Linux-Crypto Archive on lore.kernel.org
* [PATCH v2] net: phy: mscc: avoid skcipher API for single block AES encryption
@ 2020-06-25  7:18 Ard Biesheuvel
  2020-06-25  7:54 ` Antoine Tenart
  2020-06-25 19:16 ` David Miller
  0 siblings, 2 replies; 4+ messages in thread
From: Ard Biesheuvel @ 2020-06-25  7:18 UTC (permalink / raw)
  To: netdev
  Cc: linux-crypto, Ard Biesheuvel, Antoine Tenart, Andrew Lunn,
	Florian Fainelli, Heiner Kallweit, David S. Miller,
	Jakub Kicinski, stable, Eric Biggers

The skcipher API dynamically instantiates the transformation object
on request that implements the requested algorithm optimally on the
given platform. This notion of optimality only matters for cases like
bulk network or disk encryption, where performance can be a bottleneck,
or in cases where the algorithm itself is not known at compile time.

In the mscc case, we are dealing with AES encryption of a single
block, and so neither concern applies, and we are better off using
the AES library interface, which is lightweight and safe for this
kind of use.

Note that the scatterlist API does not permit references to buffers
that are located on the stack, so the existing code is incorrect in
any case, but avoiding the skcipher and scatterlist APIs entirely is
the most straight-forward approach to fixing this.

Cc: Antoine Tenart <antoine.tenart@bootlin.com>
Cc: Andrew Lunn <andrew@lunn.ch>
Cc: Florian Fainelli <f.fainelli@gmail.com>
Cc: Heiner Kallweit <hkallweit1@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: <stable@vger.kernel.org>
Fixes: 28c5107aa904e ("net: phy: mscc: macsec support")
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
v2:
- select CRYPTO_LIB_AES only if MACSEC is enabled
- add Eric's R-b

 drivers/net/phy/Kconfig            |  3 +-
 drivers/net/phy/mscc/mscc_macsec.c | 40 +++++---------------
 2 files changed, 10 insertions(+), 33 deletions(-)

diff --git a/drivers/net/phy/Kconfig b/drivers/net/phy/Kconfig
index f25702386d83..e351d65533aa 100644
--- a/drivers/net/phy/Kconfig
+++ b/drivers/net/phy/Kconfig
@@ -480,8 +480,7 @@ config MICROCHIP_T1_PHY
 config MICROSEMI_PHY
 	tristate "Microsemi PHYs"
 	depends on MACSEC || MACSEC=n
-	select CRYPTO_AES
-	select CRYPTO_ECB
+	select CRYPTO_LIB_AES if MACSEC
 	help
 	  Currently supports VSC8514, VSC8530, VSC8531, VSC8540 and VSC8541 PHYs
 
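Review bot: the help text should say that MACsec offload on these PHYs requires CONFIG_MACSEC, since the AES dependency is now only selected `if MACSEC` and the driver already carries `depends on MACSEC || MACSEC=n`; a reader of the help block sees only the supported part numbers and has no hint that the crypto dependency is conditional. The replacement of the unconditional `select CRYPTO_AES` / `select CRYPTO_ECB` is otherwise right: MACSEC=n builds no longer drag in the skcipher-based AES and ECB templates for code they cannot reach.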
diff --git a/drivers/net/phy/mscc/mscc_macsec.c b/drivers/net/phy/mscc/mscc_macsec.c
index b4d3dc4068e2..d53ca884b5c9 100644
--- a/drivers/net/phy/mscc/mscc_macsec.c
+++ b/drivers/net/phy/mscc/mscc_macsec.c
@@ -10,7 +10,7 @@
 #include <linux/phy.h>
 #include <dt-bindings/net/mscc-phy-vsc8531.h>
 
-#include <crypto/skcipher.h>
+#include <crypto/aes.h>
 
 #include <net/macsec.h>
 
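Review bot: `memzero_explicit()`, used in the next hunk, is declared in `linux/string.h`, and the removed `crypto/skcipher.h` may have been what pulled that header in transitively; the includes visible in this context (`linux/phy.h`, the dt-bindings header, `net/macsec.h`) do not show it explicitly, so it is worth confirming the file still builds without relying on `crypto/aes.h` to provide it.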
@@ -500,39 +500,17 @@ static u32 vsc8584_macsec_flow_context_id(struct macsec_flow *flow)
 static int vsc8584_macsec_derive_key(const u8 key[MACSEC_KEYID_LEN],
 				     u16 key_len, u8 hkey[16])
 {
-	struct crypto_skcipher *tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0);
-	struct skcipher_request *req = NULL;
-	struct scatterlist src, dst;
-	DECLARE_CRYPTO_WAIT(wait);
-	u32 input[4] = {0};
+	const u8 input[AES_BLOCK_SIZE] = {0};
+	struct crypto_aes_ctx ctx;
 	int ret;
 
-	if (IS_ERR(tfm))
-		return PTR_ERR(tfm);
-
-	req = skcipher_request_alloc(tfm, GFP_KERNEL);
-	if (!req) {
-		ret = -ENOMEM;
-		goto out;
-	}
-
-	skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
-				      CRYPTO_TFM_REQ_MAY_SLEEP, crypto_req_done,
-				      &wait);
-	ret = crypto_skcipher_setkey(tfm, key, key_len);
-	if (ret < 0)
-		goto out;
-
-	sg_init_one(&src, input, 16);
-	sg_init_one(&dst, hkey, 16);
-	skcipher_request_set_crypt(req, &src, &dst, 16, NULL);
-
-	ret = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
+	ret = aes_expandkey(&ctx, key, key_len);
+	if (ret)
+		return ret;
 
-out:
-	skcipher_request_free(req);
-	crypto_free_skcipher(tfm);
-	return ret;
+	aes_encrypt(&ctx, hkey, input);
+	memzero_explicit(&ctx, sizeof(ctx));
+	return 0;
 }
 
 static int vsc8584_macsec_transformation(struct phy_device *phydev,
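Review bot: the prototype still declares the output as `u8 hkey[16]` while the body now uses `AES_BLOCK_SIZE` for `input`; using `AES_BLOCK_SIZE` in the parameter as well would keep the two in step, e.g. `u16 key_len, u8 hkey[AES_BLOCK_SIZE])`. On the substance, the removed code built scatterlists over `input` (a stack array) and `hkey` (a caller buffer), which the scatterlist API does not allow, and the replacement has no scatterlists at all, so the bug the commit message describes is closed rather than worked around. The error path is preserved: `aes_expandkey()` returns -EINVAL for a key length other than 16, 24 or 32 bytes, matching what `crypto_skcipher_setkey()` rejected before, and the `if (ret) return ret;` propagates it. `aes_encrypt(&ctx, hkey, input)` follows the library's (ctx, out, in) argument order, and `memzero_explicit(&ctx, sizeof(ctx))` wipes the expanded round keys from the stack before return, which the skcipher version never did for its transient state on the stack; that is a small security improvement worth calling out in the commit message.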
-- 
2.27.0



* Re: [PATCH v2] net: phy: mscc: avoid skcipher API for single block AES encryption
  2020-06-25  7:18 [PATCH v2] net: phy: mscc: avoid skcipher API for single block AES encryption Ard Biesheuvel
@ 2020-06-25  7:54 ` Antoine Tenart
  2020-06-25 19:16 ` David Miller
  1 sibling, 0 replies; 4+ messages in thread
From: Antoine Tenart @ 2020-06-25  7:54 UTC (permalink / raw)
  To: Ard Biesheuvel, netdev
  Cc: linux-crypto, Ard Biesheuvel, Andrew Lunn, Florian Fainelli,
	Heiner Kallweit, David S. Miller, Jakub Kicinski, stable,
	Eric Biggers

Hello Ard,

Quoting Ard Biesheuvel (2020-06-25 09:18:16)
> The skcipher API dynamically instantiates the transformation object
> on request that implements the requested algorithm optimally on the
> given platform. This notion of optimality only matters for cases like
> bulk network or disk encryption, where performance can be a bottleneck,
> or in cases where the algorithm itself is not known at compile time.
> 
> In the mscc case, we are dealing with AES encryption of a single
> block, and so neither concern applies, and we are better off using
> the AES library interface, which is lightweight and safe for this
> kind of use.
> 
> Note that the scatterlist API does not permit references to buffers
> that are located on the stack, so the existing code is incorrect in
> any case, but avoiding the skcipher and scatterlist APIs entirely is
> the most straight-forward approach to fixing this.
> 
> Cc: Antoine Tenart <antoine.tenart@bootlin.com>
> Cc: Andrew Lunn <andrew@lunn.ch>
> Cc: Florian Fainelli <f.fainelli@gmail.com>
> Cc: Heiner Kallweit <hkallweit1@gmail.com>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: Jakub Kicinski <kuba@kernel.org>
> Cc: <stable@vger.kernel.org>
> Fixes: 28c5107aa904e ("net: phy: mscc: macsec support")
> Reviewed-by: Eric Biggers <ebiggers@google.com>
> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>

Tested-by: Antoine Tenart <antoine.tenart@bootlin.com>

That improves and simplifies the code a lot, thank you!
Antoine

> ---
> v2:
> - select CRYPTO_LIB_AES only if MACSEC is enabled
> - add Eric's R-b
> 
>  drivers/net/phy/Kconfig            |  3 +-
>  drivers/net/phy/mscc/mscc_macsec.c | 40 +++++---------------
>  2 files changed, 10 insertions(+), 33 deletions(-)
> 
> diff --git a/drivers/net/phy/Kconfig b/drivers/net/phy/Kconfig
> index f25702386d83..e351d65533aa 100644
> --- a/drivers/net/phy/Kconfig
> +++ b/drivers/net/phy/Kconfig
> @@ -480,8 +480,7 @@ config MICROCHIP_T1_PHY
>  config MICROSEMI_PHY
>         tristate "Microsemi PHYs"
>         depends on MACSEC || MACSEC=n
> -       select CRYPTO_AES
> -       select CRYPTO_ECB
> +       select CRYPTO_LIB_AES if MACSEC
>         help
>           Currently supports VSC8514, VSC8530, VSC8531, VSC8540 and VSC8541 PHYs
>  
> diff --git a/drivers/net/phy/mscc/mscc_macsec.c b/drivers/net/phy/mscc/mscc_macsec.c
> index b4d3dc4068e2..d53ca884b5c9 100644
> --- a/drivers/net/phy/mscc/mscc_macsec.c
> +++ b/drivers/net/phy/mscc/mscc_macsec.c
> @@ -10,7 +10,7 @@
>  #include <linux/phy.h>
>  #include <dt-bindings/net/mscc-phy-vsc8531.h>
>  
> -#include <crypto/skcipher.h>
> +#include <crypto/aes.h>
>  
>  #include <net/macsec.h>
>  
> @@ -500,39 +500,17 @@ static u32 vsc8584_macsec_flow_context_id(struct macsec_flow *flow)
>  static int vsc8584_macsec_derive_key(const u8 key[MACSEC_KEYID_LEN],
>                                      u16 key_len, u8 hkey[16])
>  {
> -       struct crypto_skcipher *tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0);
> -       struct skcipher_request *req = NULL;
> -       struct scatterlist src, dst;
> -       DECLARE_CRYPTO_WAIT(wait);
> -       u32 input[4] = {0};
> +       const u8 input[AES_BLOCK_SIZE] = {0};
> +       struct crypto_aes_ctx ctx;
>         int ret;
>  
> -       if (IS_ERR(tfm))
> -               return PTR_ERR(tfm);
> -
> -       req = skcipher_request_alloc(tfm, GFP_KERNEL);
> -       if (!req) {
> -               ret = -ENOMEM;
> -               goto out;
> -       }
> -
> -       skcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG |
> -                                     CRYPTO_TFM_REQ_MAY_SLEEP, crypto_req_done,
> -                                     &wait);
> -       ret = crypto_skcipher_setkey(tfm, key, key_len);
> -       if (ret < 0)
> -               goto out;
> -
> -       sg_init_one(&src, input, 16);
> -       sg_init_one(&dst, hkey, 16);
> -       skcipher_request_set_crypt(req, &src, &dst, 16, NULL);
> -
> -       ret = crypto_wait_req(crypto_skcipher_encrypt(req), &wait);
> +       ret = aes_expandkey(&ctx, key, key_len);
> +       if (ret)
> +               return ret;
>  
> -out:
> -       skcipher_request_free(req);
> -       crypto_free_skcipher(tfm);
> -       return ret;
> +       aes_encrypt(&ctx, hkey, input);
> +       memzero_explicit(&ctx, sizeof(ctx));
> +       return 0;
>  }
>  
>  static int vsc8584_macsec_transformation(struct phy_device *phydev,
> -- 
> 2.27.0
> 

-- 
Antoine Ténart, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* Re: [PATCH v2] net: phy: mscc: avoid skcipher API for single block AES encryption
  2020-06-25  7:18 [PATCH v2] net: phy: mscc: avoid skcipher API for single block AES encryption Ard Biesheuvel
  2020-06-25  7:54 ` Antoine Tenart
@ 2020-06-25 19:16 ` David Miller
  2020-06-25 19:32   ` Ard Biesheuvel
  1 sibling, 1 reply; 4+ messages in thread
From: David Miller @ 2020-06-25 19:16 UTC (permalink / raw)
  To: ardb
  Cc: netdev, linux-crypto, antoine.tenart, andrew, f.fainelli,
	hkallweit1, kuba, stable, ebiggers

From: Ard Biesheuvel <ardb@kernel.org>
Date: Thu, 25 Jun 2020 09:18:16 +0200

> The skcipher API dynamically instantiates the transformation object
> on request that implements the requested algorithm optimally on the
> given platform. This notion of optimality only matters for cases like
> bulk network or disk encryption, where performance can be a bottleneck,
> or in cases where the algorithm itself is not known at compile time.
> 
> In the mscc case, we are dealing with AES encryption of a single
> block, and so neither concern applies, and we are better off using
> the AES library interface, which is lightweight and safe for this
> kind of use.
> 
> Note that the scatterlist API does not permit references to buffers
> that are located on the stack, so the existing code is incorrect in
> any case, but avoiding the skcipher and scatterlist APIs entirely is
> the most straight-forward approach to fixing this.
> 
> Fixes: 28c5107aa904e ("net: phy: mscc: macsec support")
> Reviewed-by: Eric Biggers <ebiggers@google.com>
> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>

Applied and queued up for -stable, thanks.

Please never CC: stable for networking changes, I handle the submissions
by hand.

Thank you.


* Re: [PATCH v2] net: phy: mscc: avoid skcipher API for single block AES encryption
  2020-06-25 19:16 ` David Miller
@ 2020-06-25 19:32   ` Ard Biesheuvel
  0 siblings, 0 replies; 4+ messages in thread
From: Ard Biesheuvel @ 2020-06-25 19:32 UTC (permalink / raw)
  To: David Miller
  Cc: netdev, Linux Crypto Mailing List, Antoine Tenart, Andrew Lunn,
	Florian Fainelli, Heiner Kallweit, Jakub Kicinski, Eric Biggers

On Thu, 25 Jun 2020 at 21:16, David Miller <davem@davemloft.net> wrote:
>
> From: Ard Biesheuvel <ardb@kernel.org>
> Date: Thu, 25 Jun 2020 09:18:16 +0200
>
> > The skcipher API dynamically instantiates the transformation object
> > on request that implements the requested algorithm optimally on the
> > given platform. This notion of optimality only matters for cases like
> > bulk network or disk encryption, where performance can be a bottleneck,
> > or in cases where the algorithm itself is not known at compile time.
> >
> > In the mscc case, we are dealing with AES encryption of a single
> > block, and so neither concern applies, and we are better off using
> > the AES library interface, which is lightweight and safe for this
> > kind of use.
> >
> > Note that the scatterlist API does not permit references to buffers
> > that are located on the stack, so the existing code is incorrect in
> > any case, but avoiding the skcipher and scatterlist APIs entirely is
> > the most straight-forward approach to fixing this.
> >
> > Fixes: 28c5107aa904e ("net: phy: mscc: macsec support")
> > Reviewed-by: Eric Biggers <ebiggers@google.com>
> > Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
>
> Applied and queued up for -stable, thanks.
>
> Please never CC: stable for networking changes, I handle the submissions
> by hand.
>

Noted, thanks.
