* [PATCH v2 7/9] crypto: virtio: Add IV buffer in structure virtio_crypto_sym_request
       [not found] <20250701030842.1136519-1-maobibo@loongson.cn=20251204112227.2659404-1-maobibo@loongson.cn>
@ 2025-12-04 11:25 ` Bibo Mao
  2025-12-04 12:48   ` Michael S. Tsirkin
  2025-12-04 11:25 ` [PATCH v2 8/9] crypto: virtio: Add skcipher support without IV Bibo Mao
  2025-12-04 11:26 ` [PATCH v2 9/9] crypto: virtio: Add ecb aes algo support Bibo Mao
  2 siblings, 1 reply; 7+ messages in thread
From: Bibo Mao @ 2025-12-04 11:25 UTC (permalink / raw)
  To: Gonglei, Michael S. Tsirkin, Jason Wang, Xuan Zhuo,
	Eugenio Pérez, Herbert Xu, David S. Miller
  Cc: virtualization, linux-crypto, linux-kernel

Add an IV buffer to struct virtio_crypto_sym_request to avoid an
unnecessary IV buffer allocation in the encrypt/decrypt process. The IV
buffer is cleared when the encrypt/decrypt operation is finished.

Signed-off-by: Bibo Mao <maobibo@loongson.cn>
---
 .../virtio/virtio_crypto_skcipher_algs.c      | 20 +++++++------------
 1 file changed, 7 insertions(+), 13 deletions(-)

diff --git a/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c b/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c
index a7c7c726e6d9..c911b7ba8f13 100644
--- a/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c
+++ b/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c
@@ -30,9 +30,9 @@ struct virtio_crypto_sym_request {
 
 	/* Cipher or aead */
 	uint32_t type;
-	uint8_t *iv;
 	/* Encryption? */
 	bool encrypt;
+	uint8_t iv[0];
 };
 
 struct virtio_crypto_algo {
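Review bot: The trailing buffer is declared as a zero-length array, `uint8_t iv[0];`; kernel style deprecates that form in favour of a C99 flexible array member, `uint8_t iv[];`. With a flexible array, bounds-checking tooling treats the member as variable-sized rather than as a zero-byte object, which matters here because later hunks copy ivsize bytes into it and wipe it with memzero_explicit(). A one-line comment such as `/* ivsize bytes, reserved through crypto_skcipher_set_reqsize() */` would also tell readers where the storage comes from.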
@@ -402,12 +402,7 @@ __virtio_crypto_skcipher_do_req(struct virtio_crypto_sym_request *vc_sym_req,
 	 * Avoid to do DMA from the stack, switch to using
 	 * dynamically-allocated for the IV
 	 */
-	iv = kzalloc_node(ivsize, GFP_ATOMIC,
-				dev_to_node(&vcrypto->vdev->dev));
-	if (!iv) {
-		err = -ENOMEM;
-		goto free;
-	}
+	iv = vc_sym_req->iv;
 	memcpy(iv, req->iv, ivsize);
 	if (!vc_sym_req->encrypt)
 		scatterwalk_map_and_copy(req->iv, req->src,
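Review bot: The comment kept above `iv = vc_sym_req->iv;` still says the IV is switched to a dynamically-allocated buffer, which is no longer what the code does; it should read something like `/* Avoid DMA from the stack: use the IV buffer in the request context */`. Because that buffer is handed to the device through sg_init_one() in the following hunk, it is worth confirming that the request context is DMA-safe: it presumably is heap memory, but the IV now shares its allocation, and possibly a cache line, with `type` and `encrypt`. The crypto API provides crypto_skcipher_set_reqsize_dma() and skcipher_request_ctx_dma() for request contexts that are used for DMA. The function body starts and ends outside this hunk.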
@@ -416,7 +411,6 @@ __virtio_crypto_skcipher_do_req(struct virtio_crypto_sym_request *vc_sym_req,
 
 	sg_init_one(&iv_sg, iv, ivsize);
 	sgs[num_out++] = &iv_sg;
-	vc_sym_req->iv = iv;
 
 	/* Source data */
 	for (sg = req->src; src_nents; sg = sg_next(sg), src_nents--)
@@ -438,12 +432,10 @@ __virtio_crypto_skcipher_do_req(struct virtio_crypto_sym_request *vc_sym_req,
 	virtqueue_kick(data_vq->vq);
 	spin_unlock_irqrestore(&data_vq->lock, flags);
 	if (unlikely(err < 0))
-		goto free_iv;
+		goto free;
 
 	return 0;
 
-free_iv:
-	kfree_sensitive(iv);
 free:
 	kfree(sgs);
 	return err;
@@ -501,8 +493,10 @@ static int virtio_crypto_skcipher_init(struct crypto_skcipher *tfm)
 {
 	struct virtio_crypto_skcipher_ctx *ctx = crypto_skcipher_ctx(tfm);
 	struct skcipher_alg *alg = crypto_skcipher_alg(tfm);
+	int size;
 
-	crypto_skcipher_set_reqsize(tfm, sizeof(struct virtio_crypto_sym_request));
+	size = sizeof(struct virtio_crypto_sym_request) + crypto_skcipher_ivsize(tfm);
+	crypto_skcipher_set_reqsize(tfm, size);
 	ctx->alg = container_of(alg, struct virtio_crypto_algo, algo.base);
 
 	return 0;
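Review bot: `int size;` holds the sum of a sizeof value and crypto_skcipher_ivsize(), both unsigned, and is then passed to crypto_skcipher_set_reqsize(), which takes an unsigned int; declaring it `unsigned int size;` avoids the signed round-trip. A short comment, e.g. `/* the request context is followed by ivsize bytes for the IV */`, would tie this size to the trailing `iv` member of struct virtio_crypto_sym_request, since an undersized reqsize would turn the later memcpy() into an out-of-bounds write.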
@@ -552,7 +546,7 @@ static void virtio_crypto_skcipher_finalize_req(
 		scatterwalk_map_and_copy(req->iv, req->dst,
 					 req->cryptlen - ivsize,
 					 ivsize, 0);
-	kfree_sensitive(vc_sym_req->iv);
+	memzero_explicit(vc_sym_req->iv, ivsize);
 	virtcrypto_clear_request(&vc_sym_req->base);
 
 	crypto_finalize_skcipher_request(vc_sym_req->base.dataq->engine,
-- 
2.39.3



* [PATCH v2 8/9] crypto: virtio: Add skcipher support without IV
       [not found] <20250701030842.1136519-1-maobibo@loongson.cn=20251204112227.2659404-1-maobibo@loongson.cn>
  2025-12-04 11:25 ` [PATCH v2 7/9] crypto: virtio: Add IV buffer in structure virtio_crypto_sym_request Bibo Mao
@ 2025-12-04 11:25 ` Bibo Mao
  2025-12-04 11:26 ` [PATCH v2 9/9] crypto: virtio: Add ecb aes algo support Bibo Mao
  2 siblings, 0 replies; 7+ messages in thread
From: Bibo Mao @ 2025-12-04 11:25 UTC (permalink / raw)
  To: Gonglei, Michael S. Tsirkin, Jason Wang, Xuan Zhuo,
	Eugenio Pérez, Herbert Xu, David S. Miller
  Cc: virtualization, linux-crypto, linux-kernel

Some skcipher algorithms, such as ecb(aes), have no IV buffer; add
checks on ivsize here.

Signed-off-by: Bibo Mao <maobibo@loongson.cn>
---
 .../virtio/virtio_crypto_skcipher_algs.c      | 36 +++++++++++--------
 1 file changed, 21 insertions(+), 15 deletions(-)

diff --git a/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c b/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c
index c911b7ba8f13..b4b79121c37c 100644
--- a/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c
+++ b/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c
@@ -345,7 +345,9 @@ __virtio_crypto_skcipher_do_req(struct virtio_crypto_sym_request *vc_sym_req,
 			src_nents, dst_nents);
 
 	/* Why 3?  outhdr + iv + inhdr */
-	sg_total = src_nents + dst_nents + 3;
+	sg_total = src_nents + dst_nents + 2;
+	if (ivsize)
+		sg_total += 1;
 	sgs = kcalloc_node(sg_total, sizeof(*sgs), GFP_KERNEL,
 				dev_to_node(&vcrypto->vdev->dev));
 	if (!sgs)
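Review bot: The comment `/* Why 3?  outhdr + iv + inhdr */` no longer matches the code below it, which now starts from 2 and adds one only when ivsize is non-zero. Suggest `/* outhdr + inhdr, plus one entry for the IV when the algorithm has one */`. Keeping this count in step with the entries actually stored in `sgs` matters because the array is sized from it; the code that fills the array lies partly outside this hunk.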
@@ -402,15 +404,17 @@ __virtio_crypto_skcipher_do_req(struct virtio_crypto_sym_request *vc_sym_req,
 	 * Avoid to do DMA from the stack, switch to using
 	 * dynamically-allocated for the IV
 	 */
-	iv = vc_sym_req->iv;
-	memcpy(iv, req->iv, ivsize);
-	if (!vc_sym_req->encrypt)
-		scatterwalk_map_and_copy(req->iv, req->src,
-					 req->cryptlen - ivsize,
-					 ivsize, 0);
-
-	sg_init_one(&iv_sg, iv, ivsize);
-	sgs[num_out++] = &iv_sg;
+	if (ivsize) {
+		iv = vc_sym_req->iv;
+		memcpy(iv, req->iv, ivsize);
+		if (!vc_sym_req->encrypt)
+			scatterwalk_map_and_copy(req->iv, req->src,
+					req->cryptlen - ivsize,
+					ivsize, 0);
+
+		sg_init_one(&iv_sg, iv, ivsize);
+		sgs[num_out++] = &iv_sg;
+	}
 
 	/* Source data */
 	for (sg = req->src; src_nents; sg = sg_next(sg), src_nents--)
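Review bot: The continuation lines of the re-indented scatterwalk_map_and_copy() call no longer line up with the opening parenthesis, as they did before the change and as kernel style expects; the same applies to the call in the virtio_crypto_skcipher_finalize_req hunk. Separately, the offset `req->cryptlen - ivsize` is computed in unsigned arithmetic, so this block relies on requests shorter than ivsize having been rejected earlier; that check is not visible in this hunk and is worth confirming.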
@@ -542,11 +546,13 @@ static void virtio_crypto_skcipher_finalize_req(
 	struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
 	unsigned int ivsize = crypto_skcipher_ivsize(tfm);
 
-	if (vc_sym_req->encrypt)
-		scatterwalk_map_and_copy(req->iv, req->dst,
-					 req->cryptlen - ivsize,
-					 ivsize, 0);
-	memzero_explicit(vc_sym_req->iv, ivsize);
+	if (ivsize) {
+		if (vc_sym_req->encrypt)
+			scatterwalk_map_and_copy(req->iv, req->dst,
+					req->cryptlen - ivsize,
+					ivsize, 0);
+		memzero_explicit(vc_sym_req->iv, ivsize);
+	}
 	virtcrypto_clear_request(&vc_sym_req->base);
 
 	crypto_finalize_skcipher_request(vc_sym_req->base.dataq->engine,
-- 
2.39.3



* [PATCH v2 9/9] crypto: virtio: Add ecb aes algo support
       [not found] <20250701030842.1136519-1-maobibo@loongson.cn=20251204112227.2659404-1-maobibo@loongson.cn>
  2025-12-04 11:25 ` [PATCH v2 7/9] crypto: virtio: Add IV buffer in structure virtio_crypto_sym_request Bibo Mao
  2025-12-04 11:25 ` [PATCH v2 8/9] crypto: virtio: Add skcipher support without IV Bibo Mao
@ 2025-12-04 11:26 ` Bibo Mao
  2025-12-04 11:43   ` Michael S. Tsirkin
  2 siblings, 1 reply; 7+ messages in thread
From: Bibo Mao @ 2025-12-04 11:26 UTC (permalink / raw)
  To: Gonglei, Michael S. Tsirkin, Jason Wang, Xuan Zhuo,
	Eugenio Pérez, Herbert Xu, David S. Miller
  Cc: virtualization, linux-crypto, linux-kernel

Add the ECB AES algorithm here; its ivsize is zero and its name differs
from that of the CBC AES algorithm.

Signed-off-by: Bibo Mao <maobibo@loongson.cn>
---
 .../virtio/virtio_crypto_skcipher_algs.c      | 74 +++++++++++++------
 1 file changed, 50 insertions(+), 24 deletions(-)

diff --git a/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c b/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c
index b4b79121c37c..9b4ba6a6b9cf 100644
--- a/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c
+++ b/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c
@@ -559,31 +559,57 @@ static void virtio_crypto_skcipher_finalize_req(
 					   req, err);
 }
 
-static struct virtio_crypto_algo virtio_crypto_algs[] = { {
-	.algonum = VIRTIO_CRYPTO_CIPHER_AES_CBC,
-	.service = VIRTIO_CRYPTO_SERVICE_CIPHER,
-	.algo.base = {
-		.base.cra_name		= "cbc(aes)",
-		.base.cra_driver_name	= "virtio_crypto_aes_cbc",
-		.base.cra_priority	= 150,
-		.base.cra_flags		= CRYPTO_ALG_ASYNC |
-					  CRYPTO_ALG_ALLOCATES_MEMORY,
-		.base.cra_blocksize	= AES_BLOCK_SIZE,
-		.base.cra_ctxsize	= sizeof(struct virtio_crypto_skcipher_ctx),
-		.base.cra_module	= THIS_MODULE,
-		.init			= virtio_crypto_skcipher_init,
-		.exit			= virtio_crypto_skcipher_exit,
-		.setkey			= virtio_crypto_skcipher_setkey,
-		.decrypt		= virtio_crypto_skcipher_decrypt,
-		.encrypt		= virtio_crypto_skcipher_encrypt,
-		.min_keysize		= AES_MIN_KEY_SIZE,
-		.max_keysize		= AES_MAX_KEY_SIZE,
-		.ivsize			= AES_BLOCK_SIZE,
+static struct virtio_crypto_algo virtio_crypto_algs[] = {
+	{
+		.algonum = VIRTIO_CRYPTO_CIPHER_AES_CBC,
+		.service = VIRTIO_CRYPTO_SERVICE_CIPHER,
+		.algo.base = {
+			.base.cra_name		= "cbc(aes)",
+			.base.cra_driver_name	= "virtio_crypto_aes_cbc",
+			.base.cra_priority	= 150,
+			.base.cra_flags		= CRYPTO_ALG_ASYNC |
+				CRYPTO_ALG_ALLOCATES_MEMORY,
+			.base.cra_blocksize	= AES_BLOCK_SIZE,
+			.base.cra_ctxsize	= sizeof(struct virtio_crypto_skcipher_ctx),
+			.base.cra_module	= THIS_MODULE,
+			.init			= virtio_crypto_skcipher_init,
+			.exit			= virtio_crypto_skcipher_exit,
+			.setkey			= virtio_crypto_skcipher_setkey,
+			.decrypt		= virtio_crypto_skcipher_decrypt,
+			.encrypt		= virtio_crypto_skcipher_encrypt,
+			.min_keysize		= AES_MIN_KEY_SIZE,
+			.max_keysize		= AES_MAX_KEY_SIZE,
+			.ivsize			= AES_BLOCK_SIZE,
+		},
+		.algo.op = {
+			.do_one_request = virtio_crypto_skcipher_crypt_req,
+		},
 	},
-	.algo.op = {
-		.do_one_request = virtio_crypto_skcipher_crypt_req,
-	},
-} };
+	{
+		.algonum = VIRTIO_CRYPTO_CIPHER_AES_ECB,
+		.service = VIRTIO_CRYPTO_SERVICE_CIPHER,
+		.algo.base = {
+			.base.cra_name		= "ecb(aes)",
+			.base.cra_driver_name	= "virtio_crypto_aes_ecb",
+			.base.cra_priority	= 150,
+			.base.cra_flags		= CRYPTO_ALG_ASYNC |
+				CRYPTO_ALG_ALLOCATES_MEMORY,
+			.base.cra_blocksize	= AES_BLOCK_SIZE,
+			.base.cra_ctxsize	= sizeof(struct virtio_crypto_skcipher_ctx),
+			.base.cra_module	= THIS_MODULE,
+			.init			= virtio_crypto_skcipher_init,
+			.exit			= virtio_crypto_skcipher_exit,
+			.setkey			= virtio_crypto_skcipher_setkey,
+			.decrypt		= virtio_crypto_skcipher_decrypt,
+			.encrypt		= virtio_crypto_skcipher_encrypt,
+			.min_keysize		= AES_MIN_KEY_SIZE,
+			.max_keysize		= AES_MAX_KEY_SIZE,
+		},
+		.algo.op = {
+			.do_one_request = virtio_crypto_skcipher_crypt_req,
+		},
+	}
+};
 
 int virtio_crypto_skcipher_algs_register(struct virtio_crypto *vcrypto)
 {
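Review bot: The new ecb(aes) entry reuses `virtio_crypto_skcipher_setkey` and the other callbacks of the CBC entry, so the device session is only opened as ECB if the key-setup path takes the cipher from the entry's `.algonum`; that path is outside this hunk and should be checked for any fixed CBC value. The entry also omits `.ivsize` and relies on zero-initialisation; writing `.ivsize = 0,` would make explicit what the `if (ivsize)` paths depend on. A brief comment on the entry, such as `/* ECB: no IV; identical plaintext blocks yield identical ciphertext */`, would document why this mode differs from the CBC entry above it.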
-- 
2.39.3



* Re: [PATCH v2 9/9] crypto: virtio: Add ecb aes algo support
  2025-12-04 11:26 ` [PATCH v2 9/9] crypto: virtio: Add ecb aes algo support Bibo Mao
@ 2025-12-04 11:43   ` Michael S. Tsirkin
  2025-12-04 11:52     ` Bibo Mao
  0 siblings, 1 reply; 7+ messages in thread
From: Michael S. Tsirkin @ 2025-12-04 11:43 UTC (permalink / raw)
  To: Bibo Mao
  Cc: Gonglei, Jason Wang, Xuan Zhuo, Eugenio Pérez, Herbert Xu,
	David S. Miller, virtualization, linux-crypto, linux-kernel

On Thu, Dec 04, 2025 at 07:26:11PM +0800, Bibo Mao wrote:
> ECB AES also is added here, its ivsize is zero and name is different
> compared with CBC AES algo.
> 
> Signed-off-by: Bibo Mao <maobibo@loongson.cn>

you did not post the cover letter, so the mail thread is malformed.

> ---
>  .../virtio/virtio_crypto_skcipher_algs.c      | 74 +++++++++++++------
>  1 file changed, 50 insertions(+), 24 deletions(-)
> 
> diff --git a/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c b/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c
> index b4b79121c37c..9b4ba6a6b9cf 100644
> --- a/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c
> +++ b/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c
> @@ -559,31 +559,57 @@ static void virtio_crypto_skcipher_finalize_req(
>  					   req, err);
>  }
>  
> -static struct virtio_crypto_algo virtio_crypto_algs[] = { {
> -	.algonum = VIRTIO_CRYPTO_CIPHER_AES_CBC,
> -	.service = VIRTIO_CRYPTO_SERVICE_CIPHER,
> -	.algo.base = {
> -		.base.cra_name		= "cbc(aes)",
> -		.base.cra_driver_name	= "virtio_crypto_aes_cbc",
> -		.base.cra_priority	= 150,
> -		.base.cra_flags		= CRYPTO_ALG_ASYNC |
> -					  CRYPTO_ALG_ALLOCATES_MEMORY,
> -		.base.cra_blocksize	= AES_BLOCK_SIZE,
> -		.base.cra_ctxsize	= sizeof(struct virtio_crypto_skcipher_ctx),
> -		.base.cra_module	= THIS_MODULE,
> -		.init			= virtio_crypto_skcipher_init,
> -		.exit			= virtio_crypto_skcipher_exit,
> -		.setkey			= virtio_crypto_skcipher_setkey,
> -		.decrypt		= virtio_crypto_skcipher_decrypt,
> -		.encrypt		= virtio_crypto_skcipher_encrypt,
> -		.min_keysize		= AES_MIN_KEY_SIZE,
> -		.max_keysize		= AES_MAX_KEY_SIZE,
> -		.ivsize			= AES_BLOCK_SIZE,
> +static struct virtio_crypto_algo virtio_crypto_algs[] = {
> +	{
> +		.algonum = VIRTIO_CRYPTO_CIPHER_AES_CBC,
> +		.service = VIRTIO_CRYPTO_SERVICE_CIPHER,
> +		.algo.base = {
> +			.base.cra_name		= "cbc(aes)",
> +			.base.cra_driver_name	= "virtio_crypto_aes_cbc",
> +			.base.cra_priority	= 150,
> +			.base.cra_flags		= CRYPTO_ALG_ASYNC |
> +				CRYPTO_ALG_ALLOCATES_MEMORY,
> +			.base.cra_blocksize	= AES_BLOCK_SIZE,
> +			.base.cra_ctxsize	= sizeof(struct virtio_crypto_skcipher_ctx),
> +			.base.cra_module	= THIS_MODULE,
> +			.init			= virtio_crypto_skcipher_init,
> +			.exit			= virtio_crypto_skcipher_exit,
> +			.setkey			= virtio_crypto_skcipher_setkey,
> +			.decrypt		= virtio_crypto_skcipher_decrypt,
> +			.encrypt		= virtio_crypto_skcipher_encrypt,
> +			.min_keysize		= AES_MIN_KEY_SIZE,
> +			.max_keysize		= AES_MAX_KEY_SIZE,
> +			.ivsize			= AES_BLOCK_SIZE,
> +		},
> +		.algo.op = {
> +			.do_one_request = virtio_crypto_skcipher_crypt_req,
> +		},
>  	},
> -	.algo.op = {
> -		.do_one_request = virtio_crypto_skcipher_crypt_req,
> -	},
> -} };
> +	{
> +		.algonum = VIRTIO_CRYPTO_CIPHER_AES_ECB,
> +		.service = VIRTIO_CRYPTO_SERVICE_CIPHER,
> +		.algo.base = {
> +			.base.cra_name		= "ecb(aes)",
> +			.base.cra_driver_name	= "virtio_crypto_aes_ecb",
> +			.base.cra_priority	= 150,
> +			.base.cra_flags		= CRYPTO_ALG_ASYNC |
> +				CRYPTO_ALG_ALLOCATES_MEMORY,
> +			.base.cra_blocksize	= AES_BLOCK_SIZE,
> +			.base.cra_ctxsize	= sizeof(struct virtio_crypto_skcipher_ctx),
> +			.base.cra_module	= THIS_MODULE,
> +			.init			= virtio_crypto_skcipher_init,
> +			.exit			= virtio_crypto_skcipher_exit,
> +			.setkey			= virtio_crypto_skcipher_setkey,
> +			.decrypt		= virtio_crypto_skcipher_decrypt,
> +			.encrypt		= virtio_crypto_skcipher_encrypt,
> +			.min_keysize		= AES_MIN_KEY_SIZE,
> +			.max_keysize		= AES_MAX_KEY_SIZE,
> +		},
> +		.algo.op = {
> +			.do_one_request = virtio_crypto_skcipher_crypt_req,
> +		},
> +	}
> +};
>  
>  int virtio_crypto_skcipher_algs_register(struct virtio_crypto *vcrypto)
>  {
> -- 
> 2.39.3



* Re: [PATCH v2 9/9] crypto: virtio: Add ecb aes algo support
  2025-12-04 11:43   ` Michael S. Tsirkin
@ 2025-12-04 11:52     ` Bibo Mao
  0 siblings, 0 replies; 7+ messages in thread
From: Bibo Mao @ 2025-12-04 11:52 UTC (permalink / raw)
  To: Michael S. Tsirkin
  Cc: Gonglei, Jason Wang, Xuan Zhuo, Eugenio Pérez, Herbert Xu,
	David S. Miller, virtualization, linux-crypto, linux-kernel



On 2025/12/4 下午7:43, Michael S. Tsirkin wrote:
> On Thu, Dec 04, 2025 at 07:26:11PM +0800, Bibo Mao wrote:
>> ECB AES also is added here, its ivsize is zero and name is different
>> compared with CBC AES algo.
>>
>> Signed-off-by: Bibo Mao <maobibo@loongson.cn>
> 
> you did not post the cover letter, so the mail thread is malformed.
Sorry for the trouble, my mail server has a problem sending multiple mails 
in batch mode with the git send-email command.

Please ignore it; I will send it tomorrow to avoid extra confusion. Sorry 
for the noise again.

Regards
Bibo Mao
> 
>> ---
>>   .../virtio/virtio_crypto_skcipher_algs.c      | 74 +++++++++++++------
>>   1 file changed, 50 insertions(+), 24 deletions(-)
>>
>> diff --git a/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c b/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c
>> index b4b79121c37c..9b4ba6a6b9cf 100644
>> --- a/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c
>> +++ b/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c
>> @@ -559,31 +559,57 @@ static void virtio_crypto_skcipher_finalize_req(
>>   					   req, err);
>>   }
>>   
>> -static struct virtio_crypto_algo virtio_crypto_algs[] = { {
>> -	.algonum = VIRTIO_CRYPTO_CIPHER_AES_CBC,
>> -	.service = VIRTIO_CRYPTO_SERVICE_CIPHER,
>> -	.algo.base = {
>> -		.base.cra_name		= "cbc(aes)",
>> -		.base.cra_driver_name	= "virtio_crypto_aes_cbc",
>> -		.base.cra_priority	= 150,
>> -		.base.cra_flags		= CRYPTO_ALG_ASYNC |
>> -					  CRYPTO_ALG_ALLOCATES_MEMORY,
>> -		.base.cra_blocksize	= AES_BLOCK_SIZE,
>> -		.base.cra_ctxsize	= sizeof(struct virtio_crypto_skcipher_ctx),
>> -		.base.cra_module	= THIS_MODULE,
>> -		.init			= virtio_crypto_skcipher_init,
>> -		.exit			= virtio_crypto_skcipher_exit,
>> -		.setkey			= virtio_crypto_skcipher_setkey,
>> -		.decrypt		= virtio_crypto_skcipher_decrypt,
>> -		.encrypt		= virtio_crypto_skcipher_encrypt,
>> -		.min_keysize		= AES_MIN_KEY_SIZE,
>> -		.max_keysize		= AES_MAX_KEY_SIZE,
>> -		.ivsize			= AES_BLOCK_SIZE,
>> +static struct virtio_crypto_algo virtio_crypto_algs[] = {
>> +	{
>> +		.algonum = VIRTIO_CRYPTO_CIPHER_AES_CBC,
>> +		.service = VIRTIO_CRYPTO_SERVICE_CIPHER,
>> +		.algo.base = {
>> +			.base.cra_name		= "cbc(aes)",
>> +			.base.cra_driver_name	= "virtio_crypto_aes_cbc",
>> +			.base.cra_priority	= 150,
>> +			.base.cra_flags		= CRYPTO_ALG_ASYNC |
>> +				CRYPTO_ALG_ALLOCATES_MEMORY,
>> +			.base.cra_blocksize	= AES_BLOCK_SIZE,
>> +			.base.cra_ctxsize	= sizeof(struct virtio_crypto_skcipher_ctx),
>> +			.base.cra_module	= THIS_MODULE,
>> +			.init			= virtio_crypto_skcipher_init,
>> +			.exit			= virtio_crypto_skcipher_exit,
>> +			.setkey			= virtio_crypto_skcipher_setkey,
>> +			.decrypt		= virtio_crypto_skcipher_decrypt,
>> +			.encrypt		= virtio_crypto_skcipher_encrypt,
>> +			.min_keysize		= AES_MIN_KEY_SIZE,
>> +			.max_keysize		= AES_MAX_KEY_SIZE,
>> +			.ivsize			= AES_BLOCK_SIZE,
>> +		},
>> +		.algo.op = {
>> +			.do_one_request = virtio_crypto_skcipher_crypt_req,
>> +		},
>>   	},
>> -	.algo.op = {
>> -		.do_one_request = virtio_crypto_skcipher_crypt_req,
>> -	},
>> -} };
>> +	{
>> +		.algonum = VIRTIO_CRYPTO_CIPHER_AES_ECB,
>> +		.service = VIRTIO_CRYPTO_SERVICE_CIPHER,
>> +		.algo.base = {
>> +			.base.cra_name		= "ecb(aes)",
>> +			.base.cra_driver_name	= "virtio_crypto_aes_ecb",
>> +			.base.cra_priority	= 150,
>> +			.base.cra_flags		= CRYPTO_ALG_ASYNC |
>> +				CRYPTO_ALG_ALLOCATES_MEMORY,
>> +			.base.cra_blocksize	= AES_BLOCK_SIZE,
>> +			.base.cra_ctxsize	= sizeof(struct virtio_crypto_skcipher_ctx),
>> +			.base.cra_module	= THIS_MODULE,
>> +			.init			= virtio_crypto_skcipher_init,
>> +			.exit			= virtio_crypto_skcipher_exit,
>> +			.setkey			= virtio_crypto_skcipher_setkey,
>> +			.decrypt		= virtio_crypto_skcipher_decrypt,
>> +			.encrypt		= virtio_crypto_skcipher_encrypt,
>> +			.min_keysize		= AES_MIN_KEY_SIZE,
>> +			.max_keysize		= AES_MAX_KEY_SIZE,
>> +		},
>> +		.algo.op = {
>> +			.do_one_request = virtio_crypto_skcipher_crypt_req,
>> +		},
>> +	}
>> +};
>>   
>>   int virtio_crypto_skcipher_algs_register(struct virtio_crypto *vcrypto)
>>   {
>> -- 
>> 2.39.3



* Re: [PATCH v2 7/9] crypto: virtio: Add IV buffer in structure virtio_crypto_sym_request
  2025-12-04 11:25 ` [PATCH v2 7/9] crypto: virtio: Add IV buffer in structure virtio_crypto_sym_request Bibo Mao
@ 2025-12-04 12:48   ` Michael S. Tsirkin
  2025-12-05  1:19     ` Bibo Mao
  0 siblings, 1 reply; 7+ messages in thread
From: Michael S. Tsirkin @ 2025-12-04 12:48 UTC (permalink / raw)
  To: Bibo Mao
  Cc: Gonglei, Jason Wang, Xuan Zhuo, Eugenio Pérez, Herbert Xu,
	David S. Miller, virtualization, linux-crypto, linux-kernel

On Thu, Dec 04, 2025 at 07:25:02PM +0800, Bibo Mao wrote:
> Add IV buffer in structure virtio_crypto_sym_request to avoid unnecessary
> IV buffer allocation in encrypt/decrypt process. And IV buffer is cleared
> when encrypt/decrypt is finished.
> 
> Signed-off-by: Bibo Mao <maobibo@loongson.cn>
> ---
>  .../virtio/virtio_crypto_skcipher_algs.c      | 20 +++++++------------
>  1 file changed, 7 insertions(+), 13 deletions(-)
> 
> diff --git a/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c b/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c
> index a7c7c726e6d9..c911b7ba8f13 100644
> --- a/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c
> +++ b/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c
> @@ -30,9 +30,9 @@ struct virtio_crypto_sym_request {
>  
>  	/* Cipher or aead */
>  	uint32_t type;
> -	uint8_t *iv;
>  	/* Encryption? */
>  	bool encrypt;
> +	uint8_t iv[0];
>  };
>  
>  struct virtio_crypto_algo {
> @@ -402,12 +402,7 @@ __virtio_crypto_skcipher_do_req(struct virtio_crypto_sym_request *vc_sym_req,
>  	 * Avoid to do DMA from the stack, switch to using
>  	 * dynamically-allocated for the IV
>  	 */
> -	iv = kzalloc_node(ivsize, GFP_ATOMIC,
> -				dev_to_node(&vcrypto->vdev->dev));
> -	if (!iv) {
> -		err = -ENOMEM;
> -		goto free;
> -	}
> +	iv = vc_sym_req->iv;
>  	memcpy(iv, req->iv, ivsize);
>  	if (!vc_sym_req->encrypt)
>  		scatterwalk_map_and_copy(req->iv, req->src,
> @@ -416,7 +411,6 @@ __virtio_crypto_skcipher_do_req(struct virtio_crypto_sym_request *vc_sym_req,
>  
>  	sg_init_one(&iv_sg, iv, ivsize);
>  	sgs[num_out++] = &iv_sg;
> -	vc_sym_req->iv = iv;
>  
>  	/* Source data */
>  	for (sg = req->src; src_nents; sg = sg_next(sg), src_nents--)
> @@ -438,12 +432,10 @@ __virtio_crypto_skcipher_do_req(struct virtio_crypto_sym_request *vc_sym_req,
>  	virtqueue_kick(data_vq->vq);
>  	spin_unlock_irqrestore(&data_vq->lock, flags);
>  	if (unlikely(err < 0))
> -		goto free_iv;
> +		goto free;
>  
>  	return 0;
>  
> -free_iv:
> -	kfree_sensitive(iv);

so iv is no longer cleared on error. problem?

>  free:
>  	kfree(sgs);
>  	return err;
> @@ -501,8 +493,10 @@ static int virtio_crypto_skcipher_init(struct crypto_skcipher *tfm)
>  {
>  	struct virtio_crypto_skcipher_ctx *ctx = crypto_skcipher_ctx(tfm);
>  	struct skcipher_alg *alg = crypto_skcipher_alg(tfm);
> +	int size;
>  
> -	crypto_skcipher_set_reqsize(tfm, sizeof(struct virtio_crypto_sym_request));
> +	size = sizeof(struct virtio_crypto_sym_request) + crypto_skcipher_ivsize(tfm);
> +	crypto_skcipher_set_reqsize(tfm, size);
>  	ctx->alg = container_of(alg, struct virtio_crypto_algo, algo.base);
>  
>  	return 0;
> @@ -552,7 +546,7 @@ static void virtio_crypto_skcipher_finalize_req(
>  		scatterwalk_map_and_copy(req->iv, req->dst,
>  					 req->cryptlen - ivsize,
>  					 ivsize, 0);
> -	kfree_sensitive(vc_sym_req->iv);
> +	memzero_explicit(vc_sym_req->iv, ivsize);
>  	virtcrypto_clear_request(&vc_sym_req->base);
>  
>  	crypto_finalize_skcipher_request(vc_sym_req->base.dataq->engine,
> -- 
> 2.39.3



* Re: [PATCH v2 7/9] crypto: virtio: Add IV buffer in structure virtio_crypto_sym_request
  2025-12-04 12:48   ` Michael S. Tsirkin
@ 2025-12-05  1:19     ` Bibo Mao
  0 siblings, 0 replies; 7+ messages in thread
From: Bibo Mao @ 2025-12-05  1:19 UTC (permalink / raw)
  To: Michael S. Tsirkin
  Cc: Gonglei, Jason Wang, Xuan Zhuo, Eugenio Pérez, Herbert Xu,
	David S. Miller, virtualization, linux-crypto, linux-kernel



On 2025/12/4 下午8:48, Michael S. Tsirkin wrote:
> On Thu, Dec 04, 2025 at 07:25:02PM +0800, Bibo Mao wrote:
>> Add IV buffer in structure virtio_crypto_sym_request to avoid unnecessary
>> IV buffer allocation in encrypt/decrypt process. And IV buffer is cleared
>> when encrypt/decrypt is finished.
>>
>> Signed-off-by: Bibo Mao <maobibo@loongson.cn>
>> ---
>>   .../virtio/virtio_crypto_skcipher_algs.c      | 20 +++++++------------
>>   1 file changed, 7 insertions(+), 13 deletions(-)
>>
>> diff --git a/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c b/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c
>> index a7c7c726e6d9..c911b7ba8f13 100644
>> --- a/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c
>> +++ b/drivers/crypto/virtio/virtio_crypto_skcipher_algs.c
>> @@ -30,9 +30,9 @@ struct virtio_crypto_sym_request {
>>   
>>   	/* Cipher or aead */
>>   	uint32_t type;
>> -	uint8_t *iv;
>>   	/* Encryption? */
>>   	bool encrypt;
>> +	uint8_t iv[0];
>>   };
>>   
>>   struct virtio_crypto_algo {
>> @@ -402,12 +402,7 @@ __virtio_crypto_skcipher_do_req(struct virtio_crypto_sym_request *vc_sym_req,
>>   	 * Avoid to do DMA from the stack, switch to using
>>   	 * dynamically-allocated for the IV
>>   	 */
>> -	iv = kzalloc_node(ivsize, GFP_ATOMIC,
>> -				dev_to_node(&vcrypto->vdev->dev));
>> -	if (!iv) {
>> -		err = -ENOMEM;
>> -		goto free;
>> -	}
>> +	iv = vc_sym_req->iv;
>>   	memcpy(iv, req->iv, ivsize);
>>   	if (!vc_sym_req->encrypt)
>>   		scatterwalk_map_and_copy(req->iv, req->src,
>> @@ -416,7 +411,6 @@ __virtio_crypto_skcipher_do_req(struct virtio_crypto_sym_request *vc_sym_req,
>>   
>>   	sg_init_one(&iv_sg, iv, ivsize);
>>   	sgs[num_out++] = &iv_sg;
>> -	vc_sym_req->iv = iv;
>>   
>>   	/* Source data */
>>   	for (sg = req->src; src_nents; sg = sg_next(sg), src_nents--)
>> @@ -438,12 +432,10 @@ __virtio_crypto_skcipher_do_req(struct virtio_crypto_sym_request *vc_sym_req,
>>   	virtqueue_kick(data_vq->vq);
>>   	spin_unlock_irqrestore(&data_vq->lock, flags);
>>   	if (unlikely(err < 0))
>> -		goto free_iv;
>> +		goto free;
>>   
>>   	return 0;
>>   
>> -free_iv:
>> -	kfree_sensitive(iv);
> 
> so iv is no longer cleared on error. problem?
Yes, it is a problem; the IV buffer should be cleared on error.
Will fix in the next version.

Regards
Bibo Mao
> 
>>   free:
>>   	kfree(sgs);
>>   	return err;
>> @@ -501,8 +493,10 @@ static int virtio_crypto_skcipher_init(struct crypto_skcipher *tfm)
>>   {
>>   	struct virtio_crypto_skcipher_ctx *ctx = crypto_skcipher_ctx(tfm);
>>   	struct skcipher_alg *alg = crypto_skcipher_alg(tfm);
>> +	int size;
>>   
>> -	crypto_skcipher_set_reqsize(tfm, sizeof(struct virtio_crypto_sym_request));
>> +	size = sizeof(struct virtio_crypto_sym_request) + crypto_skcipher_ivsize(tfm);
>> +	crypto_skcipher_set_reqsize(tfm, size);
>>   	ctx->alg = container_of(alg, struct virtio_crypto_algo, algo.base);
>>   
>>   	return 0;
>> @@ -552,7 +546,7 @@ static void virtio_crypto_skcipher_finalize_req(
>>   		scatterwalk_map_and_copy(req->iv, req->dst,
>>   					 req->cryptlen - ivsize,
>>   					 ivsize, 0);
>> -	kfree_sensitive(vc_sym_req->iv);
>> +	memzero_explicit(vc_sym_req->iv, ivsize);
>>   	virtcrypto_clear_request(&vc_sym_req->base);
>>   
>>   	crypto_finalize_skcipher_request(vc_sym_req->base.dataq->engine,
>> -- 
>> 2.39.3
> 


