Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp6199704ybl;
        Mon, 23 Dec 2019 01:46:40 -0800 (PST)
X-Google-Smtp-Source: APXvYqyXfmoM3WU/ksYkFYiEwXmJdXh9XCcYIz2fuRiARfcfdY5++Ca/hrn7cNcwfv8uLpVpievc
X-Received: by 2002:a05:6830:1bda:: with SMTP id v26mr30722353ota.314.1577094400621;
        Mon, 23 Dec 2019 01:46:40 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1577094400; cv=none;
        d=google.com; s=arc-20160816;
        b=L+gbo685tKgBpUxSzmbDbRWqblMIcEXF0tuH6faBrl5rWB5VSr450VcFfypappF1bV
         0qs3jpVxXechqysJxAlRDwv13cTOHORGB2YYMZuvI6SkPx52bviEqi8OxcRTFFGWBmmZ
         oKv7SBqvNtc1VCjbNmBzp9hDeYiRvHH9CSjGpZbXnAIb7cPWvCwcfy+eWnw6Qt4QV/+y
         HXN5TzB21mL5345PJv1Qa980e3nlmsw5kI3wbnABZ8xpZhWicuxzKElKSCz8uuRWbQNP
         9c/RV2vDHBALjRNNjlyz6yc/aFLpu6ILwok16GMJ+Rf/S0wRBxhSfC3hzvkVYtsji3ep
         zgyA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=qHF9LlKxt3BnaA8wu8Ms+iGu1dYYnhu93cFgkjFC7J4=;
        b=aZy7aIEgE6Vrymwwj4iiDHsN7IPfmLFmFTgEdC7FByUJcmXSnBKBzqTsPv6vuPbfVN
         ZYzKHIJpTD8iTQulXXSGWAzgxRrdry7vE4XOlQ+XOzAG5CXCsGYT54nuPP4bViVBxMYM
         Zu2Bz0TK0mjxZ7LI9qX7nDQClbOKLDyE48QRslPvkGmDT5dhN8CgYSXDWCCaT7BiWkBp
         67EYFSlgzoY2fVfT2c7t1GLtn4DEwObVX4WA8kEvWMslbqBT+Opq2q//NRECpJb9fHTS
         2jWmwXlHGY1K1lPWlw2vXvPx7sVVoDlOTaG7GIUjh7tnTVGQM03f77tQDR64Eo+joJHY
         Rn7g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=IN5ucdOB;
       spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 44si9285915otu.77.2019.12.23.01.46.19;
        Mon, 23 Dec 2019 01:46:40 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=IN5ucdOB;
       spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726633AbfLWJqS (ORCPT <rfc822;vinayvnsup@gmail.com>
        + 99 others); Mon, 23 Dec 2019 04:46:18 -0500
Received: from mail-wm1-f66.google.com ([209.85.128.66]:34936 "EHLO
        mail-wm1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726632AbfLWJqS (ORCPT
        <rfc822;linux-crypto@vger.kernel.org>);
        Mon, 23 Dec 2019 04:46:18 -0500
Received: by mail-wm1-f66.google.com with SMTP id p17so15601119wmb.0
        for <linux-crypto@vger.kernel.org>; Mon, 23 Dec 2019 01:46:16 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=qHF9LlKxt3BnaA8wu8Ms+iGu1dYYnhu93cFgkjFC7J4=;
        b=IN5ucdOBkV23Iz0OUuaTWPxHHrwbmjSS9fvV9matG+xxjpcB84I5t2EvcCo9q1W+Cs
         qPcMaSJMvDqp8hNCk2VZvFJ+oz1uGHASn6B9kAkuLKaWnzkrBsnz8ktjy26YkQ/JbpBW
         a02vy9T7NxJ/eN2HpXA6A4AjSb/0FY0SpzU53SfQeEAxE/ROnIJLo7Z0oblP0Osz5c+B
         xEgN+holnPI+2vgJyWX2uYGCstRUQaioccCogxXnhD8UDapOJ8iqY7m5hNoxTNHa/sik
         O/mkLMWN30XjwOUQj4UBmfSap1ro5RzHirVe2Kvrg4bwdxAbnYIHpQY/QmT0COPuFdsn
         OHOg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=qHF9LlKxt3BnaA8wu8Ms+iGu1dYYnhu93cFgkjFC7J4=;
        b=YqCfRTz1RkBSSjVJC9SVtk9MB8AFMIYuMHdCKP7AWRpIBMwpVDeDn59LWYq7USW8qk
         DkRAEKTUpdjAqh8KLKG6UyTyNEnNbVwJcUmw8ooR9yJuc9gVFj25EUetxWLpwwbmMiOt
         WRAi+Y6Q2MqF0d8Sj7ULgn/ySAmwjHEItmqapoWagiJTuxmUThUfrUJa3pMAKC2Ctwty
         HasYV+lxQj/zDEek3x0567FKmPA2Ewsgm0IfA2ixeHL2mPSWhxhKBYbriUy4HmLrSa93
         V0hP3OKB1xPdTvUmGL5XBCYTHFs88g5HHN+X0HhUsFg5C17gid4sN5GHUgjBt+Ykxeq7
         5h3A==
X-Gm-Message-State: APjAAAUa1Y5bvkllm0yuqHWlYmYHhbHgq7JGP1wn/geIh4WYmwniH8s7
        xq1JijQ1qWv0gZqnm3Fs8EOxy5p6EZOp0+f9jiL/aqZ/xVOA8g==
X-Received: by 2002:a1c:7205:: with SMTP id n5mr31288683wmc.9.1577094375839;
 Mon, 23 Dec 2019 01:46:15 -0800 (PST)
MIME-Version: 1.0
References: <20191220190218.28884-1-cotequeiroz@gmail.com>
In-Reply-To: <20191220190218.28884-1-cotequeiroz@gmail.com>
From:   Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date:   Mon, 23 Dec 2019 10:46:13 +0100
Message-ID: <CAKv+Gu9ZXCK41xOavw+2KEhhsZq9BFH6mxXKPNomzB6q+DP_FQ@mail.gmail.com>
Subject: Re: Subject: [PATCH 0/6] crypto: QCE hw-crypto fixes
To:     Eneas U de Queiroz <cotequeiroz@gmail.com>
Cc:     Herbert Xu <herbert@gondor.apana.org.au>,
        "David S. Miller" <davem@davemloft.net>,
        "open list:HARDWARE RANDOM NUMBER GENERATOR CORE" 
        <linux-crypto@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

On Fri, 20 Dec 2019 at 20:02, Eneas U de Queiroz <cotequeiroz@gmail.com> wrote:
>
> I've been trying to make the Qualcomm Crypto Engine work with GCM-mode
> AES.  I fixed some bugs, and added an option to build only hashes or
> skciphers, as the VPN performance increases if you leave some of that to
> the CPU.
>
> A discussion about this can be found here:
> https://github.com/openwrt/openwrt/pull/2518
>
> I'm using openwrt to test this, and there's no support for kernel 5.x
> yet.  So I have backported the recent skcipher updates, and tested this
> with 4.19. I don't have the hardware with me, but I have run-tested
> everything, working remotely.
>
> All of the skciphers directly implemented by the driver work.  They pass
> the tcrypt tests, and also some tests from userspace using AF_ALG:
> https://github.com/cotequeiroz/afalg_tests
>
> However, I can't get gcm(aes) to work.  When setting the gcm-mode key,
> it sets the ctr(aes) key, then encrypt a block of zeroes, and uses that
> as the ghash key.  The driver fails to perform that encryption.  I've
> dumped the input and output data, and they apparently are not touched by
> the QCE.  The IV, which written to a buffer appended to the results sg
> list gets updated, but the results themselves are not.  I'm not sure
> what goes wrong, if it is a DMA/cache problem, memory alignment, or
> whatever.
>

This does sound like a DMA problem. I assume the accelerator is not
cache coherent?

In any case, it is dubious whether the round trip to the accelerator
is worth it when encrypting the GHASH key. Just call aes_encrypt()
instead, and do it in software.

> If I take 'be128 hash' out of the 'data' struct, and kzalloc them
> separately in crypto_gcm_setkey (crypto/gcm.c), it encrypts the data
> just fine--perhaps the payload and the request struct can't be in the
> same page?
>

Non-cache coherent DMA involves cache invalidation on inbound data. So
if both the device and the CPU write to the same cacheline while the
buffer is mapped for DMA from device to memory, one of the updates
gets lost.


> However, it still fails during decryption of the very first tcrypt test
> vector (I'm testing with the AF_ALG program, using the same vectors as
> the kernel), in the final encryption to compute the authentication tag,
> in the same fashion as it did in 'crypto_gcm_setkey'.  What this case
> has in common with the ghash key above is the input data, a single block
> of zeroes, so this may be a hardware bug.  However, if I perform the
> same encryption using the AF_ALG test, it completes OK.
>
> I am not experienced enough with the Linux Kernel, or with the ARM
> architecture to wrap this up on my own, so I need some pointers to what
> to try next.
>
> To come up a working setup, I am passing any AES requests whose length
> is less than or equal to one AES block to the fallback skcipher.  This
> hack is not a part of this series, but I can send it if there's any
> interest in it.
>
> Anyway, the patches in this series are complete enough on their own.
> With the exception of the last patch, they're all bugfixes.
>
> Cheers,
>
> Eneas
>
> Eneas U de Queiroz (6):
>   crypto: qce - fix ctr-aes-qce block, chunk sizes
>   crypto: qce - fix xts-aes-qce key sizes
>   crypto: qce - save a sg table slot for result buf
>   crypto: qce - update the skcipher IV
>   crypto: qce - initialize fallback only for AES
>   crypto: qce - allow building only hashes/ciphers
>
>  drivers/crypto/Kconfig        |  63 ++++++++-
>  drivers/crypto/qce/Makefile   |   7 +-
>  drivers/crypto/qce/common.c   | 244 ++++++++++++++++++----------------
>  drivers/crypto/qce/core.c     |   4 +
>  drivers/crypto/qce/dma.c      |   6 +-
>  drivers/crypto/qce/dma.h      |   3 +-
>  drivers/crypto/qce/skcipher.c |  41 ++++--
>  7 files changed, 229 insertions(+), 139 deletions(-)
>