All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19  8:24 ` miles.chen
  0 siblings, 0 replies; 100+ messages in thread
From: miles.chen @ 2022-01-19  8:24 UTC (permalink / raw)
  To: Herbert Xu, David S. Miller, Matthias Brugger,
	Jason A. Donenfeld, Greg Kroah-Hartman, Ard Biesheuvel
  Cc: Miles Chen, linux-crypto, linux-kernel, linux-arm-kernel, linux-mediatek

From: Miles Chen <miles.chen@mediatek.com>

With CONFIG_CFI_CLANG=y, we observe a CFI failure of
blake2s_compress_generic.

Reverting commit 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
is a solution for this problem. So I looked into the patch
and I think it is caused by the weak symbols use by blake2s_compress().

To fix it, remove the weak symbol and use CRYPTO_ARCH_HAVE_LIB_BLAKE2S
to select blake2s_compress_arch/blake2s_compress_generic.

log:
[    0.000000][    T0] Kernel panic - not syncing: CFI failure (target: blake2s_compress_generic+0x0/0x1444)
[    0.000000][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-mainline-06981-g076c855b846e #1
[    0.000000][    T0] Hardware name: MT6873 (DT)
[    0.000000][    T0] Call trace:
[    0.000000][    T0]  dump_backtrace+0xfc/0x1dc
[    0.000000][    T0]  dump_stack_lvl+0xa8/0x11c
[    0.000000][    T0]  panic+0x194/0x464
[    0.000000][    T0]  __cfi_check_fail+0x54/0x58
[    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
[    0.000000][    T0]  blake2s_update+0x14c/0x178
[    0.000000][    T0]  _extract_entropy+0xf4/0x29c
[    0.000000][    T0]  crng_initialize_primary+0x24/0x94
[    0.000000][    T0]  rand_initialize+0x2c/0x6c
[    0.000000][    T0]  start_kernel+0x2f8/0x65c
[    0.000000][    T0]  __primary_switched+0xc4/0x7be4
[    0.000000][    T0] Rebooting in 5 seconds..

Fixes: 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
Signed-off-by: Miles Chen <miles.chen@mediatek.com>
---
 lib/crypto/blake2s-generic.c | 3 +--
 lib/crypto/blake2s.c         | 6 ++++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/lib/crypto/blake2s-generic.c b/lib/crypto/blake2s-generic.c
index 75ccb3e633e6..22fa3ea1689e 100644
--- a/lib/crypto/blake2s-generic.c
+++ b/lib/crypto/blake2s-generic.c
@@ -38,8 +38,7 @@ static inline void blake2s_increment_counter(struct blake2s_state *state,
 }
 
 void blake2s_compress(struct blake2s_state *state, const u8 *block,
-		      size_t nblocks, const u32 inc)
-		      __weak __alias(blake2s_compress_generic);
+		      size_t nblocks, const u32 inc);
 
 void blake2s_compress_generic(struct blake2s_state *state, const u8 *block,
 			      size_t nblocks, const u32 inc)
diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
index 93f2ae051370..4055aa593ec4 100644
--- a/lib/crypto/blake2s.c
+++ b/lib/crypto/blake2s.c
@@ -16,6 +16,12 @@
 #include <linux/init.h>
 #include <linux/bug.h>
 
+#if IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S)
+#  define blake2s_compress blake2s_compress_arch
+#else
+#  define blake2s_compress blake2s_compress_generic
+#endif
+
 void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
 {
 	__blake2s_update(state, in, inlen, blake2s_compress);
-- 
2.18.0


^ permalink raw reply related	[flat|nested] 100+ messages in thread

* [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19  8:24 ` miles.chen
  0 siblings, 0 replies; 100+ messages in thread
From: miles.chen @ 2022-01-19  8:24 UTC (permalink / raw)
  To: Herbert Xu, David S. Miller, Matthias Brugger,
	Jason A. Donenfeld, Greg Kroah-Hartman, Ard Biesheuvel
  Cc: Miles Chen, linux-crypto, linux-kernel, linux-arm-kernel, linux-mediatek

From: Miles Chen <miles.chen@mediatek.com>

With CONFIG_CFI_CLANG=y, we observe a CFI failure of
blake2s_compress_generic.

Reverting commit 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
is a solution for this problem. So I looked into the patch
and I think it is caused by the weak symbols use by blake2s_compress().

To fix it, remove the weak symbol and use CRYPTO_ARCH_HAVE_LIB_BLAKE2S
to select blake2s_compress_arch/blake2s_compress_generic.

log:
[    0.000000][    T0] Kernel panic - not syncing: CFI failure (target: blake2s_compress_generic+0x0/0x1444)
[    0.000000][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-mainline-06981-g076c855b846e #1
[    0.000000][    T0] Hardware name: MT6873 (DT)
[    0.000000][    T0] Call trace:
[    0.000000][    T0]  dump_backtrace+0xfc/0x1dc
[    0.000000][    T0]  dump_stack_lvl+0xa8/0x11c
[    0.000000][    T0]  panic+0x194/0x464
[    0.000000][    T0]  __cfi_check_fail+0x54/0x58
[    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
[    0.000000][    T0]  blake2s_update+0x14c/0x178
[    0.000000][    T0]  _extract_entropy+0xf4/0x29c
[    0.000000][    T0]  crng_initialize_primary+0x24/0x94
[    0.000000][    T0]  rand_initialize+0x2c/0x6c
[    0.000000][    T0]  start_kernel+0x2f8/0x65c
[    0.000000][    T0]  __primary_switched+0xc4/0x7be4
[    0.000000][    T0] Rebooting in 5 seconds..

Fixes: 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
Signed-off-by: Miles Chen <miles.chen@mediatek.com>
---
 lib/crypto/blake2s-generic.c | 3 +--
 lib/crypto/blake2s.c         | 6 ++++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/lib/crypto/blake2s-generic.c b/lib/crypto/blake2s-generic.c
index 75ccb3e633e6..22fa3ea1689e 100644
--- a/lib/crypto/blake2s-generic.c
+++ b/lib/crypto/blake2s-generic.c
@@ -38,8 +38,7 @@ static inline void blake2s_increment_counter(struct blake2s_state *state,
 }
 
 void blake2s_compress(struct blake2s_state *state, const u8 *block,
-		      size_t nblocks, const u32 inc)
-		      __weak __alias(blake2s_compress_generic);
+		      size_t nblocks, const u32 inc);
 
 void blake2s_compress_generic(struct blake2s_state *state, const u8 *block,
 			      size_t nblocks, const u32 inc)
diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
index 93f2ae051370..4055aa593ec4 100644
--- a/lib/crypto/blake2s.c
+++ b/lib/crypto/blake2s.c
@@ -16,6 +16,12 @@
 #include <linux/init.h>
 #include <linux/bug.h>
 
+#if IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S)
+#  define blake2s_compress blake2s_compress_arch
+#else
+#  define blake2s_compress blake2s_compress_generic
+#endif
+
 void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
 {
 	__blake2s_update(state, in, inlen, blake2s_compress);
-- 
2.18.0


_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply related	[flat|nested] 100+ messages in thread

* [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19  8:24 ` miles.chen
  0 siblings, 0 replies; 100+ messages in thread
From: miles.chen @ 2022-01-19  8:24 UTC (permalink / raw)
  To: Herbert Xu, David S. Miller, Matthias Brugger,
	Jason A. Donenfeld, Greg Kroah-Hartman, Ard Biesheuvel
  Cc: Miles Chen, linux-crypto, linux-kernel, linux-arm-kernel, linux-mediatek

From: Miles Chen <miles.chen@mediatek.com>

With CONFIG_CFI_CLANG=y, we observe a CFI failure of
blake2s_compress_generic.

Reverting commit 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
is a solution for this problem. So I looked into the patch
and I think it is caused by the weak symbols use by blake2s_compress().

To fix it, remove the weak symbol and use CRYPTO_ARCH_HAVE_LIB_BLAKE2S
to select blake2s_compress_arch/blake2s_compress_generic.

log:
[    0.000000][    T0] Kernel panic - not syncing: CFI failure (target: blake2s_compress_generic+0x0/0x1444)
[    0.000000][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-mainline-06981-g076c855b846e #1
[    0.000000][    T0] Hardware name: MT6873 (DT)
[    0.000000][    T0] Call trace:
[    0.000000][    T0]  dump_backtrace+0xfc/0x1dc
[    0.000000][    T0]  dump_stack_lvl+0xa8/0x11c
[    0.000000][    T0]  panic+0x194/0x464
[    0.000000][    T0]  __cfi_check_fail+0x54/0x58
[    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
[    0.000000][    T0]  blake2s_update+0x14c/0x178
[    0.000000][    T0]  _extract_entropy+0xf4/0x29c
[    0.000000][    T0]  crng_initialize_primary+0x24/0x94
[    0.000000][    T0]  rand_initialize+0x2c/0x6c
[    0.000000][    T0]  start_kernel+0x2f8/0x65c
[    0.000000][    T0]  __primary_switched+0xc4/0x7be4
[    0.000000][    T0] Rebooting in 5 seconds..

Fixes: 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
Signed-off-by: Miles Chen <miles.chen@mediatek.com>
---
 lib/crypto/blake2s-generic.c | 3 +--
 lib/crypto/blake2s.c         | 6 ++++++
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/lib/crypto/blake2s-generic.c b/lib/crypto/blake2s-generic.c
index 75ccb3e633e6..22fa3ea1689e 100644
--- a/lib/crypto/blake2s-generic.c
+++ b/lib/crypto/blake2s-generic.c
@@ -38,8 +38,7 @@ static inline void blake2s_increment_counter(struct blake2s_state *state,
 }
 
 void blake2s_compress(struct blake2s_state *state, const u8 *block,
-		      size_t nblocks, const u32 inc)
-		      __weak __alias(blake2s_compress_generic);
+		      size_t nblocks, const u32 inc);
 
 void blake2s_compress_generic(struct blake2s_state *state, const u8 *block,
 			      size_t nblocks, const u32 inc)
diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
index 93f2ae051370..4055aa593ec4 100644
--- a/lib/crypto/blake2s.c
+++ b/lib/crypto/blake2s.c
@@ -16,6 +16,12 @@
 #include <linux/init.h>
 #include <linux/bug.h>
 
+#if IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S)
+#  define blake2s_compress blake2s_compress_arch
+#else
+#  define blake2s_compress blake2s_compress_generic
+#endif
+
 void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
 {
 	__blake2s_update(state, in, inlen, blake2s_compress);
-- 
2.18.0


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply related	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
  2022-01-19  8:24 ` miles.chen
  (?)
@ 2022-01-19  9:00   ` Jason A. Donenfeld
  -1 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19  9:00 UTC (permalink / raw)
  To: miles.chen
  Cc: Herbert Xu, David S. Miller, Matthias Brugger,
	Greg Kroah-Hartman, Ard Biesheuvel, linux-crypto, linux-kernel,
	linux-arm-kernel, linux-mediatek

Hi Miles,

Thanks for the patch. Could you let me know which architecture and
compiler this was broken on? If I had to guess, I'd wager arm32, and
you hit this by enabling optimized blake2s?

If so, I'm not sure the problem is with weak symbols. Why should CFI
break weak symbols? Rather, perhaps the issue is that the function is
defined in blake2s-core.S? Are there some CFI macros we need for that
definition?

Jason

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19  9:00   ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19  9:00 UTC (permalink / raw)
  To: miles.chen
  Cc: Herbert Xu, David S. Miller, Matthias Brugger,
	Greg Kroah-Hartman, Ard Biesheuvel, linux-crypto, linux-kernel,
	linux-arm-kernel, linux-mediatek

Hi Miles,

Thanks for the patch. Could you let me know which architecture and
compiler this was broken on? If I had to guess, I'd wager arm32, and
you hit this by enabling optimized blake2s?

If so, I'm not sure the problem is with weak symbols. Why should CFI
break weak symbols? Rather, perhaps the issue is that the function is
defined in blake2s-core.S? Are there some CFI macros we need for that
definition?

Jason

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19  9:00   ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19  9:00 UTC (permalink / raw)
  To: miles.chen
  Cc: Herbert Xu, David S. Miller, Matthias Brugger,
	Greg Kroah-Hartman, Ard Biesheuvel, linux-crypto, linux-kernel,
	linux-arm-kernel, linux-mediatek

Hi Miles,

Thanks for the patch. Could you let me know which architecture and
compiler this was broken on? If I had to guess, I'd wager arm32, and
you hit this by enabling optimized blake2s?

If so, I'm not sure the problem is with weak symbols. Why should CFI
break weak symbols? Rather, perhaps the issue is that the function is
defined in blake2s-core.S? Are there some CFI macros we need for that
definition?

Jason

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
  2022-01-19  9:00   ` Jason A. Donenfeld
  (?)
@ 2022-01-19  9:09     ` Jason A. Donenfeld
  -1 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19  9:09 UTC (permalink / raw)
  To: miles.chen
  Cc: Herbert Xu, David S. Miller, Matthias Brugger,
	Greg Kroah-Hartman, Ard Biesheuvel, linux-crypto, linux-kernel,
	linux-arm-kernel, linux-mediatek

Hey again,

Actually... It looks like the issue is that in this file:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/crypto/internal/blake2s.h

this line

typedef void (*blake2s_compress_t)(struct blake2s_state *state,
				   const u8 *block, size_t nblocks, u32 inc);

should become

typedef void (*blake2s_compress_t)(struct blake2s_state *state,
				   const u8 *block, size_t nblocks, const u32 inc);

Does making that change fix things for you?

Thanks,
Jason

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19  9:09     ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19  9:09 UTC (permalink / raw)
  To: miles.chen
  Cc: Herbert Xu, David S. Miller, Matthias Brugger,
	Greg Kroah-Hartman, Ard Biesheuvel, linux-crypto, linux-kernel,
	linux-arm-kernel, linux-mediatek

Hey again,

Actually... It looks like the issue is that in this file:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/crypto/internal/blake2s.h

this line

typedef void (*blake2s_compress_t)(struct blake2s_state *state,
				   const u8 *block, size_t nblocks, u32 inc);

should become

typedef void (*blake2s_compress_t)(struct blake2s_state *state,
				   const u8 *block, size_t nblocks, const u32 inc);

Does making that change fix things for you?

Thanks,
Jason

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19  9:09     ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19  9:09 UTC (permalink / raw)
  To: miles.chen
  Cc: Herbert Xu, David S. Miller, Matthias Brugger,
	Greg Kroah-Hartman, Ard Biesheuvel, linux-crypto, linux-kernel,
	linux-arm-kernel, linux-mediatek

Hey again,

Actually... It looks like the issue is that in this file:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/crypto/internal/blake2s.h

this line

typedef void (*blake2s_compress_t)(struct blake2s_state *state,
				   const u8 *block, size_t nblocks, u32 inc);

should become

typedef void (*blake2s_compress_t)(struct blake2s_state *state,
				   const u8 *block, size_t nblocks, const u32 inc);

Does making that change fix things for you?

Thanks,
Jason

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
  2022-01-19  9:00   ` Jason A. Donenfeld
  (?)
@ 2022-01-19  9:09     ` Ard Biesheuvel
  -1 siblings, 0 replies; 100+ messages in thread
From: Ard Biesheuvel @ 2022-01-19  9:09 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Miles Chen (陳民樺),
	Herbert Xu, David S. Miller, Matthias Brugger,
	Greg Kroah-Hartman, Linux Crypto Mailing List,
	Linux Kernel Mailing List, Linux ARM, linux-mediatek,
	Eric Biggers, Sami Tolvanen

(+ Sami, Eric)

On Wed, 19 Jan 2022 at 10:00, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> Hi Miles,
>
> Thanks for the patch. Could you let me know which architecture and
> compiler this was broken on? If I had to guess, I'd wager arm32, and
> you hit this by enabling optimized blake2s?
>
> If so, I'm not sure the problem is with weak symbols. Why should CFI
> break weak symbols? Rather, perhaps the issue is that the function is
> defined in blake2s-core.S? Are there some CFI macros we need for that
> definition?
>

We should try to understand why CFI thinks the prototypes of the two
symbols are different. There are still a number of issues with CFI, so
papering over them by reverting stuff that we want for good reasons is
not the way to go imo.

In the short term, you can work around it by avoiding the indirect
call to blake2s_compress, e.g.,

diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
index 93f2ae051370..fef2ff678431 100644
--- a/lib/crypto/blake2s.c
+++ b/lib/crypto/blake2s.c
@@ -16,9 +16,15 @@
 #include <linux/init.h>
 #include <linux/bug.h>

+static void __blake2s_compress(struct blake2s_state *state, const u8 *block,
+                              size_t nblocks, const u32 inc)
+{
+       return blake2s_compress(state, block, nblocks, inc);
+}
+
 void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
 {
-       __blake2s_update(state, in, inlen, blake2s_compress);
+       __blake2s_update(state, in, inlen, __blake2s_compress);
 }
 EXPORT_SYMBOL(blake2s_update);

^ permalink raw reply related	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19  9:09     ` Ard Biesheuvel
  0 siblings, 0 replies; 100+ messages in thread
From: Ard Biesheuvel @ 2022-01-19  9:09 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Miles Chen (陳民樺),
	Herbert Xu, David S. Miller, Matthias Brugger,
	Greg Kroah-Hartman, Linux Crypto Mailing List,
	Linux Kernel Mailing List, Linux ARM, linux-mediatek,
	Eric Biggers, Sami Tolvanen

(+ Sami, Eric)

On Wed, 19 Jan 2022 at 10:00, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> Hi Miles,
>
> Thanks for the patch. Could you let me know which architecture and
> compiler this was broken on? If I had to guess, I'd wager arm32, and
> you hit this by enabling optimized blake2s?
>
> If so, I'm not sure the problem is with weak symbols. Why should CFI
> break weak symbols? Rather, perhaps the issue is that the function is
> defined in blake2s-core.S? Are there some CFI macros we need for that
> definition?
>

We should try to understand why CFI thinks the prototypes of the two
symbols are different. There are still a number of issues with CFI, so
papering over them by reverting stuff that we want for good reasons is
not the way to go imo.

In the short term, you can work around it by avoiding the indirect
call to blake2s_compress, e.g.,

diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
index 93f2ae051370..fef2ff678431 100644
--- a/lib/crypto/blake2s.c
+++ b/lib/crypto/blake2s.c
@@ -16,9 +16,15 @@
 #include <linux/init.h>
 #include <linux/bug.h>

+static void __blake2s_compress(struct blake2s_state *state, const u8 *block,
+                              size_t nblocks, const u32 inc)
+{
+       return blake2s_compress(state, block, nblocks, inc);
+}
+
 void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
 {
-       __blake2s_update(state, in, inlen, blake2s_compress);
+       __blake2s_update(state, in, inlen, __blake2s_compress);
 }
 EXPORT_SYMBOL(blake2s_update);

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply related	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19  9:09     ` Ard Biesheuvel
  0 siblings, 0 replies; 100+ messages in thread
From: Ard Biesheuvel @ 2022-01-19  9:09 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Miles Chen (陳民樺),
	Herbert Xu, David S. Miller, Matthias Brugger,
	Greg Kroah-Hartman, Linux Crypto Mailing List,
	Linux Kernel Mailing List, Linux ARM, linux-mediatek,
	Eric Biggers, Sami Tolvanen

(+ Sami, Eric)

On Wed, 19 Jan 2022 at 10:00, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> Hi Miles,
>
> Thanks for the patch. Could you let me know which architecture and
> compiler this was broken on? If I had to guess, I'd wager arm32, and
> you hit this by enabling optimized blake2s?
>
> If so, I'm not sure the problem is with weak symbols. Why should CFI
> break weak symbols? Rather, perhaps the issue is that the function is
> defined in blake2s-core.S? Are there some CFI macros we need for that
> definition?
>

We should try to understand why CFI thinks the prototypes of the two
symbols are different. There are still a number of issues with CFI, so
papering over them by reverting stuff that we want for good reasons is
not the way to go imo.

In the short term, you can work around it by avoiding the indirect
call to blake2s_compress, e.g.,

diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
index 93f2ae051370..fef2ff678431 100644
--- a/lib/crypto/blake2s.c
+++ b/lib/crypto/blake2s.c
@@ -16,9 +16,15 @@
 #include <linux/init.h>
 #include <linux/bug.h>

+static void __blake2s_compress(struct blake2s_state *state, const u8 *block,
+                              size_t nblocks, const u32 inc)
+{
+       return blake2s_compress(state, block, nblocks, inc);
+}
+
 void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
 {
-       __blake2s_update(state, in, inlen, blake2s_compress);
+       __blake2s_update(state, in, inlen, __blake2s_compress);
 }
 EXPORT_SYMBOL(blake2s_update);

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply related	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
  2022-01-19  9:09     ` Ard Biesheuvel
  (?)
@ 2022-01-19  9:13       ` Ard Biesheuvel
  -1 siblings, 0 replies; 100+ messages in thread
From: Ard Biesheuvel @ 2022-01-19  9:13 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Miles Chen (陳民樺),
	Herbert Xu, David S. Miller, Matthias Brugger,
	Greg Kroah-Hartman, Linux Crypto Mailing List,
	Linux Kernel Mailing List, Linux ARM, linux-mediatek,
	Eric Biggers, Sami Tolvanen

On Wed, 19 Jan 2022 at 10:09, Ard Biesheuvel <ardb@kernel.org> wrote:
>
> (+ Sami, Eric)
>
> On Wed, 19 Jan 2022 at 10:00, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> >
> > Hi Miles,
> >
> > Thanks for the patch. Could you let me know which architecture and
> > compiler this was broken on? If I had to guess, I'd wager arm32, and
> > you hit this by enabling optimized blake2s?
> >
> > If so, I'm not sure the problem is with weak symbols. Why should CFI
> > break weak symbols? Rather, perhaps the issue is that the function is
> > defined in blake2s-core.S? Are there some CFI macros we need for that
> > definition?
> >
>
> We should try to understand why CFI thinks the prototypes of the two
> symbols are different. There are still a number of issues with CFI, so
> papering over them by reverting stuff that we want for good reasons is
> not the way to go imo.
>
> In the short term, you can work around it by avoiding the indirect
> call to blake2s_compress, e.g.,
>
> diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
> index 93f2ae051370..fef2ff678431 100644
> --- a/lib/crypto/blake2s.c
> +++ b/lib/crypto/blake2s.c
> @@ -16,9 +16,15 @@
>  #include <linux/init.h>
>  #include <linux/bug.h>
>
> +static void __blake2s_compress(struct blake2s_state *state, const u8 *block,
> +                              size_t nblocks, const u32 inc)
> +{
> +       return blake2s_compress(state, block, nblocks, inc);
> +}
> +
>  void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
>  {
> -       __blake2s_update(state, in, inlen, blake2s_compress);
> +       __blake2s_update(state, in, inlen, __blake2s_compress);
>  }
>  EXPORT_SYMBOL(blake2s_update);

Ehm, maybe not. As Jason points out, the typedef does not have quite
the right type, so that is most likely the culprit, and this
workaround would trigger CFI in exactly the same way.

Interestingly, the compiler does not seem to mind, right? Or are you
seeing any build time warnings on the reference to blake2s_compress in
the call to __blake2s_update() ?

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19  9:13       ` Ard Biesheuvel
  0 siblings, 0 replies; 100+ messages in thread
From: Ard Biesheuvel @ 2022-01-19  9:13 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Miles Chen (陳民樺),
	Herbert Xu, David S. Miller, Matthias Brugger,
	Greg Kroah-Hartman, Linux Crypto Mailing List,
	Linux Kernel Mailing List, Linux ARM, linux-mediatek,
	Eric Biggers, Sami Tolvanen

On Wed, 19 Jan 2022 at 10:09, Ard Biesheuvel <ardb@kernel.org> wrote:
>
> (+ Sami, Eric)
>
> On Wed, 19 Jan 2022 at 10:00, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> >
> > Hi Miles,
> >
> > Thanks for the patch. Could you let me know which architecture and
> > compiler this was broken on? If I had to guess, I'd wager arm32, and
> > you hit this by enabling optimized blake2s?
> >
> > If so, I'm not sure the problem is with weak symbols. Why should CFI
> > break weak symbols? Rather, perhaps the issue is that the function is
> > defined in blake2s-core.S? Are there some CFI macros we need for that
> > definition?
> >
>
> We should try to understand why CFI thinks the prototypes of the two
> symbols are different. There are still a number of issues with CFI, so
> papering over them by reverting stuff that we want for good reasons is
> not the way to go imo.
>
> In the short term, you can work around it by avoiding the indirect
> call to blake2s_compress, e.g.,
>
> diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
> index 93f2ae051370..fef2ff678431 100644
> --- a/lib/crypto/blake2s.c
> +++ b/lib/crypto/blake2s.c
> @@ -16,9 +16,15 @@
>  #include <linux/init.h>
>  #include <linux/bug.h>
>
> +static void __blake2s_compress(struct blake2s_state *state, const u8 *block,
> +                              size_t nblocks, const u32 inc)
> +{
> +       return blake2s_compress(state, block, nblocks, inc);
> +}
> +
>  void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
>  {
> -       __blake2s_update(state, in, inlen, blake2s_compress);
> +       __blake2s_update(state, in, inlen, __blake2s_compress);
>  }
>  EXPORT_SYMBOL(blake2s_update);

Ehm, maybe not. As Jason points out, the typedef does not have quite
the right type, so that is most likely the culprit, and this
workaround would trigger CFI in exactly the same way.

Interestingly, the compiler does not seem to mind, right? Or are you
seeing any build time warnings on the reference to blake2s_compress in
the call to __blake2s_update() ?

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19  9:13       ` Ard Biesheuvel
  0 siblings, 0 replies; 100+ messages in thread
From: Ard Biesheuvel @ 2022-01-19  9:13 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Miles Chen (陳民樺),
	Herbert Xu, David S. Miller, Matthias Brugger,
	Greg Kroah-Hartman, Linux Crypto Mailing List,
	Linux Kernel Mailing List, Linux ARM, linux-mediatek,
	Eric Biggers, Sami Tolvanen

On Wed, 19 Jan 2022 at 10:09, Ard Biesheuvel <ardb@kernel.org> wrote:
>
> (+ Sami, Eric)
>
> On Wed, 19 Jan 2022 at 10:00, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> >
> > Hi Miles,
> >
> > Thanks for the patch. Could you let me know which architecture and
> > compiler this was broken on? If I had to guess, I'd wager arm32, and
> > you hit this by enabling optimized blake2s?
> >
> > If so, I'm not sure the problem is with weak symbols. Why should CFI
> > break weak symbols? Rather, perhaps the issue is that the function is
> > defined in blake2s-core.S? Are there some CFI macros we need for that
> > definition?
> >
>
> We should try to understand why CFI thinks the prototypes of the two
> symbols are different. There are still a number of issues with CFI, so
> papering over them by reverting stuff that we want for good reasons is
> not the way to go imo.
>
> In the short term, you can work around it by avoiding the indirect
> call to blake2s_compress, e.g.,
>
> diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
> index 93f2ae051370..fef2ff678431 100644
> --- a/lib/crypto/blake2s.c
> +++ b/lib/crypto/blake2s.c
> @@ -16,9 +16,15 @@
>  #include <linux/init.h>
>  #include <linux/bug.h>
>
> +static void __blake2s_compress(struct blake2s_state *state, const u8 *block,
> +                              size_t nblocks, const u32 inc)
> +{
> +       return blake2s_compress(state, block, nblocks, inc);
> +}
> +
>  void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
>  {
> -       __blake2s_update(state, in, inlen, blake2s_compress);
> +       __blake2s_update(state, in, inlen, __blake2s_compress);
>  }
>  EXPORT_SYMBOL(blake2s_update);

Ehm, maybe not. As Jason points out, the typedef does not have quite
the right type, so that is most likely the culprit, and this
workaround would trigger CFI in exactly the same way.

Interestingly, the compiler does not seem to mind, right? Or are you
seeing any build time warnings on the reference to blake2s_compress in
the call to __blake2s_update() ?

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
  2022-01-19  9:09     ` Jason A. Donenfeld
  (?)
@ 2022-01-19  9:16       ` Miles Chen
  -1 siblings, 0 replies; 100+ messages in thread
From: Miles Chen @ 2022-01-19  9:16 UTC (permalink / raw)
  To: jason
  Cc: ardb, davem, gregkh, herbert, linux-arm-kernel, linux-crypto,
	linux-kernel, linux-mediatek, matthias.bgg, miles.chen

>typedef void (*blake2s_compress_t)(struct blake2s_state *state,
>				   const u8 *block, size_t nblocks, u32 inc);
>
>should become
>
>typedef void (*blake2s_compress_t)(struct blake2s_state *state,
>				   const u8 *block, size_t nblocks, const u32 inc);
>
>Does making that change fix things for you?
>
>Thanks,
>Jason

Thanks for your fast response.
It does not work. I tried this before reverting the commit 6048fdcc5f26.

Miles

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19  9:16       ` Miles Chen
  0 siblings, 0 replies; 100+ messages in thread
From: Miles Chen @ 2022-01-19  9:16 UTC (permalink / raw)
  To: jason
  Cc: ardb, davem, gregkh, herbert, linux-arm-kernel, linux-crypto,
	linux-kernel, linux-mediatek, matthias.bgg, miles.chen

>typedef void (*blake2s_compress_t)(struct blake2s_state *state,
>				   const u8 *block, size_t nblocks, u32 inc);
>
>should become
>
>typedef void (*blake2s_compress_t)(struct blake2s_state *state,
>				   const u8 *block, size_t nblocks, const u32 inc);
>
>Does making that change fix things for you?
>
>Thanks,
>Jason

Thanks for your fast response.
It does not work. I tried this before reverting the commit 6048fdcc5f26.

Miles

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19  9:16       ` Miles Chen
  0 siblings, 0 replies; 100+ messages in thread
From: Miles Chen @ 2022-01-19  9:16 UTC (permalink / raw)
  To: jason
  Cc: ardb, davem, gregkh, herbert, linux-arm-kernel, linux-crypto,
	linux-kernel, linux-mediatek, matthias.bgg, miles.chen

>typedef void (*blake2s_compress_t)(struct blake2s_state *state,
>				   const u8 *block, size_t nblocks, u32 inc);
>
>should become
>
>typedef void (*blake2s_compress_t)(struct blake2s_state *state,
>				   const u8 *block, size_t nblocks, const u32 inc);
>
>Does making that change fix things for you?
>
>Thanks,
>Jason

Thanks for your fast response.
It does not work. I tried this before reverting the commit 6048fdcc5f26.

Miles

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
  2022-01-19  9:00   ` Jason A. Donenfeld
  (?)
@ 2022-01-19  9:24     ` Miles Chen
  -1 siblings, 0 replies; 100+ messages in thread
From: Miles Chen @ 2022-01-19  9:24 UTC (permalink / raw)
  To: jason
  Cc: ardb, davem, gregkh, herbert, linux-arm-kernel, linux-crypto,
	linux-kernel, linux-mediatek, matthias.bgg, miles.chen

hi,

>Thanks for the patch. Could you let me know which architecture and
>compiler this was broken on? If I had to guess, I'd wager arm32, and
>you hit this by enabling optimized blake2s?

Actually, I am merging android-common tree and test our device.
I use arm64 and clang-r437112b.

I'm not sure which option is the right one, grep 'BLAKE' .config shows:

CONFIG_CRYPTO_BLAKE2B=y
# CONFIG_CRYPTO_BLAKE2S is not set
# CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y

and... I found that my patch breaks arm32 build, sorry for that.

