Re: UB in general ... and linux/bitops.h in particular
> -- Perhaps the compiler guys could be persuaded to support
> the needed features explicitly, perhaps via a command-line
> option: -std=vanilla
> This should be a no-cost option as things stand today, but
> it helps to prevent nasty surprises in the future.

It looks like LLVM has the -rainbow option; see http://blog.llvm.org/2016/04/undefined-behavior-is-magic.html :)

Jeff
-- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: better patch for linux/bitops.h
On 05/05/2016 03:18 PM, ty...@mit.edu wrote:
>
> So this is why I tend to take a much more pragmatic viewpoint on
> things. Sure, it makes sense to pay attention to what the C standard
> writers are trying to do to us; but if we need to suppress certain
> optimizations to write sane kernel code --- I'm ok with that. And
> this is why using a trust-but-verify on a specific set of compilers
> and ranges of compiler versions is a really good idea
>

For the record, the "portable" construct has apparently only been supported since gcc 4.6.3.

-hpa
Re: better patch for linux/bitops.h
On May 5, 2016 3:18:09 PM PDT, ty...@mit.edu wrote:
> On Thu, May 05, 2016 at 05:34:50PM -0400, Sandy Harris wrote:
>>
>> I completely fail to see why tests or compiler versions should be
>> part of the discussion. The C standard says the behaviour in
>> certain cases is undefined, so a standard-compliant compiler
>> can generate more-or-less any code there.
>>
>> As long as any of portability, reliability or security are among our
>> goals, any code that can give undefined behaviour should be
>> considered problematic.
>
> Because compilers have been known not necessarily to obey the specs,
> and/or interpret the specs in a way that not everyone agrees with. It's
> also the case that we are *already* disabling certain C optimizations
> which are technically allowed by the spec, but which kernel
> programmers consider insane (e.g., strict aliasing).
>
> And of course, memzero_explicit() which crypto people understand is
> necessary, is something that technically compilers are allowed to
> optimize according to the spec. So trying to write secure kernel code
> which will work on arbitrary compilers may well be impossible.
>
> And which is also why people have said (mostly in jest), "A
> sufficiently advanced compiler is indistinguishable from an
> adversary." (I assume people will agree that optimizing away a memset
> needed to clear secrets from memory would be considered adversarial,
> at the very least!)
>
> So this is why I tend to take a much more pragmatic viewpoint on
> things. Sure, it makes sense to pay attention to what the C standard
> writers are trying to do to us; but if we need to suppress certain
> optimizations to write sane kernel code --- I'm ok with that. And
> this is why using a trust-but-verify on a specific set of compilers
> and ranges of compiler versions is a really good idea
>
> - Ted

I have filed a gcc bug to have the preexisting rotate idiom officially documented as a GNU C extension.

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70967

-- Sent from my Android device with K-9 Mail. Please excuse brevity and formatting.
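The rotate idiom the thread is arguing about, as an added example that is not code from the thread or from linux/bitops.h: the textbook 32-bit rotate (undefined for a count of 0, because it shifts by the full width) beside the masked form that stays defined for every count, with a self-check that the two agree wherever the textbook form is defined. The names rol32_naive, rol32_safe, ror32_safe and rotate_selfcheck are chosen here.

```c
/*
 * Added example: the 32-bit rotate idiom and why the masked form matters.
 * Not from the thread or from the kernel tree.
 */
#include <stdint.h>
#include <stdio.h>

/*
 * Textbook rotate-left. For shift == 0 the right operand becomes
 * word >> 32, and shifting by the full width of the type is undefined
 * behaviour in C, so an optimizing compiler may assume it never happens.
 * Kept only to show the problematic form; it is never called with 0 below.
 */
static uint32_t rol32_naive(uint32_t word, unsigned int shift)
{
	return (word << shift) | (word >> (32 - shift));
}

/*
 * Masking the right-hand count with (-shift & 31) keeps both shift
 * amounts in 0..31 for every shift in 0..31, so no undefined shift
 * occurs. The thread notes gcc recognises this "portable" form as a
 * rotate only from 4.6.3 on; on older compilers it is still correct,
 * just not turned into a single rotate instruction.
 */
static uint32_t rol32_safe(uint32_t word, unsigned int shift)
{
	shift &= 31;	/* make out-of-range counts well-defined too */
	return (word << shift) | (word >> (-shift & 31));
}

static uint32_t ror32_safe(uint32_t word, unsigned int shift)
{
	shift &= 31;
	return (word >> shift) | (word << (-shift & 31));
}

/*
 * Compare the safe form with the naive form on the counts where the naive
 * form is well-defined (1..31), check that ror undoes rol, and that
 * rotating by 0 or by 32 is the identity. Returns 1 on success, 0 on the
 * first mismatch.
 */
static int rotate_selfcheck(void)
{
	uint32_t v = 0x80000001u;
	unsigned int s;

	for (s = 1; s < 32; s++) {
		if (rol32_safe(v, s) != rol32_naive(v, s))
			return 0;
		if (ror32_safe(rol32_safe(v, s), s) != v)
			return 0;
	}
	return rol32_safe(v, 0) == v && rol32_safe(v, 32) == v;
}

int main(void)
{
	printf("rol32_safe(0x80000001, 1) = 0x%08x\n", rol32_safe(0x80000001u, 1));
	printf("rol32_safe(0x12345678, 0) = 0x%08x\n", rol32_safe(0x12345678u, 0));
	printf("selfcheck: %s\n", rotate_selfcheck() ? "ok" : "MISMATCH");
	return 0;
}
```

Compiling rol32_naive with -fsanitize=undefined and calling it with a count of 0 reports the full-width shift; the masked form produces no report for any count.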
Re: better patch for linux/bitops.h
On 05/05/2016 03:18 PM, ty...@mit.edu wrote:
> On Thu, May 05, 2016 at 05:34:50PM -0400, Sandy Harris wrote:
>>
>> I completely fail to see why tests or compiler versions should be
>> part of the discussion. The C standard says the behaviour in
>> certain cases is undefined, so a standard-compliant compiler
>> can generate more-or-less any code there.
>>
>> As long as any of portability, reliability or security are among our
>> goals, any code that can give undefined behaviour should be
>> considered problematic.
>
> Because compilers have been known not necessarily to obey the specs,
> and/or interpret the specs in a way that not everyone agrees with. It's
> also the case that we are *already* disabling certain C optimizations
> which are technically allowed by the spec, but which kernel
> programmers consider insane (e.g., strict aliasing).
>
> And of course, memzero_explicit() which crypto people understand is
> necessary, is something that technically compilers are allowed to
> optimize according to the spec. So trying to write secure kernel code
> which will work on arbitrary compilers may well be impossible.
>
> And which is also why people have said (mostly in jest), "A
> sufficiently advanced compiler is indistinguishable from an
> adversary." (I assume people will agree that optimizing away a memset
> needed to clear secrets from memory would be considered adversarial,
> at the very least!)
>
> So this is why I tend to take a much more pragmatic viewpoint on
> things. Sure, it makes sense to pay attention to what the C standard
> writers are trying to do to us; but if we need to suppress certain
> optimizations to write sane kernel code --- I'm ok with that. And
> this is why using a trust-but-verify on a specific set of compilers
> and ranges of compiler versions is a really good idea
>

In theory, theory and practice should agree, but in practice, practice is what counts.

I fully agree we should get rid of UD behavior where doing so is practical, but not at the cost of breaking real-life compilers, especially not gcc, and to a lesser but still very real extent icc and clang.

I would also agree that we should push the gcc developers to add to the manual C-standard-UD behaviors which are well-defined under the gnu89/gnu99/gnu11 C dialects.

-hpa
Re: better patch for linux/bitops.h
On Thu, May 05, 2016 at 05:34:50PM -0400, Sandy Harris wrote:
>
> I completely fail to see why tests or compiler versions should be
> part of the discussion. The C standard says the behaviour in
> certain cases is undefined, so a standard-compliant compiler
> can generate more-or-less any code there.
>
> As long as any of portability, reliability or security are among our
> goals, any code that can give undefined behaviour should be
> considered problematic.

Because compilers have been known not necessarily to obey the specs, and/or interpret the specs in a way that not everyone agrees with. It's also the case that we are *already* disabling certain C optimizations which are technically allowed by the spec, but which kernel programmers consider insane (e.g., strict aliasing).

And of course, memzero_explicit() which crypto people understand is necessary, is something that technically compilers are allowed to optimize according to the spec. So trying to write secure kernel code which will work on arbitrary compilers may well be impossible.

And which is also why people have said (mostly in jest), "A sufficiently advanced compiler is indistinguishable from an adversary." (I assume people will agree that optimizing away a memset needed to clear secrets from memory would be considered adversarial, at the very least!)

So this is why I tend to take a much more pragmatic viewpoint on things. Sure, it makes sense to pay attention to what the C standard writers are trying to do to us; but if we need to suppress certain optimizations to write sane kernel code --- I'm ok with that. And this is why using a trust-but-verify on a specific set of compilers and ranges of compiler versions is a really good idea

- Ted
Re: better patch for linux/bitops.h
On Wed, May 4, 2016 at 11:50 PM, Theodore Ts'o wrote:
> Instead of arguing over who's "sane" or "insane", can we come up with
> an agreed-upon set of tests, and a set of compiler and compiler
> versions ...

I completely fail to see why tests or compiler versions should be part of the discussion. The C standard says the behaviour in certain cases is undefined, so a standard-compliant compiler can generate more-or-less any code there.

As long as any of portability, reliability or security are among our goals, any code that can give undefined behaviour should be considered problematic.

> But instead of arguing over what works and doesn't, let's just create
> the test set and just try it on a wide range of compilers and
> architectures, hmmm?

No. Let's just fix the code so that undefined behaviour cannot occur.

Creating test cases for a fix and trying them on a range of systems would be useful, perhaps essential, work. Doing tests without a fix would be a complete waste of time.
[PATCH RESEND v5 3/6] crypto: AF_ALG -- add asymmetric cipher interface
From: Stephan Mueller

This patch adds the user space interface for asymmetric ciphers. The interface allows the use of sendmsg as well as vmsplice to provide data.

This version has been rebased on top of 4.6 and a few checkpatch issues have been fixed.

Signed-off-by: Stephan Mueller
Signed-off-by: Tadeusz Struk
---
crypto/algif_akcipher.c | 542 +++ 1 file changed, 542 insertions(+) create mode 100644 crypto/algif_akcipher.c diff --git a/crypto/algif_akcipher.c b/crypto/algif_akcipher.c new file mode 100644 index 000..6342b6e --- /dev/null +++ b/crypto/algif_akcipher.c 
@@ -0,0 +1,542 @@ +/* + * algif_akcipher: User-space interface for asymmetric cipher algorithms + * + * Copyright (C) 2015, Stephan Mueller + * + * This file provides the user-space API for asymmetric ciphers. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +struct akcipher_sg_list { + unsigned int cur; + struct scatterlist sg[ALG_MAX_PAGES]; +}; + +struct akcipher_ctx { + struct akcipher_sg_list tsgl; + struct af_alg_sgl rsgl[ALG_MAX_PAGES]; + + struct af_alg_completion completion; + + unsigned long used; + + unsigned int len; + bool more; + bool merge; + int op; + + struct akcipher_request req; +}; + +static inline int akcipher_sndbuf(struct sock *sk) +{ + struct alg_sock *ask = alg_sk(sk); + struct akcipher_ctx *ctx = ask->private; + + return max_t(int, max_t(int, sk->sk_sndbuf & PAGE_MASK, PAGE_SIZE) - + ctx->used, 0); +} + +static inline bool akcipher_writable(struct sock *sk) +{ + return akcipher_sndbuf(sk) >= PAGE_SIZE; +} + +static inline int akcipher_calcsize(struct akcipher_ctx *ctx) +{ + return crypto_akcipher_maxsize(crypto_akcipher_reqtfm(>req)); +} + +static void akcipher_put_sgl(struct sock *sk) +{ + struct alg_sock *ask = alg_sk(sk); + struct akcipher_ctx *ctx = ask->private; + struct akcipher_sg_list *sgl = >tsgl; + struct scatterlist *sg = sgl->sg; + unsigned int i; + + for (i = 0; i < sgl->cur; i++) { + if (!sg_page(sg + i)) + continue; + + put_page(sg_page(sg + i)); + sg_assign_page(sg + i, NULL); + } + sg_init_table(sg, ALG_MAX_PAGES); + sgl->cur = 0; + ctx->used = 0; + ctx->more = 0; + ctx->merge = 0; +} + +static void akcipher_wmem_wakeup(struct sock *sk) +{ + struct socket_wq *wq; + + if (!akcipher_writable(sk)) + return; + + 
rcu_read_lock(); + wq = rcu_dereference(sk->sk_wq); + if (wq_has_sleeper(>wait)) + wake_up_interruptible_sync_poll(>wait, POLLIN | + POLLRDNORM | + POLLRDBAND); + sk_wake_async(sk, SOCK_WAKE_WAITD, POLL_IN); + rcu_read_unlock(); +} + +static int akcipher_wait_for_data(struct sock *sk, unsigned int flags) +{ + struct alg_sock *ask = alg_sk(sk); + struct akcipher_ctx *ctx = ask->private; + long timeout; + DEFINE_WAIT(wait); + int err = -ERESTARTSYS; + + if (flags & MSG_DONTWAIT) + return -EAGAIN; + + set_bit(SOCKWQ_ASYNC_WAITDATA, >sk_socket->flags); + + for (;;) { + if (signal_pending(current)) + break; + prepare_to_wait(sk_sleep(sk), , TASK_INTERRUPTIBLE); + timeout = MAX_SCHEDULE_TIMEOUT; + if (sk_wait_event(sk, , !ctx->more)) { + err = 0; + break; + } + } + finish_wait(sk_sleep(sk), ); + + clear_bit(SOCKWQ_ASYNC_WAITDATA, >sk_socket->flags); + + return err; +} + +static void akcipher_data_wakeup(struct sock *sk) +{ + struct alg_sock *ask = alg_sk(sk); + struct akcipher_ctx *ctx = ask->private; + struct socket_wq *wq; + + if (ctx->more) + return; + if (!ctx->used) + return; + + rcu_read_lock(); + wq = rcu_dereference(sk->sk_wq); + if (wq_has_sleeper(>wait)) + wake_up_interruptible_sync_poll(>wait, POLLOUT | + POLLRDNORM | + POLLRDBAND); + sk_wake_async(sk, SOCK_WAKE_SPACE, POLL_OUT); + rcu_read_unlock(); +} + +static int akcipher_sendmsg(struct socket *sock, struct
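Review bot: the poll flags in akcipher_wmem_wakeup() and akcipher_data_wakeup() do not match the conditions those functions test. akcipher_wmem_wakeup() returns early unless akcipher_writable(sk) is true, i.e. it signals free send buffer space, yet it wakes with `POLLIN | POLLRDNORM | POLLRDBAND` and `sk_wake_async(sk, SOCK_WAKE_WAITD, POLL_IN)`; akcipher_data_wakeup() returns early unless ctx->used is non-zero and ctx->more is clear, i.e. it signals data ready for the reader, yet it wakes with `POLLOUT | POLLRDNORM | POLLRDBAND` and `sk_wake_async(sk, SOCK_WAKE_SPACE, POLL_OUT)`. Either swap the two flag sets or, if this deliberately mirrors the existing algif_* files, add a one-line comment saying so, because as written every reader has to stop and work out whether it is a bug. The commit message should also say what vmsplice-provided pages are held by (the put_page() loop in akcipher_put_sgl() implies a get on the way in, but that path is not in the part of the patch shown here).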
[PATCH RESEND v5 4/6] crypto: algif_akcipher - enable compilation
From: Stephan Mueller

Add the Makefile and Kconfig updates to allow algif_akcipher to be compiled.

Signed-off-by: Stephan Mueller
Signed-off-by: Tadeusz Struk
---
crypto/Kconfig |9 + crypto/Makefile |1 + 2 files changed, 10 insertions(+) diff --git a/crypto/Kconfig b/crypto/Kconfig index 93a1fdc..b932319 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -1626,6 +1626,15 @@ config CRYPTO_USER_API_AEAD This option enables the user-spaces interface for AEAD cipher algorithms. +config CRYPTO_USER_API_AKCIPHER + tristate "User-space interface for asymmetric key cipher algorithms" + depends on NET + select CRYPTO_AKCIPHER2 + select CRYPTO_USER_API + help + This option enables the user-spaces interface for asymmetric + key cipher algorithms. + config CRYPTO_HASH_INFO bool diff --git a/crypto/Makefile b/crypto/Makefile index 4f4ef7e..c51ac16 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -121,6 +121,7 @@ obj-$(CONFIG_CRYPTO_USER_API_HASH) += algif_hash.o obj-$(CONFIG_CRYPTO_USER_API_SKCIPHER) += algif_skcipher.o obj-$(CONFIG_CRYPTO_USER_API_RNG) += algif_rng.o obj-$(CONFIG_CRYPTO_USER_API_AEAD) += algif_aead.o +obj-$(CONFIG_CRYPTO_USER_API_AKCIPHER) += algif_akcipher.o # # generic algorithms and the async_tx api
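Review bot: the help text of the new CRYPTO_USER_API_AKCIPHER entry says "user-spaces interface", copying the typo visible in the CRYPTO_USER_API_AEAD context lines above it; since this is new text, write "user-space interface" here rather than propagate it. The Kconfig and Makefile additions otherwise follow the existing algif_* entries (depends on NET, select CRYPTO_USER_API, obj-$(CONFIG_...) += algif_akcipher.o), which is the right shape.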
[PATCH RESEND v5 1/6] crypto: AF_ALG -- add sign/verify API
From: Stephan Mueller

Add the flags for handling signature generation and signature verification. Also, the patch adds the interface for setting a public key.

Signed-off-by: Stephan Mueller
Signed-off-by: Tadeusz Struk
---
include/uapi/linux/if_alg.h |3 +++ 1 file changed, 3 insertions(+) diff --git a/include/uapi/linux/if_alg.h b/include/uapi/linux/if_alg.h index f2acd2f..02e6162 100644 --- a/include/uapi/linux/if_alg.h +++ b/include/uapi/linux/if_alg.h @@ -34,9 +34,12 @@ struct af_alg_iv { #define ALG_SET_OP 3 #define ALG_SET_AEAD_ASSOCLEN 4 #define ALG_SET_AEAD_AUTHSIZE 5 +#define ALG_SET_PUBKEY 6 /* Operations */ #define ALG_OP_DECRYPT 0 #define ALG_OP_ENCRYPT 1 +#define ALG_OP_SIGN2 +#define ALG_OP_VERIFY 3 #endif /* _LINUX_IF_ALG_H */
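Review bot: the three new UAPI constants (ALG_SET_PUBKEY, ALG_OP_SIGN, ALG_OP_VERIFY) are a user-visible ABI addition with no documentation change in this patch (the diffstat touches only include/uapi/linux/if_alg.h). At minimum the commit message should state what ALG_OP_SIGN and ALG_OP_VERIFY expect as input and what they return, and which of ALG_SET_KEY / ALG_SET_PUBKEY each of the four operations requires, since userspace cannot infer that from the numbers; a short comment next to the defines would be better still.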
[PATCH RESEND v5 5/6] crypto: algif_akcipher - add ops_nokey
Similar to algif_skcipher and algif_hash, algif_akcipher needs to prevent user space from using the interface in an improper way. This patch adds nokey ops handlers, which do just that. Signed-off-by: Tadeusz Struk--- crypto/algif_akcipher.c | 159 +-- 1 file changed, 152 insertions(+), 7 deletions(-) diff --git a/crypto/algif_akcipher.c b/crypto/algif_akcipher.c index 6342b6e..e00793d 100644 --- a/crypto/algif_akcipher.c +++ b/crypto/algif_akcipher.c @@ -27,6 +27,11 @@ struct akcipher_sg_list { struct scatterlist sg[ALG_MAX_PAGES]; }; +struct akcipher_tfm { + struct crypto_akcipher *akcipher; + bool has_key; +}; + struct akcipher_ctx { struct akcipher_sg_list tsgl; struct af_alg_sgl rsgl[ALG_MAX_PAGES]; 
@@ -450,25 +455,151 @@ static struct proto_ops algif_akcipher_ops = { .poll = akcipher_poll, }; +static int akcipher_check_key(struct socket *sock) +{ + int err = 0; + struct sock *psk; + struct alg_sock *pask; + struct akcipher_tfm *tfm; + struct sock *sk = sock->sk; + struct alg_sock *ask = alg_sk(sk); + + lock_sock(sk); + if (ask->refcnt) + goto unlock_child; + + psk = ask->parent; + pask = alg_sk(ask->parent); + tfm = pask->private; + + err = -ENOKEY; + lock_sock_nested(psk, SINGLE_DEPTH_NESTING); + if (!tfm->has_key) + goto unlock; + + if (!pask->refcnt++) + sock_hold(psk); + + ask->refcnt = 1; + sock_put(psk); + + err = 0; + +unlock: + release_sock(psk); +unlock_child: + release_sock(sk); + + return err; +} + +static int akcipher_sendmsg_nokey(struct socket *sock, struct msghdr *msg, + size_t size) +{ + int err; + + err = akcipher_check_key(sock); + if (err) + return err; + + return akcipher_sendmsg(sock, msg, size); +} + +static ssize_t akcipher_sendpage_nokey(struct socket *sock, struct page *page, + int offset, size_t size, int flags) +{ + int err; + + err = akcipher_check_key(sock); + if (err) + return err; + + return akcipher_sendpage(sock, page, offset, size, flags); +} + +static int akcipher_recvmsg_nokey(struct socket *sock, struct msghdr *msg, + size_t ignored, int flags) +{ + int err; + + err = akcipher_check_key(sock); + if (err) + return err; + + return akcipher_recvmsg(sock, msg, ignored, flags); +} + +static struct proto_ops algif_akcipher_ops_nokey = { + .family = PF_ALG, + + .connect= sock_no_connect, + .socketpair = sock_no_socketpair, + .getname= sock_no_getname, + .ioctl = sock_no_ioctl, + .listen = sock_no_listen, + .shutdown = sock_no_shutdown, + .getsockopt = sock_no_getsockopt, + .mmap = sock_no_mmap, + .bind = sock_no_bind, + .accept = sock_no_accept, + .setsockopt = sock_no_setsockopt, + + .release= af_alg_release, + .sendmsg= akcipher_sendmsg_nokey, + .sendpage = akcipher_sendpage_nokey, + .recvmsg= akcipher_recvmsg_nokey, + .poll = 
akcipher_poll, +}; + static void *akcipher_bind(const char *name, u32 type, u32 mask) { - return crypto_alloc_akcipher(name, type, mask); + struct akcipher_tfm *tfm; + struct crypto_akcipher *akcipher; + + tfm = kzalloc(sizeof(*tfm), GFP_KERNEL); + if (!tfm) + return ERR_PTR(-ENOMEM); + + akcipher = crypto_alloc_akcipher(name, type, mask); + if (IS_ERR(akcipher)) { + kfree(tfm); + return ERR_CAST(akcipher); + } + + tfm->akcipher = akcipher; + return tfm; } static void akcipher_release(void *private) { - crypto_free_akcipher(private); + struct akcipher_tfm *tfm = private; + struct crypto_akcipher *akcipher = tfm->akcipher; + + crypto_free_akcipher(akcipher); + kfree(tfm); } static int akcipher_setprivkey(void *private, const u8 *key, unsigned int keylen) { - return crypto_akcipher_set_priv_key(private, key, keylen); + struct akcipher_tfm *tfm = private; + struct crypto_akcipher *akcipher = tfm->akcipher; + int err; + + err = crypto_akcipher_set_priv_key(akcipher, key, keylen); + tfm->has_key = !err; + return err; } static int akcipher_setpubkey(void *private, const u8 *key, unsigned int keylen) { - return crypto_akcipher_set_pub_key(private, key, keylen); + struct akcipher_tfm
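Review bot: akcipher_check_key() gates every operation on a single tfm->has_key flag, and akcipher_setprivkey() sets it whenever crypto_akcipher_set_priv_key() succeeds (the truncated akcipher_setpubkey() presumably does the same). The flag therefore records only that some key was set, not which kind, so a socket that holds only a public key passes the nokey check and can reach the ALG_OP_SIGN / ALG_OP_DECRYPT path; either track the key kind here (say, has_privkey and has_pubkey) and check it against the requested op, or make sure the operation handlers reject that combination with -ENOKEY and say so in the commit message. Separately, the commit message says this mirrors algif_skcipher and algif_hash, and the lock_sock / refcnt / sock_hold sequence in akcipher_check_key() is indeed the same dance; a shared helper in af_alg.c would avoid a third copy of it.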
[PATCH RESEND v5 6/6] crypto: AF_ALG - add support for key_id
This patch adds support for asymmetric key type to AF_ALG. It will work as follows: A new PF_ALG socket options are added on top of existing ALG_SET_KEY and ALG_SET_PUBKEY, namely ALG_SET_KEY_ID and ALG_SET_PUBKEY_ID for setting public and private keys respectively. When these new options will be used the user, instead of providing the key material, will provide a key id and the key itself will be obtained from kernel keyring subsystem. The user will use the standard tools (keyctl tool or the keyctl syscall) for key instantiation and to obtain the key id. The key id can also be obtained by reading the /proc/keys file. When a key corresponding to the given keyid is found, it is stored in the socket context and subsequent crypto operation invoked by the user will use the new asymmetric accessor functions instead of akcipher api. The asymmetric subtype can internally use akcipher api or invoke operations defined by a given subtype, depending on the key type. Signed-off-by: Tadeusz Struk--- crypto/af_alg.c | 10 ++ crypto/algif_akcipher.c | 207 ++- include/crypto/if_alg.h |1 include/uapi/linux/if_alg.h |2 4 files changed, 215 insertions(+), 5 deletions(-) diff --git a/crypto/af_alg.c b/crypto/af_alg.c index 24dc082..59c8244 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -260,6 +260,16 @@ static int alg_setsockopt(struct socket *sock, int level, int optname, err = alg_setkey(sk, optval, optlen, type->setpubkey); break; + + case ALG_SET_KEY_ID: + case ALG_SET_PUBKEY_ID: + /* ALG_SET_KEY_ID is only for akcipher */ + if (!strcmp(type->name, "akcipher") || + sock->state == SS_CONNECTED) + goto unlock; + + err = alg_setkey(sk, optval, optlen, type->setkeyid); + break; case ALG_SET_AEAD_AUTHSIZE: if (sock->state == SS_CONNECTED) goto unlock; diff --git a/crypto/algif_akcipher.c b/crypto/algif_akcipher.c index e00793d..f486b6d 100644 --- a/crypto/algif_akcipher.c +++ b/crypto/algif_akcipher.c 
@@ -14,6 +14,8 @@ #include #include #include +#include +#include #include #include #include @@ -29,6 +31,7 @@ struct akcipher_sg_list { struct akcipher_tfm { struct crypto_akcipher *akcipher; + char keyid[12]; bool has_key; }; @@ -37,6 +40,7 @@ struct akcipher_ctx { struct af_alg_sgl rsgl[ALG_MAX_PAGES]; struct af_alg_completion completion; + struct key *key; unsigned long used; 
@@ -322,6 +326,153 @@ unlock: return err ? err : size; } +static int asym_key_encrypt(const struct key *key, struct akcipher_request *req) +{ + struct kernel_pkey_params params = {0}; + char *src = NULL, *dst = NULL, *in, *out; + int ret; + + if (!sg_is_last(req->src)) { + src = kmalloc(req->src_len, GFP_KERNEL); + if (!src) + return -ENOMEM; + scatterwalk_map_and_copy(src, req->src, 0, req->src_len, 0); + in = src; + } else { + in = sg_virt(req->src); + } + if (!sg_is_last(req->dst)) { + dst = kmalloc(req->dst_len, GFP_KERNEL); + if (!dst) { + kfree(src); + return -ENOMEM; + } + out = dst; + } else { + out = sg_virt(req->dst); + } + params.key = (struct key *)key; + params.data_len = req->src_len; + params.enc_len = req->dst_len; + ret = encrypt_blob(, in, out); + if (ret) + goto free; + + if (dst) + scatterwalk_map_and_copy(dst, req->dst, 0, req->dst_len, 1); +free: + kfree(src); + kfree(dst); + return ret; +} + +static int asym_key_decrypt(const struct key *key, struct akcipher_request *req) +{ + struct kernel_pkey_params params = {0}; + char *src = NULL, *dst = NULL, *in, *out; + int ret; + + if (!sg_is_last(req->src)) { + src = kmalloc(req->src_len, GFP_KERNEL); + if (!src) + return -ENOMEM; + scatterwalk_map_and_copy(src, req->src, 0, req->src_len, 0); + in = src; + } else { + in = sg_virt(req->src); + } + if (!sg_is_last(req->dst)) { + dst = kmalloc(req->dst_len, GFP_KERNEL); + if (!dst) { + kfree(src); + return -ENOMEM; + } + out = dst; + } else { + out = sg_virt(req->dst); + } + params.key = (struct key *)key; + params.data_len = req->src_len; + params.enc_len = req->dst_len; + ret = decrypt_blob(, in, out); + if (ret) +
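Review bot: the guard in the new ALG_SET_KEY_ID / ALG_SET_PUBKEY_ID case of alg_setsockopt() is inverted. strcmp() returns 0 on a match, so `if (!strcmp(type->name, "akcipher") || sock->state == SS_CONNECTED) goto unlock;` rejects the request exactly when the type is akcipher, the one type the comment says the option is for, and lets every other type fall through to type->setkeyid. It should be `if (strcmp(type->name, "akcipher") || ...)`; and since alg_setkey() already returns -ENOPROTOOPT when the callback is NULL, the name check could be dropped altogether and the other types simply leave setkeyid unset. The commit message also describes ALG_SET_KEY_ID and ALG_SET_PUBKEY_ID as "for setting public and private keys respectively", which reverses the pairing; swap the two words.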
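Review bot: asym_key_encrypt() and asym_key_decrypt() duplicate the scatterlist-flattening prologue (kmalloc + scatterwalk_map_and_copy for multi-entry src/dst, sg_virt() for single-entry) and the free epilogue line for line; factor them into one helper that takes the blob operation, so a fix to one path cannot be missed in the other. Inside that prologue the single-entry fast path passes sg_virt(req->src) / sg_virt(req->dst) straight to encrypt_blob()/decrypt_blob() and uses req->src_len / req->dst_len as the lengths, which assumes the page is kernel-mapped and that the entry actually covers that many bytes; a check against the entry's length, or always taking the copy path, would make that safe. The `(struct key *)key` cast also discards the const promised by the signature; if encrypt_blob()/decrypt_blob() need a non-const key, take it non-const in these functions instead.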
[PATCH RESEND v5 2/6] crypto: AF_ALG -- add setpubkey setsockopt call
From: Stephan Mueller

For supporting asymmetric ciphers, user space must be able to set the public key. The patch adds a new setsockopt call for setting the public key.

Signed-off-by: Stephan Mueller
---
crypto/af_alg.c | 18 +- include/crypto/if_alg.h |1 + 2 files changed, 14 insertions(+), 5 deletions(-) diff --git a/crypto/af_alg.c b/crypto/af_alg.c index f5e18c2..24dc082 100644 --- a/crypto/af_alg.c +++ b/crypto/af_alg.c @@ -202,13 +202,17 @@ unlock: } static int alg_setkey(struct sock *sk, char __user *ukey, - unsigned int keylen) + unsigned int keylen, + int (*setkey)(void *private, const u8 *key, + unsigned int keylen)) { struct alg_sock *ask = alg_sk(sk); - const struct af_alg_type *type = ask->type; u8 *key; int err; + if (!setkey) + return -ENOPROTOOPT; + key = sock_kmalloc(sk, keylen, GFP_KERNEL); if (!key) return -ENOMEM; @@ -217,7 +221,7 @@ static int alg_setkey(struct sock *sk, char __user *ukey, if (copy_from_user(key, ukey, keylen)) goto out; - err = type->setkey(ask->private, key, keylen); + err = setkey(ask->private, key, keylen); out: sock_kzfree_s(sk, key, keylen); @@ -247,10 +251,14 @@ static int alg_setsockopt(struct socket *sock, int level, int optname, case ALG_SET_KEY: if (sock->state == SS_CONNECTED) goto unlock; - if (!type->setkey) + + err = alg_setkey(sk, optval, optlen, type->setkey); + break; + case ALG_SET_PUBKEY: + if (sock->state == SS_CONNECTED) goto unlock; - err = alg_setkey(sk, optval, optlen); + err = alg_setkey(sk, optval, optlen, type->setpubkey); break; case ALG_SET_AEAD_AUTHSIZE: if (sock->state == SS_CONNECTED) diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h index a2bfd78..6c3e6e7 100644 --- a/include/crypto/if_alg.h +++ b/include/crypto/if_alg.h 
@@ -52,6 +52,7 @@ struct af_alg_type { void *(*bind)(const char *name, u32 type, u32 mask); void (*release)(void *private); int (*setkey)(void *private, const u8 *key, unsigned int keylen); + int (*setpubkey)(void *private, const u8 *key, unsigned int keylen); int (*accept)(void *private, struct sock *sk); int (*accept_nokey)(void *private, struct sock *sk); int (*setauthsize)(void *private, unsigned int authsize);
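Review bot: in the alg_setsockopt() hunk the ALG_SET_KEY and ALG_SET_PUBKEY cases are now identical apart from the callback handed to alg_setkey(); a single case that selects `type->setkey` or `type->setpubkey` into a local and calls alg_setkey() once would avoid duplicating the SS_CONNECTED guard. Moving the NULL check into alg_setkey() changes where the error comes from: the removed `if (!type->setkey) goto unlock;` returned whatever err held at that point, while the new code returns -ENOPROTOOPT, so confirm the errno userspace sees for a type without setkey is unchanged. In the if_alg.h hunk the new setpubkey callback has the same signature as setkey, which is good; a one-line comment on the struct saying that either may be NULL (and that alg_setkey() then fails with -ENOPROTOOPT) would document the contract for the akcipher implementer.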
[PATCH RESEND v5 0/6] crypto: algif - add akcipher
First four patches are a resend of the v3 algif_akcipher from Stephan Mueller, with minor changes after rebase on top of 4.6-rc1. The next three patches add support for keys stored in the system keyring subsystem.

First patch adds algif_akcipher nokey handlers.

Second patch adds generic sign, verify, encrypt, decrypt accessor functions to the asymmetric key type. These will be defined by asymmetric subtypes, similarly to how public_key currently defines the verify_signature function.

Third patch adds support for ALG_SET_KEY_ID and ALG_SET_PUBKEY_ID commands to AF_ALG and setkeyid operation to the af_alg_type struct. If the keyid is used then the afalg layer acquires the key for the keyring subsystem and uses the new asymmetric accessor functions instead of akcipher api. The asymmetric subtypes can use akcipher api internally.

This is the same v5 version as before rebased on top of http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-asym-keyctl

v5 changes:
- drop public key changes and use new version provided by David

v4 changes:
- don't use internal public_key struct in af_alg.
- add generic accessor functions to asymmetric key type, which take the generic struct key type and resolve the specific subtype internally

v3 changes:
- include Stephan's patches (rebased on 4.6-rc1)
- add algif_akcipher nokey handlers
- add public_key info struct to public_key and helper query functions
- add a check if a key is a software accessible key on af_alg, and return -ENOKEY if it isn't

v2 changes:
- pass the original skcipher request in ablkcipher.base.data instead of casting it back from the ablkcipher request.
- rename _req to base_req
- dropped 3/3

---
Stephan Mueller (4):
  crypto: AF_ALG -- add sign/verify API
  crypto: AF_ALG -- add setpubkey setsockopt call
  crypto: AF_ALG -- add asymmetric cipher interface
  crypto: algif_akcipher - enable compilation

Tadeusz Struk (2):
  crypto: algif_akcipher - add ops_nokey
  crypto: AF_ALG - add support for key_id

 crypto/Kconfig | 9
 crypto/Makefile | 1
 crypto/af_alg.c | 28 +
 crypto/algif_akcipher.c | 884 +++
 include/crypto/if_alg.h | 2
 include/uapi/linux/if_alg.h | 5
 6 files changed, 924 insertions(+), 5 deletions(-)
 create mode 100644 crypto/algif_akcipher.c

--
TS
Re: [PATCH v2 3/8] arm64: add io{read,write}64be accessors
On Thu, May 05, 2016 at 06:36:04PM +0300, Horia Geantă wrote:
> This will allow device drivers to consistently use io{read,write}XXbe
> also for 64-bit accesses.
>
> Signed-off-by: Alex Porosanu
> Signed-off-by: Horia Geantă

Acked-by: Catalin Marinas
Re: UB in general ... and linux/bitops.h in particular
> Suggestions:
>
> a) Going forward, I suggest that UB should not be invoked
> unless there is a good solid reason.

Good luck rewriting most of the kernel source.

This discussion is insane!

-Andi
Re: [PATCH v2 2/8] asm-generic/io.h: add io{read,write}64 accessors
On Thursday 05 May 2016 18:35:56 Horia Geantă wrote:
> This will allow device drivers to consistently use io{read,write}XX
> also for 64-bit accesses.
>
> Signed-off-by: Horia Geantă

Acked-by: Arnd Bergmann
Re: [crypto / sparc64] cryptomgr_test OOPS
On 05/05/2016 02:50 AM, Herbert Xu wrote:
> On Thu, May 05, 2016 at 12:40:18PM +0300, Anatoly Pugachev wrote:
>>
>> sure, based on your cryptodev git, just tried 4.3 (6a13feb , good)
>> kernel in attempt to find (bisect) when RSA code breaks, already tested
>> 4.5 (44d1b6d , bad) , 4.4 (afd2ff9 , bad).
>> Going to try your patch soon (when I'm back home).
>> So far 4.3 passes RSA stage without OOPS, but for other reason does
>> not boot to login prompt. Boot log excerpt (4.3), this is with
>> CONFIG_CRYPTO_RSA=y :
>
> That jibes with this being a problem with the SG list since it
> was only added in 4.4.

Before 4.4 the rsa sw implementation kmalloced an intermediate flat buffer and copied the data internally.

Thanks,
--
TS
Re: [crypto / sparc64] cryptomgr_test OOPS
On 05/05/2016 08:31 AM, Anatoly Pugachev wrote:
> On Thu, May 5, 2016 at 6:00 PM, Tadeusz Struk wrote:
>> On 05/05/2016 02:40 AM, Anatoly Pugachev wrote:
>>> sure, based on your cryptodev git, just tried 4.3 (6a13feb , good)
>>> kernel in attempt to find (bisect) when RSA code breaks, already tested
>>> 4.5 (44d1b6d , bad) , 4.4 (afd2ff9 , bad).
>>> Going to try your patch soon (when I'm back home).
>>> So far 4.3 passes RSA stage without OOPS, but for other reason does
>>> not boot to login prompt. Boot log excerpt (4.3), this is with
>>> CONFIG_CRYPTO_RSA=y :
>>
>> Anatoly, could you also give this a try please:
>> Thanks
>>
>> diff --git a/crypto/testmgr.c b/crypto/testmgr.c >> index b86883a..770970ff 100644 >> --- a/crypto/testmgr.c >> +++ b/crypto/testmgr.c >> @@ -1805,8 +1805,8 @@ static int do_test_rsa(struct crypto_akcipher *tfm, >> goto free_req; >> >> sg_init_table(src_tab, 2); >> - sg_set_buf(_tab[0], vecs->m, 8); >> - sg_set_buf(_tab[1], vecs->m + 8, vecs->m_size - 8); >> + sg_set_buf(_tab[0], vecs->m, 4); >> + sg_set_buf(_tab[1], vecs->m + 4, vecs->m_size - 4); >> sg_init_one(, outbuf_enc, out_len_max); >> akcipher_request_set_crypt(req, src_tab, , vecs->m_size, >>out_len_max);
>
>
> Tadeusz,
>
> do you still want to test it , after I have reported that Herbert patch works?
>

Hi Anatoly,
Since Herbert's patch fixes it for you there is no need to test this one.

Thanks,
--
TS
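Review bot: the quoted testmgr.c hunk only moves the split point of the two-entry src_tab from 8 bytes to 4; it still hard-codes the offset and has no check that vecs->m_size exceeds it, so a short test vector would wrap the second length (vecs->m_size - 4) to a huge value. If the aim is to exercise an unaligned split in the SG walk of the RSA implementation, parameterising the offset (or looping over a few offsets) would make that intent explicit and keep the test from silently depending on the vector sizes. As the reply above says, it was not needed once Herbert's patch fixed the OOPS, so it should not be applied as-is.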
Re: [PATCH] Bluetooth: convert smp module to crypto kpp API
Hi Salvatore, > This patch has *not* been tested as I don't have the hardware. > Its purpose is to show how to use the kpp API. > > Based on https://patchwork.kernel.org/patch/9022371/ actually you should be able to verify this without hardware. The BlueZ userspace package contains tools/mgmt-tester and tools/smp-tester which should both exercise most of the Bluetooth Security Manager (SMP) pieces. Regards Marcel
[PATCH v2 6/8] crypto: caam - handle core endianness != caam endianness
There are SoCs like LS1043A where CAAM endianness (BE) does not match the default endianness of the core (LE). Moreover, there are requirements for the driver to handle cases like CPU_BIG_ENDIAN=y on ARM-based SoCs. This requires a complete rewrite of the I/O accessors. PPC-specific accessors - {in,out}_{le,be}XX - are replaced with generic ones - io{read,write}[be]XX. Endianness is detected dynamically (at runtime) to allow for multiplatform kernels, e.g. running the same kernel image on LS1043A (BE CAAM) and LS2080A (LE CAAM) armv8-based SoCs. While here: debugfs entries need to take into consideration the endianness of the core when displaying data. Add the necessary glue code so the entries remain the same, but they are properly read, regardless of the core and/or SEC endianness. Note: pdb.h fixes only what is currently being used (IPsec). Signed-off-by: Horia Geantă Signed-off-by: Alex Porosanu --- drivers/crypto/caam/Kconfig | 4 - drivers/crypto/caam/caamhash.c| 5 +- drivers/crypto/caam/ctrl.c| 125 +++ drivers/crypto/caam/desc.h| 7 +- drivers/crypto/caam/desc_constr.h | 44 +++ drivers/crypto/caam/jr.c | 22 +++--- drivers/crypto/caam/pdb.h | 137 ++ drivers/crypto/caam/regs.h| 151 +- drivers/crypto/caam/sg_sw_sec4.h | 11 +-- 9 files changed, 340 insertions(+), 166 deletions(-) diff --git a/drivers/crypto/caam/Kconfig b/drivers/crypto/caam/Kconfig index 5652a53415dc..d2c2909a4020 100644 --- a/drivers/crypto/caam/Kconfig +++ b/drivers/crypto/caam/Kconfig @@ -116,10 +116,6 @@ config CRYPTO_DEV_FSL_CAAM_IMX def_bool SOC_IMX6 || SOC_IMX7D depends on CRYPTO_DEV_FSL_CAAM -config CRYPTO_DEV_FSL_CAAM_LE - def_bool CRYPTO_DEV_FSL_CAAM_IMX || SOC_LS1021A - depends on CRYPTO_DEV_FSL_CAAM - config CRYPTO_DEV_FSL_CAAM_DEBUG bool "Enable debug output in CAAM driver" depends on CRYPTO_DEV_FSL_CAAM diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c index 5845d4a08797..f1ecc8df8d41 100644 --- a/drivers/crypto/caam/caamhash.c 
+++ b/drivers/crypto/caam/caamhash.c @@ -847,7 +847,7 @@ static int ahash_update_ctx(struct ahash_request *req) *next_buflen, 0); } else { (edesc->sec4_sg + sec4_sg_src_index - 1)->len |= - SEC4_SG_LEN_FIN; + cpu_to_caam32(SEC4_SG_LEN_FIN); } state->current_buf = !state->current_buf; @@ -949,7 +949,8 @@ static int ahash_final_ctx(struct ahash_request *req) state->buf_dma = try_buf_map_to_sec4_sg(jrdev, edesc->sec4_sg + 1, buf, state->buf_dma, buflen, last_buflen); - (edesc->sec4_sg + sec4_sg_src_index - 1)->len |= SEC4_SG_LEN_FIN; + (edesc->sec4_sg + sec4_sg_src_index - 1)->len |= + cpu_to_caam32(SEC4_SG_LEN_FIN); edesc->sec4_sg_dma = dma_map_single(jrdev, edesc->sec4_sg, sec4_sg_bytes, DMA_TO_DEVICE); diff --git a/drivers/crypto/caam/ctrl.c b/drivers/crypto/caam/ctrl.c index 44d30b45f3cc..1c8e764872ae 100644 --- a/drivers/crypto/caam/ctrl.c +++ b/drivers/crypto/caam/ctrl.c @@ -15,6 +15,9 @@ #include "desc_constr.h" #include "error.h" +bool caam_little_end; +EXPORT_SYMBOL(caam_little_end); + /* * i.MX targets tend to have clock control subsystems that can * enable/disable clocking to our device. @@ -106,7 +109,7 @@ static inline int run_descriptor_deco0(struct device *ctrldev, u32 *desc, if (ctrlpriv->virt_en == 1) { - setbits32(>deco_rsr, DECORSR_JR0); + clrsetbits_32(>deco_rsr, 0, DECORSR_JR0); while (!(rd_reg32(>deco_rsr) & DECORSR_VALID) && --timeout) @@ -115,7 +118,7 @@ static inline int run_descriptor_deco0(struct device *ctrldev, u32 *desc, timeout = 10; } - setbits32(>deco_rq, DECORR_RQD0ENABLE); + clrsetbits_32(>deco_rq, 0, DECORR_RQD0ENABLE); while (!(rd_reg32(>deco_rq) & DECORR_DEN0) && --timeout) 
@@ -123,12 +126,12 @@ static inline int run_descriptor_deco0(struct device *ctrldev, u32 *desc, if (!timeout) { dev_err(ctrldev, "failed to acquire DECO 0\n"); - clrbits32(>deco_rq, DECORR_RQD0ENABLE); + clrsetbits_32(>deco_rq, DECORR_RQD0ENABLE, 0); return -ENODEV; } for (i = 0; i < desc_len(desc); i++) - wr_reg32(>descbuf[i], *(desc + i)); + wr_reg32(>descbuf[i],
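Review bot: the Kconfig hunk drops CRYPTO_DEV_FSL_CAAM_LE, so every remaining `CONFIG_CRYPTO_DEV_FSL_CAAM_LE` reference (regs.h and sg_sw_sec4.h are the likely places; both are in the diffstat) has to go in this same commit, otherwise the series does not build at this point of a bisect. Please say in the commit message that the symbol is gone because endianness is now decided at runtime rather than by SoC selection.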
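Review bot: in both caamhash.c hunks, `->len |= cpu_to_caam32(SEC4_SG_LEN_FIN)` is only right if the `len` field itself is stored in CAAM byte order; the `sec4_sg_ptr->len = len;` and `sec4_sg_ptr->len |= SEC4_SG_LEN_FIN;` lines in sg_sw_sec4.h (visible in patch 5/8) need the same conversion, and that hunk is not shown here. A swapped FIN bit OR-ed into an unswapped length silently corrupts the scatter/gather entry on a BE CAAM, so please confirm the sg_sw_sec4.h part of this patch covers it.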
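Review bot: `bool caam_little_end; EXPORT_SYMBOL(caam_little_end);` in the first ctrl.c hunk adds a module-wide global with no header declaration in view and without showing where it is set from the SSTA read the cover letter describes. Please add a comment at the definition saying it is written once at probe time, before any rd_reg32()/wr_reg32() call, and that all CAAM instances in a system are assumed to share byte order; EXPORT_SYMBOL_GPL is also worth considering since only the driver's own modules need it.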
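Review bot: the run_descriptor_deco0 hunks replace `setbits32(reg, X)` / `clrbits32(reg, X)` with `clrsetbits_32(reg, 0, X)` / `clrsetbits_32(reg, X, 0)`. That is functionally equivalent but the (clear, set) argument order is easy to misread at a call site; thin setbits32/clrbits32 wrappers over the new endian-aware accessor would keep these lines self-describing and shrink the diff.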
Re: [crypto / sparc64] cryptomgr_test OOPS
On 05/05/2016 05:31 PM, Anatoly Pugachev wrote: > do you still want to test it, after I have reported that Herbert's patch works? Maybe you should ack the patch with: Tested-By: Anatoly Pugachev? Adrian -- .''`. John Paul Adrian Glaubitz : :' : Debian Developer - glaub...@debian.org `. `' Freie Universitaet Berlin - glaub...@physik.fu-berlin.de `-GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
[PATCH v2 7/8] crypto: caam - add ARCH_LAYERSCAPE to supported architectures
This basically adds support for the ls1043a platform. Signed-off-by: Horia Geantă --- drivers/crypto/caam/Kconfig | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/crypto/caam/Kconfig b/drivers/crypto/caam/Kconfig index d2c2909a4020..ff54c42e6e51 100644 --- a/drivers/crypto/caam/Kconfig +++ b/drivers/crypto/caam/Kconfig @@ -1,6 +1,6 @@ config CRYPTO_DEV_FSL_CAAM tristate "Freescale CAAM-Multicore driver backend" - depends on FSL_SOC || ARCH_MXC + depends on FSL_SOC || ARCH_MXC || ARCH_LAYERSCAPE help Enables the driver module for Freescale's Cryptographic Accelerator and Assurance Module (CAAM), also known as the SEC version 4 (SEC4). -- 2.4.4
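Review bot: `depends on FSL_SOC || ARCH_MXC || ARCH_LAYERSCAPE` enables the driver for every Layerscape part, including LS2080A whose CAAM the cover letter says is little-endian, while the commit message mentions only ls1043a. Either list the other parts this is expected to work on, or state that the runtime endianness detection from patch 6/8 is what makes a blanket ARCH_LAYERSCAPE dependency safe. Adding `|| COMPILE_TEST` here would also give the new io{read,write}64 paths build coverage on other architectures.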
[PATCH v2 8/8] arm64: dts: ls1043a: add crypto node
LS1043A has a SEC v5.4 security engine. For now don't add rtic or sec_mon subnodes, since these features haven't been tested yet. Signed-off-by: Horia Geantă--- arch/arm64/boot/dts/freescale/fsl-ls1043a-rdb.dts | 4 +++ arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi| 43 +++ 2 files changed, 47 insertions(+) diff --git a/arch/arm64/boot/dts/freescale/fsl-ls1043a-rdb.dts b/arch/arm64/boot/dts/freescale/fsl-ls1043a-rdb.dts index ce235577e90f..9b5b75a4f02a 100644 --- a/arch/arm64/boot/dts/freescale/fsl-ls1043a-rdb.dts +++ b/arch/arm64/boot/dts/freescale/fsl-ls1043a-rdb.dts @@ -49,6 +49,10 @@ / { model = "LS1043A RDB Board"; + + aliases { + crypto = + }; }; { diff --git a/arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi b/arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi index be72bf5b58b5..529c198494d5 100644 --- a/arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi +++ b/arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi 
@@ -159,6 +159,49 @@ big-endian; }; + crypto: crypto@170 { + compatible = "fsl,sec-v5.4", "fsl,sec-v5.0", +"fsl,sec-v4.0"; + fsl,sec-era = <3>; + #address-cells = <1>; + #size-cells = <1>; + ranges = <0x0 0x00 0x170 0x10>; + reg = <0x00 0x170 0x0 0x10>; + interrupts = <0 75 0x4>; + + sec_jr0: jr@1 { + compatible = "fsl,sec-v5.4-job-ring", +"fsl,sec-v5.0-job-ring", +"fsl,sec-v4.0-job-ring"; + reg= <0x1 0x1>; + interrupts = <0 71 0x4>; + }; + + sec_jr1: jr@2 { + compatible = "fsl,sec-v5.4-job-ring", +"fsl,sec-v5.0-job-ring", +"fsl,sec-v4.0-job-ring"; + reg= <0x2 0x1>; + interrupts = <0 72 0x4>; + }; + + sec_jr2: jr@3 { + compatible = "fsl,sec-v5.4-job-ring", +"fsl,sec-v5.0-job-ring", +"fsl,sec-v4.0-job-ring"; + reg= <0x3 0x1>; + interrupts = <0 73 0x4>; + }; + + sec_jr3: jr@4 { + compatible = "fsl,sec-v5.4-job-ring", +"fsl,sec-v5.0-job-ring", +"fsl,sec-v4.0-job-ring"; + reg= <0x4 0x1>; + interrupts = <0 74 0x4>; + }; + }; + dcfg: dcfg@1ee { compatible = "fsl,ls1043a-dcfg", "syscon"; reg = <0x0 0x1ee 0x0 0x1>; -- 2.4.4 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
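Review bot: the `aliases` hunk in fsl-ls1043a-rdb.dts adds a `crypto` alias without saying who consumes it; the driver binds by compatible string, so if nothing reads the alias it should be dropped, and if something does (firmware, a tool) the commit message should name it.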
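Review bot: the `interrupts = <0 75 0x4>` line on the crypto node, and the four job-ring `interrupts` lines, encode the GIC SPI type and level-high trigger as raw numbers; the GIC_SPI and IRQ_TYPE_LEVEL_HIGH macros from dt-bindings/interrupt-controller/arm-gic.h make the intent checkable, as other arm64 dtsi files do. The node also carries no endianness property even though the neighbouring node just above it has `big-endian;`; that is deliberate given the runtime detection in this series, but a one-line comment in the node or the commit message saying so would save the next reader a trip through the driver. Finally, please confirm `fsl,sec-era = <3>` matches what the hardware reports, since a wrong era is not caught by the binding.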
[PATCH v2 0/8] crypto: caam - add support for LS1043A SoC
v2: As suggested by Arnd, patch 1 fixes io{read,write}{16,32}be accessors to prevent the case when {read,write}{w,l} are overridden by arch-specific ones having barriers, while the BE accessors previously mentioned are not (thus behaving differently, having no barriers). Hi, [Patches 2-4 add io{read,write}64[be] accessors (generic, arm64, ppc64), such that CAAM's accessors in regs.h are simplified a bit. Patch 8 adds a crypto node for the LS1043A platform. Let me know if it's ok to go with these through the cryptodev-2.6 tree.] This is a follow-up on the following RFC patch set: crypto: caam - Revamp I/O accessors https://www.mail-archive.com/linux-crypto@vger.kernel.org/msg15878.html There are platforms such as LS1043A (or LS1012A) where core endianness does not match CAAM/SEC endianness (LE vs. BE). Add support in the caam driver for these cases. The current patch set detects device endianness at runtime (as opposed to compile-time endianness), in order to support multiplatform kernels. Detection of device endianness is not device-tree based. Instead, the SSTA ("SEC STAtus") register has a property such that, by reading it in either endianness and masking it properly, it is possible to deduce device endianness. The performance drop due to the runtime detection is < 1.0%. (An alternative implementation using function pointers has been tried, but led to a bigger performance drop.)
Thanks, Horia Cristian Stoica (1): crypto: caam - fix offset field in hw sg entries Horia Geantă (7): asm-generic/io.h: allow barriers in io{read,write}{16,32}be asm-generic/io.h: add io{read,write}64 accessors arm64: add io{read,write}64be accessors powerpc: add io{read,write}64 accessors crypto: caam - handle core endianness != caam endianness crypto: caam - add ARCH_LAYERSCAPE to supported architectures arm64: dts: ls1043a: add crypto node arch/arm64/boot/dts/freescale/fsl-ls1043a-rdb.dts | 4 + arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi| 43 ++ arch/arm64/include/asm/io.h | 4 +- arch/powerpc/kernel/iomap.c | 24 drivers/crypto/caam/Kconfig | 6 +- drivers/crypto/caam/caamhash.c| 5 +- drivers/crypto/caam/ctrl.c| 125 +++--- drivers/crypto/caam/desc.h| 9 +- drivers/crypto/caam/desc_constr.h | 44 --- drivers/crypto/caam/jr.c | 22 ++-- drivers/crypto/caam/pdb.h | 137 +++- drivers/crypto/caam/regs.h| 151 +++--- drivers/crypto/caam/sg_sw_sec4.h | 17 +-- include/asm-generic/io.h | 71 +- include/asm-generic/iomap.h | 8 ++ 15 files changed, 494 insertions(+), 176 deletions(-) -- 2.4.4
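The runtime detection the cover letter describes, modelled in user-space C as an added example (this is not code from the series or from the caam driver): a status register is read raw, the value and its byte-swapped form are both tested against a signature mask, and whichever one matches says whether device and host share byte order. The signature layout (0x5A in bits 31..24), the sample register images, and all function names are assumptions made for this example; the real SSTA bit definitions are not on the page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical status-register layout, used for this example only:
 * bits 31..24 always read back as the signature 0x5A, bits 23..0 are
 * don't-care. The real SSTA bit assignments are not reproduced here.
 */
#define STA_SIG_MASK 0xFF000000u
#define STA_SIG      0x5A000000u

/* Constructed register images: the bytes as they sit in the MMIO window. */
const uint8_t sample_sta_le[4]        = {0x23, 0x01, 0x00, 0x5A}; /* LE device, value 0x5A000123 */
const uint8_t sample_sta_be[4]        = {0x5A, 0x00, 0x01, 0x23}; /* BE device, same value       */
const uint8_t sample_sta_ambiguous[4] = {0x5A, 0x5A, 0x5A, 0x5A}; /* signature matches both ways */
const uint8_t sample_sta_blank[4]     = {0x00, 0x00, 0x00, 0x00}; /* signature matches neither   */
const uint8_t sample_val_be[4]        = {0x12, 0x34, 0x56, 0x78}; /* 0x12345678 stored BE        */
const uint8_t sample_val_le[4]        = {0x78, 0x56, 0x34, 0x12}; /* 0x12345678 stored LE        */

static bool host_is_little_endian(void)
{
	const uint16_t probe = 0x0001;
	uint8_t first;

	memcpy(&first, &probe, 1);
	return first == 0x01;
}

static uint32_t bswap32(uint32_t v)
{
	return ((v & 0x000000FFu) << 24) | ((v & 0x0000FF00u) << 8) |
	       ((v & 0x00FF0000u) >> 8)  | ((v & 0xFF000000u) >> 24);
}

/* Stands in for __raw_readl(): register bytes reinterpreted in host order, no swap. */
static uint32_t raw_read32(const uint8_t reg[4])
{
	uint32_t v;

	memcpy(&v, reg, sizeof(v));
	return v;
}

/*
 * Run once at probe time. Returns 1 if the device is little-endian, 0 if
 * big-endian, and -1 if the signature matched in both orientations or in
 * neither, in which case the result cannot be trusted and a real driver
 * should refuse to bind rather than guess.
 */
int detect_device_little_endian(const uint8_t status_reg[4])
{
	uint32_t v = raw_read32(status_reg);
	bool as_is = (v & STA_SIG_MASK) == STA_SIG;
	bool swapped = (bswap32(v) & STA_SIG_MASK) == STA_SIG;

	if (as_is == swapped)
		return -1;
	/* A raw match means device and host already share byte order. */
	return (as_is == host_is_little_endian()) ? 1 : 0;
}

/* Stands in for rd_reg32() once the flag is known: swap only when device and host disagree. */
uint32_t dev_read32(const uint8_t reg[4], bool dev_little_endian)
{
	uint32_t v = raw_read32(reg);

	return (dev_little_endian == host_is_little_endian()) ? v : bswap32(v);
}

int main(void)
{
	int le = detect_device_little_endian(sample_sta_be);

	if (le < 0) {
		puts("cannot determine device endianness, refusing to bind");
		return 1;
	}
	printf("device is %s-endian, status=0x%08x\n", le ? "little" : "big",
	       dev_read32(sample_sta_be, le == 1));
	return 0;
}
```

The two ambiguous outcomes are the ones worth a test: a register whose signature matches in both orientations, or in neither, gives no information, and a driver that picks a default there will build descriptors in the wrong byte order without any error. With a real register the mask is chosen so that both orientations cannot match at once.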
[PATCH v2 4/8] powerpc: add io{read,write}64 accessors
This will allow device drivers to consistently use io{read,write}XX also for 64-bit accesses. Signed-off-by: Horia Geantă--- arch/powerpc/kernel/iomap.c | 24 1 file changed, 24 insertions(+) diff --git a/arch/powerpc/kernel/iomap.c b/arch/powerpc/kernel/iomap.c index 12e48d56f771..3963f0b68d52 100644 --- a/arch/powerpc/kernel/iomap.c +++ b/arch/powerpc/kernel/iomap.c @@ -38,6 +38,18 @@ EXPORT_SYMBOL(ioread16); EXPORT_SYMBOL(ioread16be); EXPORT_SYMBOL(ioread32); EXPORT_SYMBOL(ioread32be); +#ifdef __powerpc64__ +u64 ioread64(void __iomem *addr) +{ + return readq(addr); +} +u64 ioread64be(void __iomem *addr) +{ + return readq_be(addr); +} +EXPORT_SYMBOL(ioread64); +EXPORT_SYMBOL(ioread64be); +#endif /* __powerpc64__ */ void iowrite8(u8 val, void __iomem *addr) { @@ -64,6 +76,18 @@ EXPORT_SYMBOL(iowrite16); EXPORT_SYMBOL(iowrite16be); EXPORT_SYMBOL(iowrite32); EXPORT_SYMBOL(iowrite32be); +#ifdef __powerpc64__ +void iowrite64(u64 val, void __iomem *addr) +{ + writeq(val, addr); +} +void iowrite64be(u64 val, void __iomem *addr) +{ + writeq_be(val, addr); +} +EXPORT_SYMBOL(iowrite64); +EXPORT_SYMBOL(iowrite64be); +#endif /* __powerpc64__ */ /* * These are the "repeat read/write" functions. Note the -- 2.4.4 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
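Review bot: the new ioread64/ioread64be/iowrite64/iowrite64be are guarded by `#ifdef __powerpc64__`, which lines up with the `#ifdef CONFIG_64BIT` guards on the asm-generic/iomap.h declarations in patch 2/8, but the commit message should say so and note that 32-bit powerpc deliberately gets no 64-bit iomap accessors. The bodies rely on `readq_be`/`writeq_be` being available for every powerpc64 configuration that builds this file; please double-check that, and keep a blank line between each function and the EXPORT_SYMBOL pair that follows it, matching the surrounding style.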
[PATCH v2 5/8] crypto: caam - fix offset field in hw sg entries
From: Cristian StoicaThe offset field is 13 bits wide; make sure we don't overwrite more than that in the caam hardware scatter gather structure. Signed-off-by: Cristian Stoica Signed-off-by: Horia Geantă --- drivers/crypto/caam/desc.h | 2 +- drivers/crypto/caam/sg_sw_sec4.h | 8 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/drivers/crypto/caam/desc.h b/drivers/crypto/caam/desc.h index 1e93c6af2275..fe30ff69088c 100644 --- a/drivers/crypto/caam/desc.h +++ b/drivers/crypto/caam/desc.h @@ -20,7 +20,7 @@ #define SEC4_SG_BPID_MASK 0x00ff #define SEC4_SG_BPID_SHIFT 16 #define SEC4_SG_LEN_MASK 0x3fff /* Excludes EXT and FINAL */ -#define SEC4_SG_OFFS_MASK 0x1fff +#define SEC4_SG_OFFSET_MASK0x1fff struct sec4_sg_entry { #ifdef CONFIG_CRYPTO_DEV_FSL_CAAM_IMX diff --git a/drivers/crypto/caam/sg_sw_sec4.h b/drivers/crypto/caam/sg_sw_sec4.h index 12ec6616e89d..2311341b7356 100644 --- a/drivers/crypto/caam/sg_sw_sec4.h +++ b/drivers/crypto/caam/sg_sw_sec4.h @@ -11,12 +11,12 @@ struct sec4_sg_entry; * convert single dma address to h/w link table format */ static inline void dma_to_sec4_sg_one(struct sec4_sg_entry *sec4_sg_ptr, - dma_addr_t dma, u32 len, u32 offset) + dma_addr_t dma, u32 len, u16 offset) { sec4_sg_ptr->ptr = dma; sec4_sg_ptr->len = len; sec4_sg_ptr->buf_pool_id = 0; - sec4_sg_ptr->offset = offset; + sec4_sg_ptr->offset = offset & SEC4_SG_OFFSET_MASK; #ifdef DEBUG print_hex_dump(KERN_ERR, "sec4_sg_ptr@: ", DUMP_PREFIX_ADDRESS, 16, 4, sec4_sg_ptr, @@ -30,7 +30,7 @@ static inline void dma_to_sec4_sg_one(struct sec4_sg_entry *sec4_sg_ptr, */ static inline struct sec4_sg_entry * sg_to_sec4_sg(struct scatterlist *sg, int sg_count, - struct sec4_sg_entry *sec4_sg_ptr, u32 offset) + struct sec4_sg_entry *sec4_sg_ptr, u16 offset) { while (sg_count) { dma_to_sec4_sg_one(sec4_sg_ptr, sg_dma_address(sg), 
@@ -48,7 +48,7 @@ sg_to_sec4_sg(struct scatterlist *sg, int sg_count, */ static inline void sg_to_sec4_sg_last(struct scatterlist *sg, int sg_count, struct sec4_sg_entry *sec4_sg_ptr, - u32 offset) + u16 offset) { sec4_sg_ptr = sg_to_sec4_sg(sg, sg_count, sec4_sg_ptr, offset); sec4_sg_ptr->len |= SEC4_SG_LEN_FIN; -- 2.4.4 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
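Review bot: renaming SEC4_SG_OFFS_MASK to SEC4_SG_OFFSET_MASK in desc.h is unrelated to the fix; if any other file still uses the old name this commit breaks the build mid-bisect, and if none does the rename belongs in a separate cleanup so the bug fix stays minimal and backportable.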
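Review bot: `sec4_sg_ptr->offset = offset & SEC4_SG_OFFSET_MASK;` in dma_to_sec4_sg_one silently truncates any offset above 0x1fff, so a caller bug becomes the hardware DMAing from the wrong place in the buffer instead of a visible failure. A `WARN_ON_ONCE(offset & ~SEC4_SG_OFFSET_MASK)` before the assignment (or an error return from the callers) would surface it. Narrowing the parameters from u32 to u16 in sg_to_sec4_sg and sg_to_sec4_sg_last is fine, but values up to 0xffff still fit a u16, so the commit message should not imply the type change enforces the 13-bit limit.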
[PATCH v2 3/8] arm64: add io{read,write}64be accessors
This will allow device drivers to consistently use io{read,write}XXbe also for 64-bit accesses. Signed-off-by: Alex PorosanuSigned-off-by: Horia Geantă --- arch/arm64/include/asm/io.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/arch/arm64/include/asm/io.h b/arch/arm64/include/asm/io.h index 44be1e03ed65..9b6e408cfa51 100644 --- a/arch/arm64/include/asm/io.h +++ b/arch/arm64/include/asm/io.h @@ -174,13 +174,15 @@ extern void __iomem *ioremap_cache(phys_addr_t phys_addr, size_t size); #define iounmap__iounmap /* - * io{read,write}{16,32}be() macros + * io{read,write}{16,32,64}be() macros */ #define ioread16be(p) ({ __u16 __v = be16_to_cpu((__force __be16)__raw_readw(p)); __iormb(); __v; }) #define ioread32be(p) ({ __u32 __v = be32_to_cpu((__force __be32)__raw_readl(p)); __iormb(); __v; }) +#define ioread64be(p) ({ __u64 __v = be64_to_cpu((__force __be64)__raw_readq(p)); __iormb(); __v; }) #define iowrite16be(v,p) ({ __iowmb(); __raw_writew((__force __u16)cpu_to_be16(v), p); }) #define iowrite32be(v,p) ({ __iowmb(); __raw_writel((__force __u32)cpu_to_be32(v), p); }) +#define iowrite64be(v,p) ({ __iowmb(); __raw_writeq((__force __u64)cpu_to_be64(v), p); }) /* * Convert a physical pointer to a virtual kernel pointer for /dev/mem -- 2.4.4 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
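Review bot: ioread64be/iowrite64be mirror the existing 16/32 macros exactly (`__raw_readq` followed by `__iormb()`, `__iowmb()` before `__raw_writeq`), so the barrier semantics match. They only take precedence over the asm-generic versions from patch 2/8 if they are defined before `<asm-generic/io.h>` is included in this header, so please confirm the include order, and mention in the commit message that arm64 does not add ioread64/iowrite64 (LE) here because it takes those from asm-generic.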
[PATCH v2 2/8] asm-generic/io.h: add io{read,write}64 accessors
This will allow device drivers to consistently use io{read,write}XX also for 64-bit accesses. Signed-off-by: Horia Geantă--- include/asm-generic/io.h| 63 + include/asm-generic/iomap.h | 8 ++ 2 files changed, 71 insertions(+) diff --git a/include/asm-generic/io.h b/include/asm-generic/io.h index b79fb2c248a1..2af6ea95762d 100644 --- a/include/asm-generic/io.h +++ b/include/asm-generic/io.h @@ -585,6 +585,16 @@ static inline u32 ioread32(const volatile void __iomem *addr) } #endif +#ifdef CONFIG_64BIT +#ifndef ioread64 +#define ioread64 ioread64 +static inline u64 ioread64(const volatile void __iomem *addr) +{ + return readq(addr); +} +#endif +#endif /* CONFIG_64BIT */ + #ifndef iowrite8 #define iowrite8 iowrite8 static inline void iowrite8(u8 value, volatile void __iomem *addr) @@ -609,6 +619,16 @@ static inline void iowrite32(u32 value, volatile void __iomem *addr) } #endif +#ifdef CONFIG_64BIT +#ifndef iowrite64 +#define iowrite64 iowrite64 +static inline void iowrite64(u64 value, volatile void __iomem *addr) +{ + writeq(value, addr); +} +#endif +#endif /* CONFIG_64BIT */ + #ifndef ioread16be #define ioread16be ioread16be static inline u16 ioread16be(const volatile void __iomem *addr) @@ -625,6 +645,16 @@ static inline u32 ioread32be(const volatile void __iomem *addr) } #endif +#ifdef CONFIG_64BIT +#ifndef ioread64be +#define ioread64be ioread64be +static inline u64 ioread64be(const volatile void __iomem *addr) +{ + return swab64(readq(addr)); +} +#endif +#endif /* CONFIG_64BIT */ + #ifndef iowrite16be #define iowrite16be iowrite16be static inline void iowrite16be(u16 value, void volatile __iomem *addr) 
@@ -641,6 +671,16 @@ static inline void iowrite32be(u32 value, volatile void __iomem *addr) } #endif +#ifdef CONFIG_64BIT +#ifndef iowrite64be +#define iowrite64be iowrite64be +static inline void iowrite64be(u64 value, volatile void __iomem *addr) +{ + writeq(swab64(value), addr); +} +#endif +#endif /* CONFIG_64BIT */ + #ifndef ioread8_rep #define ioread8_rep ioread8_rep static inline void ioread8_rep(const volatile void __iomem *addr, void *buffer, @@ -668,6 +708,17 @@ static inline void ioread32_rep(const volatile void __iomem *addr, } #endif +#ifdef CONFIG_64BIT +#ifndef ioread64_rep +#define ioread64_rep ioread64_rep +static inline void ioread64_rep(const volatile void __iomem *addr, + void *buffer, unsigned int count) +{ + readsq(addr, buffer, count); +} +#endif +#endif /* CONFIG_64BIT */ + #ifndef iowrite8_rep #define iowrite8_rep iowrite8_rep static inline void iowrite8_rep(volatile void __iomem *addr, @@ -697,6 +748,18 @@ static inline void iowrite32_rep(volatile void __iomem *addr, writesl(addr, buffer, count); } #endif + +#ifdef CONFIG_64BIT +#ifndef iowrite64_rep +#define iowrite64_rep iowrite64_rep +static inline void iowrite64_rep(volatile void __iomem *addr, +const void *buffer, +unsigned int count) +{ + writesq(addr, buffer, count); +} +#endif +#endif /* CONFIG_64BIT */ #endif /* CONFIG_GENERIC_IOMAP */ #ifdef __KERNEL__ diff --git a/include/asm-generic/iomap.h b/include/asm-generic/iomap.h index d8f8622fa044..650fede33c25 100644 --- a/include/asm-generic/iomap.h +++ b/include/asm-generic/iomap.h 
@@ -30,12 +30,20 @@ extern unsigned int ioread16(void __iomem *); extern unsigned int ioread16be(void __iomem *); extern unsigned int ioread32(void __iomem *); extern unsigned int ioread32be(void __iomem *); +#ifdef CONFIG_64BIT +extern u64 ioread64(void __iomem *); +extern u64 ioread64be(void __iomem *); +#endif extern void iowrite8(u8, void __iomem *); extern void iowrite16(u16, void __iomem *); extern void iowrite16be(u16, void __iomem *); extern void iowrite32(u32, void __iomem *); extern void iowrite32be(u32, void __iomem *); +#ifdef CONFIG_64BIT +extern void iowrite64(u64, void __iomem *); +extern void iowrite64be(u64, void __iomem *); +#endif /* * "string" versions of the above. Note that they -- 2.4.4 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
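Review bot: `ioread64be` as `swab64(readq(addr))` is correct on both host endiannesses (readq already yields a CPU-order value from a little-endian register, so one swap produces the big-endian reading) and matches the readl-based 16/32 forms that patch 1/8 changes to. The six separate `#ifdef CONFIG_64BIT ... #endif` islands in io.h could be folded into one per group (plain, be, rep) to reduce noise, and the rep helpers assume `readsq`/`writesq` exist wherever this file provides readq; please check that holds for the architectures that pick these up.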
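Review bot: the iomap.h hunk declares `ioread64`/`ioread64be`/`iowrite64`/`iowrite64be` as `extern` under CONFIG_64BIT, but the cover letter's diffstat touches no lib/iomap.c, which is where the GENERIC_IOMAP definitions of ioread32be and friends live. A 64-bit architecture using GENERIC_IOMAP (x86 among them) whose driver calls these will get an undefined-symbol link error. Either add the lib/iomap.c definitions in this series or state that only powerpc (patch 4/8) provides them for now. The `u64` return type also differs from the `unsigned int` of the neighbouring declarations; unavoidable for 64-bit values, but worth a comment.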
Re: [crypto / sparc64] cryptomgr_test OOPS
On Thu, May 5, 2016 at 6:00 PM, Tadeusz Struk wrote: > On 05/05/2016 02:40 AM, Anatoly Pugachev wrote: >> sure, based on your cryptodev git, just tried 4.3 (6a13feb , good) >> kernel in attempt to find (bisect) when RSA code breaks, already tested >> 4.5 (44d1b6d , bad) , 4.4 (afd2ff9 , bad). >> Going to try your patch soon (when I'm back home). >> So far 4.3 passes RSA stage without OOPS, but for another reason does >> not boot to login prompt. Boot log excerpt (4.3), this is with >> CONFIG_CRYPTO_RSA=y : > > Anatoly, could you also give this a try please: > Thanks > > diff --git a/crypto/testmgr.c b/crypto/testmgr.c > index b86883a..770970ff 100644 > --- a/crypto/testmgr.c > +++ b/crypto/testmgr.c > @@ -1805,8 +1805,8 @@ static int do_test_rsa(struct crypto_akcipher *tfm, > goto free_req; > > sg_init_table(src_tab, 2); > - sg_set_buf(_tab[0], vecs->m, 8); > - sg_set_buf(_tab[1], vecs->m + 8, vecs->m_size - 8); > + sg_set_buf(_tab[0], vecs->m, 4); > + sg_set_buf(_tab[1], vecs->m + 4, vecs->m_size - 4); > sg_init_one(, outbuf_enc, out_len_max); > akcipher_request_set_crypt(req, src_tab, , vecs->m_size, >out_len_max); Tadeusz, do you still want to test it, after I have reported that Herbert's patch works? Thanks.
Re: [crypto / sparc64] cryptomgr_test OOPS
On 05/05/2016 05:12 PM, Anatoly Pugachev wrote: > this patch, applied to your cryptodev git kernel, fixes OOPS and my > debian sparc64 installation boots successfully: Awesome to hear, thanks for investigating and fixing this :). Adrian -- .''`. John Paul Adrian Glaubitz : :' : Debian Developer - glaub...@debian.org `. `' Freie Universitaet Berlin - glaub...@physik.fu-berlin.de `-GPG: 62FF 8A75 84E0 2956 9546 0006 7426 3B37 F5B5 F913
Re: [crypto / sparc64] cryptomgr_test OOPS
On Thu, May 5, 2016 at 11:42 AM, Herbert Xuwrote: > On Wed, May 04, 2016 at 05:49:04PM +0300, Anatoly Pugachev wrote: >> >> just tested cryptodev ( >> http://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git >> ) kernel, same OOPS, but kernel version is 4.6.0-rc2+ . >> kernel OOPS message - https://paste.fedoraproject.org/362554/23732641/ > > Anatoly, could you please test this patch on top of cryptodev? > Thanks! > > ---8<--- > Subject: crypto: testmgr - Use kmalloc memory for RSA input > > As akcipher uses an SG interface, you must not use vmalloc memory > as input for it. This patch fixes testmgr to copy the vmalloc > test vectors to kmalloc memory before running the test. > > This patch also removes a superfluous sg_virt call in do_test_rsa. Herbert, this patch, applied to your cryptodev git kernel, fixes OOPS and my debian sparc64 installation boots successfully: [5684721.625447] Unpacking initramfs... [5684721.858235] Freeing initrd memory: 11720K (fff800203400 - fff8002034b72000) [5684721.867127] futex hash table entries: 65536 (order: 9, 4194304 bytes) [5684721.868551] audit: initializing netlink subsys (disabled) [5684721.868640] audit: type=2000 audit(0.476:1): initialized [5684721.868868] Initialise system trusted keyring [5684721.869765] workingset: timestamp_bits=45 max_order=21 bucket_order=0 [5684721.869879] zbud: loaded [5684721.920120] Key type asymmetric registered [5684721.920173] Asymmetric key parser 'x509' registered [5684721.920582] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 252) [5684721.921249] io scheduler noop registered [5684721.921297] io scheduler deadline registered [5684721.921628] io scheduler cfq registered (default) [5684721.922101] f029b808: ttyS0 at I/O 0x0 (irq = 1, base_baud = 115200) is a SUN4V HCONS [5684721.922352] console [ttyHV0] enabled [5684721.923480] sunvdc.c:v1.2 (November 24, 2014) Thanks. 
Re: [crypto / sparc64] cryptomgr_test OOPS
On 05/05/2016 02:40 AM, Anatoly Pugachev wrote: > sure, based on your cryptodev git, just tried 4.3 (6a13feb , good) > kernel in attempt to find (bisect) when RSA code breaks, already tested > 4.5 (44d1b6d , bad) , 4.4 (afd2ff9 , bad). > Going to try your patch soon (when I'm back home). > So far 4.3 passes RSA stage without OOPS, but for another reason does > not boot to login prompt. Boot log excerpt (4.3), this is with > CONFIG_CRYPTO_RSA=y : Anatoly, could you also give this a try please: Thanks diff --git a/crypto/testmgr.c b/crypto/testmgr.c index b86883a..770970ff 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -1805,8 +1805,8 @@ static int do_test_rsa(struct crypto_akcipher *tfm, goto free_req; sg_init_table(src_tab, 2); - sg_set_buf(_tab[0], vecs->m, 8); - sg_set_buf(_tab[1], vecs->m + 8, vecs->m_size - 8); + sg_set_buf(_tab[0], vecs->m, 4); + sg_set_buf(_tab[1], vecs->m + 4, vecs->m_size - 4); sg_init_one(, outbuf_enc, out_len_max); akcipher_request_set_crypt(req, src_tab, , vecs->m_size, out_len_max); -- TS
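Review bot: changing the split in do_test_rsa from 8/(m_size - 8) to 4/(m_size - 4) only moves the boundary between the two scatterlist entries; it does not touch what Herbert's patch in this thread identifies as the cause, namely that `vecs->m` is vmalloc memory while akcipher's SG interface needs kmalloc (page-backed) input. As an alignment probe it is useful, but the request should say it is a diagnostic rather than a proposed fix, so the result is not mistaken for one when the split happens to avoid the crash.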
[PATCH] crypto: vmx - comply with ABIs that specify vrsave as reserved.
It gives significant improvements ( ~+15%) on some modes. This code has been adopted from the OpenSSL project in collaboration with the original author (Andy Polyakov). Signed-off-by: Paulo Flabiano Smorigo --- drivers/crypto/vmx/ppc-xlate.pl | 20 1 file changed, 20 insertions(+) diff --git a/drivers/crypto/vmx/ppc-xlate.pl b/drivers/crypto/vmx/ppc-xlate.pl index b999733..9f4994c 100644 --- a/drivers/crypto/vmx/ppc-xlate.pl +++ b/drivers/crypto/vmx/ppc-xlate.pl @@ -139,6 +139,26 @@ my $vmr = sub { " vor $vx,$vy,$vy"; }; +# Some ABIs specify vrsave, special-purpose register #256, as reserved +# for system use. +my $no_vrsave = ($flavour =~ /aix|linux64le/); +my $mtspr = sub { +my ($f,$idx,$ra) = @_; +if ($idx == 256 && $no_vrsave) { + " or $ra,$ra,$ra"; +} else { + " mtspr $idx,$ra"; +} +}; +my $mfspr = sub { +my ($f,$rd,$idx) = @_; +if ($idx == 256 && $no_vrsave) { + " li $rd,-1"; +} else { + " mfspr $rd,$idx"; +} +}; + # PowerISA 2.06 stuff sub vsxmem_op { my ($f, $vrt, $ra, $rb, $op) = @_; -- 2.5.5
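Review bot: the `$mtspr`/`$mfspr` overrides special-case only SPR 256 and key off `$flavour =~ /aix|linux64le/`; the commit message should name the ABI documents that reserve vrsave (presumably ELFv2 for linux64le) and say why big-endian linux64 keeps the real instructions. Replacing `mfspr rd,256` with `li rd,-1` makes the caller believe every vector register is live, which is harmless only because the matching `mtspr 256,ra` becomes `or ra,ra,ra` (a nop); a comment stating that the two substitutions must stay paired would stop a later change to one without the other. The "~+15%" claim should also say which modes and which machine it was measured on.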
Re: [PATCH 1/4] random: replace non-blocking pool with a Chacha20-based CRNG
On Wed, May 04, 2016 at 09:10:07PM -0400, Theodore Ts'o wrote: > On Wed, May 04, 2016 at 10:28:24PM +0200, Stephan Mueller wrote: > > > +out: > > > + spin_unlock_irqrestore(_crng.lock, flags); > > > + return ret; > > > > Where did you add the memzero_explict of tmp? > > Oops, sorry, somehow that change got lost in the patch updates. Fixed now. Since that was the only change, instead of sending out the patch series again, I've just updated it at: git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random.git dev - Ted
Re: [PATCH 1/7] asm-generic/io.h: add io{read,write}64 accessors
On Thursday 05 May 2016 04:26 PM, Arnd Bergmann wrote: > On Thursday 05 May 2016 08:16:47 Vineet Gupta wrote: >> > Thx for noticing this Arnd and the heads up. Does the patch below look ok >> > to you ? >> > >> > ---> >> > rom b7e719831c389ab4fa338b2e2e7c0d1ff90dabb0 Mon Sep 17 00:00:00 2001 >> > From: Vineet Gupta>> > Date: Thu, 5 May 2016 13:32:34 +0530 >> > Subject: [PATCH] ARC: Add missing io barriers to io{read,write}{16,32}be() >> > >> > While reviewing a different change to asm-generic/io.h Arnd spotted that >> > ARC ioread32 and ioread32be both of which come from asm-generic versions >> > are not symmetrical in terms of calling the io barriers. >> > >> > generic ioread32 -> ARC readl() [ has barriers] >> > generic ioread32be -> __be32_to_cpu(__raw_readl()) [ lacks barriers] >> > >> > While generic ioread32be is being remediated to call readl(), that involves >> > a swab32(), causing double swaps on ioread32be() on Big Endian systems. >> > >> > So provide our versions of big endian IO accessors to ensure io barrier >> > calls while also keeping them optimal >> > >> > Suggested-by: Arnd Bergmann >> > Cc: sta...@vger.kernel.org [4.2+] >> > Signed-off-by: Vineet Gupta > > Yes, that looks correct. We probably want this regardless of the change > I proposed for the generic file, to avoid the double swap. Indeed so - I've queued this for 4.6 fixes ! > Acked-by: Arnd Bergmann Thx !
RE: [PATCH] crypto: rsa - return raw integer for the ASN.1 parser
Hi Herbert, This is related to the suggestion to move the DMA primitives in the driver. Please see inline. > -Original Message- > From: Tudor Ambarus [mailto:tudor-dan.amba...@nxp.com] > Sent: Friday, April 29, 2016 3:52 PM > To: herb...@gondor.apana.org.au > Cc: linux-crypto@vger.kernel.org; Tudor-Dan Ambarus > Subject: [PATCH] crypto: rsa - return raw integer for the ASN.1 parser > > Return the raw integer with no other processing. > The scope is to have only one ANS.1 parser for the RSA keys. > > Update the RSA software implementation so that it does > the MPI conversion on top. > > Signed-off-by: Tudor Ambarus> --- > crypto/rsa.c | 122 ++- > crypto/rsa_helper.c | 224 -- > > include/crypto/internal/rsa.h | 41 +++- > 3 files changed, 287 insertions(+), 100 deletions(-) > > diff --git a/crypto/rsa_helper.c b/crypto/rsa_helper.c > index d226f48..492f37f 100644 > --- a/crypto/rsa_helper.c > +++ b/crypto/rsa_helper.c 
> @@ -14,136 +14,256 @@ > int rsa_get_n(void *context, size_t hdrlen, unsigned char tag, > const void *value, size_t vlen) > { > - struct rsa_key *key = context; > + struct rsa_ctx *ctx = context; > + struct rsa_key *key = >key; > + const char *ptr = value; > + int ret = -EINVAL; > > - key->n = mpi_read_raw_data(value, vlen); > - > - if (!key->n) > - return -ENOMEM; > + while (!*ptr && vlen) { > + ptr++; > + vlen--; > + } > > + key->n_sz = vlen; > /* In FIPS mode only allow key size 2K & 3K */ > - if (fips_enabled && (mpi_get_size(key->n) != 256 && > - mpi_get_size(key->n) != 384)) { > - pr_err("RSA: key size not allowed in FIPS mode\n"); > - mpi_free(key->n); > - key->n = NULL; > - return -EINVAL; > + if (fips_enabled && (key->n_sz != 256 && key->n_sz != 384)) { > + dev_err(ctx->dev, "RSA: key size not allowed in FIPS mode\n"); > + goto err; > } > + /* invalid key size provided */ > + ret = rsa_check_key_length(key->n_sz << 3); > + if (ret) > + goto err; > + > + if (key->coherent) > + key->n = dma_zalloc_coherent(ctx->dev, key->n_sz, >dma_n, > + key->flags); > + else > + key->n = kzalloc(key->n_sz, key->flags); RSA hw implementations that can't enforce hardware coherency may want to enforce software coherency. As we want a single ASN.1 parser for all implementations, we need to cover all the cases. One solution would be to use a common rsa_ctx structure for all implementations so that the parser's functions can dereference the key and allocate memory as needed by the user. Other solution is to move all the device related variables to the driver, and enforce the software coherency there, by allocating new key members and copying the parsed data to them. > + > + if (!key->n) { > + ret = -ENOMEM; > + goto err; > + } > + > + memcpy(key->n, ptr, key->n_sz); > + > return 0; > +err: > + key->n_sz = 0; > + key->n = NULL; > + return ret; > } > > diff --git a/include/crypto/internal/rsa.h b/include/crypto/internal/rsa.h > index c7585bd..a0a7431 100644 
> --- a/include/crypto/internal/rsa.h > +++ b/include/crypto/internal/rsa.h > @@ -14,19 +14,52 @@ > #define _RSA_HELPER_ > #include > > +/** > + * rsa_key - RSA key structure > + * @n : RSA modulus raw byte stream > + * @e : RSA public exponent raw byte stream > + * @d : RSA private exponent raw byte stream > + * @dma_n : DMA address of RSA modulus > + * @dma_e : DMA address of RSA public exponent > + * @dma_d : DMA address of RSA private exponent > + * @n_sz: length in bytes of RSA modulus n > + * @e_sz: length in bytes of RSA public exponent > + * @coherent: set true to enforce software coherency for all key > members > + * @flags : gfp_t key allocation flags > + */ > struct rsa_key { > + u8 *n; > + u8 *e; > + u8 *d; > + dma_addr_t dma_n; > + dma_addr_t dma_e; > + dma_addr_t dma_d; > + size_t n_sz; > + size_t e_sz; > + bool coherent; > + gfp_t flags; > +}; > + > +struct rsa_mpi_key { > MPI n; > MPI e; > MPI d; > }; > > +struct rsa_ctx { > + struct rsa_key key; > + struct rsa_mpi_key mpi_key; > + struct device *dev; > +}; If we go with the first solution we can move all the device related variables to the rsa_ctx structure: struct rsa_key { u8 *n; u8 *e; u8 *d; size_t n_sz; size_t e_sz; gfp_t flags; }; struct rsa_mpi_key { MPI n; MPI e; MPI d; }; struct rsa_ctx { struct rsa_key key; struct rsa_mpi_key mpi_key;
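Review bot: in the rsa_get_n() hunk, the leading-zero loop `while (!*ptr && vlen)` dereferences ptr before checking vlen, so a zero-length INTEGER value reads one byte it is not entitled to; swap the operands (`while (vlen && !*ptr)`). The err: label sets key->n = NULL without freeing anything, which is only correct because every goto err today precedes the allocation; any check added after the memcpy() would have to free n (with dma_free_coherent() or kfree() depending on key->coherent) first. dev_err(ctx->dev, ...) also assumes every caller of the shared parser fills in ctx->dev; for a software implementation with a NULL dev it just prints "(NULL device *)", so pr_err() is the better fit in code meant to be the single parser for all implementations.

Review bot: in the rsa.h hunk, struct rsa_key gains d and dma_d but no d_sz, so a raw private exponent cannot be described with this layout; the kernel-doc block above the struct omits it as well. The @coherent description ("set true to enforce software coherency for all key members") is the reverse of what rsa_get_n() does with the flag: coherent == true selects dma_zalloc_coherent(), i.e. hardware-coherent DMA memory, and false selects plain kzalloc(). Fix either the comment or the polarity, whichever is intended.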
Re: [PATCH 1/7] asm-generic/io.h: add io{read,write}64 accessors
On Thursday 05 May 2016 08:16:47 Vineet Gupta wrote: > Thx for noticing this Arnd and the heads up. Does the patch below look ok to > you ? > > ---> > From b7e719831c389ab4fa338b2e2e7c0d1ff90dabb0 Mon Sep 17 00:00:00 2001 > From: Vineet Gupta> Date: Thu, 5 May 2016 13:32:34 +0530 > Subject: [PATCH] ARC: Add missing io barriers to io{read,write}{16,32}be() > > While reviewing a different change to asm-generic/io.h Arnd spotted that > ARC ioread32 and ioread32be both of which come from asm-generic versions > are not symmetrical in terms of calling the io barriers. > > generic ioread32 -> ARC readl() [ has barriers] > generic ioread32be -> __be32_to_cpu(__raw_readl()) [ lacks barriers] > > While generic ioread32be is being remediated to call readl(), that involves > a swab32(), causing double swaps on ioread32be() on Big Endian systems. > > So provide our versions of big endian IO accessors to ensure io barrier > calls while also keeping them optimal > > Suggested-by: Arnd Bergmann > Cc: sta...@vger.kernel.org [4.2+] > Signed-off-by: Vineet Gupta Yes, that looks correct. We probably want this regardless of the change I proposed for the generic file, to avoid the double swap. Acked-by: Arnd Bergmann -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [RFC PATCH 2/5] KEYS: Provide keyctls to drive the new key type ops for asymmetric keys
I've pushed a fix to #include in keyctl_pkey.c into the git tree. David -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [crypto / sparc64] cryptomgr_test OOPS
On Thu, May 05, 2016 at 12:40:18PM +0300, Anatoly Pugachev wrote: > > sure, based on your cryptodev git, just tried 4.3 (6a13feb , good) > kernel in attempt to find (bisect) when RSA code break, already tested > 4.5 (44d1b6d , bad) , 4.4 (afd2ff9 , bad). > Going to try your patch soon (when I'm back home). > So far 4.3 passes RSA stage without OOPS, but for other reason does > not boot to login prompt. Boot log excerpt (4.3), this is with > CONFIG_CRYPTO_RSA=y : That jibes with this being a problem with the SG list since it was only added in 4.4. Cheers, -- Email: Herbert XuHome Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [crypto / sparc64] cryptomgr_test OOPS
On Thu, May 5, 2016 at 11:42 AM, Herbert Xuwrote: > On Wed, May 04, 2016 at 05:49:04PM +0300, Anatoly Pugachev wrote: >> >> just tested cryptodev ( >> http://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git >> ) kernel, same OOPS, but kernel version is 4.6.0-rc2+ . >> kernel OOPS message - https://paste.fedoraproject.org/362554/23732641/ > > Anatoly, could you please test this patch on top of cryptodev? Herbert, sure, based on your cryptodev git, just tried 4.3 (6a13feb , good) kernel in attempt to find (bisect) when RSA code break, already tested 4.5 (44d1b6d , bad) , 4.4 (afd2ff9 , bad). Going to try your patch soon (when I'm back home). So far 4.3 passes RSA stage without OOPS, but for other reason does not boot to login prompt. Boot log exempt (4.3), this is with CONFIG_CRYPTO_RSA=y : [0.00] PROMLIB: Sun IEEE Boot Prom 'OBP 4.38.3 2015/11/11 10:38' [0.00] PROMLIB: Root node compatible: sun4v [0.00] Initializing cgroup subsys cpuset [0.00] Initializing cgroup subsys cpu [0.00] Initializing cgroup subsys cpuacct [0.00] Linux version 4.3.0+ (mator@ttip) (gcc version 6.0.1 20160423 (prerelease) (Debian 6.0.1-2) ) #4 SMP Thu May 5 05:26:2 8 EDT 2016 [0.00] debug: skip boot console de-registration. [0.00] bootconsole [earlyprom0] enabled [0.00] ARCH: SUN4V [0.00] Ethernet address: 00:14:4f:f8:be:54 [0.00] MM: PAGE_OFFSET is 0xfff8 (max_phys_bits == 47) [0.00] MM: VMALLOC [0x0001 --> 0x0006] [0.00] MM: VMEMMAP [0x0006 --> 0x000c] [0.00] Kernel: Using 3 locked TLB entries for main kernel image. [0.00] Remapping the kernel... done. [0.00] OF stdout device is: /virtual-devices@100/console@1 [0.00] PROM: Built device tree with 76231 bytes of memory. [0.00] MDESC: Size is 35264 bytes. 
[0.00] PLATFORM: banner-name [SPARC T5-2] [0.00] PLATFORM: name [ORCL,SPARC-T5-2] [0.00] PLATFORM: hostid [84f8be54] [0.00] PLATFORM: serial# [0035260e] [0.00] PLATFORM: stick-frequency [3b9aca00] [0.00] PLATFORM: mac-address [144ff8be54] [0.00] PLATFORM: watchdog-resolution [1000 ms] [0.00] PLATFORM: watchdog-max-timeout [3153600 ms] [0.00] PLATFORM: max-cpus [1024] [0.00] Top of RAM: 0x20afff, Total RAM: 0x2ffa06000 [0.00] Memory hole size: 121605MB [0.00] Allocated 32768 bytes for kernel page tables. [0.00] Zone ranges: [0.00] Normal [mem 0x3040-0x0020affe] [0.00] Movable zone start for each node [0.00] Early memory node ranges [0.00] node 0: [mem 0x3040-0x6fe7] [0.00] node 0: [mem 0x6ff0-0x6ff25fff] [0.00] node 0: [mem 0x7000-0x0002afff] [0.00] node 0: [mem 0x00203000-0x0020aff3] [0.00] node 0: [mem 0x0020affc-0x0020affd5fff] [0.00] node 0: [mem 0x0020affe6000-0x0020affe] [0.00] Initmem setup node 0 [mem 0x3040-0x0020affe] [0.00] Booting Linux... [0.00] CPU CAPS: [flush,stbar,swap,muldiv,v9,blkinit,n2,mul32] [0.00] CPU CAPS: [div32,v8plus,popc,vis,vis2,ASIBlkInit,fmaf,vis3] [0.00] CPU CAPS: [hpc,ima,pause,cbcond,aes,des,kasumi,camellia] [0.00] CPU CAPS: [md5,sha1,sha256,sha512,mpmul,montmul,montsqr,crc32c] [0.00] PERCPU: Embedded 8 pages/cpu @fff80020ae40 s28184 r8192 d29160 u65536 [0.00] SUN4V: Mondo queue sizes [cpu(131072) dev(16384) r(8192) nr(256)] [0.00] Built 1 zonelists in Zone order, mobility grouping on. 
Total pages: 1558281 [0.00] Kernel command line: root=/dev/vdiska2 ro keep_bootcon noresume debug loglevel=7 [0.00] log_buf_len individual max cpu contribution: 4096 bytes [0.00] log_buf_len total cpu_extra contributions: 1044480 bytes [0.00] log_buf_len min size: 131072 bytes [0.00] log_buf_len: 2097152 bytes [0.00] early log buf free: 126168(96%) [0.00] PID hash table entries: 4096 (order: 2, 32768 bytes) [0.00] Dentry cache hash table entries: 2097152 (order: 11, 16777216 bytes) [0.00] Inode-cache hash table entries: 1048576 (order: 10, 8388608 bytes) [0.00] Sorting __ex_table... [0.00] Memory: 12364272K/12576792K available (5381K kernel code, 702K rwdata, 1424K rodata, 440K init, 747K bss, 212520K rese rved, 0K cma-reserved) [0.00] Hierarchical RCU implementation. [0.00] Build-time adjustment of leaf fanout to 64. [0.00] NR_IRQS:2048 nr_irqs:2048 1 [0.00] SUN4V: Using IRQ API major 3, cookie only virqs enabled [5664484.612319] clocksource: stick: mask: 0x max_cycles: 0x1cd42e4dffb, max_idle_ns: 881590591483
RE: [PATCH 0/3 v3] Key-agreement Protocol Primitives (KPP) API
> -Original Message- > From: Herbert Xu [mailto:herb...@gondor.apana.org.au] > Sent: Thursday, May 5, 2016 7:22 AM > To: Benedetto, Salvatore> Cc: linux-crypto@vger.kernel.org > Subject: Re: [PATCH 0/3 v3] Key-agreement Protocol Primitives (KPP) API > > On Tue, May 03, 2016 at 12:44:00PM +0100, Salvatore Benedetto wrote: > > Hi Herb, > > > > the following patchset introduces a new API for abstracting > > key-agreement protocols such as DH and ECDH. It provides the > > primitives required for implementing the protocol, thus the name KPP > (Key-agreement Protocol Primitives). > > > > Regards, > > Salvatore > > > > Changes from v1: > > * Change check in dh_check_params_length based on Stephan review > > > > Changed from v2: > > * Add support for ECDH (curve P192 and P256). I reused the ecc module > >already present in net/bluetooth and extended it in order to select > >different curves at runtime. Code for P192 was taken from tinycrypt. > > Are you going to post the patches to use this as well? > I just sent v4 which contains a small change plus an illustrative patch that converts SMP BT to KPP api. I can't test the patch as I don't have the hardware. BT guys should be OK in converting their code properly to kpp once merged. Is that good enough for you? Regards, Salvatore -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
[PATCH] Bluetooth: convert smp module to crypto kpp API
This patch has *not* been tested as I don't have the hardware. Its purpose is to show how to use the kpp API. Based on https://patchwork.kernel.org/patch/9022371/ Signed-off-by: Salvatore Benedetto--- net/bluetooth/smp.c | 99 - 1 file changed, 98 insertions(+), 1 deletion(-) diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c index 50976a6..25844a2 100644 --- a/net/bluetooth/smp.c +++ b/net/bluetooth/smp.c @@ -25,6 +25,8 @@ #include #include #include +#include +#include #include #include 
@@ -2591,6 +2593,101 @@ static u8 sc_select_method(struct smp_chan *smp) return method; } +struct ecdh_completion { + struct completion completion; + int err; +}; + +static void ecdh_complete(struct crypto_async_request *req, int err) +{ + struct ecdh_completion *res = req->data; + + if (err == -EINPROGRESS) + return; + + res->err = err; + complete(>completion); +} + +static inline void swap_digits(u64 *in, u64 *out, unsigned int ndigits) +{ + int i; + + for (i = 0; i < ndigits; i++) + out[i] = __swab64(in[ndigits - 1 - i]); +} + +static bool compute_ecdh_shared_secret(const u8 public_key[64], + const u8 private_key[32], u8 secret[32]) +{ + struct crypto_kpp *tfm; + struct kpp_request *req; + struct ecdh_params p; + struct ecdh_completion result; + struct scatterlist src, dst; + u8 tmp[64]; + int err = -ENOMEM; + + tfm = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0); + if (IS_ERR(tfm)) { + pr_err("alg: kpp: Failed to load tfm for kpp: %ld\n", + PTR_ERR(tfm)); + return false; + } + + req = kpp_request_alloc(tfm, GFP_KERNEL); + if (!req) + goto free_kpp; + + init_completion(); + + /* Set curve_id */ + p.curve_id = ECC_CURVE_NIST_P256; + err = crypto_kpp_set_params(tfm, (void *), sizeof(p)); + if (err) + goto free_req; + + /* Security Manager Protocol holds digits in litte-endian order +* while ECC API expect big-endian data +*/ + swap_digits((u64 *)private_key, (u64 *)tmp, 4); + + /* Set A private Key */ + err = crypto_kpp_set_secret(tfm, (void *)tmp, 32); + if (err) + goto free_all; + + swap_digits((u64 *)public_key, (u64 *)tmp, 4); /* x */ + swap_digits((u64 *)_key[32], (u64 *)[32], 4); /* y */ + + sg_init_one(, tmp, 64); + sg_init_one(, secret, 32); + kpp_request_set_input(req, , 64); + kpp_request_set_output(req, , 32); + kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG, +ecdh_complete, ); + err = crypto_kpp_compute_shared_secret(req); + if (err == -EINPROGRESS) { + wait_for_completion(); + err = result.err; + } + if (err < 0) { + pr_err("alg: ecdh: 
compute shard secret test failed. err %d\n", + err); + goto free_all; + } + + swap_digits((u64 *)secret, (u64 *)tmp, 4); + memcpy(secret, tmp, 32); + +free_all: +free_req: + kpp_request_free(req); +free_kpp: + crypto_free_kpp(tfm); + return (err == 0); +} + static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb) { struct smp_cmd_public_key *key = (void *) skb->data; @@ -2630,7 +2727,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb) SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk); SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32); - if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey)) + if (!compute_ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey)) return SMP_UNSPECIFIED; SMP_DBG("DHKey %32phN", smp->dhkey); -- 1.9.1 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
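Review bot: in the compute_ecdh_shared_secret() hunk, swap_digits() is handed `(u64 *)private_key` and `(u64 *)public_key`, which casts away const and assumes 8-byte alignment of u8 arrays that come straight from the SMP packet (skb->data, smp->remote_pk); on alignment-strict targets that is an unaligned 64-bit access. Reverse the bytes on the u8 buffers, or go through get_unaligned_le64()/put_unaligned_be64(). The stack buffer tmp holds the byte-swapped private key and later the shared secret and is never cleared; add memzero_explicit(tmp, sizeof(tmp)) on every exit path. Smaller points in the same hunk: free_all: and free_req: label the same statement, the error string "compute shard secret test failed" is copied from testmgr, and crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0) passes the INTERNAL flag as the type with a zero mask, so the flag has no effect (the usual way to exclude internal-only algorithms is type 0, mask CRYPTO_ALG_INTERNAL).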
[PATCH 3/3 v4] crypto: kpp - Add ECDH software support
* Implement ECDH under kpp API * Provide ECC software support for curve P-192 and P-256. * Add kpp test for ECDH with data generated by OpenSSL Signed-off-by: Salvatore Benedetto--- crypto/Kconfig |5 + crypto/Makefile |3 + crypto/ecc.c| 1038 +++ crypto/ecc.h| 70 crypto/ecc_curve_defs.h | 57 +++ crypto/ecdh.c | 171 crypto/testmgr.c| 136 ++- crypto/testmgr.h| 73 include/crypto/ecdh.h | 24 ++ 9 files changed, 1568 insertions(+), 9 deletions(-) create mode 100644 crypto/ecc.c create mode 100644 crypto/ecc.h create mode 100644 crypto/ecc_curve_defs.h create mode 100644 crypto/ecdh.c create mode 100644 include/crypto/ecdh.h diff --git a/crypto/Kconfig b/crypto/Kconfig index 89db25c..08a1a3b 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -117,6 +117,11 @@ config CRYPTO_DH help Generic implementation of the Diffie-Hellman algorithm. +config CRYPTO_ECDH + tristate "ECDH algorithm" + select CRYTPO_KPP + help + Generic implementation of the ECDH algorithm config CRYPTO_MANAGER tristate "Cryptographic algorithm manager" diff --git a/crypto/Makefile b/crypto/Makefile index 101f8fd..ba03079 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -33,6 +33,9 @@ obj-$(CONFIG_CRYPTO_AKCIPHER2) += akcipher.o obj-$(CONFIG_CRYPTO_KPP2) += kpp.o obj-$(CONFIG_CRYPTO_DH) += dh.o +ecdh_generic-y := ecc.o +ecdh_generic-y += ecdh.o +obj-$(CONFIG_CRYPTO_ECDH) += ecdh_generic.o $(obj)/rsapubkey-asn1.o: $(obj)/rsapubkey-asn1.c $(obj)/rsapubkey-asn1.h $(obj)/rsaprivkey-asn1.o: $(obj)/rsaprivkey-asn1.c $(obj)/rsaprivkey-asn1.h diff --git a/crypto/ecc.c b/crypto/ecc.c new file mode 100644 index 000..c50f9c8 --- /dev/null +++ b/crypto/ecc.c 
@@ -0,0 +1,1038 @@ +/* + * Copyright (c) 2013, Kenneth MacKay + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions are + * met: + * * Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * * Redistributions in binary form must reproduce the above copyright + *notice, this list of conditions and the following disclaimer in the + *documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS + * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT + * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR + * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT + * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, + * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT + * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE + * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 
+ */ + +#include +#include +#include +#include + +#include "ecc.h" +#include "ecc_curve_defs.h" + +#define MAX_TRIES 16 + +typedef struct { + u64 m_low; + u64 m_high; +} uint128_t; + +static inline const struct ecc_curve *ecc_get_curve(unsigned int curve_id) +{ + switch (curve_id) { + case ECC_CURVE_NIST_P192: return _p192; + case ECC_CURVE_NIST_P256: return _p256; + default: return NULL; + } +} + +static u64 *ecc_alloc_digits_space(unsigned int ndigits) +{ + size_t len = ndigits * sizeof(u64); + + if (!len) + return NULL; + + return kmalloc(len, GFP_KERNEL); +} + +static void ecc_free_digits_space(u64 *space) +{ + kzfree(space); +} + +static struct ecc_point *ecc_alloc_point(unsigned int ndigits) +{ + struct ecc_point *p = kmalloc(sizeof(*p), GFP_KERNEL); + + if (!p) + return NULL; + + p->x = ecc_alloc_digits_space(ndigits); + if (!p->x) + goto err_alloc_x; + + p->y = ecc_alloc_digits_space(ndigits); + if (!p->y) + goto err_alloc_y; + + p->ndigits = ndigits; + + return p; + +err_alloc_y: + ecc_free_digits_space(p->x); +err_alloc_x: + kfree(p); + return NULL; +} + +static void ecc_free_point(struct ecc_point *p) +{ + if (!p) + return; + + kzfree(p->x); + kzfree(p->y); + kzfree(p); +} + +static void vli_clear(u64 *vli, unsigned int ndigits) +{ + int i; + + for (i = 0; i < ndigits; i++) + vli[i] = 0; +} + +/* Returns true if vli == 0, false otherwise. */ +static bool vli_is_zero(const u64
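Review bot: in the Kconfig hunk, `select CRYTPO_KPP` is misspelled (CRYPTO_KPP), so CONFIG_CRYPTO_ECDH never pulls in the kpp core; Kconfig only warns about an unknown symbol in a select, it does not fail. The help text also lacks the blank line before `config CRYPTO_MANAGER` that the neighbouring entries keep. In the ecc.c hunk, ecc_alloc_digits_space() allocates with kmalloc() while the matching free is kzfree(); since these buffers hold private scalars and intermediate coordinates, kzalloc() there would also guarantee no stale heap contents survive in a buffer that an error path frees before every digit has been written.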
[PATCH 2/3 v4] crypto: kpp - Add DH software implementation
* Implement MPI based Diffie-Hellman under kpp API * Test provided uses data generated by OpenSSL Signed-off-by: Salvatore Benedetto--- crypto/Kconfig | 8 ++ crypto/Makefile | 2 + crypto/dh.c | 224 crypto/testmgr.c| 157 crypto/testmgr.h| 208 include/crypto/dh.h | 23 ++ 6 files changed, 622 insertions(+) create mode 100644 crypto/dh.c create mode 100644 include/crypto/dh.h diff --git a/crypto/Kconfig b/crypto/Kconfig index 31bf962..89db25c 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -110,6 +110,14 @@ config CRYPTO_RSA help Generic implementation of the RSA public key algorithm. +config CRYPTO_DH + tristate "Diffie-Hellman algorithm" + select CRYPTO_KPP + select MPILIB + help + Generic implementation of the Diffie-Hellman algorithm. + + config CRYPTO_MANAGER tristate "Cryptographic algorithm manager" select CRYPTO_MANAGER2 diff --git a/crypto/Makefile b/crypto/Makefile index 5b60890..101f8fd 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -32,6 +32,8 @@ obj-$(CONFIG_CRYPTO_HASH2) += crypto_hash.o obj-$(CONFIG_CRYPTO_AKCIPHER2) += akcipher.o obj-$(CONFIG_CRYPTO_KPP2) += kpp.o +obj-$(CONFIG_CRYPTO_DH) += dh.o + $(obj)/rsapubkey-asn1.o: $(obj)/rsapubkey-asn1.c $(obj)/rsapubkey-asn1.h $(obj)/rsaprivkey-asn1.o: $(obj)/rsaprivkey-asn1.c $(obj)/rsaprivkey-asn1.h clean-files += rsapubkey-asn1.c rsapubkey-asn1.h diff --git a/crypto/dh.c b/crypto/dh.c new file mode 100644 index 000..06e4805 --- /dev/null +++ b/crypto/dh.c 
@@ -0,0 +1,224 @@ +/* Diffie-Hellman Key Agreement Method [RFC2631] + * + * Copyright (c) 2016, Intel Corporation + * Authors: Salvatore Benedetto + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public Licence + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ + +#include +#include +#include +#include +#include + +struct dh_ctx { + MPI p; + MPI g; + MPI xa; +}; + +static void dh_free_ctx(struct dh_ctx *ctx) +{ + mpi_free(ctx->p); + mpi_free(ctx->g); + mpi_free(ctx->xa); + ctx->p = NULL; + ctx->g = NULL; + ctx->xa = NULL; +} + +/* + * Public key generation function [RFC2631 sec 2.1.1] + * ya = g^xa mod p; + */ +static int _generate_public_key(const struct dh_ctx *ctx, MPI ya) +{ + /* ya = g^xa mod p */ + return mpi_powm(ya, ctx->g, ctx->xa, ctx->p); +} + +/* + * ZZ generation function [RFC2631 sec 2.1.1] + * ZZ = yb^xa mod p; + */ +static int _compute_shared_secret(const struct dh_ctx *ctx, MPI yb, + MPI zz) +{ + /* ZZ = yb^xa mod p */ + return mpi_powm(zz, yb, ctx->xa, ctx->p); +} + +static inline struct dh_ctx *dh_get_ctx(struct crypto_kpp *tfm) +{ + return kpp_tfm_ctx(tfm); +} + +static int dh_check_params_length(unsigned int p_len) +{ + return (p_len < 1536) ? 
-EINVAL : 0; +} + +static int dh_set_params(struct crypto_kpp *tfm, void *buffer, +unsigned int len) +{ + struct dh_ctx *ctx = dh_get_ctx(tfm); + struct dh_params *params = (struct dh_params *)buffer; + + if (unlikely(!buffer || !len)) + return -EINVAL; + + if (unlikely(!params->p || !params->g)) + return -EINVAL; + + if (dh_check_params_length(params->p_size << 3)) + return -EINVAL; + + ctx->p = mpi_read_raw_data(params->p, params->p_size); + if (!ctx->p) + return -EINVAL; + + ctx->g = mpi_read_raw_data(params->g, params->g_size); + if (!ctx->g) { + mpi_free(ctx->p); + return -EINVAL; + } + + return 0; +} + +static int dh_set_secret(struct crypto_kpp *tfm, void *buffer, +unsigned int len) +{ + struct dh_ctx *ctx = dh_get_ctx(tfm); + + if (unlikely(!buffer || !len)) + return -EINVAL; + + ctx->xa = mpi_read_raw_data(buffer, len); + + if (!ctx->xa) + return -EINVAL; + + return 0; +} + +static int dh_generate_public_key(struct kpp_request *req) +{ + struct crypto_kpp *tfm = crypto_kpp_reqtfm(req); + const struct dh_ctx *ctx = dh_get_ctx(tfm); + MPI ya = mpi_alloc(0); + int ret = 0; + int sign; + + if (!ya) + return -ENOMEM; + + if (unlikely(!ctx->p || !ctx->g || !ctx->xa)) { + ret = -EINVAL; + goto err_free_ya; + } + ret = _generate_public_key(ctx, ya); + if (ret) + goto err_free_ya; + + ret = mpi_write_to_sgl(ya, req->dst, >dst_len, ); + if (ret) +
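Review bot: in the dh.c hunk, _compute_shared_secret() raises the peer value yb to xa with no validation, and dh_set_params()/dh_set_secret() do not range-check p, g or xa either. A peer, or anyone in the middle, that sends yb = 0, 1 or p-1 forces ZZ into {0, 1, p-1} regardless of xa; reject yb <= 1 and yb >= p-1 before mpi_powm(), and where the subgroup order q is known also require yb^q mod p == 1. In the same hunk dh_set_params() overwrites ctx->p and ctx->g without freeing a previous value (a second set_params on the same tfm leaks the first MPIs), on failure to read g it frees ctx->p but leaves the dangling pointer in place, and a NULL from mpi_read_raw_data() is an allocation failure reported as -EINVAL rather than -ENOMEM. The Kconfig hunk adds two blank lines after the CRYPTO_DH help text where one is enough.

The two computations above (ya = g^xa mod p and ZZ = yb^xa mod p, RFC 2631 section 2.1.1) together with the peer-value check a reviewer would ask for, as an added Python example; it is not part of the patch or of the kernel's dh.c, and the group parameters P, Q and G are constructed at import time from a seeded generator, far smaller than the 1536-bit minimum dh_check_params_length() enforces:

```python
"""Added example, not from the posted patch: RFC 2631 DH as crypto/dh.c
computes it with mpi_powm(), in plain Python, plus the validation of the
peer's public value that the posted _compute_shared_secret() lacks.
The group is constructed here (a 128-bit safe prime from a seeded RNG);
it is far too small for real use and exists only to run the demo."""
import random

_rng = random.Random(2016)  # seeded so the constructed group is reproducible


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with witnesses drawn from the seeded RNG (demo quality)."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = _rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def make_safe_prime_group(bits=128):
    """Return (p, q, g) with p = 2q + 1 prime and g generating the order-q subgroup."""
    while True:
        q = _rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if not is_probable_prime(q):
            continue
        p = 2 * q + 1
        if is_probable_prime(p):
            break
    # 4 = 2^2 is a quadratic residue, hence has order q in a safe-prime group.
    g = pow(2, 2, p)
    return p, q, g


P, Q, G = make_safe_prime_group()  # constructed toy parameters


def generate_public_key(p, g, xa):
    """ya = g^xa mod p, the work dh_generate_public_key() does."""
    return pow(g, xa, p)


def compute_shared_secret_unchecked(p, xa, yb):
    """ZZ = yb^xa mod p exactly as the posted _compute_shared_secret(): yb is not checked."""
    return pow(yb, xa, p)


def is_valid_peer_value(p, q, yb):
    """The check dh.c should run before mpi_powm(): range, then subgroup membership."""
    if not 1 < yb < p - 1:
        return False
    return q is None or pow(yb, q, p) == 1


def compute_shared_secret(p, q, xa, yb):
    """Hardened variant: refuse degenerate or out-of-subgroup peer values."""
    if not is_valid_peer_value(p, q, yb):
        raise ValueError("invalid peer public value")
    return pow(yb, xa, p)


def demo():
    """Both honest sides agree on ZZ; a forced yb = 1 makes the unchecked ZZ constant."""
    xa = _rng.randrange(2, Q - 1)
    xb = _rng.randrange(2, Q - 1)
    ya = generate_public_key(P, G, xa)
    yb = generate_public_key(P, G, xb)
    agree = compute_shared_secret(P, Q, xa, yb) == compute_shared_secret(P, Q, xb, ya)
    # Replacing yb with 1 (or 0, or p-1) pins ZZ to a value independent of xa,
    # which is why the check belongs before the exponentiation.
    forced = compute_shared_secret_unchecked(P, xa, 1)
    return agree, forced
```

The subgroup test pow(yb, q, p) == 1 only applies when q is known, which the dh_params in the patch do not carry; the range check alone already rejects the three trivial values.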
[PATCH 1/3 v4] crypto: Key-agreement Protocol Primitives API (KPP)
Add key-agreement protocol primitives (kpp) API which allows implementing primitives required by protocols such as DH and ECDH. The API is composed mainly of the following functions * set_params() - It allows the user to set the parameters known to both parties involved in the key-agreement session * set_secret() - It allows the user to set his secret, also referred to as his private key * generate_public_key() - It generates the public key to be sent to the other counterpart involved in the key-agreement session. The function has to be called after set_params() and set_secret() * generate_secret() - It generates the shared secret for the session Other functions such as init() and exit() are provided for allowing cryptographic hardware to be initialized properly before use Signed-off-by: Salvatore Benedetto--- crypto/Kconfig | 10 ++ crypto/Makefile | 1 + crypto/crypto_user.c| 20 +++ crypto/kpp.c| 123 +++ include/crypto/internal/kpp.h | 64 include/crypto/kpp.h| 333 include/linux/crypto.h | 1 + include/uapi/linux/cryptouser.h | 5 + 8 files changed, 557 insertions(+) create mode 100644 crypto/kpp.c create mode 100644 include/crypto/internal/kpp.h create mode 100644 include/crypto/kpp.h diff --git a/crypto/Kconfig b/crypto/Kconfig index 93a1fdc..31bf962 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -93,6 +93,15 @@ config CRYPTO_AKCIPHER select CRYPTO_AKCIPHER2 select CRYPTO_ALGAPI +config CRYPTO_KPP2 + tristate + select CRYPTO_ALGAPI2 + +config CRYPTO_KPP + tristate + select CRYPTO_ALGAPI + select CRYPTO_KPP2 + config CRYPTO_RSA tristate "RSA algorithm" select CRYPTO_AKCIPHER @@ -114,6 +123,7 @@ config CRYPTO_MANAGER2 select CRYPTO_HASH2 select CRYPTO_BLKCIPHER2 select CRYPTO_AKCIPHER2 + select CRYPTO_KPP2 config CRYPTO_USER tristate "Userspace cryptographic algorithm configuration" diff --git a/crypto/Makefile b/crypto/Makefile index 4f4ef7e..5b60890 100644 --- a/crypto/Makefile +++ b/crypto/Makefile 
@@ -30,6 +30,7 @@ crypto_hash-y += shash.o obj-$(CONFIG_CRYPTO_HASH2) += crypto_hash.o obj-$(CONFIG_CRYPTO_AKCIPHER2) += akcipher.o +obj-$(CONFIG_CRYPTO_KPP2) += kpp.o $(obj)/rsapubkey-asn1.o: $(obj)/rsapubkey-asn1.c $(obj)/rsapubkey-asn1.h $(obj)/rsaprivkey-asn1.o: $(obj)/rsaprivkey-asn1.c $(obj)/rsaprivkey-asn1.h diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c index 43fe85f..d28513fb 100644 --- a/crypto/crypto_user.c +++ b/crypto/crypto_user.c @@ -28,6 +28,7 @@ #include #include #include +#include #include "internal.h" @@ -126,6 +127,21 @@ nla_put_failure: return -EMSGSIZE; } +static int crypto_report_kpp(struct sk_buff *skb, struct crypto_alg *alg) +{ + struct crypto_report_kpp rkpp; + + strncpy(rkpp.type, "kpp", sizeof(rkpp.type)); + + if (nla_put(skb, CRYPTOCFGA_REPORT_KPP, + sizeof(struct crypto_report_kpp), )) + goto nla_put_failure; + return 0; + +nla_put_failure: + return -EMSGSIZE; +} + static int crypto_report_one(struct crypto_alg *alg, struct crypto_user_alg *ualg, struct sk_buff *skb) { @@ -176,6 +192,10 @@ static int crypto_report_one(struct crypto_alg *alg, goto nla_put_failure; break; + case CRYPTO_ALG_TYPE_KPP: + if (crypto_report_kpp(skb, alg)) + goto nla_put_failure; + break; } out: diff --git a/crypto/kpp.c b/crypto/kpp.c new file mode 100644 index 000..d36ce05 --- /dev/null +++ b/crypto/kpp.c 
@@ -0,0 +1,123 @@ +/* + * Key-agreement Protocol Primitives (KPP) + * + * Copyright (c) 2016, Intel Corporation + * Authors: Salvatore Benedetto + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + * + */ +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include "internal.h" + +#ifdef CONFIG_NET +static int crypto_kpp_report(struct sk_buff *skb, struct crypto_alg *alg) +{ + struct crypto_report_kpp rkpp; + + strncpy(rkpp.type, "kpp", sizeof(rkpp.type)); + + if (nla_put(skb, CRYPTOCFGA_REPORT_KPP, + sizeof(struct crypto_report_kpp), )) + goto nla_put_failure; + return 0; + +nla_put_failure: + return -EMSGSIZE; +} +#else +static int crypto_kpp_report(struct sk_buff *skb, struct crypto_alg *alg) +{ + return -ENOSYS; +} +#endif + +static void
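Review bot: crypto_report_kpp() in the crypto_user.c hunk and crypto_kpp_report() in the kpp.c hunk are the same function body (strncpy of "kpp" into a struct crypto_report_kpp and one nla_put()). Keep a single copy: either export the kpp.c one, or drop the crypto_user.c case entirely if kpp.c installs it as the type's report callback, in which case the CRYPTO_ALG_TYPE_KPP arm in crypto_report_one() is only ever reached for algorithms without a cra_type. The commit message also calls the shared-secret primitive generate_secret() while the companion patches use crypto_kpp_compute_shared_secret(); the two names should agree.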
Re: [crypto / sparc64] cryptomgr_test OOPS
On Wed, May 04, 2016 at 05:49:04PM +0300, Anatoly Pugachev wrote: > > just tested cryptodev ( > http://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git > ) kernel, same OOPS, but kernel version is 4.6.0-rc2+ . > kernel OOPS message - https://paste.fedoraproject.org/362554/23732641/ Anatoly, could you please test this patch on top of cryptodev? Thanks! ---8<--- Subject: crypto: testmgr - Use kmalloc memory for RSA input As akcipher uses an SG interface, you must not use vmalloc memory as input for it. This patch fixes testmgr to copy the vmalloc test vectors to kmalloc memory before running the test. This patch also removes a superfluous sg_virt call in do_test_rsa. Cc:Reported-by: Anatoly Pugachev Signed-off-by: Herbert Xu diff --git a/crypto/testmgr.c b/crypto/testmgr.c index fcd89fe..c727fb0 100644 --- a/crypto/testmgr.c +++ b/crypto/testmgr.c @@ -1780,6 +1780,7 @@ static int alg_test_drbg(const struct alg_test_desc *desc, const char *driver, static int do_test_rsa(struct crypto_akcipher *tfm, struct akcipher_testvec *vecs) { + char *xbuf[XBUFSIZE]; struct akcipher_request *req; void *outbuf_enc = NULL; void *outbuf_dec = NULL; @@ -1788,9 +1789,12 @@ static int do_test_rsa(struct crypto_akcipher *tfm, int err = -ENOMEM; struct scatterlist src, dst, src_tab[2]; + if (testmgr_alloc_buf(xbuf)) + return err; + req = akcipher_request_alloc(tfm, GFP_KERNEL); if (!req) - return err; + goto free_xbuf; init_completion(); @@ -1808,9 +1812,14 @@ static int do_test_rsa(struct crypto_akcipher *tfm, if (!outbuf_enc) goto free_req; + if (WARN_ON(vecs->m_size > PAGE_SIZE)) + goto free_all; + + memcpy(xbuf[0], vecs->m, vecs->m_size); + sg_init_table(src_tab, 2); - sg_set_buf(_tab[0], vecs->m, 8); - sg_set_buf(_tab[1], vecs->m + 8, vecs->m_size - 8); + sg_set_buf(_tab[0], xbuf[0], 8); + sg_set_buf(_tab[1], xbuf[0] + 8, vecs->m_size - 8); sg_init_one(, outbuf_enc, out_len_max); akcipher_request_set_crypt(req, src_tab, , vecs->m_size, out_len_max); 
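Review bot: in the hunk at line 1812, `if (WARN_ON(vecs->m_size > PAGE_SIZE)) goto free_all;` leaves err at the -ENOMEM it was initialised with, so an oversized test vector is reported as an allocation failure; set err = -EINVAL before the goto. The split sg_set_buf(&src_tab[0], xbuf[0], 8) / xbuf[0] + 8 keeps the original assumption that m_size > 8, which is fine for the current vectors but worth a comment.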
@@ -1829,7 +1838,7 @@ static int do_test_rsa(struct crypto_akcipher *tfm, goto free_all; } /* verify that encrypted message is equal to expected */ - if (memcmp(vecs->c, sg_virt(req->dst), vecs->c_size)) { + if (memcmp(vecs->c, outbuf_enc, vecs->c_size)) { pr_err("alg: rsa: encrypt test failed. Invalid output\n"); err = -EINVAL; goto free_all; @@ -1844,7 +1853,13 @@ static int do_test_rsa(struct crypto_akcipher *tfm, err = -ENOMEM; goto free_all; } - sg_init_one(, vecs->c, vecs->c_size); + + if (WARN_ON(vecs->c_size > PAGE_SIZE)) + goto free_all; + + memcpy(xbuf[0], vecs->c, vecs->c_size); + + sg_init_one(, xbuf[0], vecs->c_size); sg_init_one(, outbuf_dec, out_len_max); init_completion(); akcipher_request_set_crypt(req, , , vecs->c_size, out_len_max); @@ -1871,6 +1886,8 @@ free_all: kfree(outbuf_enc); free_req: akcipher_request_free(req); +free_xbuf: + testmgr_free_buf(xbuf); return err; } -- Email: Herbert Xu Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
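Review bot: in the hunk at line 1853, the new `if (WARN_ON(vecs->c_size > PAGE_SIZE)) goto free_all;` runs after the encrypt half has already succeeded, so err is 0 at that point and do_test_rsa() returns success for a vector whose decrypt half was never run; set err = -EINVAL before the goto (the m_size check earlier in the function has the same shape and should do the same). The sg_virt() removal in the hunk at line 1838 is correct: outbuf_enc is the kmalloc buffer the dst scatterlist was built from, so comparing against it directly is the intent.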
Re: [PATCH 1/7] asm-generic/io.h: add io{read,write}64 accessors
On Thursday 05 May 2016 04:06 AM, Arnd Bergmann wrote: > On Wednesday 04 May 2016 20:16:19 Horia Geantă wrote: >> @@ -625,6 +645,16 @@ static inline u32 ioread32be(const volatile void >> __iomem *addr) >> } >> #endif >> >> +#ifdef CONFIG_64BIT >> +#ifndef ioread64be >> +#define ioread64be ioread64be >> +static inline u64 ioread64be(const volatile void __iomem *addr) >> +{ >> + return __be64_to_cpu(__raw_readq(addr)); >> +} >> +#endif >> +#endif /* CONFIG_64BIT */ >> + >> #ifndef iowrite16be >> #define iowrite16be iowrite16be >> static inline void iowrite16be(u16 value, void volatile __iomem *addr) 
>> @@ -641,6 +671,16 @@ static inline void iowrite32be(u32 value, volatile void >> __iomem *addr) >> } >> #endif >> >> +#ifdef CONFIG_64BIT >> +#ifndef iowrite64be >> +#define iowrite64be iowrite64be >> +static inline void iowrite64be(u64 value, volatile void __iomem *addr) >> +{ >> + __raw_writeq(__cpu_to_be64(value), addr); >> +} >> +#endif >> +#endif /* CONFIG_64BIT */ >> + >> > I just noticed that these two are both a bit wrong, but they copy the > mistake that already exists in the 16 and 32 bit versions: If an > architecture overrides readq/writeq to have barriers but does not override > ioread64be/iowrite64be, this will lack the barriers and behave differently > from the little-endian version. I think the only affected architecture > is ARC, since ARM and ARM64 both override the big-endian accessors to > have the correct barriers, and all others don't use barriers at all. > > Maybe you can add a patch before this one to replace the 16/32-bit accessors > with ones that do a > > static inline void iowrite32be(u32 value, volatile void __iomem *addr) > { > writel(swab32(value), addr); > } > > This will lead to a double-swap on architectures that don't override it, > but it will work correctly on all architectures without them having > to override the big-endian accessors. Thx for noticing this Arnd and the heads up. Does the patch below look ok to you ? ---> From b7e719831c389ab4fa338b2e2e7c0d1ff90dabb0 Mon Sep 17 00:00:00 2001 
From: Vineet GuptaDate: Thu, 5 May 2016 13:32:34 +0530 Subject: [PATCH] ARC: Add missing io barriers to io{read,write}{16,32}be() While reviewing a different change to asm-generic/io.h Arnd spotted that ARC ioread32 and ioread32be both of which come from asm-generic versions are not symmetrical in terms of calling the io barriers. generic ioread32 -> ARC readl() [ has barriers] generic ioread32be -> __be32_to_cpu(__raw_readl()) [ lacks barriers] While generic ioread32be is being remediated to call readl(), that involves a swab32(), causing double swaps on ioread32be() on Big Endian systems. So provide our versions of big endian IO accessors to ensure io barrier calls while also keeping them optimal Suggested-by: Arnd Bergmann Cc: sta...@vger.kernel.org [4.2+] Signed-off-by: Vineet Gupta --- arch/arc/include/asm/io.h | 27 ++- 1 file changed, 18 insertions(+), 9 deletions(-) diff --git a/arch/arc/include/asm/io.h b/arch/arc/include/asm/io.h index 17f85c9c73cf..c22b181e8206 100644 --- a/arch/arc/include/asm/io.h +++ b/arch/arc/include/asm/io.h @@ -13,6 +13,15 @@ #include #include +#ifdef CONFIG_ISA_ARCV2 +#include +#define __iormb()rmb() +#define __iowmb()wmb() +#else +#define __iormb()do { } while (0) +#define __iowmb()do { } while (0) +#endif + extern void __iomem *ioremap(phys_addr_t paddr, unsigned long size); extern void __iomem *ioremap_prot(phys_addr_t paddr, unsigned long size, unsigned long flags); 
@@ -31,6 +40,15 @@ extern void iounmap(const void __iomem *addr); #define ioremap_wc(phy, sz)ioremap(phy, sz) #define ioremap_wt(phy, sz)ioremap(phy, sz) +/* + * io{read,write}{16,32}be() macros + */ +#define ioread16be(p)({ u16 __v = be16_to_cpu((__force __be16)__raw_readw(p)); __iormb(); __v; }) +#define ioread32be(p)({ u32 __v = be32_to_cpu((__force __be32)__raw_readl(p)); __iormb(); __v; }) + +#define iowrite16be(v,p)({ __iowmb(); __raw_writew((__force u16)cpu_to_be16(v), p); }) +#define iowrite32be(v,p)({ __iowmb(); __raw_writel((__force u32)cpu_to_be32(v), p); }) + /* Change struct page to physical address */ #define page_to_phys(page)(page_to_pfn(page) << PAGE_SHIFT) @@ -108,15 +126,6 @@ static inline void __raw_writel(u32 w, volatile void __iomem *addr) } -#ifdef CONFIG_ISA_ARCV2 -#include -#define __iormb()rmb() -#define __iowmb()wmb() -#else -#define __iormb()do { } while (0) -#define __iowmb()do { } while (0) -#endif - /* * MMIO can also get buffered/optimized in micro-arch, so barriers needed * Based on ARM model for the typical use case -- 2.5.0 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to
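Review bot: the commit message should say why the __iormb()/__iowmb() block moves to the top of arch/arc/include/asm/io.h in the first hunk (@@ -13,6 +13,15 @@); read on its own that hunk looks like an unrelated reshuffle, and whoever applies the stable backport (Cc: stable 4.2+) has to work out that it puts the barrier helpers above the new io{read,write}{16,32}be() macros that expand to them. One sentence in the log, or a short comment on the moved block, is enough.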
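Review bot: the block comment introduced in the second hunk (@@ -31,6 +40,15 @@), `/* io{read,write}{16,32}be() macros */`, names the macros but not why ARC carries its own copies; record there that the asm-generic versions are built on __raw_readw()/__raw_readl() and __raw_writew()/__raw_writel() and so skip the __iormb()/__iowmb() that ARC's readl()/writel() issue, otherwise the override looks redundant once the generic code is remediated and someone will remove it. The barrier placement itself matches the little-endian accessors (raw read, then __iormb(); __iowmb(), then raw write), and defining these as macros rather than inlines is what lets the `#ifndef`-style guards shown in the quoted iowrite64be hunk pick the ARC versions up.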
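Review bot: deleting the old __iormb()/__iowmb() definitions in the third hunk (@@ -108,15 +126,6 @@) leaves the comment that followed them ("MMIO can also get buffered/optimized in micro-arch, so barriers needed / Based on ARM model for the typical use case") sitting directly under the closing brace of __raw_writel(); if that comment was describing the barrier helpers it should travel with them to the first hunk, and if it describes the accessors below it a blank line after the brace keeps the file readable. The removed block is byte-identical to the one added at the top, so the move itself has no functional effect.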
Re: v4.6-rc1 regression bisected, Problem loading in-kernel X.509 certificate (-2)
On Wed, May 04, 2016 at 06:38:46AM -0700, Tadeusz Struk wrote:
> Hi David
> On 05/04/2016 02:01 AM, David Howells wrote:
> > Do you want to push this via Herbert's tree?
> >
>
> Yes, I think Herbert has some more patches queued for rc-7.
> Let me also send a proper one with the signed-off tag.
>
> ---8<---
> Subject: crypto: rsa - select crypto mgr dependency
>
> The pkcs1pad template needs CRYPTO_MANAGER so it needs
> to be explicitly selected by CRYPTO_RSA.
>
> Reported-by: Jamie Heilman
> Signed-off-by: Tadeusz Struk

Applied.
--
Email: Herbert Xu
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Re: [PATCH v3] crypto: Add a flag allowing the self-tests to be disabled at runtime.
On Tue, May 03, 2016 at 10:00:17AM +0100, Richard W.M. Jones wrote:
> Running self-tests for a short-lived KVM VM takes 28ms on my laptop.
> This commit adds a flag 'cryptomgr.notests' which allows them to be
> disabled.
>
> However if fips=1 as well, we ignore this flag as FIPS mode mandates
> that the self-tests are run.
>
> Signed-off-by: Richard W.M. Jones

Applied.
--
Email: Herbert Xu
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Re: better patch for linux/bitops.h
On 05/04/16 21:03, Jeffrey Walton wrote:
> On Wed, May 4, 2016 at 11:50 PM, Theodore Ts'o wrote:
>> ... But instead of arguing over what works and doesn't, let's just
>> create the test set and just try it on a wide range of compilers and
>> architectures, hmmm?
>
> What are the requirements? Here's a short list:
>
> * No undefined behavior
>   - important because the compiler writers use the C standard
> * Compiles to native "rotate IMMEDIATE" if the rotate amount is a
>   "constant expression" and the machine provides it
>   - translates to a native rotate instruction if available
>   - "rotate IMM" can be 3 times faster than "rotate REG"
>   - do any architectures *not* provide a rotate?
> * Compiles to native "rotate REGISTER" if the rotate is variable and
>   the machine provides it
>   - do any architectures *not* provide a rotate?
> * Constant time
>   - important to high-integrity code
>   - Non-security code paths probably don't care
>
> Maybe the first thing to do is provide different rotates for the
> constant-time requirement when it's in effect?

The disagreement here is the priority between these points.

In my very strong opinion, "no undefined behavior" per the C standard is
way less important than the others; what matters is what gcc and the
other compilers we care about do. The kernel relies on various versions
of C-standard-undefined behavior *all over the place*; for one thing
sizeof(void *) == sizeof(size_t) == sizeof(unsigned long)!! but they are
well-defined in the subcontext we care about.

(And no, not all architectures provide a rotate instruction.)

-hpa
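A rotate idiom that satisfies the first three items on Jeffrey's list (no undefined behaviour for any count, branch-free so the timing does not depend on the count, and a shape that current gcc and clang turn into a single native rotate where the machine has one), as an added example that is not code from this thread or from linux/bitops.h. The function names rotl32/rotr32/rotl64/rotr64/rotl32_naive and rotate_roundtrip_ok are the example's own. The naive form is included only to show where it goes wrong.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not code from linux/bitops.h or from this thread.
 * Function names are the example's own, not kernel identifiers.
 *
 * The classic idiom (x << n) | (x >> (32 - n)) is undefined for n == 0,
 * because it shifts a 32-bit value right by 32, the operand width.
 * Masking the count with (width - 1) and computing the opposite count as
 * (0u - n) & (width - 1) keeps both shifts inside 0..width-1 for every n:
 * for n == 0 the right-shift count is also 0 and the result is x | x == x.
 * The expression has no branch and no data-dependent timing, and the
 * compilers we care about recognise the shape and emit rol/ror where a
 * rotate instruction exists.
 */
static inline uint32_t rotl32(uint32_t x, unsigned int n)
{
	n &= 31;
	return (x << n) | (x >> ((0u - n) & 31));
}

static inline uint32_t rotr32(uint32_t x, unsigned int n)
{
	n &= 31;
	return (x >> n) | (x << ((0u - n) & 31));
}

static inline uint64_t rotl64(uint64_t x, unsigned int n)
{
	n &= 63;
	return (x << n) | (x >> ((0u - n) & 63));
}

static inline uint64_t rotr64(uint64_t x, unsigned int n)
{
	n &= 63;
	return (x >> n) | (x << ((0u - n) & 63));
}

/*
 * The naive form, kept only for comparison.  It is well defined and
 * agrees with rotl32() for 1 <= n <= 31, but n == 0 shifts right by 32,
 * which is undefined behaviour an optimiser is entitled to exploit.
 * Never call it with n == 0.
 */
static inline uint32_t rotl32_naive(uint32_t x, unsigned int n)
{
	return (x << n) | (x >> (32 - n));
}

/* Rotating left then right by the same count must give x back, for any n. */
static int rotate_roundtrip_ok(uint32_t x, unsigned int n)
{
	return rotr32(rotl32(x, n), n) == x && rotl32(rotr32(x, n), n) == x;
}

int main(void)
{
	uint32_t x = 0x12345678u;
	unsigned int n;

	/* n == 0 and n == 32 both return x unchanged; no shift ever reaches 32. */
	for (n = 0; n <= 32; n++)
		printf("rotl32(0x%08x, %2u) = 0x%08x\n", x, n, rotl32(x, n));

	return rotate_roundtrip_ok(x, 0) && rotate_roundtrip_ok(x, 13) ? 0 : 1;
}
```

Compiling with -O2 and inspecting the output for x86 or ARM is the quickest way to confirm the "native rotate" requirement on a given compiler version; the masked form stays defined even on a target with no rotate instruction, where it becomes two shifts and an or.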
Re: [PATCH 0/3 v3] Key-agreement Protocol Primitives (KPP) API
On Tue, May 03, 2016 at 12:44:00PM +0100, Salvatore Benedetto wrote:
> Hi Herb,
>
> the following patchset introduces a new API for abstracting key-agreement
> protocols such as DH and ECDH. It provides the primitives required for
> implementing the protocol, thus the name KPP (Key-agreement Protocol
> Primitives).
>
> Regards,
> Salvatore
>
> Changes from v1:
> * Change check in dh_check_params_length based on Stephan review
>
> Changes from v2:
> * Add support for ECDH (curve P192 and P256). I reused the ecc module
>   already present in net/bluetooth and extended it in order to select
>   different curves at runtime. Code for P192 was taken from tinycrypt.

Are you going to post the patches to use this as well?

Thanks,
--
Email: Herbert Xu
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt