From patchwork Fri May 31 08:13:06 2019
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 165514
From: Ard Biesheuvel
To: linux-crypto@vger.kernel.org
Cc: herbert@gondor.apana.org.au, ebiggers@kernel.org, pvanleeuwen@insidesecure.com, linux-imx@nxp.com, Ard Biesheuvel, Horia Geanta, Iuliana Prodan, Sascha Hauer
Subject: [PATCH] crypto: caam - limit output IV to CBC to work around CTR mode DMA issue
Date: Fri, 31 May 2019 10:13:06 +0200
Message-Id: <20190531081306.30359-1-ard.biesheuvel@linaro.org>

The CAAM driver currently violates an undocumented and slightly
controversial requirement imposed by the crypto stack that a buffer
referred to by the request structure via its virtual address may not
be modified while any scatterlists passed via the same request
structure are mapped for inbound DMA.

This may result in errors like

  alg: aead: decryption failed on test 1 for gcm_base(ctr-aes-caam,ghash-generic): ret=74
  alg: aead: Failed to load transform for gcm(aes): -2

on non-cache coherent systems, due to the fact that the GCM driver
passes an IV buffer by virtual address which shares a cacheline with
the auth_tag buffer passed via a scatterlist, resulting in corruption
of the auth_tag when the IV is updated while the DMA mapping is live.

Since the IV that is returned to the caller is only valid for CBC mode,
and given that the in-kernel users of CBC (such as CTS) don't trigger the
same issue as the GCM driver, let's just disable the output IV generation
for all modes except CBC for the time being.

Cc: Horia Geanta
Cc: Iuliana Prodan
Reported-by: Sascha Hauer
Signed-off-by: Ard Biesheuvel
---
 drivers/crypto/caam/caamalg.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

--
2.20.1

Reviewed-by: Horia Geanta

diff --git a/drivers/crypto/caam/caamalg.c b/drivers/crypto/caam/caamalg.c index c0ece44f303b..e1778e209ea2 100644 --- a/drivers/crypto/caam/caamalg.c +++ b/drivers/crypto/caam/caamalg.c
@@ -999,6 +999,7 @@ static void skcipher_encrypt_done(struct device *jrdev, u32 *desc, u32 err, struct skcipher_request *req = context; struct skcipher_edesc *edesc; struct crypto_skcipher *skcipher = crypto_skcipher_reqtfm(req); + struct caam_ctx *ctx = crypto_skcipher_ctx(skcipher); int ivsize = crypto_skcipher_ivsize(skcipher); #ifdef DEBUG @@ -1023,9 +1024,9 @@ static void skcipher_encrypt_done(struct device *jrdev, u32 *desc, u32 err, /* * The crypto API expects us to set the IV (req->iv) to the last - * ciphertext block. This is used e.g. by the CTS mode. + * ciphertext block when running in CBC mode. */ - if (ivsize) + if ((ctx->cdata.algtype & OP_ALG_AAI_MASK) == OP_ALG_AAI_CBC) scatterwalk_map_and_copy(req->iv, req->dst, req->cryptlen - ivsize, ivsize, 0); @@ -1842,9 +1843,9 @@ static int skcipher_decrypt(struct skcipher_request *req) /* * The crypto API expects us to set the IV (req->iv) to the last - * ciphertext block. + * ciphertext block when running in CBC mode. */ - if (ivsize) + if ((ctx->cdata.algtype & OP_ALG_AAI_MASK) == OP_ALG_AAI_CBC) scatterwalk_map_and_copy(req->iv, req->src, req->cryptlen - ivsize, ivsize, 0);
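
Review bot: In skcipher_encrypt_done, the rewritten comment above the new `(ctx->cdata.algtype & OP_ALG_AAI_MASK) == OP_ALG_AAI_CBC` test says what is done but not why the other modes are skipped. The commit message gives the reason (updating req->iv while scatterlists from the same request are mapped for inbound DMA can corrupt data sharing a cacheline on non-cache coherent systems) and describes the restriction as "for the time being"; one sentence of that in the comment would keep the check from later being read as the API contract. The CBC branch still writes req->iv through the same scatterwalk_map_and_copy() call, so the change narrows the exposure rather than removing it, which the comment could also say.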
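
Review bot: In skcipher_decrypt, the new condition dereferences ctx, but unlike the first hunk, which adds `struct caam_ctx *ctx = crypto_skcipher_ctx(skcipher);` to skcipher_encrypt_done, the hunk at -1842 adds no declaration; please confirm ctx is already in scope in that function. The same mask-and-compare now appears in both functions under the same comment, so a small static helper taking the ctx would keep the two sites from drifting apart when the workaround is revisited.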