lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAMj1kXHesHJ2oFzGPewp2V=rA0-BU2Y_PffuDDhxioftOKZYHg@mail.gmail.com>
Date: Sun, 30 Nov 2025 11:59:58 +0100
From: Ard Biesheuvel <ardb@...nel.org>
To: Vivian Wang <wangruikang@...as.ac.cn>
Cc: Jerry Shih <jerry.shih@...ive.com>, Eric Biggers <ebiggers@...nel.org>, 
	Herbert Xu <herbert@...dor.apana.org.au>, "David S. Miller" <davem@...emloft.net>, 
	"Jason A. Donenfeld" <Jason@...c4.com>, Palmer Dabbelt <palmer@...belt.com>, Paul Walmsley <pjw@...nel.org>, 
	Alexandre Ghiti <alex@...ti.fr>, "Martin K. Petersen" <martin.petersen@...cle.com>, Han Gao <gaohan@...as.ac.cn>, 
	linux-crypto@...r.kernel.org, linux-riscv@...ts.infradead.org, 
	linux-kernel@...r.kernel.org
Subject: Re: lib/crypto: riscv: crypto_zvkb crashes on selftest if no
 misaligned vector support

On Sun, 30 Nov 2025 at 10:13, Vivian Wang <wangruikang@...as.ac.cn> wrote:
>
> Hi,
>
> We ran into a problem with chacha_zvkb, where having:
>
> - OpenSBI 1.7+ (for FWFT support)
> - CRYPTO_CHACHA20POLY1305=y and CRYPTO_SELFTESTS=y (and deps, of course)
> - Hardware with Zvkb support
> - Hardware *without* misaligned vector load/store support
>
> Leads to a crash on boot during selftest on a vlsseg8e32.v instruction,
> because it requires 4-byte alignment of the buffers.
>
> OpenSBI by default emulates vector misaligned operations, however Linux
> explicitly disables it with SBI FWFT while not providing vector
> misaligned emulation of its own.
>
> This can be reproduced by running everything in Spike without
> --misaligned, and is reproducible on stable 6.17.9, 6.18-rc1 and
> 6.18-rc7. See log at the end. Note that I had to fix chacha_zvkb
> somewhat to have it retain a frame pointer to get a stack trace - patch
> will be sent later.
>
> Setting cra_alignmask to 3 for everything in crypto/chacha.c "fixes"
> this, but there seems to be no obvious way to say "if use_zvkb then
> cra_alignmask = 3", and, not being familiar with the crypto API stuff, I
> can't figure out a good way to say "if riscv then cra_alignmask = 3" either.
>
> AFAICT, this problem was missed from the very start since commit
> bb54668837a0 ("crypto: riscv - add vector crypto accelerated ChaCha20").
>
> Please advise.
>

I'd suggest to only enable this version of the code if both Zicclsm
and Zvkb are supported (assuming that Zicclsm is the extension that
would result in these misaligned accesses to be permitted).

Playing with the cra_alignmask is likely insufficient, because it does
not fix the use cases that call the library interface directly.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