From: Tadeusz Struk <tadeusz.struk@intel.com>
To: Stephan Mueller <smueller@chronox.de>,
aidan.o.mahony@intel.com, gabriele.paoloni@intel.com,
adrian.hoban@intel.com
Cc: linux-crypto@vger.kernel.org, herbert@gondor.apana.org.au,
'LKML' <linux-kernel@vger.kernel.org>
Subject: Re: Intel GCM: __driver-gcm-aes-aesni setkey missing
Date: Sat, 17 Jan 2015 17:37:06 -0800 [thread overview]
Message-ID: <54BB0E42.9070209@intel.com> (raw)
In-Reply-To: <1976848.LqsUs5V3zD@tachyon.chronox.de>
Hi Stephan,
On 01/17/2015 10:23 AM, Stephan Mueller wrote:
> during testing of my algif_aead patch with the different GCM implementations I
> am able to trigger a kernel crash from user space using __driver-gcm-aes-
> aesni.
>
> As I hope that algif_aead is going to be included, unprivileged userspace
> would then reliably crash the kernel -- with the current kernel code,
> userspace has no interface to trigger the issue.
Yes, that's a problem.
>
> As I am not sure what the purpose of __driver-gcm-aes-aesni is (only a backend
> for RFC4106 GCM or a regular cipher), I did not yet create a patch. IMHO there
> are two solutions:
>
> - either create a valid setkey callback so that a key is set
>
> - or create a noop setkey that returns -EOPNOTSUPP which effectively disables
> that cipher for regular consumption.
__driver-gcm-aes-aesni is only a helper for rfc4106-gcm-aesni and it
never supposed to be used on it's own. I think implementing a setkey
function that only returns an error would be a good solution for this.
Another question is what if someone will ignore the error or skip the
setsockopt(ALG_SET_KEY) altogether and still call the sendmsg() and
read() to trigger encrypt()?
> Note, if it is only a backend for the RFC4106 implementation, may I ask why
> __driver-gcm-aes-aesni is implemented as a separate cipher that is registered
> with the kernel crypto API?
This is because we need to have one instance of the helper tfm with its
context per each of the rfc4106-gcm-aesni tfm instance and that was one
convenient way to do this.
Tadeusz
next prev parent reply other threads:[~2015-01-18 1:40 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-17 18:23 Intel GCM: __driver-gcm-aes-aesni setkey missing Stephan Mueller
2015-01-18 1:37 ` Tadeusz Struk [this message]
2015-01-18 18:15 ` Stephan Mueller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=54BB0E42.9070209@intel.com \
--to=tadeusz.struk@intel.com \
--cc=adrian.hoban@intel.com \
--cc=aidan.o.mahony@intel.com \
--cc=gabriele.paoloni@intel.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=smueller@chronox.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.