From: sashiko-bot@kernel.org
To: "Saravanakrishnan Krishnamoorthy" <skrishnamoorthy@rambus.com>
Cc: conor+dt@kernel.org, robh@kernel.org, devicetree@vger.kernel.org
Subject: Re: [PATCH v2 13/19] crypto: cmh - add ECDSA/SM2 sig
Date: Thu, 09 Jul 2026 21:04:18 +0000 [thread overview]
Message-ID: <20260709210419.E11241F000E9@smtp.kernel.org> (raw)
In-Reply-To: <20260709203037.1884436-14-skrishnamoorthy@rambus.com>
Thank you for your contribution! Sashiko AI review found 3 potential issue(s) to consider:
- [High] `cmh_ecdsa_set_priv_key` incorrectly rejects valid P-521 private keys due to a strict length check.
- [High] A malicious user can provide an oversized ECDSA signature to trigger a WARN_ON_ONCE, potentially causing a kernel panic on systems with panic_on_warn enabled.
- [Medium] Unnecessary copying and DMA mapping of the private key on the fast path during `cmh_ecdsa_sign()`.
--
--- Patch [13]: [PATCH v2 13/19] crypto: cmh - add ECDSA/SM2 sig ---
commit 6d12540edcf70f967d4d40c53ce926233bb16875
Author: Alex Ousherovitch <aousherovitch@rambus.com>
crypto: cmh - add ECDSA/SM2 sig
This commit registers ECDSA and SM2 signature algorithms using the CMH PKE
core. It supports P-256, P-384, P-521, and SM2 curves for signing and
verification. SM2 is registered as verify-only via the crypto API.
> diff --git a/drivers/crypto/cmh/cmh_pke_ecdsa.c b/drivers/crypto/cmh/cmh_pke_ecdsa.c
> new file mode 100644
> index 0000000000000..6b65f7fb72cc9
> --- /dev/null
> +++ b/drivers/crypto/cmh/cmh_pke_ecdsa.c
[ ... ]
> +static void ecdsa_vli_to_be(const u64 *vli, unsigned int ndigits,
> + u8 *out, unsigned int out_len)
> +{
[ ... ]
> + } else {
> + /* VLI wider than out -- skip leading (zero) bytes */
> + u8 tmp[ECC_MAX_BYTES];
> +
> + for (i = 0; i < ndigits; i++)
> + put_unaligned_be64(vli[ndigits - 1 - i],
> + &tmp[i * sizeof(u64)]);
> + skip = full_len - out_len;
> + WARN_ON_ONCE(memchr_inv(tmp, 0, skip));
[Severity: High]
Can an unprivileged user trigger this WARN_ON_ONCE by providing an
oversized signature (e.g., via keyctl or AF_ALG)?
If the user passes an r or s array padded with non-zero upper bytes during
signature verification, could this cause a kernel panic on systems with
panic_on_warn enabled?
Would it be safer to return -EINVAL here instead of warning?
> + memcpy(out, tmp + skip, out_len);
> + }
> +}
[ ... ]
> +static int cmh_ecdsa_sign(struct crypto_sig *tfm,
> + const void *src, unsigned int slen,
> + void *dst, unsigned int dlen)
> +{
[ ... ]
> + dig_buf = kzalloc(clen, GFP_KERNEL);
> + sig_buf = kzalloc(sig_raw_len, GFP_KERNEL);
> + sk_buf = kmemdup(ctx->key.raw.data, ctx->key.raw.len, GFP_KERNEL);
> + if (!dig_buf || !sig_buf || !sk_buf) {
> + ret = -ENOMEM;
> + goto out_free;
> + }
> +
> + /*
> + * Truncate or zero-pad digest to clen bytes, right-aligned.
> + * Matches ECDSA bits2int: use leftmost min(slen, clen) bytes,
> + * zero-pad on the left when slen < clen.
> + */
> + memcpy(dig_buf + (clen - copy_len), src, copy_len);
> +
> + dig_dma = cmh_dma_map_single(dig_buf, clen, DMA_TO_DEVICE);
> + sig_dma = cmh_dma_map_single(sig_buf, sig_raw_len, DMA_FROM_DEVICE);
> + sk_dma = cmh_dma_map_single(sk_buf, ctx->key.raw.len, DMA_TO_DEVICE);
[Severity: Medium]
Is it necessary to allocate and DMA map the private key on the fast path
during cmh_ecdsa_sign()?
Since cmh_key_setkey_raw() already pre-maps the key into ctx->key.raw.dma
for the lifetime of the transform, does duplicating this mapping here
cause unnecessary performance overhead, or unnecessarily expose the private
key material in a transient heap buffer?
