GitHub/moto-9609/android_kernel_motorola_exynos9610.git
8 years agocrypto: skcipher - fix crash in virtual walk
Ard Biesheuvel [Tue, 13 Dec 2016 13:34:02 +0000 (13:34 +0000)]
crypto: skcipher - fix crash in virtual walk

The new skcipher walk API may crash in the following way. (Interestingly,
the tcrypt boot time tests seem unaffected, while an explicit test using
the module triggers it)

  Unable to handle kernel NULL pointer dereference at virtual address 00000000
  ...
  [<ffff000008431d84>] __memcpy+0x84/0x180
  [<ffff0000083ec0d0>] skcipher_walk_done+0x328/0x340
  [<ffff0000080c5c04>] ctr_encrypt+0x84/0x100
  [<ffff000008406d60>] simd_skcipher_encrypt+0x88/0x98
  [<ffff0000083fa05c>] crypto_rfc3686_crypt+0x8c/0x98
  [<ffff0000009b0900>] test_skcipher_speed+0x518/0x820 [tcrypt]
  [<ffff0000009b31c0>] do_test+0x1408/0x3b70 [tcrypt]
  [<ffff0000009bd050>] tcrypt_mod_init+0x50/0x1000 [tcrypt]
  [<ffff0000080838f4>] do_one_initcall+0x44/0x138
  [<ffff0000081aee60>] do_init_module+0x68/0x1e0
  [<ffff0000081524d0>] load_module+0x1fd0/0x2458
  [<ffff000008152c38>] SyS_finit_module+0xe0/0xf0
  [<ffff0000080836f0>] el0_svc_naked+0x24/0x28

This is due to the fact that skcipher_done_slow() may be entered with
walk->buffer unset. Since skcipher_walk_done() already deals with the
case where walk->buffer == walk->page, it appears to be the intention
that walk->buffer point to walk->page after skcipher_next_slow(), so
ensure that is the case.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agosign-file: Fix inplace signing when src and dst names are both specified
Alex Yashchenko [Tue, 13 Dec 2016 09:26:25 +0000 (09:26 +0000)]
sign-file: Fix inplace signing when src and dst names are both specified

When src and dst both are specified and they point to the same file
the sign-file utility will write only signature to the dst file and
the module (.ko file) body will not be written.
That happens because we open the same file with "rb" and "wb" flags,
from fopen man:

 w      Truncate file to zero length or create text file for writing.
The stream is positioned at the beginning of the file.
...
bm = BIO_new_file(module_name, "rb");
...
bd = BIO_new_file(dest_name, "wb");
...
while ((n = BIO_read(bm, buf, sizeof(buf))),
       n > 0) {
ERR(BIO_write(bd, buf, n) < 0, "%s", dest_name);
}
...

Signed-off-by: Alex Yashchenko <alexhoppus111@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: asymmetric_keys - set error code on failure
Pan Bian [Tue, 13 Dec 2016 09:26:18 +0000 (09:26 +0000)]
crypto: asymmetric_keys - set error code on failure

In function public_key_verify_signature(), returns variable ret on
error paths. When the call to kmalloc() fails, the value of ret is 0,
and it is not set to an errno before returning. This patch fixes the
bug.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188891

Signed-off-by: Pan Bian <bianpan2016@163.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: testmgr - fix overlap in chunked tests again
Ard Biesheuvel [Thu, 8 Dec 2016 08:23:52 +0000 (08:23 +0000)]
crypto: testmgr - fix overlap in chunked tests again

Commit 7e4c7f17cde2 ("crypto: testmgr - avoid overlap in chunked tests")
attempted to address a problem in the crypto testmgr code where chunked
test cases are copied to memory in a way that results in overlap.

However, the fix recreated the exact same issue for other chunked tests,
by putting IDX3 within 492 bytes of IDX1, which causes overlap if the
first chunk exceeds 492 bytes, which is the case for at least one of
the xts(aes) test cases.

So increase IDX3 by another 1000 bytes.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: arm/crc32 - accelerated support based on x86 SSE implementation
Ard Biesheuvel [Mon, 5 Dec 2016 18:42:28 +0000 (18:42 +0000)]
crypto: arm/crc32 - accelerated support based on x86 SSE implementation

This is a combination of the the Intel algorithm implemented using SSE
and PCLMULQDQ instructions from arch/x86/crypto/crc32-pclmul_asm.S, and
the new CRC32 extensions introduced for both 32-bit and 64-bit ARM in
version 8 of the architecture. Two versions of the above combo are
provided, one for CRC32 and one for CRC32C.

The PMULL/NEON algorithm is faster, but operates on blocks of at least
64 bytes, and on multiples of 16 bytes only. For the remaining input,
or for all input on systems that lack the PMULL 64x64->128 instructions,
the CRC32 instructions will be used.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: arm64/crc32 - accelerated support based on x86 SSE implementation
Ard Biesheuvel [Mon, 5 Dec 2016 18:42:27 +0000 (18:42 +0000)]
crypto: arm64/crc32 - accelerated support based on x86 SSE implementation

This is a combination of the the Intel algorithm implemented using SSE
and PCLMULQDQ instructions from arch/x86/crypto/crc32-pclmul_asm.S, and
the new CRC32 extensions introduced for both 32-bit and 64-bit ARM in
version 8 of the architecture. Two versions of the above combo are
provided, one for CRC32 and one for CRC32C.

The PMULL/NEON algorithm is faster, but operates on blocks of at least
64 bytes, and on multiples of 16 bytes only. For the remaining input,
or for all input on systems that lack the PMULL 64x64->128 instructions,
the CRC32 instructions will be used.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: arm/crct10dif - port x86 SSE implementation to ARM
Ard Biesheuvel [Mon, 5 Dec 2016 18:42:26 +0000 (18:42 +0000)]
crypto: arm/crct10dif - port x86 SSE implementation to ARM

This is a transliteration of the Intel algorithm implemented
using SSE and PCLMULQDQ instructions that resides in the file
arch/x86/crypto/crct10dif-pcl-asm_64.S, but simplified to only
operate on buffers that are 16 byte aligned (but of any size)

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: arm64/crct10dif - port x86 SSE implementation to arm64
Ard Biesheuvel [Mon, 5 Dec 2016 18:42:25 +0000 (18:42 +0000)]
crypto: arm64/crct10dif - port x86 SSE implementation to arm64

This is a transliteration of the Intel algorithm implemented
using SSE and PCLMULQDQ instructions that resides in the file
arch/x86/crypto/crct10dif-pcl-asm_64.S, but simplified to only
operate on buffers that are 16 byte aligned (but of any size)

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: testmgr - add/enhance test cases for CRC-T10DIF
Ard Biesheuvel [Mon, 5 Dec 2016 18:42:24 +0000 (18:42 +0000)]
crypto: testmgr - add/enhance test cases for CRC-T10DIF

The existing test cases only exercise a small slice of the various
possible code paths through the x86 SSE/PCLMULQDQ implementation,
and the upcoming ports of it for arm64. So add one that exceeds 256
bytes in size, and convert another to a chunked test.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: testmgr - avoid overlap in chunked tests
Ard Biesheuvel [Mon, 5 Dec 2016 18:42:23 +0000 (18:42 +0000)]
crypto: testmgr - avoid overlap in chunked tests

The IDXn offsets are chosen such that tap values (which may go up to
255) end up overlapping in the xbuf allocation. In particular, IDX1
and IDX3 are too close together, so update IDX3 to avoid this issue.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: chcr - checking for IS_ERR() instead of NULL
Dan Carpenter [Thu, 1 Dec 2016 20:49:37 +0000 (23:49 +0300)]
crypto: chcr - checking for IS_ERR() instead of NULL

The create_hash_wr() function never returns error pointers.  It returns
NULL on error.

Fixes: 358961d1cd1e ("crypto: chcr - Added new structure chcr_wr")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - check caam_emi_slow instead of re-lookup platform
Marcus Folkesson [Mon, 28 Nov 2016 17:53:28 +0000 (12:53 -0500)]
crypto: caam - check caam_emi_slow instead of re-lookup platform

Signed-off-by: Marcus Folkesson <marcus.folkesson@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: algif_aead - fix AIO handling of zero buffer
Stephan Mueller [Thu, 1 Dec 2016 07:22:37 +0000 (08:22 +0100)]
crypto: algif_aead - fix AIO handling of zero buffer

Handle the case when the caller provided a zero buffer to
sendmsg/sendpage. Such scenario is legal for AEAD ciphers when no
plaintext / ciphertext and no AAD is provided and the caller only
requests the generation of the tag value.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: aes-ce - Make aes_simd_algs static
Herbert Xu [Thu, 1 Dec 2016 05:45:05 +0000 (13:45 +0800)]
crypto: aes-ce - Make aes_simd_algs static

The variable aes_simd_algs should be static.  In fact if it isn't
it causes build errors when multiple copies of aes-ce-glue.c are
built into the kernel.

Fixes: da40e7a4ba4d ("crypto: aes-ce - Convert to skcipher")
Reported-by: kbuild test robot <fengguang.wu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: algif_skcipher - set error code when kcalloc fails
Pan Bian [Thu, 1 Dec 2016 02:04:43 +0000 (10:04 +0800)]
crypto: algif_skcipher - set error code when kcalloc fails

Fix bug https://bugzilla.kernel.org/show_bug.cgi?id=188521. In function
skcipher_recvmsg_async(), variable err takes the return value, and its
value should be negative on failures. Because variable err may be
reassigned and checked before calling kcalloc(), its value may be 0
(indicates no error) even if kcalloc() fails. This patch fixes the bug
by explicitly assigning -ENOMEM to err when kcalloc() returns a NULL
pointer.

Signed-off-by: Pan Bian <bianpan2016@163.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - make aamalg_desc a proper module
Arnd Bergmann [Wed, 30 Nov 2016 21:02:00 +0000 (22:02 +0100)]
crypto: caam - make aamalg_desc a proper module

The drivers/crypto/caam/ directory is entered during build only
for building modules when CONFIG_CRYPTO_DEV_FSL_CAAM=m, but
CONFIG_CRYPTO_DEV_FSL_CAAM_CRYPTO_API_DESC is defined as a
'bool' symbol, meaning that caamalg_desc.c is always compiled
into built-in code, or not at all, leading to a link failure:

ERROR: "cnstr_shdsc_xts_ablkcipher_decap" [drivers/crypto/caam/caamalg.ko] undefined!
ERROR: "cnstr_shdsc_xts_ablkcipher_encap" [drivers/crypto/caam/caamalg.ko] undefined!
ERROR: "cnstr_shdsc_aead_givencap" [drivers/crypto/caam/caamalg.ko] undefined!
ERROR: "cnstr_shdsc_aead_decap" [drivers/crypto/caam/caamalg.ko] undefined!
ERROR: "cnstr_shdsc_aead_encap" [drivers/crypto/caam/caamalg.ko] undefined!
ERROR: "cnstr_shdsc_aead_null_decap" [drivers/crypto/caam/caamalg.ko] undefined!
ERROR: "cnstr_shdsc_aead_null_encap" [drivers/crypto/caam/caamalg.ko] undefined!
ERROR: "cnstr_shdsc_rfc4106_decap" [drivers/crypto/caam/caamalg.ko] undefined!
ERROR: "cnstr_shdsc_rfc4106_encap" [drivers/crypto/caam/caamalg.ko] undefined!
...

Making caamalg_desc itself a loadable module fixes this configuration
by ensuring the driver gets built. Aside from making the symbol
'tristate', I'm adding appropriate module metadata here.

Fixes: 8cea7b66b821 ("crypto: caam - refactor encryption descriptors generation")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - pass key buffers with typesafe pointers
Arnd Bergmann [Wed, 30 Nov 2016 21:01:59 +0000 (22:01 +0100)]
crypto: caam - pass key buffers with typesafe pointers

The 'key' field is defined as a 'u64' and used for two different
pieces of information: either to store a pointer or a dma_addr_t.
The former leads to a build error on 32-bit machines:

drivers/crypto/caam/caamalg_desc.c: In function 'cnstr_shdsc_aead_null_encap':
drivers/crypto/caam/caamalg_desc.c:67:27: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]
drivers/crypto/caam/caamalg_desc.c: In function 'cnstr_shdsc_aead_null_decap':
drivers/crypto/caam/caamalg_desc.c:143:27: error: cast to pointer from integer of different size [-Werror=int-to-pointer-cast]

Using a union to provide correct types gets rid of the warnings
and as well as a couple of redundant casts.

Fixes: db57656b0072 ("crypto: caam - group algorithm related params")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: arm64/aes-ce-ccm - Fix AEAD decryption length
Herbert Xu [Wed, 30 Nov 2016 13:17:24 +0000 (21:17 +0800)]
crypto: arm64/aes-ce-ccm - Fix AEAD decryption length

This patch fixes the ARM64 CE CCM implementation decryption by
using skcipher_walk_aead_decrypt instead of skcipher_walk_aead,
which ensures the correct length is used when doing the walk.

