| Message ID | 20200228065123.13216-1-horia.geanta@nxp.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Herbert Xu |
| Headers | show |
| Series | [v2] crypto: caam/qi2 - fix chacha20 data size error | expand |
> -----Original Message----- > From: Horia Geantă <horia.geanta@nxp.com> > Sent: Friday, February 28, 2020 08:51 > To: Herbert Xu <herbert@gondor.apana.org.au> > Cc: David S. Miller <davem@davemloft.net>; Aymen Sghaier > <aymen.sghaier@nxp.com>; Valentin Ciocoi Radulescu > <valentin.ciocoi@nxp.com>; linux-crypto@vger.kernel.org; dl-linux-imx > <linux-imx@nxp.com> > Subject: [PATCH v2] crypto: caam/qi2 - fix chacha20 data size error > > HW generates a Data Size error for chacha20 requests that are not > a multiple of 64B, since algorithm state (AS) does not have > the FINAL bit set. > > Since updating req->iv (for chaining) is not required, > modify skcipher descriptors to set the FINAL bit for chacha20. > > [Note that for skcipher decryption we know that ctx1_iv_off is 0, > which allows for an optimization by not checking algorithm type, > since append_dec_op1() sets FINAL bit for all algorithms except AES.] > > Also drop the descriptor operations that save the IV. > However, in order to keep code logic simple, things like > S/G tables generation etc. are not touched. > > Cc: <stable@vger.kernel.org> # v5.3+ > Fixes: 334d37c9e263 ("crypto: caam - update IV using HW support") > Signed-off-by: Horia Geantă <horia.geanta@nxp.com> Tested-by: Valentin Ciocoi Radulescu <valentin.ciocoi@nxp.com> Tested on LX2160ARDB board with cryptodev-2.6 tree: root@TinyLinux:~# cat /proc/crypto | grep chacha20-caam -A 5 driver : chacha20-caam-qi2 module : kernel priority : 2000 refcnt : 1 selftest : passed internal : no
On Fri, Feb 28, 2020 at 08:51:23AM +0200, Horia Geantă wrote: > HW generates a Data Size error for chacha20 requests that are not > a multiple of 64B, since algorithm state (AS) does not have > the FINAL bit set. > > Since updating req->iv (for chaining) is not required, > modify skcipher descriptors to set the FINAL bit for chacha20. > > [Note that for skcipher decryption we know that ctx1_iv_off is 0, > which allows for an optimization by not checking algorithm type, > since append_dec_op1() sets FINAL bit for all algorithms except AES.] > > Also drop the descriptor operations that save the IV. > However, in order to keep code logic simple, things like > S/G tables generation etc. are not touched. > > Cc: <stable@vger.kernel.org> # v5.3+ > Fixes: 334d37c9e263 ("crypto: caam - update IV using HW support") > Signed-off-by: Horia Geantă <horia.geanta@nxp.com> > --- > drivers/crypto/caam/caamalg_desc.c | 14 ++++++++++---- > 1 file changed, 10 insertions(+), 4 deletions(-) Patch applied. Thanks.
diff --git a/drivers/crypto/caam/caamalg_desc.c b/drivers/crypto/caam/caamalg_desc.c index aa9ccca67045..6171a8118b5a 100644 --- a/drivers/crypto/caam/caamalg_desc.c +++ b/drivers/crypto/caam/caamalg_desc.c @@ -1379,6 +1379,9 @@ void cnstr_shdsc_skcipher_encap(u32 * const desc, struct alginfo *cdata, const u32 ctx1_iv_off) { u32 *key_jump_cmd; + u32 options = cdata->algtype | OP_ALG_AS_INIT | OP_ALG_ENCRYPT; + bool is_chacha20 = ((cdata->algtype & OP_ALG_ALGSEL_MASK) == + OP_ALG_ALGSEL_CHACHA20); init_sh_desc(desc, HDR_SHARE_SERIAL | HDR_SAVECTX); /* Skip if already shared */ @@ -1417,14 +1420,15 @@ void cnstr_shdsc_skcipher_encap(u32 * const desc, struct alginfo *cdata, LDST_OFFSET_SHIFT)); /* Load operation */ - append_operation(desc, cdata->algtype | OP_ALG_AS_INIT | - OP_ALG_ENCRYPT); + if (is_chacha20) + options |= OP_ALG_AS_FINALIZE; + append_operation(desc, options); /* Perform operation */ skcipher_append_src_dst(desc); /* Store IV */ - if (ivsize) + if (!is_chacha20 && ivsize) append_seq_store(desc, ivsize, LDST_SRCDST_BYTE_CONTEXT | LDST_CLASS_1_CCB | (ctx1_iv_off << LDST_OFFSET_SHIFT)); @@ -1451,6 +1455,8 @@ void cnstr_shdsc_skcipher_decap(u32 * const desc, struct alginfo *cdata, const u32 ctx1_iv_off) { u32 *key_jump_cmd; + bool is_chacha20 = ((cdata->algtype & OP_ALG_ALGSEL_MASK) == + OP_ALG_ALGSEL_CHACHA20); init_sh_desc(desc, HDR_SHARE_SERIAL | HDR_SAVECTX); /* Skip if already shared */ @@ -1499,7 +1505,7 @@ void cnstr_shdsc_skcipher_decap(u32 * const desc, struct alginfo *cdata, skcipher_append_src_dst(desc); /* Store IV */ - if (ivsize) + if (!is_chacha20 && ivsize) append_seq_store(desc, ivsize, LDST_SRCDST_BYTE_CONTEXT | LDST_CLASS_1_CCB | (ctx1_iv_off << LDST_OFFSET_SHIFT));
HW generates a Data Size error for chacha20 requests that are not a multiple of 64B, since algorithm state (AS) does not have the FINAL bit set. Since updating req->iv (for chaining) is not required, modify skcipher descriptors to set the FINAL bit for chacha20. [Note that for skcipher decryption we know that ctx1_iv_off is 0, which allows for an optimization by not checking algorithm type, since append_dec_op1() sets FINAL bit for all algorithms except AES.] Also drop the descriptor operations that save the IV. However, in order to keep code logic simple, things like S/G tables generation etc. are not touched. Cc: <stable@vger.kernel.org> # v5.3+ Fixes: 334d37c9e263 ("crypto: caam - update IV using HW support") Signed-off-by: Horia Geantă <horia.geanta@nxp.com> --- drivers/crypto/caam/caamalg_desc.c | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-)