lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Wed, 8 Nov 2023 15:50:02 +0200
From:   "Radu Pirea (OSS)" <radu-nicolae.pirea@....nxp.com>
To:     Sabrina Dubroca <sd@...asysnail.net>
Cc:     davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
        pabeni@...hat.com, andrew@...n.ch, hkallweit1@...il.com,
        linux@...linux.org.uk, richardcochran@...il.com,
        linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
        sebastian.tobuschat@....nxp.com
Subject: Re: [PATCH net-next v8 5/7] net: phy: nxp-c45-tja11xx: add MACsec
 support

On 27.10.2023 12:37, Sabrina Dubroca wrote:
>> +static int nxp_c45_mdo_add_secy(struct macsec_context *ctx)
>> +{
> [...]
>> +	phy_secy = kzalloc(sizeof(*phy_secy), GFP_KERNEL);
>> +	if (!phy_secy)
>> +		return -ENOMEM;
>> +
>> +	INIT_LIST_HEAD(&phy_secy->sa_list);
>> +	phy_secy->secy = ctx->secy;
>> +	phy_secy->secy_id = idx;
>> +
>> +	/* If the point to point mode should be enabled, we should have only
>> +	 * one SecY enabled, respectively the new one.
>> +	 */
>> +	can_rx_sc0_impl = list_count_nodes(&priv->macsec->secy_list) == 0;
>> +	if (!nxp_c45_secy_valid(phy_secy, can_rx_sc0_impl)) {
>> +		kfree_sensitive(phy_secy);
> 
> kfree is enough here, no keying information has been stored in
> phy_secy.

Agreed. No key is stored in the driver. Changed kfree_sensitive calls to 
kfree calls.

> 
>> +		return -EINVAL;
>> +	}
>> +
>> +	nxp_c45_select_secy(phydev, phy_secy->secy_id);
>> +	nxp_c45_set_sci(phydev, MACSEC_TXSC_SCI_1H, ctx->secy->sci);
>> +	nxp_c45_tx_sc_set_flt(phydev, phy_secy);
>> +	nxp_c45_tx_sc_update(phydev, phy_secy);
>> +	if (phy_interrupt_is_valid(phydev))
>> +		nxp_c45_secy_irq_en(phydev, phy_secy, true);
> 
> Can macsec be used reliably in case we skip enabling the IRQ?
> 

IMO yes. macsec_pn_wrapped will not be called anymore if the TX PN 
overflows and no frame will go out via controlled port reusing the PNs, 
but this should not be an issue. The MKA should not wait until 
macsec_pn_wrapped is called and should change the keys before the PN 
overflow happens.

-- 
Radu P.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