Devicetree
 help / color / mirror / Atom feed
From: sashiko-bot@kernel.org
To: "Saravanakrishnan Krishnamoorthy" <skrishnamoorthy@rambus.com>
Cc: conor+dt@kernel.org, robh@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v2 13/19] crypto: cmh - add ECDSA/SM2 sig
Date: Thu, 09 Jul 2026 21:04:18 +0000	[thread overview]
Message-ID: <20260709210419.E11241F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260709203037.1884436-14-skrishnamoorthy@rambus.com>

Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] `cmh_ecdsa_set_priv_key` incorrectly rejects valid P-521 private keys due to a strict length check.
- [High] A malicious user can provide an oversized ECDSA signature to trigger a WARN_ON_ONCE, potentially causing a kernel panic on systems with panic_on_warn enabled.
- [Medium] Unnecessary copying and DMA mapping of the private key on the fast path during `cmh_ecdsa_sign()`.
--

--- Patch [13]: [PATCH v2 13/19] crypto: cmh - add ECDSA/SM2 sig ---
commit 6d12540edcf70f967d4d40c53ce926233bb16875
Author: Alex Ousherovitch <aousherovitch@rambus.com>

crypto: cmh - add ECDSA/SM2 sig

This commit registers ECDSA and SM2 signature algorithms using the CMH PKE
core. It supports P-256, P-384, P-521, and SM2 curves for signing and
verification. SM2 is registered as verify-only via the crypto API.

> diff --git a/drivers/crypto/cmh/cmh_pke_ecdsa.c b/drivers/crypto/cmh/cmh_pke_ecdsa.c
> new file mode 100644
> index 0000000000000..6b65f7fb72cc9
> --- /dev/null
> +++ b/drivers/crypto/cmh/cmh_pke_ecdsa.c

[ ... ]

> +static void ecdsa_vli_to_be(const u64 *vli, unsigned int ndigits,
> +			    u8 *out, unsigned int out_len)
> +{

[ ... ]

> +	} else {
> +		/* VLI wider than out -- skip leading (zero) bytes */
> +		u8 tmp[ECC_MAX_BYTES];
> +
> +		for (i = 0; i < ndigits; i++)
> +			put_unaligned_be64(vli[ndigits - 1 - i],
> +					   &tmp[i * sizeof(u64)]);
> +		skip = full_len - out_len;
> +		WARN_ON_ONCE(memchr_inv(tmp, 0, skip));

[Severity: High]
Can an unprivileged user trigger this WARN_ON_ONCE by providing an
oversized signature (e.g., via keyctl or AF_ALG)?

If the user passes an r or s array padded with non-zero upper bytes during
signature verification, could this cause a kernel panic on systems with
panic_on_warn enabled?

Would it be safer to return -EINVAL here instead of warning?

> +		memcpy(out, tmp + skip, out_len);
> +	}
> +}

[ ... ]

> +static int cmh_ecdsa_sign(struct crypto_sig *tfm,
> +			  const void *src, unsigned int slen,
> +			  void *dst, unsigned int dlen)
> +{

[ ... ]

> +	dig_buf = kzalloc(clen, GFP_KERNEL);
> +	sig_buf = kzalloc(sig_raw_len, GFP_KERNEL);
> +	sk_buf = kmemdup(ctx->key.raw.data, ctx->key.raw.len, GFP_KERNEL);
> +	if (!dig_buf || !sig_buf || !sk_buf) {
> +		ret = -ENOMEM;
> +		goto out_free;
> +	}
> +
> +	/*
> +	 * Truncate or zero-pad digest to clen bytes, right-aligned.
> +	 * Matches ECDSA bits2int: use leftmost min(slen, clen) bytes,
> +	 * zero-pad on the left when slen < clen.
> +	 */
> +	memcpy(dig_buf + (clen - copy_len), src, copy_len);
> +
> +	dig_dma = cmh_dma_map_single(dig_buf, clen, DMA_TO_DEVICE);
> +	sig_dma = cmh_dma_map_single(sig_buf, sig_raw_len, DMA_FROM_DEVICE);
> +	sk_dma = cmh_dma_map_single(sk_buf, ctx->key.raw.len, DMA_TO_DEVICE);

[Severity: Medium]
Is it necessary to allocate and DMA map the private key on the fast path
during cmh_ecdsa_sign()?

Since cmh_key_setkey_raw() already pre-maps the key into ctx->key.raw.dma
for the lifetime of the transform, does duplicating this mapping here
cause unnecessary performance overhead, or unnecessarily expose the private
key material in a transient heap buffer?

