From: sashiko-bot@kernel.org
To: "Saravanakrishnan Krishnamoorthy" <skrishnamoorthy@rambus.com>
Cc: conor+dt@kernel.org, robh@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v2 11/19] crypto: cmh - add DRBG hwrng
Date: Thu, 09 Jul 2026 20:54:39 +0000 [thread overview]
Message-ID: <20260709205439.4E1B81F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260709203037.1884436-12-skrishnamoorthy@rambus.com>
Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
- [High] The `hwrng_quality` module parameter defaults to 0, which is documented as disabling CRNG seeding, but unintentionally grants full trust to the DRBG due to core framework fallback.
- [High] Lockless TOCTOU race on the g_cmh_dev singleton pointer allows concurrent probes to corrupt global device state.
- [Medium] Generated DRBG entropy is left uncleared in freed heap memory on the success and synchronous error paths.
- [Medium] Returning -EAGAIN on blocking reads violates POSIX semantics.
--
--- Patch [11]: [PATCH v2 11/19] crypto: cmh - add DRBG hwrng ---
commit 2408e2e670d0040cbc567d97d33eb49067cbda6f
Author: Alex Ousherovitch <aousherovitch@rambus.com>
crypto: cmh - add DRBG hwrng
Register the CMH DRBG core (core ID 0x0f) as an hwrng provider.
The hardware implements a NIST SP 800-90A compliant DRBG with
automatic self-seeding.
> diff --git a/drivers/crypto/cmh/cmh_main.c b/drivers/crypto/cmh/cmh_main.c
> index e5b2a86c3149b..40440e2b73b43 100644
> --- a/drivers/crypto/cmh/cmh_main.c
> +++ b/drivers/crypto/cmh/cmh_main.c
> @@ -230,6 +231,11 @@ static int cmh_probe(struct platform_device *pdev)
> if (ret)
> goto err_sm3_register;
>
> + /* Register hwrng backed by DRBG core */
> + ret = cmh_rng_register(pdev);
> + if (ret)
> + goto err_rng_register;
> +
[Severity: High]
While reviewing the new registration in cmh_probe(), I noticed a potential
issue with the global singleton g_cmh_dev.
At the start of cmh_probe(), there is a lockless check:
if (g_cmh_dev)
return -EBUSY;
But g_cmh_dev is only assigned at the very end of the function:
g_cmh_dev = dev;
Does this allow a time-of-check to time-of-use race where concurrent probes
could both see g_cmh_dev as NULL and proceed to register global algorithms,
potentially corrupting the crypto api lists and subsystem state?
[ ... ]
> diff --git a/drivers/crypto/cmh/cmh_rng.c b/drivers/crypto/cmh/cmh_rng.c
> new file mode 100644
> index 0000000000000..c9693f6cc3609
> --- /dev/null
> +++ b/drivers/crypto/cmh/cmh_rng.c
> @@ -0,0 +1,316 @@
[ ... ]
> +static int hwrng_quality;
> +module_param(hwrng_quality, int, 0444);
> +MODULE_PARM_DESC(hwrng_quality,
> + "hwrng quality (0=no CRNG seeding, 1-1024=enable; default: 0)");
[ ... ]
> +int cmh_rng_register(struct platform_device *pdev)
> +{
> + int ret;
> +
> + cmh_hwrng.quality = hwrng_quality;
[Severity: High]
The module parameter documentation indicates that a default value of 0 means
"no CRNG seeding".
If hwrng_quality is 0, this assigns 0 to cmh_hwrng.quality. The hwrng core
framework treats 0 as uninitialized and applies fallback logic:
rng->quality = min3(default_quality, 1024, rng->quality ?: 1024);
Does this fallback logic evaluate to 1024 when rng->quality is 0, silently
elevating the hardware rng to a fully trusted entropy source by default
and violating the documented security intent?
[ ... ]
> +static int cmh_rng_read(struct hwrng *rng, void *data, size_t max, bool wait)
> +{
[ ... ]
> + ret = cmh_tm_submit_sync_noabort(vcq, DRBG_READ_VCQ_CMDS, 1,
> + msecs_to_jiffies(drbg_timeout_ms),
> + cmh_dma_orphan_free, orphan);
> + if (ret == -EINPROGRESS) {
> + /* Orphan callback owns dmabuf -- will free on VCQ completion */
> + return -EAGAIN;
> + }
[Severity: Medium]
When wait is true, cmh_rng_read() is being called for a blocking read.
If a transient error like -EINPROGRESS is returned, propagating -EAGAIN back
to the hwrng core causes it to return -EAGAIN to userspace on a blocking
file descriptor.
Could returning -EAGAIN on a blocking read violate posix semantics for
blocking file descriptors?
