s    7,557 KB/s    7,638 KB/s
    512K    19,556 KB/s   19,558 KB/s   19,652 KB/s   19,688 Kb/s

    Signed-off-by: Markus Stockhausen
    Signed-off-by: NeilBrown

    Markus Stockhausen
     

16 Apr, 2015

3 commits

  • Commit 9c521a200bc3 ("crypto: api - remove instance when test failed")
    tried to grab a module reference count before the module was even set.

    Worse, it then goes on to free the module reference count after it is
    set so you quickly end up with a negative module reference count which
    prevents people from using any instances belonging to that module.

    This patch moves the module initialisation before the reference
    count.

    Reported-by: Linus Torvalds
    Signed-off-by: Herbert Xu
    Signed-off-by: Linus Torvalds

    Herbert Xu
     
  • The networking updates from David Miller removed the iocb argument from
    sendmsg and recvmsg (in commit 1b784140474e: "net: Remove iocb argument
    from sendmsg and recvmsg"), but the crypto code had added new instances
    of them.

    When I pulled the crypto update, it was a silent semantic mis-merge, and
    I overlooked the new warning messages in my test-build. I try to fix
    those in the merge itself, but that relies on me noticing. Oh well.

    Signed-off-by: Linus Torvalds

    Linus Torvalds
     
  • Pull crypto update from Herbert Xu:
    "Here is the crypto update for 4.1:

    New interfaces:
    - user-space interface for AEAD
    - user-space interface for RNG (i.e., pseudo RNG)

    New hashes:
    - ARMv8 SHA1/256
    - ARMv8 AES
    - ARMv8 GHASH
    - ARM assembler and NEON SHA256
    - MIPS OCTEON SHA1/256/512
    - MIPS img-hash SHA1/256 and MD5
    - Power 8 VMX AES/CBC/CTR/GHASH
    - PPC assembler AES, SHA1/256 and MD5
    - Broadcom IPROC RNG driver

    Cleanups/fixes:
    - prevent internal helper algos from being exposed to user-space
    - merge common code from assembly/C SHA implementations
    - misc fixes"

    * git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (169 commits)
    crypto: arm - workaround for building with old binutils
    crypto: arm/sha256 - avoid sha256 code on ARMv7-M
    crypto: x86/sha512_ssse3 - move SHA-384/512 SSSE3 implementation to base layer
    crypto: x86/sha256_ssse3 - move SHA-224/256 SSSE3 implementation to base layer
    crypto: x86/sha1_ssse3 - move SHA-1 SSSE3 implementation to base layer
    crypto: arm64/sha2-ce - move SHA-224/256 ARMv8 implementation to base layer
    crypto: arm64/sha1-ce - move SHA-1 ARMv8 implementation to base layer
    crypto: arm/sha2-ce - move SHA-224/256 ARMv8 implementation to base layer
    crypto: arm/sha256 - move SHA-224/256 ASM/NEON implementation to base layer
    crypto: arm/sha1-ce - move SHA-1 ARMv8 implementation to base layer
    crypto: arm/sha1_neon - move SHA-1 NEON implementation to base layer
    crypto: arm/sha1 - move SHA-1 ARM asm implementation to base layer
    crypto: sha512-generic - move to generic glue implementation
    crypto: sha256-generic - move to generic glue implementation
    crypto: sha1-generic - move to generic glue implementation
    crypto: sha512 - implement base layer for SHA-512
    crypto: sha256 - implement base layer for SHA-256
    crypto: sha1 - implement base layer for SHA-1
    crypto: api - remove instance when test failed
    crypto: api - Move alg ref count init to crypto_check_alg
    ...

    Linus Torvalds
     

12 Apr, 2015

1 commit


10 Apr, 2015

5 commits

  • This updates the generic SHA-512 implementation to use the
    generic shared SHA-512 glue code.

    It also implements a .finup hook crypto_sha512_finup() and exports
    it to other modules. The import and export() functions and the
    .statesize member are dropped, since the default implementation
    is perfectly suitable for this module.

    Signed-off-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Ard Biesheuvel
     
  • This updates the generic SHA-256 implementation to use the
    new shared SHA-256 glue code.

    It also implements a .finup hook crypto_sha256_finup() and exports
    it to other modules. The import and export() functions and the
    .statesize member are dropped, since the default implementation
    is perfectly suitable for this module.

    Signed-off-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Ard Biesheuvel
     
  • This updates the generic SHA-1 implementation to use the generic
    shared SHA-1 glue code.

    It also implements a .finup hook crypto_sha1_finup() and exports
    it to other modules. The import and export() functions and the
    .statesize member are dropped, since the default implementation
    is perfectly suitable for this module.

    Signed-off-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Ard Biesheuvel
     
  • A cipher instance is added to the list of instances unconditionally
    regardless of whether the associated test failed. However, a failed
    test implies that during another lookup, the cipher instance will
    be added to the list again as it will not be found by the lookup
    code.

    That means that the list can be filled up with instances whose tests
    failed.

    Note: tests only fail in reality in FIPS mode when a cipher is not
    marked as fips_allowed=1. This can be seen with cmac(des3_ede) that does
    not have a fips_allowed=1. When allocating the cipher, the allocation
    fails with -ENOENT due to the missing fips_allowed=1 flag (which
    causes the testmgr to return EINVAL). Yet, the instance of
    cmac(des3_ede) is shown in /proc/crypto. Allocating the cipher again
    fails again, but a 2nd instance is listed in /proc/crypto.

    The patch simply de-registers the instance when the testing failed.

    Signed-off-by: Stephan Mueller
    Signed-off-by: Herbert Xu

    Stephan Mueller
     
  • We currently initialise the crypto_alg ref count in the function
    __crypto_register_alg. As one of the callers of that function
    crypto_register_instance needs to obtain a ref count before it
    calls __crypto_register_alg, we need to move the initialisation
    out of there.

    Since both callers of __crypto_register_alg call crypto_check_alg,
    this is the logical place to perform the initialisation.

    Signed-off-by: Herbert Xu
    Acked-by: Stephan Mueller

    Herbert Xu
     

09 Apr, 2015

1 commit


08 Apr, 2015

1 commit

  • The function crypto_alg_match returns an algorithm without taking
    any references on it. This means that the algorithm can be freed
    at any time, therefore all users of crypto_alg_match are buggy.

    This patch fixes this by taking a reference count on the algorithm
    to prevent such races.

    Signed-off-by: Herbert Xu

    Herbert Xu
     

07 Apr, 2015

1 commit


03 Apr, 2015

2 commits


02 Apr, 2015

3 commits


31 Mar, 2015

5 commits

  • The mcryptd is used as a wrapper around internal ciphers. Therefore,
    the mcryptd must process the internal cipher by marking mcryptd as
    internal if the underlying cipher is an internal cipher.

    Signed-off-by: Stephan Mueller
    Signed-off-by: Herbert Xu

    Stephan Mueller
     
  • With ciphers that now cannot be accessed via the kernel crypto API,
    callers shall be able to identify the ciphers that are not callable. A
    boolean field identifying such internal ciphers is added to the
    /proc/crypto file.

    Signed-off-by: Stephan Mueller
    Signed-off-by: Herbert Xu

    Stephan Mueller
     
  • The cryptd is used as a wrapper around internal ciphers. Therefore, the
    cryptd must process the internal cipher by marking cryptd as internal if
    the underlying cipher is an internal cipher.

    Signed-off-by: Stephan Mueller
    Signed-off-by: Herbert Xu

    Stephan Mueller
     
  • Allocate the ciphers irrespective of whether they are marked as internal
    or not. As all ciphers, including the internal ciphers, will be
    processed by the testmgr, it needs to be able to allocate those
    ciphers.

    Signed-off-by: Stephan Mueller
    Signed-off-by: Herbert Xu

    Stephan Mueller
     
  • Several hardware related cipher implementations are implemented as
    follows: a "helper" cipher implementation is registered with the
    kernel crypto API.

    Such helper ciphers are never intended to be called by normal users. In
    some cases, calling them via the normal crypto API may even cause
    failures including kernel crashes. In a normal case, the "wrapping"
    ciphers that use the helpers ensure that these helpers are invoked
    such that they cannot cause any calamity.

    Considering the AF_ALG user space interface, unprivileged users can
    call all ciphers registered with the crypto API, including these
    helper ciphers that are not intended to be called directly. That
    means, with AF_ALG user space may invoke these helper ciphers
    and may cause undefined states or side effects.

    To avoid any potential side effects with such helpers, the patch
    prevents the helpers from being called directly. A new cipher type
    flag is added: CRYPTO_ALG_INTERNAL. This flag shall be used
    to mark helper ciphers. These ciphers can only be used if the
    caller invokes the cipher with CRYPTO_ALG_INTERNAL in the type and
    mask field.

    Signed-off-by: Stephan Mueller
    Signed-off-by: Herbert Xu

    Stephan Mueller
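
The `internal` field in /proc/crypto and the CRYPTO_ALG_INTERNAL flag described in the entries above can be checked from user space. The following is an added example, not code from the kernel tree or from these commits: it parses a /proc/crypto dump, lists the drivers flagged internal and, going slightly beyond these entries, reports instances listed more than once (the symptom described in the 10 Apr, 2015 cmac(des3_ede) entry). The sample dump is constructed, and the function and driver names are assumptions of this example.

```python
"""Audit a /proc/crypto dump: internal helper algorithms and duplicate entries."""
from collections import Counter

# Constructed sample in /proc/crypto layout, trimmed to the fields used below.
# Driver names are illustrative, not captured from a real system.
SAMPLE = """\
name         : __cbc-aes-helper
driver       : __driver-cbc-aes-helper
selftest     : passed
internal     : yes

name         : cbc(aes)
driver       : cbc-aes-wrapper
selftest     : passed
internal     : no

name         : cmac(des3_ede)
driver       : cmac(des3_ede-generic)
selftest     : unknown
internal     : no

name         : cmac(des3_ede)
driver       : cmac(des3_ede-generic)
selftest     : unknown
internal     : no
"""


def parse_proc_crypto(text):
    """Return one dict per algorithm; records are separated by blank lines."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                rec[key.strip()] = value.strip()
        if rec:
            records.append(rec)
    return records


def internal_drivers(records):
    """Drivers flagged 'internal : yes' (registered with CRYPTO_ALG_INTERNAL)."""
    return sorted(r.get("driver", "?") for r in records
                  if r.get("internal") == "yes")


def duplicate_instances(records):
    """(name, driver) pairs that appear more than once in the listing."""
    counts = Counter((r.get("name"), r.get("driver")) for r in records)
    return {pair: n for pair, n in counts.items() if n > 1}


if __name__ == "__main__":
    try:
        with open("/proc/crypto") as fh:   # live system
            dump = fh.read()
    except OSError:
        dump = SAMPLE                      # fall back to the constructed sample
    recs = parse_proc_crypto(dump)
    print("internal helpers:", internal_drivers(recs))
    print("duplicate instances:", duplicate_instances(recs))
```

On a kernel that predates the `internal` field, no record carries it and `internal_drivers` returns an empty list, which says nothing about whether helper ciphers are reachable there.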
     

25 Mar, 2015

1 commit


24 Mar, 2015

2 commits


16 Mar, 2015

1 commit


13 Mar, 2015

1 commit


12 Mar, 2015

1 commit


11 Mar, 2015

1 commit

  • Commit 5be4d4c94b1f ("crypto: replace scatterwalk_sg_next with sg_next")
    did not consider the fact that scatterwalk_sg_next() was looking at
    sg entry length, while sg_next() looks at the "chained" sg bit.

    This should have no effect in theory. However in practice, there are
    cases where the sg table is initialized to a number of entries and
    some of them are not properly configured. While scatterwalk_sg_next()
    would have returned NULL (since sg length = 0 and sg page_link = 0),
    sg_next() happily returns the next unconfigured sg entry.

    insmod tcrypt.ko mode=500 sec=1

    testing speed of async cbc(aes) (cbc-aes-talitos) encryption
    test 0 (128 bit key, 16 byte blocks):
    Unable to handle kernel paging request for data at address 0x00000000
    Faulting instruction address: 0xc00d79e4
    Oops: Kernel access of bad area, sig: 11 [#1]
    SMP NR_CPUS=8 P1022 DS
    Modules linked in: tcrypt(+) talitos
    CPU: 0 PID: 2670 Comm: insmod Not tainted 4.0.0-rc1-QorIQ-SDK-V1.6+g904f1ca82209 #1
    task: e8de3200 ti: e70bc000 task.ti: e70bc000
    NIP: c00d79e4 LR: f92d223c CTR: c00d79c8
    REGS: e70bda00 TRAP: 0300 Not tainted (4.0.0-rc1-QorIQ-SDK-V1.6+g904f1ca82209)
    MSR: 00029000 CR: 84428f22 XER: 00000000
    DEAR: 00000000 ESR: 00000000
    GPR00: f92d223c e70bdab0 e8de3200 00000000 e70bdbb8 00000001 00000000 00000000
    GPR08: 00000000 00000000 c08b0380 27282010 c00d79c8 1003a634 00000000 e70bdf1c
    GPR16: e70bdef0 00000020 00000000 c08c0000 00000010 00000000 e70bdbb8 00000010
    GPR24: e976d3a8 00000010 00000000 e70bdbd8 e8961010 00000001 c086e560 00000000
    NIP [c00d79e4] page_address+0x1c/0x110
    LR [f92d223c] talitos_map_sg+0x130/0x184 [talitos]
    Call Trace:
    [e70bdab0] [00000010] 0x10 (unreliable)
    [e70bdad0] [f92d223c] talitos_map_sg+0x130/0x184 [talitos]
    [e70bdb00] [f92d30d8] common_nonsnoop.constprop.13+0xc0/0x304 [talitos]
    [e70bdb30] [f933fd90] test_acipher_speed+0x434/0x7dc [tcrypt]
    [e70bdcc0] [f934318c] do_test+0x2478/0x306c [tcrypt]
    [e70bdd80] [f11fe058] tcrypt_mod_init+0x58/0x100 [tcrypt]
    [e70bdda0] [c0002354] do_one_initcall+0x90/0x1f4
    [e70bde10] [c061fe00] do_init_module+0x60/0x1ac
    [e70bde30] [c00a79f0] load_module+0x185c/0x1f88
    [e70bdee0] [c00a82b0] SyS_finit_module+0x7c/0x98
    [e70bdf40] [c000e8b0] ret_from_syscall+0x0/0x3c

    Signed-off-by: Herbert Xu

    Horia Geantă