random(4) changes
Stephan has recently proposed some extensive changes to this driver, and I proposed a quite different set earlier. My set can be found at: https://github.com/sandy-harris This post tries to find the bits of both proposals that seem clearly worth doing and entail neither large implementation problems nor large risk of throwing out any babies with the bathwater. Unfortunately, nothing here deals with the elephant in the room -- the distinctly hard problem of making sure the driver is initialised well enough & early enough. That needs a separate post, probably a separate thread. I do not find Stepan's solution to this problem plausible and my stuff does not claim to deal with it, though it includes some things that might help. I really like Stephan's idea of simplifying the interrupt handling, replacing the multiple entropy-gathering calls in the current driver with one routine called for all interrupts. See section 1.2 of his doc. That seems to me a much cleaner design, easier both to analyse and to optimise as a fast interrupt handler. I also find Stephan's arguments that this will work better on modern systems -- VMs, machines with SSDs, etc. -- quite plausible. Note, though, that I am only talking about the actual interrupt handling, not the rest of Stephan's input handling code: the parity calculation and XORing the resulting single bit into the entropy pool. I'd be happier, at least initially, with a patch that only implemented a single-source interrupt handler that gave 32 or 64 bits to existing input-handling code. Stephan: would you want to provide such a patch? Ted: would you be inclined to accept it? I also quite like Stephan's idea of replacing the two output pools with a NIST-approved DBRG, mainly because this would probably make getting various certifications easier. I also like the idea of using crypto lib code for that since it makes both testing & maintenance easier. This strikes me, though, as a do-when-convenient sort of cleanup task, not at all urgent unless there are specific certifications we need soon. As for my proposals, I of course think they are full of good ideas, but there's only one I think is really important. In the current driver -- and I think in Stephan's, though I have not looked at his code in any detail, only his paper -- heavy use of /dev/urandom or the kernel get_random_bytes() call can deplete the entropy available to /dev/random. That can be a serious problem in some circumstances, but I think I have a fix. You have an input pool (I) plus a blocking pool (B) & a non-blocking pool (NB). The problem is what to do when NB must produce a lot of output but you do not want to deplete I too much. B & NB might be replaced by DBRGs and the problem would not change. B must be reseeded before very /dev/random output, NB after some number of output blocks. I used #define SAFE_OUT 503 but some other number might be better depending how NB is implemented & how paranoid/conservative one feels. B can only produce one full-entropy output, suitable for /dev/random, per reseed but B and NB are basically the same design so B can also produce SAFE_OUT reasonably good random numbers per reseed. Use those to reseed NB.and you reduce the load on I for reseeding NB from SAFE_OUT (use I every time NB is reseeded) to SAFE_OUT*SAFE_OUT (use I only to reseed B). This does need analysis by cryptographers, but at a minimum it is basically plausible and, even with some fairly small value for SAFE_OUT, it greatly alleviates the problem. -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
HELLO DEAR
Hello Dear, how are you doing hope fine, I am (Melissa Robert) by name. i will like to know more about you believing that friendship is a free gift of nature. Please get back to me as soon as possible through this my private Email. (mr4785...@gmail.com) thank you. -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: AEAD in TALITOS SEC1 versus TALITOS SEC2
On Thu, 21 Apr 2016 13:31:47 + Horia Ioan Geanta Neagwrote: > On 4/20/2016 3:04 PM, Christophe Leroy wrote: > > What's the best way to implement the selection of the proper descriptor > > type ? > > * We can duplicate the templates but it means that when both types are > > supported the driver with try to register each AEAD alg twice > > * We can "on the fly" change the DESC_HDR_TYPE_IPSEC_ESP type into > > DESC_HDR_TYPE_HMAC_SNOOP_NO_AFEU type ? > > * We can alter the templates at startup when we know we are on a SEC1, > > changing all templates based on DESC_HDR_TYPE_IPSEC_ESP into templates > > based on DESC_HDR_TYPE_HMAC_SNOOP_NO_AFEU > > > > What would be the best approach from your point of view ? > > > I would go with altering the relevant entries in the template array, of > course before the hw_supports() check. was wondering whether assigning a different cra_priority were another option? Kim IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: AEAD in TALITOS SEC1 versus TALITOS SEC2
On Thu, 21 Apr 2016 13:31:47 + Horia Ioan Geanta Neagwrote: > On 4/20/2016 3:04 PM, Christophe Leroy wrote: > > Today, in Talitos driver crypto alg registration is based on predefined > > templates with a predefined descriptor type and verification against the > > descriptors supported by the HW. This works well for ALG that require a > > unique descriptor. But for IPsec this is slightly different: > > * IPsec can be performed with both DESC_HDR_TYPE_IPSEC_ESP and > > DESC_HDR_TYPE_HMAC_SNOOP_NO_AFEU > > * DESC_HDR_TYPE_IPSEC_ESP is supported only by SEC2 > > * DESC_HDR_TYPE_HMAC_SNOOP_NO_AFEU is supported by both SEC1 and SEC2 > > * DESC_HDR_TYPE_HMAC_SNOOP_NO_AFEU is less performant than > > DESC_HDR_TYPE_IPSEC_ESP > > So it is natural to use DESC_HDR_TYPE_IPSEC_ESP when it is supported and > > use DESC_HDR_TYPE_HMAC_SNOOP_NO_AFEU otherwise ? > > > > What's the best way to implement the selection of the proper descriptor > > type ? > > * We can duplicate the templates but it means that when both types are > > supported the driver with try to register each AEAD alg twice > > * We can "on the fly" change the DESC_HDR_TYPE_IPSEC_ESP type into > > DESC_HDR_TYPE_HMAC_SNOOP_NO_AFEU type ? > > * We can alter the templates at startup when we know we are on a SEC1, > > changing all templates based on DESC_HDR_TYPE_IPSEC_ESP into templates > > based on DESC_HDR_TYPE_HMAC_SNOOP_NO_AFEU > > > > What would be the best approach from your point of view ? > > > I would go with altering the relevant entries in the template array, of > course before the hw_supports() check. > > IIUC, the "on the fly" option won't work. There has to be a valid > descriptor type for each template entry before hw_supports(). > > Regards, > Horia > -- > To unsubscribe from this list: send the line "unsubscribe linux-crypto" in > the body of a message to majord...@vger.kernel.org > More majordomo info at http://vger.kernel.org/majordomo-info.html > IMPORTANT NOTICE: The contents of this email and any attachments are confidential and may also be privileged. If you are not the intended recipient, please notify the sender immediately and do not disclose the contents to any other person, use it for any purpose, or store or copy the information in any medium. Thank you. -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [RFC][PATCH 0/6] /dev/random - a new approach
On Thu, Apr 21, 2016 at 10:51 PM, Theodore Ts'owrote: > I still have a massive problem with the claims that the "Jitter" RNG > provides any amount of entropy. Just because you and I might not be > able to analyze it doesn't mean that somebody else couldn't. After > all, DUAL-EC DRNG was very complicated and hard to analyze. So would > be something like > >AES(NSA_KEY, COUNTER++) > > Very hard to analyze indeed. Shall we run statistical tests? They'll > pass with flying colors. > > Secure? Not so much. > > - Ted Jitter, havege and my maxwell(8) all claim to get entropy from variations in timing of simple calculations, and the docs for all three give arguments that there really is some entropy there. Some of those arguments are quite strong. Mine are in the PDF at: https://github.com/sandy-harris/maxwell I find any of those plausible as an external RNG feeding random(4), though a hardware RNG or Turbid is preferable. -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH 2/2] crypto: s5p-sss - Fix missed interrupts when working with 8 kB blocks
The tcrypt testing module on Exynos5422-based Odroid XU3/4 board failed on testing 8 kB size blocks: $ sudo modprobe tcrypt sec=1 mode=500 testing speed of async ecb(aes) (ecb-aes-s5p) encryption test 0 (128 bit key, 16 byte blocks): 21971 operations in 1 seconds (351536 bytes) test 1 (128 bit key, 64 byte blocks): 21731 operations in 1 seconds (1390784 bytes) test 2 (128 bit key, 256 byte blocks): 21932 operations in 1 seconds (5614592 bytes) test 3 (128 bit key, 1024 byte blocks): 21685 operations in 1 seconds (22205440 bytes) test 4 (128 bit key, 8192 byte blocks): This was caused by a race issue of missed BRDMA_DONE ("Block cipher Receiving DMA") interrupt. Device starts processing the data in DMA mode immediately after setting length of DMA block: receiving (FCBRDMAL) or transmitting (FCBTDMAL). The driver sets these lengths from interrupt handler through s5p_set_dma_indata() function (or xxx_setdata()). However the interrupt handler was first dealing with receive buffer (dma-unmap old, dma-map new, set receive block length which starts the operation), then with transmit buffer and finally was clearing pending interrupts (FCINTPEND). Because of the time window between setting receive buffer length and clearing pending interrupts, the operation on receive buffer could end already and driver would miss new interrupt. User manual for Exynos5422 confirms in example code that setting DMA block lengths should be the last operation. The tcrypt hang could be also observed in following blocked-task dmesg: INFO: task modprobe:258 blocked for more than 120 seconds. Not tainted 4.6.0-rc4-next-20160419-5-g9eac8b7b7753-dirty #42 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. modprobeD c06b09d8 0 258256 0x [] (__schedule) from [] (schedule+0x40/0xac) [] (schedule) from [] (schedule_timeout+0x124/0x178) [] (schedule_timeout) from [] (wait_for_common+0xb8/0x144) [] (wait_for_common) from [] (test_acipher_speed+0x49c/0x740 [tcrypt]) [] (test_acipher_speed [tcrypt]) from [] (do_test+0x2240/0x30ec [tcrypt]) [] (do_test [tcrypt]) from [] (tcrypt_mod_init+0x48/0xa4 [tcrypt]) [] (tcrypt_mod_init [tcrypt]) from [] (do_one_initcall+0x3c/0x16c) [] (do_one_initcall) from [] (do_init_module+0x5c/0x1ac) [] (do_init_module) from [] (load_module+0x1a30/0x1d08) [] (load_module) from [] (SyS_finit_module+0x8c/0x98) [] (SyS_finit_module) from [] (ret_fast_syscall+0x0/0x3c) Fixes: a49e490c7a8a ("crypto: s5p-sss - add S5PV210 advanced crypto engine support") Cc:Signed-off-by: Krzysztof Kozlowski --- Issue was easily reproduced on newer (faster?) SoCs, like Odroid XU3/XU4 (Exynos5422). Still it was kind of time-related (adding printks or kernel debug options sometimes "was fixing" the issue). On older like Odroid U3 with Exynos4412 this works fine... I am marking this cc-stable because invalid operation comes from the first version of the driver. --- drivers/crypto/s5p-sss.c | 53 +++- 1 file changed, 39 insertions(+), 14 deletions(-) diff --git a/drivers/crypto/s5p-sss.c b/drivers/crypto/s5p-sss.c index b96532078d0c..ac6d62b3be07 100644 --- a/drivers/crypto/s5p-sss.c +++ b/drivers/crypto/s5p-sss.c @@ -367,43 +367,55 @@ exit: return err; } -static void s5p_aes_tx(struct s5p_aes_dev *dev) +/* + * Returns true if new transmitting (output) data is ready and its + * address+length have to be written to device (by calling + * s5p_set_dma_outdata()). False otherwise. + */ +static bool s5p_aes_tx(struct s5p_aes_dev *dev) { int err = 0; + bool ret = false; s5p_unset_outdata(dev); if (!sg_is_last(dev->sg_dst)) { err = s5p_set_outdata(dev, sg_next(dev->sg_dst)); - if (err) { + if (err) s5p_aes_complete(dev, err); - return; - } - - s5p_set_dma_outdata(dev, dev->sg_dst); + else + ret = true; } else { s5p_aes_complete(dev, err); dev->busy = true; tasklet_schedule(>tasklet); } + + return ret; } -static void s5p_aes_rx(struct s5p_aes_dev *dev) +/* + * Returns true if new receiving (input) data is ready and its + * address+length have to be written to device (by calling + * s5p_set_dma_indata()). False otherwise. + */ +static bool s5p_aes_rx(struct s5p_aes_dev *dev) { int err; + bool ret = false; s5p_unset_indata(dev); if (!sg_is_last(dev->sg_src)) { err = s5p_set_indata(dev, sg_next(dev->sg_src)); - if (err) { + if (err) s5p_aes_complete(dev, err); - return; - } - - s5p_set_dma_indata(dev,
[PATCH 1/2] crypto: s5p-sss - Use common BIT macro
The BIT() macro is obvious and well known, so prefer to use it instead of crafted own macro. Signed-off-by: Krzysztof Kozlowski--- drivers/crypto/s5p-sss.c | 95 1 file changed, 47 insertions(+), 48 deletions(-) diff --git a/drivers/crypto/s5p-sss.c b/drivers/crypto/s5p-sss.c index 71ca6a5d636d..b96532078d0c 100644 --- a/drivers/crypto/s5p-sss.c +++ b/drivers/crypto/s5p-sss.c @@ -31,45 +31,44 @@ #include #define _SBF(s, v) ((v) << (s)) -#define _BIT(b) _SBF(b, 1) /* Feed control registers */ #define SSS_REG_FCINTSTAT 0x -#define SSS_FCINTSTAT_BRDMAINT _BIT(3) -#define SSS_FCINTSTAT_BTDMAINT _BIT(2) -#define SSS_FCINTSTAT_HRDMAINT _BIT(1) -#define SSS_FCINTSTAT_PKDMAINT _BIT(0) +#define SSS_FCINTSTAT_BRDMAINT BIT(3) +#define SSS_FCINTSTAT_BTDMAINT BIT(2) +#define SSS_FCINTSTAT_HRDMAINT BIT(1) +#define SSS_FCINTSTAT_PKDMAINT BIT(0) #define SSS_REG_FCINTENSET 0x0004 -#define SSS_FCINTENSET_BRDMAINTENSET_BIT(3) -#define SSS_FCINTENSET_BTDMAINTENSET_BIT(2) -#define SSS_FCINTENSET_HRDMAINTENSET_BIT(1) -#define SSS_FCINTENSET_PKDMAINTENSET_BIT(0) +#define SSS_FCINTENSET_BRDMAINTENSETBIT(3) +#define SSS_FCINTENSET_BTDMAINTENSETBIT(2) +#define SSS_FCINTENSET_HRDMAINTENSETBIT(1) +#define SSS_FCINTENSET_PKDMAINTENSETBIT(0) #define SSS_REG_FCINTENCLR 0x0008 -#define SSS_FCINTENCLR_BRDMAINTENCLR_BIT(3) -#define SSS_FCINTENCLR_BTDMAINTENCLR_BIT(2) -#define SSS_FCINTENCLR_HRDMAINTENCLR_BIT(1) -#define SSS_FCINTENCLR_PKDMAINTENCLR_BIT(0) +#define SSS_FCINTENCLR_BRDMAINTENCLRBIT(3) +#define SSS_FCINTENCLR_BTDMAINTENCLRBIT(2) +#define SSS_FCINTENCLR_HRDMAINTENCLRBIT(1) +#define SSS_FCINTENCLR_PKDMAINTENCLRBIT(0) #define SSS_REG_FCINTPEND 0x000C -#define SSS_FCINTPEND_BRDMAINTP _BIT(3) -#define SSS_FCINTPEND_BTDMAINTP _BIT(2) -#define SSS_FCINTPEND_HRDMAINTP _BIT(1) -#define SSS_FCINTPEND_PKDMAINTP _BIT(0) +#define SSS_FCINTPEND_BRDMAINTP BIT(3) +#define SSS_FCINTPEND_BTDMAINTP BIT(2) +#define SSS_FCINTPEND_HRDMAINTP BIT(1) +#define SSS_FCINTPEND_PKDMAINTP BIT(0) #define SSS_REG_FCFIFOSTAT 0x0010 -#define SSS_FCFIFOSTAT_BRFIFOFUL_BIT(7) -#define SSS_FCFIFOSTAT_BRFIFOEMP_BIT(6) -#define SSS_FCFIFOSTAT_BTFIFOFUL_BIT(5) -#define SSS_FCFIFOSTAT_BTFIFOEMP_BIT(4) -#define SSS_FCFIFOSTAT_HRFIFOFUL_BIT(3) -#define SSS_FCFIFOSTAT_HRFIFOEMP_BIT(2) -#define SSS_FCFIFOSTAT_PKFIFOFUL_BIT(1) -#define SSS_FCFIFOSTAT_PKFIFOEMP_BIT(0) +#define SSS_FCFIFOSTAT_BRFIFOFULBIT(7) +#define SSS_FCFIFOSTAT_BRFIFOEMPBIT(6) +#define SSS_FCFIFOSTAT_BTFIFOFULBIT(5) +#define SSS_FCFIFOSTAT_BTFIFOEMPBIT(4) +#define SSS_FCFIFOSTAT_HRFIFOFULBIT(3) +#define SSS_FCFIFOSTAT_HRFIFOEMPBIT(2) +#define SSS_FCFIFOSTAT_PKFIFOFULBIT(1) +#define SSS_FCFIFOSTAT_PKFIFOEMPBIT(0) #define SSS_REG_FCFIFOCTRL 0x0014 -#define SSS_FCFIFOCTRL_DESSEL _BIT(2) +#define SSS_FCFIFOCTRL_DESSEL BIT(2) #define SSS_HASHIN_INDEPENDENT _SBF(0, 0x00) #define SSS_HASHIN_CIPHER_INPUT _SBF(0, 0x01) #define SSS_HASHIN_CIPHER_OUTPUT_SBF(0, 0x02) @@ -77,52 +76,52 @@ #define SSS_REG_FCBRDMAS0x0020 #define SSS_REG_FCBRDMAL0x0024 #define SSS_REG_FCBRDMAC0x0028 -#define SSS_FCBRDMAC_BYTESWAP _BIT(1) -#define SSS_FCBRDMAC_FLUSH _BIT(0) +#define SSS_FCBRDMAC_BYTESWAP BIT(1) +#define SSS_FCBRDMAC_FLUSH BIT(0) #define SSS_REG_FCBTDMAS0x0030 #define SSS_REG_FCBTDMAL0x0034 #define SSS_REG_FCBTDMAC0x0038 -#define SSS_FCBTDMAC_BYTESWAP _BIT(1) -#define SSS_FCBTDMAC_FLUSH _BIT(0) +#define SSS_FCBTDMAC_BYTESWAP BIT(1) +#define SSS_FCBTDMAC_FLUSH BIT(0) #define SSS_REG_FCHRDMAS0x0040 #define SSS_REG_FCHRDMAL0x0044 #define SSS_REG_FCHRDMAC0x0048 -#define SSS_FCHRDMAC_BYTESWAP _BIT(1) -#define SSS_FCHRDMAC_FLUSH _BIT(0) +#define SSS_FCHRDMAC_BYTESWAP BIT(1) +#define SSS_FCHRDMAC_FLUSH BIT(0) #define SSS_REG_FCPKDMAS0x0050 #define SSS_REG_FCPKDMAL0x0054 #define SSS_REG_FCPKDMAC0x0058 -#define SSS_FCPKDMAC_BYTESWAP _BIT(3) -#define SSS_FCPKDMAC_DESCEND_BIT(2) -#define SSS_FCPKDMAC_TRANSMIT _BIT(1) -#define SSS_FCPKDMAC_FLUSH _BIT(0) +#define SSS_FCPKDMAC_BYTESWAP BIT(3) +#define SSS_FCPKDMAC_DESCENDBIT(2)
[patch 2/2] crypto: mxc-scc - fix unwinding in mxc_scc_crypto_register()
There are two issues here: 1) We need to decrement "i" otherwise we unregister something that was not successfully registered. 2) The original code did not unregister the first element in the array where i is zero. Fixes: d293b640ebd5 ('crypto: mxc-scc - add basic driver for the MXC SCC') Signed-off-by: Dan Carpenterdiff --git a/drivers/crypto/mxc-scc.c b/drivers/crypto/mxc-scc.c index 9b348a7..ff383ef 100644 --- a/drivers/crypto/mxc-scc.c +++ b/drivers/crypto/mxc-scc.c @@ -616,7 +616,7 @@ static struct mxc_scc_crypto_tmpl *scc_crypto_algs[] = { static int mxc_scc_crypto_register(struct mxc_scc *scc) { - unsigned int i; + int i; int err = 0; for (i = 0; i < ARRAY_SIZE(scc_crypto_algs); i++) { @@ -629,7 +629,7 @@ static int mxc_scc_crypto_register(struct mxc_scc *scc) return 0; err_out: - for (; i > 0; i--) + while (--i >= 0) crypto_unregister_alg(_crypto_algs[i]->alg); return err; -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[patch 1/2] crypto: mxc-scc - signedness bugs in mxc_scc_ablkcipher_req_init()
->src_nents and ->dst_nents are unsigned so they can't be less than zero. I fixed this by introducing a temporary "nents" variable. Fixes: d293b640ebd5 ('crypto: mxc-scc - add basic driver for the MXC SCC') Signed-off-by: Dan Carpenterdiff --git a/drivers/crypto/mxc-scc.c b/drivers/crypto/mxc-scc.c index 38b01bf..9b348a7 100644 --- a/drivers/crypto/mxc-scc.c +++ b/drivers/crypto/mxc-scc.c @@ -210,18 +210,21 @@ static int mxc_scc_ablkcipher_req_init(struct ablkcipher_request *req, struct mxc_scc_ctx *ctx) { struct mxc_scc *scc = ctx->scc; + int nents; - ctx->src_nents = sg_nents_for_len(req->src, req->nbytes); - if (ctx->src_nents < 0) { + nents = sg_nents_for_len(req->src, req->nbytes); + if (nents < 0) { dev_err(scc->dev, "Invalid number of src SC"); - return ctx->src_nents; + return nents; } + ctx->src_nents = nents; - ctx->dst_nents = sg_nents_for_len(req->dst, req->nbytes); - if (ctx->dst_nents < 0) { + nents = sg_nents_for_len(req->dst, req->nbytes); + if (nents < 0) { dev_err(scc->dev, "Invalid number of dst SC"); - return ctx->dst_nents; + return nents; } + ctx->dst_nents = nents; ctx->size = 0; ctx->offset = 0; -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html