| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAMj1kXGQvjcN7gEH_fsxQ-0KW7_Mj93i0LQ8aT6WQTCPiMMcQA@mail.gmail.com> Date: Tue, 16 Dec 2025 09:15:21 +0100 From: Ard Biesheuvel <ardb@...nel.org> To: Eric Biggers <ebiggers@...nel.org> Cc: Diederik de Haas <diederik@...ow-tech.com>, linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org, "Jason A . Donenfeld" <Jason@...c4.com>, Herbert Xu <herbert@...dor.apana.org.au>, linux-arm-kernel@...ts.infradead.org, stable@...r.kernel.org Subject: Re: [PATCH] crypto: arm64/ghash - Fix incorrect output from ghash-neon On Mon, 15 Dec 2025 at 21:16, Eric Biggers <ebiggers@...nel.org> wrote: > > On Mon, Dec 15, 2025 at 04:54:34PM +0900, Ard Biesheuvel wrote: > > > > All 64-bit RPi models except the RPi5 are affected by this, as those > > > > do not implement the crypto extensions. So I would expect QEMU to do > > > > the same. > > > > > > > > It would be nice, though, if we could emulate this on the mach-virt > > > > machine model too. It should be fairly trivial to do, so if there is > > > > demand for this I can look into it. > > > > > > I'm definitely interested in it. I'm already testing multiple "-cpu" > > > options, and it's easy to add more. > > > > > > With qemu-system-aarch64 I'm currently only using "-M virt", since the > > > other machine models I've tried don't boot with arm64 defconfig, > > > including "-M raspi3b" and "-M raspi4b". > > > > > > There may be some tricks I'm missing. Regardless, expanding the > > > selection of available CPUs for "-M virt" would be helpful. Either by > > > adding "real" CPUs that have "interesting" combinations of features, or > > > by just allowing turning features off like > > > "-cpu max,aes=off,pmull=off,sha256=off". (Certain features like sve can > > > already be turned off in that way, but not the ones relevant to us.) > > > > > > > There are some architectural rules around which combinations of crypto > > extensions are permitted: > > - PMULL implies AES, and there is no way for the ID registers to > > describe a CPU that has PMULL but not AES > > - SHA256 implies SHA1 (but the ID register fields are independent) > > - SHA3 and SHA512 both imply SHA256+SHA1 > > - SVE versions are not allowed to be implemented unless the plain NEON > > version is implemented as well > > - FEAT_Crypto has different meanings for v8.0, v8.2 and v9.x > > > > So it would be much easier, also in terms of future maintenance, to > > have a simple 'crypto=off' setting that applies to all emulated CPU > > models, given that disabling all crypto on any given compliant CPU > > will never result in something that the architecture does not permit. > > > > Would that work for you? > > I thought it had been established that the "crypto" grouping of features > (as implemented by gcc and clang) doesn't reflect the actual hardware > feature fields and is misleading because additional crypto extensions > continue to be added. > > I'm not sure that applies here, but just something to consider. > You are right, this is why 'crypto=on' can never mean anything other than 'do not disable the crypto extensions that this particular CPU type provides' But that does not mean 'crypto=off' is equally problematic. > There's certainly no need to support emulating combinations of features > that no hardware actually implements. So yes, if that means "crypto" is > the right choice, that sounds fine. > OK, I'll have a stab at that and cc you on the patches.
Powered by blists - more mailing lists