From: Dennis Chen <dennis.chen@arm.com>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: <Libo.Wang@arm.com>, Herbert Xu <herbert@gondor.apana.org.au>,
"David S. Miller" <davem@davemloft.net>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
<Ofir.Drang@arm.com>, <nd@arm.com>
Subject: Re: [PATCH] crypto: Fix next IV issue for CTS template
Date: Fri, 17 Feb 2017 17:17:27 +0800 [thread overview]
Message-ID: <20170217091724.GA28198@arm.com> (raw)
In-Reply-To: <CAKv+Gu8s6PrAv9ZMGa_TsRn2UYKoo8KhqERU0NZPjfBhMDK88Q@mail.gmail.com>
Hello Ard,
Morning!
On Fri, Feb 17, 2017 at 07:12:46AM +0000, Ard Biesheuvel wrote:
> Hello Libo,
>
> On 17 February 2017 at 03:47, <Libo.Wang@arm.com> wrote:
> > From: Libo Wang <Libo Wang@arm.com>
> >
> > CTS template assumes underlying CBC algorithm will carry out next IV for
> > further process.But some implementations of CBC algorithm in kernel break
> > this assumption, for example, some hardware crypto drivers ignore next IV
> > for performance consider, inthis case, tcry cts(cbc(aes)) test case will
> > fail. This patch is trying to fix it by getting next IV information ready
> > before last two blocks processed.
> >
> > Signed-off-by: Libo Wang <libo.wang@arm.com>
> > Signed-off-by: Dennis Chen <dennis.chen@arm.com>
>
> Which algorithms in particular break this assumption? I recently fixed
> some ARM accelerated software drivers for this reason. If there are
> others, we should fix those rather than try to fix it in the CTS
> driver.
>
There're some ARM HW accelerated drivers which are not upstream yet(IP license)
breaks this assumption. The current CTS template requires the underlying CBC
algorithm always fill the next IV, but in some cases like CBC standalone mode,
it doesn't need to fill the next IV, so apparently it will induce performance
degrade from the point of drivers, that's why we fix it in the CTS template,except
that it will also mitigate the potential defect of other HW-based CBC drivers.
>
> > ---
> > crypto/cts.c | 29 +++++++++++++++++++++++++----
> > 1 file changed, 25 insertions(+), 4 deletions(-)
> >
> > diff --git a/crypto/cts.c b/crypto/cts.c
> > index a1335d6..712164b 100644
> > --- a/crypto/cts.c
> > +++ b/crypto/cts.c
> > @@ -154,6 +154,7 @@ static int crypto_cts_encrypt(struct skcipher_request *req)
> > unsigned int nbytes = req->cryptlen;
> > int cbc_blocks = (nbytes + bsize - 1) / bsize - 1;
> > unsigned int offset;
> > + int ret = 0;
> >
> > skcipher_request_set_tfm(subreq, ctx->child);
> >
> > @@ -174,8 +175,17 @@ static int crypto_cts_encrypt(struct skcipher_request *req)
> > skcipher_request_set_crypt(subreq, req->src, req->dst,
> > offset, req->iv);
> >
> > - return crypto_skcipher_encrypt(subreq) ?:
> > - cts_cbc_encrypt(req);
> > + /* process CBC blocks */
> > + ret = crypto_skcipher_encrypt(subreq);
> > + /* process last two blocks */
> > + if (!ret) {
>
> What happens if an async driver returns -EINPROGRESS here?
For this case, the CTS will return -EINPROGRESS directly.
Thanks,
Dennis
>
> > + /* Get IVn-1 back */
> > + scatterwalk_map_and_copy(req->iv, req->dst, (offset - bsize), bsize, 0);
> > + /* Continue last two blocks */
> > + return cts_cbc_encrypt(req);
> > + }
> > +
> > + return ret;
> > }
> >
> > static int cts_cbc_decrypt(struct skcipher_request *req)
> > @@ -248,6 +258,8 @@ static int crypto_cts_decrypt(struct skcipher_request *req)
> > int cbc_blocks = (nbytes + bsize - 1) / bsize - 1;
> > unsigned int offset;
> > u8 *space;
> > + int ret = 0;
> > + u8 iv_next[bsize];
> >
> > skcipher_request_set_tfm(subreq, ctx->child);
> >
> > @@ -277,8 +289,17 @@ static int crypto_cts_decrypt(struct skcipher_request *req)
> > skcipher_request_set_crypt(subreq, req->src, req->dst,
> > offset, req->iv);
> >
> > - return crypto_skcipher_decrypt(subreq) ?:
> > - cts_cbc_decrypt(req);
> > + /* process last two blocks */
> > + scatterwalk_map_and_copy(iv_next, req->src, (offset - bsize), bsize, 0);
> > + ret = crypto_skcipher_decrypt(subreq);
> > + if (!ret) {
> > + /* Set Next IV */
> > + subreq->iv = iv_next;
> > + /* process last two blocks */
> > + return cts_cbc_decrypt(req);
> > + }
> > +
> > + return ret;
> > }
> >
> > static int crypto_cts_init_tfm(struct crypto_skcipher *tfm)
> > --
> > 1.8.3.1
> >
next prev parent reply other threads:[~2017-02-17 9:17 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-17 3:47 [PATCH] crypto: Fix next IV issue for CTS template Libo.Wang
2017-02-17 7:12 ` Ard Biesheuvel
2017-02-17 9:17 ` Dennis Chen [this message]
2017-02-17 9:23 ` Ard Biesheuvel
2017-02-17 10:06 ` Dennis Chen
2017-02-17 10:42 ` Ard Biesheuvel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170217091724.GA28198@arm.com \
--to=dennis.chen@arm.com \
--cc=Libo.Wang@arm.com \
--cc=Ofir.Drang@arm.com \
--cc=ard.biesheuvel@linaro.org \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=nd@arm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox