On 5/6/2019 11:06 AM, Horia Geanta wrote:
On 5/6/2019 9:40 AM, Herbert Xu wrote:
On Fri, May 03, 2019 at 03:05:48PM +0300, Horia Geantă wrote:
The detection whether DKP (Derived Key Protocol) is used relies on the setkey callback. Since "aead_setkey" was replaced in some cases with "des3_aead_setkey" (for 3DES weak key checking), the logic has to be updated - otherwise the DMA mapping direction is incorrect (leading to faults in case caam is behind an IOMMU).
Fixes: 1b52c40919e6 ("crypto: caam - Forbid 2-key 3DES in FIPS mode") Signed-off-by: Horia Geantă horia.geanta@nxp.com
This issue was noticed when testing with previously submitted IOMMU support: https://patchwork.kernel.org/project/linux-crypto/list/?series=110277&st...
Thanks for catching this Horia!
My preference would be to encode this logic separately rather than relying on the setkey test. How about this patch?
This is probably more reliable.
---8<--- The detection for DKP (Derived Key Protocol) relied on the value of the setkey function. This was broken by the recent change which added des3_aead_setkey.
This patch fixes this by introducing a new flag for DKP and setting that where needed.
Reported-by: Horia Geantă horia.geanta@nxp.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au
Tested-by: Horia Geantă horia.geanta@nxp.com
Unfortunately the commit message dropped the tag provided in v1: Fixes: 1b52c40919e6 ("crypto: caam - Forbid 2-key 3DES in FIPS mode")
This fix was merged in v5.2-rc1 (commit 24586b5feaf17ecf85ae6259fe3ea7815dee432d upstream) but should also be queued up for 5.1.y.
Thanks, Horia
On Thu, May 30, 2019 at 11:36:25AM +0000, Horia Geanta wrote:
On 5/6/2019 11:06 AM, Horia Geanta wrote:
On 5/6/2019 9:40 AM, Herbert Xu wrote:
On Fri, May 03, 2019 at 03:05:48PM +0300, Horia Geantă wrote:
The detection whether DKP (Derived Key Protocol) is used relies on the setkey callback. Since "aead_setkey" was replaced in some cases with "des3_aead_setkey" (for 3DES weak key checking), the logic has to be updated - otherwise the DMA mapping direction is incorrect (leading to faults in case caam is behind an IOMMU).
Fixes: 1b52c40919e6 ("crypto: caam - Forbid 2-key 3DES in FIPS mode") Signed-off-by: Horia Geantă horia.geanta@nxp.com
This issue was noticed when testing with previously submitted IOMMU support: https://patchwork.kernel.org/project/linux-crypto/list/?series=110277&st...
Thanks for catching this Horia!
My preference would be to encode this logic separately rather than relying on the setkey test. How about this patch?
This is probably more reliable.
---8<--- The detection for DKP (Derived Key Protocol) relied on the value of the setkey function. This was broken by the recent change which added des3_aead_setkey.
This patch fixes this by introducing a new flag for DKP and setting that where needed.
Reported-by: Horia Geantă horia.geanta@nxp.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au
Tested-by: Horia Geantă horia.geanta@nxp.com
Unfortunately the commit message dropped the tag provided in v1: Fixes: 1b52c40919e6 ("crypto: caam - Forbid 2-key 3DES in FIPS mode")
This fix was merged in v5.2-rc1 (commit 24586b5feaf17ecf85ae6259fe3ea7815dee432d upstream) but should also be queued up for 5.1.y.
I do not understand, sorry. What exact patches need to be applied to 5.1.y?
thanks,
greg k-h
On 6/3/2019 10:52 AM, Greg Kroah-Hartman wrote:
On Thu, May 30, 2019 at 11:36:25AM +0000, Horia Geanta wrote:
On 5/6/2019 11:06 AM, Horia Geanta wrote:
On 5/6/2019 9:40 AM, Herbert Xu wrote:
On Fri, May 03, 2019 at 03:05:48PM +0300, Horia Geantă wrote:
The detection whether DKP (Derived Key Protocol) is used relies on the setkey callback. Since "aead_setkey" was replaced in some cases with "des3_aead_setkey" (for 3DES weak key checking), the logic has to be updated - otherwise the DMA mapping direction is incorrect (leading to faults in case caam is behind an IOMMU).
Fixes: 1b52c40919e6 ("crypto: caam - Forbid 2-key 3DES in FIPS mode") Signed-off-by: Horia Geantă horia.geanta@nxp.com
This issue was noticed when testing with previously submitted IOMMU support: https://patchwork.kernel.org/project/linux-crypto/list/?series=110277&st...
Thanks for catching this Horia!
My preference would be to encode this logic separately rather than relying on the setkey test. How about this patch?
This is probably more reliable.
---8<--- The detection for DKP (Derived Key Protocol) relied on the value of the setkey function. This was broken by the recent change which added des3_aead_setkey.
This patch fixes this by introducing a new flag for DKP and setting that where needed.
Reported-by: Horia Geantă horia.geanta@nxp.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au
Tested-by: Horia Geantă horia.geanta@nxp.com
Unfortunately the commit message dropped the tag provided in v1: Fixes: 1b52c40919e6 ("crypto: caam - Forbid 2-key 3DES in FIPS mode")
This fix was merged in v5.2-rc1 (commit 24586b5feaf17ecf85ae6259fe3ea7815dee432d upstream) but should also be queued up for 5.1.y.
