1. 16 Jul, 2020 22 commits
    • Ard Biesheuvel's avatar
      crypto: x86/chacha-sse3 - use unaligned loads for state array · e79a3171
      Ard Biesheuvel authored
      Due to the fact that the x86 port does not support allocating objects
      on the stack with an alignment that exceeds 8 bytes, we have a rather
      ugly hack in the x86 code for ChaCha to ensure that the state array is
      aligned to 16 bytes, allowing the SSE3 implementation of the algorithm
      to use aligned loads.
      
      Given that the performance benefit of using of aligned loads appears to
      be limited (~0.25% for 1k blocks using tcrypt on a Corei7-8650U), and
      the fact that this hack has leaked into generic ChaCha code, let's just
      remove it.
      
      Cc: Martin Willi <martin@strongswan.org>
      Cc: Herbert Xu <herbert@gondor.apana.org.au>
      Cc: Eric Biggers <ebiggers@kernel.org>
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Reviewed-by: default avatarMartin Willi <martin@strongswan.org>
      Reviewed-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      e79a3171
    • Herbert Xu's avatar
      crypto: lib/chacha20poly1305 - Add missing function declaration · 06cc2afb
      Herbert Xu authored
      This patch adds a declaration for chacha20poly1305_selftest to
      silence a sparse warning.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      06cc2afb
    • Ard Biesheuvel's avatar
      crypto: mediatek - use AES library for GCM key derivation · f441ba2a
      Ard Biesheuvel authored
      The Mediatek accelerator driver calls into a dynamically allocated
      skcipher of the ctr(aes) variety to perform GCM key derivation, which
      involves AES encryption of a single block consisting of NUL bytes.
      
      There is no point in using the skcipher API for this, so use the AES
      library interface instead.
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      f441ba2a
    • Ard Biesheuvel's avatar
      crypto: sahara - permit asynchronous skcipher as fallback · 56ca499f
      Ard Biesheuvel authored
      Even though the sahara driver implements asynchronous versions of
      ecb(aes) and cbc(aes), the fallbacks it allocates are required to be
      synchronous. Given that SIMD based software implementations are usually
      asynchronous as well, even though they rarely complete asynchronously
      (this typically only happens in cases where the request was made from
      softirq context, while SIMD was already in use in the task context that
      it interrupted), these implementations are disregarded, and either the
      generic C version or another table based version implemented in assembler
      is selected instead.
      
      Since falling back to synchronous AES is not only a performance issue, but
      potentially a security issue as well (due to the fact that table based AES
      is not time invariant), let's fix this, by allocating an ordinary skcipher
      as the fallback, and invoke it with the completion routine that was given
      to the outer request.
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Reviewed-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      56ca499f
    • Ard Biesheuvel's avatar
      crypto: qce - permit asynchronous skcipher as fallback · 90e2f782
      Ard Biesheuvel authored
      Even though the qce driver implements asynchronous versions of ecb(aes),
      cbc(aes)and xts(aes), the fallbacks it allocates are required to be
      synchronous. Given that SIMD based software implementations are usually
      asynchronous as well, even though they rarely complete asynchronously
      (this typically only happens in cases where the request was made from
      softirq context, while SIMD was already in use in the task context that
      it interrupted), these implementations are disregarded, and either the
      generic C version or another table based version implemented in assembler
      is selected instead.
      
      Since falling back to synchronous AES is not only a performance issue, but
      potentially a security issue as well (due to the fact that table based AES
      is not time invariant), let's fix this, by allocating an ordinary skcipher
      as the fallback, and invoke it with the completion routine that was given
      to the outer request.
      
      While at it, remove the pointless memset() from qce_skcipher_init(), and
      remove the call to it qce_skcipher_init_fallback().
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      90e2f782
    • Ard Biesheuvel's avatar
      crypto: picoxcell - permit asynchronous skcipher as fallback · dc6e71c9
      Ard Biesheuvel authored
      Even though the picoxcell driver implements asynchronous versions of
      ecb(aes) and cbc(aes), the fallbacks it allocates are required to be
      synchronous. Given that SIMD based software implementations are usually
      asynchronous as well, even though they rarely complete asynchronously
      (this typically only happens in cases where the request was made from
      softirq context, while SIMD was already in use in the task context that
      it interrupted), these implementations are disregarded, and either the
      generic C version or another table based version implemented in assembler
      is selected instead.
      
      Since falling back to synchronous AES is not only a performance issue, but
      potentially a security issue as well (due to the fact that table based AES
      is not time invariant), let's fix this, by allocating an ordinary skcipher
      as the fallback, and invoke it with the completion routine that was given
      to the outer request.
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Reviewed-by: default avatarJamie Iles <jamie@jamieiles.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      dc6e71c9
    • Ard Biesheuvel's avatar
      crypto: mxs-dcp - permit asynchronous skcipher as fallback · c9598d4e
      Ard Biesheuvel authored
      Even though the mxs-dcp driver implements asynchronous versions of
      ecb(aes) and cbc(aes), the fallbacks it allocates are required to be
      synchronous. Given that SIMD based software implementations are usually
      asynchronous as well, even though they rarely complete asynchronously
      (this typically only happens in cases where the request was made from
      softirq context, while SIMD was already in use in the task context that
      it interrupted), these implementations are disregarded, and either the
      generic C version or another table based version implemented in assembler
      is selected instead.
      
      Since falling back to synchronous AES is not only a performance issue, but
      potentially a security issue as well (due to the fact that table based AES
      is not time invariant), let's fix this, by allocating an ordinary skcipher
      as the fallback, and invoke it with the completion routine that was given
      to the outer request.
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Reviewed-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      c9598d4e
    • Ard Biesheuvel's avatar
      crypto: chelsio - permit asynchronous skcipher as fallback · d8c6d188
      Ard Biesheuvel authored
      Even though the chelsio driver implements asynchronous versions of
      cbc(aes) and xts(aes), the fallbacks it allocates are required to be
      synchronous. Given that SIMD based software implementations are usually
      asynchronous as well, even though they rarely complete asynchronously
      (this typically only happens in cases where the request was made from
      softirq context, while SIMD was already in use in the task context that
      it interrupted), these implementations are disregarded, and either the
      generic C version or another table based version implemented in assembler
      is selected instead.
      
      Since falling back to synchronous AES is not only a performance issue, but
      potentially a security issue as well (due to the fact that table based AES
      is not time invariant), let's fix this, by allocating an ordinary skcipher
      as the fallback, and invoke it with the completion routine that was given
      to the outer request.
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      d8c6d188
    • Ard Biesheuvel's avatar
      crypto: ccp - permit asynchronous skcipher as fallback · 413b61ce
      Ard Biesheuvel authored
      Even though the ccp driver implements an asynchronous version of xts(aes),
      the fallback it allocates is required to be synchronous. Given that SIMD
      based software implementations are usually asynchronous as well, even
      though they rarely complete asynchronously (this typically only happens
      in cases where the request was made from softirq context, while SIMD was
      already in use in the task context that it interrupted), these
      implementations are disregarded, and either the generic C version or
      another table based version implemented in assembler is selected instead.
      
      Since falling back to synchronous AES is not only a performance issue, but
      potentially a security issue as well (due to the fact that table based AES
      is not time invariant), let's fix this, by allocating an ordinary skcipher
      as the fallback, and invoke it with the completion routine that was given
      to the outer request.
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Acked-by: default avatarJohn Allen <john.allen@amd.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      413b61ce
    • Ard Biesheuvel's avatar
      crypto: sun8i-ss - permit asynchronous skcipher as fallback · 44b59175
      Ard Biesheuvel authored
      Even though the sun8i-ss driver implements asynchronous versions of
      ecb(aes) and cbc(aes), the fallbacks it allocates are required to be
      synchronous. Given that SIMD based software implementations are usually
      asynchronous as well, even though they rarely complete asynchronously
      (this typically only happens in cases where the request was made from
      softirq context, while SIMD was already in use in the task context that
      it interrupted), these implementations are disregarded, and either the
      generic C version or another table based version implemented in assembler
      is selected instead.
      
