16 Jul, 2020 (36 commits)
    • crypto: drivers - set the flag CRYPTO_ALG_ALLOCATES_MEMORY · b8aa7dc5
      Mikulas Patocka authored
      Set the flag CRYPTO_ALG_ALLOCATES_MEMORY in the crypto drivers that
      allocate memory.
      
      drivers/crypto/allwinner/sun8i-ce/sun8i-ce-core.c: sun8i_ce_cipher
      drivers/crypto/allwinner/sun8i-ss/sun8i-ss-core.c: sun8i_ss_cipher
      drivers/crypto/amlogic/amlogic-gxl-core.c: meson_cipher
      drivers/crypto/axis/artpec6_crypto.c: artpec6_crypto_common_init
      drivers/crypto/bcm/cipher.c: spu_skcipher_rx_sg_create
      drivers/crypto/caam/caamalg.c: aead_edesc_alloc
      drivers/crypto/caam/caamalg_qi.c: aead_edesc_alloc
      drivers/crypto/caam/caamalg_qi2.c: aead_edesc_alloc
      drivers/crypto/caam/caamhash.c: hash_digest_key
      drivers/crypto/cavium/cpt/cptvf_algs.c: process_request
      drivers/crypto/cavium/nitrox/nitrox_aead.c: nitrox_process_se_request
      drivers/crypto/cavium/nitrox/nitrox_skcipher.c: nitrox_process_se_request
      drivers/crypto/ccp/ccp-crypto-aes-cmac.c: ccp_do_cmac_update
      drivers/crypto/ccp/ccp-crypto-aes-galois.c: ccp_crypto_enqueue_request
      drivers/crypto/ccp/ccp-crypto-aes-xts.c: ccp_crypto_enqueue_request
      drivers/crypto/ccp/ccp-crypto-aes.c: ccp_crypto_enqueue_request
      drivers/crypto/ccp/ccp-crypto-des3.c: ccp_crypto_enqueue_request
      drivers/crypto/ccp/ccp-crypto-sha.c: ccp_crypto_enqueue_request
      drivers/crypto/chelsio/chcr_algo.c: create_cipher_wr
      drivers/crypto/hisilicon/sec/sec_algs.c: sec_alloc_and_fill_hw_sgl
      drivers/crypto/hisilicon/sec2/sec_crypto.c: sec_alloc_req_id
      drivers/crypto/inside-secure/safexcel_cipher.c: safexcel_queue_req
      drivers/crypto/inside-secure/safexcel_hash.c: safexcel_ahash_enqueue
      drivers/crypto/ixp4xx_crypto.c: ablk_perform
      drivers/crypto/marvell/cesa/cipher.c: mv_cesa_skcipher_dma_req_init
      drivers/crypto/marvell/cesa/hash.c: mv_cesa_ahash_dma_req_init
      drivers/crypto/marvell/octeontx/otx_cptvf_algs.c: create_ctx_hdr
      drivers/crypto/n2_core.c: n2_compute_chunks
      drivers/crypto/picoxcell_crypto.c: spacc_sg_to_ddt
      drivers/crypto/qat/qat_common/qat_algs.c: qat_alg_skcipher_encrypt
      drivers/crypto/qce/skcipher.c: qce_skcipher_async_req_handle
      drivers/crypto/talitos.c: talitos_edesc_alloc
      drivers/crypto/virtio/virtio_crypto_algs.c: __virtio_crypto_skcipher_do_req
      drivers/crypto/xilinx/zynqmp-aes-gcm.c: zynqmp_aes_aead_cipher
      Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
      [EB: avoid overly-long lines]
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: algapi - introduce the flag CRYPTO_ALG_ALLOCATES_MEMORY · fbb6cda4
      Eric Biggers authored
      Introduce a new algorithm flag CRYPTO_ALG_ALLOCATES_MEMORY.  If this
      flag is set, then the driver allocates memory in its request routine.
      Such drivers are not suitable for disk encryption because GFP_ATOMIC
      allocation can fail anytime (causing random I/O errors) and GFP_KERNEL
      allocation can recurse into the block layer, causing a deadlock.
      
      For now, this flag is only implemented for some algorithm types.  We
      also assume some usage constraints for it to be meaningful, since there
      are lots of edge cases the crypto API allows (e.g., misaligned or
      fragmented scatterlists) that mean that nearly any crypto algorithm can
      allocate memory in some case.  See the comment for details.
      
      Also add this flag to CRYPTO_ALG_INHERITED_FLAGS so that when a template
      is instantiated, this flag is set on the template instance if it is set
      on any algorithm the instance uses.
      
      Based on a patch by Mikulas Patocka <mpatocka@redhat.com>
      (https://lore.kernel.org/r/alpine.LRH.2.02.2006301414580.30526@file01.intranet.prod.int.rdu2.redhat.com).
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: algapi - add NEED_FALLBACK to INHERITED_FLAGS · 2eb27c11
      Eric Biggers authored
      CRYPTO_ALG_NEED_FALLBACK is handled inconsistently.  When it's requested
      to be clear, some templates propagate that request to child algorithms,
      while others don't.
      
      It's apparently desired for NEED_FALLBACK to be propagated, to avoid
      deadlocks where a module tries to load itself while it's being
      initialized, and to avoid unnecessarily complex fallback chains where we
      have e.g. cbc-aes-$driver falling back to cbc(aes-$driver) where
      aes-$driver itself falls back to aes-generic, instead of cbc-aes-$driver
      simply falling back to cbc(aes-generic).  There have been a number of
      fixes to this effect:
      
      commit 89027579 ("crypto: xts - Propagate NEED_FALLBACK bit")
      commit d2c2a85c ("crypto: ctr - Propagate NEED_FALLBACK bit")
      commit e6c2e65c ("crypto: cbc - Propagate NEED_FALLBACK bit")
      
      But it seems that other templates can have the same problems too.
      
      To avoid this whack-a-mole, just add NEED_FALLBACK to INHERITED_FLAGS so
      that it's always inherited.
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: algapi - use common mechanism for inheriting flags · 7bcb2c99
      Eric Biggers authored
      The flag CRYPTO_ALG_ASYNC is "inherited" in the sense that when a
      template is instantiated, the template will have CRYPTO_ALG_ASYNC set if
      any of the algorithms it uses has CRYPTO_ALG_ASYNC set.
      
      We'd like to add a second flag (CRYPTO_ALG_ALLOCATES_MEMORY) that gets
      "inherited" in the same way.  This is difficult because the handling of
      CRYPTO_ALG_ASYNC is hardcoded everywhere.  Address this by:
      
        - Add CRYPTO_ALG_INHERITED_FLAGS, which contains the set of flags that
          have these inheritance semantics.
      
        - Add crypto_algt_inherited_mask(), for use by template ->create()
          methods.  It returns any of these flags that the user asked to be
          unset and thus must be passed in the 'mask' to crypto_grab_*().
      
        - Also modify crypto_check_attr_type() to handle computing the 'mask'
          so that most templates can just use this.
      
        - Make crypto_grab_*() propagate these flags to the template instance
          being created so that templates don't have to do this themselves.
      
      Make crypto/simd.c propagate these flags too, since it "wraps" another
      algorithm, similar to a template.
      
      Based on a patch by Mikulas Patocka <mpatocka@redhat.com>
      (https://lore.kernel.org/r/alpine.LRH.2.02.2006301414580.30526@file01.intranet.prod.int.rdu2.redhat.com).
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: seqiv - remove seqiv_create() · 4688111e
      Eric Biggers authored
      seqiv_create() is pointless because it just checks that the template is
      being instantiated as an AEAD, then calls seqiv_aead_create().  But
      seqiv_aead_create() does the exact same check, via aead_geniv_alloc().
      
