From: Harald Freudenberger <freude@linux.ibm.com>
To: herbert@gondor.apana.org.au
Cc: linux-crypto@vger.kernel.org, linux-s390@vger.kernel.org,
hca@linux.ibm.com, gor@linux.ibm.com, agordeev@linux.ibm.com
Subject: [PATCH v2 0/4] Paes and Phmac: Refuse clear key material by default
Date: Thu, 15 Jan 2026 13:00:22 +0100
Message-ID: <20260115120026.4286-1-freude@linux.ibm.com>

The motivation of these patches is to disable clear key usage
of the protected key implementations paes and phmac by default.

With a new kernel module parameter "clrkey" this behavior can be
controlled. By default clrkey is 'N', but for testing purposes on module
load a true value (1, 'Y') may be given to accept clear key tokens.

Note that during selftest clear keys are always used, and thus as long
as the algorithm is in larval state, indicated by
crypto_skcipher_tested(), clear keys need to be accepted. However, in
this state there is no way to establish an instance of the tfm other
than for selftest reasons.

Changelog:
v0: Initial version. Request for internal feedback and review.
    Please note I assume that patch #1 goes via s390, whereas
    patch #2, #3 and #4 may go via Herbert Xu's Linux Kernel Crypto.
v1: Sequence changed and feedback from Ingo, Holger and Heiko
    integrated.
v2: Integrated the feedback from Holger and Ingo. First version
    going out to the linux kernel crypto mailing list.

Harald Freudenberger (4):
  crypto: skcipher - Add new helper function crypto_skcipher_tested
  s390/pkey: Support new xflag PKEY_XFLAG_NOCLEARKEY
  crypto: s390/phmac - Refuse clear key material by default
  crypto: s390/paes - Refuse clear key material by default

 arch/s390/crypto/paes_s390.c       | 93 ++++++++++++++++++------------
 arch/s390/crypto/phmac_s390.c      | 29 +++++++---
 arch/s390/include/asm/pkey.h       |  8 ++-
 drivers/s390/crypto/pkey_cca.c     |  5 ++
 drivers/s390/crypto/pkey_ep11.c    |  5 ++
 drivers/s390/crypto/pkey_pckmo.c   | 12 +++-
 include/crypto/internal/skcipher.h |  7 +++
 7 files changed, 110 insertions(+), 49 deletions(-)

base-commit: 9448598b22c50c8a5bb77a9103e2d49f134c9578
--
2.43.0
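
The acceptance rule described in the cover letter above, as a user-space C model added here for illustration; it is not code from the patch series. Only clrkey, crypto_skcipher_tested() and PKEY_XFLAG_NOCLEARKEY come from the message; the flag value, the token kinds, the -EINVAL return and all function names are assumptions.

```c
/* User-space model of the clear key policy; not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Flag name is from the series; the numeric value is constructed. */
#define PKEY_XFLAG_NOCLEARKEY 0x01u

enum tok_kind { TOK_CLEAR_KEY, TOK_PROTECTED_KEY }; /* hypothetical token kinds */

struct alg_state {
	bool tested; /* stands in for what crypto_skcipher_tested() reports */
};

static bool clrkey; /* models the module parameter; default 'N' */

/* Hypothetical: choose the xflags the cipher hands down on setkey. */
static unsigned int setkey_xflags(const struct alg_state *alg)
{
	/* Larval (untested) algorithm: the selftest needs clear keys. */
	if (!alg->tested || clrkey)
		return 0;
	return PKEY_XFLAG_NOCLEARKEY;
}

/* Hypothetical key conversion step that honours the flag. */
static int convert_key(enum tok_kind kind, unsigned int xflags)
{
	if (kind == TOK_CLEAR_KEY && (xflags & PKEY_XFLAG_NOCLEARKEY))
		return -EINVAL; /* assumed error code */
	return 0;
}

/* setkey as a caller sees it: 0 on success, negative errno on refusal. */
static int model_setkey(const struct alg_state *alg, enum tok_kind kind)
{
	return convert_key(kind, setkey_xflags(alg));
}

int main(void)
{
	struct alg_state larval = { .tested = false }, live = { .tested = true };

	printf("selftest, clear key:       %d\n", model_setkey(&larval, TOK_CLEAR_KEY));
	printf("live, clear key, clrkey=N: %d\n", model_setkey(&live, TOK_CLEAR_KEY));
	clrkey = true;
	printf("live, clear key, clrkey=Y: %d\n", model_setkey(&live, TOK_CLEAR_KEY));
	return 0;
}
```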