From: Harald Freudenberger <freude@linux.ibm.com>
To: Thomas Huth <thuth@redhat.com>
Cc: hca@linux.ibm.com, gor@linux.ibm.com, agordeev@linux.ibm.com,
linux-s390@vger.kernel.org, dengler@linux.ibm.com
Subject: Re: [PATCH v5 2/2] s390/crypto: Rework protected key AES for true asynch support
Date: Tue, 27 May 2025 09:31:41 +0200 [thread overview]
Message-ID: <9939f4a9dcabae4c739b73b3f9e6cdb1@linux.ibm.com> (raw)
In-Reply-To: <f958f869-8da3-48d9-a118-f3cf9a9ea75c@redhat.com>
On 2025-05-26 17:25, Thomas Huth wrote:
> On 14/05/2025 11.09, Harald Freudenberger wrote:
>> This is a complete rework of the protected key AES (PAES)
>> implementation.
>> The goal of this rework is to implement the 4 modes (ecb, cbc, ctr,
>> xts)
>> in a real asynchronous fashion:
>> - init(), exit() and setkey() are synchronous and don't allocate any
>> memory.
>> - the encrypt/decrypt functions first try to do the job in a
>> synchronous
>> manner. If this fails, for example the protected key got invalid
>> caused
>> by a guest suspend/resume or guest migration action, the
>> encrypt/decrypt
>> is transferred to an instance of the crypto engine (see below) for
>> asynchronous processing.
>> These postponed requests are then handled by the crypto engine by
>> invoking the do_one_request() callback but may of course again run
>> into
>> a still not converted key or the key is getting invalid. If the key
>> is
>> still not converted, the first thread does the conversion and
>> updates
>> the key status in the transformation context. The conversion is
>> invoked via pkey API with a new flag PKEY_XFLAG_NOMEMALLOC.
>> Note that once there is an active requests enqueued to get async
>> processed via crypto engine, further requests also need to go via
>> crypto engine to keep the request sequence.
>>
>> This patch together with the pkey/zcrypt/AP extensions to support
>> the new PKEY_XFLAG_NOMEMMALOC should toughen the paes crypto
>> algorithms
>> to truly meet the requirements for in-kernel skcipher implementations
>> and the usage patterns for the dm-crypt and dm-integrity layers.
>>
>> Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
>> Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
>> Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
>> ---
>> arch/s390/crypto/paes_s390.c | 1812
>> ++++++++++++++++++++++++----------
>> 1 file changed, 1270 insertions(+), 542 deletions(-)
>
> Hi Harald,
>
> I'm currently facing these errors when building linux-next:
>
> ERROR: modpost: "crypto_engine_stop" [arch/s390/crypto/paes_s390.ko]
> undefined!
> ERROR: modpost: "crypto_engine_exit" [arch/s390/crypto/paes_s390.ko]
> undefined!
> ERROR: modpost: "crypto_engine_unregister_skcipher"
> [arch/s390/crypto/paes_s390.ko] undefined!
> ERROR: modpost: "crypto_engine_alloc_init_and_set"
> [arch/s390/crypto/paes_s390.ko] undefined!
> ERROR: modpost: "crypto_engine_start" [arch/s390/crypto/paes_s390.ko]
> undefined!
> ERROR: modpost: "crypto_engine_register_skcipher"
> [arch/s390/crypto/paes_s390.ko] undefined!
> ERROR: modpost: "crypto_finalize_skcipher_request"
> [arch/s390/crypto/paes_s390.ko] undefined!
> ERROR: modpost: "crypto_transfer_skcipher_request_to_engine"
> [arch/s390/crypto/paes_s390.ko] undefined!
>
> I think the Kconfig is missing a "select CRYPTO_ENGINE" somewhere?
>
> Thomas
Well, with the rework the paes_s390 module has a dependency to the
crypto engine which is the kernel module "crypto_engine". There is
a kernel config CONFIG_CRYPTO_ENGINE but this is not defined in our
defconfig and debug_defconfig. However, when I build a defconfig
kernel I automatically get CONFIG_CRYPTO_ENGINE=m in my .config.
However, I'll check if there is a
SELECT CRYPTO_ENGINE
needed in the paes entry in drivers/crypto/Kconfig
Thanks for this hint
next prev parent reply other threads:[~2025-05-27 7:31 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-14 9:09 [PATCH v5 0/2] Rework protected key AES for true asynch support Harald Freudenberger
2025-05-14 9:09 ` [PATCH v5 1/2] s390/cpacf: Rework cpacf_pcc() to return condition code Harald Freudenberger
2025-05-14 9:09 ` [PATCH v5 2/2] s390/crypto: Rework protected key AES for true asynch support Harald Freudenberger
2025-05-26 15:25 ` Thomas Huth
2025-05-27 7:31 ` Harald Freudenberger [this message]
2025-05-27 8:21 ` Thomas Huth
2025-05-14 10:39 ` [PATCH v5 0/2] " Heiko Carstens
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9939f4a9dcabae4c739b73b3f9e6cdb1@linux.ibm.com \
--to=freude@linux.ibm.com \
--cc=agordeev@linux.ibm.com \
--cc=dengler@linux.ibm.com \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=linux-s390@vger.kernel.org \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.