platform/kernel/linux-rpi.git
6 years agocrypto: bcm - Delete an error message for a failed memory allocation in do_shash()
Markus Elfring [Wed, 14 Feb 2018 21:05:11 +0000 (22:05 +0100)]
crypto: bcm - Delete an error message for a failed memory allocation in do_shash()

Omit an extra message for a memory allocation failure in this function.

This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: bfin_crc - Delete an error message for a failed memory allocation in bfin_cry...
Markus Elfring [Wed, 14 Feb 2018 20:34:54 +0000 (21:34 +0100)]
crypto: bfin_crc - Delete an error message for a failed memory allocation in bfin_crypto_crc_probe()

Omit an extra message for a memory allocation failure in this function.

This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: speck - add test vectors for Speck64-XTS
Eric Biggers [Wed, 14 Feb 2018 18:42:23 +0000 (10:42 -0800)]
crypto: speck - add test vectors for Speck64-XTS

Add test vectors for Speck64-XTS, generated in userspace using C code.
The inputs were borrowed from the AES-XTS test vectors, with key lengths
adjusted.

xts-speck64-neon passes these tests.  However, they aren't currently
applicable for the generic XTS template, as that only supports a 128-bit
block size.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: speck - add test vectors for Speck128-XTS
Eric Biggers [Wed, 14 Feb 2018 18:42:22 +0000 (10:42 -0800)]
crypto: speck - add test vectors for Speck128-XTS

Add test vectors for Speck128-XTS, generated in userspace using C code.
The inputs were borrowed from the AES-XTS test vectors.

Both xts(speck128-generic) and xts-speck128-neon pass these tests.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: arm/speck - add NEON-accelerated implementation of Speck-XTS
Eric Biggers [Wed, 14 Feb 2018 18:42:21 +0000 (10:42 -0800)]
crypto: arm/speck - add NEON-accelerated implementation of Speck-XTS

Add an ARM NEON-accelerated implementation of Speck-XTS.  It operates on
128-byte chunks at a time, i.e. 8 blocks for Speck128 or 16 blocks for
Speck64.  Each 128-byte chunk goes through XTS preprocessing, then is
encrypted/decrypted (doing one cipher round for all the blocks, then the
next round, etc.), then goes through XTS postprocessing.

The performance depends on the processor but can be about 3 times faster
than the generic code.  For example, on an ARMv7 processor we observe
the following performance with Speck128/256-XTS:

    xts-speck128-neon:     Encryption 107.9 MB/s, Decryption 108.1 MB/s
    xts(speck128-generic): Encryption  32.1 MB/s, Decryption  36.6 MB/s

In comparison to AES-256-XTS without the Cryptography Extensions:

    xts-aes-neonbs:        Encryption  41.2 MB/s, Decryption  36.7 MB/s
    xts(aes-asm):          Encryption  31.7 MB/s, Decryption  30.8 MB/s
    xts(aes-generic):      Encryption  21.2 MB/s, Decryption  20.9 MB/s

Speck64/128-XTS is even faster:

    xts-speck64-neon:      Encryption 138.6 MB/s, Decryption 139.1 MB/s

Note that as with the generic code, only the Speck128 and Speck64
variants are supported.  Also, for now only the XTS mode of operation is
supported, to target the disk and file encryption use cases.  The NEON
code also only handles the portion of the data that is evenly divisible
into 128-byte chunks, with any remainder handled by a C fallback.  Of
course, other modes of operation could be added later if needed, and/or
the NEON code could be updated to handle other buffer sizes.

The XTS specification is only defined for AES which has a 128-bit block
size, so for the GF(2^64) math needed for Speck64-XTS we use the
reducing polynomial 'x^64 + x^4 + x^3 + x + 1' given by the original XEX
paper.  Of course, when possible users should use Speck128-XTS, but even
that may be too slow on some processors; Speck64-XTS can be faster.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: speck - export common helpers
Eric Biggers [Wed, 14 Feb 2018 18:42:20 +0000 (10:42 -0800)]
crypto: speck - export common helpers

Export the Speck constants and transform context and the ->setkey(),
->encrypt(), and ->decrypt() functions so that they can be reused by the
ARM NEON implementation of Speck-XTS.  The generic key expansion code
will be reused because it is not performance-critical and is not
vectorizable, while the generic encryption and decryption functions are
needed as fallbacks and for the XTS tweak encryption.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: speck - add support for the Speck block cipher
Eric Biggers [Wed, 14 Feb 2018 18:42:19 +0000 (10:42 -0800)]
crypto: speck - add support for the Speck block cipher

Add a generic implementation of Speck, including the Speck128 and
Speck64 variants.  Speck is a lightweight block cipher that can be much
faster than AES on processors that don't have AES instructions.

We are planning to offer Speck-XTS (probably Speck128/256-XTS) as an
option for dm-crypt and fscrypt on Android, for low-end mobile devices
with older CPUs such as ARMv7 which don't have the Cryptography
Extensions.  Currently, such devices are unencrypted because AES is not
fast enough, even when the NEON bit-sliced implementation of AES is
used.  Other AES alternatives such as Twofish, Threefish, Camellia,
CAST6, and Serpent aren't fast enough either; it seems that only a
modern ARX cipher can provide sufficient performance on these devices.

This is a replacement for our original proposal
(https://patchwork.kernel.org/patch/10101451/) which was to offer
ChaCha20 for these devices.  However, the use of a stream cipher for
disk/file encryption with no space to store nonces would have been much
more insecure than we thought initially, given that it would be used on
top of flash storage as well as potentially on top of F2FS, neither of
which is guaranteed to overwrite data in-place.

Speck has been somewhat controversial due to its origin.  Nevertheless,
it has a straightforward design (it's an ARX cipher), and it appears to
be the leading software-optimized lightweight block cipher currently,
with the most cryptanalysis.  It's also easy to implement without side
channels, unlike AES.  Moreover, we only intend Speck to be used when
the status quo is no encryption, due to AES not being fast enough.

We've also considered a novel length-preserving encryption mode based on
ChaCha20 and Poly1305.  While theoretically attractive, such a mode
would be a brand new crypto construction and would be more complicated
and difficult to implement efficiently in comparison to Speck-XTS.

There is confusion about the byte and word orders of Speck, since the
original paper doesn't specify them.  But we have implemented it using
the orders the authors recommended in a correspondence with them.  The
test vectors are taken from the original paper but were mapped to byte
arrays using the recommended byte and word orders.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: aesni - Update aesni-intel_glue to use scatter/gather
Dave Watson [Wed, 14 Feb 2018 17:40:58 +0000 (09:40 -0800)]
crypto: aesni - Update aesni-intel_glue to use scatter/gather

Add gcmaes_crypt_by_sg routine, that will do scatter/gather
by sg. Either src or dst may contain multiple buffers, so
iterate over both at the same time if they are different.
If the input is the same as the output, iterate only over one.

Currently both the AAD and TAG must be linear, so copy them out
with scatterlist_map_and_copy.  If first buffer contains the
entire AAD, we can optimize and not copy.   Since the AAD
can be any size, if copied it must be on the heap.  TAG can
be on the stack since it is always < 16 bytes.

Only the SSE routines are updated so far, so leave the previous
gcmaes_en/decrypt routines, and branch to the sg ones if the
keysize is inappropriate for avx, or we are SSE only.

Signed-off-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: aesni - Introduce scatter/gather asm function stubs
Dave Watson [Wed, 14 Feb 2018 17:40:47 +0000 (09:40 -0800)]
crypto: aesni - Introduce scatter/gather asm function stubs

The asm macros are all set up now, introduce entry points.

