1. 06 Apr, 2023 9 commits
    • Ryan Wanner's avatar
      crypto: atmel-sha - Add zero length message digest support for hmac · 232c1e8e
      Ryan Wanner authored
      Add softare padding to hmac-sha digest for zero length messages.
      Using the atmel_sha_fill_padding() to fill the buffer with a padded
      empty message with a length of the block size.
      
      Create a temporary scatter list from the padded buffer to pass into the
      data processing functions.
      Signed-off-by: default avatarRyan Wanner <Ryan.Wanner@microchip.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      232c1e8e
    • Tom Zanussi's avatar
      crypto: qat - Move driver to drivers/crypto/intel/qat · a4b16dad
      Tom Zanussi authored
      With the growing number of Intel crypto drivers, it makes sense to
      group them all into a single drivers/crypto/intel/ directory.
      Signed-off-by: default avatarTom Zanussi <tom.zanussi@linux.intel.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      a4b16dad
    • Tom Zanussi's avatar
      crypto: ixp4xx - Move driver to drivers/crypto/intel/ixp4xx · 1bc7fdbf
      Tom Zanussi authored
      With the growing number of Intel crypto drivers, it makes sense to
      group them all into a single drivers/crypto/intel/ directory.
      
      Create a separate drivers/crypto/intel/ixp4xx directory and move
      drivers/crypto/ixp4xx_crypto.c to it, along with a new Kconfig and
      Makefile to contain the config and make bits.
      
      Also add a COMPILE_TEST dependency to CRYPTO_DEV_IXP4XX so it can be
      more easily compile-tested.
      Signed-off-by: default avatarTom Zanussi <tom.zanussi@linux.intel.com>
      Acked-by: default avatarCorentin LABBE <clabbe@baylibre.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      1bc7fdbf
    • Tom Zanussi's avatar
      crypto: keembay - Move driver to drivers/crypto/intel/keembay · fbf31dd5
      Tom Zanussi authored
      With the growing number of Intel crypto drivers, it makes sense to
      group them all into a single drivers/crypto/intel/ directory.
      Signed-off-by: default avatarTom Zanussi <tom.zanussi@linux.intel.com>
      Acked-by: default avatarDaniele Alessandrelli <daniele.alessandrelli@intel.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      fbf31dd5
    • Jeremi Piotrowski's avatar
      crypto: ccp - Clear PSP interrupt status register before calling handler · 45121ad4
      Jeremi Piotrowski authored
      The PSP IRQ is edge-triggered (MSI or MSI-X) in all cases supported by
      the psp module so clear the interrupt status register early in the
      handler to prevent missed interrupts. sev_irq_handler() calls wake_up()
      on a wait queue, which can result in a new command being submitted from
      a different CPU. This then races with the clearing of isr and can result
      in missed interrupts. A missed interrupt results in a command waiting
      until it times out, which results in the psp being declared dead.
      
      This is unlikely on bare metal, but has been observed when running
      virtualized. In the cases where this is observed, sev->cmdresp_reg has
      PSP_CMDRESP_RESP set which indicates that the command was processed
      correctly but no interrupt was asserted.
      
      The full sequence of events looks like this:
      
      CPU 1: submits SEV cmd #1
      CPU 1: calls wait_event_timeout()
      CPU 0: enters psp_irq_handler()
      CPU 0: calls sev_handler()->wake_up()
      CPU 1: wakes up; finishes processing cmd #1
      CPU 1: submits SEV cmd #2
      CPU 1: calls wait_event_timeout()
      PSP:   finishes processing cmd #2; interrupt status is still set; no interrupt
      CPU 0: clears intsts
      CPU 0: exits psp_irq_handler()
      CPU 1: wait_event_timeout() times out; psp_dead=true
      
      Fixes: 200664d5 ("crypto: ccp: Add Secure Encrypted Virtualization (SEV) command support")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarJeremi Piotrowski <jpiotrowski@linux.microsoft.com>
      Acked-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      45121ad4
    • Herbert Xu's avatar
      crypto: hash - Remove maximum statesize limit · 9697b328
      Herbert Xu authored
      Remove the HASH_MAX_STATESIZE limit now that it is unused.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      9697b328
    • Herbert Xu's avatar
      crypto: algif_hash - Allocate hash state with kmalloc · acc03d89
      Herbert Xu authored
      Allocating the hash state on the stack limits its size.  Change
      this to use kmalloc so the limit can be removed for new drivers.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      acc03d89
    • Herbert Xu's avatar
      crypto: drbg - Only fail when jent is unavailable in FIPS mode · 686cd976
      Herbert Xu authored
      When jent initialisation fails for any reason other than ENOENT,
      the entire drbg fails to initialise, even when we're not in FIPS
      mode.  This is wrong because we can still use the kernel RNG when
      we're not in FIPS mode.
      
      Change it so that it only fails when we are in FIPS mode.
      
      Fixes: 57225e67 ("crypto: drbg - Use callback API for random readiness")
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Reviewed-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      686cd976
    • Stephan Müller's avatar
      crypto: jitter - permanent and intermittent health errors · 3fde2fe9
      Stephan Müller authored
      According to SP800-90B, two health failures are allowed: the intermittend
      and the permanent failure. So far, only the intermittent failure was
      implemented. The permanent failure was achieved by resetting the entire
      entropy source including its health test state and waiting for two or
      more back-to-back health errors.
      
      This approach is appropriate for RCT, but not for APT as APT has a
      non-linear cutoff value. Thus, this patch implements 2 cutoff values
      for both RCT/APT. This implies that the health state is left untouched
      when an intermittent failure occurs. The noise source is reset
      and a new APT powerup-self test is performed. Yet, whith the unchanged
      health test state, the counting of failures continues until a permanent
      failure is reached.
      
      Any non-failing raw entropy value causes the health tests to reset.
      
      The intermittent error has an unchanged significance level of 2^-30.
      The permanent error has a significance level of 2^-60. Considering that
      this level also indicates a false-positive rate (see SP800-90B section 4.2)
      a false-positive must only be incurred with a low probability when
      considering a fleet of Linux kernels as a whole. Hitting the permanent
      error may cause a panic(), the following calculation applies: Assuming
      that a fleet of 10^9 Linux kernels run concurrently with this patch in
      FIPS mode and on each kernel 2 health tests are performed every minute
      for one year, the chances of a false positive is about 1:1000
      based on the binomial distribution.
      
      In addition, any power-up health test errors triggered with
      jent_entropy_init are treated as permanent errors.
      
      A permanent failure causes the entire entropy source to permanently
      return an error. This implies that a caller can only remedy the situation
      by re-allocating a new instance of the Jitter RNG. In a subsequent
      patch, a transparent re-allocation will be provided which also changes
      the implied heuristic entropy assessment.
      
      In addition, when the kernel is booted with fips=1, the Jitter RNG
      is defined to be part of a FIPS module. The permanent error of the
      Jitter RNG is translated as a FIPS module error. In this case, the entire
      FIPS module must cease operation. This is implemented in the kernel by
      invoking panic().
      
      The patch also fixes an off-by-one in the RCT cutoff value which is now
      set to 30 instead of 31. This is because the counting of the values
      starts with 0.
      Reviewed-by: default avatarVladis Dronov <vdronov@redhat.com>
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Reviewed-by: default avatarMarcelo Henrique Cerri <marcelo.cerri@canonical.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      3fde2fe9
  2. 31 Mar, 2023 5 commits
  3. 24 Mar, 2023 13 commits
  4. 17 Mar, 2023 13 commits