GitHub/moto-9609/android_kernel_motorola_exynos9610.git
9 years agolib: memzero_explicit: use barrier instead of OPTIMIZER_HIDE_VAR
mancha security [Wed, 18 Mar 2015 17:47:25 +0000 (18:47 +0100)]
lib: memzero_explicit: use barrier instead of OPTIMIZER_HIDE_VAR

OPTIMIZER_HIDE_VAR(), as defined when using gcc, is insufficient to
ensure protection from dead store optimization.

For the random driver and crypto drivers, calls are emitted ...

  $ gdb vmlinux
  (gdb) disassemble memzero_explicit
  Dump of assembler code for function memzero_explicit:
    0xffffffff813a18b0 <+0>: push   %rbp
    0xffffffff813a18b1 <+1>: mov    %rsi,%rdx
    0xffffffff813a18b4 <+4>: xor    %esi,%esi
    0xffffffff813a18b6 <+6>: mov    %rsp,%rbp
    0xffffffff813a18b9 <+9>: callq  0xffffffff813a7120 <memset>
    0xffffffff813a18be <+14>: pop    %rbp
    0xffffffff813a18bf <+15>: retq
  End of assembler dump.

  (gdb) disassemble extract_entropy
  [...]
    0xffffffff814a5009 <+313>: mov    %r12,%rdi
    0xffffffff814a500c <+316>: mov    $0xa,%esi
    0xffffffff814a5011 <+321>: callq  0xffffffff813a18b0 <memzero_explicit>
    0xffffffff814a5016 <+326>: mov    -0x48(%rbp),%rax
  [...]

... but in case in future we might use facilities such as LTO, then
OPTIMIZER_HIDE_VAR() is not sufficient to protect gcc from a possible
eviction of the memset(). We have to use a compiler barrier instead.

Minimal test example when we assume memzero_explicit() would *not* be
a call, but would have been *inlined* instead:

  static inline void memzero_explicit(void *s, size_t count)
  {
    memset(s, 0, count);
    <foo>
  }

  int main(void)
  {
    char buff[20];

    snprintf(buff, sizeof(buff) - 1, "test");
    printf("%s", buff);

    memzero_explicit(buff, sizeof(buff));
    return 0;
  }

With <foo> := OPTIMIZER_HIDE_VAR():

  (gdb) disassemble main
  Dump of assembler code for function main:
  [...]
   0x0000000000400464 <+36>: callq  0x400410 <printf@plt>
   0x0000000000400469 <+41>: xor    %eax,%eax
   0x000000000040046b <+43>: add    $0x28,%rsp
   0x000000000040046f <+47>: retq
  End of assembler dump.

With <foo> := barrier():

  (gdb) disassemble main
  Dump of assembler code for function main:
  [...]
   0x0000000000400464 <+36>: callq  0x400410 <printf@plt>
   0x0000000000400469 <+41>: movq   $0x0,(%rsp)
   0x0000000000400471 <+49>: movq   $0x0,0x8(%rsp)
   0x000000000040047a <+58>: movl   $0x0,0x10(%rsp)
   0x0000000000400482 <+66>: xor    %eax,%eax
   0x0000000000400484 <+68>: add    $0x28,%rsp
   0x0000000000400488 <+72>: retq
  End of assembler dump.

As can be seen, movq, movq, movl are being emitted inlined
via memset().

Reference: http://thread.gmane.org/gmane.linux.kernel.cryptoapi/13764/
Fixes: d4c5efdb9777 ("random: add and use memzero_explicit() for clearing data")
Cc: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: mancha security <mancha1@zoho.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: core - allow perfect entropy from hardware devices
Keith Packard [Wed, 18 Mar 2015 07:17:00 +0000 (00:17 -0700)]
hwrng: core - allow perfect entropy from hardware devices

Hardware random number quality is measured from 0 (no entropy) to 1024
(perfect entropy). Allow hardware devices to assert the full range by
truncating the device-provided value at 1024 instead of 1023.

Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agolinux-next: build failure after merge of the crypto tree
Herbert Xu [Tue, 17 Mar 2015 11:11:31 +0000 (22:11 +1100)]
linux-next: build failure after merge of the crypto tree

crypto: img-hash - Add missing semicolon to fix build error

There is a missing semicolon after MODULE_DEVICE_TABLE.

Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: omap - Change RNG_CONFIG_REG to RNG_CONTROL_REG in init
Andre Wolokita [Mon, 16 Mar 2015 01:54:50 +0000 (12:54 +1100)]
hwrng: omap - Change RNG_CONFIG_REG to RNG_CONTROL_REG in init

omap4_rng_init() checks bit 10 of the RNG_CONFIG_REG to determine whether
the RNG is already running before performing any initiliasation. This is not
the correct register to check, as the enable bit is in RNG_CONFIG_CONTROL.
Read from RNG_CONTROL_REG instead.

Signed-off-by: Andre Wolokita <Andre.Wolokita@analog.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: omap - Change RNG_CONFIG_REG to RNG_CONTROL_REG when checking and disabling...
Andre Wolokita [Sun, 15 Mar 2015 23:19:11 +0000 (10:19 +1100)]
hwrng: omap - Change RNG_CONFIG_REG to RNG_CONTROL_REG when checking and disabling TRNG

In omap4_rng_init(), a check of bit 10 of the RNG_CONFIG_REG is done to determine
whether the RNG is running. This is suspicious firstly due to the use of
RNG_CONTROL_ENABLE_TRNG_MASK and secondly because the same mask is written to
RNG_CONTROL_REG after configuration of the FROs. Similar suspicious logic is
repeated in omap4_rng_cleanup() when RNG_CONTROL_REG masked with
RNG_CONTROL_ENABLE_TRNG_MASK is read, the same mask bit is cleared, and then
written to RNG_CONFIG_REG. Unless the TRNG is enabled with one bit in RNG_CONTROL
and disabled with another in RNG_CONFIG and these bits are mirrored in some way,
I believe that the TRNG is not really shutting off.

Apart from the strange logic, I have reason to suspect that the OMAP4 related
code in this driver is driving an Inside Secure IP hardware RNG and strongly
suspect that bit 10 of RNG_CONFIG_REG is one of the bits configuring the
sampling rate of the FROs. This option is by default set to 0 and is not being
set anywhere in omap-rng.c. Reading this bit during omap4_rng_init() will
always return 0. It will remain 0 because ~(value of TRNG_MASK in control) will
always be 0, because the TRNG is never shut off. This is of course presuming
that the OMAP4 features the Inside Secure IP.

I'm interested in knowing what the guys at TI think about this, as only they
can confirm or deny the detailed structure of these registers.

Signed-off-by: Andre Wolokita <Andre.Wolokita@analog.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: sha1-mb - Syntax error
Ameen Ali [Fri, 13 Mar 2015 21:38:21 +0000 (23:38 +0200)]
crypto: sha1-mb - Syntax error

fixing a syntax-error .