>If so, I'm not sure the problem is with weak symbols. Why should CFI
>break weak symbols? Rather, perhaps the issue is that the function is
>defined in blake2s-core.S? Are there some CFI macros we need for that
>definition?


^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19  9:24     ` Miles Chen
  0 siblings, 0 replies; 100+ messages in thread
From: Miles Chen @ 2022-01-19  9:24 UTC (permalink / raw)
  To: jason
  Cc: ardb, davem, gregkh, herbert, linux-arm-kernel, linux-crypto,
	linux-kernel, linux-mediatek, matthias.bgg, miles.chen

hi,

>Thanks for the patch. Could you let me know which architecture and
>compiler this was broken on? If I had to guess, I'd wager arm32, and
>you hit this by enabling optimized blake2s?

Actually, I am merging android-common tree and test our device.
I use arm64 and clang-r437112b.

I'm not sure which option is the right one, grep 'BLAKE' .config shows:

CONFIG_CRYPTO_BLAKE2B=y
# CONFIG_CRYPTO_BLAKE2S is not set
# CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y

and... I found that my patch breaks arm32 build, sorry for that.

>If so, I'm not sure the problem is with weak symbols. Why should CFI
>break weak symbols? Rather, perhaps the issue is that the function is
>defined in blake2s-core.S? Are there some CFI macros we need for that
>definition?


_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19  9:24     ` Miles Chen
  0 siblings, 0 replies; 100+ messages in thread
From: Miles Chen @ 2022-01-19  9:24 UTC (permalink / raw)
  To: jason
  Cc: ardb, davem, gregkh, herbert, linux-arm-kernel, linux-crypto,
	linux-kernel, linux-mediatek, matthias.bgg, miles.chen

hi,

>Thanks for the patch. Could you let me know which architecture and
>compiler this was broken on? If I had to guess, I'd wager arm32, and
>you hit this by enabling optimized blake2s?

Actually, I am merging android-common tree and test our device.
I use arm64 and clang-r437112b.

I'm not sure which option is the right one, grep 'BLAKE' .config shows:

CONFIG_CRYPTO_BLAKE2B=y
# CONFIG_CRYPTO_BLAKE2S is not set
# CONFIG_CRYPTO_LIB_BLAKE2S_GENERIC=y

and... I found that my patch breaks arm32 build, sorry for that.

>If so, I'm not sure the problem is with weak symbols. Why should CFI
>break weak symbols? Rather, perhaps the issue is that the function is
>defined in blake2s-core.S? Are there some CFI macros we need for that
>definition?


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
  2022-01-19  9:13       ` Ard Biesheuvel
  (?)
@ 2022-01-19  9:43         ` Miles Chen
  -1 siblings, 0 replies; 100+ messages in thread
From: Miles Chen @ 2022-01-19  9:43 UTC (permalink / raw)
  To: ardb
  Cc: Jason, davem, ebiggers, gregkh, herbert, linux-arm-kernel,
	linux-crypto, linux-kernel, linux-mediatek, matthias.bgg,
	miles.chen, samitolvanen

>Ehm, maybe not. As Jason points out, the typedef does not have quite
>the right type, so that is most likely the culprit, and this
>workaround would trigger CFI in exactly the same way.
>
>Interestingly, the compiler does not seem to mind, right? Or are you
>seeing any build time warnings on the reference to blake2s_compress in
>the call to __blake2s_update() ?

No, no warnings as the -Wcast-function-type is globally enabled.
I cleaned some cast-function-type errors but no warnings in
__blake2s_update.


Miles

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19  9:43         ` Miles Chen
  0 siblings, 0 replies; 100+ messages in thread
From: Miles Chen @ 2022-01-19  9:43 UTC (permalink / raw)
  To: ardb
  Cc: Jason, davem, ebiggers, gregkh, herbert, linux-arm-kernel,
	linux-crypto, linux-kernel, linux-mediatek, matthias.bgg,
	miles.chen, samitolvanen

>Ehm, maybe not. As Jason points out, the typedef does not have quite
>the right type, so that is most likely the culprit, and this
>workaround would trigger CFI in exactly the same way.
>
>Interestingly, the compiler does not seem to mind, right? Or are you
>seeing any build time warnings on the reference to blake2s_compress in
>the call to __blake2s_update() ?

No, no warnings as the -Wcast-function-type is globally enabled.
I cleaned some cast-function-type errors but no warnings in
__blake2s_update.


Miles

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19  9:43         ` Miles Chen
  0 siblings, 0 replies; 100+ messages in thread
From: Miles Chen @ 2022-01-19  9:43 UTC (permalink / raw)
  To: ardb
  Cc: Jason, davem, ebiggers, gregkh, herbert, linux-arm-kernel,
	linux-crypto, linux-kernel, linux-mediatek, matthias.bgg,
	miles.chen, samitolvanen

>Ehm, maybe not. As Jason points out, the typedef does not have quite
>the right type, so that is most likely the culprit, and this
>workaround would trigger CFI in exactly the same way.
>
>Interestingly, the compiler does not seem to mind, right? Or are you
>seeing any build time warnings on the reference to blake2s_compress in
>the call to __blake2s_update() ?

No, no warnings as the -Wcast-function-type is globally enabled.
I cleaned some cast-function-type errors but no warnings in
__blake2s_update.


Miles

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
  2022-01-19  9:24     ` Miles Chen
  (?)
@ 2022-01-19  9:55       ` Jason A. Donenfeld
  -1 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19  9:55 UTC (permalink / raw)
  To: Miles Chen
  Cc: ndesaulniers, nathan, ardb, davem, gregkh, herbert,
	linux-arm-kernel, linux-crypto, linux-kernel, linux-mediatek,
	matthias.bgg

Hi Miles,

I'm actually not able to reproduce your oops. I'm using vanilla clang
13, cross compiling for arm64, with thin LTO enabled and CFI enabled.
Kernel seems to run fine.

Are there other settings that are needed to trigger this? Do you see
it in upstream clang or just the Android fork of clang?

Jason

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19  9:55       ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19  9:55 UTC (permalink / raw)
  To: Miles Chen
  Cc: ndesaulniers, nathan, ardb, davem, gregkh, herbert,
	linux-arm-kernel, linux-crypto, linux-kernel, linux-mediatek,
	matthias.bgg

Hi Miles,

I'm actually not able to reproduce your oops. I'm using vanilla clang
13, cross compiling for arm64, with thin LTO enabled and CFI enabled.
Kernel seems to run fine.

Are there other settings that are needed to trigger this? Do you see
it in upstream clang or just the Android fork of clang?

Jason

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19  9:55       ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19  9:55 UTC (permalink / raw)
  To: Miles Chen
  Cc: ndesaulniers, nathan, ardb, davem, gregkh, herbert,
	linux-arm-kernel, linux-crypto, linux-kernel, linux-mediatek,
	matthias.bgg

Hi Miles,

I'm actually not able to reproduce your oops. I'm using vanilla clang
13, cross compiling for arm64, with thin LTO enabled and CFI enabled.
Kernel seems to run fine.

Are there other settings that are needed to trigger this? Do you see
it in upstream clang or just the Android fork of clang?

Jason

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
  2022-01-19  9:55       ` Jason A. Donenfeld
  (?)
@ 2022-01-19 10:06         ` Miles Chen
  -1 siblings, 0 replies; 100+ messages in thread
From: Miles Chen @ 2022-01-19 10:06 UTC (permalink / raw)
  To: jason
  Cc: ardb, davem, gregkh, herbert, linux-arm-kernel, linux-crypto,
	linux-kernel, linux-mediatek, matthias.bgg, miles.chen, nathan,
	ndesaulniers

Hi,

>Hi Miles,
>
>I'm actually not able to reproduce your oops. I'm using vanilla clang
>13, cross compiling for arm64, with thin LTO enabled and CFI enabled.
>Kernel seems to run fine.
>
>
>Are there other settings that are needed to trigger this? Do you see
>it in upstream clang or just the Android fork of clang?
>
I will try another clang (the previous version I use).
I am using Android fork of clang and there is a clang upgrade in this merge.

Miles


^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 10:06         ` Miles Chen
  0 siblings, 0 replies; 100+ messages in thread
From: Miles Chen @ 2022-01-19 10:06 UTC (permalink / raw)
  To: jason
  Cc: ardb, davem, gregkh, herbert, linux-arm-kernel, linux-crypto,
	linux-kernel, linux-mediatek, matthias.bgg, miles.chen, nathan,
	ndesaulniers

Hi,

>Hi Miles,
>
>I'm actually not able to reproduce your oops. I'm using vanilla clang
>13, cross compiling for arm64, with thin LTO enabled and CFI enabled.
>Kernel seems to run fine.
>
>
>Are there other settings that are needed to trigger this? Do you see
>it in upstream clang or just the Android fork of clang?
>
I will try another clang (the previous version I use).
I am using Android fork of clang and there is a clang upgrade in this merge.

Miles


_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 10:06         ` Miles Chen
  0 siblings, 0 replies; 100+ messages in thread
From: Miles Chen @ 2022-01-19 10:06 UTC (permalink / raw)
  To: jason
  Cc: ardb, davem, gregkh, herbert, linux-arm-kernel, linux-crypto,
	linux-kernel, linux-mediatek, matthias.bgg, miles.chen, nathan,
	ndesaulniers

Hi,

>Hi Miles,
>
>I'm actually not able to reproduce your oops. I'm using vanilla clang
>13, cross compiling for arm64, with thin LTO enabled and CFI enabled.
>Kernel seems to run fine.
>
>
>Are there other settings that are needed to trigger this? Do you see
>it in upstream clang or just the Android fork of clang?
>
I will try another clang (the previous version I use).
I am using Android fork of clang and there is a clang upgrade in this merge.

Miles


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
  2022-01-19  9:09     ` Ard Biesheuvel
  (?)
@ 2022-01-19 10:10       ` Miles Chen
  -1 siblings, 0 replies; 100+ messages in thread
From: Miles Chen @ 2022-01-19 10:10 UTC (permalink / raw)
  To: ardb
  Cc: Jason, davem, ebiggers, gregkh, herbert, linux-arm-kernel,
	linux-crypto, linux-kernel, linux-mediatek, matthias.bgg,
	miles.chen, samitolvanen

Hi, 

> We should try to understand why CFI thinks the prototypes of the two
> symbols are different. There are still a number of issues with CFI, so
> papering over them by reverting stuff that we want for good reasons is
> not the way to go imo.
> 
> In the short term, you can work around it by avoiding the indirect
> call to blake2s_compress, e.g.,

Thanks for the patch. I tried it and the issue remains.
As Jason said, he cannot reproduce this issue. I will try another version
of clang next.

Miles

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 10:10       ` Miles Chen
  0 siblings, 0 replies; 100+ messages in thread
From: Miles Chen @ 2022-01-19 10:10 UTC (permalink / raw)
  To: ardb
  Cc: Jason, davem, ebiggers, gregkh, herbert, linux-arm-kernel,
	linux-crypto, linux-kernel, linux-mediatek, matthias.bgg,
	miles.chen, samitolvanen

Hi, 

> We should try to understand why CFI thinks the prototypes of the two
> symbols are different. There are still a number of issues with CFI, so
> papering over them by reverting stuff that we want for good reasons is
> not the way to go imo.
> 
> In the short term, you can work around it by avoiding the indirect
> call to blake2s_compress, e.g.,

Thanks for the patch. I tried it and the issue remains.
As Jason said, he cannot reproduce this issue. I will try another version
of clang next.

Miles

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 10:10       ` Miles Chen
  0 siblings, 0 replies; 100+ messages in thread
From: Miles Chen @ 2022-01-19 10:10 UTC (permalink / raw)
  To: ardb
  Cc: Jason, davem, ebiggers, gregkh, herbert, linux-arm-kernel,
	linux-crypto, linux-kernel, linux-mediatek, matthias.bgg,
	miles.chen, samitolvanen

Hi, 

> We should try to understand why CFI thinks the prototypes of the two
> symbols are different. There are still a number of issues with CFI, so
> papering over them by reverting stuff that we want for good reasons is
> not the way to go imo.
> 
> In the short term, you can work around it by avoiding the indirect
> call to blake2s_compress, e.g.,

Thanks for the patch. I tried it and the issue remains.
As Jason said, he cannot reproduce this issue. I will try another version
of clang next.

Miles

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
  2022-01-19 10:06         ` Miles Chen
  (?)
@ 2022-01-19 10:11           ` Jason A. Donenfeld
  -1 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19 10:11 UTC (permalink / raw)
  To: Miles Chen
  Cc: ardb, davem, gregkh, herbert, linux-arm-kernel, linux-crypto,
	linux-kernel, linux-mediatek, matthias.bgg, nathan, ndesaulniers

Hi Miles,

Okay. Keep me posted.

Just FYI, as mentioned, I'm unable to reproduce this, and you haven't
provided any further minimized guidance on how I might reproduce this,
so it'll sit in the "not a bug" bin until I have another clue on how
to reproduce. Alternatively, Nick and Nathan are now on this thread
and they usually have good luck teasing out compiler issues and such,
so maybe they'll have an idea. But I'm afraid with the information I
currently have, I'm at a dead end.

Jason

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 10:11           ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19 10:11 UTC (permalink / raw)
  To: Miles Chen
  Cc: ardb, davem, gregkh, herbert, linux-arm-kernel, linux-crypto,
	linux-kernel, linux-mediatek, matthias.bgg, nathan, ndesaulniers

Hi Miles,

Okay. Keep me posted.

Just FYI, as mentioned, I'm unable to reproduce this, and you haven't
provided any further minimized guidance on how I might reproduce this,
so it'll sit in the "not a bug" bin until I have another clue on how
to reproduce. Alternatively, Nick and Nathan are now on this thread
and they usually have good luck teasing out compiler issues and such,
so maybe they'll have an idea. But I'm afraid with the information I
currently have, I'm at a dead end.

Jason

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 10:11           ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19 10:11 UTC (permalink / raw)
  To: Miles Chen
  Cc: ardb, davem, gregkh, herbert, linux-arm-kernel, linux-crypto,
	linux-kernel, linux-mediatek, matthias.bgg, nathan, ndesaulniers

Hi Miles,

Okay. Keep me posted.

Just FYI, as mentioned, I'm unable to reproduce this, and you haven't
provided any further minimized guidance on how I might reproduce this,
so it'll sit in the "not a bug" bin until I have another clue on how
to reproduce. Alternatively, Nick and Nathan are now on this thread
and they usually have good luck teasing out compiler issues and such,
so maybe they'll have an idea. But I'm afraid with the information I
currently have, I'm at a dead end.

Jason

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
  2022-01-19 10:06         ` Miles Chen
  (?)
@ 2022-01-19 10:13           ` Ard Biesheuvel
  -1 siblings, 0 replies; 100+ messages in thread
From: Ard Biesheuvel @ 2022-01-19 10:13 UTC (permalink / raw)
  To: Miles Chen
  Cc: Jason A. Donenfeld, David S. Miller, Greg Kroah-Hartman,
	Herbert Xu, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek, Matthias Brugger,
	Nathan Chancellor, Nick Desaulniers

On Wed, 19 Jan 2022 at 11:06, Miles Chen <miles.chen@mediatek.com> wrote:
>
> Hi,
>
> >Hi Miles,
> >
> >I'm actually not able to reproduce your oops. I'm using vanilla clang
> >13, cross compiling for arm64, with thin LTO enabled and CFI enabled.
> >Kernel seems to run fine.
> >
> >
> >Are there other settings that are needed to trigger this? Do you see
> >it in upstream clang or just the Android fork of clang?
> >
> I will try another clang (the previous version I use).
> I am using Android fork of clang and there is a clang upgrade in this merge.
>

One thing that could be worth a try is to make __blake2s_update() and
__blake2s_final() __always_inline rather than just inline, which by
itself does not appear to be sufficient for the code to get inlined.
(If it were, the indirect call should have disappeared as well)

Given that indirect calls suck on x86, we should probably apply that
change in any case, regardless of CFI.

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 10:13           ` Ard Biesheuvel
  0 siblings, 0 replies; 100+ messages in thread
From: Ard Biesheuvel @ 2022-01-19 10:13 UTC (permalink / raw)
  To: Miles Chen
  Cc: Jason A. Donenfeld, David S. Miller, Greg Kroah-Hartman,
	Herbert Xu, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek, Matthias Brugger,
	Nathan Chancellor, Nick Desaulniers

On Wed, 19 Jan 2022 at 11:06, Miles Chen <miles.chen@mediatek.com> wrote:
>
> Hi,
>
> >Hi Miles,
> >
> >I'm actually not able to reproduce your oops. I'm using vanilla clang
> >13, cross compiling for arm64, with thin LTO enabled and CFI enabled.
> >Kernel seems to run fine.
> >
> >
> >Are there other settings that are needed to trigger this? Do you see
> >it in upstream clang or just the Android fork of clang?
> >
> I will try another clang (the previous version I use).
> I am using Android fork of clang and there is a clang upgrade in this merge.
>

One thing that could be worth a try is to make __blake2s_update() and
__blake2s_final() __always_inline rather than just inline, which by
itself does not appear to be sufficient for the code to get inlined.
(If it were, the indirect call should have disappeared as well)

Given that indirect calls suck on x86, we should probably apply that
change in any case, regardless of CFI.

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 10:13           ` Ard Biesheuvel
  0 siblings, 0 replies; 100+ messages in thread
From: Ard Biesheuvel @ 2022-01-19 10:13 UTC (permalink / raw)
  To: Miles Chen
  Cc: Jason A. Donenfeld, David S. Miller, Greg Kroah-Hartman,
	Herbert Xu, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek, Matthias Brugger,
	Nathan Chancellor, Nick Desaulniers

On Wed, 19 Jan 2022 at 11:06, Miles Chen <miles.chen@mediatek.com> wrote:
>
> Hi,
>
> >Hi Miles,
> >
> >I'm actually not able to reproduce your oops. I'm using vanilla clang
> >13, cross compiling for arm64, with thin LTO enabled and CFI enabled.
> >Kernel seems to run fine.
> >
> >
> >Are there other settings that are needed to trigger this? Do you see
> >it in upstream clang or just the Android fork of clang?
> >
> I will try another clang (the previous version I use).
> I am using Android fork of clang and there is a clang upgrade in this merge.
>

One thing that could be worth a try is to make __blake2s_update() and
__blake2s_final() __always_inline rather than just inline, which by
itself does not appear to be sufficient for the code to get inlined.
(If it were, the indirect call should have disappeared as well)

Given that indirect calls suck on x86, we should probably apply that
change in any case, regardless of CFI.

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
  2022-01-19 10:13           ` Ard Biesheuvel
  (?)
@ 2022-01-19 10:20             ` Jason A. Donenfeld
  -1 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19 10:20 UTC (permalink / raw)
  To: Ard Biesheuvel
  Cc: Miles Chen, David S. Miller, Greg Kroah-Hartman, Herbert Xu,
	Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	linux-mediatek, Matthias Brugger, Nathan Chancellor,
	Nick Desaulniers

On 1/19/22, Ard Biesheuvel <ardb@kernel.org> wrote:
> On Wed, 19 Jan 2022 at 11:06, Miles Chen <miles.chen@mediatek.com> wrote:
>>
>> Hi,
>>
>> >Hi Miles,
>> >
>> >I'm actually not able to reproduce your oops. I'm using vanilla clang
>> >13, cross compiling for arm64, with thin LTO enabled and CFI enabled.
>> >Kernel seems to run fine.
>> >
>> >
>> >Are there other settings that are needed to trigger this? Do you see
>> >it in upstream clang or just the Android fork of clang?
>> >
>> I will try another clang (the previous version I use).
>> I am using Android fork of clang and there is a clang upgrade in this
>> merge.
>>
>
> One thing that could be worth a try is to make __blake2s_update() and
> __blake2s_final() __always_inline rather than just inline, which by
> itself does not appear to be sufficient for the code to get inlined.
> (If it were, the indirect call should have disappeared as well)
>
> Given that indirect calls suck on x86, we should probably apply that
> change in any case, regardless of CFI.
>

Had the same thought at first, but then looking at the original stack
trace, it looks like the __ function is inlined:

[    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
[    0.000000][    T0]  blake2s_update+0x14c/0x178
[    0.000000][    T0]  _extract_entropy+0xf4/0x29c

So that makes me think that the issue really does involve calling
through the weak alias. But why should weak alias calling trigger CFI?
Compiler bug? Some other subtlety we're missing?

Jason

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 10:20             ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19 10:20 UTC (permalink / raw)
  To: Ard Biesheuvel
  Cc: Miles Chen, David S. Miller, Greg Kroah-Hartman, Herbert Xu,
	Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	linux-mediatek, Matthias Brugger, Nathan Chancellor,
	Nick Desaulniers

On 1/19/22, Ard Biesheuvel <ardb@kernel.org> wrote:
> On Wed, 19 Jan 2022 at 11:06, Miles Chen <miles.chen@mediatek.com> wrote:
>>
>> Hi,
>>
>> >Hi Miles,
>> >
>> >I'm actually not able to reproduce your oops. I'm using vanilla clang
>> >13, cross compiling for arm64, with thin LTO enabled and CFI enabled.
>> >Kernel seems to run fine.
>> >
>> >
>> >Are there other settings that are needed to trigger this? Do you see
>> >it in upstream clang or just the Android fork of clang?
>> >
>> I will try another clang (the previous version I use).
>> I am using Android fork of clang and there is a clang upgrade in this
>> merge.
>>
>
> One thing that could be worth a try is to make __blake2s_update() and
> __blake2s_final() __always_inline rather than just inline, which by
> itself does not appear to be sufficient for the code to get inlined.
> (If it were, the indirect call should have disappeared as well)
>
> Given that indirect calls suck on x86, we should probably apply that
> change in any case, regardless of CFI.
>

Had the same thought at first, but then looking at the original stack
trace, it looks like the __ function is inlined:

[    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
[    0.000000][    T0]  blake2s_update+0x14c/0x178
[    0.000000][    T0]  _extract_entropy+0xf4/0x29c

So that makes me think that the issue really does involve calling
through the weak alias. But why should weak alias calling trigger CFI?
Compiler bug? Some other subtlety we're missing?

Jason

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 10:20             ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19 10:20 UTC (permalink / raw)
  To: Ard Biesheuvel
  Cc: Miles Chen, David S. Miller, Greg Kroah-Hartman, Herbert Xu,
	Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	linux-mediatek, Matthias Brugger, Nathan Chancellor,
	Nick Desaulniers

On 1/19/22, Ard Biesheuvel <ardb@kernel.org> wrote:
> On Wed, 19 Jan 2022 at 11:06, Miles Chen <miles.chen@mediatek.com> wrote:
>>
>> Hi,
>>
>> >Hi Miles,
>> >
>> >I'm actually not able to reproduce your oops. I'm using vanilla clang
>> >13, cross compiling for arm64, with thin LTO enabled and CFI enabled.
>> >Kernel seems to run fine.
>> >
>> >
>> >Are there other settings that are needed to trigger this? Do you see
>> >it in upstream clang or just the Android fork of clang?
>> >
>> I will try another clang (the previous version I use).
>> I am using Android fork of clang and there is a clang upgrade in this
>> merge.
>>
>
> One thing that could be worth a try is to make __blake2s_update() and
> __blake2s_final() __always_inline rather than just inline, which by
> itself does not appear to be sufficient for the code to get inlined.
> (If it were, the indirect call should have disappeared as well)
>
> Given that indirect calls suck on x86, we should probably apply that
> change in any case, regardless of CFI.
>

Had the same thought at first, but then looking at the original stack
trace, it looks like the __ function is inlined:

[    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
[    0.000000][    T0]  blake2s_update+0x14c/0x178
[    0.000000][    T0]  _extract_entropy+0xf4/0x29c

So that makes me think that the issue really does involve calling
through the weak alias. But why should weak alias calling trigger CFI?
Compiler bug? Some other subtlety we're missing?

Jason

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
  2022-01-19 10:20             ` Jason A. Donenfeld
  (?)
@ 2022-01-19 10:35               ` Ard Biesheuvel
  -1 siblings, 0 replies; 100+ messages in thread
From: Ard Biesheuvel @ 2022-01-19 10:35 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Miles Chen, David S. Miller, Greg Kroah-Hartman, Herbert Xu,
	Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	linux-mediatek, Matthias Brugger, Nathan Chancellor,
	Nick Desaulniers

On Wed, 19 Jan 2022 at 11:20, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> On 1/19/22, Ard Biesheuvel <ardb@kernel.org> wrote:
> > On Wed, 19 Jan 2022 at 11:06, Miles Chen <miles.chen@mediatek.com> wrote:
> >>
> >> Hi,
> >>
> >> >Hi Miles,
> >> >
> >> >I'm actually not able to reproduce your oops. I'm using vanilla clang
> >> >13, cross compiling for arm64, with thin LTO enabled and CFI enabled.
> >> >Kernel seems to run fine.
> >> >
> >> >
> >> >Are there other settings that are needed to trigger this? Do you see
> >> >it in upstream clang or just the Android fork of clang?
> >> >
> >> I will try another clang (the previous version I use).
> >> I am using Android fork of clang and there is a clang upgrade in this
> >> merge.
> >>
> >
> > One thing that could be worth a try is to make __blake2s_update() and
> > __blake2s_final() __always_inline rather than just inline, which by
> > itself does not appear to be sufficient for the code to get inlined.
> > (If it were, the indirect call should have disappeared as well)
> >
> > Given that indirect calls suck on x86, we should probably apply that
> > change in any case, regardless of CFI.
> >
>
> Had the same thought at first, but then looking at the original stack
> trace, it looks like the __ function is inlined:
>
> [    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
> [    0.000000][    T0]  blake2s_update+0x14c/0x178
> [    0.000000][    T0]  _extract_entropy+0xf4/0x29c
>

Indeed. How odd. I hope this doesn't happen with the x86 backend
because that would be plain silly. On arm64, it doesn't actually
matter in terms of performance, it just needs one additional callee
save register to preserve the function pointer across calls.

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 10:35               ` Ard Biesheuvel
  0 siblings, 0 replies; 100+ messages in thread
From: Ard Biesheuvel @ 2022-01-19 10:35 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Miles Chen, David S. Miller, Greg Kroah-Hartman, Herbert Xu,
	Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	linux-mediatek, Matthias Brugger, Nathan Chancellor,
	Nick Desaulniers

On Wed, 19 Jan 2022 at 11:20, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> On 1/19/22, Ard Biesheuvel <ardb@kernel.org> wrote:
> > On Wed, 19 Jan 2022 at 11:06, Miles Chen <miles.chen@mediatek.com> wrote:
> >>
> >> Hi,
> >>
> >> >Hi Miles,
> >> >
> >> >I'm actually not able to reproduce your oops. I'm using vanilla clang
> >> >13, cross compiling for arm64, with thin LTO enabled and CFI enabled.
> >> >Kernel seems to run fine.
> >> >
> >> >
> >> >Are there other settings that are needed to trigger this? Do you see
> >> >it in upstream clang or just the Android fork of clang?
> >> >
> >> I will try another clang (the previous version I use).
> >> I am using Android fork of clang and there is a clang upgrade in this
> >> merge.
> >>
> >
> > One thing that could be worth a try is to make __blake2s_update() and
> > __blake2s_final() __always_inline rather than just inline, which by
> > itself does not appear to be sufficient for the code to get inlined.
> > (If it were, the indirect call should have disappeared as well)
> >
> > Given that indirect calls suck on x86, we should probably apply that
> > change in any case, regardless of CFI.
> >
>
> Had the same thought at first, but then looking at the original stack
> trace, it looks like the __ function is inlined:
>
> [    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
> [    0.000000][    T0]  blake2s_update+0x14c/0x178
> [    0.000000][    T0]  _extract_entropy+0xf4/0x29c
>

Indeed. How odd. I hope this doesn't happen with the x86 backend
because that would be plain silly. On arm64, it doesn't actually
matter in terms of performance, it just needs one additional callee
save register to preserve the function pointer across calls.

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 10:35               ` Ard Biesheuvel
  0 siblings, 0 replies; 100+ messages in thread
From: Ard Biesheuvel @ 2022-01-19 10:35 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Miles Chen, David S. Miller, Greg Kroah-Hartman, Herbert Xu,
	Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	linux-mediatek, Matthias Brugger, Nathan Chancellor,
	Nick Desaulniers

On Wed, 19 Jan 2022 at 11:20, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> On 1/19/22, Ard Biesheuvel <ardb@kernel.org> wrote:
> > On Wed, 19 Jan 2022 at 11:06, Miles Chen <miles.chen@mediatek.com> wrote:
> >>
> >> Hi,
> >>
> >> >Hi Miles,
> >> >
> >> >I'm actually not able to reproduce your oops. I'm using vanilla clang
> >> >13, cross compiling for arm64, with thin LTO enabled and CFI enabled.
> >> >Kernel seems to run fine.
> >> >
> >> >
> >> >Are there other settings that are needed to trigger this? Do you see
> >> >it in upstream clang or just the Android fork of clang?
> >> >
> >> I will try another clang (the previous version I use).
> >> I am using Android fork of clang and there is a clang upgrade in this
> >> merge.
> >>
> >
> > One thing that could be worth a try is to make __blake2s_update() and
> > __blake2s_final() __always_inline rather than just inline, which by
> > itself does not appear to be sufficient for the code to get inlined.
> > (If it were, the indirect call should have disappeared as well)
> >
> > Given that indirect calls suck on x86, we should probably apply that
> > change in any case, regardless of CFI.
> >
>
> Had the same thought at first, but then looking at the original stack
> trace, it looks like the __ function is inlined:
>
> [    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
> [    0.000000][    T0]  blake2s_update+0x14c/0x178
> [    0.000000][    T0]  _extract_entropy+0xf4/0x29c
>

Indeed. How odd. I hope this doesn't happen with the x86 backend
because that would be plain silly. On arm64, it doesn't actually
matter in terms of performance, it just needs one additional callee
save register to preserve the function pointer across calls.

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
  2022-01-19 10:11           ` Jason A. Donenfeld
  (?)
@ 2022-01-19 10:56             ` Jason A. Donenfeld
  -1 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19 10:56 UTC (permalink / raw)
  To: Miles Chen
  Cc: ardb, davem, gregkh, herbert, linux-arm-kernel, linux-crypto,
	linux-kernel, linux-mediatek, matthias.bgg, nathan, ndesaulniers

On 1/19/22, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> Hi Miles,
>
> Okay. Keep me posted.
>
> Just FYI, as mentioned, I'm unable to reproduce this, and you haven't
> provided any further minimized guidance on how I might reproduce this,
> so it'll sit in the "not a bug" bin until I have another clue on how
> to reproduce. Alternatively, Nick and Nathan are now on this thread
> and they usually have good luck teasing out compiler issues and such,
> so maybe they'll have an idea. But I'm afraid with the information I
> currently have, I'm at a dead end.
>
> Jason
>

We're back in business! I was able to reproduce this using FullLTO
rather than ThinLTO.

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 10:56             ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19 10:56 UTC (permalink / raw)
  To: Miles Chen
  Cc: ardb, davem, gregkh, herbert, linux-arm-kernel, linux-crypto,
	linux-kernel, linux-mediatek, matthias.bgg, nathan, ndesaulniers

On 1/19/22, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> Hi Miles,
>
> Okay. Keep me posted.
>
> Just FYI, as mentioned, I'm unable to reproduce this, and you haven't
> provided any further minimized guidance on how I might reproduce this,
> so it'll sit in the "not a bug" bin until I have another clue on how
> to reproduce. Alternatively, Nick and Nathan are now on this thread
> and they usually have good luck teasing out compiler issues and such,
> so maybe they'll have an idea. But I'm afraid with the information I
> currently have, I'm at a dead end.
>
> Jason
>

We're back in business! I was able to reproduce this using FullLTO
rather than ThinLTO.

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 10:56             ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19 10:56 UTC (permalink / raw)
  To: Miles Chen
  Cc: ardb, davem, gregkh, herbert, linux-arm-kernel, linux-crypto,
	linux-kernel, linux-mediatek, matthias.bgg, nathan, ndesaulniers

On 1/19/22, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
> Hi Miles,
>
> Okay. Keep me posted.
>
> Just FYI, as mentioned, I'm unable to reproduce this, and you haven't
> provided any further minimized guidance on how I might reproduce this,
> so it'll sit in the "not a bug" bin until I have another clue on how
> to reproduce. Alternatively, Nick and Nathan are now on this thread
> and they usually have good luck teasing out compiler issues and such,
> so maybe they'll have an idea. But I'm afraid with the information I
> currently have, I'm at a dead end.
>
> Jason
>

We're back in business! I was able to reproduce this using FullLTO
rather than ThinLTO.

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
  2022-01-19 10:56             ` Jason A. Donenfeld
  (?)
@ 2022-01-19 12:14               ` Jason A. Donenfeld
  -1 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19 12:14 UTC (permalink / raw)
  To: Miles Chen
  Cc: ardb, davem, gregkh, herbert, linux-arm-kernel, linux-crypto,
	linux-kernel, linux-mediatek, matthias.bgg, nathan, ndesaulniers

The below kludge of a patch fixes the issue. Still unclear whether we
should go with something like this or get clang fixed or what.

diff --git a/arch/arm/crypto/blake2s-shash.c b/arch/arm/crypto/blake2s-shash.c
index 17c1c3bfe2f5..be8cde5f1719 100644
--- a/arch/arm/crypto/blake2s-shash.c
+++ b/arch/arm/crypto/blake2s-shash.c
@@ -13,12 +13,12 @@
 static int crypto_blake2s_update_arm(struct shash_desc *desc,
 				     const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
+	return crypto_blake2s_update(desc, in, inlen);
 }

 static int crypto_blake2s_final_arm(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress);
+	return crypto_blake2s_final(desc, out);
 }

 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/arch/x86/crypto/blake2s-shash.c b/arch/x86/crypto/blake2s-shash.c
index f9e2fecdb761..c81ffedb4865 100644
--- a/arch/x86/crypto/blake2s-shash.c
+++ b/arch/x86/crypto/blake2s-shash.c
@@ -18,12 +18,12 @@
 static int crypto_blake2s_update_x86(struct shash_desc *desc,
 				     const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
+	return crypto_blake2s_update(desc, in, inlen);
 }

 static int crypto_blake2s_final_x86(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress);
+	return crypto_blake2s_final(desc, out);
 }

 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/crypto/blake2s_generic.c b/crypto/blake2s_generic.c
index 72fe480f9bd6..050874588a84 100644
--- a/crypto/blake2s_generic.c
+++ b/crypto/blake2s_generic.c
@@ -5,6 +5,7 @@
  * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All
Rights Reserved.
  */

+#define FORCE_BLAKE2S_GENERIC
 #include <crypto/internal/blake2s.h>
 #include <crypto/internal/hash.h>

@@ -15,12 +16,12 @@
 static int crypto_blake2s_update_generic(struct shash_desc *desc,
 					 const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress_generic);
+	return crypto_blake2s_update(desc, in, inlen);
 }

 static int crypto_blake2s_final_generic(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress_generic);
+	return crypto_blake2s_final(desc, out);
 }

 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/include/crypto/internal/blake2s.h
b/include/crypto/internal/blake2s.h
index d39cfa0d333e..fec7eead93fc 100644
--- a/include/crypto/internal/blake2s.h
+++ b/include/crypto/internal/blake2s.h
@@ -24,14 +24,14 @@ static inline void blake2s_set_lastblock(struct
blake2s_state *state)
 	state->f[0] = -1;
 }

-typedef void (*blake2s_compress_t)(struct blake2s_state *state,
-				   const u8 *block, size_t nblocks, u32 inc);
-
 /* Helper functions for BLAKE2s shared by the library and shash APIs */

+#ifdef FORCE_BLAKE2S_GENERIC
+#define blake2s_compress blake2s_compress_generic
+#endif
+
 static inline void __blake2s_update(struct blake2s_state *state,
-				    const u8 *in, size_t inlen,
-				    blake2s_compress_t compress)
+				    const u8 *in, size_t inlen)
 {
 	const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;

@@ -39,7 +39,7 @@ static inline void __blake2s_update(struct
blake2s_state *state,
 		return;
 	if (inlen > fill) {
 		memcpy(state->buf + state->buflen, in, fill);
-		(*compress)(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
+		blake2s_compress(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
 		state->buflen = 0;
 		in += fill;
 		inlen -= fill;
@@ -47,7 +47,7 @@ static inline void __blake2s_update(struct
blake2s_state *state,
 	if (inlen > BLAKE2S_BLOCK_SIZE) {
 		const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
 		/* Hash one less (full) block than strictly possible */
-		(*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
+		blake2s_compress(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
 		in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
 		inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
 	}
@@ -55,13 +55,12 @@ static inline void __blake2s_update(struct
blake2s_state *state,
 	state->buflen += inlen;
 }

-static inline void __blake2s_final(struct blake2s_state *state, u8 *out,
-				   blake2s_compress_t compress)
+static inline void __blake2s_final(struct blake2s_state *state, u8 *out)
 {
 	blake2s_set_lastblock(state);
 	memset(state->buf + state->buflen, 0,
 	       BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
-	(*compress)(state, state->buf, 1, state->buflen);
+	blake2s_compress(state, state->buf, 1, state->buflen);
 	cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
 	memcpy(out, state->h, state->outlen);
 }
@@ -98,21 +97,19 @@ static inline int crypto_blake2s_init(struct
shash_desc *desc)
 }

 static inline int crypto_blake2s_update(struct shash_desc *desc,
-					const u8 *in, unsigned int inlen,
-					blake2s_compress_t compress)
+					const u8 *in, unsigned int inlen)
 {
 	struct blake2s_state *state = shash_desc_ctx(desc);

-	__blake2s_update(state, in, inlen, compress);
+	__blake2s_update(state, in, inlen);
 	return 0;
 }

-static inline int crypto_blake2s_final(struct shash_desc *desc, u8 *out,
-				       blake2s_compress_t compress)
+static inline int crypto_blake2s_final(struct shash_desc *desc, u8 *out)
 {
 	struct blake2s_state *state = shash_desc_ctx(desc);

-	__blake2s_final(state, out, compress);
+	__blake2s_final(state, out);
 	return 0;
 }

diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
index 9364f79937b8..a13f01ff53a7 100644
--- a/lib/crypto/blake2s.c
+++ b/lib/crypto/blake2s.c
@@ -18,14 +18,14 @@

 void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
 {
-	__blake2s_update(state, in, inlen, blake2s_compress);
+	__blake2s_update(state, in, inlen);
 }
 EXPORT_SYMBOL(blake2s_update);

 void blake2s_final(struct blake2s_state *state, u8 *out)
 {
 	WARN_ON(IS_ENABLED(DEBUG) && !out);
-	__blake2s_final(state, out, blake2s_compress);
+	__blake2s_final(state, out);
 	memzero_explicit(state, sizeof(*state));
 }
 EXPORT_SYMBOL(blake2s_final);

^ permalink raw reply related	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 12:14               ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19 12:14 UTC (permalink / raw)
  To: Miles Chen
  Cc: ardb, davem, gregkh, herbert, linux-arm-kernel, linux-crypto,
	linux-kernel, linux-mediatek, matthias.bgg, nathan, ndesaulniers

The below kludge of a patch fixes the issue. Still unclear whether we
should go with something like this or get clang fixed or what.

diff --git a/arch/arm/crypto/blake2s-shash.c b/arch/arm/crypto/blake2s-shash.c
index 17c1c3bfe2f5..be8cde5f1719 100644
--- a/arch/arm/crypto/blake2s-shash.c
+++ b/arch/arm/crypto/blake2s-shash.c
@@ -13,12 +13,12 @@
 static int crypto_blake2s_update_arm(struct shash_desc *desc,
 				     const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
+	return crypto_blake2s_update(desc, in, inlen);
 }

 static int crypto_blake2s_final_arm(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress);
+	return crypto_blake2s_final(desc, out);
 }

 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/arch/x86/crypto/blake2s-shash.c b/arch/x86/crypto/blake2s-shash.c
index f9e2fecdb761..c81ffedb4865 100644
--- a/arch/x86/crypto/blake2s-shash.c
+++ b/arch/x86/crypto/blake2s-shash.c
@@ -18,12 +18,12 @@
 static int crypto_blake2s_update_x86(struct shash_desc *desc,
 				     const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
+	return crypto_blake2s_update(desc, in, inlen);
 }

 static int crypto_blake2s_final_x86(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress);
+	return crypto_blake2s_final(desc, out);
 }

 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/crypto/blake2s_generic.c b/crypto/blake2s_generic.c
index 72fe480f9bd6..050874588a84 100644
--- a/crypto/blake2s_generic.c
+++ b/crypto/blake2s_generic.c
@@ -5,6 +5,7 @@
  * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All
Rights Reserved.
  */

+#define FORCE_BLAKE2S_GENERIC
 #include <crypto/internal/blake2s.h>
 #include <crypto/internal/hash.h>

@@ -15,12 +16,12 @@
 static int crypto_blake2s_update_generic(struct shash_desc *desc,
 					 const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress_generic);
+	return crypto_blake2s_update(desc, in, inlen);
 }

 static int crypto_blake2s_final_generic(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress_generic);
+	return crypto_blake2s_final(desc, out);
 }

 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/include/crypto/internal/blake2s.h
b/include/crypto/internal/blake2s.h
index d39cfa0d333e..fec7eead93fc 100644
--- a/include/crypto/internal/blake2s.h
+++ b/include/crypto/internal/blake2s.h
@@ -24,14 +24,14 @@ static inline void blake2s_set_lastblock(struct
blake2s_state *state)
 	state->f[0] = -1;
 }

-typedef void (*blake2s_compress_t)(struct blake2s_state *state,
-				   const u8 *block, size_t nblocks, u32 inc);
-
 /* Helper functions for BLAKE2s shared by the library and shash APIs */

+#ifdef FORCE_BLAKE2S_GENERIC
+#define blake2s_compress blake2s_compress_generic
+#endif
+
 static inline void __blake2s_update(struct blake2s_state *state,
-				    const u8 *in, size_t inlen,
-				    blake2s_compress_t compress)
+				    const u8 *in, size_t inlen)
 {
 	const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;

@@ -39,7 +39,7 @@ static inline void __blake2s_update(struct
blake2s_state *state,
 		return;
 	if (inlen > fill) {
 		memcpy(state->buf + state->buflen, in, fill);
-		(*compress)(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
+		blake2s_compress(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
 		state->buflen = 0;
 		in += fill;
 		inlen -= fill;
@@ -47,7 +47,7 @@ static inline void __blake2s_update(struct
blake2s_state *state,
 	if (inlen > BLAKE2S_BLOCK_SIZE) {
 		const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
 		/* Hash one less (full) block than strictly possible */
-		(*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
+		blake2s_compress(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
 		in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
 		inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
 	}
@@ -55,13 +55,12 @@ static inline void __blake2s_update(struct
blake2s_state *state,
 	state->buflen += inlen;
 }

-static inline void __blake2s_final(struct blake2s_state *state, u8 *out,
-				   blake2s_compress_t compress)
+static inline void __blake2s_final(struct blake2s_state *state, u8 *out)
 {
 	blake2s_set_lastblock(state);
 	memset(state->buf + state->buflen, 0,
 	       BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
-	(*compress)(state, state->buf, 1, state->buflen);
+	blake2s_compress(state, state->buf, 1, state->buflen);
 	cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
 	memcpy(out, state->h, state->outlen);
 }
@@ -98,21 +97,19 @@ static inline int crypto_blake2s_init(struct
shash_desc *desc)
 }

 static inline int crypto_blake2s_update(struct shash_desc *desc,
-					const u8 *in, unsigned int inlen,
-					blake2s_compress_t compress)
+					const u8 *in, unsigned int inlen)
 {
 	struct blake2s_state *state = shash_desc_ctx(desc);

-	__blake2s_update(state, in, inlen, compress);
+	__blake2s_update(state, in, inlen);
 	return 0;
 }

-static inline int crypto_blake2s_final(struct shash_desc *desc, u8 *out,
-				       blake2s_compress_t compress)
+static inline int crypto_blake2s_final(struct shash_desc *desc, u8 *out)
 {
 	struct blake2s_state *state = shash_desc_ctx(desc);

-	__blake2s_final(state, out, compress);
+	__blake2s_final(state, out);
 	return 0;
 }

diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
index 9364f79937b8..a13f01ff53a7 100644
--- a/lib/crypto/blake2s.c
+++ b/lib/crypto/blake2s.c
@@ -18,14 +18,14 @@

 void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
 {
-	__blake2s_update(state, in, inlen, blake2s_compress);
+	__blake2s_update(state, in, inlen);
 }
 EXPORT_SYMBOL(blake2s_update);

 void blake2s_final(struct blake2s_state *state, u8 *out)
 {
 	WARN_ON(IS_ENABLED(DEBUG) && !out);
-	__blake2s_final(state, out, blake2s_compress);
+	__blake2s_final(state, out);
 	memzero_explicit(state, sizeof(*state));
 }
 EXPORT_SYMBOL(blake2s_final);

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply related	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 12:14               ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19 12:14 UTC (permalink / raw)
  To: Miles Chen
  Cc: ardb, davem, gregkh, herbert, linux-arm-kernel, linux-crypto,
	linux-kernel, linux-mediatek, matthias.bgg, nathan, ndesaulniers

The below kludge of a patch fixes the issue. Still unclear whether we
should go with something like this or get clang fixed or what.

diff --git a/arch/arm/crypto/blake2s-shash.c b/arch/arm/crypto/blake2s-shash.c
index 17c1c3bfe2f5..be8cde5f1719 100644
--- a/arch/arm/crypto/blake2s-shash.c
+++ b/arch/arm/crypto/blake2s-shash.c
@@ -13,12 +13,12 @@
 static int crypto_blake2s_update_arm(struct shash_desc *desc,
 				     const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
+	return crypto_blake2s_update(desc, in, inlen);
 }

 static int crypto_blake2s_final_arm(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress);
+	return crypto_blake2s_final(desc, out);
 }

 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/arch/x86/crypto/blake2s-shash.c b/arch/x86/crypto/blake2s-shash.c
index f9e2fecdb761..c81ffedb4865 100644
--- a/arch/x86/crypto/blake2s-shash.c
+++ b/arch/x86/crypto/blake2s-shash.c
@@ -18,12 +18,12 @@
 static int crypto_blake2s_update_x86(struct shash_desc *desc,
 				     const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
+	return crypto_blake2s_update(desc, in, inlen);
 }

 static int crypto_blake2s_final_x86(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress);
+	return crypto_blake2s_final(desc, out);
 }

 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/crypto/blake2s_generic.c b/crypto/blake2s_generic.c
index 72fe480f9bd6..050874588a84 100644
--- a/crypto/blake2s_generic.c
+++ b/crypto/blake2s_generic.c
@@ -5,6 +5,7 @@
  * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All
Rights Reserved.
  */

+#define FORCE_BLAKE2S_GENERIC
 #include <crypto/internal/blake2s.h>
 #include <crypto/internal/hash.h>

@@ -15,12 +16,12 @@
 static int crypto_blake2s_update_generic(struct shash_desc *desc,
 					 const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress_generic);
+	return crypto_blake2s_update(desc, in, inlen);
 }

 static int crypto_blake2s_final_generic(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress_generic);
+	return crypto_blake2s_final(desc, out);
 }

 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/include/crypto/internal/blake2s.h
b/include/crypto/internal/blake2s.h
index d39cfa0d333e..fec7eead93fc 100644
--- a/include/crypto/internal/blake2s.h
+++ b/include/crypto/internal/blake2s.h
@@ -24,14 +24,14 @@ static inline void blake2s_set_lastblock(struct
blake2s_state *state)
 	state->f[0] = -1;
 }

-typedef void (*blake2s_compress_t)(struct blake2s_state *state,
-				   const u8 *block, size_t nblocks, u32 inc);
-
 /* Helper functions for BLAKE2s shared by the library and shash APIs */

+#ifdef FORCE_BLAKE2S_GENERIC
+#define blake2s_compress blake2s_compress_generic
+#endif
+
 static inline void __blake2s_update(struct blake2s_state *state,
-				    const u8 *in, size_t inlen,
-				    blake2s_compress_t compress)
+				    const u8 *in, size_t inlen)
 {
 	const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;

@@ -39,7 +39,7 @@ static inline void __blake2s_update(struct
blake2s_state *state,
 		return;
 	if (inlen > fill) {
 		memcpy(state->buf + state->buflen, in, fill);
-		(*compress)(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
+		blake2s_compress(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
 		state->buflen = 0;
 		in += fill;
 		inlen -= fill;
@@ -47,7 +47,7 @@ static inline void __blake2s_update(struct
blake2s_state *state,
 	if (inlen > BLAKE2S_BLOCK_SIZE) {
 		const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
 		/* Hash one less (full) block than strictly possible */
-		(*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
+		blake2s_compress(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
 		in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
 		inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
 	}
@@ -55,13 +55,12 @@ static inline void __blake2s_update(struct
blake2s_state *state,
 	state->buflen += inlen;
 }

-static inline void __blake2s_final(struct blake2s_state *state, u8 *out,
-				   blake2s_compress_t compress)
+static inline void __blake2s_final(struct blake2s_state *state, u8 *out)
 {
 	blake2s_set_lastblock(state);
 	memset(state->buf + state->buflen, 0,
 	       BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
-	(*compress)(state, state->buf, 1, state->buflen);
+	blake2s_compress(state, state->buf, 1, state->buflen);
 	cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
 	memcpy(out, state->h, state->outlen);
 }
@@ -98,21 +97,19 @@ static inline int crypto_blake2s_init(struct
shash_desc *desc)
 }

 static inline int crypto_blake2s_update(struct shash_desc *desc,
-					const u8 *in, unsigned int inlen,
-					blake2s_compress_t compress)
+					const u8 *in, unsigned int inlen)
 {
 	struct blake2s_state *state = shash_desc_ctx(desc);

-	__blake2s_update(state, in, inlen, compress);
+	__blake2s_update(state, in, inlen);
 	return 0;
 }

-static inline int crypto_blake2s_final(struct shash_desc *desc, u8 *out,
-				       blake2s_compress_t compress)
+static inline int crypto_blake2s_final(struct shash_desc *desc, u8 *out)
 {
 	struct blake2s_state *state = shash_desc_ctx(desc);

-	__blake2s_final(state, out, compress);
+	__blake2s_final(state, out);
 	return 0;
 }

diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
index 9364f79937b8..a13f01ff53a7 100644
--- a/lib/crypto/blake2s.c
+++ b/lib/crypto/blake2s.c
@@ -18,14 +18,14 @@

 void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
 {
-	__blake2s_update(state, in, inlen, blake2s_compress);
+	__blake2s_update(state, in, inlen);
 }
 EXPORT_SYMBOL(blake2s_update);

 void blake2s_final(struct blake2s_state *state, u8 *out)
 {
 	WARN_ON(IS_ENABLED(DEBUG) && !out);
-	__blake2s_final(state, out, blake2s_compress);
+	__blake2s_final(state, out);
 	memzero_explicit(state, sizeof(*state));
 }
 EXPORT_SYMBOL(blake2s_final);

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply related	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
  2022-01-19 12:14               ` Jason A. Donenfeld
  (?)
@ 2022-01-19 12:18                 ` Ard Biesheuvel
  -1 siblings, 0 replies; 100+ messages in thread
From: Ard Biesheuvel @ 2022-01-19 12:18 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Miles Chen, David S. Miller, Greg Kroah-Hartman, Herbert Xu,
	Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	linux-mediatek, Matthias Brugger, Nathan Chancellor,
	Nick Desaulniers

On Wed, 19 Jan 2022 at 13:15, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> The below kludge of a patch fixes the issue. Still unclear whether we
> should go with something like this or get clang fixed or what.
>
> diff --git a/arch/arm/crypto/blake2s-shash.c b/arch/arm/crypto/blake2s-shash.c
> index 17c1c3bfe2f5..be8cde5f1719 100644
> --- a/arch/arm/crypto/blake2s-shash.c
> +++ b/arch/arm/crypto/blake2s-shash.c
> @@ -13,12 +13,12 @@
>  static int crypto_blake2s_update_arm(struct shash_desc *desc,
>                                      const u8 *in, unsigned int inlen)
>  {
> -       return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
> +       return crypto_blake2s_update(desc, in, inlen);
>  }
>
>  static int crypto_blake2s_final_arm(struct shash_desc *desc, u8 *out)
>  {
> -       return crypto_blake2s_final(desc, out, blake2s_compress);
> +       return crypto_blake2s_final(desc, out);
>  }
>
>  #define BLAKE2S_ALG(name, driver_name, digest_size)                    \
> diff --git a/arch/x86/crypto/blake2s-shash.c b/arch/x86/crypto/blake2s-shash.c
> index f9e2fecdb761..c81ffedb4865 100644
> --- a/arch/x86/crypto/blake2s-shash.c
> +++ b/arch/x86/crypto/blake2s-shash.c
> @@ -18,12 +18,12 @@
>  static int crypto_blake2s_update_x86(struct shash_desc *desc,
>                                      const u8 *in, unsigned int inlen)
>  {
> -       return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
> +       return crypto_blake2s_update(desc, in, inlen);
>  }
>
>  static int crypto_blake2s_final_x86(struct shash_desc *desc, u8 *out)
>  {
> -       return crypto_blake2s_final(desc, out, blake2s_compress);
> +       return crypto_blake2s_final(desc, out);
>  }
>
>  #define BLAKE2S_ALG(name, driver_name, digest_size)                    \
> diff --git a/crypto/blake2s_generic.c b/crypto/blake2s_generic.c
> index 72fe480f9bd6..050874588a84 100644
> --- a/crypto/blake2s_generic.c
> +++ b/crypto/blake2s_generic.c
> @@ -5,6 +5,7 @@
>   * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All
> Rights Reserved.
>   */
>
> +#define FORCE_BLAKE2S_GENERIC
>  #include <crypto/internal/blake2s.h>
>  #include <crypto/internal/hash.h>
>

I'd prefer it if we could avoid magic #define's like this. We could
fix it up locally to crypto/internal/blake2s.h just by doing something
like the below.

diff --git a/include/crypto/internal/blake2s.h
b/include/crypto/internal/blake2s.h
index d39cfa0d333e..9e52c07c54cc 100644
--- a/include/crypto/internal/blake2s.h
+++ b/include/crypto/internal/blake2s.h
@@ -39,7 +39,11 @@ static inline void __blake2s_update(struct
blake2s_state *state,
                return;
        if (inlen > fill) {
                memcpy(state->buf + state->buflen, in, fill);
-               (*compress)(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
+               if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S))
+                       (*compress)(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
+               else
+                       blake2s_compress_generic(state, state->buf, 1,
+                                                BLAKE2S_BLOCK_SIZE);
                state->buflen = 0;
                in += fill;
                inlen -= fill;
@@ -47,7 +51,11 @@ static inline void __blake2s_update(struct
blake2s_state *state,
        if (inlen > BLAKE2S_BLOCK_SIZE) {
                const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
                /* Hash one less (full) block than strictly possible */
-               (*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
+               if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S))
+                       (*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
+               else
+                       blake2s_compress_generic(state, in, nblocks - 1,
+                                                BLAKE2S_BLOCK_SIZE);
                in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
                inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
        }
@@ -61,7 +69,10 @@ static inline void __blake2s_final(struct
blake2s_state *state, u8 *out,
        blake2s_set_lastblock(state);
        memset(state->buf + state->buflen, 0,
               BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
-       (*compress)(state, state->buf, 1, state->buflen);
+       if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S))
+               (*compress)(state, state->buf, 1, state->buflen);
+       else
+               blake2s_compress_generic(state, state->buf, 1, state->buflen);
        cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));

^ permalink raw reply related	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 12:18                 ` Ard Biesheuvel
  0 siblings, 0 replies; 100+ messages in thread
From: Ard Biesheuvel @ 2022-01-19 12:18 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Miles Chen, David S. Miller, Greg Kroah-Hartman, Herbert Xu,
	Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	linux-mediatek, Matthias Brugger, Nathan Chancellor,
	Nick Desaulniers

On Wed, 19 Jan 2022 at 13:15, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> The below kludge of a patch fixes the issue. Still unclear whether we
> should go with something like this or get clang fixed or what.
>
> diff --git a/arch/arm/crypto/blake2s-shash.c b/arch/arm/crypto/blake2s-shash.c
> index 17c1c3bfe2f5..be8cde5f1719 100644
> --- a/arch/arm/crypto/blake2s-shash.c
> +++ b/arch/arm/crypto/blake2s-shash.c
> @@ -13,12 +13,12 @@
>  static int crypto_blake2s_update_arm(struct shash_desc *desc,
>                                      const u8 *in, unsigned int inlen)
>  {
> -       return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
> +       return crypto_blake2s_update(desc, in, inlen);
>  }
>
>  static int crypto_blake2s_final_arm(struct shash_desc *desc, u8 *out)
>  {
> -       return crypto_blake2s_final(desc, out, blake2s_compress);
> +       return crypto_blake2s_final(desc, out);
>  }
>
>  #define BLAKE2S_ALG(name, driver_name, digest_size)                    \
> diff --git a/arch/x86/crypto/blake2s-shash.c b/arch/x86/crypto/blake2s-shash.c
> index f9e2fecdb761..c81ffedb4865 100644
> --- a/arch/x86/crypto/blake2s-shash.c
> +++ b/arch/x86/crypto/blake2s-shash.c
> @@ -18,12 +18,12 @@
>  static int crypto_blake2s_update_x86(struct shash_desc *desc,
>                                      const u8 *in, unsigned int inlen)
>  {
> -       return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
> +       return crypto_blake2s_update(desc, in, inlen);
>  }
>
>  static int crypto_blake2s_final_x86(struct shash_desc *desc, u8 *out)
>  {
> -       return crypto_blake2s_final(desc, out, blake2s_compress);
> +       return crypto_blake2s_final(desc, out);
>  }
>
>  #define BLAKE2S_ALG(name, driver_name, digest_size)                    \
> diff --git a/crypto/blake2s_generic.c b/crypto/blake2s_generic.c
> index 72fe480f9bd6..050874588a84 100644
> --- a/crypto/blake2s_generic.c
> +++ b/crypto/blake2s_generic.c
> @@ -5,6 +5,7 @@
>   * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All
> Rights Reserved.
>   */
>
> +#define FORCE_BLAKE2S_GENERIC
>  #include <crypto/internal/blake2s.h>
>  #include <crypto/internal/hash.h>
>

I'd prefer it if we could avoid magic #define's like this. We could
fix it up locally to crypto/internal/blake2s.h just by doing something
like the below.

diff --git a/include/crypto/internal/blake2s.h
b/include/crypto/internal/blake2s.h
index d39cfa0d333e..9e52c07c54cc 100644
--- a/include/crypto/internal/blake2s.h
+++ b/include/crypto/internal/blake2s.h
@@ -39,7 +39,11 @@ static inline void __blake2s_update(struct
blake2s_state *state,
                return;
        if (inlen > fill) {
                memcpy(state->buf + state->buflen, in, fill);
-               (*compress)(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
+               if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S))
+                       (*compress)(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
+               else
+                       blake2s_compress_generic(state, state->buf, 1,
+                                                BLAKE2S_BLOCK_SIZE);
                state->buflen = 0;
                in += fill;
                inlen -= fill;
@@ -47,7 +51,11 @@ static inline void __blake2s_update(struct
blake2s_state *state,
        if (inlen > BLAKE2S_BLOCK_SIZE) {
                const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
                /* Hash one less (full) block than strictly possible */
-               (*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
+               if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S))
+                       (*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
+               else
+                       blake2s_compress_generic(state, in, nblocks - 1,
+                                                BLAKE2S_BLOCK_SIZE);
                in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
                inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
        }
@@ -61,7 +69,10 @@ static inline void __blake2s_final(struct
blake2s_state *state, u8 *out,
        blake2s_set_lastblock(state);
        memset(state->buf + state->buflen, 0,
               BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
-       (*compress)(state, state->buf, 1, state->buflen);
+       if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S))
+               (*compress)(state, state->buf, 1, state->buflen);
+       else
+               blake2s_compress_generic(state, state->buf, 1, state->buflen);
        cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply related	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 12:18                 ` Ard Biesheuvel
  0 siblings, 0 replies; 100+ messages in thread
From: Ard Biesheuvel @ 2022-01-19 12:18 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Miles Chen, David S. Miller, Greg Kroah-Hartman, Herbert Xu,
	Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	linux-mediatek, Matthias Brugger, Nathan Chancellor,
	Nick Desaulniers

On Wed, 19 Jan 2022 at 13:15, Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> The below kludge of a patch fixes the issue. Still unclear whether we
> should go with something like this or get clang fixed or what.
>
> diff --git a/arch/arm/crypto/blake2s-shash.c b/arch/arm/crypto/blake2s-shash.c
> index 17c1c3bfe2f5..be8cde5f1719 100644
> --- a/arch/arm/crypto/blake2s-shash.c
> +++ b/arch/arm/crypto/blake2s-shash.c
> @@ -13,12 +13,12 @@
>  static int crypto_blake2s_update_arm(struct shash_desc *desc,
>                                      const u8 *in, unsigned int inlen)
>  {
> -       return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
> +       return crypto_blake2s_update(desc, in, inlen);
>  }
>
>  static int crypto_blake2s_final_arm(struct shash_desc *desc, u8 *out)
>  {
> -       return crypto_blake2s_final(desc, out, blake2s_compress);
> +       return crypto_blake2s_final(desc, out);
>  }
>
>  #define BLAKE2S_ALG(name, driver_name, digest_size)                    \
> diff --git a/arch/x86/crypto/blake2s-shash.c b/arch/x86/crypto/blake2s-shash.c
> index f9e2fecdb761..c81ffedb4865 100644
> --- a/arch/x86/crypto/blake2s-shash.c
> +++ b/arch/x86/crypto/blake2s-shash.c
> @@ -18,12 +18,12 @@
>  static int crypto_blake2s_update_x86(struct shash_desc *desc,
>                                      const u8 *in, unsigned int inlen)
>  {
> -       return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
> +       return crypto_blake2s_update(desc, in, inlen);
>  }
>
>  static int crypto_blake2s_final_x86(struct shash_desc *desc, u8 *out)
>  {
> -       return crypto_blake2s_final(desc, out, blake2s_compress);
> +       return crypto_blake2s_final(desc, out);
>  }
>
>  #define BLAKE2S_ALG(name, driver_name, digest_size)                    \
> diff --git a/crypto/blake2s_generic.c b/crypto/blake2s_generic.c
> index 72fe480f9bd6..050874588a84 100644
> --- a/crypto/blake2s_generic.c
> +++ b/crypto/blake2s_generic.c
> @@ -5,6 +5,7 @@
>   * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All
> Rights Reserved.
>   */
>
> +#define FORCE_BLAKE2S_GENERIC
>  #include <crypto/internal/blake2s.h>
>  #include <crypto/internal/hash.h>
>

I'd prefer it if we could avoid magic #define's like this. We could
fix it up locally to crypto/internal/blake2s.h just by doing something
like the below.

diff --git a/include/crypto/internal/blake2s.h
b/include/crypto/internal/blake2s.h
index d39cfa0d333e..9e52c07c54cc 100644
--- a/include/crypto/internal/blake2s.h
+++ b/include/crypto/internal/blake2s.h
@@ -39,7 +39,11 @@ static inline void __blake2s_update(struct
blake2s_state *state,
                return;
        if (inlen > fill) {
                memcpy(state->buf + state->buflen, in, fill);
-               (*compress)(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
+               if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S))
+                       (*compress)(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
+               else
+                       blake2s_compress_generic(state, state->buf, 1,
+                                                BLAKE2S_BLOCK_SIZE);
                state->buflen = 0;
                in += fill;
                inlen -= fill;
@@ -47,7 +51,11 @@ static inline void __blake2s_update(struct
blake2s_state *state,
        if (inlen > BLAKE2S_BLOCK_SIZE) {
                const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
                /* Hash one less (full) block than strictly possible */
-               (*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
+               if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S))
+                       (*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
+               else
+                       blake2s_compress_generic(state, in, nblocks - 1,
+                                                BLAKE2S_BLOCK_SIZE);
                in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
                inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
        }
@@ -61,7 +69,10 @@ static inline void __blake2s_final(struct
blake2s_state *state, u8 *out,
        blake2s_set_lastblock(state);
        memset(state->buf + state->buflen, 0,
               BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
-       (*compress)(state, state->buf, 1, state->buflen);
+       if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S))
+               (*compress)(state, state->buf, 1, state->buflen);
+       else
+               blake2s_compress_generic(state, state->buf, 1, state->buflen);
        cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply related	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
  2022-01-19 10:56             ` Jason A. Donenfeld
  (?)
@ 2022-01-19 12:34               ` Miles Chen
  -1 siblings, 0 replies; 100+ messages in thread
From: Miles Chen @ 2022-01-19 12:34 UTC (permalink / raw)
  To: jason
  Cc: ardb, davem, gregkh, herbert, linux-arm-kernel, linux-crypto,
	linux-kernel, linux-mediatek, matthias.bgg, miles.chen, nathan,
	ndesaulniers

> We're back in business! I was able to reproduce this using FullLTO
> rather than ThinLTO.

Great!

I tried two clang (r437112b/r437112) but the issue remains.


Miles

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 12:34               ` Miles Chen
  0 siblings, 0 replies; 100+ messages in thread
From: Miles Chen @ 2022-01-19 12:34 UTC (permalink / raw)
  To: jason
  Cc: ardb, davem, gregkh, herbert, linux-arm-kernel, linux-crypto,
	linux-kernel, linux-mediatek, matthias.bgg, miles.chen, nathan,
	ndesaulniers

> We're back in business! I was able to reproduce this using FullLTO
> rather than ThinLTO.

Great!

I tried two clang (r437112b/r437112) but the issue remains.


Miles

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 12:34               ` Miles Chen
  0 siblings, 0 replies; 100+ messages in thread
From: Miles Chen @ 2022-01-19 12:34 UTC (permalink / raw)
  To: jason
  Cc: ardb, davem, gregkh, herbert, linux-arm-kernel, linux-crypto,
	linux-kernel, linux-mediatek, matthias.bgg, miles.chen, nathan,
	ndesaulniers

> We're back in business! I was able to reproduce this using FullLTO
> rather than ThinLTO.

Great!

I tried two clang (r437112b/r437112) but the issue remains.


Miles

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
  2022-01-19 12:18                 ` Ard Biesheuvel
  (?)
@ 2022-01-19 13:34                   ` Jason A. Donenfeld
  -1 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19 13:34 UTC (permalink / raw)
  To: Ard Biesheuvel
  Cc: Miles Chen, David S. Miller, Greg Kroah-Hartman, Herbert Xu,
	Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	linux-mediatek, Matthias Brugger, Nathan Chancellor,
	Nick Desaulniers

On Wed, Jan 19, 2022 at 1:19 PM Ard Biesheuvel <ardb@kernel.org> wrote:
>
> I'd prefer it if we could avoid magic #define's like this.

I'll send something that just replaces it with a simple bool.

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 13:34                   ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19 13:34 UTC (permalink / raw)
  To: Ard Biesheuvel
  Cc: Miles Chen, David S. Miller, Greg Kroah-Hartman, Herbert Xu,
	Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	linux-mediatek, Matthias Brugger, Nathan Chancellor,
	Nick Desaulniers

On Wed, Jan 19, 2022 at 1:19 PM Ard Biesheuvel <ardb@kernel.org> wrote:
>
> I'd prefer it if we could avoid magic #define's like this.

I'll send something that just replaces it with a simple bool.

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 13:34                   ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19 13:34 UTC (permalink / raw)
  To: Ard Biesheuvel
  Cc: Miles Chen, David S. Miller, Greg Kroah-Hartman, Herbert Xu,
	Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	linux-mediatek, Matthias Brugger, Nathan Chancellor,
	Nick Desaulniers

On Wed, Jan 19, 2022 at 1:19 PM Ard Biesheuvel <ardb@kernel.org> wrote:
>
> I'd prefer it if we could avoid magic #define's like this.

I'll send something that just replaces it with a simple bool.

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
  2022-01-19 13:34                   ` Jason A. Donenfeld
  (?)
@ 2022-01-19 13:54                     ` Jason A. Donenfeld
  -1 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19 13:54 UTC (permalink / raw)
  To: Miles Chen, Ard Biesheuvel, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek
  Cc: Jason A. Donenfeld, Nick Desaulniers, Sami Tolvanen

blake2s_compress_generic is weakly aliased to blake2s_generic. The
current harness for function selection uses a function pointer, which is
ordinarily inlined and resolved at compile time. But when Clang's CFI is
enabled, CFI still triggers when making an indirect call via a weak
symbol. This seems like a bug in Clang's CFI, as though it's bucketing
weak symbols and strong symbols differently. It also only seems to
trigger when "full LTO" mode is used, rather than "thin LTO".

[    0.000000][    T0] Kernel panic - not syncing: CFI failure (target: blake2s_compress_generic+0x0/0x1444)
[    0.000000][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-mainline-06981-g076c855b846e #1
[    0.000000][    T0] Hardware name: MT6873 (DT)
[    0.000000][    T0] Call trace:
[    0.000000][    T0]  dump_backtrace+0xfc/0x1dc
[    0.000000][    T0]  dump_stack_lvl+0xa8/0x11c
[    0.000000][    T0]  panic+0x194/0x464
[    0.000000][    T0]  __cfi_check_fail+0x54/0x58
[    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
[    0.000000][    T0]  blake2s_update+0x14c/0x178
[    0.000000][    T0]  _extract_entropy+0xf4/0x29c
[    0.000000][    T0]  crng_initialize_primary+0x24/0x94
[    0.000000][    T0]  rand_initialize+0x2c/0x6c
[    0.000000][    T0]  start_kernel+0x2f8/0x65c
[    0.000000][    T0]  __primary_switched+0xc4/0x7be4
[    0.000000][    T0] Rebooting in 5 seconds..

Nonetheless, the function pointer method isn't so terrific anyway, so
this patch replaces it with a simple boolean, which also gets inlined
away. This successfully works around the Clang bug.

In general, I'm not too keen on all of the indirection involved here; it
clearly does more harm than good. Hopefully the whole thing can get
cleaned up down the road when lib/crypto is overhauled more
comprehensively. But for now, we go with a simple bandaid.

Fixes: 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
Reported-by: Miles Chen <miles.chen@mediatek.com>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Sami Tolvanen <samitolvanen@google.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
 arch/arm/crypto/blake2s-shash.c   |  4 ++--
 arch/x86/crypto/blake2s-shash.c   |  4 ++--
 crypto/blake2s_generic.c          |  4 ++--
 include/crypto/internal/blake2s.h | 36 ++++++++++++++++++-------------
 lib/crypto/blake2s.c              |  4 ++--
 5 files changed, 29 insertions(+), 23 deletions(-)

diff --git a/arch/arm/crypto/blake2s-shash.c b/arch/arm/crypto/blake2s-shash.c
index 17c1c3bfe2f5..763c73beea2d 100644
--- a/arch/arm/crypto/blake2s-shash.c
+++ b/arch/arm/crypto/blake2s-shash.c
@@ -13,12 +13,12 @@
 static int crypto_blake2s_update_arm(struct shash_desc *desc,
 				     const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
+	return crypto_blake2s_update(desc, in, inlen, false);
 }
 
 static int crypto_blake2s_final_arm(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress);
+	return crypto_blake2s_final(desc, out, false);
 }
 
 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/arch/x86/crypto/blake2s-shash.c b/arch/x86/crypto/blake2s-shash.c
index f9e2fecdb761..59ae28abe35c 100644
--- a/arch/x86/crypto/blake2s-shash.c
+++ b/arch/x86/crypto/blake2s-shash.c
@@ -18,12 +18,12 @@
 static int crypto_blake2s_update_x86(struct shash_desc *desc,
 				     const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
+	return crypto_blake2s_update(desc, in, inlen, false);
 }
 
 static int crypto_blake2s_final_x86(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress);
+	return crypto_blake2s_final(desc, out, false);
 }
 
 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/crypto/blake2s_generic.c b/crypto/blake2s_generic.c
index 72fe480f9bd6..5f96a21f8788 100644
--- a/crypto/blake2s_generic.c
+++ b/crypto/blake2s_generic.c
@@ -15,12 +15,12 @@
 static int crypto_blake2s_update_generic(struct shash_desc *desc,
 					 const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress_generic);
+	return crypto_blake2s_update(desc, in, inlen, true);
 }
 
 static int crypto_blake2s_final_generic(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress_generic);
+	return crypto_blake2s_final(desc, out, true);
 }
 
 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/include/crypto/internal/blake2s.h b/include/crypto/internal/blake2s.h
index d39cfa0d333e..e2da9b413d44 100644
--- a/include/crypto/internal/blake2s.h
+++ b/include/crypto/internal/blake2s.h
@@ -24,14 +24,11 @@ static inline void blake2s_set_lastblock(struct blake2s_state *state)
 	state->f[0] = -1;
 }
 
-typedef void (*blake2s_compress_t)(struct blake2s_state *state,
-				   const u8 *block, size_t nblocks, u32 inc);
-
 /* Helper functions for BLAKE2s shared by the library and shash APIs */
 
-static inline void __blake2s_update(struct blake2s_state *state,
-				    const u8 *in, size_t inlen,
-				    blake2s_compress_t compress)
+static __always_inline void __blake2s_update(struct blake2s_state *state,
+					     const u8 *in, size_t inlen,
+					     bool force_generic)
 {
 	const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;
 
@@ -39,7 +36,10 @@ static inline void __blake2s_update(struct blake2s_state *state,
 		return;
 	if (inlen > fill) {
 		memcpy(state->buf + state->buflen, in, fill);
-		(*compress)(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
+		if (force_generic)
+			blake2s_compress_generic(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
+		else
+			blake2s_compress(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
 		state->buflen = 0;
 		in += fill;
 		inlen -= fill;
@@ -47,7 +47,10 @@ static inline void __blake2s_update(struct blake2s_state *state,
 	if (inlen > BLAKE2S_BLOCK_SIZE) {
 		const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
 		/* Hash one less (full) block than strictly possible */
-		(*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
+		if (force_generic)
+			blake2s_compress_generic(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
+		else
+			blake2s_compress(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
 		in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
 		inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
 	}
@@ -55,13 +58,16 @@ static inline void __blake2s_update(struct blake2s_state *state,
 	state->buflen += inlen;
 }
 
-static inline void __blake2s_final(struct blake2s_state *state, u8 *out,
-				   blake2s_compress_t compress)
+static __always_inline void __blake2s_final(struct blake2s_state *state, u8 *out,
+					    bool force_generic)
 {
 	blake2s_set_lastblock(state);
 	memset(state->buf + state->buflen, 0,
 	       BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
-	(*compress)(state, state->buf, 1, state->buflen);
+	if (force_generic)
+		blake2s_compress_generic(state, state->buf, 1, state->buflen);
+	else
+		blake2s_compress(state, state->buf, 1, state->buflen);
 	cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
 	memcpy(out, state->h, state->outlen);
 }
@@ -99,20 +105,20 @@ static inline int crypto_blake2s_init(struct shash_desc *desc)
 
 static inline int crypto_blake2s_update(struct shash_desc *desc,
 					const u8 *in, unsigned int inlen,
-					blake2s_compress_t compress)
+					bool force_generic)
 {
 	struct blake2s_state *state = shash_desc_ctx(desc);
 
-	__blake2s_update(state, in, inlen, compress);
+	__blake2s_update(state, in, inlen, force_generic);
 	return 0;
 }
 
 static inline int crypto_blake2s_final(struct shash_desc *desc, u8 *out,
-				       blake2s_compress_t compress)
+				       bool force_generic)
 {
 	struct blake2s_state *state = shash_desc_ctx(desc);
 
-	__blake2s_final(state, out, compress);
+	__blake2s_final(state, out, force_generic);
 	return 0;
 }
 
diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
index 9364f79937b8..c71c09621c09 100644
--- a/lib/crypto/blake2s.c
+++ b/lib/crypto/blake2s.c
@@ -18,14 +18,14 @@
 
 void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
 {
-	__blake2s_update(state, in, inlen, blake2s_compress);
+	__blake2s_update(state, in, inlen, false);
 }
 EXPORT_SYMBOL(blake2s_update);
 
 void blake2s_final(struct blake2s_state *state, u8 *out)
 {
 	WARN_ON(IS_ENABLED(DEBUG) && !out);
-	__blake2s_final(state, out, blake2s_compress);
+	__blake2s_final(state, out, false);
 	memzero_explicit(state, sizeof(*state));
 }
 EXPORT_SYMBOL(blake2s_final);
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 100+ messages in thread

* [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
@ 2022-01-19 13:54                     ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19 13:54 UTC (permalink / raw)
  To: Miles Chen, Ard Biesheuvel, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek
  Cc: Jason A. Donenfeld, Nick Desaulniers, Sami Tolvanen

blake2s_compress_generic is weakly aliased to blake2s_generic. The
current harness for function selection uses a function pointer, which is
ordinarily inlined and resolved at compile time. But when Clang's CFI is
enabled, CFI still triggers when making an indirect call via a weak
symbol. This seems like a bug in Clang's CFI, as though it's bucketing
weak symbols and strong symbols differently. It also only seems to
trigger when "full LTO" mode is used, rather than "thin LTO".

[    0.000000][    T0] Kernel panic - not syncing: CFI failure (target: blake2s_compress_generic+0x0/0x1444)
[    0.000000][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-mainline-06981-g076c855b846e #1
[    0.000000][    T0] Hardware name: MT6873 (DT)
[    0.000000][    T0] Call trace:
[    0.000000][    T0]  dump_backtrace+0xfc/0x1dc
[    0.000000][    T0]  dump_stack_lvl+0xa8/0x11c
[    0.000000][    T0]  panic+0x194/0x464
[    0.000000][    T0]  __cfi_check_fail+0x54/0x58
[    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
[    0.000000][    T0]  blake2s_update+0x14c/0x178
[    0.000000][    T0]  _extract_entropy+0xf4/0x29c
[    0.000000][    T0]  crng_initialize_primary+0x24/0x94
[    0.000000][    T0]  rand_initialize+0x2c/0x6c
[    0.000000][    T0]  start_kernel+0x2f8/0x65c
[    0.000000][    T0]  __primary_switched+0xc4/0x7be4
[    0.000000][    T0] Rebooting in 5 seconds..

Nonetheless, the function pointer method isn't so terrific anyway, so
this patch replaces it with a simple boolean, which also gets inlined
away. This successfully works around the Clang bug.

In general, I'm not too keen on all of the indirection involved here; it
clearly does more harm than good. Hopefully the whole thing can get
cleaned up down the road when lib/crypto is overhauled more
comprehensively. But for now, we go with a simple bandaid.

Fixes: 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
Reported-by: Miles Chen <miles.chen@mediatek.com>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Sami Tolvanen <samitolvanen@google.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
 arch/arm/crypto/blake2s-shash.c   |  4 ++--
 arch/x86/crypto/blake2s-shash.c   |  4 ++--
 crypto/blake2s_generic.c          |  4 ++--
 include/crypto/internal/blake2s.h | 36 ++++++++++++++++++-------------
 lib/crypto/blake2s.c              |  4 ++--
 5 files changed, 29 insertions(+), 23 deletions(-)

diff --git a/arch/arm/crypto/blake2s-shash.c b/arch/arm/crypto/blake2s-shash.c
index 17c1c3bfe2f5..763c73beea2d 100644
--- a/arch/arm/crypto/blake2s-shash.c
+++ b/arch/arm/crypto/blake2s-shash.c
@@ -13,12 +13,12 @@
 static int crypto_blake2s_update_arm(struct shash_desc *desc,
 				     const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
+	return crypto_blake2s_update(desc, in, inlen, false);
 }
 
 static int crypto_blake2s_final_arm(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress);
+	return crypto_blake2s_final(desc, out, false);
 }
 
 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/arch/x86/crypto/blake2s-shash.c b/arch/x86/crypto/blake2s-shash.c
index f9e2fecdb761..59ae28abe35c 100644
--- a/arch/x86/crypto/blake2s-shash.c
+++ b/arch/x86/crypto/blake2s-shash.c
@@ -18,12 +18,12 @@
 static int crypto_blake2s_update_x86(struct shash_desc *desc,
 				     const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
+	return crypto_blake2s_update(desc, in, inlen, false);
 }
 
 static int crypto_blake2s_final_x86(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress);
+	return crypto_blake2s_final(desc, out, false);
 }
 
 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/crypto/blake2s_generic.c b/crypto/blake2s_generic.c
index 72fe480f9bd6..5f96a21f8788 100644
--- a/crypto/blake2s_generic.c
+++ b/crypto/blake2s_generic.c
@@ -15,12 +15,12 @@
 static int crypto_blake2s_update_generic(struct shash_desc *desc,
 					 const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress_generic);
+	return crypto_blake2s_update(desc, in, inlen, true);
 }
 
 static int crypto_blake2s_final_generic(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress_generic);
+	return crypto_blake2s_final(desc, out, true);
 }
 
 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/include/crypto/internal/blake2s.h b/include/crypto/internal/blake2s.h
index d39cfa0d333e..e2da9b413d44 100644
--- a/include/crypto/internal/blake2s.h
+++ b/include/crypto/internal/blake2s.h
@@ -24,14 +24,11 @@ static inline void blake2s_set_lastblock(struct blake2s_state *state)
 	state->f[0] = -1;
 }
 
-typedef void (*blake2s_compress_t)(struct blake2s_state *state,
-				   const u8 *block, size_t nblocks, u32 inc);
-
 /* Helper functions for BLAKE2s shared by the library and shash APIs */
 
-static inline void __blake2s_update(struct blake2s_state *state,
-				    const u8 *in, size_t inlen,
-				    blake2s_compress_t compress)
+static __always_inline void __blake2s_update(struct blake2s_state *state,
+					     const u8 *in, size_t inlen,
+					     bool force_generic)
 {
 	const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;
 
@@ -39,7 +36,10 @@ static inline void __blake2s_update(struct blake2s_state *state,
 		return;
 	if (inlen > fill) {
 		memcpy(state->buf + state->buflen, in, fill);
-		(*compress)(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
+		if (force_generic)
+			blake2s_compress_generic(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
+		else
+			blake2s_compress(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
 		state->buflen = 0;
 		in += fill;
 		inlen -= fill;
@@ -47,7 +47,10 @@ static inline void __blake2s_update(struct blake2s_state *state,
 	if (inlen > BLAKE2S_BLOCK_SIZE) {
 		const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
 		/* Hash one less (full) block than strictly possible */
-		(*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
+		if (force_generic)
+			blake2s_compress_generic(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
+		else
+			blake2s_compress(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
 		in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
 		inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
 	}
@@ -55,13 +58,16 @@ static inline void __blake2s_update(struct blake2s_state *state,
 	state->buflen += inlen;
 }
 
-static inline void __blake2s_final(struct blake2s_state *state, u8 *out,
-				   blake2s_compress_t compress)
+static __always_inline void __blake2s_final(struct blake2s_state *state, u8 *out,
+					    bool force_generic)
 {
 	blake2s_set_lastblock(state);
 	memset(state->buf + state->buflen, 0,
 	       BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
-	(*compress)(state, state->buf, 1, state->buflen);
+	if (force_generic)
+		blake2s_compress_generic(state, state->buf, 1, state->buflen);
+	else
+		blake2s_compress(state, state->buf, 1, state->buflen);
 	cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
 	memcpy(out, state->h, state->outlen);
 }
@@ -99,20 +105,20 @@ static inline int crypto_blake2s_init(struct shash_desc *desc)
 
 static inline int crypto_blake2s_update(struct shash_desc *desc,
 					const u8 *in, unsigned int inlen,
-					blake2s_compress_t compress)
+					bool force_generic)
 {
 	struct blake2s_state *state = shash_desc_ctx(desc);
 
-	__blake2s_update(state, in, inlen, compress);
+	__blake2s_update(state, in, inlen, force_generic);
 	return 0;
 }
 
 static inline int crypto_blake2s_final(struct shash_desc *desc, u8 *out,
-				       blake2s_compress_t compress)
+				       bool force_generic)
 {
 	struct blake2s_state *state = shash_desc_ctx(desc);
 
-	__blake2s_final(state, out, compress);
+	__blake2s_final(state, out, force_generic);
 	return 0;
 }
 
diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
index 9364f79937b8..c71c09621c09 100644
--- a/lib/crypto/blake2s.c
+++ b/lib/crypto/blake2s.c
@@ -18,14 +18,14 @@
 
 void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
 {
-	__blake2s_update(state, in, inlen, blake2s_compress);
+	__blake2s_update(state, in, inlen, false);
 }
 EXPORT_SYMBOL(blake2s_update);
 
 void blake2s_final(struct blake2s_state *state, u8 *out)
 {
 	WARN_ON(IS_ENABLED(DEBUG) && !out);
-	__blake2s_final(state, out, blake2s_compress);
+	__blake2s_final(state, out, false);
 	memzero_explicit(state, sizeof(*state));
 }
 EXPORT_SYMBOL(blake2s_final);
-- 
2.34.1


_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply related	[flat|nested] 100+ messages in thread

* [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
@ 2022-01-19 13:54                     ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19 13:54 UTC (permalink / raw)
  To: Miles Chen, Ard Biesheuvel, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek
  Cc: Jason A. Donenfeld, Nick Desaulniers, Sami Tolvanen

blake2s_compress_generic is weakly aliased to blake2s_generic. The
current harness for function selection uses a function pointer, which is
ordinarily inlined and resolved at compile time. But when Clang's CFI is
enabled, CFI still triggers when making an indirect call via a weak
symbol. This seems like a bug in Clang's CFI, as though it's bucketing
weak symbols and strong symbols differently. It also only seems to
trigger when "full LTO" mode is used, rather than "thin LTO".

[    0.000000][    T0] Kernel panic - not syncing: CFI failure (target: blake2s_compress_generic+0x0/0x1444)
[    0.000000][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-mainline-06981-g076c855b846e #1
[    0.000000][    T0] Hardware name: MT6873 (DT)
[    0.000000][    T0] Call trace:
[    0.000000][    T0]  dump_backtrace+0xfc/0x1dc
[    0.000000][    T0]  dump_stack_lvl+0xa8/0x11c
[    0.000000][    T0]  panic+0x194/0x464
[    0.000000][    T0]  __cfi_check_fail+0x54/0x58
[    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
[    0.000000][    T0]  blake2s_update+0x14c/0x178
[    0.000000][    T0]  _extract_entropy+0xf4/0x29c
[    0.000000][    T0]  crng_initialize_primary+0x24/0x94
[    0.000000][    T0]  rand_initialize+0x2c/0x6c
[    0.000000][    T0]  start_kernel+0x2f8/0x65c
[    0.000000][    T0]  __primary_switched+0xc4/0x7be4
[    0.000000][    T0] Rebooting in 5 seconds..

Nonetheless, the function pointer method isn't so terrific anyway, so
this patch replaces it with a simple boolean, which also gets inlined
away. This successfully works around the Clang bug.

In general, I'm not too keen on all of the indirection involved here; it
clearly does more harm than good. Hopefully the whole thing can get
cleaned up down the road when lib/crypto is overhauled more
comprehensively. But for now, we go with a simple bandaid.

Fixes: 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
Reported-by: Miles Chen <miles.chen@mediatek.com>
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Sami Tolvanen <samitolvanen@google.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
 arch/arm/crypto/blake2s-shash.c   |  4 ++--
 arch/x86/crypto/blake2s-shash.c   |  4 ++--
 crypto/blake2s_generic.c          |  4 ++--
 include/crypto/internal/blake2s.h | 36 ++++++++++++++++++-------------
 lib/crypto/blake2s.c              |  4 ++--
 5 files changed, 29 insertions(+), 23 deletions(-)

diff --git a/arch/arm/crypto/blake2s-shash.c b/arch/arm/crypto/blake2s-shash.c
index 17c1c3bfe2f5..763c73beea2d 100644
--- a/arch/arm/crypto/blake2s-shash.c
+++ b/arch/arm/crypto/blake2s-shash.c
@@ -13,12 +13,12 @@
 static int crypto_blake2s_update_arm(struct shash_desc *desc,
 				     const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
+	return crypto_blake2s_update(desc, in, inlen, false);
 }
 
 static int crypto_blake2s_final_arm(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress);
+	return crypto_blake2s_final(desc, out, false);
 }
 
 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/arch/x86/crypto/blake2s-shash.c b/arch/x86/crypto/blake2s-shash.c
index f9e2fecdb761..59ae28abe35c 100644
--- a/arch/x86/crypto/blake2s-shash.c
+++ b/arch/x86/crypto/blake2s-shash.c
@@ -18,12 +18,12 @@
 static int crypto_blake2s_update_x86(struct shash_desc *desc,
 				     const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
+	return crypto_blake2s_update(desc, in, inlen, false);
 }
 
 static int crypto_blake2s_final_x86(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress);
+	return crypto_blake2s_final(desc, out, false);
 }
 
 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/crypto/blake2s_generic.c b/crypto/blake2s_generic.c
index 72fe480f9bd6..5f96a21f8788 100644
--- a/crypto/blake2s_generic.c
+++ b/crypto/blake2s_generic.c
@@ -15,12 +15,12 @@
 static int crypto_blake2s_update_generic(struct shash_desc *desc,
 					 const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress_generic);
+	return crypto_blake2s_update(desc, in, inlen, true);
 }
 
 static int crypto_blake2s_final_generic(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress_generic);
+	return crypto_blake2s_final(desc, out, true);
 }
 
 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/include/crypto/internal/blake2s.h b/include/crypto/internal/blake2s.h
index d39cfa0d333e..e2da9b413d44 100644
--- a/include/crypto/internal/blake2s.h
+++ b/include/crypto/internal/blake2s.h
@@ -24,14 +24,11 @@ static inline void blake2s_set_lastblock(struct blake2s_state *state)
 	state->f[0] = -1;
 }
 
-typedef void (*blake2s_compress_t)(struct blake2s_state *state,
-				   const u8 *block, size_t nblocks, u32 inc);
-
 /* Helper functions for BLAKE2s shared by the library and shash APIs */
 
-static inline void __blake2s_update(struct blake2s_state *state,
-				    const u8 *in, size_t inlen,
-				    blake2s_compress_t compress)
+static __always_inline void __blake2s_update(struct blake2s_state *state,
+					     const u8 *in, size_t inlen,
+					     bool force_generic)
 {
 	const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;
 
@@ -39,7 +36,10 @@ static inline void __blake2s_update(struct blake2s_state *state,
 		return;
 	if (inlen > fill) {
 		memcpy(state->buf + state->buflen, in, fill);
-		(*compress)(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
+		if (force_generic)
+			blake2s_compress_generic(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
+		else
+			blake2s_compress(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
 		state->buflen = 0;
 		in += fill;
 		inlen -= fill;
@@ -47,7 +47,10 @@ static inline void __blake2s_update(struct blake2s_state *state,
 	if (inlen > BLAKE2S_BLOCK_SIZE) {
 		const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
 		/* Hash one less (full) block than strictly possible */
-		(*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
+		if (force_generic)
+			blake2s_compress_generic(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
+		else
+			blake2s_compress(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
 		in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
 		inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
 	}
@@ -55,13 +58,16 @@ static inline void __blake2s_update(struct blake2s_state *state,
 	state->buflen += inlen;
 }
 
-static inline void __blake2s_final(struct blake2s_state *state, u8 *out,
-				   blake2s_compress_t compress)
+static __always_inline void __blake2s_final(struct blake2s_state *state, u8 *out,
+					    bool force_generic)
 {
 	blake2s_set_lastblock(state);
 	memset(state->buf + state->buflen, 0,
 	       BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
-	(*compress)(state, state->buf, 1, state->buflen);
+	if (force_generic)
+		blake2s_compress_generic(state, state->buf, 1, state->buflen);
+	else
+		blake2s_compress(state, state->buf, 1, state->buflen);
 	cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
 	memcpy(out, state->h, state->outlen);
 }
@@ -99,20 +105,20 @@ static inline int crypto_blake2s_init(struct shash_desc *desc)
 
 static inline int crypto_blake2s_update(struct shash_desc *desc,
 					const u8 *in, unsigned int inlen,
-					blake2s_compress_t compress)
+					bool force_generic)
 {
 	struct blake2s_state *state = shash_desc_ctx(desc);
 
-	__blake2s_update(state, in, inlen, compress);
+	__blake2s_update(state, in, inlen, force_generic);
 	return 0;
 }
 
 static inline int crypto_blake2s_final(struct shash_desc *desc, u8 *out,
-				       blake2s_compress_t compress)
+				       bool force_generic)
 {
 	struct blake2s_state *state = shash_desc_ctx(desc);
 
-	__blake2s_final(state, out, compress);
+	__blake2s_final(state, out, force_generic);
 	return 0;
 }
 
diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
index 9364f79937b8..c71c09621c09 100644
--- a/lib/crypto/blake2s.c
+++ b/lib/crypto/blake2s.c
@@ -18,14 +18,14 @@
 
 void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
 {
-	__blake2s_update(state, in, inlen, blake2s_compress);
+	__blake2s_update(state, in, inlen, false);
 }
 EXPORT_SYMBOL(blake2s_update);
 
 void blake2s_final(struct blake2s_state *state, u8 *out)
 {
 	WARN_ON(IS_ENABLED(DEBUG) && !out);
-	__blake2s_final(state, out, blake2s_compress);
+	__blake2s_final(state, out, false);
 	memzero_explicit(state, sizeof(*state));
 }
 EXPORT_SYMBOL(blake2s_final);
-- 
2.34.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply related	[flat|nested] 100+ messages in thread

* RE: [PATCH] lib/crypto: blake2s: fix a CFI failure
  2022-01-19 12:18                 ` Ard Biesheuvel
  (?)
@ 2022-01-19 14:40                   ` David Laight
  -1 siblings, 0 replies; 100+ messages in thread
From: David Laight @ 2022-01-19 14:40 UTC (permalink / raw)
  To: 'Ard Biesheuvel', Jason A. Donenfeld
  Cc: Miles Chen, David S. Miller, Greg Kroah-Hartman, Herbert Xu,
	Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	linux-mediatek, Matthias Brugger, Nathan Chancellor,
	Nick Desaulniers

From: Ard Biesheuvel
> Sent: 19 January 2022 12:19
...
> -               (*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
> +               if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S))
> +                       (*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
> +               else
> +                       blake2s_compress_generic(state, in, nblocks - 1,
> +                                                BLAKE2S_BLOCK_SIZE);

Isn't that a candidate for a 'static call' ?

And, maybe all these inlined functions should be real functions?
No point having all the bloat on every call site.
Much better to call a real function and used the cached instructions.

Although, having looked at the source and the generated code for
x86-64 and arm64 I'm not sure I'd want to try to generate
optimised assembler for it.
(Unless you can a instruction that does exactly what the code wants.)

Basically the compiler can merge the instructions for 4 of the
G() expansions so that they can execute in parallel on a multi-issue
cpu. Doing that by hand will be error prone.
Each G() expansion is pretty much a register dependency chain,
not much chance of parallel execution.

There are clearly optimisations for the top/bottom of the loop.
But they can be done to the generic C version.

The real problem is lack of registers - the code needs 16 for the
v[] array plus a few extras.
So some have to spill to stack.

The unrolled code is about 1200 instructions on arm64 and x86-64.
Each of the 10 rounds reads all 16 of the u32 input values.
So that is about 8 (1200/160) instructions for each read.
Which means there is plenty of memory bandwidth for other
reads.

So 'rolling up' the rounds - which adds in the blake2s_sigma[]
reads could easily be 'almost free'.
Certainly on x86 where you are just (well should be just) adding an
extra memory uop for each input buffer reads.

I'm not sure the 8 G() calls can be folded into two sets of 4
while still getting the compiler to interleave the generated code.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

^ permalink raw reply	[flat|nested] 100+ messages in thread

* RE: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 14:40                   ` David Laight
  0 siblings, 0 replies; 100+ messages in thread
From: David Laight @ 2022-01-19 14:40 UTC (permalink / raw)
  To: 'Ard Biesheuvel', Jason A. Donenfeld
  Cc: Miles Chen, David S. Miller, Greg Kroah-Hartman, Herbert Xu,
	Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	linux-mediatek, Matthias Brugger, Nathan Chancellor,
	Nick Desaulniers

From: Ard Biesheuvel
> Sent: 19 January 2022 12:19
...
> -               (*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
> +               if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S))
> +                       (*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
> +               else
> +                       blake2s_compress_generic(state, in, nblocks - 1,
> +                                                BLAKE2S_BLOCK_SIZE);

Isn't that a candidate for a 'static call' ?

And, maybe all these inlined functions should be real functions?
No point having all the bloat on every call site.
Much better to call a real function and used the cached instructions.

Although, having looked at the source and the generated code for
x86-64 and arm64 I'm not sure I'd want to try to generate
optimised assembler for it.
(Unless you can a instruction that does exactly what the code wants.)

Basically the compiler can merge the instructions for 4 of the
G() expansions so that they can execute in parallel on a multi-issue
cpu. Doing that by hand will be error prone.
Each G() expansion is pretty much a register dependency chain,
not much chance of parallel execution.

There are clearly optimisations for the top/bottom of the loop.
But they can be done to the generic C version.

The real problem is lack of registers - the code needs 16 for the
v[] array plus a few extras.
So some have to spill to stack.

The unrolled code is about 1200 instructions on arm64 and x86-64.
Each of the 10 rounds reads all 16 of the u32 input values.
So that is about 8 (1200/160) instructions for each read.
Which means there is plenty of memory bandwidth for other
reads.

So 'rolling up' the rounds - which adds in the blake2s_sigma[]
reads could easily be 'almost free'.
Certainly on x86 where you are just (well should be just) adding an
extra memory uop for each input buffer reads.

I'm not sure the 8 G() calls can be folded into two sets of 4
while still getting the compiler to interleave the generated code.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* RE: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 14:40                   ` David Laight
  0 siblings, 0 replies; 100+ messages in thread
From: David Laight @ 2022-01-19 14:40 UTC (permalink / raw)
  To: 'Ard Biesheuvel', Jason A. Donenfeld
  Cc: Miles Chen, David S. Miller, Greg Kroah-Hartman, Herbert Xu,
	Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	linux-mediatek, Matthias Brugger, Nathan Chancellor,
	Nick Desaulniers

From: Ard Biesheuvel
> Sent: 19 January 2022 12:19
...
> -               (*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
> +               if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S))
> +                       (*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
> +               else
> +                       blake2s_compress_generic(state, in, nblocks - 1,
> +                                                BLAKE2S_BLOCK_SIZE);

Isn't that a candidate for a 'static call' ?

And, maybe all these inlined functions should be real functions?
No point having all the bloat on every call site.
Much better to call a real function and used the cached instructions.

Although, having looked at the source and the generated code for
x86-64 and arm64 I'm not sure I'd want to try to generate
optimised assembler for it.
(Unless you can a instruction that does exactly what the code wants.)

Basically the compiler can merge the instructions for 4 of the
G() expansions so that they can execute in parallel on a multi-issue
cpu. Doing that by hand will be error prone.
Each G() expansion is pretty much a register dependency chain,
not much chance of parallel execution.

There are clearly optimisations for the top/bottom of the loop.
But they can be done to the generic C version.

The real problem is lack of registers - the code needs 16 for the
v[] array plus a few extras.
So some have to spill to stack.

The unrolled code is about 1200 instructions on arm64 and x86-64.
Each of the 10 rounds reads all 16 of the u32 input values.
So that is about 8 (1200/160) instructions for each read.
Which means there is plenty of memory bandwidth for other
reads.

So 'rolling up' the rounds - which adds in the blake2s_sigma[]
reads could easily be 'almost free'.
Certainly on x86 where you are just (well should be just) adding an
extra memory uop for each input buffer reads.

I'm not sure the 8 G() calls can be folded into two sets of 4
while still getting the compiler to interleave the generated code.

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
  2022-01-19 13:54                     ` Jason A. Donenfeld
  (?)
@ 2022-01-19 14:46                       ` Miles Chen
  -1 siblings, 0 replies; 100+ messages in thread
From: Miles Chen @ 2022-01-19 14:46 UTC (permalink / raw)
  To: jason
  Cc: ardb, linux-arm-kernel, linux-crypto, linux-kernel,
	linux-mediatek, miles.chen, ndesaulniers, samitolvanen

Test-by: Miles Chen <miles.chen@mediatek.com>

Thank Jason & Ard for your help!

Miles

^ permalink raw reply	[flat|nested] 100+ messages in thread

* [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
@ 2022-01-19 14:46                       ` Miles Chen
  0 siblings, 0 replies; 100+ messages in thread
From: Miles Chen @ 2022-01-19 14:46 UTC (permalink / raw)
  To: jason
  Cc: ardb, linux-arm-kernel, linux-crypto, linux-kernel,
	linux-mediatek, miles.chen, ndesaulniers, samitolvanen

Test-by: Miles Chen <miles.chen@mediatek.com>

Thank Jason & Ard for your help!

Miles

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
@ 2022-01-19 14:46                       ` Miles Chen
  0 siblings, 0 replies; 100+ messages in thread
From: Miles Chen @ 2022-01-19 14:46 UTC (permalink / raw)
  To: jason
  Cc: ardb, linux-arm-kernel, linux-crypto, linux-kernel,
	linux-mediatek, miles.chen, ndesaulniers, samitolvanen

Test-by: Miles Chen <miles.chen@mediatek.com>

Thank Jason & Ard for your help!

Miles

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
  2022-01-19 14:40                   ` David Laight
  (?)
@ 2022-01-19 15:03                     ` Jason A. Donenfeld
  -1 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19 15:03 UTC (permalink / raw)
  To: David Laight
  Cc: Ard Biesheuvel, Miles Chen, David S. Miller, Greg Kroah-Hartman,
	Herbert Xu, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek, Matthias Brugger,
	Nathan Chancellor, Nick Desaulniers

Hi David,

On Wed, Jan 19, 2022 at 3:41 PM David Laight <David.Laight@aculab.com> wrote:
>
> From: Ard Biesheuvel
> > Sent: 19 January 2022 12:19
> ...
> > -               (*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
> > +               if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S))
> > +                       (*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
> > +               else
> > +                       blake2s_compress_generic(state, in, nblocks - 1,
> > +                                                BLAKE2S_BLOCK_SIZE);
>
> Isn't that a candidate for a 'static call' ?
>
> And, maybe all these inlined functions should be real functions?
> No point having all the bloat on every call site.
> Much better to call a real function and used the cached instructions.

Not a good candidate for static call, as this doesn't actually need to
change at runtime ever. It's using a function pointer here out of
laziness to keep the same body of the function, like a compile-time
template. You can sort of squint and imagine the C++. Unfortunately,
CFI felt differently and still treats it as an indirect call.

https://lore.kernel.org/linux-crypto/20220119135450.564115-1-Jason@zx2c4.com/
fixes it up to use a boolean instead, which will certainly be inlined
away. So that's definitely an improvement on what's there now.

For 5.18, I think it's probable that all of this stuff goes away
anyway, and we don't need the templated helpers at all. So perhaps my
patch will serve as an okay stop gap. Alternatively, maybe the clang
people will say, "oh no, our bug" and then fix it in their
neighborhood. According to
https://github.com/ClangBuiltLinux/linux/issues/1567 it looks like
that could be the case.

> There are clearly optimisations for the top/bottom of the loop.
> But they can be done to the generic C version.

Optimizing the generic C version would be quite nice, as it'd help all
platforms.

Jason

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 15:03                     ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19 15:03 UTC (permalink / raw)
  To: David Laight
  Cc: Ard Biesheuvel, Miles Chen, David S. Miller, Greg Kroah-Hartman,
	Herbert Xu, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek, Matthias Brugger,
	Nathan Chancellor, Nick Desaulniers

Hi David,

On Wed, Jan 19, 2022 at 3:41 PM David Laight <David.Laight@aculab.com> wrote:
>
> From: Ard Biesheuvel
> > Sent: 19 January 2022 12:19
> ...
> > -               (*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
> > +               if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S))
> > +                       (*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
> > +               else
> > +                       blake2s_compress_generic(state, in, nblocks - 1,
> > +                                                BLAKE2S_BLOCK_SIZE);
>
> Isn't that a candidate for a 'static call' ?
>
> And, maybe all these inlined functions should be real functions?
> No point having all the bloat on every call site.
> Much better to call a real function and used the cached instructions.

Not a good candidate for static call, as this doesn't actually need to
change at runtime ever. It's using a function pointer here out of
laziness to keep the same body of the function, like a compile-time
template. You can sort of squint and imagine the C++. Unfortunately,
CFI felt differently and still treats it as an indirect call.

https://lore.kernel.org/linux-crypto/20220119135450.564115-1-Jason@zx2c4.com/
fixes it up to use a boolean instead, which will certainly be inlined
away. So that's definitely an improvement on what's there now.

For 5.18, I think it's probable that all of this stuff goes away
anyway, and we don't need the templated helpers at all. So perhaps my
patch will serve as an okay stop gap. Alternatively, maybe the clang
people will say, "oh no, our bug" and then fix it in their
neighborhood. According to
https://github.com/ClangBuiltLinux/linux/issues/1567 it looks like
that could be the case.

> There are clearly optimisations for the top/bottom of the loop.
> But they can be done to the generic C version.

Optimizing the generic C version would be quite nice, as it'd help all
platforms.

Jason

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: fix a CFI failure
@ 2022-01-19 15:03                     ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-19 15:03 UTC (permalink / raw)
  To: David Laight
  Cc: Ard Biesheuvel, Miles Chen, David S. Miller, Greg Kroah-Hartman,
	Herbert Xu, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek, Matthias Brugger,
	Nathan Chancellor, Nick Desaulniers

Hi David,

On Wed, Jan 19, 2022 at 3:41 PM David Laight <David.Laight@aculab.com> wrote:
>
> From: Ard Biesheuvel
> > Sent: 19 January 2022 12:19
> ...
> > -               (*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
> > +               if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_BLAKE2S))
> > +                       (*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
> > +               else
> > +                       blake2s_compress_generic(state, in, nblocks - 1,
> > +                                                BLAKE2S_BLOCK_SIZE);
>
> Isn't that a candidate for a 'static call' ?
>
> And, maybe all these inlined functions should be real functions?
> No point having all the bloat on every call site.
> Much better to call a real function and used the cached instructions.

Not a good candidate for static call, as this doesn't actually need to
change at runtime ever. It's using a function pointer here out of
laziness to keep the same body of the function, like a compile-time
template. You can sort of squint and imagine the C++. Unfortunately,
CFI felt differently and still treats it as an indirect call.

https://lore.kernel.org/linux-crypto/20220119135450.564115-1-Jason@zx2c4.com/
fixes it up to use a boolean instead, which will certainly be inlined
away. So that's definitely an improvement on what's there now.

For 5.18, I think it's probable that all of this stuff goes away
anyway, and we don't need the templated helpers at all. So perhaps my
patch will serve as an okay stop gap. Alternatively, maybe the clang
people will say, "oh no, our bug" and then fix it in their
neighborhood. According to
https://github.com/ClangBuiltLinux/linux/issues/1567 it looks like
that could be the case.

> There are clearly optimisations for the top/bottom of the loop.
> But they can be done to the generic C version.

Optimizing the generic C version would be quite nice, as it'd help all
platforms.

Jason

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
  2022-01-19 13:54                     ` Jason A. Donenfeld
  (?)
@ 2022-01-19 22:24                       ` Nathan Chancellor
  -1 siblings, 0 replies; 100+ messages in thread
From: Nathan Chancellor @ 2022-01-19 22:24 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Miles Chen, Ard Biesheuvel, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek, Nick Desaulniers,
	Sami Tolvanen

On Wed, Jan 19, 2022 at 02:54:50PM +0100, Jason A. Donenfeld wrote:
> blake2s_compress_generic is weakly aliased to blake2s_generic. The

Isn't it the other way around?

> current harness for function selection uses a function pointer, which is
> ordinarily inlined and resolved at compile time. But when Clang's CFI is
> enabled, CFI still triggers when making an indirect call via a weak
> symbol. This seems like a bug in Clang's CFI, as though it's bucketing
> weak symbols and strong symbols differently. It also only seems to
> trigger when "full LTO" mode is used, rather than "thin LTO".
> 
> [    0.000000][    T0] Kernel panic - not syncing: CFI failure (target: blake2s_compress_generic+0x0/0x1444)
> [    0.000000][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-mainline-06981-g076c855b846e #1
> [    0.000000][    T0] Hardware name: MT6873 (DT)
> [    0.000000][    T0] Call trace:
> [    0.000000][    T0]  dump_backtrace+0xfc/0x1dc
> [    0.000000][    T0]  dump_stack_lvl+0xa8/0x11c
> [    0.000000][    T0]  panic+0x194/0x464
> [    0.000000][    T0]  __cfi_check_fail+0x54/0x58
> [    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
> [    0.000000][    T0]  blake2s_update+0x14c/0x178
> [    0.000000][    T0]  _extract_entropy+0xf4/0x29c
> [    0.000000][    T0]  crng_initialize_primary+0x24/0x94
> [    0.000000][    T0]  rand_initialize+0x2c/0x6c
> [    0.000000][    T0]  start_kernel+0x2f8/0x65c
> [    0.000000][    T0]  __primary_switched+0xc4/0x7be4
> [    0.000000][    T0] Rebooting in 5 seconds..
> 
> Nonetheless, the function pointer method isn't so terrific anyway, so
> this patch replaces it with a simple boolean, which also gets inlined
> away. This successfully works around the Clang bug.
> 
> In general, I'm not too keen on all of the indirection involved here; it
> clearly does more harm than good. Hopefully the whole thing can get
> cleaned up down the road when lib/crypto is overhauled more
> comprehensively. But for now, we go with a simple bandaid.
> 
> Fixes: 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
> Reported-by: Miles Chen <miles.chen@mediatek.com>
> Cc: Nick Desaulniers <ndesaulniers@google.com>
> Cc: Sami Tolvanen <samitolvanen@google.com>
> Cc: Ard Biesheuvel <ardb@kernel.org>
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

I am not familiar enough with the inner workings of CFI to comment on
what could be going wrong here in LLVM (perhaps Sami can?) but
eliminating the indirect call resolves the issue for me as well.

Tested-by: Nathan Chancellor <nathan@kernel.org>

> ---
>  arch/arm/crypto/blake2s-shash.c   |  4 ++--
>  arch/x86/crypto/blake2s-shash.c   |  4 ++--
>  crypto/blake2s_generic.c          |  4 ++--
>  include/crypto/internal/blake2s.h | 36 ++++++++++++++++++-------------
>  lib/crypto/blake2s.c              |  4 ++--
>  5 files changed, 29 insertions(+), 23 deletions(-)
> 
> diff --git a/arch/arm/crypto/blake2s-shash.c b/arch/arm/crypto/blake2s-shash.c
> index 17c1c3bfe2f5..763c73beea2d 100644
> --- a/arch/arm/crypto/blake2s-shash.c
> +++ b/arch/arm/crypto/blake2s-shash.c
> @@ -13,12 +13,12 @@
>  static int crypto_blake2s_update_arm(struct shash_desc *desc,
>  				     const u8 *in, unsigned int inlen)
>  {
> -	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
> +	return crypto_blake2s_update(desc, in, inlen, false);
>  }
>  
>  static int crypto_blake2s_final_arm(struct shash_desc *desc, u8 *out)
>  {
> -	return crypto_blake2s_final(desc, out, blake2s_compress);
> +	return crypto_blake2s_final(desc, out, false);
>  }
>  
>  #define BLAKE2S_ALG(name, driver_name, digest_size)			\
> diff --git a/arch/x86/crypto/blake2s-shash.c b/arch/x86/crypto/blake2s-shash.c
> index f9e2fecdb761..59ae28abe35c 100644
> --- a/arch/x86/crypto/blake2s-shash.c
> +++ b/arch/x86/crypto/blake2s-shash.c
> @@ -18,12 +18,12 @@
>  static int crypto_blake2s_update_x86(struct shash_desc *desc,
>  				     const u8 *in, unsigned int inlen)
>  {
> -	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
> +	return crypto_blake2s_update(desc, in, inlen, false);
>  }
>  
>  static int crypto_blake2s_final_x86(struct shash_desc *desc, u8 *out)
>  {
> -	return crypto_blake2s_final(desc, out, blake2s_compress);
> +	return crypto_blake2s_final(desc, out, false);
>  }
>  
>  #define BLAKE2S_ALG(name, driver_name, digest_size)			\
> diff --git a/crypto/blake2s_generic.c b/crypto/blake2s_generic.c
> index 72fe480f9bd6..5f96a21f8788 100644
> --- a/crypto/blake2s_generic.c
> +++ b/crypto/blake2s_generic.c
> @@ -15,12 +15,12 @@
>  static int crypto_blake2s_update_generic(struct shash_desc *desc,
>  					 const u8 *in, unsigned int inlen)
>  {
> -	return crypto_blake2s_update(desc, in, inlen, blake2s_compress_generic);
> +	return crypto_blake2s_update(desc, in, inlen, true);
>  }
>  
>  static int crypto_blake2s_final_generic(struct shash_desc *desc, u8 *out)
>  {
> -	return crypto_blake2s_final(desc, out, blake2s_compress_generic);
> +	return crypto_blake2s_final(desc, out, true);
>  }
>  
>  #define BLAKE2S_ALG(name, driver_name, digest_size)			\
> diff --git a/include/crypto/internal/blake2s.h b/include/crypto/internal/blake2s.h
> index d39cfa0d333e..e2da9b413d44 100644
> --- a/include/crypto/internal/blake2s.h
> +++ b/include/crypto/internal/blake2s.h
> @@ -24,14 +24,11 @@ static inline void blake2s_set_lastblock(struct blake2s_state *state)
>  	state->f[0] = -1;
>  }
>  
> -typedef void (*blake2s_compress_t)(struct blake2s_state *state,
> -				   const u8 *block, size_t nblocks, u32 inc);
> -
>  /* Helper functions for BLAKE2s shared by the library and shash APIs */
>  
> -static inline void __blake2s_update(struct blake2s_state *state,
> -				    const u8 *in, size_t inlen,
> -				    blake2s_compress_t compress)
> +static __always_inline void __blake2s_update(struct blake2s_state *state,
> +					     const u8 *in, size_t inlen,
> +					     bool force_generic)
>  {
>  	const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;
>  
> @@ -39,7 +36,10 @@ static inline void __blake2s_update(struct blake2s_state *state,
>  		return;
>  	if (inlen > fill) {
>  		memcpy(state->buf + state->buflen, in, fill);
> -		(*compress)(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
> +		if (force_generic)
> +			blake2s_compress_generic(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
> +		else
> +			blake2s_compress(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
>  		state->buflen = 0;
>  		in += fill;
>  		inlen -= fill;
> @@ -47,7 +47,10 @@ static inline void __blake2s_update(struct blake2s_state *state,
>  	if (inlen > BLAKE2S_BLOCK_SIZE) {
>  		const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
>  		/* Hash one less (full) block than strictly possible */
> -		(*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
> +		if (force_generic)
> +			blake2s_compress_generic(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
> +		else
> +			blake2s_compress(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
>  		in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
>  		inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
>  	}
> @@ -55,13 +58,16 @@ static inline void __blake2s_update(struct blake2s_state *state,
>  	state->buflen += inlen;
>  }
>  
> -static inline void __blake2s_final(struct blake2s_state *state, u8 *out,
> -				   blake2s_compress_t compress)
> +static __always_inline void __blake2s_final(struct blake2s_state *state, u8 *out,
> +					    bool force_generic)
>  {
>  	blake2s_set_lastblock(state);
>  	memset(state->buf + state->buflen, 0,
>  	       BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
> -	(*compress)(state, state->buf, 1, state->buflen);
> +	if (force_generic)
> +		blake2s_compress_generic(state, state->buf, 1, state->buflen);
> +	else
> +		blake2s_compress(state, state->buf, 1, state->buflen);
>  	cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
>  	memcpy(out, state->h, state->outlen);
>  }
> @@ -99,20 +105,20 @@ static inline int crypto_blake2s_init(struct shash_desc *desc)
>  
>  static inline int crypto_blake2s_update(struct shash_desc *desc,
>  					const u8 *in, unsigned int inlen,
> -					blake2s_compress_t compress)
> +					bool force_generic)
>  {
>  	struct blake2s_state *state = shash_desc_ctx(desc);
>  
> -	__blake2s_update(state, in, inlen, compress);
> +	__blake2s_update(state, in, inlen, force_generic);
>  	return 0;
>  }
>  
>  static inline int crypto_blake2s_final(struct shash_desc *desc, u8 *out,
> -				       blake2s_compress_t compress)
> +				       bool force_generic)
>  {
>  	struct blake2s_state *state = shash_desc_ctx(desc);
>  
> -	__blake2s_final(state, out, compress);
> +	__blake2s_final(state, out, force_generic);
>  	return 0;
>  }
>  
> diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
> index 9364f79937b8..c71c09621c09 100644
> --- a/lib/crypto/blake2s.c
> +++ b/lib/crypto/blake2s.c
> @@ -18,14 +18,14 @@
>  
>  void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
>  {
> -	__blake2s_update(state, in, inlen, blake2s_compress);
> +	__blake2s_update(state, in, inlen, false);
>  }
>  EXPORT_SYMBOL(blake2s_update);
>  
>  void blake2s_final(struct blake2s_state *state, u8 *out)
>  {
>  	WARN_ON(IS_ENABLED(DEBUG) && !out);
> -	__blake2s_final(state, out, blake2s_compress);
> +	__blake2s_final(state, out, false);
>  	memzero_explicit(state, sizeof(*state));
>  }
>  EXPORT_SYMBOL(blake2s_final);
> -- 
> 2.34.1
> 
> 

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
@ 2022-01-19 22:24                       ` Nathan Chancellor
  0 siblings, 0 replies; 100+ messages in thread
From: Nathan Chancellor @ 2022-01-19 22:24 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Miles Chen, Ard Biesheuvel, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek, Nick Desaulniers,
	Sami Tolvanen

On Wed, Jan 19, 2022 at 02:54:50PM +0100, Jason A. Donenfeld wrote:
> blake2s_compress_generic is weakly aliased to blake2s_generic. The

Isn't it the other way around?

> current harness for function selection uses a function pointer, which is
> ordinarily inlined and resolved at compile time. But when Clang's CFI is
> enabled, CFI still triggers when making an indirect call via a weak
> symbol. This seems like a bug in Clang's CFI, as though it's bucketing
> weak symbols and strong symbols differently. It also only seems to
> trigger when "full LTO" mode is used, rather than "thin LTO".
> 
> [    0.000000][    T0] Kernel panic - not syncing: CFI failure (target: blake2s_compress_generic+0x0/0x1444)
> [    0.000000][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-mainline-06981-g076c855b846e #1
> [    0.000000][    T0] Hardware name: MT6873 (DT)
> [    0.000000][    T0] Call trace:
> [    0.000000][    T0]  dump_backtrace+0xfc/0x1dc
> [    0.000000][    T0]  dump_stack_lvl+0xa8/0x11c
> [    0.000000][    T0]  panic+0x194/0x464
> [    0.000000][    T0]  __cfi_check_fail+0x54/0x58
> [    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
> [    0.000000][    T0]  blake2s_update+0x14c/0x178
> [    0.000000][    T0]  _extract_entropy+0xf4/0x29c
> [    0.000000][    T0]  crng_initialize_primary+0x24/0x94
> [    0.000000][    T0]  rand_initialize+0x2c/0x6c
> [    0.000000][    T0]  start_kernel+0x2f8/0x65c
> [    0.000000][    T0]  __primary_switched+0xc4/0x7be4
> [    0.000000][    T0] Rebooting in 5 seconds..
> 
> Nonetheless, the function pointer method isn't so terrific anyway, so
> this patch replaces it with a simple boolean, which also gets inlined
> away. This successfully works around the Clang bug.
> 
> In general, I'm not too keen on all of the indirection involved here; it
> clearly does more harm than good. Hopefully the whole thing can get
> cleaned up down the road when lib/crypto is overhauled more
> comprehensively. But for now, we go with a simple bandaid.
> 
> Fixes: 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
> Reported-by: Miles Chen <miles.chen@mediatek.com>
> Cc: Nick Desaulniers <ndesaulniers@google.com>
> Cc: Sami Tolvanen <samitolvanen@google.com>
> Cc: Ard Biesheuvel <ardb@kernel.org>
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

I am not familiar enough with the inner workings of CFI to comment on
what could be going wrong here in LLVM (perhaps Sami can?) but
eliminating the indirect call resolves the issue for me as well.

Tested-by: Nathan Chancellor <nathan@kernel.org>

> ---
>  arch/arm/crypto/blake2s-shash.c   |  4 ++--
>  arch/x86/crypto/blake2s-shash.c   |  4 ++--
>  crypto/blake2s_generic.c          |  4 ++--
>  include/crypto/internal/blake2s.h | 36 ++++++++++++++++++-------------
>  lib/crypto/blake2s.c              |  4 ++--
>  5 files changed, 29 insertions(+), 23 deletions(-)
> 
> diff --git a/arch/arm/crypto/blake2s-shash.c b/arch/arm/crypto/blake2s-shash.c
> index 17c1c3bfe2f5..763c73beea2d 100644
> --- a/arch/arm/crypto/blake2s-shash.c
> +++ b/arch/arm/crypto/blake2s-shash.c
> @@ -13,12 +13,12 @@
>  static int crypto_blake2s_update_arm(struct shash_desc *desc,
>  				     const u8 *in, unsigned int inlen)
>  {
> -	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
> +	return crypto_blake2s_update(desc, in, inlen, false);
>  }
>  
>  static int crypto_blake2s_final_arm(struct shash_desc *desc, u8 *out)
>  {
> -	return crypto_blake2s_final(desc, out, blake2s_compress);
> +	return crypto_blake2s_final(desc, out, false);
>  }
>  
>  #define BLAKE2S_ALG(name, driver_name, digest_size)			\
> diff --git a/arch/x86/crypto/blake2s-shash.c b/arch/x86/crypto/blake2s-shash.c
> index f9e2fecdb761..59ae28abe35c 100644
> --- a/arch/x86/crypto/blake2s-shash.c
> +++ b/arch/x86/crypto/blake2s-shash.c
> @@ -18,12 +18,12 @@
>  static int crypto_blake2s_update_x86(struct shash_desc *desc,
>  				     const u8 *in, unsigned int inlen)
>  {
> -	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
> +	return crypto_blake2s_update(desc, in, inlen, false);
>  }
>  
>  static int crypto_blake2s_final_x86(struct shash_desc *desc, u8 *out)
>  {
> -	return crypto_blake2s_final(desc, out, blake2s_compress);
> +	return crypto_blake2s_final(desc, out, false);
>  }
>  
>  #define BLAKE2S_ALG(name, driver_name, digest_size)			\
> diff --git a/crypto/blake2s_generic.c b/crypto/blake2s_generic.c
> index 72fe480f9bd6..5f96a21f8788 100644
> --- a/crypto/blake2s_generic.c
> +++ b/crypto/blake2s_generic.c
> @@ -15,12 +15,12 @@
>  static int crypto_blake2s_update_generic(struct shash_desc *desc,
>  					 const u8 *in, unsigned int inlen)
>  {
> -	return crypto_blake2s_update(desc, in, inlen, blake2s_compress_generic);
> +	return crypto_blake2s_update(desc, in, inlen, true);
>  }
>  
>  static int crypto_blake2s_final_generic(struct shash_desc *desc, u8 *out)
>  {
> -	return crypto_blake2s_final(desc, out, blake2s_compress_generic);
> +	return crypto_blake2s_final(desc, out, true);
>  }
>  
>  #define BLAKE2S_ALG(name, driver_name, digest_size)			\
> diff --git a/include/crypto/internal/blake2s.h b/include/crypto/internal/blake2s.h
> index d39cfa0d333e..e2da9b413d44 100644
> --- a/include/crypto/internal/blake2s.h
> +++ b/include/crypto/internal/blake2s.h
> @@ -24,14 +24,11 @@ static inline void blake2s_set_lastblock(struct blake2s_state *state)
>  	state->f[0] = -1;
>  }
>  
> -typedef void (*blake2s_compress_t)(struct blake2s_state *state,
> -				   const u8 *block, size_t nblocks, u32 inc);
> -
>  /* Helper functions for BLAKE2s shared by the library and shash APIs */
>  
> -static inline void __blake2s_update(struct blake2s_state *state,
> -				    const u8 *in, size_t inlen,
> -				    blake2s_compress_t compress)
> +static __always_inline void __blake2s_update(struct blake2s_state *state,
> +					     const u8 *in, size_t inlen,
> +					     bool force_generic)
>  {
>  	const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;
>  
> @@ -39,7 +36,10 @@ static inline void __blake2s_update(struct blake2s_state *state,
>  		return;
>  	if (inlen > fill) {
>  		memcpy(state->buf + state->buflen, in, fill);
> -		(*compress)(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
> +		if (force_generic)
> +			blake2s_compress_generic(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
> +		else
> +			blake2s_compress(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
>  		state->buflen = 0;
>  		in += fill;
>  		inlen -= fill;
> @@ -47,7 +47,10 @@ static inline void __blake2s_update(struct blake2s_state *state,
>  	if (inlen > BLAKE2S_BLOCK_SIZE) {
>  		const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
>  		/* Hash one less (full) block than strictly possible */
> -		(*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
> +		if (force_generic)
> +			blake2s_compress_generic(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
> +		else
> +			blake2s_compress(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
>  		in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
>  		inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
>  	}
> @@ -55,13 +58,16 @@ static inline void __blake2s_update(struct blake2s_state *state,
>  	state->buflen += inlen;
>  }
>  
> -static inline void __blake2s_final(struct blake2s_state *state, u8 *out,
> -				   blake2s_compress_t compress)
> +static __always_inline void __blake2s_final(struct blake2s_state *state, u8 *out,
> +					    bool force_generic)
>  {
>  	blake2s_set_lastblock(state);
>  	memset(state->buf + state->buflen, 0,
>  	       BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
> -	(*compress)(state, state->buf, 1, state->buflen);
> +	if (force_generic)
> +		blake2s_compress_generic(state, state->buf, 1, state->buflen);
> +	else
> +		blake2s_compress(state, state->buf, 1, state->buflen);
>  	cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
>  	memcpy(out, state->h, state->outlen);
>  }
> @@ -99,20 +105,20 @@ static inline int crypto_blake2s_init(struct shash_desc *desc)
>  
>  static inline int crypto_blake2s_update(struct shash_desc *desc,
>  					const u8 *in, unsigned int inlen,
> -					blake2s_compress_t compress)
> +					bool force_generic)
>  {
>  	struct blake2s_state *state = shash_desc_ctx(desc);
>  
> -	__blake2s_update(state, in, inlen, compress);
> +	__blake2s_update(state, in, inlen, force_generic);
>  	return 0;
>  }
>  
>  static inline int crypto_blake2s_final(struct shash_desc *desc, u8 *out,
> -				       blake2s_compress_t compress)
> +				       bool force_generic)
>  {
>  	struct blake2s_state *state = shash_desc_ctx(desc);
>  
> -	__blake2s_final(state, out, compress);
> +	__blake2s_final(state, out, force_generic);
>  	return 0;
>  }
>  
> diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
> index 9364f79937b8..c71c09621c09 100644
> --- a/lib/crypto/blake2s.c
> +++ b/lib/crypto/blake2s.c
> @@ -18,14 +18,14 @@
>  
>  void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
>  {
> -	__blake2s_update(state, in, inlen, blake2s_compress);
> +	__blake2s_update(state, in, inlen, false);
>  }
>  EXPORT_SYMBOL(blake2s_update);
>  
>  void blake2s_final(struct blake2s_state *state, u8 *out)
>  {
>  	WARN_ON(IS_ENABLED(DEBUG) && !out);
> -	__blake2s_final(state, out, blake2s_compress);
> +	__blake2s_final(state, out, false);
>  	memzero_explicit(state, sizeof(*state));
>  }
>  EXPORT_SYMBOL(blake2s_final);
> -- 
> 2.34.1
> 
> 

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
@ 2022-01-19 22:24                       ` Nathan Chancellor
  0 siblings, 0 replies; 100+ messages in thread
From: Nathan Chancellor @ 2022-01-19 22:24 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Miles Chen, Ard Biesheuvel, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek, Nick Desaulniers,
	Sami Tolvanen

On Wed, Jan 19, 2022 at 02:54:50PM +0100, Jason A. Donenfeld wrote:
> blake2s_compress_generic is weakly aliased to blake2s_generic. The

Isn't it the other way around?

> current harness for function selection uses a function pointer, which is
> ordinarily inlined and resolved at compile time. But when Clang's CFI is
> enabled, CFI still triggers when making an indirect call via a weak
> symbol. This seems like a bug in Clang's CFI, as though it's bucketing
> weak symbols and strong symbols differently. It also only seems to
> trigger when "full LTO" mode is used, rather than "thin LTO".
> 
> [    0.000000][    T0] Kernel panic - not syncing: CFI failure (target: blake2s_compress_generic+0x0/0x1444)
> [    0.000000][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-mainline-06981-g076c855b846e #1
> [    0.000000][    T0] Hardware name: MT6873 (DT)
> [    0.000000][    T0] Call trace:
> [    0.000000][    T0]  dump_backtrace+0xfc/0x1dc
> [    0.000000][    T0]  dump_stack_lvl+0xa8/0x11c
> [    0.000000][    T0]  panic+0x194/0x464
> [    0.000000][    T0]  __cfi_check_fail+0x54/0x58
> [    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
> [    0.000000][    T0]  blake2s_update+0x14c/0x178
> [    0.000000][    T0]  _extract_entropy+0xf4/0x29c
> [    0.000000][    T0]  crng_initialize_primary+0x24/0x94
> [    0.000000][    T0]  rand_initialize+0x2c/0x6c
> [    0.000000][    T0]  start_kernel+0x2f8/0x65c
> [    0.000000][    T0]  __primary_switched+0xc4/0x7be4
> [    0.000000][    T0] Rebooting in 5 seconds..
> 
> Nonetheless, the function pointer method isn't so terrific anyway, so
> this patch replaces it with a simple boolean, which also gets inlined
> away. This successfully works around the Clang bug.
> 
> In general, I'm not too keen on all of the indirection involved here; it
> clearly does more harm than good. Hopefully the whole thing can get
> cleaned up down the road when lib/crypto is overhauled more
> comprehensively. But for now, we go with a simple bandaid.
> 
> Fixes: 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
> Reported-by: Miles Chen <miles.chen@mediatek.com>
> Cc: Nick Desaulniers <ndesaulniers@google.com>
> Cc: Sami Tolvanen <samitolvanen@google.com>
> Cc: Ard Biesheuvel <ardb@kernel.org>
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>

I am not familiar enough with the inner workings of CFI to comment on
what could be going wrong here in LLVM (perhaps Sami can?) but
eliminating the indirect call resolves the issue for me as well.

Tested-by: Nathan Chancellor <nathan@kernel.org>

> ---
>  arch/arm/crypto/blake2s-shash.c   |  4 ++--
>  arch/x86/crypto/blake2s-shash.c   |  4 ++--
>  crypto/blake2s_generic.c          |  4 ++--
>  include/crypto/internal/blake2s.h | 36 ++++++++++++++++++-------------
>  lib/crypto/blake2s.c              |  4 ++--
>  5 files changed, 29 insertions(+), 23 deletions(-)
> 
> diff --git a/arch/arm/crypto/blake2s-shash.c b/arch/arm/crypto/blake2s-shash.c
> index 17c1c3bfe2f5..763c73beea2d 100644
> --- a/arch/arm/crypto/blake2s-shash.c
> +++ b/arch/arm/crypto/blake2s-shash.c
> @@ -13,12 +13,12 @@
>  static int crypto_blake2s_update_arm(struct shash_desc *desc,
>  				     const u8 *in, unsigned int inlen)
>  {
> -	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
> +	return crypto_blake2s_update(desc, in, inlen, false);
>  }
>  
>  static int crypto_blake2s_final_arm(struct shash_desc *desc, u8 *out)
>  {
> -	return crypto_blake2s_final(desc, out, blake2s_compress);
> +	return crypto_blake2s_final(desc, out, false);
>  }
>  
>  #define BLAKE2S_ALG(name, driver_name, digest_size)			\
> diff --git a/arch/x86/crypto/blake2s-shash.c b/arch/x86/crypto/blake2s-shash.c
> index f9e2fecdb761..59ae28abe35c 100644
> --- a/arch/x86/crypto/blake2s-shash.c
> +++ b/arch/x86/crypto/blake2s-shash.c
> @@ -18,12 +18,12 @@
>  static int crypto_blake2s_update_x86(struct shash_desc *desc,
>  				     const u8 *in, unsigned int inlen)
>  {
> -	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
> +	return crypto_blake2s_update(desc, in, inlen, false);
>  }
>  
>  static int crypto_blake2s_final_x86(struct shash_desc *desc, u8 *out)
>  {
> -	return crypto_blake2s_final(desc, out, blake2s_compress);
> +	return crypto_blake2s_final(desc, out, false);
>  }
>  
>  #define BLAKE2S_ALG(name, driver_name, digest_size)			\
> diff --git a/crypto/blake2s_generic.c b/crypto/blake2s_generic.c
> index 72fe480f9bd6..5f96a21f8788 100644
> --- a/crypto/blake2s_generic.c
> +++ b/crypto/blake2s_generic.c
> @@ -15,12 +15,12 @@
>  static int crypto_blake2s_update_generic(struct shash_desc *desc,
>  					 const u8 *in, unsigned int inlen)
>  {
> -	return crypto_blake2s_update(desc, in, inlen, blake2s_compress_generic);
> +	return crypto_blake2s_update(desc, in, inlen, true);
>  }
>  
>  static int crypto_blake2s_final_generic(struct shash_desc *desc, u8 *out)
>  {
> -	return crypto_blake2s_final(desc, out, blake2s_compress_generic);
> +	return crypto_blake2s_final(desc, out, true);
>  }
>  
>  #define BLAKE2S_ALG(name, driver_name, digest_size)			\
> diff --git a/include/crypto/internal/blake2s.h b/include/crypto/internal/blake2s.h
> index d39cfa0d333e..e2da9b413d44 100644
> --- a/include/crypto/internal/blake2s.h
> +++ b/include/crypto/internal/blake2s.h
> @@ -24,14 +24,11 @@ static inline void blake2s_set_lastblock(struct blake2s_state *state)
>  	state->f[0] = -1;
>  }
>  
> -typedef void (*blake2s_compress_t)(struct blake2s_state *state,
> -				   const u8 *block, size_t nblocks, u32 inc);
> -
>  /* Helper functions for BLAKE2s shared by the library and shash APIs */
>  
> -static inline void __blake2s_update(struct blake2s_state *state,
> -				    const u8 *in, size_t inlen,
> -				    blake2s_compress_t compress)
> +static __always_inline void __blake2s_update(struct blake2s_state *state,
> +					     const u8 *in, size_t inlen,
> +					     bool force_generic)
>  {
>  	const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;
>  
> @@ -39,7 +36,10 @@ static inline void __blake2s_update(struct blake2s_state *state,
>  		return;
>  	if (inlen > fill) {
>  		memcpy(state->buf + state->buflen, in, fill);
> -		(*compress)(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
> +		if (force_generic)
> +			blake2s_compress_generic(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
> +		else
> +			blake2s_compress(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
>  		state->buflen = 0;
>  		in += fill;
>  		inlen -= fill;
> @@ -47,7 +47,10 @@ static inline void __blake2s_update(struct blake2s_state *state,
>  	if (inlen > BLAKE2S_BLOCK_SIZE) {
>  		const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
>  		/* Hash one less (full) block than strictly possible */
> -		(*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
> +		if (force_generic)
> +			blake2s_compress_generic(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
> +		else
> +			blake2s_compress(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
>  		in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
>  		inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
>  	}
> @@ -55,13 +58,16 @@ static inline void __blake2s_update(struct blake2s_state *state,
>  	state->buflen += inlen;
>  }
>  
> -static inline void __blake2s_final(struct blake2s_state *state, u8 *out,
> -				   blake2s_compress_t compress)
> +static __always_inline void __blake2s_final(struct blake2s_state *state, u8 *out,
> +					    bool force_generic)
>  {
>  	blake2s_set_lastblock(state);
>  	memset(state->buf + state->buflen, 0,
>  	       BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
> -	(*compress)(state, state->buf, 1, state->buflen);
> +	if (force_generic)
> +		blake2s_compress_generic(state, state->buf, 1, state->buflen);
> +	else
> +		blake2s_compress(state, state->buf, 1, state->buflen);
>  	cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
>  	memcpy(out, state->h, state->outlen);
>  }
> @@ -99,20 +105,20 @@ static inline int crypto_blake2s_init(struct shash_desc *desc)
>  
>  static inline int crypto_blake2s_update(struct shash_desc *desc,
>  					const u8 *in, unsigned int inlen,
> -					blake2s_compress_t compress)
> +					bool force_generic)
>  {
>  	struct blake2s_state *state = shash_desc_ctx(desc);
>  
> -	__blake2s_update(state, in, inlen, compress);
> +	__blake2s_update(state, in, inlen, force_generic);
>  	return 0;
>  }
>  
>  static inline int crypto_blake2s_final(struct shash_desc *desc, u8 *out,
> -				       blake2s_compress_t compress)
> +				       bool force_generic)
>  {
>  	struct blake2s_state *state = shash_desc_ctx(desc);
>  
> -	__blake2s_final(state, out, compress);
> +	__blake2s_final(state, out, force_generic);
>  	return 0;
>  }
>  
> diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
> index 9364f79937b8..c71c09621c09 100644
> --- a/lib/crypto/blake2s.c
> +++ b/lib/crypto/blake2s.c
> @@ -18,14 +18,14 @@
>  
>  void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
>  {
> -	__blake2s_update(state, in, inlen, blake2s_compress);
> +	__blake2s_update(state, in, inlen, false);
>  }
>  EXPORT_SYMBOL(blake2s_update);
>  
>  void blake2s_final(struct blake2s_state *state, u8 *out)
>  {
>  	WARN_ON(IS_ENABLED(DEBUG) && !out);
> -	__blake2s_final(state, out, blake2s_compress);
> +	__blake2s_final(state, out, false);
>  	memzero_explicit(state, sizeof(*state));
>  }
>  EXPORT_SYMBOL(blake2s_final);
> -- 
> 2.34.1
> 
> 

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
  2022-01-19 22:24                       ` Nathan Chancellor
  (?)
@ 2022-01-20  9:44                         ` Jason A. Donenfeld
  -1 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-20  9:44 UTC (permalink / raw)
  To: Nathan Chancellor
  Cc: Miles Chen, Ard Biesheuvel, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek, Nick Desaulniers,
	Sami Tolvanen

On 1/19/22, Nathan Chancellor <nathan@kernel.org> wrote:
> On Wed, Jan 19, 2022 at 02:54:50PM +0100, Jason A. Donenfeld wrote:
>> blake2s_compress_generic is weakly aliased to blake2s_generic. The
>
> Isn't it the other way around?

Thanks. Changed that 'to' to a 'by'.

Jason

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
@ 2022-01-20  9:44                         ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-20  9:44 UTC (permalink / raw)
  To: Nathan Chancellor
  Cc: Miles Chen, Ard Biesheuvel, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek, Nick Desaulniers,
	Sami Tolvanen

On 1/19/22, Nathan Chancellor <nathan@kernel.org> wrote:
> On Wed, Jan 19, 2022 at 02:54:50PM +0100, Jason A. Donenfeld wrote:
>> blake2s_compress_generic is weakly aliased to blake2s_generic. The
>
> Isn't it the other way around?

Thanks. Changed that 'to' to a 'by'.

Jason

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
@ 2022-01-20  9:44                         ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-20  9:44 UTC (permalink / raw)
  To: Nathan Chancellor
  Cc: Miles Chen, Ard Biesheuvel, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek, Nick Desaulniers,
	Sami Tolvanen

On 1/19/22, Nathan Chancellor <nathan@kernel.org> wrote:
> On Wed, Jan 19, 2022 at 02:54:50PM +0100, Jason A. Donenfeld wrote:
>> blake2s_compress_generic is weakly aliased to blake2s_generic. The
>
> Isn't it the other way around?

Thanks. Changed that 'to' to a 'by'.

Jason

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
  2022-01-19 13:54                     ` Jason A. Donenfeld
  (?)
@ 2022-01-21 19:54                       ` Eric Biggers
  -1 siblings, 0 replies; 100+ messages in thread
From: Eric Biggers @ 2022-01-21 19:54 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Miles Chen, Ard Biesheuvel, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek, Nick Desaulniers,
	Sami Tolvanen

On Wed, Jan 19, 2022 at 02:54:50PM +0100, Jason A. Donenfeld wrote:
> blake2s_compress_generic is weakly aliased to blake2s_generic. The
> current harness for function selection uses a function pointer, which is
> ordinarily inlined and resolved at compile time. But when Clang's CFI is
> enabled, CFI still triggers when making an indirect call via a weak
> symbol. This seems like a bug in Clang's CFI, as though it's bucketing
> weak symbols and strong symbols differently. It also only seems to
> trigger when "full LTO" mode is used, rather than "thin LTO".
> 
> [    0.000000][    T0] Kernel panic - not syncing: CFI failure (target: blake2s_compress_generic+0x0/0x1444)
> [    0.000000][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-mainline-06981-g076c855b846e #1
> [    0.000000][    T0] Hardware name: MT6873 (DT)
> [    0.000000][    T0] Call trace:
> [    0.000000][    T0]  dump_backtrace+0xfc/0x1dc
> [    0.000000][    T0]  dump_stack_lvl+0xa8/0x11c
> [    0.000000][    T0]  panic+0x194/0x464
> [    0.000000][    T0]  __cfi_check_fail+0x54/0x58
> [    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
> [    0.000000][    T0]  blake2s_update+0x14c/0x178
> [    0.000000][    T0]  _extract_entropy+0xf4/0x29c
> [    0.000000][    T0]  crng_initialize_primary+0x24/0x94
> [    0.000000][    T0]  rand_initialize+0x2c/0x6c
> [    0.000000][    T0]  start_kernel+0x2f8/0x65c
> [    0.000000][    T0]  __primary_switched+0xc4/0x7be4
> [    0.000000][    T0] Rebooting in 5 seconds..
> 
> Nonetheless, the function pointer method isn't so terrific anyway, so
> this patch replaces it with a simple boolean, which also gets inlined
> away. This successfully works around the Clang bug.
> 
> In general, I'm not too keen on all of the indirection involved here; it
> clearly does more harm than good. Hopefully the whole thing can get
> cleaned up down the road when lib/crypto is overhauled more
> comprehensively. But for now, we go with a simple bandaid.
> 
> Fixes: 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
> Reported-by: Miles Chen <miles.chen@mediatek.com>
> Cc: Nick Desaulniers <ndesaulniers@google.com>
> Cc: Sami Tolvanen <samitolvanen@google.com>
> Cc: Ard Biesheuvel <ardb@kernel.org>
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
> ---
>  arch/arm/crypto/blake2s-shash.c   |  4 ++--
>  arch/x86/crypto/blake2s-shash.c   |  4 ++--
>  crypto/blake2s_generic.c          |  4 ++--
>  include/crypto/internal/blake2s.h | 36 ++++++++++++++++++-------------
>  lib/crypto/blake2s.c              |  4 ++--
>  5 files changed, 29 insertions(+), 23 deletions(-)

There are some lines over 80 columns in this patch.

Otherwise this looks fine.  It would be really nice to fix this in clang,
though.

- Eric

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
@ 2022-01-21 19:54                       ` Eric Biggers
  0 siblings, 0 replies; 100+ messages in thread
From: Eric Biggers @ 2022-01-21 19:54 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Miles Chen, Ard Biesheuvel, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek, Nick Desaulniers,
	Sami Tolvanen

On Wed, Jan 19, 2022 at 02:54:50PM +0100, Jason A. Donenfeld wrote:
> blake2s_compress_generic is weakly aliased to blake2s_generic. The
> current harness for function selection uses a function pointer, which is
> ordinarily inlined and resolved at compile time. But when Clang's CFI is
> enabled, CFI still triggers when making an indirect call via a weak
> symbol. This seems like a bug in Clang's CFI, as though it's bucketing
> weak symbols and strong symbols differently. It also only seems to
> trigger when "full LTO" mode is used, rather than "thin LTO".
> 
> [    0.000000][    T0] Kernel panic - not syncing: CFI failure (target: blake2s_compress_generic+0x0/0x1444)
> [    0.000000][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-mainline-06981-g076c855b846e #1
> [    0.000000][    T0] Hardware name: MT6873 (DT)
> [    0.000000][    T0] Call trace:
> [    0.000000][    T0]  dump_backtrace+0xfc/0x1dc
> [    0.000000][    T0]  dump_stack_lvl+0xa8/0x11c
> [    0.000000][    T0]  panic+0x194/0x464
> [    0.000000][    T0]  __cfi_check_fail+0x54/0x58
> [    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
> [    0.000000][    T0]  blake2s_update+0x14c/0x178
> [    0.000000][    T0]  _extract_entropy+0xf4/0x29c
> [    0.000000][    T0]  crng_initialize_primary+0x24/0x94
> [    0.000000][    T0]  rand_initialize+0x2c/0x6c
> [    0.000000][    T0]  start_kernel+0x2f8/0x65c
> [    0.000000][    T0]  __primary_switched+0xc4/0x7be4
> [    0.000000][    T0] Rebooting in 5 seconds..
> 
> Nonetheless, the function pointer method isn't so terrific anyway, so
> this patch replaces it with a simple boolean, which also gets inlined
> away. This successfully works around the Clang bug.
> 
> In general, I'm not too keen on all of the indirection involved here; it
> clearly does more harm than good. Hopefully the whole thing can get
> cleaned up down the road when lib/crypto is overhauled more
> comprehensively. But for now, we go with a simple bandaid.
> 
> Fixes: 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
> Reported-by: Miles Chen <miles.chen@mediatek.com>
> Cc: Nick Desaulniers <ndesaulniers@google.com>
> Cc: Sami Tolvanen <samitolvanen@google.com>
> Cc: Ard Biesheuvel <ardb@kernel.org>
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
> ---
>  arch/arm/crypto/blake2s-shash.c   |  4 ++--
>  arch/x86/crypto/blake2s-shash.c   |  4 ++--
>  crypto/blake2s_generic.c          |  4 ++--
>  include/crypto/internal/blake2s.h | 36 ++++++++++++++++++-------------
>  lib/crypto/blake2s.c              |  4 ++--
>  5 files changed, 29 insertions(+), 23 deletions(-)

There are some lines over 80 columns in this patch.

Otherwise this looks fine.  It would be really nice to fix this in clang,
though.

- Eric

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
@ 2022-01-21 19:54                       ` Eric Biggers
  0 siblings, 0 replies; 100+ messages in thread
From: Eric Biggers @ 2022-01-21 19:54 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Miles Chen, Ard Biesheuvel, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek, Nick Desaulniers,
	Sami Tolvanen

On Wed, Jan 19, 2022 at 02:54:50PM +0100, Jason A. Donenfeld wrote:
> blake2s_compress_generic is weakly aliased to blake2s_generic. The
> current harness for function selection uses a function pointer, which is
> ordinarily inlined and resolved at compile time. But when Clang's CFI is
> enabled, CFI still triggers when making an indirect call via a weak
> symbol. This seems like a bug in Clang's CFI, as though it's bucketing
> weak symbols and strong symbols differently. It also only seems to
> trigger when "full LTO" mode is used, rather than "thin LTO".
> 
> [    0.000000][    T0] Kernel panic - not syncing: CFI failure (target: blake2s_compress_generic+0x0/0x1444)
> [    0.000000][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-mainline-06981-g076c855b846e #1
> [    0.000000][    T0] Hardware name: MT6873 (DT)
> [    0.000000][    T0] Call trace:
> [    0.000000][    T0]  dump_backtrace+0xfc/0x1dc
> [    0.000000][    T0]  dump_stack_lvl+0xa8/0x11c
> [    0.000000][    T0]  panic+0x194/0x464
> [    0.000000][    T0]  __cfi_check_fail+0x54/0x58
> [    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
> [    0.000000][    T0]  blake2s_update+0x14c/0x178
> [    0.000000][    T0]  _extract_entropy+0xf4/0x29c
> [    0.000000][    T0]  crng_initialize_primary+0x24/0x94
> [    0.000000][    T0]  rand_initialize+0x2c/0x6c
> [    0.000000][    T0]  start_kernel+0x2f8/0x65c
> [    0.000000][    T0]  __primary_switched+0xc4/0x7be4
> [    0.000000][    T0] Rebooting in 5 seconds..
> 
> Nonetheless, the function pointer method isn't so terrific anyway, so
> this patch replaces it with a simple boolean, which also gets inlined
> away. This successfully works around the Clang bug.
> 
> In general, I'm not too keen on all of the indirection involved here; it
> clearly does more harm than good. Hopefully the whole thing can get
> cleaned up down the road when lib/crypto is overhauled more
> comprehensively. But for now, we go with a simple bandaid.
> 
> Fixes: 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
> Reported-by: Miles Chen <miles.chen@mediatek.com>
> Cc: Nick Desaulniers <ndesaulniers@google.com>
> Cc: Sami Tolvanen <samitolvanen@google.com>
> Cc: Ard Biesheuvel <ardb@kernel.org>
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
> ---
>  arch/arm/crypto/blake2s-shash.c   |  4 ++--
>  arch/x86/crypto/blake2s-shash.c   |  4 ++--
>  crypto/blake2s_generic.c          |  4 ++--
>  include/crypto/internal/blake2s.h | 36 ++++++++++++++++++-------------
>  lib/crypto/blake2s.c              |  4 ++--
>  5 files changed, 29 insertions(+), 23 deletions(-)

There are some lines over 80 columns in this patch.

Otherwise this looks fine.  It would be really nice to fix this in clang,
though.

- Eric

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
  2022-01-21 19:54                       ` Eric Biggers
  (?)
@ 2022-01-21 20:22                         ` Jason A. Donenfeld
  -1 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-21 20:22 UTC (permalink / raw)
  To: Eric Biggers
  Cc: Miles Chen, Ard Biesheuvel, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek, Nick Desaulniers,
	Sami Tolvanen

On Fri, Jan 21, 2022 at 8:54 PM Eric Biggers <ebiggers@kernel.org> wrote:
> There are some lines over 80 columns in this patch.

I'll fix that up.

> Otherwise this looks fine.  It would be really nice to fix this in clang,
> though.

I agree. I'm wondering whether it makes sense to roll with this patch,
or to just not change anything and lean on Clang upstream to fix their
bug. Full LTO is marked as "experimental" still. On the other hand,
Android ships with it turned on, so how "experimental" can it really
be? I don't have a strong read on the Clang ecosystem to know what
makes most sense, to apply this or not. Do you have an opinion?

Jason

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
@ 2022-01-21 20:22                         ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-21 20:22 UTC (permalink / raw)
  To: Eric Biggers
  Cc: Miles Chen, Ard Biesheuvel, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek, Nick Desaulniers,
	Sami Tolvanen

On Fri, Jan 21, 2022 at 8:54 PM Eric Biggers <ebiggers@kernel.org> wrote:
> There are some lines over 80 columns in this patch.

I'll fix that up.

> Otherwise this looks fine.  It would be really nice to fix this in clang,
> though.

I agree. I'm wondering whether it makes sense to roll with this patch,
or to just not change anything and lean on Clang upstream to fix their
bug. Full LTO is marked as "experimental" still. On the other hand,
Android ships with it turned on, so how "experimental" can it really
be? I don't have a strong read on the Clang ecosystem to know what
makes most sense, to apply this or not. Do you have an opinion?

Jason

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
@ 2022-01-21 20:22                         ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-21 20:22 UTC (permalink / raw)
  To: Eric Biggers
  Cc: Miles Chen, Ard Biesheuvel, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek, Nick Desaulniers,
	Sami Tolvanen

On Fri, Jan 21, 2022 at 8:54 PM Eric Biggers <ebiggers@kernel.org> wrote:
> There are some lines over 80 columns in this patch.

I'll fix that up.

> Otherwise this looks fine.  It would be really nice to fix this in clang,
> though.

I agree. I'm wondering whether it makes sense to roll with this patch,
or to just not change anything and lean on Clang upstream to fix their
bug. Full LTO is marked as "experimental" still. On the other hand,
Android ships with it turned on, so how "experimental" can it really
be? I don't have a strong read on the Clang ecosystem to know what
makes most sense, to apply this or not. Do you have an opinion?

Jason

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
  2022-01-21 20:22                         ` Jason A. Donenfeld
  (?)
@ 2022-01-21 20:51                           ` Sami Tolvanen
  -1 siblings, 0 replies; 100+ messages in thread
From: Sami Tolvanen @ 2022-01-21 20:51 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Eric Biggers, Miles Chen, Ard Biesheuvel, Linux ARM,
	Linux Crypto Mailing List, Linux Kernel Mailing List,
	moderated list:ARM/Mediatek SoC...,
	Nick Desaulniers

Hi Jason,

On Fri, Jan 21, 2022 at 12:23 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> On Fri, Jan 21, 2022 at 8:54 PM Eric Biggers <ebiggers@kernel.org> wrote:
> > There are some lines over 80 columns in this patch.
>
> I'll fix that up.
>
> > Otherwise this looks fine.  It would be really nice to fix this in clang,
> > though.
>
> I agree. I'm wondering whether it makes sense to roll with this patch,
> or to just not change anything and lean on Clang upstream to fix their
> bug. Full LTO is marked as "experimental" still. On the other hand,
> Android ships with it turned on, so how "experimental" can it really
> be? I don't have a strong read on the Clang ecosystem to know what
> makes most sense, to apply this or not. Do you have an opinion?

We'll work on fixing the compiler, but please note that it's most
likely going to take a while, so I would prefer to work around the
issue in the kernel for now.

Sami

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
@ 2022-01-21 20:51                           ` Sami Tolvanen
  0 siblings, 0 replies; 100+ messages in thread
From: Sami Tolvanen @ 2022-01-21 20:51 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Eric Biggers, Miles Chen, Ard Biesheuvel, Linux ARM,
	Linux Crypto Mailing List, Linux Kernel Mailing List,
	moderated list:ARM/Mediatek SoC...,
	Nick Desaulniers

Hi Jason,

On Fri, Jan 21, 2022 at 12:23 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> On Fri, Jan 21, 2022 at 8:54 PM Eric Biggers <ebiggers@kernel.org> wrote:
> > There are some lines over 80 columns in this patch.
>
> I'll fix that up.
>
> > Otherwise this looks fine.  It would be really nice to fix this in clang,
> > though.
>
> I agree. I'm wondering whether it makes sense to roll with this patch,
> or to just not change anything and lean on Clang upstream to fix their
> bug. Full LTO is marked as "experimental" still. On the other hand,
> Android ships with it turned on, so how "experimental" can it really
> be? I don't have a strong read on the Clang ecosystem to know what
> makes most sense, to apply this or not. Do you have an opinion?

We'll work on fixing the compiler, but please note that it's most
likely going to take a while, so I would prefer to work around the
issue in the kernel for now.

Sami

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
@ 2022-01-21 20:51                           ` Sami Tolvanen
  0 siblings, 0 replies; 100+ messages in thread
From: Sami Tolvanen @ 2022-01-21 20:51 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Eric Biggers, Miles Chen, Ard Biesheuvel, Linux ARM,
	Linux Crypto Mailing List, Linux Kernel Mailing List,
	moderated list:ARM/Mediatek SoC...,
	Nick Desaulniers

Hi Jason,

On Fri, Jan 21, 2022 at 12:23 PM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> On Fri, Jan 21, 2022 at 8:54 PM Eric Biggers <ebiggers@kernel.org> wrote:
> > There are some lines over 80 columns in this patch.
>
> I'll fix that up.
>
> > Otherwise this looks fine.  It would be really nice to fix this in clang,
> > though.
>
> I agree. I'm wondering whether it makes sense to roll with this patch,
> or to just not change anything and lean on Clang upstream to fix their
> bug. Full LTO is marked as "experimental" still. On the other hand,
> Android ships with it turned on, so how "experimental" can it really
> be? I don't have a strong read on the Clang ecosystem to know what
> makes most sense, to apply this or not. Do you have an opinion?

We'll work on fixing the compiler, but please note that it's most
likely going to take a while, so I would prefer to work around the
issue in the kernel for now.

Sami

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* [PATCH v2] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
  2022-01-19 13:54                     ` Jason A. Donenfeld
@ 2022-01-24 19:28                       ` Jason A. Donenfeld
  -1 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-24 19:28 UTC (permalink / raw)
  To: Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	llvm, Nick Desaulniers, Sami Tolvanen, Nathan Chancellor,
	Eric Biggers, Herbert Xu, Miles Chen, Ard Biesheuvel
  Cc: Jason A. Donenfeld

blake2s_compress_generic is weakly aliased by blake2s_generic. The
current harness for function selection uses a function pointer, which is
ordinarily inlined and resolved at compile time. But when Clang's CFI is
enabled, CFI still triggers when making an indirect call via a weak
symbol. This seems like a bug in Clang's CFI, as though it's bucketing
weak symbols and strong symbols differently. It also only seems to
trigger when "full LTO" mode is used, rather than "thin LTO".

[    0.000000][    T0] Kernel panic - not syncing: CFI failure (target: blake2s_compress_generic+0x0/0x1444)
[    0.000000][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-mainline-06981-g076c855b846e #1
[    0.000000][    T0] Hardware name: MT6873 (DT)
[    0.000000][    T0] Call trace:
[    0.000000][    T0]  dump_backtrace+0xfc/0x1dc
[    0.000000][    T0]  dump_stack_lvl+0xa8/0x11c
[    0.000000][    T0]  panic+0x194/0x464
[    0.000000][    T0]  __cfi_check_fail+0x54/0x58
[    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
[    0.000000][    T0]  blake2s_update+0x14c/0x178
[    0.000000][    T0]  _extract_entropy+0xf4/0x29c
[    0.000000][    T0]  crng_initialize_primary+0x24/0x94
[    0.000000][    T0]  rand_initialize+0x2c/0x6c
[    0.000000][    T0]  start_kernel+0x2f8/0x65c
[    0.000000][    T0]  __primary_switched+0xc4/0x7be4
[    0.000000][    T0] Rebooting in 5 seconds..

Nonetheless, the function pointer method isn't so terrific anyway, so
this patch replaces it with a simple boolean, which also gets inlined
away. This successfully works around the Clang bug.

In general, I'm not too keen on all of the indirection involved here; it
clearly does more harm than good. Hopefully the whole thing can get
cleaned up down the road when lib/crypto is overhauled more
comprehensively. But for now, we go with a simple bandaid.

Fixes: 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
Reported-by: Miles Chen <miles.chen@mediatek.com>
Tested-by: Miles Chen <miles.chen@mediatek.com>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Link: https://github.com/ClangBuiltLinux/linux/issues/1567
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Sami Tolvanen <samitolvanen@google.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
Changes v1->v2:
- Wrapped columns at 80 for Eric.

 arch/arm/crypto/blake2s-shash.c   |  4 ++--
 arch/x86/crypto/blake2s-shash.c   |  4 ++--
 crypto/blake2s_generic.c          |  4 ++--
 include/crypto/internal/blake2s.h | 40 +++++++++++++++++++------------
 lib/crypto/blake2s.c              |  4 ++--
 5 files changed, 33 insertions(+), 23 deletions(-)

diff --git a/arch/arm/crypto/blake2s-shash.c b/arch/arm/crypto/blake2s-shash.c
index 17c1c3bfe2f5..763c73beea2d 100644
--- a/arch/arm/crypto/blake2s-shash.c
+++ b/arch/arm/crypto/blake2s-shash.c
@@ -13,12 +13,12 @@
 static int crypto_blake2s_update_arm(struct shash_desc *desc,
 				     const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
+	return crypto_blake2s_update(desc, in, inlen, false);
 }
 
 static int crypto_blake2s_final_arm(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress);
+	return crypto_blake2s_final(desc, out, false);
 }
 
 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/arch/x86/crypto/blake2s-shash.c b/arch/x86/crypto/blake2s-shash.c
index f9e2fecdb761..59ae28abe35c 100644
--- a/arch/x86/crypto/blake2s-shash.c
+++ b/arch/x86/crypto/blake2s-shash.c
@@ -18,12 +18,12 @@
 static int crypto_blake2s_update_x86(struct shash_desc *desc,
 				     const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
+	return crypto_blake2s_update(desc, in, inlen, false);
 }
 
 static int crypto_blake2s_final_x86(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress);
+	return crypto_blake2s_final(desc, out, false);
 }
 
 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/crypto/blake2s_generic.c b/crypto/blake2s_generic.c
index 72fe480f9bd6..5f96a21f8788 100644
--- a/crypto/blake2s_generic.c
+++ b/crypto/blake2s_generic.c
@@ -15,12 +15,12 @@
 static int crypto_blake2s_update_generic(struct shash_desc *desc,
 					 const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress_generic);
+	return crypto_blake2s_update(desc, in, inlen, true);
 }
 
 static int crypto_blake2s_final_generic(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress_generic);
+	return crypto_blake2s_final(desc, out, true);
 }
 
 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/include/crypto/internal/blake2s.h b/include/crypto/internal/blake2s.h
index d39cfa0d333e..52363eee2b20 100644
--- a/include/crypto/internal/blake2s.h
+++ b/include/crypto/internal/blake2s.h
@@ -24,14 +24,11 @@ static inline void blake2s_set_lastblock(struct blake2s_state *state)
 	state->f[0] = -1;
 }
 
-typedef void (*blake2s_compress_t)(struct blake2s_state *state,
-				   const u8 *block, size_t nblocks, u32 inc);
-
 /* Helper functions for BLAKE2s shared by the library and shash APIs */
 
-static inline void __blake2s_update(struct blake2s_state *state,
-				    const u8 *in, size_t inlen,
-				    blake2s_compress_t compress)
+static __always_inline void
+__blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen,
+		 bool force_generic)
 {
 	const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;
 
@@ -39,7 +36,12 @@ static inline void __blake2s_update(struct blake2s_state *state,
 		return;
 	if (inlen > fill) {
 		memcpy(state->buf + state->buflen, in, fill);
-		(*compress)(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
+		if (force_generic)
+			blake2s_compress_generic(state, state->buf, 1,
+						 BLAKE2S_BLOCK_SIZE);
+		else
+			blake2s_compress(state, state->buf, 1,
+					 BLAKE2S_BLOCK_SIZE);
 		state->buflen = 0;
 		in += fill;
 		inlen -= fill;
@@ -47,7 +49,12 @@ static inline void __blake2s_update(struct blake2s_state *state,
 	if (inlen > BLAKE2S_BLOCK_SIZE) {
 		const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
 		/* Hash one less (full) block than strictly possible */
-		(*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
+		if (force_generic)
+			blake2s_compress_generic(state, in, nblocks - 1,
+						 BLAKE2S_BLOCK_SIZE);
+		else
+			blake2s_compress(state, in, nblocks - 1,
+					 BLAKE2S_BLOCK_SIZE);
 		in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
 		inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
 	}
@@ -55,13 +62,16 @@ static inline void __blake2s_update(struct blake2s_state *state,
 	state->buflen += inlen;
 }
 
-static inline void __blake2s_final(struct blake2s_state *state, u8 *out,
-				   blake2s_compress_t compress)
+static __always_inline void
+__blake2s_final(struct blake2s_state *state, u8 *out, bool force_generic)
 {
 	blake2s_set_lastblock(state);
 	memset(state->buf + state->buflen, 0,
 	       BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
-	(*compress)(state, state->buf, 1, state->buflen);
+	if (force_generic)
+		blake2s_compress_generic(state, state->buf, 1, state->buflen);
+	else
+		blake2s_compress(state, state->buf, 1, state->buflen);
 	cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
 	memcpy(out, state->h, state->outlen);
 }
@@ -99,20 +109,20 @@ static inline int crypto_blake2s_init(struct shash_desc *desc)
 
 static inline int crypto_blake2s_update(struct shash_desc *desc,
 					const u8 *in, unsigned int inlen,
-					blake2s_compress_t compress)
+					bool force_generic)
 {
 	struct blake2s_state *state = shash_desc_ctx(desc);
 
-	__blake2s_update(state, in, inlen, compress);
+	__blake2s_update(state, in, inlen, force_generic);
 	return 0;
 }
 
 static inline int crypto_blake2s_final(struct shash_desc *desc, u8 *out,
-				       blake2s_compress_t compress)
+				       bool force_generic)
 {
 	struct blake2s_state *state = shash_desc_ctx(desc);
 
-	__blake2s_final(state, out, compress);
+	__blake2s_final(state, out, force_generic);
 	return 0;
 }
 
diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
index 9364f79937b8..c71c09621c09 100644
--- a/lib/crypto/blake2s.c
+++ b/lib/crypto/blake2s.c
@@ -18,14 +18,14 @@
 
 void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
 {
-	__blake2s_update(state, in, inlen, blake2s_compress);
+	__blake2s_update(state, in, inlen, false);
 }
 EXPORT_SYMBOL(blake2s_update);
 
 void blake2s_final(struct blake2s_state *state, u8 *out)
 {
 	WARN_ON(IS_ENABLED(DEBUG) && !out);
-	__blake2s_final(state, out, blake2s_compress);
+	__blake2s_final(state, out, false);
 	memzero_explicit(state, sizeof(*state));
 }
 EXPORT_SYMBOL(blake2s_final);
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 100+ messages in thread

* [PATCH v2] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
@ 2022-01-24 19:28                       ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-24 19:28 UTC (permalink / raw)
  To: Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	llvm, Nick Desaulniers, Sami Tolvanen, Nathan Chancellor,
	Eric Biggers, Herbert Xu, Miles Chen, Ard Biesheuvel
  Cc: Jason A. Donenfeld

blake2s_compress_generic is weakly aliased by blake2s_generic. The
current harness for function selection uses a function pointer, which is
ordinarily inlined and resolved at compile time. But when Clang's CFI is
enabled, CFI still triggers when making an indirect call via a weak
symbol. This seems like a bug in Clang's CFI, as though it's bucketing
weak symbols and strong symbols differently. It also only seems to
trigger when "full LTO" mode is used, rather than "thin LTO".

[    0.000000][    T0] Kernel panic - not syncing: CFI failure (target: blake2s_compress_generic+0x0/0x1444)
[    0.000000][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-mainline-06981-g076c855b846e #1
[    0.000000][    T0] Hardware name: MT6873 (DT)
[    0.000000][    T0] Call trace:
[    0.000000][    T0]  dump_backtrace+0xfc/0x1dc
[    0.000000][    T0]  dump_stack_lvl+0xa8/0x11c
[    0.000000][    T0]  panic+0x194/0x464
[    0.000000][    T0]  __cfi_check_fail+0x54/0x58
[    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
[    0.000000][    T0]  blake2s_update+0x14c/0x178
[    0.000000][    T0]  _extract_entropy+0xf4/0x29c
[    0.000000][    T0]  crng_initialize_primary+0x24/0x94
[    0.000000][    T0]  rand_initialize+0x2c/0x6c
[    0.000000][    T0]  start_kernel+0x2f8/0x65c
[    0.000000][    T0]  __primary_switched+0xc4/0x7be4
[    0.000000][    T0] Rebooting in 5 seconds..

Nonetheless, the function pointer method isn't so terrific anyway, so
this patch replaces it with a simple boolean, which also gets inlined
away. This successfully works around the Clang bug.

In general, I'm not too keen on all of the indirection involved here; it
clearly does more harm than good. Hopefully the whole thing can get
cleaned up down the road when lib/crypto is overhauled more
comprehensively. But for now, we go with a simple bandaid.

Fixes: 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
Reported-by: Miles Chen <miles.chen@mediatek.com>
Tested-by: Miles Chen <miles.chen@mediatek.com>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Link: https://github.com/ClangBuiltLinux/linux/issues/1567
Cc: Nick Desaulniers <ndesaulniers@google.com>
Cc: Sami Tolvanen <samitolvanen@google.com>
Cc: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
---
Changes v1->v2:
- Wrapped columns at 80 for Eric.

 arch/arm/crypto/blake2s-shash.c   |  4 ++--
 arch/x86/crypto/blake2s-shash.c   |  4 ++--
 crypto/blake2s_generic.c          |  4 ++--
 include/crypto/internal/blake2s.h | 40 +++++++++++++++++++------------
 lib/crypto/blake2s.c              |  4 ++--
 5 files changed, 33 insertions(+), 23 deletions(-)

diff --git a/arch/arm/crypto/blake2s-shash.c b/arch/arm/crypto/blake2s-shash.c
index 17c1c3bfe2f5..763c73beea2d 100644
--- a/arch/arm/crypto/blake2s-shash.c
+++ b/arch/arm/crypto/blake2s-shash.c
@@ -13,12 +13,12 @@
 static int crypto_blake2s_update_arm(struct shash_desc *desc,
 				     const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
+	return crypto_blake2s_update(desc, in, inlen, false);
 }
 
 static int crypto_blake2s_final_arm(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress);
+	return crypto_blake2s_final(desc, out, false);
 }
 
 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/arch/x86/crypto/blake2s-shash.c b/arch/x86/crypto/blake2s-shash.c
index f9e2fecdb761..59ae28abe35c 100644
--- a/arch/x86/crypto/blake2s-shash.c
+++ b/arch/x86/crypto/blake2s-shash.c
@@ -18,12 +18,12 @@
 static int crypto_blake2s_update_x86(struct shash_desc *desc,
 				     const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
+	return crypto_blake2s_update(desc, in, inlen, false);
 }
 
 static int crypto_blake2s_final_x86(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress);
+	return crypto_blake2s_final(desc, out, false);
 }
 
 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/crypto/blake2s_generic.c b/crypto/blake2s_generic.c
index 72fe480f9bd6..5f96a21f8788 100644
--- a/crypto/blake2s_generic.c
+++ b/crypto/blake2s_generic.c
@@ -15,12 +15,12 @@
 static int crypto_blake2s_update_generic(struct shash_desc *desc,
 					 const u8 *in, unsigned int inlen)
 {
-	return crypto_blake2s_update(desc, in, inlen, blake2s_compress_generic);
+	return crypto_blake2s_update(desc, in, inlen, true);
 }
 
 static int crypto_blake2s_final_generic(struct shash_desc *desc, u8 *out)
 {
-	return crypto_blake2s_final(desc, out, blake2s_compress_generic);
+	return crypto_blake2s_final(desc, out, true);
 }
 
 #define BLAKE2S_ALG(name, driver_name, digest_size)			\
diff --git a/include/crypto/internal/blake2s.h b/include/crypto/internal/blake2s.h
index d39cfa0d333e..52363eee2b20 100644
--- a/include/crypto/internal/blake2s.h
+++ b/include/crypto/internal/blake2s.h
@@ -24,14 +24,11 @@ static inline void blake2s_set_lastblock(struct blake2s_state *state)
 	state->f[0] = -1;
 }
 
-typedef void (*blake2s_compress_t)(struct blake2s_state *state,
-				   const u8 *block, size_t nblocks, u32 inc);
-
 /* Helper functions for BLAKE2s shared by the library and shash APIs */
 
-static inline void __blake2s_update(struct blake2s_state *state,
-				    const u8 *in, size_t inlen,
-				    blake2s_compress_t compress)
+static __always_inline void
+__blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen,
+		 bool force_generic)
 {
 	const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;
 
@@ -39,7 +36,12 @@ static inline void __blake2s_update(struct blake2s_state *state,
 		return;
 	if (inlen > fill) {
 		memcpy(state->buf + state->buflen, in, fill);
-		(*compress)(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
+		if (force_generic)
+			blake2s_compress_generic(state, state->buf, 1,
+						 BLAKE2S_BLOCK_SIZE);
+		else
+			blake2s_compress(state, state->buf, 1,
+					 BLAKE2S_BLOCK_SIZE);
 		state->buflen = 0;
 		in += fill;
 		inlen -= fill;
@@ -47,7 +49,12 @@ static inline void __blake2s_update(struct blake2s_state *state,
 	if (inlen > BLAKE2S_BLOCK_SIZE) {
 		const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
 		/* Hash one less (full) block than strictly possible */
-		(*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
+		if (force_generic)
+			blake2s_compress_generic(state, in, nblocks - 1,
+						 BLAKE2S_BLOCK_SIZE);
+		else
+			blake2s_compress(state, in, nblocks - 1,
+					 BLAKE2S_BLOCK_SIZE);
 		in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
 		inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
 	}
@@ -55,13 +62,16 @@ static inline void __blake2s_update(struct blake2s_state *state,
 	state->buflen += inlen;
 }
 
-static inline void __blake2s_final(struct blake2s_state *state, u8 *out,
-				   blake2s_compress_t compress)
+static __always_inline void
+__blake2s_final(struct blake2s_state *state, u8 *out, bool force_generic)
 {
 	blake2s_set_lastblock(state);
 	memset(state->buf + state->buflen, 0,
 	       BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
-	(*compress)(state, state->buf, 1, state->buflen);
+	if (force_generic)
+		blake2s_compress_generic(state, state->buf, 1, state->buflen);
+	else
+		blake2s_compress(state, state->buf, 1, state->buflen);
 	cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
 	memcpy(out, state->h, state->outlen);
 }
@@ -99,20 +109,20 @@ static inline int crypto_blake2s_init(struct shash_desc *desc)
 
 static inline int crypto_blake2s_update(struct shash_desc *desc,
 					const u8 *in, unsigned int inlen,
-					blake2s_compress_t compress)
+					bool force_generic)
 {
 	struct blake2s_state *state = shash_desc_ctx(desc);
 
-	__blake2s_update(state, in, inlen, compress);
+	__blake2s_update(state, in, inlen, force_generic);
 	return 0;
 }
 
 static inline int crypto_blake2s_final(struct shash_desc *desc, u8 *out,
-				       blake2s_compress_t compress)
+				       bool force_generic)
 {
 	struct blake2s_state *state = shash_desc_ctx(desc);
 
-	__blake2s_final(state, out, compress);
+	__blake2s_final(state, out, force_generic);
 	return 0;
 }
 
diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
index 9364f79937b8..c71c09621c09 100644
--- a/lib/crypto/blake2s.c
+++ b/lib/crypto/blake2s.c
@@ -18,14 +18,14 @@
 
 void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
 {
-	__blake2s_update(state, in, inlen, blake2s_compress);
+	__blake2s_update(state, in, inlen, false);
 }
 EXPORT_SYMBOL(blake2s_update);
 
 void blake2s_final(struct blake2s_state *state, u8 *out)
 {
 	WARN_ON(IS_ENABLED(DEBUG) && !out);
-	__blake2s_final(state, out, blake2s_compress);
+	__blake2s_final(state, out, false);
 	memzero_explicit(state, sizeof(*state));
 }
 EXPORT_SYMBOL(blake2s_final);
-- 
2.34.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply related	[flat|nested] 100+ messages in thread

* Re: [PATCH v2] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
  2022-01-24 19:28                       ` Jason A. Donenfeld
@ 2022-01-24 19:59                         ` Nick Desaulniers
  -1 siblings, 0 replies; 100+ messages in thread
From: Nick Desaulniers @ 2022-01-24 19:59 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	llvm, Sami Tolvanen, Nathan Chancellor, Eric Biggers, Herbert Xu,
	Miles Chen, Ard Biesheuvel

On Mon, Jan 24, 2022 at 11:29 AM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> blake2s_compress_generic is weakly aliased by blake2s_generic. The
> current harness for function selection uses a function pointer, which is
> ordinarily inlined and resolved at compile time. But when Clang's CFI is
> enabled, CFI still triggers when making an indirect call via a weak
> symbol. This seems like a bug in Clang's CFI, as though it's bucketing
> weak symbols and strong symbols differently. It also only seems to
> trigger when "full LTO" mode is used, rather than "thin LTO".
>
> [    0.000000][    T0] Kernel panic - not syncing: CFI failure (target: blake2s_compress_generic+0x0/0x1444)
> [    0.000000][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-mainline-06981-g076c855b846e #1
> [    0.000000][    T0] Hardware name: MT6873 (DT)
> [    0.000000][    T0] Call trace:
> [    0.000000][    T0]  dump_backtrace+0xfc/0x1dc
> [    0.000000][    T0]  dump_stack_lvl+0xa8/0x11c
> [    0.000000][    T0]  panic+0x194/0x464
> [    0.000000][    T0]  __cfi_check_fail+0x54/0x58
> [    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
> [    0.000000][    T0]  blake2s_update+0x14c/0x178
> [    0.000000][    T0]  _extract_entropy+0xf4/0x29c
> [    0.000000][    T0]  crng_initialize_primary+0x24/0x94
> [    0.000000][    T0]  rand_initialize+0x2c/0x6c
> [    0.000000][    T0]  start_kernel+0x2f8/0x65c
> [    0.000000][    T0]  __primary_switched+0xc4/0x7be4
> [    0.000000][    T0] Rebooting in 5 seconds..
>
> Nonetheless, the function pointer method isn't so terrific anyway, so
> this patch replaces it with a simple boolean, which also gets inlined
> away. This successfully works around the Clang bug.

Acked-by: Nick Desaulniers <ndesaulniers@google.com>

Thanks for the report. Once we have a fix in hand for LLVM, we can
revisit removing this and raising the required LLVM version for CFI.

>
> In general, I'm not too keen on all of the indirection involved here; it
> clearly does more harm than good. Hopefully the whole thing can get
> cleaned up down the road when lib/crypto is overhauled more
> comprehensively. But for now, we go with a simple bandaid.
>
> Fixes: 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
> Reported-by: Miles Chen <miles.chen@mediatek.com>
> Tested-by: Miles Chen <miles.chen@mediatek.com>
> Tested-by: Nathan Chancellor <nathan@kernel.org>
> Link: https://github.com/ClangBuiltLinux/linux/issues/1567
> Cc: Nick Desaulniers <ndesaulniers@google.com>
> Cc: Sami Tolvanen <samitolvanen@google.com>
> Cc: Ard Biesheuvel <ardb@kernel.org>
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
> ---
> Changes v1->v2:
> - Wrapped columns at 80 for Eric.
>
>  arch/arm/crypto/blake2s-shash.c   |  4 ++--
>  arch/x86/crypto/blake2s-shash.c   |  4 ++--
>  crypto/blake2s_generic.c          |  4 ++--
>  include/crypto/internal/blake2s.h | 40 +++++++++++++++++++------------
>  lib/crypto/blake2s.c              |  4 ++--
>  5 files changed, 33 insertions(+), 23 deletions(-)
>
> diff --git a/arch/arm/crypto/blake2s-shash.c b/arch/arm/crypto/blake2s-shash.c
> index 17c1c3bfe2f5..763c73beea2d 100644
> --- a/arch/arm/crypto/blake2s-shash.c
> +++ b/arch/arm/crypto/blake2s-shash.c
> @@ -13,12 +13,12 @@
>  static int crypto_blake2s_update_arm(struct shash_desc *desc,
>                                      const u8 *in, unsigned int inlen)
>  {
> -       return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
> +       return crypto_blake2s_update(desc, in, inlen, false);
>  }
>
>  static int crypto_blake2s_final_arm(struct shash_desc *desc, u8 *out)
>  {
> -       return crypto_blake2s_final(desc, out, blake2s_compress);
> +       return crypto_blake2s_final(desc, out, false);
>  }
>
>  #define BLAKE2S_ALG(name, driver_name, digest_size)                    \
> diff --git a/arch/x86/crypto/blake2s-shash.c b/arch/x86/crypto/blake2s-shash.c
> index f9e2fecdb761..59ae28abe35c 100644
> --- a/arch/x86/crypto/blake2s-shash.c
> +++ b/arch/x86/crypto/blake2s-shash.c
> @@ -18,12 +18,12 @@
>  static int crypto_blake2s_update_x86(struct shash_desc *desc,
>                                      const u8 *in, unsigned int inlen)
>  {
> -       return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
> +       return crypto_blake2s_update(desc, in, inlen, false);
>  }
>
>  static int crypto_blake2s_final_x86(struct shash_desc *desc, u8 *out)
>  {
> -       return crypto_blake2s_final(desc, out, blake2s_compress);
> +       return crypto_blake2s_final(desc, out, false);
>  }
>
>  #define BLAKE2S_ALG(name, driver_name, digest_size)                    \
> diff --git a/crypto/blake2s_generic.c b/crypto/blake2s_generic.c
> index 72fe480f9bd6..5f96a21f8788 100644
> --- a/crypto/blake2s_generic.c
> +++ b/crypto/blake2s_generic.c
> @@ -15,12 +15,12 @@
>  static int crypto_blake2s_update_generic(struct shash_desc *desc,
>                                          const u8 *in, unsigned int inlen)
>  {
> -       return crypto_blake2s_update(desc, in, inlen, blake2s_compress_generic);
> +       return crypto_blake2s_update(desc, in, inlen, true);
>  }
>
>  static int crypto_blake2s_final_generic(struct shash_desc *desc, u8 *out)
>  {
> -       return crypto_blake2s_final(desc, out, blake2s_compress_generic);
> +       return crypto_blake2s_final(desc, out, true);
>  }
>
>  #define BLAKE2S_ALG(name, driver_name, digest_size)                    \
> diff --git a/include/crypto/internal/blake2s.h b/include/crypto/internal/blake2s.h
> index d39cfa0d333e..52363eee2b20 100644
> --- a/include/crypto/internal/blake2s.h
> +++ b/include/crypto/internal/blake2s.h
> @@ -24,14 +24,11 @@ static inline void blake2s_set_lastblock(struct blake2s_state *state)
>         state->f[0] = -1;
>  }
>
> -typedef void (*blake2s_compress_t)(struct blake2s_state *state,
> -                                  const u8 *block, size_t nblocks, u32 inc);
> -
>  /* Helper functions for BLAKE2s shared by the library and shash APIs */
>
> -static inline void __blake2s_update(struct blake2s_state *state,
> -                                   const u8 *in, size_t inlen,
> -                                   blake2s_compress_t compress)
> +static __always_inline void
> +__blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen,
> +                bool force_generic)
>  {
>         const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;
>
> @@ -39,7 +36,12 @@ static inline void __blake2s_update(struct blake2s_state *state,
>                 return;
>         if (inlen > fill) {
>                 memcpy(state->buf + state->buflen, in, fill);
> -               (*compress)(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
> +               if (force_generic)
> +                       blake2s_compress_generic(state, state->buf, 1,
> +                                                BLAKE2S_BLOCK_SIZE);
> +               else
> +                       blake2s_compress(state, state->buf, 1,
> +                                        BLAKE2S_BLOCK_SIZE);
>                 state->buflen = 0;
>                 in += fill;
>                 inlen -= fill;
> @@ -47,7 +49,12 @@ static inline void __blake2s_update(struct blake2s_state *state,
>         if (inlen > BLAKE2S_BLOCK_SIZE) {
>                 const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
>                 /* Hash one less (full) block than strictly possible */
> -               (*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
> +               if (force_generic)
> +                       blake2s_compress_generic(state, in, nblocks - 1,
> +                                                BLAKE2S_BLOCK_SIZE);
> +               else
> +                       blake2s_compress(state, in, nblocks - 1,
> +                                        BLAKE2S_BLOCK_SIZE);
>                 in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
>                 inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
>         }
> @@ -55,13 +62,16 @@ static inline void __blake2s_update(struct blake2s_state *state,
>         state->buflen += inlen;
>  }
>
> -static inline void __blake2s_final(struct blake2s_state *state, u8 *out,
> -                                  blake2s_compress_t compress)
> +static __always_inline void
> +__blake2s_final(struct blake2s_state *state, u8 *out, bool force_generic)
>  {
>         blake2s_set_lastblock(state);
>         memset(state->buf + state->buflen, 0,
>                BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
> -       (*compress)(state, state->buf, 1, state->buflen);
> +       if (force_generic)
> +               blake2s_compress_generic(state, state->buf, 1, state->buflen);
> +       else
> +               blake2s_compress(state, state->buf, 1, state->buflen);
>         cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
>         memcpy(out, state->h, state->outlen);
>  }
> @@ -99,20 +109,20 @@ static inline int crypto_blake2s_init(struct shash_desc *desc)
>
>  static inline int crypto_blake2s_update(struct shash_desc *desc,
>                                         const u8 *in, unsigned int inlen,
> -                                       blake2s_compress_t compress)
> +                                       bool force_generic)
>  {
>         struct blake2s_state *state = shash_desc_ctx(desc);
>
> -       __blake2s_update(state, in, inlen, compress);
> +       __blake2s_update(state, in, inlen, force_generic);
>         return 0;
>  }
>
>  static inline int crypto_blake2s_final(struct shash_desc *desc, u8 *out,
> -                                      blake2s_compress_t compress)
> +                                      bool force_generic)
>  {
>         struct blake2s_state *state = shash_desc_ctx(desc);
>
> -       __blake2s_final(state, out, compress);
> +       __blake2s_final(state, out, force_generic);
>         return 0;
>  }
>
> diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
> index 9364f79937b8..c71c09621c09 100644
> --- a/lib/crypto/blake2s.c
> +++ b/lib/crypto/blake2s.c
> @@ -18,14 +18,14 @@
>
>  void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
>  {
> -       __blake2s_update(state, in, inlen, blake2s_compress);
> +       __blake2s_update(state, in, inlen, false);
>  }
>  EXPORT_SYMBOL(blake2s_update);
>
>  void blake2s_final(struct blake2s_state *state, u8 *out)
>  {
>         WARN_ON(IS_ENABLED(DEBUG) && !out);
> -       __blake2s_final(state, out, blake2s_compress);
> +       __blake2s_final(state, out, false);
>         memzero_explicit(state, sizeof(*state));
>  }
>  EXPORT_SYMBOL(blake2s_final);
> --
> 2.34.1
>


-- 
Thanks,
~Nick Desaulniers

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH v2] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
@ 2022-01-24 19:59                         ` Nick Desaulniers
  0 siblings, 0 replies; 100+ messages in thread
From: Nick Desaulniers @ 2022-01-24 19:59 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	llvm, Sami Tolvanen, Nathan Chancellor, Eric Biggers, Herbert Xu,
	Miles Chen, Ard Biesheuvel

On Mon, Jan 24, 2022 at 11:29 AM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> blake2s_compress_generic is weakly aliased by blake2s_generic. The
> current harness for function selection uses a function pointer, which is
> ordinarily inlined and resolved at compile time. But when Clang's CFI is
> enabled, CFI still triggers when making an indirect call via a weak
> symbol. This seems like a bug in Clang's CFI, as though it's bucketing
> weak symbols and strong symbols differently. It also only seems to
> trigger when "full LTO" mode is used, rather than "thin LTO".
>
> [    0.000000][    T0] Kernel panic - not syncing: CFI failure (target: blake2s_compress_generic+0x0/0x1444)
> [    0.000000][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-mainline-06981-g076c855b846e #1
> [    0.000000][    T0] Hardware name: MT6873 (DT)
> [    0.000000][    T0] Call trace:
> [    0.000000][    T0]  dump_backtrace+0xfc/0x1dc
> [    0.000000][    T0]  dump_stack_lvl+0xa8/0x11c
> [    0.000000][    T0]  panic+0x194/0x464
> [    0.000000][    T0]  __cfi_check_fail+0x54/0x58
> [    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
> [    0.000000][    T0]  blake2s_update+0x14c/0x178
> [    0.000000][    T0]  _extract_entropy+0xf4/0x29c
> [    0.000000][    T0]  crng_initialize_primary+0x24/0x94
> [    0.000000][    T0]  rand_initialize+0x2c/0x6c
> [    0.000000][    T0]  start_kernel+0x2f8/0x65c
> [    0.000000][    T0]  __primary_switched+0xc4/0x7be4
> [    0.000000][    T0] Rebooting in 5 seconds..
>
> Nonetheless, the function pointer method isn't so terrific anyway, so
> this patch replaces it with a simple boolean, which also gets inlined
> away. This successfully works around the Clang bug.

Acked-by: Nick Desaulniers <ndesaulniers@google.com>

Thanks for the report. Once we have a fix in hand for LLVM, we can
revisit removing this and raising the required LLVM version for CFI.

>
> In general, I'm not too keen on all of the indirection involved here; it
> clearly does more harm than good. Hopefully the whole thing can get
> cleaned up down the road when lib/crypto is overhauled more
> comprehensively. But for now, we go with a simple bandaid.
>
> Fixes: 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
> Reported-by: Miles Chen <miles.chen@mediatek.com>
> Tested-by: Miles Chen <miles.chen@mediatek.com>
> Tested-by: Nathan Chancellor <nathan@kernel.org>
> Link: https://github.com/ClangBuiltLinux/linux/issues/1567
> Cc: Nick Desaulniers <ndesaulniers@google.com>
> Cc: Sami Tolvanen <samitolvanen@google.com>
> Cc: Ard Biesheuvel <ardb@kernel.org>
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
> ---
> Changes v1->v2:
> - Wrapped columns at 80 for Eric.
>
>  arch/arm/crypto/blake2s-shash.c   |  4 ++--
>  arch/x86/crypto/blake2s-shash.c   |  4 ++--
>  crypto/blake2s_generic.c          |  4 ++--
>  include/crypto/internal/blake2s.h | 40 +++++++++++++++++++------------
>  lib/crypto/blake2s.c              |  4 ++--
>  5 files changed, 33 insertions(+), 23 deletions(-)
>
> diff --git a/arch/arm/crypto/blake2s-shash.c b/arch/arm/crypto/blake2s-shash.c
> index 17c1c3bfe2f5..763c73beea2d 100644
> --- a/arch/arm/crypto/blake2s-shash.c
> +++ b/arch/arm/crypto/blake2s-shash.c
> @@ -13,12 +13,12 @@
>  static int crypto_blake2s_update_arm(struct shash_desc *desc,
>                                      const u8 *in, unsigned int inlen)
>  {
> -       return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
> +       return crypto_blake2s_update(desc, in, inlen, false);
>  }
>
>  static int crypto_blake2s_final_arm(struct shash_desc *desc, u8 *out)
>  {
> -       return crypto_blake2s_final(desc, out, blake2s_compress);
> +       return crypto_blake2s_final(desc, out, false);
>  }
>
>  #define BLAKE2S_ALG(name, driver_name, digest_size)                    \
> diff --git a/arch/x86/crypto/blake2s-shash.c b/arch/x86/crypto/blake2s-shash.c
> index f9e2fecdb761..59ae28abe35c 100644
> --- a/arch/x86/crypto/blake2s-shash.c
> +++ b/arch/x86/crypto/blake2s-shash.c
> @@ -18,12 +18,12 @@
>  static int crypto_blake2s_update_x86(struct shash_desc *desc,
>                                      const u8 *in, unsigned int inlen)
>  {
> -       return crypto_blake2s_update(desc, in, inlen, blake2s_compress);
> +       return crypto_blake2s_update(desc, in, inlen, false);
>  }
>
>  static int crypto_blake2s_final_x86(struct shash_desc *desc, u8 *out)
>  {
> -       return crypto_blake2s_final(desc, out, blake2s_compress);
> +       return crypto_blake2s_final(desc, out, false);
>  }
>
>  #define BLAKE2S_ALG(name, driver_name, digest_size)                    \
> diff --git a/crypto/blake2s_generic.c b/crypto/blake2s_generic.c
> index 72fe480f9bd6..5f96a21f8788 100644
> --- a/crypto/blake2s_generic.c
> +++ b/crypto/blake2s_generic.c
> @@ -15,12 +15,12 @@
>  static int crypto_blake2s_update_generic(struct shash_desc *desc,
>                                          const u8 *in, unsigned int inlen)
>  {
> -       return crypto_blake2s_update(desc, in, inlen, blake2s_compress_generic);
> +       return crypto_blake2s_update(desc, in, inlen, true);
>  }
>
>  static int crypto_blake2s_final_generic(struct shash_desc *desc, u8 *out)
>  {
> -       return crypto_blake2s_final(desc, out, blake2s_compress_generic);
> +       return crypto_blake2s_final(desc, out, true);
>  }
>
>  #define BLAKE2S_ALG(name, driver_name, digest_size)                    \
> diff --git a/include/crypto/internal/blake2s.h b/include/crypto/internal/blake2s.h
> index d39cfa0d333e..52363eee2b20 100644
> --- a/include/crypto/internal/blake2s.h
> +++ b/include/crypto/internal/blake2s.h
> @@ -24,14 +24,11 @@ static inline void blake2s_set_lastblock(struct blake2s_state *state)
>         state->f[0] = -1;
>  }
>
> -typedef void (*blake2s_compress_t)(struct blake2s_state *state,
> -                                  const u8 *block, size_t nblocks, u32 inc);
> -
>  /* Helper functions for BLAKE2s shared by the library and shash APIs */
>
> -static inline void __blake2s_update(struct blake2s_state *state,
> -                                   const u8 *in, size_t inlen,
> -                                   blake2s_compress_t compress)
> +static __always_inline void
> +__blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen,
> +                bool force_generic)
>  {
>         const size_t fill = BLAKE2S_BLOCK_SIZE - state->buflen;
>
> @@ -39,7 +36,12 @@ static inline void __blake2s_update(struct blake2s_state *state,
>                 return;
>         if (inlen > fill) {
>                 memcpy(state->buf + state->buflen, in, fill);
> -               (*compress)(state, state->buf, 1, BLAKE2S_BLOCK_SIZE);
> +               if (force_generic)
> +                       blake2s_compress_generic(state, state->buf, 1,
> +                                                BLAKE2S_BLOCK_SIZE);
> +               else
> +                       blake2s_compress(state, state->buf, 1,
> +                                        BLAKE2S_BLOCK_SIZE);
>                 state->buflen = 0;
>                 in += fill;
>                 inlen -= fill;
> @@ -47,7 +49,12 @@ static inline void __blake2s_update(struct blake2s_state *state,
>         if (inlen > BLAKE2S_BLOCK_SIZE) {
>                 const size_t nblocks = DIV_ROUND_UP(inlen, BLAKE2S_BLOCK_SIZE);
>                 /* Hash one less (full) block than strictly possible */
> -               (*compress)(state, in, nblocks - 1, BLAKE2S_BLOCK_SIZE);
> +               if (force_generic)
> +                       blake2s_compress_generic(state, in, nblocks - 1,
> +                                                BLAKE2S_BLOCK_SIZE);
> +               else
> +                       blake2s_compress(state, in, nblocks - 1,
> +                                        BLAKE2S_BLOCK_SIZE);
>                 in += BLAKE2S_BLOCK_SIZE * (nblocks - 1);
>                 inlen -= BLAKE2S_BLOCK_SIZE * (nblocks - 1);
>         }
> @@ -55,13 +62,16 @@ static inline void __blake2s_update(struct blake2s_state *state,
>         state->buflen += inlen;
>  }
>
> -static inline void __blake2s_final(struct blake2s_state *state, u8 *out,
> -                                  blake2s_compress_t compress)
> +static __always_inline void
> +__blake2s_final(struct blake2s_state *state, u8 *out, bool force_generic)
>  {
>         blake2s_set_lastblock(state);
>         memset(state->buf + state->buflen, 0,
>                BLAKE2S_BLOCK_SIZE - state->buflen); /* Padding */
> -       (*compress)(state, state->buf, 1, state->buflen);
> +       if (force_generic)
> +               blake2s_compress_generic(state, state->buf, 1, state->buflen);
> +       else
> +               blake2s_compress(state, state->buf, 1, state->buflen);
>         cpu_to_le32_array(state->h, ARRAY_SIZE(state->h));
>         memcpy(out, state->h, state->outlen);
>  }
> @@ -99,20 +109,20 @@ static inline int crypto_blake2s_init(struct shash_desc *desc)
>
>  static inline int crypto_blake2s_update(struct shash_desc *desc,
>                                         const u8 *in, unsigned int inlen,
> -                                       blake2s_compress_t compress)
> +                                       bool force_generic)
>  {
>         struct blake2s_state *state = shash_desc_ctx(desc);
>
> -       __blake2s_update(state, in, inlen, compress);
> +       __blake2s_update(state, in, inlen, force_generic);
>         return 0;
>  }
>
>  static inline int crypto_blake2s_final(struct shash_desc *desc, u8 *out,
> -                                      blake2s_compress_t compress)
> +                                      bool force_generic)
>  {
>         struct blake2s_state *state = shash_desc_ctx(desc);
>
> -       __blake2s_final(state, out, compress);
> +       __blake2s_final(state, out, force_generic);
>         return 0;
>  }
>
> diff --git a/lib/crypto/blake2s.c b/lib/crypto/blake2s.c
> index 9364f79937b8..c71c09621c09 100644
> --- a/lib/crypto/blake2s.c
> +++ b/lib/crypto/blake2s.c
> @@ -18,14 +18,14 @@
>
>  void blake2s_update(struct blake2s_state *state, const u8 *in, size_t inlen)
>  {
> -       __blake2s_update(state, in, inlen, blake2s_compress);
> +       __blake2s_update(state, in, inlen, false);
>  }
>  EXPORT_SYMBOL(blake2s_update);
>
>  void blake2s_final(struct blake2s_state *state, u8 *out)
>  {
>         WARN_ON(IS_ENABLED(DEBUG) && !out);
> -       __blake2s_final(state, out, blake2s_compress);
> +       __blake2s_final(state, out, false);
>         memzero_explicit(state, sizeof(*state));
>  }
>  EXPORT_SYMBOL(blake2s_final);
> --
> 2.34.1
>


-- 
Thanks,
~Nick Desaulniers

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH v2] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
  2022-01-24 19:28                       ` Jason A. Donenfeld
@ 2022-01-25  6:40                         ` Eric Biggers
  -1 siblings, 0 replies; 100+ messages in thread
From: Eric Biggers @ 2022-01-25  6:40 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	llvm, Nick Desaulniers, Sami Tolvanen, Nathan Chancellor,
	Herbert Xu, Miles Chen, Ard Biesheuvel

On Mon, Jan 24, 2022 at 08:28:49PM +0100, Jason A. Donenfeld wrote:
> blake2s_compress_generic is weakly aliased by blake2s_generic. The

Don't you mean "weakly aliased by blake2s_compress"?

> Fixes: 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
> Reported-by: Miles Chen <miles.chen@mediatek.com>
> Tested-by: Miles Chen <miles.chen@mediatek.com>
> Tested-by: Nathan Chancellor <nathan@kernel.org>
> Link: https://github.com/ClangBuiltLinux/linux/issues/1567
> Cc: Nick Desaulniers <ndesaulniers@google.com>
> Cc: Sami Tolvanen <samitolvanen@google.com>
> Cc: Ard Biesheuvel <ardb@kernel.org>
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
> ---

Otherwise this looks fine, though it's unfortunate this is needed.  You can add:

	Reviewed-by: Eric Biggers <ebiggers@google.com>

> Changes v1->v2:
> - Wrapped columns at 80 for Eric.

It is the recommended coding style, so not just for me :-)

- Eric

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH v2] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
@ 2022-01-25  6:40                         ` Eric Biggers
  0 siblings, 0 replies; 100+ messages in thread
From: Eric Biggers @ 2022-01-25  6:40 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	llvm, Nick Desaulniers, Sami Tolvanen, Nathan Chancellor,
	Herbert Xu, Miles Chen, Ard Biesheuvel

On Mon, Jan 24, 2022 at 08:28:49PM +0100, Jason A. Donenfeld wrote:
> blake2s_compress_generic is weakly aliased by blake2s_generic. The

Don't you mean "weakly aliased by blake2s_compress"?

> Fixes: 6048fdcc5f26 ("lib/crypto: blake2s: include as built-in")
> Reported-by: Miles Chen <miles.chen@mediatek.com>
> Tested-by: Miles Chen <miles.chen@mediatek.com>
> Tested-by: Nathan Chancellor <nathan@kernel.org>
> Link: https://github.com/ClangBuiltLinux/linux/issues/1567
> Cc: Nick Desaulniers <ndesaulniers@google.com>
> Cc: Sami Tolvanen <samitolvanen@google.com>
> Cc: Ard Biesheuvel <ardb@kernel.org>
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
> ---

Otherwise this looks fine, though it's unfortunate this is needed.  You can add:

	Reviewed-by: Eric Biggers <ebiggers@google.com>

> Changes v1->v2:
> - Wrapped columns at 80 for Eric.

It is the recommended coding style, so not just for me :-)

- Eric

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH v2] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
  2022-01-25  6:40                         ` Eric Biggers
@ 2022-01-25 12:23                           ` Jason A. Donenfeld
  -1 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-25 12:23 UTC (permalink / raw)
  To: Eric Biggers
  Cc: Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	llvm, Nick Desaulniers, Sami Tolvanen, Nathan Chancellor,
	Herbert Xu, Miles Chen, Ard Biesheuvel

On 1/25/22, Eric Biggers <ebiggers@kernel.org> wrote:
> On Mon, Jan 24, 2022 at 08:28:49PM +0100, Jason A. Donenfeld wrote:
>> blake2s_compress_generic is weakly aliased by blake2s_generic. The
>
> Don't you mean "weakly aliased by blake2s_compress"?

Grrrr. Thanks.

>> Changes v1->v2:
>> - Wrapped columns at 80 for Eric.
>
> It is the recommended coding style, so not just for me :-)

I was under the impression this increased to 100 mid-2020 or so, and
checkpatch.pl now makes noise at that width instead.

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH v2] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
@ 2022-01-25 12:23                           ` Jason A. Donenfeld
  0 siblings, 0 replies; 100+ messages in thread
From: Jason A. Donenfeld @ 2022-01-25 12:23 UTC (permalink / raw)
  To: Eric Biggers
  Cc: Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	llvm, Nick Desaulniers, Sami Tolvanen, Nathan Chancellor,
	Herbert Xu, Miles Chen, Ard Biesheuvel

On 1/25/22, Eric Biggers <ebiggers@kernel.org> wrote:
> On Mon, Jan 24, 2022 at 08:28:49PM +0100, Jason A. Donenfeld wrote:
>> blake2s_compress_generic is weakly aliased by blake2s_generic. The
>
> Don't you mean "weakly aliased by blake2s_compress"?

Grrrr. Thanks.

>> Changes v1->v2:
>> - Wrapped columns at 80 for Eric.
>
> It is the recommended coding style, so not just for me :-)

I was under the impression this increased to 100 mid-2020 or so, and
checkpatch.pl now makes noise at that width instead.

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
  2022-01-19 13:54                     ` Jason A. Donenfeld
  (?)
@ 2022-01-26 22:51                       ` John Stultz
  -1 siblings, 0 replies; 100+ messages in thread
From: John Stultz @ 2022-01-26 22:51 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Miles Chen, Ard Biesheuvel, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek, Nick Desaulniers,
	Sami Tolvanen, YongQin Liu

On Fri, Jan 21, 2022 at 11:17 AM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> blake2s_compress_generic is weakly aliased to blake2s_generic. The
> current harness for function selection uses a function pointer, which is
> ordinarily inlined and resolved at compile time. But when Clang's CFI is
> enabled, CFI still triggers when making an indirect call via a weak
> symbol. This seems like a bug in Clang's CFI, as though it's bucketing
> weak symbols and strong symbols differently. It also only seems to
> trigger when "full LTO" mode is used, rather than "thin LTO".
>
> [    0.000000][    T0] Kernel panic - not syncing: CFI failure (target: blake2s_compress_generic+0x0/0x1444)
> [    0.000000][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-mainline-06981-g076c855b846e #1
> [    0.000000][    T0] Hardware name: MT6873 (DT)
> [    0.000000][    T0] Call trace:
> [    0.000000][    T0]  dump_backtrace+0xfc/0x1dc
> [    0.000000][    T0]  dump_stack_lvl+0xa8/0x11c
> [    0.000000][    T0]  panic+0x194/0x464
> [    0.000000][    T0]  __cfi_check_fail+0x54/0x58
> [    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
> [    0.000000][    T0]  blake2s_update+0x14c/0x178
> [    0.000000][    T0]  _extract_entropy+0xf4/0x29c
> [    0.000000][    T0]  crng_initialize_primary+0x24/0x94
> [    0.000000][    T0]  rand_initialize+0x2c/0x6c
> [    0.000000][    T0]  start_kernel+0x2f8/0x65c
> [    0.000000][    T0]  __primary_switched+0xc4/0x7be4
> [    0.000000][    T0] Rebooting in 5 seconds..

YongQin also reported hitting this issue(also, only in the LTO=full
case) on the db845c dev board. Sami pointed me to this patch and I
just wanted to confirm it gets things booting again.

Reported-by: YongQin Liu <yongqin.liu@linaro.org>
Tested-by: John Stultz <john.stultz@linaro.org>

Thanks so much for the quick analysis and fix!
-john

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
@ 2022-01-26 22:51                       ` John Stultz
  0 siblings, 0 replies; 100+ messages in thread
From: John Stultz @ 2022-01-26 22:51 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Miles Chen, Ard Biesheuvel, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek, Nick Desaulniers,
	Sami Tolvanen, YongQin Liu

On Fri, Jan 21, 2022 at 11:17 AM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> blake2s_compress_generic is weakly aliased to blake2s_generic. The
> current harness for function selection uses a function pointer, which is
> ordinarily inlined and resolved at compile time. But when Clang's CFI is
> enabled, CFI still triggers when making an indirect call via a weak
> symbol. This seems like a bug in Clang's CFI, as though it's bucketing
> weak symbols and strong symbols differently. It also only seems to
> trigger when "full LTO" mode is used, rather than "thin LTO".
>
> [    0.000000][    T0] Kernel panic - not syncing: CFI failure (target: blake2s_compress_generic+0x0/0x1444)
> [    0.000000][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-mainline-06981-g076c855b846e #1
> [    0.000000][    T0] Hardware name: MT6873 (DT)
> [    0.000000][    T0] Call trace:
> [    0.000000][    T0]  dump_backtrace+0xfc/0x1dc
> [    0.000000][    T0]  dump_stack_lvl+0xa8/0x11c
> [    0.000000][    T0]  panic+0x194/0x464
> [    0.000000][    T0]  __cfi_check_fail+0x54/0x58
> [    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
> [    0.000000][    T0]  blake2s_update+0x14c/0x178
> [    0.000000][    T0]  _extract_entropy+0xf4/0x29c
> [    0.000000][    T0]  crng_initialize_primary+0x24/0x94
> [    0.000000][    T0]  rand_initialize+0x2c/0x6c
> [    0.000000][    T0]  start_kernel+0x2f8/0x65c
> [    0.000000][    T0]  __primary_switched+0xc4/0x7be4
> [    0.000000][    T0] Rebooting in 5 seconds..

YongQin also reported hitting this issue(also, only in the LTO=full
case) on the db845c dev board. Sami pointed me to this patch and I
just wanted to confirm it gets things booting again.

Reported-by: YongQin Liu <yongqin.liu@linaro.org>
Tested-by: John Stultz <john.stultz@linaro.org>

Thanks so much for the quick analysis and fix!
-john

_______________________________________________
Linux-mediatek mailing list
Linux-mediatek@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-mediatek

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
@ 2022-01-26 22:51                       ` John Stultz
  0 siblings, 0 replies; 100+ messages in thread
From: John Stultz @ 2022-01-26 22:51 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Miles Chen, Ard Biesheuvel, Linux ARM, Linux Crypto Mailing List,
	Linux Kernel Mailing List, linux-mediatek, Nick Desaulniers,
	Sami Tolvanen, YongQin Liu

On Fri, Jan 21, 2022 at 11:17 AM Jason A. Donenfeld <Jason@zx2c4.com> wrote:
>
> blake2s_compress_generic is weakly aliased to blake2s_generic. The
> current harness for function selection uses a function pointer, which is
> ordinarily inlined and resolved at compile time. But when Clang's CFI is
> enabled, CFI still triggers when making an indirect call via a weak
> symbol. This seems like a bug in Clang's CFI, as though it's bucketing
> weak symbols and strong symbols differently. It also only seems to
> trigger when "full LTO" mode is used, rather than "thin LTO".
>
> [    0.000000][    T0] Kernel panic - not syncing: CFI failure (target: blake2s_compress_generic+0x0/0x1444)
> [    0.000000][    T0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.16.0-mainline-06981-g076c855b846e #1
> [    0.000000][    T0] Hardware name: MT6873 (DT)
> [    0.000000][    T0] Call trace:
> [    0.000000][    T0]  dump_backtrace+0xfc/0x1dc
> [    0.000000][    T0]  dump_stack_lvl+0xa8/0x11c
> [    0.000000][    T0]  panic+0x194/0x464
> [    0.000000][    T0]  __cfi_check_fail+0x54/0x58
> [    0.000000][    T0]  __cfi_slowpath_diag+0x354/0x4b0
> [    0.000000][    T0]  blake2s_update+0x14c/0x178
> [    0.000000][    T0]  _extract_entropy+0xf4/0x29c
> [    0.000000][    T0]  crng_initialize_primary+0x24/0x94
> [    0.000000][    T0]  rand_initialize+0x2c/0x6c
> [    0.000000][    T0]  start_kernel+0x2f8/0x65c
> [    0.000000][    T0]  __primary_switched+0xc4/0x7be4
> [    0.000000][    T0] Rebooting in 5 seconds..

YongQin also reported hitting this issue(also, only in the LTO=full
case) on the db845c dev board. Sami pointed me to this patch and I
just wanted to confirm it gets things booting again.

Reported-by: YongQin Liu <yongqin.liu@linaro.org>
Tested-by: John Stultz <john.stultz@linaro.org>

Thanks so much for the quick analysis and fix!
-john

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH v2] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
  2022-01-25 12:23                           ` Jason A. Donenfeld
@ 2022-01-26 22:54                             ` Eric Biggers
  -1 siblings, 0 replies; 100+ messages in thread
From: Eric Biggers @ 2022-01-26 22:54 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	llvm, Nick Desaulniers, Sami Tolvanen, Nathan Chancellor,
	Herbert Xu, Miles Chen, Ard Biesheuvel

On Tue, Jan 25, 2022 at 01:23:34PM +0100, Jason A. Donenfeld wrote:
> On 1/25/22, Eric Biggers <ebiggers@kernel.org> wrote:
> > On Mon, Jan 24, 2022 at 08:28:49PM +0100, Jason A. Donenfeld wrote:
> >> blake2s_compress_generic is weakly aliased by blake2s_generic. The
> >
> > Don't you mean "weakly aliased by blake2s_compress"?
> 
> Grrrr. Thanks.
> 
> >> Changes v1->v2:
> >> - Wrapped columns at 80 for Eric.
> >
> > It is the recommended coding style, so not just for me :-)
> 
> I was under the impression this increased to 100 mid-2020 or so, and
> checkpatch.pl now makes noise at that width instead.

From Documentation/process/coding-style.rst:

"The preferred limit on the length of a single line is 80 columns.

 Statements longer than 80 columns should be broken into sensible chunks,
 unless exceeding 80 columns significantly increases readability and does
 not hide information."

It's not as strict as it used to be, but checkpatch seems to be overly-lenient.
I always run it with --max-line-length=80.

- Eric

^ permalink raw reply	[flat|nested] 100+ messages in thread

* Re: [PATCH v2] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI
@ 2022-01-26 22:54                             ` Eric Biggers
  0 siblings, 0 replies; 100+ messages in thread
From: Eric Biggers @ 2022-01-26 22:54 UTC (permalink / raw)
  To: Jason A. Donenfeld
  Cc: Linux ARM, Linux Crypto Mailing List, Linux Kernel Mailing List,
	llvm, Nick Desaulniers, Sami Tolvanen, Nathan Chancellor,
	Herbert Xu, Miles Chen, Ard Biesheuvel

On Tue, Jan 25, 2022 at 01:23:34PM +0100, Jason A. Donenfeld wrote:
> On 1/25/22, Eric Biggers <ebiggers@kernel.org> wrote:
> > On Mon, Jan 24, 2022 at 08:28:49PM +0100, Jason A. Donenfeld wrote:
> >> blake2s_compress_generic is weakly aliased by blake2s_generic. The
> >
> > Don't you mean "weakly aliased by blake2s_compress"?
> 
> Grrrr. Thanks.
> 
> >> Changes v1->v2:
> >> - Wrapped columns at 80 for Eric.
> >
> > It is the recommended coding style, so not just for me :-)
> 
> I was under the impression this increased to 100 mid-2020 or so, and
> checkpatch.pl now makes noise at that width instead.

From Documentation/process/coding-style.rst:

"The preferred limit on the length of a single line is 80 columns.

 Statements longer than 80 columns should be broken into sensible chunks,
 unless exceeding 80 columns significantly increases readability and does
 not hide information."

It's not as strict as it used to be, but checkpatch seems to be overly-lenient.
I always run it with --max-line-length=80.

- Eric

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

^ permalink raw reply	[flat|nested] 100+ messages in thread

end of thread, other threads:[~2022-01-26 22:55 UTC | newest]

Thread overview: 100+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-01-19  8:24 [PATCH] lib/crypto: blake2s: fix a CFI failure miles.chen
2022-01-19  8:24 ` miles.chen
2022-01-19  8:24 ` miles.chen
2022-01-19  9:00 ` Jason A. Donenfeld
2022-01-19  9:00   ` Jason A. Donenfeld
2022-01-19  9:00   ` Jason A. Donenfeld
2022-01-19  9:09   ` Jason A. Donenfeld
2022-01-19  9:09     ` Jason A. Donenfeld
2022-01-19  9:09     ` Jason A. Donenfeld
2022-01-19  9:16     ` Miles Chen
2022-01-19  9:16       ` Miles Chen
2022-01-19  9:16       ` Miles Chen
2022-01-19  9:09   ` Ard Biesheuvel
2022-01-19  9:09     ` Ard Biesheuvel
2022-01-19  9:09     ` Ard Biesheuvel
2022-01-19  9:13     ` Ard Biesheuvel
2022-01-19  9:13       ` Ard Biesheuvel
2022-01-19  9:13       ` Ard Biesheuvel
2022-01-19  9:43       ` Miles Chen
2022-01-19  9:43         ` Miles Chen
2022-01-19  9:43         ` Miles Chen
2022-01-19 10:10     ` Miles Chen
2022-01-19 10:10       ` Miles Chen
2022-01-19 10:10       ` Miles Chen
2022-01-19  9:24   ` Miles Chen
2022-01-19  9:24     ` Miles Chen
2022-01-19  9:24     ` Miles Chen
2022-01-19  9:55     ` Jason A. Donenfeld
2022-01-19  9:55       ` Jason A. Donenfeld
2022-01-19  9:55       ` Jason A. Donenfeld
2022-01-19 10:06       ` Miles Chen
2022-01-19 10:06         ` Miles Chen
2022-01-19 10:06         ` Miles Chen
2022-01-19 10:11         ` Jason A. Donenfeld
2022-01-19 10:11           ` Jason A. Donenfeld
2022-01-19 10:11           ` Jason A. Donenfeld
2022-01-19 10:56           ` Jason A. Donenfeld
2022-01-19 10:56             ` Jason A. Donenfeld
2022-01-19 10:56             ` Jason A. Donenfeld
2022-01-19 12:14             ` Jason A. Donenfeld
2022-01-19 12:14               ` Jason A. Donenfeld
2022-01-19 12:14               ` Jason A. Donenfeld
2022-01-19 12:18               ` Ard Biesheuvel
2022-01-19 12:18                 ` Ard Biesheuvel
2022-01-19 12:18                 ` Ard Biesheuvel
2022-01-19 13:34                 ` Jason A. Donenfeld
2022-01-19 13:34                   ` Jason A. Donenfeld
2022-01-19 13:34                   ` Jason A. Donenfeld
2022-01-19 13:54                   ` [PATCH] lib/crypto: blake2s: avoid indirect calls to compression function for Clang CFI Jason A. Donenfeld
2022-01-19 13:54                     ` Jason A. Donenfeld
2022-01-19 13:54                     ` Jason A. Donenfeld
2022-01-19 14:46                     ` Miles Chen
2022-01-19 14:46                       ` Miles Chen
2022-01-19 14:46                       ` Miles Chen
2022-01-19 22:24                     ` Nathan Chancellor
2022-01-19 22:24                       ` Nathan Chancellor
2022-01-19 22:24                       ` Nathan Chancellor
2022-01-20  9:44                       ` Jason A. Donenfeld
2022-01-20  9:44                         ` Jason A. Donenfeld
2022-01-20  9:44                         ` Jason A. Donenfeld
2022-01-21 19:54                     ` Eric Biggers
2022-01-21 19:54                       ` Eric Biggers
2022-01-21 19:54                       ` Eric Biggers
2022-01-21 20:22                       ` Jason A. Donenfeld
2022-01-21 20:22                         ` Jason A. Donenfeld
2022-01-21 20:22                         ` Jason A. Donenfeld
2022-01-21 20:51                         ` Sami Tolvanen
2022-01-21 20:51                           ` Sami Tolvanen
2022-01-21 20:51                           ` Sami Tolvanen
2022-01-24 19:28                     ` [PATCH v2] " Jason A. Donenfeld
2022-01-24 19:28                       ` Jason A. Donenfeld
2022-01-24 19:59                       ` Nick Desaulniers
2022-01-24 19:59                         ` Nick Desaulniers
2022-01-25  6:40                       ` Eric Biggers
2022-01-25  6:40                         ` Eric Biggers
2022-01-25 12:23                         ` Jason A. Donenfeld
2022-01-25 12:23                           ` Jason A. Donenfeld
2022-01-26 22:54                           ` Eric Biggers
2022-01-26 22:54                             ` Eric Biggers
2022-01-26 22:51                     ` [PATCH] " John Stultz
2022-01-26 22:51                       ` John Stultz
2022-01-26 22:51                       ` John Stultz
2022-01-19 14:40                 ` [PATCH] lib/crypto: blake2s: fix a CFI failure David Laight
2022-01-19 14:40                   ` David Laight
2022-01-19 14:40                   ` David Laight
2022-01-19 15:03                   ` Jason A. Donenfeld
2022-01-19 15:03                     ` Jason A. Donenfeld
2022-01-19 15:03                     ` Jason A. Donenfeld
2022-01-19 12:34             ` Miles Chen
2022-01-19 12:34               ` Miles Chen
2022-01-19 12:34               ` Miles Chen
2022-01-19 10:13         ` Ard Biesheuvel
2022-01-19 10:13           ` Ard Biesheuvel
2022-01-19 10:13           ` Ard Biesheuvel
2022-01-19 10:20           ` Jason A. Donenfeld
2022-01-19 10:20             ` Jason A. Donenfeld
2022-01-19 10:20             ` Jason A. Donenfeld
2022-01-19 10:35             ` Ard Biesheuvel
2022-01-19 10:35               ` Ard Biesheuvel
2022-01-19 10:35               ` Ard Biesheuvel

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.