2019-05-27 14:55:01 +08:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2006-08-21 19:08:13 +08:00
|
|
|
/*
|
|
|
|
* Cryptographic API for algorithms (i.e., low-level API).
|
|
|
|
*
|
|
|
|
* Copyright (c) 2006 Herbert Xu <herbert@gondor.apana.org.au>
|
|
|
|
*/
|
|
|
|
|
2018-04-09 21:54:46 +08:00
|
|
|
#include <crypto/algapi.h>
|
2022-01-14 14:40:30 +08:00
|
|
|
#include <crypto/internal/simd.h>
|
2006-09-21 09:39:29 +08:00
|
|
|
#include <linux/err.h>
|
2006-08-21 19:08:13 +08:00
|
|
|
#include <linux/errno.h>
|
2015-04-22 13:25:53 +08:00
|
|
|
#include <linux/fips.h>
|
2006-08-21 19:08:13 +08:00
|
|
|
#include <linux/init.h>
|
|
|
|
#include <linux/kernel.h>
|
2006-08-06 19:16:34 +08:00
|
|
|
#include <linux/list.h>
|
2006-08-21 19:08:13 +08:00
|
|
|
#include <linux/module.h>
|
2006-08-06 21:10:45 +08:00
|
|
|
#include <linux/rtnetlink.h>
|
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 16:04:11 +08:00
|
|
|
#include <linux/slab.h>
|
2006-08-21 19:08:13 +08:00
|
|
|
#include <linux/string.h>
|
2023-08-03 17:59:28 +08:00
|
|
|
#include <linux/workqueue.h>
|
2006-08-21 19:08:13 +08:00
|
|
|
|
|
|
|
#include "internal.h"
|
|
|
|
|
2006-08-06 19:16:34 +08:00
|
|
|
static LIST_HEAD(crypto_template_list);
|
|
|
|
|
2022-01-14 14:40:30 +08:00
|
|
|
#ifdef CONFIG_CRYPTO_MANAGER_EXTRA_TESTS
|
|
|
|
DEFINE_PER_CPU(bool, crypto_simd_disabled_for_test);
|
|
|
|
EXPORT_PER_CPU_SYMBOL_GPL(crypto_simd_disabled_for_test);
|
|
|
|
#endif
|
|
|
|
|
2014-07-03 03:37:30 +08:00
|
|
|
static inline void crypto_check_module_sig(struct module *mod)
|
|
|
|
{
|
2015-04-22 11:28:46 +08:00
|
|
|
if (fips_enabled && mod && !module_sig_ok(mod))
|
2014-07-03 03:37:30 +08:00
|
|
|
panic("Module %s signature verification failed in FIPS mode\n",
|
2015-04-23 14:48:05 +08:00
|
|
|
module_name(mod));
|
2014-07-03 03:37:30 +08:00
|
|
|
}
|
|
|
|
|
2006-08-06 19:16:34 +08:00
|
|
|
static int crypto_check_alg(struct crypto_alg *alg)
|
2006-08-21 19:08:13 +08:00
|
|
|
{
|
2014-07-03 03:37:30 +08:00
|
|
|
crypto_check_module_sig(alg->cra_module);
|
|
|
|
|
2019-06-03 13:40:58 +08:00
|
|
|
if (!alg->cra_name[0] || !alg->cra_driver_name[0])
|
|
|
|
return -EINVAL;
|
|
|
|
|
2006-08-21 19:08:13 +08:00
|
|
|
if (alg->cra_alignmask & (alg->cra_alignmask + 1))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2018-08-08 05:18:40 +08:00
|
|
|
/* General maximums for all algs. */
|
|
|
|
if (alg->cra_alignmask > MAX_ALGAPI_ALIGNMASK)
|
2006-08-21 19:08:13 +08:00
|
|
|
return -EINVAL;
|
|
|
|
|
2018-08-08 05:18:40 +08:00
|
|
|
if (alg->cra_blocksize > MAX_ALGAPI_BLOCKSIZE)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
/* Lower maximums for specific alg types. */
|
2018-04-09 21:54:46 +08:00
|
|
|
if (!alg->cra_type && (alg->cra_flags & CRYPTO_ALG_TYPE_MASK) ==
|
|
|
|
CRYPTO_ALG_TYPE_CIPHER) {
|
|
|
|
if (alg->cra_alignmask > MAX_CIPHER_ALIGNMASK)
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (alg->cra_blocksize > MAX_CIPHER_BLOCKSIZE)
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
|
|
|
|
2006-08-21 19:08:13 +08:00
|
|
|
if (alg->cra_priority < 0)
|
|
|
|
return -EINVAL;
|
|
|
|
|
2017-12-30 00:00:46 +08:00
|
|
|
refcount_set(&alg->cra_refcnt, 1);
|
2015-04-09 17:40:35 +08:00
|
|
|
|
2019-06-03 13:40:58 +08:00
|
|
|
return 0;
|
2006-08-06 19:16:34 +08:00
|
|
|
}
|
|
|
|
|
2015-07-09 07:17:15 +08:00
|
|
|
static void crypto_free_instance(struct crypto_instance *inst)
|
|
|
|
{
|
|
|
|
inst->alg.cra_type->free(inst);
|
|
|
|
}
|
|
|
|
|
2023-08-03 17:59:28 +08:00
|
|
|
static void crypto_destroy_instance_workfn(struct work_struct *w)
|
2006-09-21 09:39:29 +08:00
|
|
|
{
|
2023-08-03 17:59:28 +08:00
|
|
|
struct crypto_instance *inst = container_of(w, struct crypto_instance,
|
|
|
|
free_work);
|
2006-09-21 09:39:29 +08:00
|
|
|
struct crypto_template *tmpl = inst->tmpl;
|
|
|
|
|
2015-07-09 07:17:15 +08:00
|
|
|
crypto_free_instance(inst);
|
2006-09-21 09:39:29 +08:00
|
|
|
crypto_tmpl_put(tmpl);
|
|
|
|
}
|
|
|
|
|
2023-08-03 17:59:28 +08:00
|
|
|
static void crypto_destroy_instance(struct crypto_alg *alg)
|
|
|
|
{
|
|
|
|
struct crypto_instance *inst = container_of(alg,
|
|
|
|
struct crypto_instance,
|
|
|
|
alg);
|
|
|
|
|
|
|
|
INIT_WORK(&inst->free_work, crypto_destroy_instance_workfn);
|
|
|
|
schedule_work(&inst->free_work);
|
|
|
|
}
|
|
|
|
|
2019-12-07 22:33:51 +08:00
|
|
|
/*
|
|
|
|
* This function adds a spawn to the list secondary_spawns which
|
|
|
|
* will be used at the end of crypto_remove_spawns to unregister
|
|
|
|
* instances, unless the spawn happens to be one that is depended
|
|
|
|
* on by the new algorithm (nalg in crypto_remove_spawns).
|
|
|
|
*
|
|
|
|
* This function is also responsible for resurrecting any algorithms
|
|
|
|
* in the dependency chain of nalg by unsetting n->dead.
|
|
|
|
*/
|
2009-08-31 13:56:54 +08:00
|
|
|
static struct list_head *crypto_more_spawns(struct crypto_alg *alg,
|
|
|
|
struct list_head *stack,
|
|
|
|
struct list_head *top,
|
|
|
|
struct list_head *secondary_spawns)
|
|
|
|
{
|
|
|
|
struct crypto_spawn *spawn, *n;
|
|
|
|
|
2015-11-16 22:37:14 +08:00
|
|
|
spawn = list_first_entry_or_null(stack, struct crypto_spawn, list);
|
|
|
|
if (!spawn)
|
2009-08-31 13:56:54 +08:00
|
|
|
return NULL;
|
|
|
|
|
2019-12-07 22:15:17 +08:00
|
|
|
n = list_prev_entry(spawn, list);
|
|
|
|
list_move(&spawn->list, secondary_spawns);
|
2009-08-31 13:56:54 +08:00
|
|
|
|
2019-12-07 22:15:17 +08:00
|
|
|
if (list_is_last(&n->list, stack))
|
|
|
|
return top;
|
2009-08-31 13:56:54 +08:00
|
|
|
|
2019-12-07 22:15:17 +08:00
|
|
|
n = list_next_entry(n, list);
|
|
|
|
if (!spawn->dead)
|
|
|
|
n->dead = false;
|
2009-08-31 13:56:54 +08:00
|
|
|
|
2019-12-07 22:15:17 +08:00
|
|
|
return &n->inst->alg.cra_users;
|
2009-08-31 13:56:54 +08:00
|
|
|
}
|
|
|
|
|
2015-04-02 22:31:22 +08:00
|
|
|
static void crypto_remove_instance(struct crypto_instance *inst,
|
|
|
|
struct list_head *list)
|
2006-09-21 09:39:29 +08:00
|
|
|
{
|
2007-04-08 19:31:36 +08:00
|
|
|
struct crypto_template *tmpl = inst->tmpl;
|
2006-09-21 09:39:29 +08:00
|
|
|
|
2007-04-08 19:31:36 +08:00
|
|
|
if (crypto_is_dead(&inst->alg))
|
|
|
|
return;
|
2006-09-21 09:39:29 +08:00
|
|
|
|
2007-04-08 19:31:36 +08:00
|
|
|
inst->alg.cra_flags |= CRYPTO_ALG_DEAD;
|
2007-11-17 22:09:38 +08:00
|
|
|
|
2007-04-08 19:31:36 +08:00
|
|
|
if (!tmpl || !crypto_tmpl_get(tmpl))
|
|
|
|
return;
|
|
|
|
|
|
|
|
list_move(&inst->alg.cra_list, list);
|
|
|
|
hlist_del(&inst->list);
|
|
|
|
inst->alg.cra_destroy = crypto_destroy_instance;
|
|
|
|
|
2009-08-31 13:56:54 +08:00
|
|
|
BUG_ON(!list_empty(&inst->alg.cra_users));
|
2007-04-08 19:31:36 +08:00
|
|
|
}
|
|
|
|
|
2019-12-07 22:33:51 +08:00
|
|
|
/*
|
|
|
|
* Given an algorithm alg, remove all algorithms that depend on it
|
|
|
|
* through spawns. If nalg is not null, then exempt any algorithms
|
|
|
|
* that is depended on by nalg. This is useful when nalg itself
|
|
|
|
* depends on alg.
|
|
|
|
*/
|
2011-09-27 13:22:08 +08:00
|
|
|
void crypto_remove_spawns(struct crypto_alg *alg, struct list_head *list,
|
|
|
|
struct crypto_alg *nalg)
|
2007-04-08 19:31:36 +08:00
|
|
|
{
|
2009-08-31 13:56:54 +08:00
|
|
|
u32 new_type = (nalg ?: alg)->cra_flags;
|
2007-04-08 19:31:36 +08:00
|
|
|
struct crypto_spawn *spawn, *n;
|
|
|
|
LIST_HEAD(secondary_spawns);
|
2009-08-31 13:56:54 +08:00
|
|
|
struct list_head *spawns;
|
|
|
|
LIST_HEAD(stack);
|
|
|
|
LIST_HEAD(top);
|
2006-09-21 09:39:29 +08:00
|
|
|
|
2009-08-31 13:56:54 +08:00
|
|
|
spawns = &alg->cra_users;
|
2007-04-08 19:31:36 +08:00
|
|
|
list_for_each_entry_safe(spawn, n, spawns, list) {
|
|
|
|
if ((spawn->alg->cra_flags ^ new_type) & spawn->mask)
|
2006-09-21 09:39:29 +08:00
|
|
|
continue;
|
|
|
|
|
2009-08-31 13:56:54 +08:00
|
|
|
list_move(&spawn->list, &top);
|
2007-04-08 19:31:36 +08:00
|
|
|
}
|
2006-09-21 09:39:29 +08:00
|
|
|
|
2019-12-07 22:33:51 +08:00
|
|
|
/*
|
|
|
|
* Perform a depth-first walk starting from alg through
|
|
|
|
* the cra_users tree. The list stack records the path
|
|
|
|
* from alg to the current spawn.
|
|
|
|
*/
|
2009-08-31 13:56:54 +08:00
|
|
|
spawns = ⊤
|
|
|
|
do {
|
|
|
|
while (!list_empty(spawns)) {
|
|
|
|
struct crypto_instance *inst;
|
|
|
|
|
|
|
|
spawn = list_first_entry(spawns, struct crypto_spawn,
|
|
|
|
list);
|
|
|
|
inst = spawn->inst;
|
|
|
|
|
|
|
|
list_move(&spawn->list, &stack);
|
2019-12-18 15:53:01 +08:00
|
|
|
spawn->dead = !spawn->registered || &inst->alg != nalg;
|
|
|
|
|
|
|
|
if (!spawn->registered)
|
|
|
|
break;
|
|
|
|
|
|
|
|
BUG_ON(&inst->alg == alg);
|
2009-08-31 13:56:54 +08:00
|
|
|
|
|
|
|
if (&inst->alg == nalg)
|
|
|
|
break;
|
|
|
|
|
|
|
|
spawns = &inst->alg.cra_users;
|
2017-12-30 04:30:19 +08:00
|
|
|
|
|
|
|
/*
|
2019-12-18 15:53:01 +08:00
|
|
|
* Even if spawn->registered is true, the
|
|
|
|
* instance itself may still be unregistered.
|
|
|
|
* This is because it may have failed during
|
|
|
|
* registration. Therefore we still need to
|
|
|
|
* make the following test.
|
|
|
|
*
|
2017-12-30 04:30:19 +08:00
|
|
|
* We may encounter an unregistered instance here, since
|
|
|
|
* an instance's spawns are set up prior to the instance
|
|
|
|
* being registered. An unregistered instance will have
|
|
|
|
* NULL ->cra_users.next, since ->cra_users isn't
|
|
|
|
* properly initialized until registration. But an
|
|
|
|
* unregistered instance cannot have any users, so treat
|
|
|
|
* it the same as ->cra_users being empty.
|
|
|
|
*/
|
|
|
|
if (spawns->next == NULL)
|
|
|
|
break;
|
2009-08-31 13:56:54 +08:00
|
|
|
}
|
|
|
|
} while ((spawns = crypto_more_spawns(alg, &stack, &top,
|
|
|
|
&secondary_spawns)));
|
|
|
|
|
2019-12-07 22:33:51 +08:00
|
|
|
/*
|
|
|
|
* Remove all instances that are marked as dead. Also
|
|
|
|
* complete the resurrection of the others by moving them
|
|
|
|
* back to the cra_users list.
|
|
|
|
*/
|
2009-08-31 13:56:54 +08:00
|
|
|
list_for_each_entry_safe(spawn, n, &secondary_spawns, list) {
|
2019-12-07 22:15:17 +08:00
|
|
|
if (!spawn->dead)
|
2009-08-31 13:56:54 +08:00
|
|
|
list_move(&spawn->list, &spawn->alg->cra_users);
|
2019-12-18 15:53:01 +08:00
|
|
|
else if (spawn->registered)
|
2015-04-02 22:31:22 +08:00
|
|
|
crypto_remove_instance(spawn->inst, list);
|
2006-09-21 09:39:29 +08:00
|
|
|
}
|
|
|
|
}
|
2011-09-27 13:22:08 +08:00
|
|
|
EXPORT_SYMBOL_GPL(crypto_remove_spawns);
|
2006-09-21 09:39:29 +08:00
|
|
|
|
crypto: api - optimize algorithm registration when self-tests disabled
Currently, registering an algorithm with the crypto API always causes a
notification to be posted to the "cryptomgr", which then creates a
kthread to self-test the algorithm. However, if self-tests are disabled
in the kconfig (as is the default option), then this kthread just
notifies waiters that the algorithm has been tested, then exits.
This causes a significant amount of overhead, especially in the kthread
creation and destruction, which is not necessary at all. For example,
in a quick test I found that booting a "minimum" x86_64 kernel with all
the crypto options enabled (except for the self-tests) takes about 400ms
until PID 1 can start. Of that, a full 13ms is spent just doing this
pointless dance, involving a kthread being created, run, and destroyed
over 200 times. That's over 3% of the entire kernel start time.
Fix this by just skipping the creation of the test larval and the
posting of the registration notification entirely, when self-tests are
disabled.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-11-14 08:12:33 +08:00
|
|
|
static void crypto_alg_finish_registration(struct crypto_alg *alg,
|
|
|
|
bool fulfill_requests,
|
|
|
|
struct list_head *algs_to_put)
|
|
|
|
{
|
|
|
|
struct crypto_alg *q;
|
|
|
|
|
|
|
|
list_for_each_entry(q, &crypto_alg_list, cra_list) {
|
|
|
|
if (q == alg)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
if (crypto_is_moribund(q))
|
|
|
|
continue;
|
|
|
|
|
|
|
|
if (crypto_is_larval(q)) {
|
|
|
|
struct crypto_larval *larval = (void *)q;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* Check to see if either our generic name or
|
|
|
|
* specific name can satisfy the name requested
|
|
|
|
* by the larval entry q.
|
|
|
|
*/
|
|
|
|
if (strcmp(alg->cra_name, q->cra_name) &&
|
|
|
|
strcmp(alg->cra_driver_name, q->cra_name))
|
|
|
|
continue;
|
|
|
|
|
|
|
|
if (larval->adult)
|
|
|
|
continue;
|
|
|
|
if ((q->cra_flags ^ alg->cra_flags) & larval->mask)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
if (fulfill_requests && crypto_mod_get(alg))
|
|
|
|
larval->adult = alg;
|
|
|
|
else
|
|
|
|
larval->adult = ERR_PTR(-EAGAIN);
|
|
|
|
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (strcmp(alg->cra_name, q->cra_name))
|
|
|
|
continue;
|
|
|
|
|
|
|
|
if (strcmp(alg->cra_driver_name, q->cra_driver_name) &&
|
|
|
|
q->cra_priority > alg->cra_priority)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
crypto_remove_spawns(q, algs_to_put, alg);
|
|
|
|
}
|
|
|
|
|
|
|
|
crypto_notify(CRYPTO_MSG_ALG_LOADED, alg);
|
|
|
|
}
|
|
|
|
|
2021-10-19 21:28:02 +08:00
|
|
|
static struct crypto_larval *crypto_alloc_test_larval(struct crypto_alg *alg)
|
|
|
|
{
|
|
|
|
struct crypto_larval *larval;
|
|
|
|
|
crypto: api - optimize algorithm registration when self-tests disabled
Currently, registering an algorithm with the crypto API always causes a
notification to be posted to the "cryptomgr", which then creates a
kthread to self-test the algorithm. However, if self-tests are disabled
in the kconfig (as is the default option), then this kthread just
notifies waiters that the algorithm has been tested, then exits.
This causes a significant amount of overhead, especially in the kthread
creation and destruction, which is not necessary at all. For example,
in a quick test I found that booting a "minimum" x86_64 kernel with all
the crypto options enabled (except for the self-tests) takes about 400ms
until PID 1 can start. Of that, a full 13ms is spent just doing this
pointless dance, involving a kthread being created, run, and destroyed
over 200 times. That's over 3% of the entire kernel start time.
Fix this by just skipping the creation of the test larval and the
posting of the registration notification entirely, when self-tests are
disabled.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-11-14 08:12:33 +08:00
|
|
|
if (!IS_ENABLED(CONFIG_CRYPTO_MANAGER) ||
|
2022-11-14 08:12:34 +08:00
|
|
|
IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS) ||
|
|
|
|
(alg->cra_flags & CRYPTO_ALG_INTERNAL))
|
crypto: api - optimize algorithm registration when self-tests disabled
Currently, registering an algorithm with the crypto API always causes a
notification to be posted to the "cryptomgr", which then creates a
kthread to self-test the algorithm. However, if self-tests are disabled
in the kconfig (as is the default option), then this kthread just
notifies waiters that the algorithm has been tested, then exits.
This causes a significant amount of overhead, especially in the kthread
creation and destruction, which is not necessary at all. For example,
in a quick test I found that booting a "minimum" x86_64 kernel with all
the crypto options enabled (except for the self-tests) takes about 400ms
until PID 1 can start. Of that, a full 13ms is spent just doing this
pointless dance, involving a kthread being created, run, and destroyed
over 200 times. That's over 3% of the entire kernel start time.
Fix this by just skipping the creation of the test larval and the
posting of the registration notification entirely, when self-tests are
disabled.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-11-14 08:12:33 +08:00
|
|
|
return NULL; /* No self-test needed */
|
2021-10-19 21:28:02 +08:00
|
|
|
|
|
|
|
larval = crypto_larval_alloc(alg->cra_name,
|
|
|
|
alg->cra_flags | CRYPTO_ALG_TESTED, 0);
|
|
|
|
if (IS_ERR(larval))
|
|
|
|
return larval;
|
|
|
|
|
|
|
|
larval->adult = crypto_mod_get(alg);
|
|
|
|
if (!larval->adult) {
|
|
|
|
kfree(larval);
|
|
|
|
return ERR_PTR(-ENOENT);
|
|
|
|
}
|
|
|
|
|
|
|
|
refcount_set(&larval->alg.cra_refcnt, 1);
|
|
|
|
memcpy(larval->alg.cra_driver_name, alg->cra_driver_name,
|
|
|
|
CRYPTO_MAX_ALG_NAME);
|
|
|
|
larval->alg.cra_priority = alg->cra_priority;
|
|
|
|
|
|
|
|
return larval;
|
|
|
|
}
|
|
|
|
|
crypto: api - optimize algorithm registration when self-tests disabled
Currently, registering an algorithm with the crypto API always causes a
notification to be posted to the "cryptomgr", which then creates a
kthread to self-test the algorithm. However, if self-tests are disabled
in the kconfig (as is the default option), then this kthread just
notifies waiters that the algorithm has been tested, then exits.
This causes a significant amount of overhead, especially in the kthread
creation and destruction, which is not necessary at all. For example,
in a quick test I found that booting a "minimum" x86_64 kernel with all
the crypto options enabled (except for the self-tests) takes about 400ms
until PID 1 can start. Of that, a full 13ms is spent just doing this
pointless dance, involving a kthread being created, run, and destroyed
over 200 times. That's over 3% of the entire kernel start time.
Fix this by just skipping the creation of the test larval and the
posting of the registration notification entirely, when self-tests are
disabled.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-11-14 08:12:33 +08:00
|
|
|
static struct crypto_larval *
|
|
|
|
__crypto_register_alg(struct crypto_alg *alg, struct list_head *algs_to_put)
|
2006-08-06 19:16:34 +08:00
|
|
|
{
|
|
|
|
struct crypto_alg *q;
|
2008-08-03 21:15:23 +08:00
|
|
|
struct crypto_larval *larval;
|
2006-09-21 09:39:29 +08:00
|
|
|
int ret = -EAGAIN;
|
|
|
|
|
|
|
|
if (crypto_is_dead(alg))
|
2008-08-03 21:15:23 +08:00
|
|
|
goto err;
|
2006-09-21 09:39:29 +08:00
|
|
|
|
|
|
|
INIT_LIST_HEAD(&alg->cra_users);
|
|
|
|
|
|
|
|
ret = -EEXIST;
|
2006-08-06 19:16:34 +08:00
|
|
|
|
2006-08-21 19:08:13 +08:00
|
|
|
list_for_each_entry(q, &crypto_alg_list, cra_list) {
|
2006-08-06 19:16:34 +08:00
|
|
|
if (q == alg)
|
2008-08-03 21:15:23 +08:00
|
|
|
goto err;
|
|
|
|
|
2009-01-28 11:09:59 +08:00
|
|
|
if (crypto_is_moribund(q))
|
|
|
|
continue;
|
|
|
|
|
2008-08-03 21:15:23 +08:00
|
|
|
if (crypto_is_larval(q)) {
|
|
|
|
if (!strcmp(alg->cra_driver_name, q->cra_driver_name))
|
|
|
|
goto err;
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!strcmp(q->cra_driver_name, alg->cra_name) ||
|
2023-12-07 18:36:57 +08:00
|
|
|
!strcmp(q->cra_driver_name, alg->cra_driver_name) ||
|
2008-08-03 21:15:23 +08:00
|
|
|
!strcmp(q->cra_name, alg->cra_driver_name))
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
|
2021-10-19 21:28:02 +08:00
|
|
|
larval = crypto_alloc_test_larval(alg);
|
2008-08-03 21:15:23 +08:00
|
|
|
if (IS_ERR(larval))
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
list_add(&alg->cra_list, &crypto_alg_list);
|
2021-10-19 21:28:02 +08:00
|
|
|
|
crypto: api - optimize algorithm registration when self-tests disabled
Currently, registering an algorithm with the crypto API always causes a
notification to be posted to the "cryptomgr", which then creates a
kthread to self-test the algorithm. However, if self-tests are disabled
in the kconfig (as is the default option), then this kthread just
notifies waiters that the algorithm has been tested, then exits.
This causes a significant amount of overhead, especially in the kthread
creation and destruction, which is not necessary at all. For example,
in a quick test I found that booting a "minimum" x86_64 kernel with all
the crypto options enabled (except for the self-tests) takes about 400ms
until PID 1 can start. Of that, a full 13ms is spent just doing this
pointless dance, involving a kthread being created, run, and destroyed
over 200 times. That's over 3% of the entire kernel start time.
Fix this by just skipping the creation of the test larval and the
posting of the registration notification entirely, when self-tests are
disabled.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-11-14 08:12:33 +08:00
|
|
|
if (larval) {
|
|
|
|
/* No cheating! */
|
|
|
|
alg->cra_flags &= ~CRYPTO_ALG_TESTED;
|
|
|
|
|
2021-10-19 21:28:02 +08:00
|
|
|
list_add(&larval->alg.cra_list, &crypto_alg_list);
|
crypto: api - optimize algorithm registration when self-tests disabled
Currently, registering an algorithm with the crypto API always causes a
notification to be posted to the "cryptomgr", which then creates a
kthread to self-test the algorithm. However, if self-tests are disabled
in the kconfig (as is the default option), then this kthread just
notifies waiters that the algorithm has been tested, then exits.
This causes a significant amount of overhead, especially in the kthread
creation and destruction, which is not necessary at all. For example,
in a quick test I found that booting a "minimum" x86_64 kernel with all
the crypto options enabled (except for the self-tests) takes about 400ms
until PID 1 can start. Of that, a full 13ms is spent just doing this
pointless dance, involving a kthread being created, run, and destroyed
over 200 times. That's over 3% of the entire kernel start time.
Fix this by just skipping the creation of the test larval and the
posting of the registration notification entirely, when self-tests are
disabled.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-11-14 08:12:33 +08:00
|
|
|
} else {
|
2021-11-05 15:26:08 +08:00
|
|
|
alg->cra_flags |= CRYPTO_ALG_TESTED;
|
crypto: api - optimize algorithm registration when self-tests disabled
Currently, registering an algorithm with the crypto API always causes a
notification to be posted to the "cryptomgr", which then creates a
kthread to self-test the algorithm. However, if self-tests are disabled
in the kconfig (as is the default option), then this kthread just
notifies waiters that the algorithm has been tested, then exits.
This causes a significant amount of overhead, especially in the kthread
creation and destruction, which is not necessary at all. For example,
in a quick test I found that booting a "minimum" x86_64 kernel with all
the crypto options enabled (except for the self-tests) takes about 400ms
until PID 1 can start. Of that, a full 13ms is spent just doing this
pointless dance, involving a kthread being created, run, and destroyed
over 200 times. That's over 3% of the entire kernel start time.
Fix this by just skipping the creation of the test larval and the
posting of the registration notification entirely, when self-tests are
disabled.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-11-14 08:12:33 +08:00
|
|
|
crypto_alg_finish_registration(alg, true, algs_to_put);
|
|
|
|
}
|
2018-09-19 18:10:54 +08:00
|
|
|
|
2010-02-16 20:25:21 +08:00
|
|
|
out:
|
2008-08-03 21:15:23 +08:00
|
|
|
return larval;
|
|
|
|
|
|
|
|
err:
|
|
|
|
larval = ERR_PTR(ret);
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
void crypto_alg_tested(const char *name, int err)
|
|
|
|
{
|
|
|
|
struct crypto_larval *test;
|
|
|
|
struct crypto_alg *alg;
|
|
|
|
struct crypto_alg *q;
|
|
|
|
LIST_HEAD(list);
|
2019-12-11 10:50:11 +08:00
|
|
|
bool best;
|
2008-08-03 21:15:23 +08:00
|
|
|
|
|
|
|
down_write(&crypto_alg_sem);
|
|
|
|
list_for_each_entry(q, &crypto_alg_list, cra_list) {
|
2009-01-28 11:09:59 +08:00
|
|
|
if (crypto_is_moribund(q) || !crypto_is_larval(q))
|
2008-08-03 21:15:23 +08:00
|
|
|
continue;
|
|
|
|
|
|
|
|
test = (struct crypto_larval *)q;
|
|
|
|
|
|
|
|
if (!strcmp(q->cra_driver_name, name))
|
|
|
|
goto found;
|
|
|
|
}
|
|
|
|
|
2017-05-14 03:05:19 +08:00
|
|
|
pr_err("alg: Unexpected test result for %s: %d\n", name, err);
|
2008-08-03 21:15:23 +08:00
|
|
|
goto unlock;
|
|
|
|
|
|
|
|
found:
|
2009-01-28 11:09:59 +08:00
|
|
|
q->cra_flags |= CRYPTO_ALG_DEAD;
|
2008-08-03 21:15:23 +08:00
|
|
|
alg = test->adult;
|
crypto: api - allow algs only in specific constructions in FIPS mode
Currently we do not distinguish between algorithms that fail on
the self-test vs. those which are disabled in FIPS mode (not allowed).
Both are marked as having failed the self-test.
Recently the need arose to allow the usage of certain algorithms only
as arguments to specific template instantiations in FIPS mode. For
example, standalone "dh" must be blocked, but e.g. "ffdhe2048(dh)" is
allowed. Other potential use cases include "cbcmac(aes)", which must
only be used with ccm(), or "ghash", which must be used only for
gcm().
This patch allows this scenario by adding a new flag FIPS_INTERNAL to
indicate those algorithms that are not FIPS-allowed. They can then be
used as template arguments only, i.e. when looked up via
crypto_grab_spawn() to be more specific. The FIPS_INTERNAL bit gets
propagated upwards recursively into the surrounding template
instances, until the construction eventually matches an explicit
testmgr entry with ->fips_allowed being set, if any.
The behaviour to skip !->fips_allowed self-test executions in FIPS
mode will be retained. Note that this effectively means that
FIPS_INTERNAL algorithms are handled very similarly to the INTERNAL
ones in this regard. It is expected that the FIPS_INTERNAL algorithms
will receive sufficient testing when the larger constructions they're
a part of, if any, get exercised by testmgr.
Note that as a side-effect of this patch algorithms which are not
FIPS-allowed will now return ENOENT instead of ELIBBAD. Hopefully
this is not an issue as some people were relying on this already.
Link: https://lore.kernel.org/r/YeEVSaMEVJb3cQkq@gondor.apana.org.au
Originally-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-02-21 20:10:58 +08:00
|
|
|
|
|
|
|
if (list_empty(&alg->cra_list))
|
2008-08-03 21:15:23 +08:00
|
|
|
goto complete;
|
|
|
|
|
crypto: api - allow algs only in specific constructions in FIPS mode
Currently we do not distinguish between algorithms that fail on
the self-test vs. those which are disabled in FIPS mode (not allowed).
Both are marked as having failed the self-test.
Recently the need arose to allow the usage of certain algorithms only
as arguments to specific template instantiations in FIPS mode. For
example, standalone "dh" must be blocked, but e.g. "ffdhe2048(dh)" is
allowed. Other potential use cases include "cbcmac(aes)", which must
only be used with ccm(), or "ghash", which must be used only for
gcm().
This patch allows this scenario by adding a new flag FIPS_INTERNAL to
indicate those algorithms that are not FIPS-allowed. They can then be
used as template arguments only, i.e. when looked up via
crypto_grab_spawn() to be more specific. The FIPS_INTERNAL bit gets
propagated upwards recursively into the surrounding template
instances, until the construction eventually matches an explicit
testmgr entry with ->fips_allowed being set, if any.
The behaviour to skip !->fips_allowed self-test executions in FIPS
mode will be retained. Note that this effectively means that
FIPS_INTERNAL algorithms are handled very similarly to the INTERNAL
ones in this regard. It is expected that the FIPS_INTERNAL algorithms
will receive sufficient testing when the larger constructions they're
a part of, if any, get exercised by testmgr.
Note that as a side-effect of this patch algorithms which are not
FIPS-allowed will now return ENOENT instead of ELIBBAD. Hopefully
this is not an issue as some people were relying on this already.
Link: https://lore.kernel.org/r/YeEVSaMEVJb3cQkq@gondor.apana.org.au
Originally-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-02-21 20:10:58 +08:00
|
|
|
if (err == -ECANCELED)
|
|
|
|
alg->cra_flags |= CRYPTO_ALG_FIPS_INTERNAL;
|
|
|
|
else if (err)
|
2008-08-03 21:15:23 +08:00
|
|
|
goto complete;
|
crypto: api - allow algs only in specific constructions in FIPS mode
Currently we do not distinguish between algorithms that fail on
the self-test vs. those which are disabled in FIPS mode (not allowed).
Both are marked as having failed the self-test.
Recently the need arose to allow the usage of certain algorithms only
as arguments to specific template instantiations in FIPS mode. For
example, standalone "dh" must be blocked, but e.g. "ffdhe2048(dh)" is
allowed. Other potential use cases include "cbcmac(aes)", which must
only be used with ccm(), or "ghash", which must be used only for
gcm().
This patch allows this scenario by adding a new flag FIPS_INTERNAL to
indicate those algorithms that are not FIPS-allowed. They can then be
used as template arguments only, i.e. when looked up via
crypto_grab_spawn() to be more specific. The FIPS_INTERNAL bit gets
propagated upwards recursively into the surrounding template
instances, until the construction eventually matches an explicit
testmgr entry with ->fips_allowed being set, if any.
The behaviour to skip !->fips_allowed self-test executions in FIPS
mode will be retained. Note that this effectively means that
FIPS_INTERNAL algorithms are handled very similarly to the INTERNAL
ones in this regard. It is expected that the FIPS_INTERNAL algorithms
will receive sufficient testing when the larger constructions they're
a part of, if any, get exercised by testmgr.
Note that as a side-effect of this patch algorithms which are not
FIPS-allowed will now return ENOENT instead of ELIBBAD. Hopefully
this is not an issue as some people were relying on this already.
Link: https://lore.kernel.org/r/YeEVSaMEVJb3cQkq@gondor.apana.org.au
Originally-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-02-21 20:10:58 +08:00
|
|
|
else
|
|
|
|
alg->cra_flags &= ~CRYPTO_ALG_FIPS_INTERNAL;
|
2008-08-03 21:15:23 +08:00
|
|
|
|
|
|
|
alg->cra_flags |= CRYPTO_ALG_TESTED;
|
|
|
|
|
crypto: api - optimize algorithm registration when self-tests disabled
Currently, registering an algorithm with the crypto API always causes a
notification to be posted to the "cryptomgr", which then creates a
kthread to self-test the algorithm. However, if self-tests are disabled
in the kconfig (as is the default option), then this kthread just
notifies waiters that the algorithm has been tested, then exits.
This causes a significant amount of overhead, especially in the kthread
creation and destruction, which is not necessary at all. For example,
in a quick test I found that booting a "minimum" x86_64 kernel with all
the crypto options enabled (except for the self-tests) takes about 400ms
until PID 1 can start. Of that, a full 13ms is spent just doing this
pointless dance, involving a kthread being created, run, and destroyed
over 200 times. That's over 3% of the entire kernel start time.
Fix this by just skipping the creation of the test larval and the
posting of the registration notification entirely, when self-tests are
disabled.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-11-14 08:12:33 +08:00
|
|
|
/*
|
|
|
|
* If a higher-priority implementation of the same algorithm is
|
|
|
|
* currently being tested, then don't fulfill request larvals.
|
|
|
|
*/
|
2019-12-11 10:50:11 +08:00
|
|
|
best = true;
|
|
|
|
list_for_each_entry(q, &crypto_alg_list, cra_list) {
|
|
|
|
if (crypto_is_moribund(q) || !crypto_is_larval(q))
|
|
|
|
continue;
|
|
|
|
|
|
|
|
if (strcmp(alg->cra_name, q->cra_name))
|
|
|
|
continue;
|
|
|
|
|
|
|
|
if (q->cra_priority > alg->cra_priority) {
|
|
|
|
best = false;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
crypto: api - optimize algorithm registration when self-tests disabled
Currently, registering an algorithm with the crypto API always causes a
notification to be posted to the "cryptomgr", which then creates a
kthread to self-test the algorithm. However, if self-tests are disabled
in the kconfig (as is the default option), then this kthread just
notifies waiters that the algorithm has been tested, then exits.
This causes a significant amount of overhead, especially in the kthread
creation and destruction, which is not necessary at all. For example,
in a quick test I found that booting a "minimum" x86_64 kernel with all
the crypto options enabled (except for the self-tests) takes about 400ms
until PID 1 can start. Of that, a full 13ms is spent just doing this
pointless dance, involving a kthread being created, run, and destroyed
over 200 times. That's over 3% of the entire kernel start time.
Fix this by just skipping the creation of the test larval and the
posting of the registration notification entirely, when self-tests are
disabled.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-11-14 08:12:33 +08:00
|
|
|
crypto_alg_finish_registration(alg, best, &list);
|
2006-08-06 19:23:26 +08:00
|
|
|
|
2008-08-03 21:15:23 +08:00
|
|
|
complete:
|
|
|
|
complete_all(&test->completion);
|
2006-08-06 19:23:26 +08:00
|
|
|
|
2008-08-03 21:15:23 +08:00
|
|
|
unlock:
|
|
|
|
up_write(&crypto_alg_sem);
|
|
|
|
|
|
|
|
crypto_remove_final(&list);
|
2006-08-21 19:08:13 +08:00
|
|
|
}
|
2008-08-03 21:15:23 +08:00
|
|
|
EXPORT_SYMBOL_GPL(crypto_alg_tested);
|
2006-08-06 19:16:34 +08:00
|
|
|
|
2011-09-27 13:23:07 +08:00
|
|
|
void crypto_remove_final(struct list_head *list)
|
2006-09-21 09:39:29 +08:00
|
|
|
{
|
|
|
|
struct crypto_alg *alg;
|
|
|
|
struct crypto_alg *n;
|
|
|
|
|
|
|
|
list_for_each_entry_safe(alg, n, list, cra_list) {
|
|
|
|
list_del_init(&alg->cra_list);
|
|
|
|
crypto_alg_put(alg);
|
|
|
|
}
|
|
|
|
}
|
2011-09-27 13:23:07 +08:00
|
|
|
EXPORT_SYMBOL_GPL(crypto_remove_final);
|
2006-09-21 09:39:29 +08:00
|
|
|
|
2006-08-06 19:16:34 +08:00
|
|
|
int crypto_register_alg(struct crypto_alg *alg)
|
|
|
|
{
|
2008-08-03 21:15:23 +08:00
|
|
|
struct crypto_larval *larval;
|
crypto: api - optimize algorithm registration when self-tests disabled
Currently, registering an algorithm with the crypto API always causes a
notification to be posted to the "cryptomgr", which then creates a
kthread to self-test the algorithm. However, if self-tests are disabled
in the kconfig (as is the default option), then this kthread just
notifies waiters that the algorithm has been tested, then exits.
This causes a significant amount of overhead, especially in the kthread
creation and destruction, which is not necessary at all. For example,
in a quick test I found that booting a "minimum" x86_64 kernel with all
the crypto options enabled (except for the self-tests) takes about 400ms
until PID 1 can start. Of that, a full 13ms is spent just doing this
pointless dance, involving a kthread being created, run, and destroyed
over 200 times. That's over 3% of the entire kernel start time.
Fix this by just skipping the creation of the test larval and the
posting of the registration notification entirely, when self-tests are
disabled.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-11-14 08:12:33 +08:00
|
|
|
LIST_HEAD(algs_to_put);
|
|
|
|
bool test_started = false;
|
2006-08-06 19:16:34 +08:00
|
|
|
int err;
|
|
|
|
|
2017-01-13 19:54:08 +08:00
|
|
|
alg->cra_flags &= ~CRYPTO_ALG_DEAD;
|
2006-08-06 19:16:34 +08:00
|
|
|
err = crypto_check_alg(alg);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
down_write(&crypto_alg_sem);
|
crypto: api - optimize algorithm registration when self-tests disabled
Currently, registering an algorithm with the crypto API always causes a
notification to be posted to the "cryptomgr", which then creates a
kthread to self-test the algorithm. However, if self-tests are disabled
in the kconfig (as is the default option), then this kthread just
notifies waiters that the algorithm has been tested, then exits.
This causes a significant amount of overhead, especially in the kthread
creation and destruction, which is not necessary at all. For example,
in a quick test I found that booting a "minimum" x86_64 kernel with all
the crypto options enabled (except for the self-tests) takes about 400ms
until PID 1 can start. Of that, a full 13ms is spent just doing this
pointless dance, involving a kthread being created, run, and destroyed
over 200 times. That's over 3% of the entire kernel start time.
Fix this by just skipping the creation of the test larval and the
posting of the registration notification entirely, when self-tests are
disabled.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-11-14 08:12:33 +08:00
|
|
|
larval = __crypto_register_alg(alg, &algs_to_put);
|
|
|
|
if (!IS_ERR_OR_NULL(larval)) {
|
2022-11-14 08:12:35 +08:00
|
|
|
test_started = crypto_boot_test_finished();
|
2021-10-19 21:28:02 +08:00
|
|
|
larval->test_started = test_started;
|
crypto: api - optimize algorithm registration when self-tests disabled
Currently, registering an algorithm with the crypto API always causes a
notification to be posted to the "cryptomgr", which then creates a
kthread to self-test the algorithm. However, if self-tests are disabled
in the kconfig (as is the default option), then this kthread just
notifies waiters that the algorithm has been tested, then exits.
This causes a significant amount of overhead, especially in the kthread
creation and destruction, which is not necessary at all. For example,
in a quick test I found that booting a "minimum" x86_64 kernel with all
the crypto options enabled (except for the self-tests) takes about 400ms
until PID 1 can start. Of that, a full 13ms is spent just doing this
pointless dance, involving a kthread being created, run, and destroyed
over 200 times. That's over 3% of the entire kernel start time.
Fix this by just skipping the creation of the test larval and the
posting of the registration notification entirely, when self-tests are
disabled.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-11-14 08:12:33 +08:00
|
|
|
}
|
2006-08-06 19:16:34 +08:00
|
|
|
up_write(&crypto_alg_sem);
|
|
|
|
|
crypto: api - optimize algorithm registration when self-tests disabled
Currently, registering an algorithm with the crypto API always causes a
notification to be posted to the "cryptomgr", which then creates a
kthread to self-test the algorithm. However, if self-tests are disabled
in the kconfig (as is the default option), then this kthread just
notifies waiters that the algorithm has been tested, then exits.
This causes a significant amount of overhead, especially in the kthread
creation and destruction, which is not necessary at all. For example,
in a quick test I found that booting a "minimum" x86_64 kernel with all
the crypto options enabled (except for the self-tests) takes about 400ms
until PID 1 can start. Of that, a full 13ms is spent just doing this
pointless dance, involving a kthread being created, run, and destroyed
over 200 times. That's over 3% of the entire kernel start time.
Fix this by just skipping the creation of the test larval and the
posting of the registration notification entirely, when self-tests are
disabled.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-11-14 08:12:33 +08:00
|
|
|
if (IS_ERR(larval))
|
2008-08-03 21:15:23 +08:00
|
|
|
return PTR_ERR(larval);
|
2021-09-17 08:26:19 +08:00
|
|
|
if (test_started)
|
|
|
|
crypto_wait_for_test(larval);
|
crypto: api - optimize algorithm registration when self-tests disabled
Currently, registering an algorithm with the crypto API always causes a
notification to be posted to the "cryptomgr", which then creates a
kthread to self-test the algorithm. However, if self-tests are disabled
in the kconfig (as is the default option), then this kthread just
notifies waiters that the algorithm has been tested, then exits.
This causes a significant amount of overhead, especially in the kthread
creation and destruction, which is not necessary at all. For example,
in a quick test I found that booting a "minimum" x86_64 kernel with all
the crypto options enabled (except for the self-tests) takes about 400ms
until PID 1 can start. Of that, a full 13ms is spent just doing this
pointless dance, involving a kthread being created, run, and destroyed
over 200 times. That's over 3% of the entire kernel start time.
Fix this by just skipping the creation of the test larval and the
posting of the registration notification entirely, when self-tests are
disabled.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-11-14 08:12:33 +08:00
|
|
|
crypto_remove_final(&algs_to_put);
|
2008-08-03 21:15:23 +08:00
|
|
|
return 0;
|
2006-08-06 19:16:34 +08:00
|
|
|
}
|
2006-08-21 19:08:13 +08:00
|
|
|
EXPORT_SYMBOL_GPL(crypto_register_alg);
|
|
|
|
|
2006-09-21 09:39:29 +08:00
|
|
|
static int crypto_remove_alg(struct crypto_alg *alg, struct list_head *list)
|
|
|
|
{
|
|
|
|
if (unlikely(list_empty(&alg->cra_list)))
|
|
|
|
return -ENOENT;
|
|
|
|
|
|
|
|
alg->cra_flags |= CRYPTO_ALG_DEAD;
|
|
|
|
|
|
|
|
list_del_init(&alg->cra_list);
|
2009-08-31 13:56:54 +08:00
|
|
|
crypto_remove_spawns(alg, list, NULL);
|
2006-09-21 09:39:29 +08:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2019-12-16 07:51:19 +08:00
|
|
|
void crypto_unregister_alg(struct crypto_alg *alg)
|
2006-08-21 19:08:13 +08:00
|
|
|
{
|
2006-09-21 09:39:29 +08:00
|
|
|
int ret;
|
|
|
|
LIST_HEAD(list);
|
2010-02-16 20:25:21 +08:00
|
|
|
|
2006-08-21 19:08:13 +08:00
|
|
|
down_write(&crypto_alg_sem);
|
2006-09-21 09:39:29 +08:00
|
|
|
ret = crypto_remove_alg(alg, &list);
|
2006-08-21 19:08:13 +08:00
|
|
|
up_write(&crypto_alg_sem);
|
|
|
|
|
2019-12-16 07:51:19 +08:00
|
|
|
if (WARN(ret, "Algorithm %s is not registered", alg->cra_driver_name))
|
|
|
|
return;
|
2006-08-21 19:08:13 +08:00
|
|
|
|
2023-03-13 17:17:24 +08:00
|
|
|
if (WARN_ON(refcount_read(&alg->cra_refcnt) != 1))
|
|
|
|
return;
|
|
|
|
|
2006-08-21 19:08:13 +08:00
|
|
|
if (alg->cra_destroy)
|
|
|
|
alg->cra_destroy(alg);
|
|
|
|
|
2006-09-21 09:39:29 +08:00
|
|
|
crypto_remove_final(&list);
|
2006-08-21 19:08:13 +08:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_unregister_alg);
|
|
|
|
|
2012-01-18 07:34:26 +08:00
|
|
|
int crypto_register_algs(struct crypto_alg *algs, int count)
|
|
|
|
{
|
|
|
|
int i, ret;
|
|
|
|
|
|
|
|
for (i = 0; i < count; i++) {
|
|
|
|
ret = crypto_register_alg(&algs[i]);
|
|
|
|
if (ret)
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
err:
|
|
|
|
for (--i; i >= 0; --i)
|
|
|
|
crypto_unregister_alg(&algs[i]);
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_register_algs);
|
|
|
|
|
2019-12-16 07:51:19 +08:00
|
|
|
void crypto_unregister_algs(struct crypto_alg *algs, int count)
|
2012-01-18 07:34:26 +08:00
|
|
|
{
|
2019-12-16 07:51:19 +08:00
|
|
|
int i;
|
2012-01-18 07:34:26 +08:00
|
|
|
|
2019-12-16 07:51:19 +08:00
|
|
|
for (i = 0; i < count; i++)
|
|
|
|
crypto_unregister_alg(&algs[i]);
|
2012-01-18 07:34:26 +08:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_unregister_algs);
|
|
|
|
|
2006-08-06 19:16:34 +08:00
|
|
|
int crypto_register_template(struct crypto_template *tmpl)
|
|
|
|
{
|
|
|
|
struct crypto_template *q;
|
|
|
|
int err = -EEXIST;
|
|
|
|
|
|
|
|
down_write(&crypto_alg_sem);
|
|
|
|
|
2014-07-03 03:37:30 +08:00
|
|
|
crypto_check_module_sig(tmpl->module);
|
|
|
|
|
2006-08-06 19:16:34 +08:00
|
|
|
list_for_each_entry(q, &crypto_template_list, list) {
|
|
|
|
if (q == tmpl)
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
|
|
|
list_add(&tmpl->list, &crypto_template_list);
|
|
|
|
err = 0;
|
|
|
|
out:
|
|
|
|
up_write(&crypto_alg_sem);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_register_template);
|
|
|
|
|
2019-01-18 13:58:11 +08:00
|
|
|
int crypto_register_templates(struct crypto_template *tmpls, int count)
|
|
|
|
{
|
|
|
|
int i, err;
|
|
|
|
|
|
|
|
for (i = 0; i < count; i++) {
|
|
|
|
err = crypto_register_template(&tmpls[i]);
|
|
|
|
if (err)
|
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
out:
|
|
|
|
for (--i; i >= 0; --i)
|
|
|
|
crypto_unregister_template(&tmpls[i]);
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_register_templates);
|
|
|
|
|
2006-08-06 19:16:34 +08:00
|
|
|
void crypto_unregister_template(struct crypto_template *tmpl)
|
|
|
|
{
|
|
|
|
struct crypto_instance *inst;
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-28 09:06:00 +08:00
|
|
|
struct hlist_node *n;
|
2006-08-06 19:16:34 +08:00
|
|
|
struct hlist_head *list;
|
2006-09-21 09:39:29 +08:00
|
|
|
LIST_HEAD(users);
|
2006-08-06 19:16:34 +08:00
|
|
|
|
|
|
|
down_write(&crypto_alg_sem);
|
|
|
|
|
|
|
|
BUG_ON(list_empty(&tmpl->list));
|
|
|
|
list_del_init(&tmpl->list);
|
|
|
|
|
|
|
|
list = &tmpl->instances;
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-28 09:06:00 +08:00
|
|
|
hlist_for_each_entry(inst, list, list) {
|
2006-09-21 09:39:29 +08:00
|
|
|
int err = crypto_remove_alg(&inst->alg, &users);
|
2014-12-05 14:00:10 +08:00
|
|
|
|
2006-09-21 09:39:29 +08:00
|
|
|
BUG_ON(err);
|
2006-08-06 19:16:34 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
up_write(&crypto_alg_sem);
|
|
|
|
|
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived
list_for_each_entry(pos, head, member)
The hlist ones were greedy and wanted an extra parameter:
hlist_for_each_entry(tpos, pos, head, member)
Why did they need an extra pos parameter? I'm not quite sure. Not only
they don't really need it, it also prevents the iterator from looking
exactly like the list iterator, which is unfortunate.
Besides the semantic patch, there was some manual work required:
- Fix up the actual hlist iterators in linux/list.h
- Fix up the declaration of other iterators based on the hlist ones.
- A very small amount of places were using the 'node' parameter, this
was modified to use 'obj->member' instead.
- Coccinelle didn't handle the hlist_for_each_entry_safe iterator
properly, so those had to be fixed up manually.
The semantic patch which is mostly the work of Peter Senna Tschudin is here:
@@
iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host;
type T;
expression a,c,d,e;
identifier b;
statement S;
@@
-T b;
<+... when != b
(
hlist_for_each_entry(a,
- b,
c, d) S
|
hlist_for_each_entry_continue(a,
- b,
c) S
|
hlist_for_each_entry_from(a,
- b,
c) S
|
hlist_for_each_entry_rcu(a,
- b,
c, d) S
|
hlist_for_each_entry_rcu_bh(a,
- b,
c, d) S
|
hlist_for_each_entry_continue_rcu_bh(a,
- b,
c) S
|
for_each_busy_worker(a, c,
- b,
d) S
|
ax25_uid_for_each(a,
- b,
c) S
|
ax25_for_each(a,
- b,
c) S
|
inet_bind_bucket_for_each(a,
- b,
c) S
|
sctp_for_each_hentry(a,
- b,
c) S
|
sk_for_each(a,
- b,
c) S
|
sk_for_each_rcu(a,
- b,
c) S
|
sk_for_each_from
-(a, b)
+(a)
S
+ sk_for_each_from(a) S
|
sk_for_each_safe(a,
- b,
c, d) S
|
sk_for_each_bound(a,
- b,
c) S
|
hlist_for_each_entry_safe(a,
- b,
c, d, e) S
|
hlist_for_each_entry_continue_rcu(a,
- b,
c) S
|
nr_neigh_for_each(a,
- b,
c) S
|
nr_neigh_for_each_safe(a,
- b,
c, d) S
|
nr_node_for_each(a,
- b,
c) S
|
nr_node_for_each_safe(a,
- b,
c, d) S
|
- for_each_gfn_sp(a, c, d, b) S
+ for_each_gfn_sp(a, c, d) S
|
- for_each_gfn_indirect_valid_sp(a, c, d, b) S
+ for_each_gfn_indirect_valid_sp(a, c, d) S
|
for_each_host(a,
- b,
c) S
|
for_each_host_safe(a,
- b,
c, d) S
|
for_each_mesh_entry(a,
- b,
c, d) S
)
...+>
[akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c]
[akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c]
[akpm@linux-foundation.org: checkpatch fixes]
[akpm@linux-foundation.org: fix warnings]
[akpm@linux-foudnation.org: redo intrusive kvm changes]
Tested-by: Peter Senna Tschudin <peter.senna@gmail.com>
Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Cc: Wu Fengguang <fengguang.wu@intel.com>
Cc: Marcelo Tosatti <mtosatti@redhat.com>
Cc: Gleb Natapov <gleb@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-28 09:06:00 +08:00
|
|
|
hlist_for_each_entry_safe(inst, n, list, list) {
|
2017-12-30 00:00:46 +08:00
|
|
|
BUG_ON(refcount_read(&inst->alg.cra_refcnt) != 1);
|
2015-07-09 07:17:15 +08:00
|
|
|
crypto_free_instance(inst);
|
2006-08-06 19:16:34 +08:00
|
|
|
}
|
2006-09-21 09:39:29 +08:00
|
|
|
crypto_remove_final(&users);
|
2006-08-06 19:16:34 +08:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_unregister_template);
|
|
|
|
|
2019-01-18 13:58:11 +08:00
|
|
|
void crypto_unregister_templates(struct crypto_template *tmpls, int count)
|
|
|
|
{
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for (i = count - 1; i >= 0; --i)
|
|
|
|
crypto_unregister_template(&tmpls[i]);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_unregister_templates);
|
|
|
|
|
2006-08-06 19:16:34 +08:00
|
|
|
static struct crypto_template *__crypto_lookup_template(const char *name)
|
|
|
|
{
|
|
|
|
struct crypto_template *q, *tmpl = NULL;
|
|
|
|
|
|
|
|
down_read(&crypto_alg_sem);
|
|
|
|
list_for_each_entry(q, &crypto_template_list, list) {
|
|
|
|
if (strcmp(q->name, name))
|
|
|
|
continue;
|
|
|
|
if (unlikely(!crypto_tmpl_get(q)))
|
|
|
|
continue;
|
|
|
|
|
|
|
|
tmpl = q;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
up_read(&crypto_alg_sem);
|
|
|
|
|
|
|
|
return tmpl;
|
|
|
|
}
|
|
|
|
|
|
|
|
struct crypto_template *crypto_lookup_template(const char *name)
|
|
|
|
{
|
2014-11-25 08:32:38 +08:00
|
|
|
return try_then_request_module(__crypto_lookup_template(name),
|
|
|
|
"crypto-%s", name);
|
2006-08-06 19:16:34 +08:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_lookup_template);
|
|
|
|
|
|
|
|
int crypto_register_instance(struct crypto_template *tmpl,
|
|
|
|
struct crypto_instance *inst)
|
|
|
|
{
|
2008-08-03 21:15:23 +08:00
|
|
|
struct crypto_larval *larval;
|
2019-12-18 15:53:01 +08:00
|
|
|
struct crypto_spawn *spawn;
|
crypto: api - allow algs only in specific constructions in FIPS mode
Currently we do not distinguish between algorithms that fail on
the self-test vs. those which are disabled in FIPS mode (not allowed).
Both are marked as having failed the self-test.
Recently the need arose to allow the usage of certain algorithms only
as arguments to specific template instantiations in FIPS mode. For
example, standalone "dh" must be blocked, but e.g. "ffdhe2048(dh)" is
allowed. Other potential use cases include "cbcmac(aes)", which must
only be used with ccm(), or "ghash", which must be used only for
gcm().
This patch allows this scenario by adding a new flag FIPS_INTERNAL to
indicate those algorithms that are not FIPS-allowed. They can then be
used as template arguments only, i.e. when looked up via
crypto_grab_spawn() to be more specific. The FIPS_INTERNAL bit gets
propagated upwards recursively into the surrounding template
instances, until the construction eventually matches an explicit
testmgr entry with ->fips_allowed being set, if any.
The behaviour to skip !->fips_allowed self-test executions in FIPS
mode will be retained. Note that this effectively means that
FIPS_INTERNAL algorithms are handled very similarly to the INTERNAL
ones in this regard. It is expected that the FIPS_INTERNAL algorithms
will receive sufficient testing when the larger constructions they're
a part of, if any, get exercised by testmgr.
Note that as a side-effect of this patch algorithms which are not
FIPS-allowed will now return ENOENT instead of ELIBBAD. Hopefully
this is not an issue as some people were relying on this already.
Link: https://lore.kernel.org/r/YeEVSaMEVJb3cQkq@gondor.apana.org.au
Originally-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-02-21 20:10:58 +08:00
|
|
|
u32 fips_internal = 0;
|
crypto: api - optimize algorithm registration when self-tests disabled
Currently, registering an algorithm with the crypto API always causes a
notification to be posted to the "cryptomgr", which then creates a
kthread to self-test the algorithm. However, if self-tests are disabled
in the kconfig (as is the default option), then this kthread just
notifies waiters that the algorithm has been tested, then exits.
This causes a significant amount of overhead, especially in the kthread
creation and destruction, which is not necessary at all. For example,
in a quick test I found that booting a "minimum" x86_64 kernel with all
the crypto options enabled (except for the self-tests) takes about 400ms
until PID 1 can start. Of that, a full 13ms is spent just doing this
pointless dance, involving a kthread being created, run, and destroyed
over 200 times. That's over 3% of the entire kernel start time.
Fix this by just skipping the creation of the test larval and the
posting of the registration notification entirely, when self-tests are
disabled.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-11-14 08:12:33 +08:00
|
|
|
LIST_HEAD(algs_to_put);
|
2008-08-03 21:15:23 +08:00
|
|
|
int err;
|
2006-08-06 19:16:34 +08:00
|
|
|
|
|
|
|
err = crypto_check_alg(&inst->alg);
|
|
|
|
if (err)
|
2015-04-09 18:09:55 +08:00
|
|
|
return err;
|
|
|
|
|
2006-08-06 19:16:34 +08:00
|
|
|
inst->alg.cra_module = tmpl->module;
|
2011-09-27 13:21:26 +08:00
|
|
|
inst->alg.cra_flags |= CRYPTO_ALG_INSTANCE;
|
2006-08-06 19:16:34 +08:00
|
|
|
|
|
|
|
down_write(&crypto_alg_sem);
|
|
|
|
|
2019-12-18 15:53:01 +08:00
|
|
|
larval = ERR_PTR(-EAGAIN);
|
|
|
|
for (spawn = inst->spawns; spawn;) {
|
|
|
|
struct crypto_spawn *next;
|
|
|
|
|
|
|
|
if (spawn->dead)
|
|
|
|
goto unlock;
|
|
|
|
|
|
|
|
next = spawn->next;
|
|
|
|
spawn->inst = inst;
|
|
|
|
spawn->registered = true;
|
|
|
|
|
crypto: api - allow algs only in specific constructions in FIPS mode
Currently we do not distinguish between algorithms that fail on
the self-test vs. those which are disabled in FIPS mode (not allowed).
Both are marked as having failed the self-test.
Recently the need arose to allow the usage of certain algorithms only
as arguments to specific template instantiations in FIPS mode. For
example, standalone "dh" must be blocked, but e.g. "ffdhe2048(dh)" is
allowed. Other potential use cases include "cbcmac(aes)", which must
only be used with ccm(), or "ghash", which must be used only for
gcm().
This patch allows this scenario by adding a new flag FIPS_INTERNAL to
indicate those algorithms that are not FIPS-allowed. They can then be
used as template arguments only, i.e. when looked up via
crypto_grab_spawn() to be more specific. The FIPS_INTERNAL bit gets
propagated upwards recursively into the surrounding template
instances, until the construction eventually matches an explicit
testmgr entry with ->fips_allowed being set, if any.
The behaviour to skip !->fips_allowed self-test executions in FIPS
mode will be retained. Note that this effectively means that
FIPS_INTERNAL algorithms are handled very similarly to the INTERNAL
ones in this regard. It is expected that the FIPS_INTERNAL algorithms
will receive sufficient testing when the larger constructions they're
a part of, if any, get exercised by testmgr.
Note that as a side-effect of this patch algorithms which are not
FIPS-allowed will now return ENOENT instead of ELIBBAD. Hopefully
this is not an issue as some people were relying on this already.
Link: https://lore.kernel.org/r/YeEVSaMEVJb3cQkq@gondor.apana.org.au
Originally-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-02-21 20:10:58 +08:00
|
|
|
fips_internal |= spawn->alg->cra_flags;
|
|
|
|
|
2020-01-03 11:59:08 +08:00
|
|
|
crypto_mod_put(spawn->alg);
|
2019-12-18 15:53:01 +08:00
|
|
|
|
|
|
|
spawn = next;
|
|
|
|
}
|
|
|
|
|
crypto: api - allow algs only in specific constructions in FIPS mode
Currently we do not distinguish between algorithms that fail on
the self-test vs. those which are disabled in FIPS mode (not allowed).
Both are marked as having failed the self-test.
Recently the need arose to allow the usage of certain algorithms only
as arguments to specific template instantiations in FIPS mode. For
example, standalone "dh" must be blocked, but e.g. "ffdhe2048(dh)" is
allowed. Other potential use cases include "cbcmac(aes)", which must
only be used with ccm(), or "ghash", which must be used only for
gcm().
This patch allows this scenario by adding a new flag FIPS_INTERNAL to
indicate those algorithms that are not FIPS-allowed. They can then be
used as template arguments only, i.e. when looked up via
crypto_grab_spawn() to be more specific. The FIPS_INTERNAL bit gets
propagated upwards recursively into the surrounding template
instances, until the construction eventually matches an explicit
testmgr entry with ->fips_allowed being set, if any.
The behaviour to skip !->fips_allowed self-test executions in FIPS
mode will be retained. Note that this effectively means that
FIPS_INTERNAL algorithms are handled very similarly to the INTERNAL
ones in this regard. It is expected that the FIPS_INTERNAL algorithms
will receive sufficient testing when the larger constructions they're
a part of, if any, get exercised by testmgr.
Note that as a side-effect of this patch algorithms which are not
FIPS-allowed will now return ENOENT instead of ELIBBAD. Hopefully
this is not an issue as some people were relying on this already.
Link: https://lore.kernel.org/r/YeEVSaMEVJb3cQkq@gondor.apana.org.au
Originally-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-02-21 20:10:58 +08:00
|
|
|
inst->alg.cra_flags |= (fips_internal & CRYPTO_ALG_FIPS_INTERNAL);
|
|
|
|
|
crypto: api - optimize algorithm registration when self-tests disabled
Currently, registering an algorithm with the crypto API always causes a
notification to be posted to the "cryptomgr", which then creates a
kthread to self-test the algorithm. However, if self-tests are disabled
in the kconfig (as is the default option), then this kthread just
notifies waiters that the algorithm has been tested, then exits.
This causes a significant amount of overhead, especially in the kthread
creation and destruction, which is not necessary at all. For example,
in a quick test I found that booting a "minimum" x86_64 kernel with all
the crypto options enabled (except for the self-tests) takes about 400ms
until PID 1 can start. Of that, a full 13ms is spent just doing this
pointless dance, involving a kthread being created, run, and destroyed
over 200 times. That's over 3% of the entire kernel start time.
Fix this by just skipping the creation of the test larval and the
posting of the registration notification entirely, when self-tests are
disabled.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-11-14 08:12:33 +08:00
|
|
|
larval = __crypto_register_alg(&inst->alg, &algs_to_put);
|
2008-08-03 21:15:23 +08:00
|
|
|
if (IS_ERR(larval))
|
2006-08-06 19:16:34 +08:00
|
|
|
goto unlock;
|
2021-10-19 21:28:02 +08:00
|
|
|
else if (larval)
|
|
|
|
larval->test_started = true;
|
2021-09-17 08:26:19 +08:00
|
|
|
|
2006-08-06 19:16:34 +08:00
|
|
|
hlist_add_head(&inst->list, &tmpl->instances);
|
|
|
|
inst->tmpl = tmpl;
|
|
|
|
|
|
|
|
unlock:
|
|
|
|
up_write(&crypto_alg_sem);
|
|
|
|
|
crypto: api - optimize algorithm registration when self-tests disabled
Currently, registering an algorithm with the crypto API always causes a
notification to be posted to the "cryptomgr", which then creates a
kthread to self-test the algorithm. However, if self-tests are disabled
in the kconfig (as is the default option), then this kthread just
notifies waiters that the algorithm has been tested, then exits.
This causes a significant amount of overhead, especially in the kthread
creation and destruction, which is not necessary at all. For example,
in a quick test I found that booting a "minimum" x86_64 kernel with all
the crypto options enabled (except for the self-tests) takes about 400ms
until PID 1 can start. Of that, a full 13ms is spent just doing this
pointless dance, involving a kthread being created, run, and destroyed
over 200 times. That's over 3% of the entire kernel start time.
Fix this by just skipping the creation of the test larval and the
posting of the registration notification entirely, when self-tests are
disabled.
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-11-14 08:12:33 +08:00
|
|
|
if (IS_ERR(larval))
|
|
|
|
return PTR_ERR(larval);
|
|
|
|
if (larval)
|
|
|
|
crypto_wait_for_test(larval);
|
|
|
|
crypto_remove_final(&algs_to_put);
|
|
|
|
return 0;
|
2006-08-06 19:16:34 +08:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_register_instance);
|
2011-11-08 17:09:17 +08:00
|
|
|
|
2019-12-16 07:51:19 +08:00
|
|
|
void crypto_unregister_instance(struct crypto_instance *inst)
|
2011-11-08 17:09:17 +08:00
|
|
|
{
|
2015-04-02 22:31:22 +08:00
|
|
|
LIST_HEAD(list);
|
2011-11-08 17:09:17 +08:00
|
|
|
|
|
|
|
down_write(&crypto_alg_sem);
|
|
|
|
|
2015-04-02 22:39:40 +08:00
|
|
|
crypto_remove_spawns(&inst->alg, &list, NULL);
|
2015-04-02 22:31:22 +08:00
|
|
|
crypto_remove_instance(inst, &list);
|
2011-11-08 17:09:17 +08:00
|
|
|
|
|
|
|
up_write(&crypto_alg_sem);
|
|
|
|
|
2015-04-02 22:31:22 +08:00
|
|
|
crypto_remove_final(&list);
|
2011-11-08 17:09:17 +08:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_unregister_instance);
|
2006-08-06 19:16:34 +08:00
|
|
|
|
2020-01-03 11:59:08 +08:00
|
|
|
int crypto_grab_spawn(struct crypto_spawn *spawn, struct crypto_instance *inst,
|
|
|
|
const char *name, u32 type, u32 mask)
|
2006-09-21 09:39:29 +08:00
|
|
|
{
|
2020-01-03 11:59:08 +08:00
|
|
|
struct crypto_alg *alg;
|
2006-09-21 09:39:29 +08:00
|
|
|
int err = -EAGAIN;
|
|
|
|
|
2019-01-07 04:46:06 +08:00
|
|
|
if (WARN_ON_ONCE(inst == NULL))
|
|
|
|
return -EINVAL;
|
|
|
|
|
2020-01-03 11:59:08 +08:00
|
|
|
/* Allow the result of crypto_attr_alg_name() to be passed directly */
|
|
|
|
if (IS_ERR(name))
|
|
|
|
return PTR_ERR(name);
|
2019-12-18 15:53:01 +08:00
|
|
|
|
crypto: api - allow algs only in specific constructions in FIPS mode
Currently we do not distinguish between algorithms that fail on
the self-test vs. those which are disabled in FIPS mode (not allowed).
Both are marked as having failed the self-test.
Recently the need arose to allow the usage of certain algorithms only
as arguments to specific template instantiations in FIPS mode. For
example, standalone "dh" must be blocked, but e.g. "ffdhe2048(dh)" is
allowed. Other potential use cases include "cbcmac(aes)", which must
only be used with ccm(), or "ghash", which must be used only for
gcm().
This patch allows this scenario by adding a new flag FIPS_INTERNAL to
indicate those algorithms that are not FIPS-allowed. They can then be
used as template arguments only, i.e. when looked up via
crypto_grab_spawn() to be more specific. The FIPS_INTERNAL bit gets
propagated upwards recursively into the surrounding template
instances, until the construction eventually matches an explicit
testmgr entry with ->fips_allowed being set, if any.
The behaviour to skip !->fips_allowed self-test executions in FIPS
mode will be retained. Note that this effectively means that
FIPS_INTERNAL algorithms are handled very similarly to the INTERNAL
ones in this regard. It is expected that the FIPS_INTERNAL algorithms
will receive sufficient testing when the larger constructions they're
a part of, if any, get exercised by testmgr.
Note that as a side-effect of this patch algorithms which are not
FIPS-allowed will now return ENOENT instead of ELIBBAD. Hopefully
this is not an issue as some people were relying on this already.
Link: https://lore.kernel.org/r/YeEVSaMEVJb3cQkq@gondor.apana.org.au
Originally-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Nicolai Stange <nstange@suse.de>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2022-02-21 20:10:58 +08:00
|
|
|
alg = crypto_find_alg(name, spawn->frontend,
|
|
|
|
type | CRYPTO_ALG_FIPS_INTERNAL, mask);
|
2020-01-03 11:59:08 +08:00
|
|
|
if (IS_ERR(alg))
|
|
|
|
return PTR_ERR(alg);
|
2006-09-21 09:39:29 +08:00
|
|
|
|
|
|
|
down_write(&crypto_alg_sem);
|
|
|
|
if (!crypto_is_moribund(alg)) {
|
|
|
|
list_add(&spawn->list, &alg->cra_users);
|
|
|
|
spawn->alg = alg;
|
2020-01-03 11:59:08 +08:00
|
|
|
spawn->mask = mask;
|
|
|
|
spawn->next = inst->spawns;
|
|
|
|
inst->spawns = spawn;
|
2020-07-10 14:20:38 +08:00
|
|
|
inst->alg.cra_flags |=
|
|
|
|
(alg->cra_flags & CRYPTO_ALG_INHERITED_FLAGS);
|
2006-09-21 09:39:29 +08:00
|
|
|
err = 0;
|
|
|
|
}
|
|
|
|
up_write(&crypto_alg_sem);
|
2019-12-18 15:53:01 +08:00
|
|
|
if (err)
|
|
|
|
crypto_mod_put(alg);
|
2015-05-11 17:47:39 +08:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_grab_spawn);
|
|
|
|
|
2006-09-21 09:39:29 +08:00
|
|
|
void crypto_drop_spawn(struct crypto_spawn *spawn)
|
|
|
|
{
|
2020-01-03 11:58:41 +08:00
|
|
|
if (!spawn->alg) /* not yet initialized? */
|
|
|
|
return;
|
|
|
|
|
2006-09-21 09:39:29 +08:00
|
|
|
down_write(&crypto_alg_sem);
|
2019-12-07 22:15:17 +08:00
|
|
|
if (!spawn->dead)
|
2019-12-06 13:55:17 +08:00
|
|
|
list_del(&spawn->list);
|
2006-09-21 09:39:29 +08:00
|
|
|
up_write(&crypto_alg_sem);
|
2019-12-18 15:53:01 +08:00
|
|
|
|
2020-01-03 11:59:08 +08:00
|
|
|
if (!spawn->registered)
|
2019-12-18 15:53:01 +08:00
|
|
|
crypto_mod_put(spawn->alg);
|
2006-09-21 09:39:29 +08:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_drop_spawn);
|
|
|
|
|
2009-07-08 15:55:52 +08:00
|
|
|
static struct crypto_alg *crypto_spawn_alg(struct crypto_spawn *spawn)
|
2006-09-21 09:39:29 +08:00
|
|
|
{
|
2020-04-10 14:09:42 +08:00
|
|
|
struct crypto_alg *alg = ERR_PTR(-EAGAIN);
|
|
|
|
struct crypto_alg *target;
|
|
|
|
bool shoot = false;
|
2006-09-21 09:39:29 +08:00
|
|
|
|
|
|
|
down_read(&crypto_alg_sem);
|
2020-04-10 14:09:42 +08:00
|
|
|
if (!spawn->dead) {
|
|
|
|
alg = spawn->alg;
|
|
|
|
if (!crypto_mod_get(alg)) {
|
|
|
|
target = crypto_alg_get(alg);
|
|
|
|
shoot = true;
|
|
|
|
alg = ERR_PTR(-EAGAIN);
|
|
|
|
}
|
2006-09-21 09:39:29 +08:00
|
|
|
}
|
2019-12-07 22:15:15 +08:00
|
|
|
up_read(&crypto_alg_sem);
|
2006-09-21 09:39:29 +08:00
|
|
|
|
2020-04-10 14:09:42 +08:00
|
|
|
if (shoot) {
|
|
|
|
crypto_shoot_alg(target);
|
|
|
|
crypto_alg_put(target);
|
|
|
|
}
|
|
|
|
|
|
|
|
return alg;
|
2009-07-08 15:55:52 +08:00
|
|
|
}
|
|
|
|
|
|
|
|
struct crypto_tfm *crypto_spawn_tfm(struct crypto_spawn *spawn, u32 type,
|
|
|
|
u32 mask)
|
|
|
|
{
|
|
|
|
struct crypto_alg *alg;
|
|
|
|
struct crypto_tfm *tfm;
|
|
|
|
|
|
|
|
alg = crypto_spawn_alg(spawn);
|
|
|
|
if (IS_ERR(alg))
|
|
|
|
return ERR_CAST(alg);
|
|
|
|
|
2006-12-17 07:05:58 +08:00
|
|
|
tfm = ERR_PTR(-EINVAL);
|
|
|
|
if (unlikely((alg->cra_flags ^ type) & mask))
|
|
|
|
goto out_put_alg;
|
|
|
|
|
2007-01-24 17:50:26 +08:00
|
|
|
tfm = __crypto_alloc_tfm(alg, type, mask);
|
2006-09-21 09:39:29 +08:00
|
|
|
if (IS_ERR(tfm))
|
2006-12-17 07:05:58 +08:00
|
|
|
goto out_put_alg;
|
|
|
|
|
|
|
|
return tfm;
|
2006-09-21 09:39:29 +08:00
|
|
|
|
2006-12-17 07:05:58 +08:00
|
|
|
out_put_alg:
|
|
|
|
crypto_mod_put(alg);
|
2006-09-21 09:39:29 +08:00
|
|
|
return tfm;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_spawn_tfm);
|
|
|
|
|
2009-07-08 15:55:52 +08:00
|
|
|
void *crypto_spawn_tfm2(struct crypto_spawn *spawn)
|
|
|
|
{
|
|
|
|
struct crypto_alg *alg;
|
|
|
|
struct crypto_tfm *tfm;
|
|
|
|
|
|
|
|
alg = crypto_spawn_alg(spawn);
|
|
|
|
if (IS_ERR(alg))
|
|
|
|
return ERR_CAST(alg);
|
|
|
|
|
|
|
|
tfm = crypto_create_tfm(alg, spawn->frontend);
|
|
|
|
if (IS_ERR(tfm))
|
|
|
|
goto out_put_alg;
|
|
|
|
|
|
|
|
return tfm;
|
|
|
|
|
|
|
|
out_put_alg:
|
|
|
|
crypto_mod_put(alg);
|
|
|
|
return tfm;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_spawn_tfm2);
|
|
|
|
|
2006-08-06 19:23:26 +08:00
|
|
|
int crypto_register_notifier(struct notifier_block *nb)
|
|
|
|
{
|
|
|
|
return blocking_notifier_chain_register(&crypto_chain, nb);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_register_notifier);
|
|
|
|
|
|
|
|
int crypto_unregister_notifier(struct notifier_block *nb)
|
|
|
|
{
|
|
|
|
return blocking_notifier_chain_unregister(&crypto_chain, nb);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_unregister_notifier);
|
|
|
|
|
2007-01-01 15:37:02 +08:00
|
|
|
struct crypto_attr_type *crypto_get_attr_type(struct rtattr **tb)
|
2006-08-06 21:10:45 +08:00
|
|
|
{
|
2007-08-29 19:27:26 +08:00
|
|
|
struct rtattr *rta = tb[0];
|
2007-01-01 15:37:02 +08:00
|
|
|
struct crypto_attr_type *algt;
|
|
|
|
|
|
|
|
if (!rta)
|
|
|
|
return ERR_PTR(-ENOENT);
|
|
|
|
if (RTA_PAYLOAD(rta) < sizeof(*algt))
|
|
|
|
return ERR_PTR(-EINVAL);
|
2007-08-29 19:27:26 +08:00
|
|
|
if (rta->rta_type != CRYPTOA_TYPE)
|
|
|
|
return ERR_PTR(-EINVAL);
|
2007-01-01 15:37:02 +08:00
|
|
|
|
|
|
|
algt = RTA_DATA(rta);
|
|
|
|
|
|
|
|
return algt;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_get_attr_type);
|
|
|
|
|
2020-07-10 14:20:38 +08:00
|
|
|
/**
|
|
|
|
* crypto_check_attr_type() - check algorithm type and compute inherited mask
|
|
|
|
* @tb: the template parameters
|
|
|
|
* @type: the algorithm type the template would be instantiated as
|
|
|
|
* @mask_ret: (output) the mask that should be passed to crypto_grab_*()
|
|
|
|
* to restrict the flags of any inner algorithms
|
|
|
|
*
|
|
|
|
* Validate that the algorithm type the user requested is compatible with the
|
|
|
|
* one the template would actually be instantiated as. E.g., if the user is
|
|
|
|
* doing crypto_alloc_shash("cbc(aes)", ...), this would return an error because
|
|
|
|
* the "cbc" template creates an "skcipher" algorithm, not an "shash" algorithm.
|
|
|
|
*
|
|
|
|
* Also compute the mask to use to restrict the flags of any inner algorithms.
|
|
|
|
*
|
|
|
|
* Return: 0 on success; -errno on failure
|
|
|
|
*/
|
|
|
|
int crypto_check_attr_type(struct rtattr **tb, u32 type, u32 *mask_ret)
|
2007-01-01 15:37:02 +08:00
|
|
|
{
|
|
|
|
struct crypto_attr_type *algt;
|
|
|
|
|
|
|
|
algt = crypto_get_attr_type(tb);
|
|
|
|
if (IS_ERR(algt))
|
|
|
|
return PTR_ERR(algt);
|
|
|
|
|
|
|
|
if ((algt->type ^ type) & algt->mask)
|
|
|
|
return -EINVAL;
|
|
|
|
|
2020-07-10 14:20:38 +08:00
|
|
|
*mask_ret = crypto_algt_inherited_mask(algt);
|
2007-01-01 15:37:02 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_check_attr_type);
|
|
|
|
|
2007-12-07 20:18:17 +08:00
|
|
|
const char *crypto_attr_alg_name(struct rtattr *rta)
|
2007-01-01 15:37:02 +08:00
|
|
|
{
|
2006-08-06 21:10:45 +08:00
|
|
|
struct crypto_attr_alg *alga;
|
|
|
|
|
2007-01-01 15:37:02 +08:00
|
|
|
if (!rta)
|
|
|
|
return ERR_PTR(-ENOENT);
|
|
|
|
if (RTA_PAYLOAD(rta) < sizeof(*alga))
|
2006-08-06 21:10:45 +08:00
|
|
|
return ERR_PTR(-EINVAL);
|
2007-08-29 19:27:26 +08:00
|
|
|
if (rta->rta_type != CRYPTOA_ALG)
|
|
|
|
return ERR_PTR(-EINVAL);
|
2006-08-06 21:10:45 +08:00
|
|
|
|
|
|
|
alga = RTA_DATA(rta);
|
|
|
|
alga->name[CRYPTO_MAX_ALG_NAME - 1] = 0;
|
|
|
|
|
2007-12-07 20:18:17 +08:00
|
|
|
return alga->name;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_attr_alg_name);
|
|
|
|
|
2016-06-29 18:04:13 +08:00
|
|
|
int crypto_inst_setname(struct crypto_instance *inst, const char *name,
|
|
|
|
struct crypto_alg *alg)
|
|
|
|
{
|
|
|
|
if (snprintf(inst->alg.cra_name, CRYPTO_MAX_ALG_NAME, "%s(%s)", name,
|
|
|
|
alg->cra_name) >= CRYPTO_MAX_ALG_NAME)
|
|
|
|
return -ENAMETOOLONG;
|
|
|
|
|
|
|
|
if (snprintf(inst->alg.cra_driver_name, CRYPTO_MAX_ALG_NAME, "%s(%s)",
|
|
|
|
name, alg->cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
|
|
|
|
return -ENAMETOOLONG;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_inst_setname);
|
|
|
|
|
2007-04-16 18:48:54 +08:00
|
|
|
void crypto_init_queue(struct crypto_queue *queue, unsigned int max_qlen)
|
|
|
|
{
|
|
|
|
INIT_LIST_HEAD(&queue->list);
|
|
|
|
queue->backlog = &queue->list;
|
|
|
|
queue->qlen = 0;
|
|
|
|
queue->max_qlen = max_qlen;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_init_queue);
|
|
|
|
|
|
|
|
int crypto_enqueue_request(struct crypto_queue *queue,
|
|
|
|
struct crypto_async_request *request)
|
|
|
|
{
|
|
|
|
int err = -EINPROGRESS;
|
|
|
|
|
|
|
|
if (unlikely(queue->qlen >= queue->max_qlen)) {
|
2017-10-18 15:00:33 +08:00
|
|
|
if (!(request->flags & CRYPTO_TFM_REQ_MAY_BACKLOG)) {
|
|
|
|
err = -ENOSPC;
|
2007-04-16 18:48:54 +08:00
|
|
|
goto out;
|
2017-10-18 15:00:33 +08:00
|
|
|
}
|
|
|
|
err = -EBUSY;
|
2007-04-16 18:48:54 +08:00
|
|
|
if (queue->backlog == &queue->list)
|
|
|
|
queue->backlog = &request->list;
|
|
|
|
}
|
|
|
|
|
|
|
|
queue->qlen++;
|
|
|
|
list_add_tail(&request->list, &queue->list);
|
|
|
|
|
|
|
|
out:
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_enqueue_request);
|
|
|
|
|
2020-04-28 23:49:03 +08:00
|
|
|
void crypto_enqueue_request_head(struct crypto_queue *queue,
|
|
|
|
struct crypto_async_request *request)
|
|
|
|
{
|
2023-04-20 23:00:35 +08:00
|
|
|
if (unlikely(queue->qlen >= queue->max_qlen))
|
|
|
|
queue->backlog = queue->backlog->prev;
|
|
|
|
|
2020-04-28 23:49:03 +08:00
|
|
|
queue->qlen++;
|
|
|
|
list_add(&request->list, &queue->list);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_enqueue_request_head);
|
|
|
|
|
2015-07-08 11:55:30 +08:00
|
|
|
struct crypto_async_request *crypto_dequeue_request(struct crypto_queue *queue)
|
2007-04-16 18:48:54 +08:00
|
|
|
{
|
|
|
|
struct list_head *request;
|
|
|
|
|
|
|
|
if (unlikely(!queue->qlen))
|
|
|
|
return NULL;
|
|
|
|
|
|
|
|
queue->qlen--;
|
|
|
|
|
|
|
|
if (queue->backlog != &queue->list)
|
|
|
|
queue->backlog = queue->backlog->next;
|
|
|
|
|
|
|
|
request = queue->list.next;
|
|
|
|
list_del(request);
|
|
|
|
|
2015-07-08 11:55:30 +08:00
|
|
|
return list_entry(request, struct crypto_async_request, list);
|
2007-04-16 18:48:54 +08:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_dequeue_request);
|
|
|
|
|
2007-11-20 17:26:06 +08:00
|
|
|
static inline void crypto_inc_byte(u8 *a, unsigned int size)
|
|
|
|
{
|
|
|
|
u8 *b = (a + size);
|
|
|
|
u8 c;
|
|
|
|
|
|
|
|
for (; size; size--) {
|
|
|
|
c = *--b + 1;
|
|
|
|
*b = c;
|
|
|
|
if (c)
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
void crypto_inc(u8 *a, unsigned int size)
|
|
|
|
{
|
|
|
|
__be32 *b = (__be32 *)(a + size);
|
|
|
|
u32 c;
|
|
|
|
|
crypto: algapi - make crypto_xor() and crypto_inc() alignment agnostic
Instead of unconditionally forcing 4 byte alignment for all generic
chaining modes that rely on crypto_xor() or crypto_inc() (which may
result in unnecessary copying of data when the underlying hardware
can perform unaligned accesses efficiently), make those functions
deal with unaligned input explicitly, but only if the Kconfig symbol
HAVE_EFFICIENT_UNALIGNED_ACCESS is set. This will allow us to drop
the alignmasks from the CBC, CMAC, CTR, CTS, PCBC and SEQIV drivers.
For crypto_inc(), this simply involves making the 4-byte stride
conditional on HAVE_EFFICIENT_UNALIGNED_ACCESS being set, given that
it typically operates on 16 byte buffers.
For crypto_xor(), an algorithm is implemented that simply runs through
the input using the largest strides possible if unaligned accesses are
allowed. If they are not, an optimal sequence of memory accesses is
emitted that takes the relative alignment of the input buffers into
account, e.g., if the relative misalignment of dst and src is 4 bytes,
the entire xor operation will be completed using 4 byte loads and stores
(modulo unaligned bits at the start and end). Note that all expressions
involving misalign are simply eliminated by the compiler when
HAVE_EFFICIENT_UNALIGNED_ACCESS is defined.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-02-05 18:06:12 +08:00
|
|
|
if (IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) ||
|
crypto: algapi - annotate expected branch behavior in crypto_inc()
To prevent unnecessary branching, mark the exit condition of the
primary loop as likely(), given that a carry in a 32-bit counter
occurs very rarely.
On arm64, the resulting code is emitted by GCC as
9a8: cmp w1, #0x3
9ac: add x3, x0, w1, uxtw
9b0: b.ls 9e0 <crypto_inc+0x38>
9b4: ldr w2, [x3,#-4]!
9b8: rev w2, w2
9bc: add w2, w2, #0x1
9c0: rev w4, w2
9c4: str w4, [x3]
9c8: cbz w2, 9d0 <crypto_inc+0x28>
9cc: ret
where the two remaining branch conditions (one for size < 4 and one for
the carry) are statically predicted as non-taken, resulting in optimal
execution in the vast majority of cases.
Also, replace the open coded alignment test with IS_ALIGNED().
Cc: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-02-15 05:51:02 +08:00
|
|
|
IS_ALIGNED((unsigned long)b, __alignof__(*b)))
|
crypto: algapi - make crypto_xor() and crypto_inc() alignment agnostic
Instead of unconditionally forcing 4 byte alignment for all generic
chaining modes that rely on crypto_xor() or crypto_inc() (which may
result in unnecessary copying of data when the underlying hardware
can perform unaligned accesses efficiently), make those functions
deal with unaligned input explicitly, but only if the Kconfig symbol
HAVE_EFFICIENT_UNALIGNED_ACCESS is set. This will allow us to drop
the alignmasks from the CBC, CMAC, CTR, CTS, PCBC and SEQIV drivers.
For crypto_inc(), this simply involves making the 4-byte stride
conditional on HAVE_EFFICIENT_UNALIGNED_ACCESS being set, given that
it typically operates on 16 byte buffers.
For crypto_xor(), an algorithm is implemented that simply runs through
the input using the largest strides possible if unaligned accesses are
allowed. If they are not, an optimal sequence of memory accesses is
emitted that takes the relative alignment of the input buffers into
account, e.g., if the relative misalignment of dst and src is 4 bytes,
the entire xor operation will be completed using 4 byte loads and stores
(modulo unaligned bits at the start and end). Note that all expressions
involving misalign are simply eliminated by the compiler when
HAVE_EFFICIENT_UNALIGNED_ACCESS is defined.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-02-05 18:06:12 +08:00
|
|
|
for (; size >= 4; size -= 4) {
|
|
|
|
c = be32_to_cpu(*--b) + 1;
|
|
|
|
*b = cpu_to_be32(c);
|
crypto: algapi - annotate expected branch behavior in crypto_inc()
To prevent unnecessary branching, mark the exit condition of the
primary loop as likely(), given that a carry in a 32-bit counter
occurs very rarely.
On arm64, the resulting code is emitted by GCC as
9a8: cmp w1, #0x3
9ac: add x3, x0, w1, uxtw
9b0: b.ls 9e0 <crypto_inc+0x38>
9b4: ldr w2, [x3,#-4]!
9b8: rev w2, w2
9bc: add w2, w2, #0x1
9c0: rev w4, w2
9c4: str w4, [x3]
9c8: cbz w2, 9d0 <crypto_inc+0x28>
9cc: ret
where the two remaining branch conditions (one for size < 4 and one for
the carry) are statically predicted as non-taken, resulting in optimal
execution in the vast majority of cases.
Also, replace the open coded alignment test with IS_ALIGNED().
Cc: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-02-15 05:51:02 +08:00
|
|
|
if (likely(c))
|
crypto: algapi - make crypto_xor() and crypto_inc() alignment agnostic
Instead of unconditionally forcing 4 byte alignment for all generic
chaining modes that rely on crypto_xor() or crypto_inc() (which may
result in unnecessary copying of data when the underlying hardware
can perform unaligned accesses efficiently), make those functions
deal with unaligned input explicitly, but only if the Kconfig symbol
HAVE_EFFICIENT_UNALIGNED_ACCESS is set. This will allow us to drop
the alignmasks from the CBC, CMAC, CTR, CTS, PCBC and SEQIV drivers.
For crypto_inc(), this simply involves making the 4-byte stride
conditional on HAVE_EFFICIENT_UNALIGNED_ACCESS being set, given that
it typically operates on 16 byte buffers.
For crypto_xor(), an algorithm is implemented that simply runs through
the input using the largest strides possible if unaligned accesses are
allowed. If they are not, an optimal sequence of memory accesses is
emitted that takes the relative alignment of the input buffers into
account, e.g., if the relative misalignment of dst and src is 4 bytes,
the entire xor operation will be completed using 4 byte loads and stores
(modulo unaligned bits at the start and end). Note that all expressions
involving misalign are simply eliminated by the compiler when
HAVE_EFFICIENT_UNALIGNED_ACCESS is defined.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-02-05 18:06:12 +08:00
|
|
|
return;
|
|
|
|
}
|
2007-11-20 17:26:06 +08:00
|
|
|
|
|
|
|
crypto_inc_byte(a, size);
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_inc);
|
|
|
|
|
2015-04-20 13:39:00 +08:00
|
|
|
unsigned int crypto_alg_extsize(struct crypto_alg *alg)
|
|
|
|
{
|
2015-05-28 22:07:56 +08:00
|
|
|
return alg->cra_ctxsize +
|
|
|
|
(alg->cra_alignmask & ~(crypto_tfm_ctx_alignment() - 1));
|
2015-04-20 13:39:00 +08:00
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_alg_extsize);
|
|
|
|
|
2016-01-23 13:51:01 +08:00
|
|
|
int crypto_type_has_alg(const char *name, const struct crypto_type *frontend,
|
|
|
|
u32 type, u32 mask)
|
|
|
|
{
|
|
|
|
int ret = 0;
|
|
|
|
struct crypto_alg *alg = crypto_find_alg(name, frontend, type, mask);
|
|
|
|
|
|
|
|
if (!IS_ERR(alg)) {
|
|
|
|
crypto_mod_put(alg);
|
|
|
|
ret = 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
EXPORT_SYMBOL_GPL(crypto_type_has_alg);
|
|
|
|
|
2021-09-17 08:26:19 +08:00
|
|
|
static void __init crypto_start_tests(void)
|
|
|
|
{
|
2024-05-21 10:54:50 +08:00
|
|
|
if (!IS_BUILTIN(CONFIG_CRYPTO_ALGAPI))
|
|
|
|
return;
|
|
|
|
|
2022-11-14 08:12:35 +08:00
|
|
|
if (IS_ENABLED(CONFIG_CRYPTO_MANAGER_DISABLE_TESTS))
|
|
|
|
return;
|
|
|
|
|
2021-09-17 08:26:19 +08:00
|
|
|
for (;;) {
|
|
|
|
struct crypto_larval *larval = NULL;
|
|
|
|
struct crypto_alg *q;
|
|
|
|
|
|
|
|
down_write(&crypto_alg_sem);
|
|
|
|
|
|
|
|
list_for_each_entry(q, &crypto_alg_list, cra_list) {
|
|
|
|
struct crypto_larval *l;
|
|
|
|
|
|
|
|
if (!crypto_is_larval(q))
|
|
|
|
continue;
|
|
|
|
|
|
|
|
l = (void *)q;
|
|
|
|
|
|
|
|
if (!crypto_is_test_larval(l))
|
|
|
|
continue;
|
|
|
|
|
|
|
|
if (l->test_started)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
l->test_started = true;
|
|
|
|
larval = l;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
up_write(&crypto_alg_sem);
|
|
|
|
|
|
|
|
if (!larval)
|
|
|
|
break;
|
|
|
|
|
|
|
|
crypto_wait_for_test(larval);
|
|
|
|
}
|
|
|
|
|
2022-11-14 08:12:35 +08:00
|
|
|
set_crypto_boot_test_finished();
|
2021-09-17 08:26:19 +08:00
|
|
|
}
|
|
|
|
|
2006-08-21 19:08:13 +08:00
|
|
|
static int __init crypto_algapi_init(void)
|
|
|
|
{
|
|
|
|
crypto_init_proc();
|
2021-09-17 08:26:19 +08:00
|
|
|
crypto_start_tests();
|
2006-08-21 19:08:13 +08:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void __exit crypto_algapi_exit(void)
|
|
|
|
{
|
|
|
|
crypto_exit_proc();
|
|
|
|
}
|
|
|
|
|
2021-09-17 08:26:19 +08:00
|
|
|
/*
|
|
|
|
* We run this at late_initcall so that all the built-in algorithms
|
|
|
|
* have had a chance to register themselves first.
|
|
|
|
*/
|
|
|
|
late_initcall(crypto_algapi_init);
|
2006-08-21 19:08:13 +08:00
|
|
|
module_exit(crypto_algapi_exit);
|
|
|
|
|
|
|
|
MODULE_LICENSE("GPL");
|
|
|
|
MODULE_DESCRIPTION("Cryptographic algorithms API");
|
2022-02-02 14:46:48 +08:00
|
|
|
MODULE_SOFTDEP("pre: cryptomgr");
|