linux-2.6-microblaze.git
2 years agocrypto: hisilicon/qm - code movement
Weili Qian [Sat, 11 Dec 2021 11:25:15 +0000 (19:25 +0800)]
crypto: hisilicon/qm - code movement

This patch does not change any code, just code movement. Preparing for
next patch.

Signed-off-by: Weili Qian <qianweili@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: hisilicon/qm - remove unnecessary device memory reset
Weili Qian [Sat, 11 Dec 2021 11:25:14 +0000 (19:25 +0800)]
crypto: hisilicon/qm - remove unnecessary device memory reset

The internal memory of the device needs to be reset only when
the device is globally initialized. Other scenarios, such as
function reset, do not need to perform reset.

Signed-off-by: Weili Qian <qianweili@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: hisilicon/qm - fix deadlock for remove driver
Yang Shen [Sat, 11 Dec 2021 08:56:55 +0000 (16:56 +0800)]
crypto: hisilicon/qm - fix deadlock for remove driver

When remove the driver and executing the task occur at the same time,
the following deadlock will be triggered:

Chain exists of:
    sva_lock --> uacce_mutex --> &qm->qps_lock
    Possible unsafe locking scenario:
CPU0                    CPU1
----                    ----
lock(&qm->qps_lock);
lock(uacce_mutex);
lock(&qm->qps_lock);
lock(sva_lock);

And the lock 'qps_lock' is used to protect qp. Therefore, it's reasonable
cycle is to continue until the qp memory is released. So move the release
lock infront of 'uacce_remove'.

Signed-off-by: Yang Shen <shenyang39@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: hisilicon/zip - enable ssid for sva sgl
Yang Shen [Sat, 11 Dec 2021 08:52:05 +0000 (16:52 +0800)]
crypto: hisilicon/zip - enable ssid for sva sgl

For Kunpeng 920, the bit 0 of register 'HZIP_SGL_RUSER_32_63' stand for
whether the ssid is valid. So this bit should be set as valid for sva mode.

Signed-off-by: Yang Shen <shenyang39@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: hisilicon/hpre - fix memory leak in hpre_curve25519_src_init()
Weili Qian [Sat, 11 Dec 2021 08:17:19 +0000 (16:17 +0800)]
crypto: hisilicon/hpre - fix memory leak in hpre_curve25519_src_init()

hpre_curve25519_src_init() allocates memory for 'ptr' before calling
memcmp(). If memcmp() returns 0, the function will return '-EINVAL'
without freeing memory.

Signed-off-by: Weili Qian <qianweili@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: api - Replace kernel.h with the necessary inclusions
Andy Shevchenko [Fri, 10 Dec 2021 14:30:09 +0000 (16:30 +0200)]
crypto: api - Replace kernel.h with the necessary inclusions

When kernel.h is used in the headers it adds a lot into dependency hell,
especially when there are circular dependencies are involved.

Replace kernel.h inclusion with the list of what is really being used.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: marvell/octeontx - Use kcalloc() instead of kzalloc()
Gustavo A. R. Silva [Wed, 8 Dec 2021 04:17:21 +0000 (22:17 -0600)]
crypto: marvell/octeontx - Use kcalloc() instead of kzalloc()

Use 2-factor multiplication argument form kcalloc() instead
of kzalloc().

Link: https://github.com/KSPP/linux/issues/162
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: cavium - Use kcalloc() instead of kzalloc()
Gustavo A. R. Silva [Wed, 8 Dec 2021 01:24:59 +0000 (19:24 -0600)]
crypto: cavium - Use kcalloc() instead of kzalloc()

Use 2-factor multiplication argument form kcalloc() instead
of kzalloc().

Link: https://github.com/KSPP/linux/issues/162
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: ccp - Add SEV_INIT_EX support
David Rientjes [Tue, 7 Dec 2021 23:33:06 +0000 (15:33 -0800)]
crypto: ccp - Add SEV_INIT_EX support

Add new module parameter to allow users to use SEV_INIT_EX instead of
SEV_INIT. This helps users who lock their SPI bus to use the PSP for SEV
functionality. The 'init_ex_path' parameter defaults to NULL which means
the kernel will use SEV_INIT, if a path is specified SEV_INIT_EX will be
used with the data found at the path. On certain PSP commands this
file is written to as the PSP updates the NV memory region. Depending on
file system initialization this file open may fail during module init
but the CCP driver for SEV already has sufficient retries for platform
initialization. During normal operation of PSP system and SEV commands
if the PSP has not been initialized it is at run time. If the file at
'init_ex_path' does not exist the PSP will not be initialized. The user
must create the file prior to use with 32Kb of 0xFFs per spec.

Signed-off-by: David Rientjes <rientjes@google.com>
Co-developed-by: Peter Gonda <pgonda@google.com>
Signed-off-by: Peter Gonda <pgonda@google.com>
Reviewed-by: Marc Orr <marcorr@google.com>
Reported-by: kernel test robot <lkp@intel.com>
Acked-by: Brijesh Singh <brijesh.singh@amd.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Marc Orr <marcorr@google.com>
Cc: Joerg Roedel <jroedel@suse.de>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: David Rientjes <rientjes@google.com>
Cc: John Allen <john.allen@amd.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: ccp - Add psp_init_on_probe module parameter
Peter Gonda [Tue, 7 Dec 2021 23:33:05 +0000 (15:33 -0800)]
crypto: ccp - Add psp_init_on_probe module parameter

Add psp_init_on_probe module parameter that allows for skipping the
PSP's SEV platform initialization during module init. User may decouple
module init from PSP init due to use of the INIT_EX support in upcoming
patch which allows for users to save PSP's internal state to file. The
file may be unavailable at module init.

Also moves the PSP ABI version log message to after successful PSP init
instead of module init in case this new parameter is used.

Signed-off-by: Peter Gonda <pgonda@google.com>
Acked-by: Brijesh Singh <brijesh.singh@amd.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Marc Orr <marcorr@google.com>
Cc: Joerg Roedel <jroedel@suse.de>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: David Rientjes <rientjes@google.com>
Cc: John Allen <john.allen@amd.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: ccp - Refactor out sev_fw_alloc()
Peter Gonda [Tue, 7 Dec 2021 23:33:04 +0000 (15:33 -0800)]
crypto: ccp - Refactor out sev_fw_alloc()

Create a helper function sev_fw_alloc() which can be used to allocate
aligned memory regions for use by the PSP firmware. Currently only used
for the SEV-ES TMR region but will be used for the SEV_INIT_EX NV memory
region.

Signed-off-by: Peter Gonda <pgonda@google.com>
Reviewed-by: Marc Orr <marcorr@google.com>
Acked-by: David Rientjes <rientjes@google.com>
Acked-by: Brijesh Singh <brijesh.singh@amd.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Marc Orr <marcorr@google.com>
Cc: Joerg Roedel <jroedel@suse.de>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: David Rientjes <rientjes@google.com>
Cc: John Allen <john.allen@amd.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: ccp - Move SEV_INIT retry for corrupted data
Peter Gonda [Tue, 7 Dec 2021 23:33:03 +0000 (15:33 -0800)]
crypto: ccp - Move SEV_INIT retry for corrupted data

Move the data corrupted retry of SEV_INIT into the
__sev_platform_init_locked() function. This is for upcoming INIT_EX
support as well as helping direct callers of
__sev_platform_init_locked() which currently do not support the
retry.

Signed-off-by: Peter Gonda <pgonda@google.com>
Reviewed-by: Marc Orr <marcorr@google.com>
Acked-by: David Rientjes <rientjes@google.com>
Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
Acked-by: Brijesh Singh <brijesh.singh@amd.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Marc Orr <marcorr@google.com>
Cc: Joerg Roedel <jroedel@suse.de>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: David Rientjes <rientjes@google.com>
Cc: John Allen <john.allen@amd.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: ccp - Add SEV_INIT rc error logging on init
Peter Gonda [Tue, 7 Dec 2021 23:33:02 +0000 (15:33 -0800)]
crypto: ccp - Add SEV_INIT rc error logging on init

Currently only the firmware error code is printed. This is incomplete
and also incorrect as error cases exists where the firmware is never
called and therefore does not set an error code.

Signed-off-by: Peter Gonda <pgonda@google.com>
Reviewed-by: Marc Orr <marcorr@google.com>
Acked-by: David Rientjes <rientjes@google.com>
Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
Acked-by: Brijesh Singh <brijesh.singh@amd.com>
Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Brijesh Singh <brijesh.singh@amd.com>
Cc: Marc Orr <marcorr@google.com>
Cc: Joerg Roedel <jroedel@suse.de>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: David Rientjes <rientjes@google.com>
Cc: John Allen <john.allen@amd.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: x86/des3 - remove redundant assignment of variable nbytes
Colin Ian King [Tue, 7 Dec 2021 18:58:09 +0000 (18:58 +0000)]
crypto: x86/des3 - remove redundant assignment of variable nbytes

The variable nbytes is being assigned a value that is never read, it is
being re-assigned in the following statement. The assignment is redundant
and can be removed.

Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: hisilicon/qm - fix incorrect return value of hisi_qm_resume()
Weili Qian [Sat, 4 Dec 2021 10:43:01 +0000 (18:43 +0800)]
crypto: hisilicon/qm - fix incorrect return value of hisi_qm_resume()

When hisi_qm_resume() returns 0, it indicates that the device has started
successfully.  If the device fails to start, hisi_qm_resume() needs to
return the actual error code to the caller instead of 0.

Fixes: d7ea53395b72 ("crypto: hisilicon - add runtime PM ops")
Signed-off-by: Weili Qian <qianweili@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: octeontx2 - parameters for custom engine groups
Srujana Challa [Wed, 1 Dec 2021 09:02:01 +0000 (14:32 +0530)]
crypto: octeontx2 - parameters for custom engine groups

Added devlink parameters to create and delete custom CPT engine groups.

Example:
devlink dev param set pci/0002:20:00.0 name egrp_create value \
                "se:32;se.out" cmode runtime
devlink dev param set pci/0002:20:00.0 name egrp_delete value \
                "egrp:1" cmode runtime

Signed-off-by: Srujana Challa <schalla@marvell.com>
Signed-off-by: Shijith Thotton <sthotton@marvell.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: octeontx2 - add apis for custom engine groups
Srujana Challa [Wed, 1 Dec 2021 09:02:00 +0000 (14:32 +0530)]
crypto: octeontx2 - add apis for custom engine groups

Octeon TX2 CPT has three type of engines to handle symmetric, asymmetric
and ipsec specific workload. For better utilization, these engines can
be grouped to custom groups at runtime.

This patch adds APIs to create and delete custom CPT engine groups.

Signed-off-by: Srujana Challa <schalla@marvell.com>
Signed-off-by: Shijith Thotton <sthotton@marvell.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: stm32 - Revert broken pm_runtime_resume_and_get changes
Herbert Xu [Wed, 1 Dec 2021 06:30:41 +0000 (17:30 +1100)]
crypto: stm32 - Revert broken pm_runtime_resume_and_get changes

We should not call pm_runtime_resume_and_get where the reference
count is expected to be incremented unconditionally.  This patch
reverts these calls to the original unconditional get_sync call.

Reported-by: Heiner Kallweit <hkallweit1@gmail.com>
Fixes: 747bf30fd944 ("crypto: stm32/cryp - Fix PM reference leak...")
Fixes: 1cb3ad701970 ("crypto: stm32/hash - Fix PM reference leak...")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: jitter - quit sample collection loop upon RCT failure
Nicolai Stange [Tue, 30 Nov 2021 14:10:09 +0000 (15:10 +0100)]
crypto: jitter - quit sample collection loop upon RCT failure

The jitterentropy collection loop in jent_gen_entropy() can in principle
run indefinitely without making any progress if it only receives stuck
measurements as determined by jent_stuck(). After 31 consecutive stuck
samples, the Repetition Count Test (RCT) would fail anyway and the
jitterentropy RNG instances moved into ->health_failure == 1 state.
jent_gen_entropy()'s caller, jent_read_entropy() would then check for
this ->health_failure condition and return an error if found set. It
follows that there's absolutely no point in continuing the collection loop
in jent_gen_entropy() once the RCT has failed.

Make the jitterentropy collection loop more robust by terminating it upon
jent_health_failure() so that it won't continue to run indefinitely without
making any progress.

Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: jitter - don't limit ->health_failure check to FIPS mode
Nicolai Stange [Tue, 30 Nov 2021 14:10:08 +0000 (15:10 +0100)]
crypto: jitter - don't limit ->health_failure check to FIPS mode

The jitterentropy's Repetition Count Test (RCT) as well as the Adaptive
Proportion Test (APT) are run unconditionally on any collected samples.
However, their result, i.e. ->health_failure, will only get checked if
fips_enabled is set, c.f. the jent_health_failure() wrapper.

I would argue that a RCT or APT failure indicates that something's
seriously off and that this should always be reported as an error,
independently of whether FIPS mode is enabled or not: it should be up to
callers whether or not and how to handle jitterentropy failures.

Make jent_health_failure() to unconditionally return ->health_failure,
independent of whether fips_enabled is set.

Note that fips_enabled isn't accessed from the jitterentropy code anymore
now. Remove the linux/fips.h include as well as the jent_fips_enabled()
wrapper.

Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: drbg - ignore jitterentropy errors if not in FIPS mode
Nicolai Stange [Tue, 30 Nov 2021 14:10:07 +0000 (15:10 +0100)]
crypto: drbg - ignore jitterentropy errors if not in FIPS mode

A subsequent patch will make the jitterentropy RNG to unconditionally
report health test errors back to callers, independent of whether
fips_enabled is set or not. The DRBG needs access to a functional
jitterentropy instance only in FIPS mode (because it's the only SP800-90B
compliant entropy source as it currently stands). Thus, it is perfectly
fine for the DRBGs to obtain entropy from the jitterentropy source only
on a best effort basis if fips_enabled is off.

Make the DRBGs to ignore jitterentropy failures if fips_enabled is not set.

Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: stm32/cryp - reorder hw initialization
Nicolas Toromanoff [Tue, 30 Nov 2021 07:55:01 +0000 (08:55 +0100)]
crypto: stm32/cryp - reorder hw initialization

The CRYP IP checks the written key depending of the configuration, it's
safer to write the whole configuration to hardware then the key to avoid
unexpected key rejection.

Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: stm32/cryp - fix bugs and crash in tests
Nicolas Toromanoff [Tue, 30 Nov 2021 07:55:00 +0000 (08:55 +0100)]
crypto: stm32/cryp - fix bugs and crash in tests

Extra crypto manager auto test were crashing or failling due
to 2 reasons:
- block in a dead loop (dues to issues in cipher end process management)
- crash due to read/write unmapped memory (this crash was also reported
when using openssl afalg engine)

Rework interrupt management, interrupts are masked as soon as they are
no more used: if input buffer is fully consumed, "Input FIFO not full"
interrupt is masked and if output buffer is full, "Output FIFO not
empty" interrupt is masked.
And crypto request finish when input *and* outpout buffer are fully
read/write.

About the crash due to unmapped memory, using scatterwalk_copychunks()
that will map and copy each block fix the issue.
Using this api and copying full block will also fix unaligned data
access, avoid early copy of in/out buffer, and make useless the extra
alignment constraint.

Fixes: 9e054ec21ef8 ("crypto: stm32 - Support for STM32 CRYP crypto module")

Reported-by: Marek Vasut <marex@denx.de>
Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: stm32/cryp - fix lrw chaining mode
Nicolas Toromanoff [Tue, 30 Nov 2021 07:54:59 +0000 (08:54 +0100)]
crypto: stm32/cryp - fix lrw chaining mode

This fixes the lrw autotest if lrw uses the CRYP as the AES block cipher
provider (as ecb(aes)). At end of request, CRYP should not update the IV
in case of ECB chaining mode. Indeed the ECB chaining mode never uses
the IV, but the software LRW chaining mode uses the IV field as
a counter and due to the (unexpected) update done by CRYP while the AES
block process, the counter get a wrong value when the IV overflow.

Fixes: 5f49f18d27cd ("crypto: stm32/cryp - update to return iv_out")

Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: stm32/cryp - fix double pm exit
Nicolas Toromanoff [Tue, 30 Nov 2021 07:54:58 +0000 (08:54 +0100)]
crypto: stm32/cryp - fix double pm exit

Delete extraneous lines in probe error handling code: pm was
disabled twice.

Fixes: 65f9aa36ee47 ("crypto: stm32/cryp - Add power management support")

Reported-by: Marek Vasut <marex@denx.de>
Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: stm32/cryp - check early input data
Nicolas Toromanoff [Tue, 30 Nov 2021 07:54:57 +0000 (08:54 +0100)]
crypto: stm32/cryp - check early input data

Some auto tests failed because driver wasn't returning the expected
error with some input size/iv value/tag size.
Now:
 Return 0 early for empty buffer. (We don't need to start the engine for
 an empty input buffer).
 Accept any valid authsize for gcm(aes).
 Return -EINVAL if iv for ccm(aes) is invalid.
 Return -EINVAL if buffer size is a not a multiple of algorithm block size.

Fixes: 9e054ec21ef8 ("crypto: stm32 - Support for STM32 CRYP crypto module")

Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: stm32/cryp - fix xts and race condition in crypto_engine requests
Nicolas Toromanoff [Tue, 30 Nov 2021 07:54:56 +0000 (08:54 +0100)]
crypto: stm32/cryp - fix xts and race condition in crypto_engine requests

Don't erase key:
If key is erased before the crypto_finalize_.*_request() call, some
pending process will run with a key={ 0 }.
Moreover if the key is reset at end of request, it breaks xts chaining
mode, as for last xts block (in case input len is not a multiple of
block) a new AES request is started without calling again set_key().

