From patchwork Fri Apr 11 19:48:42 2014
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 28292
In-Reply-To: <20140411160312.GB31676@kroah.com>
References: <533aa1ae.qq4Hi3RBnPzgncue%fengguang.wu@intel.com> <20140401124824.GA13642@gondor.apana.org.au> <20140411160312.GB31676@kroah.com>
Date: Fri, 11 Apr 2014 21:48:42 +0200
Subject: Re: Fwd: [crypto:master 60/60] arch/x86/crypto/ghash-clmulni-intel_glue.c:71:25: sparse: cast to restricted __be64
From: Ard Biesheuvel
To: "gregkh@linuxfoundation.org", Herbert Xu
Cc: "linux-crypto@vger.kernel.org", "linux-kernel@vger.kernel.org"

On 11 April 2014 18:03, gregkh@linuxfoundation.org wrote:
> On Fri, Apr 04, 2014 at 10:11:19AM +0200, Ard Biesheuvel wrote:
>> Greg,
>>
>> This pertains to commit 8ceee72808d1 (crypto: ghash-clmulni-intel -
>> use C implementation for setkey()) that has been pulled by Linus
>> during the current merge window.
>>
>> It is missing two things:
>> - a cc to stable annotation
>> - a fix for the sparse warning below (change cast from __be64 to __force __be64)
>>
>> The reason for cc'ing stable on this patch is that it fixes a
>> potential data corruption issue where the ghash setkey() method uses
>> SSE registers without calling kernel_fpu_begin() first. This issue was
>> introduced by 0e1227d356e9b (crypto: ghash - Add PCLMULQDQ accelerated
>> implementation).
>>
>> So how would you like to proceed with this? Should I propose a new
>> patch somewhere?
>
> No problem, I'll apply this as-is. But it doesn't apply to the
> 3.4-stable tree cleanly, can you send me a backported version if it's
> still needed there as well?
>

Yes, the code was broken from the start.
3.4 version is attached, the only difference is the missing ENDPROC()
at the end of the asm file.
In the mean time, Herbert has submitted a fix for the sparse warning,
but we settled on a different fix than I had suggested before.

https://git.kernel.org/cgit/linux/kernel/git/herbert/cryptodev-2.6.git/commit/?id=0ea481466d1c

Note that this code has not been tested (not by me, at least), so I
wouldn't suggest you take it straight away, but if you care about the
sparse warning, we could add a cc stable to it as well, I suppose.

Regards,
Ard.

From db9c70e8f3291490fec0da56dce2bfa7837e99f2 Mon Sep 17 00:00:00 2001
From: Ard Biesheuvel
Date: Fri, 11 Apr 2014 20:37:37 +0200
Subject: [PATCH] crypto: ghash-clmulni-intel - use C implementation for setkey()

commit 8ceee72808d1ae3fb191284afc2257a2be964725 upstream.

The GHASH setkey() function uses SSE registers but fails to call
kernel_fpu_begin()/kernel_fpu_end(). Instead of adding these calls, and
then having to deal with the restriction that they cannot be called from
interrupt context, move the setkey() implementation to the C domain.

Note that setkey() does not use any particular SSE features and is not
expected to become a performance bottleneck.

Signed-off-by: Ard Biesheuvel
Acked-by: H. Peter Anvin
Fixes: 0e1227d356e9b (crypto: ghash - Add PCLMULQDQ accelerated implementation)
Signed-off-by: Herbert Xu
---
 arch/x86/crypto/ghash-clmulni-intel_asm.S  | 28 ----------------------------
 arch/x86/crypto/ghash-clmulni-intel_glue.c | 14 +++++++++++---
 2 files changed, 11 insertions(+), 31 deletions(-)

diff --git a/arch/x86/crypto/ghash-clmulni-intel_asm.S b/arch/x86/crypto/ghash-clmulni-intel_asm.S index 1eb7f90cb7b9..eb4d2a254b35 100644 --- a/arch/x86/crypto/ghash-clmulni-intel_asm.S +++ b/arch/x86/crypto/ghash-clmulni-intel_asm.S @@ -24,10 +24,6 @@ .align 16 .Lbswap_mask: .octa 0x000102030405060708090a0b0c0d0e0f -.Lpoly: - .octa 0xc2000000000000000000000000000001 -.Ltwo_one: - .octa 0x00000001000000000000000000000001 #define DATA %xmm0 #define SHASH %xmm1 
@@ -131,27 +127,3 @@ ENTRY(clmul_ghash_update) movups DATA, (%rdi) .Lupdate_just_ret: ret - -/* - * void clmul_ghash_setkey(be128 *shash, const u8 *key); - * - * Calculate hash_key << 1 mod poly - */ -ENTRY(clmul_ghash_setkey) - movaps .Lbswap_mask, BSWAP - movups (%rsi), %xmm0 - PSHUFB_XMM BSWAP %xmm0 - movaps %xmm0, %xmm1 - psllq $1, %xmm0 - psrlq $63, %xmm1 - movaps %xmm1, %xmm2 - pslldq $8, %xmm1 - psrldq $8, %xmm2 - por %xmm1, %xmm0 - # reduction - pshufd $0b00100100, %xmm2, %xmm1 - pcmpeqd .Ltwo_one, %xmm1 - pand .Lpoly, %xmm1 - pxor %xmm1, %xmm0 - movups %xmm0, (%rdi) - ret diff --git a/arch/x86/crypto/ghash-clmulni-intel_glue.c b/arch/x86/crypto/ghash-clmulni-intel_glue.c index b4bf0a63b520..c07446d17463 100644 --- a/arch/x86/crypto/ghash-clmulni-intel_glue.c +++ b/arch/x86/crypto/ghash-clmulni-intel_glue.c @@ -30,8 +30,6 @@ void clmul_ghash_mul(char *dst, const be128 *shash); void clmul_ghash_update(char *dst, const char *src, unsigned int srclen, const be128 *shash); -void clmul_ghash_setkey(be128 *shash, const u8 *key); - struct ghash_async_ctx { struct cryptd_ahash *cryptd_tfm; }; @@ -58,13 +56,23 @@ static int ghash_setkey(struct crypto_shash *tfm, const u8 *key, unsigned int keylen) { struct ghash_ctx *ctx = crypto_shash_ctx(tfm); + be128 *x = (be128 *)key; + u64 a, b; if (keylen != GHASH_BLOCK_SIZE) { crypto_shash_set_flags(tfm, CRYPTO_TFM_RES_BAD_KEY_LEN); return -EINVAL; } - clmul_ghash_setkey(&ctx->shash, key); + /* perform multiplication by 'x' in GF(2^128) */ + a = be64_to_cpu(x->a); + b = be64_to_cpu(x->b); + + ctx->shash.a = (__be64)((b << 1) | (a >> 63)); + ctx->shash.b = (__be64)((a << 1) | (b >> 63)); + + if (a >> 63) + ctx->shash.b ^= cpu_to_be64(0xc2); return 0; } -- 1.8.3.2
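
Review bot: in the second ghash-clmulni-intel_asm.S hunk (@@ -131,27 +127,3 @@) the removed clmul_ghash_setkey ends in a bare ret with no ENDPROC(), which the covering mail names as the only difference from upstream, yet the commit message does not record that backport deviation. Suggest a bracketed line under "commit 8ceee72808d1ae3fb191284afc2257a2be964725 upstream." saying that the 3.4 asm file carries no ENDPROC() after the function, so anyone later comparing the stable and mainline commits can see the difference is intentional.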
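
Review bot: in the ghash_setkey() hunk of ghash-clmulni-intel_glue.c (@@ -58,13 +56,23 @@), the stores "ctx->shash.a = (__be64)((b << 1) | (a >> 63));" and its counterpart for shash.b cast a CPU-order u64 to __be64 without __force, which is the "cast to restricted __be64" sparse warning named in the subject line, and the annotation is misleading because the stored halves are CPU-order rather than big-endian. The following "ctx->shash.b ^= cpu_to_be64(0xc2);" puts 0xc2 in the most significant byte only because x86 is little-endian; writing the constant as (u64)0xc2 << 56 and keeping the derived key in plain u64 fields would state the intent directly and leave nothing for sparse to flag. Minor: "be128 *x = (be128 *)key;" drops the const qualifier from key, so "const be128 *x" would be the tidier declaration.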