Merge branch 'macsec-clear-encryption-keys-in-h-w-drivers'

Antoine Tenart says: ==================== macsec: clear encryption keys in h/w drivers Commit aaab73f8 ("macsec: clear encryption keys from the stack after setting up offload") made sure to clean encryption keys from the stack after setting up offloading but some h/w drivers did a copy of the key which need to be zeroed as well. The MSCC PHY driver can actually be converted not to copy the encryption key at all, but such patch would be quite difficult to backport. I'll send a following up patch doing this in net-next once this series lands. Tested on the MSCC PHY but not on the atlantic NIC. ==================== Link: https://lore.kernel.org/r/20221108153459.811293-1-atenart@kernel.orgSigned-off-by: N Paolo Abeni <pabeni@redhat.com>

Merge branch 'macsec-clear-encryption-keys-in-h-w-drivers'
Antoine Tenart says: ==================== macsec: clear encryption keys in h/w drivers Commit aaab73f8 ("macsec: clear encryption keys from the stack after setting up offload") made sure to clean encryption keys from the stack after setting up offloading but some h/w drivers did a copy of the key which need to be zeroed as well. The MSCC PHY driver can actually be converted not to copy the encryption key at all, but such patch would be quite difficult to backport. I'll send a following up patch doing this in net-next once this series lands. Tested on the MSCC PHY but not on the atlantic NIC. ==================== Link: https://lore.kernel.org/r/20221108153459.811293-1-atenart@kernel.orgSigned-off-by: N Paolo Abeni <pabeni@redhat.com>
1893bb64 · Paolo Abeni · 63eec6f9 · 879785de · 1893bb64 · 1893bb64
3 changed file
--- a/drivers/net/ethernet/aquantia/atlantic/aq_macsec.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_macsec.c
@@ -570,6 +570,7 @@ static int aq_update_txsa(struct aq_nic_s *nic, const unsigned int sc_idx,

 	ret = aq_mss_set_egress_sakey_record(hw, &key_rec, sa_idx);

+	memzero_explicit(&key_rec, sizeof(key_rec));
 	return ret;
 }

@@ -899,6 +900,7 @@ static int aq_update_rxsa(struct aq_nic_s *nic, const unsigned int sc_idx,

 	ret = aq_mss_set_ingress_sakey_record(hw, &sa_key_record, sa_idx);

+	memzero_explicit(&sa_key_record, sizeof(sa_key_record));
 	return ret;
 }


--- a/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c
+++ b/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c
@@ -757,6 +757,7 @@ set_ingress_sakey_record(struct aq_hw_s *hw,
 			 u16 table_index)
 {
 	u16 packed_record[18];
+	int ret;

 	if (table_index >= NUMROWS_INGRESSSAKEYRECORD)
 		return -EINVAL;
@@ -789,9 +790,12 @@ set_ingress_sakey_record(struct aq_hw_s *hw,

 	packed_record[16] = rec->key_len & 0x3;

-	return set_raw_ingress_record(hw, packed_record, 18, 2,
-				      ROWOFFSET_INGRESSSAKEYRECORD +
-					      table_index);
+	ret = set_raw_ingress_record(hw, packed_record, 18, 2,
+				     ROWOFFSET_INGRESSSAKEYRECORD +
+				     table_index);
+
+	memzero_explicit(packed_record, sizeof(packed_record));
+	return ret;
 }

 int aq_mss_set_ingress_sakey_record(struct aq_hw_s *hw,
@@ -1739,14 +1743,14 @@ static int set_egress_sakey_record(struct aq_hw_s *hw,
 	ret = set_raw_egress_record(hw, packed_record, 8, 2,
 				    ROWOFFSET_EGRESSSAKEYRECORD + table_index);
 	if (unlikely(ret))
-		return ret;
+		goto clear_key;
 	ret = set_raw_egress_record(hw, packed_record + 8, 8, 2,
 				    ROWOFFSET_EGRESSSAKEYRECORD + table_index -
 					    32);
-	if (unlikely(ret))
-		return ret;

-	return 0;
+clear_key:
+	memzero_explicit(packed_record, sizeof(packed_record));
+	return ret;
 }

 int aq_mss_set_egress_sakey_record(struct aq_hw_s *hw,

--- a/drivers/net/phy/mscc/mscc_macsec.c
+++ b/drivers/net/phy/mscc/mscc_macsec.c
@@ -632,6 +632,7 @@ static void vsc8584_macsec_free_flow(struct vsc8531_private *priv,

 	list_del(&flow->list);
 	clear_bit(flow->index, bitmap);
+	memzero_explicit(flow->key, sizeof(flow->key));
 	kfree(flow);
 }