- 06 Nov, 2020 13 commits
-
-
Nigel Christian authored
Clean up the check for irq. dev_err() is superfluous as platform_get_irq() already prints an error. Check for zero would indicate a bug. Remove curly braces to conform to styling requirements. Signed-off-by:
Nigel Christian <nigel.l.christian@gmail.com> Signed-off-by:
Herbert Xu <herbert@gondor.apana.org.au>
-
Horia Geantă authored
Loading the module deadlocks since: -local cbc(aes) implementation needs a fallback and -crypto API tries to find one but the request_module() resolves back to the same module Fix this by changing the module alias for cbc(aes) and using the NEED_FALLBACK flag when requesting for a fallback algorithm. Fixes: 00b99ad2 ("crypto: arm/aes-neonbs - Use generic cbc encryption path") Signed-off-by:
Horia Geantă <horia.geanta@nxp.com> Signed-off-by:
-
Tom Rix authored
A semicolon is not needed after a switch statement. Signed-off-by:
Tom Rix <trix@redhat.com> Signed-off-by:
Giovanni Cabiddu <giovanni.cabiddu@intel.com> Signed-off-by:
-
Tom Rix authored
A semicolon is not needed after a switch statement. Signed-off-by:
-
Ard Biesheuvel authored
PAC pointer authentication signs the return address against the value of the stack pointer, to prevent stack overrun exploits from corrupting the control flow. However, this requires that the AUTIASP is issued with SP holding the same value as it held when the PAC value was generated. The Poly1305 NEON code got this wrong, resulting in crashes on PAC capable hardware. Fixes: f569ca16 ("crypto: arm64/poly1305 - incorporate OpenSSL/CRYPTOGAMS ...") Signed-off-by:
Ard Biesheuvel <ardb@kernel.org> Signed-off-by:
-
Eric Biggers authored
Commit 3f69cc60 ("crypto: af_alg - Allow arbitrarily long algorithm names") made the kernel start accepting arbitrarily long algorithm names in sockaddr_alg. However, the actual length of the salg_name field stayed at the original 64 bytes. This is broken because the kernel can access indices >= 64 in salg_name, which is undefined behavior -- even though the memory that is accessed is still located within the sockaddr structure. It would only be defined behavior if the array were properly marked as arbitrary-length (either by making it a flexible array, which is the recommended way these days, or by making it an array of length 0 or 1). We can't simply change salg_name into a flexible array, since that would break source compatibility with userspace programs that embed sockaddr_alg into another struct, or (more commonly) declare a sockaddr_alg like 'struct sockaddr_alg sa = { .salg_name = "foo" };'. One solution would be to change salg_name into a flexible array only when '#ifdef __KERNEL__'. However, that would keep userspace without an easy way to actually use the longer algorithm names. Instead, add a new structure 'sockaddr_alg_new' that has the flexible array field, and expose it to both userspace and the kernel. Make the kernel use it correctly in alg_bind(). This addresses the syzbot report "UBSAN: array-index-out-of-bounds in alg_bind" (https://syzkaller.appspot.com/bug?extid=92ead4eb8e26a26d465e). Reported-by: syzbot+92ead4eb8e26a26d465e@syzkaller.appspotmail.com Fixes: 3f69cc60 ("crypto: af_alg - Allow arbitrarily long algorithm names") Cc: <stable@vger.kernel.org> # v4.12+ Signed-off-by:
Eric Biggers <ebiggers@google.com> Signed-off-by:
-
Iuliana Prodan authored
Use the new crypto_engine_alloc_init_and_set() function to initialize crypto-engine and enable retry mechanism. Set the maximum size for crypto-engine software queue based on Job Ring size (JOBR_DEPTH) and a threshold (reserved for the non-crypto-API requests that are not passed through crypto-engine). The callback for do_batch_requests is NULL, since CAAM doesn't support linked requests. Signed-off-by:
Iuliana Prodan <iuliana.prodan@nxp.com> Reviewed-by:
-
Eric Biggers authored
Currently, by default crypto self-test failures only result in a pr_warn() message and an "unknown" status in /proc/crypto. Both of these are easy to miss. There is also an option to panic the kernel when a test fails, but that can't be the default behavior. A crypto self-test failure always indicates a kernel bug, however, and there's already a standard way to report (recoverable) kernel bugs -- the WARN() family of macros. WARNs are noisier and harder to miss, and existing test systems already know to look for them in dmesg or via /proc/sys/kernel/tainted. Therefore, call WARN() when an algorithm fails its self-tests. Signed-off-by:
-
Eric Biggers authored
