| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sun, 27 Mar 2022 09:04:43 +0300
From: Gilad Ben-Yossef <gilad@...yossef.com>
To: Eric Biggers <ebiggers@...nel.org>
Cc: Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
Linux kernel mailing list <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] crypto: testmgr - test in-place en/decryption with two sglists
On Sat, Mar 26, 2022 at 10:13 AM Eric Biggers <ebiggers@...nel.org> wrote:
>
> From: Eric Biggers <ebiggers@...gle.com>
>
> As was established in the thread
> https://lore.kernel.org/linux-crypto/20220223080400.139367-1-gilad@benyossef.com/T/#u,
> many crypto API users doing in-place en/decryption don't use the same
> scatterlist pointers for the source and destination, but rather use
> separate scatterlists that point to the same memory. This case isn't
> tested by the self-tests, resulting in bugs.
>
> This is the natural usage of the crypto API in some cases, so requiring
> API users to avoid this usage is not reasonable.
>
> Therefore, update the self-tests to start testing this case.
>
> Signed-off-by: Eric Biggers <ebiggers@...gle.com>
Thank you Eric.
I have given this a lot of thought and here is what I predict will
happen thanks to this added test:
- We will not find a driver that this breaks, in the sense of
producing wrong results and triggering failure in this test.
- We probably will see drivers that when running this test when DMA
debug is compiled and enabled trigger the debug warning about double
DMA mapping of the same cache line.
The reason is that these double mapping stemming from this test will
be from mapping the same buffer as source and destination.
As such, the situation that is the cause for the DMA debug warning, of
a mapping causing cache flush invalidate, followed by DMA, followed
by another mapping causing cache flush/invalidate while the DMA is in
flight, will not happen. Instead we will have mapping ->
flush/invalidate -> another mapping -> flush/invalidate -> DMA ...
Note, this is certainly not a claim we should not add this test! on
the contrary ...
In fact, I would be tempted to claim that this means the real problem
is with an over zealous DMA debug logic. Unfortunately, I can think of
other scenarios where things are not so simple:
For example, what happens if a crypto API user has a buffer, which it
divides into two parts, and then submit a crypto op on one part and
another crypto op on the 2nd part (say encrypt and hash, just as an
example). For the best of my knowledge, there is nothing forcing the
split between the two parts to fall on a cache line. This can cause a
double mapping of the same cache line - and this time the warning is
real, because we are not guaranteed a single DMA operation following
the two mappings. There is nothing much a crypto driver can do even -
the two operations don't have to be done by the same driver at all...
I believe the scenario you are proposing to test is a benign example
of a larger issue. I also believe this is an example of Worse in
Better* and that the right solution is to dictate certain rules on the
callers of the crypto API. Whether these rules should or should not
include a limitation of not passing the same buffer via two different
scatter gather list to the same crypto op is debatable, but I think we
cannot run away from defining some rules.
I would really love for others to voice an opinion on this. It seems a
rather narrow discussion so far between the two of us on what I feel
is a broader issue.
Thanks!
Gilad
* https://dreamsongs.com/RiseOfWorseIsBetter.html
--
Gilad Ben-Yossef
Chief Coffee Drinker
values of β will give rise to dom!
Powered by blists - more mailing lists