- 16 Jul, 2020 1 commit
-
-
Herbert Xu authored
The arc4 algorithm requires storing state in the request context in order to allow more than one encrypt/decrypt operation. As this driver does not seem to do that, it means that using it for more than one operation is broken. Fixes: eaed71a4 ("crypto: caam - add ecb(*) support") Link: https://lore.kernel.org/linux-crypto/CAMj1kXGvMe_A_iQ43Pmygg9xaAM-RLy=_M=v+eg--8xNmv9P+w@mail.gmail.com Link: https://lore.kernel.org/linux-crypto/20200702101947.682-1-ardb@kernel.orgSigned-off-by:
Herbert Xu <herbert@gondor.apana.org.au> Acked-by:
Ard Biesheuvel <ardb@kernel.org> Acked-by:
Horia Geantă <horia.geanta@nxp.com> Signed-off-by:
-
- 09 Jul, 2020 29 commits
-
-
Ard Biesheuvel authored
Of the two versions of GHASH that the ARM driver implements, only one performs aggregation, and so the other one has no use for the powers of H to be precomputed, or space to be allocated for them in the key struct. So make the context size dependent on which version is being selected, and while at it, use a static key to carry this decision, and get rid of the function pointer. Signed-off-by:
-
Ard Biesheuvel authored
Introduce an inline wrapper for ghash_do_update() that incorporates the indirect call to the asm routine that is passed as an argument, and keep the non-SIMD fallback code out of line. This ensures that all references to the function pointer are inlined where the address is taken, removing the need for any indirect calls to begin with. Signed-off-by:
-
Ard Biesheuvel authored
Now that the ghash and gcm drivers are split, we no longer need to allocate a key struct for the former that carries powers of H that are only used by the latter. Also, take this opportunity to clean up the code a little bit. Signed-off-by:
-
Ard Biesheuvel authored
The remaining ghash implementation does not support aggregation, and so there is no point in including the precomputed powers of H in the key struct. So move that into the GCM setkey routine, and get rid of the shared sub-routine entirely. Signed-off-by:
-
Ard Biesheuvel authored
There are two ways to implement SIMD accelerated GCM on arm64: - using the PMULL instructions for carryless 64x64->128 multiplication, in which case the architecture guarantees that the AES instructions are available as well, and so we can use the AEAD implementation that combines both, - using the PMULL instructions for carryless 8x8->16 bit multiplication, which is implemented as a shash, and can be combined with any ctr(aes) implementation by the generic GCM AEAD template driver. So let's drop the 64x64->128 shash driver, which is never needed for GCM, and not suitable for use anywhere else. Signed-off-by:
-
Barry Song authored
If users don't specify NUMA node, the driver will use the ZIP module near the CPU allocating acomp. Otherwise, it uses the ZIP module according to the requirement of users. Cc: Zhou Wang <wangzhou1@hisilicon.com> Signed-off-by:
Barry Song <song.bao.hua@hisilicon.com> Signed-off-by:
-
Barry Song authored
For a Linux server with NUMA, there are possibly multiple (de)compressors which are either local or remote to some NUMA node. Some drivers will automatically use the (de)compressor near the CPU calling acomp_alloc(). However, it is not necessarily correct because users who send acomp_req could be from different NUMA node with the CPU which allocates acomp. Just like kernel has kmalloc() and kmalloc_node(), here crypto can have same support. Cc: Seth Jennings <sjenning@redhat.com> Cc: Dan Streetman <ddstreet@ieee.org> Cc: Vitaly Wool <vitaly.wool@konsulko.com> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Jonathan Cameron <Jonathan.Cameron@huawei.com> Signed-off-by:
-
Sedat Dilek authored
When building with LLVM_IAS=1 means using Clang's Integrated Assembly (IAS) from LLVM/Clang >= v10.0.1-rc1+ instead of GNU/as from GNU/binutils I see the following breakage in Debian/testing AMD64: <instantiation>:15:74: error: too many positional arguments PRECOMPUTE 8*3+8(%rsp), %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7, ^ arch/x86/crypto/aesni-intel_asm.S:1598:2: note: while in macro instantiation GCM_INIT %r9, 8*3 +8(%rsp), 8*3 +16(%rsp), 8*3 +24(%rsp) ^ <instantiation>:47:2: error: unknown use of instruction mnemonic without a size suffix GHASH_4_ENCRYPT_4_PARALLEL_dec %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, %xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7, %xmm8, enc ^ arch/x86/crypto/aesni-intel_asm.S:1599:2: note: while in macro instantiation GCM_ENC_DEC dec ^ <instantiation>:15:74: error: too many positional arguments PRECOMPUTE 8*3+8(%rsp), %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7, ^ arch/x86/crypto/aesni-intel_asm.S:1686:2: note: while in macro instantiation GCM_INIT %r9, 8*3 +8(%rsp), 8*3 +16(%rsp), 8*3 +24(%rsp) ^ <instantiation>:47:2: error: unknown use of instruction mnemonic without a size suffix GHASH_4_ENCRYPT_4_PARALLEL_enc %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, %xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7, %xmm8, enc ^ arch/x86/crypto/aesni-intel_asm.S:1687:2: note: while in macro instantiation GCM_ENC_DEC enc Craig Topper suggested me in ClangBuiltLinux issue #1050: > I think the "too many positional arguments" is because the parser isn't able > to handle the trailing commas. > > The "unknown use of instruction mnemonic" is because the macro was named > GHASH_4_ENCRYPT_4_PARALLEL_DEC but its being instantiated with > GHASH_4_ENCRYPT_4_PARALLEL_dec I guess gas ignores case on the > macro instantiation, but llvm doesn't. First, I removed the trailing comma in the PRECOMPUTE line. Second, I substituted: 1. GHASH_4_ENCRYPT_4_PARALLEL_DEC -> GHASH_4_ENCRYPT_4_PARALLEL_dec 2. GHASH_4_ENCRYPT_4_PARALLEL_ENC -> GHASH_4_ENCRYPT_4_PARALLEL_enc With these changes I was able to build with LLVM_IAS=1 and boot on bare metal. I confirmed that this works with Linux-kernel v5.7.5 final. NOTE: This patch is on top of Linux v5.7 final. Thanks to Craig and especially Nick for double-checking and his comments. Suggested-by:Craig Topper <craig.topper@intel.com> Suggested-by:
Craig Topper <craig.topper@gmail.com> Suggested-by:
Nick Desaulniers <ndesaulniers@google.com> Reviewed-by:
Sedat Dilek <sedat.dilek@gmail.com> Signed-off-by:
-
Herbert Xu authored
This patch fixes a number of endianness marking issues in the ccp driver. Signed-off-by:
John Allen <john.allen@amd.com> Signed-off-by:
-
Herbert Xu authored
Some user-space programs rely on crypto requests that have no control metadata. This broke when a check was added to require the presence of control metadata with the ctx->init flag. This patch fixes the regression by setting ctx->init as long as one sendmsg(2) has been made, with or without a control message. Reported-by:
Sachin Sant <sachinp@linux.vnet.ibm.com> Reported-by:
Naresh Kamboju <naresh.kamboju@linaro.org> Fixes: f3c802a1 ("crypto: algif_aead - Only wake up when...") Signed-off-by:
-
Rikard Falkeborn authored
features[] and id_table[] are not modified and can be made const to allow the compiler to put them in read-only memory. Before: text data bss dec hex filename 11534 2056 160 13750 35b6 drivers/crypto/virtio/virtio_crypto_core.o After: text data bss dec hex filename 11630 1992 128 13750 35b6 drivers/crypto/virtio/virtio_crypto_core.o Signed-off-by:
Rikard Falkeborn <rikard.falkeborn@gmail.com> Signed-off-by:
-
Rikard Falkeborn authored
id_table[] is not modified and an be made const to allow the compiler to put it in read-only memory. Before: text data bss dec hex filename 1746 192 8 1946 79a drivers/char/hw_random/virtio-rng.o After: text data bss dec hex filename 1762 176 8 1946 79a drivers/char/hw_random/virtio-rng.o Signed-off-by:
-
Rikard Falkeborn authored
nmk_rng_ids[] is not modified and can be made const to allow the compiler to put it in read-only memory. Before: text data bss dec hex filename 652 216 4 872 368 drivers/char/hw_random/nomadik-rng.o After: text data bss dec hex filename 676 192 4 872 368 drivers/char/hw_random/nomadik-rng.o Signed-off-by:Arnd Bergmann <arnd@arndb.de> Signed-off-by:
-
Rikard Falkeborn authored
bcm2835_rng_devtype[] is not modified and can be made const to allow the compiler to put it in read-only memory. Before: text data bss dec hex filename 2392 176 0 2568 a08 drivers/char/hw_random/bcm2835-rng.o After: text data bss dec hex filename 2464 104 0 2568 a08 drivers/char/hw_random/bcm2835-rng.o Signed-off-by:
Florian Fainelli <f.fainelli@gmail.com> Signed-off-by:
-
Geert Uytterhoeven authored
As HW_RANDOM_BA431 does not have any platform dependency, it should not default to enabled. Fixes: 0289e9be ("hwrng: ba431 - add support for BA431 hwrng") Signed-off-by:
Geert Uytterhoeven <geert+renesas@glider.be> Signed-off-by:
-
Herbert Xu authored
The ba431 driver depends on HAS_IOMEM and this was missing from the Kconfig file. Reported-by:
kernel test robot <lkp@intel.com> Fixes: 0289e9be ("hwrng: ba431 - add support for BA431 hwrng") Signed-off-by:
-
Giovanni Cabiddu authored
Forward requests to another provider if the key length for AES-XTS is 192 bits as this is not supported by the QAT accelerators. This fixes the following issue reported with the option CONFIG_CRYPTO_MANAGER_EXTRA_TESTS: alg: skcipher: qat_aes_xts setkey failed on test vector "random: len=3204 klen=48"; expected_error=0, actual_error=-22, flags=0x1 Signed-off-by:
Giovanni Cabiddu <giovanni.cabiddu@intel.com> Signed-off-by:
-
Giovanni Cabiddu authored
Remove tfm field in qat_alg_skcipher_ctx structure. This is not used. Signed-off-by:
-
Giovanni Cabiddu authored
Validate AES-XTS key using the function xts_verify_key() to prevent malformed keys. Signed-off-by:
-
Giovanni Cabiddu authored
Allow AES-XTS requests that are not multiple of the block size. If a request is smaller than the block size, return -EINVAL. This fixes the following issue reported by the crypto testmgr self-test: alg: skcipher: qat_aes_xts encryption failed on test vector "random: len=116 klen=64"; expected_error=0, actual_error=-22, cfg="random: inplace may_sleep use_finup src_divs=[<reimport>45.85%@+4077, <flush>54.15%@alignmask+18]" Fixes: 96ee111a ("crypto: qat - return error for block...") Signed-off-by:
-
Herbert Xu authored
This patch fixes a bunch of sparse warnings by adding __force tags when casting __iomem poitners to u64. Signed-off-by: -
Herbert Xu authored
This patch fixes an unused variable warning when this driver is built-in with CONFIG_OF=n. Signed-off-by: -
Herbert Xu authored
This patch fixes an unused variable warning when this driver is built-in with CONFIG_OF=n. Signed-off-by: -
Herbert Xu authored
This patch fixes an unused variable warning when this driver is built with CONFIG_OF=n. Signed-off-by: -
Herbert Xu authored
This patch fixes an unused variable warning when this driver is built-in with CONFIG_OF=n. Signed-off-by: -
Herbert Xu authored
This patch fixes an unused variable warning when this driver is built-in with CONFIG_OF=n. While we're at it this patch also expands the compiler coverage when CONFIG_OF is off by removing all the CONFIG_OF ifdefs. Signed-off-by: -
Herbert Xu authored
This patch fixes an unused variable warning when this driver is built-in with CONFIG_OF=n. Reported-by:
-
Herbert Xu authored
The change on the ux500 branch is needed by the regulator API.
-
Lee Jones authored
A recent change to the Regulator consumer API (which this driver utilises) add prototypes for the some suspend functions. These functions require including header file include/linux/suspend.h. The following tree of includes affecting this driver will be present: In file included from include/linux/elevator.h:6, from include/linux/blkdev.h:288, from include/linux/blk-cgroup.h:23, from include/linux/writeback.h:14, from include/linux/memcontrol.h:22, from include/linux/swap.h:9, from include/linux/suspend.h:5, from include/linux/regulator/consumer.h:35, from drivers/crypto/ux500/hash/hash_core.c:28: include/linux/elevator.h pulls in include/linux/hashtable.h which contains its own version of hash_init(). This confuses the build system and results in the following error (amongst others): drivers/crypto/ux500/hash/hash_core.c:1362:19: error: passing argument 1 of '__hash_init' from incompatible pointer type [-Werror=incompatible-pointer-types] 1362 | return hash_init(req); Fix this by namespacing the local hash_init() such that the source of confusion is removed. Cc: Linus Walleij <linus.walleij@linaro.org> Cc: David S. Miller <davem@davemloft.net> Cc: linux-crypto@vger.kernel.org Signed-off-by:Lee Jones <lee.jones@linaro.org> Signed-off-by:
-
- 03 Jul, 2020 9 commits
-
-
Tom Lendacky authored
Add John Allen as a new CCP driver maintainer. Additionally, break out the driver SEV support and create a new maintainer entry, with Brijesh Singh and Tom Lendacky as maintainers. Cc: John Allen <john.allen@amd.com> Cc: Brijesh Singh <brijesh.singh@amd.com> Signed-off-by:
Tom Lendacky <thomas.lendacky@amd.com> Acked-by:
Brijesh Singh <brijesh.singh@amd.com> Signed-off-by:
-
Herbert Xu authored
This patch fixes all the sparse warnings in the octeontx driver. Some of these are just trivial type changes. However, some of the changes are non-trivial on little-endian hosts. Obviously the driver appears to be broken on either LE or BE as it was doing different things. I've taken the BE behaviour as the correct one. Signed-off-by: -
Fenghua Yu authored
PASID is defined as "int" although it's a 20-bit value and shouldn't be negative int. To be consistent with PASID type in iommu, define PASID as "u32". Suggested-by:
Thomas Gleixner <tglx@linutronix.de> Signed-off-by:
Fenghua Yu <fenghua.yu@intel.com> Signed-off-by:
-
Jian Cai authored
Clang's integrated assembler complains "invalid reassignment of non-absolute variable 'var_ddq_add'" while assembling arch/x86/crypto/aes_ctrby8_avx-x86_64.S. It was because var_ddq_add was reassigned with non-absolute values several times, which IAS did not support. We can avoid the reassignment by replacing the uses of var_ddq_add with its definitions accordingly to have compatilibility with IAS. Link: https://github.com/ClangBuiltLinux/linux/issues/1008Reported-by:
Fangrui Song <maskray@google.com> Tested-by: Sedat Dilek <sedat.dilek@gmail.com> # build+boot Linux v5.7.5; clang v11.0.0-git Signed-off-by:
Jian Cai <caij2003@gmail.com> Signed-off-by:
-
John Allen authored
Running the crypto manager self tests with CONFIG_CRYPTO_MANAGER_EXTRA_TESTS may result in several types of errors when using the ccp-crypto driver: alg: skcipher: cbc-des3-ccp encryption failed on test vector 0; expected_error=0, actual_error=-5 ... alg: skcipher: ctr-aes-ccp decryption overran dst buffer on test vector 0 ... alg: ahash: sha224-ccp test failed (wrong result) on test vector ... These errors are the result of improper processing of scatterlists mapped for DMA. Given a scatterlist in which entries are merged as part of mapping the scatterlist for DMA, the DMA length of a merged entry will reflect the combined length of the entries that were merged. The subsequent scatterlist entry will contain DMA information for the scatterlist entry after the last merged entry, but the non-DMA information will be that of the first merged entry. The ccp driver does not take this scatterlist merging into account. To address this, add a second scatterlist pointer to track the current position in the DMA mapped representation of the scatterlist. Both the DMA representation and the original representation of the scatterlist must be tracked as while most of the driver can use just the DMA representation, scatterlist_map_and_copy() must use the original representation and expects the scatterlist pointer to be accurate to the original representation. In order to properly walk the original scatterlist, the scatterlist must be walked until the combined lengths of the entries seen is equal to the DMA length of the current entry being processed in the DMA mapped representation. Fixes: 63b94509 ("crypto: ccp - CCP device driver and interface support") Signed-off-by:
-
Sivaprakash Murugesan authored
Crypto test driver's test_ahash_speed calls crypto_ahash_update and crypto_ahash_final APIs repeatedly for all the available test vector buffer lengths. if we mark the end for scatterlist based on the current vector size then the subsequent vectors might fail if the later buffer lengths are higher. To avoid this, in qce do not mark the end of scatterlist in update API, the qce_ahash_async_req_handle API already takes care of this copying right amount of buffer from the request scatter list. Signed-off-by:
Sivaprakash Murugesan <sivaprak@codeaurora.org> Signed-off-by:
-
Sivaprakash Murugesan authored
crypto testmgr deliberately corrupts the request context while passing vectors to the import. This is to make sure that drivers do not rely on request but they take all the necessary input from io vec passed to it. qce casts the request context from request parameter, since it is corrupted the sub squent hash request fails and qce hangs. To avoid this re-initialize request context on import. The qce import API alreasy takes care of taking the input vectors from passed io vec. Signed-off-by:
-
Sivaprakash Murugesan authored
crypto test module passes zero length vectors as test input to sha-1 and sha-256. To provide correct output for these vectors, hash zero support has been added as in other crypto drivers. Signed-off-by:
-
Dinghao Liu authored
pm_runtime_get_sync() increments the runtime PM usage counter even the call returns an error code. Thus a corresponding decrement is needed on the error handling path to keep the counter balanced. Fix this by adding the missed function call. Signed-off-by:
Dinghao Liu <dinghao.liu@zju.edu.cn> Signed-off-by:
-
- 26 Jun, 2020 1 commit
-
-
Gilad Ben-Yossef authored
Remove yet another unused field left over from times gone by. Signed-off-by:
Gilad Ben-Yossef <gilad@benyossef.com> Signed-off-by:
-