GCM_INIT and GCM_COMPLETE have arguments supplied, so that
the new scatter/gather entry points don't have to take all the
arguments, and only the ones they need.

Signed-off-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: aesni - Add fast path for > 16 byte update
Dave Watson [Wed, 14 Feb 2018 17:40:31 +0000 (09:40 -0800)]
crypto: aesni - Add fast path for > 16 byte update

We can fast-path any < 16 byte read if the full message is > 16 bytes,
and shift over by the appropriate amount.  Usually we are
reading > 16 bytes, so this should be faster than the READ_PARTIAL
macro introduced in b20209c91e2 for the average case.

Signed-off-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: aesni - Introduce partial block macro
Dave Watson [Wed, 14 Feb 2018 17:40:19 +0000 (09:40 -0800)]
crypto: aesni - Introduce partial block macro

Before this diff, multiple calls to GCM_ENC_DEC will
succeed, but only if all calls are a multiple of 16 bytes.

Handle partial blocks at the start of GCM_ENC_DEC, and update
aadhash as appropriate.

The data offset %r11 is also updated after the partial block.

Signed-off-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: aesni - Move HashKey computation from stack to gcm_context
Dave Watson [Wed, 14 Feb 2018 17:40:10 +0000 (09:40 -0800)]
crypto: aesni - Move HashKey computation from stack to gcm_context

HashKey computation only needs to happen once per scatter/gather operation,
save it between calls in gcm_context struct instead of on the stack.
Since the asm no longer stores anything on the stack, we can use
%rsp directly, and clean up the frame save/restore macros a bit.

Hashkeys actually only need to be calculated once per key and could
be moved to when set_key is called, however, the current glue code
falls back to generic aes code if fpu is disabled.

Signed-off-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: aesni - Move ghash_mul to GCM_COMPLETE
Dave Watson [Wed, 14 Feb 2018 17:39:55 +0000 (09:39 -0800)]
crypto: aesni - Move ghash_mul to GCM_COMPLETE

Prepare to handle partial blocks between scatter/gather calls.
For the last partial block, we only want to calculate the aadhash
in GCM_COMPLETE, and a new partial block macro will handle both
aadhash update and encrypting partial blocks between calls.

Signed-off-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: aesni - Fill in new context data structures
Dave Watson [Wed, 14 Feb 2018 17:39:45 +0000 (09:39 -0800)]
crypto: aesni - Fill in new context data structures

Fill in aadhash, aadlen, pblocklen, curcount with appropriate values.
pblocklen, aadhash, and pblockenckey are also updated at the end
of each scatter/gather operation, to be carried over to the next
operation.

Signed-off-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: aesni - Split AAD hash calculation to separate macro
Dave Watson [Wed, 14 Feb 2018 17:39:36 +0000 (09:39 -0800)]
crypto: aesni - Split AAD hash calculation to separate macro

AAD hash only needs to be calculated once for each scatter/gather operation.
Move it to its own macro, and call it from GCM_INIT instead of
INITIAL_BLOCKS.

Signed-off-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: aesni - Introduce gcm_context_data
Dave Watson [Wed, 14 Feb 2018 17:39:23 +0000 (09:39 -0800)]
crypto: aesni - Introduce gcm_context_data

Introduce a gcm_context_data struct that will be used to pass
context data between scatter/gather update calls.  It is passed
as the second argument (after crypto keys), other args are
renumbered.

Signed-off-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: aesni - Merge encode and decode to GCM_ENC_DEC macro
Dave Watson [Wed, 14 Feb 2018 17:39:10 +0000 (09:39 -0800)]
crypto: aesni - Merge encode and decode to GCM_ENC_DEC macro

Make a macro for the main encode/decode routine.  Only a small handful
of lines differ for enc and dec.   This will also become the main
scatter/gather update routine.

Signed-off-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: aesni - Add GCM_COMPLETE macro
Dave Watson [Wed, 14 Feb 2018 17:38:57 +0000 (09:38 -0800)]
crypto: aesni - Add GCM_COMPLETE macro

Merge encode and decode tag calculations in GCM_COMPLETE macro.
Scatter/gather routines will call this once at the end of encryption
or decryption.

Signed-off-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: aesni - Add GCM_INIT macro
Dave Watson [Wed, 14 Feb 2018 17:38:45 +0000 (09:38 -0800)]
crypto: aesni - Add GCM_INIT macro

Reduce code duplication by introducting GCM_INIT macro.  This macro
will also be exposed as a function for implementing scatter/gather
support, since INIT only needs to be called once for the full
operation.

Signed-off-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: aesni - Macro-ify func save/restore
Dave Watson [Wed, 14 Feb 2018 17:38:35 +0000 (09:38 -0800)]
crypto: aesni - Macro-ify func save/restore

Macro-ify function save and restore.  These will be used in new functions
added for scatter/gather update operations.

Signed-off-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: aesni - Merge INITIAL_BLOCKS_ENC/DEC
Dave Watson [Wed, 14 Feb 2018 17:38:12 +0000 (09:38 -0800)]
crypto: aesni - Merge INITIAL_BLOCKS_ENC/DEC

Use macro operations to merge implemetations of INITIAL_BLOCKS,
since they differ by only a small handful of lines.

Use macro counter \@ to simplify implementation.

Signed-off-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: nx-842 - Delete an error message for a failed memory allocation in nx842_pser...
Markus Elfring [Wed, 14 Feb 2018 16:05:13 +0000 (17:05 +0100)]
crypto: nx-842 - Delete an error message for a failed memory allocation in nx842_pseries_init()

Omit an extra message for a memory allocation failure in this function.

This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Reviewed-by: Dan Streetman <ddstreet@ieee.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: sahara - Improve a size determination in sahara_probe()
Markus Elfring [Wed, 14 Feb 2018 13:14:05 +0000 (14:14 +0100)]
crypto: sahara - Improve a size determination in sahara_probe()

Replace the specification of a data structure by a pointer dereference
as the parameter for the operator "sizeof" to make the corresponding size
determination a bit safer according to the Linux coding style convention.

This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: sahara - Delete an error message for a failed memory allocation in sahara_probe()
Markus Elfring [Wed, 14 Feb 2018 13:10:03 +0000 (14:10 +0100)]
crypto: sahara - Delete an error message for a failed memory allocation in sahara_probe()

Omit an extra message for a memory allocation failure in this function.

This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: ux500 - Delete two unnecessary variable initialisations in ux500_cryp_probe()
Markus Elfring [Wed, 14 Feb 2018 09:56:38 +0000 (10:56 +0100)]
crypto: ux500 - Delete two unnecessary variable initialisations in ux500_cryp_probe()

Two local variables will eventually be set to appropriate pointers
a bit later. Thus omit their explicit initialisation at the beginning.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: ux500 - Adjust an error message in ux500_cryp_probe()
Markus Elfring [Wed, 14 Feb 2018 09:47:31 +0000 (10:47 +0100)]
crypto: ux500 - Adjust an error message in ux500_cryp_probe()

Replace the function name in this error message so that the same name
is mentioned according to what was called before.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: ux500 - Adjust two condition checks in ux500_cryp_probe()
Markus Elfring [Wed, 14 Feb 2018 09:38:44 +0000 (10:38 +0100)]
crypto: ux500 - Adjust two condition checks in ux500_cryp_probe()

The local variable "cryp_error" was used only for two condition checks.

* Check the return values from these function calls directly instead.

* Delete this variable which became unnecessary with this refactoring.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: ux500 - Delete an error message for a failed memory allocation in ux500_cryp_...
Markus Elfring [Wed, 14 Feb 2018 09:12:38 +0000 (10:12 +0100)]
crypto: ux500 - Delete an error message for a failed memory allocation in ux500_cryp_probe()

Omit an extra message for a memory allocation failure in this function.

This issue was detected by using the Coccinelle software.

Signed-off-by: Markus Elfring <elfring@users.sourceforge.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: testmgr - Fix incorrect values in PKCS#1 test vector
Conor McLoughlin [Tue, 13 Feb 2018 08:29:56 +0000 (08:29 +0000)]
crypto: testmgr - Fix incorrect values in PKCS#1 test vector

The RSA private key for the first form should have
version, prime1, prime2, exponent1, exponent2, coefficient
values 0.
With non-zero values for prime1,2, exponent 1,2 and coefficient
the Intel QAT driver will assume that values are provided for the
private key second form. This will result in signature verification
failures for modules where QAT device is present and the modules
are signed with rsa,sha256.

Cc: <stable@vger.kernel.org>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Conor McLoughlin <conor.mcloughlin@intel.com>
Reviewed-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - unmap the result in the hash send error path
Antoine Tenart [Tue, 13 Feb 2018 08:26:57 +0000 (09:26 +0100)]
crypto: inside-secure - unmap the result in the hash send error path

This patch adds a label to unmap the result buffer in the hash send
function error path.

Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver")
Suggested-by: Ofer Heifetz <oferh@marvell.com>
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - keep the requests push/pop synced
Antoine Tenart [Tue, 13 Feb 2018 08:26:56 +0000 (09:26 +0100)]
crypto: inside-secure - keep the requests push/pop synced

This patch updates the Inside Secure SafeXcel driver to avoid being
out-of-sync between the number of requests sent and the one being
completed.

The number of requests acknowledged by the driver can be different than
the threshold that was configured if new requests were being pushed to
the h/w in the meantime. The driver wasn't taking those into account,
and the number of remaining requests to handled (to reconfigure the
interrupt threshold) could be out-of sync.

This patch fixes it by not taking in account the number of requests
left, but by taking in account the total number of requests being sent
to the hardware, so that new requests are being taken into account.

Fixes: dc7e28a3286e ("crypto: inside-secure - dequeue all requests at once")
Suggested-by: Ofer Heifetz <oferh@marvell.com>
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - fix the invalidation step during cra_exit
Antoine Tenart [Tue, 13 Feb 2018 08:26:55 +0000 (09:26 +0100)]
crypto: inside-secure - fix the invalidation step during cra_exit

When exiting a transformation, the cra_exit() helper is called in each
driver providing one. The Inside Secure SafeXcel driver has one, which
is responsible of freeing some areas and of sending one invalidation
request to the crypto engine, to invalidate the context that was used
during the transformation.

We could see in some setups (when lots of transformations were being
used with a short lifetime, and hence lots of cra_exit() calls) NULL
pointer dereferences and other weird issues. All these issues were
coming from accessing the tfm context.

The issue is the invalidation request completion is checked using a
wait_for_completion_interruptible() call in both the cipher and hash
cra_exit() helpers. In some cases this was interrupted while the
invalidation request wasn't processed yet. And then cra_exit() returned,
and its caller was freeing the tfm instance. Only then the request was
being handled by the SafeXcel driver, which lead to the said issues.

This patch fixes this by using wait_for_completion() calls in these
specific cases.

Fixes: 1b44c5a60c13 ("crypto: inside-secure - add SafeXcel EIP197 crypto engine driver")
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - do not process request if no command was issued
Antoine Tenart [Tue, 13 Feb 2018 08:26:54 +0000 (09:26 +0100)]
crypto: inside-secure - do not process request if no command was issued

This patch adds a check in the SafeXcel dequeue function, to avoid
processing request further if no hardware command was issued. This can
happen in certain cases where the ->send() function caches all the data
that would have been send.

Fixes: 809778e02cd4 ("crypto: inside-secure - fix hash when length is a multiple of a block")
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - fix the cache_len computation
Antoine Tenart [Tue, 13 Feb 2018 08:26:53 +0000 (09:26 +0100)]
crypto: inside-secure - fix the cache_len computation

This patch fixes the cache length computation as cache_len could end up
being a negative value. The check between the queued size and the
block size is updated to reflect the caching mechanism which can cache
up to a full block size (included!).

Fixes: 809778e02cd4 ("crypto: inside-secure - fix hash when length is a multiple of a block")
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - fix the extra cache computation
Antoine Tenart [Tue, 13 Feb 2018 08:26:52 +0000 (09:26 +0100)]
crypto: inside-secure - fix the extra cache computation

This patch fixes the extra cache computation when the queued data is a
multiple of a block size. This fixes the hash support in some cases.

Fixes: 809778e02cd4 ("crypto: inside-secure - fix hash when length is a multiple of a block")
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: inside-secure - do not overwrite the threshold value
Antoine Tenart [Tue, 13 Feb 2018 08:26:51 +0000 (09:26 +0100)]
crypto: inside-secure - do not overwrite the threshold value

This patch fixes the Inside Secure SafeXcel driver not to overwrite the
interrupt threshold value. In certain cases the value of this register,
which controls when to fire an interrupt, was overwritten. This lead to
packet not being processed or acked as the driver never was aware of
their completion.

This patch fixes this behaviour by not setting the threshold when
requests are being processed by the engine.

Fixes: dc7e28a3286e ("crypto: inside-secure - dequeue all requests at once")
Suggested-by: Ofer Heifetz <oferh@marvell.com>
Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agoMAINTAINERS: update the Inside Secure maintainer email
Antoine Tenart [Tue, 13 Feb 2018 08:26:50 +0000 (09:26 +0100)]
MAINTAINERS: update the Inside Secure maintainer email

Free Electrons became Bootlin. Update my email accordingly.

Signed-off-by: Antoine Tenart <antoine.tenart@bootlin.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agohwrng: bcm2835 - Handle deferred clock properly
Stefan Wahren [Mon, 12 Feb 2018 20:11:36 +0000 (21:11 +0100)]
hwrng: bcm2835 - Handle deferred clock properly

In case the probe of the clock is deferred, we would assume it is
optional. This is wrong, so defer the probe of this driver until
the clock is available.

Fixes: 791af4f4907a ("hwrng: bcm2835 - Manage an optional clock")
Signed-off-by: Stefan Wahren <stefan.wahren@i2se.com>
Acked-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: arm/aes-cipher - move S-box to .rodata section
Jinbum Park [Mon, 12 Feb 2018 13:52:37 +0000 (22:52 +0900)]
crypto: arm/aes-cipher - move S-box to .rodata section

Move the AES inverse S-box to the .rodata section
where it is safe from abuse by speculation.

Signed-off-by: Jinbum Park <jinb.park7@gmail.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: sunxi-ss - Add MODULE_ALIAS to sun4i-ss
Peter Robinson [Sun, 11 Feb 2018 23:15:37 +0000 (23:15 +0000)]
crypto: sunxi-ss - Add MODULE_ALIAS to sun4i-ss

The MODULE_ALIAS is required to enable the sun4i-ss driver to load
automatically when built at a module. Tested on a Cubietruck.

Fixes: 6298e948215f ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator")
Signed-off-by: Peter Robinson <pbrobinson@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: stm32/cryp - add stm32mp1 support
Fabien DESSENNE [Wed, 7 Feb 2018 13:08:55 +0000 (14:08 +0100)]
crypto: stm32/cryp - add stm32mp1 support

stm32mp1 differs from stm32f7 in the way it handles byte ordering and
padding for aes gcm & ccm algo.

Signed-off-by: Fabien Dessenne <fabien.dessenne@st.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: stm32/cryp - add aes gcm / ccm support
Fabien DESSENNE [Wed, 7 Feb 2018 13:08:54 +0000 (14:08 +0100)]
crypto: stm32/cryp - add aes gcm / ccm support

Add AEAD cipher algorithms for aes gcm and ccm.

Signed-off-by: Fabien Dessenne <fabien.dessenne@st.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: qat - Make several functions static
Colin Ian King [Tue, 6 Feb 2018 23:36:42 +0000 (23:36 +0000)]
crypto: qat - Make several functions static

Functions qat_rsa_set_n, qat_rsa_set_e and qat_rsa_set_n are local to
the source and do not need to be in global scope, so make them static.

Cleans up sparse warnings:
drivers/crypto/qat/qat_common/qat_asym_algs.c:972:5: warning: symbol
'qat_rsa_set_n' was not declared. Should it be static?
drivers/crypto/qat/qat_common/qat_asym_algs.c:1003:5: warning: symbol
'qat_rsa_set_e' was not declared. Should it be static?
drivers/crypto/qat/qat_common/qat_asym_algs.c:1027:5: warning: symbol
'qat_rsa_set_d' was not declared. Should it be static?

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: ccp - Make function ccp_get_dma_chan_attr static
Colin Ian King [Tue, 6 Feb 2018 23:20:01 +0000 (23:20 +0000)]
crypto: ccp - Make function ccp_get_dma_chan_attr static

Function ccp_get_dma_chan_attr is local to the source and does not
need to be in global scope, so make it static.

Cleans up sparse warning:
drivers/crypto/ccp/ccp-dmaengine.c:41:14: warning: symbol
'ccp_get_dma_chan_attr' was not declared. Should it be static?

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: chelsio - Make function aead_ccm_validate_input static
Colin Ian King [Tue, 6 Feb 2018 23:09:20 +0000 (23:09 +0000)]
crypto: chelsio - Make function aead_ccm_validate_input static

Function aead_ccm_validate_input is local to the source and does not
need to be in global scope, so make it static.

Cleans up sparse warning:
drivers/crypto/chelsio/chcr_algo.c:2627:5: warning: symbol
'aead_ccm_validate_input' was not declared. Should it be static?

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agox86/crypto: Designate maintainer for SHA-1/256/512
Tim Chen [Mon, 29 Jan 2018 17:22:41 +0000 (09:22 -0800)]
x86/crypto: Designate maintainer for SHA-1/256/512

 multibuffer driver

Even though I created the original implementation of SHA1 multibuffer
driver, Megha extended it to SHA256 and SHA512 and she is now maintaining
the code for SHA1/SHA256/SHA512 multi-buffer driver.

Add the entry in the MAINTAINERS file so any update patch can find
its way properly to Megha.

Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: stm32/hash - rework padding length
Lionel Debieve [Mon, 29 Jan 2018 14:28:11 +0000 (15:28 +0100)]
crypto: stm32/hash - rework padding length

Due to another patch, the dma fails when padding is
needed as the given length is not correct.

Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: stm32/hash - fix performance issues
Lionel Debieve [Mon, 29 Jan 2018 14:28:10 +0000 (15:28 +0100)]
crypto: stm32/hash - fix performance issues

Fixing bugs link to stress tests. Bad results are
detected during testmgr selftests executing in a
faster environment. bufcnt value may be resetted and
false IT are sometimes detected.

Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: stm32/hash - avoid error if maxburst not defined
Lionel Debieve [Mon, 29 Jan 2018 14:28:09 +0000 (15:28 +0100)]
crypto: stm32/hash - avoid error if maxburst not defined

dma-maxburst is an optional value and must not return
error in case of dma not used (or max-burst not defined).

Signed-off-by: Lionel Debieve <lionel.debieve@st.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: caam/qi - add GCM support
Horia Geantă [Mon, 29 Jan 2018 08:38:37 +0000 (10:38 +0200)]
crypto: caam/qi - add GCM support

Add support for AES working in Galois Counter Mode.
The following algorithms are added:
gcm(aes)
rfc4106(gcm(aes))
rfc4543(gcm(aes))

There is a limitation related to IV size, similar to the one present in
SW implementation (crypto/gcm.c):
The only IV size allowed is 12 bytes. It will be padded by HW to the right
with 0x0000_0001 (up to 16 bytes - AES block size), according to the
GCM specification.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: caam - prepare for gcm(aes) support over QI interface
Horia Geantă [Mon, 29 Jan 2018 08:38:36 +0000 (10:38 +0200)]
crypto: caam - prepare for gcm(aes) support over QI interface

Update gcm(aes) descriptors (generic, rfc4106 and rfc4543) such that
they would also work when submitted via the QI interface.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: caam/qi - return -EBADMSG for ICV check failure
Horia Geantă [Mon, 29 Jan 2018 08:38:35 +0000 (10:38 +0200)]
crypto: caam/qi - return -EBADMSG for ICV check failure

Crypto drivers are expected to return -EBADMSG in case of
ICV check (authentication) failure.

In this case it also makes sense to suppress the error message
in the QI dequeue callback.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: stm32-cryp - convert to the new crypto engine API
Corentin LABBE [Fri, 26 Jan 2018 19:15:34 +0000 (20:15 +0100)]
crypto: stm32-cryp - convert to the new crypto engine API

This patch convert the stm32-cryp driver to the new crypto engine API.
Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Tested-by: Fabien Dessenne <fabien.dessenne@st.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: stm32-hash - convert to the new crypto engine API
Corentin LABBE [Fri, 26 Jan 2018 19:15:33 +0000 (20:15 +0100)]
crypto: stm32-hash - convert to the new crypto engine API

This patch convert the stm32-hash driver to the new crypto engine API.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Tested-by: Fabien Dessenne <fabien.dessenne@st.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: virtio - convert to new crypto engine API
Corentin LABBE [Fri, 26 Jan 2018 19:15:32 +0000 (20:15 +0100)]
crypto: virtio - convert to new crypto engine API

This patch convert the driver to the new crypto engine API.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: omap - convert to new crypto engine API
Corentin LABBE [Fri, 26 Jan 2018 19:15:31 +0000 (20:15 +0100)]
crypto: omap - convert to new crypto engine API

This patch convert the driver to the new crypto engine API.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: engine - Permit to enqueue all async requests
Corentin LABBE [Fri, 26 Jan 2018 19:15:30 +0000 (20:15 +0100)]
crypto: engine - Permit to enqueue all async requests

The crypto engine could actually only enqueue hash and ablkcipher request.
This patch permit it to enqueue any type of crypto_async_request.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Tested-by: Fabien Dessenne <fabien.dessenne@st.com>
Tested-by: Fabien Dessenne <fabien.dessenne@st.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: doc - document crypto engine API
Corentin LABBE [Fri, 26 Jan 2018 19:15:29 +0000 (20:15 +0100)]
crypto: doc - document crypto engine API

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: user - Replace GFP_ATOMIC with GFP_KERNEL in crypto_report
Jia-Ju Bai [Thu, 25 Jan 2018 10:06:02 +0000 (18:06 +0800)]
crypto: user - Replace GFP_ATOMIC with GFP_KERNEL in crypto_report

After checking all possible call chains to crypto_report here,
my tool finds that crypto_report is never called in atomic context.
And crypto_report calls crypto_alg_match which calls down_read,
thus it proves again that crypto_report can call functions which may sleep.
Thus GFP_ATOMIC is not necessary, and it can be replaced with GFP_KERNEL.

This is found by a static analysis tool named DCNS written by myself.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: rsa-pkcs1pad - Replace GFP_ATOMIC with GFP_KERNEL in pkcs1pad_encrypt_sign_co...
Jia-Ju Bai [Thu, 25 Jan 2018 09:57:54 +0000 (17:57 +0800)]
crypto: rsa-pkcs1pad - Replace GFP_ATOMIC with GFP_KERNEL in pkcs1pad_encrypt_sign_complete

After checking all possible call chains to kzalloc here,
my tool finds that this kzalloc is never called in atomic context.
Thus GFP_ATOMIC is not necessary, and it can be replaced with GFP_KERNEL.

This is found by a static analysis tool named DCNS written by myself.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: sha512-mb - remove HASH_FIRST flag
Eric Biggers [Thu, 25 Jan 2018 03:10:21 +0000 (19:10 -0800)]
crypto: sha512-mb - remove HASH_FIRST flag

The HASH_FIRST flag is never set.  Remove it.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: sha256-mb - remove HASH_FIRST flag
Eric Biggers [Thu, 25 Jan 2018 03:10:15 +0000 (19:10 -0800)]
crypto: sha256-mb - remove HASH_FIRST flag

The HASH_FIRST flag is never set.  Remove it.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: sha1-mb - remove HASH_FIRST flag
Eric Biggers [Thu, 25 Jan 2018 03:10:08 +0000 (19:10 -0800)]
crypto: sha1-mb - remove HASH_FIRST flag

The HASH_FIRST flag is never set.  Remove it.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: mcryptd - remove pointless wrapper functions
Eric Biggers [Thu, 25 Jan 2018 03:09:07 +0000 (19:09 -0800)]
crypto: mcryptd - remove pointless wrapper functions

There is no need for ahash_mcryptd_{update,final,finup,digest}(); we
should just call crypto_ahash_*() directly.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agohwrng: imx-rngc - make symbol imx_rngc_pm_ops static
weiyongjun \(A\) [Tue, 23 Jan 2018 02:08:56 +0000 (02:08 +0000)]
hwrng: imx-rngc - make symbol imx_rngc_pm_ops static

Fixes the following sparse warnings:

drivers/char/hw_random/imx-rngc.c:303:1: warning:
 symbol 'imx_rngc_pm_ops' was not declared. Should it be static?

Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Reviewed-by: Martin Kaiser <martin@kaiser.cx>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agoMAINTAINERS: update ccree entry
Gilad Ben-Yossef [Mon, 22 Jan 2018 09:27:05 +0000 (09:27 +0000)]
MAINTAINERS: update ccree entry

Update Arm TrustZone CryptoCell driver entry move into drivers/crypto/

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: ccree - add FIPS support
Gilad Ben-Yossef [Mon, 22 Jan 2018 09:27:04 +0000 (09:27 +0000)]
crypto: ccree - add FIPS support

Add FIPS mode support to CryptoCell driver

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: ccree - add AEAD support
Gilad Ben-Yossef [Mon, 22 Jan 2018 09:27:03 +0000 (09:27 +0000)]
crypto: ccree - add AEAD support

Add CryptoCell AEAD support

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: ccree - add ahash support
Gilad Ben-Yossef [Mon, 22 Jan 2018 09:27:02 +0000 (09:27 +0000)]
crypto: ccree - add ahash support

Add CryptoCell async. hash and HMAC support.

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: ccree - add skcipher support
Gilad Ben-Yossef [Mon, 22 Jan 2018 09:27:01 +0000 (09:27 +0000)]
crypto: ccree - add skcipher support

Add CryptoCell skcipher support

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: ccree - introduce CryptoCell driver
Gilad Ben-Yossef [Mon, 22 Jan 2018 09:27:00 +0000 (09:27 +0000)]
crypto: ccree - introduce CryptoCell driver

Introduce basic low level Arm TrustZone CryptoCell HW support.
This first patch doesn't actually register any Crypto API
transformations, these will follow up in the next patch.

This first revision supports the CC 712 REE component.

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agostaging: ccree: rename staging ver and mark as broken
Gilad Ben-Yossef [Mon, 22 Jan 2018 09:26:59 +0000 (09:26 +0000)]
staging: ccree: rename staging ver and mark as broken

Rename the Kconfig var of the staging tree version of the driver
in preparation of introducing the final version of the driver
into the cryptodev tree to avoid link time symbol collisions.

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: hash - Require export/import in ahash
Kamil Konieczny [Thu, 18 Jan 2018 18:34:04 +0000 (19:34 +0100)]
crypto: hash - Require export/import in ahash

Export and import are mandatory in async hash. As drivers were
rewritten, drop empty wrappers and correct init of ahash transformation.

Signed-off-by: Kamil Konieczny <k.konieczny@partner.samsung.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: bfin_crc - Add empty hash export and import
Kamil Konieczny [Thu, 18 Jan 2018 18:34:03 +0000 (19:34 +0100)]
crypto: bfin_crc - Add empty hash export and import

Crypto framework requires export/import in async hash. If driver do not
implement them, wrapper functions in framework will be used, and it will
cause error during ahash alg registration (unless one disables crypto
internal tests). To make change in framework and expose this requirement,
I will remove wrappers from crypto/ahash.c , but this can broke code which
depends on them.
Add empty hash export and import, with the same behaviour as in framework
and expose this directly in driver. This can also prevent OOPS when config
option in Cryptographic API 'Disable run-time self tests' will be enabled.

Signed-off-by: Kamil Konieczny <k.konieczny@partner.samsung.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: ux500/hash - Add empty export and import
Kamil Konieczny [Thu, 18 Jan 2018 18:34:02 +0000 (19:34 +0100)]
crypto: ux500/hash - Add empty export and import

Crypto framework requires export/import in async hash. If driver do not
implement them, wrapper functions in framework will be used, and it will
cause error during ahash alg registration (unless one disables crypto
internal tests). To make change in framework and expose this requirement,
I will remove wrappers from crypto/ahash.c , but this can broke code which
depends on them. Add empty hash export and import, with the same behaviour
as in framework and expose this directly in driver. This can also prevent
OOPS when config option in Cryptographic API 'Disable run-time self tests'
will be enabled.

Signed-off-by: Kamil Konieczny <k.konieczny@partner.samsung.com>
Acked-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: n2 - Add empty hash export and import
Kamil Konieczny [Thu, 18 Jan 2018 18:34:01 +0000 (19:34 +0100)]
crypto: n2 - Add empty hash export and import

Crypto framework requires export/import in async hash. If driver do not
implement them, wrapper functions in framework will be used, and it will
cause error during ahash alg registration (unless one disables crypto
internal tests). To make change in framework and expose this requirement,
I will remove wrappers from crypto/ahash.c , but this can broke code which
depends on them. Add empty hash export and import, with the same behaviour
as in framework and expose this directly in driver. This can also prevent
OOPS when config option in Cryptographic API 'Disable run-time self tests'
will be enabled.

Signed-off-by: Kamil Konieczny <k.konieczny@partner.samsung.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: mxs-dcp - Add empty hash export and import
Kamil Konieczny [Thu, 18 Jan 2018 18:34:00 +0000 (19:34 +0100)]
crypto: mxs-dcp - Add empty hash export and import

Crypto framework requires export/import in async hash. If driver do not
implement them, wrapper functions in framework will be used, and it will
cause error during ahash alg registration (unless one disables crypto
internal tests). To make change in framework and expose this requirement,
I will remove wrappers from crypto/ahash.c , but this can broke code which
depends on them. Add empty hash export and import, with the same behaviour
as in framework and expose this directly in driver. This can also prevent
OOPS when config option in Cryptographic API 'Disable run-time self tests'
will be enabled.

