From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: Eric Biggers <ebiggers@kernel.org>
Cc: Pascal Van Leeuwen <pvanleeuwen@insidesecure.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Zhang Zhijie <zhangzj@rock-chips.com>,
Heiko Stuebner <heiko@sntech.de>, Zain Wang <wzz@rock-chips.com>,
Arnd Bergmann <arnd@arndb.de>,
"linux-rockchip@lists.infradead.org"
<linux-rockchip@lists.infradead.org>,
"open list:HARDWARE RANDOM NUMBER GENERATOR CORE"
<linux-crypto@vger.kernel.org>, Olof Johansson <olof@lixom.net>,
"ezequiel@collabora.com" <ezequiel@collabora.com>,
linux-arm-kernel <linux-arm-kernel@lists.infradead.org>,
Tao Huang <huangtao@rock-chips.com>
Subject: Re: [Bug] Rockchip crypto driver sometimes produces wrong ciphertext
Date: Mon, 8 Apr 2019 23:17:51 +0200 [thread overview]
Message-ID: <CAKv+Gu8q6RTT134kZTjKkxDrWLezfio0AVWf8rnTji4wVdUpnw@mail.gmail.com> (raw)
In-Reply-To: <20190408182757.GD9145@gmail.com>
On Mon, 8 Apr 2019 at 20:28, Eric Biggers <ebiggers@kernel.org> wrote:
>
> On Sun, Apr 07, 2019 at 07:12:43PM +0000, Pascal Van Leeuwen wrote:
> >
> > Fact is, there are at least 2 hardware device drivers NOT doing this - and
> > I want to bet a nice sum of money there will be more - and that this has
> > not been noticed prior to adding these tests to testmgr, otherwise this
> > would have been fixed by now. Which seems to confirm that there is no
> > real use case for this functionality.
> >
>
> I really shouldn't have to say this, but just because something hasn't been
> reported doesn't mean it's not a real problem. Someone could easily be affected
> by one of these bugs where crypto drivers produce the wrong output, and never
> notice it because their use case doesn't involve checking the output against
> another implementation. Or, perhaps they noticed but never reported it
> upstream. Or perhaps they didn't have the time or skill to debug the problem so
> just they disabled the broken driver, or used No Crypto instead.
>
> That's why we have tests -- so bugs can be detected immediately rather than
> maybe years out in the field after causing critical security vulnerabilities.
>
Perhaps we could wire this up using a CRYPTO_ALG flag? I.e.,
implementations that need the compliant behavior (such as cts) check
for the flag, and the asynchronous implementations produce two
versions, where the one that lacks the flag has a higher priority.
That way, we don't take the performance hit in cases where it is not
needed.
WARNING: multiple messages have this Message-ID (diff)
From: Ard Biesheuvel <ard.biesheuvel-QSEj5FYQhm4dnm+yROfE0A@public.gmane.org>
To: Eric Biggers <ebiggers-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org>
Cc: Tao Huang <huangtao-TNX95d0MmH7DzftRWevZcw@public.gmane.org>,
Zain Wang <wzz-TNX95d0MmH7DzftRWevZcw@public.gmane.org>,
Herbert Xu
<herbert-lOAM2aK0SrRLBo1qDEOMRrpzq4S04n8Q@public.gmane.org>,
Arnd Bergmann <arnd-r2nGTMty4D4@public.gmane.org>,
Pascal Van Leeuwen
<pvanleeuwen-TMv6SC2IrX7YdpcV/sKalQ@public.gmane.org>,
Zhang Zhijie <zhangzj-TNX95d0MmH7DzftRWevZcw@public.gmane.org>,
"linux-rockchip-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org"
<linux-rockchip-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org>,
"open list:HARDWARE RANDOM NUMBER GENERATOR CORE"
<linux-crypto-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>,
Olof Johansson <olof-nZhT3qVonbNeoWH0uzbU5w@public.gmane.org>,
"ezequiel-ZGY8ohtN/8qB+jHODAdFcQ@public.gmane.org"
<ezequiel-ZGY8ohtN/8qB+jHODAdFcQ@public.gmane.org>,
linux-arm-kernel
<linux-arm-kernel-IAPFreCvJWM7uuMidbF8XUB+6BGkLq7r@public.gmane.org>,
Heiko Stuebner <heiko-4mtYJXux2i+zQB+pC5nmwQ@public.gmane.org>
Subject: Re: [Bug] Rockchip crypto driver sometimes produces wrong ciphertext
Date: Mon, 8 Apr 2019 23:17:51 +0200 [thread overview]
Message-ID: <CAKv+Gu8q6RTT134kZTjKkxDrWLezfio0AVWf8rnTji4wVdUpnw@mail.gmail.com> (raw)
In-Reply-To: <20190408182757.GD9145-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
On Mon, 8 Apr 2019 at 20:28, Eric Biggers <ebiggers-DgEjT+Ai2ygdnm+yROfE0A@public.gmane.org> wrote:
>
> On Sun, Apr 07, 2019 at 07:12:43PM +0000, Pascal Van Leeuwen wrote:
> >
> > Fact is, there are at least 2 hardware device drivers NOT doing this - and
> > I want to bet a nice sum of money there will be more - and that this has
> > not been noticed prior to adding these tests to testmgr, otherwise this
> > would have been fixed by now. Which seems to confirm that there is no
> > real use case for this functionality.
