- 06 Jun, 2019 23 commits
-
-
Eric Biggers authored
Commit c778f96b ("crypto: lrw - Optimize tweak computation") incorrectly reduced the alignmask of LRW instances from '__alignof__(u64) - 1' to '__alignof__(__be32) - 1'. However, xor_tweak() and setkey() assume that the data and key, respectively, are aligned to 'be128', which has u64 alignment. Fix the alignmask to be at least '__alignof__(be128) - 1'. Fixes: c778f96b ("crypto: lrw - Optimize tweak computation") Cc: <stable@vger.kernel.org> # v4.20+ Cc: Ondrej Mosnacek <omosnace@redhat.com> Signed-off-by:
Eric Biggers <ebiggers@google.com> Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au>
-
Eric Biggers authored
Changing ghash_mod_init() to be subsys_initcall made it start running before the alignment fault handler has been installed on ARM. In kernel builds where the keys in the ghash test vectors happened to be misaligned in the kernel image, this exposed the longstanding bug that ghash_setkey() is incorrectly casting the key buffer (which can have any alignment) to be128 for passing to gf128mul_init_4k_lle(). Fix this by memcpy()ing the key to a temporary buffer. Don't fix it by setting an alignmask on the algorithm instead because that would unnecessarily force alignment of the data too. Fixes: 2cdc6899 ("crypto: ghash - Add GHASH digest algorithm for GCM") Reported-by:
Peter Robinson <pbrobinson@gmail.com> Cc: stable@vger.kernel.org Signed-off-by:
-
Nikolay Borisov authored
xxhash is currently implemented as a self-contained module in /lib. This patch enables that module to be used as part of the generic kernel crypto framework. It adds a simple wrapper to the 64bit version. I've also added test vectors (with help from Nick Terrell). The upstream xxhash code is tested by running hashing operation on random 222 byte data with seed values of 0 and a prime number. The upstream test suite can be found at https://github.com/Cyan4973/xxHash/blob/cf46e0c/xxhsum.c#L664 Essentially hashing is run on data of length 0,1,14,222 with the aforementioned seed values 0 and prime 2654435761. The particular random 222 byte string was provided to me by Nick Terrell by reading /dev/random and the checksums were calculated by the upstream xxsum utility with the following bash script: dd if=/dev/random of=TEST_VECTOR bs=1 count=222 for a in 0 1; do for l in 0 1 14 222; do for s in 0 2654435761; do echo algo $a length $l seed $s; head -c $l TEST_VECTOR | ~/projects/kernel/xxHash/xxhsum -H$a -s$s done done done This produces output as follows: algo 0 length 0 seed 0 02cc5d05 stdin algo 0 length 0 seed 2654435761 02cc5d05 stdin algo 0 length 1 seed 0 25201171 stdin algo 0 length 1 seed 2654435761 25201171 stdin algo 0 length 14 seed 0 c1d95975 stdin algo 0 length 14 seed 2654435761 c1d95975 stdin algo 0 length 222 seed 0 b38662a6 stdin algo 0 length 222 seed 2654435761 b38662a6 stdin algo 1 length 0 seed 0 ef46db3751d8e999 stdin algo 1 length 0 seed 2654435761 ac75fda2929b17ef stdin algo 1 length 1 seed 0 27c3f04c2881203a stdin algo 1 length 1 seed 2654435761 4a15ed26415dfe4d stdin algo 1 length 14 seed 0 3d33dc700231dfad stdin algo 1 length 14 seed 2654435761 ea5f7ddef9a64f80 stdin algo 1 length 222 seed 0 5f3d3c08ec2bef34 stdin algo 1 length 222 seed 2654435761 6a9df59664c7ed62 stdin algo 1 is xx64 variant, algo 0 is the 32 bit variant which is currently not hooked up. Signed-off-by:
Nikolay Borisov <nborisov@suse.com> Reviewed-by:
Eric Biggers <ebiggers@kernel.org> Signed-off-by:
-
Stephan Müller authored
The Jitter RNG implementation is updated to comply with upstream version 2.1.2. The change covers the following aspects: * Time variation measurement is conducted over the LFSR operation instead of the XOR folding * Invcation of stuck test during initialization * Removal of the stirring functionality and the Von-Neumann unbiaser as the LFSR using a primitive and irreducible polynomial generates an identical distribution of random bits This implementation was successfully used in FIPS 140-2 validations as well as in German BSI evaluations. This kernel implementation was tested as follows: * The unchanged kernel code file jitterentropy.c is compiled as part of user space application to generate raw unconditioned noise data. That data is processed with the NIST SP800-90B non-IID test tool to verify that the kernel code exhibits an equal amount of noise as the upstream Jitter RNG version 2.1.2. * Using AF_ALG with the libkcapi tool of kcapi-rng the Jitter RNG was output tested with dieharder to verify that the output does not exhibit statistical weaknesses. The following command was used: kcapi-rng -n "jitterentropy_rng" -b 100000000000 | dieharder -a -g 200 * The unchanged kernel code file jitterentropy.c is compiled as part of user space application to test the LFSR implementation. The LFSR is injected a monotonically increasing counter as input and the output is fed into dieharder to verify that the LFSR operation does not exhibit statistical weaknesses. * The patch was tested on the Muen separation kernel which returns a more coarse time stamp to verify that the Jitter RNG does not cause regressions with its initialization test considering that the Jitter RNG depends on a high-resolution timer. Tested-by:
Reto Buerki <reet@codelabs.ch> Signed-off-by:
Stephan Mueller <smueller@chronox.de> Signed-off-by:
-
Eric Biggers authored
For hash algorithms implemented using the "shash" algorithm type, test both the ahash and shash APIs, not just the ahash API. Testing the ahash API already tests the shash API indirectly, which is normally good enough. However, there have been corner cases where there have been shash bugs that don't get exposed through the ahash API. So, update testmgr to test the shash API too. This would have detected the arm64 SHA-1 and SHA-2 bugs for which fixes were just sent out (https://patchwork.kernel.org/patch/10964843/ and https://patchwork.kernel.org/patch/10965089/): alg: shash: sha1-ce test failed (wrong result) on test vector 0, cfg="init+finup aligned buffer" alg: shash: sha224-ce test failed (wrong result) on test vector 0, cfg="init+finup aligned buffer" alg: shash: sha256-ce test failed (wrong result) on test vector 0, cfg="init+finup aligned buffer" This also would have detected the bugs fixed by commit 307508d1 ("crypto: crct10dif-generic - fix use via crypto_shash_digest()") and commit dec3d0b1 ("crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest()"). Signed-off-by:
Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by:
-
Elena Petrova authored
The sha256-ce finup implementation for ARM64 produces wrong digest for empty input (len=0). Expected: the actual digest, result: initial value of SHA internal state. The error is in sha256_ce_finup: for empty data `finalize` will be 1, so the code is relying on sha2_ce_transform to make the final round. However, in sha256_base_do_update, the block function will not be called when len == 0. Fix it by setting finalize to 0 if data is empty. Fixes: 03802f6a ("crypto: arm64/sha2-ce - move SHA-224/256 ARMv8 implementation to base layer") Cc: stable@vger.kernel.org Signed-off-by:
Elena Petrova <lenaptr@google.com> Reviewed-by:
-
Elena Petrova authored
The sha1-ce finup implementation for ARM64 produces wrong digest for empty input (len=0). Expected: da39a3ee..., result: 67452301... (initial value of SHA internal state). The error is in sha1_ce_finup: for empty data `finalize` will be 1, so the code is relying on sha1_ce_transform to make the final round. However, in sha1_base_do_update, the block function will not be called when len == 0. Fix it by setting finalize to 0 if data is empty. Fixes: 07eb54d3 ("crypto: arm64/sha1-ce - move SHA-1 ARMv8 implementation to base layer") Cc: stable@vger.kernel.org Signed-off-by:
-
Iuliana Prodan authored
For rsa and pkcs1pad, CAAM expects an input of modulus size. For this we strip the leading zeros in case the size is more than modulus. This commit avoids modifying the crypto request while stripping zeros from input, to comply with the crypto API requirement. This is done by adding a fixup input pointer and length. Signed-off-by:
Iuliana Prodan <iuliana.prodan@nxp.com> Reviewed-by:
Horia Geanta <horia.geanta@nxp.com> Signed-off-by:
-
Iuliana Prodan authored
The problem is with the input data size sent to CAAM for encrypt/decrypt. Pkcs1pad is failing due to pkcs1 padding done in SW starting with0x01 instead of 0x00 0x01. CAAM expects an input of modulus size. For this we strip the leading zeros in case the size is more than modulus or pad the input with zeros until the modulus size is reached. Signed-off-by:
-
Antoine Tenart authored
When performing a transformation the hardware is given result descriptors to save the result data. Those result descriptors are batched using a 'first' and a 'last' bit. There are cases were more descriptors than needed are given to the engine, leading to the engine only using some of them, and not setting the last bit on the last descriptor we gave. This causes issues were the driver and the hardware aren't in sync anymore about the number of result descriptors given (as the driver do not give a pool of descriptor to use for any transformation, but a pool of descriptors to use *per* transformation). This patch fixes it by attaching the number of given result descriptors to the requests, and by using this number instead of the 'last' bit found on the descriptors to process them. Signed-off-by:
Antoine Tenart <antoine.tenart@bootlin.com> Signed-off-by:
-
Antoine Tenart authored
Replace sg_nents_for_len by sg_nents when DMA mapping/unmapping buffers and when looping over the SG entries. This fix cases where the SG entries aren't used fully, which would in such cases led to using fewer SG entries than needed (and thus the engine wouldn't have access to the full input data and the result would be wrong). Signed-off-by:
-
Antoine Tenart authored
This patch adds support for HMAC updates in the Inside Secure SafeXcel crypto engine driver. Updates were supported for hash algorithms, but were never enabled for HMAC ones. This fixes boot time test issues. Signed-off-by:
-
Antoine Tenart authored
This patch adds support for retrieving intermediate IV from the crypto engine when using the CBC block mode with AES and (3)DES. The retrieved IV is copied to the request IV buffer, as requested by the kernel crypto API. This fix boot tests added by commit 8efd972e ("crypto: testmgr - support checking skcipher output IV"). Signed-off-by:
-
Antoine Tenart authored
This patch fixes the queued len computation, which could theoretically be wrong if req->len[1] - req->processed[1] > 1. Be future-proof here, and fix it. Fixes: b460edb6 ("crypto: inside-secure - sha512 support") Signed-off-by:
-
Antoine Tenart authored
A request is zeroed in safexcel_ahash_exit_inv(). This request total size is EIP197_AHASH_REQ_SIZE while the memset zeroing it uses sizeof(struct ahash_request), which happens to be less than EIP197_AHASH_REQ_SIZE. This patch fixes it. Fixes: f6beaea3 ("crypto: inside-secure - authenc(hmac(sha256), cbc(aes)) support") Signed-off-by:
-
Antoine Tenart authored
This patch unify the way the cache related data is zeroed when the cache buffer is DMA unmapped. It should not change the driver behaviour, but improves the code safety and readability. Signed-off-by:
-
Antoine Tenart authored
The context given to the crypto engine can be reused over time. While the driver was designed to allow this, the feature wasn't enabled in the hardware engine. This patch enables it. Signed-off-by:
-
Antoine Tenart authored
This patch changes the error reported by the Inside Secure SafeXcel driver when a result descriptor reports an error, from -EIO to -EINVAL, as this is what the crypto framework expects. This was found while running the crypto extra tests. Signed-off-by:
-
Antoine Tenart authored
The result descriptors contain errors, which are represented as a bitmap. This patch updates the error message to not treat the error as a decimal value, but as an hexadecimal one. This helps in knowing the value does not have a direct meaning (the set bits themselves have). Signed-off-by:
-
Antoine Tenart authored
When sending an ahash request, the code checks for the extra variable not to be 0. This check is useless as the extra variable can't be 0 at this point (it is checked on the line just before). This patch does not modify the driver behaviour in any way. Signed-off-by:
-
Antoine Tenart authored
This cosmetic patch fixes a cosmetic issue with if brackets. Signed-off-by:
-
Antoine Tenart authored
This cosmetic patch moves a comment before the condition it is related to. The patch does not change the driver behaviour in any way. Signed-off-by:
-
Antoine Tenart authored
Cosmetic patch removing an empty line in the skcipher token creation routine. Signed-off-by:
-
- 30 May, 2019 17 commits
-
-
Ard Biesheuvel authored
Move the binding for the discrete Atmel I2C Elliptic Curve h/w crypto module to trivial-devices.yaml, as it doesn't belong in atmel-crypto which describes unrelated on-SoC peripherals. Signed-off-by:
Rob Herring <robh@kernel.org> Signed-off-by:
-
Ard Biesheuvel authored
Add a compatible string for the Atmel SHA204A I2C crypto processor. Signed-off-by:
-
Ard Biesheuvel authored
The Linaro/96boards Secure96 mezzanine contains (among other things) an Atmel SHA204A symmetric crypto processor. This chip implements a number of different functionalities, but one that is highly useful for many different 96boards platforms is the random number generator. So let's implement a driver for the SHA204A, and for the time being, implement support for the random number generator only. Reviewed-by:
Linus Walleij <linus.walleij@linaro.org> Signed-off-by:
-
Ard Biesheuvel authored
