From: Eric Biggers <ebiggers@kernel.org>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Pascal Van Leeuwen <pvanleeuwen@insidesecure.com>,
Zhang Zhijie <zhangzj@rock-chips.com>,
Heiko Stuebner <heiko@sntech.de>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Zain Wang <wzz@rock-chips.com>, Arnd Bergmann <arnd@arndb.de>,
"linux-rockchip@lists.infradead.org"
<linux-rockchip@lists.infradead.org>,
"open list:HARDWARE RANDOM NUMBER GENERATOR CORE"
<linux-crypto@vger.kernel.org>, Olof Johansson <olof@lixom.net>,
"ezequiel@collabora.com" <ezequiel@collabora.com>,
linux-arm-kernel <linux-arm-kernel@lists.infradead.org>,
Tao Huang <huangtao@rock-chips.com>
Subject: Re: [Bug] Rockchip crypto driver sometimes produces wrong ciphertext
Date: Thu, 4 Apr 2019 10:12:05 -0700 [thread overview]
Message-ID: <20190404171204.GA121392@gmail.com> (raw)
In-Reply-To: <AM5PR0901MB115570ABE89DC1285AE07E60D2500@AM5PR0901MB1155.eurprd09.prod.outlook.com>
On Thu, Apr 04, 2019 at 01:41:50PM +0000, Pascal Van Leeuwen wrote:
> > The issue is that the self-tests now verify that CBC implementations update the
> > IV buffer to contain the next IV, aka the last ciphertext block. But the Rockchip
> > crypto driver doesn't do that, so it needs to be fixed.
> >
> > This has always been a requirement for CBC implementations so that users can
> > chain CBC requests. Unfortunately it was just never tested for...
> >
> This did not immediately trigger me when it came flying past a couple of weeks
> ago, but I ran into the same issue today with the inside_secure driver I'm playing
> with: it does NOT return correct IV outputs for CBC modes.
>
> However ... I'd like to question that very requirement ... if I may :-)
>
> My reasoning is that this IV output *is* available as the last block of either the
> output (for encrypt) or input (for decrypt) datastream. So requiring it to be
> updated in the IV buffer as well seems redundant to me. It burdens the driver
> with an extra data copy operation, while in the majority of practicle use cases
> you would not even *need* this output IV. (chaining IV's would not work on
> a hardware accelerator anyway, because you would need to serialize the
> datastream, meaning you run at the speed of the round-trip latency instead
> of the throughput, which is typically one to two orders of a magnitude slower)
>
> And in the odd case you do need it, you can just grab it from the data buffer
> yourself.
>
> Pascal van Leeuwen
> Silicon IP Architect, Multi-Protocol Engines
>
Herbert, can you explain what users actually rely on the next IV being returned?
I don't know all the historical context behind this.
- Eric
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Tao Huang <huangtao@rock-chips.com>,
Zain Wang <wzz@rock-chips.com>, Heiko Stuebner <heiko@sntech.de>,
Arnd Bergmann <arnd@arndb.de>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Pascal Van Leeuwen <pvanleeuwen@insidesecure.com>,
Zhang Zhijie <zhangzj@rock-chips.com>,
"linux-rockchip@lists.infradead.org"
<linux-rockchip@lists.infradead.org>,
"open list:HARDWARE RANDOM NUMBER GENERATOR CORE"
<linux-crypto@vger.kernel.org>, Olof Johansson <olof@lixom.net>,
"ezequiel@collabora.com" <ezequiel@collabora.com>,
linux-arm-kernel <linux-arm-kernel@lists.infradead.org>
Subject: Re: [Bug] Rockchip crypto driver sometimes produces wrong ciphertext
Date: Thu, 4 Apr 2019 10:12:05 -0700 [thread overview]
Message-ID: <20190404171204.GA121392@gmail.com> (raw)
In-Reply-To: <AM5PR0901MB115570ABE89DC1285AE07E60D2500@AM5PR0901MB1155.eurprd09.prod.outlook.com>
On Thu, Apr 04, 2019 at 01:41:50PM +0000, Pascal Van Leeuwen wrote:
> > The issue is that the self-tests now verify that CBC implementations update the
> > IV buffer to contain the next IV, aka the last ciphertext block. But the Rockchip
> > crypto driver doesn't do that, so it needs to be fixed.
> >
> > This has always been a requirement for CBC implementations so that users can
> > chain CBC requests. Unfortunately it was just never tested for...
> >
> This did not immediately trigger me when it came flying past a couple of weeks
> ago, but I ran into the same issue today with the inside_secure driver I'm playing
> with: it does NOT return correct IV outputs for CBC modes.
>
> However ... I'd like to question that very requirement ... if I may :-)
>
> My reasoning is that this IV output *is* available as the last block of either the
> output (for encrypt) or input (for decrypt) datastream. So requiring it to be
> updated in the IV buffer as well seems redundant to me. It burdens the driver
> with an extra data copy operation, while in the majority of practicle use cases
> you would not even *need* this output IV. (chaining IV's would not work on
> a hardware accelerator anyway, because you would need to serialize the
> datastream, meaning you run at the speed of the round-trip latency instead
> of the throughput, which is typically one to two orders of a magnitude slower)
>
> And in the odd case you do need it, you can just grab it from the data buffer
> yourself.
>
> Pascal van Leeuwen
> Silicon IP Architect, Multi-Protocol Engines
>
Herbert, can you explain what users actually rely on the next IV being returned?
I don't know all the historical context behind this.
- Eric
WARNING: multiple messages have this Message-ID (diff)
From: Eric Biggers <ebiggers@kernel.org>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Tao Huang <huangtao@rock-chips.com>,
Zain Wang <wzz@rock-chips.com>, Heiko Stuebner <heiko@sntech.de>,
Arnd Bergmann <arnd@arndb.de>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Pascal Van Leeuwen <pvanleeuwen@insidesecure.com>,
Zhang Zhijie <zhangzj@rock-chips.com>,
"linux-rockchip@lists.infradead.org"
<linux-rockchip@lists.infradead.org>,
"open list:HARDWARE RANDOM NUMBER GENERATOR CORE"
<linux-crypto@vger.kernel.org>, Olof Johansson <olof@lixom.net>,
"ezequiel@collabora.com" <ezequiel@collabora.com>,
linux-arm-kernel <linux-arm-kernel@lists.infradead.org>
Subject: Re: [Bug] Rockchip crypto driver sometimes produces wrong ciphertext
Date: Thu, 4 Apr 2019 10:12:05 -0700 [thread overview]
Message-ID: <20190404171204.GA121392@gmail.com> (raw)
In-Reply-To: <AM5PR0901MB115570ABE89DC1285AE07E60D2500@AM5PR0901MB1155.eurprd09.prod.outlook.com>
On Thu, Apr 04, 2019 at 01:41:50PM +0000, Pascal Van Leeuwen wrote:
> > The issue is that the self-tests now verify that CBC implementations update the
> > IV buffer to contain the next IV, aka the last ciphertext block. But the Rockchip
> > crypto driver doesn't do that, so it needs to be fixed.
> >
> > This has always been a requirement for CBC implementations so that users can
> > chain CBC requests. Unfortunately it was just never tested for...
> >
> This did not immediately trigger me when it came flying past a couple of weeks
> ago, but I ran into the same issue today with the inside_secure driver I'm playing
> with: it does NOT return correct IV outputs for CBC modes.
>
> However ... I'd like to question that very requirement ... if I may :-)
>
> My reasoning is that this IV output *is* available as the last block of either the
> output (for encrypt) or input (for decrypt) datastream. So requiring it to be
> updated in the IV buffer as well seems redundant to me. It burdens the driver
> with an extra data copy operation, while in the majority of practicle use cases
> you would not even *need* this output IV. (chaining IV's would not work on
> a hardware accelerator anyway, because you would need to serialize the
> datastream, meaning you run at the speed of the round-trip latency instead
> of the throughput, which is typically one to two orders of a magnitude slower)
>
> And in the odd case you do need it, you can just grab it from the data buffer
> yourself.
>
> Pascal van Leeuwen
> Silicon IP Architect, Multi-Protocol Engines
>
Herbert, can you explain what users actually rely on the next IV being returned?
I don't know all the historical context behind this.
- Eric
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2019-04-04 17:12 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-26 21:05 [Bug] Rockchip crypto driver sometimes produces wrong ciphertext Eric Biggers
2019-01-26 21:05 ` Eric Biggers
2019-01-27 8:54 ` Ard Biesheuvel
2019-01-27 8:54 ` Ard Biesheuvel
2019-01-27 8:54 ` Ard Biesheuvel
2019-01-27 10:29 ` Heiko Stuebner
2019-01-27 10:29 ` Heiko Stuebner
2019-01-27 10:29 ` Heiko Stuebner
2019-01-28 3:14 ` Tao Huang
2019-01-28 3:14 ` Tao Huang
2019-01-28 3:14 ` Tao Huang
2019-03-15 3:31 ` Eric Biggers
2019-03-15 3:31 ` Eric Biggers
2019-03-15 3:31 ` Eric Biggers
2019-03-16 22:31 ` Ezequiel Garcia
2019-03-16 22:31 ` Ezequiel Garcia
2019-03-16 22:31 ` Ezequiel Garcia
2019-03-18 15:03 ` Gael PORTAY
2019-03-18 15:03 ` Gael PORTAY
2019-03-18 15:03 ` Gael PORTAY
2019-03-21 17:04 ` Gael PORTAY
2019-03-21 17:04 ` Gael PORTAY
2019-03-25 6:31 ` Zhang Zhijie
2019-03-25 6:31 ` Zhang Zhijie
2019-04-04 13:41 ` Pascal Van Leeuwen
2019-04-04 13:41 ` Pascal Van Leeuwen
2019-04-04 13:41 ` Pascal Van Leeuwen
2019-04-04 17:12 ` Eric Biggers [this message]
2019-04-04 17:12 ` Eric Biggers
2019-04-04 17:12 ` Eric Biggers
2019-04-07 12:42 ` Herbert Xu
2019-04-07 12:42 ` Herbert Xu
2019-04-07 12:42 ` Herbert Xu
2019-04-07 19:12 ` Pascal Van Leeuwen
2019-04-07 19:12 ` Pascal Van Leeuwen
2019-04-07 19:12 ` Pascal Van Leeuwen
2019-04-08 5:58 ` Herbert Xu
2019-04-08 5:58 ` Herbert Xu
2019-04-08 5:58 ` Herbert Xu
2019-04-08 8:59 ` Pascal Van Leeuwen
2019-04-08 8:59 ` Pascal Van Leeuwen
2019-04-08 8:59 ` Pascal Van Leeuwen
2019-04-08 9:06 ` Herbert Xu
2019-04-08 9:06 ` Herbert Xu
2019-04-08 9:06 ` Herbert Xu
2019-04-09 15:53 ` Pascal Van Leeuwen
2019-04-09 15:53 ` Pascal Van Leeuwen
2019-04-09 15:53 ` Pascal Van Leeuwen
2019-04-08 18:09 ` Eric Biggers
2019-04-08 18:09 ` Eric Biggers
2019-04-08 18:09 ` Eric Biggers
2019-04-09 16:43 ` Pascal Van Leeuwen
2019-04-09 16:43 ` Pascal Van Leeuwen
2019-04-09 16:43 ` Pascal Van Leeuwen
2019-04-08 18:27 ` Eric Biggers
2019-04-08 18:27 ` Eric Biggers
2019-04-08 18:27 ` Eric Biggers
2019-04-08 21:17 ` Ard Biesheuvel
2019-04-08 21:17 ` Ard Biesheuvel
2019-04-08 21:17 ` Ard Biesheuvel
2019-04-09 16:58 ` Pascal Van Leeuwen
2019-04-09 16:58 ` Pascal Van Leeuwen
2019-04-09 16:58 ` Pascal Van Leeuwen
2019-03-21 10:46 ` [Bug] STM32 crc driver failed on selftest 1 Lionel DEBIEVE
2019-03-21 13:41 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190404171204.GA121392@gmail.com \
--to=ebiggers@kernel.org \
--cc=ard.biesheuvel@linaro.org \
--cc=arnd@arndb.de \
--cc=ezequiel@collabora.com \
--cc=heiko@sntech.de \
--cc=herbert@gondor.apana.org.au \
--cc=huangtao@rock-chips.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-rockchip@lists.infradead.org \
--cc=olof@lixom.net \
--cc=pvanleeuwen@insidesecure.com \
--cc=wzz@rock-chips.com \
--cc=zhangzj@rock-chips.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.