> >
>
> I really shouldn't have to say this, but just because something hasn't been
> reported doesn't mean it's not a real problem. Someone could easily be affected
> by one of these bugs where crypto drivers produce the wrong output, and never
> notice it because their use case doesn't involve checking the output against
> another implementation. Or, perhaps they noticed but never reported it
> upstream. Or perhaps they didn't have the time or skill to debug the problem so
> just they disabled the broken driver, or used No Crypto instead.
>
> That's why we have tests -- so bugs can be detected immediately rather than
> maybe years out in the field after causing critical security vulnerabilities.
>
Perhaps we could wire this up using a CRYPTO_ALG flag? I.e.,
implementations that need the compliant behavior (such as cts) check
for the flag, and the asynchronous implementations produce two
versions, where the one that lacks the flag has a higher priority.
That way, we don't take the performance hit in cases where it is not
needed.
WARNING: multiple messages have this Message-ID (diff)
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: Eric Biggers <ebiggers@kernel.org>
Cc: Tao Huang <huangtao@rock-chips.com>,
Zain Wang <wzz@rock-chips.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
Arnd Bergmann <arnd@arndb.de>,
Pascal Van Leeuwen <pvanleeuwen@insidesecure.com>,
Zhang Zhijie <zhangzj@rock-chips.com>,
"linux-rockchip@lists.infradead.org"
<linux-rockchip@lists.infradead.org>,
"open list:HARDWARE RANDOM NUMBER GENERATOR CORE"
<linux-crypto@vger.kernel.org>, Olof Johansson <olof@lixom.net>,
"ezequiel@collabora.com" <ezequiel@collabora.com>,
linux-arm-kernel <linux-arm-kernel@lists.infradead.org>,
Heiko Stuebner <heiko@sntech.de>
Subject: Re: [Bug] Rockchip crypto driver sometimes produces wrong ciphertext
Date: Mon, 8 Apr 2019 23:17:51 +0200 [thread overview]
Message-ID: <CAKv+Gu8q6RTT134kZTjKkxDrWLezfio0AVWf8rnTji4wVdUpnw@mail.gmail.com> (raw)
In-Reply-To: <20190408182757.GD9145@gmail.com>
On Mon, 8 Apr 2019 at 20:28, Eric Biggers <ebiggers@kernel.org> wrote:
>
> On Sun, Apr 07, 2019 at 07:12:43PM +0000, Pascal Van Leeuwen wrote:
> >
> > Fact is, there are at least 2 hardware device drivers NOT doing this - and
> > I want to bet a nice sum of money there will be more - and that this has
> > not been noticed prior to adding these tests to testmgr, otherwise this
> > would have been fixed by now. Which seems to confirm that there is no
> > real use case for this functionality.
> >
>
> I really shouldn't have to say this, but just because something hasn't been
> reported doesn't mean it's not a real problem. Someone could easily be affected
> by one of these bugs where crypto drivers produce the wrong output, and never
> notice it because their use case doesn't involve checking the output against
> another implementation. Or, perhaps they noticed but never reported it
> upstream. Or perhaps they didn't have the time or skill to debug the problem so
> just they disabled the broken driver, or used No Crypto instead.
>
> That's why we have tests -- so bugs can be detected immediately rather than
> maybe years out in the field after causing critical security vulnerabilities.
>
Perhaps we could wire this up using a CRYPTO_ALG flag? I.e.,
implementations that need the compliant behavior (such as cts) check
for the flag, and the asynchronous implementations produce two
versions, where the one that lacks the flag has a higher priority.
That way, we don't take the performance hit in cases where it is not
needed.
_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel
next prev parent reply other threads:[~2019-04-08 21:18 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-26 21:05 [Bug] Rockchip crypto driver sometimes produces wrong ciphertext Eric Biggers
2019-01-26 21:05 ` Eric Biggers
2019-01-27 8:54 ` Ard Biesheuvel
2019-01-27 8:54 ` Ard Biesheuvel
2019-01-27 8:54 ` Ard Biesheuvel
2019-01-27 10:29 ` Heiko Stuebner
2019-01-27 10:29 ` Heiko Stuebner
2019-01-27 10:29 ` Heiko Stuebner
2019-01-28 3:14 ` Tao Huang
2019-01-28 3:14 ` Tao Huang
2019-01-28 3:14 ` Tao Huang
2019-03-15 3:31 ` Eric Biggers
2019-03-15 3:31 ` Eric Biggers
2019-03-15 3:31 ` Eric Biggers
2019-03-16 22:31 ` Ezequiel Garcia
2019-03-16 22:31 ` Ezequiel Garcia
2019-03-16 22:31 ` Ezequiel Garcia
2019-03-18 15:03 ` Gael PORTAY
2019-03-18 15:03 ` Gael PORTAY
2019-03-18 15:03 ` Gael PORTAY
2019-03-21 17:04 ` Gael PORTAY
2019-03-21 17:04 ` Gael PORTAY
2019-03-25 6:31 ` Zhang Zhijie
2019-03-25 6:31 ` Zhang Zhijie
2019-04-04 13:41 ` Pascal Van Leeuwen
2019-04-04 13:41 ` Pascal Van Leeuwen
2019-04-04 13:41 ` Pascal Van Leeuwen
2019-04-04 17:12 ` Eric Biggers
2019-04-04 17:12 ` Eric Biggers
2019-04-04 17:12 ` Eric Biggers
2019-04-07 12:42 ` Herbert Xu
2019-04-07 12:42 ` Herbert Xu
2019-04-07 12:42 ` Herbert Xu
2019-04-07 19:12 ` Pascal Van Leeuwen
2019-04-07 19:12 ` Pascal Van Leeuwen
2019-04-07 19:12 ` Pascal Van Leeuwen
2019-04-08 5:58 ` Herbert Xu
2019-04-08 5:58 ` Herbert Xu
2019-04-08 5:58 ` Herbert Xu
2019-04-08 8:59 ` Pascal Van Leeuwen
2019-04-08 8:59 ` Pascal Van Leeuwen
2019-04-08 8:59 ` Pascal Van Leeuwen
2019-04-08 9:06 ` Herbert Xu
2019-04-08 9:06 ` Herbert Xu
2019-04-08 9:06 ` Herbert Xu
2019-04-09 15:53 ` Pascal Van Leeuwen
2019-04-09 15:53 ` Pascal Van Leeuwen
2019-04-09 15:53 ` Pascal Van Leeuwen
2019-04-08 18:09 ` Eric Biggers
2019-04-08 18:09 ` Eric Biggers
2019-04-08 18:09 ` Eric Biggers
2019-04-09 16:43 ` Pascal Van Leeuwen
2019-04-09 16:43 ` Pascal Van Leeuwen
2019-04-09 16:43 ` Pascal Van Leeuwen
2019-04-08 18:27 ` Eric Biggers
2019-04-08 18:27 ` Eric Biggers
2019-04-08 18:27 ` Eric Biggers
2019-04-08 21:17 ` Ard Biesheuvel [this message]
2019-04-08 21:17 ` Ard Biesheuvel
2019-04-08 21:17 ` Ard Biesheuvel
2019-04-09 16:58 ` Pascal Van Leeuwen
2019-04-09 16:58 ` Pascal Van Leeuwen
2019-04-09 16:58 ` Pascal Van Leeuwen
2019-03-21 10:46 ` [Bug] STM32 crc driver failed on selftest 1 Lionel DEBIEVE
2019-03-21 13:41 ` Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=CAKv+Gu8q6RTT134kZTjKkxDrWLezfio0AVWf8rnTji4wVdUpnw@mail.gmail.com \
--to=ard.biesheuvel@linaro.org \
--cc=arnd@arndb.de \
--cc=ebiggers@kernel.org \
--cc=ezequiel@collabora.com \
--cc=heiko@sntech.de \
--cc=herbert@gondor.apana.org.au \
--cc=huangtao@rock-chips.com \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-rockchip@lists.infradead.org \
--cc=olof@lixom.net \
--cc=pvanleeuwen@insidesecure.com \
--cc=wzz@rock-chips.com \
--cc=zhangzj@rock-chips.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.