Fixes: cf2c0fe74084 ("crypto: aes-ce-ccm - Use skcipher walk interface")
Reported-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agoMAINTAINERS: add crypto headers to crypto entry
Baruch Siach [Wed, 30 Nov 2016 13:16:11 +0000 (15:16 +0200)]
MAINTAINERS: add crypto headers to crypto entry

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypt: doc - remove misleading mention of async API
Baruch Siach [Wed, 30 Nov 2016 13:16:10 +0000 (15:16 +0200)]
crypt: doc - remove misleading mention of async API

The asynchronous API is quite mature. Not mentioning is at all is probably
better than saying it is under development.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: doc - fix header file name
Baruch Siach [Wed, 30 Nov 2016 13:16:09 +0000 (15:16 +0200)]
crypto: doc - fix header file name

Fixes: 8bc618d6a2e0 ("crypto: doc - Use ahash")
Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: api - fix comment typo
Baruch Siach [Wed, 30 Nov 2016 13:16:08 +0000 (15:16 +0200)]
crypto: api - fix comment typo

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: skcipher - Add separate walker for AEAD decryption
Herbert Xu [Wed, 30 Nov 2016 13:14:07 +0000 (21:14 +0800)]
crypto: skcipher - Add separate walker for AEAD decryption

The AEAD decrypt interface includes the authentication tag in
req->cryptlen.  Therefore we need to exlucde that when doing
a walk over it.

This patch adds separate walker functions for AEAD encryption
and decryption.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
8 years agocrypto: arm/aesbs - fix brokenness after skcipher conversion
Ard Biesheuvel [Tue, 29 Nov 2016 17:23:36 +0000 (17:23 +0000)]
crypto: arm/aesbs - fix brokenness after skcipher conversion

The CBC encryption routine should use the encryption round keys, not
the decryption round keys.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: chcr - Add AEAD algos.
Harsh Jain [Tue, 29 Nov 2016 13:30:43 +0000 (19:00 +0530)]
crypto: chcr - Add AEAD algos.

Add support for following AEAD algos.
 GCM,CCM,RFC4106,RFC4309,authenc(hmac(shaXXX),cbc(aes)).

Reviewed-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Harsh Jain <harsh@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: chcr - Move tfm ctx variable to request context
Harsh Jain [Tue, 29 Nov 2016 13:30:42 +0000 (19:00 +0530)]
crypto: chcr - Move tfm ctx variable to request context

Move request specific data in request context.

Signed-off-by: Harsh Jain <harsh@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: chcr - Use SHASH_DESC_ON_STACK
Harsh Jain [Tue, 29 Nov 2016 13:30:41 +0000 (19:00 +0530)]
crypto: chcr - Use SHASH_DESC_ON_STACK

Use SHASH_DESC_ON_STACK macro to allocate memory for ipad/opad
calculation.

Signed-off-by: Harsh Jain <harsh@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: chcr - Adjust Dest. buffer size
Harsh Jain [Tue, 29 Nov 2016 13:30:40 +0000 (19:00 +0530)]
crypto: chcr - Adjust Dest. buffer size

Destination buffer size passed to hardware should not be greater
than crypto operation output.

Signed-off-by: Harsh Jain <harsh@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: chcr - Calculate Reverse round key in setkey callback.
Harsh Jain [Tue, 29 Nov 2016 13:30:39 +0000 (19:00 +0530)]
crypto: chcr - Calculate Reverse round key in setkey callback.

Move reverse round key calculation logic in setkey operation.

Signed-off-by: Harsh Jain <harsh@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: chcr - Remove dynamic allocation
Harsh Jain [Tue, 29 Nov 2016 13:30:38 +0000 (19:00 +0530)]
crypto: chcr - Remove dynamic allocation

Remove malloc/free in hash operation and allocate
 memory in chcr_ahash_req_ctx structure.

Signed-off-by: Jitendra Lulla <JLULLA@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: chcr - Fixes Unchecked dereference inside function
Harsh Jain [Tue, 29 Nov 2016 13:30:37 +0000 (19:00 +0530)]
crypto: chcr - Fixes Unchecked dereference inside function

Fixes 324429d74127, Unchecked dereference inside function.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jitendra Lulla <JLULLA@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: chcr - Added new structure chcr_wr
Harsh Jain [Tue, 29 Nov 2016 13:30:36 +0000 (19:00 +0530)]
crypto: chcr - Added new structure chcr_wr

Added new structure chcr_wr to populate Work Request Header.

Signed-off-by: Jitendra Lulla <JLULLA@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: chcr - Cosmetic change
Harsh Jain [Tue, 29 Nov 2016 13:30:35 +0000 (19:00 +0530)]
crypto: chcr - Cosmetic change

Moves get_aes_decrypt_key function to .c file and declare inline for
"aes_ks_subword"

Signed-off-by: Jitendra Lulla <JLULLA@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: arm64/aes-ce-ctr - fix skcipher conversion
Ard Biesheuvel [Tue, 29 Nov 2016 13:05:33 +0000 (13:05 +0000)]
crypto: arm64/aes-ce-ctr - fix skcipher conversion

Fix a missing statement that got lost in the skcipher conversion of
the CTR transform.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: skcipher - fix crash in skcipher_walk_aead()
Ard Biesheuvel [Tue, 29 Nov 2016 13:05:31 +0000 (13:05 +0000)]
crypto: skcipher - fix crash in skcipher_walk_aead()

The new skcipher_walk_aead() may crash in the following way due to
the walk flag SKCIPHER_WALK_PHYS not being cleared at the start of the
walk:

Unable to handle kernel NULL pointer dereference at virtual address 00000001
[..]
Internal error: Oops: 96000044 [#1] PREEMPT SMP
[..]
PC is at skcipher_walk_next+0x208/0x450
LR is at skcipher_walk_next+0x1e4/0x450
pc : [<ffff2b93b7104e20>] lr : [<ffff2b93b7104dfc>] pstate: 40000045
sp : ffffb925fa517940
[...]
[<ffff2b93b7104e20>] skcipher_walk_next+0x208/0x450
[<ffff2b93b710535c>] skcipher_walk_first+0x54/0x148
[<ffff2b93b7105664>] skcipher_walk_aead+0xd4/0x108
[<ffff2b93b6e77928>] ccm_encrypt+0x68/0x158

So clear the flag at the appropriate time.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: arm/aes-ce - fix broken monolithic build
Ard Biesheuvel [Tue, 29 Nov 2016 13:05:30 +0000 (13:05 +0000)]
crypto: arm/aes-ce - fix broken monolithic build

When building the arm64 kernel with both CONFIG_CRYPTO_AES_ARM64_CE_BLK=y
and CONFIG_CRYPTO_AES_ARM64_NEON_BLK=y configured, the build breaks with
the following error:

arch/arm64/crypto/aes-neon-blk.o:(.bss+0x0): multiple definition of `aes_simd_algs'
arch/arm64/crypto/aes-ce-blk.o:(.bss+0x0): first defined here

Fix this by making aes_simd_algs 'static'.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: arm/aes - Add missing SIMD select for aesbs
Herbert Xu [Tue, 29 Nov 2016 08:43:33 +0000 (16:43 +0800)]
crypto: arm/aes - Add missing SIMD select for aesbs

This patch adds one more missing SIMD select for AES_ARM_BS.  It
also changes selects on ALGAPI to BLKCIPHER.

Fixes: 211f41af534a ("crypto: aesbs - Convert to skcipher")
Reported-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Herbert Xu [Wed, 30 Nov 2016 11:53:12 +0000 (19:53 +0800)]
Merge git://git./linux/kernel/git/herbert/crypto-2.6

Merge the crypto tree to pull in chelsio chcr fix.

8 years agocrypto: rsa - Add Makefile dependencies to fix parallel builds
David Michael [Tue, 29 Nov 2016 19:15:12 +0000 (11:15 -0800)]
crypto: rsa - Add Makefile dependencies to fix parallel builds

Both asn1 headers are included by rsa_helper.c, so rsa_helper.o
should explicitly depend on them.

Signed-off-by: David Michael <david.michael@coreos.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: chcr - Fix memory corruption
Harsh Jain [Tue, 29 Nov 2016 13:30:34 +0000 (19:00 +0530)]
crypto: chcr - Fix memory corruption

Fix memory corruption done by  *((u32 *)dec_key + k)
 operation.

Signed-off-by: Jitendra Lulla <JLULLA@chelsio.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: drbg - prevent invalid SG mappings
Stephan Mueller [Tue, 29 Nov 2016 08:45:04 +0000 (09:45 +0100)]
crypto: drbg - prevent invalid SG mappings

When using SGs, only heap memory (memory that is valid as per
virt_addr_valid) is allowed to be referenced. The CTR DRBG used to
reference the caller-provided memory directly in an SG. In case the
caller provided stack memory pointers, the SG mapping is not considered
to be valid. In some cases, this would even cause a paging fault.

The change adds a new scratch buffer that is used unconditionally to
catch the cases where the caller-provided buffer is not suitable for
use in an SG. The crypto operation of the CTR DRBG produces its output
with that scratch buffer and finally copies the content of the
scratch buffer to the caller's buffer.

The scratch buffer is allocated during allocation time of the CTR DRBG
as its access is protected with the DRBG mutex.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: arm/aes - Select SIMD in Kconfig
Herbert Xu [Tue, 29 Nov 2016 07:08:40 +0000 (15:08 +0800)]
crypto: arm/aes - Select SIMD in Kconfig

The skcipher conversion for ARM missed the select on CRYPTO_SIMD,
causing build failures if SIMD was not otherwise enabled.

Fixes: da40e7a4ba4d ("crypto: aes-ce - Convert to skcipher")
Fixes: 211f41af534a ("crypto: aesbs - Convert to skcipher")
Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: arm64/sha2 - add generated .S files to .gitignore
Ard Biesheuvel [Mon, 28 Nov 2016 13:37:49 +0000 (14:37 +0100)]
crypto: arm64/sha2 - add generated .S files to .gitignore

Add the files that are generated by the recently merged OpenSSL
SHA-256/512 implementation to .gitignore so Git disregards them
when showing untracked files.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: testmgr - don't use stack buffer in test_acomp()
Eric Biggers [Wed, 23 Nov 2016 18:24:35 +0000 (10:24 -0800)]
crypto: testmgr - don't use stack buffer in test_acomp()

With virtually-mapped stacks (CONFIG_VMAP_STACK=y), using the
scatterlist crypto API with stack buffers is not allowed, and with
appropriate debugging options will cause the
'BUG_ON(!virt_addr_valid(buf));' in sg_set_buf() to be triggered.
Use a heap buffer instead.

Fixes: d7db7a882deb ("crypto: acomp - update testmgr with support for acomp")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agoMAINTAINERS: add maintainers for caam crypto driver
Horia Geantă [Tue, 22 Nov 2016 13:44:12 +0000 (15:44 +0200)]
MAINTAINERS: add maintainers for caam crypto driver

Add myself and Dan as maintainers of the caam crypto driver.

Cc: Dan Douglass <dan.douglass@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - refactor ahash shared descriptor generation
Horia Geantă [Tue, 22 Nov 2016 13:44:11 +0000 (15:44 +0200)]
crypto: caam - refactor ahash shared descriptor generation

Move ahash shared descriptor generation into a single function.
Currently there is no plan to support ahash on any other interface
besides the Job Ring, thus for now the functionality is not exported.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - consolidate split key length computation
Horia Geantă [Tue, 22 Nov 2016 13:44:10 +0000 (15:44 +0200)]
crypto: caam - consolidate split key length computation

Move split key length and padded length computation from caamalg.c
and caamhash.c to key_gen.c.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - refactor encryption descriptors generation
Horia Geantă [Tue, 22 Nov 2016 13:44:09 +0000 (15:44 +0200)]
crypto: caam - refactor encryption descriptors generation

Refactor the generation of the authenc, ablkcipher shared descriptors
and exports the functionality, such that they could be shared
with the upcoming caam/qi (Queue Interface) driver.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - remove unneded dependencies on CRYPTO_DEV_FSL_CAAM
Horia Geantă [Tue, 22 Nov 2016 13:44:08 +0000 (15:44 +0200)]
crypto: caam - remove unneded dependencies on CRYPTO_DEV_FSL_CAAM

Remove dependency on CRYPTO_DEV_FSL_CAAM where superfluous:
depends on CRYPTO_DEV_FSL_CAAM && CRYPTO_DEV_FSL_CAAM_JR
is equivalent to
depends on CRYPTO_DEV_FSL_CAAM_JR
since CRYPTO_DEV_FSL_CAAM_JR depends on CRYPTO_DEV_FSL_CAAM.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - rewrite some generic inline append cmds
Horia Geantă [Tue, 22 Nov 2016 13:44:07 +0000 (15:44 +0200)]
crypto: caam - rewrite some generic inline append cmds

A few descriptor commands are generated using generic
inline append "append_cmd" function.
Rewrite them using specific inline append functions.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - improve key inlining
Horia Geantă [Tue, 22 Nov 2016 13:44:06 +0000 (15:44 +0200)]
crypto: caam - improve key inlining

For authenc / stitched AEAD algorithms, check independently
each of the two (authentication, encryption) keys whether inlining
is possible.
Prioritize the inlining of the authentication key, since the length
of the (split) key is bigger than that of the encryption key.