Signed-off-by: Ameen Ali <AmeenAli023@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: algif_rng - zeroize buffer with random data
Stephan Mueller [Fri, 13 Mar 2015 10:44:07 +0000 (11:44 +0100)]
crypto: algif_rng - zeroize buffer with random data

Due to the change to RNGs to always return zero in success case, the RNG
interface must zeroize the buffer with the length provided by the
caller.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agoDocumentation: crypto: Add DT binding info for the img hw hash accelerator
James Hartley [Thu, 12 Mar 2015 23:17:27 +0000 (23:17 +0000)]
Documentation: crypto: Add DT binding info for the img hw hash accelerator

This adds the binding documentation for the Imagination Technologies hash
accelerator that provides hardware acceleration for SHA1/SHA224/SHA256/MD5
hashes.  This hardware will be present in the upcoming pistachio SoC.

Signed-off-by: James Hartley <james.hartley@imgtec.com>
Reviewed-by: Andrew Bresticker <abrestic@chromium.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: img-hash - Add Imagination Technologies hw hash accelerator
James Hartley [Thu, 12 Mar 2015 23:17:26 +0000 (23:17 +0000)]
crypto: img-hash - Add Imagination Technologies hw hash accelerator

This adds support for the Imagination Technologies hash accelerator which
provides hardware acceleration for SHA1 SHA224 SHA256 and MD5 hashes.

Signed-off-by: James Hartley <james.hartley@imgtec.com>
Reviewed-by: Andrew Bresticker <abrestic@chromium.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: iproc-rng200 - make use of devm_hwrng_register
Dmitry Torokhov [Thu, 12 Mar 2015 21:00:07 +0000 (14:00 -0700)]
hwrng: iproc-rng200 - make use of devm_hwrng_register

This allows us to get rid of driver's remove() method.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: iproc-rng200 - do not use static structure
Dmitry Torokhov [Thu, 12 Mar 2015 21:00:06 +0000 (14:00 -0700)]
hwrng: iproc-rng200 - do not use static structure

Instead of using static hwrng structure that is reused between
binds/unbinds of the device let's embed it into driver's private
structure that we allocate. This way we are guaranteed not to stumble
onto something left from previous bind attempt.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: msm - make use of devm_hwrng_register
Dmitry Torokhov [Thu, 12 Mar 2015 21:00:05 +0000 (14:00 -0700)]
hwrng: msm - make use of devm_hwrng_register

This allows us to get rid of remove() method.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: exynos - make use of devm_hwrng_register
Dmitry Torokhov [Thu, 12 Mar 2015 21:00:04 +0000 (14:00 -0700)]
hwrng: exynos - make use of devm_hwrng_register

This allows us to get rid of remove() method.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: bcm63xx - make use of devm_hwrng_register
Dmitry Torokhov [Thu, 12 Mar 2015 21:00:03 +0000 (14:00 -0700)]
hwrng: bcm63xx - make use of devm_hwrng_register

This change converts bcm63xx-rng to use devm* API for managing all
resources, which allows us to dispense with the rest of error handling
path and remove() function. Also we combine hwern and driver-private
data into a single allocation, use clk_prepare_enable() instead
of "naked" clk_enable() and move clock enabling/disabling into hwrnd
inti(0 and cleanup() methods so the clock stays off until rng is
used.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: add devm_* interfaces
Dmitry Torokhov [Thu, 12 Mar 2015 21:00:02 +0000 (14:00 -0700)]
hwrng: add devm_* interfaces

This change adds devm_hwrng_register and devm_hwrng_unregister which
use can simplify error unwinding and unbinding code paths in device
drivers.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: don't export static symbol
Julia Lawall [Wed, 11 Mar 2015 16:56:26 +0000 (17:56 +0100)]
crypto: don't export static symbol

The semantic patch that fixes this problem is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@r@
type T;
identifier f;
@@

static T f (...) { ... }

@@
identifier r.f;
declarer name EXPORT_SYMBOL_GPL;
@@

-EXPORT_SYMBOL_GPL(f);
// </smpl>

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: testmgr - fix RNG return code enforcement
Stephan Mueller [Tue, 10 Mar 2015 16:00:36 +0000 (17:00 +0100)]
crypto: testmgr - fix RNG return code enforcement

Due to the change to RNGs to always return zero in success case, the
invocation of the RNGs in the test manager must be updated as otherwise
the RNG self tests are not properly executed any more.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Alexander Bergmann <abergmann@suse.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agolinux-next: Tree for Mar 11 (powerpc build failure due to vmx crypto code)
Herbert Xu [Thu, 12 Mar 2015 03:28:29 +0000 (14:28 +1100)]
linux-next: Tree for Mar 11 (powerpc build failure due to vmx crypto code)

crypto: vmx - Fix assembler perl to use _GLOBAL

Rather than doing things by hand for global symbols to deal with
different calling conventions we already have a macro _GLOBAL in
Linux to handle this.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Guenter Roeck <linux@roeck-us.net>
9 years agohwrng: omap - remove #ifdefery around PM methods
Dmitry Torokhov [Wed, 11 Mar 2015 21:08:36 +0000 (14:08 -0700)]
hwrng: omap - remove #ifdefery around PM methods

Instead of using #ifdefs let's mark suspend and resume methods as
__maybe_unused which will suppress compiler warnings about them being
unused and provide better compile coverage.

Because SIMPLE_DEV_PM_OPS() produces an empty omap_rng_pm structure in
case of !CONFIG_PM_SLEEP neither omap_rng_suspend nor omap_rng_resume
will end up being referenced and the change will not result in
increasing image size.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: arm - add support for GHASH using ARMv8 Crypto Extensions
Ard Biesheuvel [Tue, 10 Mar 2015 08:47:48 +0000 (09:47 +0100)]
crypto: arm - add support for GHASH using ARMv8 Crypto Extensions

This implements the GHASH hash algorithm (as used by the GCM AEAD
chaining mode) using the AArch32 version of the 64x64 to 128 bit
polynomial multiplication instruction (vmull.p64) that is part of
the ARMv8 Crypto Extensions.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: arm - AES in ECB/CBC/CTR/XTS modes using ARMv8 Crypto Extensions
Ard Biesheuvel [Tue, 10 Mar 2015 08:47:47 +0000 (09:47 +0100)]
crypto: arm - AES in ECB/CBC/CTR/XTS modes using ARMv8 Crypto Extensions

This implements the ECB, CBC, CTR and XTS asynchronous block ciphers
using the AArch32 versions of the ARMv8 Crypto Extensions for AES.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: arm - add support for SHA-224/256 using ARMv8 Crypto Extensions
Ard Biesheuvel [Tue, 10 Mar 2015 08:47:46 +0000 (09:47 +0100)]
crypto: arm - add support for SHA-224/256 using ARMv8 Crypto Extensions

This implements the SHA-224/256 secure hash algorithm using the AArch32
versions of the ARMv8 Crypto Extensions for SHA2.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: arm - add support for SHA1 using ARMv8 Crypto Instructions
Ard Biesheuvel [Tue, 10 Mar 2015 08:47:45 +0000 (09:47 +0100)]
crypto: arm - add support for SHA1 using ARMv8 Crypto Instructions

This implements the SHA1 secure hash algorithm using the AArch32
versions of the ARMv8 Crypto Extensions for SHA1.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: arm - move ARM specific Kconfig definitions to a dedicated file
Ard Biesheuvel [Tue, 10 Mar 2015 08:47:44 +0000 (09:47 +0100)]
crypto: arm - move ARM specific Kconfig definitions to a dedicated file

This moves all Kconfig symbols defined in crypto/Kconfig that depend
on CONFIG_ARM to a dedicated Kconfig file in arch/arm/crypto, which is
where the code that implements those features resides as well.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: amcc - remove incorrect __init/__exit markups
Dmitry Torokhov [Mon, 9 Mar 2015 20:35:39 +0000 (13:35 -0700)]
crypto: amcc - remove incorrect __init/__exit markups

Even if bus is not hot-pluggable, the devices can be bound and unbound
from the driver via sysfs, so we should not be using __init/__exit
annotations on probe() and remove() methods. The only exception is
drivers registered with platform_driver_probe() which specifically
disables sysfs bind/unbind attributes.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: qat - remove incorrect __exit markup
Dmitry Torokhov [Mon, 9 Mar 2015 20:25:49 +0000 (13:25 -0700)]
crypto: qat - remove incorrect __exit markup

PCI bus is hot-pluggable, and even if it wasn't one can still unbind the
device from driver via sysfs, so we should not make driver's remove
method as __exit.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: pseries - remove incorrect __init/__exit markups
Dmitry Torokhov [Mon, 9 Mar 2015 17:36:38 +0000 (10:36 -0700)]
hwrng: pseries - remove incorrect __init/__exit markups

Even if bus is not hot-pluggable, the devices can be unbound from the
driver via sysfs, so we should not be using __exit annotations on
remove() methods. The only exception is drivers registered with
platform_driver_probe() which specifically disables sysfs bind/unbind
attributes.

Similarly probe() methods should not be marked __init unless
platform_driver_probe() is used.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: octeon - remove incorrect __exit markups
Dmitry Torokhov [Mon, 9 Mar 2015 17:36:37 +0000 (10:36 -0700)]
hwrng: octeon - remove incorrect __exit markups

Even if bus is not hot-pluggable, the devices can be unbound from the
driver via sysfs, so we should not be using __exit annotations on
remove() methods. The only exception is drivers registered with
platform_driver_probe() which specifically disables sysfs bind/unbind
attributes

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: omap - remove incorrect __exit markups
Dmitry Torokhov [Mon, 9 Mar 2015 17:36:35 +0000 (10:36 -0700)]
hwrng: omap - remove incorrect __exit markups

Even if bus is not hot-pluggable, the devices can be unbound from the
driver via sysfs, so we should not be using __exit annotations on
remove() methods. The only exception is drivers registered with
platform_driver_probe() which specifically disables sysfs bind/unbind
attributes.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: tcrypt - fix uninit sg entries in test_acipher_speed
Horia Geant? [Mon, 9 Mar 2015 14:14:58 +0000 (16:14 +0200)]
crypto: tcrypt - fix uninit sg entries in test_acipher_speed

Commit 5be4d4c94b1f ("crypto: replace scatterwalk_sg_next with sg_next")
did not consider the fact that scatterwalk_sg_next() was looking at
sg entry length, while sg_next() looks at the "chained" sg bit.

This should have no effect in theory. However in practice, there are
cases where the sg table is initialized to a number of entries and
some of them are not properly configured. While scatterwalk_sg_next()
would have returned NULL (since sg length = 0 and sg page_link = 0),
sg_next() happily returns the next unconfigured sg entry.

insmod tcrypt.ko mode=500 sec=1

testing speed of async cbc(aes) (cbc-aes-talitos) encryption
test 0 (128 bit key, 16 byte blocks):
Unable to handle kernel paging request for data at address 0x00000000
Faulting instruction address: 0xc00d79e4
Oops: Kernel access of bad area, sig: 11 [#1]
SMP NR_CPUS=8 P1022 DS
Modules linked in: tcrypt(+) talitos
CPU: 0 PID: 2670 Comm: insmod Not tainted 4.0.0-rc1-QorIQ-SDK-V1.6+g904f1ca82209 #1
task: e8de3200 ti: e70bc000 task.ti: e70bc000
NIP: c00d79e4 LR: f92d223c CTR: c00d79c8
REGS: e70bda00 TRAP: 0300   Not tainted  (4.0.0-rc1-QorIQ-SDK-V1.6+g904f1ca82209)
MSR: 00029000 <CE,EE,ME>  CR: 84428f22  XER: 00000000
DEAR: 00000000 ESR: 00000000
GPR00: f92d223c e70bdab0 e8de3200 00000000 e70bdbb8 00000001 00000000 00000000
GPR08: 00000000 00000000 c08b0380 27282010 c00d79c8 1003a634 00000000 e70bdf1c
GPR16: e70bdef0 00000020 00000000 c08c0000 00000010 00000000 e70bdbb8 00000010
GPR24: e976d3a8 00000010 00000000 e70bdbd8 e8961010 00000001 c086e560 00000000
NIP [c00d79e4] page_address+0x1c/0x110
LR [f92d223c] talitos_map_sg+0x130/0x184 [talitos]
Call Trace:
[e70bdab0] [00000010] 0x10 (unreliable)
[e70bdad0] [f92d223c] talitos_map_sg+0x130/0x184 [talitos]
[e70bdb00] [f92d30d8] common_nonsnoop.constprop.13+0xc0/0x304 [talitos]
[e70bdb30] [f933fd90] test_acipher_speed+0x434/0x7dc [tcrypt]
[e70bdcc0] [f934318c] do_test+0x2478/0x306c [tcrypt]
[e70bdd80] [f11fe058] tcrypt_mod_init+0x58/0x100 [tcrypt]
[e70bdda0] [c0002354] do_one_initcall+0x90/0x1f4
[e70bde10] [c061fe00] do_init_module+0x60/0x1ac
[e70bde30] [c00a79f0] load_module+0x185c/0x1f88
[e70bdee0] [c00a82b0] SyS_finit_module+0x7c/0x98
[e70bdf40] [c000e8b0] ret_from_syscall+0x0/0x3c

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: octeon - enable OCTEON SHA1/256/512 module selection
Aaro Koskinen [Sun, 8 Mar 2015 20:07:47 +0000 (22:07 +0200)]
crypto: octeon - enable OCTEON SHA1/256/512 module selection

Enable user to select OCTEON SHA1/256/512 modules.

Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: octeon - add SHA512 module
Aaro Koskinen [Sun, 8 Mar 2015 20:07:46 +0000 (22:07 +0200)]
crypto: octeon - add SHA512 module

Add OCTEON SHA512 module.

Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: octeon - add SHA256 module
Aaro Koskinen [Sun, 8 Mar 2015 20:07:45 +0000 (22:07 +0200)]
crypto: octeon - add SHA256 module

Add OCTEON SHA256 module.

Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: octeon - add SHA1 module
Aaro Koskinen [Sun, 8 Mar 2015 20:07:44 +0000 (22:07 +0200)]
crypto: octeon - add SHA1 module

Add OCTEON SHA1 module.

Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: octeon - add instruction definitions for SHA1/256/512
Aaro Koskinen [Sun, 8 Mar 2015 20:07:43 +0000 (22:07 +0200)]
crypto: octeon - add instruction definitions for SHA1/256/512

Add instruction definitions for SHA1/256/512.

Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: octeon - always disable preemption when using crypto engine
Aaro Koskinen [Sun, 8 Mar 2015 20:07:42 +0000 (22:07 +0200)]
crypto: octeon - always disable preemption when using crypto engine

Always disable preemption on behalf of the drivers when crypto engine
is taken into use. This will simplify the usage.

Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: octeon - don't disable bottom half in octeon-md5
Aaro Koskinen [Sun, 8 Mar 2015 20:07:41 +0000 (22:07 +0200)]
crypto: octeon - don't disable bottom half in octeon-md5

Don't disable bottom half while the crypto engine is in use, as it
should be unnecessary: All kernel crypto engine usage is wrapped with
crypto engine state save/restore, so if we get interrupted by softirq
that uses crypto they should save and restore our context.

This actually fixes an issue when running OCTEON MD5 with interrupts
disabled (tcrypt mode=302). There's a WARNING because the module is
trying to enable the bottom half with irqs disabled:

[   52.656610] ------------[ cut here ]------------
[   52.661439] WARNING: CPU: 1 PID: 428 at /home/aaro/git/linux/kernel/softirq.c:150 __local_bh_enable_ip+0x9c/0xd8()
[   52.671780] Modules linked in: tcrypt(+)
[...]
[   52.763539] [<ffffffff8114082c>] warn_slowpath_common+0x94/0xd8
[   52.769465] [<ffffffff81144614>] __local_bh_enable_ip+0x9c/0xd8
[   52.775390] [<ffffffff81119574>] octeon_md5_final+0x12c/0x1e8
[   52.781144] [<ffffffff81337050>] shash_compat_digest+0xd0/0x1b0

Signed-off-by: Aaro Koskinen <aaro.koskinen@iki.fi>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: powerpc - move files to fix build error
Kim Phillips [Sat, 7 Mar 2015 00:46:21 +0000 (18:46 -0600)]
crypto: powerpc - move files to fix build error

The current cryptodev-2.6 tree commits:

d9850fc529ef ("crypto: powerpc/sha1 - kernel config")
50ba29aaa7b0 ("crypto: powerpc/sha1 - glue")

failed to properly place files under arch/powerpc/crypto, which
leads to build errors:

make[1]: *** No rule to make target 'arch/powerpc/crypto/sha1-spe-asm.o', needed by 'arch/powerpc/crypto/sha1-ppc-spe.o'.  Stop.
make[1]: *** No rule to make target 'arch/powerpc/crypto/sha1_spe_glue.o', needed by 'arch/powerpc/crypto/sha1-ppc-spe.o'.  Stop.
Makefile:947: recipe for target 'arch/powerpc/crypto' failed

Move the two sha1 spe files under crypto/, and whilst there, rename
other powerpc crypto files with underscores to use dashes for
consistency.

Cc: Markus Stockhausen <stockhausen@collogia.de>
Signed-off-by: Kim Phillips <kim.phillips@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: xgene - add ACPI support for APM X-Gene RNG unit
Feng Kan [Fri, 6 Mar 2015 22:53:15 +0000 (14:53 -0800)]
hwrng: xgene - add ACPI support for APM X-Gene RNG unit

This adds ACPI support for APM X-Gene RNG unit.

Signed-off-by: Feng Kan <fkan@apm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agoMAINTAINERS: add crypto-API.tmpl
Stephan Mueller [Fri, 6 Mar 2015 20:36:21 +0000 (21:36 +0100)]
MAINTAINERS: add crypto-API.tmpl

The file Documentation/DocBook/crypto-API.tmpl documents the kernel
crypto API and is maintained.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: doc - AEAD / RNG AF_ALG interface
Stephan Mueller [Fri, 6 Mar 2015 20:34:22 +0000 (21:34 +0100)]
crypto: doc - AEAD / RNG AF_ALG interface

The patch moves the information provided in
Documentation/crypto/crypto-API-userspace.txt into a separate chapter in
the kernel crypto API DocBook. Some corrections are applied (such as
removing a reference to Netlink when the AF_ALG socket is referred to).

In addition, the AEAD and RNG interface description is now added.

Also, a brief description of the zero-copy interface with an example
code snippet is provided.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: rng - RNGs must return 0 in success case
Stephan Mueller [Fri, 6 Mar 2015 07:26:31 +0000 (08:26 +0100)]
crypto: rng - RNGs must return 0 in success case

Change the RNGs to always return 0 in success case.

This patch ensures that seqiv.c works with RNGs other than krng. seqiv
expects that any return code other than 0 is an error. Without the
patch, rfc4106(gcm(aes)) will not work when using a DRBG or an ANSI
X9.31 RNG.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: caam - fix rng_unmap_ctx's DMA_UNMAP size problem
Yanjiang Jin [Fri, 6 Mar 2015 02:34:42 +0000 (10:34 +0800)]
hwrng: caam - fix rng_unmap_ctx's DMA_UNMAP size problem

Fix rng_unmap_ctx's DMA_UNMAP size problem for caam_rng, else system would
report the below calltrace during cleanup caam_rng.
Since rng_create_sh_desc() creates a fixed descriptor of exactly 4
command-lengths now, also update DESC_RNG_LEN to (4 * CAAM_CMD_SZ).

caam_jr ffe301000.jr: DMA-API: device driver frees DMA memory with different size [device address=0x000000007f080010] [map size=16 bytes] [unmap size=40 bytes]
------------[ cut here ]------------
WARNING: at lib/dma-debug.c:887
Modules linked in:
task: c0000000f7cdaa80 ti: c0000000e5340000 task.ti: c0000000e5340000
NIP: c0000000004f5bc8 LR: c0000000004f5bc4 CTR: c0000000005f69b0
REGS: c0000000e53433c0 TRAP: 0700   Not tainted
MSR: 0000000080029000 <CE,EE,ME>  CR: 24088482  XER: 00000000
SOFTE: 0

GPR00: c0000000004f5bc4 c0000000e5343640 c0000000012af360 000000000000009f
GPR04: 0000000000000000 00000000000000a0 c000000000d02070 c000000015980660
GPR08: c000000000cff360 0000000000000000 0000000000000000 c0000000012da018
GPR12: 00000000000001e3 c000000001fff780 00000000100f0000 0000000000000001
GPR16: 0000000000000002 0000000000000000 0000000000000000 0000000000000000
GPR20: 0000000000000000 0000000000000000 ffffffffffffffff 0000000000000001
GPR24: 0000000000000001 0000000000000001 0000000000000000 0000000000000001
GPR28: c000000001556b90 c000000001565b80 c0000000e5343750 c0000000f9427480
NIP [c0000000004f5bc8] .check_unmap+0x538/0x9c0
LR [c0000000004f5bc4] .check_unmap+0x534/0x9c0
Call Trace:
[c0000000e5343640] [c0000000004f5bc4] .check_unmap+0x534/0x9c0 (unreliable)
[c0000000e53436e0] [c0000000004f60d4] .debug_dma_unmap_page+0x84/0xb0
[c0000000e5343810] [c00000000082f9d4] .caam_cleanup+0x1d4/0x240
[c0000000e53438a0] [c00000000056cc88] .hwrng_unregister+0xd8/0x1c0
Instruction dump:
7c641b78 41de0410 e8a90050 2fa50000 419e0484 e8de0028 e8ff0030 3c62ff90
e91e0030 38638388 48546ed9 60000000 <0fe000003c62ff8f 38637fc8 48546ec5
---[ end trace e43fd1734d6600df ]---

