Open Source and information security mailing list archives
Date:   Thu, 6 Jun 2019 14:57:57 +0800
From:   Herbert Xu <>
To:     Ard Biesheuvel <>
Cc:     Iuliana Prodan <>,
        Eric Biggers <>,
        "David S. Miller" <>,
        Horia Geanta <>,
        Sascha Hauer <>,
        Linux Kernel Mailing List <>,
        dl-linux-imx <>
Subject: Re: [PATCH] crypto: gcm - fix cacheline sharing

On Thu, Jun 06, 2019 at 08:53:10AM +0200, Ard Biesheuvel wrote:
> That same patch 'fixes' CBC, since CBC was never broken to begin with.
> The CTS driver does not have something like the auth_tag sharing the
> same cacheline with the IV, so CBC has always worked fine.

CBC is broken.  Any crypto API user is allowed to place the IV
in the same position relative to the src/dst buffer.  So the driver
must deal with it.

It's just that the CTR/ghash combo happened to expose this first.

> So I guess what you are after is a patch that, instead of dodging the
> issue by limiting the copy to CBC, does not perform the copy at all
> while anything is mapped for DMA? Then we can leave it up to the NXP
> engineers to fix CTR mode.

Right, we definitely need to fix it for CBC, probably in the way that
you suggested.

We should fix CTR too but at least it should be obviously broken as
the self-test should catch this case now.

Email: Herbert Xu <>
Home Page:
PGP Key:
