** Description changed: + SRU Justification: + ================== + + [Impact] + + * Wrong encryption/decryption with gcm-aes-s390 on z14. + + * gcm-aes-s390 does not process scatter-gather input and output lists + correctly if list entries of sizes being not multiples of the blocksize + (16 bytes) are used, which results in wrong calculations. + + [Fix] + + * bef9f0ba300a55d79a69aa172156072182176515 bef9f0b "s390/crypto: fix + gcm-aes-s390 selftest failures" + + [Test Case] + + * z14 with kernel >= 5.1 needed + + * If disabled, enable the crypto self tests. + + * Monitor syslog during modprobe of the aes_s390 kernel module. As this + module usually gets automatically inserted during system startup you may + need to unload the aes_s390 kernel module before re-inserting it. + + * Without the fix a message like "kernel: alg: aead: gcm-aes-s390 + encryption test failed (wrong result) on test vector 1,..." will show + up. + + * With the fix, all selftests will pass and nothing is reported in + syslog. + + [Regression Potential] + + * The regression potential can be considered as low since this is purely + s390x specific + + * affects one mode of the hardware crypto facility CPACF + + * and happens only on z14 (since z14 is the only model that currently + supports the gcm-aes-s390 mode). + + * Applications using aes-gcm via the AF_ALG interface are not affected + since this API ensures scatter/gather list entries with chunk sizes in + multiples of 16 bytes. + + * Changes are limited to a single s390x crypto file + /arch/s390/crypto/aes_s390.c + + [Other Info] + + * Problem was found during tests at IBM and is a so called 'preventive + fix' + + * Since this affects z14 only, final test need to be done by IBM. + + * Applied cleanly for me on bionic master-next. 
+ __________ + Description: kernel: Fix gcm-aes-s390 wrong scatter-gather list processing Symptom: gcm-aes-s390 wrong en/decryption processing Problem: The current gcm aes s390 implementation does not process - scatter-gather input and output lists correct when list - entries with sizes not multiples of the blocksize of 16 - bytes are used. Result may be wrong calculated encrypted - or decrypted data. - This can only happen on z14 (this is the only machine - which supports aes-gcm in hardware via CPACF). Please note - that applications using aes-gcm via the AF_ALG interface are - not affected as this API ensures scatter/gather list entries - with chunk sizes in multiples of 16 bytes. However, all - exploiters of aes-gcm within the kernel may be affected. + scatter-gather input and output lists correct when list + entries with sizes not multiples of the blocksize of 16 + bytes are used. Result may be wrong calculated encrypted + or decrypted data. + This can only happen on z14 (this is the only machine + which supports aes-gcm in hardware via CPACF). Please note + that applications using aes-gcm via the AF_ALG interface are + not affected as this API ensures scatter/gather list entries + with chunk sizes in multiples of 16 bytes. However, all + exploiters of aes-gcm within the kernel may be affected. Solution: Rework of the scatter/gather walk within the aes_s390 kernel - module implementation with the goal to support any list - entry size. + module implementation with the goal to support any list + entry size. Reproduction: With kernel 5.1 there has been an improvement on the crypto - selftests. There are now tests run with fragmented - scatter/gather lists. So: - 1. You need at least a z14 and kernel >= 5.1. - 2. If disabled, enable the crypto self tests. - 3. Watch for syslog entries during modprobe of the aes_s390 - kernel module. 
As this module usually gets automatically - inserted during system startup you may need to unload the - aes_s390 kernel module before re-inserting it. - 4. Without the fix something like - "kernel: alg: aead: gcm-aes-s390 encryption test failed - (wrong result) on test vector 1,..." - will show up. With the fix, all selftests will pass and - nothing is reported in syslog. + selftests. There are now tests run with fragmented + scatter/gather lists. So: + 1. You need at least a z14 and kernel >= 5.1. + 2. If disabled, enable the crypto self tests. + 3. Watch for syslog entries during modprobe of the aes_s390 + kernel module. As this module usually gets automatically + inserted during system startup you may need to unload the + aes_s390 kernel module before re-inserting it. + 4. Without the fix something like + "kernel: alg: aead: gcm-aes-s390 encryption test failed + (wrong result) on test vector 1,..." + will show up. With the fix, all selftests will pass and + nothing is reported in syslog. Component: kernel Upstream-ID: bef9f0ba300a55d79a69aa172156072182176515 This request is targeted for 19.10, but should also be applied to 18.04 and 19.04
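Review bot: [Impact] in the added SRU Justification does not name the affected callers. The original description states that "all exploiters of aes-gcm within the kernel may be affected", but the template only carries the AF_ALG exemption, under [Regression Potential]. Suggest adding an [Impact] bullet saying that in-kernel users of gcm-aes-s390 can get wrong ciphertext or plaintext. [Test Case] also requires kernel >= 5.1 while the request asks for 18.04 and 19.04 as well, so it should say how the fix is verified on those series.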
--
https://bugs.launchpad.net/bugs/1832623
Title: [UBUNTU] kernel: Fix gcm-aes-s390 wrong scatter-gather list processing
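The property the fragmented selftests mentioned in the report check, that the result must not depend on how the input is split into scatter-gather entries, shown as an added example (not code from the bug report or from aes_s390.c). `struct frag`, the toy block function and all function names are hypothetical, and the flawed walk is constructed to illustrate the class of error, not the actual kernel defect.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLK 16u /* block size named in the report */
struct frag { const uint8_t *p; size_t len; }; /* hypothetical scatter-gather entry */

/* Toy order-dependent block function, NOT AES-GCM; a short block is zero-padded. */
static void absorb(uint8_t st[BLK], const uint8_t *b, size_t n) {
    for (size_t i = 0; i < BLK; i++)
        st[i] = (uint8_t)(st[i] * 31u + (i < n ? b[i] : 0u) + 1u);
}

/* Flawed walk (constructed): each entry is cut into blocks on its own and padded. */
static void digest_per_entry(const struct frag *sg, size_t n, uint8_t out[BLK]) {
    memset(out, 0, BLK);
    for (size_t i = 0; i < n; i++)
        for (size_t off = 0; off < sg[i].len; off += BLK)
            absorb(out, sg[i].p + off, sg[i].len - off < BLK ? sg[i].len - off : BLK);
}

/* Walk that tolerates any entry size: leftover bytes are carried into the next entry. */
static void digest_carry(const struct frag *sg, size_t n, uint8_t out[BLK]) {
    uint8_t buf[BLK];
    size_t fill = 0;
    memset(out, 0, BLK);
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < sg[i].len; j++) {
            buf[fill++] = sg[i].p[j];
            if (fill == BLK) { absorb(out, buf, BLK); fill = 0; }
        }
    if (fill) absorb(out, buf, fill); /* only the true end of the message is padded */
}

/* Split a constructed 48-byte message at `cut`; 1 if the walk matches the unsplit result. */
int split_matches(size_t cut, int carry) {
    uint8_t msg[48], ref[BLK], got[BLK];
    for (size_t i = 0; i < sizeof msg; i++) msg[i] = (uint8_t)(i * 7 + 3);
    struct frag whole = { msg, sizeof msg };
    struct frag sg[2] = { { msg, cut }, { msg + cut, sizeof msg - cut } };
    digest_per_entry(&whole, 1, ref); /* one contiguous entry is the reference */
    (carry ? digest_carry : digest_per_entry)(sg, 2, got);
    return memcmp(ref, got, BLK) == 0;
}

int main(void) {
    for (size_t cut = 0; cut <= 48; cut += 5)
        printf("cut=%2zu per-entry=%d carry=%d\n", cut, split_matches(cut, 0), split_matches(cut, 1));
    return 0;
}
```

Splits on a 16-byte boundary pass with either walk, which is why a caller that only ever supplies block-multiple entries does not see the difference.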
