1. 15 Jun, 2015 2 commits
    • Dan Streetman's avatar
      crypto: nx - replace NX842_MEM_COMPRESS with function · 2c6f6eab
      Dan Streetman authored
      Replace the NX842_MEM_COMPRESS define with a function that returns the
      specific platform driver's required working memory size.
      
      The common nx-842.c driver refuses to load if there is no platform
      driver present, so instead of defining an approximate working memory
      size that's the maximum approximate size of both platform driver's
      size requirements, the platform driver can directly provide its
      specific, i.e. sizeof(struct nx842_workmem), size requirements which
      the 842-nx crypto compression driver will use.
      
      This saves memory by both reducing the required size of each driver
      to the specific sizeof() amount, as well as using the specific loaded
      platform driver's required amount, instead of the maximum of both.
      Signed-off-by: default avatarDan Streetman <ddstreet@ieee.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      2c6f6eab
    • Dan Streetman's avatar
      crypto: nx - move include/linux/nx842.h into drivers/crypto/nx/nx-842.h · 32be6d3e
      Dan Streetman authored
      Move the contents of the include/linux/nx842.h header file into the
      drivers/crypto/nx/nx-842.h header file.  Remove the nx842.h header
      file and its entry in the MAINTAINERS file.
      
      The include/linux/nx842.h header originally was there because the
      crypto/842.c driver needed it to communicate with the nx-842 hw
      driver.  However, that crypto compression driver was moved into
      the drivers/crypto/nx/ directory, and now can directly include the
      nx-842.h header.  Nothing else needs the public include/linux/nx842.h
      header file, as all use of the nx-842 hardware driver will be through
      the "842-nx" crypto compression driver, since the direct nx-842 api is
      very limited in the buffer alignments and sizes that it will accept,
      and the crypto compression interface handles those limitations and
      allows any alignment and size buffers.
      Signed-off-by: default avatarDan Streetman <ddstreet@ieee.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      32be6d3e
  2. 12 Jun, 2015 3 commits
  3. 11 Jun, 2015 2 commits
  4. 10 Jun, 2015 4 commits
    • Stephan Mueller's avatar
      crypto: drbg - reseed often if seedsource is degraded · 42ea507f
      Stephan Mueller authored
      As required by SP800-90A, the DRBG implements are reseeding threshold.
      This threshold is at 2**48 (64 bit) and 2**32 bit (32 bit) as
      implemented in drbg_max_requests.
      
      With the recently introduced changes, the DRBG is now always used as a
      stdrng which is initialized very early in the boot cycle. To ensure that
      sufficient entropy is present, the Jitter RNG is added to even provide
      entropy at early boot time.
      
      However, the 2nd seed source, the nonblocking pool, is usually
      degraded at that time. Therefore, the DRBG is seeded with the Jitter RNG
      (which I believe contains good entropy, which however is questioned by
      others) and is seeded with a degradded nonblocking pool. This seed is
      now used for quasi the lifetime of the system (2**48 requests is a lot).
      
      The patch now changes the reseed threshold as follows: up until the time
      the DRBG obtains a seed from a fully iniitialized nonblocking pool, the
      reseeding threshold is lowered such that the DRBG is forced to reseed
      itself resonably often. Once it obtains the seed from a fully
      initialized nonblocking pool, the reseed threshold is set to the value
      required by SP800-90A.
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      42ea507f
    • Herbert Xu's avatar
      random: Remove kernel blocking API · c2719503
      Herbert Xu authored
      This patch removes the kernel blocking API as it has been completely
      replaced by the callback API.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      c2719503
    • Stephan Mueller's avatar
      crypto: drbg - Use callback API for random readiness · 57225e67
      Stephan Mueller authored
      The get_blocking_random_bytes API is broken because the wait can
      be arbitrarily long (potentially forever) so there is no safe way
      of calling it from within the kernel.
      
      This patch replaces it with the new callback API which does not
      have this problem.
      
      The patch also removes the entropy buffer registered with the DRBG
      handle in favor of stack variables to hold the seed data.
      Signed-off-by: default avatarStephan Mueller <smueller@chronox.de>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      57225e67
    • Herbert Xu's avatar
      random: Add callback API for random pool readiness · 205a525c
      Herbert Xu authored
      The get_blocking_random_bytes API is broken because the wait can
      be arbitrarily long (potentially forever) so there is no safe way
      of calling it from within the kernel.
      
      This patch replaces it with a callback API instead.  The callback
      is invoked potentially from interrupt context so the user needs
      to schedule their own work thread if necessary.
      
      In addition to adding callbacks, they can also be removed as
      otherwise this opens up a way for user-space to allocate kernel
      memory with no bound (by opening algif_rng descriptors and then
      closing them).
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      205a525c
  5. 09 Jun, 2015 6 commits
  6. 04 Jun, 2015 20 commits
  7. 03 Jun, 2015 3 commits
    • Tom Lendacky's avatar
      crypto: ccp - Protect against poorly marked end of sg list · fb43f694
      Tom Lendacky authored
      Scatter gather lists can be created with more available entries than are
      actually used (e.g. using sg_init_table() to reserve a specific number
      of sg entries, but in actuality using something less than that based on
      the data length).  The caller sometimes fails to mark the last entry
      with sg_mark_end().  In these cases, sg_nents() will return the original
      size of the sg list as opposed to the actual number of sg entries that
      contain valid data.
      
      On arm64, if the sg_nents() value is used in a call to dma_map_sg() in
      this situation, then it causes a BUG_ON in lib/swiotlb.c because an
      "empty" sg list entry results in dma_capable() returning false and
      swiotlb trying to create a bounce buffer of size 0. This occurred in
      the userspace crypto interface before being fixed by
      
      0f477b65 ("crypto: algif - Mark sgl end at the end of data")
      
      Protect against this by using the new sg_nents_for_len() function which
      returns only the number of sg entries required to meet the desired
      length and supplying that value to dma_map_sg().
      Signed-off-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      fb43f694
    • Tom Lendacky's avatar
      scatterlist: introduce sg_nents_for_len · cfaed10d
      Tom Lendacky authored
      When performing a dma_map_sg() call, the number of sg entries to map is
      required. Using sg_nents to retrieve the number of sg entries will
      return the total number of entries in the sg list up to the entry marked
      as the end. If there happen to be unused entries in the list, these will
      still be counted. Some dma_map_sg() implementations will not handle the
      unused entries correctly (lib/swiotlb.c) and execute a BUG_ON.
      
      The sg_nents_for_len() function will traverse the sg list and return the
      number of entries required to satisfy the supplied length argument. This
      can then be supplied to the dma_map_sg() call to successfully map the
      sg.
      Signed-off-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      cfaed10d
    • Herbert Xu's avatar
      crypto: scatterwalk - Hide PageSlab call to optimise away flush_dcache_page · 16054407
      Herbert Xu authored
      On architectures where flush_dcache_page is not needed, we will
      end up generating all the code up to the PageSlab call.  This is
      because PageSlab operates on a volatile pointer and thus cannot
      be optimised away.
      
      This patch works around this by checking whether flush_dcache_page
      is needed before we call PageSlab which then allows PageSlab to be
      compiled awy.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      16054407