// SPDX-License-Identifier: GPL-2.0-only
/*
 * Cryptographic API.
 *
 * Support for VIA PadLock hardware crypto engine.
 *
 * Copyright (c) 2004 Michal Ludvig <michal@logix.cz>
 *
 */
#include <crypto/algapi.h>
#include <crypto/aes.h>
#include <crypto/internal/skcipher.h>
#include <crypto/padlock.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/types.h>
#include <linux/errno.h>
#include <linux/interrupt.h>
#include <linux/kernel.h>
#include <linux/mm.h>
#include <linux/percpu.h>
#include <linux/smp.h>
#include <linux/slab.h>
#include <linux/string.h>
#include <asm/cpu_device_id.h>
#include <asm/byteorder.h>
#include <asm/processor.h>
#include <asm/fpu/api.h>
/*
 * Number of data blocks actually fetched for each xcrypt insn.
 * Processors with prefetch errata will fetch extra blocks.
 *
 * The *_fetch_blocks values are runtime variables.  The MAX_* constants
 * size the on-stack bounce buffers in ecb_crypt_copy()/cbc_crypt_copy(),
 * which copy "count" blocks without a runtime bound check, so a fetch
 * count must stay at or below its MAX_* constant.
 *
 * padlock_xcrypt_ecb()/padlock_xcrypt_cbc() use (fetch_blocks - 1) as a
 * bit mask, so the values are presumably always powers of two -- confirm
 * wherever they are reassigned.
 */
static unsigned int ecb_fetch_blocks = 2;
#define MAX_ECB_FETCH_BLOCKS (8)
#define ecb_fetch_bytes (ecb_fetch_blocks * AES_BLOCK_SIZE)

static unsigned int cbc_fetch_blocks = 1;
#define MAX_CBC_FETCH_BLOCKS (4)
#define cbc_fetch_bytes (cbc_fetch_blocks * AES_BLOCK_SIZE)
/*
 * Control word.
 *
 * Bit-field block handed to the xcrypt instructions; the rep_xcrypt_*
 * helpers pass its address through the "d" register constraint.  The
 * whole structure is aligned to PADLOCK_ALIGNMENT.
 */
struct cword {
	unsigned int __attribute__ ((__packed__))
		rounds:4,	/* aes_set_key(): 10 + (key_len - 16) / 4 */
		algo:3,		/* only cleared by memset in the code visible here */
		keygen:1,	/* set when software supplies the expanded key */
		interm:1,	/* only cleared by memset in the code visible here */
		encdec:1,	/* aes_set_key() sets this to 1 in the decrypt word */
		ksize:2;	/* aes_set_key(): (key_len - 16) / 8 */
} __attribute__ ((__aligned__(PADLOCK_ALIGNMENT)));
/* Whenever making any changes to the following
 * structure *make sure* you keep E, d_data
 * and cword aligned on 16 Bytes boundaries and
 * the Hardware can access 16 * 16 bytes of E and d_data
 * (only the first 15 * 16 bytes matter but the HW reads
 * more).
 *
 * E and d_data hold key material (raw key or expanded schedules), so
 * this context is sensitive for as long as the transform lives.
 */
struct aes_ctx {
	/* Raw key (16-byte keys) or software-expanded encryption schedule. */
	u32 E[AES_MAX_KEYLENGTH_U32]
		__attribute__ ((__aligned__(PADLOCK_ALIGNMENT)));
	/* Software-expanded decryption schedule; unused for 16-byte keys. */
	u32 d_data[AES_MAX_KEYLENGTH_U32]
		__attribute__ ((__aligned__(PADLOCK_ALIGNMENT)));
	/* One control word per direction, both filled in by aes_set_key(). */
	struct {
		struct cword encrypt;
		struct cword decrypt;
	} cword;
	/* Decryption key pointer: aliases E or points at d_data. */
	u32 *D;
};
/*
 * Per-CPU pointer to the control word last recorded by
 * padlock_store_cword().  padlock_reset_key() compares against it, and
 * aes_set_key() clears every entry that points into the context being
 * re-keyed so a stale match cannot survive a key change.
 */
static DEFINE_PER_CPU(struct cword *, paes_last_cword);
/*
 * Report whether the ACE can derive the extended key itself for a key
 * of key_len bytes.  Only 16-byte keys qualify: returns 1 for them and
 * 0 for every other length.
 */
static inline int
aes_hw_extkey_available(uint8_t key_len)
{
	/* TODO: We should check the actual CPU model/stepping
	   as it's possible that the capability will be
	   added in the next CPU revisions. */
	return (key_len == 16) ? 1 : 0;
}
/*
 * Locate the aes_ctx inside a raw transform context area.  The address
 * is rounded up to PADLOCK_ALIGNMENT unless the crypto API's context
 * alignment is already at least that large.
 */
static inline struct aes_ctx *aes_ctx_common(void *ctx)
{
	unsigned long base = (unsigned long)ctx;
	unsigned long boundary = PADLOCK_ALIGNMENT;

	/* An alignment of 1 turns ALIGN() into a no-op. */
	if (crypto_tfm_ctx_alignment() >= boundary)
		boundary = 1;

	return (struct aes_ctx *)ALIGN(base, boundary);
}
/* Fetch the aligned PadLock AES context of a generic crypto transform. */
static inline struct aes_ctx *aes_ctx(struct crypto_tfm *tfm)
{
	void *raw = crypto_tfm_ctx(tfm);

	return aes_ctx_common(raw);
}
/* Fetch the aligned PadLock AES context of an skcipher transform. */
static inline struct aes_ctx *skcipher_aes_ctx(struct crypto_skcipher *tfm)
{
	void *raw = crypto_skcipher_ctx(tfm);

	return aes_ctx_common(raw);
}
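/*
 * Install an AES key into the PadLock context of @tfm.
 *
 * @tfm:     transform whose context receives the key
 * @in_key:  raw key bytes
 * @key_len: key length in bytes; must be 16, 24 or 32
 *
 * For 16-byte keys the hardware derives the round keys, so only the raw
 * key is stored and D aliases E.  For longer keys the schedule is
 * expanded in software with aes_expandkey() and keygen is set in both
 * control words.
 *
 * Returns 0 on success, -EINVAL for an unsupported key length.
 */
static int aes_set_key(struct crypto_tfm *tfm, const u8 *in_key,
		       unsigned int key_len)
{
	struct aes_ctx *ctx = aes_ctx(tfm);
	const __le32 *key = (const __le32 *)in_key;
	struct crypto_aes_ctx gen_aes;
	int cpu;

	/*
	 * Validate the length before touching the key.  The code below
	 * reads 16 bytes from in_key and computes (key_len - 16) on an
	 * unsigned value, so a multiple-of-8 check alone lets 0 or 8
	 * through to an out-of-bounds read and a wrapped subtraction.
	 * Lengths other than 16 take the aes_expandkey() path, which is
	 * expected to reject anything but 24 and 32 with a non-zero
	 * return, so the result stays -EINVAL; the context is simply no
	 * longer modified on the way.  The crypto core presumably also
	 * enforces min/max key size (registration is not visible here).
	 */
	if (key_len != AES_KEYSIZE_128 && key_len != AES_KEYSIZE_192 &&
	    key_len != AES_KEYSIZE_256)
		return -EINVAL;

	/*
	 * If the hardware is capable of generating the extended key
	 * itself we must supply the plain key for both encryption
	 * and decryption.
	 */
	ctx->D = ctx->E;

	ctx->E[0] = le32_to_cpu(key[0]);
	ctx->E[1] = le32_to_cpu(key[1]);
	ctx->E[2] = le32_to_cpu(key[2]);
	ctx->E[3] = le32_to_cpu(key[3]);

	/* Prepare control words. */
	memset(&ctx->cword, 0, sizeof(ctx->cword));

	ctx->cword.decrypt.encdec = 1;
	ctx->cword.encrypt.rounds = 10 + (key_len - 16) / 4;
	ctx->cword.decrypt.rounds = ctx->cword.encrypt.rounds;
	ctx->cword.encrypt.ksize = (key_len - 16) / 8;
	ctx->cword.decrypt.ksize = ctx->cword.encrypt.ksize;

	/* Don't generate extended keys if the hardware can do it. */
	if (aes_hw_extkey_available(key_len))
		goto ok;

	ctx->D = ctx->d_data;
	ctx->cword.encrypt.keygen = 1;
	ctx->cword.decrypt.keygen = 1;

	if (aes_expandkey(&gen_aes, in_key, key_len))
		return -EINVAL;

	memcpy(ctx->E, gen_aes.key_enc, AES_MAX_KEYLENGTH);
	memcpy(ctx->D, gen_aes.key_dec, AES_MAX_KEYLENGTH);

	/* gen_aes is a stack copy of both key schedules; do not leave it behind. */
	memzero_explicit(&gen_aes, sizeof(gen_aes));

ok:
	/*
	 * Forget this context's control words on every CPU so that
	 * padlock_reset_key() cannot treat the old key as still loaded.
	 */
	for_each_online_cpu(cpu)
		if (&ctx->cword.encrypt == per_cpu(paes_last_cword, cpu) ||
		    &ctx->cword.decrypt == per_cpu(paes_last_cword, cpu))
			per_cpu(paes_last_cword, cpu) = NULL;

	return 0;
}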
/*
 * skcipher setkey entry point: unwraps the skcipher handle to its base
 * transform and defers to aes_set_key(), returning its result.
 */
static int aes_set_key_skcipher(struct crypto_skcipher *tfm, const u8 *in_key,
				unsigned int key_len)
{
	struct crypto_tfm *base = crypto_skcipher_tfm(tfm);

	return aes_set_key(base, in_key, key_len);
}
/* ====== Encryption/decryption routines ====== */
/* These are the real calls to PadLock. */
/*
 * Rewrite the flags register (push/pop of EFLAGS/RFLAGS) unless @cword is
 * the control word last recorded for the current CPU.
 * NOTE(review): presumably the flags write is what makes the engine
 * reload its key state -- confirm against the PadLock documentation.
 */
static inline void padlock_reset_key(struct cword *cword)
{
	int cpu = raw_smp_processor_id();

	/* Same control word as last time on this CPU: nothing to do. */
	if (cword == per_cpu(paes_last_cword, cpu))
		return;

#ifndef CONFIG_X86_64
	asm volatile ("pushfl; popfl");
#else
	asm volatile ("pushfq; popfq");
#endif
}
/* Record @cword as the control word last used on the current CPU. */
static inline void padlock_store_cword(struct cword *cword)
{
	int cpu = raw_smp_processor_id();

	per_cpu(paes_last_cword, cpu) = cword;
}
crypto: padlock - fix VIA PadLock instruction usage with irq_ts_save/restore()
Wolfgang Walter reported this oops on his via C3 using padlock for
AES-encryption:
##################################################################
BUG: unable to handle kernel NULL pointer dereference at 000001f0
IP: [<c01028c5>] __switch_to+0x30/0x117
*pde = 00000000
Oops: 0002 [#1] PREEMPT
Modules linked in:
Pid: 2071, comm: sleep Not tainted (2.6.26 #11)
EIP: 0060:[<c01028c5>] EFLAGS: 00010002 CPU: 0
EIP is at __switch_to+0x30/0x117
EAX: 00000000 EBX: c0493300 ECX: dc48dd00 EDX: c0493300
ESI: dc48dd00 EDI: c0493530 EBP: c04cff8c ESP: c04cff7c
DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 0068
Process sleep (pid: 2071, ti=c04ce000 task=dc48dd00 task.ti=d2fe6000)
Stack: dc48df30 c0493300 00000000 00000000 d2fe7f44 c03b5b43 c04cffc8 00000046
c0131856 0000005a dc472d3c c0493300 c0493470 d983ae00 00002696 00000000
c0239f54 00000000 c04c4000 c04cffd8 c01025fe c04f3740 00049800 c04cffe0
Call Trace:
[<c03b5b43>] ? schedule+0x285/0x2ff
[<c0131856>] ? pm_qos_requirement+0x3c/0x53
[<c0239f54>] ? acpi_processor_idle+0x0/0x434
[<c01025fe>] ? cpu_idle+0x73/0x7f
[<c03a4dcd>] ? rest_init+0x61/0x63
=======================
Wolfgang also found out that adding kernel_fpu_begin() and kernel_fpu_end()
around the padlock instructions fix the oops.
Suresh wrote:
These padlock instructions though don't use/touch SSE registers, but it behaves
similar to other SSE instructions. For example, it might cause DNA faults
when cr0.ts is set. While this is a spurious DNA trap, it might cause
oops with the recent fpu code changes.
This is the code sequence that is probably causing this problem:
a) new app is getting exec'd and it is somewhere in between
start_thread() and flush_old_exec() in the load_xyz_binary()
b) At pont "a", task's fpu state (like TS_USEDFPU, used_math() etc) is
cleared.
c) Now we get an interrupt/softirq which starts using these encrypt/decrypt
routines in the network stack. This generates a math fault (as
cr0.ts is '1') which sets TS_USEDFPU and restores the math that is
in the task's xstate.
d) Return to exec code path, which does start_thread() which does
free_thread_xstate() and sets xstate pointer to NULL while
the TS_USEDFPU is still set.
e) At the next context switch from the new exec'd task to another task,
we have a scenarios where TS_USEDFPU is set but xstate pointer is null.
This can cause an oops during unlazy_fpu() in __switch_to()
Now:
1) This should happen with or with out pre-emption. Viro also encountered
similar problem with out CONFIG_PREEMPT.
2) kernel_fpu_begin() and kernel_fpu_end() will fix this problem, because
kernel_fpu_begin() will manually do a clts() and won't run in to the
situation of setting TS_USEDFPU in step "c" above.
3) This was working before the fpu changes, because its a spurious
math fault which doesn't corrupt any fpu/sse registers and the task's
math state was always in an allocated state.
With out the recent lazy fpu allocation changes, while we don't see oops,
there is a possible race still present in older kernels(for example,
while kernel is using kernel_fpu_begin() in some optimized clear/copy
page and an interrupt/softirq happens which uses these padlock
instructions generating DNA fault).
This is the failing scenario that existed even before the lazy fpu allocation
changes:
0. CPU's TS flag is set
1. kernel using FPU in some optimized copy routine and while doing
kernel_fpu_begin() takes an interrupt just before doing clts()
2. Takes an interrupt and ipsec uses padlock instruction. And we
take a DNA fault as TS flag is still set.
3. We handle the DNA fault and set TS_USEDFPU and clear cr0.ts
4. We complete the padlock routine
5. Go back to step-1, which resumes clts() in kernel_fpu_begin(), finishes
the optimized copy routine and does kernel_fpu_end(). At this point,
we have cr0.ts again set to '1' but the task's TS_USEFPU is stilll
set and not cleared.
6. Now kernel resumes its user operation. And at the next context
switch, kernel sees it has do a FP save as TS_USEDFPU is still set
and then will do a unlazy_fpu() in __switch_to(). unlazy_fpu()
will take a DNA fault, as cr0.ts is '1' and now, because we are
in __switch_to(), math_state_restore() will get confused and will
restore the next task's FP state and will save it in prev tasks's FP state.
Remember, in __switch_to() we are already on the stack of the next task
but take a DNA fault for the prev task.
This causes the fpu leakage.
Fix the padlock instruction usage by calling them inside the
context of new routines irq_ts_save/restore(), which clear/restore cr0.ts
manually in the interrupt context. This will not generate spurious DNA
in the context of the interrupt which will fix the oops encountered and
the possible FPU leakage issue.
Reported-and-bisected-by: Wolfgang Walter <wolfgang.walter@stwm.de>
Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2008-08-13 16:02:26 +04:00
/*
 * While the padlock instructions don't use FP/SSE registers, they
 * generate a spurious DNA (device-not-available) fault when CR0.TS is '1'.
 * Fortunately, the kernel doesn't use CR0.TS.
*/
/*
 * Issue one "rep xcryptecb" over @count blocks.
 *
 * Register binding, as given by the asm constraints: input in SI and
 * output in DI (both read-write, so the instruction may advance them),
 * control word in DX, key in BX, block count in CX.  The instruction is
 * emitted as raw opcode bytes.  No length or alignment checking happens
 * here; callers are responsible for both.
 */
static inline void rep_xcrypt_ecb(const u8 *input, u8 *output, void *key,
				  struct cword *control_word, int count)
{
	asm volatile (".byte 0xf3,0x0f,0xa7,0xc8"	/* rep xcryptecb */
		      : "+S"(input), "+D"(output)
		      : "d"(control_word), "b"(key), "c"(count));
}
/*
 * Issue one "rep xcryptcbc" over @count blocks.
 *
 * Same register binding as the ECB helper, plus the IV pointer in AX as
 * a read-write operand.  The value of that operand after the instruction
 * is returned.
 * NOTE(review): presumably it then points at the chaining value for the
 * next call -- confirm against the PadLock documentation.
 */
static inline u8 *rep_xcrypt_cbc(const u8 *input, u8 *output, void *key,
				 u8 *iv, struct cword *control_word, int count)
{
	asm volatile (".byte 0xf3,0x0f,0xa7,0xd0"	/* rep xcryptcbc */
		      : "+S" (input), "+D" (output), "+a" (iv)
		      : "d" (control_word), "b" (key), "c" (count));
	return iv;
}
/*
 * ECB path for inputs whose hardware prefetch would run off the page:
 * the data is first copied into an aligned on-stack bounce buffer and
 * the instruction is run on that copy.
 *
 * NOTE(review): @count is not bounded here.  The bounce buffer holds
 * MAX_ECB_FETCH_BLOCKS - 1 blocks, so this relies on callers passing
 * fewer blocks than that; the call chain visible in this file reaches it
 * only with count < ecb_fetch_blocks.  The buffer also keeps a copy of
 * the input on the stack after return.
 */
static void ecb_crypt_copy(const u8 *in, u8 *out, u32 *key,
			   struct cword *cword, int count)
{
	/*
	 * Padlock prefetches extra data so we must provide mapped input buffers.
	 * Assume there are at least 16 bytes of stack already in use.
	 */
	u8 bounce[AES_BLOCK_SIZE * (MAX_ECB_FETCH_BLOCKS - 1) + PADLOCK_ALIGNMENT - 1];
	u8 *aligned = PTR_ALIGN(&bounce[0], PADLOCK_ALIGNMENT);

	memcpy(aligned, in, count * AES_BLOCK_SIZE);
	rep_xcrypt_ecb(aligned, out, key, cword, count);
}
/*
 * CBC counterpart of the bounce-buffer path: copy the input into an
 * aligned on-stack buffer, run the instruction on the copy and return
 * the IV pointer it hands back.
 *
 * NOTE(review): @count is not bounded here.  The bounce buffer holds
 * MAX_CBC_FETCH_BLOCKS - 1 blocks, so this relies on callers passing
 * fewer blocks than that; the call chain visible in this file reaches it
 * only with count < cbc_fetch_blocks.  The buffer also keeps a copy of
 * the input on the stack after return.
 */
static u8 *cbc_crypt_copy(const u8 *in, u8 *out, u32 *key,
			  u8 *iv, struct cword *cword, int count)
{
	/*
	 * Padlock prefetches extra data so we must provide mapped input buffers.
	 * Assume there are at least 16 bytes of stack already in use.
	 */
	u8 bounce[AES_BLOCK_SIZE * (MAX_CBC_FETCH_BLOCKS - 1) + PADLOCK_ALIGNMENT - 1];
	u8 *aligned = PTR_ALIGN(&bounce[0], PADLOCK_ALIGNMENT);
	u8 *next_iv;

	memcpy(aligned, in, count * AES_BLOCK_SIZE);
	next_iv = rep_xcrypt_cbc(aligned, out, key, iv, cword, count);

	return next_iv;
}
/*
 * ECB on a short run of blocks, guarding against the hardware prefetch
 * crossing into the next page.
 */
static inline void ecb_crypt(const u8 *in, u8 *out, u32 *key,
			     struct cword *cword, int count)
{
	/* Padlock in ECB mode fetches at least ecb_fetch_bytes of data.
	 * We could avoid some copying here but it's probably not worth it.
	 */
	if (likely(offset_in_page(in) + ecb_fetch_bytes <= PAGE_SIZE)) {
		/* The whole fetch window stays inside the current page. */
		rep_xcrypt_ecb(in, out, key, cword, count);
		return;
	}

	/* The fetch window would cross the page end: go through the copy. */
	ecb_crypt_copy(in, out, key, cword, count);
}
/*
 * CBC on a short run of blocks, guarding against the hardware prefetch
 * crossing into the next page.  Returns the IV pointer produced by the
 * helper that was used.
 */
static inline u8 *cbc_crypt(const u8 *in, u8 *out, u32 *key,
			    u8 *iv, struct cword *cword, int count)
{
	/* Padlock in CBC mode fetches at least cbc_fetch_bytes of data. */
	if (likely(offset_in_page(in) + cbc_fetch_bytes <= PAGE_SIZE))
		return rep_xcrypt_cbc(in, out, key, iv, cword, count);

	/* The fetch window would cross the page end: go through the copy. */
	return cbc_crypt_copy(in, out, key, iv, cword, count);
}
/*
 * ECB over @count blocks, split so the final run is a whole multiple of
 * ecb_fetch_blocks.
 *
 * Requests shorter than ecb_fetch_blocks go through ecb_crypt(), which
 * handles the page-boundary case.  Otherwise the remainder ("initial")
 * is processed first and the rest in a second instruction.
 * NOTE(review): presumably this ordering keeps the prefetch of the last
 * run inside the caller's buffer -- confirm against the errata notes.
 */
static inline void padlock_xcrypt_ecb(const u8 *input, u8 *output, void *key,
				      void *control_word, u32 count)
{
	/* Masking only equals a modulo when ecb_fetch_blocks is a power of two. */
	u32 initial = count & (ecb_fetch_blocks - 1);

	if (count < ecb_fetch_blocks) {
		ecb_crypt(input, output, key, control_word, count);
		return;
	}

	count -= initial;

	/* input/output are read-write operands, so the second asm sees their updated values. */
	if (initial)
		asm volatile (".byte 0xf3,0x0f,0xa7,0xc8"	/* rep xcryptecb */
			      : "+S"(input), "+D"(output)
			      : "d"(control_word), "b"(key), "c"(initial));

	asm volatile (".byte 0xf3,0x0f,0xa7,0xc8"	/* rep xcryptecb */
		      : "+S"(input), "+D"(output)
		      : "d"(control_word), "b"(key), "c"(count));
}
/*
 * CBC over @count blocks, split so the final run is a whole multiple of
 * cbc_fetch_blocks.  Returns the IV pointer left in the "a" operand by
 * the last instruction (or by cbc_crypt() on the short path).
 *
 * Requests shorter than cbc_fetch_blocks go through cbc_crypt(), which
 * handles the page-boundary case.
 */
static inline u8 *padlock_xcrypt_cbc(const u8 *input, u8 *output, void *key,
				     u8 *iv, void *control_word, u32 count)
{
	/* Masking only equals a modulo when cbc_fetch_blocks is a power of two. */
	u32 initial = count & (cbc_fetch_blocks - 1);

	if (count < cbc_fetch_blocks)
		return cbc_crypt(input, output, key, iv, control_word, count);

	count -= initial;

	/* input/output/iv are read-write operands carried into the second asm. */
	if (initial)
		asm volatile (".byte 0xf3,0x0f,0xa7,0xd0"	/* rep xcryptcbc */
			      : "+S" (input), "+D" (output), "+a" (iv)
			      : "d" (control_word), "b" (key), "c" (initial));

	asm volatile (".byte 0xf3,0x0f,0xa7,0xd0"	/* rep xcryptcbc */
		      : "+S" (input), "+D" (output), "+a" (iv)
		      : "d" (control_word), "b" (key), "c" (count));
	return iv;
}
/*
 * Single-block AES encryption, installed as .cia_encrypt of aes_alg.
 *
 * Encrypts one block from @in to @out with the key material in ctx->E and
 * the encrypt control word. The operation is bracketed by
 * padlock_reset_key() before and padlock_store_cword() after; both helpers
 * are defined outside this excerpt.
 *
 * History, from the 2008-08-13 commit message attached to this function in
 * the blame view ("crypto: padlock - fix VIA PadLock instruction usage with
 * irq_ts_save/restore()"): PadLock instructions could raise a spurious
 * device-not-available (DNA) fault when cr0.ts was set, which led to an oops
 * in __switch_to() and to possible leakage of FPU state between tasks. That
 * fix ran the instructions inside irq_ts_save()/irq_ts_restore(). No such
 * call appears in this function as shown here.
 */
static void padlock_aes_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
{
	struct aes_ctx *actx = aes_ctx(tfm);

	padlock_reset_key(&actx->cword.encrypt);
	ecb_crypt(in, out, actx->E, &actx->cword.encrypt, 1);
	padlock_store_cword(&actx->cword.encrypt);
}
/*
 * Single-block AES decryption, installed as .cia_decrypt of aes_alg.
 *
 * Decrypts one block from @in to @out with the key material in ctx->D and
 * the decrypt control word.
 *
 * NOTE(review): the operation itself uses cword.decrypt, but both
 * padlock_reset_key() and padlock_store_cword() are given cword.encrypt.
 * Those helpers are defined outside this excerpt; confirm that tracking the
 * encrypt control word here is intended and cannot leave key state from a
 * previous encryption in use for this decryption.
 *
 * History, from the 2008-08-13 commit message attached to this function in
 * the blame view: PadLock instructions could raise a spurious
 * device-not-available (DNA) fault when cr0.ts was set, causing an oops in
 * __switch_to() and possible leakage of FPU state between tasks; that fix
 * used irq_ts_save()/irq_ts_restore(). No such call appears in this function
 * as shown here.
 */
static void padlock_aes_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
{
	struct aes_ctx *actx = aes_ctx(tfm);

	padlock_reset_key(&actx->cword.encrypt);
	ecb_crypt(in, out, actx->D, &actx->cword.decrypt, 1);
	padlock_store_cword(&actx->cword.encrypt);
}
/*
 * Raw single-block "aes" cipher backed by PadLock.
 *
 * cra_priority ranks this driver against other providers of the same
 * cra_name. cra_alignmask asks for buffers aligned to PADLOCK_ALIGNMENT.
 * Key sizes are bounded by AES_MIN_KEY_SIZE and AES_MAX_KEY_SIZE; the
 * per-key validation lives in aes_set_key(), outside this excerpt.
 */
static struct crypto_alg aes_alg = {
	.cra_name		= "aes",
	.cra_driver_name	= "aes-padlock",
	.cra_priority		= PADLOCK_CRA_PRIORITY,
	.cra_flags		= CRYPTO_ALG_TYPE_CIPHER,
	.cra_blocksize		= AES_BLOCK_SIZE,
	.cra_ctxsize		= sizeof(struct aes_ctx),
	.cra_alignmask		= PADLOCK_ALIGNMENT - 1,
	.cra_module		= THIS_MODULE,
	.cra_u.cipher		= {
		.cia_min_keysize	= AES_MIN_KEY_SIZE,
		.cia_max_keysize	= AES_MAX_KEY_SIZE,
		.cia_setkey		= aes_set_key,
		.cia_encrypt		= padlock_aes_encrypt,
		.cia_decrypt		= padlock_aes_decrypt,
	},
};
/*
 * ecb(aes) encryption over a scatterlist request.
 *
 * Walks the request in virtually mapped chunks. Each step passes the number
 * of whole AES blocks in the chunk to padlock_xcrypt_ecb() and reports the
 * leftover bytes (chunk length modulo AES_BLOCK_SIZE) to
 * skcipher_walk_done().
 *
 * The return value of skcipher_walk_virt() is not tested on its own: the
 * loop is entered only when walk.nbytes is non-zero, and the function
 * returns the last value assigned to err.
 */
static int ecb_aes_encrypt(struct skcipher_request *req)
{
	struct crypto_skcipher *cipher = crypto_skcipher_reqtfm(req);
	struct aes_ctx *actx = skcipher_aes_ctx(cipher);
	struct skcipher_walk walk;
	unsigned int nbytes;
	int err;

	padlock_reset_key(&actx->cword.encrypt);

	err = skcipher_walk_virt(&walk, req, false);

	for (nbytes = walk.nbytes; nbytes != 0; nbytes = walk.nbytes) {
		padlock_xcrypt_ecb(walk.src.virt.addr, walk.dst.virt.addr,
				   actx->E, &actx->cword.encrypt,
				   nbytes / AES_BLOCK_SIZE);
		/* Hand the sub-block tail back to the walker. */
		nbytes &= AES_BLOCK_SIZE - 1;
		err = skcipher_walk_done(&walk, nbytes);
	}

	padlock_store_cword(&actx->cword.encrypt);

	return err;
}
/*
 * ecb(aes) decryption over a scatterlist request.
 *
 * Same walk as ecb_aes_encrypt(), using the key material in ctx->D and the
 * decrypt control word for the hardware operation.
 *
 * NOTE(review): padlock_reset_key() is called with cword.decrypt, but
 * padlock_store_cword() afterwards records cword.encrypt. Both helpers are
 * defined outside this excerpt; confirm that the mismatch is intended.
 */
static int ecb_aes_decrypt(struct skcipher_request *req)
{
	struct crypto_skcipher *cipher = crypto_skcipher_reqtfm(req);
	struct aes_ctx *actx = skcipher_aes_ctx(cipher);
	struct skcipher_walk walk;
	unsigned int nbytes;
	int err;

	padlock_reset_key(&actx->cword.decrypt);

	err = skcipher_walk_virt(&walk, req, false);

	for (nbytes = walk.nbytes; nbytes != 0; nbytes = walk.nbytes) {
		padlock_xcrypt_ecb(walk.src.virt.addr, walk.dst.virt.addr,
				   actx->D, &actx->cword.decrypt,
				   nbytes / AES_BLOCK_SIZE);
		/* Hand the sub-block tail back to the walker. */
		nbytes &= AES_BLOCK_SIZE - 1;
		err = skcipher_walk_done(&walk, nbytes);
	}

	padlock_store_cword(&actx->cword.encrypt);

	return err;
}
/*
 * "ecb(aes)" skcipher backed by PadLock.
 *
 * ECB transforms every block independently, so equal plaintext blocks
 * produce equal ciphertext blocks; no ivsize is declared for this mode.
 */
static struct skcipher_alg ecb_aes_alg = {
	.base = {
		.cra_name		= "ecb(aes)",
		.cra_driver_name	= "ecb-aes-padlock",
		.cra_priority		= PADLOCK_COMPOSITE_PRIORITY,
		.cra_blocksize		= AES_BLOCK_SIZE,
		.cra_ctxsize		= sizeof(struct aes_ctx),
		.cra_alignmask		= PADLOCK_ALIGNMENT - 1,
		.cra_module		= THIS_MODULE,
	},
	.min_keysize	= AES_MIN_KEY_SIZE,
	.max_keysize	= AES_MAX_KEY_SIZE,
	.setkey		= aes_set_key_skcipher,
	.encrypt	= ecb_aes_encrypt,
	.decrypt	= ecb_aes_decrypt,
};
/*
 * cbc(aes) encryption over a scatterlist request.
 *
 * Each walk step encrypts the whole blocks of the current chunk with
 * padlock_xcrypt_cbc(), then copies AES_BLOCK_SIZE bytes from the pointer it
 * returns into walk.iv before the leftover bytes are reported to
 * skcipher_walk_done().
 *
 * NOTE(review): padlock_reset_key() and the hardware operation use
 * cword.encrypt, but padlock_store_cword() afterwards records cword.decrypt.
 * Both helpers are defined outside this excerpt; confirm that the mismatch
 * is intended.
 */
static int cbc_aes_encrypt(struct skcipher_request *req)
{
	struct crypto_skcipher *cipher = crypto_skcipher_reqtfm(req);
	struct aes_ctx *actx = skcipher_aes_ctx(cipher);
	struct skcipher_walk walk;
	unsigned int nbytes;
	int err;

	padlock_reset_key(&actx->cword.encrypt);

	err = skcipher_walk_virt(&walk, req, false);

	for (nbytes = walk.nbytes; nbytes != 0; nbytes = walk.nbytes) {
		u8 *next_iv;

		next_iv = padlock_xcrypt_cbc(walk.src.virt.addr,
					     walk.dst.virt.addr, actx->E,
					     walk.iv, &actx->cword.encrypt,
					     nbytes / AES_BLOCK_SIZE);
		/* Carry the chaining value into the walk state. */
		memcpy(walk.iv, next_iv, AES_BLOCK_SIZE);
		nbytes &= AES_BLOCK_SIZE - 1;
		err = skcipher_walk_done(&walk, nbytes);
	}

	padlock_store_cword(&actx->cword.decrypt);

	return err;
}
/*
 * cbc(aes) decryption over a scatterlist request.
 *
 * Each walk step decrypts the whole blocks of the current chunk with
 * padlock_xcrypt_cbc(), using the key material in ctx->D and the decrypt
 * control word. Unlike cbc_aes_encrypt(), the returned IV pointer is
 * ignored and nothing is copied into walk.iv here; presumably the IV is
 * updated in place -- TODO confirm.
 *
 * NOTE(review): the hardware operation uses cword.decrypt, but both
 * padlock_reset_key() and padlock_store_cword() are given cword.encrypt.
 * Both helpers are defined outside this excerpt; confirm that this is
 * intended.
 */
static int cbc_aes_decrypt(struct skcipher_request *req)
{
	struct crypto_skcipher *cipher = crypto_skcipher_reqtfm(req);
	struct aes_ctx *actx = skcipher_aes_ctx(cipher);
	struct skcipher_walk walk;
	unsigned int nbytes;
	int err;

	padlock_reset_key(&actx->cword.encrypt);

	err = skcipher_walk_virt(&walk, req, false);

	for (nbytes = walk.nbytes; nbytes != 0; nbytes = walk.nbytes) {
		padlock_xcrypt_cbc(walk.src.virt.addr, walk.dst.virt.addr,
				   actx->D, walk.iv, &actx->cword.decrypt,
				   nbytes / AES_BLOCK_SIZE);
		/* Hand the sub-block tail back to the walker. */
		nbytes &= AES_BLOCK_SIZE - 1;
		err = skcipher_walk_done(&walk, nbytes);
	}

	padlock_store_cword(&actx->cword.encrypt);

	return err;
}
/*
 * "cbc(aes)" skcipher backed by PadLock.
 *
 * Declares a one-block IV (ivsize == AES_BLOCK_SIZE). The IV is supplied by
 * the caller with each request; this driver only consumes and advances it.
 */
static struct skcipher_alg cbc_aes_alg = {
	.base = {
		.cra_name		= "cbc(aes)",
		.cra_driver_name	= "cbc-aes-padlock",
		.cra_priority		= PADLOCK_COMPOSITE_PRIORITY,
		.cra_blocksize		= AES_BLOCK_SIZE,
		.cra_ctxsize		= sizeof(struct aes_ctx),
		.cra_alignmask		= PADLOCK_ALIGNMENT - 1,
		.cra_module		= THIS_MODULE,
	},
	.min_keysize	= AES_MIN_KEY_SIZE,
	.max_keysize	= AES_MAX_KEY_SIZE,
	.ivsize		= AES_BLOCK_SIZE,
	.setkey		= aes_set_key_skcipher,
	.encrypt	= cbc_aes_encrypt,
	.decrypt	= cbc_aes_decrypt,
};
/*
 * CPU match table: any x86 CPU advertising X86_FEATURE_XCRYPT.
 * padlock_init() uses it as its first gate, and MODULE_DEVICE_TABLE()
 * exports it as module alias information.
 */
static const struct x86_cpu_id padlock_cpu_id[] = {
	X86_MATCH_FEATURE(X86_FEATURE_XCRYPT, NULL),
	{ /* terminating empty entry */ }
};
MODULE_DEVICE_TABLE(x86cpu, padlock_cpu_id);
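/*
 * Module init: register the PadLock AES implementations.
 *
 * Returns -ENODEV when the CPU does not match padlock_cpu_id or when the
 * XCRYPT unit is present but not enabled (X86_FEATURE_XCRYPT_EN clear).
 * Otherwise registers "aes", "ecb(aes)" and "cbc(aes)" in that order and
 * returns 0, or unregisters whatever was already registered and returns the
 * error of the first registration that failed.
 *
 * The VIA Nano stepping 2 workaround (larger ecb_fetch_blocks and
 * cbc_fetch_blocks) is applied before the first registration. Once an
 * algorithm is registered it can be picked up by other users, so the fetch
 * sizes must already hold their final values at that point; setting them
 * after registration left a window in which the defaults were used on an
 * affected CPU.
 */
static int __init padlock_init(void)
{
	struct cpuinfo_x86 *c = &cpu_data(0);
	bool nano_workaround;
	int ret;

	if (!x86_match_cpu(padlock_cpu_id))
		return -ENODEV;

	if (!boot_cpu_has(X86_FEATURE_XCRYPT_EN)) {
		printk(KERN_NOTICE PFX "VIA PadLock detected, but not enabled. Hmm, strange...\n");
		return -ENODEV;
	}

	/* Family 6, model 15, stepping 2 is the CPU the workaround targets. */
	nano_workaround = c->x86 == 6 && c->x86_model == 15 &&
			  c->x86_stepping == 2;
	if (nano_workaround) {
		ecb_fetch_blocks = MAX_ECB_FETCH_BLOCKS;
		cbc_fetch_blocks = MAX_CBC_FETCH_BLOCKS;
	}

	ret = crypto_register_alg(&aes_alg);
	if (ret)
		goto aes_err;

	ret = crypto_register_skcipher(&ecb_aes_alg);
	if (ret)
		goto ecb_aes_err;

	ret = crypto_register_skcipher(&cbc_aes_alg);
	if (ret)
		goto cbc_aes_err;

	printk(KERN_NOTICE PFX "Using VIA PadLock ACE for AES algorithm.\n");

	/* Logged after the banner to keep the original message order. */
	if (nano_workaround)
		printk(KERN_NOTICE PFX "VIA Nano stepping 2 detected: enabling workaround.\n");

	return 0;

	/* Unwind in reverse order of registration. */
cbc_aes_err:
	crypto_unregister_skcipher(&ecb_aes_alg);
ecb_aes_err:
	crypto_unregister_alg(&aes_alg);
aes_err:
	printk(KERN_ERR PFX "VIA PadLock AES initialization failed.\n");
	return ret;
}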
/*
 * Module exit: unregister the three algorithms in the reverse of the order
 * in which padlock_init() registered them.
 */
static void __exit padlock_fini(void)
{
	/* Composite modes first ... */
	crypto_unregister_skcipher(&cbc_aes_alg);
	crypto_unregister_skcipher(&ecb_aes_alg);

	/* ... then the raw single-block cipher. */
	crypto_unregister_alg(&aes_alg);
}
/* Entry and exit hooks for the module. */
module_init(padlock_init);
module_exit(padlock_fini);

/* Module metadata. */
MODULE_DESCRIPTION("VIA PadLock AES algorithm support");
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Michal Ludvig");

/* Crypto alias so that a request for "aes" can resolve to this module. */
MODULE_ALIAS_CRYPTO("aes");