Devicetree
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Saravanakrishnan Krishnamoorthy" <skrishnamoorthy@rambus.com>
Cc: robh@kernel.org, devicetree@vger.kernel.org, conor+dt@kernel.org
Subject: Re: [PATCH v2 15/19] crypto: cmh - add ML-KEM/ML-DSA (QSE)
Date: Thu, 09 Jul 2026 21:03:20 +0000	[thread overview]
Message-ID: <20260709210320.A31E61F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260709203037.1884436-16-skrishnamoorthy@rambus.com>

Thank you for your contribution! Sashiko AI review found 2 potential issue(s) to consider:
- [High] Missing software fallback for oversized ML-DSA messages and incorrect rejection of 0-length messages.
- [Medium] Redundant DMA mappings and DMA API ownership violation for key buffers.
--

--- Patch [15]: [PATCH v2 15/19] crypto: cmh - add ML-KEM/ML-DSA (QSE) ---
commit c3b137e6f523e1962d3380a121a8e0166757ffb3
Author: Alex Ousherovitch <aousherovitch@rambus.com>

crypto: cmh - add ML-KEM/ML-DSA (QSE)

This patch registers ML-KEM and ML-DSA algorithms using the CMH QSE core.
It provides ML-DSA as a signature algorithm at priority 5001, overriding
the kernel's software implementation. It includes key generation, signing,
and verification capabilities.

> diff --git a/drivers/crypto/cmh/cmh_pqc_mldsa.c b/drivers/crypto/cmh/cmh_pqc_mldsa.c
> new file mode 100644
> index 0000000000000..cbe63c34a1c80
> --- /dev/null
> +++ b/drivers/crypto/cmh/cmh_pqc_mldsa.c
[ ... ]
> +static int cmh_mldsa_sign(struct crypto_sig *tfm,
> +			  const void *src, unsigned int slen,
> +			  void *dst, unsigned int dlen)
> +{
[ ... ]
> +	if (ctx->key.mode != CMH_KEY_RAW)
> +		return -EINVAL;
> +	if (dlen < sig_size)
> +		return -EINVAL;
> +	if (!slen || slen > ML_DSA_MAX_MLEN)
> +		return -EINVAL;

[Severity: High]
Does returning -EINVAL here permanently fail valid operations?

FIPS 204 allows 0-length messages, so rejecting slen == 0 might break valid
requests. Additionally, since this driver registers at priority 5001 and
overrides the generic software implementation (priority 5000), returning an
error for messages over ML_DSA_MAX_MLEN (10KB) means the crypto API won't
transparently fall back.

Should the driver internally allocate a fallback software tfm to handle
oversized messages, and properly support 0-length messages?

> +
> +	m_buf = kmemdup(src, slen, GFP_KERNEL);
> +	sig_buf = kzalloc(sig_size, GFP_KERNEL);
> +	if (!m_buf || !sig_buf) {
> +		ret = -ENOMEM;
> +		goto out_free;
> +	}
> +
> +	if (ctx->key.raw.len != sk_size) {
> +		ret = -EINVAL;
> +		goto out_free;
> +	}
> +
> +	sk_buf = kmemdup(ctx->key.raw.data, ctx->key.raw.len, GFP_KERNEL);

[Severity: Medium]
Does this redundantly copy and map the secret key?

The key in ctx->key.raw.data was already mapped as ctx->key.raw.dma in
cmh_key_setkey_raw() for the lifetime of the key. Also, since that buffer
is mapped to the device (DMA_TO_DEVICE), does reading from it here with
kmemdup() violate DMA API ownership rules?

Can this code just pass ctx->key.raw.dma directly to the VCQ command to
avoid the extra allocation and copy on the hot path?

> +	if (!sk_buf) {
> +		ret = -ENOMEM;
> +		goto out_free;
> +	}
[ ... ]
> +static int cmh_mldsa_verify(struct crypto_sig *tfm,
> +			    const void *src, unsigned int slen,
> +			    const void *digest, unsigned int dlen)
> +{
[ ... ]
> +	if (!ctx->pub_key)
> +		return -EINVAL;
> +	if (slen != sig_size)
> +		return -EINVAL;
> +	if (!dlen || dlen > ML_DSA_MAX_MLEN)
> +		return -EINVAL;

[Severity: High]
Similar to the signing path, does this incorrectly reject valid 0-length
messages and oversized messages?

Since the driver overrides the software fallback, it likely needs to handle
dlen == 0 and delegate messages larger than ML_DSA_MAX_MLEN to a software
fallback to maintain API contracts.

> +
> +	sig_buf = kmemdup(src, slen, GFP_KERNEL);
> +	m_buf = kmemdup(digest, dlen, GFP_KERNEL);
> +	pk_buf = kmemdup(ctx->pub_key, pk_size, GFP_KERNEL);

[Severity: Medium]
Does this redundantly allocate and map the public key on every verification?

Instead of copying it here, could the public key be mapped once in
cmh_mldsa_set_pub_key() and reused, avoiding this extra copy overhead
on every verify operation?

> +	if (!sig_buf || !m_buf || !pk_buf) {
> +		ret = -ENOMEM;
> +		goto out_free;
> +	}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260709203037.1884436-1-skrishnamoorthy@rambus.com?part=15

  reply	other threads:[~2026-07-09 21:03 UTC|newest]

Thread overview: 41+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-09 20:30 [PATCH v2 00/19] crypto: cmh - add CRI CryptoManager Hub driver Saravanakrishnan Krishnamoorthy
2026-07-09 20:30 ` [PATCH v2 01/19] dt-bindings: crypto: add Rambus CryptoManager Hub Saravanakrishnan Krishnamoorthy
2026-07-09 20:38   ` sashiko-bot
2026-07-10  8:58   ` Conor Dooley
2026-07-10 23:14     ` Ousherovitch, Alex
2026-07-09 20:30 ` [PATCH v2 02/19] crypto: cmh - add core platform driver Saravanakrishnan Krishnamoorthy
2026-07-09 20:49   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 03/19] crypto: cmh - add key provisioning and management Saravanakrishnan Krishnamoorthy
2026-07-09 20:49   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 04/19] crypto: cmh - add SHA-2/SHA-3/SHAKE ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:45   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 05/19] crypto: cmh - add HMAC ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:42   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 06/19] crypto: cmh - add CSHAKE/KMAC ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:47   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 07/19] crypto: cmh - add SM3 ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:47   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 08/19] crypto: cmh - add AES skcipher/aead/cmac Saravanakrishnan Krishnamoorthy
2026-07-09 20:47   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 09/19] crypto: cmh - add SM4 skcipher/aead/cmac/xcbc Saravanakrishnan Krishnamoorthy
2026-07-09 20:49   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 10/19] crypto: cmh - add ChaCha20-Poly1305 Saravanakrishnan Krishnamoorthy
2026-07-09 20:46   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 11/19] crypto: cmh - add DRBG hwrng Saravanakrishnan Krishnamoorthy
2026-07-09 20:54   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 12/19] crypto: cmh - add RSA akcipher Saravanakrishnan Krishnamoorthy
2026-07-09 20:57   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 13/19] crypto: cmh - add ECDSA/SM2 sig Saravanakrishnan Krishnamoorthy
2026-07-09 21:04   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 14/19] crypto: cmh - add ECDH/X25519 kpp Saravanakrishnan Krishnamoorthy
2026-07-09 21:08   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 15/19] crypto: cmh - add ML-KEM/ML-DSA (QSE) Saravanakrishnan Krishnamoorthy
2026-07-09 21:03   ` sashiko-bot [this message]
2026-07-09 20:30 ` [PATCH v2 16/19] crypto: cmh - add SLH-DSA/LMS/XMSS (HCQ) Saravanakrishnan Krishnamoorthy
2026-07-09 21:02   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 17/19] Documentation: ioctl: add CMH ioctl documentation and register 'J' Saravanakrishnan Krishnamoorthy
2026-07-09 20:54   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 18/19] selftests: crypto: cmh - add kselftest for management ioctl Saravanakrishnan Krishnamoorthy
2026-07-09 20:54   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 19/19] MAINTAINERS: add Rambus CryptoManager Hub (CMH) Saravanakrishnan Krishnamoorthy
2026-07-10  1:04   ` Randy Dunlap

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260709210320.A31E61F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=skrishnamoorthy@rambus.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox