Devicetree
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Saravanakrishnan Krishnamoorthy" <skrishnamoorthy@rambus.com>
Cc: conor+dt@kernel.org, robh@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v2 11/19] crypto: cmh - add DRBG hwrng
Date: Thu, 09 Jul 2026 20:54:39 +0000	[thread overview]
Message-ID: <20260709205439.4E1B81F00A3A@smtp.kernel.org> (raw)
In-Reply-To: <20260709203037.1884436-12-skrishnamoorthy@rambus.com>

Thank you for your contribution! Sashiko AI review found 4 potential issue(s) to consider:
- [High] The `hwrng_quality` module parameter defaults to 0, which is documented as disabling CRNG seeding, but unintentionally grants full trust to the DRBG due to core framework fallback.
- [High] Lockless TOCTOU race on the g_cmh_dev singleton pointer allows concurrent probes to corrupt global device state.
- [Medium] Generated DRBG entropy is left uncleared in freed heap memory on the success and synchronous error paths.
- [Medium] Returning -EAGAIN on blocking reads violates POSIX semantics.
--

--- Patch [11]: [PATCH v2 11/19] crypto: cmh - add DRBG hwrng ---
commit 2408e2e670d0040cbc567d97d33eb49067cbda6f
Author: Alex Ousherovitch <aousherovitch@rambus.com>

crypto: cmh - add DRBG hwrng
    
Register the CMH DRBG core (core ID 0x0f) as an hwrng provider.
The hardware implements a NIST SP 800-90A compliant DRBG with
automatic self-seeding.

> diff --git a/drivers/crypto/cmh/cmh_main.c b/drivers/crypto/cmh/cmh_main.c
> index e5b2a86c3149b..40440e2b73b43 100644
> --- a/drivers/crypto/cmh/cmh_main.c
> +++ b/drivers/crypto/cmh/cmh_main.c
> @@ -230,6 +231,11 @@ static int cmh_probe(struct platform_device *pdev)
>  	if (ret)
>  		goto err_sm3_register;
>  
> +	/* Register hwrng backed by DRBG core */
> +	ret = cmh_rng_register(pdev);
> +	if (ret)
> +		goto err_rng_register;
> +

[Severity: High]
While reviewing the new registration in cmh_probe(), I noticed a potential
issue with the global singleton g_cmh_dev.

At the start of cmh_probe(), there is a lockless check:

if (g_cmh_dev)
	return -EBUSY;

But g_cmh_dev is only assigned at the very end of the function:

g_cmh_dev = dev;

Does this allow a time-of-check to time-of-use race where concurrent probes
could both see g_cmh_dev as NULL and proceed to register global algorithms,
potentially corrupting the crypto api lists and subsystem state?

[ ... ]
> diff --git a/drivers/crypto/cmh/cmh_rng.c b/drivers/crypto/cmh/cmh_rng.c
> new file mode 100644
> index 0000000000000..c9693f6cc3609
> --- /dev/null
> +++ b/drivers/crypto/cmh/cmh_rng.c
> @@ -0,0 +1,316 @@
[ ... ]
> +static int hwrng_quality;
> +module_param(hwrng_quality, int, 0444);
> +MODULE_PARM_DESC(hwrng_quality,
> +		 "hwrng quality (0=no CRNG seeding, 1-1024=enable; default: 0)");
[ ... ]
> +int cmh_rng_register(struct platform_device *pdev)
> +{
> +	int ret;
> +
> +	cmh_hwrng.quality = hwrng_quality;

[Severity: High]
The module parameter documentation indicates that a default value of 0 means
"no CRNG seeding".

If hwrng_quality is 0, this assigns 0 to cmh_hwrng.quality. The hwrng core
framework treats 0 as uninitialized and applies fallback logic:

rng->quality = min3(default_quality, 1024, rng->quality ?: 1024);

Does this fallback logic evaluate to 1024 when rng->quality is 0, silently
elevating the hardware rng to a fully trusted entropy source by default
and violating the documented security intent?

[ ... ]
> +static int cmh_rng_read(struct hwrng *rng, void *data, size_t max, bool wait)
> +{
[ ... ]
> +	ret = cmh_tm_submit_sync_noabort(vcq, DRBG_READ_VCQ_CMDS, 1,
> +					 msecs_to_jiffies(drbg_timeout_ms),
> +					 cmh_dma_orphan_free, orphan);
> +	if (ret == -EINPROGRESS) {
> +		/* Orphan callback owns dmabuf -- will free on VCQ completion */
> +		return -EAGAIN;
> +	}

[Severity: Medium]
When wait is true, cmh_rng_read() is being called for a blocking read.

If a transient error like -EINPROGRESS is returned, propagating -EAGAIN back
to the hwrng core causes it to return -EAGAIN to userspace on a blocking
file descriptor.

Could returning -EAGAIN on a blocking read violate posix semantics for
blocking file descriptors?

> +
> +	/* Normal path or cancelled-from-queue: caller owns DMA */
> +	cmh_dma_unmap_single(dma_addr, nbytes, DMA_FROM_DEVICE);
> +	kfree(orphan);
> +
> +	if (ret) {
[ ... ]
> +		case -ENODEV:
> +			dev_dbg_ratelimited(cmh_dev(),
> +					    "rng: transient DRBG failure (rc=%d)\n",
> +					    ret);
> +			kfree(dmabuf);
> +			return -EAGAIN;

[Severity: Medium]
Similar to the -EINPROGRESS check above, this path returns -EAGAIN without
checking the wait parameter, which can leak non-blocking error codes to a
blocking read.

Additionally, dmabuf is freed here using a standard kfree(). Since dmabuf
might contain sensitive pseudo-random material from a partially completed
or failed operation, would it be safer to use kfree_sensitive() to ensure
the buffer is zeroized?

> +		default:
> +			dev_err_ratelimited(cmh_dev(),
> +					    "rng: DRBG generate failed (rc=%d)\n",
> +					    ret);
> +			kfree(dmabuf);

[Severity: Medium]
Does this error path also need kfree_sensitive() to clear potentially
sensitive entropy data left in dmabuf?

> +			return ret;
> +		}
> +	}
> +
> +	memcpy(data, dmabuf, nbytes);
> +	kfree(dmabuf);

[Severity: Medium]
After successfully copying the generated entropy to the caller's buffer,
dmabuf is freed with kfree().

Could this leave uncleared generated entropy in the kernel heap, and should
kfree_sensitive() be used here instead?

> +
> +	return nbytes;
> +}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260709203037.1884436-1-skrishnamoorthy@rambus.com?part=11

  reply	other threads:[~2026-07-09 20:54 UTC|newest]

Thread overview: 41+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-09 20:30 [PATCH v2 00/19] crypto: cmh - add CRI CryptoManager Hub driver Saravanakrishnan Krishnamoorthy
2026-07-09 20:30 ` [PATCH v2 01/19] dt-bindings: crypto: add Rambus CryptoManager Hub Saravanakrishnan Krishnamoorthy
2026-07-09 20:38   ` sashiko-bot
2026-07-10  8:58   ` Conor Dooley
2026-07-10 23:14     ` Ousherovitch, Alex
2026-07-09 20:30 ` [PATCH v2 02/19] crypto: cmh - add core platform driver Saravanakrishnan Krishnamoorthy
2026-07-09 20:49   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 03/19] crypto: cmh - add key provisioning and management Saravanakrishnan Krishnamoorthy
2026-07-09 20:49   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 04/19] crypto: cmh - add SHA-2/SHA-3/SHAKE ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:45   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 05/19] crypto: cmh - add HMAC ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:42   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 06/19] crypto: cmh - add CSHAKE/KMAC ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:47   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 07/19] crypto: cmh - add SM3 ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:47   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 08/19] crypto: cmh - add AES skcipher/aead/cmac Saravanakrishnan Krishnamoorthy
2026-07-09 20:47   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 09/19] crypto: cmh - add SM4 skcipher/aead/cmac/xcbc Saravanakrishnan Krishnamoorthy
2026-07-09 20:49   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 10/19] crypto: cmh - add ChaCha20-Poly1305 Saravanakrishnan Krishnamoorthy
2026-07-09 20:46   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 11/19] crypto: cmh - add DRBG hwrng Saravanakrishnan Krishnamoorthy
2026-07-09 20:54   ` sashiko-bot [this message]
2026-07-09 20:30 ` [PATCH v2 12/19] crypto: cmh - add RSA akcipher Saravanakrishnan Krishnamoorthy
2026-07-09 20:57   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 13/19] crypto: cmh - add ECDSA/SM2 sig Saravanakrishnan Krishnamoorthy
2026-07-09 21:04   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 14/19] crypto: cmh - add ECDH/X25519 kpp Saravanakrishnan Krishnamoorthy
2026-07-09 21:08   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 15/19] crypto: cmh - add ML-KEM/ML-DSA (QSE) Saravanakrishnan Krishnamoorthy
2026-07-09 21:03   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 16/19] crypto: cmh - add SLH-DSA/LMS/XMSS (HCQ) Saravanakrishnan Krishnamoorthy
2026-07-09 21:02   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 17/19] Documentation: ioctl: add CMH ioctl documentation and register 'J' Saravanakrishnan Krishnamoorthy
2026-07-09 20:54   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 18/19] selftests: crypto: cmh - add kselftest for management ioctl Saravanakrishnan Krishnamoorthy
2026-07-09 20:54   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 19/19] MAINTAINERS: add Rambus CryptoManager Hub (CMH) Saravanakrishnan Krishnamoorthy
2026-07-10  1:04   ` Randy Dunlap

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260709205439.4E1B81F00A3A@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=skrishnamoorthy@rambus.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox