Herbert Xu [Thu, 28 May 2015 14:07:55 +0000 (22:07 +0800)]
crypto: aead - Add aead_alg_instance
Now that type-safe init/exit functions exist, they often need
to access the underlying aead_instance. So this patch adds the
helper aead_alg_instance to access aead_instance from a crypto_aead
object.
Herbert Xu [Thu, 28 May 2015 14:07:53 +0000 (22:07 +0800)]
crypto: aead - Add type-safe init/exit functions
As it stands the only non-type safe functions left in the new
AEAD interface are the cra_init/cra_exit functions. It means
exposing the ugly __crypto_aead_cast to every AEAD implementor.
This patch adds type-safe init/exit functions to AEAD. Existing
algorithms are unaffected while new implementations can simply
fill in these two instead of cra_init/cra_exit.
This commit introduces a variant of the mv_mbus_dram_info() function
called mv_mbus_dram_info_nooverlap(). Both functions are used by
Marvell drivers supporting devices doing DMA, and provide them a
description of the DRAM ranges that they need to configure their DRAM
windows.
The ranges provided by the mv_mbus_dram_info() function may overlap
with the I/O windows if there is a lot (>= 4 GB) of RAM
installed. This is not a problem for most of the DMA masters, except
for the upcoming new CESA crypto driver because it does DMA to the
SRAM, which is mapped through an I/O window. For this unit, we need to
have DRAM ranges that do not overlap with the I/O windows.
A first implementation done in commit 1737cac69369 ("bus: mvebu-mbus:
make sure SDRAM CS for DMA don't overlap the MBus bridge window"),
changed the information returned by mv_mbus_dram_info() to match this
requirement. However, it broke the requirement of the other DMA
masters that the DRAM ranges should have power of two sizes.
To solve this situation, this commit introduces a new
mv_mbus_dram_info_nooverlap() function, which returns the same
information as mv_mbus_dram_info(), but guaranteed to not overlap with
the I/O windows.
In the end, it gives us two variants of the mv_mbus_dram_info*()
functions:
- The normal one, mv_mbus_dram_info(), which has been around for many
years. This function returns the raw DRAM ranges, which are
guaranteed to use power of two sizes, but will overlap with I/O
windows. This function will therefore be used by all DMA masters
(SATA, XOR, Ethernet, etc.) except the CESA crypto driver.
- The new 'nooverlap' variant, mv_mbus_dram_info_nooverlap(). This
function returns DRAM ranges after they have been "tweaked" to make
sure they don't overlap with I/O windows. By doing this tweaking,
we remove the power of two size guarantee. This variant will be
used by the new CESA crypto driver.
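To make the trade-off above concrete, here is an added model in C (not mvebu-mbus code; the range and window addresses are constructed and the function names are assumptions): the nooverlap tweak clips a raw DRAM range at the first I/O window it collides with, and a DMA master that needs power-of-two windows must reject the clipped result.

```c
#include <stddef.h>
#include <stdint.h>

struct mbus_range {
    uint64_t base;   /* 64-bit so the 4 GB boundary is representable */
    uint64_t size;
};

/* Most mvebu DMA masters can only program windows of power-of-two size. */
static int is_power_of_two(uint64_t x)
{
    return x != 0 && (x & (x - 1)) == 0;
}

static int ranges_overlap(struct mbus_range a, struct mbus_range b)
{
    return a.base < b.base + b.size && b.base < a.base + a.size;
}

/* Model of the 'nooverlap' variant: clip a raw DRAM range so that it ends
 * before any I/O window it collides with. A window starting at or below the
 * range base swallows the whole range (size becomes 0). */
static struct mbus_range dram_range_nooverlap(struct mbus_range dram,
                                              const struct mbus_range *io,
                                              size_t nio)
{
    for (size_t i = 0; i < nio; i++) {
        if (!ranges_overlap(dram, io[i]))
            continue;
        dram.size = io[i].base > dram.base ? io[i].base - dram.base : 0;
    }
    return dram;
}

/* The check a DMA master should run before programming a window from a
 * range: needs_pow2 for SATA/XOR/Ethernet-style masters, needs_no_overlap
 * for a master that also targets an I/O window (the CESA SRAM case).
 * Returns 1 if the range is usable, 0 if it must be rejected. */
static int dram_range_usable(struct mbus_range r, int needs_pow2,
                             int needs_no_overlap,
                             const struct mbus_range *io, size_t nio)
{
    if (r.size == 0 || (needs_pow2 && !is_power_of_two(r.size)))
        return 0;
    if (needs_no_overlap)
        for (size_t i = 0; i < nio; i++)
            if (ranges_overlap(r, io[i]))
                return 0;
    return 1;
}

/* Constructed scenario from the log: 4 GB of RAM as two 2 GB chip selects
 * plus one 16 MB I/O window high in the second range (addresses made up). */
static const struct mbus_range demo_cs[2] = {
    { 0x00000000ULL, 0x80000000ULL },
    { 0x80000000ULL, 0x80000000ULL },
};
static const struct mbus_range demo_io[1] = {
    { 0xF0000000ULL, 0x01000000ULL },
};
```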
Thomas Petazzoni [Thu, 28 May 2015 08:40:13 +0000 (10:40 +0200)]
Revert "bus: mvebu-mbus: make sure SDRAM CS for DMA don't overlap the MBus bridge window"
This reverts commit 1737cac69369 ("bus: mvebu-mbus: make sure SDRAM CS
for DMA don't overlap the MBus bridge window"), because it breaks DMA
on platforms having more than 2 GB of RAM.
This commit changed the information reported to DMA masters device
drivers through the mv_mbus_dram_info() function so that the returned
DRAM ranges do not overlap with I/O windows.
This was necessary as a preparation to support the new CESA Crypto
Engine driver, which will use DMA for cryptographic operations. But
since it does DMA with the SRAM which is mapped as an I/O window,
having DRAM ranges overlapping with I/O windows was problematic.
To solve this, the above-mentioned commit changed the mvebu-mbus to
adjust the DRAM ranges so that they don't overlap with the I/O
windows. However, by doing this, we re-adjust the DRAM ranges in a way
that makes them have a size that is no longer a power of two. While
this is perfectly fine for the Crypto Engine, which supports DRAM
ranges with a granularity of 64 KB, it breaks basically all other DMA
masters, which expect power of two sizes for the DRAM ranges.
Due to this, if the installed system memory is 4 GB, in two
chip-selects of 2 GB, the second DRAM range will be reduced from 2 GB
to a little bit less than 2 GB to not overlap with the I/O windows, in
a way that results in a DRAM range that doesn't have a power of two
size. This means that whenever you do a DMA transfer with an address
located in the [ 2 GB ; 4 GB ] area, it will freeze the system. Any
serious DMA activity like simply running:
for i in $(seq 1 64) ; do dd if=/dev/urandom of=file$i bs=1M count=16 ; done
in an ext3 partition mounted over a SATA drive will freeze the system.
Since the new CESA crypto driver that uses DMA has not been merged
yet, the easiest fix is to simply revert this commit. A follow-up
commit will introduce a different solution for the CESA crypto driver.
Signed-off-by: Thomas Petazzoni <[email protected]>
Fixes: 1737cac69369 ("bus: mvebu-mbus: make sure SDRAM CS for DMA don't overlap the MBus bridge window")
Cc: <[email protected]> # v4.0+
Signed-off-by: Gregory CLEMENT <[email protected]>
Nicolas Schichan [Thu, 28 May 2015 08:40:12 +0000 (10:40 +0200)]
bus: mvebu-mbus: do not set WIN_CTRL_SYNCBARRIER on non io-coherent platforms.
Commit a0b5cd4ac2d6 ("bus: mvebu-mbus: use automatic I/O
synchronization barriers") enabled the usage of automatic I/O
synchronization barriers by enabling bit WIN_CTRL_SYNCBARRIER in the
control registers of MBus windows, but on non io-coherent platforms
(orion5x, kirkwood and dove) the WIN_CTRL_SYNCBARRIER bit in
the window control register is either reserved (all windows except 6
and 7) or enables read-only protection (windows 6 and 7).
The patch removes the use of timekeeping_valid_for_hres which is now
marked as internal for the time keeping subsystem. The jitterentropy
does not really require this verification as a coarse timer (when
random_get_entropy is absent) is discovered by the initialization test
of jent_entropy_init, which would cause the jitter rng to not load in
that case.
Herbert Xu [Wed, 27 May 2015 09:24:41 +0000 (17:24 +0800)]
crypto: algif_aead - Switch to new AEAD interface
This patch makes use of the new AEAD interface which uses a single
SG list instead of separate lists for the AD and plain text.
Note that the user-space interface now requires both input and
output to be of the same length, and both must include space for
the AD as well as the authentication tag.
Herbert Xu [Wed, 27 May 2015 08:03:47 +0000 (16:03 +0800)]
esp6: Switch to new AEAD interface
This patch makes use of the new AEAD interface which uses a single
SG list instead of separate lists for the AD and plain text. The
IV generation is also now carried out through normal AEAD methods.
Herbert Xu [Wed, 27 May 2015 08:03:46 +0000 (16:03 +0800)]
esp4: Switch to new AEAD interface
This patch makes use of the new AEAD interface which uses a single
SG list instead of separate lists for the AD and plain text. The
IV generation is also now carried out through normal AEAD methods.
Herbert Xu [Wed, 27 May 2015 06:37:30 +0000 (14:37 +0800)]
crypto: aead - Add common IV generation code
This patch adds some common IV generation code currently duplicated
by seqiv and echainiv. For example, the setkey and setauthsize
functions are completely identical.
Herbert Xu [Wed, 27 May 2015 06:37:26 +0000 (14:37 +0800)]
crypto: aead - Document behaviour of AD in destination buffer
This patch defines the behaviour of AD in the new interface more
clearly. In particular, it specifies that the user must copy
the AD to the destination manually when src != dst if they wish
to guarantee that the destination buffer contains a copy of the
AD.
The reason for this is that otherwise every AEAD implementation
would have to perform such a copy when src != dst. In reality
most users do in-place processing where src == dst so this is
not an issue.
This patch also kills some remaining references to cryptoff.
Tom Lendacky [Tue, 26 May 2015 18:06:24 +0000 (13:06 -0500)]
crypto: ccp - Remove manual check and set of dma_mask pointer
The underlying device support will set the device dma_mask pointer
if DMA is set up properly for the device. Remove the check for and
assignment of dma_mask when it is null. Instead, just error out if
the dma_set_mask_and_coherent function fails because dma_mask is null.
Stephan Mueller [Mon, 25 May 2015 13:10:20 +0000 (15:10 +0200)]
crypto: jitterentropy - add jitterentropy RNG
The CPU Jitter RNG provides a source of good entropy by
collecting CPU executing time jitter. The entropy in the CPU
execution time jitter is magnified by the CPU Jitter Random
Number Generator. The CPU Jitter Random Number Generator uses
the CPU execution timing jitter to generate a bit stream
which complies with different statistical measurements that
determine the bit stream is random.
The CPU Jitter Random Number Generator delivers entropy which
follows information theoretical requirements. Based on these
studies and the implementation, the caller can assume that
one bit of data extracted from the CPU Jitter Random Number
Generator holds one bit of entropy.
The CPU Jitter Random Number Generator provides a decentralized
source of entropy, i.e. every caller can operate on a private
state of the entropy pool.
The RNG does not have any dependencies on any other service
in the kernel. The RNG only needs a high-resolution time
stamp.
Further design details, the cryptographic assessment and
large array of test results are documented at
http://www.chronox.de/jent.html.
Stephan Mueller [Mon, 25 May 2015 13:09:59 +0000 (15:09 +0200)]
crypto: drbg - use Jitter RNG to obtain seed
During initialization, the DRBG now tries to allocate a handle of the
Jitter RNG. If such a Jitter RNG is available during seeding, the DRBG
pulls the required entropy/nonce string from get_random_bytes and
concatenates it with a string of equal size from the Jitter RNG. That
combined string is now the seed for the DRBG.
Written differently, the initial seed of the DRBG is now:
Stephan Mueller [Mon, 25 May 2015 13:09:36 +0000 (15:09 +0200)]
crypto: drbg - add async seeding operation
The async seeding operation is triggered during initialization right
after the first non-blocking seeding is completed. As required by the
asynchronous operation of random.c, a callback function is provided that
is triggered by random.c once entropy is available. That callback
function performs the actual seeding of the DRBG.
Stephan Mueller [Mon, 25 May 2015 13:09:14 +0000 (15:09 +0200)]
crypto: drbg - prepare for async seeding
In order to prepare for the addition of the asynchronous seeding call,
the invocation of seeding the DRBG is moved out into a helper function.
In addition, a block of memory is allocated during initialization time
that will be used as a scratchpad for obtaining entropy. That scratchpad
is used for the initial seeding operation as well as by the
asynchronous seeding call. The memory must be zeroized every time the
DRBG seeding call succeeds to avoid entropy data lingering in memory.
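The seeding rule from "crypto: drbg - use Jitter RNG to obtain seed" together with the scratchpad zeroization from "prepare for async seeding", as an added C model (not the kernel's drbg.c; the drbg_seed_* names, the fixed-fill entropy stand-ins and the 128-byte scratchpad are assumptions):

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

typedef int (*entropy_source_fn)(uint8_t *out, size_t len);
struct drbg_seed_ctx { uint8_t scratch[128]; };  /* allocated once at init */

/* Wipe through a volatile pointer so the stores cannot be optimised away. */
static void zeroize(void *p, size_t n)
{
    volatile uint8_t *v = p;
    while (n--)
        *v++ = 0;
}

/* Build the seed in ctx->scratch and hand it to seed_fn:
 *   get_random(entropylen) || jitter(entropylen)  if a Jitter RNG is available
 *   get_random(entropylen)                         otherwise (jitter == NULL)
 * The scratchpad is wiped afterwards so entropy does not linger in memory
 * (the log requires this on success; wiping on failure too is harmless). */
static int drbg_seed_from_sources(struct drbg_seed_ctx *ctx,
                                  entropy_source_fn get_random,
                                  entropy_source_fn jitter, size_t entropylen,
                                  int (*seed_fn)(const uint8_t *, size_t))
{
    size_t need = jitter ? 2 * entropylen : entropylen;
    int ret;

    if (entropylen == 0 || need > sizeof(ctx->scratch))
        return -EINVAL;
    ret = get_random(ctx->scratch, entropylen);
    if (!ret && jitter)
        ret = jitter(ctx->scratch + entropylen, entropylen);
    if (!ret)
        ret = seed_fn(ctx->scratch, need);
    zeroize(ctx->scratch, sizeof(ctx->scratch));
    return ret;
}

/* Constructed stand-ins for get_random_bytes() and the Jitter RNG, and for
 * the DRBG's own seed routine, which here just records what it was given. */
static int fake_random(uint8_t *out, size_t len) { memset(out, 0xAA, len); return 0; }
static int fake_jitter(uint8_t *out, size_t len) { memset(out, 0x55, len); return 0; }

static struct drbg_seed_ctx demo_ctx;
static uint8_t captured_seed[128];
static size_t captured_len;
static int capture_seed(const uint8_t *s, size_t n)
{
    memcpy(captured_seed, s, n);
    captured_len = n;
    return 0;
}

/* Seeds once with 32-byte strings; returns the combined seed length
 * handed to the DRBG, or a negative errno. */
static int demo_seed(int with_jitter)
{
    int ret = drbg_seed_from_sources(&demo_ctx, fake_random,
                                     with_jitter ? fake_jitter : NULL,
                                     32, capture_seed);
    return ret ? ret : (int)captured_len;
}
```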
Stephan Mueller [Mon, 25 May 2015 13:08:47 +0000 (15:08 +0200)]
random: Blocking API for accessing nonblocking_pool
The added API calls provide a synchronous function call
get_blocking_random_bytes where the caller is blocked until
the nonblocking_pool is initialized.
Herbert Xu [Thu, 21 May 2015 08:19:54 +0000 (16:19 +0800)]
random: Wake up all getrandom(2) callers when pool is ready
If more than one application invokes getrandom(2) before the pool
is ready, then all bar one will be stuck forever because we use
wake_up_interruptible which wakes up a single task.
Herbert Xu [Tue, 26 May 2015 07:32:42 +0000 (15:32 +0800)]
crypto: algif_aead - Disable AEAD user-space for now
The newly added AEAD user-space isn't quite ready for prime time
just yet. In particular it is conflicting with the AEAD single
SG list interface change so this patch disables it now.
Once the SG list stuff is completely done we can then re-enable
this interface.
Herbert Xu [Sat, 23 May 2015 07:41:56 +0000 (15:41 +0800)]
crypto: seqiv - Stop using cryptoff
The cryptoff parameter was added to facilitate the skipping of
IVs that sit between the AD and the plain/cipher text. However,
it was never implemented correctly and we do not handle users
such as IPsec setting cryptoff. It is simply ignored.
Implementing it correctly is in fact more trouble than it's
worth.
This patch removes the uses of cryptoff by moving the AD forward
to fill the gap left by the IV. The AD is moved back after the
underlying AEAD processing is finished.
This is in fact better than the cryptoff solution because it allows
algorithms that use seqniv (i.e., GCM and CCM) to hash the whole
packet as a single piece, while cryptoff meant that there was
guaranteed to be a gap.
Herbert Xu [Sat, 23 May 2015 07:41:54 +0000 (15:41 +0800)]
crypto: echainiv - Stop using cryptoff
The cryptoff parameter was added to facilitate the skipping of
IVs that sit between the AD and the plain/cipher text. However,
it was never implemented correctly and we do not handle users
such as IPsec setting cryptoff. It is simply ignored.
Implementing it correctly is in fact more trouble than it's
worth.
This patch removes the uses of cryptoff and simply falls back
to using the old AEAD interface as it's only needed for old AEAD
implementations.
Herbert Xu [Sat, 23 May 2015 07:41:53 +0000 (15:41 +0800)]
crypto: aead - Do not set cra_type for new style instances
The function aead_geniv_alloc currently sets cra_type even for
new style instances. This is unnecessary and may hide bugs such
as when our caller uses crypto_register_instance instead of the
correct aead_register_instance.
Boris BREZILLON [Fri, 22 May 2015 13:33:47 +0000 (15:33 +0200)]
crypto: mv_cesa - request registers memory region
The mv_cesa driver does not request the CESA registers memory region.
Since we're about to add a new CESA driver, we need to make sure only one
of these drivers probes the CESA device, and requesting the registers memory
region is a good way to achieve that.
AEAD algorithm implementors need to figure out a given algorithm's
IV size and maximum authentication size. During the transition
this is difficult to do as an algorithm could be new style or old
style.
This patch creates two helpers to make this easier.
Herbert Xu [Thu, 21 May 2015 07:11:14 +0000 (15:11 +0800)]
crypto: seqiv - Add seqniv
This patch adds a new IV generator seqniv which is identical to
seqiv except that it skips the IV when authenticating. This is
intended to be used by algorithms such as rfc4106 that do the
IV authentication implicitly.
Note that the code used for seqniv is in fact identical to the
compatibility case for seqiv.
Herbert Xu [Thu, 21 May 2015 07:11:13 +0000 (15:11 +0800)]
crypto: seqiv - Add support for new AEAD interface
This patch converts the seqiv IV generator to work with the new
AEAD interface where IV generators are just normal AEAD algorithms.
Full backwards compatibility is paramount at this point since
no users have yet switched over to the new interface. Nor can
they switch to the new interface until IV generation is fully
supported by it.
So this means we are adding two versions of seqiv alongside the
existing one. The first one is the one that will be used when
the underlying AEAD algorithm has switched over to the new AEAD
interface. The second one handles the current case where the
underlying AEAD algorithm still uses the old interface.
Both versions export themselves through the new AEAD interface.
Herbert Xu [Thu, 21 May 2015 07:11:12 +0000 (15:11 +0800)]
crypto: scatterwalk - Check for same address in map_and_copy
This patch adds a check in scatterwalk_map_and_copy to avoid
copying from the same address to the same address. This is going
to be used for IV copying in AEAD IV generators.
There is no provision for partial overlaps.
This patch also uses the new scatterwalk_ffwd instead of doing
it by hand in scatterwalk_map_and_copy.
Herbert Xu [Thu, 21 May 2015 07:11:08 +0000 (15:11 +0800)]
crypto: aead - Add support for new AEAD implementations
This patch adds the basic structure of the new AEAD type. Unlike
the current version, there is no longer any concept of geniv. IV
generation will still be carried out by wrappers but they will be
normal AEAD algorithms that simply take the IPsec sequence number
as the IV.
Herbert Xu [Thu, 21 May 2015 07:11:02 +0000 (15:11 +0800)]
crypto: aead - Rename aead_alg to old_aead_alg
This patch is the first step in the introduction of a new AEAD
alg type. Unlike normal conversions this patch only renames the
existing aead_alg structure because there are external references
to it.
Those references will be removed after this patch.
Herbert Xu [Thu, 21 May 2015 07:11:01 +0000 (15:11 +0800)]
crypto: aead - Add new interface with single SG list
The primary user of AEAD, IPsec, includes the IV in the AD in
most cases, except where it is implicitly authenticated by the
underlying algorithm.
The way it is currently implemented is a hack because we pass
the data in piecemeal and the underlying algorithms try to stitch
them back up into one piece.
This is why this patch is adding a new interface that allows a
single SG list to be passed in that contains everything so the
algorithm implementors do not have to stitch.
The new interface accepts a single source SG list and a single
destination SG list. Both must be laid out as follows:
AD, skipped data, plain/cipher text, ICV
The ICV is not present from the source during encryption and from
the destination during decryption.
For the top-level IPsec AEAD algorithm the plain/cipher text will
contain the generated (or received) IV.
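An added C model (not kernel code; the aead_layout_* names and the treatment of cryptlen as the text length without the ICV are assumptions) of the layout rule above, computing where each part sits in the source and destination buffers for encryption and decryption:

```c
#include <stdbool.h>
#include <stddef.h>

/* One region of the single SG list; len == 0 means "not present". */
struct aead_region { size_t off, len; };

struct aead_layout {
    struct aead_region ad, skip, text, icv;
    size_t total;   /* bytes the buffer must provide */
};

/* Lay out 'AD, skipped data, plain/cipher text, ICV'. is_src selects the
 * source or destination buffer; the ICV is absent from the source on
 * encryption and from the destination on decryption. cryptlen is the text
 * length without the ICV (an assumption of this model). */
static struct aead_layout aead_layout_compute(bool is_src, bool encrypt,
        size_t assoclen, size_t skiplen, size_t cryptlen, size_t authsize)
{
    struct aead_layout l;
    bool has_icv = encrypt ? !is_src : is_src;

    l.ad.off = 0;                     l.ad.len = assoclen;
    l.skip.off = assoclen;            l.skip.len = skiplen;
    l.text.off = assoclen + skiplen;  l.text.len = cryptlen;
    l.icv.off = l.text.off + cryptlen;
    l.icv.len = has_icv ? authsize : 0;
    l.total = l.icv.off + l.icv.len;
    return l;
}

/* Check a caller-supplied buffer length against the layout: a buffer shorter
 * than 'total' would make the algorithm read or write past its end. */
static bool aead_buffer_fits(size_t buflen, bool is_src, bool encrypt,
        size_t assoclen, size_t skiplen, size_t cryptlen, size_t authsize)
{
    return buflen >= aead_layout_compute(is_src, encrypt, assoclen, skiplen,
                                         cryptlen, authsize).total;
}
```

The constructed numbers in the checks below (8-byte AD, 8-byte skipped IV, 64-byte text, 16-byte ICV) are an ESP-like shape, not values from the log.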
Herbert Xu [Thu, 21 May 2015 07:10:59 +0000 (15:10 +0800)]
crypto: scatterwalk - Add scatterwalk_ffwd helper
This patch adds the scatterwalk_ffwd helper which can create an
SG list that starts in the middle of an existing SG list. The
new list may either be part of the existing list or be a chain
that latches onto part of the existing list.
Herbert Xu [Thu, 21 May 2015 07:10:58 +0000 (15:10 +0800)]
crypto: pcrypt - Use crypto_grab_aead
As AEAD has switched over to using frontend types, the function
crypto_init_spawn must not be used since it does not specify a
frontend type. Otherwise it leads to a crash when the spawn is
used.
This patch fixes it by switching over to crypto_grab_aead instead.
Fixes: 5d1d65f8bea6 ("crypto: aead - Convert top level interface to new style")
Signed-off-by: Herbert Xu <[email protected]>
Herbert Xu [Thu, 21 May 2015 07:10:57 +0000 (15:10 +0800)]
crypto: cryptd - Use crypto_grab_aead
As AEAD has switched over to using frontend types, the function
crypto_init_spawn must not be used since it does not specify a
frontend type. Otherwise it leads to a crash when the spawn is
used.
This patch fixes it by switching over to crypto_grab_aead instead.
Fixes: 5d1d65f8bea6 ("crypto: aead - Convert top level interface to new style")
Signed-off-by: Herbert Xu <[email protected]>
crypto: s390/ghash - Fix incorrect ghash icv buffer handling.
Multithreaded tests showed that the icv buffer in the current ghash
implementation is not handled correctly. A move of this working ghash
buffer value to the descriptor context fixed this. Code is tested and
verified with a multithreaded application via the af_alg interface.
Gregory CLEMENT [Fri, 15 May 2015 12:25:43 +0000 (14:25 +0200)]
MAINTAINERS: Add dts entries for some of the Marvell SoCs
For many releases, the modifications of the mvebu and berlin device
tree files have been merged through the mvebu subsystem. This patch makes it
official in order to help the contributors using get_maintainer.pl
to find the right people.
At the same time, the mvebu description is updated; it now includes the
kirkwood SoCs and new Armada SoCs.
Horia Geantă [Mon, 11 May 2015 17:04:56 +0000 (20:04 +0300)]
crypto: talitos - static code checker fixes
- change req_ctx->nbuf from u64 to unsigned int to silence checker
warnings; this is safe since nbuf value is <= HASH_MAX_BLOCK_SIZE
- remove unused value read from TALITOS_CCPSR; there is no requirement
to read upper 32b before reading lower 32b of a 64b register;
SEC RM mentions: "reads can always be done by byte, word, or dword"
- remove unused return value of sg_to_link_tbl()
- change "len" parameter of map_single_talitos_ptr() and
to_talitos_ptr_len() to unsigned int; later, cpu_to_be16 will __force
downcast the value to unsigned short without any checker warning
The conversion to be16_add_cpu() is incorrect in case cryptlen is
negative due to premature (i.e. before addition / subtraction)
implicit conversion of cryptlen (int -> u16) leading to sign loss.
Horia Geantă [Mon, 11 May 2015 17:03:24 +0000 (20:03 +0300)]
crypto: talitos - avoid memleak in talitos_alg_alloc()
Cc: <[email protected]> # 3.2+
Fixes: 1d11911a8c57 ("crypto: talitos - fix warning: 'alg' may be used uninitialized in this function")
Signed-off-by: Horia Geanta <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>
Dan Carpenter [Mon, 11 May 2015 10:10:09 +0000 (13:10 +0300)]
crypto: talitos - fix size calculation in talitos_edesc_alloc()
The + operation has higher precedence than ?: so we need parentheses
here. Otherwise we may end up allocating a max of only one "cryptlen"
instead of two.
Fixes: 6f65f6ac5fb3 ('crypto: talitos - implement scatter/gather copy for SEC1')
Signed-off-by: Dan Carpenter <[email protected]>
Acked-by: Christophe Leroy <[email protected]>
Signed-off-by: Herbert Xu <[email protected]>