Re: [PATCH 2/3] s390/crypto: Rework on paes implementation

[Harald Freudenberger <freude@linux.ibm.com>]

On 22.11.19 15:07, Herbert Xu wrote:
> On Fri, Nov 22, 2019 at 02:38:30PM +0100, Harald Freudenberger wrote:
>> The pkey is in fact a encrypted key + a verification pattern for the
>> encrypted key used. It gets invalid when this encryption key changes.
>> The encryption key changes when the LPAR is re-activated so for
>> example on suspend/resume or an Linux running as kvm guest
>> gets relocated. So this happens very rarely.
> I see.  Is there any way of you finding out that the key has been
> invalidated apart from trying out the crypto and having it fail?
No. By using the pkey for a crypto operation the hardware
checks the verification pattern and if there is a mismatch
it simple rejects the operation. Theoretically such an operation
can only partly complete and then a pkey could get invalid.
I have no way to check if the pkey is still valid before the
cpacf instruction call.
>
> Ideally you'd have a global counter that gets incremented everytime
> an invalidation occurs.  You can then regenerate your key if its
> generation counter differs from the current global counter.
>
> Also when the crypto fails due to an invalid key you're currently
> calling skcipher_walk_done with zero.  This is wrong as the done
> function must be called with a positive value or an error.  In
> some cases this can cause a crash in scatterwalk.
>
> IOW you should just repeat the crypto operation after regenerating
> the key rather than looping around again.
That's right. I'll try to rework the functions this way to
avoid calling skciper_walk_done with 0.

Thanks
>
> Cheers,