> +
> + /* Normal path or cancelled-from-queue: caller owns DMA */
> + cmh_dma_unmap_single(dma_addr, nbytes, DMA_FROM_DEVICE);
> + kfree(orphan);
> +
> + if (ret) {
[ ... ]
> + case -ENODEV:
> + dev_dbg_ratelimited(cmh_dev(),
> + "rng: transient DRBG failure (rc=%d)\n",
> + ret);
> + kfree(dmabuf);
> + return -EAGAIN;
[Severity: Medium]
Similar to the -EINPROGRESS check above, this path returns -EAGAIN without
checking the wait parameter, which can leak non-blocking error codes to a
blocking read.
Additionally, dmabuf is freed here using a standard kfree(). Since dmabuf
might contain sensitive pseudo-random material from a partially completed
or failed operation, would it be safer to use kfree_sensitive() to ensure
the buffer is zeroized?
> + default:
> + dev_err_ratelimited(cmh_dev(),
> + "rng: DRBG generate failed (rc=%d)\n",
> + ret);
> + kfree(dmabuf);
[Severity: Medium]
Does this error path also need kfree_sensitive() to clear potentially
sensitive entropy data left in dmabuf?
> + return ret;
> + }
> + }
> +
> + memcpy(data, dmabuf, nbytes);
> + kfree(dmabuf);
[Severity: Medium]
After successfully copying the generated entropy to the caller's buffer,
dmabuf is freed with kfree().
Could this leave uncleared generated entropy in the kernel heap, and should
kfree_sensitive() be used here instead?
> +
> + return nbytes;
> +}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260709203037.1884436-1-skrishnamoorthy@rambus.com?part=11
next prev parent reply other threads:[~2026-07-09 20:54 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-09 20:30 [PATCH v2 00/19] crypto: cmh - add CRI CryptoManager Hub driver Saravanakrishnan Krishnamoorthy
2026-07-09 20:30 ` [PATCH v2 01/19] dt-bindings: crypto: add Rambus CryptoManager Hub Saravanakrishnan Krishnamoorthy
2026-07-09 20:38 ` sashiko-bot
2026-07-10 8:58 ` Conor Dooley
2026-07-10 23:14 ` Ousherovitch, Alex
2026-07-09 20:30 ` [PATCH v2 02/19] crypto: cmh - add core platform driver Saravanakrishnan Krishnamoorthy
2026-07-09 20:49 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 03/19] crypto: cmh - add key provisioning and management Saravanakrishnan Krishnamoorthy
2026-07-09 20:49 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 04/19] crypto: cmh - add SHA-2/SHA-3/SHAKE ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:45 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 05/19] crypto: cmh - add HMAC ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:42 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 06/19] crypto: cmh - add CSHAKE/KMAC ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:47 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 07/19] crypto: cmh - add SM3 ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:47 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 08/19] crypto: cmh - add AES skcipher/aead/cmac Saravanakrishnan Krishnamoorthy
2026-07-09 20:47 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 09/19] crypto: cmh - add SM4 skcipher/aead/cmac/xcbc Saravanakrishnan Krishnamoorthy
2026-07-09 20:49 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 10/19] crypto: cmh - add ChaCha20-Poly1305 Saravanakrishnan Krishnamoorthy
2026-07-09 20:46 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 11/19] crypto: cmh - add DRBG hwrng Saravanakrishnan Krishnamoorthy
2026-07-09 20:54 ` sashiko-bot [this message]
2026-07-09 20:30 ` [PATCH v2 12/19] crypto: cmh - add RSA akcipher Saravanakrishnan Krishnamoorthy
2026-07-09 20:57 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 13/19] crypto: cmh - add ECDSA/SM2 sig Saravanakrishnan Krishnamoorthy
2026-07-09 21:04 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 14/19] crypto: cmh - add ECDH/X25519 kpp Saravanakrishnan Krishnamoorthy
2026-07-09 21:08 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 15/19] crypto: cmh - add ML-KEM/ML-DSA (QSE) Saravanakrishnan Krishnamoorthy
2026-07-09 21:03 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 16/19] crypto: cmh - add SLH-DSA/LMS/XMSS (HCQ) Saravanakrishnan Krishnamoorthy
2026-07-09 21:02 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 17/19] Documentation: ioctl: add CMH ioctl documentation and register 'J' Saravanakrishnan Krishnamoorthy
2026-07-09 20:54 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 18/19] selftests: crypto: cmh - add kselftest for management ioctl Saravanakrishnan Krishnamoorthy
2026-07-09 20:54 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 19/19] MAINTAINERS: add Rambus CryptoManager Hub (CMH) Saravanakrishnan Krishnamoorthy
2026-07-10 1:04 ` Randy Dunlap
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260709205439.4E1B81F00A3A@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=skrishnamoorthy@rambus.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox