1. 12 Jun, 2015 3 commits
  2. 11 Jun, 2015 2 commits
  3. 10 Jun, 2015 4 commits
    • Stephan Mueller's avatar
      crypto: drbg - reseed often if seedsource is degraded · 42ea507f
      Stephan Mueller authored
      As required by SP800-90A, the DRBG implements are reseeding threshold.
      This threshold is at 2**48 (64 bit) and 2**32 bit (32 bit) as
      implemented in drbg_max_requests.
      
      With the recently introduced changes, the DRBG is now always used as a
      stdrng which is initialized very early in the boot cycle. To ensure that
      sufficient entropy is present, the Jitter RNG is added to even provide
      entropy at early boot time.
      
      However, the 2nd seed source, the nonblocking pool, is usually
      degraded at that time. Therefore, the DRBG is seeded with the Jitter RNG
      (which I believe contains good entropy, which however is questioned by
      others) and is seeded with a degradded nonblocking pool. This seed is
      now used for quasi the lifetime of the system (2**48 requests is a lot).
      
      The patch now changes the reseed threshold as follows: up until the time
      the DRBG obtains a seed from a fully iniitialized nonblocking pool, the
      reseeding threshold is lowered such that the DRBG is forced to reseed
      itself resonably often. Once it obtains the seed from a fully
      initialized nonblocking pool, the reseed threshold is set to the value
      required by SP800-90A.
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      42ea507f
    • Herbert Xu's avatar
      random: Remove kernel blocking API · c2719503
      Herbert Xu authored
      This patch removes the kernel blocking API as it has been completely
      replaced by the callback API.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      c2719503
    • Stephan Mueller's avatar
      crypto: drbg - Use callback API for random readiness · 57225e67
      Stephan Mueller authored
      The get_blocking_random_bytes API is broken because the wait can
      be arbitrarily long (potentially forever) so there is no safe way
      of calling it from within the kernel.
      
      This patch replaces it with the new callback API which does not
      have this problem.
      
      The patch also removes the entropy buffer registered with the DRBG
      handle in favor of stack variables to hold the seed data.
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      57225e67
    • Herbert Xu's avatar
      random: Add callback API for random pool readiness · 205a525c
      Herbert Xu authored
      The get_blocking_random_bytes API is broken because the wait can
      be arbitrarily long (potentially forever) so there is no safe way
      of calling it from within the kernel.
      
      This patch replaces it with a callback API instead.  The callback
      is invoked potentially from interrupt context so the user needs
      to schedule their own work thread if necessary.
      
      In addition to adding callbacks, they can also be removed as
      otherwise this opens up a way for user-space to allocate kernel
      memory with no bound (by opening algif_rng descriptors and then
      closing them).
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      205a525c
  4. 09 Jun, 2015 6 commits
  5. 04 Jun, 2015 20 commits
  6. 03 Jun, 2015 5 commits
    • Tom Lendacky's avatar
      crypto: ccp - Protect against poorly marked end of sg list · fb43f694
      Tom Lendacky authored
      Scatter gather lists can be created with more available entries than are
      actually used (e.g. using sg_init_table() to reserve a specific number
      of sg entries, but in actuality using something less than that based on
      the data length).  The caller sometimes fails to mark the last entry
      with sg_mark_end().  In these cases, sg_nents() will return the original
      size of the sg list as opposed to the actual number of sg entries that
      contain valid data.
      
      On arm64, if the sg_nents() value is used in a call to dma_map_sg() in
      this situation, then it causes a BUG_ON in lib/swiotlb.c because an
      "empty" sg list entry results in dma_capable() returning false and
      swiotlb trying to create a bounce buffer of size 0. This occurred in
      the userspace crypto interface before being fixed by
      
      0f477b65 ("crypto: algif - Mark sgl end at the end of data")
      
      Protect against this by using the new sg_nents_for_len() function which
      returns only the number of sg entries required to meet the desired
      length and supplying that value to dma_map_sg().
      Signed-off-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      fb43f694
    • Tom Lendacky's avatar
      scatterlist: introduce sg_nents_for_len · cfaed10d
      Tom Lendacky authored
      When performing a dma_map_sg() call, the number of sg entries to map is
      required. Using sg_nents to retrieve the number of sg entries will
      return the total number of entries in the sg list up to the entry marked
      as the end. If there happen to be unused entries in the list, these will
      still be counted. Some dma_map_sg() implementations will not handle the
      unused entries correctly (lib/swiotlb.c) and execute a BUG_ON.
      
      The sg_nents_for_len() function will traverse the sg list and return the
      number of entries required to satisfy the supplied length argument. This
      can then be supplied to the dma_map_sg() call to successfully map the
      sg.
      Signed-off-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      cfaed10d
    • Herbert Xu's avatar
      crypto: scatterwalk - Hide PageSlab call to optimise away flush_dcache_page · 16054407
      Herbert Xu authored
      On architectures where flush_dcache_page is not needed, we will
      end up generating all the code up to the PageSlab call.  This is
      because PageSlab operates on a volatile pointer and thus cannot
      be optimised away.
      
      This patch works around this by checking whether flush_dcache_page
      is needed before we call PageSlab which then allows PageSlab to be
      compiled awy.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      16054407
    • Herbert Xu's avatar
      crypto: aesni - Convert rfc4106 to new AEAD interface · b7c89d9e
      Herbert Xu authored
      This patch converts the low-level __gcm-aes-aesni algorithm to
      the new AEAD interface.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      b7c89d9e
    • Dan Streetman's avatar
      crypto: nx - prevent nx 842 load if no hw driver · 3e648cbe
      Dan Streetman authored
      Change the nx-842 common driver to wait for loading of both platform
      drivers, and fail loading if the platform driver pointer is not set.
      Add an independent platform driver pointer, that the platform drivers
      set if they find they are able to load (i.e. if they find their platform
      devicetree node(s)).
      
      The problem is currently, the main nx-842 driver will stay loaded even
      if there is no platform driver and thus no possible way it can do any
      compression or decompression.  This allows the crypto 842-nx driver
      to load even if it won't actually work.  For crypto compression users
      (e.g. zswap) that expect an available crypto compression driver to
      actually work, this is bad.  This patch fixes that, so the 842-nx crypto
      compression driver won't load if it doesn't have the driver and hardware
      available to perform the compression.
      Signed-off-by: default avatarDan Streetman <ddstreet@ieee.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      3e648cbe