linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: David Gstir <david@sigma-star.at>
Cc: "Horia Geantă" <horia.geanta@nxp.com>,
	"Aymen Sghaier" <aymen.sghaier@nxp.com>,
	"Herbert Xu" <herbert@gondor.apana.org.au>,
	"David S. Miller" <davem@davemloft.net>,
	kernel@pengutronix.de, "James Bottomley" <jejb@linux.ibm.com>,
	"Jarkko Sakkinen" <jarkko@kernel.org>,
	"Mimi Zohar" <zohar@linux.ibm.com>,
	"David Howells" <dhowells@redhat.com>,
	"James Morris" <jmorris@namei.org>,
	"Eric Biggers" <ebiggers@kernel.org>,
	"Serge E. Hallyn" <serge@hallyn.com>,
	"Udit Agarwal" <udit.agarwal@nxp.com>,
	"Jan Luebbe" <j.luebbe@pengutronix.de>,
	"Richard Weinberger" <richard@nod.at>,
	"Franck LENORMAND" <franck.lenormand@nxp.com>,
	"Sumit Garg" <sumit.garg@linaro.org>,
	linux-integrity@vger.kernel.org, keyrings@vger.kernel.org,
	linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
	linux-security-module@vger.kernel.org
Subject: Re: [PATCH 3/4] crypto: caam - add in-kernel interface for blob generator
Date: Wed, 11 Aug 2021 12:22:47 +0200	[thread overview]
Message-ID: <7cc83edd-dc39-ee7e-d18c-30b2492247ea@pengutronix.de> (raw)
In-Reply-To: <796E18E6-1329-40D6-B12F-4CE6C90DD988@sigma-star.at>

On 10.08.21 13:29, David Gstir wrote:
> Hi Ahmad,
> 
>> On 21.07.2021, at 18:48, Ahmad Fatoum <a.fatoum@pengutronix.de> wrote:
> 
> 
> [...]
> 
>> diff --git a/drivers/crypto/caam/blob_gen.c b/drivers/crypto/caam/blob_gen.c
>> new file mode 100644
>> index 000000000000..513d3f90e438
>> --- /dev/null
>> +++ b/drivers/crypto/caam/blob_gen.c
>> @@ -0,0 +1,230 @@
> 
> [...]
> 
>> +
>> +int caam_encap_blob(struct caam_blob_priv *priv, const char *keymod,
>> +		    void *input, void *output, size_t length)
>> +{
>> +	u32 *desc;
>> +	struct device *jrdev = &priv->jrdev;
>> +	dma_addr_t dma_in, dma_out;
>> +	struct caam_blob_job_result testres;
>> +	size_t keymod_len = strlen(keymod);
>> +	int ret;
>> +
>> +	if (length <= CAAM_BLOB_OVERHEAD || keymod_len > CAAM_BLOB_KEYMOD_LENGTH)
> 
> The docs for this function mention the length <= CAAM_BLOB_MAX_LEN
> restriction. This is not checked here. Is this intended?

Yes.

> Since you already assert that MAX_BLOB_SIZE <= CAAM_BLOB_MAX_LEN
> in security/keys/trusted-keys/trusted_caam.c, this will never
> be an issue for CAAM-based trusted-keys though.
I omitted checks in code, which are verified at compile-time.
Would you prefer a runtime check to be added as well?

>> +		return -EINVAL;
>> +
>> +	desc = caam_blob_alloc_desc(keymod_len);
>> +	if (!desc) {
>> +		dev_err(jrdev, "unable to allocate desc\n");
>> +		return -ENOMEM;
>> +	}
>> +
> 
> [...]
> 
>> diff --git a/include/soc/fsl/caam-blob.h b/include/soc/fsl/caam-blob.h
>> new file mode 100644
>> index 000000000000..aebbc9335f64
>> --- /dev/null
>> +++ b/include/soc/fsl/caam-blob.h
>> @@ -0,0 +1,56 @@
>> +/* SPDX-License-Identifier: GPL-2.0-only */
>> +/*
>> + * Copyright (C) 2020 Pengutronix, Ahmad Fatoum <kernel@pengutronix.de>
>> + */
>> +
>> +#ifndef __CAAM_BLOB_GEN
>> +#define __CAAM_BLOB_GEN
>> +
>> +#include <linux/types.h>
>> +
>> +#define CAAM_BLOB_KEYMOD_LENGTH		16
>> +#define CAAM_BLOB_OVERHEAD		(32 + 16)
>> +#define CAAM_BLOB_MAX_LEN		4096
>> +
>> +struct caam_blob_priv;
>> +
>> +/** caam_blob_gen_init - initialize blob generation
>> + *
>> + * returns either pointer to new caam_blob_priv instance
>> + * or error pointer
>> + */
>> +struct caam_blob_priv *caam_blob_gen_init(void);
>> +
>> +/** caam_blob_gen_init - free blob generation resources
> 
> s/init/exit/

Oh, thanks for catching.

>> + *
>> + * @priv: instance returned by caam_blob_gen_init
>> + */
>> +void caam_blob_gen_exit(struct caam_blob_priv *priv);
> 
> 
> Except these minor things, I noticed no issues with this whole series:
> 
> Reviewed-by: David Gstir <david@sigma-star.at>

Thanks! Will include it with the next iteration.

Cheers,
Ahmad 


> 
> 
> 


-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

  reply	other threads:[~2021-08-11 10:23 UTC|newest]

Thread overview: 28+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-21 16:48 [PATCH 0/4] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys Ahmad Fatoum
2021-07-21 16:48 ` [PATCH 1/4] KEYS: trusted: allow users to use kernel RNG for key material Ahmad Fatoum
2021-07-22  6:17   ` Sumit Garg
2021-07-21 16:48 ` [PATCH 2/4] KEYS: trusted: allow trust sources " Ahmad Fatoum
2021-07-22  6:31   ` Sumit Garg
2021-08-09  7:52     ` Ahmad Fatoum
2021-08-09  9:56       ` Jarkko Sakkinen
2021-08-10  5:24         ` Sumit Garg
2021-07-21 16:48 ` [PATCH 3/4] crypto: caam - add in-kernel interface for blob generator Ahmad Fatoum
2021-08-10 11:29   ` David Gstir
2021-08-11 10:22     ` Ahmad Fatoum [this message]
2021-08-11 10:43       ` David Gstir
2021-07-21 16:48 ` [PATCH 4/4] KEYS: trusted: Introduce support for NXP CAAM-based trusted keys Ahmad Fatoum
2021-08-06 15:12 ` [PATCH 0/4] " Ahmad Fatoum
2021-08-09  9:35   ` Jarkko Sakkinen
2021-08-09 10:16     ` Ahmad Fatoum
2021-08-10 11:28       ` David Gstir
2021-08-20 16:25         ` Ahmad Fatoum
2021-08-20 15:39 ` Tim Harvey
2021-08-20 16:19   ` Ahmad Fatoum
2021-08-20 20:20     ` Tim Harvey
2021-08-20 20:36       ` Ahmad Fatoum
2021-08-20 21:19         ` Tim Harvey
2021-08-23 13:29           ` Ahmad Fatoum
2021-08-23 17:50             ` Tim Harvey
2021-08-24  7:33               ` Ahmad Fatoum
2021-08-24 15:23                 ` Tim Harvey
2021-08-25  9:34                   ` Ahmad Fatoum

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=7cc83edd-dc39-ee7e-d18c-30b2492247ea@pengutronix.de \
    --to=a.fatoum@pengutronix.de \
    --cc=aymen.sghaier@nxp.com \
    --cc=davem@davemloft.net \
    --cc=david@sigma-star.at \
    --cc=dhowells@redhat.com \
    --cc=ebiggers@kernel.org \
    --cc=franck.lenormand@nxp.com \
    --cc=herbert@gondor.apana.org.au \
    --cc=horia.geanta@nxp.com \
    --cc=j.luebbe@pengutronix.de \
    --cc=jarkko@kernel.org \
    --cc=jejb@linux.ibm.com \
    --cc=jmorris@namei.org \
    --cc=kernel@pengutronix.de \
    --cc=keyrings@vger.kernel.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-integrity@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    --cc=richard@nod.at \
    --cc=serge@hallyn.com \
    --cc=sumit.garg@linaro.org \
    --cc=udit.agarwal@nxp.com \
    --cc=zohar@linux.ibm.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).