From patchwork Tue Jul 23 13:19:47 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Horia Geanta
X-Patchwork-Id: 169530
From: Horia Geantă
To: stable@vger.kernel.org, Ard Biesheuvel, Herbert Xu, Iuliana Prodan, Sascha Hauer
Cc: gregkh@linuxfoundation.org
Subject: [PATCH 4.9] crypto: caam - limit output IV to CBC to work around CTR mode DMA issue
Date: Tue, 23 Jul 2019 16:19:47 +0300
Message-Id: <20190723131947.27871-1-horia.geanta@nxp.com>
X-Mailing-List: stable@vger.kernel.org

From: Ard Biesheuvel

commit ed527b13d800dd515a9e6c582f0a73eca65b2e1b upstream.

The CAAM driver currently violates an undocumented and slightly
controversial requirement imposed by the crypto stack that a buffer
referred to by the request structure via its virtual address may not
be modified while any scatterlists passed via the same request
structure are mapped for inbound DMA.

This may result in errors like

  alg: aead: decryption failed on test 1 for gcm_base(ctr-aes-caam,ghash-generic): ret=74
  alg: aead: Failed to load transform for gcm(aes): -2

on non-cache coherent systems, due to the fact that the GCM driver
passes an IV buffer by virtual address which shares a cacheline with
the auth_tag buffer passed via a scatterlist, resulting in corruption
of the auth_tag when the IV is updated while the DMA mapping is live.

Since the IV that is returned to the caller is only valid for CBC mode,
and given that the in-kernel users of CBC (such as CTS) don't trigger the
same issue as the GCM driver, let's just disable the output IV generation
for all modes except CBC for the time being.

Fixes: 854b06f76879 ("crypto: caam - properly set IV after {en,de}crypt")
Cc: Horia Geanta
Cc: Iuliana Prodan
Reported-by: Sascha Hauer
Cc:
Signed-off-by: Ard Biesheuvel
Reviewed-by: Horia Geanta
Signed-off-by: Herbert Xu
[ Horia: backported to 4.9 ]
Signed-off-by: Horia Geantă
---
 drivers/crypto/caam/caamalg.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

--
2.17.1

diff --git a/drivers/crypto/caam/caamalg.c b/drivers/crypto/caam/caamalg.c index 88caca3370f2..f8ac768ed5d7 100644 --- a/drivers/crypto/caam/caamalg.c +++ b/drivers/crypto/caam/caamalg.c 
@@ -2015,6 +2015,7 @@ static void ablkcipher_encrypt_done(struct device *jrdev, u32 *desc, u32 err, struct ablkcipher_request *req = context; struct ablkcipher_edesc *edesc; struct crypto_ablkcipher *ablkcipher = crypto_ablkcipher_reqtfm(req); + struct caam_ctx *ctx = crypto_ablkcipher_ctx(ablkcipher); int ivsize = crypto_ablkcipher_ivsize(ablkcipher); #ifdef DEBUG @@ -2040,10 +2041,11 @@ static void ablkcipher_encrypt_done(struct device *jrdev, u32 *desc, u32 err, /* * The crypto API expects us to set the IV (req->info) to the last - * ciphertext block. This is used e.g. by the CTS mode. + * ciphertext block when running in CBC mode. */ - scatterwalk_map_and_copy(req->info, req->dst, req->nbytes - ivsize, - ivsize, 0); + if ((ctx->class1_alg_type & OP_ALG_AAI_MASK) == OP_ALG_AAI_CBC) + scatterwalk_map_and_copy(req->info, req->dst, req->nbytes - + ivsize, ivsize, 0); kfree(edesc); @@ -2056,6 +2058,7 @@ static void ablkcipher_decrypt_done(struct device *jrdev, u32 *desc, u32 err, struct ablkcipher_request *req = context; struct ablkcipher_edesc *edesc; struct crypto_ablkcipher *ablkcipher = crypto_ablkcipher_reqtfm(req); + struct caam_ctx *ctx = crypto_ablkcipher_ctx(ablkcipher); int ivsize = crypto_ablkcipher_ivsize(ablkcipher); #ifdef DEBUG @@ -2080,10 +2083,11 @@ static void ablkcipher_decrypt_done(struct device *jrdev, u32 *desc, u32 err, /* * The crypto API expects us to set the IV (req->info) to the last - * ciphertext block. + * ciphertext block when running in CBC mode. */ - scatterwalk_map_and_copy(req->info, req->src, req->nbytes - ivsize, - ivsize, 0); + if ((ctx->class1_alg_type & OP_ALG_AAI_MASK) == OP_ALG_AAI_CBC) + scatterwalk_map_and_copy(req->info, req->src, req->nbytes - + ivsize, ivsize, 0); kfree(edesc);
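
Review bot: the rewritten comment in ablkcipher_encrypt_done() (hunk at -2040) says the IV is set "when running in CBC mode" but no longer says why the other modes are skipped. The commit message calls this a workaround "for the time being" for an IV buffer that shares a cacheline with DMA-mapped data; one sentence to that effect in the comment would stop the `OP_ALG_AAI_CBC` test from later being dropped as an apparent oversight. As a style point, the wrapped call breaks in the middle of `req->nbytes - ivsize`; breaking after the comma would keep the offset expression on one line.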
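
Review bot: in ablkcipher_decrypt_done() (hunk at -2080) the guarded copy still takes the last ivsize bytes from req->src inside the completion callback, so it relies on the source still holding ciphertext after the job has finished. If callers can submit in-place requests where req->src and req->dst are the same scatterlist, the block at `req->nbytes - ivsize` would hold plaintext by then and the IV handed back for CBC would be wrong. Both the removed and the added lines read req->src, so this is not introduced here, but since the patch narrows the copy to exactly the CBC case it is worth confirming, or saving the last ciphertext block before the job is submitted.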
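
The cacheline hazard described in the commit message, reduced to a toy model (an added example, not code from the patch or from the CAAM driver): a CPU store to the IV dirties a whole cache line, and writing that line back overwrites a tag the device placed in the same line by DMA. The 64-byte line size, the buffer offsets and the one-line write-back cache are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINE 64                 /* assumed cache line size */

/* Toy model: RAM plus a one-line write-back cache (constructed, not kernel code). */
struct toy {
    uint8_t ram[2 * LINE];
    uint8_t cache[LINE];
    int cached_line;            /* -1 when the cache is empty */
    int dirty;
};

static void writeback(struct toy *t)
{
    if (t->cached_line >= 0 && t->dirty)
        memcpy(t->ram + t->cached_line * LINE, t->cache, LINE);
    t->dirty = 0;
}

static void cpu_write(struct toy *t, size_t off, const uint8_t *src, size_t len)
{
    int line = (int)(off / LINE);
    if (t->cached_line != line) {            /* miss: evict, then fill from RAM */
        writeback(t);
        memcpy(t->cache, t->ram + line * LINE, LINE);
        t->cached_line = line;
    }
    memcpy(t->cache + off % LINE, src, len); /* store must stay within one line */
    t->dirty = 1;
}

/* Returns 1 if the tag the device wrote to RAM is still intact at the end. */
int tag_survives(size_t tag_off)
{
    struct toy t = { .cached_line = -1 };
    uint8_t iv[16], tag[16];
    memset(iv, 0xAA, sizeof(iv));
    memset(tag, 0x55, sizeof(tag));
    cpu_write(&t, 0, iv, sizeof(iv));            /* IV update at offset 0 */
    memcpy(t.ram + tag_off, tag, sizeof(tag));   /* inbound DMA bypasses the cache */
    writeback(&t);                               /* dirty line is written back whole */
    return memcmp(t.ram + tag_off, tag, sizeof(tag)) == 0;
}

int main(void)
{
    printf("shared line: %d, own line: %d\n", tag_survives(16), tag_survives(LINE));
    return 0;
}
```

With the tag at offset 16 it sits in the IV's line and is lost; at offset 64 it has its own line and survives.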