platform/kernel/linux-starfive.git
4 years agocrypto: ccp - rename psp-dev files to sev-dev
Rijo Thomas [Wed, 4 Dec 2019 06:18:58 +0000 (11:48 +0530)]
crypto: ccp - rename psp-dev files to sev-dev

This is a preliminary patch for creating a generic PSP device driver
file, which will have support for both SEV and TEE (Trusted Execution
Environment) interface.

This patch does not introduce any new functionality, but simply renames
psp-dev.c and psp-dev.h files to sev-dev.c and sev-dev.h files
respectively.

Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Jens Wiklander <jens.wiklander@linaro.org>
Co-developed-by: Devaraj Rangasamy <Devaraj.Rangasamy@amd.com>
Signed-off-by: Devaraj Rangasamy <Devaraj.Rangasamy@amd.com>
Signed-off-by: Rijo Thomas <Rijo-john.Thomas@amd.com>
Acked-by: Gary R Hook <gary.hook@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: hmac - Use init_tfm/exit_tfm interface
Herbert Xu [Sun, 8 Dec 2019 05:42:53 +0000 (13:42 +0800)]
crypto: hmac - Use init_tfm/exit_tfm interface

This patch switches hmac over to the new init_tfm/exit_tfm interface
as opposed to cra_init/cra_exit.  This way the shash API can make
sure that descsize does not exceed the maximum.

This patch also adds the API helper shash_alg_instance.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: padlock-sha - Use init_tfm/exit_tfm interface
Herbert Xu [Sun, 8 Dec 2019 05:42:52 +0000 (13:42 +0800)]
crypto: padlock-sha - Use init_tfm/exit_tfm interface

This patch switches padlock-sha over to the new init_tfm/exit_tfm
interface as opposed to cra_init/cra_exit.  This way the shash API
can make sure that descsize does not exceed the maximum.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: shash - Add init_tfm/exit_tfm and verify descsize
Herbert Xu [Sun, 8 Dec 2019 05:42:51 +0000 (13:42 +0800)]
crypto: shash - Add init_tfm/exit_tfm and verify descsize

The shash interface supports a dynamic descsize field because of
the presence of fallbacks (it's just padlock-sha actually, perhaps
we can remove it one day).  As it is the API does not verify the
setting of descsize at all.  It is up to the individual algorithms
to ensure that descsize does not exceed the specified maximum value
of HASH_MAX_DESCSIZE (going above would cause stack corruption).

In order to allow the API to impose this limit directly, this patch
adds init_tfm/exit_tfm hooks to the shash_alg structure.  We can
then verify the descsize setting in the API directly.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: api - Add more comments to crypto_remove_spawns
Herbert Xu [Sat, 7 Dec 2019 14:33:51 +0000 (22:33 +0800)]
crypto: api - Add more comments to crypto_remove_spawns

This patch explains the logic behind crypto_remove_spawns and its
underling crypto_more_spawns.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: api - Do not zap spawn->alg
Herbert Xu [Sat, 7 Dec 2019 14:15:17 +0000 (22:15 +0800)]
crypto: api - Do not zap spawn->alg

Currently when a spawn is removed we will zap its alg field.
This is racy because the spawn could belong to an unregistered
instance which may dereference the spawn->alg field.

This patch fixes this by keeping spawn->alg constant and instead
adding a new spawn->dead field to indicate that a spawn is going
away.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: api - Fix race condition in crypto_spawn_alg
Herbert Xu [Sat, 7 Dec 2019 14:15:15 +0000 (22:15 +0800)]
crypto: api - Fix race condition in crypto_spawn_alg

The function crypto_spawn_alg is racy because it drops the lock
before shooting the dying algorithm.  The algorithm could disappear
altogether before we shoot it.

This patch fixes it by moving the shooting into the locked section.

Fixes: 6bfd48096ff8 ("[CRYPTO] api: Added spawns")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: doc - remove references to ARC4
Eric Biggers [Sat, 7 Dec 2019 04:19:37 +0000 (20:19 -0800)]
crypto: doc - remove references to ARC4

arc4 is no longer considered secure, so it shouldn't be used, even as
just an example.  Mention serpent and chacha20 instead.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: api - Check spawn->alg under lock in crypto_drop_spawn
Herbert Xu [Fri, 6 Dec 2019 05:55:17 +0000 (13:55 +0800)]
crypto: api - Check spawn->alg under lock in crypto_drop_spawn

We need to check whether spawn->alg is NULL under lock as otherwise
the algorithm could be removed from under us after we have checked
it and found it to be non-NULL.  This could cause us to remove the
spawn from a non-existent list.

Fixes: 7ede5a5ba55a ("crypto: api - Fix crypto_drop_spawn crash...")
Cc: <stable@vger.kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: chacha - fix warning message in header file
Valdis Klētnieks [Fri, 6 Dec 2019 01:58:36 +0000 (20:58 -0500)]
crypto: chacha - fix warning message in header file

Building with W=1 causes a warning:

  CC [M]  arch/x86/crypto/chacha_glue.o
In file included from arch/x86/crypto/chacha_glue.c:10:
./include/crypto/internal/chacha.h:37:1: warning: 'inline' is not at beginning of declaration [-Wold-style-declaration]
   37 | static int inline chacha12_setkey(struct crypto_skcipher *tfm, const u8 *key,
      | ^~~~~~

Straighten out the order to match the rest of the header file.

Signed-off-by: Valdis Kletnieks <valdis.kletnieks@vt.edu>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: atmel-{aes,sha,tdes} - Group common alg type init in dedicated methods
Tudor Ambarus [Thu, 5 Dec 2019 13:48:39 +0000 (13:48 +0000)]
crypto: atmel-{aes,sha,tdes} - Group common alg type init in dedicated methods

Move common alg type init to dedicated methods.

Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: atmel-aes - Use gcm helper to check authsize
Tudor Ambarus [Thu, 5 Dec 2019 09:54:08 +0000 (09:54 +0000)]
crypto: atmel-aes - Use gcm helper to check authsize

Use core helper functions.

Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: atmel-sha - Void return type for atmel_sha_update_dma_stop()
Tudor Ambarus [Thu, 5 Dec 2019 09:54:06 +0000 (09:54 +0000)]
crypto: atmel-sha - Void return type for atmel_sha_update_dma_stop()

No error handling, change return type to void.

Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: atmel-{sha,tdes} - Remove unused 'err' member of driver data
Tudor Ambarus [Thu, 5 Dec 2019 09:54:04 +0000 (09:54 +0000)]
crypto: atmel-{sha,tdes} - Remove unused 'err' member of driver data

'err' member was initialized to 0 but its value never changed.

Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: atmel-aes - Fix saving of IV for CTR mode
Tudor Ambarus [Thu, 5 Dec 2019 09:54:03 +0000 (09:54 +0000)]
crypto: atmel-aes - Fix saving of IV for CTR mode

The req->iv of the skcipher_request is expected to contain the
last used IV. Update the req->iv for CTR mode.

Fixes: bd3c7b5c2aba ("crypto: atmel - add Atmel AES driver")
Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: atmel-aes - Fix counter overflow in CTR mode
Tudor Ambarus [Thu, 5 Dec 2019 09:54:01 +0000 (09:54 +0000)]
crypto: atmel-aes - Fix counter overflow in CTR mode

32 bit counter is not supported by neither of our AES IPs, all implement
a 16 bit block counter. Drop the 32 bit block counter logic.

Fixes: fcac83656a3e ("crypto: atmel-aes - fix the counter overflow in CTR mode")
Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: atmel-{aes,tdes} - Do not save IV for ECB mode
Tudor Ambarus [Thu, 5 Dec 2019 09:54:00 +0000 (09:54 +0000)]
crypto: atmel-{aes,tdes} - Do not save IV for ECB mode

ECB mode does not use IV.

Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: atmel-tdes - Drop unnecessary passing of tfm
Tudor Ambarus [Thu, 5 Dec 2019 09:53:58 +0000 (09:53 +0000)]
crypto: atmel-tdes - Drop unnecessary passing of tfm

atmel_tdes_crypt_start() obtained a pointer to tfm from dd,
passed the tfm pointer to atmel_tdes_crypt_{dma,pdc}, and in
the calles we obtained dd back from the tfm. Pass pointer to
dd directly.

Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: atmel-tdes - Map driver data flags to Mode Register
Tudor Ambarus [Thu, 5 Dec 2019 09:53:56 +0000 (09:53 +0000)]
crypto: atmel-tdes - Map driver data flags to Mode Register

Simplifies the configuration of the TDES IP.

Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: atmel-tdes - Remove useless write in Control Register
Tudor Ambarus [Thu, 5 Dec 2019 09:53:55 +0000 (09:53 +0000)]
crypto: atmel-tdes - Remove useless write in Control Register

As claimed by the datasheet, writing 0 into the Control Register has no
effect. Remove this useless register access.

Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: atmel-{aes,sha,tdes} - Rename labels in probe()
Tudor Ambarus [Thu, 5 Dec 2019 09:53:53 +0000 (09:53 +0000)]
crypto: atmel-{aes,sha,tdes} - Rename labels in probe()

Choose label names which say what the goto does and not from where
the goto was issued. This avoids adding superfluous labels like
"err_aes_buff".

Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: atmel-{aes,sha,tdes} - Drop superfluous error message in probe()
Tudor Ambarus [Thu, 5 Dec 2019 09:53:51 +0000 (09:53 +0000)]
crypto: atmel-{aes,sha,tdes} - Drop superfluous error message in probe()

In case the probe fails, the device/driver core takes care of printing
the driver name, device name and error code. Drop superfluous error message
at probe.

Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: atmel-{sha,tdes} - Propagate error from _hw_version_init()
Tudor Ambarus [Thu, 5 Dec 2019 09:53:50 +0000 (09:53 +0000)]
crypto: atmel-{sha,tdes} - Propagate error from _hw_version_init()

atmel_{sha,tdes}_hw_version_init() calls atmel_{sha,tdes}_hw_init(),
which may fail. Check the return code of atmel_{sha,tdes}_hw_init()
and propagate the error if needed.

Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: atmel-tdes - Remove unused header includes
Tudor Ambarus [Thu, 5 Dec 2019 09:53:48 +0000 (09:53 +0000)]
crypto: atmel-tdes - Remove unused header includes

Hash headers are not used.

Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: atmel-{sha,tdes} - Change algorithm priorities
Tudor Ambarus [Thu, 5 Dec 2019 09:53:46 +0000 (09:53 +0000)]
crypto: atmel-{sha,tdes} - Change algorithm priorities

Increase the algorithm priorities so the hardware acceleration is now
preferred to the software computation: the generic drivers use 100
as priority.

Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: atmel-tdes - Constify value to write to hw
Tudor Ambarus [Thu, 5 Dec 2019 09:53:45 +0000 (09:53 +0000)]
crypto: atmel-tdes - Constify value to write to hw

atmel_tdes_write_n() should not modify its value argument.

Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: af_alg - Use bh_lock_sock in sk_destruct
Herbert Xu [Thu, 5 Dec 2019 05:45:05 +0000 (13:45 +0800)]
crypto: af_alg - Use bh_lock_sock in sk_destruct

As af_alg_release_parent may be called from BH context (most notably
due to an async request that only completes after socket closure,
or as reported here because of an RCU-delayed sk_destruct call), we
must use bh_lock_sock instead of lock_sock.

Reported-by: syzbot+c2f1558d49e25cc36e5e@syzkaller.appspotmail.com
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Fixes: c840ac6af3f8 ("crypto: af_alg - Disallow bind/setkey/...")
Cc: <stable@vger.kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agopadata: update documentation
Daniel Jordan [Tue, 3 Dec 2019 19:31:14 +0000 (14:31 -0500)]
padata: update documentation

Remove references to unused functions, standardize language, update to
reflect new functionality, migrate to rst format, and fix all kernel-doc
warnings.

Fixes: 815613da6a67 ("kernel/padata.c: removed unused code")
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Cc: Eric Biggers <ebiggers@kernel.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: linux-crypto@vger.kernel.org
Cc: linux-doc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agopadata: remove reorder_objects
Daniel Jordan [Tue, 3 Dec 2019 19:31:13 +0000 (14:31 -0500)]
padata: remove reorder_objects

reorder_objects is unused since the rework of padata's flushing, so
remove it.

Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Cc: Eric Biggers <ebiggers@kernel.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agopadata: remove cpumask change notifier
Daniel Jordan [Tue, 3 Dec 2019 19:31:12 +0000 (14:31 -0500)]
padata: remove cpumask change notifier

Since commit 63d3578892dc ("crypto: pcrypt - remove padata cpumask
notifier") this feature is unused, so get rid of it.

Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Cc: Eric Biggers <ebiggers@kernel.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Jonathan Corbet <corbet@lwn.net>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: linux-crypto@vger.kernel.org
Cc: linux-doc@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agopadata: always acquire cpu_hotplug_lock before pinst->lock
Daniel Jordan [Tue, 3 Dec 2019 19:31:11 +0000 (14:31 -0500)]
padata: always acquire cpu_hotplug_lock before pinst->lock

lockdep complains when padata's paths to update cpumasks via CPU hotplug
and sysfs are both taken:

  # echo 0 > /sys/devices/system/cpu/cpu1/online
  # echo ff > /sys/kernel/pcrypt/pencrypt/parallel_cpumask

  ======================================================
  WARNING: possible circular locking dependency detected
  5.4.0-rc8-padata-cpuhp-v3+ #1 Not tainted
  ------------------------------------------------------
  bash/205 is trying to acquire lock:
  ffffffff8286bcd0 (cpu_hotplug_lock.rw_sem){++++}, at: padata_set_cpumask+0x2b/0x120

  but task is already holding lock:
  ffff8880001abfa0 (&pinst->lock){+.+.}, at: padata_set_cpumask+0x26/0x120

  which lock already depends on the new lock.

padata doesn't take cpu_hotplug_lock and pinst->lock in a consistent
order.  Which should be first?  CPU hotplug calls into padata with
cpu_hotplug_lock already held, so it should have priority.

Fixes: 6751fb3c0e0c ("padata: Use get_online_cpus/put_online_cpus")
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Cc: Eric Biggers <ebiggers@kernel.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agopadata: validate cpumask without removed CPU during offline
Daniel Jordan [Tue, 3 Dec 2019 19:31:10 +0000 (14:31 -0500)]
padata: validate cpumask without removed CPU during offline

Configuring an instance's parallel mask without any online CPUs...

  echo 2 > /sys/kernel/pcrypt/pencrypt/parallel_cpumask
  echo 0 > /sys/devices/system/cpu/cpu1/online

...makes tcrypt mode=215 crash like this:

  divide error: 0000 [#1] SMP PTI
  CPU: 4 PID: 283 Comm: modprobe Not tainted 5.4.0-rc8-padata-doc-v2+ #2
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS ?-20191013_105130-anatol 04/01/2014
  RIP: 0010:padata_do_parallel+0x114/0x300
  Call Trace:
   pcrypt_aead_encrypt+0xc0/0xd0 [pcrypt]
   crypto_aead_encrypt+0x1f/0x30
   do_mult_aead_op+0x4e/0xdf [tcrypt]
   test_mb_aead_speed.constprop.0.cold+0x226/0x564 [tcrypt]
   do_test+0x28c2/0x4d49 [tcrypt]
   tcrypt_mod_init+0x55/0x1000 [tcrypt]
   ...

cpumask_weight() in padata_cpu_hash() returns 0 because the mask has no
CPUs.  The problem is __padata_remove_cpu() checks for valid masks too
early and so doesn't mark the instance PADATA_INVALID as expected, which
would have made padata_do_parallel() return error before doing the
division.

Fix by introducing a second padata CPU hotplug state before
CPUHP_BRINGUP_CPU so that __padata_remove_cpu() sees the online mask
without @cpu.  No need for the second argument to padata_replace() since
@cpu is now already missing from the online mask.

Fixes: 33e54450683c ("padata: Handle empty padata cpumasks")
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Cc: Eric Biggers <ebiggers@kernel.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: cipher - remove crt_u.cipher (struct cipher_tfm)
Eric Biggers [Mon, 2 Dec 2019 21:42:30 +0000 (13:42 -0800)]
crypto: cipher - remove crt_u.cipher (struct cipher_tfm)

Of the three fields in crt_u.cipher (struct cipher_tfm), ->cit_setkey()
is pointless because it always points to setkey() in crypto/cipher.c.

->cit_decrypt_one() and ->cit_encrypt_one() are slightly less pointless,
since if the algorithm doesn't have an alignmask, they are set directly
to ->cia_encrypt() and ->cia_decrypt().  However, this "optimization"
isn't worthwhile because:

- The "cipher" algorithm type is the only algorithm still using crt_u,
  so it's bloating every struct crypto_tfm for every algorithm type.

- If the algorithm has an alignmask, this "optimization" actually makes
  things slower, as it causes 2 indirect calls per block rather than 1.

- It adds extra code complexity.

- Some templates already call ->cia_encrypt()/->cia_decrypt() directly
  instead of going through ->cit_encrypt_one()/->cit_decrypt_one().

- The "cipher" algorithm type never gives optimal performance anyway.
  For that, a higher-level type such as skcipher needs to be used.

Therefore, just remove the extra indirection, and make
crypto_cipher_setkey(), crypto_cipher_encrypt_one(), and
crypto_cipher_decrypt_one() be direct calls into crypto/cipher.c.

Also remove the unused function crypto_cipher_cast().

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: compress - remove crt_u.compress (struct compress_tfm)
Eric Biggers [Mon, 2 Dec 2019 21:42:29 +0000 (13:42 -0800)]
crypto: compress - remove crt_u.compress (struct compress_tfm)

crt_u.compress (struct compress_tfm) is pointless because its two
fields, ->cot_compress() and ->cot_decompress(), always point to
crypto_compress() and crypto_decompress().

Remove this pointless indirection, and just make crypto_comp_compress()
and crypto_comp_decompress() be direct calls to what used to be
crypto_compress() and crypto_decompress().

Also remove the unused function crypto_comp_cast().

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: testmgr - generate inauthentic AEAD test vectors
Eric Biggers [Sun, 1 Dec 2019 21:53:30 +0000 (13:53 -0800)]
crypto: testmgr - generate inauthentic AEAD test vectors

The whole point of using an AEAD over length-preserving encryption is
that the data is authenticated.  However currently the fuzz tests don't
test any inauthentic inputs to verify that the data is actually being
authenticated.  And only two algorithms ("rfc4543(gcm(aes))" and
"ccm(aes)") even have any inauthentic test vectors at all.

Therefore, update the AEAD fuzz tests to sometimes generate inauthentic
test vectors, either by generating a (ciphertext, AAD) pair without
using the key, or by mutating an authentic pair that was generated.

To avoid flakiness, only assume this works reliably if the auth tag is
at least 8 bytes.  Also account for the rfc4106, rfc4309, and rfc7539esp
algorithms intentionally ignoring the last 8 AAD bytes, and for some
algorithms doing extra checks that result in EINVAL rather than EBADMSG.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: testmgr - create struct aead_extra_tests_ctx
Eric Biggers [Sun, 1 Dec 2019 21:53:29 +0000 (13:53 -0800)]
crypto: testmgr - create struct aead_extra_tests_ctx

In preparation for adding inauthentic input fuzz tests, which don't
require that a generic implementation of the algorithm be available,
refactor test_aead_vs_generic_impl() so that instead there's a
higher-level function test_aead_extra() which initializes a struct
aead_extra_tests_ctx and then calls test_aead_vs_generic_impl() with a
pointer to that struct.

As a bonus, this reduces stack usage.

Also switch from crypto_aead_alg(tfm)->maxauthsize to
crypto_aead_maxauthsize(), now that the latter is available in
<crypto/aead.h>.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: testmgr - test setting misaligned keys
Eric Biggers [Sun, 1 Dec 2019 21:53:28 +0000 (13:53 -0800)]
crypto: testmgr - test setting misaligned keys

The alignment bug in ghash_setkey() fixed by commit 5c6bc4dfa515
("crypto: ghash - fix unaligned memory access in ghash_setkey()")
wasn't reliably detected by the crypto self-tests on ARM because the
tests only set the keys directly from the test vectors.

