Merge branch 'macsec-clear-encryption-keys-in-h-w-drivers'

Antoine Tenart says:

====================
macsec: clear encryption keys in h/w drivers

Commit aaab73f8fb ("macsec: clear encryption keys from the stack after
setting up offload") made sure to clean encryption keys from the stack
after setting up offloading, but some h/w drivers made their own copy of
the key, which needs to be zeroed as well.

The MSCC PHY driver can actually be converted not to copy the encryption
key at all, but such patch would be quite difficult to backport. I'll
send a following up patch doing this in net-next once this series lands.

Tested on the MSCC PHY but not on the atlantic NIC.
====================

Link: https://lore.kernel.org/r/20221108153459.811293-1-atenart@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Paolo Abeni 2022-11-10 11:58:54 +01:00
Родитель 63eec6f926 879785def0
Коммит 1893bb64c0
3 изменённых файлов: 14 добавлений и 7 удалений


@ -570,6 +570,7 @@ static int aq_update_txsa(struct aq_nic_s *nic, const unsigned int sc_idx,
ret = aq_mss_set_egress_sakey_record(hw, &key_rec, sa_idx);
memzero_explicit(&key_rec, sizeof(key_rec));
return ret;
}
@ -899,6 +900,7 @@ static int aq_update_rxsa(struct aq_nic_s *nic, const unsigned int sc_idx,
ret = aq_mss_set_ingress_sakey_record(hw, &sa_key_record, sa_idx);
memzero_explicit(&sa_key_record, sizeof(sa_key_record));
return ret;
}
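Review bot: The wipe of `key_rec` in aq_update_txsa (and of `sa_key_record` in aq_update_rxsa) sits only on the final return path, so any earlier `return` between the key copy and this point would leave the key on the stack. Both function bodies start outside the hunks, so that needs checking against the full file. Nothing on these lines says why memzero_explicit() is used, and a later cleanup could swap it for a plain memset() that the compiler is free to drop as a dead store. I would add a comment above each call, e.g. `/* key_rec holds a copy of the SA key: wipe it so it does not linger on the stack */`.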


@ -757,6 +757,7 @@ set_ingress_sakey_record(struct aq_hw_s *hw,
u16 table_index)
{
u16 packed_record[18];
int ret;
if (table_index >= NUMROWS_INGRESSSAKEYRECORD)
return -EINVAL;
@ -789,9 +790,12 @@ set_ingress_sakey_record(struct aq_hw_s *hw,
packed_record[16] = rec->key_len & 0x3;
return set_raw_ingress_record(hw, packed_record, 18, 2,
ROWOFFSET_INGRESSSAKEYRECORD +
table_index);
ret = set_raw_ingress_record(hw, packed_record, 18, 2,
ROWOFFSET_INGRESSSAKEYRECORD +
table_index);
memzero_explicit(packed_record, sizeof(packed_record));
return ret;
}
int aq_mss_set_ingress_sakey_record(struct aq_hw_s *hw,
@ -1739,14 +1743,14 @@ static int set_egress_sakey_record(struct aq_hw_s *hw,
ret = set_raw_egress_record(hw, packed_record, 8, 2,
ROWOFFSET_EGRESSSAKEYRECORD + table_index);
if (unlikely(ret))
return ret;
goto clear_key;
ret = set_raw_egress_record(hw, packed_record + 8, 8, 2,
ROWOFFSET_EGRESSSAKEYRECORD + table_index -
32);
if (unlikely(ret))
return ret;
return 0;
clear_key:
memzero_explicit(packed_record, sizeof(packed_record));
return ret;
}
int aq_mss_set_egress_sakey_record(struct aq_hw_s *hw,
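Review bot: In set_egress_sakey_record the wipe at `clear_key:` only helps if the label is also reached by fall-through after the second set_raw_egress_record() call. This rendering prints old and new lines without markers, so the `return ret;` and `return 0;` just above the label should be confirmed as removed lines; otherwise the second-write error path and the success path leave the packed key on the stack. A comment at the label would make the intent explicit: `/* reached on success and on error: wipe the packed key copy */`. In set_ingress_sakey_record the call passes a literal `18` while the wipe uses `sizeof(packed_record)`; `ARRAY_SIZE(packed_record)` in the call would keep both tied to the declaration. Both function bodies extend beyond the hunks shown.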


@ -632,6 +632,7 @@ static void vsc8584_macsec_free_flow(struct vsc8531_private *priv,
list_del(&flow->list);
clear_bit(flow->index, bitmap);
memzero_explicit(flow->key, sizeof(flow->key));
kfree(flow);
}
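Review bot: Only `flow->key` is wiped before `kfree(flow)` in vsc8584_macsec_free_flow, so anything else in the flow object that was derived from the key stays in the freed slab memory. The struct definition is not visible here, so whether such fields exist needs checking. `kfree_sensitive(flow);` would zero the whole allocation before freeing it and would replace both lines. `sizeof(flow->key)` is also only correct while `key` is an array member; if it ever became a pointer the call would wipe just pointer-size bytes, which deserves a short comment next to the field's declaration. The function starts outside the hunk.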