Open Source and information security mailing list archives
Date:   Thu, 6 Jun 2019 07:10:06 +0000
From:   Horia Geanta <>
To:     Herbert Xu <>,
        Ard Biesheuvel <>
CC:     Iuliana Prodan <>,
        Eric Biggers <>,
        "David S. Miller" <>,
        Sascha Hauer <>,
        Linux Kernel Mailing List <>,
        dl-linux-imx <>
Subject: Re: [PATCH] crypto: gcm - fix cacheline sharing

On 6/6/2019 9:58 AM, Herbert Xu wrote:
> On Thu, Jun 06, 2019 at 08:53:10AM +0200, Ard Biesheuvel wrote:
>> That same patch 'fixes' CBC, since CBC was never broken to begin with.
>> The CTS driver does not have something like the auth_tag sharing the
>> same cacheline with the IV, so CBC has always worked fine.
> CBC is broken.  Any crypto API user is allowed to place the IV
> in the same position relative to the src/dst buffer.  So the driver
> must deal with it.
That's the theory.
In practice we haven't encountered any issue so far, but yes, this case has to be
handled properly.

> It's just that the CTR/ghash combo happened to expose this first.
Yes, and that's what the patch is fixing.

>> So I guess what you are after is a patch that, instead of dodging the
>> issue by limiting the copy to CBC, does not perform the copy at all
>> while anything is mapped for DMA? Then we can leave it up to the NXP
>> engineers to fix CTR mode.
> Right, we definitely need to fix it for CBC, probably in the way that
> you suggested.
Not really.
I am in favor of using the HW to update the IV, which would work for all
skcipher algorithms.
I have the fix ready, will send it in a couple of days.
