On 6/3/2019 11:43 AM, Greg Kroah-Hartman wrote:
> On Mon, Jun 03, 2019 at 08:10:15AM +0000, Horia Geanta wrote:
>> On 6/3/2019 10:52 AM, Greg Kroah-Hartman wrote:
>>> On Thu, May 30, 2019 at 11:36:25AM +0000, Horia Geanta wrote:
>>>> On 5/6/2019 11:06 AM, Horia Geanta wrote:
>>>>> On 5/6/2019 9:40 AM, Herbert Xu wrote:
>>>>>> On Fri, May 03, 2019 at 03:05:48PM +0300, Horia Geantă wrote:
>>>>>>> The detection whether DKP (Derived Key Protocol) is used relies on
>>>>>>> the setkey callback.
>>>>>>> Since "aead_setkey" was replaced in some cases with "des3_aead_setkey"
>>>>>>> (for 3DES weak key checking), the logic has to be updated - otherwise
>>>>>>> the DMA mapping direction is incorrect (leading to faults in case caam
>>>>>>> is behind an IOMMU).
>>>>>>>
>>>>>>> Fixes: 1b52c40919e6 ("crypto: caam - Forbid 2-key 3DES in FIPS mode")
>>>>>>> Signed-off-by: Horia Geantă <horia.geanta@xxxxxxx>
>>>>>>> ---
>>>>>>>
>>>>>>> This issue was noticed when testing with previously submitted IOMMU support:
>>>>>>> https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpatchwork.kernel.org%2Fproject%2Flinux-crypto%2Flist%2F%3Fseries%3D110277%26state%3D*&data=02%7C01%7Choria.geanta%40nxp.com%7C0531d21296e1471cd12708d6e7ff7ed1%7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C636951481867509241&sdata=vpeK41WQcINZTn4REHwk1Zgh5kIwPJNqiB75sT3ABV0%3D&reserved=0
>>>>>>
>>>>>> Thanks for catching this Horia!
>>>>>>
>>>>>> My preference would be to encode this logic separately rather than
>>>>>> relying on the setkey test. How about this patch?
>>>>>>
>>>>> This is probably more reliable.
>>>>>
>>>>>> ---8<---
>>>>>> The detection for DKP (Derived Key Protocol) relied on the value
>>>>>> of the setkey function. This was broken by the recent change which
>>>>>> added des3_aead_setkey.
>>>>>>
>>>>>> This patch fixes this by introducing a new flag for DKP and setting
>>>>>> that where needed.
>>>>>>
>>>>>> Reported-by: Horia Geantă <horia.geanta@xxxxxxx>
>>>>>> Signed-off-by: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
>>>>> Tested-by: Horia Geantă <horia.geanta@xxxxxxx>
>>>>>
>>>> Unfortunately the commit message dropped the tag provided in v1:
>>>> Fixes: 1b52c40919e6 ("crypto: caam - Forbid 2-key 3DES in FIPS mode")
>>>>
>>>> This fix was merged in v5.2-rc1 (commit 24586b5feaf17ecf85ae6259fe3ea7815dee432d
>>>> upstream) but should also be queued up for 5.1.y.
>>>
>>> I do not understand, sorry. What exact patches need to be applied to
>>> 5.1.y?
>>>
>> Commit 24586b5feaf1 ("crypto: caam - fix DKP detection logic").
>
> But that commit says:
> Fixes: 1b52c40919e6 ("crypto: caam - Forbid 2-key 3DES in FIPS mode")
> which is only contained in 5.2-rc1, so why would I want to apply the
> first one to 5.1.y?
>
Sorry, my bad.
I've looked at the failing kernel version: 5.1.0-09365-g8ea5b2abd07e
and seeing that commit 1b52c40919e6 ("crypto: caam - Forbid 2-key 3DES in FIPS
mode") is in the tree, concluded it was delivered in 5.1 and would need the fix.
Please disregard the request.
Thanks,
Horia