      Just remove seqiv_create() and use seqiv_aead_create() directly.
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: geniv - remove unneeded arguments from aead_geniv_alloc() · e72b48c5
      Eric Biggers authored
      The type and mask arguments to aead_geniv_alloc() are always 0, so
      remove them.
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: x86 - Remove include/asm/inst.h · d7866e50
      Uros Bizjak authored
      Current minimum required version of binutils is 2.23,
      which supports PSHUFB, PCLMULQDQ, PEXTRD, AESKEYGENASSIST,
      AESIMC, AESENC, AESENCLAST, AESDEC, AESDECLAST and MOVQ
      instruction mnemonics.
      
      Substitute macros from include/asm/inst.h with proper
      instruction mnemonics in various assembly files from the
      x86/crypto directory, and remove the now unneeded file.
      
      The patch was tested by calculating and comparing sha256sum
      hashes of stripped object files before and after the patch,
      to be sure that executable code didn't change.
      Signed-off-by: Uros Bizjak <ubizjak@gmail.com>
      CC: Herbert Xu <herbert@gondor.apana.org.au>
      CC: "David S. Miller" <davem@davemloft.net>
      CC: Thomas Gleixner <tglx@linutronix.de>
      CC: Ingo Molnar <mingo@redhat.com>
      CC: Borislav Petkov <bp@alien8.de>
      CC: "H. Peter Anvin" <hpa@zytor.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: ccp - Silence strncpy warning · 2c2e1836
      Herbert Xu authored
      This patch kills an strncpy by using strscpy instead.  The name
      would be silently truncated if it is too long.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Acked-by: John Allen <john.allen@amd.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • hwrng: ks-sa - Replace HTTP links with HTTPS ones · 8832cfd3
      Alexander A. Klimov authored
      Rationale:
      Reduces attack surface on kernel devs opening the links for MITM
      as HTTPS traffic is much harder to manipulate.
      
      Deterministic algorithm:
      For each file:
        If not .svg:
          For each line:
            If doesn't contain `\bxmlns\b`:
              For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`:
                If neither `\bgnu\.org/license`, nor `\bmozilla\.org/MPL\b`:
                  If both the HTTP and HTTPS versions
                  return 200 OK and serve the same content:
                    Replace HTTP with HTTPS.
      Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • ASoC: cros_ec_codec: use sha256() instead of open coding · 9d4cafa5
      Eric Biggers authored
      Now that there's a function that calculates the SHA-256 digest of a
      buffer in one step, use it instead of sha256_init() + sha256_update() +
      sha256_final().
      
      Also simplify the code by inlining calculate_sha256() into its caller
      and switching a debug log statement to use %*phN instead of bin2hex().
      Acked-by: Tzung-Bi Shih <tzungbi@google.com>
      Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
      Cc: alsa-devel@alsa-project.org
      Cc: Ard Biesheuvel <ardb@kernel.org>
      Cc: Cheng-Yi Chiang <cychiang@chromium.org>
      Cc: Enric Balletbo i Serra <enric.balletbo@collabora.com>
      Cc: Guenter Roeck <groeck@chromium.org>
      Cc: Tzung-Bi Shih <tzungbi@google.com>
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • mptcp: use sha256() instead of open coding · 5a7a0d94
      Eric Biggers authored
      Now that there's a function that calculates the SHA-256 digest of a
      buffer in one step, use it instead of sha256_init() + sha256_update() +
      sha256_final().
      Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
      Acked-by: Matthieu Baerts <matthieu.baerts@tessares.net>
      Cc: mptcp@lists.01.org
      Cc: Mat Martineau <mathew.j.martineau@linux.intel.com>
      Cc: Matthieu Baerts <matthieu.baerts@tessares.net>
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • efi: use sha256() instead of open coding · 2164960d
      Eric Biggers authored
      Now that there's a function that calculates the SHA-256 digest of a
      buffer in one step, use it instead of sha256_init() + sha256_update() +
      sha256_final().
      Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
      Tested-by: Hans de Goede <hdegoede@redhat.com>
      Cc: linux-efi@vger.kernel.org
      Cc: Ard Biesheuvel <ardb@kernel.org>
      Cc: Hans de Goede <hdegoede@redhat.com>
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: lib/sha256 - add sha256() function · 9ea9c58b
      Eric Biggers authored
      Add a function sha256() which computes a SHA-256 digest in one step,
      combining sha256_init() + sha256_update() + sha256_final().
      
      This is similar to how we also have blake2s().
      Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
      Tested-by: Hans de Goede <hdegoede@redhat.com>
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: sparc - rename sha256 to sha256_alg · 6e8f972f
      Eric Biggers authored
      To avoid a naming collision when we add a sha256() library function,
      rename the "sha256" static variable in sha256_glue.c to "sha256_alg".
      For consistency, also rename "sha224" to "sha224_alg".
      Reported-by: kernel test robot <lkp@intel.com>
      Cc: sparclinux@vger.kernel.org
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: x86/chacha-sse3 - use unaligned loads for state array · e79a3171
      Ard Biesheuvel authored
      Due to the fact that the x86 port does not support allocating objects
      on the stack with an alignment that exceeds 8 bytes, we have a rather
      ugly hack in the x86 code for ChaCha to ensure that the state array is
      aligned to 16 bytes, allowing the SSE3 implementation of the algorithm
      to use aligned loads.
      
      Given that the performance benefit of using of aligned loads appears to
      be limited (~0.25% for 1k blocks using tcrypt on a Corei7-8650U), and
      the fact that this hack has leaked into generic ChaCha code, let's just
      remove it.
      
      Cc: Martin Willi <martin@strongswan.org>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: Eric Biggers <ebiggers@kernel.org>
      Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
      Reviewed-by: Martin Willi <martin@strongswan.org>
      Reviewed-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: lib/chacha20poly1305 - Add missing function declaration · 06cc2afb
      Herbert Xu authored
      This patch adds a declaration for chacha20poly1305_selftest to
      silence a sparse warning.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: mediatek - use AES library for GCM key derivation · f441ba2a
      Ard Biesheuvel authored
      The Mediatek accelerator driver calls into a dynamically allocated
      skcipher of the ctr(aes) variety to perform GCM key derivation, which
      involves AES encryption of a single block consisting of NUL bytes.
      
      There is no point in using the skcipher API for this, so use the AES
      library interface instead.
      Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: sahara - permit asynchronous skcipher as fallback · 56ca499f
      Ard Biesheuvel authored
      Even though the sahara driver implements asynchronous versions of
      ecb(aes) and cbc(aes), the fallbacks it allocates are required to be
      synchronous. Given that SIMD based software implementations are usually
      asynchronous as well, even though they rarely complete asynchronously
      (this typically only happens in cases where the request was made from
      softirq context, while SIMD was already in use in the task context that
      it interrupted), these implementations are disregarded, and either the
      generic C version or another table based version implemented in assembler
      is selected instead.
      
      Since falling back to synchronous AES is not only a performance issue, but
      potentially a security issue as well (due to the fact that table based AES
      is not time invariant), let's fix this, by allocating an ordinary skcipher
      as the fallback, and invoke it with the completion routine that was given
      to the outer request.
      Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
      Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: qce - permit asynchronous skcipher as fallback · 90e2f782
      Ard Biesheuvel authored
      Even though the qce driver implements asynchronous versions of ecb(aes),
      cbc(aes) and xts(aes), the fallbacks it allocates are required to be
      synchronous. Given that SIMD based software implementations are usually
      asynchronous as well, even though they rarely complete asynchronously
      (this typically only happens in cases where the request was made from
      softirq context, while SIMD was already in use in the task context that
      it interrupted), these implementations are disregarded, and either the
      generic C version or another table based version implemented in assembler
      is selected instead.
      
      Since falling back to synchronous AES is not only a performance issue, but
      potentially a security issue as well (due to the fact that table based AES
      is not time invariant), let's fix this, by allocating an ordinary skcipher
      as the fallback, and invoke it with the completion routine that was given
      to the outer request.
      
