All of lore.kernel.org
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Saravanakrishnan Krishnamoorthy" <skrishnamoorthy@rambus.com>
Cc: conor+dt@kernel.org, robh@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v2 13/19] crypto: cmh - add ECDSA/SM2 sig
Date: Thu, 09 Jul 2026 21:04:18 +0000	[thread overview]
Message-ID: <20260709210419.E11241F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260709203037.1884436-14-skrishnamoorthy@rambus.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] `cmh_ecdsa_set_priv_key` incorrectly rejects valid P-521 private keys due to a strict length check.
- [High] A malicious user can provide an oversized ECDSA signature to trigger a WARN_ON_ONCE, potentially causing a kernel panic on systems with panic_on_warn enabled.
- [Medium] Unnecessary copying and DMA mapping of the private key on the fast path during `cmh_ecdsa_sign()`.
--

--- Patch [13]: [PATCH v2 13/19] crypto: cmh - add ECDSA/SM2 sig ---
commit 6d12540edcf70f967d4d40c53ce926233bb16875
Author: Alex Ousherovitch <aousherovitch@rambus.com>

crypto: cmh - add ECDSA/SM2 sig

This commit registers ECDSA and SM2 signature algorithms using the CMH PKE
core. It supports P-256, P-384, P-521, and SM2 curves for signing and
verification. SM2 is registered as verify-only via the crypto API.

> diff --git a/drivers/crypto/cmh/cmh_pke_ecdsa.c b/drivers/crypto/cmh/cmh_pke_ecdsa.c
> new file mode 100644
> index 0000000000000..6b65f7fb72cc9
> --- /dev/null
> +++ b/drivers/crypto/cmh/cmh_pke_ecdsa.c

[ ... ]

> +static void ecdsa_vli_to_be(const u64 *vli, unsigned int ndigits,
> +			    u8 *out, unsigned int out_len)
> +{

[ ... ]

> +	} else {
> +		/* VLI wider than out -- skip leading (zero) bytes */
> +		u8 tmp[ECC_MAX_BYTES];
> +
> +		for (i = 0; i < ndigits; i++)
> +			put_unaligned_be64(vli[ndigits - 1 - i],
> +					   &tmp[i * sizeof(u64)]);
> +		skip = full_len - out_len;
> +		WARN_ON_ONCE(memchr_inv(tmp, 0, skip));

[Severity: High]
Can an unprivileged user trigger this WARN_ON_ONCE by providing an
oversized signature (e.g., via keyctl or AF_ALG)?

If the user passes an r or s array padded with non-zero upper bytes during
signature verification, could this cause a kernel panic on systems with
panic_on_warn enabled?

Would it be safer to return -EINVAL here instead of warning?

> +		memcpy(out, tmp + skip, out_len);
> +	}
> +}

[ ... ]

> +static int cmh_ecdsa_sign(struct crypto_sig *tfm,
> +			  const void *src, unsigned int slen,
> +			  void *dst, unsigned int dlen)
> +{

[ ... ]

> +	dig_buf = kzalloc(clen, GFP_KERNEL);
> +	sig_buf = kzalloc(sig_raw_len, GFP_KERNEL);
> +	sk_buf = kmemdup(ctx->key.raw.data, ctx->key.raw.len, GFP_KERNEL);
> +	if (!dig_buf || !sig_buf || !sk_buf) {
> +		ret = -ENOMEM;
> +		goto out_free;
> +	}
> +
> +	/*
> +	 * Truncate or zero-pad digest to clen bytes, right-aligned.
> +	 * Matches ECDSA bits2int: use leftmost min(slen, clen) bytes,
> +	 * zero-pad on the left when slen < clen.
> +	 */
> +	memcpy(dig_buf + (clen - copy_len), src, copy_len);
> +
> +	dig_dma = cmh_dma_map_single(dig_buf, clen, DMA_TO_DEVICE);
> +	sig_dma = cmh_dma_map_single(sig_buf, sig_raw_len, DMA_FROM_DEVICE);
> +	sk_dma = cmh_dma_map_single(sk_buf, ctx->key.raw.len, DMA_TO_DEVICE);

[Severity: Medium]
Is it necessary to allocate and DMA map the private key on the fast path
during cmh_ecdsa_sign()?

Since cmh_key_setkey_raw() already pre-maps the key into ctx->key.raw.dma
for the lifetime of the transform, does duplicating this mapping here
cause unnecessary performance overhead, or unnecessarily expose the private
key material in a transient heap buffer?

> +
> +	if (cmh_dma_map_error(dig_dma) || cmh_dma_map_error(sig_dma) ||
> +	    cmh_dma_map_error(sk_dma)) {
> +		ret = -ENOMEM;

[ ... ]

> +static int cmh_ecdsa_set_priv_key(struct crypto_sig *tfm,
> +				  const void *key, unsigned int keylen)
> +{
> +	struct cmh_ecdsa_tfm_ctx *ctx = cmh_ecdsa_ctx(tfm);
> +
> +	if (keylen != ctx->clen)
> +		return -EINVAL;

[Severity: High]
Does this strict length equality check prevent P-521 signing?

The kernel crypto API passes exactly 66 bytes (ceil(521/8)) for P-521
coordinates, but ctx->clen for P-521 is 68. Would it be better to accept
lengths <= clen and left-pad them with zeroes, similar to how
cmh_ecdsa_set_pub_key() handles it?

> +
> +	return cmh_key_setkey_raw(&ctx->key, key, keylen, CORE_ID_PKE);
> +}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260709203037.1884436-1-skrishnamoorthy@rambus.com?part=13

  reply	other threads:[~2026-07-09 21:04 UTC|newest]

Thread overview: 68+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-09 20:30 [PATCH v2 00/19] crypto: cmh - add CRI CryptoManager Hub driver Saravanakrishnan Krishnamoorthy
2026-07-09 20:30 ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:30 ` [PATCH v2 01/19] dt-bindings: crypto: add Rambus CryptoManager Hub Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:38   ` sashiko-bot
2026-07-10  8:58   ` Conor Dooley
2026-07-10  8:58     ` Conor Dooley
2026-07-10 23:14     ` Ousherovitch, Alex
2026-07-10 23:14       ` Ousherovitch, Alex
2026-07-12 13:15       ` Conor Dooley
2026-07-12 13:15         ` Conor Dooley
2026-07-13 23:17         ` Ousherovitch, Alex
2026-07-13 23:17           ` Ousherovitch, Alex
2026-07-09 20:30 ` [PATCH v2 02/19] crypto: cmh - add core platform driver Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:49   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 03/19] crypto: cmh - add key provisioning and management Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:49   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 04/19] crypto: cmh - add SHA-2/SHA-3/SHAKE ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:45   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 05/19] crypto: cmh - add HMAC ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:42   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 06/19] crypto: cmh - add CSHAKE/KMAC ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:47   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 07/19] crypto: cmh - add SM3 ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:47   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 08/19] crypto: cmh - add AES skcipher/aead/cmac Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:47   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 09/19] crypto: cmh - add SM4 skcipher/aead/cmac/xcbc Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:49   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 10/19] crypto: cmh - add ChaCha20-Poly1305 Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:46   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 11/19] crypto: cmh - add DRBG hwrng Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:54   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 12/19] crypto: cmh - add RSA akcipher Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:57   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 13/19] crypto: cmh - add ECDSA/SM2 sig Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 21:04   ` sashiko-bot [this message]
2026-07-09 20:30 ` [PATCH v2 14/19] crypto: cmh - add ECDH/X25519 kpp Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 21:08   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 15/19] crypto: cmh - add ML-KEM/ML-DSA (QSE) Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 21:03   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 16/19] crypto: cmh - add SLH-DSA/LMS/XMSS (HCQ) Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 21:02   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 17/19] Documentation: ioctl: add CMH ioctl documentation and register 'J' Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:54   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 18/19] selftests: crypto: cmh - add kselftest for management ioctl Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-09 20:54   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 19/19] MAINTAINERS: add Rambus CryptoManager Hub (CMH) Saravanakrishnan Krishnamoorthy
2026-07-09 20:30   ` Saravanakrishnan Krishnamoorthy
2026-07-10  1:04   ` Randy Dunlap
2026-07-10  1:04     ` Randy Dunlap

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260709210419.E11241F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=skrishnamoorthy@rambus.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.