On 6/6/2019 9:58 AM, Herbert Xu wrote:
> On Thu, Jun 06, 2019 at 08:53:10AM +0200, Ard Biesheuvel wrote:
>>
>> That same patch 'fixes' CBC, since CBC was never broken to begin with.
>> The CTS driver does not have something like the auth_tag sharing the
>> same cacheline with the IV, so CBC has always worked fine.
>
> CBC is broken. Any crypto API user is allowed to place the IV
> in the same position relative to the src/dst buffer. So the driver
> must deal with it.
>

That's the theory. In practice we haven't encountered any issue so far,
but yes, this case has to be handled properly.

> It's just that the CTR/ghash combo happened to expose this first.
>

Yes, and that's what the patch is fixing.

>> So I guess what you are after is a patch that, instead of dodging the
>> issue by limiting the copy to CBC, does not perform the copy at all
>> while anything is mapped for DMA? Then we can leave it up to the NXP
>> engineers to fix CTR mode.
>
> Right, we definitely need to fix it for CBC, probably in the way that
> you suggested.
>

Not really. I am in favor of using the HW to update the IV, which would
work for all skcipher algorithms.

I have the fix ready; will send it in a couple of days.

Thanks,
Horia