From: Horia Geanta <horia.geanta@nxp.com>
To: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
Eric Biggers <ebiggers@kernel.org>,
Iuliana Prodan <iuliana.prodan@nxp.com>,
"David S. Miller" <davem@davemloft.net>,
Sascha Hauer <s.hauer@pengutronix.de>,
"linux-crypto@vger.kernel.org" <linux-crypto@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
dl-linux-imx <linux-imx@nxp.com>
Subject: Re: [PATCH] crypto: gcm - fix cacheline sharing
Date: Thu, 30 May 2019 13:18:34 +0000 [thread overview]
Message-ID: <VI1PR0402MB34859577A96645E890BD8F3198180@VI1PR0402MB3485.eurprd04.prod.outlook.com> (raw)
In-Reply-To: CAKv+Gu84HndAnkn7DU=ykjCokw_+bAHEcF0Rm12-hnXhVy2u_Q@mail.gmail.com
On 5/30/2019 11:08 AM, Ard Biesheuvel wrote:
> On Thu, 30 May 2019 at 09:46, Horia Geanta <horia.geanta@nxp.com> wrote:
>>
>> On 5/30/2019 8:34 AM, Herbert Xu wrote:
>>> On Wed, May 29, 2019 at 01:27:28PM -0700, Eric Biggers wrote:
>>>>
>>>> So what about the other places that also pass an IV located next to the data,
>>>> like crypto/ccm.c and crypto/adiantum.c? If we're actually going to make this a
>> Fix for ccm is WIP.
>> We were not aware of adiantum since our crypto engine does not accelerate it.
>>
>>>> new API requirement, then we need to add a debugging option that makes the API
>>>> detect this violation so that the other places can be fixed too.
>>>>
>> IMO this is not a new crypto API requirement.
>> crypto API and its users must follow DMA API rules, besides crypto-specific ones.
>>
>> In this particular case, crypto/gcm.c is both an implementation and a crypto API
>> user, since it uses underneath ctr(aes) (and ghash).
>> Currently generic gcm implementation is breaking DMA API, since part of the dst
>> buffer (auth_tag) provided to ctr(aes) is sharing a cache line with some other
>> data structure (iv).
>>
>> The DMA API rule is mentioned in Documentation/DMA-API.txt
>>
>> .. warning::
>>
>> Memory coherency operates at a granularity called the cache
>> line width. In order for memory mapped by this API to operate
>> correctly, the mapped region must begin exactly on a cache line
>> boundary and end exactly on one (to prevent two separately mapped
>> regions from sharing a single cache line).
>>
>>
>
> This is overly restrictive, and not in line with reality. The whole
> networking stack operates on buffers shifted by 2 bytes if
> NET_IP_ALIGN is left at its default value of 2. There are numerous
> examples in other places as well.
>
> Given that kmalloc() will take the cacheline granularity into account
> if necessary, the only way this issue can hit is when a single kmalloc
> buffer is written to by two different masters.
>
I guess there are only two options:
-either cache line sharing is avoided OR
-users need to be *aware* they are sharing the cache line and some rules /
assumptions are in place on how to safely work on the data
What you are probably saying is that 2nd option is sometimes the way to go.
>>>> Also, did you consider whether there's any way to make the crypto API handle
>>>> this automatically, so that all the individual users don't have to?
>> That would probably work, but I guess it would come up with a big overhead.
>>
>> I am thinking crypto API would have to check each buffer used by src, dst
>> scatterlists is correctly aligned - starting and ending on cache line boundaries.
>>
>>>
>>> You're absolutely right Eric.
>>>
>>> What I suggested in the old thread is non-sense. While you can
>>> force GCM to provide the right pointers you cannot force all the
>>> other crypto API users to do this.
>>>
>> Whose problem is that crypto API users don't follow the DMA API requirements?
>>
>>> It would appear that Ard's latest suggestion should fix the problem
>>> and is the correct approach.
>>>
>> I disagree.
>> We shouldn't force crypto implementations to be aware of such inconsistencies in
>> the I/O data buffers (pointed to by src/dst scatterlists) that are supposed to
>> be safely DMA mapped.
>>
>
> I'm on the fence here. On the one hand, it is slightly dodgy for the
> GCM driver to pass a scatterlist referencing a buffer that shares a
> cacheline with another buffer passed by an ordinary pointer, and for
> which an explicit requirement exists that the callee should update it
> before returning.
>
> On the other hand, I think it is reasonable to require drivers not to
> perform such updates while the scatterlist is mapped for DMA, since
> fixing it in the callers puts a disproportionate burden on them, given
> that non-coherent DMA only represents a small minority of use cases.
>
The problem with this approach is that the buffers in the scatterlist could
hypothetically share cache lines with *any* other CPU-updated data, not just the
IV in the crypto request (as it happens here).
How could a non-coherent DMA implementation cope with this?
Thanks,
Horia
next prev parent reply other threads:[~2019-05-30 13:18 UTC|newest]
Thread overview: 44+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-29 17:10 [PATCH] crypto: gcm - fix cacheline sharing Iuliana Prodan
2019-05-29 20:27 ` Eric Biggers
2019-05-29 22:16 ` Ard Biesheuvel
2019-05-30 13:29 ` Iuliana Prodan
2019-05-30 13:34 ` Herbert Xu
2019-05-30 13:45 ` Iuliana Prodan
2019-05-30 13:53 ` Ard Biesheuvel
2019-05-30 13:55 ` Ard Biesheuvel
2019-05-30 14:27 ` Herbert Xu
2019-05-30 14:28 ` Ard Biesheuvel
2019-05-30 14:31 ` Ard Biesheuvel
2019-05-30 14:34 ` Herbert Xu
2019-05-30 15:04 ` Ard Biesheuvel
2019-05-30 15:06 ` Herbert Xu
2019-05-30 15:10 ` Ard Biesheuvel
2019-05-30 15:13 ` Herbert Xu
2019-05-30 15:17 ` Ard Biesheuvel
2019-05-30 22:00 ` Iuliana Prodan
2019-05-31 5:54 ` Horia Geanta
2019-05-30 14:53 ` Pascal Van Leeuwen
2019-05-30 15:13 ` Ard Biesheuvel
2019-06-06 6:37 ` Herbert Xu
2019-06-06 6:42 ` Ard Biesheuvel
2019-06-06 6:46 ` Herbert Xu
2019-06-06 6:53 ` Ard Biesheuvel
2019-06-06 6:57 ` Herbert Xu
2019-06-06 7:10 ` Horia Geanta
2019-06-06 7:15 ` Herbert Xu
2019-06-06 8:36 ` Horia Geanta
2019-06-06 9:33 ` Herbert Xu
2019-05-30 13:58 ` Herbert Xu
2019-05-30 14:11 ` Ard Biesheuvel
2019-05-30 14:29 ` Pascal Van Leeuwen
2019-05-30 5:34 ` Herbert Xu
2019-05-30 7:46 ` Horia Geanta
2019-05-30 8:08 ` Ard Biesheuvel
2019-05-30 13:18 ` Horia Geanta [this message]
2019-05-30 13:25 ` Ard Biesheuvel
2019-05-31 6:05 ` Horia Geanta
2019-05-30 13:26 ` Herbert Xu
2019-05-31 5:22 ` Horia Geanta
2019-05-31 5:42 ` Herbert Xu
2019-05-31 6:10 ` Horia Geanta
2019-05-31 6:14 ` Herbert Xu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=VI1PR0402MB34859577A96645E890BD8F3198180@VI1PR0402MB3485.eurprd04.prod.outlook.com \
--to=horia.geanta@nxp.com \
--cc=ard.biesheuvel@linaro.org \
--cc=davem@davemloft.net \
--cc=ebiggers@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=iuliana.prodan@nxp.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-imx@nxp.com \
--cc=linux-kernel@vger.kernel.org \
--cc=s.hauer@pengutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).