Signed-off-by: Yanjiang Jin <yanjiang.jin@windriver.com>
Acked-by: Kim Phillips <kim.phillips@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: caam - fix uninitialized edesc->sec4_sg_bytes field
Yanjiang Jin [Fri, 6 Mar 2015 02:34:41 +0000 (10:34 +0800)]
crypto: caam - fix uninitialized edesc->sec4_sg_bytes field

sec4_sg_bytes not being properly initialized causes ahash_done
to try to free unallocated DMA memory:

caam_jr ffe301000.jr: DMA-API: device driver tries to free DMA memory it has not allocated [device address=0xdeadbeefdeadbeef] [size=3735928559 bytes]
------------[ cut here ]------------
WARNING: at lib/dma-debug.c:1093
Modules linked in:
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.0.0-rc1+ #6
task: e9598c00 ti: effca000 task.ti: e95a2000
NIP: c04ef24c LR: c04ef24c CTR: c0549730
REGS: effcbd40 TRAP: 0700   Not tainted  (4.0.0-rc1+)
MSR: 00029002 <CE,EE,ME>  CR: 22008084  XER: 20000000

GPR00: c04ef24c effcbdf0 e9598c00 00000096 c08f7424 c00ab2b0 00000000 00000001
GPR08: c0fe7510 effca000 00000000 000001c3 22008082 00000000 c1048e77 c1050000
GPR16: c0c36700 493c0040 0000002c e690e4a0 c1054fb4 c18bac40 00029002 c18b0788
GPR24: 00000014 e690e480 effcbe48 00000000 c0fde128 e6ffac10 deadbeef deadbeef
NIP [c04ef24c] check_unmap+0x93c/0xb40
LR [c04ef24c] check_unmap+0x93c/0xb40
Call Trace:
[effcbdf0] [c04ef24c] check_unmap+0x93c/0xb40 (unreliable)
[effcbe40] [c04ef4f4] debug_dma_unmap_page+0xa4/0xc0
[effcbec0] [c070cda8] ahash_done+0x128/0x1a0
[effcbef0] [c0700070] caam_jr_dequeue+0x1d0/0x290
[effcbf40] [c0045f40] tasklet_action+0x110/0x1f0
[effcbf80] [c0044bc8] __do_softirq+0x188/0x700
[effcbfe0] [c00455d8] irq_exit+0x108/0x120
[effcbff0] [c000f520] call_do_irq+0x24/0x3c
[e95a3e20] [c00059b8] do_IRQ+0xc8/0x170
[e95a3e50] [c0011bc8] ret_from_except+0x0/0x18

Signed-off-by: Yanjiang Jin <yanjiang.jin@windriver.com>
Acked-by: Kim Phillips <kim.phillips@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: iproc-rng200 - Add Broadcom IPROC RNG driver
Scott Branden [Wed, 4 Mar 2015 20:42:14 +0000 (12:42 -0800)]
hwrng: iproc-rng200 - Add Broadcom IPROC RNG driver

This adds a driver for random number generator present on Broadcom
IPROC devices.

Reviewed-by: Ray Jui <rjui@broadcom.com>
Signed-off-by: Scott Branden <sbranden@broadcom.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: iproc-rng200 - Add device tree bindings
Scott Branden [Wed, 4 Mar 2015 20:42:13 +0000 (12:42 -0800)]
hwrng: iproc-rng200 - Add device tree bindings

Documents the IPROC random number generator device tree bindings
used in some Broadcom chipsets.

Reviewed-by: Ray Jui <rjui@broadcom.com>
Signed-off-by: Scott Branden <sbranden@broadcom.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: ux500 - Update error message for dmaengine_prep_slave_sg() API
Geert Uytterhoeven [Wed, 4 Mar 2015 09:19:30 +0000 (10:19 +0100)]
crypto: ux500 - Update error message for dmaengine_prep_slave_sg() API

Commit 7e933d3b1e25b250 ("crypto: ux500: use dmaengine_prep_slave_sg
API") changed the code to use the new API, but forgot to update an error
message.

Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: talitos - Remove MD5_BLOCK_SIZE
Martin Hicks [Tue, 3 Mar 2015 13:21:34 +0000 (08:21 -0500)]
crypto: talitos - Remove MD5_BLOCK_SIZE

This is properly defined in the md5 header file.

Signed-off-by: Martin Hicks <mort@bork.org>
Acked-by: Kim Phillips <kim.phillips@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: talitos - Simplify per-channel initialization
Martin Hicks [Tue, 3 Mar 2015 13:21:33 +0000 (08:21 -0500)]
crypto: talitos - Simplify per-channel initialization

There were multiple loops in a row, for each separate step of the
initialization of the channels.  Simplify to a single loop.

Signed-off-by: Martin Hicks <mort@bork.org>
Acked-by: Kim Phillips <kim.phillips@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: drbg - remove superflowous memsets
Stephan Mueller [Sun, 1 Mar 2015 19:40:17 +0000 (20:40 +0100)]
crypto: drbg - remove superflowous memsets

The DRBG code contains memset(0) calls to initialize a varaible
that are not necessary as the variable is always overwritten by
the processing.

This patch increases the CTR and Hash DRBGs by about 5%.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: drbg - use single block cipher API
Stephan Mueller [Sun, 1 Mar 2015 19:39:17 +0000 (20:39 +0100)]
crypto: drbg - use single block cipher API

The CTR DRBG only encrypts one single block at a time. Thus, use the
single block crypto API to avoid additional overhead from the block
chaining modes.

With the patch, the speed of the DRBG increases between 30% and 40%.

The DRBG still passes the CTR DRBG CAVS test.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: powerpc/md5 - kernel config
Markus Stockhausen [Sun, 1 Mar 2015 18:30:46 +0000 (19:30 +0100)]
crypto: powerpc/md5 - kernel config

Integrate the module into the kernel config tree.

Signed-off-by: Markus Stockhausen <stockhausen@collogia.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: powerpc/md5 - glue
Markus Stockhausen [Sun, 1 Mar 2015 18:30:41 +0000 (19:30 +0100)]
crypto: powerpc/md5 - glue

Glue code for crypto infrastructure. Call the assembler
code where required. Take a little care about small input
data. Kick out early for input chunks < 64 bytes and replace
memset for context cleanup with simple loop.

Signed-off-by: Markus Stockhausen <stockhausen@collogia.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: powerpc/md5 - assembler
Markus Stockhausen [Sun, 1 Mar 2015 18:30:35 +0000 (19:30 +0100)]
crypto: powerpc/md5 - assembler

This is the assembler code for the MD5 implementation.
Handling of algorithm constants has been slightly
changed to reduce register usage and make better use
of cores with multiple ALUs. Thus they are stored as
delta values.

Signed-off-by: Markus Stockhausen <stockhausen@collogia.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: atmel - fix typo in dev_err error message
Colin Ian King [Sat, 28 Feb 2015 20:40:10 +0000 (20:40 +0000)]
crypto: atmel - fix typo in dev_err error message

Fix typo, "intialization" -> "initialization"

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: algif - enable AEAD interface compilation
Stephan Mueller [Sat, 28 Feb 2015 19:50:40 +0000 (20:50 +0100)]
crypto: algif - enable AEAD interface compilation

Enable compilation of the AEAD AF_ALG support and provide a Kconfig
option to compile the AEAD AF_ALG support.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: algif - add AEAD support
Stephan Mueller [Sat, 28 Feb 2015 19:50:00 +0000 (20:50 +0100)]
crypto: algif - add AEAD support

This patch adds the AEAD support for AF_ALG.

