lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <346d4d20-d42d-46eb-b25a-8fb9d0390892@quicinc.com>
Date: Fri, 6 Sep 2024 12:36:17 +0530
From: Md Sadre Alam <quic_mdalam@...cinc.com>
To: Bjorn Andersson <andersson@...nel.org>
CC: Caleb Connolly <caleb.connolly@...aro.org>, <vkoul@...nel.org>,
        <robh@...nel.org>, <krzk+dt@...nel.org>, <conor+dt@...nel.org>,
        <konradybcio@...nel.org>, <thara.gopinath@...il.com>,
        <herbert@...dor.apana.org.au>, <davem@...emloft.net>,
        <gustavoars@...nel.org>, <u.kleine-koenig@...gutronix.de>,
        <kees@...nel.org>, <agross@...nel.org>,
        <linux-arm-msm@...r.kernel.org>, <dmaengine@...r.kernel.org>,
        <devicetree@...r.kernel.org>, <linux-kernel@...r.kernel.org>,
        <linux-crypto@...r.kernel.org>, <quic_srichara@...cinc.com>,
        <quic_varada@...cinc.com>, <quic_utiwari@...cinc.com>
Subject: Re: [PATCH v2 00/16] Add cmd descriptor support



On 8/16/2024 9:15 PM, Bjorn Andersson wrote:
> On Fri, Aug 16, 2024 at 05:33:43PM GMT, Md Sadre Alam wrote:
>> On 8/15/2024 6:38 PM, Caleb Connolly wrote:
> [..]
>>> On 15/08/2024 10:57, Md Sadre Alam wrote:
> [..]
>>>>
>>>> tested with "tcrypt.ko" and "kcapi" tool.
>>>>
>>>> Need help to test these all the patches on msm platform
>>>
>>> DT changes here are only for a few IPQ platforms, please explain in the cover letter if this is some IPQ specific feature which doesn't exist on other platforms, or if you're only enabling it on IPQ.
>>
>>     This feature is BAM hardware feature so its applicable for all the QCOM Soc where bam is there. Its not IPQ specific. Will add all the explanation in cover letter in next patch
> 
> Please configure your email client such that your replies follow the
> typical style of mail list discussions. I believe go/upstream has
> instructions for this.
   Ok
> 
>>>
>>> Some broad strokes testing instructions (at the very least) and requirements (testing on what hardware?) aren't made obvious at all here.
>>
>>     Sure will update in cover letter in next patch.
> 
> I'm interested in these instructions as well, but no need to wait for
> another version to provide these instructions. Please just reply here
> (and then include them if there are future versions)

   Requirements:
   In QCE crypto driver we are accessing the crypto engine registers directly via CPU read/write so its possible
   if other subsystem possibly Trust Zone also tries to perform some crypto operations simultaneously, a race
   condition will be created and this could result in undefined behavior.

   To avoid this behavior we need to use BAM HW LOCK/UNLOCK feature on BAM pipes, and this LOCK/UNLOCK will
   be set via sending a command descriptor, where the HLOS/TZ QCE crypto driver prepares a command descriptor
   with a dummy write operation on one of the QCE crypto engine register and pass the LOCK/UNLOCK flag along
   with it.

   This feature tested with tcrypt.ko and "libkcapi" with all the AES algorithm supported by QCE crypto engine.
   Tested on IPQ9574 and qcm6490.LE chipset.

   insmod tcrypt.ko mode=101
   insmod tcrypt.ko mode=102
   insmod tcrypt.ko mode=155
   insmod tcrypt.ko mode=180
   insmod tcrypt.ko mode=181
   insmod tcrypt.ko mode=182
   insmod tcrypt.ko mode=185
   insmod tcrypt.ko mode=186
   insmod tcrypt.ko mode=212
   insmod tcrypt.ko mode=216
   insmod tcrypt.ko mode=403
   insmod tcrypt.ko mode=404
   insmod tcrypt.ko mode=500
   insmod tcrypt.ko mode=501
   insmod tcrypt.ko mode=502
   insmod tcrypt.ko mode=600
   insmod tcrypt.ko mode=601
   insmod tcrypt.ko mode=602

   Encryption command line:
  ./kcapi -x 1 -e -c "cbc(aes)" -k
  8d7dd9b0170ce0b5f2f8e1aa768e01e91da8bfc67fd486d081b28254c99eb423 -i
  7fbc02ebf5b93322329df9bfccb635af -p 48981da18e4bb9ef7e2e3162d16b1910
  * 8b19050f66582cb7f7e4b6c873819b71
  *
  Decryption command line:
  * $ ./kcapi -x 1 -c "cbc(aes)" -k
  3023b2418ea59a841757dcf07881b3a8def1c97b659a4dad -i
  95aa5b68130be6fcf5cabe7d9f898a41 -q c313c6b50145b69a77b33404cb422598
  * 836de0065f9d6f6a3dd2c53cd17e33a

  * $ ./kcapi -x 3 -c sha256 -p 38f86d
  * cc42f645c5aa76ac3154b023359b665375fc3ae42f025fe961fb0f65205ad70e
  * $ ./kcapi -x 3 -c sha256 -p bbb300ac5eda9d
  * 61f7b48577a613fbdfe0d6d90b49985e07a42c99e7a439b6efb76d5ec71b3d30

  ./kcapi -x 12 -c "hmac(sha256)" -k
  0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b -i
  000102030405060708090a0b0c -p f0f1f2f3f4f5f6f7f8f9 -b 42
  *
  3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf3400720
  8d5b887185865

  Paraller test with two different EE's (Execution Environment)

        EE1 (Trust Zone)                                               EE2 (HLOS)

  There is a TZ application which                             "libkcapi" or "tcrypt.ko" will run in continous loop
  will do continious enc/dec with                                  to do enc/dec with different algorithm supported
  different AES algorithm supported                                QCE crypto engine.
  by QCE crypto engine.

     1) dummy write with LOCK bit set                           1) dummy write with LOCK bit set

     2) bam will lock all other pipes which not                 2) bam will lock all other pipes which not
        belongs to current EE's, i.e HLOS pipe                     belongs to current EE's, i.e tz pipe and
        and keep handling current pipe only.                       keep handling current pipe only.

     3) tz prepare data descriptor and submit to CE5            3) hlos prepare data descriptor and submit to CE5

     4) dummy write with UNLOCK bit set                         4) dummy write with UNLOCK bit set

     5) bam will release all the locked pipes                   5) bam will release all the locked pipes

  Upon encountering a descriptor with Lock bit set, the BAM will lock all other pipes not related to the current pipe group,
  and keep handling the current pipe only until it sees the Un-Lock set (then it will release all locked pipes). The actual
  locking is done on the new descriptor fetching for publishing, i.e. locked pipe will not fetch new descriptors even if it
  got event/events adding more descriptors for this pipe.

> 
> Regards,
> Bjorn

Powered by blists - more mailing lists