- 05 Nov 2013, 1 commit
-
-
Submitted by Herbert Xu
The cbc-aes-s390 algorithm incorrectly places the IV in the tfm data structure. As the tfm is shared between multiple threads, this introduces a possibility of data corruption. This patch fixes this by moving the parameter block containing the IV and key onto the stack (the block is 48 bytes long). The same bug exists elsewhere in the s390 crypto system and they will be fixed in subsequent patches.
Cc: stable@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- 30 Oct 2013, 9 commits
-
-
Submitted by Joel Fernandes
NIST vectors for CTR mode in testmgr.h assume the entire IV as the counter. To get correct results that match the output of these vectors, we need to set the counter length correctly.
Signed-off-by: Joel Fernandes <joelf@ti.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Joni Lapilainen
Signed-off-by: Joni Lapilainen <joni.lapilainen@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Mathias Krause
Using a spinlock to atomically increase a counter sounds wrong -- we've atomic_t for this! Also move 'seq_nr' to a different cache line than 'lock' to reduce cache line thrashing. This has the nice side effect of decreasing the size of struct parallel_data from 192 to 128 bytes for an x86-64 build, e.g. occupying only two instead of three cache lines. Those changes result in a 5% performance increase on an IPsec test run using pcrypt. Btw. the seq_lock spinlock was never explicitly initialized -- one more reason to get rid of it.
Signed-off-by: Mathias Krause <mathias.krause@secunet.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Ruchika Gupta
- Earlier interface layers - caamalg, caamhash, caamrng were directly using the Controller driver private structure to access the Job ring.
- Changed the above to use alloc/free API's provided by Job Ring Driver.
Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
Reviewed-by: Garg Vakul-B16394 <vakul@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Ruchika Gupta
With each of the Job Ring available as a platform device, the Job Ring driver needs to take care of allocation/deallocation of the Job Rings to the above interface layers. Added APIs in Job Ring Driver to allocate/free Job rings.
Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
Reviewed-by: Garg Vakul-B16394 <vakul@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Ruchika Gupta
The SEC Job Rings are now available as individual devices. This would enable sharing of job rings between kernel and user space. Job Rings can now be dynamically bound/unbound from kernel. Changes are made in the following layers of CAAM Driver:
1. Controller driver
   - Does basic initialization of CAAM Block.
   - Creates platform devices for Job Rings. (Earlier the initialization of Job ring was done by the controller driver)
2. JobRing Platform driver
   - Manages the platform Job Ring devices created by the controller driver
Signed-off-by: Ruchika Gupta <ruchika.gupta@freescale.com>
Reviewed-by: Garg Vakul-B16394 <vakul@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Stanimir Varbanov
This adds a driver for hardware random number generator present on Qualcomm MSM SoCs.
Signed-off-by: Stanimir Varbanov <svarbanov@mm-sol.com>
Reviewed-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Stanimir Varbanov
This adds Qualcomm PRNG driver device tree binding documentation to use as an example in dts trees.
Signed-off-by: Stanimir Varbanov <svarbanov@mm-sol.com>
Reviewed-by: Stephen Boyd <sboyd@codeaurora.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Herbert Xu
Previously we would use eseqiv on all async ciphers in all cases, and sync ciphers if we have more than one CPU. This meant that chainiv is only used in the case of sync ciphers on a UP machine. As chainiv may aid attackers by making the IV predictable, even though this risk itself is small, the above usage pattern causes it to further leak information about the host. This patch addresses these issues by using eseqiv even if we're on a UP machine.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Acked-by: David S. Miller <davem@davemloft.net>
-
- 16 Oct 2013, 7 commits
-
-
Submitted by Mathias Krause
Use the common helper function crypto_authenc_extractkeys() for key parsing.
Cc: Kim Phillips <kim.phillips@freescale.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Mathias Krause <mathias.krause@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Mathias Krause
Use the common helper function crypto_authenc_extractkeys() for key parsing. Also ensure the auth key won't overflow the hash_ctx buffer.
Cc: Jamie Iles <jamie@jamieiles.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Mathias Krause <mathias.krause@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Mathias Krause
Use the common helper function crypto_authenc_extractkeys() for key parsing. Also ensure the keys do fit into the corresponding buffers. Otherwise memory corruption might occur.
Cc: Christian Hohnstaedt <chohnstaedt@innominate.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Mathias Krause <mathias.krause@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Mathias Krause
Use the common helper function crypto_authenc_extractkeys() for key parsing.
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Mathias Krause <mathias.krause@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Mathias Krause
AEAD key parsing is duplicated to multiple places in the kernel. Add a common helper function to consolidate that functionality.
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Mathias Krause <mathias.krause@secunet.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Michael Opdenacker
This patch proposes to remove the use of the IRQF_DISABLED flag. It's a NOOP since 2.6.35 and it will be removed one day.
Signed-off-by: Michael Opdenacker <michael.opdenacker@free-electrons.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Pali Rohár
This driver provides kernel-side support for the Random Number Generator hardware found on OMAP34xx processors. This driver comes from Maemo 2.6.28 kernel and was tested on Nokia RX-51. It is a platform device because it needs board specific function for smc calls.
Signed-off-by: Pali Rohár <pali.rohar@gmail.com>
Signed-off-by: Juha Yrjola <juha.yrjola@solidboot.com>
Acked-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- 07 Oct 2013, 8 commits
-
-
Submitted by Oliver Neukum
The AVX2 implementation also uses BMI2 instructions, but doesn't test for their availability. The assumption that AVX2 and BMI2 always go together is false. Some Haswells have AVX2 but not BMI2.
Signed-off-by: Oliver Neukum <oneukum@suse.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Sachin Kamat
The data structure of_match_ptr() protects is always compiled in. Hence of_match_ptr() is not needed.
Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org>
Cc: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Sachin Kamat
The data structure of_match_ptr() protects is always compiled in. Hence of_match_ptr() is not needed.
Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org>
Cc: Javier Martin <javier.martin@vista-silicon.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by James Yonan
When comparing MAC hashes, AEAD authentication tags, or other hash values in the context of authentication or integrity checking, it is important not to leak timing information to a potential attacker, i.e. when communication happens over a network.

Bytewise memory comparisons (such as memcmp) are usually optimized so that they return a nonzero value as soon as a mismatch is found. E.g., on x86_64/i5 for 512 bytes this can be ~50 cyc for a full mismatch and up to ~850 cyc for a full match (cold). This early-return behavior can leak timing information as a side channel, allowing an attacker to iteratively guess the correct result.

This patch adds a new method crypto_memneq ("memory not equal to each other") to the crypto API that compares memory areas of the same length in roughly "constant time" (cache misses could change the timing, but since they don't reveal information about the content of the strings being compared, they are effectively benign). Iow, best and worst case behaviour take the same amount of time to complete (in contrast to memcmp).

Note that crypto_memneq (unlike memcmp) can only be used to test for equality or inequality, NOT for lexicographical order. This, however, is not an issue for its use-cases within the crypto API.

We tried to locate all of the places in the crypto API where memcmp was being used for authentication or integrity checking, and convert them over to crypto_memneq.

crypto_memneq is declared noinline, placed in its own source file, and compiled with optimizations that might increase code size disabled ("Os") because a smart compiler (or LTO) might notice that the return value is always compared against zero/nonzero, and might then reintroduce the same early-return optimization that we are trying to avoid.

Using #pragma or __attribute__ optimization annotations of the code for disabling optimization was avoided as it seems to be considered broken or unmaintained for a long time in GCC [1]. Therefore, we work around that by specifying the compile flag for memneq.o directly in the Makefile. We found that this seems to be most appropriate.

As we use ("Os"), this patch also provides a loop-free "fast-path" for frequently used 16 byte digests. Similarly to kernel library string functions, leave an option for future even further optimized architecture specific assembler implementations.

This was a joint work of James Yonan and Daniel Borkmann. Also thanks for feedback from Florian Weimer on this and earlier proposals [2].

[1] http://gcc.gnu.org/ml/gcc/2012-07/msg00211.html
[2] https://lkml.org/lkml/2013/2/10/131

Signed-off-by: James Yonan <james@openvpn.net>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Florian Weimer <fw@deneb.enyo.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
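The constant-time comparison the commit message describes, written out as an added user-space example (not the kernel's crypto/memneq.c): the generic loop accumulates every byte difference with XOR/OR and never returns early, and a loop-free path handles the common 16-byte digest case. The function names ct_memneq, ct_memneq_16 and tag_matches are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Generic path: returns 0 only if all bytes match, nonzero otherwise.
 * Every byte is visited regardless of where the first mismatch is, so the
 * running time does not depend on the contents (cache effects aside). */
static unsigned long ct_memneq_generic(const void *a, const void *b, size_t size)
{
    const unsigned char *pa = a, *pb = b;
    unsigned long neq = 0;

    while (size > 0) {
        neq |= (unsigned long)(*pa ^ *pb);  /* accumulate, never branch on data */
        pa++;
        pb++;
        size--;
    }
    return neq;
}

/* Loop-free fast path for 16-byte digests: XOR four 32-bit words and OR
 * the results. memcpy is used so unaligned inputs are still safe. */
static unsigned long ct_memneq_16(const void *a, const void *b)
{
    uint32_t wa[4], wb[4];

    memcpy(wa, a, sizeof(wa));
    memcpy(wb, b, sizeof(wb));
    return (unsigned long)((wa[0] ^ wb[0]) | (wa[1] ^ wb[1]) |
                           (wa[2] ^ wb[2]) | (wa[3] ^ wb[3]));
}

/* Like the kernel's crypto_memneq, this only answers equal/not-equal; it
 * carries no ordering information. The kernel additionally keeps its copy
 * noinline in a separate object built with -Os so the compiler cannot
 * reintroduce an early exit; this example does not attempt that. */
static unsigned long ct_memneq(const void *a, const void *b, size_t size)
{
    if (size == 16)
        return ct_memneq_16(a, b);
    return ct_memneq_generic(a, b, size);
}

/* Typical use: verifying a received MAC/authentication tag against the
 * expected one. The result is only ever compared against zero. */
static int tag_matches(const unsigned char *expected, const unsigned char *received, size_t len)
{
    return ct_memneq(expected, received, len) == 0;
}
```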
-
Submitted by Michael Ellerman
We don't expect to get errors from the hypervisor when reading the rng, but if we do we should pass the error up to the hwrng driver. Otherwise the hwrng driver will continue calling us forever.
Signed-off-by: Michael Ellerman <michael@ellerman.id.au>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Michael Ellerman
Signed-off-by: Michael Ellerman <michael@ellerman.id.au>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by kbuild test robot
tree: git://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master
head: 48e6dc1b
commit: a62b01cd [20/24] crypto: create generic version of ablk_helper

coccinelle warnings: (new ones prefixed by >>)

>> crypto/ablk_helper.c:97:2-8: Replace memcpy with struct assignment
>> crypto/ablk_helper.c:78:2-8: Replace memcpy with struct assignment

Please consider folding the attached diff :-)
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Fabio Estevam
devm_ioremap_resource() may fail, so better check its return value and propagate it in the case of error.
Signed-off-by: Fabio Estevam <fabio.estevam@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- 24 Sep 2013, 13 commits
-
-
Submitted by Fabio Estevam
tasklet_kill() is not being called in probe and the remove function releases the resources in the wrong order. Fix these issues.
Signed-off-by: Fabio Estevam <fabio.estevam@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Fabio Estevam
Using devm_request_irq() can make the code smaller and simpler, as we do not need to call free_irq() in the probe error path and in the remove function.
Signed-off-by: Fabio Estevam <fabio.estevam@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Fabio Estevam
Using devm_ioremap_resource() can make the code simpler and smaller. When devm_ioremap_resource() is used there is no need to explicitly check the error returned by platform_get_resource().
Signed-off-by: Fabio Estevam <fabio.estevam@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Ard Biesheuvel
Move all users of ablk_helper under x86/ to the generic version and delete the x86 specific version.
Acked-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Ard Biesheuvel
Create a generic version of ablk_helper so it can be reused by other architectures.
Acked-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Neil Horman
Stephan Mueller reported to me recently an error in random number generation in the ansi cprng. If several small requests are made that are less than the instance's block size, the remainder for loop code doesn't increment rand_data_valid in the last iteration, meaning that the last bytes in the rand_data buffer get reused on the subsequent smaller-than-a-block request for random data. The fix is pretty easy, just re-code the for loop to make sure that rand_data_valid gets incremented appropriately.
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: Stephan Mueller <stephan.mueller@atsec.com>
CC: Stephan Mueller <stephan.mueller@atsec.com>
CC: Petr Matousek <pmatouse@redhat.com>
CC: Herbert Xu <herbert@gondor.apana.org.au>
CC: "David S. Miller" <davem@davemloft.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Stephen Warren
Following commit f5b38c5f "crypto: tegra - use kernel entropy instead of ad-hoc", this function is no longer used. It's also only accurate for Tegra20 and not later SoCs. So, remove it.
Signed-off-by: Stephen Warren <swarren@nvidia.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Sachin Kamat
devm_clk_get is device managed and makes code simpler.
Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Sachin Kamat
'dd' is tested for NULL. However, it is dereferenced in the error message print. Change the print to pr_err to avoid this.
Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Sachin Kamat
'tegra_aes_cra_exit' is used only in this file.
Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org>
Cc: Stephen Warren <swarren@wwwdotorg.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Sachin Kamat
Local symbols used only in this file are made static.
Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org>
Cc: Dmitry Kasatkin <dmitry.kasatkin@nokia.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Sachin Kamat
Local symbols used only in this file are made static.
Signed-off-by: Sachin Kamat <sachin.kamat@linaro.org>
Cc: Sebastian Andrzej Siewior <sebastian@breakpoint.cc>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Yashpal Dutta
KMap the buffers before copying trailing bytes during hmac into a session temporary buffer. This is required if pinned buffer from user-space is sent during hmac and is safe even if hmac request is generated from within kernel.
Signed-off-by: Yashpal Dutta <yashpal.dutta@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
- 13 Sep 2013, 2 commits
-
-
Submitted by Alex Porosanu
RNG4 block contains multiple (i.e. 2) state handles that can be initialized. This patch adds the necessary code for detecting which of the two state handles has been instantiated by another piece of software e.g. u-boot and instantiate the other one (or both if none was instantiated). Only the state handle(s) instantiated by this driver will be deinstantiated when removing the module.
Signed-off-by: Alex Porosanu <alexandru.porosanu@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-
Submitted by Alex Porosanu
RNG4 defines in desc.h were incomplete (bits AI & PS were missing), while SK was set as an ALG related bit. This patch adds the missing bits and corrects the SK bit.
Signed-off-by: Alex Porosanu <alexandru.porosanu@freescale.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
-