I do not understand, sorry. What exact patches need to be applied to 5.1.y?
Commit 24586b5feaf1 ("crypto: caam - fix DKP detection logic").
Thanks, Horia
On Mon, Jun 03, 2019 at 08:10:15AM +0000, Horia Geanta wrote:
On 6/3/2019 10:52 AM, Greg Kroah-Hartman wrote:
On Thu, May 30, 2019 at 11:36:25AM +0000, Horia Geanta wrote:
On 5/6/2019 11:06 AM, Horia Geanta wrote:
On 5/6/2019 9:40 AM, Herbert Xu wrote:
On Fri, May 03, 2019 at 03:05:48PM +0300, Horia Geantă wrote:
The detection whether DKP (Derived Key Protocol) is used relies on the setkey callback. Since "aead_setkey" was replaced in some cases with "des3_aead_setkey" (for 3DES weak key checking), the logic has to be updated - otherwise the DMA mapping direction is incorrect (leading to faults in case caam is behind an IOMMU).
Fixes: 1b52c40919e6 ("crypto: caam - Forbid 2-key 3DES in FIPS mode") Signed-off-by: Horia Geantă horia.geanta@nxp.com
This issue was noticed when testing with previously submitted IOMMU support: https://patchwork.kernel.org/project/linux-crypto/list/?series=110277&st...
Thanks for catching this Horia!
My preference would be to encode this logic separately rather than relying on the setkey test. How about this patch?
This is probably more reliable.
---8<--- The detection for DKP (Derived Key Protocol) relied on the value of the setkey function. This was broken by the recent change which added des3_aead_setkey.
This patch fixes this by introducing a new flag for DKP and setting that where needed.
Reported-by: Horia Geantă horia.geanta@nxp.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au
Tested-by: Horia Geantă horia.geanta@nxp.com
Unfortunately the commit message dropped the tag provided in v1: Fixes: 1b52c40919e6 ("crypto: caam - Forbid 2-key 3DES in FIPS mode")
This fix was merged in v5.2-rc1 (commit 24586b5feaf17ecf85ae6259fe3ea7815dee432d upstream) but should also be queued up for 5.1.y.
I do not understand, sorry. What exact patches need to be applied to 5.1.y?
Commit 24586b5feaf1 ("crypto: caam - fix DKP detection logic").
But that commit says: Fixes: 1b52c40919e6 ("crypto: caam - Forbid 2-key 3DES in FIPS mode") which is only contained in 5.2-rc1, so why would I want to apply the first one to 5.1.y?
Still confused,
greg k-h
On 6/3/2019 11:43 AM, Greg Kroah-Hartman wrote:
On Mon, Jun 03, 2019 at 08:10:15AM +0000, Horia Geanta wrote:
On 6/3/2019 10:52 AM, Greg Kroah-Hartman wrote:
On Thu, May 30, 2019 at 11:36:25AM +0000, Horia Geanta wrote:
On 5/6/2019 11:06 AM, Horia Geanta wrote:
On 5/6/2019 9:40 AM, Herbert Xu wrote:
On Fri, May 03, 2019 at 03:05:48PM +0300, Horia Geantă wrote: > The detection whether DKP (Derived Key Protocol) is used relies on > the setkey callback. > Since "aead_setkey" was replaced in some cases with "des3_aead_setkey" > (for 3DES weak key checking), the logic has to be updated - otherwise > the DMA mapping direction is incorrect (leading to faults in case caam > is behind an IOMMU). > > Fixes: 1b52c40919e6 ("crypto: caam - Forbid 2-key 3DES in FIPS mode") > Signed-off-by: Horia Geantă horia.geanta@nxp.com > --- > > This issue was noticed when testing with previously submitted IOMMU support: > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpatchwork....
Thanks for catching this Horia!
My preference would be to encode this logic separately rather than relying on the setkey test. How about this patch?
This is probably more reliable.
---8<--- The detection for DKP (Derived Key Protocol) relied on the value of the setkey function. This was broken by the recent change which added des3_aead_setkey.
This patch fixes this by introducing a new flag for DKP and setting that where needed.
Reported-by: Horia Geantă horia.geanta@nxp.com Signed-off-by: Herbert Xu herbert@gondor.apana.org.au
Tested-by: Horia Geantă horia.geanta@nxp.com
Unfortunately the commit message dropped the tag provided in v1: Fixes: 1b52c40919e6 ("crypto: caam - Forbid 2-key 3DES in FIPS mode")
This fix was merged in v5.2-rc1 (commit 24586b5feaf17ecf85ae6259fe3ea7815dee432d upstream) but should also be queued up for 5.1.y.
I do not understand, sorry. What exact patches need to be applied to 5.1.y?
Commit 24586b5feaf1 ("crypto: caam - fix DKP detection logic").
But that commit says: Fixes: 1b52c40919e6 ("crypto: caam - Forbid 2-key 3DES in FIPS mode") which is only contained in 5.2-rc1, so why would I want to apply the first one to 5.1.y?
Sorry, my bad.
I've looked at the failing kernel version: 5.1.0-09365-g8ea5b2abd07e and seeing that commit 1b52c40919e6 ("crypto: caam - Forbid 2-key 3DES in FIPS mode") is in the tree, concluded it was delivered in 5.1 and would need the fix.
Please disregard the request.
Thanks, Horia
linux-stable-mirror@lists.linaro.org
-
Greg Kroah-Hartman -
Horia Geanta