From: Ahmad Fatoum <ahmad@kernel.org>
To: Vitor Soares <ivitro@gmail.com>, Ahmad Fatoum <ahmad@kernel.org>,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
imx@lists.linux.dev
Cc: horia.geanta@nxp.com, pankaj.gupta@nxp.com, gaurav.jain@nxp.com,
herbert@gondor.apana.org.au, john.ernberg@actia.se,
meenakshi.aggarwal@nxp.com
Subject: Re: CAAM RSA breaks cfg80211 certificate verification on iMX8QXP
Date: Fri, 28 Nov 2025 11:36:24 +0100
Message-ID: <51e2de7a-5913-4c53-9637-6d60f875e3d8@kernel.org>
In-Reply-To: <82e78d56c7df6e1f93de29f9b3a70f7c132603c4.camel@gmail.com>

Hi Vitor,

On 11/26/25 7:35 PM, Vitor Soares wrote:
> On Wed, 2025-11-26 at 13:59 +0100, Ahmad Fatoum wrote:
>> Is the CAAM cache-coherent on your SoC? If so does the DT specify dma-coherent
>> as it should? On i.MX8M, it's not cache-coherent, but on Layerscape it was and
>> the mismatch with the DT leads to symptoms matching what you are observing.
>>
>
> Thanks for the suggestion. I tested with dma-coherent added to the CAAM and job
> ring nodes but the issue persists.
> I traced through the DMA path in caampkc.c and confirmed:
>
> - dma_map_sg() is called in rsa_edesc_alloc() with DMA_FROM_DEVICE
> - dma_unmap_sg() is called in rsa_io_unmap() from rsa_pub_done() before
> completion
> - CAAM returns status err=0x00000000 (success)
> - dst_nents=1
>
> Yet the output buffer remains untouched (still contains my 0xAA poison pattern).
> The kernel DMA handling appears correct. CAAM accepts the job and reports
> success, but never writes the RSA result. Given that CAAM reports success but
> does not populate the RSA output buffer, the problem appears to be somewhere in
> the RSA execution flow (possibly in how the result buffer is handled or
> returned), but I don't have enough insight into CAAM's RSA implementation.

Ok.. That was the only thing off the top of my head right now.

>> Off-topic remark: If you have performance comparison between running with and
>> without CAAM RSA acceleration, I'd be interested to hear about them.
>> At least for the hashing algorithms, using the Cortex-A53 (+ CE) CPU was a lot
>> faster than bothering with the CAAM "acceleration".
>>
>
> I haven't done a kernel-level CAAM vs software RSA comparison, but OpenSSL with
> ARM Crypto Extensions shows ~3100 verify ops/sec and ~80 sign ops/sec for RSA
> 2048 on the Cortex-A35.

I see, thanks.

Cheers,
Ahmad

>
> Regards,
> Vítor
>
>
>
>
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |