1. 26 Apr, 2024 12 commits
    •
      crypto: x86/aes-xts - simplify loop in xts_crypt_slowpath() · 6a805864
      Eric Biggers authored
      Since the total length processed by the loop in xts_crypt_slowpath() is
      a multiple of AES_BLOCK_SIZE, just round the length down to
      AES_BLOCK_SIZE even on the last step.  This doesn't change behavior, as
      the last step will process a multiple of AES_BLOCK_SIZE regardless.
      Signed-off-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    •
      hwrng: stm32 - repair clock handling · c819d7b8
      Marek Vasut authored
      The clock management in this driver does not seem to be correct. The
      struct hwrng .init callback enables the clock, but there is no matching
      .cleanup callback to disable the clock. The clock gets disabled at some
      later point by the runtime PM suspend callback.
      
      Furthermore, both runtime PM and sleep suspend callbacks access registers
      first and disable the clock which is used for register access second. If the
      IP is already in RPM suspend and the system enters sleep state, the sleep
      callback will attempt to access registers while the register clock is
      already disabled. This bug has been fixed once before already in commit
      9bae5494 ("hwrng: stm32 - fix pm_suspend issue"), and regressed in
      commit ff4e4610 ("hwrng: stm32 - rework power management sequences").
      
      Fix this slightly differently: disable the register clock at the end of the .init
      callback; this way the IP is disabled after .init. On every access to the
      IP, which really is only stm32_rng_read(), do pm_runtime_get_sync(), which
      is already done in stm32_rng_read(), to bring the IP out of RPM suspend, and
      pm_runtime_mark_last_busy()/pm_runtime_put_sync_autosuspend() to put it
      back into RPM suspend.
      
      Change sleep suspend/resume callbacks to enable and disable register clock
      around register access, as those cannot use the RPM suspend/resume callbacks
      due to slightly different initialization in those sleep callbacks. This way,
      the register access should always be performed with clock surely enabled.
      
      Fixes: ff4e4610 ("hwrng: stm32 - rework power management sequences")
      Signed-off-by: Marek Vasut <marex@denx.de>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    •
      hwrng: stm32 - put IP into RPM suspend on failure · da62ed5c
      Marek Vasut authored
      In case of an irrecoverable failure, put the IP into RPM suspend
      to avoid RPM imbalance. I did not trigger this case, but it seems
      it should be done based on reading the code.
      
      Fixes: b17bc6eb ("hwrng: stm32 - rework error handling in stm32_rng_read()")
      Signed-off-by: Marek Vasut <marex@denx.de>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    •
      hwrng: stm32 - use logical OR in conditional · 31b57788
      Marek Vasut authored
      The conditional is used to check whether err is non-zero OR whether the
      reg variable is non-zero after clearing bits from it. This should be
      done using logical OR, not bitwise OR; fix it.
      
      Fixes: 6b85a7e1 ("hwrng: stm32 - implement STM32MP13x support")
      Signed-off-by: Marek Vasut <marex@denx.de>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    •
      crypto: ecdh - Initialize ctx->private_key in proper byte order · 01474b70
      Stefan Berger authored
      The private key in ctx->private_key is currently initialized in reverse
      byte order in ecdh_set_secret and whenever the key is needed in proper
      byte order the variable priv is introduced and the bytes from
      ctx->private_key are copied into priv while being byte-swapped
      (ecc_swap_digits). To get rid of the unnecessary byte swapping initialize
      ctx->private_key in proper byte order and clean up all functions that were
      previously using priv or were called with ctx->private_key:
      
      - ecc_gen_privkey: Directly initialize the passed ctx->private_key with
        random bytes filling all the digits of the private key. Get rid of the
        priv variable. This function only has ecdh_set_secret as a caller to
        create NIST P192/256/384 private keys.
      
      - crypto_ecdh_shared_secret: Called only from ecdh_compute_value with
        ctx->private_key. Get rid of the priv variable and work with the passed
        private_key directly.
      
      - ecc_make_pub_key: Called only from ecdh_compute_value with
        ctx->private_key. Get rid of the priv variable and work with the passed
        private_key directly.
      
      Cc: Salvatore Benedetto <salvatore.benedetto@intel.com>
      Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
      Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    •
      crypto: ecdh - Pass private key in proper byte order to check valid key · bd955a4e
      Stefan Berger authored
      ecc_is_key_valid expects a key with the most significant digit in the last
      entry of the digit array. Currently ecdh_set_secret passes a reversed key
      to ecc_is_key_valid that then passes the rather simple test checking
      whether the private key is in range [2, n-3]. For all current
      ecdh-supported curves (NIST P192/256/384) the 'n' parameter is a rather large
      number, therefore easily passing this test.
      
      Throughout the ecdh and ecc codebase the variable 'priv' is used for a
      private_key holding the bytes in proper byte order. Therefore, introduce
      priv in ecdh_set_secret and copy the bytes from ctx->private_key into
      priv in proper byte order by using ecc_swap_digits. Pass priv to
      ecc_is_valid_key.
      
      Cc: Ard Biesheuvel <ardb@kernel.org>
      Cc: Salvatore Benedetto <salvatore.benedetto@intel.com>
      Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
      Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
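The two ecdh commits above describe a digit-order mismatch: the [2, n-3] range check is only meaningful when the private key it receives has the same digit order the check assumes, and a byte-reversed key sails through it for a large group order. The program below is an added illustration, not kernel code: it models ecc_swap_digits (big-endian bytes into a least-significant-digit-first array), implements the range test as the commit message states it, and runs a few constructed NIST P-192 keys through the check in both proper and byte-reversed order. The order of NIST P-192 is real; the key byte strings, the function names and the helper arithmetic are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NDIGITS 3  /* NIST P-192: 192 bits = three 64-bit digits */

/* Group order n of NIST P-192, least significant digit first
 * (the digit order the kernel's ecc arithmetic computes in). */
static const uint64_t P192_N[NDIGITS] = {
    0x146BC9B1B4D22831ULL, 0xFFFFFFFF99DEF836ULL, 0xFFFFFFFFFFFFFFFFULL
};

/* Modelled on ecc_swap_digits(): a big-endian byte string becomes a
 * little-endian digit array, so the last 8 bytes land in digit 0. */
static void be_bytes_to_digits(const uint8_t *in, uint64_t *out, size_t ndigits)
{
    for (size_t i = 0; i < ndigits; i++) {
        const uint8_t *p = in + (ndigits - 1 - i) * 8;
        uint64_t d = 0;
        for (int j = 0; j < 8; j++)
            d = (d << 8) | p[j];
        out[i] = d;
    }
}

/* Compare two little-endian digit arrays; returns -1, 0 or 1. */
static int vli_cmp(const uint64_t *a, const uint64_t *b, size_t ndigits)
{
    for (size_t i = ndigits; i-- > 0;) {
        if (a[i] > b[i]) return 1;
        if (a[i] < b[i]) return -1;
    }
    return 0;
}

/* out = a - c for a small constant c, propagating the borrow. */
static void vli_sub_small(uint64_t *out, const uint64_t *a, uint64_t c, size_t ndigits)
{
    uint64_t borrow = c;
    for (size_t i = 0; i < ndigits; i++) {
        out[i] = a[i] - borrow;
        borrow = (a[i] < borrow) ? 1 : 0;
    }
}

/* The range test as the commit describes it: 2 <= priv <= n - 3. */
static bool key_in_range(const uint64_t *priv, const uint64_t *n)
{
    uint64_t two[NDIGITS] = { 2, 0, 0 }, n_minus_3[NDIGITS];
    vli_sub_small(n_minus_3, n, 3, NDIGITS);
    return vli_cmp(priv, two, NDIGITS) >= 0 && vli_cmp(priv, n_minus_3, NDIGITS) <= 0;
}

/* Validate a 24-byte big-endian key, either as given or after the byte
 * reversal the commit describes, to show how the latter defeats the check. */
bool p192_key_valid(const uint8_t key_be[NDIGITS * 8], bool reversed)
{
    uint8_t buf[NDIGITS * 8];
    uint64_t priv[NDIGITS];
    for (size_t i = 0; i < sizeof buf; i++)
        buf[i] = reversed ? key_be[sizeof buf - 1 - i] : key_be[i];
    be_bytes_to_digits(buf, priv, NDIGITS);
    return key_in_range(priv, P192_N);
}

/* Constructed test vectors (big-endian, 24 bytes). */
const uint8_t KEY_ONE[24]  = { [23] = 0x01 };   /* below the range: invalid */
const uint8_t KEY_FIVE[24] = { [23] = 0x05 };   /* in range: valid */
const uint8_t KEY_N_MINUS_1[24] = {              /* above n - 3: invalid */
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
    0x99, 0xDE, 0xF8, 0x36, 0x14, 0x6B, 0xC9, 0xB1, 0xB4, 0xD2, 0x28, 0x30
};

int main(void)
{
    const uint8_t *keys[] = { KEY_ONE, KEY_FIVE, KEY_N_MINUS_1 };
    const char *names[] = { "1", "5", "n-1" };
    for (int i = 0; i < 3; i++)
        printf("key %-4s proper order: %s   byte-reversed: %s\n", names[i],
               p192_key_valid(keys[i], false) ? "valid" : "invalid",
               p192_key_valid(keys[i], true) ? "valid" : "invalid");
    return 0;
}
```

Both out-of-range keys are rejected in proper order and accepted once reversed, which is the behaviour the commit fixes: with a reversed key, the only thing the check inspects is a number whose top digits came from the key's low-order bytes, and for a 192-bit n that number is almost always in range.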
    •
      crypto: tegra - Fix some error codes · 5ae6d3f5
      Dan Carpenter authored
      Return negative -ENOMEM, instead of positive ENOMEM.
      
      Fixes: 0880bb3b ("crypto: tegra - Add Tegra Security Engine driver")
      Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
      Reviewed-by: Jon Hunter <jonathanh@nvidia.com>
      Acked-by: Akhil R <akhilrajeev@nvidia.com>
      Acked-by: Thierry Reding <treding@nvidia.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    •
      dt-bindings: crypto: starfive: Restore sort order · ee2615fa
      Geert Uytterhoeven authored
      Restore alphabetical sort order of the list of supported compatible
      values.
      
      Fixes: 2ccf7a5d ("dt-bindings: crypto: starfive: Add jh8100 support")
      Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
      Acked-by: Conor Dooley <conor.dooley@microchip.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    •
      crypto: qat - validate slices count returned by FW · 483fd65c
      Lucas Segarra Fernandez authored
      The function adf_send_admin_tl_start() enables the telemetry (TL)
      feature on a QAT device by sending the ICP_QAT_FW_TL_START message to
      the firmware. This triggers the FW to start writing TL data to a DMA
      buffer in memory and returns an array containing the number of
      accelerators of each type (slices) supported by this HW.
      The pointer to this array is stored in the adf_tl_hw_data data
      structure called slice_cnt.
      
      The array slice_cnt is then used in the function tl_print_dev_data()
      to report in debugfs only statistics about the supported accelerators.
      An incorrect value of the elements in slice_cnt might lead to an out
      of bounds memory read.
      At the moment, there isn't an implementation of FW that returns a wrong
      value, but for robustness validate the slice count array returned by FW.
      
      Fixes: 69e7649f ("crypto: qat - add support for device telemetry")
      Signed-off-by: Lucas Segarra Fernandez <lucas.segarra.fernandez@intel.com>
      Reviewed-by: Damian Muszynski <damian.muszynski@intel.com>
      Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
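The qat commit above is an instance of a general rule: a count that arrives from firmware and is then used as a loop bound into a statically sized driver table is untrusted input, and it must be checked against the table size before it is stored. The program below is an added example written for this page, not the QAT driver's code; the slice types, the per-type maxima, the struct layout and the function names are all assumptions standing in for adf_send_admin_tl_start(), slice_cnt and tl_print_dev_data().

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical accelerator (slice) types and the number of entries the
 * driver's own stats tables hold per type. Assumed values for illustration. */
enum slice_type { SLICE_CPH, SLICE_ATH, SLICE_PKE, SLICE_NUM_TYPES };
#define MAX_SLICES_PER_TYPE 4
static const uint8_t max_slices[SLICE_NUM_TYPES] = { 4, 4, 2 };

/* Per-slice counters as the driver would read them from the telemetry DMA buffer. */
struct tl_dev_stats {
    uint32_t util[SLICE_NUM_TYPES][MAX_SLICES_PER_TYPE];
};

/* The firmware-supplied count array is a trust boundary. Reject rather than
 * clamp: a count the driver's tables cannot hold means firmware and driver
 * disagree about the hardware, and silently trimming would hide that. */
int validate_slice_cnt(const uint8_t *slice_cnt, size_t ntypes)
{
    if (ntypes != SLICE_NUM_TYPES)
        return -EINVAL;
    for (size_t t = 0; t < ntypes; t++)
        if (slice_cnt[t] > max_slices[t])
            return -EINVAL;
    return 0;
}

/* Models the start step: the reply is copied into the driver's slice_cnt only
 * once it validates, so later readers never see an unchecked count. */
int tl_start(const uint8_t *fw_reply, size_t nreply, uint8_t *slice_cnt_out)
{
    int ret = validate_slice_cnt(fw_reply, nreply);
    if (ret)
        return ret;
    memcpy(slice_cnt_out, fw_reply, SLICE_NUM_TYPES);
    return 0;
}

/* Models the debugfs reporter: slice_cnt[t] bounds the walk over util[t][].
 * With a validated count this never reads past the table; an unvalidated
 * count larger than MAX_SLICES_PER_TYPE would read out of bounds here. */
uint64_t sum_reported_util(const struct tl_dev_stats *s, const uint8_t *slice_cnt)
{
    uint64_t total = 0;
    for (size_t t = 0; t < SLICE_NUM_TYPES; t++)
        for (size_t i = 0; i < slice_cnt[t]; i++)
            total += s->util[t][i];
    return total;
}

/* Constructed firmware replies and a constructed stats buffer. */
const uint8_t GOOD_CNT[SLICE_NUM_TYPES] = { 2, 4, 1 };
const uint8_t BAD_CNT[SLICE_NUM_TYPES]  = { 2, 5, 1 };   /* ATH count exceeds table */
const uint8_t BAD_PKE[SLICE_NUM_TYPES]  = { 0, 0, 3 };   /* fits the array, exceeds PKE max */
const struct tl_dev_stats SAMPLE_STATS = {
    .util = { { 10, 20, 30, 40 }, { 1, 1, 1, 1 }, { 7, 8, 0, 0 } }
};

int main(void)
{
    uint8_t slice_cnt[SLICE_NUM_TYPES];
    if (tl_start(BAD_CNT, SLICE_NUM_TYPES, slice_cnt) == -EINVAL)
        printf("rejected firmware reply with out-of-range slice count\n");
    if (tl_start(GOOD_CNT, SLICE_NUM_TYPES, slice_cnt) == 0)
        printf("reported utilisation: %llu\n",
               (unsigned long long)sum_reported_util(&SAMPLE_STATS, slice_cnt));
    return 0;
}
```

Note that BAD_PKE is rejected even though a count of 3 would still index inside the 4-entry array: the check is against what the driver knows the hardware can have, not merely against the array size, which keeps the reporter's output honest as well as memory-safe.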
    •
      crypto: aead,cipher - zeroize key buffer after use · 23e4099b
      Hailey Mothershead authored
      I.G 9.7.B for FIPS 140-3 specifies that variables temporarily holding
      cryptographic information should be zeroized once they are no longer
      needed. Accomplish this by using kfree_sensitive for buffers that
      previously held the private key.
      Signed-off-by: Hailey Mothershead <hailmo@amazon.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
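The commit above swaps kfree for kfree_sensitive so that a temporary copy of key material is overwritten before the memory is returned to the allocator. The userspace program below is an added example and not kernel code: it shows the same idiom with a zeroization routine that calls memset through a volatile function pointer so the compiler cannot treat the final store as dead and drop it, then frees the buffer. The function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Calling memset through a volatile pointer keeps the compiler from eliding
 * a store to memory that is about to be freed (the same concern that makes
 * the kernel use memzero_explicit rather than plain memset). */
static void *(*volatile memset_ptr)(void *, int, size_t) = memset;

void zeroize(void *p, size_t n)
{
    memset_ptr(p, 0, n);
}

/* Userspace counterpart of the kfree -> kfree_sensitive change: wipe, then free.
 * The caller must pass the allocation's size, which the kernel derives itself. */
void free_sensitive(void *p, size_t n)
{
    if (!p)
        return;
    zeroize(p, n);
    free(p);
}

/* Helper for checking that a buffer no longer holds any of its former content. */
bool is_all_zero(const uint8_t *p, size_t n)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc |= p[i];
    return acc == 0;
}

/* Simulates a setkey path: copy the caller's key into a temporary, use it,
 * wipe it, and report whether the temporary was clean before release. */
bool setkey_with_temp_copy(const uint8_t *key, size_t keylen)
{
    uint8_t *tmp = malloc(keylen);
    if (!tmp)
        return false;
    memcpy(tmp, key, keylen);
    /* ... the temporary would be handed to the cipher here ... */
    zeroize(tmp, keylen);
    bool clean = is_all_zero(tmp, keylen);
    free(tmp);
    return clean;
}

/* Constructed 16-byte sample key, not a real secret. */
const uint8_t SAMPLE_KEY[16] = {
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F
};

int main(void)
{
    printf("temporary key copy wiped before free: %s\n",
           setkey_with_temp_copy(SAMPLE_KEY, sizeof SAMPLE_KEY) ? "yes" : "no");
    return 0;
}
```

In the kernel the allocation size is known to the allocator, so kfree_sensitive needs no length argument; in userspace the caller has to carry it, which is why free_sensitive takes one.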
    •
      crypto: arm64/aes-ce - Simplify round key load sequence · 571e557c
      Ard Biesheuvel authored
      Tweak the round key logic so that they can be loaded using a single
      branchless sequence using overlapping loads. This is shorter and
      simpler, and puts the conditional branches based on the key size further
      apart, which might benefit microarchitectures that cannot record taken
      branches at every instruction. For these branches, use test-bit-branch
      instructions that don't clobber the condition flags.
      
      Note that none of this has any impact on performance, positive or
      otherwise (and the branch prediction benefit would only benefit AES-192
      which nobody uses). It does make for nicer code, though.
      
      While at it, use \@ to generate the labels inside the macros, which is
      more robust than using fixed numbers, which could clash inadvertently.
      Also, bring aes-neon.S in line with these changes, including the switch
      to test-and-branch instructions, to avoid surprises in the future when
      we might start relying on the condition flags being preserved in the
      chaining mode wrappers in aes-modes.S
      Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
      Reviewed-by: Eric Biggers <ebiggers@google.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    •
      crypto: tegra - Convert to platform remove callback returning void · 3f4d1482
      Uwe Kleine-König authored
      The .remove() callback for a platform driver returns an int which makes
      many driver authors wrongly assume it's possible to do error handling by
      returning an error code. However the value returned is ignored (apart
      from emitting a warning) and this typically results in resource leaks.
      
      To improve here there is a quest to make the remove callback return
      void. In the first step of this quest all drivers are converted to
      .remove_new(), which already returns void. Eventually after all drivers
      are converted, .remove_new() will be renamed to .remove().
      
      Trivially convert this driver from always returning zero in the remove
      callback to the void returning variant.
      
      Fixes: 0880bb3b ("crypto: tegra - Add Tegra Security Engine driver")
      Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Acked-by: Akhil R <akhilrajeev@nvidia.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  2. 19 Apr, 2024 15 commits
  3. 12 Apr, 2024 13 commits