lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <aC1fY6IP-8MzVIbx@gondor.apana.org.au>
Date: Wed, 21 May 2025 13:06:43 +0800
From: Herbert Xu <herbert@...dor.apana.org.au>
To: Corentin Labbe <clabbe.montjoie@...il.com>
Cc: Klaus Kudielka <klaus.kudielka@...il.com>,
	Eric Biggers <ebiggers@...nel.org>, regressions@...ts.linux.dev,
	linux-kernel@...r.kernel.org,
	Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
	Boris Brezillon <bbrezillon@...nel.org>,
	EBALARD Arnaud <Arnaud.Ebalard@....gouv.fr>,
	Romain Perier <romain.perier@...il.com>,
	Arnd Bergmann <arnd@...db.de>
Subject: Re: [PATCH] crypto: marvell/cesa - Avoid empty transfer descriptor

On Sun, May 18, 2025 at 03:58:58PM +0800, Herbert Xu wrote:
>
> Hah my debug patch was broken.  It didn't take into account the
> partial block when recalculating the hash with the fallback.
> 
> However, this seems to suggest that my hunch was incorrect.  The
> partial hash wasn't being corrupted and it's actually the final
> calculation that was wrong.
> 
> This could be good news.  Because if it is a hardware bug causing
> this, then the final calculation can be easily worked around by
> turning the final hash into a partial update.

Further investigation shows that it's not so simple.  While one
hash (md5) was definitely a final hash, the sha ones aren't.
Indeed the sha256 hash was definitely corrupted at the partial
stage and correctly identified by my printk.

So we'll have to look elsewhere for a solution.

One thing that may or may not be a coincidence is that all the
failed tests involve a partial block of data somewhere along
the line.  I might just be grasping at straws but perhaps the
partial block is the key?

Can you please try this patch to see if it makes a difference?

Thanks,
-- 
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
diff --git a/drivers/crypto/marvell/cesa/hash.c b/drivers/crypto/marvell/cesa/hash.c
index 6815eddc9068..7a50b31d94b3 100644
--- a/drivers/crypto/marvell/cesa/hash.c
+++ b/drivers/crypto/marvell/cesa/hash.c
@@ -532,6 +532,7 @@ mv_cesa_ahash_dma_add_cache(struct mv_cesa_tdma_chain *chain,
 		return ret;
 
 	memcpy(ahashdreq->cache, creq->cache, creq->cache_ptr);
+	wmb();
 
 	return mv_cesa_dma_add_data_transfer(chain,
 					     CESA_SA_DATA_SRAM_OFFSET,

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