Date: Thu, 6 Jun 2019 07:10:06 +0000
From: Horia Geanta <horia.geanta@....com>
To: Herbert Xu <herbert@...dor.apana.org.au>,
Ard Biesheuvel <ard.biesheuvel@...aro.org>
CC: Iuliana Prodan <iuliana.prodan@....com>,
Eric Biggers <ebiggers@...nel.org>,
"David S. Miller" <davem@...emloft.net>,
Sascha Hauer <s.hauer@...gutronix.de>,
"open list:HARDWARE RANDOM NUMBER GENERATOR CORE"
<linux-crypto@...r.kernel.org>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
dl-linux-imx <linux-imx@....com>
Subject: Re: [PATCH] crypto: gcm - fix cacheline sharing
On 6/6/2019 9:58 AM, Herbert Xu wrote:
> On Thu, Jun 06, 2019 at 08:53:10AM +0200, Ard Biesheuvel wrote:
>>
>> That same patch 'fixes' CBC, since CBC was never broken to begin with.
>> The CTS driver does not have something like the auth_tag sharing the
>> same cacheline with the IV, so CBC has always worked fine.
>
> CBC is broken. Any crypto API user is allowed to place the IV
> in the same position relative to the src/dst buffer. So the driver
> must deal with it.
>
That's the theory.
In practice we haven't encountered any issue so far, but yes, this case has to be
handled properly.
> It's just that the CTR/ghash combo happened to expose this first.
>
Yes, and that's what the patch is fixing.
>> So I guess what you are after is a patch that, instead of dodging the
>> issue by limiting the copy to CBC, does not perform the copy at all
>> while anything is mapped for DMA? Then we can leave it up to the NXP
>> engineers to fix CTR mode.
>
> Right, we definitely need to fix it for CBC, probably in the way that
> you suggested.
>
Not really.
I am in favor of using the HW to update the IV, which would work for all
skcipher algorithms.
I have the fix ready and will send it in a couple of days.
Thanks,
Horia