> +
> +	if (cmh_dma_map_error(dig_dma) || cmh_dma_map_error(sig_dma) ||
> +	    cmh_dma_map_error(sk_dma)) {
> +		ret = -ENOMEM;

[ ... ]

> +static int cmh_ecdsa_set_priv_key(struct crypto_sig *tfm,
> +				  const void *key, unsigned int keylen)
> +{
> +	struct cmh_ecdsa_tfm_ctx *ctx = cmh_ecdsa_ctx(tfm);
> +
> +	if (keylen != ctx->clen)
> +		return -EINVAL;

[Severity: High]
Does this strict length equality check prevent P-521 signing?

The kernel crypto API passes exactly 66 bytes (ceil(521/8)) for P-521
coordinates, but ctx->clen for P-521 is 68. Would it be better to accept
lengths <= clen and left-pad them with zeroes, similar to how
cmh_ecdsa_set_pub_key() handles it?

> +
> +	return cmh_key_setkey_raw(&ctx->key, key, keylen, CORE_ID_PKE);
> +}

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260709203037.1884436-1-skrishnamoorthy@rambus.com?part=13

  reply	other threads:[~2026-07-09 21:04 UTC|newest]

Thread overview: 41+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-09 20:30 [PATCH v2 00/19] crypto: cmh - add CRI CryptoManager Hub driver Saravanakrishnan Krishnamoorthy
2026-07-09 20:30 ` [PATCH v2 01/19] dt-bindings: crypto: add Rambus CryptoManager Hub Saravanakrishnan Krishnamoorthy
2026-07-09 20:38   ` sashiko-bot
2026-07-10  8:58   ` Conor Dooley
2026-07-10 23:14     ` Ousherovitch, Alex
2026-07-09 20:30 ` [PATCH v2 02/19] crypto: cmh - add core platform driver Saravanakrishnan Krishnamoorthy
2026-07-09 20:49   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 03/19] crypto: cmh - add key provisioning and management Saravanakrishnan Krishnamoorthy
2026-07-09 20:49   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 04/19] crypto: cmh - add SHA-2/SHA-3/SHAKE ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:45   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 05/19] crypto: cmh - add HMAC ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:42   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 06/19] crypto: cmh - add CSHAKE/KMAC ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:47   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 07/19] crypto: cmh - add SM3 ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:47   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 08/19] crypto: cmh - add AES skcipher/aead/cmac Saravanakrishnan Krishnamoorthy
2026-07-09 20:47   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 09/19] crypto: cmh - add SM4 skcipher/aead/cmac/xcbc Saravanakrishnan Krishnamoorthy
2026-07-09 20:49   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 10/19] crypto: cmh - add ChaCha20-Poly1305 Saravanakrishnan Krishnamoorthy
2026-07-09 20:46   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 11/19] crypto: cmh - add DRBG hwrng Saravanakrishnan Krishnamoorthy
2026-07-09 20:54   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 12/19] crypto: cmh - add RSA akcipher Saravanakrishnan Krishnamoorthy
2026-07-09 20:57   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 13/19] crypto: cmh - add ECDSA/SM2 sig Saravanakrishnan Krishnamoorthy
2026-07-09 21:04   ` sashiko-bot [this message]
2026-07-09 20:30 ` [PATCH v2 14/19] crypto: cmh - add ECDH/X25519 kpp Saravanakrishnan Krishnamoorthy
2026-07-09 21:08   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 15/19] crypto: cmh - add ML-KEM/ML-DSA (QSE) Saravanakrishnan Krishnamoorthy
2026-07-09 21:03   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 16/19] crypto: cmh - add SLH-DSA/LMS/XMSS (HCQ) Saravanakrishnan Krishnamoorthy
2026-07-09 21:02   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 17/19] Documentation: ioctl: add CMH ioctl documentation and register 'J' Saravanakrishnan Krishnamoorthy
2026-07-09 20:54   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 18/19] selftests: crypto: cmh - add kselftest for management ioctl Saravanakrishnan Krishnamoorthy
2026-07-09 20:54   ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 19/19] MAINTAINERS: add Rambus CryptoManager Hub (CMH) Saravanakrishnan Krishnamoorthy
2026-07-10  1:04   ` Randy Dunlap

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260709210419.E11241F000E9@smtp.kernel.org \
    --to=sashiko-bot@kernel.org \
    --cc=conor+dt@kernel.org \
    --cc=devicetree@vger.kernel.org \
    --cc=robh@kernel.org \
    --cc=sashiko-reviews@lists.linux.dev \
    --cc=skrishnamoorthy@rambus.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox