lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 30 May 2019 14:29:26 +0000
From:   Pascal Van Leeuwen <>
To:     Ard Biesheuvel <>,
        Herbert Xu <>
CC:     Iuliana Prodan <>,
        Eric Biggers <>,
        "David S. Miller" <>,
        Horia Geanta <>,
        Sascha Hauer <>,
        Linux Kernel Mailing List <>,
        dl-linux-imx <>
Subject: RE: [PATCH] crypto: gcm - fix cacheline sharing

> On Thu, 30 May 2019 at 15:58, Herbert Xu <>
> wrote:
> >
> > On Thu, May 30, 2019 at 01:45:47PM +0000, Iuliana Prodan wrote:
> > >
> > > On the current structure of caamalg, to work, iv needs to be copied
> > > before memcpy(iv, req->iv, ivsize), from skcipher_edesc_alloc
> function.
> > > For this we need edesc, but this cannot be allocated before knowing
> how
> > > much memory we need. So, to make it work, we'll need to modify more in
> >
> > All the copying does is:
> >
> >         if (ivsize)
> >                 scatterwalk_map_and_copy(req->iv, req->src, req-
> >cryptlen -
> >                                          ivsize, ivsize, 0);
> >
> > Why do you need to allocate the edesc before doing this?
> >
> Because that is where the incoming iv is currently consumed. Copying
> it out like this wipes the input IV from memory.

I had a similar problem for the Inside Secure driver: for decrypt operations,
you need to copy the output IV from your input data buffer (it's the last 
input data cipher block) but you need to do that *before* you start the
hardware, as for in-place operations, it is overwritten.

At the same time, you cannot store it to req->iv yet, because that still
contains the input IV that you need for processing the first block.

The only solution I could come up with, is to park it in some temporary
buffer in the skcipher_request_ctx *before* starting the hardware and copy 
it to req->iv *after* the operation completes.

Pascal van Leeuwen
Silicon IP Architect, Multi-Protocol Engines @ Inside Secure

Powered by blists - more mailing lists