      While at it, remove the pointless memset() from qce_skcipher_init(), and
      remove the call to it from qce_skcipher_init_fallback().
      Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: picoxcell - permit asynchronous skcipher as fallback · dc6e71c9
      Ard Biesheuvel authored
      Even though the picoxcell driver implements asynchronous versions of
      ecb(aes) and cbc(aes), the fallbacks it allocates are required to be
      synchronous. Given that SIMD based software implementations are usually
      asynchronous as well, even though they rarely complete asynchronously
      (this typically only happens in cases where the request was made from
      softirq context, while SIMD was already in use in the task context that
      it interrupted), these implementations are disregarded, and either the
      generic C version or another table based version implemented in assembler
      is selected instead.
      
      Since falling back to synchronous AES is not only a performance issue, but
      potentially a security issue as well (due to the fact that table based AES
      is not time invariant), let's fix this, by allocating an ordinary skcipher
      as the fallback, and invoke it with the completion routine that was given
      to the outer request.
      Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
      Reviewed-by: Jamie Iles <jamie@jamieiles.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: mxs-dcp - permit asynchronous skcipher as fallback · c9598d4e
      Ard Biesheuvel authored
      Even though the mxs-dcp driver implements asynchronous versions of
      ecb(aes) and cbc(aes), the fallbacks it allocates are required to be
      synchronous. Given that SIMD based software implementations are usually
      asynchronous as well, even though they rarely complete asynchronously
      (this typically only happens in cases where the request was made from
      softirq context, while SIMD was already in use in the task context that
      it interrupted), these implementations are disregarded, and either the
      generic C version or another table based version implemented in assembler
      is selected instead.
      
      Since falling back to synchronous AES is not only a performance issue, but
      potentially a security issue as well (due to the fact that table based AES
      is not time invariant), let's fix this, by allocating an ordinary skcipher
      as the fallback, and invoke it with the completion routine that was given
      to the outer request.
      Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
      Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: chelsio - permit asynchronous skcipher as fallback · d8c6d188
      Ard Biesheuvel authored
      Even though the chelsio driver implements asynchronous versions of
      cbc(aes) and xts(aes), the fallbacks it allocates are required to be
      synchronous. Given that SIMD based software implementations are usually
      asynchronous as well, even though they rarely complete asynchronously
      (this typically only happens in cases where the request was made from
      softirq context, while SIMD was already in use in the task context that
      it interrupted), these implementations are disregarded, and either the
      generic C version or another table based version implemented in assembler
      is selected instead.
      
      Since falling back to synchronous AES is not only a performance issue, but
      potentially a security issue as well (due to the fact that table based AES
      is not time invariant), let's fix this, by allocating an ordinary skcipher
      as the fallback, and invoke it with the completion routine that was given
      to the outer request.
      Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: ccp - permit asynchronous skcipher as fallback · 413b61ce
      Ard Biesheuvel authored
      Even though the ccp driver implements an asynchronous version of xts(aes),
      the fallback it allocates is required to be synchronous. Given that SIMD
      based software implementations are usually asynchronous as well, even
      though they rarely complete asynchronously (this typically only happens
      in cases where the request was made from softirq context, while SIMD was
      already in use in the task context that it interrupted), these
      implementations are disregarded, and either the generic C version or
      another table based version implemented in assembler is selected instead.
      
      Since falling back to synchronous AES is not only a performance issue, but
      potentially a security issue as well (due to the fact that table based AES
      is not time invariant), let's fix this, by allocating an ordinary skcipher
      as the fallback, and invoke it with the completion routine that was given
      to the outer request.
      Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
      Acked-by: John Allen <john.allen@amd.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: sun8i-ss - permit asynchronous skcipher as fallback · 44b59175
      Ard Biesheuvel authored
      Even though the sun8i-ss driver implements asynchronous versions of
      ecb(aes) and cbc(aes), the fallbacks it allocates are required to be
      synchronous. Given that SIMD based software implementations are usually
      asynchronous as well, even though they rarely complete asynchronously
      (this typically only happens in cases where the request was made from
      softirq context, while SIMD was already in use in the task context that
      it interrupted), these implementations are disregarded, and either the
      generic C version or another table based version implemented in assembler
      is selected instead.
      
