diff options
10 files changed, 3 insertions, 1067 deletions
diff --git a/recipes-kernel/cryptodev/cryptodev-qoriq_1.9.inc b/recipes-kernel/cryptodev/cryptodev-qoriq_1.9.inc index 24cc87c9..3e6fcf7c 100644 --- a/recipes-kernel/cryptodev/cryptodev-qoriq_1.9.inc +++ b/recipes-kernel/cryptodev/cryptodev-qoriq_1.9.inc @@ -12,31 +12,15 @@ python() { d.appendVar("RREPLACES_%s" % p, p.replace('cryptodev-qoriq', 'cryptodev')) } -FILESEXTRAPATHS_prepend := "${THISDIR}/sdk_patches:" FILESEXTRAPATHS_prepend := "${THISDIR}/yocto_patches:" -SRC_URI = "http://nwl.cc/pub/cryptodev-linux/cryptodev-linux-${PV}.tar.gz" - -SRC_URI[md5sum] = "cb4e0ed9e5937716c7c8a7be84895b6d" -SRC_URI[sha256sum] = "9f4c0b49b30e267d776f79455d09c70cc9c12c86eee400a0d0a0cd1d8e467950" - -# SDK patches -SRC_URI_append = " file://0001-refactoring-split-big-function-to-simplify-maintaina.patch \ - file://0002-refactoring-relocate-code-to-simplify-later-patches.patch \ - file://0003-convert-to-new-AEAD-interface-in-kernels-v4.2.patch \ - file://0004-fix-type-of-returned-value.patch \ - file://0005-remove-unnecessary-header-inclusion.patch \ - file://0006-move-structure-definition-to-cryptodev_int.h.patch \ - file://0007-add-support-for-RSA-public-and-private-key-operation.patch \ - file://0008-check-session-flags-early-to-avoid-incorrect-failure.patch \ - file://0009-add-support-for-composite-TLS10-SHA1-AES-algorithm-o.patch \ -" -#SRC_URI_append = " file://0003-update-the-install-path-for-cryptodev-tests.patch" +SRC_URI = "git://github.com/qoriq-open-source/cryptodev-linux.git;nobranch=1" +SRCREV = "f365c69d7852d6579952825c9f90a27129f92d22" # NOTE: remove this patch and all traces of DISTRO_FEATURE c29x_pkc # if pkc-host does not need customized cryptodev patches anymore #SRC_URI_append = "${@bb.utils.contains('DISTRO_FEATURES', 'c29x_pkc', ' file://0001-don-t-advertise-RSA-keygen.patch', '', d)}" -S = "${WORKDIR}/cryptodev-linux-${PV}" +S = "${WORKDIR}/git" CLEANBROKEN = "1" diff --git a/recipes-kernel/cryptodev/sdk_patches/0001-refactoring-split-big-function-to-simplify-maintaina.patch b/recipes-kernel/cryptodev/sdk_patches/0001-refactoring-split-big-function-to-simplify-maintaina.patch deleted file mode 100644 index 57ac8e1e..00000000 --- a/recipes-kernel/cryptodev/sdk_patches/0001-refactoring-split-big-function-to-simplify-maintaina.patch +++ /dev/null @@ -1,244 +0,0 @@ -From 20dcf071bc3076ee7db9d603cfbe6a06e86c7d5f Mon Sep 17 00:00:00 2001 -From: Cristian Stoica <cristian.stoica@nxp.com> -Date: Thu, 4 May 2017 15:06:20 +0300 -Subject: [PATCH 1/9] refactoring: split big function to simplify maintainance - -The setup of auth_buf in tls and aead is now duplicated but this -is temporary and allows necessary corrections for the aead case -with v4.2+ kernels. - -Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com> ---- - authenc.c | 197 ++++++++++++++++++++++++++++++++++++++++---------------------- - 1 file changed, 126 insertions(+), 71 deletions(-) - -diff --git a/authenc.c b/authenc.c -index 1bd7377..28eb0f9 100644 ---- a/authenc.c -+++ b/authenc.c -@@ -609,96 +609,151 @@ auth_n_crypt(struct csession *ses_ptr, struct kernel_crypt_auth_op *kcaop, - return 0; - } - --/* This is the main crypto function - zero-copy edition */ --static int --__crypto_auth_run_zc(struct csession *ses_ptr, struct kernel_crypt_auth_op *kcaop) -+static int crypto_auth_zc_srtp(struct csession *ses_ptr, struct kernel_crypt_auth_op *kcaop) - { -- struct scatterlist *dst_sg, *auth_sg, *src_sg; -+ struct scatterlist *dst_sg, *auth_sg; - struct crypt_auth_op *caop = &kcaop->caop; -- int ret = 0; -+ int ret; - -- if (caop->flags & COP_FLAG_AEAD_SRTP_TYPE) { -- if (unlikely(ses_ptr->cdata.init != 0 && -- (ses_ptr->cdata.stream == 0 || -- ses_ptr->cdata.aead != 0))) { -- derr(0, "Only stream modes are allowed in SRTP mode (but not AEAD)"); -- return -EINVAL; -- } -+ if (unlikely(ses_ptr->cdata.init != 0 && -+ (ses_ptr->cdata.stream == 0 || ses_ptr->cdata.aead != 0))) { -+ derr(0, "Only stream modes are allowed in SRTP mode (but not AEAD)"); -+ return -EINVAL; -+ } - -- ret = get_userbuf_srtp(ses_ptr, kcaop, &auth_sg, &dst_sg); -- if (unlikely(ret)) { -- derr(1, "get_userbuf_srtp(): Error getting user pages."); -- return ret; -- } -+ ret = get_userbuf_srtp(ses_ptr, kcaop, &auth_sg, &dst_sg); -+ if (unlikely(ret)) { -+ derr(1, "get_userbuf_srtp(): Error getting user pages."); -+ return ret; -+ } - -- ret = srtp_auth_n_crypt(ses_ptr, kcaop, auth_sg, caop->auth_len, -- dst_sg, caop->len); -+ ret = srtp_auth_n_crypt(ses_ptr, kcaop, auth_sg, caop->auth_len, -+ dst_sg, caop->len); - -- release_user_pages(ses_ptr); -- } else { /* TLS and normal cases. Here auth data are usually small -- * so we just copy them to a free page, instead of trying -- * to map them. -- */ -- unsigned char *auth_buf = NULL; -- struct scatterlist tmp; -+ release_user_pages(ses_ptr); - -- if (unlikely(caop->auth_len > PAGE_SIZE)) { -- derr(1, "auth data len is excessive."); -- return -EINVAL; -- } -+ return ret; -+} - -- auth_buf = (char *)__get_free_page(GFP_KERNEL); -- if (unlikely(!auth_buf)) { -- derr(1, "unable to get a free page."); -- return -ENOMEM; -- } -+static int crypto_auth_zc_tls(struct csession *ses_ptr, struct kernel_crypt_auth_op *kcaop) -+{ -+ struct crypt_auth_op *caop = &kcaop->caop; -+ struct scatterlist *dst_sg, *auth_sg; -+ unsigned char *auth_buf = NULL; -+ struct scatterlist tmp; -+ int ret; - -- if (caop->auth_src && caop->auth_len > 0) { -- if (unlikely(copy_from_user(auth_buf, caop->auth_src, caop->auth_len))) { -- derr(1, "unable to copy auth data from userspace."); -- ret = -EFAULT; -- goto free_auth_buf; -- } -+ if (unlikely(ses_ptr->cdata.aead != 0)) { -+ return -EINVAL; -+ } -+ -+ if (unlikely(caop->auth_len > PAGE_SIZE)) { -+ derr(1, "auth data len is excessive."); -+ return -EINVAL; -+ } -+ -+ auth_buf = (char *)__get_free_page(GFP_KERNEL); -+ if (unlikely(!auth_buf)) { -+ derr(1, "unable to get a free page."); -+ return -ENOMEM; -+ } - -- sg_init_one(&tmp, auth_buf, caop->auth_len); -- auth_sg = &tmp; -- } else { -- auth_sg = NULL; -+ if (caop->auth_src && caop->auth_len > 0) { -+ if (unlikely(copy_from_user(auth_buf, caop->auth_src, caop->auth_len))) { -+ derr(1, "unable to copy auth data from userspace."); -+ ret = -EFAULT; -+ goto free_auth_buf; - } - -- if (caop->flags & COP_FLAG_AEAD_TLS_TYPE && ses_ptr->cdata.aead == 0) { -- ret = get_userbuf_tls(ses_ptr, kcaop, &dst_sg); -- if (unlikely(ret)) { -- derr(1, "get_userbuf_tls(): Error getting user pages."); -- goto free_auth_buf; -- } -+ sg_init_one(&tmp, auth_buf, caop->auth_len); -+ auth_sg = &tmp; -+ } else { -+ auth_sg = NULL; -+ } - -- ret = tls_auth_n_crypt(ses_ptr, kcaop, auth_sg, caop->auth_len, -- dst_sg, caop->len); -- } else { -- if (unlikely(ses_ptr->cdata.init == 0 || -- (ses_ptr->cdata.stream == 0 && -- ses_ptr->cdata.aead == 0))) { -- derr(0, "Only stream and AEAD ciphers are allowed for authenc"); -- ret = -EINVAL; -- goto free_auth_buf; -- } -+ ret = get_userbuf_tls(ses_ptr, kcaop, &dst_sg); -+ if (unlikely(ret)) { -+ derr(1, "get_userbuf_tls(): Error getting user pages."); -+ goto free_auth_buf; -+ } - -- ret = get_userbuf(ses_ptr, caop->src, caop->len, caop->dst, kcaop->dst_len, -- kcaop->task, kcaop->mm, &src_sg, &dst_sg); -- if (unlikely(ret)) { -- derr(1, "get_userbuf(): Error getting user pages."); -- goto free_auth_buf; -- } -+ ret = tls_auth_n_crypt(ses_ptr, kcaop, auth_sg, caop->auth_len, -+ dst_sg, caop->len); -+ release_user_pages(ses_ptr); -+ -+free_auth_buf: -+ free_page((unsigned long)auth_buf); -+ return ret; -+} -+ -+static int crypto_auth_zc_aead(struct csession *ses_ptr, struct kernel_crypt_auth_op *kcaop) -+{ -+ struct scatterlist *dst_sg, *auth_sg, *src_sg; -+ struct crypt_auth_op *caop = &kcaop->caop; -+ unsigned char *auth_buf = NULL; -+ struct scatterlist tmp; -+ int ret; - -- ret = auth_n_crypt(ses_ptr, kcaop, auth_sg, caop->auth_len, -- src_sg, dst_sg, caop->len); -+ if (unlikely(ses_ptr->cdata.init == 0 || -+ (ses_ptr->cdata.stream == 0 && ses_ptr->cdata.aead == 0))) { -+ derr(0, "Only stream and AEAD ciphers are allowed for authenc"); -+ return -EINVAL; -+ } -+ -+ if (unlikely(caop->auth_len > PAGE_SIZE)) { -+ derr(1, "auth data len is excessive."); -+ return -EINVAL; -+ } -+ -+ auth_buf = (char *)__get_free_page(GFP_KERNEL); -+ if (unlikely(!auth_buf)) { -+ derr(1, "unable to get a free page."); -+ return -ENOMEM; -+ } -+ -+ if (caop->auth_src && caop->auth_len > 0) { -+ if (unlikely(copy_from_user(auth_buf, caop->auth_src, caop->auth_len))) { -+ derr(1, "unable to copy auth data from userspace."); -+ ret = -EFAULT; -+ goto free_auth_buf; - } - -- release_user_pages(ses_ptr); -+ sg_init_one(&tmp, auth_buf, caop->auth_len); -+ auth_sg = &tmp; -+ } else { -+ auth_sg = NULL; -+ } -+ -+ ret = get_userbuf(ses_ptr, caop->src, caop->len, caop->dst, kcaop->dst_len, -+ kcaop->task, kcaop->mm, &src_sg, &dst_sg); -+ if (unlikely(ret)) { -+ derr(1, "get_userbuf(): Error getting user pages."); -+ goto free_auth_buf; -+ } -+ -+ ret = auth_n_crypt(ses_ptr, kcaop, auth_sg, caop->auth_len, -+ src_sg, dst_sg, caop->len); -+ -+ release_user_pages(ses_ptr); - - free_auth_buf: -- free_page((unsigned long)auth_buf); -+ free_page((unsigned long)auth_buf); -+ -+ return ret; -+} -+ -+static int -+__crypto_auth_run_zc(struct csession *ses_ptr, struct kernel_crypt_auth_op *kcaop) -+{ -+ struct crypt_auth_op *caop = &kcaop->caop; -+ int ret; -+ -+ if (caop->flags & COP_FLAG_AEAD_SRTP_TYPE) { -+ ret = crypto_auth_zc_srtp(ses_ptr, kcaop); -+ } else if (caop->flags & COP_FLAG_AEAD_TLS_TYPE) { -+ ret = crypto_auth_zc_tls(ses_ptr, kcaop); -+ } else { -+ ret = crypto_auth_zc_aead(ses_ptr, kcaop); - } - - return ret; --- -2.7.4 - diff --git a/recipes-kernel/cryptodev/sdk_patches/0002-refactoring-relocate-code-to-simplify-later-patches.patch b/recipes-kernel/cryptodev/sdk_patches/0002-refactoring-relocate-code-to-simplify-later-patches.patch deleted file mode 100644 index b948c914..00000000 --- a/recipes-kernel/cryptodev/sdk_patches/0002-refactoring-relocate-code-to-simplify-later-patches.patch +++ /dev/null @@ -1,58 +0,0 @@ -From c2bf0e42b1d9fda60cde4a3a682784d349ef1c0b Mon Sep 17 00:00:00 2001 -From: Cristian Stoica <cristian.stoica@nxp.com> -Date: Thu, 4 May 2017 15:06:21 +0300 -Subject: [PATCH 2/9] refactoring: relocate code to simplify later patches - -This code move will simplify the conversion to new AEAD interface in -next patches - -Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com> ---- - authenc.c | 17 +++++++++-------- - 1 file changed, 9 insertions(+), 8 deletions(-) - -diff --git a/authenc.c b/authenc.c -index 28eb0f9..95727b4 100644 ---- a/authenc.c -+++ b/authenc.c -@@ -711,11 +711,18 @@ static int crypto_auth_zc_aead(struct csession *ses_ptr, struct kernel_crypt_aut - return -ENOMEM; - } - -+ ret = get_userbuf(ses_ptr, caop->src, caop->len, caop->dst, kcaop->dst_len, -+ kcaop->task, kcaop->mm, &src_sg, &dst_sg); -+ if (unlikely(ret)) { -+ derr(1, "get_userbuf(): Error getting user pages."); -+ goto free_auth_buf; -+ } -+ - if (caop->auth_src && caop->auth_len > 0) { - if (unlikely(copy_from_user(auth_buf, caop->auth_src, caop->auth_len))) { - derr(1, "unable to copy auth data from userspace."); - ret = -EFAULT; -- goto free_auth_buf; -+ goto free_pages; - } - - sg_init_one(&tmp, auth_buf, caop->auth_len); -@@ -724,16 +731,10 @@ static int crypto_auth_zc_aead(struct csession *ses_ptr, struct kernel_crypt_aut - auth_sg = NULL; - } - -- ret = get_userbuf(ses_ptr, caop->src, caop->len, caop->dst, kcaop->dst_len, -- kcaop->task, kcaop->mm, &src_sg, &dst_sg); -- if (unlikely(ret)) { -- derr(1, "get_userbuf(): Error getting user pages."); -- goto free_auth_buf; -- } -- - ret = auth_n_crypt(ses_ptr, kcaop, auth_sg, caop->auth_len, - src_sg, dst_sg, caop->len); - -+free_pages: - release_user_pages(ses_ptr); - - free_auth_buf: --- -2.7.4 - diff --git a/recipes-kernel/cryptodev/sdk_patches/0003-convert-to-new-AEAD-interface-in-kernels-v4.2.patch b/recipes-kernel/cryptodev/sdk_patches/0003-convert-to-new-AEAD-interface-in-kernels-v4.2.patch deleted file mode 100644 index ab3c7a81..00000000 --- a/recipes-kernel/cryptodev/sdk_patches/0003-convert-to-new-AEAD-interface-in-kernels-v4.2.patch +++ /dev/null @@ -1,96 +0,0 @@ -From a705360197260d28535746ae98c461ba2cfb7a9e Mon Sep 17 00:00:00 2001 -From: Cristian Stoica <cristian.stoica@nxp.com> -Date: Thu, 4 May 2017 15:06:22 +0300 -Subject: [PATCH 3/9] convert to new AEAD interface in kernels v4.2+ - -The crypto API for AEAD ciphers changed in recent kernels so that -associated data is now part of both source and destination scatter -gathers. The source, destination and associated data buffers need -to be stiched accordingly for the operations to succeed: - -src_sg: auth_buf + src_buf -dst_sg: auth_buf + (dst_buf + tag space) - -This patch fixes a kernel crash observed with cipher-gcm test. - -See also kernel patch: 81c4c35eb61a69c229871c490b011c1171511d5a - crypto: ccm - Convert to new AEAD interface - -Reported-by: Phil Sutter <phil@nwl.cc> -Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com> ---- - authenc.c | 40 ++++++++++++++++++++++++++++++++++++++-- - 1 file changed, 38 insertions(+), 2 deletions(-) - -diff --git a/authenc.c b/authenc.c -index 95727b4..692951f 100644 ---- a/authenc.c -+++ b/authenc.c -@@ -688,12 +688,20 @@ free_auth_buf: - - static int crypto_auth_zc_aead(struct csession *ses_ptr, struct kernel_crypt_auth_op *kcaop) - { -- struct scatterlist *dst_sg, *auth_sg, *src_sg; -+ struct scatterlist *dst_sg; -+ struct scatterlist *src_sg; - struct crypt_auth_op *caop = &kcaop->caop; - unsigned char *auth_buf = NULL; -- struct scatterlist tmp; - int ret; - -+#if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 2, 0)) -+ struct scatterlist tmp; -+ struct scatterlist *auth_sg; -+#else -+ struct scatterlist auth1[2]; -+ struct scatterlist auth2[2]; -+#endif -+ - if (unlikely(ses_ptr->cdata.init == 0 || - (ses_ptr->cdata.stream == 0 && ses_ptr->cdata.aead == 0))) { - derr(0, "Only stream and AEAD ciphers are allowed for authenc"); -@@ -718,6 +726,7 @@ static int crypto_auth_zc_aead(struct csession *ses_ptr, struct kernel_crypt_aut - goto free_auth_buf; - } - -+#if (LINUX_VERSION_CODE < KERNEL_VERSION(4, 2, 0)) - if (caop->auth_src && caop->auth_len > 0) { - if (unlikely(copy_from_user(auth_buf, caop->auth_src, caop->auth_len))) { - derr(1, "unable to copy auth data from userspace."); -@@ -733,6 +742,33 @@ static int crypto_auth_zc_aead(struct csession *ses_ptr, struct kernel_crypt_aut - - ret = auth_n_crypt(ses_ptr, kcaop, auth_sg, caop->auth_len, - src_sg, dst_sg, caop->len); -+#else -+ if (caop->auth_src && caop->auth_len > 0) { -+ if (unlikely(copy_from_user(auth_buf, caop->auth_src, caop->auth_len))) { -+ derr(1, "unable to copy auth data from userspace."); -+ ret = -EFAULT; -+ goto free_pages; -+ } -+ -+ sg_init_table(auth1, 2); -+ sg_set_buf(auth1, auth_buf, caop->auth_len); -+ sg_chain(auth1, 2, src_sg); -+ -+ if (src_sg == dst_sg) { -+ src_sg = auth1; -+ dst_sg = auth1; -+ } else { -+ sg_init_table(auth2, 2); -+ sg_set_buf(auth2, auth_buf, caop->auth_len); -+ sg_chain(auth2, 2, dst_sg); -+ src_sg = auth1; -+ dst_sg = auth2; -+ } -+ } -+ -+ ret = auth_n_crypt(ses_ptr, kcaop, NULL, caop->auth_len, -+ src_sg, dst_sg, caop->len); -+#endif - - free_pages: - release_user_pages(ses_ptr); --- -2.7.4 - diff --git a/recipes-kernel/cryptodev/sdk_patches/0004-fix-type-of-returned-value.patch b/recipes-kernel/cryptodev/sdk_patches/0004-fix-type-of-returned-value.patch deleted file mode 100644 index faad6cc5..00000000 --- a/recipes-kernel/cryptodev/sdk_patches/0004-fix-type-of-returned-value.patch +++ /dev/null @@ -1,29 +0,0 @@ -From 1d7c84838445981a06812869f8906bdef52e69eb Mon Sep 17 00:00:00 2001 -From: Cristian Stoica <cristian.stoica@nxp.com> -Date: Mon, 15 Feb 2016 18:27:35 +0200 -Subject: [PATCH 4/9] fix type of returned value - -The function is declared as unsigned int so we return an -unsigned int as well - -Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com> ---- - ioctl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/ioctl.c b/ioctl.c -index 0385203..db7207a 100644 ---- a/ioctl.c -+++ b/ioctl.c -@@ -1065,7 +1065,7 @@ cryptodev_compat_ioctl(struct file *file, unsigned int cmd, unsigned long arg_) - static unsigned int cryptodev_poll(struct file *file, poll_table *wait) - { - struct crypt_priv *pcr = file->private_data; -- int ret = 0; -+ unsigned int ret = 0; - - poll_wait(file, &pcr->user_waiter, wait); - --- -2.7.4 - diff --git a/recipes-kernel/cryptodev/sdk_patches/0005-remove-unnecessary-header-inclusion.patch b/recipes-kernel/cryptodev/sdk_patches/0005-remove-unnecessary-header-inclusion.patch deleted file mode 100644 index f9c8f3a0..00000000 --- a/recipes-kernel/cryptodev/sdk_patches/0005-remove-unnecessary-header-inclusion.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 00a686189f7e05d70a7184cd6218f7424ab21b0d Mon Sep 17 00:00:00 2001 -From: Cristian Stoica <cristian.stoica@nxp.com> -Date: Tue, 23 May 2017 15:28:58 +0300 -Subject: [PATCH 5/9] remove unnecessary header inclusion - -Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com> ---- - zc.h | 2 -- - 1 file changed, 2 deletions(-) - -diff --git a/zc.h b/zc.h -index 6f975d6..666c4a5 100644 ---- a/zc.h -+++ b/zc.h -@@ -1,8 +1,6 @@ - #ifndef ZC_H - # define ZC_H - --#include "cryptodev_int.h" -- - /* For zero copy */ - int __get_userbuf(uint8_t __user *addr, uint32_t len, int write, - unsigned int pgcount, struct page **pg, struct scatterlist *sg, --- -2.7.4 - diff --git a/recipes-kernel/cryptodev/sdk_patches/0006-move-structure-definition-to-cryptodev_int.h.patch b/recipes-kernel/cryptodev/sdk_patches/0006-move-structure-definition-to-cryptodev_int.h.patch deleted file mode 100644 index 9a7ef3dc..00000000 --- a/recipes-kernel/cryptodev/sdk_patches/0006-move-structure-definition-to-cryptodev_int.h.patch +++ /dev/null @@ -1,51 +0,0 @@ -From 3245b0f9ed2085f6167068409fb344166093808c Mon Sep 17 00:00:00 2001 -From: Cristian Stoica <cristian.stoica@nxp.com> -Date: Tue, 23 May 2017 15:50:40 +0300 -Subject: [PATCH 6/9] move structure definition to cryptodev_int.h - -This is necessary for the rsa patch and makes this data structure -visible to kernel_crypt_pkop structure which will be defined in -cryptodev_int.h as well. - -Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com> ---- - cryptlib.h | 6 ------ - cryptodev_int.h | 5 +++++ - 2 files changed, 5 insertions(+), 6 deletions(-) - -diff --git a/cryptlib.h b/cryptlib.h -index 8e8aa71..48fe9bd 100644 ---- a/cryptlib.h -+++ b/cryptlib.h -@@ -2,12 +2,6 @@ - # define CRYPTLIB_H - - #include <linux/version.h> -- --struct cryptodev_result { -- struct completion completion; -- int err; --}; -- - #include "cipherapi.h" - - struct cipher_data { -diff --git a/cryptodev_int.h b/cryptodev_int.h -index d7660fa..c1879fd 100644 ---- a/cryptodev_int.h -+++ b/cryptodev_int.h -@@ -35,6 +35,11 @@ - #define ddebug(level, format, a...) dprintk(level, KERN_DEBUG, format, ##a) - - -+struct cryptodev_result { -+ struct completion completion; -+ int err; -+}; -+ - extern int cryptodev_verbosity; - - struct fcrypt { --- -2.7.4 - diff --git a/recipes-kernel/cryptodev/sdk_patches/0007-add-support-for-RSA-public-and-private-key-operation.patch b/recipes-kernel/cryptodev/sdk_patches/0007-add-support-for-RSA-public-and-private-key-operation.patch deleted file mode 100644 index 803b90ad..00000000 --- a/recipes-kernel/cryptodev/sdk_patches/0007-add-support-for-RSA-public-and-private-key-operation.patch +++ /dev/null @@ -1,440 +0,0 @@ -From 6213ae5228a2ff0bb3521474ae37effda95a5d46 Mon Sep 17 00:00:00 2001 -From: Cristian Stoica <cristian.stoica@nxp.com> -Date: Fri, 12 May 2017 17:04:40 +0300 -Subject: [PATCH 7/9] add support for RSA public and private key operations - -Only form 1 support is added with this patch. To maintain -compatibility with OpenBSD we need to reverse bignum buffers before -giving them to the kernel. This adds an artificial performance -penalty that can be resolved only with a CIOCKEY extension in -cryptodev API. - -As of Linux kernel 4.12 it is not possible to give to the kernel -directly a pointer to a RSA key structure and must resort to a BER -encoding scheme. - -Support for private keys in form 3 (CRT) must wait for updates and -fixes in Linux kernel crypto API. - -Known issue: -Kernels <= v4.7 strip leading zeros from the result and we get padding -errors from Openssl: RSA_EAY_PUBLIC_DECRYPT: padding check failed -(Fixed with kernel commit "crypto: rsa - Generate fixed-length output" -9b45b7bba3d22de52e09df63c50f390a193a3f53) - -Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com> ---- - cryptlib.c | 234 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++ - cryptlib.h | 4 +- - cryptodev_int.h | 17 ++++ - ioctl.c | 17 +++- - main.c | 42 ++++++++++ - 5 files changed, 312 insertions(+), 2 deletions(-) - -diff --git a/cryptlib.c b/cryptlib.c -index 2c6028e..1c044a4 100644 ---- a/cryptlib.c -+++ b/cryptlib.c -@@ -37,6 +37,10 @@ - #include <crypto/authenc.h> - #include "cryptodev_int.h" - #include "cipherapi.h" -+#if (LINUX_VERSION_CODE > KERNEL_VERSION(4, 3, 0)) -+#include <linux/asn1_ber_bytecode.h> -+#include <crypto/akcipher.h> -+#endif - - extern const struct crypto_type crypto_givcipher_type; - -@@ -435,3 +439,233 @@ int cryptodev_hash_final(struct hash_data *hdata, void *output) - return waitfor(&hdata->async.result, ret); - } - -+#if (LINUX_VERSION_CODE > KERNEL_VERSION(4, 3, 0)) -+/* This function is necessary because the bignums in Linux kernel are MSB first -+ * (big endian) as opposed to LSB first as OpenBSD crypto layer uses */ -+void reverse_buf(uint8_t *buf, size_t sz) -+{ -+ int i; -+ uint8_t *end; -+ uint8_t tmp; -+ -+ end = buf + sz; -+ -+ for (i = 0; i < sz/2; i++) { -+ end--; -+ -+ tmp = *buf; -+ *buf = *end; -+ *end = tmp; -+ -+ buf++; -+ } -+} -+ -+int ber_wr_tag(uint8_t **ber_ptr, uint8_t tag) -+{ -+ **ber_ptr = tag; -+ *ber_ptr += 1; -+ -+ return 0; -+} -+ -+int ber_wr_len(uint8_t **ber_ptr, size_t len, size_t sz) -+{ -+ if (len < 127) { -+ **ber_ptr = len; -+ *ber_ptr += 1; -+ } else { -+ size_t sz_save = sz; -+ -+ sz--; -+ **ber_ptr = 0x80 | sz; -+ -+ while (sz > 0) { -+ *(*ber_ptr + sz) = len & 0xff; -+ len >>= 8; -+ sz--; -+ } -+ *ber_ptr += sz_save; -+ } -+ -+ return 0; -+} -+ -+int ber_wr_int(uint8_t **ber_ptr, uint8_t *crp_p, size_t sz) -+{ -+ int ret; -+ -+ ret = copy_from_user(*ber_ptr, crp_p, sz); -+ reverse_buf(*ber_ptr, sz); -+ -+ *ber_ptr += sz; -+ -+ return ret; -+} -+ -+/* calculate the size of the length field itself in BER encoding */ -+size_t ber_enc_len(size_t len) -+{ -+ size_t sz; -+ -+ sz = 1; -+ if (len > 127) { /* long encoding */ -+ while (len != 0) { -+ len >>= 8; -+ sz++; -+ } -+ } -+ -+ return sz; -+} -+ -+void *cryptodev_alloc_rsa_pub_key(struct kernel_crypt_pkop *pkop, -+ uint32_t *key_len) -+{ -+ struct crypt_kop *cop = &pkop->pkop; -+ uint8_t *ber_key; -+ uint8_t *ber_ptr; -+ uint32_t ber_key_len; -+ size_t s_sz; -+ size_t e_sz; -+ size_t n_sz; -+ size_t s_enc_len; -+ size_t e_enc_len; -+ size_t n_enc_len; -+ int err; -+ -+ /* BER public key format: -+ * SEQUENCE TAG 1 byte -+ * SEQUENCE LENGTH s_enc_len bytes -+ * INTEGER TAG 1 byte -+ * INTEGER LENGTH n_enc_len bytes -+ * INTEGER (n modulus) n_sz bytes -+ * INTEGER TAG 1 byte -+ * INTEGER LENGTH e_enc_len bytes -+ * INTEGER (e exponent) e_sz bytes -+ */ -+ -+ e_sz = (cop->crk_param[1].crp_nbits + 7)/8; -+ n_sz = (cop->crk_param[2].crp_nbits + 7)/8; -+ -+ e_enc_len = ber_enc_len(e_sz); -+ n_enc_len = ber_enc_len(n_sz); -+ -+ /* -+ * Sequence length is the size of all the fields following the sequence -+ * tag, added together. The two added bytes account for the two INT -+ * tags in the Public Key sequence -+ */ -+ s_sz = e_sz + e_enc_len + n_sz + n_enc_len + 2; -+ s_enc_len = ber_enc_len(s_sz); -+ -+ /* The added byte accounts for the SEQ tag at the start of the key */ -+ ber_key_len = s_sz + s_enc_len + 1; -+ -+ /* Linux asn1_ber_decoder doesn't like keys that are too large */ -+ if (ber_key_len > 65535) { -+ return NULL; -+ } -+ -+ ber_key = kmalloc(ber_key_len, GFP_DMA); -+ if (!ber_key) { -+ return NULL; -+ } -+ -+ ber_ptr = ber_key; -+ -+ err = ber_wr_tag(&ber_ptr, _tag(UNIV, CONS, SEQ)) || -+ ber_wr_len(&ber_ptr, s_sz, s_enc_len) || -+ ber_wr_tag(&ber_ptr, _tag(UNIV, PRIM, INT)) || -+ ber_wr_len(&ber_ptr, n_sz, n_enc_len) || -+ ber_wr_int(&ber_ptr, cop->crk_param[2].crp_p, n_sz) || -+ ber_wr_tag(&ber_ptr, _tag(UNIV, PRIM, INT)) || -+ ber_wr_len(&ber_ptr, e_sz, e_enc_len) || -+ ber_wr_int(&ber_ptr, cop->crk_param[1].crp_p, e_sz); -+ if (err != 0) { -+ goto free_key; -+ } -+ -+ *key_len = ber_key_len; -+ return ber_key; -+ -+free_key: -+ kfree(ber_key); -+ return NULL; -+} -+ -+int crypto_bn_modexp(struct kernel_crypt_pkop *pkop) -+{ -+ struct crypt_kop *cop = &pkop->pkop; -+ uint8_t *ber_key; -+ uint32_t ber_key_len; -+ size_t m_sz; -+ size_t c_sz; -+ size_t c_sz_max; -+ uint8_t *m_buf; -+ uint8_t *c_buf; -+ struct scatterlist src; -+ struct scatterlist dst; -+ int err; -+ -+ ber_key = cryptodev_alloc_rsa_pub_key(pkop, &ber_key_len); -+ if (!ber_key) { -+ return -ENOMEM; -+ } -+ -+ err = crypto_akcipher_set_pub_key(pkop->s, ber_key, ber_key_len); -+ if (err != 0) { -+ goto free_key; -+ } -+ -+ m_sz = (cop->crk_param[0].crp_nbits + 7)/8; -+ c_sz = (cop->crk_param[3].crp_nbits + 7)/8; -+ -+ m_buf = kmalloc(m_sz, GFP_DMA); -+ if (!m_buf) { -+ err = -ENOMEM; -+ goto free_key; -+ } -+ -+ err = copy_from_user(m_buf, cop->crk_param[0].crp_p, m_sz); -+ if (err != 0) { -+ goto free_m_buf; -+ } -+ reverse_buf(m_buf, m_sz); -+ -+ c_sz_max = crypto_akcipher_maxsize(pkop->s); -+ if (c_sz > c_sz_max) { -+ err = -EINVAL; -+ goto free_m_buf; -+ } -+ -+ c_buf = kzalloc(c_sz_max, GFP_KERNEL); -+ if (!c_buf) { -+ goto free_m_buf; -+ } -+ -+ sg_init_one(&src, m_buf, m_sz); -+ sg_init_one(&dst, c_buf, c_sz); -+ -+ init_completion(&pkop->result.completion); -+ akcipher_request_set_callback(pkop->req, 0, -+ cryptodev_complete, &pkop->result); -+ akcipher_request_set_crypt(pkop->req, &src, &dst, m_sz, c_sz); -+ -+ err = crypto_akcipher_encrypt(pkop->req); -+ err = waitfor(&pkop->result, err); -+ -+ if (err == 0) { -+ reverse_buf(c_buf, c_sz); -+ err = copy_to_user(cop->crk_param[3].crp_p, c_buf, c_sz); -+ } -+ -+ kfree(c_buf); -+free_m_buf: -+ kfree(m_buf); -+free_key: -+ kfree(ber_key); -+ -+ return err; -+} -+#endif -diff --git a/cryptlib.h b/cryptlib.h -index 48fe9bd..f909c34 100644 ---- a/cryptlib.h -+++ b/cryptlib.h -@@ -95,6 +95,8 @@ int cryptodev_hash_reset(struct hash_data *hdata); - void cryptodev_hash_deinit(struct hash_data *hdata); - int cryptodev_hash_init(struct hash_data *hdata, const char *alg_name, - int hmac_mode, void *mackey, size_t mackeylen); -- -+#if (LINUX_VERSION_CODE > KERNEL_VERSION(4, 3, 0)) -+int crypto_bn_modexp(struct kernel_crypt_pkop *pkop); -+#endif - - #endif -diff --git a/cryptodev_int.h b/cryptodev_int.h -index c1879fd..7860c39 100644 ---- a/cryptodev_int.h -+++ b/cryptodev_int.h -@@ -19,6 +19,10 @@ - #include <linux/scatterlist.h> - #include <crypto/cryptodev.h> - #include <crypto/aead.h> -+#if (LINUX_VERSION_CODE > KERNEL_VERSION(4, 3, 0)) -+#include <crypto/internal/rsa.h> -+#endif -+ - - #define PFX "cryptodev: " - #define dprintk(level, severity, format, a...) \ -@@ -111,6 +115,18 @@ struct kernel_crypt_auth_op { - struct mm_struct *mm; - }; - -+#if (LINUX_VERSION_CODE > KERNEL_VERSION(4, 3, 0)) -+struct kernel_crypt_pkop { -+ struct crypt_kop pkop; -+ -+ struct crypto_akcipher *s; /* Transform pointer from CryptoAPI */ -+ struct akcipher_request *req; /* PKC request allocated from CryptoAPI */ -+ struct cryptodev_result result; /* updated by completion handler */ -+}; -+ -+int crypto_run_asym(struct kernel_crypt_pkop *pkop); -+#endif -+ - /* auth */ - - int kcaop_from_user(struct kernel_crypt_auth_op *kcop, -@@ -122,6 +138,7 @@ int crypto_run(struct fcrypt *fcr, struct kernel_crypt_op *kcop); - - #include <cryptlib.h> - -+ - /* other internal structs */ - struct csession { - struct list_head entry; -diff --git a/ioctl.c b/ioctl.c -index db7207a..8b0df4e 100644 ---- a/ioctl.c -+++ b/ioctl.c -@@ -810,6 +810,9 @@ cryptodev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg_) - struct session_op sop; - struct kernel_crypt_op kcop; - struct kernel_crypt_auth_op kcaop; -+#if (LINUX_VERSION_CODE > KERNEL_VERSION(4, 3, 0)) -+ struct kernel_crypt_pkop pkop; -+#endif - struct crypt_priv *pcr = filp->private_data; - struct fcrypt *fcr; - struct session_info_op siop; -@@ -823,7 +826,11 @@ cryptodev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg_) - - switch (cmd) { - case CIOCASYMFEAT: -- return put_user(0, p); -+ ses = 0; -+ if (crypto_has_alg("rsa", 0, 0)) { -+ ses = CRF_MOD_EXP; -+ } -+ return put_user(ses, p); - case CRIOGET: - fd = clonefd(filp); - ret = put_user(fd, p); -@@ -859,6 +866,14 @@ cryptodev_ioctl(struct file *filp, unsigned int cmd, unsigned long arg_) - if (unlikely(ret)) - return ret; - return copy_to_user(arg, &siop, sizeof(siop)); -+#if (LINUX_VERSION_CODE > KERNEL_VERSION(4, 3, 0)) -+ case CIOCKEY: -+ ret = copy_from_user(&pkop.pkop, arg, sizeof(struct crypt_kop)); -+ if (ret == 0) { -+ ret = crypto_run_asym(&pkop); -+ } -+ return ret; -+#endif - case CIOCCRYPT: - if (unlikely(ret = kcop_from_user(&kcop, fcr, arg))) { - dwarning(1, "Error copying from user"); -diff --git a/main.c b/main.c -index 57e5c38..2bfe6f0 100644 ---- a/main.c -+++ b/main.c -@@ -48,6 +48,9 @@ - #include "zc.h" - #include "cryptlib.h" - #include "version.h" -+#if (LINUX_VERSION_CODE > KERNEL_VERSION(4, 3, 0)) -+#include <crypto/akcipher.h> -+#endif - - /* This file contains the traditional operations of encryption - * and hashing of /dev/crypto. -@@ -265,3 +268,42 @@ out_unlock: - crypto_put_session(ses_ptr); - return ret; - } -+ -+#if (LINUX_VERSION_CODE > KERNEL_VERSION(4, 3, 0)) -+int crypto_run_asym(struct kernel_crypt_pkop *pkop) -+{ -+ int err; -+ -+ pkop->s = crypto_alloc_akcipher("rsa", 0, 0); -+ if (IS_ERR(pkop->s)) { -+ return PTR_ERR(pkop->s); -+ } -+ -+ pkop->req = akcipher_request_alloc(pkop->s, GFP_KERNEL); -+ if (pkop->req == NULL) { -+ err = -ENOMEM; -+ goto out_free_tfm; -+ } -+ -+ switch (pkop->pkop.crk_op) { -+ case CRK_MOD_EXP: /* RSA_PUB or PRIV form 1 */ -+ if (pkop->pkop.crk_iparams != 3 && pkop->pkop.crk_oparams != 1) { -+ err = -EINVAL; -+ goto out_free_req; -+ } -+ err = crypto_bn_modexp(pkop); -+ break; -+ default: -+ err = -EINVAL; -+ break; -+ } -+ -+out_free_req: -+ kfree(pkop->req); -+ -+out_free_tfm: -+ crypto_free_akcipher(pkop->s); -+ -+ return err; -+} -+#endif --- -2.7.4 - diff --git a/recipes-kernel/cryptodev/sdk_patches/0008-check-session-flags-early-to-avoid-incorrect-failure.patch b/recipes-kernel/cryptodev/sdk_patches/0008-check-session-flags-early-to-avoid-incorrect-failure.patch deleted file mode 100644 index 1fce5580..00000000 --- a/recipes-kernel/cryptodev/sdk_patches/0008-check-session-flags-early-to-avoid-incorrect-failure.patch +++ /dev/null @@ -1,54 +0,0 @@ -From ec2529027a6565fdede79e7bda4a0232757acf70 Mon Sep 17 00:00:00 2001 -From: Cristian Stoica <cristian.stoica@nxp.com> -Date: Wed, 14 Jun 2017 11:23:18 +0300 -Subject: [PATCH 8/9] check session flags early to avoid incorrect failure - modes - -This verification of aead flag was incorrectly removed in -"refactoring: split big function to simplify maintainance" -20dcf071bc3076ee7db9d603cfbe6a06e86c7d5f -resulting in an incorrect dispatching of functions. - -Add back this check and at the same time remove the second check from -the called function which now becomes redundant. -Add another guard check for aead modes and reject not supported combinations. - -Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com> ---- - authenc.c | 11 +++++------ - 1 file changed, 5 insertions(+), 6 deletions(-) - -diff --git a/authenc.c b/authenc.c -index 692951f..fc32f43 100644 ---- a/authenc.c -+++ b/authenc.c -@@ -643,10 +643,6 @@ static int crypto_auth_zc_tls(struct csession *ses_ptr, struct kernel_crypt_auth - struct scatterlist tmp; - int ret; - -- if (unlikely(ses_ptr->cdata.aead != 0)) { -- return -EINVAL; -- } -- - if (unlikely(caop->auth_len > PAGE_SIZE)) { - derr(1, "auth data len is excessive."); - return -EINVAL; -@@ -787,10 +783,13 @@ __crypto_auth_run_zc(struct csession *ses_ptr, struct kernel_crypt_auth_op *kcao - - if (caop->flags & COP_FLAG_AEAD_SRTP_TYPE) { - ret = crypto_auth_zc_srtp(ses_ptr, kcaop); -- } else if (caop->flags & COP_FLAG_AEAD_TLS_TYPE) { -+ } else if (caop->flags & COP_FLAG_AEAD_TLS_TYPE && -+ ses_ptr->cdata.aead == 0) { - ret = crypto_auth_zc_tls(ses_ptr, kcaop); -- } else { -+ } else if (ses_ptr->cdata.aead) { - ret = crypto_auth_zc_aead(ses_ptr, kcaop); -+ } else { -+ ret = -EINVAL; - } - - return ret; --- -2.7.4 - diff --git a/recipes-kernel/cryptodev/sdk_patches/0009-add-support-for-composite-TLS10-SHA1-AES-algorithm-o.patch b/recipes-kernel/cryptodev/sdk_patches/0009-add-support-for-composite-TLS10-SHA1-AES-algorithm-o.patch deleted file mode 100644 index 795abdf0..00000000 --- a/recipes-kernel/cryptodev/sdk_patches/0009-add-support-for-composite-TLS10-SHA1-AES-algorithm-o.patch +++ /dev/null @@ -1,50 +0,0 @@ -From f365c69d7852d6579952825c9f90a27129f92d22 Mon Sep 17 00:00:00 2001 -From: Cristian Stoica <cristian.stoica@nxp.com> -Date: Tue, 13 Jun 2017 11:13:33 +0300 -Subject: [PATCH 9/9] add support for composite TLS10(SHA1,AES) algorithm - offload - -This adds support for composite algorithm offload as a primitive -crypto (cipher + hmac) operation. - -It requires kernel support for tls10(hmac(sha1),cbc(aes)) algorithm -provided either in software or accelerated by hardware such as -Freescale B*, P* and T* platforms. - -Signed-off-by: Cristian Stoica <cristian.stoica@nxp.com> ---- - crypto/cryptodev.h | 1 + - ioctl.c | 5 +++++ - 2 files changed, 6 insertions(+) - -diff --git a/crypto/cryptodev.h b/crypto/cryptodev.h -index 7fb9c7d..c0e8cd4 100644 ---- a/crypto/cryptodev.h -+++ b/crypto/cryptodev.h -@@ -50,6 +50,7 @@ enum cryptodev_crypto_op_t { - CRYPTO_SHA2_384, - CRYPTO_SHA2_512, - CRYPTO_SHA2_224_HMAC, -+ CRYPTO_TLS10_AES_CBC_HMAC_SHA1, - CRYPTO_ALGORITHM_ALL, /* Keep updated - see below */ - }; - -diff --git a/ioctl.c b/ioctl.c -index 8b0df4e..998f51a 100644 ---- a/ioctl.c -+++ b/ioctl.c -@@ -159,6 +159,11 @@ crypto_create_session(struct fcrypt *fcr, struct session_op *sop) - stream = 1; - aead = 1; - break; -+ case CRYPTO_TLS10_AES_CBC_HMAC_SHA1: -+ alg_name = "tls10(hmac(sha1),cbc(aes))"; -+ stream = 0; -+ aead = 1; -+ break; - case CRYPTO_NULL: - alg_name = "ecb(cipher_null)"; - stream = 1; --- -2.7.4 - |