To improve test coverage, update the tests to sometimes pass misaligned
keys to setkey().  This applies to shash, ahash, skcipher, and aead.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: testmgr - check skcipher min_keysize
Eric Biggers [Sun, 1 Dec 2019 21:53:27 +0000 (13:53 -0800)]
crypto: testmgr - check skcipher min_keysize

When checking two implementations of the same skcipher algorithm for
consistency, require that the minimum key size be the same, not just the
maximum key size.  There's no good reason to allow different minimum key
sizes.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: testmgr - don't try to decrypt uninitialized buffers
Eric Biggers [Sun, 1 Dec 2019 21:53:26 +0000 (13:53 -0800)]
crypto: testmgr - don't try to decrypt uninitialized buffers

Currently if the comparison fuzz tests encounter an encryption error
when generating an skcipher or AEAD test vector, they will still test
the decryption side (passing it the uninitialized ciphertext buffer)
and expect it to fail with the same error.

This is sort of broken because it's not well-defined usage of the API to
pass an uninitialized buffer, and furthermore in the AEAD case it's
acceptable for the decryption error to be EBADMSG (meaning "inauthentic
input") even if the encryption error was something else like EINVAL.

Fix this for skcipher by explicitly initializing the ciphertext buffer
on error, and for AEAD by skipping the decryption test on error.

Reported-by: Pascal Van Leeuwen <pvanleeuwen@verimatrix.com>
Fixes: d435e10e67be ("crypto: testmgr - fuzz skciphers against their generic implementation")
Fixes: 40153b10d91c ("crypto: testmgr - fuzz AEADs against their generic implementation")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: skcipher - add crypto_skcipher_min_keysize()
Eric Biggers [Sun, 1 Dec 2019 21:53:25 +0000 (13:53 -0800)]
crypto: skcipher - add crypto_skcipher_min_keysize()

Add a helper function crypto_skcipher_min_keysize() to mirror
crypto_skcipher_max_keysize().

This will be used by the self-tests.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: aead - move crypto_aead_maxauthsize() to <crypto/aead.h>
Eric Biggers [Sun, 1 Dec 2019 21:53:24 +0000 (13:53 -0800)]
crypto: aead - move crypto_aead_maxauthsize() to <crypto/aead.h>

Move crypto_aead_maxauthsize() to <crypto/aead.h> so that it's available
to users of the API, not just AEAD implementations.

This will be used by the self-tests.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: omap-crypto - copy the temporary data to output buffer properly
Tero Kristo [Tue, 5 Nov 2019 14:01:11 +0000 (16:01 +0200)]
crypto: omap-crypto - copy the temporary data to output buffer properly

Both source and destination are scatterlists that can contain multiple
entries under the omap crypto cleanup handling. Current code only copies
data from the first source scatterlist entry to the target scatterlist,
potentially omitting any sg entries following the first one. Instead,
implement a new routine that walks through both source and target and
copies the data over once it goes.

Signed-off-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: omap-des - handle NULL cipher request
Tero Kristo [Tue, 5 Nov 2019 14:01:10 +0000 (16:01 +0200)]
crypto: omap-des - handle NULL cipher request

If no data is provided for DES request, just return immediately. No
processing is needed in this case.

Signed-off-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: omap-des - avoid unnecessary spam with bad cryptlen
Tero Kristo [Tue, 5 Nov 2019 14:01:09 +0000 (16:01 +0200)]
crypto: omap-des - avoid unnecessary spam with bad cryptlen

Remove the error print in this case, and just return the error.

Signed-off-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: omap-aes-gcm - convert to use crypto engine
Tero Kristo [Tue, 5 Nov 2019 14:01:08 +0000 (16:01 +0200)]
crypto: omap-aes-gcm - convert to use crypto engine

Currently omap-aes-gcm algorithms are using local implementation for
crypto request queuing logic. Instead, implement this via usage of
crypto engine which is used already for rest of the omap aes algorithms.
This avoids some random conflicts / crashes also which can happen if
both aes and aes-gcm are attempted to be used simultaneously.

Signed-off-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: omap-sham - fix unaligned sg list handling
Tero Kristo [Tue, 5 Nov 2019 14:01:07 +0000 (16:01 +0200)]
crypto: omap-sham - fix unaligned sg list handling

Currently the offset for unaligned sg lists is not handled properly
leading into wrong results with certain testmgr self tests. Fix the
handling to account for proper offset within the current sg list.

Signed-off-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: omap-aes-gcm - fix failure with assocdata only
Tero Kristo [Tue, 5 Nov 2019 14:01:06 +0000 (16:01 +0200)]
crypto: omap-aes-gcm - fix failure with assocdata only

If we only have assocdata with an omap-aes-gcm, it currently just
completes it directly without passing it over to the crypto HW. This
produces wrong results.

Fix by passing the request down to the crypto HW, and fix the DMA
support code to accept a case where we don't expect any output data.
In the case where only assocdata is provided, it just passes through
the accelerator and provides authentication results, without any
encrypted/decrypted buffer via DMA.

Signed-off-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: omap-aes-gcm - use the AES library to encrypt the tag
Ard Biesheuvel [Tue, 5 Nov 2019 14:01:05 +0000 (16:01 +0200)]
crypto: omap-aes-gcm - use the AES library to encrypt the tag

The OMAP AES-GCM implementation uses a fallback ecb(aes) skcipher to
produce the keystream to encrypt the output tag. Let's use the new
AES library instead - this is much simpler, and shouldn't affect
performance given that it only involves a single block.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Tero Kristo <t-kristo@ti.com>
Tested-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: omap-aes-gcm - check length of assocdata in RFC4106 mode
Ard Biesheuvel [Tue, 5 Nov 2019 14:01:04 +0000 (16:01 +0200)]
crypto: omap-aes-gcm - check length of assocdata in RFC4106 mode

RFC4106 requires the associated data to be a certain size, so reject
inputs that are wrong. This also prevents crashes or other problems due
to assoclen becoming negative after subtracting 8 bytes.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Tero Kristo <t-kristo@ti.com>
Tested-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: omap-aes-gcm - add missing .setauthsize hooks
Ard Biesheuvel [Tue, 5 Nov 2019 14:01:03 +0000 (16:01 +0200)]
crypto: omap-aes-gcm - add missing .setauthsize hooks

GCM only permits certain tag lengths, so populate the .setauthsize
hooks which ensure that only permitted sizes are accepted by the
implementation.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Tero Kristo <t-kristo@ti.com>
Tested-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: omap-aes-gcm - deal with memory allocation failure
Ard Biesheuvel [Tue, 5 Nov 2019 14:01:02 +0000 (16:01 +0200)]
crypto: omap-aes-gcm - deal with memory allocation failure

The OMAP gcm(aes) driver invokes omap_crypto_align_sg() without
dealing with the errors it may return, resulting in a crash if
the routine fails in a __get_free_pages(GFP_ATOMIC) call. So
bail and return the error rather than limping on if one occurs.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Tero Kristo <t-kristo@ti.com>
Tested-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: omap-aes-ctr - set blocksize to 1
Ard Biesheuvel [Tue, 5 Nov 2019 14:01:01 +0000 (16:01 +0200)]
crypto: omap-aes-ctr - set blocksize to 1

CTR is a streamcipher mode of AES, so set the blocksize accordingly.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Tero Kristo <t-kristo@ti.com>
Tested-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: omap-aes - reject invalid input sizes for block modes
Ard Biesheuvel [Tue, 5 Nov 2019 14:01:00 +0000 (16:01 +0200)]
crypto: omap-aes - reject invalid input sizes for block modes

Block modes such as ECB and CBC only support input sizes that are
a round multiple of the block size, so align with the generic code
which returns -EINVAL when encountering inputs that violate this
rule.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Tero Kristo <t-kristo@ti.com>
Tested-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: omap-aes - fixup aligned data cleanup
Tero Kristo [Tue, 5 Nov 2019 14:00:59 +0000 (16:00 +0200)]
crypto: omap-aes - fixup aligned data cleanup

Aligned data cleanup is using wrong pointers in the cleanup calls. Most
of the time these are right, but can cause mysterious problems in some
cases. Fix to use the same pointers that were used with the align call.

Signed-off-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: omap-sham - fix split update cases with cryptomgr tests
Tero Kristo [Tue, 5 Nov 2019 14:00:57 +0000 (16:00 +0200)]
crypto: omap-sham - fix split update cases with cryptomgr tests

The updated crypto manager finds a couple of new bugs from the omap-sham
driver. Basically the split update cases fail to calculate the amount of
data to be sent properly, leading into failed results and hangs with the
hw accelerator.

To fix these, the buffer handling needs to be fixed, but we do some cleanup
for the code at the same time to cut away some unnecessary code so that
it is easier to fix.

Signed-off-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: omap-aes-gcm - fix corner case with only auth data
Tero Kristo [Tue, 5 Nov 2019 14:00:56 +0000 (16:00 +0200)]
crypto: omap-aes-gcm - fix corner case with only auth data

Fix a corner case where only authdata is generated, without any provided
assocdata / cryptdata. Passing the empty scatterlists to OMAP AES core driver
in this case would confuse it, failing to map DMAs.

Signed-off-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: omap-sham - fix buffer handling for split test cases
Tero Kristo [Tue, 5 Nov 2019 14:00:55 +0000 (16:00 +0200)]
crypto: omap-sham - fix buffer handling for split test cases

Current buffer handling logic fails in a case where the buffer contains
existing data from previous update which is divisible by block size.
This results in a block size of data to be left missing from the sg
list going out to the hw accelerator, ending up in stalling the
crypto accelerator driver (the last request never completes fully due
to missing data.)

Fix this by passing the total size of the data instead of the data size
of current request, and also parsing the buffer contents within the
prepare request handling.

Signed-off-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: omap-aes - add IV output handling
Tero Kristo [Tue, 5 Nov 2019 14:00:54 +0000 (16:00 +0200)]
crypto: omap-aes - add IV output handling

Currently omap-aes driver does not copy end result IV out at all. This
is evident with the additional checks done at the crypto test manager.
Fix by copying out the IV values from HW.

Signed-off-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: omap-des - add IV output handling
Tero Kristo [Tue, 5 Nov 2019 14:00:53 +0000 (16:00 +0200)]
crypto: omap-des - add IV output handling

Currently omap-des driver does not copy end result IV out at all. This
is evident with the additional checks done at the crypto test manager.
Fix by copying out the IV values from HW.

Signed-off-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: omap-aes - remove the sysfs group during driver removal
Tero Kristo [Tue, 5 Nov 2019 14:00:52 +0000 (16:00 +0200)]
crypto: omap-aes - remove the sysfs group during driver removal

The driver removal should also cleanup the created sysfs group. If not,
the driver fails the subsequent probe as the files exist already. Also,
drop a completely unnecessary pointer assignment from the removal
function at the same time.

Signed-off-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: omap-sham - remove the sysfs group during driver removal
Tero Kristo [Tue, 5 Nov 2019 14:00:51 +0000 (16:00 +0200)]
crypto: omap-sham - remove the sysfs group during driver removal

The driver removal should also cleanup the created sysfs group. If not,
the driver fails the subsequent probe as the files exist already.

Signed-off-by: Tero Kristo <t-kristo@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: omap-sham - split up data to multiple sg elements with huge data
Tero Kristo [Tue, 5 Nov 2019 14:00:50 +0000 (16:00 +0200)]
crypto: omap-sham - split up data to multiple sg elements with huge data

When using huge data amount, allocating free pages fails as the kernel
isn't able to process get_free_page requests larger than MAX_ORDER.
Also, the DMA subsystem has an inherent limitation that data size
larger than some 2MB can't be handled properly. In these cases,
split up the data instead to smaller requests so that the kernel
can allocate the data, and also so that the DMA driver can handle
the separate SG elements.

Signed-off-by: Tero Kristo <t-kristo@ti.com>
Tested-by: Bin Liu <b-liu@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: shash - allow essiv and hmac to use OPTIONAL_KEY algorithms
Eric Biggers [Fri, 29 Nov 2019 19:35:22 +0000 (11:35 -0800)]
crypto: shash - allow essiv and hmac to use OPTIONAL_KEY algorithms

The essiv and hmac templates refuse to use any hash algorithm that has a
->setkey() function, which includes not just algorithms that always need
a key, but also algorithms that optionally take a key.

Previously the only optionally-keyed hash algorithms in the crypto API
were non-cryptographic algorithms like crc32, so this didn't really
matter.  But that's changed with BLAKE2 support being added.  BLAKE2
should work with essiv and hmac, just like any other cryptographic hash.

Fix this by allowing the use of both algorithms without a ->setkey()
function and algorithms that have the OPTIONAL_KEY flag set.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: skcipher - remove crypto_skcipher_extsize()
Eric Biggers [Fri, 29 Nov 2019 18:23:08 +0000 (10:23 -0800)]
crypto: skcipher - remove crypto_skcipher_extsize()

Due to the removal of the blkcipher and ablkcipher algorithm types,
crypto_skcipher_extsize() now simply calls crypto_alg_extsize().  So
remove it and just use crypto_alg_extsize().

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: skcipher - remove crypto_skcipher::decrypt
Eric Biggers [Fri, 29 Nov 2019 18:23:07 +0000 (10:23 -0800)]
crypto: skcipher - remove crypto_skcipher::decrypt

Due to the removal of the blkcipher and ablkcipher algorithm types,
crypto_skcipher::decrypt is now redundant since it always equals
crypto_skcipher_alg(tfm)->decrypt.

Remove it and update crypto_skcipher_decrypt() accordingly.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: skcipher - remove crypto_skcipher::encrypt
Eric Biggers [Fri, 29 Nov 2019 18:23:06 +0000 (10:23 -0800)]
crypto: skcipher - remove crypto_skcipher::encrypt

Due to the removal of the blkcipher and ablkcipher algorithm types,
crypto_skcipher::encrypt is now redundant since it always equals
crypto_skcipher_alg(tfm)->encrypt.

Remove it and update crypto_skcipher_encrypt() accordingly.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: skcipher - remove crypto_skcipher::setkey
Eric Biggers [Fri, 29 Nov 2019 18:23:05 +0000 (10:23 -0800)]
crypto: skcipher - remove crypto_skcipher::setkey

Due to the removal of the blkcipher and ablkcipher algorithm types,
crypto_skcipher::setkey now always points to skcipher_setkey().

Simplify by removing this function pointer and instead just making
skcipher_setkey() be crypto_skcipher_setkey() directly.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: skcipher - remove crypto_skcipher::keysize
Eric Biggers [Fri, 29 Nov 2019 18:23:04 +0000 (10:23 -0800)]
crypto: skcipher - remove crypto_skcipher::keysize

Due to the removal of the blkcipher and ablkcipher algorithm types,
crypto_skcipher::keysize is now redundant since it always equals
crypto_skcipher_alg(tfm)->max_keysize.

Remove it and update crypto_skcipher_default_keysize() accordingly.

Also rename crypto_skcipher_default_keysize() to
crypto_skcipher_max_keysize() to clarify that it specifically returns
the maximum key size, not some unspecified "default".

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: skcipher - remove crypto_skcipher::ivsize
Eric Biggers [Fri, 29 Nov 2019 18:23:03 +0000 (10:23 -0800)]
crypto: skcipher - remove crypto_skcipher::ivsize

Due to the removal of the blkcipher and ablkcipher algorithm types,
crypto_skcipher::ivsize is now redundant since it always equals
crypto_skcipher_alg(tfm)->ivsize.

Remove it and update crypto_skcipher_ivsize() accordingly.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: api - remove another reference to blkcipher
Eric Biggers [Fri, 29 Nov 2019 18:16:48 +0000 (10:16 -0800)]
crypto: api - remove another reference to blkcipher

Update a comment to refer to crypto_alloc_skcipher() rather than
crypto_alloc_blkcipher() (the latter having been removed).

Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: hisilicon - select CRYPTO_SKCIPHER, not CRYPTO_BLKCIPHER
Eric Biggers [Fri, 29 Nov 2019 18:15:56 +0000 (10:15 -0800)]
crypto: hisilicon - select CRYPTO_SKCIPHER, not CRYPTO_BLKCIPHER

Another instance of CRYPTO_BLKCIPHER made it in just after it was
renamed to CRYPTO_SKCIPHER.  Fix it.

Fixes: 416d82204df4 ("crypto: hisilicon - add HiSilicon SEC V2 driver")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: pcrypt - Do not clear MAY_SLEEP flag in original request
Herbert Xu [Fri, 29 Nov 2019 08:40:24 +0000 (16:40 +0800)]
crypto: pcrypt - Do not clear MAY_SLEEP flag in original request

We should not be modifying the original request's MAY_SLEEP flag
upon completion.  It makes no sense to do so anyway.

Reported-by: Eric Biggers <ebiggers@kernel.org>
Fixes: 5068c7a883d1 ("crypto: pcrypt - Add pcrypt crypto...")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: arm64/ghash-neon - bump priority to 150
Ard Biesheuvel [Thu, 28 Nov 2019 12:55:31 +0000 (13:55 +0100)]
crypto: arm64/ghash-neon - bump priority to 150

The SIMD based GHASH implementation for arm64 is typically much faster
than the generic one, and doesn't use any lookup tables, so it is
clearly preferred when available. So bump the priority to reflect that.

Fixes: 5a22b198cd527447 ("crypto: arm64/ghash - register PMULL variants ...")
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: arm64/sha - fix function types
Sami Tolvanen [Wed, 27 Nov 2019 23:55:03 +0000 (15:55 -0800)]
crypto: arm64/sha - fix function types

Instead of casting pointers to callback functions, add C wrappers
to avoid type mismatch failures with Control-Flow Integrity (CFI)
checking.

Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: ccp - set max RSA modulus size for v3 platform devices as well
Ard Biesheuvel [Wed, 27 Nov 2019 12:01:36 +0000 (13:01 +0100)]
crypto: ccp - set max RSA modulus size for v3 platform devices as well

AMD Seattle incorporates a non-PCI version of the v3 CCP crypto
accelerator, and this version was left behind when the maximum
RSA modulus size was parameterized in order to support v5 hardware
which supports larger moduli than v3 hardware does. Due to this
oversight, RSA acceleration no longer works at all on these systems.

Fix this by setting the .rsamax property to the appropriate value
for v3 platform hardware.

Fixes: e28c190db66830c0 ("csrypto: ccp - Expand RSA support for a v5 ccp")
Cc: Gary R Hook <gary.hook@amd.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Acked-by: Gary R Hook <gary.hook@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: ccree - fix backlog memory leak
Gilad Ben-Yossef [Wed, 27 Nov 2019 08:49:08 +0000 (10:49 +0200)]
crypto: ccree - fix backlog memory leak

Fix brown paper bag bug of not releasing backlog list item buffer
when backlog was consumed causing a memory leak when backlog is
used.

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Cc: stable@vger.kernel.org # v4.19+
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: ccree - fix typos in error msgs
Hadar Gat [Wed, 27 Nov 2019 08:49:07 +0000 (10:49 +0200)]
crypto: ccree - fix typos in error msgs

Fix some typos in error message text.

Signed-off-by: Hadar Gat <hadar.gat@arm.com>
Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: ccree - fix typos in comments
Hadar Gat [Wed, 27 Nov 2019 08:49:06 +0000 (10:49 +0200)]
crypto: ccree - fix typos in comments

Fix some typos in code comments.

Signed-off-by: Hadar Gat <hadar.gat@arm.com>
Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: ccree - remove useless define
Gilad Ben-Yossef [Wed, 27 Nov 2019 08:49:05 +0000 (10:49 +0200)]
crypto: ccree - remove useless define

The define of CC_DEV_SHA_MAX is not needed since we moved
to runtime detection of capabilities. Remove it.

Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: x86 - Regularize glue function prototypes
Kees Cook [Wed, 27 Nov 2019 06:08:02 +0000 (22:08 -0800)]
crypto: x86 - Regularize glue function prototypes

The crypto glue performed function prototype casting via macros to make
indirect calls to assembly routines. Instead of performing casts at the
call sites (which trips Control Flow Integrity prototype checking), switch
each prototype to a common standard set of arguments which allows the
removal of the existing macros. In order to keep pointer math unchanged,
internal casting between u128 pointers and u8 pointers is added.

Co-developed-by: João Moreira <joao.moreira@intel.com>
Signed-off-by: João Moreira <joao.moreira@intel.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: caam - do not reset pointer size from MCFGR register
Iuliana Prodan [Tue, 26 Nov 2019 22:54:26 +0000 (00:54 +0200)]
crypto: caam - do not reset pointer size from MCFGR register

In commit 'a1cf573ee95 ("crypto: caam - select DMA address size at runtime")'
CAAM pointer size (caam_ptr_size) is changed from
sizeof(dma_addr_t) to runtime value computed from MCFGR register.
Therefore, do not reset MCFGR[PS].

Fixes: a1cf573ee95 ("crypto: caam - select DMA address size at runtime")
Signed-off-by: Iuliana Prodan <iuliana.prodan@nxp.com>
Cc: <stable@vger.kernel.org>
Cc: Andrey Smirnov <andrew.smirnov@gmail.com>
Cc: Alison Wang <alison.wang@nxp.com>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: pcrypt - Avoid deadlock by using per-instance padata queues
Herbert Xu [Tue, 26 Nov 2019 07:58:45 +0000 (15:58 +0800)]
crypto: pcrypt - Avoid deadlock by using per-instance padata queues

If the pcrypt template is used multiple times in an algorithm, then a
deadlock occurs because all pcrypt instances share the same
padata_instance, which completes requests in the order submitted.  That
is, the inner pcrypt request waits for the outer pcrypt request while
the outer request is already waiting for the inner.

This patch fixes this by allocating a set of queues for each pcrypt
instance instead of using two global queues.  In order to maintain
the existing user-space interface, the pinst structure remains global
so any sysfs modifications will apply to every pcrypt instance.

Note that when an update occurs we have to allocate memory for
every pcrypt instance.  Should one of the allocations fail we
will abort the update without rolling back changes already made.

The new per-instance data structure is called padata_shell and is
essentially a wrapper around parallel_data.

Reproducer:

#include <linux/if_alg.h>
#include <sys/socket.h>
#include <unistd.h>

int main()
{
struct sockaddr_alg addr = {
.salg_type = "aead",
.salg_name = "pcrypt(pcrypt(rfc4106-gcm-aesni))"
};
int algfd, reqfd;
char buf[32] = { 0 };

algfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
bind(algfd, (void *)&addr, sizeof(addr));
setsockopt(algfd, SOL_ALG, ALG_SET_KEY, buf, 20);
reqfd = accept(algfd, 0, 0);
write(reqfd, buf, 32);
read(reqfd, buf, 16);
}

Reported-by: syzbot+56c7151cad94eec37c521f0e47d2eee53f9361c4@syzkaller.appspotmail.com
Fixes: 5068c7a883d1 ("crypto: pcrypt - Add pcrypt crypto parallelization wrapper")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Eric Biggers <ebiggers@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: atmel-tdes - Retire dma_request_slave_channel_compat()
Peter Ujfalusi [Thu, 21 Nov 2019 10:16:02 +0000 (12:16 +0200)]
crypto: atmel-tdes - Retire dma_request_slave_channel_compat()

The driver no longer boots in legacy mode, only via DT. This makes the
dma_request_slave_channel_compat() redundant.
If ever the filter function would be executed it will return false as the
dma_slave is not really initialized.

Switch to use dma_request_chan() which would allow legacy boot if ever
needed again by configuring dma_slave_map for the DMA driver.

At the same time skip allocating memory for dma_slave as it is not used
anymore.

Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: atmel-sha - Retire dma_request_slave_channel_compat()
Peter Ujfalusi [Thu, 21 Nov 2019 10:16:01 +0000 (12:16 +0200)]
crypto: atmel-sha - Retire dma_request_slave_channel_compat()

The driver no longer boots in legacy mode, only via DT. This makes the
dma_request_slave_channel_compat() redundant.
If ever the filter function would be executed it will return false as the
dma_slave is not really initialized.

Switch to use dma_request_chan() which would allow legacy boot if ever
needed again by configuring dma_slave_map for the DMA driver.

At the same time skip allocating memory for dma_slave as it is not used
anymore.

Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: atmel-aes - Retire dma_request_slave_channel_compat()
Peter Ujfalusi [Thu, 21 Nov 2019 10:16:00 +0000 (12:16 +0200)]
crypto: atmel-aes - Retire dma_request_slave_channel_compat()

The driver no longer boots in legacy mode, only via DT. This makes the
dma_request_slave_channel_compat() redundant.
If ever the filter function would be executed it will return false as the
dma_slave is not really initialized.

Switch to use dma_request_chan() which would allow legacy boot if ever
needed again by configuring dma_slave_map for the DMA driver.

At the same time skip allocating memory for dma_slave as it is not used
anymore.

Signed-off-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: Kconfig - Fix indentation
Krzysztof Kozlowski [Thu, 21 Nov 2019 03:20:48 +0000 (04:20 +0100)]
crypto: Kconfig - Fix indentation

Adjust indentation from spaces to tab (+optional two spaces) as in
coding style with command like:
$ sed -e 's/^        /\t/' -i */Kconfig

Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: sun4i-ss - add the A33 variant of SS
Corentin Labbe [Wed, 20 Nov 2019 15:28:33 +0000 (16:28 +0100)]
crypto: sun4i-ss - add the A33 variant of SS

The A33 SS has a difference with all other SS, it give SHA1 digest
directly in BE.
So this patch adds variant support in sun4i-ss.

Fixes: 6298e948215f ("crypto: sunxi-ss - Add Allwinner Security System crypto accelerator")
Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Acked-by: Maxime Ripard <mripard@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agoMAINTAINERS: update my e-mail address
Kamil Konieczny [Wed, 20 Nov 2019 13:55:27 +0000 (14:55 +0100)]
MAINTAINERS: update my e-mail address

Update my e-mail address to @samsung.com in maintainers.
Add also map in .mailmap to new e-mail.

Signed-off-by: Kamil Konieczny <k.konieczny@samsung.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agohwrng: iproc-rng200 - Add support for BCM2711
Stefan Wahren [Wed, 20 Nov 2019 03:16:20 +0000 (19:16 -0800)]
hwrng: iproc-rng200 - Add support for BCM2711

BCM2711 features a RNG200 hardware random number generator block.
So make the driver available.

Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
Signed-off-by: Stephen Brennan <stephen@brennan.io>
Reviewed-by: Matthias Brugger <mbrugger@suse.com>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agodt-bindings: rng: add BCM2711 RNG compatible
Stefan Wahren [Wed, 20 Nov 2019 03:16:19 +0000 (19:16 -0800)]
dt-bindings: rng: add BCM2711 RNG compatible

The BCM2711 has a RNG200 block, so document its compatible string.

Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
Signed-off-by: Stephen Brennan <stephen@brennan.io>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Acked-by: Rob Herring <robh@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agopadata: Remove unused padata_remove_cpu
Herbert Xu [Tue, 19 Nov 2019 22:32:50 +0000 (06:32 +0800)]
padata: Remove unused padata_remove_cpu

The function padata_remove_cpu was supposed to have been removed
along with padata_add_cpu but somehow it remained behind.  Let's
kill it now as it doesn't even have a prototype anymore.

Fixes: 815613da6a67 ("kernel/padata.c: removed unused code")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: pcrypt - Fix user-after-free on module unload
Herbert Xu [Tue, 19 Nov 2019 09:41:31 +0000 (17:41 +0800)]
crypto: pcrypt - Fix user-after-free on module unload

On module unload of pcrypt we must unregister the crypto algorithms
first and then tear down the padata structure.  As otherwise the
crypto algorithms are still alive and can be used while the padata
structure is being freed.

Fixes: 5068c7a883d1 ("crypto: pcrypt - Add pcrypt crypto...")
Cc: <stable@vger.kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: hisilicon - Remove useless MODULE macros
Zhou Wang [Tue, 19 Nov 2019 05:42:58 +0000 (13:42 +0800)]
crypto: hisilicon - Remove useless MODULE macros

As we already merge hardware sgl into hisi_qm module, remove useless
MODULE macros.

Fixes: 48c1cd40fae3 (crypto: hisilicon - merge sgl support to hisi_qm module)
Signed-off-by: Zhou Wang <wangzhou1@hisilicon.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: hisilicon - Use the offset fields in sqe to avoid need to split scatterlists
Jonathan Cameron [Tue, 19 Nov 2019 05:42:57 +0000 (13:42 +0800)]
crypto: hisilicon - Use the offset fields in sqe to avoid need to split scatterlists

We can configure sgl offset fields in ZIP sqe to let ZIP engine read/write
sgl data with skipped data. Hence no need to splite the sgl.

Fixes: 62c455ca853e (crypto: hisilicon - add HiSilicon ZIP accelerator support)
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Zhou Wang <wangzhou1@hisilicon.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: hisilicon - Fix issue with wrong number of sg elements after dma map
Jonathan Cameron [Tue, 19 Nov 2019 05:42:56 +0000 (13:42 +0800)]
crypto: hisilicon - Fix issue with wrong number of sg elements after dma map

We fill the hardware scatter gather list assuming it will need the same
number of elements at the original scatterlist. If an IOMMU is involved,
then it may well need fewer. The return value of dma_map_sg tells us how
many.

Probably never caused visible problems as the hardware won't get to
the elements that are incorrect before it finds enough space.

Fixes: dfed0098ab91 (crypto: hisilicon - add hardware SGL support)
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Zhou Wang <wangzhou1@hisilicon.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agopadata: Remove broken queue flushing
Herbert Xu [Tue, 19 Nov 2019 05:17:31 +0000 (13:17 +0800)]
padata: Remove broken queue flushing

The function padata_flush_queues is fundamentally broken because
it cannot force padata users to complete the request that is
underway.  IOW padata has to passively wait for the completion
of any outstanding work.

As it stands flushing is used in two places.  Its use in padata_stop
is simply unnecessary because nothing depends on the queues to
be flushed afterwards.

The other use in padata_replace is more substantial as we depend
on it to free the old pd structure.  This patch instead uses the
pd->refcnt to dynamically free the pd structure once all requests
are complete.

Fixes: 2b73b07ab8a4 ("padata: Flush the padata queues actively")
Cc: <stable@vger.kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agocrypto: inside-secure - Use PTR_ERR_OR_ZERO() to simplify code
zhengbin [Mon, 18 Nov 2019 10:53:56 +0000 (18:53 +0800)]
crypto: inside-secure - Use PTR_ERR_OR_ZERO() to simplify code

Fixes coccicheck warning:

drivers/crypto/inside-secure/safexcel_cipher.c:2534:1-3: WARNING: PTR_ERR_OR_ZERO can be used

Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: zhengbin <zhengbin13@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
4 years agoLinux 5.5-rc1
Linus Torvalds [Sun, 8 Dec 2019 22:57:55 +0000 (14:57 -0800)]
Linux 5.5-rc1

4 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Linus Torvalds [Sun, 8 Dec 2019 21:28:11 +0000 (13:28 -0800)]
Merge git://git./linux/kernel/git/netdev/net

Pull networking fixes from David Miller:

 1) More jumbo frame fixes in r8169, from Heiner Kallweit.

 2) Fix bpf build in minimal configuration, from Alexei Starovoitov.

 3) Use after free in slcan driver, from Jouni Hogander.

 4) Flower classifier port ranges don't work properly in the HW offload
    case, from Yoshiki Komachi.

 5) Use after free in hns3_nic_maybe_stop_tx(), from Yunsheng Lin.

 6) Out of bounds access in mqprio_dump(), from Vladyslav Tarasiuk.

 7) Fix flow dissection in dsa TX path, from Alexander Lobakin.

 8) Stale syncookie timestampe fixes from Guillaume Nault.

[ Did an evil merge to silence a warning introduced by this pull - Linus ]

* git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (84 commits)
  r8169: fix rtl_hw_jumbo_disable for RTL8168evl
  net_sched: validate TCA_KIND attribute in tc_chain_tmplt_add()
  r8169: add missing RX enabling for WoL on RTL8125
  vhost/vsock: accept only packets with the right dst_cid
  net: phy: dp83867: fix hfs boot in rgmii mode
  net: ethernet: ti: cpsw: fix extra rx interrupt
  inet: protect against too small mtu values.
  gre: refetch erspan header from skb->data after pskb_may_pull()
  pppoe: remove redundant BUG_ON() check in pppoe_pernet
  tcp: Protect accesses to .ts_recent_stamp with {READ,WRITE}_ONCE()
  tcp: tighten acceptance of ACKs not matching a child socket
  tcp: fix rejected syncookies due to stale timestamps
  lpc_eth: kernel BUG on remove
  tcp: md5: fix potential overestimation of TCP option space
  net: sched: allow indirect blocks to bind to clsact in TC
  net: core: rename indirect block ingress cb function
  net-sysfs: Call dev_hold always in netdev_queue_add_kobject
  net: dsa: fix flow dissection on Tx path
  net/tls: Fix return values to avoid ENOTSUPP
  net: avoid an indirect call in ____sys_recvmsg()
  ...

4 years agoMerge tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi
Linus Torvalds [Sun, 8 Dec 2019 20:23:42 +0000 (12:23 -0800)]
Merge tag 'scsi-misc' of git://git./linux/kernel/git/jejb/scsi

Pull more SCSI updates from James Bottomley:
 "Eleven patches, all in drivers (no core changes) that are either minor
  cleanups or small fixes.

  They were late arriving, but still safe for -rc1"

* tag 'scsi-misc' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  scsi: MAINTAINERS: Add the linux-scsi mailing list to the ISCSI entry
  scsi: megaraid_sas: Make poll_aen_lock static
  scsi: sd_zbc: Improve report zones error printout
  scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI
  scsi: qla2xxx: unregister ports after GPN_FT failure
  scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan
  scsi: pm80xx: Remove unused include of linux/version.h
  scsi: pm80xx: fix logic to break out of loop when register value is 2 or 3
  scsi: scsi_transport_sas: Fix memory leak when removing devices
  scsi: lpfc: size cpu map by last cpu id set
  scsi: ibmvscsi_tgt: Remove unneeded variable rc