On Mon, Jun 03, 2019 at 08:10:15AM +0000, Horia Geanta wrote:
> On 6/3/2019 10:52 AM, Greg Kroah-Hartman wrote:
> > On Thu, May 30, 2019 at 11:36:25AM +0000, Horia Geanta wrote:
> >> On 5/6/2019 11:06 AM, Horia Geanta wrote:
> >>> On 5/6/2019 9:40 AM, Herbert Xu wrote:
> >>>> On Fri, May 03, 2019 at 03:05:48PM +0300, Horia Geantă wrote:
> >>>>> The detection whether DKP (Derived Key Protocol) is used relies on
> >>>>> the setkey callback.
> >>>>> Since "aead_setkey" was replaced in some cases with "des3_aead_setkey"
> >>>>> (for 3DES weak key checking), the logic has to be updated - otherwise
> >>>>> the DMA mapping direction is incorrect (leading to faults in case caam
> >>>>> is behind an IOMMU).
> >>>>>
> >>>>> Fixes: 1b52c40919e6 ("crypto: caam - Forbid 2-key 3DES in FIPS mode")
> >>>>> Signed-off-by: Horia Geantă <horia.geanta@xxxxxxx>
> >>>>> ---
> >>>>>
> >>>>> This issue was noticed when testing with previously submitted IOMMU support:
> >>>>> https://patchwork.kernel.org/project/linux-crypto/list/?series=110277&state=*
> >>>>
> >>>> Thanks for catching this Horia!
> >>>>
> >>>> My preference would be to encode this logic separately rather than
> >>>> relying on the setkey test. How about this patch?
> >>>>
> >>> This is probably more reliable.
> >>>
> >>>> ---8<---
> >>>> The detection for DKP (Derived Key Protocol) relied on the value
> >>>> of the setkey function. This was broken by the recent change which
> >>>> added des3_aead_setkey.
> >>>>
> >>>> This patch fixes this by introducing a new flag for DKP and setting
> >>>> that where needed.
> >>>>
> >>>> Reported-by: Horia Geantă <horia.geanta@xxxxxxx>
> >>>> Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> >>> Tested-by: Horia Geantă <horia.geanta@xxxxxxx>
> >>>
> >> Unfortunately the commit message dropped the tag provided in v1:
> >> Fixes: 1b52c40919e6 ("crypto: caam - Forbid 2-key 3DES in FIPS mode")
> >>
> >> This fix was merged in v5.2-rc1 (commit 24586b5feaf17ecf85ae6259fe3ea7815dee432d
> >> upstream) but should also be queued up for 5.1.y.
> >
> > I do not understand, sorry. What exact patches need to be applied to
> > 5.1.y?
> >
> Commit 24586b5feaf1 ("crypto: caam - fix DKP detection logic").
But that commit says:
Fixes: 1b52c40919e6 ("crypto: caam - Forbid 2-key 3DES in FIPS mode")
which is only contained in 5.2-rc1, so why would I want to apply the
first one to 5.1.y?
Still confused,
greg k-h
