All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Saravanakrishnan Krishnamoorthy" <skrishnamoorthy@rambus.com>
Cc: robh@kernel.org, devicetree@vger.kernel.org, conor+dt@kernel.org
Subject: Re: [PATCH v2 15/19] crypto: cmh - add ML-KEM/ML-DSA (QSE)
Date: Thu, 09 Jul 2026 21:03:20 +0000	[thread overview]
Message-ID: <20260709210320.A31E61F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260709203037.1884436-16-skrishnamoorthy@rambus.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Missing software fallback for oversized ML-DSA messages and incorrect rejection of 0-length messages.
- [Medium] Redundant DMA mappings and DMA API ownership violation for key buffers.
--

--- Patch [15]: [PATCH v2 15/19] crypto: cmh - add ML-KEM/ML-DSA (QSE) ---
commit c3b137e6f523e1962d3380a121a8e0166757ffb3
Author: Alex Ousherovitch <aousherovitch@rambus.com>

crypto: cmh - add ML-KEM/ML-DSA (QSE)

This patch registers ML-KEM and ML-DSA algorithms using the CMH QSE core.
It provides ML-DSA as a signature algorithm at priority 5001, overriding
the kernel's software implementation. It includes key generation, signing,
and verification capabilities.

> diff --git a/drivers/crypto/cmh/cmh_pqc_mldsa.c b/drivers/crypto/cmh/cmh_pqc_mldsa.c
> new file mode 100644
> index 0000000000000..cbe63c34a1c80
> --- /dev/null
> +++ b/drivers/crypto/cmh/cmh_pqc_mldsa.c
[ ... ]
> +static int cmh_mldsa_sign(struct crypto_sig *tfm,
> +			  const void *src, unsigned int slen,
> +			  void *dst, unsigned int dlen)
> +{
[ ... ]
> +	if (ctx->key.mode != CMH_KEY_RAW)
> +		return -EINVAL;
> +	if (dlen < sig_size)
> +		return -EINVAL;
> +	if (!slen || slen > ML_DSA_MAX_MLEN)
> +		return -EINVAL;

[Severity: High]
Does returning -EINVAL here permanently fail valid operations?

FIPS 204 allows 0-length messages, so rejecting slen == 0 might break valid
requests. Additionally, since this driver registers at priority 5001 and
overrides the generic software implementation (priority 5000), returning an
error for messages over ML_DSA_MAX_MLEN (10KB) means the crypto API won't
transparently fall back.

Should the driver internally allocate a fallback software tfm to handle
oversized messages, and properly support 0-length messages?

> +
> +	m_buf = kmemdup(src, slen, GFP_KERNEL);
> +	sig_buf = kzalloc(sig_size, GFP_KERNEL);
> +	if (!m_buf || !sig_buf) {
> +		ret = -ENOMEM;
> +		goto out_free;
> +	}
> +
> +	if (ctx->key.raw.len != sk_size) {
> +		ret = -EINVAL;
> +		goto out_free;
> +	}
> +
> +	sk_buf = kmemdup(ctx->key.raw.data, ctx->key.raw.len, GFP_KERNEL);

[Severity: Medium]
Does this redundantly copy and map the secret key?

The key in ctx->key.raw.data was already mapped as ctx->key.raw.dma in
cmh_key_setkey_raw() for the lifetime of the key. Also, since that buffer
is mapped to the device (DMA_TO_DEVICE), does reading from it here with
kmemdup() violate DMA API ownership rules?

Can this code just pass ctx->key.raw.dma directly to the VCQ command to
avoid the extra allocation and copy on the hot path?

