1. 08 Feb, 2019 14 commits
    • Eric Biggers's avatar
      crypto: testmgr - add testvec_config struct and helper functions · 3f47a03d
      Eric Biggers authored
      Crypto algorithms must produce the same output for the same input
      regardless of data layout, i.e. how the src and dst scatterlists are
      divided into chunks and how each chunk is aligned.  Request flags such
      as CRYPTO_TFM_REQ_MAY_SLEEP must not affect the result either.
      
      However, testing of this currently has many gaps.  For example,
      individual algorithms are responsible for providing their own chunked
      test vectors.  But many don't bother to do this or test only one or two
      cases, providing poor test coverage.  Also, other things such as
      misaligned IVs and CRYPTO_TFM_REQ_MAY_SLEEP are never tested at all.
      
      Test code is also duplicated between the chunked and non-chunked cases,
      making it difficult to make other improvements.
      
      To improve the situation, this patch series basically moves the chunk
      descriptions into the testmgr itself so that they are shared by all
      algorithms.  However, it's done in an extensible way via a new struct
      'testvec_config', which describes not just the scaled chunk lengths but
      also all other aspects of the crypto operation besides the data itself
      such as the buffer alignments, the request flags, whether the operation
      is in-place or not, the IV alignment, and for hash algorithms when to
      do each update() and when to use finup() vs. final() vs. digest().
      
      Then, this patch series makes skcipher, aead, and hash algorithms be
      tested against a list of default testvec_configs, replacing the current
      test code.  This improves overall test coverage, without reducing test
      performance too much.  Note that the test vectors themselves are not
      changed, except for removing the chunk lists.
      
      This series also adds randomized fuzz tests, enabled by a new kconfig
      option intended for developer use only, where skcipher, aead, and hash
      algorithms are tested against many randomly generated testvec_configs.
      This provides much more comprehensive test coverage.
      
      These improved tests have already exposed many bugs.
      
      To start it off, this initial patch adds the testvec_config and various
      helper functions that will be used by the skcipher, aead, and hash test
      code that will be converted to use the new testvec_config framework.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      3f47a03d
    • Eric Biggers's avatar
      crypto: arm64/aes-neonbs - fix returning final keystream block · 12455e32
      Eric Biggers authored
      The arm64 NEON bit-sliced implementation of AES-CTR fails the improved
      skcipher tests because it sometimes produces the wrong ciphertext.  The
      bug is that the final keystream block isn't returned from the assembly
      code when the number of non-final blocks is zero.  This can happen if
      the input data ends a few bytes after a page boundary.  In this case the
      last bytes get "encrypted" by XOR'ing them with uninitialized memory.
      
      Fix the assembly code to return the final keystream block when needed.
      
      Fixes: 88a3f582 ("crypto: arm64/aes - don't use IV buffer to return final keystream block")
      Cc: <stable@vger.kernel.org> # v4.11+
      Reviewed-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      12455e32
    • Eric Biggers's avatar
      crypto: ahash - fix another early termination in hash walk · 77568e53
      Eric Biggers authored
      Hash algorithms with an alignmask set, e.g. "xcbc(aes-aesni)" and
      "michael_mic", fail the improved hash tests because they sometimes
      produce the wrong digest.  The bug is that in the case where a
      scatterlist element crosses pages, not all the data is actually hashed
      because the scatterlist walk terminates too early.  This happens because
      the 'nbytes' variable in crypto_hash_walk_done() is assigned the number
      of bytes remaining in the page, then later interpreted as the number of
      bytes remaining in the scatterlist element.  Fix it.
      
      Fixes: 900a081f ("crypto: ahash - Fix early termination in hash walk")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      77568e53
    • Eric Biggers's avatar
      crypto: x86/aesni-gcm - fix crash on empty plaintext · 3af34963
      Eric Biggers authored
      gcmaes_crypt_by_sg() dereferences the NULL pointer returned by
      scatterwalk_ffwd() when encrypting an empty plaintext and the source
      scatterlist ends immediately after the associated data.
      
      Fix it by only fast-forwarding to the src/dst data scatterlists if the
      data length is nonzero.
      
      This bug is reproduced by the "rfc4543(gcm(aes))" test vectors when run
      with the new AEAD test manager.
      
      Fixes: e8455207 ("crypto: aesni - Update aesni-intel_glue to use scatter/gather")
      Cc: <stable@vger.kernel.org> # v4.17+
      Cc: Dave Watson <davejwatson@fb.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      3af34963
    • Eric Biggers's avatar
      crypto: x86/morus - fix handling chunked inputs and MAY_SLEEP · 2060e284
      Eric Biggers authored
      The x86 MORUS implementations all fail the improved AEAD tests because
      they produce the wrong result with some data layouts.  The issue is that
      they assume that if the skcipher_walk API gives 'nbytes' not aligned to
      the walksize (a.k.a. walk.stride), then it is the end of the data.  In
      fact, this can happen before the end.
      
      Also, when the CRYPTO_TFM_REQ_MAY_SLEEP flag is given, they can
      incorrectly sleep in the skcipher_walk_*() functions while preemption
      has been disabled by kernel_fpu_begin().
      
      Fix these bugs.
      
      Fixes: 56e8e57f ("crypto: morus - Add common SIMD glue code for MORUS")
      Cc: <stable@vger.kernel.org> # v4.18+
      Cc: Ondrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarOndrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      2060e284
    • Eric Biggers's avatar
      crypto: x86/aegis - fix handling chunked inputs and MAY_SLEEP · ba6771c0
      Eric Biggers authored
      The x86 AEGIS implementations all fail the improved AEAD tests because
      they produce the wrong result with some data layouts.  The issue is that
      they assume that if the skcipher_walk API gives 'nbytes' not aligned to
      the walksize (a.k.a. walk.stride), then it is the end of the data.  In
      fact, this can happen before the end.
      
      Also, when the CRYPTO_TFM_REQ_MAY_SLEEP flag is given, they can
      incorrectly sleep in the skcipher_walk_*() functions while preemption
      has been disabled by kernel_fpu_begin().
      
      Fix these bugs.
      
      Fixes: 1d373d4e ("crypto: x86 - Add optimized AEGIS implementations")
      Cc: <stable@vger.kernel.org> # v4.18+
      Cc: Ondrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarOndrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      ba6771c0
    • Eric Biggers's avatar
      crypto: morus - fix handling chunked inputs · d644f1c8
      Eric Biggers authored
      The generic MORUS implementations all fail the improved AEAD tests
      because they produce the wrong result with some data layouts.  The issue
      is that they assume that if the skcipher_walk API gives 'nbytes' not
      aligned to the walksize (a.k.a. walk.stride), then it is the end of the
      data.  In fact, this can happen before the end.  Fix them.
      
      Fixes: 396be41f ("crypto: morus - Add generic MORUS AEAD implementations")
      Cc: <stable@vger.kernel.org> # v4.18+
      Cc: Ondrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarOndrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      d644f1c8
    • Eric Biggers's avatar
      crypto: aegis - fix handling chunked inputs · 0f533e67
      Eric Biggers authored
      The generic AEGIS implementations all fail the improved AEAD tests
      because they produce the wrong result with some data layouts.  The issue
      is that they assume that if the skcipher_walk API gives 'nbytes' not
      aligned to the walksize (a.k.a. walk.stride), then it is the end of the
      data.  In fact, this can happen before the end.  Fix them.
      
      Fixes: f606a88e ("crypto: aegis - Add generic AEGIS AEAD implementations")
      Cc: <stable@vger.kernel.org> # v4.18+
      Cc: Ondrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Reviewed-by: default avatarOndrej Mosnacek <omosnace@redhat.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      0f533e67
    • Pankaj Gupta's avatar
      crypto: caam - fixed handling of sg list · 42e95d1f
      Pankaj Gupta authored
      when the source sg contains more than 1 fragment and
      destination sg contains 1 fragment, the caam driver
      mishandle the buffers to be sent to caam.
      
      Fixes: f2147b88 ("crypto: caam - Convert GCM to new AEAD interface")
      Cc: <stable@vger.kernel.org> # 4.2+
      Signed-off-by: default avatarPankaj Gupta <pankaj.gupta@nxp.com>
      Signed-off-by: default avatarArun Pathak <arun.pathak@nxp.com>
      Reviewed-by: default avatarHoria Geanta <horia.geanta@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      42e95d1f
    • Eric Biggers's avatar
      crypto: arm64/crct10dif-ce - cleanup and optimizations · 6227cd12
      Eric Biggers authored
      The x86, arm, and arm64 asm implementations of crct10dif are very
      difficult to understand partly because many of the comments, labels, and
      macros are named incorrectly: the lengths mentioned are usually off by a
      factor of two from the actual code.  Many other things are unnecessarily
      convoluted as well, e.g. there are many more fold constants than
      actually needed and some aren't fully reduced.
      
      This series therefore cleans up all these implementations to be much
      more maintainable.  I also made some small optimizations where I saw
      opportunities, resulting in slightly better performance.
      
      This patch cleans up the arm64 version.
      Acked-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      6227cd12
    • Eric Biggers's avatar
      crypto: arm/crct10dif-ce - cleanup and optimizations · e7b3ed33
      Eric Biggers authored
      The x86, arm, and arm64 asm implementations of crct10dif are very
      difficult to understand partly because many of the comments, labels, and
      macros are named incorrectly: the lengths mentioned are usually off by a
      factor of two from the actual code.  Many other things are unnecessarily
      convoluted as well, e.g. there are many more fold constants than
      actually needed and some aren't fully reduced.
      
      This series therefore cleans up all these implementations to be much
      more maintainable.  I also made some small optimizations where I saw
      opportunities, resulting in slightly better performance.
      
      This patch cleans up the arm version.
      
      (Also moved the constants to .rodata as suggested by Ard Biesheuvel.)
      Acked-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      e7b3ed33
    • Eric Biggers's avatar
      crypto: x86/crct10dif-pcl - cleanup and optimizations · 0974037f
      Eric Biggers authored
      The x86, arm, and arm64 asm implementations of crct10dif are very
      difficult to understand partly because many of the comments, labels, and
      macros are named incorrectly: the lengths mentioned are usually off by a
      factor of two from the actual code.  Many other things are unnecessarily
      convoluted as well, e.g. there are many more fold constants than
      actually needed and some aren't fully reduced.
      
      This series therefore cleans up all these implementations to be much
      more maintainable.  I also made some small optimizations where I saw
      opportunities, resulting in slightly better performance.
      
      This patch cleans up the x86 version.
      
      As part of this, I removed support for len < 16 from the x86 assembly;
      now the glue code falls back to the generic table-based implementation
      in this case.  Due to the overhead of kernel_fpu_begin(), this actually
      significantly improves performance on these lengths.  (And even if
      kernel_fpu_begin() were free, the generic code is still faster for about
      len < 11.)  This removal also eliminates error-prone special cases and
      makes the x86, arm32, and arm64 ports of the code match more closely.
      Acked-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      0974037f
    • Singh, Brijesh's avatar
      crypto: ccp - fix the SEV probe in kexec boot path · f8903b3e
      Singh, Brijesh authored
      A kexec reboot may leave the firmware in INIT or WORKING state.
      Currently, we issue PLATFORM_INIT command during the probe without
      checking the current state. The PLATFORM_INIT command fails if the
      FW is already in INIT state. Lets check the current state, if FW
      is not in UNINIT state then transition it to UNINIT before
      initializing or upgrading the FW.
      Signed-off-by: default avatarBrijesh Singh <brijesh.singh@amd.com>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Gary Hook <gary.hook@amd.com>
      Reviewed-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      f8903b3e
    • Christopher Diaz Riveros's avatar
      crypto: testmgr - use kmemdup · e3d90e52
      Christopher Diaz Riveros authored
      Fixes coccinnelle alerts:
      
      /crypto/testmgr.c:2112:13-20: WARNING opportunity for kmemdup
      /crypto/testmgr.c:2130:13-20: WARNING opportunity for kmemdup
      /crypto/testmgr.c:2152:9-16: WARNING opportunity for kmemdup
      Signed-off-by: default avatarChristopher Diaz Riveros <chrisadr@gentoo.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      e3d90e52
  2. 01 Feb, 2019 26 commits