      Since falling back to synchronous AES is not only a performance issue, but
      potentially a security issue as well (due to the fact that table based AES
      is not time invariant), let's fix this, by allocating an ordinary skcipher
      as the fallback, and invoke it with the completion routine that was given
      to the outer request.
      Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
      Acked-by: Corentin Labbe <clabbe.montjoie@gmail.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: sun8i-ce - permit asynchronous skcipher as fallback · 31abd3eb
      Ard Biesheuvel authored
      Even though the sun8i-ce driver implements asynchronous versions of
      ecb(aes) and cbc(aes), the fallbacks it allocates are required to be
      synchronous. Given that SIMD based software implementations are usually
      asynchronous as well, even though they rarely complete asynchronously
      (this typically only happens in cases where the request was made from
      softirq context, while SIMD was already in use in the task context that
      it interrupted), these implementations are disregarded, and either the
      generic C version or another table based version implemented in assembler
      is selected instead.
      
      Since falling back to synchronous AES is not only a performance issue, but
      potentially a security issue as well (due to the fact that table based AES
      is not time invariant), let's fix this, by allocating an ordinary skcipher
      as the fallback, and invoke it with the completion routine that was given
      to the outer request.
      Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
      Acked-by: Corentin Labbe <clabbe.montjoie@gmail.com>
      Tested-by: Corentin Labbe <clabbe.montjoie@gmail.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: sun4i - permit asynchronous skcipher as fallback · 89fb00f2
      Ard Biesheuvel authored
      Even though the sun4i driver implements asynchronous versions of ecb(aes)
      and cbc(aes), the fallbacks it allocates are required to be synchronous.
      Given that SIMD based software implementations are usually asynchronous
      as well, even though they rarely complete asynchronously (this typically
      only happens in cases where the request was made from softirq context,
      while SIMD was already in use in the task context that it interrupted),
      these implementations are disregarded, and either the generic C version
      or another table based version implemented in assembler is selected
      instead.
      
      Since falling back to synchronous AES is not only a performance issue, but
      potentially a security issue as well (due to the fact that table based AES
      is not time invariant), let's fix this, by allocating an ordinary skcipher
      as the fallback, and invoke it with the completion routine that was given
      to the outer request.
      Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
      Tested-by: Corentin Labbe <clabbe.montjoie@gmail.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: omap-aes - permit asynchronous skcipher as fallback · 6a99d7a2
      Ard Biesheuvel authored
      Even though the omap-aes driver implements asynchronous versions of
      ecb(aes), cbc(aes) and ctr(aes), the fallbacks it allocates are required
      to be synchronous. Given that SIMD based software implementations are
      usually asynchronous as well, even though they rarely complete
      asynchronously (this typically only happens in cases where the request was
      made from softirq context, while SIMD was already in use in the task
      context that it interrupted), these implementations are disregarded, and
      either the generic C version or another table based version implemented in
      assembler is selected instead.
      
      Since falling back to synchronous AES is not only a performance issue, but
      potentially a security issue as well (due to the fact that table based AES
      is not time invariant), let's fix this, by allocating an ordinary skcipher
      as the fallback, and invoke it with the completion routine that was given
      to the outer request.
      Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: amlogic-gxl - permit async skcipher as fallback · 1d63e455
      Ard Biesheuvel authored
      Even though the amlogic-gxl driver implements asynchronous versions of
      ecb(aes) and cbc(aes), the fallbacks it allocates are required to be
      synchronous. Given that SIMD based software implementations are usually
      asynchronous as well, even though they rarely complete asynchronously
      (this typically only happens in cases where the request was made from
      softirq context, while SIMD was already in use in the task context that
      it interrupted), these implementations are disregarded, and either the
      generic C version or another table based version implemented in assembler
      is selected instead.
      