Fixes: 9e054ec21ef8 ("crypto: stm32 - Support for STM32 CRYP crypto module")

Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: stm32/cryp - fix CTR counter carry
Nicolas Toromanoff [Tue, 30 Nov 2021 07:54:55 +0000 (08:54 +0100)]
crypto: stm32/cryp - fix CTR counter carry

STM32 CRYP hardware doesn't manage CTR counter bigger than max U32, as
a workaround, at each block the current IV is saved, if the saved IV
lower u32 is 0xFFFFFFFF, the full IV is manually incremented, and set
in hardware.
Fixes: bbb2832620ac ("crypto: stm32 - Fix sparse warnings")

Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: stm32/cryp - don't print error on probe deferral
Etienne Carriere [Tue, 30 Nov 2021 07:54:54 +0000 (08:54 +0100)]
crypto: stm32/cryp - don't print error on probe deferral

Change driver to not print an error message when the device
probe is deferred for a clock resource.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: stm32/cryp - defer probe for reset controller
Etienne Carriere [Tue, 30 Nov 2021 07:54:53 +0000 (08:54 +0100)]
crypto: stm32/cryp - defer probe for reset controller

Change stm32 CRYP driver to defer its probe operation when
reset controller device is registered but has not been probed yet.

Signed-off-by: Etienne Carriere <etienne.carriere@foss.st.com>
Signed-off-by: Nicolas Toromanoff <nicolas.toromanoff@foss.st.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: dh - remove duplicate includes
Guo Zhengkui [Mon, 29 Nov 2021 08:34:56 +0000 (16:34 +0800)]
crypto: dh - remove duplicate includes

Remove a duplicate #include <linux/fips.h>.

Signed-off-by: Guo Zhengkui <guozhengkui@vivo.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: octeontx2 - uninitialized variable in kvf_limits_store()
Dan Carpenter [Sat, 27 Nov 2021 14:10:27 +0000 (17:10 +0300)]
crypto: octeontx2 - uninitialized variable in kvf_limits_store()

If kstrtoint() fails then "lfs_num" is uninitialized and the warning
doesn't make any sense.  Just delete it.

Fixes: 8ec8015a3168 ("crypto: octeontx2 - add support to process the crypto request")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: sa2ul - Use bitfield helpers
Geert Uytterhoeven [Mon, 22 Nov 2021 15:54:02 +0000 (16:54 +0100)]
crypto: sa2ul - Use bitfield helpers

Use the FIELD_PREP() helper, instead of open-coding the same operation.

Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: caam - save caam memory to support crypto engine retry mechanism.
Gaurav Jain [Mon, 22 Nov 2021 11:32:34 +0000 (17:02 +0530)]
crypto: caam - save caam memory to support crypto engine retry mechanism.

When caam queue is full (-ENOSPC), caam frees descriptor memory.
crypto-engine checks if retry support is true and h/w queue
is full(-ENOSPC), then requeue the crypto request.
During processing the requested descriptor again, caam gives below error.
(caam_jr 30902000.jr: 40000006: DECO: desc idx 0: Invalid KEY Command).

This patch adds a check to return when caam input ring is full
and retry support is true. so descriptor memory is not freed
and requeued request can be processed again.

Fixes: 2d653936eb2cf ("crypto: caam - enable crypto-engine retry mechanism")
Signed-off-by: Gaurav Jain <gaurav.jain@nxp.com>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: des - disallow des3 in FIPS mode
Stephan Müller [Sun, 21 Nov 2021 15:10:33 +0000 (16:10 +0100)]
crypto: des - disallow des3 in FIPS mode

On Dec 31 2023 NIST sunsets TDES for FIPS use. To prevent FIPS
validations to be completed in the future to be affected by the TDES
sunsetting, disallow TDES already now. Otherwise a FIPS validation would
need to be "touched again" end 2023 to handle TDES accordingly.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: dh - limit key size to 2048 in FIPS mode
Stephan Müller [Sun, 21 Nov 2021 14:51:44 +0000 (15:51 +0100)]
crypto: dh - limit key size to 2048 in FIPS mode

FIPS disallows DH with keys < 2048 bits. Thus, the kernel should
consider the enforcement of this limit.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: rsa - limit key size to 2048 in FIPS mode
Stephan Müller [Sun, 21 Nov 2021 14:31:27 +0000 (15:31 +0100)]
crypto: rsa - limit key size to 2048 in FIPS mode

FIPS disallows RSA with keys < 2048 bits. Thus, the kernel should
consider the enforcement of this limit.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: jitter - consider 32 LSB for APT
Stephan Müller [Sun, 21 Nov 2021 14:14:20 +0000 (15:14 +0100)]
crypto: jitter - consider 32 LSB for APT

The APT compares the current time stamp with a pre-set value. The
current code only considered the 4 LSB only. Yet, after reviews by
mathematicians of the user space Jitter RNG version >= 3.1.0, it was
concluded that the APT can be calculated on the 32 LSB of the time
delta. Thi change is applied to the kernel.

This fixes a bug where an AMD EPYC fails this test as its RDTSC value
contains zeros in the LSB. The most appropriate fix would have been to
apply a GCD calculation and divide the time stamp by the GCD. Yet, this
is a significant code change that will be considered for a future
update. Note, tests showed that constantly the GCD always was 32 on
these systems, i.e. the 5 LSB were always zero (thus failing the APT
since it only considered the 4 LSB for its calculation).

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: hisilicon/qm - simplified the calculation of qos shaper parameters
Kai Ye [Sat, 20 Nov 2021 04:47:39 +0000 (12:47 +0800)]
crypto: hisilicon/qm - simplified the calculation of qos shaper parameters

Some optimize for the calculation of qos shaper parameters.
and modify the comments.

Signed-off-by: Kai Ye <yekai13@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: hisilicon/qm - some optimizations of ths qos write process
Kai Ye [Sat, 20 Nov 2021 04:47:38 +0000 (12:47 +0800)]
crypto: hisilicon/qm - some optimizations of ths qos write process

1. Optimize overly long functions.
2. Fix the format symbol does not match the actual type.
3. Use the PCI_DEVFN to get the function id.

Signed-off-by: Kai Ye <yekai13@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: hisilicon/qm - modify the value of qos initialization
Kai Ye [Sat, 20 Nov 2021 04:47:37 +0000 (12:47 +0800)]
crypto: hisilicon/qm - modify the value of qos initialization

The value of qos should be reset after flr resetting or device
resetting. So set the max of qos value for every function. Then
update the value of qos when user writing the alg_qos.

Signed-off-by: Kai Ye <yekai13@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: hisilicon - modify the value of engine type rate
Kai Ye [Sat, 20 Nov 2021 04:47:36 +0000 (12:47 +0800)]
crypto: hisilicon - modify the value of engine type rate

Modify the value of type rate from new QM spec.

Signed-off-by: Kai Ye <yekai13@huawei.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agosecurity: DH - use KDF implementation from crypto API
Stephan Müller [Fri, 19 Nov 2021 06:59:09 +0000 (07:59 +0100)]
security: DH - use KDF implementation from crypto API

The kernel crypto API provides the SP800-108 counter KDF implementation.
Thus, the separate implementation provided as part of the keys subsystem
can be replaced with calls to the KDF offered by the kernel crypto API.

The keys subsystem uses the counter KDF with a hash primitive. Thus,
it only uses the call to crypto_kdf108_ctr_generate.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Acked-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agosecurity: DH - remove dead code for zero padding
Stephan Müller [Fri, 19 Nov 2021 06:58:44 +0000 (07:58 +0100)]
security: DH - remove dead code for zero padding

Remove the specific code that adds a zero padding that was intended
to be invoked when the DH operation result was smaller than the
modulus. However, this cannot occur any more these days because the
function mpi_write_to_sgl is used in the code path that calculates the
shared secret in dh_compute_value. This MPI service function guarantees
that leading zeros are introduced as needed to ensure the resulting data
is exactly as long as the modulus. This implies that the specific code
to add zero padding is dead code which can be safely removed.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Acked-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: kdf - add SP800-108 counter key derivation function
Stephan Müller [Fri, 19 Nov 2021 06:55:58 +0000 (07:55 +0100)]
crypto: kdf - add SP800-108 counter key derivation function

SP800-108 defines three KDFs - this patch provides the counter KDF
implementation.

The KDF is implemented as a service function where the caller has to
maintain the hash / HMAC state. Apart from this hash/HMAC state, no
additional state is required to be maintained by either the caller or
the KDF implementation.

The key for the KDF is set with the crypto_kdf108_setkey function which
is intended to be invoked before the caller requests a key derivation
operation via crypto_kdf108_ctr_generate.

SP800-108 allows the use of either a HMAC or a hash as crypto primitive
for the KDF. When a HMAC primtive is intended to be used,
crypto_kdf108_setkey must be used to set the HMAC key. Otherwise, for a
hash crypto primitve crypto_kdf108_ctr_generate can be used immediately
after allocating the hash handle.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: kdf - Add key derivation self-test support code
Stephan Müller [Fri, 19 Nov 2021 06:55:33 +0000 (07:55 +0100)]
crypto: kdf - Add key derivation self-test support code

As a preparation to add the key derivation implementations, the
self-test data structure definition and the common test code is made
available.

The test framework follows the testing applied by the NIST CAVP test
approach.

The structure of the test code follows the implementations found in
crypto/testmgr.c|h. In case the KDF implementations will be made
available via a kernel crypto API templates, the test code is intended
to be merged into testmgr.c|h.

Signed-off-by: Stephan Mueller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: sun8i-ce - Add support for the D1 variant
Corentin Labbe [Fri, 19 Nov 2021 05:10:25 +0000 (23:10 -0600)]
crypto: sun8i-ce - Add support for the D1 variant

The Allwinner D1 SoC has a crypto engine compatible with sun8i-ce.
Add support for it.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Signed-off-by: Samuel Holland <samuel@sholland.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - improve logging of PFVF messages
Marco Chiappero [Wed, 17 Nov 2021 14:30:58 +0000 (14:30 +0000)]
crypto: qat - improve logging of PFVF messages

Improve and simplify logging of PFVF messages.

Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - fix VF IDs in PFVF log messages
Marco Chiappero [Wed, 17 Nov 2021 14:30:57 +0000 (14:30 +0000)]
crypto: qat - fix VF IDs in PFVF log messages

PFVF debug messages use a mix of zero and one based VF IDs.
Switch to zero based VF numbers in all log messages.

Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - do not rely on min version
Marco Chiappero [Wed, 17 Nov 2021 14:30:56 +0000 (14:30 +0000)]
crypto: qat - do not rely on min version

Remove min_iov_compat_ver field as for now all versions are compatible.

Compatibility is determined by a series of rules and dynamic conditions
such as specific configurations.
In any case the minimum version requirement for compatibility is
an inadequate and obsolete approach which should be removed.

At this time compatibility can be assured across the currently available
versions.

Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - refactor pfvf version request messages
Marco Chiappero [Wed, 17 Nov 2021 14:30:55 +0000 (14:30 +0000)]
crypto: qat - refactor pfvf version request messages

Refactor version handling logic for ADF_VF2PF_MSGTYPE_COMPAT_VER_REQ
and ADF_VF2PF_MSGTYPE_VERSION_REQ on the PF.
Response messages are now filled only after fully parsing the request,
in a consisted way with the rest of the PFVF codebase.

This patch also fixes a harmless double setting for VERSION in the
response for ADF_VF2PF_MSGTYPE_VERSION_REQ.

Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
Co-developed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - pass the PF2VF responses back to the callers
Marco Chiappero [Wed, 17 Nov 2021 14:30:54 +0000 (14:30 +0000)]
crypto: qat - pass the PF2VF responses back to the callers

Currently, any PF response to a VF request is fully parsed during the
interrupt handling. This way the individual response values are stored
into the accel_dev structure, preventing the caller to access and decode
the full response message itself.

Change this behavior, by letting the API return back the entire message
to the caller, in order to:
  - keep correlated code together, that is, the (building of the)
    request and the (decoding of the) response;
  - avoid polluting the accel_dev data structure with unnecessary and at
    times temporary values; only the entire message is stored in a
    temporary buffer.

Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - use enums for PFVF protocol codes
Marco Chiappero [Wed, 17 Nov 2021 14:30:53 +0000 (14:30 +0000)]
crypto: qat - use enums for PFVF protocol codes

Replace PFVF constants with enumerations for valid protocol codes.

Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - reorganize PFVF protocol definitions
Marco Chiappero [Wed, 17 Nov 2021 14:30:52 +0000 (14:30 +0000)]
crypto: qat - reorganize PFVF protocol definitions

Organize PFVF protocol definitions by type rather than direction, by
keeping related fields close.
Also, make sure the order is consistent for both PF and VF definitions.

Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - reorganize PFVF code
Marco Chiappero [Wed, 17 Nov 2021 14:30:51 +0000 (14:30 +0000)]
crypto: qat - reorganize PFVF code

Reorganize the structure of the PFVF code by moving the content of
adf_pf2vf_msg.c and adf_vf2pf_msg.c.

The logic that handles high level messages has been moved to
adf_pfvf_pf_msg.c and adf_pfvf_vf_msg.c.
The implementation of low level communication primitives and the
protocol is now included in adf_pfvf_pf_proto.c and adf_pfvf_vf_proto.c.

In addition, the file adf_pf2vf_msg.h has been renamed in adf_pfvf_msg.h
since it common to PF and VF and the copyright date for the touched
files has been updated.

Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
Co-developed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - abstract PFVF receive logic
Giovanni Cabiddu [Wed, 17 Nov 2021 14:30:50 +0000 (14:30 +0000)]
crypto: qat - abstract PFVF receive logic

Refactor the PFVF receive logic so it is common between PF and VF and
make it device specific.

This is in preparation for the introduction of PFVF support in the
qat_4xxx driver since the receive logic differs between QAT GEN2 and
QAT GEN4 devices.

Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Co-developed-by: Marco Chiappero <marco.chiappero@intel.com>
Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - abstract PFVF send function
Marco Chiappero [Wed, 17 Nov 2021 14:30:49 +0000 (14:30 +0000)]
crypto: qat - abstract PFVF send function

Make the PFVF send function device specific.

This is in preparation for the introduction of PFVF support in the
qat_4xxx driver since the send logic differs between QAT GEN2 and
QAT GEN4 devices.

Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
Co-developed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - differentiate between pf2vf and vf2pf offset
Marco Chiappero [Wed, 17 Nov 2021 14:30:48 +0000 (14:30 +0000)]
crypto: qat - differentiate between pf2vf and vf2pf offset

Add the function get_vf2pf_offset() to adf_pfvf_ops to differentiate the
CSRs used for pf2vf and vf2pf.

Offsets may or may not be direction specific depending on QAT
generation. Since in QAT GEN2 the CSR is not direction specific, i.e.
there is a single mailbox register shared for pf2vf and vf2pf, both
get_vf2pf_offset() and get_vf2pf_offset() will return the same offset.

This change is to make the direction explicit, so it is easier to
understand and debug and also in preparation for the introduction of
PFVF support in the qat_4xxx driver since QAT GEN4 devices have a
separate CSR for pf2vf and vf2pf communications.

Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - add pfvf_ops
Marco Chiappero [Wed, 17 Nov 2021 14:30:47 +0000 (14:30 +0000)]
crypto: qat - add pfvf_ops

Add pfvf_ops structure to isolate PFVF related functions inside the
adf_hw_device_data structure.

For GEN2, the structure is populated using one of the two helper
functions, adf_gen2_init_pf_pfvf_ops() or adf_gen2_init_vf_pfvf_ops(),
for the PF and VF driver respectively.

For the DH895XCC PF driver, the structure is populated using
adf_gen2_init_pf_pfvf_ops() but some of the functions are then
overwritten.

Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
Co-developed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - relocate PFVF disabled function
Giovanni Cabiddu [Wed, 17 Nov 2021 14:30:46 +0000 (14:30 +0000)]
crypto: qat - relocate PFVF disabled function

Move the function pfvf_comms_disabled() from the qat_4xxx module to
intel_qat as it will be used by other components to keep the PFVF
feature disabled.

Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Marco Chiappero <marco.chiappero@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - relocate PFVF VF related logic
Marco Chiappero [Wed, 17 Nov 2021 14:30:45 +0000 (14:30 +0000)]
crypto: qat - relocate PFVF VF related logic

Move device specific PFVF logic related to the VF to the newly created
adf_gen2_pfvf.c.
This refactory is done to isolate the GEN2 PFVF code into its own file
in preparation for the introduction of support for PFVF for GEN4
devices.

Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - relocate PFVF PF related logic
Marco Chiappero [Wed, 17 Nov 2021 14:30:44 +0000 (14:30 +0000)]
crypto: qat - relocate PFVF PF related logic

Move device specific PFVF logic related to the PF to the newly created
adf_gen2_pfvf.c.
This refactory is done to isolate the GEN2 PFVF code into its own file
in preparation for the introduction of support for PFVF for GEN4
devices.

In addition the PFVF PF logic for dh895xcc has been isolated to
adf_dh895xcc_hw_data.c.

Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
Co-developed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - handle retries due to collisions in adf_iov_putmsg()
Marco Chiappero [Wed, 17 Nov 2021 14:30:43 +0000 (14:30 +0000)]
crypto: qat - handle retries due to collisions in adf_iov_putmsg()

Rework __adf_iov_putmsg() to handle retries due to collisions
internally, removing the need for an external retry loop.
The functions __adf_iov_putmsg() and adf_iov_putmsg() have been merged
together maintaining the adf_iov_putmsg() name.

This will allow to use this function only for GEN2 devices, since
collision are peculiar of this generation and therefore should be
confined to the actual implementation of the transport/medium access.

Note that now adf_iov_putmsg() will retry to send a message only in case
of collisions and will now fail if an ACK is not received from the
remote function.

Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
Co-developed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - split PFVF message decoding from handling
Marco Chiappero [Wed, 17 Nov 2021 14:30:42 +0000 (14:30 +0000)]
crypto: qat - split PFVF message decoding from handling

Refactor the receive and handle logic to separate the parsing and
handling of the PFVF message from the initial retrieval and ACK.

This is to allow the intoduction of the recv function in a subsequent
patch.

Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
Co-developed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - re-enable interrupts for legacy PFVF messages
Giovanni Cabiddu [Wed, 17 Nov 2021 14:30:41 +0000 (14:30 +0000)]
crypto: qat - re-enable interrupts for legacy PFVF messages

If a PFVF message with MSGORIGIN_SYSTEM not set is received, re-enable
interrupts allowing the processing of new messages.
This is to simplify the refactoring of the recv function in a subsequent
patch.

Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Marco Chiappero <marco.chiappero@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - change PFVF ACK behaviour
Giovanni Cabiddu [Wed, 17 Nov 2021 14:30:40 +0000 (14:30 +0000)]
crypto: qat - change PFVF ACK behaviour

Change the PFVF receipt flow on the VF side to read, ack and handle the
message instead of read, handle and ack.
This is done for (1) consistency with the PF side, see the function
adf_recv_and_handle_vf2pf_msg() in adf_pf2vf_msg.c, and (2) performance
reasons, to avoid keeping the CSR busy while parsing the message.

In addition, do not ACK PFVF legacy messages, as this driver is not
capable of handling PFVF legacy messages.
If a PFVF message with MSGORIGIN not set is received, do nothing.

Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Marco Chiappero <marco.chiappero@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - move interrupt code out of the PFVF handler
Marco Chiappero [Wed, 17 Nov 2021 14:30:39 +0000 (14:30 +0000)]
crypto: qat - move interrupt code out of the PFVF handler

Move the interrupt handling call from the PF specific protocol file,
adf_pf2vf_msg.c, to adf_sriov.c to maintain the PFVF files focused on
the protocol handling.

The function adf_vf2pf_req_hndl() has been renamed as
adf_recv_and_handle_vf2pf_msg() to reflect its actual purpose and
maintain consistency with the VF side. This function now returns a
boolean indicating to the caller if interrupts need to be re-enabled or
not.

Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
Co-developed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - move VF message handler to adf_vf2pf_msg.c
Marco Chiappero [Wed, 17 Nov 2021 14:30:38 +0000 (14:30 +0000)]
crypto: qat - move VF message handler to adf_vf2pf_msg.c

Move the reading and parsing of a PF2VF message from the bottom half
function in adf_vf_isr.c, adf_pf2vf_bh_handler(), to the PFVF protocol
file adf_vf2pf_msg.c, for better code organization.

The receive and handle logic has been moved to a new function called
adf_recv_and_handle_pf2vf_msg() which returns a boolean indicating if
interrupts need to be re-enabled or not.
A slight refactoring has been done to avoid calculating the PF2VF CSR
offset twice and repeating the clearing of the PF2VFINT bit.

The "PF restarting" logic, now defined in the function
adf_pf2vf_handle_pf_restaring(), has been kept in adf_vf_isr.c due to
the dependencies with the adf_vf_stop_wq workqueue.

Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
Co-developed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - move vf2pf interrupt helpers
Giovanni Cabiddu [Wed, 17 Nov 2021 14:30:37 +0000 (14:30 +0000)]
crypto: qat - move vf2pf interrupt helpers

Move vf2pf interrupt enable and disable functions from adf_pf2vf_msg.c
to adf_isr.c
This it to separate the interrupt related code from the PFVF protocol
logic.

With this change, the function adf_disable_vf2pf_interrupts_irq() is
only called from adf_isr.c and it has been marked as static.

Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Reviewed-by: Marco Chiappero <marco.chiappero@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - refactor PF top half for PFVF
Marco Chiappero [Wed, 17 Nov 2021 14:30:36 +0000 (14:30 +0000)]
crypto: qat - refactor PF top half for PFVF

Move logic associated to handling VF2PF interrupt to its own function.
This will simplify the handling of multiple interrupt sources in the
function adf_msix_isr_ae() in the future.

Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
Co-developed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - fix undetected PFVF timeout in ACK loop
Giovanni Cabiddu [Wed, 17 Nov 2021 14:30:35 +0000 (14:30 +0000)]
crypto: qat - fix undetected PFVF timeout in ACK loop

If the remote function did not ACK the reception of a message, the
function __adf_iov_putmsg() could detect it as a collision.

This was due to the fact that the collision and the timeout checks after
the ACK loop were in the wrong order. The timeout must be checked at the
end of the loop, so fix by swapping the order of the two checks.

Fixes: 9b768e8a3909 ("crypto: qat - detect PFVF collision after ACK")
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Co-developed-by: Marco Chiappero <marco.chiappero@intel.com>
Signed-off-by: Marco Chiappero <marco.chiappero@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qat - do not handle PFVF sources for qat_4xxx
Giovanni Cabiddu [Wed, 17 Nov 2021 14:30:34 +0000 (14:30 +0000)]
crypto: qat - do not handle PFVF sources for qat_4xxx

The QAT driver does not have support for PFVF interrupts for GEN4
devices, therefore report the vf2pf sources as 0.
This prevents a NULL pointer dereference in the function
adf_msix_isr_ae() if the device triggers a spurious interrupt.

Fixes: 993161d36ab5 ("crypto: qat - fix handling of VF to PF interrupts")
Reported-by: Adam Guerin <adam.guerin@intel.com>
Signed-off-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: drbg - reseed 'nopr' drbgs periodically from get_random_bytes()
Nicolai Stange [Mon, 15 Nov 2021 14:18:09 +0000 (15:18 +0100)]
crypto: drbg - reseed 'nopr' drbgs periodically from get_random_bytes()

In contrast to the fully prediction resistant 'pr' DRBGs, the 'nopr'
variants get seeded once at boot and reseeded only rarely thereafter,
namely only after 2^20 requests have been served each. AFAICT, this
reseeding based on the number of requests served is primarily motivated
by information theoretic considerations, c.f. NIST SP800-90Ar1,
sec. 8.6.8 ("Reseeding").

However, given the relatively large seed lifetime of 2^20 requests, the
'nopr' DRBGs can hardly be considered to provide any prediction resistance
whatsoever, i.e. to protect against threats like side channel leaks of the
internal DRBG state (think e.g. leaked VM snapshots). This is expected and
completely in line with the 'nopr' naming, but as e.g. the
"drbg_nopr_hmac_sha512" implementation is potentially being used for
providing the "stdrng" and thus, the crypto_default_rng serving the
in-kernel crypto, it would certainly be desirable to achieve at least the
same level of prediction resistance as get_random_bytes() does.

Note that the chacha20 rngs underlying get_random_bytes() get reseeded
every CRNG_RESEED_INTERVAL == 5min: the secondary, per-NUMA node rngs from
the primary one and the primary rng in turn from the entropy pool, provided
sufficient entropy is available.

The 'nopr' DRBGs do draw randomness from get_random_bytes() for their
initial seed already, so making them to reseed themselves periodically from
get_random_bytes() in order to let them benefit from the latter's
prediction resistance is not such a big change conceptually.

In principle, it would have been also possible to make the 'nopr' DRBGs to
periodically invoke a full reseeding operation, i.e. to also consider the
jitterentropy source (if enabled) in addition to get_random_bytes() for the
seed value. However, get_random_bytes() is relatively lightweight as
compared to the jitterentropy generation process and thus, even though the
'nopr' reseeding is supposed to get invoked infrequently, it's IMO still
worthwhile to avoid occasional latency spikes for drbg_generate() and
stick to get_random_bytes() only. As an additional remark, note that
drawing randomness from the non-SP800-90B-conforming get_random_bytes()
only won't adversely affect SP800-90A conformance either: the very same is
being done during boot via drbg_seed_from_random() already once
rng_is_initialized() flips to true and it follows that if the DRBG
implementation does conform to SP800-90A now, it will continue to do so.

Make the 'nopr' DRBGs to reseed themselves periodically from
get_random_bytes() every CRNG_RESEED_INTERVAL == 5min.

More specifically, introduce a new member ->last_seed_time to struct
drbg_state for recording in units of jiffies when the last seeding
operation had taken place. Make __drbg_seed() maintain it and let
drbg_generate() invoke a reseed from get_random_bytes() via
drbg_seed_from_random() if more than 5min have passed by since the last
seeding operation. Be careful to not to reseed if in testing mode though,
or otherwise the drbg related tests in crypto/testmgr.c would fail to
reproduce the expected output.

In order to keep the formatting clean in drbg_generate() wrap the logic
for deciding whether or not a reseed is due in a new helper,
drbg_nopr_reseed_interval_elapsed().

Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Stephan Müller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: drbg - make drbg_prepare_hrng() handle jent instantiation errors
Nicolai Stange [Mon, 15 Nov 2021 14:18:08 +0000 (15:18 +0100)]
crypto: drbg - make drbg_prepare_hrng() handle jent instantiation errors

Now that drbg_prepare_hrng() doesn't do anything but to instantiate a
jitterentropy crypto_rng instance, it looks a little odd to have the
related error handling at its only caller, drbg_instantiate().

Move the handling of jitterentropy allocation failures from
drbg_instantiate() close to the allocation itself in drbg_prepare_hrng().

There is no change in behaviour.

Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Stephan Müller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: drbg - make reseeding from get_random_bytes() synchronous
Nicolai Stange [Mon, 15 Nov 2021 14:18:07 +0000 (15:18 +0100)]
crypto: drbg - make reseeding from get_random_bytes() synchronous

get_random_bytes() usually hasn't full entropy available by the time DRBG
instances are first getting seeded from it during boot. Thus, the DRBG
implementation registers random_ready_callbacks which would in turn
schedule some work for reseeding the DRBGs once get_random_bytes() has
sufficient entropy available.

For reference, the relevant history around handling DRBG (re)seeding in
the context of a not yet fully seeded get_random_bytes() is:

  commit 16b369a91d0d ("random: Blocking API for accessing
                        nonblocking_pool")
  commit 4c7879907edd ("crypto: drbg - add async seeding operation")

  commit 205a525c3342 ("random: Add callback API for random pool
                        readiness")
  commit 57225e679788 ("crypto: drbg - Use callback API for random
                        readiness")
  commit c2719503f5e1 ("random: Remove kernel blocking API")

However, some time later, the initialization state of get_random_bytes()
has been made queryable via rng_is_initialized() introduced with commit
9a47249d444d ("random: Make crng state queryable"). This primitive now
allows for streamlining the DRBG reseeding from get_random_bytes() by
replacing that aforementioned asynchronous work scheduling from
random_ready_callbacks with some simpler, synchronous code in
drbg_generate() next to the related logic already present therein. Apart
from improving overall code readability, this change will also enable DRBG
users to rely on wait_for_random_bytes() for ensuring that the initial
seeding has completed, if desired.

The previous patches already laid the grounds by making drbg_seed() to
record at each DRBG instance whether it was being seeded at a time when
rng_is_initialized() still had been false as indicated by
->seeded == DRBG_SEED_STATE_PARTIAL.

All that remains to be done now is to make drbg_generate() check for this
condition, determine whether rng_is_initialized() has flipped to true in
the meanwhile and invoke a reseed from get_random_bytes() if so.

Make this move:
- rename the former drbg_async_seed() work handler, i.e. the one in charge
  of reseeding a DRBG instance from get_random_bytes(), to
  "drbg_seed_from_random()",
- change its signature as appropriate, i.e. make it take a struct
  drbg_state rather than a work_struct and change its return type from
  "void" to "int" in order to allow for passing error information from
  e.g. its __drbg_seed() invocation onwards to callers,
- make drbg_generate() invoke this drbg_seed_from_random() once it
  encounters a DRBG instance with ->seeded == DRBG_SEED_STATE_PARTIAL by
  the time rng_is_initialized() has flipped to true and
- prune everything related to the former, random_ready_callback based
  mechanism.

As drbg_seed_from_random() is now getting invoked from drbg_generate() with
the ->drbg_mutex being held, it must not attempt to recursively grab it
once again. Remove the corresponding mutex operations from what is now
drbg_seed_from_random(). Furthermore, as drbg_seed_from_random() can now
report errors directly to its caller, there's no need for it to temporarily
switch the DRBG's ->seeded state to DRBG_SEED_STATE_UNSEEDED so that a
failure of the subsequently invoked __drbg_seed() will get signaled to
drbg_generate(). Don't do it then.

Signed-off-by: Nicolai Stange <nstange@suse.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: drbg - move dynamic ->reseed_threshold adjustments to __drbg_seed()
Nicolai Stange [Mon, 15 Nov 2021 14:18:06 +0000 (15:18 +0100)]
crypto: drbg - move dynamic ->reseed_threshold adjustments to __drbg_seed()

Since commit 42ea507fae1a ("crypto: drbg - reseed often if seedsource is
degraded"), the maximum seed lifetime represented by ->reseed_threshold
gets temporarily lowered if the get_random_bytes() source cannot provide
sufficient entropy yet, as is common during boot, and restored back to
the original value again once that has changed.

More specifically, if the add_random_ready_callback() invoked from
drbg_prepare_hrng() in the course of DRBG instantiation does not return
-EALREADY, that is, if get_random_bytes() has not been fully initialized
at this point yet, drbg_prepare_hrng() will lower ->reseed_threshold
to a value of 50. The drbg_async_seed() scheduled from said
random_ready_callback will eventually restore the original value.

A future patch will replace the random_ready_callback based notification
mechanism and thus, there will be no add_random_ready_callback() return
value anymore which could get compared to -EALREADY.

However, there's __drbg_seed() which gets invoked in the course of both,
the DRBG instantiation as well as the eventual reseeding from
get_random_bytes() in aforementioned drbg_async_seed(), if any. Moreover,
it knows about the get_random_bytes() initialization state by the time the
seed data had been obtained from it: the new_seed_state argument introduced
with the previous patch would get set to DRBG_SEED_STATE_PARTIAL in case
get_random_bytes() had not been fully initialized yet and to
DRBG_SEED_STATE_FULL otherwise. Thus, __drbg_seed() provides a convenient
alternative for managing that ->reseed_threshold lowering and restoring at
a central place.

Move all ->reseed_threshold adjustment code from drbg_prepare_hrng() and
drbg_async_seed() respectively to __drbg_seed(). Make __drbg_seed()
lower the ->reseed_threshold to 50 in case its new_seed_state argument
equals DRBG_SEED_STATE_PARTIAL and let it restore the original value
otherwise.

There is no change in behaviour.

Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Stephan Müller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: drbg - track whether DRBG was seeded with !rng_is_initialized()
Nicolai Stange [Mon, 15 Nov 2021 14:18:05 +0000 (15:18 +0100)]
crypto: drbg - track whether DRBG was seeded with !rng_is_initialized()

Currently, the DRBG implementation schedules asynchronous works from
random_ready_callbacks for reseeding the DRBG instances with output from
get_random_bytes() once the latter has sufficient entropy available.

However, as the get_random_bytes() initialization state can get queried by
means of rng_is_initialized() now, there is no real need for this
asynchronous reseeding logic anymore and it's better to keep things simple
by doing it synchronously when needed instead, i.e. from drbg_generate()
once rng_is_initialized() has flipped to true.

Of course, for this to work, drbg_generate() would need some means by which
it can tell whether or not rng_is_initialized() has flipped to true since
the last seeding from get_random_bytes(). Or equivalently, whether or not
the last seed from get_random_bytes() has happened when
rng_is_initialized() was still evaluating to false.

As it currently stands, enum drbg_seed_state allows for the representation
of two different DRBG seeding states: DRBG_SEED_STATE_UNSEEDED and
DRBG_SEED_STATE_FULL. The former makes drbg_generate() to invoke a full
reseeding operation involving both, the rather expensive jitterentropy as
well as the get_random_bytes() randomness sources. The DRBG_SEED_STATE_FULL
state on the other hand implies that no reseeding at all is required for a
!->pr DRBG variant.

Introduce the new DRBG_SEED_STATE_PARTIAL state to enum drbg_seed_state for
representing the condition that a DRBG was being seeded when
rng_is_initialized() had still been false. In particular, this new state
implies that
- the given DRBG instance has been fully seeded from the jitterentropy
  source (if enabled)
- and drbg_generate() is supposed to reseed from get_random_bytes()
  *only* once rng_is_initialized() turns to true.

Up to now, the __drbg_seed() helper used to set the given DRBG instance's
->seeded state to constant DRBG_SEED_STATE_FULL. Introduce a new argument
allowing for the specification of the to be written ->seeded value instead.
Make the first of its two callers, drbg_seed(), determine the appropriate
value based on rng_is_initialized(). The remaining caller,
drbg_async_seed(), is known to get invoked only once rng_is_initialized()
is true, hence let it pass constant DRBG_SEED_STATE_FULL for the new
argument to __drbg_seed().

There is no change in behaviour, except for that the pr_devel() in
drbg_generate() would now report "unseeded" for ->pr DRBG instances which
had last been seeded when rng_is_initialized() was still evaluating to
false.

Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Stephan Müller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: drbg - prepare for more fine-grained tracking of seeding state
Nicolai Stange [Mon, 15 Nov 2021 14:18:04 +0000 (15:18 +0100)]
crypto: drbg - prepare for more fine-grained tracking of seeding state

There are two different randomness sources the DRBGs are getting seeded
from, namely the jitterentropy source (if enabled) and get_random_bytes().
At initial DRBG seeding time during boot, the latter might not have
collected sufficient entropy for seeding itself yet and thus, the DRBG
implementation schedules a reseed work from a random_ready_callback once
that has happened. This is particularly important for the !->pr DRBG
instances, for which (almost) no further reseeds are getting triggered
during their lifetime.

Because collecting data from the jitterentropy source is a rather expensive
operation, the aforementioned asynchronously scheduled reseed work
restricts itself to get_random_bytes() only. That is, it in some sense
amends the initial DRBG seed derived from jitterentropy output at full
(estimated) entropy with fresh randomness obtained from get_random_bytes()
once that has been seeded with sufficient entropy itself.

With the advent of rng_is_initialized(), there is no real need for doing
the reseed operation from an asynchronously scheduled work anymore and a
subsequent patch will make it synchronous by moving it next to related
logic already present in drbg_generate().

However, for tracking whether a full reseed including the jitterentropy
source is required or a "partial" reseed involving only get_random_bytes()
would be sufficient already, the boolean struct drbg_state's ->seeded
member must become a tristate value.

Prepare for this by introducing the new enum drbg_seed_state and change
struct drbg_state's ->seeded member's type from bool to that type.

For facilitating review, enum drbg_seed_state is made to only contain
two members corresponding to the former ->seeded values of false and true
resp. at this point: DRBG_SEED_STATE_UNSEEDED and DRBG_SEED_STATE_FULL. A
third one for tracking the intermediate state of "seeded from jitterentropy
only" will be introduced with a subsequent patch.

There is no change in behaviour at this point.

Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Stephan Müller <smueller@chronox.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: ccp - no need to initialise statics to 0
Jason Wang [Sat, 13 Nov 2021 06:30:23 +0000 (14:30 +0800)]
crypto: ccp - no need to initialise statics to 0

Static variables do not need to be initialized to 0.

Signed-off-by: Jason Wang <wangborong@cdjrlc.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: ccree - remove redundant 'flush_workqueue()' calls
Christophe JAILLET [Fri, 12 Nov 2021 16:49:23 +0000 (17:49 +0100)]
crypto: ccree - remove redundant 'flush_workqueue()' calls

'destroy_workqueue()' already drains the queue before destroying it, so
there is no need to flush it explicitly.

Remove the redundant 'flush_workqueue()' calls.

This was generated with coccinelle:

@@
expression E;
@@
-  flush_workqueue(E);
destroy_workqueue(E);

Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Cristian Marussi <cristian.marussi@arm.com>
Acked-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: octeontx2 - use swap() to make code cleaner
chiminghao [Tue, 9 Nov 2021 08:35:03 +0000 (08:35 +0000)]
crypto: octeontx2 - use swap() to make code cleaner

Fix the following coccicheck REVIEW:
./drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c:1688:16-17 use swap() to make code cleaner

Reported-by: Zeal Robot <zealci@zte.com.cn>
Signed-off-by: chiminghao <chi.minghao@zte.com.cn>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: testmgr - Fix wrong test case of RSA
Lei He [Fri, 5 Nov 2021 12:25:31 +0000 (20:25 +0800)]
crypto: testmgr - Fix wrong test case of RSA

According to the BER encoding rules, integer value should be encoded
as two's complement, and if the highest bit of a positive integer
is 1, should add a leading zero-octet.

The kernel's built-in RSA algorithm cannot recognize negative numbers
when parsing keys, so it can pass this test case.

Export the key to file and run the following command to verify the
fix result:

  openssl asn1parse -inform DER -in /path/to/key/file

Signed-off-by: Lei He <helei.sig11@bytedance.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qce - fix uaf on qce_skcipher_register_one
Chengfeng Ye [Thu, 4 Nov 2021 13:46:42 +0000 (06:46 -0700)]
crypto: qce - fix uaf on qce_skcipher_register_one

Pointer alg points to sub field of tmpl, it
is dereferenced after tmpl is freed. Fix
this by accessing alg before free tmpl.

Fixes: ec8f5d8f ("crypto: qce - Qualcomm crypto engine driver")
Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
Acked-by: Thara Gopinath <thara.gopinath@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qce - fix uaf on qce_ahash_register_one
Chengfeng Ye [Thu, 4 Nov 2021 13:38:31 +0000 (06:38 -0700)]
crypto: qce - fix uaf on qce_ahash_register_one

Pointer base points to sub field of tmpl, it
is dereferenced after tmpl is freed. Fix
this by accessing base before free tmpl.

Fixes: ec8f5d8f ("crypto: qce - Qualcomm crypto engine driver")
Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
Acked-by: Thara Gopinath <thara.gopinath@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: qce - fix uaf on qce_aead_register_one
Chengfeng Ye [Thu, 4 Nov 2021 13:28:07 +0000 (06:28 -0700)]
crypto: qce - fix uaf on qce_aead_register_one

Pointer alg points to sub field of tmpl, it
is dereferenced after tmpl is freed. Fix
this by accessing alg before free tmpl.

Fixes: 9363efb4 ("crypto: qce - Add support for AEAD algorithms")
Signed-off-by: Chengfeng Ye <cyeaa@connect.ust.hk>
Acked-by: Thara Gopinath <thara.gopinath@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: hisilicon/hpre - use swap() to make code cleaner
Yang Guang [Thu, 4 Nov 2021 06:19:10 +0000 (14:19 +0800)]
crypto: hisilicon/hpre - use swap() to make code cleaner

Use the macro 'swap()' defined in 'include/linux/minmax.h' to avoid
opencoding it.

Reported-by: Zeal Robot <zealci@zte.com.cn>
Signed-off-by: Yang Guang <yang.guang5@zte.com.cn>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agoMAINTAINERS: rectify entry for INTEL KEEM BAY OCS ECC CRYPTO DRIVER
Lukas Bulwahn [Wed, 3 Nov 2021 09:47:11 +0000 (10:47 +0100)]
MAINTAINERS: rectify entry for INTEL KEEM BAY OCS ECC CRYPTO DRIVER

Commit c9f608c38009 ("crypto: keembay-ocs-ecc - Add Keem Bay OCS ECC
Driver") only adds drivers/crypto/keembay/keembay-ocs-ecc.c, but adds a
file entry drivers/crypto/keembay/ocs-ecc-curve-defs.h in MAINTAINERS.

Hence, ./scripts/get_maintainer.pl --self-test=patterns warns:

  warning: no file matches  F:  drivers/crypto/keembay/ocs-ecc-curve-defs.h

Assuming that this header is obsolete and will not be included in the
repository, remove the unneeded file entry from MAINTAINERS.

Signed-off-by: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Reviewed-by: Daniele Alessandrelli <daniele.alessandrelli@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: keembay-ocs-ecc - Fix error return code in kmb_ocs_ecc_probe()
Wei Yongjun [Mon, 1 Nov 2021 14:02:33 +0000 (14:02 +0000)]
crypto: keembay-ocs-ecc - Fix error return code in kmb_ocs_ecc_probe()

Fix to return negative error code -ENOMEM from the error handling
case instead of 0, as done elsewhere in this function.

Fixes: c9f608c38009 ("crypto: keembay-ocs-ecc - Add Keem Bay OCS ECC Driver")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Reviewed-by: Daniele Alessandrelli <daniele.alessandrelli@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: caam - replace this_cpu_ptr with raw_cpu_ptr
Meng Li [Mon, 1 Nov 2021 03:13:53 +0000 (11:13 +0800)]
crypto: caam - replace this_cpu_ptr with raw_cpu_ptr

When enable the kernel debug config, there is below calltrace detected:
BUG: using smp_processor_id() in preemptible [00000000] code: cryptomgr_test/339
caller is debug_smp_processor_id+0x20/0x30
CPU: 9 PID: 339 Comm: cryptomgr_test Not tainted 5.10.63-yocto-standard #1
Hardware name: NXP Layerscape LX2160ARDB (DT)
Call trace:
 dump_backtrace+0x0/0x1a0
 show_stack+0x24/0x30
 dump_stack+0xf0/0x13c
 check_preemption_disabled+0x100/0x110
 debug_smp_processor_id+0x20/0x30
 dpaa2_caam_enqueue+0x10c/0x25c
 ......
 cryptomgr_test+0x38/0x60
 kthread+0x158/0x164
 ret_from_fork+0x10/0x38
According to the comment in commit ac5d15b4519f("crypto: caam/qi2
 - use affine DPIOs "), because preemption is no longer disabled
while trying to enqueue an FQID, it might be possible to run the
enqueue on a different CPU(due to migration, when in process context),
however this wouldn't be a functionality issue. But there will be
above calltrace when enable kernel debug config. So, replace this_cpu_ptr
with raw_cpu_ptr to avoid above call trace.

Fixes: ac5d15b4519f ("crypto: caam/qi2 - use affine DPIOs")
Cc: stable@vger.kernel.org
Signed-off-by: Meng Li <Meng.Li@windriver.com>
Reviewed-by: Horia Geantă <horia.geanta@nxp.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agohwrng: cavium - Check health status while reading random data
Sunil Goutham [Fri, 29 Oct 2021 17:19:59 +0000 (22:49 +0530)]
hwrng: cavium - Check health status while reading random data

This RNG device is present on Marvell OcteonTx2 silicons as well and
also provides entropy health status.

HW continuously checks health condition of entropy and reports
faults. Fault is in terms of co-processor cycles since last fault
detected. This doesn't get cleared and only updated when new fault
is detected. Also there are chances of detecting false positives.
So to detect a entropy failure SW has to check if failures are
persistent ie cycles elapsed is frequently updated by HW.

This patch adds support to detect health failures using below algo.
1. Consider any fault detected before 10ms as a false positive and ignore.
   10ms is chosen randomly, no significance.
2. Upon first failure detection make a note of cycles elapsed and when this
   error happened in realtime (cntvct).
3. Upon subsequent failure, check if this is new or a old one by comparing
   current cycles with the ones since last failure. cycles or time since
   last failure is calculated using cycles and time info captured at (2).

HEALTH_CHECK status register is not available to VF, hence had to map
PF registers. Also since cycles are in terms of co-processor cycles,
had to retrieve co-processor clock rate from RST device.

Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agocrypto: atmel-aes - Reestablish the correct tfm context at dequeue
Tudor Ambarus [Wed, 27 Oct 2021 13:30:01 +0000 (16:30 +0300)]
crypto: atmel-aes - Reestablish the correct tfm context at dequeue

In case there were more requests from different tfms in the crypto
queue, only the context of the last initialized tfm was considered.

Fixes: ec2088b66f7a ("crypto: atmel-aes - Allocate aes dev at tfm init time")
Reported-by: Wolfgang Ocker <weo@reccoware.de>
Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2 years agoLinux 5.16-rc1
Linus Torvalds [Sun, 14 Nov 2021 21:56:52 +0000 (13:56 -0800)]
Linux 5.16-rc1

2 years agokconfig: Add support for -Wimplicit-fallthrough
Gustavo A. R. Silva [Sun, 14 Nov 2021 00:57:25 +0000 (18:57 -0600)]
kconfig: Add support for -Wimplicit-fallthrough

Add Kconfig support for -Wimplicit-fallthrough for both GCC and Clang.

The compiler option is under configuration CC_IMPLICIT_FALLTHROUGH,
which is enabled by default.

Special thanks to Nathan Chancellor who fixed the Clang bug[1][2]. This
bugfix only appears in Clang 14.0.0, so older versions still contain
the bug and -Wimplicit-fallthrough won't be enabled for them, for now.

This concludes a long journey and now we are finally getting rid
of the unintentional fallthrough bug-class in the kernel, entirely. :)

Link: https://github.com/llvm/llvm-project/commit/9ed4a94d6451046a51ef393cd62f00710820a7e8
Link: https://bugs.llvm.org/show_bug.cgi?id=51094
Link: https://github.com/KSPP/linux/issues/115
Link: https://github.com/ClangBuiltLinux/linux/issues/236
Co-developed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kees Cook <keescook@chromium.org>
Co-developed-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2 years agoMerge tag 'xfs-5.16-merge-5' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux
Linus Torvalds [Sun, 14 Nov 2021 20:18:22 +0000 (12:18 -0800)]
Merge tag 'xfs-5.16-merge-5' of git://git./fs/xfs/xfs-linux

Pull xfs cleanups from Darrick Wong:
 "The most 'exciting' aspect of this branch is that the xfsprogs
  maintainer and I have worked through the last of the code
  discrepancies between kernel and userspace libxfs such that there are
  no code differences between the two except for #includes.

  IOWs, diff suffices to demonstrate that the userspace tools behave the
  same as the kernel, and kernel-only bits are clearly marked in the
  /kernel/ source code instead of just the userspace source.

  Summary:

   - Clean up open-coded swap() calls.

   - A little bit of #ifdef golf to complete the reunification of the
     kernel and userspace libxfs source code"

* tag 'xfs-5.16-merge-5' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
  xfs: sync xfs_btree_split macros with userspace libxfs
  xfs: #ifdef out perag code for userspace
  xfs: use swap() to make dabtree code cleaner

2 years agoMerge tag 'for-5.16/parisc-3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller...
Linus Torvalds [Sun, 14 Nov 2021 19:53:59 +0000 (11:53 -0800)]
Merge tag 'for-5.16/parisc-3' of git://git./linux/kernel/git/deller/parisc-linux

Pull more parisc fixes from Helge Deller:
 "Fix a build error in stracktrace.c, fix resolving of addresses to
  function names in backtraces, fix single-stepping in assembly code and
  flush userspace pte's when using set_pte_at()"

* tag 'for-5.16/parisc-3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux:
  parisc/entry: fix trace test in syscall exit path
  parisc: Flush kernel data mapping in set_pte_at() when installing pte for user page
  parisc: Fix implicit declaration of function '__kernel_text_address'
  parisc: Fix backtrace to always include init funtion names

2 years agoMerge tag 'sh-for-5.16' of git://git.libc.org/linux-sh
Linus Torvalds [Sun, 14 Nov 2021 19:37:49 +0000 (11:37 -0800)]
Merge tag 'sh-for-5.16' of git://git.libc.org/linux-sh

Pull arch/sh updates from Rich Felker.

* tag 'sh-for-5.16' of git://git.libc.org/linux-sh:
  sh: pgtable-3level: Fix cast to pointer from integer of different size
  sh: fix READ/WRITE redefinition warnings
  sh: define __BIG_ENDIAN for math-emu
  sh: math-emu: drop unused functions
  sh: fix kconfig unmet dependency warning for FRAME_POINTER
  sh: Cleanup about SPARSE_IRQ
  sh: kdump: add some attribute to function
  maple: fix wrong return value of maple_bus_init().
  sh: boot: avoid unneeded rebuilds under arch/sh/boot/compressed/
  sh: boot: add intermediate vmlinux.bin* to targets instead of extra-y
  sh: boards: Fix the cacography in irq.c
  sh: check return code of request_irq
  sh: fix trivial misannotations

2 years agoMerge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm
Linus Torvalds [Sun, 14 Nov 2021 19:30:50 +0000 (11:30 -0800)]
Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm

Pull ARM fixes from Russell King:

 - Fix early_iounmap

 - Drop cc-option fallbacks for architecture selection

* tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm:
  ARM: 9156/1: drop cc-option fallbacks for architecture selection
  ARM: 9155/1: fix early early_iounmap()

2 years agoMerge tag 'devicetree-fixes-for-5.16-1' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Sun, 14 Nov 2021 19:11:51 +0000 (11:11 -0800)]
Merge tag 'devicetree-fixes-for-5.16-1' of git://git./linux/kernel/git/robh/linux

Pull devicetree fixes from Rob Herring:

 - Two fixes due to DT node name changes on Arm, Ltd. boards

 - Treewide rename of Ingenic CGU headers

 - Update ST email addresses

 - Remove Netlogic DT bindings

 - Dropping few more cases of redundant 'maxItems' in schemas

 - Convert toshiba,tc358767 bridge binding to schema

* tag 'devicetree-fixes-for-5.16-1' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
  dt-bindings: watchdog: sunxi: fix error in schema
  bindings: media: venus: Drop redundant maxItems for power-domain-names
  dt-bindings: Remove Netlogic bindings
  clk: versatile: clk-icst: Ensure clock names are unique
  of: Support using 'mask' in making device bus id
  dt-bindings: treewide: Update @st.com email address to @foss.st.com
  dt-bindings: media: Update maintainers for st,stm32-hwspinlock.yaml
  dt-bindings: media: Update maintainers for st,stm32-cec.yaml
  dt-bindings: mfd: timers: Update maintainers for st,stm32-timers
  dt-bindings: timer: Update maintainers for st,stm32-timer
  dt-bindings: i2c: imx: hardware do not restrict clock-frequency to only 100 and 400 kHz
  dt-bindings: display: bridge: Convert toshiba,tc358767.txt to yaml
  dt-bindings: Rename Ingenic CGU headers to ingenic,*.h

2 years agoMerge tag 'timers-urgent-2021-11-14' of git://git.kernel.org/pub/scm/linux/kernel...
Linus Torvalds [Sun, 14 Nov 2021 18:43:38 +0000 (10:43 -0800)]
Merge tag 'timers-urgent-2021-11-14' of git://git./linux/kernel/git/tip/tip

Pull timer fix from Thomas Gleixner:
 "A single fix for POSIX CPU timers to address a problem where POSIX CPU
  timer delivery stops working for a new child task because
  copy_process() copies state information which is only valid for the
  parent task"

* tag 'timers-urgent-2021-11-14' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  posix-cpu-timers: Clear task::posix_cputimers_work in copy_process()

2 years agoMerge tag 'irq-urgent-2021-11-14' of git://git.kernel.org/pub/scm/linux/kernel/git...
Linus Torvalds [Sun, 14 Nov 2021 18:38:27 +0000 (10:38 -0800)]
Merge tag 'irq-urgent-2021-11-14' of git://git./linux/kernel/git/tip/tip

Pull irq fixes from Thomas Gleixner:
 "A set of fixes for the interrupt subsystem

  Core code:

   - A regression fix for the Open Firmware interrupt mapping code where
     a interrupt controller property in a node caused a map property in
     the same node to be ignored.

  Interrupt chip drivers:

   - Workaround a limitation in SiFive PLIC interrupt chip which
     silently ignores an EOI when the interrupt line is masked.

   - Provide the missing mask/unmask implementation for the CSKY MP
     interrupt controller.

  PCI/MSI:

   - Prevent a use after free when PCI/MSI interrupts are released by
     destroying the sysfs entries before freeing the memory which is
     accessed in the sysfs show() function.

   - Implement a mask quirk for the Nvidia ION AHCI chip which does not
     advertise masking capability despite implementing it. Even worse
     the chip comes out of reset with all MSI entries masked, which due
     to the missing masking capability never get unmasked.

   - Move the check which prevents accessing the MSI[X] masking for XEN
     back into the low level accessors. The recent consolidation missed
     that these accessors can be invoked from places which do not have
     that check which broke XEN. Move them back to he original place
     instead of sprinkling tons of these checks all over the code"

* tag 'irq-urgent-2021-11-14' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  of/irq: Don't ignore interrupt-controller when interrupt-map failed
  irqchip/sifive-plic: Fixup EOI failed when masked
  irqchip/csky-mpintc: Fixup mask/unmask implementation
  PCI/MSI: Destroy sysfs before freeing entries
  PCI: Add MSI masking quirk for Nvidia ION AHCI
  PCI/MSI: Deal with devices lying about their MSI mask capability
  PCI/MSI: Move non-mask check back into low level accessors