Signed-off-by: Kamil Konieczny <k.konieczny@partner.samsung.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agocrypto: s5p-sss - Fix kernel Oops in AES-ECB mode
Kamil Konieczny [Wed, 7 Feb 2018 15:52:09 +0000 (16:52 +0100)]
crypto: s5p-sss - Fix kernel Oops in AES-ECB mode

In AES-ECB mode crypt is done with key only, so any use of IV
can cause kernel Oops. Use IV only in AES-CBC and AES-CTR.

Signed-off-by: Kamil Konieczny <k.konieczny@partner.samsung.com>
Reported-by: Anand Moon <linux.amoon@gmail.com>
Reviewed-by: Krzysztof Kozlowski <krzk@kernel.org>
Tested-by: Anand Moon <linux.amoon@gmail.com>
Cc: stable@vger.kernel.org # can be applied after commit 8f9702aad138
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
6 years agoMerge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Linus Torvalds [Mon, 12 Feb 2018 16:57:21 +0000 (08:57 -0800)]
Merge branch 'linus' of git://git./linux/kernel/git/herbert/crypto-2.6

Pull crypto fixes from Herbert Xu:
 "This fixes the following issues:

   - oversize stack frames on mn10300 in sha3-generic

   - warning on old compilers in sha3-generic

   - API error in sun4i_ss_prng

   - potential dead-lock in sun4i_ss_prng

   - null-pointer dereference in sha512-mb

   - endless loop when DECO acquire fails in caam

   - kernel oops when hashing empty message in talitos"

* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: sun4i_ss_prng - convert lock to _bh in sun4i_ss_prng_generate
  crypto: sun4i_ss_prng - fix return value of sun4i_ss_prng_generate
  crypto: caam - fix endless loop when DECO acquire fails
  crypto: sha3-generic - Use __optimize to support old compilers
  compiler-gcc.h: __nostackprotector needs gcc-4.4 and up
  compiler-gcc.h: Introduce __optimize function attribute
  crypto: sha3-generic - deal with oversize stack frames
  crypto: talitos - fix Kernel Oops on hashing an empty file
  crypto: sha512-mb - initialize pending lengths correctly

6 years agoLinux 4.16-rc1
Linus Torvalds [Sun, 11 Feb 2018 23:04:29 +0000 (15:04 -0800)]
Linux 4.16-rc1

6 years agounify {de,}mangle_poll(), get rid of kernel-side POLL...
Al Viro [Thu, 1 Feb 2018 20:13:18 +0000 (15:13 -0500)]
unify {de,}mangle_poll(), get rid of kernel-side POLL...

except, again, POLLFREE and POLL_BUSY_LOOP.

With this, we finally get to the promised end result:

 - POLL{IN,OUT,...} are plain integers and *not* in __poll_t, so any
   stray instances of ->poll() still using those will be caught by
   sparse.

 - eventpoll.c and select.c warning-free wrt __poll_t

 - no more kernel-side definitions of POLL... - userland ones are
   visible through the entire kernel (and used pretty much only for
   mangle/demangle)

 - same behavior as after the first series (i.e. sparc et.al. epoll(2)
   working correctly).

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
6 years agovfs: do bulk POLL* -> EPOLL* replacement
Linus Torvalds [Sun, 11 Feb 2018 22:34:03 +0000 (14:34 -0800)]
vfs: do bulk POLL* -> EPOLL* replacement

This is the mindless scripted replacement of kernel use of POLL*
variables as described by Al, done by this script:

    for V in IN OUT PRI ERR RDNORM RDBAND WRNORM WRBAND HUP RDHUP NVAL MSG; do
        L=`git grep -l -w POLL$V | grep -v '^t' | grep -v /um/ | grep -v '^sa' | grep -v '/poll.h$'|grep -v '^D'`
        for f in $L; do sed -i "-es/^\([^\"]*\)\(\<POLL$V\>\)/\\1E\\2/" $f; done
    done

with de-mangling cleanups yet to come.

NOTE! On almost all architectures, the EPOLL* constants have the same
values as the POLL* constants do.  But they keyword here is "almost".
For various bad reasons they aren't the same, and epoll() doesn't
actually work quite correctly in some cases due to this on Sparc et al.

The next patch from Al will sort out the final differences, and we
should be all done.

Scripted-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
6 years agoMerge branch 'work.poll2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Linus Torvalds [Sun, 11 Feb 2018 21:57:19 +0000 (13:57 -0800)]
Merge branch 'work.poll2' of git://git./linux/kernel/git/viro/vfs

Pull more poll annotation updates from Al Viro:
 "This is preparation to solving the problems you've mentioned in the
  original poll series.

  After this series, the kernel is ready for running

      for V in IN OUT PRI ERR RDNORM RDBAND WRNORM WRBAND HUP RDHUP NVAL MSG; do
            L=`git grep -l -w POLL$V | grep -v '^t' | grep -v /um/ | grep -v '^sa' | grep -v '/poll.h$'|grep -v '^D'`
            for f in $L; do sed -i "-es/^\([^\"]*\)\(\<POLL$V\>\)/\\1E\\2/" $f; done
      done

  as a for bulk search-and-replace.

  After that, the kernel is ready to apply the patch to unify
  {de,}mangle_poll(), and then get rid of kernel-side POLL... uses
  entirely, and we should be all done with that stuff.

  Basically, that's what you suggested wrt KPOLL..., except that we can
  use EPOLL... instead - they already are arch-independent (and equal to
  what is currently kernel-side POLL...).

  After the preparations (in this series) switch to returning EPOLL...
  from ->poll() instances is completely mechanical and kernel-side
  POLL... can go away. The last step (killing kernel-side POLL... and
  unifying {de,}mangle_poll() has to be done after the
  search-and-replace job, since we need userland-side POLL... for
  unified {de,}mangle_poll(), thus the cherry-pick at the last step.

  After that we will have:

   - POLL{IN,OUT,...} *not* in __poll_t, so any stray instances of
     ->poll() still using those will be caught by sparse.

   - eventpoll.c and select.c warning-free wrt __poll_t

   - no more kernel-side definitions of POLL... - userland ones are
     visible through the entire kernel (and used pretty much only for
     mangle/demangle)

   - same behavior as after the first series (i.e. sparc et.al. epoll(2)
     working correctly)"

* 'work.poll2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  annotate ep_scan_ready_list()
  ep_send_events_proc(): return result via esed->res
  preparation to switching ->poll() to returning EPOLL...
  add EPOLLNVAL, annotate EPOLL... and event_poll->event
  use linux/poll.h instead of asm/poll.h
  xen: fix poll misannotation
  smc: missing poll annotations

6 years agoMerge tag 'xtensa-20180211' of git://github.com/jcmvbkbc/linux-xtensa
Linus Torvalds [Sun, 11 Feb 2018 21:54:52 +0000 (13:54 -0800)]
Merge tag 'xtensa-20180211' of git://github.com/jcmvbkbc/linux-xtensa

Pull xtense fix from Max Filippov:
 "Build fix for xtensa architecture with KASAN enabled"

* tag 'xtensa-20180211' of git://github.com/jcmvbkbc/linux-xtensa:
  xtensa: fix build with KASAN

6 years agoMerge tag 'nios2-v4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/lftan...
Linus Torvalds [Sun, 11 Feb 2018 21:52:32 +0000 (13:52 -0800)]
Merge tag 'nios2-v4.16-rc1' of git://git./linux/kernel/git/lftan/nios2

Pull nios2 update from Ley Foon Tan:

 - clean up old Kconfig options from defconfig

 - remove leading 0x and 0s from bindings notation in dts files

* tag 'nios2-v4.16-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/lftan/nios2:
  nios2: defconfig: Cleanup from old Kconfig options
  nios2: dts: Remove leading 0x and 0s from bindings notation