      Since falling back to synchronous AES is not only a performance issue,
      but potentially a security issue as well (due to the fact that table
      based AES is not time invariant), let's fix this, by allocating an
      ordinary skcipher as the fallback, and invoke it with the completion
      routine that was given to the outer request.
      Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
      Tested-by: Corentin Labbe <clabbe@baylibre.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: amlogic-gxl - default to build as module · 3f368b88
      Ard Biesheuvel authored
      The AmLogic GXL crypto accelerator driver is built into the kernel if
      ARCH_MESON is set. However, given the single image policy of arm64, its
      defconfig enables all platforms by default, and so ARCH_MESON is usually
      enabled.
      
      This means that the AmLogic driver causes the arm64 defconfig build to
      pull in a huge chunk of the crypto stack as a builtin as well, which is
      undesirable, so let's make the amlogic GXL driver default to 'm' instead.
      Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
      Tested-by: Corentin Labbe <clabbe@baylibre.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • hwrng: ba431 - Include kernel.h · 271dead3
      Herbert Xu authored
      There are multiple things in this file that require kernel.h but
      it's only included through other header files indirectly.  This
      patch adds a direct inclusion as those indirect inclusions may go
      away at any point.
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: hisilicon/sec2 - fix some coding styles · 38c3b74e
      Longfang Liu authored
      Modify some log output interfaces and
      update author information
      Signed-off-by: Longfang Liu <liulongfang@huawei.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: hisilicon/sec2 - update debugfs interface parameters · 6b534f7a
      Longfang Liu authored
      Update debugfs interface parameters, and adjust the
      processing logic inside the corresponding function
      Signed-off-by: Longfang Liu <liulongfang@huawei.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: hisilicon/sec2 - update SEC initialization and reset · d0228aeb
      Longfang Liu authored
      Updates the initialization and reset of SEC driver's
      register operation.
      Signed-off-by: Longfang Liu <liulongfang@huawei.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: hisilicon/sec2 - update busy processing logic · 9597efc3
      Kai Ye authored
      As before, if a SEC queue is at the 'fake busy' status,
      the request with a 'fake busy' flag will be sent into hardware
      and the sending function returns busy. After the request is
      finished, SEC driver's call back will identify the 'fake busy' flag,
      and notifies the user that hardware is not busy now by calling
      user's call back function.
      
      Now, a request sent into busy hardware will be cached in the
      SEC queue's backlog, and '-EBUSY' is returned to the user.
      After the request is finished, the cached requests will
      be processed in the call back function to notify the
      corresponding user that the SEC queue can process more requests.
      Signed-off-by: Kai Ye <yekai13@huawei.com>
      Reviewed-by: Longfang Liu <liulongfang@huawei.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: hisilicon/sec2 - clear SEC debug regs · 7dc95d0e
      Kai Ye authored
      SEC debug registers aren't cleared even if the driver is removed,
      so add a clearing operation on driver removal.
      Signed-off-by: Kai Ye <yekai13@huawei.com>
      Reviewed-by: Longfang Liu <liulongfang@huawei.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: caam - Remove broken arc4 support · eeedb618
      Herbert Xu authored
      The arc4 algorithm requires storing state in the request context
      in order to allow more than one encrypt/decrypt operation.  As this
      driver does not seem to do that, it means that using it for more
      than one operation is broken.
      
      Fixes: eaed71a4 ("crypto: caam - add ecb(*) support")
      Link: https://lore.kernel.org/linux-crypto/CAMj1kXGvMe_A_iQ43Pmygg9xaAM-RLy=_M=v+eg--8xNmv9P+w@mail.gmail.com
      Link: https://lore.kernel.org/linux-crypto/20200702101947.682-1-ardb@kernel.org
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
      Acked-by: Ard Biesheuvel <ardb@kernel.org>
      Acked-by: Horia Geantă <horia.geanta@nxp.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  2. 09 Jul, 2020 4 commits