Re: UB in general ... and linux/bitops.h in particular

2016-05-05 Thread Jeffrey Walton
>-- Perhaps the compiler guys could be persuaded to support
> the needed features explicitly, perhaps via a command-line
> option: -std=vanilla
> This should be a no-cost option as things stand today, but
> it helps to prevent nasty surprises in the future.

It looks like LLVM has the -rainbow option; see
http://blog.llvm.org/2016/04/undefined-behavior-is-magic.html :)

Jeff
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: better patch for linux/bitops.h

2016-05-05 Thread H. Peter Anvin
On 05/05/2016 03:18 PM, ty...@mit.edu wrote:
> 
> So this is why I tend to take a much more pragmatic viewpoint on
> things.  Sure, it makes sense to pay attention to what the C standard
> writers are trying to do to us; but if we need to suppress certain
> optimizations to write sane kernel code --- I'm ok with that.  And
> this is why using a trust-but-verify on a specific set of compilers
> and ranges of compiler versions is a really good idea
> 

For the record, the "portable" construct has apparently only been
supported since gcc 4.6.3.

-hpa




Re: better patch for linux/bitops.h

2016-05-05 Thread H. Peter Anvin
On May 5, 2016 3:18:09 PM PDT, ty...@mit.edu wrote:
>On Thu, May 05, 2016 at 05:34:50PM -0400, Sandy Harris wrote:
>> 
>> I completely fail to see why tests or compiler versions should be
>> part of the discussion. The C standard says the behaviour in
>> certain cases is undefined, so a standard-compliant compiler
>> can generate more-or-less any code there.
>> 
>
>> As long as any of portability, reliability or security are among our
>> goals, any code that can give undefined behaviour should be
>> considered problematic.
>
>Because compilers have been known not necessarily to obey the specs,
>and/or interpret the specs in a way that not everyone agrees with.  It's
>also the case that we are *already* disabling certain C optimizations
>which are technically allowed by the spec, but which kernel
>programmers consider insane (e.g., strict aliasing).
>
>And of course, memzero_explicit() which crypto people understand is
>necessary, is something that technically compilers are allowed to
>optimize according to the spec.  So trying to write secure kernel code
>which will work on arbitrary compilers may well be impossible.
>
>And which is also why people have said (mostly in jest), "A
>sufficiently advanced compiler is indistinguishable from an
>adversary."  (I assume people will agree that optimizing away a memset
>needed to clear secrets from memory would be considered adversarial,
>at the very least!)
>
>So this is why I tend to take a much more pragmatic viewpoint on
>things.  Sure, it makes sense to pay attention to what the C standard
>writers are trying to do to us; but if we need to suppress certain
>optimizations to write sane kernel code --- I'm ok with that.  And
>this is why using a trust-but-verify on a specific set of compilers
>and ranges of compiler versions is a really good idea
>
>- Ted

I have filed a gcc bug to have the preexisting rotate idiom officially 
documented as a GNU C extension.

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70967
-- 
Sent from my Android device with K-9 Mail. Please excuse brevity and formatting.
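hpa refers above to the pre-existing rotate idiom without spelling it out. The C program below is an added example, not code from this thread, from linux/bitops.h or from the gcc bug: the idiom at issue, as I understand it, is `(x << s) | (x >> (32 - s))`, which for `s == 0` shifts a 32-bit value by 32 (undefined in C, and what the bug asks gcc to document as defined). It is contrasted with a form whose shift counts are masked so that every count is defined, and both are cross-checked against a bit-at-a-time reference. The names rol32_classic, rol32_safe, rol32_reference and rol32_check_all are mine.

```c
/* Added example (not from the thread or linux/bitops.h).  Contrasts the
 * textbook 32-bit rotate, undefined for a shift count of 0, with a form
 * that is defined for every count. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Textbook form: for s == 0 the right shift is by 32, the full width of a
 * uint32_t, which the C standard leaves undefined.  A compiler may assume
 * that never happens and miscompile callers.  Kept only for comparison;
 * the checks below never call it with s == 0. */
static uint32_t rol32_classic(uint32_t x, unsigned int s)
{
    return (x << s) | (x >> (32 - s));
}

/* Defined for every s: both counts are masked to 0..31, and (-s) & 31 is
 * 0 when s is 0, so neither shift ever reaches the word width.  gcc and
 * clang recognise this pattern and typically still emit one rotate
 * instruction. */
static uint32_t rol32_safe(uint32_t x, unsigned int s)
{
    s &= 31;
    return (x << s) | (x >> ((-s) & 31));
}

/* Bit-at-a-time reference rotate, used only to cross-check the two forms. */
static uint32_t rol32_reference(uint32_t x, unsigned int s)
{
    for (s &= 31; s > 0; s--)
        x = (x << 1) | (x >> 31);
    return x;
}

/* Compares rol32_safe() against the reference for every count 0..31, and
 * rol32_classic() for 1..31, over a few constructed inputs.  Returns 1 when
 * everything agrees, 0 otherwise. */
static int rol32_check_all(void)
{
    static const uint32_t samples[] = {   /* constructed test values */
        0x00000001u, 0x80000000u, 0xdeadbeefu, 0x0f0f0f0fu, 0xffffffffu
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        for (unsigned int s = 0; s < 32; s++) {
            uint32_t want = rol32_reference(samples[i], s);

            if (rol32_safe(samples[i], s) != want)
                return 0;
            if (s != 0 && rol32_classic(samples[i], s) != want)
                return 0;
        }
    }
    return 1;
}

int main(void)
{
    printf("rol32_safe(0x80000001, 0) = 0x%08x\n", rol32_safe(0x80000001u, 0));
    printf("all forms agree on defined inputs: %s\n",
           rol32_check_all() ? "yes" : "no");
    return 0;
}
```

The point for reviewers of code like bitops.h is the second form: it costs nothing at -O2 on the compilers named in the thread, and it removes the only input (`s == 0`) on which the classic form relies on compiler goodwill rather than the language.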


Re: better patch for linux/bitops.h

2016-05-05 Thread H. Peter Anvin
On 05/05/2016 03:18 PM, ty...@mit.edu wrote:
> On Thu, May 05, 2016 at 05:34:50PM -0400, Sandy Harris wrote:
>>
>> I completely fail to see why tests or compiler versions should be
>> part of the discussion. The C standard says the behaviour in
>> certain cases is undefined, so a standard-compliant compiler
>> can generate more-or-less any code there.
>>
> 
>> As long as any of portability, reliability or security are among our
>> goals, any code that can give undefined behaviour should be
>> considered problematic.
> 
> Because compilers have been known not necessarily to obey the specs,
> and/or interpret the specs in a way that not everyone agrees with.  It's
> also the case that we are *already* disabling certain C optimizations
> which are technically allowed by the spec, but which kernel
> programmers consider insane (e.g., strict aliasing).
> 
> And of course, memzero_explicit() which crypto people understand is
> necessary, is something that technically compilers are allowed to
> optimize according to the spec.  So trying to write secure kernel code
> which will work on arbitrary compilers may well be impossible.
> 
> And which is also why people have said (mostly in jest), "A
> sufficiently advanced compiler is indistinguishable from an
> adversary."  (I assume people will agree that optimizing away a memset
> needed to clear secrets from memory would be considered adversarial,
> at the very least!)
> 
> So this is why I tend to take a much more pragmatic viewpoint on
> things.  Sure, it makes sense to pay attention to what the C standard
> writers are trying to do to us; but if we need to suppress certain
> optimizations to write sane kernel code --- I'm ok with that.  And
> this is why using a trust-but-verify on a specific set of compilers
> and ranges of compiler versions is a really good idea
> 

In theory, theory and practice should agree, but in practice, practice
is what counts.  I fully agree we should get rid of UD behavior where
doing so is practical, but not at the cost of breaking real-life
compilers, especially not gcc, and to a lesser but still very real
extent icc and clang.

I would also agree that we should push the gcc developers to add to the
manual the C-standard-UD behaviors which are well-defined under the
gnu89/gnu99/gnu11 C dialects.

-hpa




Re: better patch for linux/bitops.h

2016-05-05 Thread tytso
On Thu, May 05, 2016 at 05:34:50PM -0400, Sandy Harris wrote:
> 
> I completely fail to see why tests or compiler versions should be
> part of the discussion. The C standard says the behaviour in
> certain cases is undefined, so a standard-compliant compiler
> can generate more-or-less any code there.
> 

> As long as any of portability, reliability or security are among our
> goals, any code that can give undefined behaviour should be
> considered problematic.

Because compilers have been known not necessarily to obey the specs,
and/or interpret the specs in a way that not everyone agrees with.  It's
also the case that we are *already* disabling certain C optimizations
which are technically allowed by the spec, but which kernel
programmers consider insane (e.g., strict aliasing).

And of course, memzero_explicit() which crypto people understand is
necessary, is something that technically compilers are allowed to
optimize according to the spec.  So trying to write secure kernel code
which will work on arbitrary compilers may well be impossible.

And which is also why people have said (mostly in jest), "A
sufficiently advanced compiler is indistinguishable from an
adversary."  (I assume people will agree that optimizing away a memset
needed to clear secrets from memory would be considered adversarial,
at the very least!)

So this is why I tend to take a much more pragmatic viewpoint on
things.  Sure, it makes sense to pay attention to what the C standard
writers are trying to do to us; but if we need to suppress certain
optimizations to write sane kernel code --- I'm ok with that.  And
this is why using a trust-but-verify on a specific set of compilers
and ranges of compiler versions is a really good idea

 - Ted
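Ted's memzero_explicit() point above, that a memset clearing a secret which is never read again is a dead store the optimizer is entitled to delete, can be shown in a few lines of user-space C. The program below is an added example and not kernel code: memzero_explicit_demo() is a user-space analogue of the kernel's memzero_explicit() (memset followed by barrier_data()), using an empty asm statement that claims to read the buffer so the stores cannot be dropped; derive_and_wipe_unsafe(), derive_and_wipe_safe(), count_nonzero(), wipe_then_check() and demo() are helpers I wrote to exercise it, and the 32-byte secret is constructed.

```c
/* Added example (not from the thread or the kernel tree): why a plain
 * memset() is not a reliable way to scrub secrets, and the barrier idiom
 * the kernel uses instead.  Build with -O2 and compare the object code of
 * the two derive_and_wipe_* functions to see the difference; the checks
 * below only exercise the behaviour. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* User-space analogue of memzero_explicit(): memset followed by a compiler
 * barrier.  The empty asm takes the buffer pointer as an input and declares
 * a memory clobber, so the compiler has to assume the zeroed bytes are
 * observed and cannot treat the memset as a dead store. */
static void memzero_explicit_demo(void *s, size_t n)
{
    memset(s, 0, n);
    __asm__ __volatile__("" : : "r"(s) : "memory");
}

/* The pattern the thread worries about: a secret is copied into a local
 * buffer, a derived value is returned, and the local copy is wiped on the
 * way out.  The wipe is the last access to a buffer that is about to go out
 * of scope, so dead-store elimination may legally remove it and the key
 * bytes stay on the stack.  The "tag" is a toy byte sum standing in for
 * real use of the key. */
static uint32_t derive_and_wipe_unsafe(const uint8_t *secret, size_t n)
{
    uint8_t key[32] = { 0 };
    uint32_t tag = 0;

    memcpy(key, secret, n < sizeof key ? n : sizeof key);
    for (size_t i = 0; i < sizeof key; i++)
        tag += key[i];

    memset(key, 0, sizeof key);          /* may be optimized away */
    return tag;
}

/* Same routine with the explicit variant: the wipe survives optimization. */
static uint32_t derive_and_wipe_safe(const uint8_t *secret, size_t n)
{
    uint8_t key[32] = { 0 };
    uint32_t tag = 0;

    memcpy(key, secret, n < sizeof key ? n : sizeof key);
    for (size_t i = 0; i < sizeof key; i++)
        tag += key[i];

    memzero_explicit_demo(key, sizeof key);   /* kept by the compiler */
    return tag;
}

/* Number of non-zero bytes in p[0..n). */
static size_t count_nonzero(const uint8_t *p, size_t n)
{
    size_t c = 0;

    for (size_t i = 0; i < n; i++)
        c += p[i] != 0;
    return c;
}

/* Fills a buffer with a recognisable pattern, wipes it with the explicit
 * variant and returns how many bytes are still non-zero (expected 0). */
static size_t wipe_then_check(void)
{
    uint8_t buf[64];

    memset(buf, 0xA5, sizeof buf);
    memzero_explicit_demo(buf, sizeof buf);
    return count_nonzero(buf, sizeof buf);
}

/* Runs both derive_and_wipe_* variants on a constructed secret (bytes
 * 0..31, whose byte sum is 496) and returns 1 if both produce that tag. */
static int demo(void)
{
    uint8_t secret[32];                    /* constructed sample secret */

    for (size_t i = 0; i < sizeof secret; i++)
        secret[i] = (uint8_t)i;

    return derive_and_wipe_unsafe(secret, sizeof secret) == 496 &&
           derive_and_wipe_safe(secret, sizeof secret) == 496;
}

int main(void)
{
    printf("tags agree: %s, bytes left after explicit wipe: %zu\n",
           demo() ? "yes" : "no", wipe_then_check());
    return 0;
}
```

Both functions return the same tag, so no test can tell them apart at the C level; the difference only shows in the generated code, which is exactly why Ted calls a compiler that drops the memset "adversarial" and why the kernel routes such wipes through memzero_explicit() rather than trusting a particular compiler version.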


Re: better patch for linux/bitops.h

2016-05-05 Thread Sandy Harris
On Wed, May 4, 2016 at 11:50 PM, Theodore Ts'o  wrote:

> Instead of arguing over who's "sane" or "insane", can we come up with
> an agreed-upon set of tests, and a set of compiler and compiler
> versions ...

I completely fail to see why tests or compiler versions should be
part of the discussion. The C standard says the behaviour in
certain cases is undefined, so a standard-compliant compiler
can generate more-or-less any code there.

As long as any of portability, reliability or security are among our
goals, any code that can give undefined behaviour should be
considered problematic.

> But instead of arguing over what works and doesn't, let's just create
> the the test set and just try it on a wide range of compilers and
> architectures, hmmm?

No. Let's just fix the code so that undefined behaviour cannot occur.

Creating test cases for a fix and trying them on a range of systems
would be useful, perhaps essential, work. Doing tests without a fix
would be a complete waste of time.


[PATCH RESEND v5 3/6] crypto: AF_ALG -- add asymmetric cipher interface

2016-05-05 Thread Tadeusz Struk
From: Stephan Mueller 

This patch adds the user space interface for asymmetric ciphers. The
interface allows the use of sendmsg as well as vmsplice to provide data.

This version has been rebased on top of 4.6 and a few checkpatch issues
have been fixed.

Signed-off-by: Stephan Mueller 
Signed-off-by: Tadeusz Struk 
---
 crypto/algif_akcipher.c |  542 +++
 1 file changed, 542 insertions(+)
 create mode 100644 crypto/algif_akcipher.c

diff --git a/crypto/algif_akcipher.c b/crypto/algif_akcipher.c
new file mode 100644
index 000..6342b6e
--- /dev/null
+++ b/crypto/algif_akcipher.c
@@ -0,0 +1,542 @@
+/*
+ * algif_akcipher: User-space interface for asymmetric cipher algorithms
+ *
+ * Copyright (C) 2015, Stephan Mueller 
+ *
+ * This file provides the user-space API for asymmetric ciphers.
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+
+struct akcipher_sg_list {
+   unsigned int cur;
+   struct scatterlist sg[ALG_MAX_PAGES];
+};
+
+struct akcipher_ctx {
+   struct akcipher_sg_list tsgl;
+   struct af_alg_sgl rsgl[ALG_MAX_PAGES];
+
+   struct af_alg_completion completion;
+
+   unsigned long used;
+
+   unsigned int len;
+   bool more;
+   bool merge;
+   int op;
+
+   struct akcipher_request req;
+};
+
+static inline int akcipher_sndbuf(struct sock *sk)
+{
+   struct alg_sock *ask = alg_sk(sk);
+   struct akcipher_ctx *ctx = ask->private;
+
+   return max_t(int, max_t(int, sk->sk_sndbuf & PAGE_MASK, PAGE_SIZE) -
+ ctx->used, 0);
+}
+
+static inline bool akcipher_writable(struct sock *sk)
+{
+   return akcipher_sndbuf(sk) >= PAGE_SIZE;
+}
+
+static inline int akcipher_calcsize(struct akcipher_ctx *ctx)
+{
+   return crypto_akcipher_maxsize(crypto_akcipher_reqtfm(>req));
+}
+
+static void akcipher_put_sgl(struct sock *sk)
+{
+   struct alg_sock *ask = alg_sk(sk);
+   struct akcipher_ctx *ctx = ask->private;
+   struct akcipher_sg_list *sgl = >tsgl;
+   struct scatterlist *sg = sgl->sg;
+   unsigned int i;
+
+   for (i = 0; i < sgl->cur; i++) {
+   if (!sg_page(sg + i))
+   continue;
+
+   put_page(sg_page(sg + i));
+   sg_assign_page(sg + i, NULL);
+   }
+   sg_init_table(sg, ALG_MAX_PAGES);
+   sgl->cur = 0;
+   ctx->used = 0;
+   ctx->more = 0;
+   ctx->merge = 0;
+}
+
+static void akcipher_wmem_wakeup(struct sock *sk)
+{
+   struct socket_wq *wq;
+
+   if (!akcipher_writable(sk))
+   return;
+
+   rcu_read_lock();
+   wq = rcu_dereference(sk->sk_wq);
+   if (wq_has_sleeper(>wait))
+   wake_up_interruptible_sync_poll(>wait, POLLIN |
+  POLLRDNORM |
+  POLLRDBAND);
+   sk_wake_async(sk, SOCK_WAKE_WAITD, POLL_IN);
+   rcu_read_unlock();
+}
+
+static int akcipher_wait_for_data(struct sock *sk, unsigned int flags)
+{
+   struct alg_sock *ask = alg_sk(sk);
+   struct akcipher_ctx *ctx = ask->private;
+   long timeout;
+   DEFINE_WAIT(wait);
+   int err = -ERESTARTSYS;
+
+   if (flags & MSG_DONTWAIT)
+   return -EAGAIN;
+
+   set_bit(SOCKWQ_ASYNC_WAITDATA, >sk_socket->flags);
+
+   for (;;) {
+   if (signal_pending(current))
+   break;
+   prepare_to_wait(sk_sleep(sk), , TASK_INTERRUPTIBLE);
+   timeout = MAX_SCHEDULE_TIMEOUT;
+   if (sk_wait_event(sk, , !ctx->more)) {
+   err = 0;
+   break;
+   }
+   }
+   finish_wait(sk_sleep(sk), );
+
+   clear_bit(SOCKWQ_ASYNC_WAITDATA, >sk_socket->flags);
+
+   return err;
+}
+
+static void akcipher_data_wakeup(struct sock *sk)
+{
+   struct alg_sock *ask = alg_sk(sk);
+   struct akcipher_ctx *ctx = ask->private;
+   struct socket_wq *wq;
+
+   if (ctx->more)
+   return;
+   if (!ctx->used)
+   return;
+
+   rcu_read_lock();
+   wq = rcu_dereference(sk->sk_wq);
+   if (wq_has_sleeper(>wait))
+   wake_up_interruptible_sync_poll(>wait, POLLOUT |
+  POLLRDNORM |
+  POLLRDBAND);
+   sk_wake_async(sk, SOCK_WAKE_SPACE, POLL_OUT);
+   rcu_read_unlock();
+}
+
+static int akcipher_sendmsg(struct socket *sock, struct 
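Review bot: the wakeup flags in akcipher_wmem_wakeup() and akcipher_data_wakeup() look inverted relative to what each function signals. akcipher_wmem_wakeup() runs when the send buffer has become writable (akcipher_writable()) yet wakes pollers with POLLIN | POLLRDNORM | POLLRDBAND and sk_wake_async(sk, SOCK_WAKE_WAITD, POLL_IN), while akcipher_data_wakeup() runs when a complete request is queued (!ctx->more && ctx->used) yet wakes with POLLOUT and SOCK_WAKE_SPACE / POLL_OUT. If this deliberately mirrors the existing algif_* files, a one-line comment saying so will stop the next reader from "fixing" it; otherwise swap the two flag sets. Smaller point: akcipher_put_sgl() assigns 0 to the bool fields ctx->more and ctx->merge; use false.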

[PATCH RESEND v5 4/6] crypto: algif_akcipher - enable compilation

2016-05-05 Thread Tadeusz Struk
From: Stephan Mueller 

Add the Makefile and Kconfig updates to allow algif_akcipher to be
compiled.

Signed-off-by: Stephan Mueller 
Signed-off-by: Tadeusz Struk 
---
 crypto/Kconfig  |9 +
 crypto/Makefile |1 +
 2 files changed, 10 insertions(+)

diff --git a/crypto/Kconfig b/crypto/Kconfig
index 93a1fdc..b932319 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -1626,6 +1626,15 @@ config CRYPTO_USER_API_AEAD
  This option enables the user-spaces interface for AEAD
  cipher algorithms.
 
+config CRYPTO_USER_API_AKCIPHER
+   tristate "User-space interface for asymmetric key cipher algorithms"
+   depends on NET
+   select CRYPTO_AKCIPHER2
+   select CRYPTO_USER_API
+   help
+ This option enables the user-spaces interface for asymmetric
+ key cipher algorithms.
+
 config CRYPTO_HASH_INFO
bool
 
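Review bot: the help text reads "user-spaces interface" (copying the typo from the CRYPTO_USER_API_AEAD entry in the context lines above); write "user-space interface". Also worth a sentence in the help text: `select CRYPTO_AKCIPHER2` only pulls in the akcipher type, so an actual implementation (CRYPTO_RSA, for example) still has to be enabled for the socket to bind to anything.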
diff --git a/crypto/Makefile b/crypto/Makefile
index 4f4ef7e..c51ac16 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -121,6 +121,7 @@ obj-$(CONFIG_CRYPTO_USER_API_HASH) += algif_hash.o
 obj-$(CONFIG_CRYPTO_USER_API_SKCIPHER) += algif_skcipher.o
 obj-$(CONFIG_CRYPTO_USER_API_RNG) += algif_rng.o
 obj-$(CONFIG_CRYPTO_USER_API_AEAD) += algif_aead.o
+obj-$(CONFIG_CRYPTO_USER_API_AKCIPHER) += algif_akcipher.o
 
 #
 # generic algorithms and the async_tx api



[PATCH RESEND v5 1/6] crypto: AF_ALG -- add sign/verify API

2016-05-05 Thread Tadeusz Struk
From: Stephan Mueller 

Add the flags for handling signature generation and signature
verification.

Also, the patch adds the interface for setting a public key.

Signed-off-by: Stephan Mueller 
Signed-off-by: Tadeusz Struk 
---
 include/uapi/linux/if_alg.h |3 +++
 1 file changed, 3 insertions(+)

diff --git a/include/uapi/linux/if_alg.h b/include/uapi/linux/if_alg.h
index f2acd2f..02e6162 100644
--- a/include/uapi/linux/if_alg.h
+++ b/include/uapi/linux/if_alg.h
@@ -34,9 +34,12 @@ struct af_alg_iv {
 #define ALG_SET_OP 3
 #define ALG_SET_AEAD_ASSOCLEN  4
 #define ALG_SET_AEAD_AUTHSIZE  5
+#define ALG_SET_PUBKEY 6
 
 /* Operations */
 #define ALG_OP_DECRYPT 0
 #define ALG_OP_ENCRYPT 1
+#define ALG_OP_SIGN2
+#define ALG_OP_VERIFY  3
 
 #endif /* _LINUX_IF_ALG_H */
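Review bot: the new UAPI constants ALG_SET_PUBKEY, ALG_OP_SIGN and ALG_OP_VERIFY carry no comment on their semantics, and UAPI values are frozen once released. State, in this header or at least in the commit message, what the optval for ALG_SET_PUBKEY contains (the same encoding the akcipher setkey callback expects, or something else) and what ALG_OP_SIGN / ALG_OP_VERIFY read from and write to the socket, so user-space libraries do not have to infer it from algif_akcipher.c.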



[PATCH RESEND v5 5/6] crypto: algif_akcipher - add ops_nokey

2016-05-05 Thread Tadeusz Struk
Similar to algif_skcipher and algif_hash, algif_akcipher needs
to prevent user space from using the interface in an improper way.
This patch adds nokey ops handlers, which do just that.

Signed-off-by: Tadeusz Struk 
---
 crypto/algif_akcipher.c |  159 +--
 1 file changed, 152 insertions(+), 7 deletions(-)

diff --git a/crypto/algif_akcipher.c b/crypto/algif_akcipher.c
index 6342b6e..e00793d 100644
--- a/crypto/algif_akcipher.c
+++ b/crypto/algif_akcipher.c
@@ -27,6 +27,11 @@ struct akcipher_sg_list {
struct scatterlist sg[ALG_MAX_PAGES];
 };
 
+struct akcipher_tfm {
+   struct crypto_akcipher *akcipher;
+   bool has_key;
+};
+
 struct akcipher_ctx {
struct akcipher_sg_list tsgl;
struct af_alg_sgl rsgl[ALG_MAX_PAGES];
@@ -450,25 +455,151 @@ static struct proto_ops algif_akcipher_ops = {
.poll   =   akcipher_poll,
 };
 
+static int akcipher_check_key(struct socket *sock)
+{
+   int err = 0;
+   struct sock *psk;
+   struct alg_sock *pask;
+   struct akcipher_tfm *tfm;
+   struct sock *sk = sock->sk;
+   struct alg_sock *ask = alg_sk(sk);
+
+   lock_sock(sk);
+   if (ask->refcnt)
+   goto unlock_child;
+
+   psk = ask->parent;
+   pask = alg_sk(ask->parent);
+   tfm = pask->private;
+
+   err = -ENOKEY;
+   lock_sock_nested(psk, SINGLE_DEPTH_NESTING);
+   if (!tfm->has_key)
+   goto unlock;
+
+   if (!pask->refcnt++)
+   sock_hold(psk);
+
+   ask->refcnt = 1;
+   sock_put(psk);
+
+   err = 0;
+
+unlock:
+   release_sock(psk);
+unlock_child:
+   release_sock(sk);
+
+   return err;
+}
+
+static int akcipher_sendmsg_nokey(struct socket *sock, struct msghdr *msg,
+ size_t size)
+{
+   int err;
+
+   err = akcipher_check_key(sock);
+   if (err)
+   return err;
+
+   return akcipher_sendmsg(sock, msg, size);
+}
+
+static ssize_t akcipher_sendpage_nokey(struct socket *sock, struct page *page,
+  int offset, size_t size, int flags)
+{
+   int err;
+
+   err = akcipher_check_key(sock);
+   if (err)
+   return err;
+
+   return akcipher_sendpage(sock, page, offset, size, flags);
+}
+
+static int akcipher_recvmsg_nokey(struct socket *sock, struct msghdr *msg,
+ size_t ignored, int flags)
+{
+   int err;
+
+   err = akcipher_check_key(sock);
+   if (err)
+   return err;
+
+   return akcipher_recvmsg(sock, msg, ignored, flags);
+}
+
+static struct proto_ops algif_akcipher_ops_nokey = {
+   .family =   PF_ALG,
+
+   .connect=   sock_no_connect,
+   .socketpair =   sock_no_socketpair,
+   .getname=   sock_no_getname,
+   .ioctl  =   sock_no_ioctl,
+   .listen =   sock_no_listen,
+   .shutdown   =   sock_no_shutdown,
+   .getsockopt =   sock_no_getsockopt,
+   .mmap   =   sock_no_mmap,
+   .bind   =   sock_no_bind,
+   .accept =   sock_no_accept,
+   .setsockopt =   sock_no_setsockopt,
+
+   .release=   af_alg_release,
+   .sendmsg=   akcipher_sendmsg_nokey,
+   .sendpage   =   akcipher_sendpage_nokey,
+   .recvmsg=   akcipher_recvmsg_nokey,
+   .poll   =   akcipher_poll,
+};
+
 static void *akcipher_bind(const char *name, u32 type, u32 mask)
 {
-   return crypto_alloc_akcipher(name, type, mask);
+   struct akcipher_tfm *tfm;
+   struct crypto_akcipher *akcipher;
+
+   tfm = kzalloc(sizeof(*tfm), GFP_KERNEL);
+   if (!tfm)
+   return ERR_PTR(-ENOMEM);
+
+   akcipher = crypto_alloc_akcipher(name, type, mask);
+   if (IS_ERR(akcipher)) {
+   kfree(tfm);
+   return ERR_CAST(akcipher);
+   }
+
+   tfm->akcipher = akcipher;
+   return tfm;
 }
 
 static void akcipher_release(void *private)
 {
-   crypto_free_akcipher(private);
+   struct akcipher_tfm *tfm = private;
+   struct crypto_akcipher *akcipher = tfm->akcipher;
+
+   crypto_free_akcipher(akcipher);
+   kfree(tfm);
 }
 
 static int akcipher_setprivkey(void *private, const u8 *key,
   unsigned int keylen)
 {
-   return crypto_akcipher_set_priv_key(private, key, keylen);
+   struct akcipher_tfm *tfm = private;
+   struct crypto_akcipher *akcipher = tfm->akcipher;
+   int err;
+
+   err = crypto_akcipher_set_priv_key(akcipher, key, keylen);
+   tfm->has_key = !err;
+   return err;
 }
 
 static int akcipher_setpubkey(void *private, const u8 *key, unsigned int 
keylen)
 {
-   return crypto_akcipher_set_pub_key(private, key, keylen);
+   struct akcipher_tfm 
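Review bot: tfm->has_key is a single flag that does not record which kind of key was set. akcipher_setprivkey() sets `tfm->has_key = !err;`, and if akcipher_setpubkey() (cut off at the end of this hunk) does the same, a socket that has only a public key passes akcipher_check_key() and reaches akcipher_sendmsg()/akcipher_recvmsg() for ALG_OP_SIGN or ALG_OP_DECRYPT with no private key present. Either track the two separately (has_privkey / has_pubkey) and check the one the requested op needs, or say in the commit message where that case is rejected. Also, akcipher_check_key() repeats the nokey pattern the commit message attributes to algif_skcipher and algif_hash line for line; a shared helper in af_alg.c taking a has-key predicate would avoid a third copy.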

[PATCH RESEND v5 6/6] crypto: AF_ALG - add support for key_id

2016-05-05 Thread Tadeusz Struk
This patch adds support for the asymmetric key type to AF_ALG.
It will work as follows: new PF_ALG socket options are
added on top of the existing ALG_SET_KEY and ALG_SET_PUBKEY, namely
ALG_SET_KEY_ID and ALG_SET_PUBKEY_ID for setting public and
private keys respectively. When these new options are used,
the user, instead of providing the key material, will provide a
key id and the key itself will be obtained from the kernel keyring
subsystem. The user will use the standard tools (the keyctl tool
or the keyctl syscall) for key instantiation and to obtain the
key id. The key id can also be obtained by reading the
/proc/keys file.

When a key corresponding to the given keyid is found, it is stored
in the socket context and subsequent crypto operations invoked by the
user will use the new asymmetric accessor functions instead of the akcipher
api. The asymmetric subtype can internally use the akcipher api or
invoke operations defined by a given subtype, depending on the
key type.

Signed-off-by: Tadeusz Struk 
---
 crypto/af_alg.c |   10 ++
 crypto/algif_akcipher.c |  207 ++-
 include/crypto/if_alg.h |1 
 include/uapi/linux/if_alg.h |2 
 4 files changed, 215 insertions(+), 5 deletions(-)

diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index 24dc082..59c8244 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -260,6 +260,16 @@ static int alg_setsockopt(struct socket *sock, int level, 
int optname,
 
err = alg_setkey(sk, optval, optlen, type->setpubkey);
break;
+
+   case ALG_SET_KEY_ID:
+   case ALG_SET_PUBKEY_ID:
+   /* ALG_SET_KEY_ID is only for akcipher */
+   if (!strcmp(type->name, "akcipher") ||
+   sock->state == SS_CONNECTED)
+   goto unlock;
+
+   err = alg_setkey(sk, optval, optlen, type->setkeyid);
+   break;
case ALG_SET_AEAD_AUTHSIZE:
if (sock->state == SS_CONNECTED)
goto unlock;
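Review bot: the guard in the ALG_SET_KEY_ID / ALG_SET_PUBKEY_ID case is inverted. `!strcmp(type->name, "akcipher")` is true exactly when the type *is* "akcipher", so the code jumps to unlock for akcipher sockets and lets every other type through to type->setkeyid, the opposite of what the comment says. It should read `if (strcmp(type->name, "akcipher") || sock->state == SS_CONNECTED) goto unlock;`, or better, drop the name comparison altogether and rely on alg_setkey() returning -ENOPROTOOPT when the callback is NULL (patch 2/6 adds that check), which already covers every type that does not implement setkeyid.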
diff --git a/crypto/algif_akcipher.c b/crypto/algif_akcipher.c
index e00793d..f486b6d 100644
--- a/crypto/algif_akcipher.c
+++ b/crypto/algif_akcipher.c
@@ -14,6 +14,8 @@
 #include 
 #include 
 #include 
+#include 
+#include 
 #include 
 #include 
 #include 
@@ -29,6 +31,7 @@ struct akcipher_sg_list {
 
 struct akcipher_tfm {
struct crypto_akcipher *akcipher;
+   char keyid[12];
bool has_key;
 };
 
@@ -37,6 +40,7 @@ struct akcipher_ctx {
struct af_alg_sgl rsgl[ALG_MAX_PAGES];
 
struct af_alg_completion completion;
+   struct key *key;
 
unsigned long used;
 
@@ -322,6 +326,153 @@ unlock:
return err ? err : size;
 }
 
+static int asym_key_encrypt(const struct key *key, struct akcipher_request 
*req)
+{
+   struct kernel_pkey_params params = {0};
+   char *src = NULL, *dst = NULL, *in, *out;
+   int ret;
+
+   if (!sg_is_last(req->src)) {
+   src = kmalloc(req->src_len, GFP_KERNEL);
+   if (!src)
+   return -ENOMEM;
+   scatterwalk_map_and_copy(src, req->src, 0, req->src_len, 0);
+   in = src;
+   } else {
+   in = sg_virt(req->src);
+   }
+   if (!sg_is_last(req->dst)) {
+   dst = kmalloc(req->dst_len, GFP_KERNEL);
+   if (!dst) {
+   kfree(src);
+   return -ENOMEM;
+   }
+   out = dst;
+   } else {
+   out = sg_virt(req->dst);
+   }
+   params.key = (struct key *)key;
+   params.data_len = req->src_len;
+   params.enc_len = req->dst_len;
+   ret = encrypt_blob(, in, out);
+   if (ret)
+   goto free;
+
+   if (dst)
+   scatterwalk_map_and_copy(dst, req->dst, 0, req->dst_len, 1);
+free:
+   kfree(src);
+   kfree(dst);
+   return ret;
+}
+
+static int asym_key_decrypt(const struct key *key, struct akcipher_request 
*req)
+{
+   struct kernel_pkey_params params = {0};
+   char *src = NULL, *dst = NULL, *in, *out;
+   int ret;
+
+   if (!sg_is_last(req->src)) {
+   src = kmalloc(req->src_len, GFP_KERNEL);
+   if (!src)
+   return -ENOMEM;
+   scatterwalk_map_and_copy(src, req->src, 0, req->src_len, 0);
+   in = src;
+   } else {
+   in = sg_virt(req->src);
+   }
+   if (!sg_is_last(req->dst)) {
+   dst = kmalloc(req->dst_len, GFP_KERNEL);
+   if (!dst) {
+   kfree(src);
+   return -ENOMEM;
+   }
+   out = dst;
+   } else {
+   out = sg_virt(req->dst);
+   }
+   params.key = (struct key *)key;
+   params.data_len = req->src_len;
+   params.enc_len = req->dst_len;
+   ret = decrypt_blob(, in, out);
+   if (ret)
+  
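Review bot: asym_key_encrypt() treats any non-zero return from encrypt_blob() as failure (`if (ret) goto free;`). If encrypt_blob() follows the keyctl convention of returning the number of bytes produced on success, every successful call skips the copy back into req->dst and hands a positive "error" to the caller; test `ret < 0` instead and return the produced length. asym_key_decrypt() has the same shape with decrypt_blob(). Secondary points: the two functions are identical apart from the blob call, so the gather/scatter handling belongs in one helper taking a function pointer; `sg_virt(req->src)` on a single-entry list assumes a mapped lowmem page, which scatterwalk_map_and_copy() already handles, so using it unconditionally would also remove the special case; and `(struct key *)key` casts away const, which a non-const `struct key *` parameter would avoid.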

[PATCH RESEND v5 2/6] crypto: AF_ALG -- add setpubkey setsockopt call

2016-05-05 Thread Tadeusz Struk
From: Stephan Mueller 

For supporting asymmetric ciphers, user space must be able to set the
public key. The patch adds a new setsockopt call for setting the public
key.

Signed-off-by: Stephan Mueller 
---
 crypto/af_alg.c |   18 +-
 include/crypto/if_alg.h |1 +
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/crypto/af_alg.c b/crypto/af_alg.c
index f5e18c2..24dc082 100644
--- a/crypto/af_alg.c
+++ b/crypto/af_alg.c
@@ -202,13 +202,17 @@ unlock:
 }
 
 static int alg_setkey(struct sock *sk, char __user *ukey,
- unsigned int keylen)
+ unsigned int keylen,
+ int (*setkey)(void *private, const u8 *key,
+   unsigned int keylen))
 {
struct alg_sock *ask = alg_sk(sk);
-   const struct af_alg_type *type = ask->type;
u8 *key;
int err;
 
+   if (!setkey)
+   return -ENOPROTOOPT;
+
key = sock_kmalloc(sk, keylen, GFP_KERNEL);
if (!key)
return -ENOMEM;
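Review bot: the callback type `int (*)(void *private, const u8 *key, unsigned int keylen)` is now spelled out in alg_setkey()'s prototype and again in struct af_alg_type for both setkey and setpubkey; a typedef in if_alg.h would keep the three in sync. Also worth saying in the commit message that alg_setkey() now returns -ENOPROTOOPT itself when the callback is absent, replacing the `if (!type->setkey) goto unlock;` check removed from alg_setsockopt() below.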
@@ -217,7 +221,7 @@ static int alg_setkey(struct sock *sk, char __user *ukey,
if (copy_from_user(key, ukey, keylen))
goto out;
 
-   err = type->setkey(ask->private, key, keylen);
+   err = setkey(ask->private, key, keylen);
 
 out:
sock_kzfree_s(sk, key, keylen);
@@ -247,10 +251,14 @@ static int alg_setsockopt(struct socket *sock, int level, 
int optname,
case ALG_SET_KEY:
if (sock->state == SS_CONNECTED)
goto unlock;
-   if (!type->setkey)
+
+   err = alg_setkey(sk, optval, optlen, type->setkey);
+   break;
+   case ALG_SET_PUBKEY:
+   if (sock->state == SS_CONNECTED)
goto unlock;
 
-   err = alg_setkey(sk, optval, optlen);
+   err = alg_setkey(sk, optval, optlen, type->setpubkey);
break;
case ALG_SET_AEAD_AUTHSIZE:
if (sock->state == SS_CONNECTED)
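Review bot: the ALG_SET_KEY and ALG_SET_PUBKEY cases differ only in the callback passed, so the SS_CONNECTED check can be shared, e.g. `case ALG_SET_KEY: case ALG_SET_PUBKEY: if (sock->state == SS_CONNECTED) goto unlock;` followed by `err = alg_setkey(sk, optval, optlen, optname == ALG_SET_KEY ? type->setkey : type->setpubkey);`.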
diff --git a/include/crypto/if_alg.h b/include/crypto/if_alg.h
index a2bfd78..6c3e6e7 100644
--- a/include/crypto/if_alg.h
+++ b/include/crypto/if_alg.h
@@ -52,6 +52,7 @@ struct af_alg_type {
void *(*bind)(const char *name, u32 type, u32 mask);
void (*release)(void *private);
int (*setkey)(void *private, const u8 *key, unsigned int keylen);
+   int (*setpubkey)(void *private, const u8 *key, unsigned int keylen);
int (*accept)(void *private, struct sock *sk);
int (*accept_nokey)(void *private, struct sock *sk);
int (*setauthsize)(void *private, unsigned int authsize);
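Review bot: struct af_alg_type gains setpubkey with no comment; a one-line note that it is optional (alg_setkey() returns -ENOPROTOOPT when it is NULL) would help the other algif types decide whether they need to implement it.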



[PATCH RESEND v5 0/6] crypto: algif - add akcipher

2016-05-05 Thread Tadeusz Struk
First four patches are a resend of the v3 algif_akcipher from
Stephan Mueller, with minor changes after rebase on top of 4.6-rc1.

The next three patches add support for keys stored in system
keyring subsystem.

First patch adds algif_akcipher nokey handlers.

Second patch adds generic sign, verify, encrypt, decrypt accessor
functions to the asymmetric key type. These will be defined by
asymmetric subtypes, similarly to how public_key currently defines
the verify_signature function.

Third patch adds support for ALG_SET_KEY_ID and ALG_SET_PUBKEY_ID
commands to AF_ALG and setkeyid operation to the af_alg_type struct.
If the keyid is used then the afalg layer acquires the key for the
keyring subsystem and uses the new asymmetric accessor functions
instead of akcipher api. The asymmetric subtypes can use akcipher
api internally.

This is the same v5 version as before rebased on top of
http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-asym-keyctl

v5 changes:
- drop public key changes and use new version provided by David

v4 changes:
- don't use internal public_key struct in af_alg.
- add generic accessor functions to asymmetric key type, which take
  the generic struct key type and resolve the specific subtype internally

v3 changes:
- include Stephan's patches (rebased on 4.6-rc1)
- add algif_akcipher nokey handlers
- add public_key info struct to public_key and helper query functions
- add a check if a key is a software accessible key on af_alg, and
  return -ENOKEY if it isn't

v2 changes:
- pass the original skcipher request in ablkcipher.base.data instead of
  casting it back from the ablkcipher request.
- rename _req to base_req
- dropped 3/3

---

Stephan Mueller (4):
  crypto: AF_ALG -- add sign/verify API
  crypto: AF_ALG -- add setpubkey setsockopt call
  crypto: AF_ALG -- add asymmetric cipher interface
  crypto: algif_akcipher - enable compilation

Tadeusz Struk (2):
  crypto: algif_akcipher - add ops_nokey
  crypto: AF_ALG - add support for key_id

 crypto/Kconfig  |9 
 crypto/Makefile |1 
 crypto/af_alg.c |   28 +
 crypto/algif_akcipher.c |  884 +++
 include/crypto/if_alg.h |2 
 include/uapi/linux/if_alg.h |5 
 6 files changed, 924 insertions(+), 5 deletions(-)
 create mode 100644 crypto/algif_akcipher.c

--
TS


Re: [PATCH v2 3/8] arm64: add io{read,write}64be accessors

2016-05-05 Thread Catalin Marinas
On Thu, May 05, 2016 at 06:36:04PM +0300, Horia Geantă wrote:
> This will allow device drivers to consistently use io{read,write}XXbe
> also for 64-bit accesses.
> 
> Signed-off-by: Alex Porosanu 
> Signed-off-by: Horia Geantă 

Acked-by: Catalin Marinas 


Re: UB in general ... and linux/bitops.h in particular

2016-05-05 Thread Andi Kleen
> Suggestions:
> 
>  a) Going forward, I suggest that UB should not be invoked
>   unless there is a good solid reason.

Good luck rewriting most of the kernel source.

This discussion is insane!

-Andi


Re: [PATCH v2 2/8] asm-generic/io.h: add io{read,write}64 accessors

2016-05-05 Thread Arnd Bergmann
On Thursday 05 May 2016 18:35:56 Horia Geantă wrote:
> This will allow device drivers to consistently use io{read,write}XX
> also for 64-bit accesses.
> 
> Signed-off-by: Horia Geantă 
> 

Acked-by: Arnd Bergmann 


Re: [crypto / sparc64] cryptomgr_test OOPS

2016-05-05 Thread Tadeusz Struk
On 05/05/2016 02:50 AM, Herbert Xu wrote:
> On Thu, May 05, 2016 at 12:40:18PM +0300, Anatoly Pugachev wrote:
>>
>> sure, based on your cryptodev git, just tried 4.3 (6a13feb , good)
>> kernel in an attempt to find (bisect) when the RSA code broke, already tested
>> 4.5 (44d1b6d , bad) , 4.4 (afd2ff9 , bad).
>> Going to try your patch soon (when I'm back home).
>> So far 4.3 passes the RSA stage without an OOPS, but for another reason does
>> not boot to the login prompt. Boot log excerpt (4.3), this is with
>> CONFIG_CRYPTO_RSA=y :
> 
> That jibes with this being a problem with the SG list since it
> was only added in 4.4.

Before 4.4 the RSA sw implementation kmalloced an intermediate flat buffer
and copied the data internally.
Thanks,
-- 
TS


Re: [crypto / sparc64] cryptomgr_test OOPS

2016-05-05 Thread Tadeusz Struk
On 05/05/2016 08:31 AM, Anatoly Pugachev wrote:
> On Thu, May 5, 2016 at 6:00 PM, Tadeusz Struk  wrote:
>> On 05/05/2016 02:40 AM, Anatoly Pugachev wrote:
>>> Sure, based on your cryptodev git, I just tried the 4.3 (6a13feb, good)
>>> kernel in an attempt to find (bisect) when the RSA code broke; already tested
>>> 4.5 (44d1b6d, bad), 4.4 (afd2ff9, bad).
>>> Going to try your patch soon (when I'm back home).
>>> So far 4.3 passes the RSA stage without an OOPS, but for another reason does
>>> not boot to the login prompt. Boot log excerpt (4.3), this is with
>>> CONFIG_CRYPTO_RSA=y:
>>
>> Anatoly, could you also give this a try please:
>> Thanks
>>
>> diff --git a/crypto/testmgr.c b/crypto/testmgr.c
>> index b86883a..770970ff 100644
>> --- a/crypto/testmgr.c
>> +++ b/crypto/testmgr.c
>> @@ -1805,8 +1805,8 @@ static int do_test_rsa(struct crypto_akcipher *tfm,
>> goto free_req;
>>
>> sg_init_table(src_tab, 2);
>> -   sg_set_buf(_tab[0], vecs->m, 8);
>> -   sg_set_buf(_tab[1], vecs->m + 8, vecs->m_size - 8);
>> +   sg_set_buf(_tab[0], vecs->m, 4);
>> +   sg_set_buf(_tab[1], vecs->m + 4, vecs->m_size - 4);
>> sg_init_one(, outbuf_enc, out_len_max);
>> akcipher_request_set_crypt(req, src_tab, , vecs->m_size,
>>out_len_max);
> 
> 
> Tadeusz,
> 
> do you still want to test it, after I have reported that Herbert's patch works?
> 

Hi Anatoly,
Since Herbert's patch fixes it for you, there is no need to test this one.
Thanks,
-- 
TS


Re: [PATCH] Bluetooth: convert smp module to crypto kpp API

2016-05-05 Thread Marcel Holtmann
Hi Salvatore,

> This patch has *not* been tested as I don't have the hardware.
> Its purpose is to show how to use the kpp API.
> 
> Based on https://patchwork.kernel.org/patch/9022371/

actually you should be able to verify this without hardware. The BlueZ 
userspace package contains tools/mgmt-tester and tools/smp-tester which should 
both exercise most of the Bluetooth Security Manager (SMP) pieces.

Regards

Marcel



[PATCH v2 6/8] crypto: caam - handle core endianness != caam endianness

2016-05-05 Thread Horia Geantă
There are SoCs like LS1043A where CAAM endianness (BE) does not match
the default endianness of the core (LE).
Moreover, there are requirements for the driver to handle cases like
CPU_BIG_ENDIAN=y on ARM-based SoCs.
This requires a complete rewrite of the I/O accessors.

PPC-specific accessors - {in,out}_{le,be}XX - are replaced with
generic ones - io{read,write}[be]XX.

Endianness is detected dynamically (at runtime) to allow for
multiplatform kernels, e.g. running the same kernel image
on LS1043A (BE CAAM) and LS2080A (LE CAAM) armv8-based SoCs.

While here: debugfs entries need to take into consideration the
endianness of the core when displaying data. Add the necessary
glue code so the entries remain the same, but they are properly
read, regardless of the core and/or SEC endianness.

Note: pdb.h fixes only what is currently being used (IPsec).

Signed-off-by: Horia Geantă 
Signed-off-by: Alex Porosanu 
---
 drivers/crypto/caam/Kconfig   |   4 -
 drivers/crypto/caam/caamhash.c|   5 +-
 drivers/crypto/caam/ctrl.c| 125 +++
 drivers/crypto/caam/desc.h|   7 +-
 drivers/crypto/caam/desc_constr.h |  44 +++
 drivers/crypto/caam/jr.c  |  22 +++---
 drivers/crypto/caam/pdb.h | 137 ++
 drivers/crypto/caam/regs.h| 151 +-
 drivers/crypto/caam/sg_sw_sec4.h  |  11 +--
 9 files changed, 340 insertions(+), 166 deletions(-)

diff --git a/drivers/crypto/caam/Kconfig b/drivers/crypto/caam/Kconfig
index 5652a53415dc..d2c2909a4020 100644
--- a/drivers/crypto/caam/Kconfig
+++ b/drivers/crypto/caam/Kconfig
@@ -116,10 +116,6 @@ config CRYPTO_DEV_FSL_CAAM_IMX
def_bool SOC_IMX6 || SOC_IMX7D
depends on CRYPTO_DEV_FSL_CAAM
 
-config CRYPTO_DEV_FSL_CAAM_LE
-   def_bool CRYPTO_DEV_FSL_CAAM_IMX || SOC_LS1021A
-   depends on CRYPTO_DEV_FSL_CAAM
-
 config CRYPTO_DEV_FSL_CAAM_DEBUG
bool "Enable debug output in CAAM driver"
depends on CRYPTO_DEV_FSL_CAAM
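Review bot: dropping CRYPTO_DEV_FSL_CAAM_LE turns any remaining `#ifdef CONFIG_CRYPTO_DEV_FSL_CAAM_LE` into a silently-false branch rather than a build error. The diffstat lists regs.h and desc.h, but those hunks are not visible in this copy, so please confirm that every user of the symbol is removed in this same patch and replaced by the runtime `caam_little_end` check; a leftover compile-time test would pick the wrong byte order on LS1043A without any diagnostic.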
diff --git a/drivers/crypto/caam/caamhash.c b/drivers/crypto/caam/caamhash.c
index 5845d4a08797..f1ecc8df8d41 100644
--- a/drivers/crypto/caam/caamhash.c
+++ b/drivers/crypto/caam/caamhash.c
@@ -847,7 +847,7 @@ static int ahash_update_ctx(struct ahash_request *req)
 *next_buflen, 0);
} else {
(edesc->sec4_sg + sec4_sg_src_index - 1)->len |=
-   SEC4_SG_LEN_FIN;
+   cpu_to_caam32(SEC4_SG_LEN_FIN);
}
 
state->current_buf = !state->current_buf;
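Review bot: `len |= cpu_to_caam32(SEC4_SG_LEN_FIN)` is only correct if `len` was already stored in device order by the helper that filled the entry, and the same OR-in exists in sg_sw_sec4.h (`sec4_sg_ptr->len |= SEC4_SG_LEN_FIN` in patch 5/8 of this series). The diffstat shows sg_sw_sec4.h is touched here too, but the hunk is not visible; if the two sites ever disagree, the engine reads a corrupted length rather than a FINAL flag. A single helper such as `sec4_sg_set_final(entry)` that owns the conversion would keep both call sites from drifting.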
@@ -949,7 +949,8 @@ static int ahash_final_ctx(struct ahash_request *req)
state->buf_dma = try_buf_map_to_sec4_sg(jrdev, edesc->sec4_sg + 1,
buf, state->buf_dma, buflen,
last_buflen);
-   (edesc->sec4_sg + sec4_sg_src_index - 1)->len |= SEC4_SG_LEN_FIN;
+   (edesc->sec4_sg + sec4_sg_src_index - 1)->len |=
+   cpu_to_caam32(SEC4_SG_LEN_FIN);
 
edesc->sec4_sg_dma = dma_map_single(jrdev, edesc->sec4_sg,
sec4_sg_bytes, DMA_TO_DEVICE);
diff --git a/drivers/crypto/caam/ctrl.c b/drivers/crypto/caam/ctrl.c
index 44d30b45f3cc..1c8e764872ae 100644
--- a/drivers/crypto/caam/ctrl.c
+++ b/drivers/crypto/caam/ctrl.c
@@ -15,6 +15,9 @@
 #include "desc_constr.h"
 #include "error.h"
 
+bool caam_little_end;
+EXPORT_SYMBOL(caam_little_end);
+
 /*
  * i.MX targets tend to have clock control subsystems that can
  * enable/disable clocking to our device.
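Review bot: `caam_little_end` is written once at probe and read on every register access, but nothing here says where it is initialised or that consumers (jr.c, caamhash.c) must not read it before ctrl.c's probe has run; a short comment naming the initialiser would help, and `__read_mostly` fits a flag that is set once and read on the hot path. Since only the in-tree caam modules need it, EXPORT_SYMBOL_GPL is the more usual choice than EXPORT_SYMBOL.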
@@ -106,7 +109,7 @@ static inline int run_descriptor_deco0(struct device 
*ctrldev, u32 *desc,
 
 
if (ctrlpriv->virt_en == 1) {
-   setbits32(>deco_rsr, DECORSR_JR0);
+   clrsetbits_32(>deco_rsr, 0, DECORSR_JR0);
 
while (!(rd_reg32(>deco_rsr) & DECORSR_VALID) &&
   --timeout)
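Review bot: `clrsetbits_32(reg, 0, bits)` for a set and `clrsetbits_32(reg, bits, 0)` for a clear lose the self-describing names of `setbits32`/`clrbits32`, and the zero argument is easy to misplace in review. A pair of thin `setbits_32`/`clrbits_32` wrappers around clrsetbits_32 would keep these call sites readable while still routing through the endianness-aware read-modify-write.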
@@ -115,7 +118,7 @@ static inline int run_descriptor_deco0(struct device 
*ctrldev, u32 *desc,
timeout = 10;
}
 
-   setbits32(>deco_rq, DECORR_RQD0ENABLE);
+   clrsetbits_32(>deco_rq, 0, DECORR_RQD0ENABLE);
 
while (!(rd_reg32(>deco_rq) & DECORR_DEN0) &&
 --timeout)
@@ -123,12 +126,12 @@ static inline int run_descriptor_deco0(struct device 
*ctrldev, u32 *desc,
 
if (!timeout) {
dev_err(ctrldev, "failed to acquire DECO 0\n");
-   clrbits32(>deco_rq, DECORR_RQD0ENABLE);
+   clrsetbits_32(>deco_rq, DECORR_RQD0ENABLE, 0);
return -ENODEV;
}
 
for (i = 0; i < desc_len(desc); i++)
-   wr_reg32(>descbuf[i], *(desc + i));
+   wr_reg32(>descbuf[i], 

Re: [crypto / sparc64] cryptomgr_test OOPS

2016-05-05 Thread John Paul Adrian Glaubitz
On 05/05/2016 05:31 PM, Anatoly Pugachev wrote:
> do you still want to test it, after I have reported that Herbert's patch works?

Maybe you should ack the patch with:

Tested-By: Anatoly Pugachev 

?

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913


[PATCH v2 7/8] crypto: caam - add ARCH_LAYERSCAPE to supported architectures

2016-05-05 Thread Horia Geantă
This basically adds support for the ls1043a platform.

Signed-off-by: Horia Geantă 
---
 drivers/crypto/caam/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/crypto/caam/Kconfig b/drivers/crypto/caam/Kconfig
index d2c2909a4020..ff54c42e6e51 100644
--- a/drivers/crypto/caam/Kconfig
+++ b/drivers/crypto/caam/Kconfig
@@ -1,6 +1,6 @@
 config CRYPTO_DEV_FSL_CAAM
tristate "Freescale CAAM-Multicore driver backend"
-   depends on FSL_SOC || ARCH_MXC
+   depends on FSL_SOC || ARCH_MXC || ARCH_LAYERSCAPE
help
  Enables the driver module for Freescale's Cryptographic Accelerator
  and Assurance Module (CAAM), also known as the SEC version 4 (SEC4).
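Review bot: with the depends line now gating three architectures, consider adding `|| COMPILE_TEST` so the runtime endianness paths introduced in 6/8 get build coverage on the other arches. The one-line commit message could also state that it is the runtime detection from the previous patch that makes LS1043A (BE CAAM on an LE core) usable, since on its own this hunk only widens the Kconfig dependency.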
-- 
2.4.4



[PATCH v2 8/8] arm64: dts: ls1043a: add crypto node

2016-05-05 Thread Horia Geantă
LS1043A has a SEC v5.4 security engine.
For now don't add rtic or sec_mon subnodes, since these features
haven't been tested yet.

Signed-off-by: Horia Geantă 
---
 arch/arm64/boot/dts/freescale/fsl-ls1043a-rdb.dts |  4 +++
 arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi| 43 +++
 2 files changed, 47 insertions(+)

diff --git a/arch/arm64/boot/dts/freescale/fsl-ls1043a-rdb.dts 
b/arch/arm64/boot/dts/freescale/fsl-ls1043a-rdb.dts
index ce235577e90f..9b5b75a4f02a 100644
--- a/arch/arm64/boot/dts/freescale/fsl-ls1043a-rdb.dts
+++ b/arch/arm64/boot/dts/freescale/fsl-ls1043a-rdb.dts
@@ -49,6 +49,10 @@
 
 / {
model = "LS1043A RDB Board";
+
+   aliases {
+   crypto = 
+   };
 };
 
  {
diff --git a/arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi 
b/arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi
index be72bf5b58b5..529c198494d5 100644
--- a/arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi
+++ b/arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi
@@ -159,6 +159,49 @@
big-endian;
};
 
+   crypto: crypto@170 {
+   compatible = "fsl,sec-v5.4", "fsl,sec-v5.0",
+"fsl,sec-v4.0";
+   fsl,sec-era = <3>;
+   #address-cells = <1>;
+   #size-cells = <1>;
+   ranges = <0x0 0x00 0x170 0x10>;
+   reg = <0x00 0x170 0x0 0x10>;
+   interrupts = <0 75 0x4>;
+
+   sec_jr0: jr@1 {
+   compatible = "fsl,sec-v5.4-job-ring",
+"fsl,sec-v5.0-job-ring",
+"fsl,sec-v4.0-job-ring";
+   reg= <0x1 0x1>;
+   interrupts = <0 71 0x4>;
+   };
+
+   sec_jr1: jr@2 {
+   compatible = "fsl,sec-v5.4-job-ring",
+"fsl,sec-v5.0-job-ring",
+"fsl,sec-v4.0-job-ring";
+   reg= <0x2 0x1>;
+   interrupts = <0 72 0x4>;
+   };
+
+   sec_jr2: jr@3 {
+   compatible = "fsl,sec-v5.4-job-ring",
+"fsl,sec-v5.0-job-ring",
+"fsl,sec-v4.0-job-ring";
+   reg= <0x3 0x1>;
+   interrupts = <0 73 0x4>;
+   };
+
+   sec_jr3: jr@4 {
+   compatible = "fsl,sec-v5.4-job-ring",
+"fsl,sec-v5.0-job-ring",
+"fsl,sec-v4.0-job-ring";
+   reg= <0x4 0x1>;
+   interrupts = <0 74 0x4>;
+   };
+   };
+
dcfg: dcfg@1ee {
compatible = "fsl,ls1043a-dcfg", "syscon";
reg = <0x0 0x1ee 0x0 0x1>;
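Review bot: the `interrupts = <0 75 0x4>` cells here and in the four job-ring nodes are raw numbers; the arm64 dts files normally use `GIC_SPI` and `IRQ_TYPE_LEVEL_HIGH` from dt-bindings/interrupt-controller/arm-gic.h, which makes the trigger type reviewable at a glance. The four job-ring nodes also differ only in unit address, reg and interrupt, so the repeated three-entry compatible list is a candidate for a short comment explaining that the v5.0 and v4.0 fallbacks are intentional. Since this series detects the engine's byte order at runtime, it is worth saying in the commit message that no endianness property is intended on this node, given that the neighbouring node above carries `big-endian;`.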
-- 
2.4.4



[PATCH v2 0/8] crypto: caam - add support for LS1043A SoC

2016-05-05 Thread Horia Geantă
v2:
As suggested by Arnd, patch 1 fixes io{read,write}{16,32}be accessors
to prevent the case when {read,write}{w,l} are overridden by arch-specific
ones having barriers, while the BE accessors previously mentioned are not
(thus behaving differently, having no barriers).

Hi,

[Patches 2-4 add io{read,write}64[be] accessors (generic, arm64, ppc64),
such that CAAM's accessors in regs.h are simplified a bit.
Patch 8 adds crypto node for LS1043A platform.
Let me know if it's ok to go with these through the cryptodev-2.6 tree.]

This is a follow-up on the following RFC patch set:
crypto: caam - Revamp I/O accessors
https://www.mail-archive.com/linux-crypto@vger.kernel.org/msg15878.html

There are platforms such as LS1043A (or LS1012A) where core endianness
does not match CAAM/SEC endianness (LE vs. BE).
Add support in caam driver for these cases.

Current patch set detects device endianness at runtime (as opposed to
compile-time endianness), in order to support multiplatform kernels.
Detection of device endianness is not device-tree based.
Instead, the SSTA ("SEC STAtus") register has a property such that,
by reading it in any endianness and masking it properly, it is possible
to deduce device endianness.

The performance drop due to the runtime detection is < 1.0%.
(An alternative implementation using function pointers has been tried,
but led to a bigger performance drop.)

Thanks,
Horia

Cristian Stoica (1):
  crypto: caam - fix offset field in hw sg entries

Horia Geantă (7):
  asm-generic/io.h: allow barriers in io{read,write}{16,32}be
  asm-generic/io.h: add io{read,write}64 accessors
  arm64: add io{read,write}64be accessors
  powerpc: add io{read,write}64 accessors
  crypto: caam - handle core endianness != caam endianness
  crypto: caam - add ARCH_LAYERSCAPE to supported architectures
  arm64: dts: ls1043a: add crypto node

 arch/arm64/boot/dts/freescale/fsl-ls1043a-rdb.dts |   4 +
 arch/arm64/boot/dts/freescale/fsl-ls1043a.dtsi|  43 ++
 arch/arm64/include/asm/io.h   |   4 +-
 arch/powerpc/kernel/iomap.c   |  24 
 drivers/crypto/caam/Kconfig   |   6 +-
 drivers/crypto/caam/caamhash.c|   5 +-
 drivers/crypto/caam/ctrl.c| 125 +++---
 drivers/crypto/caam/desc.h|   9 +-
 drivers/crypto/caam/desc_constr.h |  44 ---
 drivers/crypto/caam/jr.c  |  22 ++--
 drivers/crypto/caam/pdb.h | 137 +++-
 drivers/crypto/caam/regs.h| 151 +++---
 drivers/crypto/caam/sg_sw_sec4.h  |  17 +--
 include/asm-generic/io.h  |  71 +-
 include/asm-generic/iomap.h   |   8 ++
 15 files changed, 494 insertions(+), 176 deletions(-)

-- 
2.4.4
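The runtime detection described in this cover letter, together with the `cpu_to_caam32(SEC4_SG_LEN_FIN)` change from patch 6/8, as an added example that is neither the series' code nor the CAAM driver's: a small C model with a constructed device. The status bit positions, the FINAL bit value and the little-endian core are assumptions, and `cpu_to_caam32`, `dev_store` and `mark_final` are stand-ins for the driver's helpers, not the driver's functions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed for illustration (the driver's real constants live in regs.h): the
 * engine reports "platform is big-endian" in bit 10 of its status register;
 * after a 32-bit byte swap that bit lands in bit 18 (byte 1 <-> byte 2). */
#define STA_PLEND      (1u << 10)
#define STA_ALT_PLEND  (1u << 18)
#define SG_LEN_FIN     (1u << 30)   /* assumed: FINAL flag of an SG length word */

static uint32_t swab32(uint32_t x)
{
	return (x >> 24) | ((x >> 8) & 0xff00u) | ((x << 8) & 0xff0000u) | (x << 24);
}

/* The core in this model is little-endian, like the ARM core on LS1043A;
 * these stand in for the CPU side's plain ioread32/iowrite32. */
static uint32_t cpu_readl(const uint8_t *p)
{
	return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
	       (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void cpu_writel(uint8_t *p, uint32_t v)
{
	p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
	p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Constructed device: the silicon's real byte order, and the driver's
 * detected view of it (the role caam_little_end plays in the series). */
struct dev {
	bool hw_big_endian;
	bool little_end;
	uint8_t sta[4];   /* status register bytes as the engine presents them */
};

/* Device side: the engine stores and loads words in its own byte order. */
static void dev_store(const struct dev *d, uint8_t *p, uint32_t v)
{
	cpu_writel(p, d->hw_big_endian ? swab32(v) : v);
}

static uint32_t dev_load(const struct dev *d, const uint8_t *p)
{
	uint32_t v = cpu_readl(p);
	return d->hw_big_endian ? swab32(v) : v;
}

static struct dev make_dev(bool big_endian)
{
	struct dev d = { .hw_big_endian = big_endian, .little_end = true };
	dev_store(&d, d.sta, big_endian ? STA_PLEND : 0);   /* engine sets PLEND */
	return d;
}

/* Probe-time detection: read the status register with the CPU's plain
 * accessor before the device order is known. A BE engine's PLEND bit shows
 * up at bit 18 on an LE core (bit 10 on a BE core); masking both positions
 * makes the answer independent of how the word was read. */
static bool detect_little_end(struct dev *d)
{
	uint32_t raw = cpu_readl(d->sta);
	d->little_end = !(raw & (STA_PLEND | STA_ALT_PLEND));
	return d->little_end;
}

/* Runtime-selected conversion, as the series does with cpu_to_caam32(). */
static uint32_t cpu_to_caam32(const struct dev *d, uint32_t v)
{
	return d->little_end ? v : swab32(v);
}

/* The caamhash.c pattern: OR the FINAL flag into a length word that already
 * sits in device order. Returns the word as the engine will read it; with
 * convert_flag false it reproduces the pre-patch mistake. */
static uint32_t mark_final(const struct dev *d, uint32_t len, bool convert_flag)
{
	uint8_t entry_len[4];
	uint32_t w;

	cpu_writel(entry_len, cpu_to_caam32(d, len));   /* entry in device order */
	w = cpu_readl(entry_len);
	w |= convert_flag ? cpu_to_caam32(d, SG_LEN_FIN) : SG_LEN_FIN;
	cpu_writel(entry_len, w);
	return dev_load(d, entry_len);
}

int main(void)
{
	struct dev be = make_dev(true), le = make_dev(false);

	printf("BE engine little_end=%d, LE engine little_end=%d\n",
	       detect_little_end(&be), detect_little_end(&le));
	printf("BE engine sees len 0x%08x (flag converted) vs 0x%08x (not)\n",
	       mark_final(&be, 16, true), mark_final(&be, 16, false));
	return 0;
}
```

On the BE engine the unconverted OR lands the flag in the wrong byte, so the engine sees length 0x50 with no FINAL bit, which is the length-corruption failure the caamhash.c hunk avoids.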



[PATCH v2 4/8] powerpc: add io{read,write}64 accessors

2016-05-05 Thread Horia Geantă
This will allow device drivers to consistently use io{read,write}XX
also for 64-bit accesses.

Signed-off-by: Horia Geantă 
---
 arch/powerpc/kernel/iomap.c | 24 
 1 file changed, 24 insertions(+)

diff --git a/arch/powerpc/kernel/iomap.c b/arch/powerpc/kernel/iomap.c
index 12e48d56f771..3963f0b68d52 100644
--- a/arch/powerpc/kernel/iomap.c
+++ b/arch/powerpc/kernel/iomap.c
@@ -38,6 +38,18 @@ EXPORT_SYMBOL(ioread16);
 EXPORT_SYMBOL(ioread16be);
 EXPORT_SYMBOL(ioread32);
 EXPORT_SYMBOL(ioread32be);
+#ifdef __powerpc64__
+u64 ioread64(void __iomem *addr)
+{
+   return readq(addr);
+}
+u64 ioread64be(void __iomem *addr)
+{
+   return readq_be(addr);
+}
+EXPORT_SYMBOL(ioread64);
+EXPORT_SYMBOL(ioread64be);
+#endif /* __powerpc64__ */
 
 void iowrite8(u8 val, void __iomem *addr)
 {
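Review bot: the declarations these bodies satisfy (asm-generic/iomap.h in patch 2/8) are guarded by CONFIG_64BIT while the definitions here use `__powerpc64__`; the two coincide on powerpc, but a mismatch would only surface as a link error in a driver, so using the same guard on both sides keeps that from ever happening. The 16/32-bit accessors above return `unsigned int` while the new ones return `u64`; that is fine, but a one-line comment explaining the difference would pre-empt a "why not u32 for consistency" question.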
@@ -64,6 +76,18 @@ EXPORT_SYMBOL(iowrite16);
 EXPORT_SYMBOL(iowrite16be);
 EXPORT_SYMBOL(iowrite32);
 EXPORT_SYMBOL(iowrite32be);
+#ifdef __powerpc64__
+void iowrite64(u64 val, void __iomem *addr)
+{
+   writeq(val, addr);
+}
+void iowrite64be(u64 val, void __iomem *addr)
+{
+   writeq_be(val, addr);
+}
+EXPORT_SYMBOL(iowrite64);
+EXPORT_SYMBOL(iowrite64be);
+#endif /* __powerpc64__ */
 
 /*
  * These are the "repeat read/write" functions. Note the
-- 
2.4.4



[PATCH v2 5/8] crypto: caam - fix offset field in hw sg entries

2016-05-05 Thread Horia Geantă
From: Cristian Stoica 

The offset field is 13 bits wide; make sure we don't overwrite more than
that in the caam hardware scatter gather structure.

Signed-off-by: Cristian Stoica 
Signed-off-by: Horia Geantă 
---
 drivers/crypto/caam/desc.h   | 2 +-
 drivers/crypto/caam/sg_sw_sec4.h | 8 
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/drivers/crypto/caam/desc.h b/drivers/crypto/caam/desc.h
index 1e93c6af2275..fe30ff69088c 100644
--- a/drivers/crypto/caam/desc.h
+++ b/drivers/crypto/caam/desc.h
@@ -20,7 +20,7 @@
 #define SEC4_SG_BPID_MASK  0x00ff
 #define SEC4_SG_BPID_SHIFT 16
 #define SEC4_SG_LEN_MASK   0x3fff  /* Excludes EXT and FINAL */
-#define SEC4_SG_OFFS_MASK  0x1fff
+#define SEC4_SG_OFFSET_MASK0x1fff
 
 struct sec4_sg_entry {
 #ifdef CONFIG_CRYPTO_DEV_FSL_CAAM_IMX
diff --git a/drivers/crypto/caam/sg_sw_sec4.h b/drivers/crypto/caam/sg_sw_sec4.h
index 12ec6616e89d..2311341b7356 100644
--- a/drivers/crypto/caam/sg_sw_sec4.h
+++ b/drivers/crypto/caam/sg_sw_sec4.h
@@ -11,12 +11,12 @@ struct sec4_sg_entry;
  * convert single dma address to h/w link table format
  */
 static inline void dma_to_sec4_sg_one(struct sec4_sg_entry *sec4_sg_ptr,
- dma_addr_t dma, u32 len, u32 offset)
+ dma_addr_t dma, u32 len, u16 offset)
 {
sec4_sg_ptr->ptr = dma;
sec4_sg_ptr->len = len;
sec4_sg_ptr->buf_pool_id = 0;
-   sec4_sg_ptr->offset = offset;
+   sec4_sg_ptr->offset = offset & SEC4_SG_OFFSET_MASK;
 #ifdef DEBUG
print_hex_dump(KERN_ERR, "sec4_sg_ptr@: ",
   DUMP_PREFIX_ADDRESS, 16, 4, sec4_sg_ptr,
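Review bot: masking with SEC4_SG_OFFSET_MASK silently truncates an offset that does not fit in 13 bits, so the entry points the engine at the wrong position in the buffer instead of failing loudly; a `WARN_ON_ONCE(offset & ~SEC4_SG_OFFSET_MASK)` before the store would catch the buggy caller. Note too that with the parameter narrowed to u16, bits 16..31 of a u32 passed by a caller are dropped at the call boundary before the mask ever sees them, so the check belongs at the caller or the parameter should stay u32 with the mask applied here.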
@@ -30,7 +30,7 @@ static inline void dma_to_sec4_sg_one(struct sec4_sg_entry 
*sec4_sg_ptr,
  */
 static inline struct sec4_sg_entry *
 sg_to_sec4_sg(struct scatterlist *sg, int sg_count,
- struct sec4_sg_entry *sec4_sg_ptr, u32 offset)
+ struct sec4_sg_entry *sec4_sg_ptr, u16 offset)
 {
while (sg_count) {
dma_to_sec4_sg_one(sec4_sg_ptr, sg_dma_address(sg),
@@ -48,7 +48,7 @@ sg_to_sec4_sg(struct scatterlist *sg, int sg_count,
  */
 static inline void sg_to_sec4_sg_last(struct scatterlist *sg, int sg_count,
  struct sec4_sg_entry *sec4_sg_ptr,
- u32 offset)
+ u16 offset)
 {
sec4_sg_ptr = sg_to_sec4_sg(sg, sg_count, sec4_sg_ptr, offset);
sec4_sg_ptr->len |= SEC4_SG_LEN_FIN;
-- 
2.4.4



[PATCH v2 3/8] arm64: add io{read,write}64be accessors

2016-05-05 Thread Horia Geantă
This will allow device drivers to consistently use io{read,write}XXbe
also for 64-bit accesses.

Signed-off-by: Alex Porosanu 
Signed-off-by: Horia Geantă 
---
 arch/arm64/include/asm/io.h | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/arch/arm64/include/asm/io.h b/arch/arm64/include/asm/io.h
index 44be1e03ed65..9b6e408cfa51 100644
--- a/arch/arm64/include/asm/io.h
+++ b/arch/arm64/include/asm/io.h
@@ -174,13 +174,15 @@ extern void __iomem *ioremap_cache(phys_addr_t phys_addr, 
size_t size);
 #define iounmap__iounmap
 
 /*
- * io{read,write}{16,32}be() macros
+ * io{read,write}{16,32,64}be() macros
  */
 #define ioread16be(p)  ({ __u16 __v = be16_to_cpu((__force 
__be16)__raw_readw(p)); __iormb(); __v; })
 #define ioread32be(p)  ({ __u32 __v = be32_to_cpu((__force 
__be32)__raw_readl(p)); __iormb(); __v; })
+#define ioread64be(p)  ({ __u64 __v = be64_to_cpu((__force 
__be64)__raw_readq(p)); __iormb(); __v; })
 
 #define iowrite16be(v,p)   ({ __iowmb(); __raw_writew((__force 
__u16)cpu_to_be16(v), p); })
 #define iowrite32be(v,p)   ({ __iowmb(); __raw_writel((__force 
__u32)cpu_to_be32(v), p); })
+#define iowrite64be(v,p)   ({ __iowmb(); __raw_writeq((__force 
__u64)cpu_to_be64(v), p); })
 
 /*
  * Convert a physical pointer to a virtual kernel pointer for /dev/mem
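Review bot: the new 64-bit macros mirror the 16/32-bit barrier placement (`__iormb()` after the read, `__iowmb()` before the write), which is what this series needs for the CAAM accessors. Because patch 2/8 adds generic fallbacks guarded by `#ifndef ioread64be`, these definitions must precede the `#include <asm-generic/io.h>` in this header; that include is outside the hunk context, so please confirm the order, otherwise the generic swab64 variant would be emitted alongside these.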
-- 
2.4.4



[PATCH v2 2/8] asm-generic/io.h: add io{read,write}64 accessors

2016-05-05 Thread Horia Geantă
This will allow device drivers to consistently use io{read,write}XX
also for 64-bit accesses.

Signed-off-by: Horia Geantă 
---
 include/asm-generic/io.h| 63 +
 include/asm-generic/iomap.h |  8 ++
 2 files changed, 71 insertions(+)

diff --git a/include/asm-generic/io.h b/include/asm-generic/io.h
index b79fb2c248a1..2af6ea95762d 100644
--- a/include/asm-generic/io.h
+++ b/include/asm-generic/io.h
@@ -585,6 +585,16 @@ static inline u32 ioread32(const volatile void __iomem 
*addr)
 }
 #endif
 
+#ifdef CONFIG_64BIT
+#ifndef ioread64
+#define ioread64 ioread64
+static inline u64 ioread64(const volatile void __iomem *addr)
+{
+   return readq(addr);
+}
+#endif
+#endif /* CONFIG_64BIT */
+
 #ifndef iowrite8
 #define iowrite8 iowrite8
 static inline void iowrite8(u8 value, volatile void __iomem *addr)
@@ -609,6 +619,16 @@ static inline void iowrite32(u32 value, volatile void 
__iomem *addr)
 }
 #endif
 
+#ifdef CONFIG_64BIT
+#ifndef iowrite64
+#define iowrite64 iowrite64
+static inline void iowrite64(u64 value, volatile void __iomem *addr)
+{
+   writeq(value, addr);
+}
+#endif
+#endif /* CONFIG_64BIT */
+
 #ifndef ioread16be
 #define ioread16be ioread16be
 static inline u16 ioread16be(const volatile void __iomem *addr)
@@ -625,6 +645,16 @@ static inline u32 ioread32be(const volatile void __iomem 
*addr)
 }
 #endif
 
+#ifdef CONFIG_64BIT
+#ifndef ioread64be
+#define ioread64be ioread64be
+static inline u64 ioread64be(const volatile void __iomem *addr)
+{
+   return swab64(readq(addr));
+}
+#endif
+#endif /* CONFIG_64BIT */
+
 #ifndef iowrite16be
 #define iowrite16be iowrite16be
 static inline void iowrite16be(u16 value, void volatile __iomem *addr)
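Review bot: `swab64(readq(addr))` assumes the platform's readq returns a little-endian value, the same assumption the generic 16/32-bit BE accessors make; on a big-endian core whose readq is native that is a double swap, which is exactly the ARC report earlier in this thread for the 32-bit case. A comment above this block stating that architectures with native-BE MMIO are expected to override ioread64be/iowrite64be, as the arm64 patch in this series does, would save the next reporter a bisect.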
@@ -641,6 +671,16 @@ static inline void iowrite32be(u32 value, volatile void 
__iomem *addr)
 }
 #endif
 
+#ifdef CONFIG_64BIT
+#ifndef iowrite64be
+#define iowrite64be iowrite64be
+static inline void iowrite64be(u64 value, volatile void __iomem *addr)
+{
+   writeq(swab64(value), addr);
+}
+#endif
+#endif /* CONFIG_64BIT */
+
 #ifndef ioread8_rep
 #define ioread8_rep ioread8_rep
 static inline void ioread8_rep(const volatile void __iomem *addr, void *buffer,
@@ -668,6 +708,17 @@ static inline void ioread32_rep(const volatile void 
__iomem *addr,
 }
 #endif
 
+#ifdef CONFIG_64BIT
+#ifndef ioread64_rep
+#define ioread64_rep ioread64_rep
+static inline void ioread64_rep(const volatile void __iomem *addr,
+   void *buffer, unsigned int count)
+{
+   readsq(addr, buffer, count);
+}
+#endif
+#endif /* CONFIG_64BIT */
+
 #ifndef iowrite8_rep
 #define iowrite8_rep iowrite8_rep
 static inline void iowrite8_rep(volatile void __iomem *addr,
@@ -697,6 +748,18 @@ static inline void iowrite32_rep(volatile void __iomem 
*addr,
writesl(addr, buffer, count);
 }
 #endif
+
+#ifdef CONFIG_64BIT
+#ifndef iowrite64_rep
+#define iowrite64_rep iowrite64_rep
+static inline void iowrite64_rep(volatile void __iomem *addr,
+const void *buffer,
+unsigned int count)
+{
+   writesq(addr, buffer, count);
+}
+#endif
+#endif /* CONFIG_64BIT */
 #endif /* CONFIG_GENERIC_IOMAP */
 
 #ifdef __KERNEL__
diff --git a/include/asm-generic/iomap.h b/include/asm-generic/iomap.h
index d8f8622fa044..650fede33c25 100644
--- a/include/asm-generic/iomap.h
+++ b/include/asm-generic/iomap.h
@@ -30,12 +30,20 @@ extern unsigned int ioread16(void __iomem *);
 extern unsigned int ioread16be(void __iomem *);
 extern unsigned int ioread32(void __iomem *);
 extern unsigned int ioread32be(void __iomem *);
+#ifdef CONFIG_64BIT
+extern u64 ioread64(void __iomem *);
+extern u64 ioread64be(void __iomem *);
+#endif
 
 extern void iowrite8(u8, void __iomem *);
 extern void iowrite16(u16, void __iomem *);
 extern void iowrite16be(u16, void __iomem *);
 extern void iowrite32(u32, void __iomem *);
 extern void iowrite32be(u32, void __iomem *);
+#ifdef CONFIG_64BIT
+extern void iowrite64(u64, void __iomem *);
+extern void iowrite64be(u64, void __iomem *);
+#endif
 
 /*
  * "string" versions of the above. Note that they
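Review bot: these `extern u64 ioread64(...)` declarations cover CONFIG_GENERIC_IOMAP builds, but lib/iomap.c, which provides the generic ioread8/16/32 bodies for those architectures, is not in the diffstat; a driver calling ioread64 on such an architecture would compile and then fail to link. Either add matching definitions there or say in the commit message that only architectures with their own iomap implementation (ppc64 in patch 4/8) are covered for now.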
-- 
2.4.4



Re: [crypto / sparc64] cryptomgr_test OOPS

2016-05-05 Thread Anatoly Pugachev
On Thu, May 5, 2016 at 6:00 PM, Tadeusz Struk  wrote:
> On 05/05/2016 02:40 AM, Anatoly Pugachev wrote:
>> Sure, based on your cryptodev git, I just tried the 4.3 (6a13feb, good)
>> kernel in an attempt to find (bisect) when the RSA code broke; already tested
>> 4.5 (44d1b6d, bad), 4.4 (afd2ff9, bad).
>> Going to try your patch soon (when I'm back home).
>> So far 4.3 passes the RSA stage without an OOPS, but for another reason does
>> not boot to the login prompt. Boot log excerpt (4.3), this is with
>> CONFIG_CRYPTO_RSA=y:
>
> Anatoly, could you also give this a try please:
> Thanks
>
> diff --git a/crypto/testmgr.c b/crypto/testmgr.c
> index b86883a..770970ff 100644
> --- a/crypto/testmgr.c
> +++ b/crypto/testmgr.c
> @@ -1805,8 +1805,8 @@ static int do_test_rsa(struct crypto_akcipher *tfm,
> goto free_req;
>
> sg_init_table(src_tab, 2);
> -   sg_set_buf(_tab[0], vecs->m, 8);
> -   sg_set_buf(_tab[1], vecs->m + 8, vecs->m_size - 8);
> +   sg_set_buf(_tab[0], vecs->m, 4);
> +   sg_set_buf(_tab[1], vecs->m + 4, vecs->m_size - 4);
> sg_init_one(, outbuf_enc, out_len_max);
> akcipher_request_set_crypt(req, src_tab, , vecs->m_size,
>out_len_max);


Tadeusz,

do you still want to test it, after I have reported that Herbert's patch works?

Thanks.


Re: [crypto / sparc64] cryptomgr_test OOPS

2016-05-05 Thread John Paul Adrian Glaubitz
On 05/05/2016 05:12 PM, Anatoly Pugachev wrote:
> this patch, applied to your cryptodev git kernel, fixes the OOPS and my
> debian sparc64 installation boots successfully:

Awesome to hear, thanks for investigating and fixing this :).

Adrian

-- 
 .''`.  John Paul Adrian Glaubitz
: :' :  Debian Developer - glaub...@debian.org
`. `'   Freie Universitaet Berlin - glaub...@physik.fu-berlin.de
  `-GPG: 62FF 8A75 84E0 2956 9546  0006 7426 3B37 F5B5 F913


Re: [crypto / sparc64] cryptomgr_test OOPS

2016-05-05 Thread Anatoly Pugachev
On Thu, May 5, 2016 at 11:42 AM, Herbert Xu  wrote:
> On Wed, May 04, 2016 at 05:49:04PM +0300, Anatoly Pugachev wrote:
>>
>> just tested cryptodev (
>> http://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git
>> ) kernel, same OOPS, but kernel version is 4.6.0-rc2+ .
>> kernel OOPS message - https://paste.fedoraproject.org/362554/23732641/
>
> Anatoly, could you please test this patch on top of cryptodev?
> Thanks!
>
> ---8<---
> Subject: crypto: testmgr - Use kmalloc memory for RSA input
>
> As akcipher uses an SG interface, you must not use vmalloc memory
> as input for it.  This patch fixes testmgr to copy the vmalloc
> test vectors to kmalloc memory before running the test.
>
> This patch also removes a superfluous sg_virt call in do_test_rsa.


Herbert,

this patch, applied to your cryptodev git kernel, fixes the OOPS and my
debian sparc64 installation boots successfully:

[5684721.625447] Unpacking initramfs...
[5684721.858235] Freeing initrd memory: 11720K (fff800203400 -
fff8002034b72000)
[5684721.867127] futex hash table entries: 65536 (order: 9, 4194304 bytes)
[5684721.868551] audit: initializing netlink subsys (disabled)
[5684721.868640] audit: type=2000 audit(0.476:1): initialized
[5684721.868868] Initialise system trusted keyring
[5684721.869765] workingset: timestamp_bits=45 max_order=21 bucket_order=0
[5684721.869879] zbud: loaded
[5684721.920120] Key type asymmetric registered
[5684721.920173] Asymmetric key parser 'x509' registered
[5684721.920582] Block layer SCSI generic (bsg) driver version 0.4
loaded (major 252)
[5684721.921249] io scheduler noop registered
[5684721.921297] io scheduler deadline registered
[5684721.921628] io scheduler cfq registered (default)
[5684721.922101] f029b808: ttyS0 at I/O 0x0 (irq = 1, base_baud =
115200) is a SUN4V HCONS
[5684721.922352] console [ttyHV0] enabled
[5684721.923480] sunvdc.c:v1.2 (November 24, 2014)


Thanks.


Re: [crypto / sparc64] cryptomgr_test OOPS

2016-05-05 Thread Tadeusz Struk
On 05/05/2016 02:40 AM, Anatoly Pugachev wrote:
> Sure, based on your cryptodev git, I just tried the 4.3 (6a13feb, good)
> kernel in an attempt to find (bisect) when the RSA code broke; already tested
> 4.5 (44d1b6d, bad), 4.4 (afd2ff9, bad).
> Going to try your patch soon (when I'm back home).
> So far 4.3 passes the RSA stage without an OOPS, but for another reason does
> not boot to the login prompt. Boot log excerpt (4.3), this is with
> CONFIG_CRYPTO_RSA=y:

Anatoly, could you also give this a try please: 
Thanks

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index b86883a..770970ff 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -1805,8 +1805,8 @@ static int do_test_rsa(struct crypto_akcipher *tfm,
goto free_req;
 
sg_init_table(src_tab, 2);
-   sg_set_buf(_tab[0], vecs->m, 8);
-   sg_set_buf(_tab[1], vecs->m + 8, vecs->m_size - 8);
+   sg_set_buf(_tab[0], vecs->m, 4);
+   sg_set_buf(_tab[1], vecs->m + 4, vecs->m_size - 4);
sg_init_one(, outbuf_enc, out_len_max);
akcipher_request_set_crypt(req, src_tab, , vecs->m_size,
   out_len_max);
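Review bot: the split moves from 8 to 4 bytes but nothing checks that `vecs->m_size` exceeds the split, so a short test vector makes `vecs->m_size - 4` wrap (assuming m_size is unsigned, as the testvec sizes are) and the second sg_set_buf gets a huge length; guard the split against m_size or derive it from m_size instead of a constant. The split only exists to exercise the multi-entry SG path, and a comment saying so would make the 4/8 choice less mysterious. As Herbert's patch subject earlier in this thread notes, the OOPS came from the vmalloc-backed test vector being handed to the SG interface, which changing the split point does not address.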


-- 
TS


[PATCH] crypto: vmx - comply with ABIs that specify vrsave as reserved.

2016-05-05 Thread Paulo Flabiano Smorigo
It gives significant improvements (~+15%) on some modes.

This code has been adopted from the OpenSSL project in collaboration
with the original author (Andy Polyakov ).

Signed-off-by: Paulo Flabiano Smorigo 
---
 drivers/crypto/vmx/ppc-xlate.pl | 20 
 1 file changed, 20 insertions(+)

diff --git a/drivers/crypto/vmx/ppc-xlate.pl b/drivers/crypto/vmx/ppc-xlate.pl
index b999733..9f4994c 100644
--- a/drivers/crypto/vmx/ppc-xlate.pl
+++ b/drivers/crypto/vmx/ppc-xlate.pl
@@ -139,6 +139,26 @@ my $vmr = sub {
 "  vor $vx,$vy,$vy";
 };
 
+# Some ABIs specify vrsave, special-purpose register #256, as reserved
+# for system use.
+my $no_vrsave = ($flavour =~ /aix|linux64le/);
+my $mtspr = sub {
+my ($f,$idx,$ra) = @_;
+if ($idx == 256 && $no_vrsave) {
+   "   or  $ra,$ra,$ra";
+} else {
+   "   mtspr   $idx,$ra";
+}
+};
+my $mfspr = sub {
+my ($f,$rd,$idx) = @_;
+if ($idx == 256 && $no_vrsave) {
+   "   li  $rd,-1";
+} else {
+   "   mfspr   $rd,$idx";
+}
+};
+
 # PowerISA 2.06 stuff
 sub vsxmem_op {
 my ($f, $vrt, $ra, $rb, $op) = @_;
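Review bot: substituting `li $rd,-1` for `mfspr $rd,256` and a no-op `or` for the `mtspr` deserves a comment on why -1: it marks every vector register as live, which is the conservative answer when vrsave is not maintained, and a reader who sees an immediate load in place of an SPR read will otherwise suspect a bug. The `$no_vrsave` test also silently depends on the exact flavour strings `aix` and `linux64le`; a kernel build that passes a different flavour string would quietly keep emitting the SPR access. The commit message's "~+15% on some modes" should name the modes and the platform measured.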
-- 
2.5.5



Re: [PATCH 1/4] random: replace non-blocking pool with a Chacha20-based CRNG

2016-05-05 Thread Theodore Ts'o
On Wed, May 04, 2016 at 09:10:07PM -0400, Theodore Ts'o wrote:
> On Wed, May 04, 2016 at 10:28:24PM +0200, Stephan Mueller wrote:
> > > +out:
> > > + spin_unlock_irqrestore(_crng.lock, flags);
> > > + return ret;
> > 
> > Where did you add the memzero_explict of tmp?
> 
> Oops, sorry, somehow that change got lost in the patch updates.  Fixed now.

Since that was the only change, instead of sending out the patch
series again, I've just updated it at:

git://git.kernel.org/pub/scm/linux/kernel/git/tytso/random.git dev


- Ted


Re: [PATCH 1/7] asm-generic/io.h: add io{read,write}64 accessors

2016-05-05 Thread Vineet Gupta
On Thursday 05 May 2016 04:26 PM, Arnd Bergmann wrote:
> On Thursday 05 May 2016 08:16:47 Vineet Gupta wrote:
>> > Thx for noticing this Arnd and the heads up. Does the patch below look ok 
>> > to you ?
>> > 
>> > --->
>> > From b7e719831c389ab4fa338b2e2e7c0d1ff90dabb0 Mon Sep 17 00:00:00 2001
>> > From: Vineet Gupta 
>> > Date: Thu, 5 May 2016 13:32:34 +0530
>> > Subject: [PATCH] ARC: Add missing io barriers to io{read,write}{16,32}be()
>> > 
>> > While reviewing a different change to asm-generic/io.h Arnd spotted that
>> > ARC ioread32 and ioread32be both of which come from asm-generic versions
>> > are not symmetrical in terms of calling the io barriers.
>> > 
>> > generic ioread32   -> ARC readl()  [ has barriers]
>> > generic ioread32be -> __be32_to_cpu(__raw_readl()) [ lacks barriers]
>> > 
>> > While generic ioread32be is being remediated to call readl(), that involves
>> > a swab32(), causing double swaps on ioread32be() on Big Endian systems.
>> > 
>> > So provide our versions of big endian IO accessors to ensure io barrier
>> > calls while also keeping them optimal
>> > 
>> > Suggested-by: Arnd Bergmann 
>> > Cc: sta...@vger.kernel.org  [4.2+]
>> > Signed-off-by: Vineet Gupta 
>
> Yes, that looks correct. We probably want this regardless of the change
> I proposed for the generic file, to avoid the double swap.

Indeed so - I've queued this for 4.6 fixes !

> Acked-by: Arnd Bergmann 

Thx !



RE: [PATCH] crypto: rsa - return raw integer for the ASN.1 parser

2016-05-05 Thread Tudor-Dan Ambarus
Hi Herbert,

This is related to the suggestion to move the DMA primitives
in the driver.

Please see inline.

> -Original Message-
> From: Tudor Ambarus [mailto:tudor-dan.amba...@nxp.com]
> Sent: Friday, April 29, 2016 3:52 PM
> To: herb...@gondor.apana.org.au
> Cc: linux-crypto@vger.kernel.org; Tudor-Dan Ambarus
> Subject: [PATCH] crypto: rsa - return raw integer for the ASN.1 parser
> 
> Return the raw integer with no other processing.
> The scope is to have only one ANS.1 parser for the RSA keys.
> 
> Update the RSA software implementation so that it does
> the MPI conversion on top.
> 
> Signed-off-by: Tudor Ambarus 
> ---
>  crypto/rsa.c  | 122 ++-
>  crypto/rsa_helper.c   | 224 --
> 
>  include/crypto/internal/rsa.h |  41 +++-
>  3 files changed, 287 insertions(+), 100 deletions(-)
> 
> diff --git a/crypto/rsa_helper.c b/crypto/rsa_helper.c
> index d226f48..492f37f 100644
> --- a/crypto/rsa_helper.c
> +++ b/crypto/rsa_helper.c
> @@ -14,136 +14,256 @@
>  int rsa_get_n(void *context, size_t hdrlen, unsigned char tag,
> const void *value, size_t vlen)
>  {
> - struct rsa_key *key = context;
> + struct rsa_ctx *ctx = context;
> + struct rsa_key *key = >key;
> + const char *ptr = value;
> + int ret = -EINVAL;
> 
> - key->n = mpi_read_raw_data(value, vlen);
> -
> - if (!key->n)
> - return -ENOMEM;
> + while (!*ptr && vlen) {
> + ptr++;
> + vlen--;
> + }
> 
> + key->n_sz = vlen;
>   /* In FIPS mode only allow key size 2K & 3K */
> - if (fips_enabled && (mpi_get_size(key->n) != 256 &&
> -  mpi_get_size(key->n) != 384)) {
> - pr_err("RSA: key size not allowed in FIPS mode\n");
> - mpi_free(key->n);
> - key->n = NULL;
> - return -EINVAL;
> + if (fips_enabled && (key->n_sz != 256 && key->n_sz != 384)) {
> + dev_err(ctx->dev, "RSA: key size not allowed in FIPS mode\n");
> + goto err;
>   }
> + /* invalid key size provided */
> + ret = rsa_check_key_length(key->n_sz << 3);
> + if (ret)
> + goto err;
> +
> + if (key->coherent)
> + key->n = dma_zalloc_coherent(ctx->dev, key->n_sz, >dma_n,
> +  key->flags);
> + else
> + key->n = kzalloc(key->n_sz, key->flags);

RSA hw implementations that can't enforce hardware coherency may want
to enforce software coherency. As we want a single ASN.1 parser for all
implementations, we need to cover all the cases.

One solution would be to use a common rsa_ctx structure for all
implementations so that the parser's functions can dereference the key
and allocate memory as needed by the user.

Another solution is to move all the device-related variables to the driver,
and enforce the software coherency there, by allocating new key members
and copying the parsed data to them.

> +
> + if (!key->n) {
> + ret = -ENOMEM;
> + goto err;
> + }
> +
> + memcpy(key->n, ptr, key->n_sz);
> +
>   return 0;
> +err:
> + key->n_sz = 0;
> + key->n = NULL;
> + return ret;
>  }
> 
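Review bot: the leading-zero strip `while (!*ptr && vlen)` dereferences `ptr` before checking `vlen`, so a zero-length INTEGER value reads one byte past the end of the buffer; swap the conditions (`while (vlen && !*ptr)`) and return -EINVAL explicitly when the loop leaves `vlen == 0` rather than relying on `rsa_check_key_length(0)` to catch it. Also, `dev_err(ctx->dev, ...)` assumes every user of the common parser has a `dev`, which the software RSA implementation will not; keep the `pr_err()` for the shared code.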

> diff --git a/include/crypto/internal/rsa.h b/include/crypto/internal/rsa.h
> index c7585bd..a0a7431 100644
> --- a/include/crypto/internal/rsa.h
> +++ b/include/crypto/internal/rsa.h
> @@ -14,19 +14,52 @@
>  #define _RSA_HELPER_
>  #include 
> 
> +/**
> + * rsa_key - RSA key structure
> + * @n   : RSA modulus raw byte stream
> + * @e   : RSA public exponent raw byte stream
> + * @d   : RSA private exponent raw byte stream
> + * @dma_n   : DMA address of RSA modulus
> + * @dma_e   : DMA address of RSA public exponent
> + * @dma_d   : DMA address of RSA private exponent
> + * @n_sz: length in bytes of RSA modulus n
> + * @e_sz: length in bytes of RSA public exponent
> + * @coherent: set true to enforce software coherency for all key
> members
> + * @flags   : gfp_t key allocation flags
> + */
>  struct rsa_key {
> + u8 *n;
> + u8 *e;
> + u8 *d;
> + dma_addr_t dma_n;
> + dma_addr_t dma_e;
> + dma_addr_t dma_d;
> + size_t n_sz;
> + size_t e_sz;
> + bool coherent;
> + gfp_t flags;
> +};
> +
> +struct rsa_mpi_key {
>   MPI n;
>   MPI e;
>   MPI d;
>  };
> 
> +struct rsa_ctx {
> + struct rsa_key key;
> + struct rsa_mpi_key mpi_key;
> + struct device *dev;
> +};
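Review bot: `struct rsa_key` gains a raw `d` buffer and `dma_d` but no `d_sz`, so nothing records the private exponent's length (there is `n_sz` and `e_sz`, nothing for `d`); either add `d_sz` or document that `d` is always `n_sz` bytes. The kernel-doc for `@coherent` also says "software coherency" while `rsa_get_n()` uses it to pick `dma_zalloc_coherent()`, i.e. DMA-coherent memory; the comment and the code should agree on which one is meant.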

If we go with the first solution we can move all the device related
variables to the rsa_ctx structure:

struct rsa_key {
        u8 *n;
        u8 *e;
        u8 *d;
        size_t n_sz;
        size_t e_sz;
        gfp_t flags;
};

struct rsa_mpi_key {
        MPI n;
        MPI e;
        MPI d;
};

struct rsa_ctx {
        struct rsa_key key;
        struct rsa_mpi_key mpi_key;

Re: [PATCH 1/7] asm-generic/io.h: add io{read,write}64 accessors

2016-05-05 Thread Arnd Bergmann
On Thursday 05 May 2016 08:16:47 Vineet Gupta wrote:
> Thx for noticing this Arnd and the heads up. Does the patch below look ok to 
> you ?
> 
> --->
> From b7e719831c389ab4fa338b2e2e7c0d1ff90dabb0 Mon Sep 17 00:00:00 2001
> From: Vineet Gupta 
> Date: Thu, 5 May 2016 13:32:34 +0530
> Subject: [PATCH] ARC: Add missing io barriers to io{read,write}{16,32}be()
> 
> While reviewing a different change to asm-generic/io.h Arnd spotted that
> ARC ioread32 and ioread32be both of which come from asm-generic versions
> are not symmetrical in terms of calling the io barriers.
> 
> generic ioread32   -> ARC readl()  [ has barriers]
> generic ioread32be -> __be32_to_cpu(__raw_readl()) [ lacks barriers]
> 
> While generic ioread32be is being remediated to call readl(), that involves
> a swab32(), causing double swaps on ioread32be() on Big Endian systems.
> 
> So provide our versions of big endian IO accessors to ensure io barrier
> calls while also keeping them optimal
> 
> Suggested-by: Arnd Bergmann 
> Cc: sta...@vger.kernel.org  [4.2+]
> Signed-off-by: Vineet Gupta 

Yes, that looks correct. We probably want this regardless of the change
I proposed for the generic file, to avoid the double swap.

Acked-by: Arnd Bergmann 


Re: [RFC PATCH 2/5] KEYS: Provide keyctls to drive the new key type ops for asymmetric keys

2016-05-05 Thread David Howells
I've pushed a fix to #include  in keyctl_pkey.c into the git
tree.

David


Re: [crypto / sparc64] cryptomgr_test OOPS

2016-05-05 Thread Herbert Xu
On Thu, May 05, 2016 at 12:40:18PM +0300, Anatoly Pugachev wrote:
> 
> sure, based on your cryptodev git, just tried 4.3 (6a13feb , good)
> kernel in an attempt to find (bisect) when the RSA code broke; already tested
> 4.5 (44d1b6d , bad), 4.4 (afd2ff9 , bad).
> Going to try your patch soon (when I'm back home).
> So far 4.3 passes the RSA stage without an OOPS, but for another reason does
> not boot to a login prompt. Boot log excerpt (4.3), this is with
> CONFIG_CRYPTO_RSA=y :

That jibes with this being a problem with the SG list since it
was only added in 4.4.

Cheers,
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


Re: [crypto / sparc64] cryptomgr_test OOPS

2016-05-05 Thread Anatoly Pugachev
On Thu, May 5, 2016 at 11:42 AM, Herbert Xu  wrote:
> On Wed, May 04, 2016 at 05:49:04PM +0300, Anatoly Pugachev wrote:
>>
>> just tested cryptodev (
>> http://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git
>> ) kernel, same OOPS, but kernel version is 4.6.0-rc2+ .
>> kernel OOPS message - https://paste.fedoraproject.org/362554/23732641/
>
> Anatoly, could you please test this patch on top of cryptodev?

Herbert,

sure, based on your cryptodev git, just tried 4.3 (6a13feb , good)
kernel in an attempt to find (bisect) when the RSA code broke; already tested
4.5 (44d1b6d , bad), 4.4 (afd2ff9 , bad).
Going to try your patch soon (when I'm back home).
So far 4.3 passes the RSA stage without an OOPS, but for another reason does
not boot to a login prompt. Boot log excerpt (4.3), this is with
CONFIG_CRYPTO_RSA=y :


RE: [PATCH 0/3 v3] Key-agreement Protocol Primitives (KPP) API

2016-05-05 Thread Benedetto, Salvatore
> -Original Message-
> From: Herbert Xu [mailto:herb...@gondor.apana.org.au]
> Sent: Thursday, May 5, 2016 7:22 AM
> To: Benedetto, Salvatore 
> Cc: linux-crypto@vger.kernel.org
> Subject: Re: [PATCH 0/3 v3] Key-agreement Protocol Primitives (KPP) API
> 
> On Tue, May 03, 2016 at 12:44:00PM +0100, Salvatore Benedetto wrote:
> > Hi Herb,
> >
> > the following patchset introduces a new API for abstracting
> > key-agreement protocols such as DH and ECDH. It provides the
> > primitives required for implementing the protocol, thus the name KPP
> (Key-agreement Protocol Primitives).
> >
> > Regards,
> > Salvatore
> >
> > Changes from v1:
> >  * Change check in dh_check_params_length based on Stephan review
> >
> > Changed from v2:
> >  * Add support for ECDH (curve P192 and P256). I reused the ecc module
> >already present in net/bluetooth and extended it in order to select
> >different curves at runtime. Code for P192 was taken from tinycrypt.
> 
> Are you going to post the patches to use this as well?
> 

I just sent v4 which contains a small change plus an illustrative patch that
converts SMP BT to KPP api. I can't test the patch as I don't have the hardware.
BT guys should be OK in converting their code properly to kpp once merged.
Is that good enough for you?

Regards,
Salvatore 


[PATCH] Bluetooth: convert smp module to crypto kpp API

2016-05-05 Thread Salvatore Benedetto
This patch has *not* been tested as I don't have the hardware.
Its purpose is to show how to use the kpp API.

Based on https://patchwork.kernel.org/patch/9022371/

Signed-off-by: Salvatore Benedetto 
---
 net/bluetooth/smp.c | 99 -
 1 file changed, 98 insertions(+), 1 deletion(-)

diff --git a/net/bluetooth/smp.c b/net/bluetooth/smp.c
index 50976a6..25844a2 100644
--- a/net/bluetooth/smp.c
+++ b/net/bluetooth/smp.c
@@ -25,6 +25,8 @@
 #include 
 #include 
 #include 
+#include 
+#include 
 
 #include 
 #include 
@@ -2591,6 +2593,101 @@ static u8 sc_select_method(struct smp_chan *smp)
return method;
 }
 
+struct ecdh_completion {
+   struct completion completion;
+   int err;
+};
+
+static void ecdh_complete(struct crypto_async_request *req, int err)
+{
+   struct ecdh_completion *res = req->data;
+
+   if (err == -EINPROGRESS)
+   return;
+
+   res->err = err;
+   complete(>completion);
+}
+
+static inline void swap_digits(u64 *in, u64 *out, unsigned int ndigits)
+{
+   int i;
+
+   for (i = 0; i < ndigits; i++)
+   out[i] = __swab64(in[ndigits - 1 - i]);
+}
+
+static bool compute_ecdh_shared_secret(const u8 public_key[64],
+  const u8 private_key[32], u8 secret[32])
+{
+   struct crypto_kpp *tfm;
+   struct kpp_request *req;
+   struct ecdh_params p;
+   struct ecdh_completion result;
+   struct scatterlist src, dst;
+   u8 tmp[64];
+   int err = -ENOMEM;
+
+   tfm = crypto_alloc_kpp("ecdh", CRYPTO_ALG_INTERNAL, 0);
+   if (IS_ERR(tfm)) {
+   pr_err("alg: kpp: Failed to load tfm for kpp: %ld\n",
+  PTR_ERR(tfm));
+   return false;
+   }
+
+   req = kpp_request_alloc(tfm, GFP_KERNEL);
+   if (!req)
+   goto free_kpp;
+
+   init_completion();
+
+   /* Set curve_id */
+   p.curve_id = ECC_CURVE_NIST_P256;
+   err = crypto_kpp_set_params(tfm, (void *), sizeof(p));
+   if (err)
+   goto free_req;
+
+   /* Security Manager Protocol holds digits in litte-endian order
+* while ECC API expect big-endian data
+*/
+   swap_digits((u64 *)private_key, (u64 *)tmp, 4);
+
+   /* Set A private Key */
+   err = crypto_kpp_set_secret(tfm, (void *)tmp, 32);
+   if (err)
+   goto free_all;
+
+   swap_digits((u64 *)public_key, (u64 *)tmp, 4); /* x */
+   swap_digits((u64 *)_key[32], (u64 *)[32], 4); /* y */
+
+   sg_init_one(, tmp, 64);
+   sg_init_one(, secret, 32);
+   kpp_request_set_input(req, , 64);
+   kpp_request_set_output(req, , 32);
+   kpp_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
+ecdh_complete, );
+   err = crypto_kpp_compute_shared_secret(req);
+   if (err == -EINPROGRESS) {
+   wait_for_completion();
+   err = result.err;
+   }
+   if (err < 0) {
+   pr_err("alg: ecdh: compute shard secret test failed. err %d\n",
+  err);
+   goto free_all;
+   }
+
+   swap_digits((u64 *)secret, (u64 *)tmp, 4);
+   memcpy(secret, tmp, 32);
+
+free_all:
+free_req:
+   kpp_request_free(req);
+free_kpp:
+   crypto_free_kpp(tfm);
+   return (err == 0);
+}
+
 static int smp_cmd_public_key(struct l2cap_conn *conn, struct sk_buff *skb)
 {
struct smp_cmd_public_key *key = (void *) skb->data;
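Review bot: `tmp[64]` receives the big-endian copy of the 32-byte private key in `compute_ecdh_shared_secret()` and is never wiped, and the shared secret passes through it as well at the end; add `memzero_explicit(tmp, sizeof(tmp))` before returning on every path. Smaller points in the same function: `free_all:` and `free_req:` are the same label; `swap_digits((u64 *)private_key, ...)` casts away `const` and assumes 8-byte alignment of `u8` buffers (`get_unaligned_be64()`/`put_unaligned_be64()` avoid both); the `pr_err()` strings still read like testmgr copy-paste ("alg: kpp:", "compute shard secret test failed"); and allocating a `crypto_kpp` tfm for every public-key exchange is costly compared with allocating it once and reusing it.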
@@ -2630,7 +2727,7 @@ static int smp_cmd_public_key(struct l2cap_conn *conn, 
struct sk_buff *skb)
SMP_DBG("Remote Public Key X: %32phN", smp->remote_pk);
SMP_DBG("Remote Public Key Y: %32phN", smp->remote_pk + 32);
 
-   if (!ecdh_shared_secret(smp->remote_pk, smp->local_sk, smp->dhkey))
+   if (!compute_ecdh_shared_secret(smp->remote_pk, smp->local_sk, 
smp->dhkey))
return SMP_UNSPECIFIED;
 
SMP_DBG("DHKey %32phN", smp->dhkey);
-- 
1.9.1



[PATCH 3/3 v4] crypto: kpp - Add ECDH software support

2016-05-05 Thread Salvatore Benedetto
 * Implement ECDH under kpp API
 * Provide ECC software support for curve P-192 and
   P-256.
 * Add kpp test for ECDH with data generated by OpenSSL

Signed-off-by: Salvatore Benedetto 
---
 crypto/Kconfig  |5 +
 crypto/Makefile |3 +
 crypto/ecc.c| 1038 +++
 crypto/ecc.h|   70 
 crypto/ecc_curve_defs.h |   57 +++
 crypto/ecdh.c   |  171 
 crypto/testmgr.c|  136 ++-
 crypto/testmgr.h|   73 
 include/crypto/ecdh.h   |   24 ++
 9 files changed, 1568 insertions(+), 9 deletions(-)
 create mode 100644 crypto/ecc.c
 create mode 100644 crypto/ecc.h
 create mode 100644 crypto/ecc_curve_defs.h
 create mode 100644 crypto/ecdh.c
 create mode 100644 include/crypto/ecdh.h

diff --git a/crypto/Kconfig b/crypto/Kconfig
index 89db25c..08a1a3b 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -117,6 +117,11 @@ config CRYPTO_DH
help
  Generic implementation of the Diffie-Hellman algorithm.
 
+config CRYPTO_ECDH
+   tristate "ECDH algorithm"
+   select CRYTPO_KPP
+   help
+ Generic implementation of the ECDH algorithm
 
 config CRYPTO_MANAGER
tristate "Cryptographic algorithm manager"
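Review bot: `select CRYTPO_KPP` is misspelled (CRYTPO for CRYPTO), so CRYPTO_ECDH never pulls in the kpp core and a configuration with only ECDH enabled fails to link against `crypto_register_kpp()`; fix it to `select CRYPTO_KPP`. The help text also lacks the trailing period the surrounding entries use.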
diff --git a/crypto/Makefile b/crypto/Makefile
index 101f8fd..ba03079 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -33,6 +33,9 @@ obj-$(CONFIG_CRYPTO_AKCIPHER2) += akcipher.o
 obj-$(CONFIG_CRYPTO_KPP2) += kpp.o
 
 obj-$(CONFIG_CRYPTO_DH) += dh.o
+ecdh_generic-y := ecc.o
+ecdh_generic-y += ecdh.o
+obj-$(CONFIG_CRYPTO_ECDH) += ecdh_generic.o
 
 $(obj)/rsapubkey-asn1.o: $(obj)/rsapubkey-asn1.c $(obj)/rsapubkey-asn1.h
 $(obj)/rsaprivkey-asn1.o: $(obj)/rsaprivkey-asn1.c $(obj)/rsaprivkey-asn1.h
diff --git a/crypto/ecc.c b/crypto/ecc.c
new file mode 100644
index 000..c50f9c8
--- /dev/null
+++ b/crypto/ecc.c
@@ -0,0 +1,1038 @@
+/*
+ * Copyright (c) 2013, Kenneth MacKay
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *  * Redistributions of source code must retain the above copyright
+ *   notice, this list of conditions and the following disclaimer.
+ *  * Redistributions in binary form must reproduce the above copyright
+ *notice, this list of conditions and the following disclaimer in the
+ *documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include 
+#include 
+#include 
+#include 
+
+#include "ecc.h"
+#include "ecc_curve_defs.h"
+
+#define MAX_TRIES 16
+
+typedef struct {
+   u64 m_low;
+   u64 m_high;
+} uint128_t;
+
+static inline const struct ecc_curve *ecc_get_curve(unsigned int curve_id)
+{
+   switch (curve_id) {
+   case ECC_CURVE_NIST_P192: return _p192;
+   case ECC_CURVE_NIST_P256: return _p256;
+   default: return NULL;
+   }
+}
+
+static u64 *ecc_alloc_digits_space(unsigned int ndigits)
+{
+   size_t len = ndigits * sizeof(u64);
+
+   if (!len)
+   return NULL;
+
+   return kmalloc(len, GFP_KERNEL);
+}
+
+static void ecc_free_digits_space(u64 *space)
+{
+   kzfree(space);
+}
+
+static struct ecc_point *ecc_alloc_point(unsigned int ndigits)
+{
+   struct ecc_point *p = kmalloc(sizeof(*p), GFP_KERNEL);
+
+   if (!p)
+   return NULL;
+
+   p->x = ecc_alloc_digits_space(ndigits);
+   if (!p->x)
+   goto err_alloc_x;
+
+   p->y = ecc_alloc_digits_space(ndigits);
+   if (!p->y)
+   goto err_alloc_y;
+
+   p->ndigits = ndigits;
+
+   return p;
+
+err_alloc_y:
+   ecc_free_digits_space(p->x);
+err_alloc_x:
+   kfree(p);
+   return NULL;
+}
+
+static void ecc_free_point(struct ecc_point *p)
+{
+   if (!p)
+   return;
+
+   kzfree(p->x);
+   kzfree(p->y);
+   kzfree(p);
+}
+
+static void vli_clear(u64 *vli, unsigned int ndigits)
+{
+   int i;
+
+   for (i = 0; i < ndigits; i++)
+   vli[i] = 0;
+}
+
+/* Returns true if vli == 0, false otherwise. */
+static bool vli_is_zero(const u64 
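Review bot: `ecc_alloc_digits_space()` hands back uninitialised `kmalloc()` memory while every free path uses `kzfree()`, which signals that the digits are treated as secret; allocating with `kcalloc()`/`kzalloc()` keeps stale heap data out of any digit that is read before it is fully written and makes the zeroing symmetric. Since this file also enables `ECC_CURVE_NIST_P192`, the commit message should say which consumer needs a 192-bit curve; the Bluetooth conversion posted in the same series only asks for `ECC_CURVE_NIST_P256`.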

[PATCH 2/3 v4] crypto: kpp - Add DH software implementation

2016-05-05 Thread Salvatore Benedetto
 * Implement MPI based Diffie-Hellman under kpp API
 * The test provided uses data generated by OpenSSL

Signed-off-by: Salvatore Benedetto 
---
 crypto/Kconfig  |   8 ++
 crypto/Makefile |   2 +
 crypto/dh.c | 224 
 crypto/testmgr.c| 157 
 crypto/testmgr.h| 208 
 include/crypto/dh.h |  23 ++
 6 files changed, 622 insertions(+)
 create mode 100644 crypto/dh.c
 create mode 100644 include/crypto/dh.h

diff --git a/crypto/Kconfig b/crypto/Kconfig
index 31bf962..89db25c 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -110,6 +110,14 @@ config CRYPTO_RSA
help
  Generic implementation of the RSA public key algorithm.
 
+config CRYPTO_DH
+   tristate "Diffie-Hellman algorithm"
+   select CRYPTO_KPP
+   select MPILIB
+   help
+ Generic implementation of the Diffie-Hellman algorithm.
+
+
 config CRYPTO_MANAGER
tristate "Cryptographic algorithm manager"
select CRYPTO_MANAGER2
diff --git a/crypto/Makefile b/crypto/Makefile
index 5b60890..101f8fd 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -32,6 +32,8 @@ obj-$(CONFIG_CRYPTO_HASH2) += crypto_hash.o
 obj-$(CONFIG_CRYPTO_AKCIPHER2) += akcipher.o
 obj-$(CONFIG_CRYPTO_KPP2) += kpp.o
 
+obj-$(CONFIG_CRYPTO_DH) += dh.o
+
 $(obj)/rsapubkey-asn1.o: $(obj)/rsapubkey-asn1.c $(obj)/rsapubkey-asn1.h
 $(obj)/rsaprivkey-asn1.o: $(obj)/rsaprivkey-asn1.c $(obj)/rsaprivkey-asn1.h
 clean-files += rsapubkey-asn1.c rsapubkey-asn1.h
diff --git a/crypto/dh.c b/crypto/dh.c
new file mode 100644
index 000..06e4805
--- /dev/null
+++ b/crypto/dh.c
@@ -0,0 +1,224 @@
+/*  Diffie-Hellman Key Agreement Method [RFC2631]
+ *
+ * Copyright (c) 2016, Intel Corporation
+ * Authors: Salvatore Benedetto 
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public Licence
+ * as published by the Free Software Foundation; either version
+ * 2 of the Licence, or (at your option) any later version.
+ */
+
+#include 
+#include 
+#include 
+#include 
+#include 
+
+struct dh_ctx {
+   MPI p;
+   MPI g;
+   MPI xa;
+};
+
+static void dh_free_ctx(struct dh_ctx *ctx)
+{
+   mpi_free(ctx->p);
+   mpi_free(ctx->g);
+   mpi_free(ctx->xa);
+   ctx->p = NULL;
+   ctx->g = NULL;
+   ctx->xa = NULL;
+}
+
+/*
+ * Public key generation function [RFC2631 sec 2.1.1]
+ * ya = g^xa mod p;
+ */
+static int _generate_public_key(const struct dh_ctx *ctx, MPI ya)
+{
+   /* ya = g^xa mod p */
+   return mpi_powm(ya, ctx->g, ctx->xa, ctx->p);
+}
+
+/*
+ * ZZ generation function [RFC2631 sec 2.1.1]
+ * ZZ = yb^xa mod p;
+ */
+static int _compute_shared_secret(const struct dh_ctx *ctx, MPI yb,
+ MPI zz)
+{
+   /* ZZ = yb^xa mod p */
+   return mpi_powm(zz, yb, ctx->xa, ctx->p);
+}
+
+static inline struct dh_ctx *dh_get_ctx(struct crypto_kpp *tfm)
+{
+   return kpp_tfm_ctx(tfm);
+}
+
+static int dh_check_params_length(unsigned int p_len)
+{
+   return (p_len < 1536) ? -EINVAL : 0;
+}
+
+static int dh_set_params(struct crypto_kpp *tfm, void *buffer,
+unsigned int len)
+{
+   struct dh_ctx *ctx = dh_get_ctx(tfm);
+   struct dh_params *params = (struct dh_params *)buffer;
+
+   if (unlikely(!buffer || !len))
+   return -EINVAL;
+
+   if (unlikely(!params->p || !params->g))
+   return -EINVAL;
+
+   if (dh_check_params_length(params->p_size << 3))
+   return -EINVAL;
+
+   ctx->p = mpi_read_raw_data(params->p, params->p_size);
+   if (!ctx->p)
+   return -EINVAL;
+
+   ctx->g = mpi_read_raw_data(params->g, params->g_size);
+   if (!ctx->g) {
+   mpi_free(ctx->p);
+   return -EINVAL;
+   }
+
+   return 0;
+}
+
+static int dh_set_secret(struct crypto_kpp *tfm, void *buffer,
+unsigned int len)
+{
+   struct dh_ctx *ctx = dh_get_ctx(tfm);
+
+   if (unlikely(!buffer || !len))
+   return -EINVAL;
+
+   ctx->xa = mpi_read_raw_data(buffer, len);
+
+   if (!ctx->xa)
+   return -EINVAL;
+
+   return 0;
+}
+
+static int dh_generate_public_key(struct kpp_request *req)
+{
+   struct crypto_kpp *tfm = crypto_kpp_reqtfm(req);
+   const struct dh_ctx *ctx = dh_get_ctx(tfm);
+   MPI ya = mpi_alloc(0);
+   int ret = 0;
+   int sign;
+
+   if (!ya)
+   return -ENOMEM;
+
+   if (unlikely(!ctx->p || !ctx->g || !ctx->xa)) {
+   ret = -EINVAL;
+   goto err_free_ya;
+   }
+   ret = _generate_public_key(ctx, ya);
+   if (ret)
+   goto err_free_ya;
+
+   ret = mpi_write_to_sgl(ya, req->dst, >dst_len, );
+   if (ret)
+ 
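Review bot: `_compute_shared_secret()` raises the peer's value `yb` straight to `xa` without any of the checks RFC 2631 section 2.1.5 asks for (1 < yb < p-1, and yb^q mod p == 1 when q is available); a `yb` of 0, 1 or p-1 yields a predictable ZZ, so `dh_compute_shared_secret()` should reject such values before the `mpi_powm()`. Also `dh_set_params()` and `dh_set_secret()` overwrite `ctx->p`, `ctx->g` and `ctx->xa` without freeing a previous value, leaking MPIs when a tfm is re-keyed; `dh_set_params()` reads `params->p` and `params->g` without checking that `len` is at least `sizeof(struct dh_params)`; and it returns -EINVAL where `mpi_read_raw_data()` failed to allocate (-ENOMEM fits better).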

[PATCH 1/3 v4] crypto: Key-agreement Protocol Primitives API (KPP)

2016-05-05 Thread Salvatore Benedetto
Add a key-agreement protocol primitives (kpp) API which allows implementing
the primitives required by protocols such as DH and ECDH.
The API is composed mainly of the following functions
 * set_params() - It allows the user to set the parameters known to
   both parties involved in the key-agreement session
 * set_secret() - It allows the user to set his secret, also
   referred to as his private key
 * generate_public_key() - It generates the public key to be sent to
   the other counterpart involved in the key-agreement session. The
   function has to be called after set_params() and set_secret()
 * generate_secret() - It generates the shared secret for the session

Other functions such as init() and exit() are provided to allow
cryptographic hardware to be initialized properly before use

Signed-off-by: Salvatore Benedetto 
---
 crypto/Kconfig  |  10 ++
 crypto/Makefile |   1 +
 crypto/crypto_user.c|  20 +++
 crypto/kpp.c| 123 +++
 include/crypto/internal/kpp.h   |  64 
 include/crypto/kpp.h| 333 
 include/linux/crypto.h  |   1 +
 include/uapi/linux/cryptouser.h |   5 +
 8 files changed, 557 insertions(+)
 create mode 100644 crypto/kpp.c
 create mode 100644 include/crypto/internal/kpp.h
 create mode 100644 include/crypto/kpp.h

diff --git a/crypto/Kconfig b/crypto/Kconfig
index 93a1fdc..31bf962 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -93,6 +93,15 @@ config CRYPTO_AKCIPHER
select CRYPTO_AKCIPHER2
select CRYPTO_ALGAPI
 
+config CRYPTO_KPP2
+   tristate
+   select CRYPTO_ALGAPI2
+
+config CRYPTO_KPP
+   tristate
+   select CRYPTO_ALGAPI
+   select CRYPTO_KPP2
+
 config CRYPTO_RSA
tristate "RSA algorithm"
select CRYPTO_AKCIPHER
@@ -114,6 +123,7 @@ config CRYPTO_MANAGER2
select CRYPTO_HASH2
select CRYPTO_BLKCIPHER2
select CRYPTO_AKCIPHER2
+   select CRYPTO_KPP2
 
 config CRYPTO_USER
tristate "Userspace cryptographic algorithm configuration"
diff --git a/crypto/Makefile b/crypto/Makefile
index 4f4ef7e..5b60890 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -30,6 +30,7 @@ crypto_hash-y += shash.o
 obj-$(CONFIG_CRYPTO_HASH2) += crypto_hash.o
 
 obj-$(CONFIG_CRYPTO_AKCIPHER2) += akcipher.o
+obj-$(CONFIG_CRYPTO_KPP2) += kpp.o
 
 $(obj)/rsapubkey-asn1.o: $(obj)/rsapubkey-asn1.c $(obj)/rsapubkey-asn1.h
 $(obj)/rsaprivkey-asn1.o: $(obj)/rsaprivkey-asn1.c $(obj)/rsaprivkey-asn1.h
diff --git a/crypto/crypto_user.c b/crypto/crypto_user.c
index 43fe85f..d28513fb 100644
--- a/crypto/crypto_user.c
+++ b/crypto/crypto_user.c
@@ -28,6 +28,7 @@
 #include 
 #include 
 #include 
+#include 
 
 #include "internal.h"
 
@@ -126,6 +127,21 @@ nla_put_failure:
return -EMSGSIZE;
 }
 
+static int crypto_report_kpp(struct sk_buff *skb, struct crypto_alg *alg)
+{
+   struct crypto_report_kpp rkpp;
+
+   strncpy(rkpp.type, "kpp", sizeof(rkpp.type));
+
+   if (nla_put(skb, CRYPTOCFGA_REPORT_KPP,
+   sizeof(struct crypto_report_kpp), ))
+   goto nla_put_failure;
+   return 0;
+
+nla_put_failure:
+   return -EMSGSIZE;
+}
+
 static int crypto_report_one(struct crypto_alg *alg,
 struct crypto_user_alg *ualg, struct sk_buff *skb)
 {
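Review bot: `crypto_report_kpp()` copies the whole `struct crypto_report_kpp rkpp` to userspace through `nla_put()` after only filling `rkpp.type` with `strncpy()`; that is free of stack leakage only while the struct has no other members (strncpy pads `type` to its full size), so initialise it (`struct crypto_report_kpp rkpp = {};` or a `memset()`) so that any field added later cannot expose uninitialised stack bytes over netlink. The same pattern is repeated verbatim as `crypto_kpp_report()` in kpp.c.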
@@ -176,6 +192,10 @@ static int crypto_report_one(struct crypto_alg *alg,
goto nla_put_failure;
 
break;
+   case CRYPTO_ALG_TYPE_KPP:
+   if (crypto_report_kpp(skb, alg))
+   goto nla_put_failure;
+   break;
}
 
 out:
diff --git a/crypto/kpp.c b/crypto/kpp.c
new file mode 100644
index 000..d36ce05
--- /dev/null
+++ b/crypto/kpp.c
@@ -0,0 +1,123 @@
+/*
+ * Key-agreement Protocol Primitives (KPP)
+ *
+ * Copyright (c) 2016, Intel Corporation
+ * Authors: Salvatore Benedetto 
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation; either version 2 of the License, or (at your option)
+ * any later version.
+ *
+ */
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include 
+#include "internal.h"
+
+#ifdef CONFIG_NET
+static int crypto_kpp_report(struct sk_buff *skb, struct crypto_alg *alg)
+{
+   struct crypto_report_kpp rkpp;
+
+   strncpy(rkpp.type, "kpp", sizeof(rkpp.type));
+
+   if (nla_put(skb, CRYPTOCFGA_REPORT_KPP,
+   sizeof(struct crypto_report_kpp), ))
+   goto nla_put_failure;
+   return 0;
+
+nla_put_failure:
+   return -EMSGSIZE;
+}
+#else
+static int crypto_kpp_report(struct sk_buff *skb, struct crypto_alg *alg)
+{
+   return -ENOSYS;
+}
+#endif
+
+static void 
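Review bot: crypto_kpp_report in this new file repeats crypto_report_kpp from the crypto_user.c hunk line for line, including the stack struct that is only partially initialised before nla_put; if the two are kept as separate copies, zero-initialise rkpp in both so they cannot drift apart in a way that leaks uninitialised bytes to userspace. The !CONFIG_NET stub correctly keeps the same signature so the .report callback assignment compiles either way.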

Re: [crypto / sparc64] cryptomgr_test OOPS

2016-05-05 Thread Herbert Xu
On Wed, May 04, 2016 at 05:49:04PM +0300, Anatoly Pugachev wrote:
>
> just tested cryptodev (
> http://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git
> ) kernel, same OOPS, but kernel version is 4.6.0-rc2+ .
> kernel OOPS message - https://paste.fedoraproject.org/362554/23732641/

Anatoly, could you please test this patch on top of cryptodev?
Thanks!

---8<---
Subject: crypto: testmgr - Use kmalloc memory for RSA input

As akcipher uses an SG interface, you must not use vmalloc memory
as input for it.  This patch fixes testmgr to copy the vmalloc
test vectors to kmalloc memory before running the test.

This patch also removes a superfluous sg_virt call in do_test_rsa.

Cc: 
Reported-by: Anatoly Pugachev 
Signed-off-by: Herbert Xu 

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index fcd89fe..c727fb0 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -1780,6 +1780,7 @@ static int alg_test_drbg(const struct alg_test_desc 
*desc, const char *driver,
 static int do_test_rsa(struct crypto_akcipher *tfm,
   struct akcipher_testvec *vecs)
 {
+   char *xbuf[XBUFSIZE];
struct akcipher_request *req;
void *outbuf_enc = NULL;
void *outbuf_dec = NULL;
@@ -1788,9 +1789,12 @@ static int do_test_rsa(struct crypto_akcipher *tfm,
int err = -ENOMEM;
struct scatterlist src, dst, src_tab[2];
 
+   if (testmgr_alloc_buf(xbuf))
+   return err;
+
req = akcipher_request_alloc(tfm, GFP_KERNEL);
if (!req)
-   return err;
+   goto free_xbuf;
 
init_completion();
 
@@ -1808,9 +1812,14 @@ static int do_test_rsa(struct crypto_akcipher *tfm,
if (!outbuf_enc)
goto free_req;
 
+   if (WARN_ON(vecs->m_size > PAGE_SIZE))
+   goto free_all;
+
+   memcpy(xbuf[0], vecs->m, vecs->m_size);
+
sg_init_table(src_tab, 2);
-   sg_set_buf(_tab[0], vecs->m, 8);
-   sg_set_buf(_tab[1], vecs->m + 8, vecs->m_size - 8);
+   sg_set_buf(_tab[0], xbuf[0], 8);
+   sg_set_buf(_tab[1], xbuf[0] + 8, vecs->m_size - 8);
sg_init_one(, outbuf_enc, out_len_max);
akcipher_request_set_crypt(req, src_tab, , vecs->m_size,
   out_len_max);
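Review bot: on the new WARN_ON(vecs->m_size > PAGE_SIZE) exit, err is still -ENOMEM from its declaration a few lines above, so an oversized test vector is reported as an allocation failure; set `err = -EINVAL;` before the goto. The copy into xbuf[0] also makes the pre-existing lower bound more visible: the first scatterlist entry is 8 bytes and the second is m_size - 8, so a vector with m_size < 8 would wrap the second length, and the same check could cover both ends (`m_size < 8 || m_size > PAGE_SIZE`).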
@@ -1829,7 +1838,7 @@ static int do_test_rsa(struct crypto_akcipher *tfm,
goto free_all;
}
/* verify that encrypted message is equal to expected */
-   if (memcmp(vecs->c, sg_virt(req->dst), vecs->c_size)) {
+   if (memcmp(vecs->c, outbuf_enc, vecs->c_size)) {
pr_err("alg: rsa: encrypt test failed. Invalid output\n");
err = -EINVAL;
goto free_all;
@@ -1844,7 +1853,13 @@ static int do_test_rsa(struct crypto_akcipher *tfm,
err = -ENOMEM;
goto free_all;
}
-   sg_init_one(, vecs->c, vecs->c_size);
+
+   if (WARN_ON(vecs->c_size > PAGE_SIZE))
+   goto free_all;
+
+   memcpy(xbuf[0], vecs->c, vecs->c_size);
+
+   sg_init_one(, xbuf[0], vecs->c_size);
sg_init_one(, outbuf_dec, out_len_max);
init_completion();
akcipher_request_set_crypt(req, , , vecs->c_size, out_len_max);
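Review bot: the WARN_ON(vecs->c_size > PAGE_SIZE) path has the same problem as the encrypt side: err was just set to -ENOMEM two lines earlier, so a bad vector size is misreported; use -EINVAL. Recycling xbuf[0] for the ciphertext is fine only because the encrypt request has already completed and been checked (the memcmp on outbuf_enc above), and a one-line comment saying the buffer is intentionally reused would save the next reader from checking that.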
@@ -1871,6 +1886,8 @@ free_all:
kfree(outbuf_enc);
 free_req:
akcipher_request_free(req);
+free_xbuf:
+   testmgr_free_buf(xbuf);
return err;
 }
 
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [PATCH 1/7] asm-generic/io.h: add io{read,write}64 accessors

2016-05-05 Thread Vineet Gupta
On Thursday 05 May 2016 04:06 AM, Arnd Bergmann wrote:
> On Wednesday 04 May 2016 20:16:19 Horia Geantă wrote:
>> @@ -625,6 +645,16 @@ static inline u32 ioread32be(const volatile void 
>> __iomem *addr)
>>  }
>>  #endif
>>  
>> +#ifdef CONFIG_64BIT
>> +#ifndef ioread64be
>> +#define ioread64be ioread64be
>> +static inline u64 ioread64be(const volatile void __iomem *addr)
>> +{
>> +   return __be64_to_cpu(__raw_readq(addr));
>> +}
>> +#endif
>> +#endif /* CONFIG_64BIT */
>> +
>>  #ifndef iowrite16be
>>  #define iowrite16be iowrite16be
>>  static inline void iowrite16be(u16 value, void volatile __iomem *addr)
>> @@ -641,6 +671,16 @@ static inline void iowrite32be(u32 value, volatile void 
>> __iomem *addr)
>>  }
>>  #endif
>>  
>> +#ifdef CONFIG_64BIT
>> +#ifndef iowrite64be
>> +#define iowrite64be iowrite64be
>> +static inline void iowrite64be(u64 value, volatile void __iomem *addr)
>> +{
>> +   __raw_writeq(__cpu_to_be64(value), addr);
>> +}
>> +#endif
>> +#endif /* CONFIG_64BIT */
>> +
>>
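Review bot: both new accessors are wrapped in #ifdef CONFIG_64BIT while the 16/32-bit ones in the surrounding context (iowrite16be, ioread32be) are unconditional, so any driver that calls ioread64be/iowrite64be will fail to build on 32-bit configurations unless it carries its own guard or fallback; that constraint should be stated in the patch description, or a two-readl fallback provided, since the `/* CONFIG_64BIT */` trailer is the only hint of it.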
> I just noticed that these two are both a bit wrong, but they copy the
> mistake that already exists in the 16 and 32 bit versions: If an
> architecture overrides readq/writeq to have barriers but does not override
> ioread64be/iowrite64be, this will lack the barriers and behave differently
> from the little-endian version. I think the only affected architecture
> is ARC, since ARM and ARM64 both override the big-endian accessors to
> have the correct barriers, and all others don't use barriers at all.
>
> Maybe you can add a patch before this one to replace the 16/32-bit accessors
> with ones that do a
>
> static inline void iowrite32be(u32 value, volatile void __iomem *addr)
> {
>   writel(swab32(value), addr);
> }
>
> This will lead to a double-swap on architectures that don't override it,
> but it will work correctly on all architectures without them having
> to override the big-endian accessors.

Thx for noticing this Arnd and the heads up. Does the patch below look ok to you?

--->
From b7e719831c389ab4fa338b2e2e7c0d1ff90dabb0 Mon Sep 17 00:00:00 2001
From: Vineet Gupta 
Date: Thu, 5 May 2016 13:32:34 +0530
Subject: [PATCH] ARC: Add missing io barriers to io{read,write}{16,32}be()

While reviewing a different change to asm-generic/io.h Arnd spotted that
ARC ioread32 and ioread32be, both of which come from asm-generic versions,
are not symmetrical in terms of calling the io barriers.

generic ioread32   -> ARC readl()  [ has barriers]
generic ioread32be -> __be32_to_cpu(__raw_readl()) [ lacks barriers]

While generic ioread32be is being remediated to call readl(), that involves
a swab32(), causing double swaps on ioread32be() on Big Endian systems.

So provide our versions of big endian IO accessors to ensure io barrier
calls while also keeping them optimal.

Suggested-by: Arnd Bergmann 
Cc: sta...@vger.kernel.org  [4.2+]
Signed-off-by: Vineet Gupta 
---
 arch/arc/include/asm/io.h | 27 ++-
 1 file changed, 18 insertions(+), 9 deletions(-)

diff --git a/arch/arc/include/asm/io.h b/arch/arc/include/asm/io.h
index 17f85c9c73cf..c22b181e8206 100644
--- a/arch/arc/include/asm/io.h
+++ b/arch/arc/include/asm/io.h
@@ -13,6 +13,15 @@
 #include 
 #include 
 
+#ifdef CONFIG_ISA_ARCV2
+#include 
+#define __iormb()rmb()
+#define __iowmb()wmb()
+#else
+#define __iormb()do { } while (0)
+#define __iowmb()do { } while (0)
+#endif
+
 extern void __iomem *ioremap(phys_addr_t paddr, unsigned long size);
 extern void __iomem *ioremap_prot(phys_addr_t paddr, unsigned long size,
   unsigned long flags);
@@ -31,6 +40,15 @@ extern void iounmap(const void __iomem *addr);
 #define ioremap_wc(phy, sz)ioremap(phy, sz)
 #define ioremap_wt(phy, sz)ioremap(phy, sz)
 
+/*
+ * io{read,write}{16,32}be() macros
+ */
+#define ioread16be(p)({ u16 __v = be16_to_cpu((__force
__be16)__raw_readw(p)); __iormb(); __v; })
+#define ioread32be(p)({ u32 __v = be32_to_cpu((__force
__be32)__raw_readl(p)); __iormb(); __v; })
+
+#define iowrite16be(v,p)({ __iowmb(); __raw_writew((__force
u16)cpu_to_be16(v), p); })
+#define iowrite32be(v,p)({ __iowmb(); __raw_writel((__force
u32)cpu_to_be32(v), p); })
+
 /* Change struct page to physical address */
 #define page_to_phys(page)(page_to_pfn(page) << PAGE_SHIFT)
 
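Review bot: a short comment on why io{read,write}{16,32}be() are defined as macros rather than static inlines would help future readers: asm-generic/io.h only supplies its barrier-less versions under `#ifndef ioread16be` / `#ifndef iowrite16be` (visible in the quoted asm-generic hunk above), so the name itself has to be a macro to suppress them. The barrier placement, __iowmb() before the write and __iormb() after the read, follows the ARM-style convention the comment later in this file describes, which is exactly the symmetry the commit message asks for.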
@@ -108,15 +126,6 @@ static inline void __raw_writel(u32 w, volatile void 
__iomem
*addr)
 
 }
 
-#ifdef CONFIG_ISA_ARCV2
-#include 
-#define __iormb()rmb()
-#define __iowmb()wmb()
-#else
-#define __iormb()do { } while (0)
-#define __iowmb()do { } while (0)
-#endif
-
 /*
  * MMIO can also get buffered/optimized in micro-arch, so barriers needed
  * Based on ARM model for the typical use case
-- 
2.5.0


Re: v4.6-rc1 regression bisected, Problem loading in-kernel X.509 certificate (-2)

2016-05-05 Thread Herbert Xu
On Wed, May 04, 2016 at 06:38:46AM -0700, Tadeusz Struk wrote:
> Hi David
> On 05/04/2016 02:01 AM, David Howells wrote:
> > Do you want to push this via Herbert's tree?
> > 
> 
> Yes, I think Herbert has some more patches queued for rc-7.
> Let me also send a proper one with the signed-off tag.
> 
> ---8<---
> Subject: crypto: rsa - select crypto mgr dependency
> 
> The pkcs1pad template needs CRYPTO_MANAGER so it needs
> to be explicitly selected by CRYPTO_RSA.
> 
> Reported-by: Jamie Heilman 
> Signed-off-by: Tadeusz Struk 

Applied.
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


Re: [PATCH v3] crypto: Add a flag allowing the self-tests to be disabled at runtime.

2016-05-05 Thread Herbert Xu
On Tue, May 03, 2016 at 10:00:17AM +0100, Richard W.M. Jones wrote:
> Running self-tests for a short-lived KVM VM takes 28ms on my laptop.
> This commit adds a flag 'cryptomgr.notests' which allows them to be
> disabled.
> 
> However if fips=1 as well, we ignore this flag as FIPS mode mandates
> that the self-tests are run.
> 
> Signed-off-by: Richard W.M. Jones 

Applied.
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt


Re: better patch for linux/bitops.h

2016-05-05 Thread H. Peter Anvin

On 05/04/16 21:03, Jeffrey Walton wrote:

> On Wed, May 4, 2016 at 11:50 PM, Theodore Ts'o  wrote:
>> ...
>> But instead of arguing over what works and doesn't, let's just create
>> the test set and just try it on a wide range of compilers and
>> architectures, hmmm?
>
> What are the requirements? Here's a short list:
>
>   * No undefined behavior
>     - important because the compiler writers use the C standard
>   * Compiles to native "rotate IMMEDIATE" if the rotate amount is a
>     "constant expression" and the machine provides it
>     - translates to a native rotate instruction if available
>     - "rotate IMM" can be 3 times faster than "rotate REG"
>     - do any architectures *not* provide a rotate?
>   * Compiles to native "rotate REGISTER" if the rotate is variable and
>     the machine provides it
>     - do any architectures *not* provide a rotate?
>   * Constant time
>     - important to high-integrity code
>     - Non-security code paths probably don't care
>
> Maybe the first thing to do is provide different rotates for the
> constant-time requirement when it's in effect?


The disagreement here is the priority between these points.  In my very 
strong opinion, "no undefined behavior" per the C standard is way less 
important than the others; what matters is what gcc and the other 
compilers we care about do.  The kernel relies on various versions of 
C-standard-undefined behavior *all over the place*; for one thing 
sizeof(void *) == sizeof(size_t) == sizeof(unsigned long)!! but they are 
well-defined in the subcontext we care about.


(And no, not all architectures provide a rotate instruction.)

-hpa
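As an added example (not code from this thread or from linux/bitops.h), here is one way to write a rotate that meets the first three items on Jeffrey's list: no undefined behaviour for any count, including 0, an idiom gcc and clang turn into a single rotate instruction where the target has one, and no data-dependent branch. The function names, the bit-at-a-time reference and the self-check are my own.

```c
#include <stdint.h>

/* Left-rotate a 32-bit word without undefined behaviour for any count.
 * The textbook (x << n) | (x >> (32 - n)) shifts by 32 when n == 0, which
 * the C standard leaves undefined even where the hardware "does the obvious
 * thing".  Masking both counts with 31 keeps every shift in range; gcc and
 * clang recognise this idiom and emit one ROL (immediate form when n is a
 * constant expression), and there is no data-dependent branch. */
static inline uint32_t rol32_safe(uint32_t x, unsigned int n)
{
	n &= 31;
	return (x << n) | (x >> ((-n) & 31));
}

static inline uint32_t ror32_safe(uint32_t x, unsigned int n)
{
	n &= 31;
	return (x >> n) | (x << ((-n) & 31));
}

/* Reference rotate, one bit per step: obviously correct, deliberately slow. */
static uint32_t rol32_slow(uint32_t x, unsigned int n)
{
	for (n &= 31; n; n--)
		x = (x << 1) | (x >> 31);
	return x;
}

/* Cross-check the fast form against the reference for counts 0..63 (so the
 * masking of out-of-range counts is exercised too) on constructed patterns.
 * Returns the number of mismatches; 0 means the rotates agree. */
int rol32_selfcheck(void)
{
	static const uint32_t pats[] = { 0, 1, 0x80000000u, 0x12345678u,
					 0xdeadbeefu, 0xffffffffu };
	int bad = 0;
	for (unsigned int i = 0; i < sizeof(pats) / sizeof(pats[0]); i++)
		for (unsigned int n = 0; n < 64; n++) {
			if (rol32_safe(pats[i], n) != rol32_slow(pats[i], n))
				bad++;
			if (ror32_safe(rol32_safe(pats[i], n), n) != pats[i])
				bad++;
		}
	return bad;
}
```

Whether a given compiler actually emits ROL for this idiom is a property of that compiler version, not of the C standard, so it belongs in the test set Ted proposes rather than being assumed.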



Re: [PATCH 0/3 v3] Key-agreement Protocol Primitives (KPP) API

2016-05-05 Thread Herbert Xu
On Tue, May 03, 2016 at 12:44:00PM +0100, Salvatore Benedetto wrote:
> Hi Herb,
> 
> the following patchset introduces a new API for abstracting key-agreement
> protocols such as DH and ECDH. It provides the primitives required for
> implementing the protocol, thus the name KPP (Key-agreement Protocol
> Primitives).
> 
> Regards,
> Salvatore
> 
> Changes from v1:
>  * Change check in dh_check_params_length based on Stephan review
> 
> Changes from v2:
>  * Add support for ECDH (curve P192 and P256). I reused the ecc module
>    already present in net/bluetooth and extended it in order to select
>    different curves at runtime. Code for P192 was taken from tinycrypt.

Are you going to post the patches to use this as well?

Thanks,
-- 
Email: Herbert Xu 
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt