NX CCM has not support to keys larger than 128 neither our hardware. In cases where a system is running in fips mode enabled a tcrypt test will crash the system in a kernel panic call. This patch disable, for now, CCM's algorithms in fips mode to avoid this. Signed-off-by: Leonidas S. Barbosa <leosilva@xxxxxxxxxxxxxxxxxx> --- drivers/crypto/nx/nx.c | 32 ++++++++++++++++++++++---------- 1 files changed, 22 insertions(+), 10 deletions(-) diff --git a/drivers/crypto/nx/nx.c b/drivers/crypto/nx/nx.c index aa8c38d..a32239c 100644 --- a/drivers/crypto/nx/nx.c +++ b/drivers/crypto/nx/nx.c @@ -35,6 +35,7 @@ #include <linux/of.h> #include <asm/hvcall.h> #include <asm/vio.h> +#include <linux/fips.h> #include "nx_csbcpb.h" #include "nx.h" @@ -566,13 +567,15 @@ static int nx_register_algs(void) if (rc) goto out_unreg_gcm; - rc = crypto_register_alg(&nx_ccm_aes_alg); - if (rc) - goto out_unreg_gcm4106; + if (!fips_enabled) { + rc = crypto_register_alg(&nx_ccm_aes_alg); + if (rc) + goto out_unreg_gcm4106; - rc = crypto_register_alg(&nx_ccm4309_aes_alg); - if (rc) - goto out_unreg_ccm; + rc = crypto_register_alg(&nx_ccm4309_aes_alg); + if (rc) + goto out_unreg_ccm; + } rc = crypto_register_shash(&nx_shash_sha256_alg); if (rc) @@ -593,9 +596,11 @@ out_unreg_s512: out_unreg_s256: crypto_unregister_shash(&nx_shash_sha256_alg); out_unreg_ccm4309: - crypto_unregister_alg(&nx_ccm4309_aes_alg); + if (!fips_enabled) + crypto_unregister_alg(&nx_ccm4309_aes_alg); out_unreg_ccm: - crypto_unregister_alg(&nx_ccm_aes_alg); + if (fips_enabled) + crypto_unregister_alg(&nx_ccm_aes_alg); out_unreg_gcm4106: crypto_unregister_alg(&nx_gcm4106_aes_alg); out_unreg_gcm: @@ -746,8 +751,15 @@ static int nx_remove(struct vio_dev *viodev) if (nx_driver.of.status == NX_OKAY) { NX_DEBUGFS_FINI(&nx_driver); - crypto_unregister_alg(&nx_ccm_aes_alg); - crypto_unregister_alg(&nx_ccm4309_aes_alg); + /* CCM algorithm has not support to keys larger than 128 + * however tcrypt test uses key larger than. If a system + * runs with fips enabled it'll crash. For now we need to + * disable this two algorithms in fips mode. + */ + if (!fips_enabled) { + crypto_unregister_alg(&nx_ccm_aes_alg); + crypto_unregister_alg(&nx_ccm4309_aes_alg); + } crypto_unregister_alg(&nx_gcm_aes_alg); crypto_unregister_alg(&nx_gcm4106_aes_alg); crypto_unregister_alg(&nx_ctr_aes_alg); -- 1.7.1 -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html