The implementation is based on algif_skcipher, but contains heavy
modifications to streamline the interface for AEAD uses.

To use AEAD, the user space consumer has to use the salg_type named
"aead".

The AEAD implementation includes some overhead to calculate the size of
the ciphertext, because the AEAD implementation of the kernel crypto API
makes implied assumption on the location of the authentication tag. When
performing an encryption, the tag will be added to the created
ciphertext (note, the tag is placed adjacent to the ciphertext). For
decryption, the caller must hand in the ciphertext with the tag appended
to the ciphertext. Therefore, the selection of the used memory
needs to add/subtract the tag size from the source/destination buffers
depending on the encryption type. The code is provided with comments
explaining when and how that operation is performed.

A fully working example using all aspects of AEAD is provided at
http://www.chronox.de/libkcapi.html

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: doc - describe internal structure
Stephan Mueller [Fri, 27 Feb 2015 19:00:00 +0000 (20:00 +0100)]
crypto: doc - describe internal structure

The kernel crypto API has many indirections which warrant a description
as otherwise one can get easily lost. The description explains the
layers of the kernel crypto API based on examples.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: powerpc/sha1 - kernel config
Markus Stockhausen [Tue, 24 Feb 2015 19:36:50 +0000 (20:36 +0100)]
crypto: powerpc/sha1 - kernel config

Integrate the module into the kernel config tree.

Signed-off-by: Markus Stockhausen <stockhausen@collogia.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: powerpc/sha1 - glue
Markus Stockhausen [Tue, 24 Feb 2015 19:36:45 +0000 (20:36 +0100)]
crypto: powerpc/sha1 - glue

Glue code for crypto infrastructure. Call the assembler
code where required. Disable preemption during calculation
and enable SPE instructions in the kernel prior to the
call. Avoid to disable preemption for too long.

Take a little care about small input data. Kick out early
for input chunks < 64 bytes and replace memset for context
cleanup with simple loop.

Signed-off-by: Markus Stockhausen <stockhausen@collogia.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: powerpc/sha1 - assembler
Markus Stockhausen [Tue, 24 Feb 2015 19:36:40 +0000 (20:36 +0100)]
crypto: powerpc/sha1 - assembler

This is the assembler code for SHA1 implementation with
the SIMD SPE instruction set. With the enhanced instruction
set we can operate on 2 32 bit words in parallel. That helps
reducing the time to calculate W16-W79. For increasing
performance even more the assembler function can compute
hashes for more than one 64 byte input block.

The state of the used SPE registers is preserved via the
stack so we can run from interrupt context. There might
be the case that we interrupt ourselves and push sensitive
data from another context onto our stack. Clear this area
in the stack afterwards to avoid information leakage.

The code is endian independant.

Signed-off-by: Markus Stockhausen <stockhausen@collogia.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: powerpc/aes - kernel config
Markus Stockhausen [Sun, 22 Feb 2015 09:00:10 +0000 (10:00 +0100)]
crypto: powerpc/aes - kernel config

Integrate the module into the kernel configuration

Signed-off-by: Markus Stockhausen <stockhausen@collogia.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocyprot: powerpc/aes - glue code
Markus Stockhausen [Sun, 22 Feb 2015 09:00:05 +0000 (10:00 +0100)]
cyprot: powerpc/aes - glue code

Integrate the assembler modules into the kernel crypto
framework. Take care to avoid long intervals of disabled
preemption.

Signed-off-by: Markus Stockhausen <stockhausen@collogia.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: powerpc/aes - ECB/CBC/CTR/XTS modes
Markus Stockhausen [Sun, 22 Feb 2015 09:00:00 +0000 (10:00 +0100)]
crypto: powerpc/aes - ECB/CBC/CTR/XTS modes

The assembler block cipher module that controls the core
AES functions.

Signed-off-by: Markus Stockhausen <stockhausen@collogia.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: powerpc/aes - key handling
Markus Stockhausen [Sun, 22 Feb 2015 08:59:54 +0000 (09:59 +0100)]
crypto: powerpc/aes - key handling

Key generation for big endian core routines.

Signed-off-by: Markus Stockhausen <stockhausen@collogia.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: powerpc/aes - assembler core
Markus Stockhausen [Sun, 22 Feb 2015 08:59:49 +0000 (09:59 +0100)]
crypto: powerpc/aes - assembler core

The assembler AES encryption and decryption core routines.
Implemented & optimized for big endian. Nevertheless they
work on little endian too.

For most efficient reuse in (higher level) block cipher
routines they are implemented as "fast" call modules without
any stack handling or register saving. The caller must
take care of that part.

Signed-off-by: Markus Stockhausen <stockhausen@collogia.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: powerpc/aes - aes tables
Markus Stockhausen [Sun, 22 Feb 2015 08:59:43 +0000 (09:59 +0100)]
crypto: powerpc/aes - aes tables

4K AES tables for big endian. To reduce the possiblity of
timing attacks, the size has been cut to 8KB + 256 bytes
in contrast to 16KB in the generic implementation. That
is not perfect but at least a good tradeoff for CPU limited
router devices.

Signed-off-by: Markus Stockhausen <stockhausen@collogia.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: powerpc/aes - register defines
Markus Stockhausen [Sun, 22 Feb 2015 08:59:38 +0000 (09:59 +0100)]
crypto: powerpc/aes - register defines

Define some register aliases for better readability.

Signed-off-by: Markus Stockhausen <stockhausen@collogia.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: bcm63xx - use devm_* helpers
Florian Fainelli [Tue, 17 Feb 2015 02:09:16 +0000 (18:09 -0800)]
hwrng: bcm63xx - use devm_* helpers

Simplify the driver's probe function and error handling by using the
device managed allocators, while at it, drop the redundant "out of
memory" messages since these are already printed by the allocator.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agoMIPS: BCM63xx: remove RSET_RNG register definitions
Florian Fainelli [Tue, 17 Feb 2015 02:09:15 +0000 (18:09 -0800)]
MIPS: BCM63xx: remove RSET_RNG register definitions

Now that these definitions have been moved to
drivers/char/hw_random/bcm63xx-rng.c where they belong to make the
driver standalone, we can safely remove these definitions from
bcm63xx_regs.h.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: bcm63xx - move register definitions to driver
Florian Fainelli [Tue, 17 Feb 2015 02:09:14 +0000 (18:09 -0800)]
hwrng: bcm63xx - move register definitions to driver

arch/mips/include/asm/mach-bcm63xx/bcm63xx_regs.h contains the register
definitions for this random number generator block, incorporate these
register definitions directly into the bcm63xx-rng driver so we do not
rely on this header to be provided.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: bcm63xx - drop bcm_{readl,writel} macros
Florian Fainelli [Tue, 17 Feb 2015 02:09:13 +0000 (18:09 -0800)]
hwrng: bcm63xx - drop bcm_{readl,writel} macros

bcm_{readl,writel} macros expand to __raw_{readl,writel}, use these
directly such that we do not rely on the platform to provide these for
us. As a result, we no longer use bcm63xx_io.h, so remove that inclusion
too.

Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: sahara - drop unnecessary default assignment
Nicholas Mc Guire [Sat, 7 Feb 2015 11:16:46 +0000 (06:16 -0500)]
crypto: sahara - drop unnecessary default assignment

All possible code-paths will assign ret to suitable values so this
default value is not needed.

Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: sahara - pass on error condition
Nicholas Mc Guire [Sat, 7 Feb 2015 11:27:45 +0000 (06:27 -0500)]
crypto: sahara - pass on error condition

A failure of sahara_hw_descriptor_create() with -EINVAL due to scatter list
out of bounds/invalid would not be reported back. This patch just passes on
the -EINVAL so it is visible in sahara_queue_manage().

Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: sahara - fix type of ret for wait_for_completion_timeout
Nicholas Mc Guire [Sat, 7 Feb 2015 11:17:13 +0000 (06:17 -0500)]
crypto: sahara - fix type of ret for wait_for_completion_timeout

return type of wait_for_completion_timeout is unsigned long not int, this
patch adds appropriate variables of type unsigned long.

Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: mxs-dcp - fix type of ret for wait_for_completion_timeout
Nicholas Mc Guire [Sat, 7 Feb 2015 08:09:41 +0000 (03:09 -0500)]
crypto: mxs-dcp - fix type of ret for wait_for_completion_timeout

return type of wait_for_completion_timeout is unsigned long not int, this
patch changes the type of ret from int to unsigned long.

Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: aesni - make driver-gcm-aes-aesni helper a proper aead alg
Tadeusz Struk [Fri, 6 Feb 2015 18:25:20 +0000 (10:25 -0800)]
crypto: aesni - make driver-gcm-aes-aesni helper a proper aead alg

Changed the __driver-gcm-aes-aesni to be a proper aead algorithm.
This required a valid setkey and setauthsize functions to be added and also
some changes to make sure that math context is not corrupted when the alg is
used directly.
Note that the __driver-gcm-aes-aesni should not be used directly by modules
that can use it in interrupt context as we don't have a good fallback mechanism
in this case.

Signed-off-by: Adrian Hoban <adrian.hoban@intel.com>
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: vmx - Enabling VMX module for PPC64
Leonidas S. Barbosa [Fri, 6 Feb 2015 16:59:48 +0000 (14:59 -0200)]
crypto: vmx - Enabling VMX module for PPC64

This patch enables VMX module in PPC64.

Signed-off-by: Leonidas S. Barbosa <leosilva@linux.vnet.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: vmx - Add support for VMS instructions by ASM
Leonidas S. Barbosa [Fri, 6 Feb 2015 16:59:35 +0000 (14:59 -0200)]
crypto: vmx - Add support for VMS instructions by ASM

OpenSSL implements optimized ASM algorithms which support
VMX instructions on Power 8 CPU.

These scripts generate an endian-agnostic ASM implementation
in order to support both big and little-endian.
- aesp8-ppc.pl: implements suport for AES instructions
implemented by POWER8 processor.
- ghashp8-ppc.pl: implements support for  GHASH for Power8.
- ppc-xlate.pl:  ppc assembler distiller.

These code has been adopted from OpenSSL project in collaboration
with the original author (Andy Polyakov <appro@openssl.org>).

Signed-off-by: Leonidas S. Barbosa <leosilva@linux.vnet.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: vmx - Adding GHASH routines for VMX module
Marcelo H. Cerri [Fri, 6 Feb 2015 16:59:05 +0000 (14:59 -0200)]
crypto: vmx - Adding GHASH routines for VMX module

This patch adds GHASH routines to VMX module in order to
make use of VMX cryptographic acceleration instructions
on Power 8 CPU.

Signed-off-by: Leonidas S. Barbosa <leosilva@linux.vnet.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: vmx - Adding CTR routines for VMX module
Marcelo H. Cerri [Fri, 6 Feb 2015 16:58:31 +0000 (14:58 -0200)]
crypto: vmx - Adding CTR routines for VMX module

This patch adds AES CTR routines to VMX module in order to
make use of VMX cryptographic acceleration instructions
on Power 8 CPU.

Signed-off-by: Leonidas S. Barbosa <leosilva@linux.vnet.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: vmx - Adding CBC routines for VMX module
Marcelo H. Cerri [Fri, 6 Feb 2015 16:57:53 +0000 (14:57 -0200)]
crypto: vmx - Adding CBC routines for VMX module

This patch adds AES CBC routines to VMX module in order to
make use of VMX cryptographic acceleration instructions
on Power 8 CPU.

Signed-off-by: Leonidas S. Barbosa <leosilva@linux.vnet.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: vmx - Adding AES routines for VMX module
Marcelo H. Cerri [Fri, 6 Feb 2015 16:57:22 +0000 (14:57 -0200)]
crypto: vmx - Adding AES routines for VMX module

This patch adds AES routines to VMX module in order to
make use of VMX cryptographic acceleration instructions
on Power 8 CPU.

Signed-off-by: Leonidas S. Barbosa <leosilva@linux.vnet.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: vmx - Adding VMX module for Power 8
Marcelo H. Cerri [Fri, 6 Feb 2015 16:56:50 +0000 (14:56 -0200)]
crypto: vmx - Adding VMX module for Power 8

This patch adds routines supporting VMX instructions on the
Power 8.

Signed-off-by: Leonidas S. Barbosa <leosilva@linux.vnet.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: sha-mb - Fix big integer constant sparse warning
Lad, Prabhakar [Thu, 5 Feb 2015 10:29:35 +0000 (10:29 +0000)]
crypto: sha-mb - Fix big integer constant sparse warning

this patch fixes following sparse warning:

sha1_mb_mgr_init_avx2.c:59:31: warning: constant 0xF76543210 is so big it is long

Signed-off-by: Lad, Prabhakar <prabhakar.csengg@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: ccp - Add ACPI support
Tom Lendacky [Tue, 3 Feb 2015 19:07:29 +0000 (13:07 -0600)]
crypto: ccp - Add ACPI support

Add support for ACPI to the CCP platform driver.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: ccp - Convert calls to their devm_ counterparts
Tom Lendacky [Tue, 3 Feb 2015 19:07:23 +0000 (13:07 -0600)]
crypto: ccp - Convert calls to their devm_ counterparts

Where applicable, convert calls to their devm_ counterparts, e.g. kzalloc
to devm_kzalloc.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: ccp - Use dma_set_mask_and_coherent to set DMA mask
Tom Lendacky [Tue, 3 Feb 2015 19:07:17 +0000 (13:07 -0600)]
crypto: ccp - Use dma_set_mask_and_coherent to set DMA mask

Replace the setting of the DMA masks with the dma_set_mask_and_coherent
function call.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: ccp - Update CCP build support
Tom Lendacky [Tue, 3 Feb 2015 19:07:11 +0000 (13:07 -0600)]
crypto: ccp - Update CCP build support

Add HAS_IOMEM as a Kconfig dependency. Always include ccp-platform.c
in the CCP build and conditionally include ccp-pci.c.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: ccp - Updates for checkpatch warnings/errors
Tom Lendacky [Tue, 3 Feb 2015 19:07:05 +0000 (13:07 -0600)]
crypto: ccp - Updates for checkpatch warnings/errors

Changes to address warnings and errors reported by the checkpatch
script.

Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: ppc/sha256 - kernel config
Markus Stockhausen [Fri, 30 Jan 2015 14:39:34 +0000 (15:39 +0100)]
crypto: ppc/sha256 - kernel config

Integrate the module into the kernel config tree.

Signed-off-by: Markus Stockhausen <stockhausen@collogia.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: ppc/sha256 - glue
Markus Stockhausen [Fri, 30 Jan 2015 14:39:29 +0000 (15:39 +0100)]
crypto: ppc/sha256 - glue

Glue code for crypto infrastructure. Call the assembler
code where required. Disable preemption during calculation
and enable SPE instructions in the kernel prior to the
call. Avoid to disable preemption for too long.

Take a little care about small input data. Kick out early
for input chunks < 64 bytes and replace memset for context
cleanup with simple loop.

Signed-off-by: Markus Stockhausen <stockhausen@collogia.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: ppc/sha256 - assembler
Markus Stockhausen [Fri, 30 Jan 2015 14:39:23 +0000 (15:39 +0100)]
crypto: ppc/sha256 - assembler

This is the assembler code for SHA256 implementation with
the SIMD SPE instruction set. Although being only a 32 bit
architecture GPRs are extended to 64 bit presenting two
32 bit values. With the enhanced instruction set we can
operate on them in parallel. That helps reducing the time
to calculate W16-W64. For increasing performance even more
the assembler function can compute hashes for more than
one 64 byte input block. That saves a lot of register
saving/restoring

The state of the used SPE registers is preserved via the
stack so we can run from interrupt context. There might
be the case that we interrupt ourselves and push sensitive
data from another context onto our stack. Clear this area
in the stack afterwards to avoid information leakage.

The code is endian independant.

Signed-off-by: Markus Stockhausen <stockhausen@collogia.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agoLinux 4.0-rc1
Linus Torvalds [Mon, 23 Feb 2015 02:21:14 +0000 (18:21 -0800)]
Linux 4.0-rc1

.. after extensive statistical analysis of my G+ polling, I've come to
the inescapable conclusion that internet polls are bad.

Big surprise.

But "Hurr durr I'ma sheep" trounced "I like online polls" by a 62-to-38%
margin, in a poll that people weren't even supposed to participate in.
Who can argue with solid numbers like that? 5,796 votes from people who
can't even follow the most basic directions?

In contrast, "v4.0" beat out "v3.20" by a slimmer margin of 56-to-44%,
but with a total of 29,110 votes right now.

Now, arguably, that vote spread is only about 3,200 votes, which is less
than the almost six thousand votes that the "please ignore" poll got, so
it could be considered noise.

But hey, I asked, so I'll honor the votes.

9 years agoMerge tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso...
Linus Torvalds [Mon, 23 Feb 2015 02:05:13 +0000 (18:05 -0800)]
Merge tag 'ext4_for_linus' of git://git./linux/kernel/git/tytso/ext4

Pull ext4 fixes from Ted Ts'o:
 "Ext4 bug fixes.

  We also reserved code points for encryption and read-only images (for
  which the implementation is mostly just the reserved code point for a
  read-only feature :-)"

* tag 'ext4_for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4:
  ext4: fix indirect punch hole corruption
  ext4: ignore journal checksum on remount; don't fail
  ext4: remove duplicate remount check for JOURNAL_CHECKSUM change
  ext4: fix mmap data corruption in nodelalloc mode when blocksize < pagesize
  ext4: support read-only images
  ext4: change to use setup_timer() instead of init_timer()
  ext4: reserve codepoints used by the ext4 encryption feature
  jbd2: complain about descriptor block checksum errors

9 years agoMerge branch 'for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Linus Torvalds [Mon, 23 Feb 2015 01:42:14 +0000 (17:42 -0800)]
Merge branch 'for-linus-2' of git://git./linux/kernel/git/viro/vfs

Pull more vfs updates from Al Viro:
 "Assorted stuff from this cycle.  The big ones here are multilayer
  overlayfs from Miklos and beginning of sorting ->d_inode accesses out
  from David"

* 'for-linus-2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (51 commits)
  autofs4 copy_dev_ioctl(): keep the value of ->size we'd used for allocation
  procfs: fix race between symlink removals and traversals
  debugfs: leave freeing a symlink body until inode eviction
  Documentation/filesystems/Locking: ->get_sb() is long gone
  trylock_super(): replacement for grab_super_passive()
  fanotify: Fix up scripted S_ISDIR/S_ISREG/S_ISLNK conversions
  Cachefiles: Fix up scripted S_ISDIR/S_ISREG/S_ISLNK conversions
  VFS: (Scripted) Convert S_ISLNK/DIR/REG(dentry->d_inode) to d_is_*(dentry)
  SELinux: Use d_is_positive() rather than testing dentry->d_inode
  Smack: Use d_is_positive() rather than testing dentry->d_inode
  TOMOYO: Use d_is_dir() rather than d_inode and S_ISDIR()
  Apparmor: Use d_is_positive/negative() rather than testing dentry->d_inode
  Apparmor: mediated_filesystem() should use dentry->d_sb not inode->i_sb
  VFS: Split DCACHE_FILE_TYPE into regular and special types
  VFS: Add a fallthrough flag for marking virtual dentries
  VFS: Add a whiteout dentry type
  VFS: Introduce inode-getting helpers for layered/unioned fs environments
  Infiniband: Fix potential NULL d_inode dereference
  posix_acl: fix reference leaks in posix_acl_create
  autofs4: Wrong format for printing dentry
  ...

9 years agoMerge branch 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm
Linus Torvalds [Sun, 22 Feb 2015 17:57:16 +0000 (09:57 -0800)]
Merge branch 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm

Pull ARM fix from Russell King:
 "Just one fix this time around.  __iommu_alloc_buffer() can cause a
  BUG() if dma_alloc_coherent() is called with either __GFP_DMA32 or
  __GFP_HIGHMEM set.  The patch from Alexandre addresses this"

* 'fixes' of git://ftp.arm.linux.org.uk/~rmk/linux-arm:
  ARM: 8305/1: DMA: Fix kzalloc flags in __iommu_alloc_buffer()

9 years agoautofs4 copy_dev_ioctl(): keep the value of ->size we'd used for allocation
Al Viro [Sun, 22 Feb 2015 03:19:57 +0000 (22:19 -0500)]
autofs4 copy_dev_ioctl(): keep the value of ->size we'd used for allocation

X-Coverup: just ask spender
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
9 years agoprocfs: fix race between symlink removals and traversals
Al Viro [Sun, 22 Feb 2015 03:16:11 +0000 (22:16 -0500)]
procfs: fix race between symlink removals and traversals

use_pde()/unuse_pde() in ->follow_link()/->put_link() resp.

Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
9 years agodebugfs: leave freeing a symlink body until inode eviction
Al Viro [Sun, 22 Feb 2015 03:05:11 +0000 (22:05 -0500)]
debugfs: leave freeing a symlink body until inode eviction

As it is, we have debugfs_remove() racing with symlink traversals.
Supply ->evict_inode() and do freeing there - inode will remain
pinned until we are done with the symlink body.

And rip the idiocy with checking if dentry is positive right after
we'd verified debugfs_positive(), which is a stronger check...

Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>