1. 25 Apr, 2019 5 commits
    • Horia Geantă's avatar
      crypto: caam/jr - update gcm detection logic · df80bfd3
      Horia Geantă authored
      GCM detection logic has to change for two reasons:
      -some CAAM instantiations with Era < 10, even though they have AES LP,
      they now support GCM mode
      -Era 10 upwards, there is a dedicated bit in AESA_VERSION[AESA_MISC]
      field for GCM support
      
      For Era 9 and earlier, all AES accelerator versions support GCM,
      except for AES LP (CHAVID_LS[AESVID]=3) with revision CRNR[AESRN] < 8.
      
      For Era 10 and later, bit 9 of the AESA_VERSION register should be used
      to detect GCM support in AES accelerator.
      
      Note: caam/qi and caam/qi2 are drivers for QI (Queue Interface), which
      is used in DPAA-based SoCs; for now, we rely on CAAM having an AES HP
      and this AES accelerator having support for GCM.
      Signed-off-by: default avatarHoria Geantă <horia.geanta@nxp.com>
      Reviewed-by: default avatarIuliana Prodan <iuliana.prodan@nxp.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      df80bfd3
    • Colin Ian King's avatar
      crypto: caam - fix spelling mistake "cannote" -> "cannot" · 6ddc8e31
      Colin Ian King authored
      There is a spelling mistake in an error message in the qi_error_list
      array. Fix this.
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Reviewed-by: default avatarMukesh Ojha <mojha@codeaurora.org>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      6ddc8e31
    • Eric Biggers's avatar
      crypto: shash - remove shash_desc::flags · 877b5691
      Eric Biggers authored
      The flags field in 'struct shash_desc' never actually does anything.
      The only ostensibly supported flag is CRYPTO_TFM_REQ_MAY_SLEEP.
      However, no shash algorithm ever sleeps, making this flag a no-op.
      
      With this being the case, inevitably some users who can't sleep wrongly
      pass MAY_SLEEP.  These would all need to be fixed if any shash algorithm
      actually started sleeping.  For example, the shash_ahash_*() functions,
      which wrap a shash algorithm with the ahash API, pass through MAY_SLEEP
      from the ahash API to the shash API.  However, the shash functions are
      called under kmap_atomic(), so actually they're assumed to never sleep.
      
      Even if it turns out that some users do need preemption points while
      hashing large buffers, we could easily provide a helper function
      crypto_shash_update_large() which divides the data into smaller chunks
      and calls crypto_shash_update() and cond_resched() for each chunk.  It's
      not necessary to have a flag in 'struct shash_desc', nor is it necessary
      to make individual shash algorithms aware of this at all.
      
      Therefore, remove shash_desc::flags, and document that the
      crypto_shash_*() functions can be called from any context.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      877b5691
    • Eric Biggers's avatar
      crypto: nx - don't abuse shash MAY_SLEEP flag · 75f22228
      Eric Biggers authored
      The nx driver uses the MAY_SLEEP flag in shash_desc::flags as an
      indicator to not retry sending the operation to the hardware as many
      times before returning -EBUSY.  This is bogus because (1) that's not
      what the MAY_SLEEP flag is for, and (2) the shash API doesn't allow
      failing if the hardware is busy anyway.
      
      For now, just make it always retry the larger number of times.  This
      doesn't actually fix this driver, but it at least makes it not use the
      shash_desc::flags field anymore.  Then this field can be removed, as no
      other drivers use it.
      
      Cc: linuxppc-dev@lists.ozlabs.org
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      75f22228
    • Eric Biggers's avatar
      crypto: shash - remove useless crypto_yield() in shash_ahash_digest() · 54fe792b
      Eric Biggers authored
      The crypto_yield() in shash_ahash_digest() occurs after the entire
      digest operation already happened, so there's no real point.  Remove it.
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      54fe792b
  2. 19 Apr, 2019 2 commits
    • Eric Biggers's avatar
      crypto: ccm - fix incompatibility between "ccm" and "ccm_base" · 6a1faa4a
      Eric Biggers authored
      CCM instances can be created by either the "ccm" template, which only
      allows choosing the block cipher, e.g. "ccm(aes)"; or by "ccm_base",
      which allows choosing the ctr and cbcmac implementations, e.g.
      "ccm_base(ctr(aes-generic),cbcmac(aes-generic))".
      
      However, a "ccm_base" instance prevents a "ccm" instance from being
      registered using the same implementations.  Nor will the instance be
      found by lookups of "ccm".  This can be used as a denial of service.
      Moreover, "ccm_base" instances are never tested by the crypto
      self-tests, even if there are compatible "ccm" tests.
      
      The root cause of these problems is that instances of the two templates
      use different cra_names.  Therefore, fix these problems by making
      "ccm_base" instances set the same cra_name as "ccm" instances, e.g.
      "ccm(aes)" instead of "ccm_base(ctr(aes-generic),cbcmac(aes-generic))".
      
      This requires extracting the block cipher name from the name of the ctr
      and cbcmac algorithms.  It also requires starting to verify that the
      algorithms are really ctr and cbcmac using the same block cipher, not
      something else entirely.  But it would be bizarre if anyone were
      actually using non-ccm-compatible algorithms with ccm_base, so this
      shouldn't break anyone in practice.
      
      Fixes: 4a49b499 ("[CRYPTO] ccm: Added CCM mode")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      6a1faa4a
    • Eric Biggers's avatar
      crypto: gcm - fix incompatibility between "gcm" and "gcm_base" · f699594d
      Eric Biggers authored
      GCM instances can be created by either the "gcm" template, which only
      allows choosing the block cipher, e.g. "gcm(aes)"; or by "gcm_base",
      which allows choosing the ctr and ghash implementations, e.g.
      "gcm_base(ctr(aes-generic),ghash-generic)".
      
      However, a "gcm_base" instance prevents a "gcm" instance from being
      registered using the same implementations.  Nor will the instance be
      found by lookups of "gcm".  This can be used as a denial of service.
      Moreover, "gcm_base" instances are never tested by the crypto
      self-tests, even if there are compatible "gcm" tests.
      
      The root cause of these problems is that instances of the two templates
      use different cra_names.  Therefore, fix these problems by making
      "gcm_base" instances set the same cra_name as "gcm" instances, e.g.
      "gcm(aes)" instead of "gcm_base(ctr(aes-generic),ghash-generic)".
      
      This requires extracting the block cipher name from the name of the ctr
      algorithm.  It also requires starting to verify that the algorithms are
      really ctr and ghash, not something else entirely.  But it would be
      bizarre if anyone were actually using non-gcm-compatible algorithms with
      gcm_base, so this shouldn't break anyone in practice.
      
      Fixes: d00aa19b ("[CRYPTO] gcm: Allow block cipher parameter")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      f699594d
  3. 18 Apr, 2019 33 commits