openwrt/staging/blogic.git
6 years agocrypto: arm64/sha2-ce - move the round constant table to .rodata section
Ard Biesheuvel [Wed, 10 Jan 2018 12:11:41 +0000 (12:11 +0000)]
crypto: arm64/sha2-ce - move the round constant table to .rodata section

Move the SHA2 round constant table to the .rodata section where it is
safe from being exploited by speculative execution.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: arm64/crct10dif - move literal data to .rodata section
Ard Biesheuvel [Wed, 10 Jan 2018 12:11:40 +0000 (12:11 +0000)]
crypto: arm64/crct10dif - move literal data to .rodata section

Move the CRC-T10DIF literal data to the .rodata section where it is
safe from being exploited by speculative execution.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: arm64/crc32 - move literal data to .rodata section
Ard Biesheuvel [Wed, 10 Jan 2018 12:11:39 +0000 (12:11 +0000)]
crypto: arm64/crc32 - move literal data to .rodata section

Move CRC32 literal data to the .rodata section where it is safe from
being exploited by speculative execution.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: arm64/aes-neon - move literal data to .rodata section
Ard Biesheuvel [Wed, 10 Jan 2018 12:11:38 +0000 (12:11 +0000)]
crypto: arm64/aes-neon - move literal data to .rodata section

Move the S-boxes and some other literals to the .rodata section where
it is safe from being exploited by speculative execution.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: arm64/aes-cipher - move S-box to .rodata section
Ard Biesheuvel [Wed, 10 Jan 2018 12:11:37 +0000 (12:11 +0000)]
crypto: arm64/aes-cipher - move S-box to .rodata section

Move the AES inverse S-box to the .rodata section where it is safe from
abuse by speculation.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agohwrng: imx-rngc - simplify the power management definitions
Martin Kaiser [Thu, 11 Jan 2018 21:06:39 +0000 (22:06 +0100)]
hwrng: imx-rngc - simplify the power management definitions

Use the SIMPLE_DEV_PM_OPS() macro instead of populating a struct
dev_pm_ops directly. The suspend and resume functions will now be used
for both hibernation and suspend to ram.

If power management is disabled, SIMPLE_DEV_PM_OPS() evaluates to
nothing, The two functions won't be used and won't be included in the
kernel. Mark them as __maybe_unused to clarify that this is intended
behaviour.

With these modifications in place, we don't need the #ifdefs for power
management any more.

Signed-off-by: Martin Kaiser <martin@kaiser.cx>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: chelsio - Remove dst sg size zero check
Harsh Jain [Thu, 11 Jan 2018 11:15:52 +0000 (16:45 +0530)]
crypto: chelsio - Remove dst sg size zero check

sg_nents_xlen will take care of zero length sg list.
Remove Destination sg list size zero check.

Signed-off-by: Harsh Jain <harsh@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: chelsio - Add authenc versions of ctr and sha
Harsh Jain [Thu, 11 Jan 2018 11:15:51 +0000 (16:45 +0530)]
crypto: chelsio - Add authenc versions of ctr and sha

Add ctr and sha combination of algo in authenc mode.

Signed-off-by: Harsh Jain <harsh@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: chelsio - Fix IV updated in XTS operation
Harsh Jain [Thu, 11 Jan 2018 11:15:50 +0000 (16:45 +0530)]
crypto: chelsio - Fix IV updated in XTS operation

Skip decrypt operation on IV received from HW for last request.

Signed-off-by: Harsh Jain <harsh@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: chelsio - check for sg null
Harsh Jain [Thu, 11 Jan 2018 11:15:49 +0000 (16:45 +0530)]
crypto: chelsio - check for sg null

Add warning message if sg is NULL after skipping bytes.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Harsh Jain <harsh@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: chelsio - Fix Indentation
Harsh Jain [Thu, 11 Jan 2018 11:15:48 +0000 (16:45 +0530)]
crypto: chelsio - Fix Indentation

Fix inconsistent Indenting.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Harsh Jain <harsh@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: marvell/cesa - Fix DMA API misuse
Robin Murphy [Wed, 10 Jan 2018 15:15:43 +0000 (15:15 +0000)]
crypto: marvell/cesa - Fix DMA API misuse

phys_to_dma() is an internal helper for certain DMA API implementations,
and is not appropriate for drivers to use. It appears that what the CESA
driver really wants to be using is dma_map_resource() - admittedly that
didn't exist when the offending code was first merged, but it does now.

Signed-off-by: Robin Murphy <robin.murphy@arm.com>
Acked-by: Boris Brezillon <boris.brezillon@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agohwrng: exynos - remove redundant dev_err call in exynos_trng_probe()
weiyongjun \(A\) [Wed, 10 Jan 2018 13:30:59 +0000 (13:30 +0000)]
hwrng: exynos - remove redundant dev_err call in exynos_trng_probe()

There is a error message within devm_ioremap_resource
already, so remove the dev_err call to avoid redundant
error message.

Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Acked-by: Łukasz Stelmach <l.stelmach@samsung.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agohwrng: exynos - Signedness bug in exynos_trng_do_read()
Dan Carpenter [Wed, 10 Jan 2018 09:36:58 +0000 (12:36 +0300)]
hwrng: exynos - Signedness bug in exynos_trng_do_read()

"val" needs to be signed for the error handling to work.

Fixes: 6cd225cc5d8a ("hwrng: exynos - add Samsung Exynos True RNG driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Acked-by: Łukasz Stelmach <l.stelmach@samsung.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agohwrng: mediatek - Setup default RNG quality
Sean Wang [Wed, 10 Jan 2018 04:02:46 +0000 (12:02 +0800)]
hwrng: mediatek - Setup default RNG quality

When hw_random device's quality is non-zero, it will automatically fill
the kernel's entropy pool at boot.  For the purpose, one conservative
quality value is being picked up as the default value.

Signed-off-by: Sean Wang <sean.wang@mediatek.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: arm64 - implement SHA-512 using special instructions
Ard Biesheuvel [Tue, 9 Jan 2018 18:23:02 +0000 (18:23 +0000)]
crypto: arm64 - implement SHA-512 using special instructions

Implement the SHA-512 using the new special instructions that have
been introduced as an optional extension in ARMv8.2.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Steve Capper <steve.capper@arm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: s5p-sss - Add SPDX license identifier
Krzysztof Kozlowski [Tue, 9 Jan 2018 17:57:36 +0000 (18:57 +0100)]
crypto: s5p-sss - Add SPDX license identifier

Replace GPL license statement with SPDX GPL-2.0 license identifier.

Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: exynos-rng - Add SPDX license identifier and correct module license
Krzysztof Kozlowski [Tue, 9 Jan 2018 17:57:35 +0000 (18:57 +0100)]
crypto: exynos-rng - Add SPDX license identifier and correct module license

Replace GPL license statement with SPDX GPL-2.0 license identifier and
correct the module license to GPLv2.

The license itself was a generic GPL because of copy-and-paste from old
drivers/char/hw_random/exynos-rng.c driver (on which this was based on).
However the module license indicated GPL-2.0 or later.  GPL-2.0 was
intended by author so fix up this mess.

Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agoDocumentation/bindings: crypto: document the SafeXcel EIP97 compatible
Antoine Tenart [Thu, 14 Dec 2017 14:26:59 +0000 (15:26 +0100)]
Documentation/bindings: crypto: document the SafeXcel EIP97 compatible

This patch adds the SafeXcel EIP97 compatible to the Inside Secure
device tree bindings documentation.

Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: doc - clear htmldocs build warnings for crypto/hash
tcharding [Sat, 6 Jan 2018 23:01:43 +0000 (10:01 +1100)]
crypto: doc - clear htmldocs build warnings for crypto/hash

SPHINX build emits multiple warnings of kind:

warning: duplicate section name 'Note'

(when building kernel via make target 'htmldocs')

This is caused by repeated use of comments of form:

* Note: soau soaeusoa uoe

We can change the format without loss of clarity and clear the build
warnings.

Add '**[mandatory]**' or '**[optional]**' as kernel-doc field element
description prefix

This renders in HTML as (prefixes in bold)

final
    [mandatory] Retrieve result from the driver. This function finalizes the
    transformation and retrieves the resulting hash from the driver and
    pushes it back to upper layers. No data processing happens at this
    point unless hardware requires it to finish the transformation (then
    the data buffered by the device driver is processed).

Signed-off-by: Tobin C. Harding <me@tobin.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: x86/salsa20 - cleanup and convert to skcipher API
Eric Biggers [Fri, 5 Jan 2018 19:09:59 +0000 (11:09 -0800)]
crypto: x86/salsa20 - cleanup and convert to skcipher API

Convert salsa20-asm from the deprecated "blkcipher" API to the
"skcipher" API, in the process fixing it up to use the generic helpers.
This allows removing the salsa20_keysetup() and salsa20_ivsetup()
assembly functions, which aren't performance critical; the C versions do
just fine.

This also fixes the same bug that salsa20-generic had, where the state
array was being maintained directly in the transform context rather than
on the stack or in the request context.  Thus, if multiple threads used
the same Salsa20 transform concurrently they produced the wrong results.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: salsa20 - export generic helpers
Eric Biggers [Fri, 5 Jan 2018 19:09:58 +0000 (11:09 -0800)]
crypto: salsa20 - export generic helpers

Export the Salsa20 constants, transform context, and initialization
functions so that they can be reused by the x86 implementation.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: salsa20-generic - cleanup and convert to skcipher API
Eric Biggers [Fri, 5 Jan 2018 19:09:57 +0000 (11:09 -0800)]
crypto: salsa20-generic - cleanup and convert to skcipher API

Convert salsa20-generic from the deprecated "blkcipher" API to the
"skcipher" API, in the process fixing it up to be thread-safe (as the
crypto API expects) by maintaining each request's state separately from
the transform context.

Also remove the unnecessary cra_alignmask and tighten validation of the
key size by accepting only 16 or 32 bytes, not anything in between.

These changes bring the code close to the way chacha20-generic does
things, so hopefully it will be easier to maintain in the future.

However, the way Salsa20 interprets the IV is still slightly different;
that was not changed.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: aes-generic - build with -Os on gcc-7+
Arnd Bergmann [Wed, 3 Jan 2018 22:39:27 +0000 (23:39 +0100)]
crypto: aes-generic - build with -Os on gcc-7+

While testing other changes, I discovered that gcc-7.2.1 produces badly
optimized code for aes_encrypt/aes_decrypt. This is especially true when
CONFIG_UBSAN_SANITIZE_ALL is enabled, where it leads to extremely
large stack usage that in turn might cause kernel stack overflows:

crypto/aes_generic.c: In function 'aes_encrypt':
crypto/aes_generic.c:1371:1: warning: the frame size of 4880 bytes is larger than 2048 bytes [-Wframe-larger-than=]
crypto/aes_generic.c: In function 'aes_decrypt':
crypto/aes_generic.c:1441:1: warning: the frame size of 4864 bytes is larger than 2048 bytes [-Wframe-larger-than=]

I verified that this problem exists on all architectures that are
supported by gcc-7.2, though arm64 in particular is less affected than
the others. I also found that gcc-7.1 and gcc-8 do not show the extreme
stack usage but still produce worse code than earlier versions for this
file, apparently because of optimization passes that generally provide
a substantial improvement in object code quality but understandably fail
to find any shortcuts in the AES algorithm.

Possible workarounds include

a) disabling -ftree-pre and -ftree-sra optimizations, this was an earlier
   patch I tried, which reliably fixed the stack usage, but caused a
   serious performance regression in some versions, as later testing
   found.

b) disabling UBSAN on this file or all ciphers, as suggested by Ard
   Biesheuvel. This would lead to massively better crypto performance in
   UBSAN-enabled kernels and avoid the stack usage, but there is a concern
   over whether we should exclude arbitrary files from UBSAN at all.

c) Forcing the optimization level in a different way. Similar to a),
   but rather than deselecting specific optimization stages,
   this now uses "gcc -Os" for this file, regardless of the
   CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE/SIZE option. This is a reliable
   workaround for the stack consumption on all architecture, and I've
   retested the performance results now on x86, cycles/byte (lower is
   better) for cbc(aes-generic) with 256 bit keys:

-O2     -Os
gcc-6.3.1 14.9 15.1
gcc-7.0.1 14.7 15.3
gcc-7.1.1 15.3 14.7
gcc-7.2.1 16.8 15.9
gcc-8.0.0 15.5 15.6

This implements the option c) by enabling forcing -Os on all compiler
versions starting with gcc-7.1. As a workaround for PR83356, it would
only be needed for gcc-7.2+ with UBSAN enabled, but since it also shows
better performance on gcc-7.1 without UBSAN, it seems appropriate to
use the faster version here as well.

Side note: during testing, I also played with the AES code in libressl,
which had a similar performance regression from gcc-6 to gcc-7.2,
but was three times slower overall. It might be interesting to
investigate that further and possibly port the Linux implementation
into that.

Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83356
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83651
Cc: Richard Biener <rguenther@suse.de>
Cc: Jakub Jelinek <jakub@gcc.gnu.org>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: aead - prevent using AEADs without setting key
Eric Biggers [Wed, 3 Jan 2018 19:16:30 +0000 (11:16 -0800)]
crypto: aead - prevent using AEADs without setting key

Similar to what was done for the hash API, update the AEAD API to track
whether each transform has been keyed, and reject encryption/decryption
if a key is needed but one hasn't been set.

This isn't quite as important as the equivalent fix for the hash API
because AEADs always require a key, so are unlikely to be used without
one.  Still, tracking the key will prevent accidental unkeyed use.
algif_aead also had to track the key anyway, so the new flag replaces
that and slightly simplifies the algif_aead implementation.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: skcipher - prevent using skciphers without setting key
Eric Biggers [Wed, 3 Jan 2018 19:16:29 +0000 (11:16 -0800)]
crypto: skcipher - prevent using skciphers without setting key

Similar to what was done for the hash API, update the skcipher API to
track whether each transform has been keyed, and reject
encryption/decryption if a key is needed but one hasn't been set.

This isn't as important as the equivalent fix for the hash API because
symmetric ciphers almost always require a key (the "null cipher" is the
only exception), so are unlikely to be used without one.  Still,
tracking the key will prevent accidental unkeyed use.  algif_skcipher
also had to track the key anyway, so the new flag replaces that and
simplifies the algif_skcipher implementation.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: ghash - remove checks for key being set
Eric Biggers [Wed, 3 Jan 2018 19:16:28 +0000 (11:16 -0800)]
crypto: ghash - remove checks for key being set

Now that the crypto API prevents a keyed hash from being used without
setting the key, there's no need for GHASH to do this check itself.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: hash - prevent using keyed hashes without setting key
Eric Biggers [Wed, 3 Jan 2018 19:16:27 +0000 (11:16 -0800)]
crypto: hash - prevent using keyed hashes without setting key

Currently, almost none of the keyed hash algorithms check whether a key
has been set before proceeding.  Some algorithms are okay with this and
will effectively just use a key of all 0's or some other bogus default.
However, others will severely break, as demonstrated using
"hmac(sha3-512-generic)", the unkeyed use of which causes a kernel crash
via a (potentially exploitable) stack buffer overflow.

A while ago, this problem was solved for AF_ALG by pairing each hash
transform with a 'has_key' bool.  However, there are still other places
in the kernel where userspace can specify an arbitrary hash algorithm by
name, and the kernel uses it as unkeyed hash without checking whether it
is really unkeyed.  Examples of this include:

    - KEYCTL_DH_COMPUTE, via the KDF extension
    - dm-verity
    - dm-crypt, via the ESSIV support
    - dm-integrity, via the "internal hash" mode with no key given
    - drbd (Distributed Replicated Block Device)

This bug is especially bad for KEYCTL_DH_COMPUTE as that requires no
privileges to call.

Fix the bug for all users by adding a flag CRYPTO_TFM_NEED_KEY to the
->crt_flags of each hash transform that indicates whether the transform
still needs to be keyed or not.  Then, make the hash init, import, and
digest functions return -ENOKEY if the key is still needed.

The new flag also replaces the 'has_key' bool which algif_hash was
previously using, thereby simplifying the algif_hash implementation.

Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: hash - annotate algorithms taking optional key
Eric Biggers [Wed, 3 Jan 2018 19:16:26 +0000 (11:16 -0800)]
crypto: hash - annotate algorithms taking optional key

We need to consistently enforce that keyed hashes cannot be used without
setting the key.  To do this we need a reliable way to determine whether
a given hash algorithm is keyed or not.  AF_ALG currently does this by
checking for the presence of a ->setkey() method.  However, this is
actually slightly broken because the CRC-32 algorithms implement
->setkey() but can also be used without a key.  (The CRC-32 "key" is not
actually a cryptographic key but rather represents the initial state.
If not overridden, then a default initial state is used.)

Prepare to fix this by introducing a flag CRYPTO_ALG_OPTIONAL_KEY which
indicates that the algorithm has a ->setkey() method, but it is not
required to be called.  Then set it on all the CRC-32 algorithms.

The same also applies to the Adler-32 implementation in Lustre.

Also, the cryptd and mcryptd templates have to pass through the flag
from their underlying algorithm.

Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: poly1305 - remove ->setkey() method
Eric Biggers [Wed, 3 Jan 2018 19:16:25 +0000 (11:16 -0800)]
crypto: poly1305 - remove ->setkey() method

Since Poly1305 requires a nonce per invocation, the Linux kernel
implementations of Poly1305 don't use the crypto API's keying mechanism
and instead expect the key and nonce as the first 32 bytes of the data.
But ->setkey() is still defined as a stub returning an error code.  This
prevents Poly1305 from being used through AF_ALG and will also break it
completely once we start enforcing that all crypto API users (not just
AF_ALG) call ->setkey() if present.

Fix it by removing crypto_poly1305_setkey(), leaving ->setkey as NULL.

Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: mcryptd - pass through absence of ->setkey()
Eric Biggers [Wed, 3 Jan 2018 19:16:24 +0000 (11:16 -0800)]
crypto: mcryptd - pass through absence of ->setkey()

When the mcryptd template is used to wrap an unkeyed hash algorithm,
don't install a ->setkey() method to the mcryptd instance.  This change
is necessary for mcryptd to keep working with unkeyed hash algorithms
once we start enforcing that ->setkey() is called when present.

Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: cryptd - pass through absence of ->setkey()
Eric Biggers [Wed, 3 Jan 2018 19:16:23 +0000 (11:16 -0800)]
crypto: cryptd - pass through absence of ->setkey()

When the cryptd template is used to wrap an unkeyed hash algorithm,
don't install a ->setkey() method to the cryptd instance.  This change
is necessary for cryptd to keep working with unkeyed hash algorithms
once we start enforcing that ->setkey() is called when present.

Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: hash - introduce crypto_hash_alg_has_setkey()
Eric Biggers [Wed, 3 Jan 2018 19:16:22 +0000 (11:16 -0800)]
crypto: hash - introduce crypto_hash_alg_has_setkey()

Templates that use an shash spawn can use crypto_shash_alg_has_setkey()
to determine whether the underlying algorithm requires a key or not.
But there was no corresponding function for ahash spawns.  Add it.

Note that the new function actually has to support both shash and ahash
algorithms, since the ahash API can be used with either.

Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: tcrypt - free xoutbuf instead of axbuf
Colin Ian King [Tue, 2 Jan 2018 15:43:04 +0000 (15:43 +0000)]
crypto: tcrypt - free xoutbuf instead of axbuf

There seems to be a cut-n-paste bug with the name of the buffer being
free'd, xoutbuf should be used instead of axbuf.

Detected by CoverityScan, CID#1463420 ("Copy-paste error")

Fixes: 427988d981c4 ("crypto: tcrypt - add multibuf aead speed test")
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: tcrypt - fix spelling mistake: "bufufer"-> "buffer"
Colin Ian King [Tue, 2 Jan 2018 09:21:06 +0000 (09:21 +0000)]
crypto: tcrypt - fix spelling mistake: "bufufer"-> "buffer"

Trivial fix to spelling mistakes in pr_err error message text.

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: af_alg - whitelist mask and type
Stephan Mueller [Tue, 2 Jan 2018 07:55:25 +0000 (08:55 +0100)]
crypto: af_alg - whitelist mask and type

The user space interface allows specifying the type and mask field used
to allocate the cipher. Only a subset of the possible flags are intended
for user space. Therefore, white-list the allowed flags.

In case the user space caller uses at least one non-allowed flag, EINVAL
is returned.

Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: testmgr - change `guard` to unsigned char
Joey Pabalinas [Mon, 1 Jan 2018 20:40:14 +0000 (10:40 -1000)]
crypto: testmgr - change `guard` to unsigned char

When char is signed, storing the values 0xba (186) and 0xad (173) in the
`guard` array produces signed overflow. Change the type of `guard` to
static unsigned char to correct undefined behavior and reduce function
stack usage.

Signed-off-by: Joey Pabalinas <joeypabalinas@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: chacha20 - use rol32() macro from bitops.h
Eric Biggers [Mon, 1 Jan 2018 00:02:45 +0000 (18:02 -0600)]
crypto: chacha20 - use rol32() macro from bitops.h

For chacha20_block(), use the existing 32-bit left-rotate function
instead of defining one ourselves.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: Use zeroing memory allocator instead of allocator/memset
Himanshu Jha [Sun, 31 Dec 2017 12:24:23 +0000 (17:54 +0530)]
crypto: Use zeroing memory allocator instead of allocator/memset

Use dma_zalloc_coherent for allocating zeroed
memory and remove unnecessary memset function.

Done using Coccinelle.
Generated-by: scripts/coccinelle/api/alloc/kzalloc-simple.cocci
0-day tested with no failures.

Signed-off-by: Himanshu Jha <himanshujha199640@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: x86/poly1305 - remove cra_alignmask
Eric Biggers [Fri, 29 Dec 2017 16:10:26 +0000 (10:10 -0600)]
crypto: x86/poly1305 - remove cra_alignmask

crypto_poly1305_final() no longer requires a cra_alignmask, and nothing
else in the x86 poly1305-simd implementation does either.  So remove the
cra_alignmask so that the crypto API does not have to unnecessarily
align the buffers.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: poly1305 - remove cra_alignmask
Eric Biggers [Fri, 29 Dec 2017 16:10:25 +0000 (10:10 -0600)]
crypto: poly1305 - remove cra_alignmask

Now that nothing in poly1305-generic assumes any special alignment,
remove the cra_alignmask so that the crypto API does not have to
unnecessarily align the buffers.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: poly1305 - use unaligned access macros to output digest
Eric Biggers [Fri, 29 Dec 2017 16:10:24 +0000 (10:10 -0600)]
crypto: poly1305 - use unaligned access macros to output digest

Currently the only part of poly1305-generic which is assuming special
alignment is the part where the final digest is written.  Switch this
over to the unaligned access macros so that we'll be able to remove the
cra_alignmask.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: algapi - remove unused notifications
Eric Biggers [Fri, 29 Dec 2017 16:06:46 +0000 (10:06 -0600)]
crypto: algapi - remove unused notifications

There is a message posted to the crypto notifier chain when an algorithm
is unregistered, and when a template is registered or unregistered.  But
nothing is listening for those messages; currently there are only
listeners for the algorithm request and registration messages.

Get rid of these unused notifications for now.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: algapi - convert cra_refcnt to refcount_t
Eric Biggers [Fri, 29 Dec 2017 16:00:46 +0000 (10:00 -0600)]
crypto: algapi - convert cra_refcnt to refcount_t

Reference counters should use refcount_t rather than atomic_t, since the
refcount_t implementation can prevent overflows, reducing the
exploitability of reference leak bugs.  crypto_alg.cra_refcount is a
reference counter with the usual semantics, so switch it over to
refcount_t.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - fix hash when length is a multiple of a block
Antoine Ténart [Tue, 26 Dec 2017 16:21:17 +0000 (17:21 +0100)]
crypto: inside-secure - fix hash when length is a multiple of a block

This patch fixes the hash support in the SafeXcel driver when the update
size is a multiple of a block size, and when a final call is made just
after with a size of 0. In such cases the driver should cache the last
block from the update to avoid handling 0 length data on the final call
(that's a hardware limitation).

Cc: stable@vger.kernel.org
Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver")
Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - avoid unmapping DMA memory that was not mapped
Antoine Ténart [Tue, 26 Dec 2017 16:21:16 +0000 (17:21 +0100)]
crypto: inside-secure - avoid unmapping DMA memory that was not mapped

This patch adds a parameter in the SafeXcel ahash request structure to
keep track of the number of SG entries mapped. This allows not to call
dma_unmap_sg() when dma_map_sg() wasn't called in the first place. This
also removes a warning when the debugging of the DMA-API is enabled in
the kernel configuration: "DMA-API: device driver tries to free DMA
memory it has not allocated".

Cc: stable@vger.kernel.org
Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver")
Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: crypto4xx - perform aead icv check in the driver
Christian Lamparter [Sat, 23 Dec 2017 18:45:46 +0000 (19:45 +0100)]
crypto: crypto4xx - perform aead icv check in the driver

The ccm-aes-ppc4xx now fails one of testmgr's expected
failure test cases as such:

|decryption failed on test 10 for ccm-aes-ppc4xx:
|ret was 0, |expected -EBADMSG

It doesn't look like the hardware sets the authentication failure
flag. The original vendor source from which this was ported does
not have any special code or notes about why this would happen or
if there are any WAs.

Hence, this patch converts the aead_done callback handler to
perform the icv check in the driver. And this fixes the false
negative and the ccm-aes-ppc4xx passes the selftests once again.

|name         : ccm(aes)
|driver       : ccm-aes-ppc4xx
|module       : crypto4xx
|priority     : 300
|refcnt       : 1
|selftest     : passed
|internal     : no
|type         : aead
|async        : yes
|blocksize    : 1
|ivsize       : 16
|maxauthsize  : 16
|geniv        : <none>

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: crypto4xx - kill MODULE_NAME
Christian Lamparter [Fri, 22 Dec 2017 20:18:38 +0000 (21:18 +0100)]
crypto: crypto4xx - kill MODULE_NAME

KBUILD_MODNAME provides the same value.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: crypto4xx - fix missing irq devname
Christian Lamparter [Fri, 22 Dec 2017 20:18:37 +0000 (21:18 +0100)]
crypto: crypto4xx - fix missing irq devname

crypto4xx_device's name variable is not set to anything.
The common devname for request_irq seems to be the module
name. This will fix the seemingly anonymous interrupt
entry in /proc/interrupts for crypto4xx.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: crypto4xx - support Revision B parts
Christian Lamparter [Fri, 22 Dec 2017 20:18:36 +0000 (21:18 +0100)]
crypto: crypto4xx - support Revision B parts

This patch adds support for the crypto4xx RevB cores
found in the 460EX, 460SX and later cores (like the APM821xx).

Without this patch, the crypto4xx driver will not be
able to process any offloaded requests and simply hang
indefinitely.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: crypto4xx - shuffle iomap in front of request_irq
Christian Lamparter [Fri, 22 Dec 2017 20:18:35 +0000 (21:18 +0100)]
crypto: crypto4xx - shuffle iomap in front of request_irq

It is possible to avoid the ce_base null pointer check in the
drivers' interrupt handler routine "crypto4xx_ce_interrupt_handler()"
by simply doing the iomap in front of the IRQ registration.

This way, the ce_base will always be valid in the handler and
a branch in an critical path can be avoided.

Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agohwrng: exynos - add Samsung Exynos True RNG driver
Łukasz Stelmach [Fri, 22 Dec 2017 16:48:35 +0000 (17:48 +0100)]
hwrng: exynos - add Samsung Exynos True RNG driver

Add support for True Random Number Generator found in Samsung Exynos
5250+ SoCs.

Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Acked-by: Philippe Ombredanne <pombredanne@nexb.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agopadata: add SPDX identifier
Cheah Kok Cheong [Thu, 21 Dec 2017 11:35:30 +0000 (19:35 +0800)]
padata: add SPDX identifier

Add SPDX license identifier according to the type of license text found
in the file.

Cc: Philippe Ombredanne <pombredanne@nexb.com>
Signed-off-by: Cheah Kok Cheong <thrust73@gmail.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: aesni - Fix out-of-bounds access of the AAD buffer in generic-gcm-aesni
Junaid Shahid [Thu, 21 Dec 2017 01:08:38 +0000 (17:08 -0800)]
crypto: aesni - Fix out-of-bounds access of the AAD buffer in generic-gcm-aesni

The aesni_gcm_enc/dec functions can access memory after the end of
the AAD buffer if the AAD length is not a multiple of 4 bytes.
It didn't matter with rfc4106-gcm-aesni as in that case the AAD was
always followed by the 8 byte IV, but that is no longer the case with
generic-gcm-aesni. This can potentially result in accessing a page that
is not mapped and thus causing the machine to crash. This patch fixes
that by reading the last <16 byte block of the AAD byte-by-byte and
optionally via an 8-byte load if the block was at least 8 bytes.

Fixes: 0487ccac ("crypto: aesni - make non-AVX AES-GCM work with any aadlen")
Cc: <stable@vger.kernel.org>
Signed-off-by: Junaid Shahid <junaids@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: aesni - Fix out-of-bounds access of the data buffer in generic-gcm-aesni
Junaid Shahid [Thu, 21 Dec 2017 01:08:37 +0000 (17:08 -0800)]
crypto: aesni - Fix out-of-bounds access of the data buffer in generic-gcm-aesni

The aesni_gcm_enc/dec functions can access memory before the start of
the data buffer if the length of the data buffer is less than 16 bytes.
This is because they perform the read via a single 16-byte load. This
can potentially result in accessing a page that is not mapped and thus
causing the machine to crash. This patch fixes that by reading the
partial block byte-by-byte and optionally an via 8-byte load if the block
was at least 8 bytes.

Fixes: 0487ccac ("crypto: aesni - make non-AVX AES-GCM work with any aadlen")
Cc: <stable@vger.kernel.org>
Signed-off-by: Junaid Shahid <junaids@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: stm32 - Use standard CONFIG name
Corentin Labbe [Wed, 20 Dec 2017 18:19:32 +0000 (18:19 +0000)]
crypto: stm32 - Use standard CONFIG name

All hardware crypto devices have their CONFIG names using the following
convention:
CRYPTO_DEV_name_algo

This patch apply this conventions on STM32 CONFIG names.

Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Reviewed-by: Fabien Dessenne <fabien.dessenne@st.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: scomp - delete unused comments
Zhou Wang [Wed, 20 Dec 2017 08:03:12 +0000 (16:03 +0800)]
crypto: scomp - delete unused comments

There are no init and exit callbacks, so delete its comments.

Signed-off-by: Zhou Wang <wangzhou1@hisilicon.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: caam - add Derived Key Protocol (DKP) support
Horia Geantă [Tue, 19 Dec 2017 10:16:07 +0000 (12:16 +0200)]
crypto: caam - add Derived Key Protocol (DKP) support

Offload split key generation in CAAM engine, using DKP.
DKP is supported starting with Era 6.

Note that the way assoclen is transmitted from the job descriptor
to the shared descriptor changes - DPOVRD register is used instead
of MATH3 (where available), since DKP protocol thrashes the MATH
registers.

The replacement of MDHA split key generation with DKP has the side
effect of the crypto engine writing the authentication key, and thus
the DMA mapping direction for the buffer holding the key has to change
from DMA_TO_DEVICE to DMA_BIDIRECTIONAL.
There are two cases:
-key is inlined in descriptor - descriptor buffer mapping changes
-key is referenced - key buffer mapping changes

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: caam - save Era in driver's private data
Horia Geantă [Tue, 19 Dec 2017 10:16:06 +0000 (12:16 +0200)]
crypto: caam - save Era in driver's private data

Save Era in driver's private data for further usage,
like deciding whether an erratum applies or a feature is available
based on its value.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: caam - remove needless ablkcipher key copy
Horia Geantă [Tue, 19 Dec 2017 10:16:05 +0000 (12:16 +0200)]
crypto: caam - remove needless ablkcipher key copy

ablkcipher shared descriptors are relatively small, thus there is enough
space for the key to be inlined.
Accordingly, there is no need to copy the key in ctx->key.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: caam - constify key data
Horia Geantă [Tue, 19 Dec 2017 10:16:04 +0000 (12:16 +0200)]
crypto: caam - constify key data

Key data is not modified, it is copied in the shared descriptor.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: x86/twofish-3way - Fix %rbp usage
Eric Biggers [Tue, 19 Dec 2017 00:40:26 +0000 (16:40 -0800)]
crypto: x86/twofish-3way - Fix %rbp usage

Using %rbp as a temporary register breaks frame pointer convention and
breaks stack traces when unwinding from an interrupt in the crypto code.

In twofish-3way, we can't simply replace %rbp with another register
because there are none available.  Instead, we use the stack to hold the
values that %rbp, %r11, and %r12 were holding previously.  Each of these
values represents the half of the output from the previous Feistel round
that is being passed on unchanged to the following round.  They are only
used once per round, when they are exchanged with %rax, %rbx, and %rcx.

As a result, we free up 3 registers (one per block) and can reassign
them so that %rbp is not used, and additionally %r14 and %r15 are not
used so they do not need to be saved/restored.

There may be a small overhead caused by replacing 'xchg REG, REG' with
the needed sequence 'mov MEM, REG; mov REG, MEM; mov REG, REG' once per
round.  But, counterintuitively, when I tested "ctr-twofish-3way" on a
Haswell processor, the new version was actually about 2% faster.
(Perhaps 'xchg' is not as well optimized as plain moves.)

Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: tcrypt - add multibuf aead speed test
Gilad Ben-Yossef [Sun, 17 Dec 2017 08:29:05 +0000 (08:29 +0000)]
crypto: tcrypt - add multibuf aead speed test

The performance of some aead tfm providers is affected by
the amount of parallelism possible with the processing.

Introduce an async aead concurrent multiple buffer
processing speed test to be able to test performance of such
tfm providers.

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: tcrypt - add multibuf skcipher speed test
Gilad Ben-Yossef [Sun, 17 Dec 2017 08:29:04 +0000 (08:29 +0000)]
crypto: tcrypt - add multibuf skcipher speed test

The performance of some skcipher tfm providers is affected by
the amount of parallelism possible with the processing.

Introduce an async skcipher concurrent multiple buffer
processing speed test to be able to test performance of such
tfm providers.

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: tcrypt - add multi buf ahash jiffies test
Gilad Ben-Yossef [Sun, 17 Dec 2017 08:29:03 +0000 (08:29 +0000)]
crypto: tcrypt - add multi buf ahash jiffies test

The multi buffer concurrent requests ahash speed test only
supported the cycles mode. Add support for the so called
jiffies mode that test performance of bytes/sec.

We only add support for digest mode at the moment.

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: tcrypt - allow setting num of bufs
Gilad Ben-Yossef [Sun, 17 Dec 2017 08:29:02 +0000 (08:29 +0000)]
crypto: tcrypt - allow setting num of bufs

For multiple buffers speed tests, the number of buffers, or
requests, used actually sets the level of parallelism a tfm
provider may utilize to hide latency. The existing number
(of 8) is good for some software based providers but not
enough for many HW providers with deep FIFOs.

Add a module parameter that allows setting the number of
multiple buffers/requests used, leaving the default at 8.

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: tcrypt - fix AEAD decryption speed test
Gilad Ben-Yossef [Sun, 17 Dec 2017 08:29:01 +0000 (08:29 +0000)]
crypto: tcrypt - fix AEAD decryption speed test

The AEAD speed test pretended to support decryption, however that support
was broken as decryption requires a valid auth field which the test did
not provide.

Fix this by running the encryption path once with inout/output sgls
switched to calculate the auth field prior to performing decryption
speed tests.

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: tcrypt - use multi buf for ahash mb test
Gilad Ben-Yossef [Sun, 17 Dec 2017 08:29:00 +0000 (08:29 +0000)]
crypto: tcrypt - use multi buf for ahash mb test

The multi buffer ahash speed test was allocating multiple
buffers for use with the multiple outstanding requests
it was starting but never actually using them (except
to free them), instead using a different single statically
allocated buffer for all requests.

Fix this by actually using the allocated buffers for the test.

It is noted that it may seem tempting to instead remove the
allocation and free of the multiple buffers and leave things as
they are since this is a hash test where the input is read
only. However, after consideration I believe that multiple
buffers better reflect real life scenario with regard
to data cache and TLB behaviours etc.

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agohwrng: core - Clean up RNG list when last hwrng is unregistered
Gary R Hook [Fri, 15 Dec 2017 19:55:59 +0000 (13:55 -0600)]
hwrng: core - Clean up RNG list when last hwrng is unregistered

Commit 142a27f0a731 added support for a "best" RNG, and in doing so
introduced a hang from rmmod/modprobe -r when the last RNG on the list
was unloaded.

When the hwrng list is depleted, return the global variables to their
original state and decrement all references to the object.

Fixes: 142a27f0a731 ("hwrng: core - Reset user selected rng by writing "" to rng_current")
Signed-off-by: Gary R Hook <gary.hook@amd.com>
Reviewed-by: PrasannaKumar Muralidharan <prasannatsmkumar@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - EIP97 support
Antoine Ténart [Thu, 14 Dec 2017 14:26:58 +0000 (15:26 +0100)]
crypto: inside-secure - EIP97 support

The Inside Secure SafeXcel driver was firstly designed to support the
EIP197 cryptographic engine which is an evolution (with much more
feature, better performances) of the EIP97 cryptographic engine. This
patch convert the Inside Secure SafeXcel driver to support both engines
(EIP97 + EIP197).

The main differences are the register offsets and the context
invalidation process which is EIP197 specific. This patch adds an
indirection on the register offsets and adds checks not to send any
invalidation request when driving the EIP97. A new compatible is added
as well to bind the driver from device trees.

Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - retry to proceed the request later on fail
Antoine Ténart [Thu, 14 Dec 2017 14:26:57 +0000 (15:26 +0100)]
crypto: inside-secure - retry to proceed the request later on fail

The dequeueing function was putting back a request in the crypto queue
on failure (when not enough resources are available) which is not
perfect as the request will be handled much later. This patch updates
this logic by keeping a reference on the failed request to try
proceeding it later when enough resources are available.

Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - handle more result requests when counter is full
Antoine Ténart [Thu, 14 Dec 2017 14:26:56 +0000 (15:26 +0100)]
crypto: inside-secure - handle more result requests when counter is full

This patch modifies the result handling logic to continue handling
results when the completed requests counter is full and not showing the
actual number of requests to handle.

Suggested-by: Ofer Heifetz <oferh@marvell.com>
Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - acknowledge the result requests all at once
Antoine Ténart [Thu, 14 Dec 2017 14:26:55 +0000 (15:26 +0100)]
crypto: inside-secure - acknowledge the result requests all at once

This patches moves the result request acknowledgment from a per request
process to acknowledging all the result requests handled at once.

Suggested-by: Ofer Heifetz <oferh@marvell.com>
Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - increase the ring size
Antoine Ténart [Thu, 14 Dec 2017 14:26:54 +0000 (15:26 +0100)]
crypto: inside-secure - increase the ring size

Increase the ring size to handle more requests in parallel, while
keeping the batch size (for interrupt coalescing) to its previous value.
The ring size and batch size are now unlinked.

Suggested-by: Ofer Heifetz <oferh@marvell.com>
Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - dequeue all requests at once
Antoine Ténart [Thu, 14 Dec 2017 14:26:53 +0000 (15:26 +0100)]
crypto: inside-secure - dequeue all requests at once

This patch updates the dequeueing logic to dequeue all requests at once.
Since we can have many requests in the queue, the interrupt coalescing
is kept so that the ring interrupt fires every EIP197_MAX_BATCH_SZ at
most.

To allow dequeueing all requests at once while still using reasonable
settings for the interrupt coalescing, the result handling function was
updated to setup the threshold interrupt when needed (i.e. when more
requests than EIP197_MAX_BATCH_SZ are in the queue). When using this
capability the ring is marked as busy so that the dequeue function
enqueue new requests without setting the threshold interrupt.

Suggested-by: Ofer Heifetz <oferh@marvell.com>
Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - use threaded IRQs for result handling
Antoine Ténart [Thu, 14 Dec 2017 14:26:52 +0000 (15:26 +0100)]
crypto: inside-secure - use threaded IRQs for result handling

This patch moves the result handling from an IRQ handler to a threaded
IRQ handler, to improve the number of complete requests being handled at
once.

Suggested-by: Ofer Heifetz <oferh@marvell.com>
Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - move request dequeueing into a workqueue
Antoine Ténart [Thu, 14 Dec 2017 14:26:51 +0000 (15:26 +0100)]
crypto: inside-secure - move request dequeueing into a workqueue

This patch moves the request dequeueing into a workqueue to improve the
coalescing of interrupts when sending requests to the engine; as the
engine is capable of having one single interrupt for n requests sent.
Using a workqueue allows to send more request at once.

Suggested-by: Ofer Heifetz <oferh@marvell.com>
Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - remove unused parameter in invalidate_cache
Ofer Heifetz [Thu, 14 Dec 2017 14:26:50 +0000 (15:26 +0100)]
crypto: inside-secure - remove unused parameter in invalidate_cache

The SafeXcel context isn't used in the cache invalidation function. This
cosmetic patch removes it (as well as from the function prototype in the
header file and when the function is called).

Signed-off-by: Ofer Heifetz <oferh@marvell.com>
[Antoine: commit message]
Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - move cipher crypto mode to request context
Ofer Heifetz [Thu, 14 Dec 2017 14:26:49 +0000 (15:26 +0100)]
crypto: inside-secure - move cipher crypto mode to request context

The cipher direction can be different for requests within the same
transformation context. This patch moves the direction flag from the
context to the request scope.

Signed-off-by: Ofer Heifetz <oferh@marvell.com>
[Antoine: commit message]
Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - EBUSY is not an error on async request
Ofer Heifetz [Thu, 14 Dec 2017 14:26:48 +0000 (15:26 +0100)]
crypto: inside-secure - EBUSY is not an error on async request

When initializing the IVs crypto_ahash_update() is called, which at some
point will call crypto_enqueue_request(). This function can return
-EBUSY when no resource is available and the request is queued. Since
this is a valid case, -EBUSY shouldn't be treated as an error.

Signed-off-by: Ofer Heifetz <oferh@marvell.com>
[Antoine: commit message]
Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - refrain from unneeded invalidations
Ofer Heifetz [Thu, 14 Dec 2017 14:26:47 +0000 (15:26 +0100)]
crypto: inside-secure - refrain from unneeded invalidations

The check to know if an invalidation is needed (i.e. when the context
changes) is done even if the context does not exist yet. This happens
when first setting a key for ciphers and/or hmac operations.

This commits adds a check in the _setkey functions to only check if an
invalidation is needed when a context exists, as there is no need to
perform this check otherwise.

Signed-off-by: Ofer Heifetz <oferh@marvell.com>
[Antoine: commit message and added a comment and reworked one of the
checks]
Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - comment the caching function
Antoine Ténart [Thu, 14 Dec 2017 14:26:46 +0000 (15:26 +0100)]
crypto: inside-secure - comment the caching function

Cosmetic patch adding a few comments to the ahash caching function to
understand easily what calculations are made in the functions; and how
the function is working.

Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - remove useless memset
Antoine Ténart [Thu, 14 Dec 2017 14:26:45 +0000 (15:26 +0100)]
crypto: inside-secure - remove useless memset

This patch removes an useless memset in the ahash_export function, as
the zeroed buffer will be entirely overridden the next line.

Suggested-by: Ofer Heifetz <oferh@marvell.com>
Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - fix typo in a comment
Antoine Ténart [Thu, 14 Dec 2017 14:26:44 +0000 (15:26 +0100)]
crypto: inside-secure - fix typo in a comment

Cosmetic patch fixing one typo in one of the driver's comments.

Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - remove extra empty line
Antoine Ténart [Thu, 14 Dec 2017 14:26:43 +0000 (15:26 +0100)]
crypto: inside-secure - remove extra empty line

Cosmetic patch removing an extra empty line between header inclusions.

Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Herbert Xu [Fri, 22 Dec 2017 09:00:50 +0000 (20:00 +1100)]
Merge git://git./linux/kernel/git/herbert/crypto-2.6

Merge the crypto tree to pick up inside-secure fixes.

6 years agocrypto: aesni - add wrapper for generic gcm(aes)
Sabrina Dubroca [Wed, 13 Dec 2017 13:54:36 +0000 (14:54 +0100)]
crypto: aesni - add wrapper for generic gcm(aes)

When I added generic-gcm-aes I didn't add a wrapper like the one
provided for rfc4106(gcm(aes)). We need to add a cryptd wrapper to fall
back on in case the FPU is not available, otherwise we might corrupt the
FPU state.

Fixes: cce2ea8d90fe ("crypto: aesni - add generic gcm(aes)")
Cc: <stable@vger.kernel.org>
Reported-by: Ilya Lesokhin <ilyal@mellanox.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: aesni - fix typo in generic_gcmaes_decrypt
Sabrina Dubroca [Wed, 13 Dec 2017 13:53:43 +0000 (14:53 +0100)]
crypto: aesni - fix typo in generic_gcmaes_decrypt

generic_gcmaes_decrypt needs to use generic_gcmaes_ctx, not
aesni_rfc4106_gcm_ctx. This is actually harmless because the fields in
struct generic_gcmaes_ctx share the layout of the same fields in
aesni_rfc4106_gcm_ctx.

Fixes: cce2ea8d90fe ("crypto: aesni - add generic gcm(aes)")
Cc: <stable@vger.kernel.org>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: seqiv - Remove unused alg/spawn variable
Corentin Labbe [Tue, 12 Dec 2017 19:30:14 +0000 (19:30 +0000)]
crypto: seqiv - Remove unused alg/spawn variable

This patch remove two unused variable and some dead "code" using it.

Fixes: 92932d03c2b3 ("crypto: seqiv - Remove AEAD compatibility code")
Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: echainiv - Remove unused alg/spawn variable
Corentin Labbe [Tue, 12 Dec 2017 19:30:13 +0000 (19:30 +0000)]
crypto: echainiv - Remove unused alg/spawn variable

This patch remove two unused variable and some dead "code" using it.

Fixes: 66008d4230f6 ("crypto: echainiv - Remove AEAD compatibility code")
Signed-off-by: Corentin Labbe <clabbe@baylibre.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: exynos - Introduce mutex to prevent concurrent access to hardware
Łukasz Stelmach [Tue, 12 Dec 2017 16:36:07 +0000 (17:36 +0100)]
crypto: exynos - Introduce mutex to prevent concurrent access to hardware

Hardware operations like reading random numbers and setting a seed need
to be conducted in a single thread. Therefore a mutex is required to
prevent multiple threads (processes) from accessing the hardware at the
same time.

The sequence of mutex_lock() and mutex_unlock() in the exynos_rng_reseed()
function enables switching between different threads waiting for the
driver to generate random numbers for them.

Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: exynos - Reseed PRNG after generating 2^16 random bytes
Łukasz Stelmach [Tue, 12 Dec 2017 16:36:06 +0000 (17:36 +0100)]
crypto: exynos - Reseed PRNG after generating 2^16 random bytes

Reseed PRNG after reading 65 kB of randomness. Although this may reduce
performance, in most cases the loss is not noticeable. Also the time
based threshold for reseeding is changed to one second. Reseeding is
performed whenever either limit is exceeded.

Reseeding of a PRNG does not increase entropy, but it helps preventing
backtracking the internal state of the device from its output sequence,
and hence, prevents potential attacker from predicting numbers to be
generated.

Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
Reviewed-by: Stephan Mueller <smueller@chronox.de>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: exynos - Improve performance of PRNG
Łukasz Stelmach [Tue, 12 Dec 2017 16:36:05 +0000 (17:36 +0100)]
crypto: exynos - Improve performance of PRNG

Use memcpy_fromio() instead of custom exynos_rng_copy_random() function
to retrieve generated numbers from the registers of PRNG.

Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: exynos - Support Exynos5250+ SoCs
Łukasz Stelmach [Tue, 12 Dec 2017 16:36:04 +0000 (17:36 +0100)]
crypto: exynos - Support Exynos5250+ SoCs

Add support for PRNG in Exynos5250+ SoCs.

Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: artpec6 - set correct iv size for gcm(aes)
Lars Persson [Tue, 12 Dec 2017 11:40:22 +0000 (12:40 +0100)]
crypto: artpec6 - set correct iv size for gcm(aes)

The IV size should not include the 32 bit counter. Because we had the
IV size set as 16 the transform only worked when the IV input was zero
padded.

Fixes: a21eb94fc4d3 ("crypto: axis - add ARTPEC-6/7 crypto accelerator driver")
Signed-off-by: Lars Persson <larper@axis.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: gf128mul - remove incorrect comment
Eric Biggers [Mon, 11 Dec 2017 21:58:26 +0000 (13:58 -0800)]
crypto: gf128mul - remove incorrect comment

The comment in gf128mul_x8_ble() was copy-and-pasted from gf128mul.h and
makes no sense in the new context.  Remove it.

Cc: Harsh Jain <harsh@chelsio.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: qat - reduce stack size with KASAN
Arnd Bergmann [Mon, 11 Dec 2017 12:07:00 +0000 (13:07 +0100)]
crypto: qat - reduce stack size with KASAN

Passing the register value by reference here leads a large amount of stack being
used when CONFIG_KASAN is enabled:

drivers/crypto/qat/qat_common/qat_hal.c: In function 'qat_hal_exec_micro_inst.constprop':
drivers/crypto/qat/qat_common/qat_hal.c:963:1: error: the frame size of 1792 bytes is larger than 1536 bytes [-Werror=frame-larger-than=]

Changing the register-read function to return the value instead reduces the stack
size to around 800 bytes, most of which is for the 'savuwords' array. The function
now no longer returns an error code, but nothing ever evaluated that anyway.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - do not use areq->result for partial results
Antoine Ténart [Mon, 11 Dec 2017 11:10:58 +0000 (12:10 +0100)]
crypto: inside-secure - do not use areq->result for partial results

This patches update the SafeXcel driver to stop using the crypto
ahash_request result field for partial results (i.e. on updates).
Instead the driver local safexcel_ahash_req state field is used, and
only on final operations the ahash_request result buffer is updated.

Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver")
Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - fix request allocations in invalidation path
Antoine Ténart [Mon, 11 Dec 2017 11:10:57 +0000 (12:10 +0100)]
crypto: inside-secure - fix request allocations in invalidation path

This patch makes use of the SKCIPHER_REQUEST_ON_STACK and
AHASH_REQUEST_ON_STACK helpers to allocate enough memory to contain both
the crypto request structures and their embedded context (__ctx).

Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver")
Suggested-by: Ofer Heifetz <oferh@marvell.com>
Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - free requests even if their handling failed
Antoine Ténart [Mon, 11 Dec 2017 11:10:56 +0000 (12:10 +0100)]
crypto: inside-secure - free requests even if their handling failed

This patch frees the request private data even if its handling failed,
as it would never be freed otherwise.

Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver")
Suggested-by: Ofer Heifetz <oferh@marvell.com>
Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>