In preparation of adding support for the random number generator in Atmel atsha204a devices, refactor the existing atmel-ecc driver (which drives hardware that is closely related) so we can share the basic I2C and command queuing routines. Reviewed-by:
-
Ard Biesheuvel authored
The Atmel/Microchip EC508A is a I2C device that could be wired into any platform, and is being used on the Linaro/96boards Secure96 mezzanine adapter. This means it could be found on any platform, even on ones that use ACPI enumeration (via PRP0001 devices). So update the code to enable this use case. This involves tweaking the bus rate discovery code to take ACPI probing into account, which records the maximum bus rate as a property of the slave device. For the atmel-ecc code, this means that the effective bus rate should never exceed the maximum rate, unless we are dealing with buggy firmware. Nonetheless, let's just use the existing plumbing to discover the bus rate and keep the existing logic intact. Signed-off-by:
-
Ard Biesheuvel authored
Currently, the I2C ACPI enumeration code only permits the max bus rate to be discovered before enumerating the slaves on the bus. In some cases, drivers for slave devices may require this information, e.g., some ATmel crypto drivers need to generate a so-called wake token of a fixed duration, regardless of the bus rate. So tweak the code so i2c_acpi_lookup_speed() is able to obtain this information after enumeration as well. Acked-by:
Mika Westerberg <mika.westerberg@linux.intel.com> Signed-off-by:
-
Sascha Hauer authored
caam_dump_sg() is only compiled in when DEBUG is defined, hence the messages are debug messages. Remove the @level argument from caam_dump_sg() and print all messages at debug level. Signed-off-by:
Sascha Hauer <s.hauer@pengutronix.de> Signed-off-by:
-
Sascha Hauer authored
The CAAM driver used to put its debug messages inside #ifdef DEBUG and then prints the messages at KERN_ERR level. Replace this with proper functions printing at KERN_DEBUG level. The #ifdef DEBUG gets unnecessary when the right functions are used. This replaces: - print_hex_dump(KERN_ERR ...) inside #ifdef DEBUG with print_hex_dump_debug(...) - dev_err() inside #ifdef DEBUG with dev_dbg() - printk(KERN_ERR ...) inside #ifdef DEBUG with dev_dbg() Some parts of the driver use these functions already, so it is only consequent to use the debug function consistently. Signed-off-by:
-
Sascha Hauer authored
The CAAM driver defines its own debug() macro, but it is unused. Remove it. Signed-off-by:
-
Sascha Hauer authored
Since eaed71a4 ("crypto: caam - add ecb(*) support") the IV can be NULL, so only dump it when it's non NULL as designated by the ivsize variable. Fixes: eaed71a4 ("crypto: caam - add ecb(*) support") Signed-off-by:
-
Herbert Xu authored
This patch changes multiple uses of u32s to dma_addr_t where the physical address is used. This fixes COMPILE_TEST errors on 64-bit platforms. Signed-off-by: -
Christophe Leroy authored
This patch drops the license text and replaces it with an SPDX-License-Identifier tag. Signed-off-by:
Christophe Leroy <christophe.leroy@c-s.fr> Signed-off-by:
-
Christophe Leroy authored
This patch rewrites has_ftr_sec1() using IS_ENABLED() instead of #ifdefs Signed-off-by:
-
Christophe Leroy authored
There is no other file using talitos_submit in the kernel tree, so it doesn't need to be exported nor made global. This reverts commit 865d5061. Signed-off-by:
-
Christophe Leroy authored
This driver is working well in 'simple cases', but as soon as more exotic SG lists are provided (dst different from src, auth part not in a single SG fragment, ...) there are wrong results, overruns, etc ... This patch cleans up the AEAD processing by: - Simplifying the location of 'out of line' ICV - Never using 'out of line' ICV on encryp - Always using 'out of line' ICV on decrypt - Forcing the generation of a SG table on decrypt Signed-off-by:
-
Christophe Leroy authored
The MPC885 reference manual states: SEC Lite-initiated 8xx writes can occur only on 32-bit-word boundaries, but reads can occur on any byte boundary. Writing back a header read from a non-32-bit-word boundary will yield unpredictable results. In order to ensure that, cra_alignmask is set to 3 for SEC1. Signed-off-by:
-
Christophe Leroy authored
The driver assumes that the ICV is as a single piece in the last element of the scatterlist. This assumption is wrong. This patch ensures that the ICV is properly handled regardless of the scatterlist layout. Fixes: 9c4a7965 ("crypto: talitos - Freescale integrated security engine (SEC) driver") Signed-off-by:
-