> +	if (!sk_buf) {
> +		ret = -ENOMEM;
> +		goto out_free;
> +	}
[ ... ]
> +static int cmh_mldsa_verify(struct crypto_sig *tfm,
> +			    const void *src, unsigned int slen,
> +			    const void *digest, unsigned int dlen)
> +{
[ ... ]
> +	if (!ctx->pub_key)
> +		return -EINVAL;
> +	if (slen != sig_size)
> +		return -EINVAL;
> +	if (!dlen || dlen > ML_DSA_MAX_MLEN)
> +		return -EINVAL;

[Severity: High]
Similar to the signing path, does this incorrectly reject valid 0-length
messages and oversized messages?

Since the driver overrides the software fallback, it likely needs to handle
dlen == 0 and delegate messages larger than ML_DSA_MAX_MLEN to a software
fallback to maintain API contracts.

> +
> +	sig_buf = kmemdup(src, slen, GFP_KERNEL);
> +	m_buf = kmemdup(digest, dlen, GFP_KERNEL);
> +	pk_buf = kmemdup(ctx->pub_key, pk_size, GFP_KERNEL);

[Severity: Medium]
Does this redundantly allocate and map the public key on every verification?

Instead of copying it here, could the public key be mapped once in
cmh_mldsa_set_pub_key() and reused, avoiding this extra copy overhead
on every verify operation?

> +	if (!sig_buf || !m_buf || !pk_buf) {
> +		ret = -ENOMEM;
> +		goto out_free;
> +	}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260709203037.1884436-1-skrishnamoorthy@rambus.com?part=15

  reply	other threads:[~2026-07-09 21:03 UTC|newest]

Thread overview: 68+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-09 20:30 [PATCH v2 00/19] crypto: cmh - add CRI CryptoManager Hub driver Saravanakrishnan Krishnamoorthy
2026-07-09 20:30 ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:30 ` [PATCH v2 01/19] dt-bindings: crypto: add Rambus CryptoManager Hub Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:38   ` sashiko-bot
2026-07-10  8:58   ` Conor Dooley
2026-07-10  8:58     ` Conor Dooley
2026-07-10 23:14     ` Ousherovitch, Alex
2026-07-10 23:14       ` Ousherovitch, Alex
2026-07-12 13:15       ` Conor Dooley
2026-07-12 13:15         ` Conor Dooley
2026-07-13 23:17         ` Ousherovitch, Alex
2026-07-13 23:17           ` Ousherovitch, Alex
2026-07-09 20:30 ` [PATCH v2 02/19] crypto: cmh - add core platform driver Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:49   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 03/19] crypto: cmh - add key provisioning and management Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:49   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 04/19] crypto: cmh - add SHA-2/SHA-3/SHAKE ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:45   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 05/19] crypto: cmh - add HMAC ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:42   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 06/19] crypto: cmh - add CSHAKE/KMAC ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:47   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 07/19] crypto: cmh - add SM3 ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:47   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 08/19] crypto: cmh - add AES skcipher/aead/cmac Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:47   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 09/19] crypto: cmh - add SM4 skcipher/aead/cmac/xcbc Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:49   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 10/19] crypto: cmh - add ChaCha20-Poly1305 Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:46   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 11/19] crypto: cmh - add DRBG hwrng Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:54   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 12/19] crypto: cmh - add RSA akcipher Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:57   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 13/19] crypto: cmh - add ECDSA/SM2 sig Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 21:04   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 14/19] crypto: cmh - add ECDH/X25519 kpp Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 21:08   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 15/19] crypto: cmh - add ML-KEM/ML-DSA (QSE) Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 21:03   ` sashiko-bot [this message]
2026-07-09 20:30 ` [PATCH v2 16/19] crypto: cmh - add SLH-DSA/LMS/XMSS (HCQ) Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 21:02   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 17/19] Documentation: ioctl: add CMH ioctl documentation and register 'J' Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:54   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 18/19] selftests: crypto: cmh - add kselftest for management ioctl Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:54   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 19/19] MAINTAINERS: add Rambus CryptoManager Hub (CMH) Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-10  1:04   ` Randy Dunlap
2026-07-10  1:04     ` Randy Dunlap

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260709210320.A31E61F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=skrishnamoorthy@rambus.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.