When alg_test() is called from tcrypt.ko rather than from the algorithm registration code, "driver" is actually the algorithm name, not the driver name. So it shouldn't be used in places where a driver name is wanted, e.g. when reporting a test failure or when checking whether the driver is the generic driver or not. Fix this for the skcipher algorithm tests by getting the driver name from the crypto_skcipher that actually got allocated. Signed-off-by:
-
Eric Biggers authored
When alg_test() is called from tcrypt.ko rather than from the algorithm registration code, "driver" is actually the algorithm name, not the driver name. So it shouldn't be used in places where a driver name is wanted, e.g. when reporting a test failure or when checking whether the driver is the generic driver or not. Fix this for the AEAD algorithm tests by getting the driver name from the crypto_aead that actually got allocated. Signed-off-by:
-
Eric Biggers authored
When alg_test() is called from tcrypt.ko rather than from the algorithm registration code, "driver" is actually the algorithm name, not the driver name. So it shouldn't be used in places where a driver name is wanted, e.g. when reporting a test failure or when checking whether the driver is the generic driver or not. Fix this for the hash algorithm tests by getting the driver name from the crypto_ahash or crypto_shash that actually got allocated. Signed-off-by:
-
Eric Biggers authored
Add crypto_aead_driver_name(), which is analogous to crypto_skcipher_driver_name(). Signed-off-by:
-
Tom Rix authored
A break is not needed if it is preceded by a return Signed-off-by:
Alexandre Belloni <alexandre.belloni@bootlin.com> Signed-off-by:
-
- 30 Oct, 2020 27 commits
-
-
Arvind Sankar authored
Unrolling the LOAD and BLEND loops improves performance by ~8% on x86_64 (tested on Broadwell Xeon) while not increasing code size too much. Signed-off-by:
Arvind Sankar <nivedita@alum.mit.edu> Reviewed-by:
-
Arvind Sankar authored
This reduces code size substantially (on x86_64 with gcc-10 the size of sha256_update() goes from 7593 bytes to 1952 bytes including the new SHA256_K array), and on x86 is slightly faster than the full unroll (tested on Broadwell Xeon). Signed-off-by:
-
Arvind Sankar authored
The temporary W[] array is currently zeroed out once every call to sha256_transform(), i.e. once every 64 bytes of input data. Moving it to sha256_update() instead so that it is cleared only once per update can save about 2-3% of the total time taken to compute the digest, with a reasonable memset() implementation, and considerably more (~20%) with a bad one (eg the x86 purgatory currently uses a memset() coded in C). Signed-off-by:
-
Arvind Sankar authored
The assignments to clear a through h and t1/t2 are optimized out by the compiler because they are unused after the assignments. Clearing individual scalar variables is unlikely to be useful, as they may have been assigned to registers, and even if stack spilling was required, there may be compiler-generated temporaries that are impossible to clear in any case. So drop the clearing of a through h and t1/t2. Signed-off-by:
-
Arvind Sankar authored
Without the barrier_data() inside memzero_explicit(), the compiler may optimize away the state-clearing if it can tell that the state is not used afterwards. Signed-off-by:
-
Arvind Sankar authored
Without the barrier_data() inside memzero_explicit(), the compiler may optimize away the state-clearing if it can tell that the state is not used afterwards. At least in lib/crypto/sha256.c:__sha256_final(), the function can get inlined into sha256(), in which case the memset is optimized away. Signed-off-by:
-
Zhang Qilong authored
pm_runtime_get_sync() will increment pm usage counter even when it returns an error code. We should call put operation in error handling paths of omap_aes_hw_init. Signed-off-by:
Zhang Qilong <zhangqilong3@huawei.com> Signed-off-by:
-
Tianjia Zhang authored
This is an algorithm optimization. The reset operation when setting the public key is repeated and redundant, so remove it. At the same time, `sm2_ecc_os2ec()` is optimized to make the function more simpler and more in line with the Linux code style. Signed-off-by:
Tianjia Zhang <tianjia.zhang@linux.alibaba.com> Signed-off-by:
-
Herbert Xu authored
This patch reduces the stack usage in sa2ul: 1. Move the exported sha state into sa_prepare_iopads so that it can occupy the same space as the k_pad buffer. 2. Use one buffer for ipad/opad in sa_prepare_iopads. 3. Remove ipad/opad buffer from sa_set_sc_auth. 4. Use async skcipher fallback and remove on-stack request from sa_cipher_run. Reported-by:
kernel test robot <lkp@intel.com> Fixes: d2c8ac18 ("crypto: sa2ul - Add AEAD algorithm support") Signed-off-by:
-
Longfang Liu authored
Clean up extra blank lines Signed-off-by:
Longfang Liu <liulongfang@huawei.com> Signed-off-by:
-
Longfang Liu authored
1. Remove unused member‘pending_reqs' in‘sec_qp_ctx' structure. 2. Remove unused member‘status' in‘sec_dev' structure. Signed-off-by:
-
Eric Biggers authored
Commit 1d2c3279 ("crypto: x86/aes - drop scalar assembler implementations") was meant to remove aes_glue.c, but it actually left it as an unused one-line file. Remove this unused file. Cc: Ard Biesheuvel <ardb@kernel.org> Signed-off-by:
-
Giovanni Cabiddu authored
Change type of ae_mask in adf_hw_device_data to allow for devices with more than 16 Acceleration Engines (AEs). Signed-off-by:
Wojciech Ziemba <wojciech.ziemba@intel.com> Reviewed-by:
Fiona Trahe <fiona.trahe@intel.com> Reviewed-by:
Andy Shevchenko <andriy.shevchenko@linux.intel.com> Signed-off-by:
-
Giovanni Cabiddu authored
Allow for crypto instances to be configured with symmetric crypto rings that belong to a bank that is different from the one where asymmetric crypto rings are located. This is to allow for devices with banks made of a single ring pair. In these, crypto instances will be composed of two separate banks. Changed string literals are not exposed to the user space. Signed-off-by:
-
Giovanni Cabiddu authored
Refactor function qat_crypto_dev_config() to propagate errors to the caller. Suggested-by:
-
Giovanni Cabiddu authored
Refactor function qat_crypto_create_instances() to propagate errors to the caller. Suggested-by:
-
Giovanni Cabiddu authored
If a key is not found in the internal key value storage, return -ENODATA instead of -1 that is treated as -EPERM and may confuse. Suggested-by:
-
Giovanni Cabiddu authored
If the parameter type provided to adf_cfg_add_key_value_param() is invalid, return -EINVAL instead of -1 that is treated as -EPERM and may confuse. Suggested-by:
-
Giovanni Cabiddu authored
Remove superfluous casts to void* in function qat_crypto_dev_config(). Suggested-by:
-
Giovanni Cabiddu authored
Call the function configure_iov_threads(), adf_enable_vf2pf_interrupts() and adf_pf2vf_notify_restarting() only if present in the struct adf_hw_device_data of the device. This is to allow for QAT drivers that do not implement those functions. Signed-off-by:
Maksim Lukoshkov <maksim.lukoshkov@intel.com> Reviewed-by:
-
Giovanni Cabiddu authored
Replace hardcoded value of the bank interrupt clear flag mask with a value calculated on the fly which is based on the number of rings present in a bank. This is to support devices that have a number of rings per bank different than 16. Signed-off-by:
-
Giovanni Cabiddu authored
Abstract writes to the service arbiter enable register. This is in preparation for the introduction of the qat_4xxx driver since the arbitration enable register differes between QAT GEN2 and QAT GEN4 devices. Signed-off-by:
-
Giovanni Cabiddu authored
Replace occurrences of the pattern GENMASK_ULL(var - 1, 0)) with BIT_ULL(var) - 1 since it produces better code and it is easier to read. Suggested-by:
-
Giovanni Cabiddu authored
Replace constant 0xFFFFFFFFFFFFFFFFULL with GENMASK_ULL(63, 0) and 0xFFFFFFFF with GENMASK(31, 0) as they are masks. This makes code less error prone. Suggested-by:
-
Giovanni Cabiddu authored
Abstract the implementation of BUILD_RING_BASE_ADDR. This is in preparation for the introduction of the qat_4xxx driver since the value of the ring base differs between QAT GEN2 and QAT GEN4 devices. Signed-off-by:
-
Giovanni Cabiddu authored
Enable arbitration on the TX ring only after the RX ring is programmed. Before this change, arbitration was enabled on the TX ring before the RX ring was programmed allowing the HW to process a request before having the ring pair configured. With this change, the arbitration logic is programmed only if the TX half of the ring mask matches the RX half. This change does not affect QAT GEN2 devices (c62x, c3xxx and dh895xcc), but it is a must for QAT GEN4 devices since the CSRs of the ring pair are locked after arbitration is enabled on the TX ring. Signed-off-by:
-
Giovanni Cabiddu authored
Introduce the function adf_hw_dev_has_crypto() that returns true if a device supports symmetric crypto, asymmetric crypto and authentication services. If a device has crypto capabilities, add crypto instances to the configuration. This is done since the function that allows to retrieve crypto instances, qat_crypto_get_instance_node(), return instances that support all crypto services. Signed-off-by:
-