For the other algorithms, compute only once per tfm the remaining
available bytes and decide whether key inlining is possible
based on this.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - remove superfluous alg_op algorithm param
Horia Geantă [Tue, 22 Nov 2016 13:44:05 +0000 (15:44 +0200)]
crypto: caam - remove superfluous alg_op algorithm param

Information carried by alg_op can be deduced from adata->algtype
plus some fixed flags.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - group algorithm related params
Horia Geantă [Tue, 22 Nov 2016 13:44:04 +0000 (15:44 +0200)]
crypto: caam - group algorithm related params

In preparation of factoring out the shared descriptors,
struct alginfo is introduced to group the algorithm related
parameters.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - move append_key_aead() into init_sh_desc_key_aead()
Horia Geantă [Tue, 22 Nov 2016 13:44:03 +0000 (15:44 +0200)]
crypto: caam - move append_key_aead() into init_sh_desc_key_aead()

append_key_aead() is used in only one place, thus inline it.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: aesbs - Convert to skcipher
Herbert Xu [Tue, 22 Nov 2016 12:08:46 +0000 (20:08 +0800)]
crypto: aesbs - Convert to skcipher

This patch converts aesbs over to the skcipher interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: cbc - Export CBC implementation
Herbert Xu [Tue, 22 Nov 2016 12:08:42 +0000 (20:08 +0800)]
crypto: cbc - Export CBC implementation

This patch moves the core CBC implementation into a header file
so that it can be reused by drivers implementing CBC.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: cbc - Convert to skcipher
Herbert Xu [Tue, 22 Nov 2016 12:08:39 +0000 (20:08 +0800)]
crypto: cbc - Convert to skcipher

This patch converts cbc over to the skcipher interface.  It also
rearranges the code to allow it to be reused by drivers.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: aes-ce - Convert to skcipher
Herbert Xu [Tue, 22 Nov 2016 12:08:37 +0000 (20:08 +0800)]
crypto: aes-ce - Convert to skcipher

This patch converts aes-ce over to the skcipher interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: arm64/aes - Convert to skcipher
Herbert Xu [Tue, 22 Nov 2016 12:08:35 +0000 (20:08 +0800)]
crypto: arm64/aes - Convert to skcipher

This patch converts arm64/aes over to the skcipher interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: aesni - Convert to skcipher
Herbert Xu [Tue, 22 Nov 2016 12:08:33 +0000 (20:08 +0800)]
crypto: aesni - Convert to skcipher

This patch converts aesni (including fpu) over to the skcipher
interface.  The LRW implementation has been removed as the generic
LRW code can now be used directly on top of the accelerated ECB
implementation.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: testmgr - Do not test internal algorithms
Herbert Xu [Tue, 22 Nov 2016 12:08:31 +0000 (20:08 +0800)]
crypto: testmgr - Do not test internal algorithms

Currently we manually filter out internal algorithms using a list
in testmgr.  This is dangerous as internal algorithms cannot be
safely used even by testmgr.  This patch ensures that they're never
processed by testmgr at all.

This patch also removes an obsolete bypass for nivciphers which
no longer exist.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: glue_helper - Add skcipher xts helpers
Herbert Xu [Tue, 22 Nov 2016 12:08:29 +0000 (20:08 +0800)]
crypto: glue_helper - Add skcipher xts helpers

This patch adds xts helpers that use the skcipher interface rather
than blkcipher.  This will be used by aesni_intel.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: pcbc - Convert to skcipher
Herbert Xu [Tue, 22 Nov 2016 12:08:27 +0000 (20:08 +0800)]
crypto: pcbc - Convert to skcipher

This patch converts lrw over to the skcipher interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: simd - Add simd skcipher helper
Herbert Xu [Tue, 22 Nov 2016 12:08:25 +0000 (20:08 +0800)]
crypto: simd - Add simd skcipher helper

This patch adds the simd skcipher helper which is meant to be
a replacement for ablk helper.  It replaces the underlying blkcipher
interface with skcipher, and also presents the top-level algorithm
as an skcipher.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: cryptd - Add support for skcipher
Herbert Xu [Tue, 22 Nov 2016 12:08:23 +0000 (20:08 +0800)]
crypto: cryptd - Add support for skcipher

This patch adds skcipher support to cryptd alongside ablkcipher.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: api - Do not clear type bits in crypto_larval_lookup
Herbert Xu [Tue, 22 Nov 2016 12:08:21 +0000 (20:08 +0800)]
crypto: api - Do not clear type bits in crypto_larval_lookup

Currently all bits not set in mask are cleared in crypto_larval_lookup.
This is unnecessary as wherever the type bits are used it is always
masked anyway.

This patch removes the clearing so that we may use bits set in the
type but not in the mask for special purposes, e.g., picking up
internal algorithms.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: xts - Convert to skcipher
Herbert Xu [Tue, 22 Nov 2016 12:08:19 +0000 (20:08 +0800)]
crypto: xts - Convert to skcipher

This patch converts xts over to the skcipher interface.  It also
optimises the implementation to be based on ECB instead of the
underlying cipher.  For compatibility the existing naming scheme
of xts(aes) is maintained as opposed to the more obvious one of
xts(ecb(aes)).

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: lrw - Convert to skcipher
Herbert Xu [Tue, 22 Nov 2016 12:08:16 +0000 (20:08 +0800)]
crypto: lrw - Convert to skcipher

This patch converts lrw over to the skcipher interface.  It also
optimises the implementation to be based on ECB instead of the
underlying cipher.  For compatibility the existing naming scheme
of lrw(aes) is maintained as opposed to the more obvious one of
lrw(ecb(aes)).

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: aes-ce-ccm - Use skcipher walk interface
Herbert Xu [Tue, 22 Nov 2016 12:08:14 +0000 (20:08 +0800)]
crypto: aes-ce-ccm - Use skcipher walk interface

This patch makes use of the new skcipher walk interface instead of
the obsolete blkcipher walk interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: skcipher - Add skcipher walk interface
Herbert Xu [Tue, 22 Nov 2016 12:08:12 +0000 (20:08 +0800)]
crypto: skcipher - Add skcipher walk interface

This patch adds the skcipher walk interface which replaces both
blkcipher walk and ablkcipher walk.  Just like blkcipher walk it
can also be used for AEAD algorithms.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: crc32c-vpmsum - Rename CRYPT_CRC32C_VPMSUM option
Jean Delvare [Tue, 22 Nov 2016 09:32:44 +0000 (10:32 +0100)]
crypto: crc32c-vpmsum - Rename CRYPT_CRC32C_VPMSUM option

For consistency with the other 246 kernel configuration options,
rename CRYPT_CRC32C_VPMSUM to CRYPTO_CRC32C_VPMSUM.