      Since falling back to synchronous AES is not only a performance issue, but
      potentially a security issue as well (due to the fact that table based AES
      is not time invariant), let's fix this, by allocating an ordinary skcipher
      as the fallback, and invoke it with the completion routine that was given
      to the outer request.
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Acked-by: default avatarCorentin Labbe <clabbe.montjoie@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      44b59175
    • Ard Biesheuvel's avatar
      crypto: sun8i-ce - permit asynchronous skcipher as fallback · 31abd3eb
      Ard Biesheuvel authored
      Even though the sun8i-ce driver implements asynchronous versions of
      ecb(aes) and cbc(aes), the fallbacks it allocates are required to be
      synchronous. Given that SIMD based software implementations are usually
      asynchronous as well, even though they rarely complete asynchronously
      (this typically only happens in cases where the request was made from
      softirq context, while SIMD was already in use in the task context that
      it interrupted), these implementations are disregarded, and either the
      generic C version or another table based version implemented in assembler
      is selected instead.
      
      Since falling back to synchronous AES is not only a performance issue, but
      potentially a security issue as well (due to the fact that table based AES
      is not time invariant), let's fix this, by allocating an ordinary skcipher
      as the fallback, and invoke it with the completion routine that was given
      to the outer request.
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Acked-by: default avatarCorentin Labbe <clabbe.montjoie@gmail.com>
      Tested-by: default avatarCorentin Labbe <clabbe.montjoie@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      31abd3eb
    • Ard Biesheuvel's avatar
      crypto: sun4i - permit asynchronous skcipher as fallback · 89fb00f2
      Ard Biesheuvel authored
      Even though the sun4i driver implements asynchronous versions of ecb(aes)
      and cbc(aes), the fallbacks it allocates are required to be synchronous.
      Given that SIMD based software implementations are usually asynchronous
      as well, even though they rarely complete asynchronously (this typically
      only happens in cases where the request was made from softirq context,
      while SIMD was already in use in the task context that it interrupted),
      these implementations are disregarded, and either the generic C version
      or another table based version implemented in assembler is selected
      instead.
      
      Since falling back to synchronous AES is not only a performance issue, but
      potentially a security issue as well (due to the fact that table based AES
      is not time invariant), let's fix this, by allocating an ordinary skcipher
      as the fallback, and invoke it with the completion routine that was given
      to the outer request.
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Tested-by: default avatarCorentin Labbe <clabbe.montjoie@gmail.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      89fb00f2
    • Ard Biesheuvel's avatar
      crypto: omap-aes - permit asynchronous skcipher as fallback · 6a99d7a2
      Ard Biesheuvel authored
      Even though the omap-aes driver implements asynchronous versions of
      ecb(aes), cbc(aes) and ctr(aes), the fallbacks it allocates are required
      to be synchronous. Given that SIMD based software implementations are
      usually asynchronous as well, even though they rarely complete
      asynchronously (this typically only happens in cases where the request was
      made from softirq context, while SIMD was already in use in the task
      context that it interrupted), these implementations are disregarded, and
      either the generic C version or another table based version implemented in
      assembler is selected instead.
      
      Since falling back to synchronous AES is not only a performance issue, but
      potentially a security issue as well (due to the fact that table based AES
      is not time invariant), let's fix this, by allocating an ordinary skcipher
      as the fallback, and invoke it with the completion routine that was given
      to the outer request.
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      6a99d7a2
    • Ard Biesheuvel's avatar
      crypto: amlogic-gxl - permit async skcipher as fallback · 1d63e455
      Ard Biesheuvel authored
      Even though the amlogic-gxl driver implements asynchronous versions of
      ecb(aes) and cbc(aes), the fallbacks it allocates are required to be
      synchronous. Given that SIMD based software implementations are usually
      asynchronous as well, even though they rarely complete asynchronously
      (this typically only happens in cases where the request was made from
      softirq context, while SIMD was already in use in the task context that
      it interrupted), these implementations are disregarded, and either the
      generic C version or another table based version implemented in assembler
      is selected instead.
      
