2020-02-28 06:51:55

by Horia Geanta

[permalink] [raw]
Subject: [PATCH v2] crypto: caam/qi2 - fix chacha20 data size error

HW generates a Data Size error for chacha20 requests that are not
a multiple of 64B, since algorithm state (AS) does not have
the FINAL bit set.

Since updating req->iv (for chaining) is not required,
modify skcipher descriptors to set the FINAL bit for chacha20.

[Note that for skcipher decryption we know that ctx1_iv_off is 0,
which allows for an optimization by not checking algorithm type,
since append_dec_op1() sets FINAL bit for all algorithms except AES.]

Also drop the descriptor operations that save the IV.
However, in order to keep code logic simple, things like
S/G tables generation etc. are not touched.

Cc: <[email protected]> # v5.3+
Fixes: 334d37c9e263 ("crypto: caam - update IV using HW support")
Signed-off-by: Horia Geantă <[email protected]>
---
drivers/crypto/caam/caamalg_desc.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)

diff --git a/drivers/crypto/caam/caamalg_desc.c b/drivers/crypto/caam/caamalg_desc.c
index aa9ccca67045..6171a8118b5a 100644
--- a/drivers/crypto/caam/caamalg_desc.c
+++ b/drivers/crypto/caam/caamalg_desc.c
@@ -1379,6 +1379,9 @@ void cnstr_shdsc_skcipher_encap(u32 * const desc, struct alginfo *cdata,
const u32 ctx1_iv_off)
{
u32 *key_jump_cmd;
+ u32 options = cdata->algtype | OP_ALG_AS_INIT | OP_ALG_ENCRYPT;
+ bool is_chacha20 = ((cdata->algtype & OP_ALG_ALGSEL_MASK) ==
+ OP_ALG_ALGSEL_CHACHA20);

init_sh_desc(desc, HDR_SHARE_SERIAL | HDR_SAVECTX);
/* Skip if already shared */
@@ -1417,14 +1420,15 @@ void cnstr_shdsc_skcipher_encap(u32 * const desc, struct alginfo *cdata,
LDST_OFFSET_SHIFT));

/* Load operation */
- append_operation(desc, cdata->algtype | OP_ALG_AS_INIT |
- OP_ALG_ENCRYPT);
+ if (is_chacha20)
+ options |= OP_ALG_AS_FINALIZE;
+ append_operation(desc, options);

/* Perform operation */
skcipher_append_src_dst(desc);

/* Store IV */
- if (ivsize)
+ if (!is_chacha20 && ivsize)
append_seq_store(desc, ivsize, LDST_SRCDST_BYTE_CONTEXT |
LDST_CLASS_1_CCB | (ctx1_iv_off <<
LDST_OFFSET_SHIFT));
@@ -1451,6 +1455,8 @@ void cnstr_shdsc_skcipher_decap(u32 * const desc, struct alginfo *cdata,
const u32 ctx1_iv_off)
{
u32 *key_jump_cmd;
+ bool is_chacha20 = ((cdata->algtype & OP_ALG_ALGSEL_MASK) ==
+ OP_ALG_ALGSEL_CHACHA20);

init_sh_desc(desc, HDR_SHARE_SERIAL | HDR_SAVECTX);
/* Skip if already shared */
@@ -1499,7 +1505,7 @@ void cnstr_shdsc_skcipher_decap(u32 * const desc, struct alginfo *cdata,
skcipher_append_src_dst(desc);

/* Store IV */
- if (ivsize)
+ if (!is_chacha20 && ivsize)
append_seq_store(desc, ivsize, LDST_SRCDST_BYTE_CONTEXT |
LDST_CLASS_1_CCB | (ctx1_iv_off <<
LDST_OFFSET_SHIFT));
--
2.17.1


Subject: RE: [PATCH v2] crypto: caam/qi2 - fix chacha20 data size error

> -----Original Message-----
> From: Horia Geantă <[email protected]>
> Sent: Friday, February 28, 2020 08:51
> To: Herbert Xu <[email protected]>
> Cc: David S. Miller <[email protected]>; Aymen Sghaier
> <[email protected]>; Valentin Ciocoi Radulescu
> <[email protected]>; [email protected]; dl-linux-imx
> <[email protected]>
> Subject: [PATCH v2] crypto: caam/qi2 - fix chacha20 data size error
>
> HW generates a Data Size error for chacha20 requests that are not
> a multiple of 64B, since algorithm state (AS) does not have
> the FINAL bit set.
>
> Since updating req->iv (for chaining) is not required,
> modify skcipher descriptors to set the FINAL bit for chacha20.
>
> [Note that for skcipher decryption we know that ctx1_iv_off is 0,
> which allows for an optimization by not checking algorithm type,
> since append_dec_op1() sets FINAL bit for all algorithms except AES.]
>
> Also drop the descriptor operations that save the IV.
> However, in order to keep code logic simple, things like
> S/G tables generation etc. are not touched.
>
> Cc: <[email protected]> # v5.3+
> Fixes: 334d37c9e263 ("crypto: caam - update IV using HW support")
> Signed-off-by: Horia Geantă <[email protected]>

Tested-by: Valentin Ciocoi Radulescu <[email protected]>

Tested on LX2160ARDB board with cryptodev-2.6 tree:
root@TinyLinux:~# cat /proc/crypto | grep chacha20-caam -A 5
driver : chacha20-caam-qi2
module : kernel
priority : 2000
refcnt : 1
selftest : passed
internal : no

2020-03-06 01:52:04

by Herbert Xu

[permalink] [raw]
Subject: Re: [PATCH v2] crypto: caam/qi2 - fix chacha20 data size error

On Fri, Feb 28, 2020 at 08:51:23AM +0200, Horia Geantă wrote:
> HW generates a Data Size error for chacha20 requests that are not
> a multiple of 64B, since algorithm state (AS) does not have
> the FINAL bit set.
>
> Since updating req->iv (for chaining) is not required,
> modify skcipher descriptors to set the FINAL bit for chacha20.
>
> [Note that for skcipher decryption we know that ctx1_iv_off is 0,
> which allows for an optimization by not checking algorithm type,
> since append_dec_op1() sets FINAL bit for all algorithms except AES.]
>
> Also drop the descriptor operations that save the IV.
> However, in order to keep code logic simple, things like
> S/G tables generation etc. are not touched.
>
> Cc: <[email protected]> # v5.3+
> Fixes: 334d37c9e263 ("crypto: caam - update IV using HW support")
> Signed-off-by: Horia Geantă <[email protected]>
> ---
> drivers/crypto/caam/caamalg_desc.c | 14 ++++++++++----
> 1 file changed, 10 insertions(+), 4 deletions(-)

Patch applied. Thanks.
--
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt