Date: Wed, 11 May 2022 12:48:28 +0300
From: Horia Geantă <horia.geanta@....com>
To: Michael Walle <michael@...le.cc>, Pankaj Gupta <pankaj.gupta@....com>,
 Ahmad Fatoum <a.fatoum@...gutronix.de>
Cc: Herbert Xu <herbert@...dor.apana.org.au>,
 "David S. Miller" <davem@...emloft.net>,
 "kernel@...gutronix.de" <kernel@...gutronix.de>,
 James Bottomley <jejb@...ux.ibm.com>,
 Jarkko Sakkinen <jarkko@...nel.org>,
 Mimi Zohar <zohar@...ux.ibm.com>,
 David Howells <dhowells@...hat.com>,
 James Morris <jmorris@...ei.org>,
 Eric Biggers <ebiggers@...nel.org>,
 "Serge E. Hallyn" <serge@...lyn.com>,
 Jan Luebbe <j.luebbe@...gutronix.de>,
 David Gstir <david@...ma-star.at>,
 Richard Weinberger <richard@....at>,
 Franck Lenormand <franck.lenormand@....com>,
 Matthias Schiffer <matthias.schiffer@...tq-group.com>,
 Sumit Garg <sumit.garg@...aro.org>,
 "linux-integrity@...r.kernel.org" <linux-integrity@...r.kernel.org>,
 "keyrings@...r.kernel.org" <keyrings@...r.kernel.org>,
 "linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>,
 "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
 "linux-security-module@...r.kernel.org" <linux-security-module@...r.kernel.org>
Subject: Re: [EXT] [PATCH v9 3/7] crypto: caam - determine whether CAAM supports blob encap/decap

On 5/11/2022 12:21 PM, Michael Walle wrote:
> Hi,
>
> On 2022-05-11 11:16, Pankaj Gupta wrote:
>>> -----Original Message-----
>>> From: Ahmad Fatoum <a.fatoum@...gutronix.de>
>>> Sent: Monday, May 9, 2022 6:34 PM
>>> To: Pankaj Gupta <pankaj.gupta@....com>; Horia Geanta
>>> <horia.geanta@....com>; Herbert Xu <herbert@...dor.apana.org.au>;
>>> David S.
>>> Miller <davem@...emloft.net>
>>> Cc: kernel@...gutronix.de; Michael Walle <michael@...le.cc>; James
>>> Bottomley <jejb@...ux.ibm.com>; Jarkko Sakkinen <jarkko@...nel.org>;
>>> Mimi
>>> Zohar <zohar@...ux.ibm.com>; David Howells <dhowells@...hat.com>;
>>> James
>>> Morris <jmorris@...ei.org>; Eric Biggers <ebiggers@...nel.org>; Serge
>>> E.
>>> Hallyn <serge@...lyn.com>; Jan Luebbe <j.luebbe@...gutronix.de>; David
>>> Gstir
>>> <david@...ma-star.at>; Richard Weinberger <richard@....at>; Franck
>>> Lenormand <franck.lenormand@....com>; Matthias Schiffer
>>> <matthias.schiffer@...tq-group.com>; Sumit Garg
>>> <sumit.garg@...aro.org>;
>>> linux-integrity@...r.kernel.org; keyrings@...r.kernel.org; linux-
>>> crypto@...r.kernel.org; linux-kernel@...r.kernel.org; linux-security-
>>> module@...r.kernel.org
>>> Subject: Re: [EXT] [PATCH v9 3/7] crypto: caam - determine whether
>>> CAAM
>>> supports blob encap/decap
>>>
>>> Caution: EXT Email
>>>
>>> Hello Pankaj,
>>>
>>> On Mon, 2022-05-09 at 12:39 +0000, Pankaj Gupta wrote:
>>>>> - if (ctrlpriv->era < 10)
>>>>> + comp_params = rd_reg32(&ctrl->perfmon.comp_parms_ls);
>>>>> + ctrlpriv->blob_present = !!(comp_params & CTPR_LS_BLOB);
>>>>> +
>>>>> + if (ctrlpriv->era < 10) {
>>>>> rng_vid = (rd_reg32(&ctrl->perfmon.cha_id_ls) &
>>>>> CHA_ID_LS_RNG_MASK) >>
>>>>> CHA_ID_LS_RNG_SHIFT;
>>>>
>>>> Check for AES CHAs for Era < 10, should be added.
>>>
>>> Do I need this? I only do this check for Era >= 10, because apparently
>>> there are
>>> Layerscape non-E processors that indicate BLOB support via
>>> CTPR_LS_BLOB, but
>>> fail at runtime. Are there any Era < 10 SoCs that are similarly
>>> broken?
>>>
>>
>> For non-E variants, it might happen that Blob protocol is enabled, but
>> number of AES CHA are zero.
>> If the output of below expression is > 0, then only blob_present
>> should be marked present or true.
>> For era > 10, you handled. But for era < 10, please add the below code.
>
> Are there any CAAMs which can be just enabled partially for era < 10?
> I didn't find anything. To me it looks like the non-export controlled
> CAAM is only available for era >= 10. For era < 10, the CAAM is either
> fully featured there or it is not available at all and thus the node
> is removed in the bootloader (at least that is the case for layerscape).
>

Quoting from our previous discussion in U-boot:
https://patchwork.ozlabs.org/project/uboot/patch/20200602150904.1997-1-michael@walle.cc/#2457448

"
Based on previous (NXP-internal) discussions, non-E crypto module is:
-fully disabled on: LS1021A (ARMv7), LS1043A, LS1088A, LS2088A
(and their personalities)
-partially [*] disabled on: LS1012A, LS1028A, LS1046A, LX2160A
(and their personalities)
"

From the partially disabled list, LS1028A and LX2160A have CAAM Era 10,
while LS1012A and LS1046A integrate CAAM Era 8.

Horia
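
Review bot: In the quoted hunk, ctrlpriv->blob_present is set from CTPR_LS_BLOB alone, ahead of the era split, and the era < 10 branch as shown only reads the RNG version from cha_id_ls, so in these lines nothing ties blob support to an AES CHA being present on Era < 10 parts. Given that the thread lists LS1012A and LS1046A as Era 8 devices with a partially disabled non-E CAAM, either clear blob_present in the era < 10 branch when no AES CHA is reported, or add a comment next to the assignment explaining why CTPR_LS_BLOB alone is trusted there.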