From patchwork Wed Jul 24 19:19:15 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Greg Kroah-Hartman X-Patchwork-Id: 169651 Delivered-To: patch@linaro.org Received: by 2002:a92:4782:0:0:0:0:0 with SMTP id e2csp10701738ilk; Wed, 24 Jul 2019 13:27:51 -0700 (PDT) X-Google-Smtp-Source: APXvYqzHUSPTmwYXFQnMvOy4pEcctQYUyLvTn/clOjFE2UynHtUG2RxfRZou08mlsYspghOj65/y X-Received: by 2002:a17:902:2006:: with SMTP id n6mr89456380pla.232.1564000071496; Wed, 24 Jul 2019 13:27:51 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564000071; cv=none; d=google.com; s=arc-20160816; b=ja8gYCHPiEmsGW9g4qh8qkNwQrVD/BRywU01R2o2eTSnvA1Rfa659AANuQK1F6wnoE 55zIho9lrTz8qjchotHJmoMUGNms1YvsnToq9TAHsF3Kkdmbp2g7+MyrJneqtHmD2t1U umzOGDJfNbISw3Ko+ZU0Ih/ujyg+RHpTnruR9sMCt9aTlttdL6VctHBq8lMxrgExQLhE peFaHoDokje1Hwa/f3vNMUxMfS6PJT8/hCTtx71Rw9WNlcxQHbagmOGL5hIItJwLwIUj 4P2cfWnvwTwV3biqiZ0irK4w9oawe1q9SxbB8e55iq4gHrCJ0xhWt+FwBycOg4yhy4Kv QgHA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=LA43Y+qJpSIwh4EzSlDVS2LeMD9bA7fSDFLTQ2y2EX0=; b=IJn971Z5ata5Ph02gpAZnRvEFHDVuK9x2Z4vQFssJKqcKdyxEvph/0LvDLNY0QsWck kmxIgrLKibyRPDUmggactQl0mB36o9FFPOnPIe5UkY4Th/Vra1RARpflKfy5/Pf4A7u5 g76Jf59nJjhy/t2TQ6zLkkvQdTWHMx0Z1vwe/gBCuewo9tmT6ZHhyv3MofUiaaMKGf8a H67EtZtNVFliRB9SImaFoMZHXntKQXI7BRYgE3aR2bq6tOWWijnfFygaZA8tbyTC9VPo m92H3vGyzANVyRCBd2+CcwxtkEWdkJdkeYiT6aGdlr6mnDl6v3Xjen72nyKcdVWoM9Lb eojg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=BtfoiRHJ; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u2si14320553pjb.25.2019.07.24.13.27.50; Wed, 24 Jul 2019 13:27:51 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=BtfoiRHJ; spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=stable-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2388365AbfGXU1t (ORCPT + 14 others); Wed, 24 Jul 2019 16:27:49 -0400 Received: from mail.kernel.org ([198.145.29.99]:60262 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2389201AbfGXTf0 (ORCPT ); Wed, 24 Jul 2019 15:35:26 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id C47B421951; Wed, 24 Jul 2019 19:35:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1563996925; bh=4g3R6gamTRzQOqVc+zMXK0Qvwcpv4izx9jeryaWRd/k=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=BtfoiRHJnAizXLZuButMETl0kn7uqbo9V+E4sI2z7iT7Shh815LUz9gSgKhq1WAFp E+GAB8tF4Sl/XHwKwqMEsY9Gc8tZrSd66QOhW5Jjpb+B60z/6K6thYJY2Efovlt+Ne aORVxJVx0VhKhzcQIqGpMKJtmL/TLA5G91zshUhw= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Horia Geanta , Iuliana Prodan , Sascha Hauer , Ard Biesheuvel , Herbert Xu Subject: [PATCH 5.2 264/413] crypto: caam - limit output IV to CBC to work around CTR mode DMA issue Date: Wed, 24 Jul 2019 21:19:15 +0200 Message-Id: <20190724191755.063425339@linuxfoundation.org> X-Mailer: git-send-email 2.22.0 In-Reply-To: <20190724191735.096702571@linuxfoundation.org> References: <20190724191735.096702571@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Ard Biesheuvel commit ed527b13d800dd515a9e6c582f0a73eca65b2e1b upstream. The CAAM driver currently violates an undocumented and slightly controversial requirement imposed by the crypto stack that a buffer referred to by the request structure via its virtual address may not be modified while any scatterlists passed via the same request structure are mapped for inbound DMA. This may result in errors like alg: aead: decryption failed on test 1 for gcm_base(ctr-aes-caam,ghash-generic): ret=74 alg: aead: Failed to load transform for gcm(aes): -2 on non-cache coherent systems, due to the fact that the GCM driver passes an IV buffer by virtual address which shares a cacheline with the auth_tag buffer passed via a scatterlist, resulting in corruption of the auth_tag when the IV is updated while the DMA mapping is live. Since the IV that is returned to the caller is only valid for CBC mode, and given that the in-kernel users of CBC (such as CTS) don't trigger the same issue as the GCM driver, let's just disable the output IV generation for all modes except CBC for the time being. Fixes: 854b06f76879 ("crypto: caam - properly set IV after {en,de}crypt") Cc: Horia Geanta Cc: Iuliana Prodan Reported-by: Sascha Hauer Cc: Signed-off-by: Ard Biesheuvel Reviewed-by: Horia Geanta Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman --- drivers/crypto/caam/caamalg.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) --- a/drivers/crypto/caam/caamalg.c +++ b/drivers/crypto/caam/caamalg.c @@ -999,6 +999,7 @@ static void skcipher_encrypt_done(struct struct skcipher_request *req = context; struct skcipher_edesc *edesc; struct crypto_skcipher *skcipher = crypto_skcipher_reqtfm(req); + struct caam_ctx *ctx = crypto_skcipher_ctx(skcipher); int ivsize = crypto_skcipher_ivsize(skcipher); #ifdef DEBUG @@ -1023,9 +1024,9 @@ static void skcipher_encrypt_done(struct /* * The crypto API expects us to set the IV (req->iv) to the last - * ciphertext block. This is used e.g. by the CTS mode. + * ciphertext block when running in CBC mode. */ - if (ivsize) + if ((ctx->cdata.algtype & OP_ALG_AAI_MASK) == OP_ALG_AAI_CBC) scatterwalk_map_and_copy(req->iv, req->dst, req->cryptlen - ivsize, ivsize, 0); @@ -1843,9 +1844,9 @@ static int skcipher_decrypt(struct skcip /* * The crypto API expects us to set the IV (req->iv) to the last - * ciphertext block. + * ciphertext block when running in CBC mode. */ - if (ivsize) + if ((ctx->cdata.algtype & OP_ALG_AAI_MASK) == OP_ALG_AAI_CBC) scatterwalk_map_and_copy(req->iv, req->src, req->cryptlen - ivsize, ivsize, 0);