6 years agoxtensa: fix build with KASAN
Max Filippov [Sun, 11 Feb 2018 09:07:54 +0000 (01:07 -0800)]
xtensa: fix build with KASAN

The commit 917538e212a2 ("kasan: clean up KASAN_SHADOW_SCALE_SHIFT
usage") removed KASAN_SHADOW_SCALE_SHIFT definition from
include/linux/kasan.h and added it to architecture-specific headers,
except for xtensa. This broke the xtensa build with KASAN enabled.
Define KASAN_SHADOW_SCALE_SHIFT in arch/xtensa/include/asm/kasan.h

Reported by: kbuild test robot <fengguang.wu@intel.com>
Fixes: 917538e212a2 ("kasan: clean up KASAN_SHADOW_SCALE_SHIFT usage")
Acked-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Max Filippov <jcmvbkbc@gmail.com>
6 years agonios2: defconfig: Cleanup from old Kconfig options
Krzysztof Kozlowski [Sun, 11 Feb 2018 15:01:17 +0000 (23:01 +0800)]
nios2: defconfig: Cleanup from old Kconfig options

Remove old, dead Kconfig option INET_LRO. It is gone since
commit 7bbf3cae65b6 ("ipv4: Remove inet_lro library").

Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Acked-by: Ley Foon Tan <ley.foon.tan@intel.com>
6 years agonios2: dts: Remove leading 0x and 0s from bindings notation
Mathieu Malaterre [Sun, 11 Feb 2018 14:59:18 +0000 (22:59 +0800)]
nios2: dts: Remove leading 0x and 0s from bindings notation

Improve the DTS files by removing all the leading "0x" and zeros to fix the
following dtc warnings:

Warning (unit_address_format): Node /XXX unit name should not have leading "0x"

and

Warning (unit_address_format): Node /XXX unit name should not have leading 0s

Converted using the following command:

find . -type f \( -iname *.dts -o -iname *.dtsi \) -exec sed -E -i -e "s/@0x([0-9a-fA-F\.]+)\s?\{/@\L\1 \{/g" -e "s/@0+([0-9a-fA-F\.]+)\s?\{/@\L\1 \{/g" {} +

For simplicity, two sed expressions were used to solve each warnings separately.

To make the regex expression more robust a few other issues were resolved,
namely setting unit-address to lower case, and adding a whitespace before the
the opening curly brace:

https://elinux.org/Device_Tree_Linux#Linux_conventions

This is a follow up to commit 4c9847b7375a ("dt-bindings: Remove leading 0x from bindings notation")

Reported-by: David Daney <ddaney@caviumnetworks.com>
Suggested-by: Rob Herring <robh@kernel.org>
Signed-off-by: Mathieu Malaterre <malat@debian.org>
Acked-by: Ley Foon Tan <ley.foon.tan@intel.com>
6 years agoMerge tag 'pci-v4.16-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaa...
Linus Torvalds [Sat, 10 Feb 2018 22:08:26 +0000 (14:08 -0800)]
Merge tag 'pci-v4.16-fixes-1' of git://git./linux/kernel/git/helgaas/pci

Pull PCI fix from Bjorn Helgaas:
 "Fix a POWER9/powernv INTx regression from the merge window (Alexey
  Kardashevskiy)"

* tag 'pci-v4.16-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
  powerpc/pci: Fix broken INTx configuration via OF

6 years agoMerge tag 'for-linus-20180210' of git://git.kernel.dk/linux-block
Linus Torvalds [Sat, 10 Feb 2018 22:05:11 +0000 (14:05 -0800)]
Merge tag 'for-linus-20180210' of git://git.kernel.dk/linux-block

Pull block fixes from Jens Axboe:
 "A few fixes to round off the merge window on the block side:

   - a set of bcache fixes by way of Michael Lyle, from the usual bcache
     suspects.

   - add a simple-to-hook-into function for bpf EIO error injection.

   - fix blk-wbt that mischarectized flushes as reads. Improve the logic
     so that flushes and writes are accounted as writes, and only reads
     as reads. From me.

   - fix requeue crash in BFQ, from Paolo"

* tag 'for-linus-20180210' of git://git.kernel.dk/linux-block:
  block, bfq: add requeue-request hook
  bcache: fix for data collapse after re-attaching an attached device
  bcache: return attach error when no cache set exist
  bcache: set writeback_rate_update_seconds in range [1, 60] seconds
  bcache: fix for allocator and register thread race
  bcache: set error_limit correctly
  bcache: properly set task state in bch_writeback_thread()
  bcache: fix high CPU occupancy during journal
  bcache: add journal statistic
  block: Add should_fail_bio() for bpf error injection
  blk-wbt: account flush requests correctly

6 years agoMerge tag 'platform-drivers-x86-v4.16-3' of git://github.com/dvhart/linux-pdx86
Linus Torvalds [Sat, 10 Feb 2018 21:55:33 +0000 (13:55 -0800)]
Merge tag 'platform-drivers-x86-v4.16-3' of git://github.com/dvhart/linux-pdx86

Pull x86 platform driver updates from Darren Hart:
 "Mellanox fixes and new system type support.

  Mostly data for new system types with a correction and an
  uninitialized variable fix"

[ Pulling from github because git.infradead.org currently seems to be
  down for some reason, but Darren had a backup location    - Linus ]

* tag 'platform-drivers-x86-v4.16-3' of git://github.com/dvhart/linux-pdx86:
  platform/x86: mlx-platform: Add support for new 200G IB and Ethernet systems
  platform/x86: mlx-platform: Add support for new msn201x system type
  platform/x86: mlx-platform: Add support for new msn274x system type
  platform/x86: mlx-platform: Fix power cable setting for msn21xx family
  platform/x86: mlx-platform: Add define for the negative bus
  platform/x86: mlx-platform: Use defines for bus assignment
  platform/mellanox: mlxreg-hotplug: Fix uninitialized variable

6 years agoMerge tag 'chrome-platform-for-linus-4.16' of git://git.kernel.org/pub/scm/linux...
Linus Torvalds [Sat, 10 Feb 2018 21:50:23 +0000 (13:50 -0800)]
Merge tag 'chrome-platform-for-linus-4.16' of git://git./linux/kernel/git/bleung/chrome-platform

Pull chrome platform updates from Benson Leung:

 - move cros_ec_dev to drivers/mfd

 - other small maintenance fixes

[ The cros_ec_dev movement came in earlier through the MFD tree  - Linus ]

* tag 'chrome-platform-for-linus-4.16' of git://git.kernel.org/pub/scm/linux/kernel/git/bleung/chrome-platform:
  platform/chrome: Use proper protocol transfer function
  platform/chrome: cros_ec_lpc: Add support for Google Glimmer
  platform/chrome: cros_ec_lpc: Register the driver if ACPI entry is missing.
  platform/chrome: cros_ec_lpc: remove redundant pointer request
  cros_ec: fix nul-termination for firmware build info
  platform/chrome: chromeos_laptop: make chromeos_laptop const

6 years agoMerge tag 'kvm-4.16-1' of git://git.kernel.org/pub/scm/virt/kvm/kvm
Linus Torvalds [Sat, 10 Feb 2018 21:16:35 +0000 (13:16 -0800)]
Merge tag 'kvm-4.16-1' of git://git./virt/kvm/kvm

Pull KVM updates from Radim Krčmář:
 "ARM:

   - icache invalidation optimizations, improving VM startup time

   - support for forwarded level-triggered interrupts, improving
     performance for timers and passthrough platform devices

   - a small fix for power-management notifiers, and some cosmetic
     changes

  PPC:

   - add MMIO emulation for vector loads and stores

   - allow HPT guests to run on a radix host on POWER9 v2.2 CPUs without
     requiring the complex thread synchronization of older CPU versions

   - improve the handling of escalation interrupts with the XIVE
     interrupt controller

   - support decrement register migration

   - various cleanups and bugfixes.

  s390:

   - Cornelia Huck passed maintainership to Janosch Frank

   - exitless interrupts for emulated devices

   - cleanup of cpuflag handling

   - kvm_stat counter improvements

   - VSIE improvements

   - mm cleanup

  x86:

   - hypervisor part of SEV

   - UMIP, RDPID, and MSR_SMI_COUNT emulation

   - paravirtualized TLB shootdown using the new KVM_VCPU_PREEMPTED bit

   - allow guests to see TOPOEXT, GFNI, VAES, VPCLMULQDQ, and more
     AVX512 features

   - show vcpu id in its anonymous inode name

   - many fixes and cleanups

   - per-VCPU MSR bitmaps (already merged through x86/pti branch)

   - stable KVM clock when nesting on Hyper-V (merged through
     x86/hyperv)"

* tag 'kvm-4.16-1' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (197 commits)
  KVM: PPC: Book3S: Add MMIO emulation for VMX instructions
  KVM: PPC: Book3S HV: Branch inside feature section
  KVM: PPC: Book3S HV: Make HPT resizing work on POWER9
  KVM: PPC: Book3S HV: Fix handling of secondary HPTEG in HPT resizing code
  KVM: PPC: Book3S PR: Fix broken select due to misspelling
  KVM: x86: don't forget vcpu_put() in kvm_arch_vcpu_ioctl_set_sregs()
  KVM: PPC: Book3S PR: Fix svcpu copying with preemption enabled
  KVM: PPC: Book3S HV: Drop locks before reading guest memory
  kvm: x86: remove efer_reload entry in kvm_vcpu_stat
  KVM: x86: AMD Processor Topology Information
  x86/kvm/vmx: do not use vm-exit instruction length for fast MMIO when running nested
  kvm: embed vcpu id to dentry of vcpu anon inode
  kvm: Map PFN-type memory regions as writable (if possible)
  x86/kvm: Make it compile on 32bit and with HYPYERVISOR_GUEST=n
  KVM: arm/arm64: Fixup userspace irqchip static key optimization
  KVM: arm/arm64: Fix userspace_irqchip_in_use counting
  KVM: arm/arm64: Fix incorrect timer_is_pending logic
  MAINTAINERS: update KVM/s390 maintainers
  MAINTAINERS: add Halil as additional vfio-ccw maintainer
  MAINTAINERS: add David as a reviewer for KVM/s390
  ...

6 years agopowerpc/pci: Fix broken INTx configuration via OF
Alexey Kardashevskiy [Fri, 9 Feb 2018 06:23:58 +0000 (17:23 +1100)]
powerpc/pci: Fix broken INTx configuration via OF

59f47eff03a0 ("powerpc/pci: Use of_irq_parse_and_map_pci() helper")
replaced of_irq_parse_pci() + irq_create_of_mapping() with
of_irq_parse_and_map_pci(), but neglected to capture the virq
returned by irq_create_of_mapping(), so virq remained zero, which
caused INTx configuration to fail.

Save the virq value returned by of_irq_parse_and_map_pci() and correct
the virq declaration to match the of_irq_parse_and_map_pci() signature.

Fixes: 59f47eff03a0 "powerpc/pci: Use of_irq_parse_and_map_pci() helper"
Signed-off-by: Alexey Kardashevskiy <aik@ozlabs.ru>
[bhelgaas: changelog]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
6 years agoMerge tag 'kbuild-v4.16-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy...
Linus Torvalds [Sat, 10 Feb 2018 03:32:41 +0000 (19:32 -0800)]
Merge tag 'kbuild-v4.16-2' of git://git./linux/kernel/git/masahiroy/linux-kbuild

Pull more Kbuild updates from Masahiro Yamada:
 "Makefile changes:
   - enable unused-variable warning that was wrongly disabled for clang

  Kconfig changes:
   - warn about blank 'help' and fix existing instances
   - fix 'choice' behavior to not write out invisible symbols
   - fix misc weirdness

  Coccinell changes:
   - fix false positive of free after managed memory alloc detection
   - improve performance of NULL dereference detection"

* tag 'kbuild-v4.16-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild: (21 commits)
  kconfig: remove const qualifier from sym_expand_string_value()
  kconfig: add xrealloc() helper
  kconfig: send error messages to stderr
  kconfig: echo stdin to stdout if either is redirected
  kconfig: remove check_stdin()
  kconfig: remove 'config*' pattern from .gitignnore
  kconfig: show '?' prompt even if no help text is available
  kconfig: do not write choice values when their dependency becomes n
  coccinelle: deref_null: avoid useless computation
  coccinelle: devm_free: reduce false positives
  kbuild: clang: disable unused variable warnings only when constant
  kconfig: Warn if help text is blank
  nios2: kconfig: Remove blank help text
  arm: vt8500: kconfig: Remove blank help text
  MIPS: kconfig: Remove blank help text
  MIPS: BCM63XX: kconfig: Remove blank help text
  lib/Kconfig.debug: Remove blank help text
  Staging: rtl8192e: kconfig: Remove blank help text
  Staging: rtl8192u: kconfig: Remove blank help text
  mmc: kconfig: Remove blank help text
  ...

6 years agomconsole_proc(): don't mess with file->f_pos
Al Viro [Sat, 10 Feb 2018 01:35:16 +0000 (01:35 +0000)]
mconsole_proc(): don't mess with file->f_pos

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
6 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Linus Torvalds [Sat, 10 Feb 2018 03:22:17 +0000 (19:22 -0800)]
Merge branch 'for-linus' of git://git./linux/kernel/git/viro/vfs

Pull misc vfs fixes from Al Viro.

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs:
  seq_file: fix incomplete reset on read from zero offset
  kernfs: fix regression in kernfs_fop_write caused by wrong type

6 years agokconfig: remove const qualifier from sym_expand_string_value()
Masahiro Yamada [Thu, 8 Feb 2018 16:19:08 +0000 (01:19 +0900)]
kconfig: remove const qualifier from sym_expand_string_value()

This function returns realloc'ed memory, so the returned pointer
must be passed to free() when done.  So, 'const' qualifier is odd.
It is allowed to modify the expanded string.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
6 years agokconfig: add xrealloc() helper
Masahiro Yamada [Thu, 8 Feb 2018 16:19:07 +0000 (01:19 +0900)]
kconfig: add xrealloc() helper

We already have xmalloc(), xcalloc().  Add xrealloc() as well
to save tedious error handling.

Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
6 years agoplatform/x86: mlx-platform: Add support for new 200G IB and Ethernet systems
Vadim Pasternak [Fri, 9 Feb 2018 23:59:32 +0000 (23:59 +0000)]
platform/x86: mlx-platform: Add support for new 200G IB and Ethernet systems

It adds support for new Mellanox system types of basic classes qmb7, sn34,
sn37, containing systems QMB700 (40x200GbE InfiniBand switch), SN3700
(32x200GbE and 16x400GbE Ethernet switch) and SN3410 (6x400GbE plus
48x50GbE Ethernet switch). These are the Top of the Rack systems, equipped
with Mellanox COM-Express carrier board and switch board with Mellanox
Quantum device, which supports InfiniBand switching with 40X200G ports and
line rate of up to HDR speed or with Mellanox Spectrum-2 device, which
supports Ethernet switching with 32X200G ports line rate of up to HDR
speed.

Signed-off-by: Vadim Pasternak <vadimp@mellanox.com>
Signed-off-by: Darren Hart (VMware) <dvhart@infradead.org>