| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 19 Jul 2019 15:38:58 +0000
From: Horia Geanta <horia.geanta@....com>
To: Iuliana Prodan <iuliana.prodan@....com>,
Herbert Xu <herbert@...dor.apana.org.au>,
Aymen Sghaier <aymen.sghaier@....com>
CC: "David S. Miller" <davem@...emloft.net>,
"linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
dl-linux-imx <linux-imx@....com>
Subject: Re: [PATCH v2 08/14] crypto: caam - update rfc4106 sh desc to support
zero length input
On 7/19/2019 2:58 AM, Iuliana Prodan wrote:
> Update share descriptor for rfc4106 to skip instructions in case
> cryptlen is zero. If no instructions are jumped the DECO hangs and a
> timeout error is thrown.
>
> Signed-off-by: Iuliana Prodan <iuliana.prodan@....com>
> ---
> drivers/crypto/caam/caamalg_desc.c | 46 +++++++++++++++++++++++++-------------
> drivers/crypto/caam/caamalg_desc.h | 2 +-
> 2 files changed, 31 insertions(+), 17 deletions(-)
>
> diff --git a/drivers/crypto/caam/caamalg_desc.c b/drivers/crypto/caam/caamalg_desc.c
> index 7253183..99f419a 100644
> --- a/drivers/crypto/caam/caamalg_desc.c
> +++ b/drivers/crypto/caam/caamalg_desc.c
> @@ -843,13 +843,16 @@ EXPORT_SYMBOL(cnstr_shdsc_gcm_decap);
> * @ivsize: initialization vector size
> * @icvsize: integrity check value (ICV) size (truncated or full)
> * @is_qi: true when called from caam/qi
> + *
> + * Input sequence: AAD | PTXT
> + * Output sequence: AAD | CTXT | ICV
> + * AAD length (assoclen), which includes the IV length, is available in Math3.
> */
> void cnstr_shdsc_rfc4106_encap(u32 * const desc, struct alginfo *cdata,
> unsigned int ivsize, unsigned int icvsize,
> const bool is_qi)
> {
> - u32 *key_jump_cmd;
> -
> + u32 *key_jump_cmd, *zero_cryptlen_jump_cmd, *skip_instructions;
> init_sh_desc(desc, HDR_SHARE_SERIAL);
>
> /* Skip key loading if it is loaded due to sharing */
> @@ -890,26 +893,25 @@ void cnstr_shdsc_rfc4106_encap(u32 * const desc, struct alginfo *cdata,
> }
>
> append_math_sub_imm_u32(desc, VARSEQINLEN, REG3, IMM, ivsize);
> - append_math_add(desc, VARSEQOUTLEN, ZERO, REG3, CAAM_CMD_SZ);
> + append_math_add(desc, VARSEQOUTLEN, REG0, REG3, CAAM_CMD_SZ);
>
Why is this needed?
-all math registers are zero when descriptors start execution
-all caam hw revisions have support for math instruction
with ZERO as first operand
-descriptor size stays the same
> - /* Read assoc data */
> + /* Skip AAD */
> + append_seq_fifo_store(desc, 0, FIFOST_TYPE_SKIP | FIFOLDST_VLF);
> +
> + /* Read cryptlen and set this value into VARSEQOUTLEN */
> + append_math_sub(desc, VARSEQOUTLEN, SEQINLEN, REG3, CAAM_CMD_SZ);
> +
> + /* If cryptlen is ZERO jump to AAD command */
> + zero_cryptlen_jump_cmd = append_jump(desc, JUMP_TEST_ALL |
> + JUMP_COND_MATH_Z);
> +
> + /* Read AAD data */
> append_seq_fifo_load(desc, 0, FIFOLD_CLASS_CLASS1 | FIFOLDST_VLF |
> FIFOLD_TYPE_AAD | FIFOLD_TYPE_FLUSH1);
>
> /* Skip IV */
> append_seq_fifo_load(desc, ivsize, FIFOLD_CLASS_SKIP);
> -
> - /* Will read cryptlen bytes */
> - append_math_sub(desc, VARSEQINLEN, SEQINLEN, REG0, CAAM_CMD_SZ);
> -
> - /* Workaround for erratum A-005473 (simultaneous SEQ FIFO skips) */
> - append_seq_fifo_load(desc, 0, FIFOLD_CLASS_CLASS1 | FIFOLD_TYPE_MSG);
> -
Erratum workaround is dropped without any explanation.
The trigger condition (SKIPs both in input and output sequence) still exists.
The descriptor should be validated on a caam with erratum not fixed (era < 6).
Horia
Powered by blists - more mailing lists