On Sun, Oct 08, 2023 at 07:31:16PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@xxxxxxxxxx>
>
> Since commit adad556efcdd ("crypto: api - Fix built-in testing
> dependency failures"), the following warning appears when booting an
> x86_64 kernel that is configured with
> CONFIG_CRYPTO_MANAGER_EXTRA_TESTS=y and CONFIG_CRYPTO_AES_NI_INTEL=y,
> even when CONFIG_CRYPTO_XTS=y and CONFIG_CRYPTO_AES=y:
>
> alg: skcipher: skipping comparison tests for xts-aes-aesni because xts(ecb(aes-generic)) is unavailable
>
> This is caused by an issue in the xts template where it allocates an
> "aes" single-block cipher without declaring a dependency on it via the
> crypto_spawn mechanism. This issue was exposed by the above commit
> because it reversed the order that the algorithms are tested in.
>
> Specifically, when "xts(ecb(aes-generic))" is instantiated and tested
> during the comparison tests for "xts-aes-aesni", the "xts" template
> allocates an "aes" crypto_cipher for encrypting tweaks. This resolves
> to "aes-aesni". (Getting "aes-aesni" instead of "aes-generic" here is a
> bit weird, but it's apparently intended.) Due to the above-mentioned
> commit, the testing of "aes-aesni", and the finalization of its
> registration, now happens at this point instead of before. At the end
> of that, crypto_remove_spawns() unregisters all algorithm instances that
> depend on a lower-priority "aes" implementation such as "aes-generic"
> but that do not depend on "aes-aesni". However, because "xts" does not
> use the crypto_spawn mechanism for its "aes", its dependency on
> "aes-aesni" is not recognized by crypto_remove_spawns(). Thus,
> crypto_remove_spawns() unexpectedly unregisters "xts(ecb(aes-generic))".
>
> Fix this issue by making the "xts" template use the crypto_spawn
> mechanism for its "aes" dependency, like what other templates do.
>
> Note, this fix could be applied as far back as commit f1c131b45410
> ("crypto: xts - Convert to skcipher"). However, the issue only got
> exposed by the much more recent changes to how the crypto API runs the
> self-tests, so there should be no need to backport this to very old
> kernels. Also, an alternative fix would be to flip the list iteration
> order in crypto_start_tests() to restore the original testing order.
> I'm thinking we should do that too, since the original order seems more
> natural, but it shouldn't be relied on for correctness.
>
> Fixes: adad556efcdd ("crypto: api - Fix built-in testing dependency failures")
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
BTW, I noticed that the essiv template has this problem too. It shows up when
essiv-cbc-aes-sha256-ce is tested on arm64.
- Eric
