GitHub/moto-9609/android_kernel_motorola_exynos9610.git
9 years agocrypto: arm - workaround for building with old binutils
Ard Biesheuvel [Sat, 11 Apr 2015 13:32:34 +0000 (15:32 +0200)]
crypto: arm - workaround for building with old binutils

Old versions of binutils (before 2.23) do not yet understand the
crypto-neon-fp-armv8 fpu instructions, and an attempt to build these
files results in a build failure:

arch/arm/crypto/aes-ce-core.S:133: Error: selected processor does not support ARM mode `vld1.8 {q10-q11},[ip]!'
arch/arm/crypto/aes-ce-core.S:133: Error: bad instruction `aese.8 q0,q8'
arch/arm/crypto/aes-ce-core.S:133: Error: bad instruction `aesmc.8 q0,q0'
arch/arm/crypto/aes-ce-core.S:133: Error: bad instruction `aese.8 q0,q9'
arch/arm/crypto/aes-ce-core.S:133: Error: bad instruction `aesmc.8 q0,q0'

Since the affected versions are still in widespread use, and this breaks
'allmodconfig' builds, we should try to at least get a successful kernel
build. Unfortunately, I could not come up with a way to make the Kconfig
symbol depend on the binutils version, which would be the nicest solution.

Instead, this patch uses the 'as-instr' Kbuild macro to find out whether
the support is present in the assembler, and otherwise emits a non-fatal
warning indicating which selected modules could not be built.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: http://storage.kernelci.org/next/next-20150410/arm-allmodconfig/build.log
Fixes: 864cbeed4ab22d ("crypto: arm - add support for SHA1 using ARMv8 Crypto Instructions")
[ard.biesheuvel:
 - omit modules entirely instead of building empty ones if binutils is too old
 - update commit log accordingly]
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: arm/sha256 - avoid sha256 code on ARMv7-M
Arnd Bergmann [Sat, 11 Apr 2015 08:48:44 +0000 (10:48 +0200)]
crypto: arm/sha256 - avoid sha256 code on ARMv7-M

The sha256 assembly implementation can deal with all architecture levels
from ARMv4 to ARMv7-A, but not with ARMv7-M. Enabling it in an
ARMv7-M kernel results in this build failure:

arm-linux-gnueabi-ld: error: arch/arm/crypto/sha256_glue.o: Conflicting architecture profiles M/A
arm-linux-gnueabi-ld: failed to merge target specific data of file arch/arm/crypto/sha256_glue.o

This adds a Kconfig dependency to prevent the code from being disabled
for ARMv7-M.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: x86/sha512_ssse3 - move SHA-384/512 SSSE3 implementation to base layer
Ard Biesheuvel [Thu, 9 Apr 2015 10:55:48 +0000 (12:55 +0200)]
crypto: x86/sha512_ssse3 - move SHA-384/512 SSSE3 implementation to base layer

This removes all the boilerplate from the existing implementation,
and replaces it with calls into the base layer.  It also changes the
prototypes of the core asm functions to be compatible with the base
prototype

  void (sha512_block_fn)(struct sha256_state *sst, u8 const *src, int blocks)

so that they can be passed to the base layer directly.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: x86/sha256_ssse3 - move SHA-224/256 SSSE3 implementation to base layer
Ard Biesheuvel [Thu, 9 Apr 2015 10:55:47 +0000 (12:55 +0200)]
crypto: x86/sha256_ssse3 - move SHA-224/256 SSSE3 implementation to base layer

This removes all the boilerplate from the existing implementation,
and replaces it with calls into the base layer. It also changes the
prototypes of the core asm functions to be compatible with the base
prototype

  void (sha256_block_fn)(struct sha256_state *sst, u8 const *src, int blocks)

so that they can be passed to the base layer directly.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: x86/sha1_ssse3 - move SHA-1 SSSE3 implementation to base layer
Ard Biesheuvel [Thu, 9 Apr 2015 10:55:46 +0000 (12:55 +0200)]
crypto: x86/sha1_ssse3 - move SHA-1 SSSE3 implementation to base layer

This removes all the boilerplate from the existing implementation,
and replaces it with calls into the base layer.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: arm64/sha2-ce - move SHA-224/256 ARMv8 implementation to base layer
Ard Biesheuvel [Thu, 9 Apr 2015 10:55:45 +0000 (12:55 +0200)]
crypto: arm64/sha2-ce - move SHA-224/256 ARMv8 implementation to base layer

This removes all the boilerplate from the existing implementation,
and replaces it with calls into the base layer.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: arm64/sha1-ce - move SHA-1 ARMv8 implementation to base layer
Ard Biesheuvel [Thu, 9 Apr 2015 10:55:44 +0000 (12:55 +0200)]
crypto: arm64/sha1-ce - move SHA-1 ARMv8 implementation to base layer

This removes all the boilerplate from the existing implementation,
and replaces it with calls into the base layer.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: arm/sha2-ce - move SHA-224/256 ARMv8 implementation to base layer
Ard Biesheuvel [Thu, 9 Apr 2015 10:55:43 +0000 (12:55 +0200)]
crypto: arm/sha2-ce - move SHA-224/256 ARMv8 implementation to base layer

This removes all the boilerplate from the existing implementation,
and replaces it with calls into the base layer.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: arm/sha256 - move SHA-224/256 ASM/NEON implementation to base layer
Ard Biesheuvel [Thu, 9 Apr 2015 10:55:42 +0000 (12:55 +0200)]
crypto: arm/sha256 - move SHA-224/256 ASM/NEON implementation to base layer

This removes all the boilerplate from the existing implementation,
and replaces it with calls into the base layer.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: arm/sha1-ce - move SHA-1 ARMv8 implementation to base layer
Ard Biesheuvel [Thu, 9 Apr 2015 10:55:41 +0000 (12:55 +0200)]
crypto: arm/sha1-ce - move SHA-1 ARMv8 implementation to base layer

This removes all the boilerplate from the existing implementation,
and replaces it with calls into the base layer.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: arm/sha1_neon - move SHA-1 NEON implementation to base layer
Ard Biesheuvel [Thu, 9 Apr 2015 10:55:40 +0000 (12:55 +0200)]
crypto: arm/sha1_neon - move SHA-1 NEON implementation to base layer

This removes all the boilerplate from the existing implementation,
and replaces it with calls into the base layer.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: arm/sha1 - move SHA-1 ARM asm implementation to base layer
Ard Biesheuvel [Thu, 9 Apr 2015 10:55:39 +0000 (12:55 +0200)]
crypto: arm/sha1 - move SHA-1 ARM asm implementation to base layer

This removes all the boilerplate from the existing implementation,
and replaces it with calls into the base layer.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: sha512-generic - move to generic glue implementation
Ard Biesheuvel [Thu, 9 Apr 2015 10:55:38 +0000 (12:55 +0200)]
crypto: sha512-generic - move to generic glue implementation

This updated the generic SHA-512 implementation to use the
generic shared SHA-512 glue code.

It also implements a .finup hook crypto_sha512_finup() and exports
it to other modules. The import and export() functions and the
.statesize member are dropped, since the default implementation
is perfectly suitable for this module.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: sha256-generic - move to generic glue implementation
Ard Biesheuvel [Thu, 9 Apr 2015 10:55:37 +0000 (12:55 +0200)]
crypto: sha256-generic - move to generic glue implementation

This updates the generic SHA-256 implementation to use the
new shared SHA-256 glue code.

It also implements a .finup hook crypto_sha256_finup() and exports
it to other modules. The import and export() functions and the
.statesize member are dropped, since the default implementation
is perfectly suitable for this module.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: sha1-generic - move to generic glue implementation
Ard Biesheuvel [Thu, 9 Apr 2015 10:55:36 +0000 (12:55 +0200)]
crypto: sha1-generic - move to generic glue implementation

This updated the generic SHA-1 implementation to use the generic
shared SHA-1 glue code.

It also implements a .finup hook crypto_sha1_finup() and exports
it to other modules. The import and export() functions and the
.statesize member are dropped, since the default implementation
is perfectly suitable for this module.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: sha512 - implement base layer for SHA-512
Ard Biesheuvel [Thu, 9 Apr 2015 10:55:35 +0000 (12:55 +0200)]
crypto: sha512 - implement base layer for SHA-512

To reduce the number of copies of boilerplate code throughout
the tree, this patch implements generic glue for the SHA-512
algorithm. This allows a specific arch or hardware implementation
to only implement the special handling that it needs.

The users need to supply an implementation of

  void (sha512_block_fn)(struct sha512_state *sst, u8 const *src, int blocks)

and pass it to the SHA-512 base functions. For easy casting between the
prototype above and existing block functions that take a 'u64 state[]'
as their first argument, the 'state' member of struct sha512_state is
moved to the base of the struct.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: sha256 - implement base layer for SHA-256
Ard Biesheuvel [Thu, 9 Apr 2015 10:55:34 +0000 (12:55 +0200)]
crypto: sha256 - implement base layer for SHA-256

To reduce the number of copies of boilerplate code throughout
the tree, this patch implements generic glue for the SHA-256
algorithm. This allows a specific arch or hardware implementation
to only implement the special handling that it needs.

The users need to supply an implementation of

  void (sha256_block_fn)(struct sha256_state *sst, u8 const *src, int blocks)

and pass it to the SHA-256 base functions. For easy casting between the
prototype above and existing block functions that take a 'u32 state[]'
as their first argument, the 'state' member of struct sha256_state is
moved to the base of the struct.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: sha1 - implement base layer for SHA-1
Ard Biesheuvel [Thu, 9 Apr 2015 10:55:33 +0000 (12:55 +0200)]
crypto: sha1 - implement base layer for SHA-1

To reduce the number of copies of boilerplate code throughout
the tree, this patch implements generic glue for the SHA-1
algorithm. This allows a specific arch or hardware implementation
to only implement the special handling that it needs.

The users need to supply an implementation of

  void (sha1_block_fn)(struct sha1_state *sst, u8 const *src, int blocks)

and pass it to the SHA-1 base functions. For easy casting between the
prototype above and existing block functions that take a 'u32 state[]'
as their first argument, the 'state' member of struct sha1_state is
moved to the base of the struct.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: api - remove instance when test failed
Stephan Mueller [Thu, 9 Apr 2015 10:09:55 +0000 (12:09 +0200)]
crypto: api - remove instance when test failed

A cipher instance is added to the list of instances unconditionally
regardless of whether the associated test failed. However, a failed
test implies that during another lookup, the cipher instance will
be added to the list again as it will not be found by the lookup
code.

That means that the list can be filled up with instances whose tests
failed.

Note: tests only fail in reality in FIPS mode when a cipher is not
marked as fips_allowed=1. This can be seen with cmac(des3_ede) that does
not have a fips_allowed=1. When allocating the cipher, the allocation
fails with -ENOENT due to the missing fips_allowed=1 flag (which
causes the testmgr to return EINVAL). Yet, the instance of
cmac(des3_ede) is shown in /proc/crypto. Allocating the cipher again
fails again, but a 2nd instance is listed in /proc/crypto.

The patch simply de-registers the instance when the testing failed.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: api - Move alg ref count init to crypto_check_alg
Herbert Xu [Thu, 9 Apr 2015 09:40:35 +0000 (17:40 +0800)]
crypto: api - Move alg ref count init to crypto_check_alg

We currently initialise the crypto_alg ref count in the function
__crypto_register_alg.  As one of the callers of that function
crypto_register_instance needs to obtain a ref count before it
calls __crypto_register_alg, we need to move the initialisation
out of there.

Since both callers of __crypto_register_alg call crypto_check_alg,
this is the logical place to perform the initialisation.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Stephan Mueller <smueller@chronox.de>
9 years agocrypto: sahara - fix AES descriptor create
Steffen Trumtrar [Tue, 7 Apr 2015 15:13:42 +0000 (17:13 +0200)]
crypto: sahara - fix AES descriptor create

The AES implementation still assumes, that the hw_desc[0] has a valid
key as long as no new key needs to be set; consequentialy it always
sets the AES key header for the first descriptor and puts data into
the second one (hw_desc[1]).

Change this to only update the key in the hardware, when a new key is
to be set and use the first descriptor for data otherwise.

Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: sahara - use the backlog
Steffen Trumtrar [Tue, 7 Apr 2015 15:13:41 +0000 (17:13 +0200)]
crypto: sahara - use the backlog

With commit

7e77bdebff5cb1e9876c561f69710b9ab8fa1f7e crypto: af_alg - fix backlog handling

in place, the backlog works under all circumstances where it previously failed, atleast
for the sahara driver. Use it.

Signed-off-by: Steffen Trumtrar <s.trumtrar@pengutronix.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: user - Fix crypto_alg_match race
Herbert Xu [Tue, 7 Apr 2015 13:27:01 +0000 (21:27 +0800)]
crypto: user - Fix crypto_alg_match race

The function crypto_alg_match returns an algorithm without taking
any references on it.  This means that the algorithm can be freed
at any time, therefore all users of crypto_alg_match are buggy.

This patch fixes this by taking a reference count on the algorithm
to prevent such races.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: atmel-aes - correct usage of dma_sync_* API
Leilei Zhao [Tue, 7 Apr 2015 09:45:11 +0000 (17:45 +0800)]
crypto: atmel-aes - correct usage of dma_sync_* API

The output buffer is used for CPU access, so
the API should be dma_sync_single_for_cpu which
makes the cache line invalid in order to reload
the value in memory.

Signed-off-by: Leilei Zhao <leilei.zhao@atmel.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: atmel-aes - sync the buf used in DMA or CPU
Leilei Zhao [Tue, 7 Apr 2015 09:45:10 +0000 (17:45 +0800)]
crypto: atmel-aes - sync the buf used in DMA or CPU

The input buffer and output buffer are mapped for DMA transfer
in Atmel AES driver. But they are also be used by CPU when
the requested crypt length is not bigger than the threshold
value 16. The buffers will be cached in cache line when CPU
accessed them. When DMA uses the buffers again, the memory
can happened to be flushed by cache while DMA starts transfer.

So using API dma_sync_single_for_device and dma_sync_single_for_cpu
in DMA to ensure DMA coherence and CPU always access the correct
value. This fix the issue that the encrypted result periodically goes
wrong when doing performance test with OpenSSH.

Signed-off-by: Leilei Zhao <leilei.zhao@atmel.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: atmel-aes - initialize spinlock in probe
Leilei Zhao [Tue, 7 Apr 2015 09:45:09 +0000 (17:45 +0800)]
crypto: atmel-aes - initialize spinlock in probe

Kernel will report "BUG: spinlock lockup suspected on CPU#0"
when CONFIG_DEBUG_SPINLOCK is enabled in kernel config and the
spinlock is used at the first time. It's caused by uninitialized
spinlock, so just initialize it in probe.

Signed-off-by: Leilei Zhao <leilei.zhao@atmel.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: atmel-tdes - initialize spinlock in probe
Leilei Zhao [Tue, 7 Apr 2015 09:45:08 +0000 (17:45 +0800)]
crypto: atmel-tdes - initialize spinlock in probe

Kernel will report "BUG: spinlock lockup suspected on CPU#0"
when CONFIG_DEBUG_SPINLOCK is enabled in kernel config and the
spinlock is used at the first time. It's caused by uninitialized
spinlock, so just initialize it in probe.

Signed-off-by: Leilei Zhao <leilei.zhao@atmel.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: atmel-sha - correct the max burst size
Leilei Zhao [Tue, 7 Apr 2015 09:45:07 +0000 (17:45 +0800)]
crypto: atmel-sha - correct the max burst size

The maximum source and destination burst size is 16
according to the datasheet of Atmel DMA. And the value
is also checked in function at_xdmac_csize of Atmel
DMA driver. With the restrict, the value beyond maximum
value will not be processed in DMA driver, so SHA384 and
SHA512 will not work and the program will wait forever.

So here change the max burst size of all the cases to 16
in order to make SHA384 and SHA512 work and keep consistent
with DMA driver and datasheet.

Signed-off-by: Leilei Zhao <leilei.zhao@atmel.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: atmel-sha - initialize spinlock in probe
Leilei Zhao [Tue, 7 Apr 2015 09:45:06 +0000 (17:45 +0800)]
crypto: atmel-sha - initialize spinlock in probe

Kernel will report "BUG: spinlock lockup suspected on CPU#0"
when CONFIG_DEBUG_SPINLOCK is enabled in kernel config and the
spinlock is used at the first time. It's caused by uninitialized
spinlock, so just initialize it in probe.

Signed-off-by: Leilei Zhao <leilei.zhao@atmel.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: atmel-sha - fix sg list management
Leilei Zhao [Tue, 7 Apr 2015 09:45:05 +0000 (17:45 +0800)]
crypto: atmel-sha - fix sg list management

Having a zero length sg doesn't mean it is the end of the sg list. This
case happens when calculating HMAC of IPSec packet.

Signed-off-by: Leilei Zhao <leilei.zhao@atmel.com>
Signed-off-by: Ludovic Desroches <ludovic.desroches@atmel.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: atmel-sha - correct the way data are split
Ludovic Desroches [Tue, 7 Apr 2015 09:45:04 +0000 (17:45 +0800)]
crypto: atmel-sha - correct the way data are split

When a hash is requested on data bigger than the buffer allocated by the
SHA driver, the way DMA transfers are performed is quite strange:
The buffer is filled at each update request. When full, a DMA transfer
is done. On next update request, another DMA transfer is done. Then we
wait to have a full buffer (or the end of the data) to perform the dma
transfer. Such a situation lead sometimes, on SAMA5D4, to a case where
dma transfer is finished but the data ready irq never comes. Moreover
hash was incorrect in this case.

With this patch, dma transfers are only performed when the buffer is
full or when there is no more data. So it removes the transfer whose size
is equal the update size after the full buffer transmission.

Signed-off-by: Ludovic Desroches <ludovic.desroches@atmel.com>
Signed-off-by: Leilei Zhao <leilei.zhao@atmel.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: atmel-sha - add new version
Leilei Zhao [Tue, 7 Apr 2015 09:45:03 +0000 (17:45 +0800)]
crypto: atmel-sha - add new version

Add new version of atmel-sha available with SAMA5D4 devices.

Signed-off-by: Leilei Zhao <leilei.zhao@atmel.com>
Signed-off-by: Ludovic Desroches <ludovic.desroches@atmel.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: atmel-aes - add new version
Leilei Zhao [Tue, 7 Apr 2015 09:45:02 +0000 (17:45 +0800)]
crypto: atmel-aes - add new version

Add new version of atmel-aes available with SAMA5D4 devices.

Signed-off-by: Leilei Zhao <leilei.zhao@atmel.com>
Signed-off-by: Ludovic Desroches <ludovic.desroches@atmel.com>
Acked-by: Nicolas Ferre <nicolas.ferre@atmel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: qat - fix double release_firmware on error path
Tadeusz Struk [Fri, 3 Apr 2015 15:41:17 +0000 (08:41 -0700)]
crypto: qat - fix double release_firmware on error path

release_firmware was called twice on error path causing an Oops.

Reported-by: Ahsan Atta <ahsan.atta@intel.com>
Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: qat - print ring name in debug output
Tadeusz Struk [Fri, 3 Apr 2015 15:40:58 +0000 (08:40 -0700)]
crypto: qat - print ring name in debug output

Ring name was allocated but never refenenced.
It was supposed to be printed out in debug output.

Signed-off-by: Tadeusz Struk <tadeusz.struk@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: serpent_sse2 - Fix a typo in Kconfig
Masanari Iida [Fri, 3 Apr 2015 15:20:30 +0000 (00:20 +0900)]
crypto: serpent_sse2 - Fix a typo in Kconfig

This patch fix a spelling typo in crypto/Kconfig.

Signed-off-by: Masanari Iida <standby24x7@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: arm/sha256 - Add optimized SHA-256/224
Sami Tolvanen [Fri, 3 Apr 2015 10:03:40 +0000 (18:03 +0800)]
crypto: arm/sha256 - Add optimized SHA-256/224

Add Andy Polyakov's optimized assembly and NEON implementations for
SHA-256/224.

The sha256-armv4.pl script for generating the assembly code is from
OpenSSL commit 51f8d095562f36cdaa6893597b5c609e943b0565.

Compared to sha256-generic these implementations have the following
tcrypt speed improvements on Motorola Nexus 6 (Snapdragon 805):

  bs    b/u      sha256-neon  sha256-asm
  16    16       x1.32        x1.19
  64    16       x1.27        x1.15
  64    64       x1.36        x1.20
  256   16       x1.22        x1.11
  256   64       x1.36        x1.19
  256   256      x1.59        x1.23
  1024  16       x1.21        x1.10
  1024  256      x1.65        x1.23
  1024  1024     x1.76        x1.25
  2048  16       x1.21        x1.10
  2048  256      x1.66        x1.23
  2048  1024     x1.78        x1.25
  2048  2048     x1.79        x1.25
  4096  16       x1.20        x1.09
  4096  256      x1.66        x1.23
  4096  1024     x1.79        x1.26
  4096  4096     x1.82        x1.26
  8192  16       x1.20        x1.09
  8192  256      x1.67        x1.23
  8192  1024     x1.80        x1.26
  8192  4096     x1.85        x1.28
  8192  8192     x1.85        x1.27

Where bs refers to block size and b/u to bytes per update.

Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
Cc: Andy Polyakov <appro@openssl.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: api - Change crypto_unregister_instance argument type
Herbert Xu [Thu, 2 Apr 2015 14:39:40 +0000 (22:39 +0800)]
crypto: api - Change crypto_unregister_instance argument type

This patch makes crypto_unregister_instance take a crypto_instance
instead of a crypto_alg.  This allows us to remove a duplicate
CRYPTO_ALG_INSTANCE check in crypto_unregister_instance.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: api - Fix races in crypto_unregister_instance
Herbert Xu [Thu, 2 Apr 2015 14:31:22 +0000 (22:31 +0800)]
crypto: api - Fix races in crypto_unregister_instance

There are multiple problems in crypto_unregister_instance:

1) The cra_refcnt BUG_ON check is racy and can cause crashes.
2) The cra_refcnt check shouldn't exist at all.
3) There is no reference on tmpl to protect the tmpl->free call.

This patch rewrites the function using crypto_remove_spawn which
now morphs into crypto_remove_instance.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: omap-sham - Add the offset of sg page to vaddr
Vutla, Lokesh [Thu, 2 Apr 2015 10:02:45 +0000 (15:32 +0530)]
crypto: omap-sham - Add the offset of sg page to vaddr

kmap_atomic() gives only the page address of the input page.
Driver should take care of adding the offset of the scatterlist
within the page to the returned page address.
omap-sham driver is not adding the offset to page and directly operates
on the return vale of kmap_atomic(), because of which the following
error comes when running crypto tests:

00000000: d9 a1 1b 7c aa 90 3b aa 11 ab cb 25 00 b8 ac bf
[    2.338169] 00000010: c1 39 cd ff 48 d0 a8 e2 2b fa 33 a1
[    2.344008] alg: hash: Chunking test 1 failed for omap-sha256

So adding the scatterlist offset to vaddr.

Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: qat - fix checkpatch CODE_INDENT issue
Allan, Bruce W [Tue, 31 Mar 2015 16:30:55 +0000 (09:30 -0700)]
crypto: qat - fix checkpatch CODE_INDENT issue

ERROR:CODE_INDENT: code indent should use tabs where possible

Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: qat - fix checkpatch COMPARISON_TO_NULL issue
Allan, Bruce W [Tue, 31 Mar 2015 16:30:50 +0000 (09:30 -0700)]
crypto: qat - fix checkpatch COMPARISON_TO_NULL issue

CHECK:COMPARISON_TO_NULL: Comparison to NULL could be written
"!device_reset_wq"

Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: qat - fix checkpatch BIT_MACRO issues
Allan, Bruce W [Tue, 31 Mar 2015 16:30:45 +0000 (09:30 -0700)]
crypto: qat - fix checkpatch BIT_MACRO issues

CHECK:BIT_MACRO: Prefer using the BIT macro

Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: qat - fix checkpatch CONCATENATED_STRING issues
Allan, Bruce W [Tue, 31 Mar 2015 16:30:40 +0000 (09:30 -0700)]
crypto: qat - fix checkpatch CONCATENATED_STRING issues

CHECK:CONCATENATED_STRING: Concatenated strings should use spaces between
elements

Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: qat - checkpatch PARENTHESIS_ALIGNMENT and LOGICAL_CONTINUATIONS
Allan, Bruce W [Tue, 31 Mar 2015 16:30:35 +0000 (09:30 -0700)]
crypto: qat - checkpatch PARENTHESIS_ALIGNMENT and LOGICAL_CONTINUATIONS

Cleanup code to fix the subject checkpatch warnings

Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: qat - fix checkpatch CHECK_SPACING issues
Allan, Bruce W [Tue, 31 Mar 2015 16:30:29 +0000 (09:30 -0700)]
crypto: qat - fix checkpatch CHECK_SPACING issues

Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: qat - fix typo
Allan, Bruce W [Tue, 31 Mar 2015 16:30:24 +0000 (09:30 -0700)]
crypto: qat - fix typo

adt_ctl_drv should be adf_ctl_drv

Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: omap-aes - Fix support for unequal lengths
Vutla, Lokesh [Tue, 31 Mar 2015 04:22:25 +0000 (09:52 +0530)]
crypto: omap-aes - Fix support for unequal lengths

For cases where total length of an input SGs is not same as
length of the input data for encryption, omap-aes driver
crashes. This happens in the case when IPsec is trying to use
omap-aes driver.

To avoid this, we copy all the pages from the input SG list
into a contiguous buffer and prepare a single element SG list
for this buffer with length as the total bytes to crypt, which is
similar thing that is done in case of unaligned lengths.

Fixes: 6242332ff2f3 ("crypto: omap-aes - Add support for cases of unaligned lengths")
Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: omap-sham - Use pm_runtime_irq_safe()
Vutla, Lokesh [Tue, 31 Mar 2015 04:22:24 +0000 (09:52 +0530)]
crypto: omap-sham - Use pm_runtime_irq_safe()

omap_sham_handle_queue() can be called as part of done_task tasklet.
During this its atomic and any calls to pm functions cannot sleep.

But there is a call to pm_runtime_get_sync() (which can sleep) in
omap_sham_handle_queue(), because of which the following appears:
" [  116.169969] BUG: scheduling while atomic: kworker/0:2/2676/0x00000100"

Add pm_runtime_irq_safe() to avoid this.

Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: sha-mb - mark Multi buffer SHA1 helper cipher
Stephan Mueller [Mon, 30 Mar 2015 20:11:46 +0000 (22:11 +0200)]
crypto: sha-mb - mark Multi buffer SHA1 helper cipher

Flag all Multi buffer SHA1 helper ciphers as internal ciphers
to prevent them from being called by normal users.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: mcryptd - process CRYPTO_ALG_INTERNAL
Stephan Mueller [Mon, 30 Mar 2015 20:10:58 +0000 (22:10 +0200)]
crypto: mcryptd - process CRYPTO_ALG_INTERNAL

The mcryptd is used as a wrapper around internal ciphers. Therefore,
the mcryptd must process the internal cipher by marking mcryptd as
internal if the underlying cipher is an internal cipher.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: arm64/aes - mark 64 bit ARMv8 AES helper ciphers
Stephan Mueller [Mon, 30 Mar 2015 20:10:27 +0000 (22:10 +0200)]
crypto: arm64/aes - mark 64 bit ARMv8 AES helper ciphers

Flag all 64 bit ARMv8 AES helper ciphers as internal ciphers to
prevent them from being called by normal users.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: aes-ce - mark ARMv8 AES helper ciphers
Stephan Mueller [Mon, 30 Mar 2015 20:09:53 +0000 (22:09 +0200)]
crypto: aes-ce - mark ARMv8 AES helper ciphers

Flag all ARMv8 AES helper ciphers as internal ciphers to prevent
them from being called by normal users.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: aesbs - mark NEON bit sliced AES helper ciphers
Stephan Mueller [Mon, 30 Mar 2015 20:09:27 +0000 (22:09 +0200)]
crypto: aesbs - mark NEON bit sliced AES helper ciphers

Flag all NEON bit sliced AES helper ciphers as internal ciphers to
prevent them from being called by normal users.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: twofish_avx - mark Twofish AVX helper ciphers
Stephan Mueller [Mon, 30 Mar 2015 20:08:53 +0000 (22:08 +0200)]
crypto: twofish_avx - mark Twofish AVX helper ciphers

Flag all Twofish AVX helper ciphers as internal ciphers to prevent
them from being called by normal users.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: serpent_sse2 - mark Serpent SSE2 helper ciphers
Stephan Mueller [Mon, 30 Mar 2015 20:07:45 +0000 (22:07 +0200)]
crypto: serpent_sse2 - mark Serpent SSE2 helper ciphers

Flag all Serpent SSE2 helper ciphers as internal ciphers to prevent
them from being called by normal users.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: serpent_avx - mark Serpent AVX helper ciphers
Stephan Mueller [Mon, 30 Mar 2015 20:07:05 +0000 (22:07 +0200)]
crypto: serpent_avx - mark Serpent AVX helper ciphers

Flag all Serpent AVX helper ciphers as internal ciphers to prevent
them from being called by normal users.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: serpent_avx2 - mark Serpent AVX2 helper ciphers
Stephan Mueller [Mon, 30 Mar 2015 20:06:13 +0000 (22:06 +0200)]
crypto: serpent_avx2 - mark Serpent AVX2 helper ciphers

Flag all Serpent AVX2 helper ciphers as internal ciphers to prevent
them from being called by normal users.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: cast6_avx - mark CAST6 helper ciphers
Stephan Mueller [Mon, 30 Mar 2015 20:05:35 +0000 (22:05 +0200)]
crypto: cast6_avx - mark CAST6 helper ciphers

Flag all CAST6 helper ciphers as internal ciphers to prevent them
from being called by normal users.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: camellia_aesni_avx - mark AVX Camellia helper ciphers
Stephan Mueller [Mon, 30 Mar 2015 20:04:49 +0000 (22:04 +0200)]
crypto: camellia_aesni_avx - mark AVX Camellia helper ciphers

Flag all AVX Camellia helper ciphers as internal ciphers to prevent
them from being called by normal users.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: cast5_avx - mark CAST5 helper ciphers
Stephan Mueller [Mon, 30 Mar 2015 20:03:57 +0000 (22:03 +0200)]
crypto: cast5_avx - mark CAST5 helper ciphers

Flag all CAST5 helper ciphers as internal ciphers to prevent them
from being called by normal users.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: camellia_aesni_avx2 - mark AES-NI Camellia helper ciphers
Stephan Mueller [Mon, 30 Mar 2015 20:03:17 +0000 (22:03 +0200)]
crypto: camellia_aesni_avx2 - mark AES-NI Camellia helper ciphers

Flag all AES-NI Camellia helper ciphers as internal ciphers to
prevent them from being called by normal users.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: ghash-ce - mark GHASH ARMv8 vmull.p64 helper ciphers
Stephan Mueller [Mon, 30 Mar 2015 20:02:36 +0000 (22:02 +0200)]
crypto: ghash-ce - mark GHASH ARMv8 vmull.p64 helper ciphers

Flag all GHASH ARMv8 vmull.p64 helper ciphers as internal ciphers
to prevent them from being called by normal users.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: clmulni - mark ghash clmulni helper ciphers
Stephan Mueller [Mon, 30 Mar 2015 20:01:49 +0000 (22:01 +0200)]
crypto: clmulni - mark ghash clmulni helper ciphers

Flag all ash clmulni helper ciphers as internal ciphers to prevent them
from being called by normal users.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: aesni - mark AES-NI helper ciphers
Stephan Mueller [Mon, 30 Mar 2015 19:58:17 +0000 (21:58 +0200)]
crypto: aesni - mark AES-NI helper ciphers

Flag all AES-NI helper ciphers as internal ciphers to prevent them from
being called by normal users.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: proc - identify internal ciphers
Stephan Mueller [Mon, 30 Mar 2015 19:57:42 +0000 (21:57 +0200)]
crypto: proc - identify internal ciphers

With ciphers that now cannot be accessed via the kernel crypto API,
callers shall be able to identify the ciphers that are not callable. The
/proc/crypto file is added a boolean field identifying that such
internal ciphers.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: cryptd - process CRYPTO_ALG_INTERNAL
Stephan Mueller [Mon, 30 Mar 2015 19:57:06 +0000 (21:57 +0200)]
crypto: cryptd - process CRYPTO_ALG_INTERNAL

The cryptd is used as a wrapper around internal ciphers. Therefore, the
cryptd must process the internal cipher by marking cryptd as internal if
the underlying cipher is an internal cipher.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: testmgr - use CRYPTO_ALG_INTERNAL
Stephan Mueller [Mon, 30 Mar 2015 19:56:31 +0000 (21:56 +0200)]
crypto: testmgr - use CRYPTO_ALG_INTERNAL

Allocate the ciphers irrespectively if they are marked as internal
or not. As all ciphers, including the internal ciphers will be
processed by the testmgr, it needs to be able to allocate those
ciphers.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: api - prevent helper ciphers from being used
Stephan Mueller [Mon, 30 Mar 2015 19:55:52 +0000 (21:55 +0200)]
crypto: api - prevent helper ciphers from being used

Several hardware related cipher implementations are implemented as
follows: a "helper" cipher implementation is registered with the
kernel crypto API.

Such helper ciphers are never intended to be called by normal users. In
some cases, calling them via the normal crypto API may even cause
failures including kernel crashes. In a normal case, the "wrapping"
ciphers that use the helpers ensure that these helpers are invoked
such that they cannot cause any calamity.

Considering the AF_ALG user space interface, unprivileged users can
call all ciphers registered with the crypto API, including these
helper ciphers that are not intended to be called directly. That
means, with AF_ALG user space may invoke these helper ciphers
and may cause undefined states or side effects.

To avoid any potential side effects with such helpers, the patch
prevents the helpers to be called directly. A new cipher type
flag is added: CRYPTO_ALG_INTERNAL. This flag shall be used
to mark helper ciphers. These ciphers can only be used if the
caller invoke the cipher with CRYPTO_ALG_INTERNAL in the type and
mask field.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: arm/ghash - fix big-endian bug in ghash
Ard Biesheuvel [Mon, 23 Mar 2015 20:33:09 +0000 (21:33 +0100)]
crypto: arm/ghash - fix big-endian bug in ghash

This fixes a bug in the new v8 Crypto Extensions GHASH code
that only manifests itself in big-endian mode.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: img-hash - shift wrapping bug in img_hash_hw_init()
Dan Carpenter [Mon, 23 Mar 2015 11:03:55 +0000 (14:03 +0300)]
crypto: img-hash - shift wrapping bug in img_hash_hw_init()

"hdev->req->nbytes" is an unsigned int so we so we lose the upper 3 bits
to the shift wrap bug.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: img-hash - fix some compile warnings
Dan Carpenter [Fri, 20 Mar 2015 14:21:12 +0000 (17:21 +0300)]
crypto: img-hash - fix some compile warnings

GCC complains about that %u is the wrong format string for size_t and
also that "ret" is unused.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: qat - make error and info log messages more descriptive
Allan, Bruce W [Thu, 19 Mar 2015 23:03:44 +0000 (16:03 -0700)]
crypto: qat - make error and info log messages more descriptive

Convert pr_info() and pr_err() log messages to dev_info() and dev_err(),
respectively, where able.  This adds the module name and PCI B:D:F to
indicate which QAT device generated the log message.  The "QAT:" is removed
from these log messages as that is now unnecessary.  A few of these log
messages have additional spelling/contextual fixes.

Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: qat - fix typo in string
Allan, Bruce W [Thu, 19 Mar 2015 23:03:39 +0000 (16:03 -0700)]
crypto: qat - fix typo in string

Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: qat - remove duplicate definition of Intel PCI vendor id
Allan, Bruce W [Thu, 19 Mar 2015 23:03:33 +0000 (16:03 -0700)]
crypto: qat - remove duplicate definition of Intel PCI vendor id

This define is a duplicate of the one in ./include/linux/pci_ids.h

Signed-off-by: Bruce Allan <bruce.w.allan@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: img-hash - Fix Kconfig selections
James Hartley [Thu, 19 Mar 2015 16:46:24 +0000 (16:46 +0000)]
crypto: img-hash - Fix Kconfig selections

The Kconfig entry for CRYPTO_DEV_IMGTEC_HASH incorrectly selects
CRYPTO_SHA224, which does not exist (and is covered by CRYPTO_SHA256
which covers both 224 and 256). Remove it.

Also correct typo CRYPTO_ALG_API to be CRYPTO_ALGPI.

Reported-by: Valentin Rothberg <valentinrothberg@gmail.com>
Signed-off-by: James Hartley <james.hartley@imgtec.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agolib: memzero_explicit: use barrier instead of OPTIMIZER_HIDE_VAR
mancha security [Wed, 18 Mar 2015 17:47:25 +0000 (18:47 +0100)]
lib: memzero_explicit: use barrier instead of OPTIMIZER_HIDE_VAR

OPTIMIZER_HIDE_VAR(), as defined when using gcc, is insufficient to
ensure protection from dead store optimization.

For the random driver and crypto drivers, calls are emitted ...

  $ gdb vmlinux
  (gdb) disassemble memzero_explicit
  Dump of assembler code for function memzero_explicit:
    0xffffffff813a18b0 <+0>: push   %rbp
    0xffffffff813a18b1 <+1>: mov    %rsi,%rdx
    0xffffffff813a18b4 <+4>: xor    %esi,%esi
    0xffffffff813a18b6 <+6>: mov    %rsp,%rbp
    0xffffffff813a18b9 <+9>: callq  0xffffffff813a7120 <memset>
    0xffffffff813a18be <+14>: pop    %rbp
    0xffffffff813a18bf <+15>: retq
  End of assembler dump.

  (gdb) disassemble extract_entropy
  [...]
    0xffffffff814a5009 <+313>: mov    %r12,%rdi
    0xffffffff814a500c <+316>: mov    $0xa,%esi
    0xffffffff814a5011 <+321>: callq  0xffffffff813a18b0 <memzero_explicit>
    0xffffffff814a5016 <+326>: mov    -0x48(%rbp),%rax
  [...]

... but in case in future we might use facilities such as LTO, then
OPTIMIZER_HIDE_VAR() is not sufficient to protect gcc from a possible
eviction of the memset(). We have to use a compiler barrier instead.

Minimal test example when we assume memzero_explicit() would *not* be
a call, but would have been *inlined* instead:

  static inline void memzero_explicit(void *s, size_t count)
  {
    memset(s, 0, count);
    <foo>
  }

  int main(void)
  {
    char buff[20];

    snprintf(buff, sizeof(buff) - 1, "test");
    printf("%s", buff);

    memzero_explicit(buff, sizeof(buff));
    return 0;
  }

With <foo> := OPTIMIZER_HIDE_VAR():

  (gdb) disassemble main
  Dump of assembler code for function main:
  [...]
   0x0000000000400464 <+36>: callq  0x400410 <printf@plt>
   0x0000000000400469 <+41>: xor    %eax,%eax
   0x000000000040046b <+43>: add    $0x28,%rsp
   0x000000000040046f <+47>: retq
  End of assembler dump.

With <foo> := barrier():

  (gdb) disassemble main
  Dump of assembler code for function main:
  [...]
   0x0000000000400464 <+36>: callq  0x400410 <printf@plt>
   0x0000000000400469 <+41>: movq   $0x0,(%rsp)
   0x0000000000400471 <+49>: movq   $0x0,0x8(%rsp)
   0x000000000040047a <+58>: movl   $0x0,0x10(%rsp)
   0x0000000000400482 <+66>: xor    %eax,%eax
   0x0000000000400484 <+68>: add    $0x28,%rsp
   0x0000000000400488 <+72>: retq
  End of assembler dump.

As can be seen, movq, movq, movl are being emitted inlined
via memset().

Reference: http://thread.gmane.org/gmane.linux.kernel.cryptoapi/13764/
Fixes: d4c5efdb9777 ("random: add and use memzero_explicit() for clearing data")
Cc: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: mancha security <mancha1@zoho.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: core - allow perfect entropy from hardware devices
Keith Packard [Wed, 18 Mar 2015 07:17:00 +0000 (00:17 -0700)]
hwrng: core - allow perfect entropy from hardware devices

Hardware random number quality is measured from 0 (no entropy) to 1024
(perfect entropy). Allow hardware devices to assert the full range by
truncating the device-provided value at 1024 instead of 1023.

Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agolinux-next: build failure after merge of the crypto tree
Herbert Xu [Tue, 17 Mar 2015 11:11:31 +0000 (22:11 +1100)]
linux-next: build failure after merge of the crypto tree

crypto: img-hash - Add missing semicolon to fix build error

There is a missing semicolon after MODULE_DEVICE_TABLE.

Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: omap - Change RNG_CONFIG_REG to RNG_CONTROL_REG in init
Andre Wolokita [Mon, 16 Mar 2015 01:54:50 +0000 (12:54 +1100)]
hwrng: omap - Change RNG_CONFIG_REG to RNG_CONTROL_REG in init

omap4_rng_init() checks bit 10 of the RNG_CONFIG_REG to determine whether
the RNG is already running before performing any initiliasation. This is not
the correct register to check, as the enable bit is in RNG_CONFIG_CONTROL.
Read from RNG_CONTROL_REG instead.

Signed-off-by: Andre Wolokita <Andre.Wolokita@analog.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: omap - Change RNG_CONFIG_REG to RNG_CONTROL_REG when checking and disabling...
Andre Wolokita [Sun, 15 Mar 2015 23:19:11 +0000 (10:19 +1100)]
hwrng: omap - Change RNG_CONFIG_REG to RNG_CONTROL_REG when checking and disabling TRNG

In omap4_rng_init(), a check of bit 10 of the RNG_CONFIG_REG is done to determine
whether the RNG is running. This is suspicious firstly due to the use of
RNG_CONTROL_ENABLE_TRNG_MASK and secondly because the same mask is written to
RNG_CONTROL_REG after configuration of the FROs. Similar suspicious logic is
repeated in omap4_rng_cleanup() when RNG_CONTROL_REG masked with
RNG_CONTROL_ENABLE_TRNG_MASK is read, the same mask bit is cleared, and then
written to RNG_CONFIG_REG. Unless the TRNG is enabled with one bit in RNG_CONTROL
and disabled with another in RNG_CONFIG and these bits are mirrored in some way,
I believe that the TRNG is not really shutting off.

Apart from the strange logic, I have reason to suspect that the OMAP4 related
code in this driver is driving an Inside Secure IP hardware RNG and strongly
suspect that bit 10 of RNG_CONFIG_REG is one of the bits configuring the
sampling rate of the FROs. This option is by default set to 0 and is not being
set anywhere in omap-rng.c. Reading this bit during omap4_rng_init() will
always return 0. It will remain 0 because ~(value of TRNG_MASK in control) will
always be 0, because the TRNG is never shut off. This is of course presuming
that the OMAP4 features the Inside Secure IP.

I'm interested in knowing what the guys at TI think about this, as only they
can confirm or deny the detailed structure of these registers.

Signed-off-by: Andre Wolokita <Andre.Wolokita@analog.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: sha1-mb - Syntax error
Ameen Ali [Fri, 13 Mar 2015 21:38:21 +0000 (23:38 +0200)]
crypto: sha1-mb - Syntax error

fixing a syntax-error .

Signed-off-by: Ameen Ali <AmeenAli023@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: algif_rng - zeroize buffer with random data
Stephan Mueller [Fri, 13 Mar 2015 10:44:07 +0000 (11:44 +0100)]
crypto: algif_rng - zeroize buffer with random data

Due to the change to RNGs to always return zero in success case, the RNG
interface must zeroize the buffer with the length provided by the
caller.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agoDocumentation: crypto: Add DT binding info for the img hw hash accelerator
James Hartley [Thu, 12 Mar 2015 23:17:27 +0000 (23:17 +0000)]
Documentation: crypto: Add DT binding info for the img hw hash accelerator

This adds the binding documentation for the Imagination Technologies hash
accelerator that provides hardware acceleration for SHA1/SHA224/SHA256/MD5
hashes.  This hardware will be present in the upcoming pistachio SoC.

Signed-off-by: James Hartley <james.hartley@imgtec.com>
Reviewed-by: Andrew Bresticker <abrestic@chromium.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: img-hash - Add Imagination Technologies hw hash accelerator
James Hartley [Thu, 12 Mar 2015 23:17:26 +0000 (23:17 +0000)]
crypto: img-hash - Add Imagination Technologies hw hash accelerator

This adds support for the Imagination Technologies hash accelerator which
provides hardware acceleration for SHA1 SHA224 SHA256 and MD5 hashes.

Signed-off-by: James Hartley <james.hartley@imgtec.com>
Reviewed-by: Andrew Bresticker <abrestic@chromium.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: iproc-rng200 - make use of devm_hwrng_register
Dmitry Torokhov [Thu, 12 Mar 2015 21:00:07 +0000 (14:00 -0700)]
hwrng: iproc-rng200 - make use of devm_hwrng_register

This allows us to get rid of driver's remove() method.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: iproc-rng200 - do not use static structure
Dmitry Torokhov [Thu, 12 Mar 2015 21:00:06 +0000 (14:00 -0700)]
hwrng: iproc-rng200 - do not use static structure

Instead of using static hwrng structure that is reused between
binds/unbinds of the device let's embed it into driver's private
structure that we allocate. This way we are guaranteed not to stumble
onto something left from previous bind attempt.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: msm - make use of devm_hwrng_register
Dmitry Torokhov [Thu, 12 Mar 2015 21:00:05 +0000 (14:00 -0700)]
hwrng: msm - make use of devm_hwrng_register

This allows us to get rid of remove() method.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: exynos - make use of devm_hwrng_register
Dmitry Torokhov [Thu, 12 Mar 2015 21:00:04 +0000 (14:00 -0700)]
hwrng: exynos - make use of devm_hwrng_register

This allows us to get rid of remove() method.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: bcm63xx - make use of devm_hwrng_register
Dmitry Torokhov [Thu, 12 Mar 2015 21:00:03 +0000 (14:00 -0700)]
hwrng: bcm63xx - make use of devm_hwrng_register

This change converts bcm63xx-rng to use devm* API for managing all
resources, which allows us to dispense with the rest of error handling
path and remove() function. Also we combine hwern and driver-private
data into a single allocation, use clk_prepare_enable() instead
of "naked" clk_enable() and move clock enabling/disabling into hwrnd
inti(0 and cleanup() methods so the clock stays off until rng is
used.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agohwrng: add devm_* interfaces
Dmitry Torokhov [Thu, 12 Mar 2015 21:00:02 +0000 (14:00 -0700)]
hwrng: add devm_* interfaces

This change adds devm_hwrng_register and devm_hwrng_unregister which
use can simplify error unwinding and unbinding code paths in device
drivers.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: don't export static symbol
Julia Lawall [Wed, 11 Mar 2015 16:56:26 +0000 (17:56 +0100)]
crypto: don't export static symbol

The semantic patch that fixes this problem is as follows:
(http://coccinelle.lip6.fr/)

// <smpl>
@r@
type T;
identifier f;
@@

static T f (...) { ... }

@@
identifier r.f;
declarer name EXPORT_SYMBOL_GPL;
@@

-EXPORT_SYMBOL_GPL(f);
// </smpl>

Signed-off-by: Julia Lawall <Julia.Lawall@lip6.fr>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: testmgr - fix RNG return code enforcement
Stephan Mueller [Tue, 10 Mar 2015 16:00:36 +0000 (17:00 +0100)]
crypto: testmgr - fix RNG return code enforcement

Due to the change to RNGs to always return zero in success case, the
invocation of the RNGs in the test manager must be updated as otherwise
the RNG self tests are not properly executed any more.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Alexander Bergmann <abergmann@suse.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agolinux-next: Tree for Mar 11 (powerpc build failure due to vmx crypto code)
Herbert Xu [Thu, 12 Mar 2015 03:28:29 +0000 (14:28 +1100)]
linux-next: Tree for Mar 11 (powerpc build failure due to vmx crypto code)

crypto: vmx - Fix assembler perl to use _GLOBAL

Rather than doing things by hand for global symbols to deal with
different calling conventions we already have a macro _GLOBAL in
Linux to handle this.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Guenter Roeck <linux@roeck-us.net>
9 years agohwrng: omap - remove #ifdefery around PM methods
Dmitry Torokhov [Wed, 11 Mar 2015 21:08:36 +0000 (14:08 -0700)]
hwrng: omap - remove #ifdefery around PM methods

Instead of using #ifdefs let's mark suspend and resume methods as
__maybe_unused which will suppress compiler warnings about them being
unused and provide better compile coverage.

Because SIMPLE_DEV_PM_OPS() produces an empty omap_rng_pm structure in
case of !CONFIG_PM_SLEEP neither omap_rng_suspend nor omap_rng_resume
will end up being referenced and the change will not result in
increasing image size.

Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: arm - add support for GHASH using ARMv8 Crypto Extensions
Ard Biesheuvel [Tue, 10 Mar 2015 08:47:48 +0000 (09:47 +0100)]
crypto: arm - add support for GHASH using ARMv8 Crypto Extensions

This implements the GHASH hash algorithm (as used by the GCM AEAD
chaining mode) using the AArch32 version of the 64x64 to 128 bit
polynomial multiplication instruction (vmull.p64) that is part of
the ARMv8 Crypto Extensions.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: arm - AES in ECB/CBC/CTR/XTS modes using ARMv8 Crypto Extensions
Ard Biesheuvel [Tue, 10 Mar 2015 08:47:47 +0000 (09:47 +0100)]
crypto: arm - AES in ECB/CBC/CTR/XTS modes using ARMv8 Crypto Extensions

This implements the ECB, CBC, CTR and XTS asynchronous block ciphers
using the AArch32 versions of the ARMv8 Crypto Extensions for AES.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: arm - add support for SHA-224/256 using ARMv8 Crypto Extensions
Ard Biesheuvel [Tue, 10 Mar 2015 08:47:46 +0000 (09:47 +0100)]
crypto: arm - add support for SHA-224/256 using ARMv8 Crypto Extensions

This implements the SHA-224/256 secure hash algorithm using the AArch32
versions of the ARMv8 Crypto Extensions for SHA2.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: arm - add support for SHA1 using ARMv8 Crypto Instructions
Ard Biesheuvel [Tue, 10 Mar 2015 08:47:45 +0000 (09:47 +0100)]
crypto: arm - add support for SHA1 using ARMv8 Crypto Instructions

This implements the SHA1 secure hash algorithm using the AArch32
versions of the ARMv8 Crypto Extensions for SHA1.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
9 years agocrypto: arm - move ARM specific Kconfig definitions to a dedicated file
Ard Biesheuvel [Tue, 10 Mar 2015 08:47:44 +0000 (09:47 +0100)]
crypto: arm - move ARM specific Kconfig definitions to a dedicated file

This moves all Kconfig symbols defined in crypto/Kconfig that depend
on CONFIG_ARM to a dedicated Kconfig file in arch/arm/crypto, which is
where the code that implements those features resides as well.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>