      Since falling back to synchronous AES is not only a performance issue,
      but potentially a security issue as well (due to the fact that table
      based AES is not time invariant), let's fix this, by allocating an
      ordinary skcipher as the fallback, and invoke it with the completion
      routine that was given to the outer request.
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Tested-by: default avatarCorentin Labbe <clabbe@baylibre.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      1d63e455
    • Ard Biesheuvel's avatar
      crypto: amlogic-gxl - default to build as module · 3f368b88
      Ard Biesheuvel authored
      The AmLogic GXL crypto accelerator driver is built into the kernel if
      ARCH_MESON is set. However, given the single image policy of arm64, its
      defconfig enables all platforms by default, and so ARCH_MESON is usually
      enabled.
      
      This means that the AmLogic driver causes the arm64 defconfig build to
      pull in a huge chunk of the crypto stack as a builtin as well, which is
      undesirable, so let's make the amlogic GXL driver default to 'm' instead.
      Signed-off-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Tested-by: default avatarCorentin Labbe <clabbe@baylibre.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      3f368b88
    • Herbert Xu's avatar
      hwrng: ba431 - Include kernel.h · 271dead3
      Herbert Xu authored
      There are multiple things in this file that requires kernel.h but
      it's only included through other header files indirectly.  This
      patch adds a direct inclusion as those indirect inclusions may go
      away at any point.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      271dead3
    • Longfang Liu's avatar
      crypto: hisilicon/sec2 - fix some coding styles · 38c3b74e
      Longfang Liu authored
      Modify some log output interfaces and
      update author information
      Signed-off-by: default avatarLongfang Liu <liulongfang@huawei.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      38c3b74e
    • Longfang Liu's avatar
      crypto: hisilicon/sec2 - update debugfs interface parameters · 6b534f7a
      Longfang Liu authored
      Update debugfs interface parameters, and adjust the
      processing logic inside the corresponding function
      Signed-off-by: default avatarLongfang Liu <liulongfang@huawei.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      6b534f7a
    • Longfang Liu's avatar
      crypto: hisilicon/sec2 - update SEC initialization and reset · d0228aeb
      Longfang Liu authored
      Updates the initialization and reset of SEC driver's
      register operation.
      Signed-off-by: default avatarLongfang Liu <liulongfang@huawei.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      d0228aeb
    • Kai Ye's avatar
      crypto:hisilicon/sec2 - update busy processing logic · 9597efc3
      Kai Ye authored
      As before, if a SEC queue is at the 'fake busy' status,
      the request with a 'fake busy' flag will be sent into hardware
      and the sending function returns busy. After the request is
      finished, SEC driver's call back will identify the 'fake busy' flag,
      and notifies the user that hardware is not busy now by calling
      user's call back function.
      
      Now, a request sent into busy hardware will be cached in the
      SEC queue's backlog, return '-EBUSY' to user.
      After the request being finished, the cached requests will
      be processed in the call back function. to notify the
      corresponding user that SEC queue can process more requests.
      Signed-off-by: default avatarKai Ye <yekai13@huawei.com>
      Reviewed-by: default avatarLongfang Liu <liulongfang@huawei.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      9597efc3
    • Kai Ye's avatar
      crypto: hisilicon/sec2 - clear SEC debug regs · 7dc95d0e
      Kai Ye authored
      SEC debug registers aren't cleared even if its driver is removed,
      so add a clearing operation in driver removing.
      Signed-off-by: default avatarKai Ye <yekai13@huawei.com>
      Reviewed-by: default avatarLongfang Liu <liulongfang@huawei.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      7dc95d0e
    • Herbert Xu's avatar
      crypto: caam - Remove broken arc4 support · eeedb618
      Herbert Xu authored
      The arc4 algorithm requires storing state in the request context
      in order to allow more than one encrypt/decrypt operation.  As this
      driver does not seem to do that, it means that using it for more
      than one operation is broken.
      
      Fixes: eaed71a4 ("crypto: caam - add ecb(*) support")
      Link: https://lore.kernel.org/linux-crypto/CAMj1kXGvMe_A_iQ43Pmygg9xaAM-RLy=_M=v+eg--8xNmv9P+w@mail.gmail.com
      Link: https://lore.kernel.org/linux-crypto/20200702101947.682-1-ardb@kernel.orgSigned-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Acked-by: default avatarArd Biesheuvel <ardb@kernel.org>
      Acked-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      eeedb618
  2. 09 Jul, 2020 18 commits