From: Eric Biggers <ebiggers@kernel.org>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Tao Huang <huangtao@rock-chips.com>,
Zain Wang <wzz@rock-chips.com>, Heiko Stuebner <heiko@sntech.de>,
Arnd Bergmann <arnd@arndb.de>,
Ard Biesheuvel <ard.biesheuvel@linaro.org>,
Pascal Van Leeuwen <pvanleeuwen@insidesecure.com>,
Zhang Zhijie <zhangzj@rock-chips.com>,
"linux-rockchip@lists.infradead.org"
<linux-rockchip@lists.infradead.org>,
"open list:HARDWARE RANDOM NUMBER GENERATOR CORE"
<linux-crypto@vger.kernel.org>, Olof Johansson <olof@lixom.net>,
"ezequiel@collabora.com" <ezequiel@collabora.com>,
linux-arm-kernel <linux-arm-kernel@lists.infradead.org>
Subject: Re: [Bug] Rockchip crypto driver sometimes produces wrong ciphertext
Date: Thu, 4 Apr 2019 10:12:05 -0700 [thread overview]
Message-ID: <20190404171204.GA121392@gmail.com> (raw)
In-Reply-To: <AM5PR0901MB115570ABE89DC1285AE07E60D2500@AM5PR0901MB1155.eurprd09.prod.outlook.com>
On Thu, Apr 04, 2019 at 01:41:50PM +0000, Pascal Van Leeuwen wrote:
> > The issue is that the self-tests now verify that CBC implementations update the
> > IV buffer to contain the next IV, aka the last ciphertext block. But the Rockchip
> > crypto driver doesn't do that, so it needs to be fixed.
> >
> > This has always been a requirement for CBC implementations so that users can
> > chain CBC requests. Unfortunately it was just never tested for...
> >
> This did not immediately trigger me when it came flying past a couple of weeks
> ago, but I ran into the same issue today with the inside_secure driver I'm playing
> with: it does NOT return correct IV outputs for CBC modes.
>
> However ... I'd like to question that very requirement ... if I may :-)
>
> My reasoning is that this IV output *is* available as the last block of either the
> output (for encrypt) or input (for decrypt) datastream. So requiring it to be
> updated in the IV buffer as well seems redundant to me. It burdens the driver
> with an extra data copy operation, while in the majority of practicle use cases
> you would not even *need* this output IV. (chaining IV's would not work on
> a hardware accelerator anyway, because you would need to serialize the
> datastream, meaning you run at the speed of the round-trip latency instead
> of the throughput, which is typically one to two orders of a magnitude slower)
>
> And in the odd case you do need it, you can just grab it from the data buffer
> yourself.
>
> Pascal van Leeuwen
> Silicon IP Architect, Multi-Protocol Engines
>
Herbert, can you explain what users actually rely on the next IV being returned?
I don't know all the historical context behind this.
- Eric
next prev parent reply other threads:[~2019-04-04 17:12 UTC|newest]
Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-26 21:05 [Bug] Rockchip crypto driver sometimes produces wrong ciphertext Eric Biggers
2019-01-27 8:54 ` Ard Biesheuvel
2019-01-27 10:29 ` Heiko Stuebner
2019-01-28 3:14 ` Tao Huang
2019-03-15 3:31 ` Eric Biggers
2019-03-16 22:31 ` Ezequiel Garcia
2019-03-18 15:03 ` Gael PORTAY
2019-03-21 17:04 ` Gael PORTAY
2019-03-25 6:31 ` Zhang Zhijie
[not found] ` <20190315033140.GB1671-8Kz7deQLoS0mYvmMESoHnA@public.gmane.org>
2019-04-04 13:41 ` Pascal Van Leeuwen
2019-04-04 17:12 ` Eric Biggers [this message]
[not found] ` <20190404171204.GA121392-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2019-04-07 12:42 ` Herbert Xu
[not found] ` <20190407124211.fv7pjsozxhnhw56i-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q@public.gmane.org>
2019-04-07 19:12 ` Pascal Van Leeuwen
[not found] ` <AM6PR09MB352377D3A58CE6C12464414ED2530-BMP/HIh3pkp4VU3MGTQapqF+KQg4AgVRvxpqHgZTriW3zl9H0oFU5g@public.gmane.org>
2019-04-08 5:58 ` Herbert Xu
[not found] ` <20190408055841.xa5dof4e5xqgaitv-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q@public.gmane.org>
2019-04-08 8:59 ` Pascal Van Leeuwen
[not found] ` <AM6PR09MB35238739075B080390C11341D22C0-BMP/HIh3pkp4VU3MGTQapqF+KQg4AgVRvxpqHgZTriW3zl9H0oFU5g@public.gmane.org>
2019-04-08 9:06 ` Herbert Xu
[not found] ` <20190408090604.7v7s5xhfvwthknio-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q@public.gmane.org>
2019-04-09 15:53 ` Pascal Van Leeuwen
2019-04-08 18:09 ` Eric Biggers
2019-04-09 16:43 ` Pascal Van Leeuwen
2019-04-08 18:27 ` Eric Biggers
[not found] ` <20190408182757.GD9145-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
2019-04-08 21:17 ` Ard Biesheuvel
2019-04-09 16:58 ` Pascal Van Leeuwen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190404171204.GA121392@gmail.com \
--to=ebiggers@kernel.org \
--cc=ard.biesheuvel@linaro.org \
--cc=arnd@arndb.de \
--cc=ezequiel@collabora.com \
--cc=heiko@sntech.de \
--cc=herbert@gondor.apana.org.au \
--cc=huangtao@rock-chips.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-rockchip@lists.infradead.org \
--cc=olof@lixom.net \
--cc=pvanleeuwen@insidesecure.com \
--cc=wzz@rock-chips.com \
--cc=zhangzj@rock-chips.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox