Received: by 2002:a25:ab43:0:0:0:0:0 with SMTP id u61csp769945ybi; Thu, 30 May 2019 06:31:18 -0700 (PDT) X-Google-Smtp-Source: APXvYqxDyqjpqwyEhzg3zGHGiKdNvS3HjaOMST8F4Ot1eq20z6bu/ZFttDXIsFvNOUhPS8DThJCy X-Received: by 2002:a63:fc5b:: with SMTP id r27mr3794601pgk.219.1559223078206; Thu, 30 May 2019 06:31:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1559223078; cv=none; d=google.com; s=arc-20160816; b=TLr07Blqzc828AqR12di4x6FFu48XiawEcwcw2CF/DQHyhMeCTehJyYDY0Fp+Pf+BH 2a+6xEw9oDu9ymyvNkfOg6YPbbzTe2qm+I85CxC03gNfBqhAak89A1kTGOgQWK6JeEuq LHFvJ/0g9+ur0/qkZ01K3ClPD7eO/WGYUh8UJ5gp/BEbnDxVCIUJAPs/NLwBgurOKJGi U0HLb6A9u6TlTnYpqAMFXpZyC+yAtl7rc3KPMt9WieUdW9qi3iLWQ17ADXqy2PYvkYOg mlIDwPRA8SzABIbo5yoaKGw8zNgABTnq1vjhjM6BAFHjC013jc6hPH31s6WjlL9Ns4YC U45Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :content-language:accept-language:references:message-id:date :thread-index:thread-topic:subject:cc:to:from:dkim-signature; bh=6+Q9LdKVyud2zOKYVwhv4HC8UOhhStGkt8AiQWexonM=; b=Nl4pq7rTQDA6R3SbRyygcU6LR3omB9yAEk8dwHSxbZm6UNFynzlV6OJZNNAqqhnoY/ /Sd97dRxsDw4dwz0DmPKWlE6fmYafKyqCHFjnCZySyc8pmYaIMkR0iwRQk9tt1y+uilI 6XTOH7u9G/ZOQ3rkp6DZa1YUwn4XQVLkTUgxHQGpZkv/gam2ebhTE00nDeVFV5Rke9NI 9DdMVWvkzFBfOvkzfSgGTemTITvUT/oil2F9v3Qi6/ZRmQvkIFkXpKM7ZPzOhBx0hYTv 1+GEOJ1qOQfNlVfMu+AqSDulhg4dYdIf51E0u9w91Iktuunz+QfGJVnJddR0yfQwso9c Is2Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@nxp.com header.s=selector2 header.b=fYORt5X7; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=nxp.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f11si3115541pgs.335.2019.05.30.06.31.01; Thu, 30 May 2019 06:31:18 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@nxp.com header.s=selector2 header.b=fYORt5X7; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=nxp.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727042AbfE3N3t (ORCPT + 99 others); Thu, 30 May 2019 09:29:49 -0400 Received: from mail-eopbgr70041.outbound.protection.outlook.com ([40.107.7.41]:23170 "EHLO EUR04-HE1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726825AbfE3N3s (ORCPT ); Thu, 30 May 2019 09:29:48 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nxp.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6+Q9LdKVyud2zOKYVwhv4HC8UOhhStGkt8AiQWexonM=; b=fYORt5X7qRD5M/E4C2ORqxF0q7xJe1N8cWrpBolI3AO9O8nF+luzx35Xib3jaWU6v+YmjolNfo3ND3lYbbyN1WBnANPPKc36DY0Slwx5tKz4NvAYAMwwNxgzzMLFKiERzdvzUvPvc12nX+02oQwzv19Exu1ems9bhmpYg7aq+aQ= Received: from VI1PR04MB4445.eurprd04.prod.outlook.com (20.177.55.161) by VI1PR04MB4815.eurprd04.prod.outlook.com (20.177.48.224) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1922.18; Thu, 30 May 2019 13:29:41 +0000 Received: from VI1PR04MB4445.eurprd04.prod.outlook.com ([fe80::39fd:f3c3:46fc:f872]) by VI1PR04MB4445.eurprd04.prod.outlook.com ([fe80::39fd:f3c3:46fc:f872%7]) with mapi id 15.20.1922.021; Thu, 30 May 2019 13:29:41 +0000 From: Iuliana Prodan To: Ard Biesheuvel , Eric Biggers CC: Herbert Xu , "David S. Miller" , Horia Geanta , Sascha Hauer , "open list:HARDWARE RANDOM NUMBER GENERATOR CORE" , Linux Kernel Mailing List , dl-linux-imx Subject: Re: [PATCH] crypto: gcm - fix cacheline sharing Thread-Topic: [PATCH] crypto: gcm - fix cacheline sharing Thread-Index: AQHVFkF/PjPULMOhfkiEXDJZ6fiBzQ== Date: Thu, 30 May 2019 13:29:41 +0000 Message-ID: References: <1559149856-7938-1-git-send-email-iuliana.prodan@nxp.com> <20190529202728.GA35103@gmail.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: authentication-results: spf=none (sender IP is ) smtp.mailfrom=iuliana.prodan@nxp.com; x-originating-ip: [212.146.100.6] x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: b1320404-74f1-498a-d8a4-08d6e502df39 x-ms-office365-filtering-ht: Tenant x-microsoft-antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(4618075)(2017052603328)(7193020);SRVR:VI1PR04MB4815; x-ms-traffictypediagnostic: VI1PR04MB4815: x-ms-exchange-purlcount: 1 x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:10000; x-forefront-prvs: 00531FAC2C x-forefront-antispam-report: SFV:NSPM;SFS:(10009020)(39860400002)(376002)(136003)(396003)(346002)(366004)(189003)(199004)(44832011)(7696005)(81166006)(99286004)(6306002)(2906002)(76176011)(33656002)(6506007)(66946007)(486006)(6246003)(76116006)(25786009)(66446008)(110136005)(7736002)(4326008)(476003)(305945005)(66476007)(8676002)(64756008)(53546011)(73956011)(81156014)(66556008)(446003)(54906003)(229853002)(45080400002)(74316002)(8936002)(6436002)(966005)(5660300002)(14454004)(71190400001)(86362001)(26005)(9686003)(256004)(66066001)(14444005)(102836004)(6116002)(52536014)(186003)(53936002)(71200400001)(55016002)(68736007)(478600001)(3846002)(316002);DIR:OUT;SFP:1101;SCL:1;SRVR:VI1PR04MB4815;H:VI1PR04MB4445.eurprd04.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1; received-spf: None (protection.outlook.com: nxp.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam-message-info: nDS9QpVa+AAMrpPvAC3o+dgyHdjZJ6EUpdSzU1rkgxXe/Ybnsf8UfDdHGMH7aQ+pbASDCvQmJVIjBiitT7Xi5EYUODykroGPq7ft4qVss9P2jpDA42o94H7e3Yds4vlXXbuQ7HwqNqKieGij/XdSZXM8PxI++c2eF5jKWA1k27q5i/ndbKG/BIDaMOkkA86nQw7qqw0T1SnvzAzDgt6d6NJuG0TGbAPKVXjI8CEdEsw7XydmAVOn2NO8UoBgC5X0xLsZhPBCDUZL2fMTja1uuddXwUiHo5rqcn+AvB0WFsfwhVddgo8xLkakMl0LOoN+XGZ5ToQQtbJHl2vU1ngNBXBeO3uAM+2k8mxyqNUmd+mDXoA92PVDJrbybuX+FaqtiEuVLaQVssxTjo/3bHKX9A2SsZ6Jq25KzZ9yUuYceII= Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: nxp.com X-MS-Exchange-CrossTenant-Network-Message-Id: b1320404-74f1-498a-d8a4-08d6e502df39 X-MS-Exchange-CrossTenant-originalarrivaltime: 30 May 2019 13:29:41.6339 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: 686ea1d3-bc2b-4c6f-a92c-d99c5c301635 X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: iuliana.prodan@nxp.com X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR04MB4815 Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org On 5/30/2019 1:16 AM, Ard Biesheuvel wrote:=0A= > On Wed, 29 May 2019 at 22:27, Eric Biggers wrote:= =0A= >>=0A= >> On Wed, May 29, 2019 at 08:10:56PM +0300, Iuliana Prodan wrote:=0A= >>> The generic GCM driver should ensure that whatever it passes into=0A= >>> scatterlists is safe for non-cache coherent DMA.=0A= >>> The issue was seen while running GCM on CAAM driver. But, since CAAM=0A= >>> does not support GHASH on i.MX6, only CTR skcipher part of the GCM is= =0A= >>> offloaded.=0A= >>> The skcipher request received by CAAM has req->src pointing to=0A= >>> auth_tag[16] and req->iv pointing to iv[16]. Problem is that when=0A= >>> the iv is updated (crypto API requires skcipher implementations to=0A= >>> update the IV with the last ciphertext block) is written in iv[16],=0A= >>> which is on the same cacheline as auth_tag[16] that was previously=0A= >>> DMA mapped.=0A= >>> Solution is to use a pointer, aligned to cache line, instead of auth_ta= g=0A= >>> buffer, for encryption/decryption and then free it on completion.=0A= >>>=0A= >>> Link: https://eur01.safelinks.protection.outlook.com/?url=3Dhttps%3A%2F= %2Flore.kernel.org%2Flinux-crypto%2F20190208114459.5nixe76xmmkhur75%40gondo= r.apana.org.au%2F&data=3D02%7C01%7Ciuliana.prodan%40nxp.com%7C8426e8db8= 5774c4e829308d6e4834cf6%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C636947= 649914200400&sdata=3DFq%2F83lofKoEnz7HnzY1jjU1jUi0b2QmVZPfZrzWXtrk%3D&a= mp;reserved=3D0=0A= >>> Cc: # v4.19+=0A= >>> Fixes: adcbc688fe2f ("crypto: gcm - Convert to new AEAD interface")=0A= >>> Suggested-by: Ard Biesheuvel =0A= >>> Signed-off-by: Iuliana Prodan =0A= >>>=0A= > ...=0A= >> So what about the other places that also pass an IV located next to the = data,=0A= >> like crypto/ccm.c and crypto/adiantum.c? If we're actually going to mak= e this a=0A= >> new API requirement, then we need to add a debugging option that makes t= he API=0A= >> detect this violation so that the other places can be fixed too.=0A= >>=0A= >> Also, doing a kmalloc() per requset is inefficient and very error-prone.= In=0A= >> fact there are at least 3 bugs here: (1) not checking the return value, = (2)=0A= >> incorrectly using GFP_KERNEL when it may be atomic context, and (3) not = always=0A= >> freeing the memory. Why not use cacheline-aligned memory within the req= uest=0A= >> context, so that a separate kmalloc() isn't needed?=0A= >>=0A= >> Also, did you consider whether there's any way to make the crypto API ha= ndle=0A= >> this automatically, so that all the individual users don't have to?=0A= >>=0A= > =0A= > Reading back that old thread, it appears that the core issue is that=0A= > the IV is copied when the scatterlist is already mapped for DMA. This=0A= > means the cacheline covering the IV and the auth tag is dirty while=0A= > the non-coherent DMA transaction takes place, and given that we clean=0A= > rather than invalidate the start and end of DMA mappings if they are=0A= > not aligned to the cache writeback granule size, whatever sits in the=0A= > cacheline overwrites whatever the device wrote in there.=0A= > =0A= > Iuliana, did you try pulling the IV copy forward? I.e.,=0A= =0A= I've tried coping the IV before the extended descriptor allocation, but =0A= is not working and to make it work will need to make more changes in =0A= CAAM. We need the original iv, and if we move it before =0A= skcipher_edesc_alloc we lose it.=0A= The fix exclusively in CAAM drv, to copy iv before DMA map, is more complex= .=0A= =0A= > =0A= > diff --git a/drivers/crypto/caam/caamalg.c b/drivers/crypto/caam/caamalg.= c=0A= > index c0ece44f303b..11e91c0c9a96 100644=0A= > --- a/drivers/crypto/caam/caamalg.c=0A= > +++ b/drivers/crypto/caam/caamalg.c=0A= > @@ -1835,11 +1835,6 @@ static int skcipher_decrypt(struct skcipher_reques= t *req)=0A= > u32 *desc;=0A= > int ret =3D 0;=0A= > =0A= > - /* allocate extended descriptor */=0A= > - edesc =3D skcipher_edesc_alloc(req, DESC_JOB_IO_LEN * CAAM_CMD_SZ= );=0A= > - if (IS_ERR(edesc))=0A= > - return PTR_ERR(edesc);=0A= > -=0A= > /*=0A= > * The crypto API expects us to set the IV (req->iv) to the last= =0A= > * ciphertext block.=0A= > @@ -1848,6 +1843,11 @@ static int skcipher_decrypt(struct skcipher_reques= t *req)=0A= > scatterwalk_map_and_copy(req->iv, req->src, req->cryptle= n -=0A= > ivsize, ivsize, 0);=0A= > =0A= > + /* allocate extended descriptor */=0A= > + edesc =3D skcipher_edesc_alloc(req, DESC_JOB_IO_LEN * CAAM_CMD_SZ= );=0A= > + if (IS_ERR(edesc))=0A= > + return PTR_ERR(edesc);=0A= > +=0A= > /* Create and submit job descriptor*/=0A= > init_skcipher_job(req, edesc, false);=0A= > desc =3D edesc->hw_desc;=0A= > =0A= > This should ensure that the cacheline is cleaned when the DMA mapping=0A= > is created.=0A= > =0A= =0A= Thanks,=0A= Iulia=0A=