The `walksize` assignment is missed in simd skcipher.
Signed-off-by: Jerry Shih <jerry.shih@sifive.com>
---
crypto/cryptd.c | 1 +
crypto/simd.c | 1 +
2 files changed, 2 insertions(+)
diff --git a/crypto/cryptd.c b/crypto/cryptd.c
index bbcc368b6a55..253d13504ccb 100644
--- a/crypto/cryptd.c
+++ b/crypto/cryptd.c
@@ -405,6 +405,7 @@ static int cryptd_create_skcipher(struct crypto_template *tmpl,
(alg->base.cra_flags & CRYPTO_ALG_INTERNAL);
inst->alg.ivsize = crypto_skcipher_alg_ivsize(alg);
inst->alg.chunksize = crypto_skcipher_alg_chunksize(alg);
+ inst->alg.walksize = crypto_skcipher_alg_walksize(alg);
inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg);
inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg);
diff --git a/crypto/simd.c b/crypto/simd.c
index edaa479a1ec5..ea0caabf90f1 100644
--- a/crypto/simd.c
+++ b/crypto/simd.c
@@ -181,6 +181,7 @@ struct simd_skcipher_alg *simd_skcipher_create_compat(const char *algname,
alg->ivsize = ialg->ivsize;
alg->chunksize = ialg->chunksize;
+ alg->walksize = ialg->walksize;
alg->min_keysize = ialg->min_keysize;
alg->max_keysize = ialg->max_keysize;
--
2.28.0On Mon, Nov 27, 2023 at 03:06:55PM +0800, Jerry Shih wrote: > The `walksize` assignment is missed in simd skcipher. > > Signed-off-by: Jerry Shih <jerry.shih@sifive.com> > --- > crypto/cryptd.c | 1 + > crypto/simd.c | 1 + > 2 files changed, 2 insertions(+) > > diff --git a/crypto/cryptd.c b/crypto/cryptd.c > index bbcc368b6a55..253d13504ccb 100644 > --- a/crypto/cryptd.c > +++ b/crypto/cryptd.c > @@ -405,6 +405,7 @@ static int cryptd_create_skcipher(struct crypto_template *tmpl, > (alg->base.cra_flags & CRYPTO_ALG_INTERNAL); > inst->alg.ivsize = crypto_skcipher_alg_ivsize(alg); > inst->alg.chunksize = crypto_skcipher_alg_chunksize(alg); > + inst->alg.walksize = crypto_skcipher_alg_walksize(alg); > inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg); > inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg); Sorry but this patch doesn't apply any more now that we have lskcipher. -- Email: Herbert Xu <herbert@gondor.apana.org.au> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
On Dec 8, 2023, at 12:05, Herbert Xu <herbert@gondor.apana.org.au> wrote: > On Mon, Nov 27, 2023 at 03:06:55PM +0800, Jerry Shih wrote: >> The `walksize` assignment is missed in simd skcipher. >> >> Signed-off-by: Jerry Shih <jerry.shih@sifive.com> >> --- >> crypto/cryptd.c | 1 + >> crypto/simd.c | 1 + >> 2 files changed, 2 insertions(+) >> >> diff --git a/crypto/cryptd.c b/crypto/cryptd.c >> index bbcc368b6a55..253d13504ccb 100644 >> --- a/crypto/cryptd.c >> +++ b/crypto/cryptd.c >> @@ -405,6 +405,7 @@ static int cryptd_create_skcipher(struct crypto_template *tmpl, >> (alg->base.cra_flags & CRYPTO_ALG_INTERNAL); >> inst->alg.ivsize = crypto_skcipher_alg_ivsize(alg); >> inst->alg.chunksize = crypto_skcipher_alg_chunksize(alg); >> + inst->alg.walksize = crypto_skcipher_alg_walksize(alg); >> inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg); >> inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg); > > Sorry but this patch doesn't apply any more now that we have > lskcipher. The lskcipher is merged in kernel `6.7`. I will rebase the v3 series to `6.7` later. Link: https://lore.kernel.org/all/20231205092801.1335-1-jerry.shih@sifive.com/ Some dependent patches are not applicable to `6.7` now. I will check the status for the dependent patches. -Jerry
On Mon, Nov 27, 2023 at 03:06:55PM +0800, Jerry Shih wrote: > The `walksize` assignment is missed in simd skcipher. > > Signed-off-by: Jerry Shih <jerry.shih@sifive.com> > --- > crypto/cryptd.c | 1 + > crypto/simd.c | 1 + > 2 files changed, 2 insertions(+) > > diff --git a/crypto/cryptd.c b/crypto/cryptd.c > index bbcc368b6a55..253d13504ccb 100644 > --- a/crypto/cryptd.c > +++ b/crypto/cryptd.c > @@ -405,6 +405,7 @@ static int cryptd_create_skcipher(struct crypto_template *tmpl, > (alg->base.cra_flags & CRYPTO_ALG_INTERNAL); > inst->alg.ivsize = crypto_skcipher_alg_ivsize(alg); > inst->alg.chunksize = crypto_skcipher_alg_chunksize(alg); > + inst->alg.walksize = crypto_skcipher_alg_walksize(alg); > inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg); > inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg); > > diff --git a/crypto/simd.c b/crypto/simd.c > index edaa479a1ec5..ea0caabf90f1 100644 > --- a/crypto/simd.c > +++ b/crypto/simd.c > @@ -181,6 +181,7 @@ struct simd_skcipher_alg *simd_skcipher_create_compat(const char *algname, > > alg->ivsize = ialg->ivsize; > alg->chunksize = ialg->chunksize; > + alg->walksize = ialg->walksize; > alg->min_keysize = ialg->min_keysize; > alg->max_keysize = ialg->max_keysize; What are the consequences of this bug? I wonder if it actually matters? The "inner" algorithm is the one that actually gets used for the "walk", right? - Eric
On Nov 28, 2023, at 11:58, Eric Biggers <ebiggers@kernel.org> wrote:
> On Mon, Nov 27, 2023 at 03:06:55PM +0800, Jerry Shih wrote:
>> The `walksize` assignment is missed in simd skcipher.
>>
>> Signed-off-by: Jerry Shih <jerry.shih@sifive.com>
>> ---
>> crypto/cryptd.c | 1 +
>> crypto/simd.c | 1 +
>> 2 files changed, 2 insertions(+)
>>
>> diff --git a/crypto/cryptd.c b/crypto/cryptd.c
>> index bbcc368b6a55..253d13504ccb 100644
>> --- a/crypto/cryptd.c
>> +++ b/crypto/cryptd.c
>> @@ -405,6 +405,7 @@ static int cryptd_create_skcipher(struct crypto_template *tmpl,
>> (alg->base.cra_flags & CRYPTO_ALG_INTERNAL);
>> inst->alg.ivsize = crypto_skcipher_alg_ivsize(alg);
>> inst->alg.chunksize = crypto_skcipher_alg_chunksize(alg);
>> + inst->alg.walksize = crypto_skcipher_alg_walksize(alg);
>> inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg);
>> inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg);
>>
>> diff --git a/crypto/simd.c b/crypto/simd.c
>> index edaa479a1ec5..ea0caabf90f1 100644
>> --- a/crypto/simd.c
>> +++ b/crypto/simd.c
>> @@ -181,6 +181,7 @@ struct simd_skcipher_alg *simd_skcipher_create_compat(const char *algname,
>>
>> alg->ivsize = ialg->ivsize;
>> alg->chunksize = ialg->chunksize;
>> + alg->walksize = ialg->walksize;
>> alg->min_keysize = ialg->min_keysize;
>> alg->max_keysize = ialg->max_keysize;
>
> What are the consequences of this bug? I wonder if it actually matters? The
> "inner" algorithm is the one that actually gets used for the "walk", right?
>
> - Eric
Without this, we might still use chunksize or cra_blocksize as the walksize
even though we setup with the larger walksize.
Here is the code for the walksize default value:
static int skcipher_prepare_alg(struct skcipher_alg *alg)
{
...
if (!alg->chunksize)
alg->chunksize = base->cra_blocksize;
if (!alg->walksize)
alg->walksize = alg->chunksize;
And we already have the bigger walksize for x86 aes-xts.
.base = {
.cra_name = "__xts(aes)",
...
},
.walksize = 2 * AES_BLOCK_SIZE,
The x86 aes-xts only uses one `walk` to handle the tail elements. It assumes
that the walksize contains 2 aes blocks. If walksize is not set correctly, maybe
some tail elements is not processed in simd-cipher mode for x86 aes-xts.
-Jerry
On Tue, Nov 28, 2023 at 01:38:29PM +0800, Jerry Shih wrote:
> On Nov 28, 2023, at 11:58, Eric Biggers <ebiggers@kernel.org> wrote:
> > On Mon, Nov 27, 2023 at 03:06:55PM +0800, Jerry Shih wrote:
> >> The `walksize` assignment is missed in simd skcipher.
> >>
> >> Signed-off-by: Jerry Shih <jerry.shih@sifive.com>
> >> ---
> >> crypto/cryptd.c | 1 +
> >> crypto/simd.c | 1 +
> >> 2 files changed, 2 insertions(+)
> >>
> >> diff --git a/crypto/cryptd.c b/crypto/cryptd.c
> >> index bbcc368b6a55..253d13504ccb 100644
> >> --- a/crypto/cryptd.c
> >> +++ b/crypto/cryptd.c
> >> @@ -405,6 +405,7 @@ static int cryptd_create_skcipher(struct crypto_template *tmpl,
> >> (alg->base.cra_flags & CRYPTO_ALG_INTERNAL);
> >> inst->alg.ivsize = crypto_skcipher_alg_ivsize(alg);
> >> inst->alg.chunksize = crypto_skcipher_alg_chunksize(alg);
> >> + inst->alg.walksize = crypto_skcipher_alg_walksize(alg);
> >> inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg);
> >> inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg);
> >>
> >> diff --git a/crypto/simd.c b/crypto/simd.c
> >> index edaa479a1ec5..ea0caabf90f1 100644
> >> --- a/crypto/simd.c
> >> +++ b/crypto/simd.c
> >> @@ -181,6 +181,7 @@ struct simd_skcipher_alg *simd_skcipher_create_compat(const char *algname,
> >>
> >> alg->ivsize = ialg->ivsize;
> >> alg->chunksize = ialg->chunksize;
> >> + alg->walksize = ialg->walksize;
> >> alg->min_keysize = ialg->min_keysize;
> >> alg->max_keysize = ialg->max_keysize;
> >
> > What are the consequences of this bug? I wonder if it actually matters? The
> > "inner" algorithm is the one that actually gets used for the "walk", right?
> >
> > - Eric
>
> Without this, we might still use chunksize or cra_blocksize as the walksize
> even though we setup with the larger walksize.
>
> Here is the code for the walksize default value:
> static int skcipher_prepare_alg(struct skcipher_alg *alg)
> {
> ...
> if (!alg->chunksize)
> alg->chunksize = base->cra_blocksize;
> if (!alg->walksize)
> alg->walksize = alg->chunksize;
>
> And we already have the bigger walksize for x86 aes-xts.
> .base = {
> .cra_name = "__xts(aes)",
> ...
> },
> .walksize = 2 * AES_BLOCK_SIZE,
>
> The x86 aes-xts only uses one `walk` to handle the tail elements. It assumes
> that the walksize contains 2 aes blocks. If walksize is not set correctly, maybe
> some tail elements is not processed in simd-cipher mode for x86 aes-xts.
With the SIMD helper there are three "algorithms": the underlying algorithm, the
cryptd algorithm, and the simd algorithm. This patch makes the "walksize"
property be propagated from the underlying algorithm to the cryptd and simd
algorithms. I don't see how that actually makes a difference, since the only
place the skcipher_walk happens is on the underlying algorithm. So it uses the
"walksize" from the underlying algorithm, right?
- Eric
On Nov 29, 2023, at 01:22, Eric Biggers <ebiggers@kernel.org> wrote:
> On Tue, Nov 28, 2023 at 01:38:29PM +0800, Jerry Shih wrote:
>> On Nov 28, 2023, at 11:58, Eric Biggers <ebiggers@kernel.org> wrote:
>>> On Mon, Nov 27, 2023 at 03:06:55PM +0800, Jerry Shih wrote:
>>>> The `walksize` assignment is missed in simd skcipher.
>>>>
>>>> Signed-off-by: Jerry Shih <jerry.shih@sifive.com>
>>>> ---
>>>> crypto/cryptd.c | 1 +
>>>> crypto/simd.c | 1 +
>>>> 2 files changed, 2 insertions(+)
>>>>
>>>> diff --git a/crypto/cryptd.c b/crypto/cryptd.c
>>>> index bbcc368b6a55..253d13504ccb 100644
>>>> --- a/crypto/cryptd.c
>>>> +++ b/crypto/cryptd.c
>>>> @@ -405,6 +405,7 @@ static int cryptd_create_skcipher(struct crypto_template *tmpl,
>>>> (alg->base.cra_flags & CRYPTO_ALG_INTERNAL);
>>>> inst->alg.ivsize = crypto_skcipher_alg_ivsize(alg);
>>>> inst->alg.chunksize = crypto_skcipher_alg_chunksize(alg);
>>>> + inst->alg.walksize = crypto_skcipher_alg_walksize(alg);
>>>> inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg);
>>>> inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg);
>>>>
>>>> diff --git a/crypto/simd.c b/crypto/simd.c
>>>> index edaa479a1ec5..ea0caabf90f1 100644
>>>> --- a/crypto/simd.c
>>>> +++ b/crypto/simd.c
>>>> @@ -181,6 +181,7 @@ struct simd_skcipher_alg *simd_skcipher_create_compat(const char *algname,
>>>>
>>>> alg->ivsize = ialg->ivsize;
>>>> alg->chunksize = ialg->chunksize;
>>>> + alg->walksize = ialg->walksize;
>>>> alg->min_keysize = ialg->min_keysize;
>>>> alg->max_keysize = ialg->max_keysize;
>>>
>>> What are the consequences of this bug? I wonder if it actually matters? The
>>> "inner" algorithm is the one that actually gets used for the "walk", right?
>>>
>>> - Eric
>>
>> Without this, we might still use chunksize or cra_blocksize as the walksize
>> even though we setup with the larger walksize.
>>
>> Here is the code for the walksize default value:
>> static int skcipher_prepare_alg(struct skcipher_alg *alg)
>> {
>> ...
>> if (!alg->chunksize)
>> alg->chunksize = base->cra_blocksize;
>> if (!alg->walksize)
>> alg->walksize = alg->chunksize;
>>
>> And we already have the bigger walksize for x86 aes-xts.
>> .base = {
>> .cra_name = "__xts(aes)",
>> ...
>> },
>> .walksize = 2 * AES_BLOCK_SIZE,
>>
>> The x86 aes-xts only uses one `walk` to handle the tail elements. It assumes
>> that the walksize contains 2 aes blocks. If walksize is not set correctly, maybe
>> some tail elements is not processed in simd-cipher mode for x86 aes-xts.
>
> With the SIMD helper there are three "algorithms": the underlying algorithm, the
> cryptd algorithm, and the simd algorithm. This patch makes the "walksize"
> property be propagated from the underlying algorithm to the cryptd and simd
> algorithms. I don't see how that actually makes a difference, since the only
> place the skcipher_walk happens is on the underlying algorithm. So it uses the
> "walksize" from the underlying algorithm, right?
>
> - Eric
Yes, you are right.
I re-check the cryptd and simd cipher flow. They use the underlying algorithms.
So, the actual `walksize` in the underlying algorithm is set by the user in
skcipher_alg def.
The x86 aes-xts works correctly for both cryptd and simd-cipher case.
This patch becomes fixing the `walksize` display error in `/proc/crypto`.
The aes-xts skcipher_alg def:
...
.ivsize = AES_BLOCK_SIZE,
.chunksize = AES_BLOCK_SIZE,
.walksize = AES_BLOCK_SIZE * 8,
.base = {
.cra_flags = CRYPTO_ALG_INTERNAL,
.cra_name = "__xts(aes)",
.cra_driver_name = "__xts-aes-riscv64-zvkned-zvbb-zvkg",
...
},
Without patch:
The original skcipher:
name : __xts(aes)
driver : __xts-aes-riscv64-zvkned-zvbb-zvkg
internal : yes
async : no
...
walksize : 128
The async skcipher registered by simd_register_skciphers_compat:
name : xts(aes)
driver : xts-aes-riscv64-zvkned-zvbb-zvkg
internal : no
async : yes
...
walksize : 16
...
name : __xts(aes)
driver : cryptd(__xts-aes-riscv64-zvkned-zvbb-zvkg)
internal : yes
async : yes
...
walksize : 16
With patch:
name : xts(aes)
driver : xts-aes-riscv64-zvkned-zvbb-zvkg
internal : no
async : yes
...
walksize : 128
...
name : __xts(aes)
driver : cryptd(__xts-aes-riscv64-zvkned-zvbb-zvkg)
internal : yes
async : yes
...
walksize : 128
© 2016 - 2025 Red Hat, Inc.