> +
> + if (cmh_dma_map_error(dig_dma) || cmh_dma_map_error(sig_dma) ||
> + cmh_dma_map_error(sk_dma)) {
> + ret = -ENOMEM;
[ ... ]
> +static int cmh_ecdsa_set_priv_key(struct crypto_sig *tfm,
> + const void *key, unsigned int keylen)
> +{
> + struct cmh_ecdsa_tfm_ctx *ctx = cmh_ecdsa_ctx(tfm);
> +
> + if (keylen != ctx->clen)
> + return -EINVAL;
[Severity: High]
Does this strict length equality check prevent P-521 signing?
The kernel crypto API passes exactly 66 bytes (ceil(521/8)) for P-521
coordinates, but ctx->clen for P-521 is 68. Would it be better to accept
lengths <= clen and left-pad them with zeroes, similar to how
cmh_ecdsa_set_pub_key() handles it?
> +
> + return cmh_key_setkey_raw(&ctx->key, key, keylen, CORE_ID_PKE);
> +}
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260709203037.1884436-1-skrishnamoorthy@rambus.com?part=13
next prev parent reply other threads:[~2026-07-09 21:04 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-09 20:30 [PATCH v2 00/19] crypto: cmh - add CRI CryptoManager Hub driver Saravanakrishnan Krishnamoorthy
2026-07-09 20:30 ` [PATCH v2 01/19] dt-bindings: crypto: add Rambus CryptoManager Hub Saravanakrishnan Krishnamoorthy
2026-07-09 20:38 ` sashiko-bot
2026-07-10 8:58 ` Conor Dooley
2026-07-10 23:14 ` Ousherovitch, Alex
2026-07-09 20:30 ` [PATCH v2 02/19] crypto: cmh - add core platform driver Saravanakrishnan Krishnamoorthy
2026-07-09 20:49 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 03/19] crypto: cmh - add key provisioning and management Saravanakrishnan Krishnamoorthy
2026-07-09 20:49 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 04/19] crypto: cmh - add SHA-2/SHA-3/SHAKE ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:45 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 05/19] crypto: cmh - add HMAC ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:42 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 06/19] crypto: cmh - add CSHAKE/KMAC ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:47 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 07/19] crypto: cmh - add SM3 ahash Saravanakrishnan Krishnamoorthy
2026-07-09 20:47 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 08/19] crypto: cmh - add AES skcipher/aead/cmac Saravanakrishnan Krishnamoorthy
2026-07-09 20:47 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 09/19] crypto: cmh - add SM4 skcipher/aead/cmac/xcbc Saravanakrishnan Krishnamoorthy
2026-07-09 20:49 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 10/19] crypto: cmh - add ChaCha20-Poly1305 Saravanakrishnan Krishnamoorthy
2026-07-09 20:46 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 11/19] crypto: cmh - add DRBG hwrng Saravanakrishnan Krishnamoorthy
2026-07-09 20:54 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 12/19] crypto: cmh - add RSA akcipher Saravanakrishnan Krishnamoorthy
2026-07-09 20:57 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 13/19] crypto: cmh - add ECDSA/SM2 sig Saravanakrishnan Krishnamoorthy
2026-07-09 21:04 ` sashiko-bot [this message]
2026-07-09 20:30 ` [PATCH v2 14/19] crypto: cmh - add ECDH/X25519 kpp Saravanakrishnan Krishnamoorthy
2026-07-09 21:08 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 15/19] crypto: cmh - add ML-KEM/ML-DSA (QSE) Saravanakrishnan Krishnamoorthy
2026-07-09 21:03 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 16/19] crypto: cmh - add SLH-DSA/LMS/XMSS (HCQ) Saravanakrishnan Krishnamoorthy
2026-07-09 21:02 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 17/19] Documentation: ioctl: add CMH ioctl documentation and register 'J' Saravanakrishnan Krishnamoorthy
2026-07-09 20:54 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 18/19] selftests: crypto: cmh - add kselftest for management ioctl Saravanakrishnan Krishnamoorthy
2026-07-09 20:54 ` sashiko-bot
2026-07-09 20:30 ` [PATCH v2 19/19] MAINTAINERS: add Rambus CryptoManager Hub (CMH) Saravanakrishnan Krishnamoorthy
2026-07-10 1:04 ` Randy Dunlap
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260709210419.E11241F000E9@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=conor+dt@kernel.org \
--cc=devicetree@vger.kernel.org \
--cc=robh@kernel.org \
--cc=sashiko-reviews@lists.linux.dev \
--cc=skrishnamoorthy@rambus.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox