- 31 Mar, 2015 6 commits
-
-
Stephan Mueller authored
Flag all ash clmulni helper ciphers as internal ciphers to prevent them from being called by normal users. Signed-off-by:
Stephan Mueller <smueller@chronox.de> Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au>
-
Stephan Mueller authored
Flag all AES-NI helper ciphers as internal ciphers to prevent them from being called by normal users. Signed-off-by:
-
Stephan Mueller authored
With ciphers that now cannot be accessed via the kernel crypto API, callers shall be able to identify the ciphers that are not callable. The /proc/crypto file is added a boolean field identifying that such internal ciphers. Signed-off-by:
-
Stephan Mueller authored
The cryptd is used as a wrapper around internal ciphers. Therefore, the cryptd must process the internal cipher by marking cryptd as internal if the underlying cipher is an internal cipher. Signed-off-by:
-
Stephan Mueller authored
Allocate the ciphers irrespectively if they are marked as internal or not. As all ciphers, including the internal ciphers will be processed by the testmgr, it needs to be able to allocate those ciphers. Signed-off-by:
-
Stephan Mueller authored
Several hardware related cipher implementations are implemented as follows: a "helper" cipher implementation is registered with the kernel crypto API. Such helper ciphers are never intended to be called by normal users. In some cases, calling them via the normal crypto API may even cause failures including kernel crashes. In a normal case, the "wrapping" ciphers that use the helpers ensure that these helpers are invoked such that they cannot cause any calamity. Considering the AF_ALG user space interface, unprivileged users can call all ciphers registered with the crypto API, including these helper ciphers that are not intended to be called directly. That means, with AF_ALG user space may invoke these helper ciphers and may cause undefined states or side effects. To avoid any potential side effects with such helpers, the patch prevents the helpers to be called directly. A new cipher type flag is added: CRYPTO_ALG_INTERNAL. This flag shall be used to mark helper ciphers. These ciphers can only be used if the caller invoke the cipher with CRYPTO_ALG_INTERNAL in the type and mask field. Signed-off-by:
-
- 24 Mar, 2015 1 commit
-
-
Ard Biesheuvel authored
This fixes a bug in the new v8 Crypto Extensions GHASH code that only manifests itself in big-endian mode. Signed-off-by:
Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by:
-
- 23 Mar, 2015 6 commits
-
-
Dan Carpenter authored
"hdev->req->nbytes" is an unsigned int so we so we lose the upper 3 bits to the shift wrap bug. Signed-off-by:
Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by:
-
Dan Carpenter authored
GCC complains about that %u is the wrong format string for size_t and also that "ret" is unused. Signed-off-by:
-
Allan, Bruce W authored
Convert pr_info() and pr_err() log messages to dev_info() and dev_err(), respectively, where able. This adds the module name and PCI B:D:F to indicate which QAT device generated the log message. The "QAT:" is removed from these log messages as that is now unnecessary. A few of these log messages have additional spelling/contextual fixes. Signed-off-by:
Bruce Allan <bruce.w.allan@intel.com> Signed-off-by:
-
Allan, Bruce W authored
Signed-off-by:
-
Allan, Bruce W authored
This define is a duplicate of the one in ./include/linux/pci_ids.h Signed-off-by:
-
James Hartley authored
The Kconfig entry for CRYPTO_DEV_IMGTEC_HASH incorrectly selects CRYPTO_SHA224, which does not exist (and is covered by CRYPTO_SHA256 which covers both 224 and 256). Remove it. Also correct typo CRYPTO_ALG_API to be CRYPTO_ALGPI. Reported-by:
Valentin Rothberg <valentinrothberg@gmail.com> Signed-off-by:
James Hartley <james.hartley@imgtec.com> Signed-off-by:
-
- 19 Mar, 2015 1 commit
-
-
mancha security authored
OPTIMIZER_HIDE_VAR(), as defined when using gcc, is insufficient to ensure protection from dead store optimization. For the random driver and crypto drivers, calls are emitted ... $ gdb vmlinux (gdb) disassemble memzero_explicit Dump of assembler code for function memzero_explicit: 0xffffffff813a18b0 <+0>: push %rbp 0xffffffff813a18b1 <+1>: mov %rsi,%rdx 0xffffffff813a18b4 <+4>: xor %esi,%esi 0xffffffff813a18b6 <+6>: mov %rsp,%rbp 0xffffffff813a18b9 <+9>: callq 0xffffffff813a7120 <memset> 0xffffffff813a18be <+14>: pop %rbp 0xffffffff813a18bf <+15>: retq End of assembler dump. (gdb) disassemble extract_entropy [...] 0xffffffff814a5009 <+313>: mov %r12,%rdi 0xffffffff814a500c <+316>: mov $0xa,%esi 0xffffffff814a5011 <+321>: callq 0xffffffff813a18b0 <memzero_explicit> 0xffffffff814a5016 <+326>: mov -0x48(%rbp),%rax [...] ... but in case in future we might use facilities such as LTO, then OPTIMIZER_HIDE_VAR() is not sufficient to protect gcc from a possible eviction of the memset(). We have to use a compiler barrier instead. Minimal test example when we assume memzero_explicit() would *not* be a call, but would have been *inlined* instead: static inline void memzero_explicit(void *s, size_t count) { memset(s, 0, count); <foo> } int main(void) { char buff[20]; snprintf(buff, sizeof(buff) - 1, "test"); printf("%s", buff); memzero_explicit(buff, sizeof(buff)); return 0; } With <foo> := OPTIMIZER_HIDE_VAR(): (gdb) disassemble main Dump of assembler code for function main: [...] 0x0000000000400464 <+36>: callq 0x400410 <printf@plt> 0x0000000000400469 <+41>: xor %eax,%eax 0x000000000040046b <+43>: add $0x28,%rsp 0x000000000040046f <+47>: retq End of assembler dump. With <foo> := barrier(): (gdb) disassemble main Dump of assembler code for function main: [...] 0x0000000000400464 <+36>: callq 0x400410 <printf@plt> 0x0000000000400469 <+41>: movq $0x0,(%rsp) 0x0000000000400471 <+49>: movq $0x0,0x8(%rsp) 0x000000000040047a <+58>: movl $0x0,0x10(%rsp) 0x0000000000400482 <+66>: xor %eax,%eax 0x0000000000400484 <+68>: add $0x28,%rsp 0x0000000000400488 <+72>: retq End of assembler dump. As can be seen, movq, movq, movl are being emitted inlined via memset(). Reference: http://thread.gmane.org/gmane.linux.kernel.cryptoapi/13764/ Fixes: d4c5efdb ("random: add and use memzero_explicit() for clearing data") Cc: Theodore Ts'o <tytso@mit.edu> Signed-off-by:mancha security <mancha1@zoho.com> Signed-off-by:
Daniel Borkmann <daniel@iogearbox.net> Acked-by:
Hannes Frederic Sowa <hannes@stressinduktion.org> Acked-by:
-
- 18 Mar, 2015 1 commit
-
-
Keith Packard authored
Hardware random number quality is measured from 0 (no entropy) to 1024 (perfect entropy). Allow hardware devices to assert the full range by truncating the device-provided value at 1024 instead of 1023. Signed-off-by:
Keith Packard <keithp@keithp.com> Signed-off-by:
-
- 17 Mar, 2015 3 commits
-
-
Herbert Xu authored
crypto: img-hash - Add missing semicolon to fix build error There is a missing semicolon after MODULE_DEVICE_TABLE. Reported-by:
Stephen Rothwell <sfr@canb.auug.org.au> Signed-off-by:
-
Andre Wolokita authored
omap4_rng_init() checks bit 10 of the RNG_CONFIG_REG to determine whether the RNG is already running before performing any initiliasation. This is not the correct register to check, as the enable bit is in RNG_CONFIG_CONTROL. Read from RNG_CONTROL_REG instead. Signed-off-by:
Andre Wolokita <Andre.Wolokita@analog.com> Signed-off-by:
-
Andre Wolokita authored
In omap4_rng_init(), a check of bit 10 of the RNG_CONFIG_REG is done to determine whether the RNG is running. This is suspicious firstly due to the use of RNG_CONTROL_ENABLE_TRNG_MASK and secondly because the same mask is written to RNG_CONTROL_REG after configuration of the FROs. Similar suspicious logic is repeated in omap4_rng_cleanup() when RNG_CONTROL_REG masked with RNG_CONTROL_ENABLE_TRNG_MASK is read, the same mask bit is cleared, and then written to RNG_CONFIG_REG. Unless the TRNG is enabled with one bit in RNG_CONTROL and disabled with another in RNG_CONFIG and these bits are mirrored in some way, I believe that the TRNG is not really shutting off. Apart from the strange logic, I have reason to suspect that the OMAP4 related code in this driver is driving an Inside Secure IP hardware RNG and strongly suspect that bit 10 of RNG_CONFIG_REG is one of the bits configuring the sampling rate of the FROs. This option is by default set to 0 and is not being set anywhere in omap-rng.c. Reading this bit during omap4_rng_init() will always return 0. It will remain 0 because ~(value of TRNG_MASK in control) will always be 0, because the TRNG is never shut off. This is of course presuming that the OMAP4 features the Inside Secure IP. I'm interested in knowing what the guys at TI think about this, as only they can confirm or deny the detailed structure of these registers. Signed-off-by:
-
- 16 Mar, 2015 10 commits
-
-
Ameen Ali authored
fixing a syntax-error . Signed-off-by:
Ameen Ali <AmeenAli023@gmail.com> Signed-off-by:
-
Stephan Mueller authored
Due to the change to RNGs to always return zero in success case, the RNG interface must zeroize the buffer with the length provided by the caller. Signed-off-by:
-
James Hartley authored
This adds the binding documentation for the Imagination Technologies hash accelerator that provides hardware acceleration for SHA1/SHA224/SHA256/MD5 hashes. This hardware will be present in the upcoming pistachio SoC. Signed-off-by:
Andrew Bresticker <abrestic@chromium.org> Signed-off-by:
-
James Hartley authored
This adds support for the Imagination Technologies hash accelerator which provides hardware acceleration for SHA1 SHA224 SHA256 and MD5 hashes. Signed-off-by:
-
Dmitry Torokhov authored
This allows us to get rid of driver's remove() method. Signed-off-by:
Dmitry Torokhov <dmitry.torokhov@gmail.com> Signed-off-by:
-
Dmitry Torokhov authored
Instead of using static hwrng structure that is reused between binds/unbinds of the device let's embed it into driver's private structure that we allocate. This way we are guaranteed not to stumble onto something left from previous bind attempt. Signed-off-by:
-
Dmitry Torokhov authored
This allows us to get rid of remove() method. Signed-off-by:
-
Dmitry Torokhov authored
This allows us to get rid of remove() method. Signed-off-by:
-
Dmitry Torokhov authored
This change converts bcm63xx-rng to use devm* API for managing all resources, which allows us to dispense with the rest of error handling path and remove() function. Also we combine hwern and driver-private data into a single allocation, use clk_prepare_enable() instead of "naked" clk_enable() and move clock enabling/disabling into hwrnd inti(0 and cleanup() methods so the clock stays off until rng is used. Signed-off-by:
-
Dmitry Torokhov authored
This change adds devm_hwrng_register and devm_hwrng_unregister which use can simplify error unwinding and unbinding code paths in device drivers. Signed-off-by:
-
- 13 Mar, 2015 2 commits
-
-
Julia Lawall authored
The semantic patch that fixes this problem is as follows: (http://coccinelle.lip6.fr/) // <smpl> @r@ type T; identifier f; @@ static T f (...) { ... } @@ identifier r.f; declarer name EXPORT_SYMBOL_GPL; @@ -EXPORT_SYMBOL_GPL(f); // </smpl> Signed-off-by:
Julia Lawall <Julia.Lawall@lip6.fr> Signed-off-by:
-
Stephan Mueller authored
Due to the change to RNGs to always return zero in success case, the invocation of the RNGs in the test manager must be updated as otherwise the RNG self tests are not properly executed any more. Signed-off-by:
Alexander Bergmann <abergmann@suse.com> Signed-off-by:
-
- 12 Mar, 2015 7 commits
-
-
Herbert Xu authored
crypto: vmx - Fix assembler perl to use _GLOBAL Rather than doing things by hand for global symbols to deal with different calling conventions we already have a macro _GLOBAL in Linux to handle this. Signed-off-by:
Guenter Roeck <linux@roeck-us.net>
-
Dmitry Torokhov authored
Instead of using #ifdefs let's mark suspend and resume methods as __maybe_unused which will suppress compiler warnings about them being unused and provide better compile coverage. Because SIMPLE_DEV_PM_OPS() produces an empty omap_rng_pm structure in case of !CONFIG_PM_SLEEP neither omap_rng_suspend nor omap_rng_resume will end up being referenced and the change will not result in increasing image size. Signed-off-by:
-
Ard Biesheuvel authored
This implements the GHASH hash algorithm (as used by the GCM AEAD chaining mode) using the AArch32 version of the 64x64 to 128 bit polynomial multiplication instruction (vmull.p64) that is part of the ARMv8 Crypto Extensions. Signed-off-by:
-
Ard Biesheuvel authored
This implements the ECB, CBC, CTR and XTS asynchronous block ciphers using the AArch32 versions of the ARMv8 Crypto Extensions for AES. Signed-off-by:
-
Ard Biesheuvel authored
This implements the SHA-224/256 secure hash algorithm using the AArch32 versions of the ARMv8 Crypto Extensions for SHA2. Signed-off-by:
-
Ard Biesheuvel authored
This implements the SHA1 secure hash algorithm using the AArch32 versions of the ARMv8 Crypto Extensions for SHA1. Signed-off-by:
-
Ard Biesheuvel authored
This moves all Kconfig symbols defined in crypto/Kconfig that depend on CONFIG_ARM to a dedicated Kconfig file in arch/arm/crypto, which is where the code that implements those features resides as well. Signed-off-by:
-
- 11 Mar, 2015 3 commits
-
-
Dmitry Torokhov authored
Even if bus is not hot-pluggable, the devices can be bound and unbound from the driver via sysfs, so we should not be using __init/__exit annotations on probe() and remove() methods. The only exception is drivers registered with platform_driver_probe() which specifically disables sysfs bind/unbind attributes. Signed-off-by:
-
Dmitry Torokhov authored
PCI bus is hot-pluggable, and even if it wasn't one can still unbind the device from driver via sysfs, so we should not make driver's remove method as __exit. Signed-off-by:
-
Dmitry Torokhov authored
Even if bus is not hot-pluggable, the devices can be unbound from the driver via sysfs, so we should not be using __exit annotations on remove() methods. The only exception is drivers registered with platform_driver_probe() which specifically disables sysfs bind/unbind attributes. Similarly probe() methods should not be marked __init unless platform_driver_probe() is used. Signed-off-by:
-