Signed-off-by: Jean Delvare <jdelvare@suse.de>
Cc: Anton Blanchard <anton@samba.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Anton Blanchard <anton@samba.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: arm64/sha2 - integrate OpenSSL implementations of SHA256/SHA512
Ard Biesheuvel [Sun, 20 Nov 2016 11:42:01 +0000 (11:42 +0000)]
crypto: arm64/sha2 - integrate OpenSSL implementations of SHA256/SHA512

This integrates both the accelerated scalar and the NEON implementations
of SHA-224/256 as well as SHA-384/512 from the OpenSSL project.

Relative performance compared to the respective generic C versions:

                 |  SHA256-scalar  | SHA256-NEON* |  SHA512  |
     ------------+-----------------+--------------+----------+
     Cortex-A53  |      1.63x      |     1.63x    |   2.34x  |
     Cortex-A57  |      1.43x      |     1.59x    |   1.95x  |
     Cortex-A73  |      1.26x      |     1.56x    |     ?    |

The core crypto code was authored by Andy Polyakov of the OpenSSL
project, in collaboration with whom the upstream code was adapted so
that this module can be built from the same version of sha512-armv8.pl.

The version in this patch was taken from OpenSSL commit 32bbb62ea634
("sha/asm/sha512-armv8.pl: fix big-endian support in __KERNEL__ case.")

* The core SHA algorithm is fundamentally sequential, but there is a
  secondary transformation involved, called the schedule update, which
  can be performed independently. The NEON version of SHA-224/SHA-256
  only implements this part of the algorithm using NEON instructions,
  the sequential part is always done using scalar instructions.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: scatterwalk - Remove unnecessary aliasing check in map_and_copy
Herbert Xu [Mon, 21 Nov 2016 08:26:19 +0000 (16:26 +0800)]
crypto: scatterwalk - Remove unnecessary aliasing check in map_and_copy

The aliasing check in map_and_copy is no longer necessary because
the IPsec ESP code no longer provides an IV that points into the
actual request data.  As this check is now triggering BUG checks
due to the vmalloced stack code, I'm removing it.

Reported-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: algif_hash - Fix result clobbering in recvmsg
Herbert Xu [Mon, 21 Nov 2016 07:34:00 +0000 (15:34 +0800)]
crypto: algif_hash - Fix result clobbering in recvmsg

Recently an init call was added to hash_recvmsg so as to reset
the hash state in case a sendmsg call was never made.

Unfortunately this ended up clobbering the result if the previous
sendmsg was done with a MSG_MORE flag.  This patch fixes it by
excluding that case when we make the init call.

Fixes: a8348bca2944 ("algif_hash - Fix NULL hash crash with shash")
Reported-by: Patrick Steinhardt <ps@pks.im>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agohwrng: Make explicit that max >= 32 always
PrasannaKumar Muralidharan [Fri, 18 Nov 2016 17:30:10 +0000 (23:00 +0530)]
hwrng: Make explicit that max >= 32 always

As hw_random core calls ->read with max > 32 or more, make it explicit.
Also remove checks involving 'max' being less than 8.

Signed-off-by: PrasannaKumar Muralidharan <prasannatsmkumar@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: drbg - advance output buffer pointer
Stephan Mueller [Fri, 18 Nov 2016 11:27:56 +0000 (12:27 +0100)]
crypto: drbg - advance output buffer pointer

The CTR DRBG segments the number of random bytes to be generated into
128 byte blocks. The current code misses the advancement of the output
buffer pointer when the requestor asks for more than 128 bytes of data.
In this case, the next 128 byte block of random numbers is copied to
the beginning of the output buffer again. This implies that only the
first 128 bytes of the output buffer would ever be filled.

The patch adds the advancement of the buffer pointer to fill the entire
buffer.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: algif_hash - Fix NULL hash crash with shash
Herbert Xu [Thu, 17 Nov 2016 14:07:58 +0000 (22:07 +0800)]
crypto: algif_hash - Fix NULL hash crash with shash

Recently algif_hash has been changed to allow null hashes.  This
triggers a bug when used with an shash algorithm whereby it will
cause a crash during the digest operation.

This patch fixes it by avoiding the digest operation and instead
doing an init followed by a final which avoids the buggy code in
shash.

This patch also ensures that the result buffer is freed after an
error so that it is not returned as a genuine hash result on the
next recv call.

The shash/ahash wrapper code will be fixed later to handle this
case correctly.

Fixes: 493b2ed3f760 ("crypto: algif_hash - Handle NULL hashes correctly")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Laura Abbott <labbott@redhat.com>
8 years agocrypto: vmx - various build fixes
Naveen N. Rao [Wed, 16 Nov 2016 15:11:46 +0000 (20:41 +0530)]
crypto: vmx - various build fixes

First up, clean up the generated .S files properly on a 'make clean'.
Secondly, force re-generation of these files when building for different
endian-ness than what was built previously. Finally, generate the new
files in the build tree, rather than the source tree.

Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: sha-mb - Fix total_len for correct hash when larger than 512MB
Greg Tucker [Mon, 14 Nov 2016 23:11:44 +0000 (16:11 -0700)]
crypto: sha-mb - Fix total_len for correct hash when larger than 512MB

Current multi-buffer hash implementations have a restriction on the total
length of a hash job to 512MB. Hashing larger buffers will result in an
incorrect hash. This extends the limit to 2^62 - 1.

Signed-off-by: Greg Tucker <greg.b.tucker@intel.com>
Acked-by: Tim Chen <tim.c.chen@linux.intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: gf128mul - Zero memory when freeing multiplication table
Alex Cope [Mon, 14 Nov 2016 19:02:54 +0000 (11:02 -0800)]
crypto: gf128mul - Zero memory when freeing multiplication table

GF(2^128) multiplication tables are typically used for secret
information, so it's a good idea to zero them on free.

Signed-off-by: Alex Cope <alexcope@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agohwrng: atmel - use clk_disable_unprepare instead of clk_disable
Wei Yongjun [Fri, 11 Nov 2016 14:56:47 +0000 (14:56 +0000)]
hwrng: atmel - use clk_disable_unprepare instead of clk_disable

Since clk_prepare_enable() is used to get trng->clk, we should
use clk_disable_unprepare() to release it for the error path.

Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: nx - drop duplicate header types.h
Geliang Tang [Fri, 11 Nov 2016 12:50:38 +0000 (20:50 +0800)]
crypto: nx - drop duplicate header types.h

Drop duplicate header types.h from nx.c.

Signed-off-by: Geliang Tang <geliangtang@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: jitterentropy - drop duplicate header module.h
Geliang Tang [Fri, 11 Nov 2016 12:45:00 +0000 (20:45 +0800)]
crypto: jitterentropy - drop duplicate header module.h

Drop duplicate header module.h from jitterentropy-kcapi.c.

Signed-off-by: Geliang Tang <geliangtang@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - fix type mismatch warning
Arnd Bergmann [Tue, 25 Oct 2016 21:29:10 +0000 (23:29 +0200)]
crypto: caam - fix type mismatch warning

Building the caam driver on arm64 produces a harmless warning:

drivers/crypto/caam/caamalg.c:140:139: warning: comparison of distinct pointer types lacks a cast

We can use min_t to tell the compiler which type we want it to use
here.

Fixes: 5ecf8ef9103c ("crypto: caam - fix sg dump")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - merge identical ahash_final/finup shared desc
Horia Geantă [Wed, 9 Nov 2016 08:46:24 +0000 (10:46 +0200)]
crypto: caam - merge identical ahash_final/finup shared desc

Shared descriptors used by ahash_final() and ahash_finup()
are identical, thus get rid of one of them (sh_desc_finup).

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - constify pointer to descriptor buffer
Horia Geantă [Wed, 9 Nov 2016 08:46:23 +0000 (10:46 +0200)]
crypto: caam - constify pointer to descriptor buffer

The pointer to the descriptor buffer is not touched,
it always points to start of the descriptor buffer.
Thus, make it const.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - move sec4_sg_entry to sg_sw_sec4.h
Horia Geantă [Wed, 9 Nov 2016 08:46:22 +0000 (10:46 +0200)]
crypto: caam - move sec4_sg_entry to sg_sw_sec4.h

sec4_sg_entry structure is used only by helper functions in sg_sw_sec4.h.
Since SEC HW S/G entries are to be manipulated only indirectly, via these
functions, move sec4_sg_entry to the corresponding header.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agoRevert "crypto: caam - get rid of tasklet"
Horia Geantă [Wed, 9 Nov 2016 08:46:21 +0000 (10:46 +0200)]
Revert "crypto: caam - get rid of tasklet"

This reverts commit 66d2e2028091a074aa1290d2eeda5ddb1a6c329c.

Quoting from Russell's findings:
https://www.mail-archive.com/linux-crypto@vger.kernel.org/msg21136.html

[quote]
Okay, I've re-tested, using a different way of measuring, because using
openssl speed is impractical for off-loaded engines.  I've decided to
use this way to measure the performance:

dd if=/dev/zero bs=1048576 count=128 | /usr/bin/time openssl dgst -md5

For the threaded IRQs case gives:

0.05user 2.74system 0:05.30elapsed 52%CPU (0avgtext+0avgdata 2400maxresident)k
0.06user 2.52system 0:05.18elapsed 49%CPU (0avgtext+0avgdata 2404maxresident)k
0.12user 2.60system 0:05.61elapsed 48%CPU (0avgtext+0avgdata 2460maxresident)k
=> 5.36s => 25.0MB/s

and the tasklet case:

0.08user 2.53system 0:04.83elapsed 54%CPU (0avgtext+0avgdata 2468maxresident)k
0.09user 2.47system 0:05.16elapsed 49%CPU (0avgtext+0avgdata 2368maxresident)k
0.10user 2.51system 0:04.87elapsed 53%CPU (0avgtext+0avgdata 2460maxresident)k
=> 4.95 => 27.1MB/s

which corresponds to an 8% slowdown for the threaded IRQ case.  So,
tasklets are indeed faster than threaded IRQs.

[...]

I think I've proven from the above that this patch needs to be reverted
due to the performance regression, and that there _is_ most definitely
a deterimental effect of switching from tasklets to threaded IRQs.
[/quote]

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - fix DMA API mapping leak in ablkcipher code
Horia Geantă [Wed, 9 Nov 2016 08:46:20 +0000 (10:46 +0200)]
crypto: caam - fix DMA API mapping leak in ablkcipher code

alkcipher_edesc_alloc() and ablkcipher_giv_edesc_alloc() don't
free / unmap resources on error path:
- dmap_map_sg() could fail, thus make sure the return value is checked
- unmap DMA mappings in case of error

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - remove unreachable code in report_ccb_status()
Horia Geantă [Wed, 9 Nov 2016 08:46:19 +0000 (10:46 +0200)]
crypto: caam - remove unreachable code in report_ccb_status()

ERRID is a 4-bit field.
Since err_id values are in [0..15] and err_id_list array size is 16,
the condition "err_id < ARRAY_SIZE(err_id_list)" is always true.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - trivial code clean-up
Horia Geantă [Wed, 9 Nov 2016 08:46:18 +0000 (10:46 +0200)]
crypto: caam - trivial code clean-up

-replace offsetof with container_of
-remove unused "assoc_nents", "iv_dma" from aead_edesc
and fix comments
-remove unused CAAM_MAX_IV_LENGTH #define

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - remove unused command from aead givencrypt
Horia Geantă [Wed, 9 Nov 2016 08:46:17 +0000 (10:46 +0200)]
crypto: caam - remove unused command from aead givencrypt

REG3 no longer needs to be updated, since it's not used after that.
This shared descriptor command is a leftover of the conversion to
AEAD interface.

Fixes: 479bcc7c5b9e1 "crypto: caam - Convert authenc to new AEAD interface"
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - remove unused may_sleep in dbg_dump_sg()
Horia Geantă [Wed, 9 Nov 2016 08:46:16 +0000 (10:46 +0200)]
crypto: caam - remove unused may_sleep in dbg_dump_sg()

Fixes: 5ecf8ef9103cb "crypto: caam - fix sg dump"
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - fix smatch warnings
Horia Geantă [Wed, 9 Nov 2016 08:46:15 +0000 (10:46 +0200)]
crypto: caam - fix smatch warnings

Fix the following smatch warnings:

drivers/crypto/caam/caamalg.c:2350 aead_edesc_alloc() warn: we tested 'src_nents' before and it was 'true'
drivers/crypto/caam/caamrng.c:351 caam_rng_init() error: no modifiers for allocation.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - fix sparse warnings
Horia Geantă [Wed, 9 Nov 2016 08:46:14 +0000 (10:46 +0200)]
crypto: caam - fix sparse warnings

Fix the following sparse warning (note that endianness issues
are not not addressed in current patch):

drivers/crypto/caam/ctrl.c:388:24: warning: incorrect type in argument 1 (different address spaces)
drivers/crypto/caam/ctrl.c:388:24:    expected void [noderef] <asn:2>*reg
drivers/crypto/caam/ctrl.c:388:24:    got unsigned int *<noident>
drivers/crypto/caam/ctrl.c:390:24: warning: incorrect type in argument 1 (different address spaces)
drivers/crypto/caam/ctrl.c:390:24:    expected void [noderef] <asn:2>*reg
drivers/crypto/caam/ctrl.c:390:24:    got unsigned int *<noident>
drivers/crypto/caam/ctrl.c:548:24: warning: incorrect type in assignment (different address spaces)
drivers/crypto/caam/ctrl.c:548:24:    expected struct caam_ctrl [noderef] <asn:2>*ctrl
drivers/crypto/caam/ctrl.c:548:24:    got struct caam_ctrl *<noident>
drivers/crypto/caam/ctrl.c:550:30: warning: cast removes address space of expression
drivers/crypto/caam/ctrl.c:549:26: warning: incorrect type in assignment (different address spaces)
drivers/crypto/caam/ctrl.c:549:26:    expected struct caam_assurance [noderef] <asn:2>*assure
drivers/crypto/caam/ctrl.c:549:26:    got struct caam_assurance *<noident>
drivers/crypto/caam/ctrl.c:554:28: warning: cast removes address space of expression
drivers/crypto/caam/ctrl.c:553:24: warning: incorrect type in assignment (different address spaces)
drivers/crypto/caam/ctrl.c:553:24:    expected struct caam_deco [noderef] <asn:2>*deco
drivers/crypto/caam/ctrl.c:553:24:    got struct caam_deco *<noident>
drivers/crypto/caam/ctrl.c:634:48: warning: cast removes address space of expression
drivers/crypto/caam/ctrl.c:633:44: warning: incorrect type in assignment (different address spaces)
drivers/crypto/caam/ctrl.c:633:44:    expected struct caam_job_ring [noderef] <asn:2>*<noident>
drivers/crypto/caam/ctrl.c:633:44:    got struct caam_job_ring *<noident>
drivers/crypto/caam/ctrl.c:648:34: warning: cast removes address space of expression
drivers/crypto/caam/ctrl.c:647:30: warning: incorrect type in assignment (different address spaces)
drivers/crypto/caam/ctrl.c:647:30:    expected struct caam_queue_if [noderef] <asn:2>*qi
drivers/crypto/caam/ctrl.c:647:30:    got struct caam_queue_if *<noident>
drivers/crypto/caam/ctrl.c:806:37: warning: incorrect type in assignment (different address spaces)
drivers/crypto/caam/ctrl.c:806:37:    expected void *data
drivers/crypto/caam/ctrl.c:806:37:    got unsigned int [noderef] <asn:2>*
drivers/crypto/caam/ctrl.c:814:38: warning: incorrect type in assignment (different address spaces)
drivers/crypto/caam/ctrl.c:814:38:    expected void *data
drivers/crypto/caam/ctrl.c:814:38:    got unsigned int [noderef] <asn:2>*
drivers/crypto/caam/ctrl.c:822:38: warning: incorrect type in assignment (different address spaces)
drivers/crypto/caam/ctrl.c:822:38:    expected void *data
drivers/crypto/caam/ctrl.c:822:38:    got unsigned int [noderef] <asn:2>*
drivers/crypto/caam/jr.c:492:23: warning: incorrect type in assignment (different address spaces)
drivers/crypto/caam/jr.c:492:23:    expected struct caam_job_ring [noderef] <asn:2>*rregs
drivers/crypto/caam/jr.c:492:23:    got struct caam_job_ring *<noident>
drivers/crypto/caam/caampkc.c:398:35: warning: Using plain integer as NULL pointer
drivers/crypto/caam/caampkc.c:444:35: warning: Using plain integer as NULL pointer

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - desc.h fixes
Horia Geantă [Wed, 9 Nov 2016 08:46:13 +0000 (10:46 +0200)]
crypto: caam - desc.h fixes

1. fix HDR_START_IDX_MASK, HDR_SD_SHARE_MASK, HDR_JD_SHARE_MASK
Define HDR_START_IDX_MASK consistently with the other masks:
mask = bitmask << offset

2. OP_ALG_TYPE_CLASS1 and OP_ALG_TYPE_CLASS2 must be shifted.

3. fix FIFO_STORE output data type value for AFHA S-Box

4. fix OPERATION pkha modular arithmetic source mask

5. rename LDST_SRCDST_WORD_CLASS1_ICV_SZ to
LDST_SRCDST_WORD_CLASS1_IV_SZ (it refers to IV, not ICV).

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - completely remove error propagation handling
Horia Geantă [Wed, 9 Nov 2016 08:46:12 +0000 (10:46 +0200)]
crypto: caam - completely remove error propagation handling

Commit 4464a7d4f53d756101291da26563f37f7fce40f3
("crypto: caam - remove error propagation handling")
removed error propagation handling only from caamalg.

Do this in all other places: caamhash, caamrng.
Update descriptors' lengths appropriately.

Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: caam - fix AEAD givenc descriptors
Alex Porosanu [Wed, 9 Nov 2016 08:46:11 +0000 (10:46 +0200)]
crypto: caam - fix AEAD givenc descriptors

The AEAD givenc descriptor relies on moving the IV through the
output FIFO and then back to the CTX2 for authentication. The
SEQ FIFO STORE could be scheduled before the data can be
read from OFIFO, especially since the SEQ FIFO LOAD needs
to wait for the SEQ FIFO LOAD SKIP to finish first. The
SKIP takes more time when the input is SG than when it's
a contiguous buffer. If the SEQ FIFO LOAD is not scheduled
before the STORE, the DECO will hang waiting for data
to be available in the OFIFO so it can be transferred to C2.
In order to overcome this, first force transfer of IV to C2
by starting the "cryptlen" transfer first and then starting to
store data from OFIFO to the output buffer.

Fixes: 1acebad3d8db8 ("crypto: caam - faster aead implementation")
Cc: <stable@vger.kernel.org> # 3.2+
Signed-off-by: Alex Porosanu <alexandru.porosanu@nxp.com>
Signed-off-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: gf128mul - remove dead gf128mul_64k_lle code
Alex Cope [Wed, 9 Nov 2016 01:16:58 +0000 (17:16 -0800)]
crypto: gf128mul - remove dead gf128mul_64k_lle code

This code is unlikely to be useful in the future because transforms
don't know how often keys will be changed, new algorithms are unlikely
to use lle representation, and tables should be replaced with
carryless multiplication instructions when available.

Signed-off-by: Alex Cope <alexcope@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
8 years agocrypto: dh - Consistenly return negative error codes
Mat Martineau [Tue, 8 Nov 2016 23:48:22 +0000 (15:48 -0800)]
crypto: dh - Consistenly return negative error codes

Fix the single instance where a positive EINVAL was returned.

Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>