summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2025-05-12crypto: testmgr - replace CRYPTO_MANAGER_DISABLE_TESTS with CRYPTO_SELFTESTSEric Biggers
The negative-sense of CRYPTO_MANAGER_DISABLE_TESTS is a longstanding mistake that regularly causes confusion. Especially bad is that you can have CRYPTO=n && CRYPTO_MANAGER_DISABLE_TESTS=n, which is ambiguous. Replace CRYPTO_MANAGER_DISABLE_TESTS with CRYPTO_SELFTESTS which has the expected behavior. The tests continue to be disabled by default. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-12crypto: testmgr - remove panic_on_failEric Biggers
The cryptomgr.panic_on_fail=1 kernel command-line parameter is not very useful now that the tests have been fixed to WARN on failure, since developers can just use panic_on_warn=1 instead. There's no need for a special option just for the crypto self-tests. Remove it. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-12crypto: tcrypt - rename CRYPTO_TEST to CRYPTO_BENCHMARKEric Biggers
tcrypt is actually a benchmarking module and not the actual tests. This regularly causes confusion. Update the kconfig option name and help text accordingly. Signed-off-by: Eric Biggers <ebiggers@google.com> Acked-by: Geert Uytterhoeven <geert@linux-m68k.org> # m68k Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-12crypto: null - use memcpy_sglist()Eric Biggers
Make null_skcipher_crypt() use memcpy_sglist() instead of the skcipher_walk API, as this is simpler. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-12crypto: null - merge CRYPTO_NULL2 into CRYPTO_NULLEric Biggers
There is no reason to have separate CRYPTO_NULL2 and CRYPTO_NULL options. Just merge them into CRYPTO_NULL. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-12crypto: null - remove the default null skcipherEric Biggers
crypto_get_default_null_skcipher() and crypto_put_default_null_skcipher() are no longer used, so remove them. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-12crypto: krb5enc - do not select CRYPTO_NULLEric Biggers
The krb5enc code does not use any of the so-called "null algorithms", so it does not need to select CRYPTO_NULL. Presumably this unused dependency got copied from one of the other kconfig options. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-12crypto: geniv - use memcpy_sglist() instead of null skcipherEric Biggers
For copying data between two scatterlists, just use memcpy_sglist() instead of the so-called "null skcipher". This is much simpler. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-12crypto: gcm - use memcpy_sglist() instead of null skcipherEric Biggers
For copying data between two scatterlists, just use memcpy_sglist() instead of the so-called "null skcipher". This is much simpler. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-12crypto: authenc - use memcpy_sglist() instead of null skcipherEric Biggers
For copying data between two scatterlists, just use memcpy_sglist() instead of the so-called "null skcipher". This is much simpler. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-12crypto: algif_aead - use memcpy_sglist() instead of null skcipherEric Biggers
For copying data between two scatterlists, just use memcpy_sglist() instead of the so-called "null skcipher". This is much simpler. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-12crypto: lib/chacha - add array bounds to function prototypesEric Biggers
Add explicit array bounds to the function prototypes for the parameters that didn't already get handled by the conversion to use chacha_state: - chacha_block_*(): Change 'u8 *out' or 'u8 *stream' to u8 out[CHACHA_BLOCK_SIZE]. - hchacha_block_*(): Change 'u32 *out' or 'u32 *stream' to u32 out[HCHACHA_OUT_WORDS]. - chacha_init(): Change 'const u32 *key' to 'const u32 key[CHACHA_KEY_WORDS]'. Change 'const u8 *iv' to 'const u8 iv[CHACHA_IV_SIZE]'. No functional changes. This just makes it clear when fixed-size arrays are expected. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-12crypto: lib/chacha - add strongly-typed state zeroizationEric Biggers
Now that the ChaCha state matrix is strongly-typed, add a helper function chacha_zeroize_state() which zeroizes it. Then convert all applicable callers to use it instead of direct memzero_explicit. No functional changes. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-12crypto: lib/chacha - use struct assignment to copy stateEric Biggers
Use struct assignment instead of memcpy() in lib/crypto/chacha.c where appropriate. No functional change. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-12crypto: lib/chacha - strongly type the ChaCha stateEric Biggers
The ChaCha state matrix is 16 32-bit words. Currently it is represented in the code as a raw u32 array, or even just a pointer to u32. This weak typing is error-prone. Instead, introduce struct chacha_state: struct chacha_state { u32 x[16]; }; Convert all ChaCha and HChaCha functions to use struct chacha_state. No functional changes. Signed-off-by: Eric Biggers <ebiggers@google.com> Acked-by: Kent Overstreet <kent.overstreet@linux.dev> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-12crypto: crypto4xx - Remove ahash-related codeHerbert Xu
The hash implementation in crypto4xx has been disabled since 2009. As nobody has tried to fix this remove all the dead code. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-10crypto: powerpc/poly1305 - Add poly1305_emit_arch wrapperHerbert Xu
Add poly1305_emit_arch with fallback instead of calling assembly directly. This is because the state format differs between p10 and that of the generic implementation. Reported-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com> Reported-by: Eric Biggers <ebiggers@google.com> Fixes: 14d31979145d ("crypto: powerpc/poly1305 - Add block-only interface") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-08crypto: arm64/sha256 - fix build when CONFIG_PREEMPT_VOLUNTARY=yEric Biggers
Fix the build of sha256-ce.S when CONFIG_PREEMPT_VOLUNTARY=y by passing the correct label to the cond_yield macro. Also adjust the code to execute only one branch instruction when CONFIG_PREEMPT_VOLUNTARY=n. Fixes: 6e36be511d28 ("crypto: arm64/sha256 - implement library instead of shash") Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202505071811.yYpLUbav-lkp@intel.com/ Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-08crypto: powerpc/poly1305 - Add missing poly1305_emit_archHerbert Xu
Rename poly1305_emit_64 to poly1305_emit_arch to conform with the expectation of the poly1305 library. Reported-by: Thorsten Leemhuis <linux@leemhuis.info> Fixes: 14d31979145d ("crypto: powerpc/poly1305 - Add block-only interface") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Tested-by: Thorsten Leemhuis <linux@leemhuis.info> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-07um: Include linux/types.h in asm/fpu/api.hHerbert Xu
Include linux/types.h before using bool. Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202505070045.vWc04ygs-lkp@intel.com/ Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Acked-by: Johannes Berg <johannes@sipsolutions.net> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-06crypto: lib/poly1305 - Build main library on LIB_POLY1305 and split generic ↵Herbert Xu
code out Split the lib poly1305 code just as was done with sha256. Make the main library code conditional on LIB_POLY1305 instead of LIB_POLY1305_GENERIC. Reported-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com> Fixes: 10a6d72ea355 ("crypto: lib/poly1305 - Use block-only interface") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: s390/sha512 - Initialise upper counter to zero for sha384Herbert Xu
Initialise the high bit counter to zero in sha384_init. Also change the state initialisation to use ctx->sha512.state instead of ctx->state for consistency. Fixes: 572b5c4682c7 ("crypto: s390/sha512 - Use API partial block handling") Reported-by: Ingo Franzki <ifranzki@linux.ibm.com> Reported-by: Harald Freudenberger <freude@linux.ibm.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: padlock-sha - Use core import and export for fallbackHerbert Xu
As padlock-sha is block-only, it needs to use core import and export on the fallback. Also call sha256_block_init instead of sha256_init although this is harmless as sha256_init doesn't write into the partial block area. Fixes: 63dc06cd12f9 ("crypto: padlock-sha - Use API partial block handling") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: ahash - Add HASH_REQUEST_ZEROHerbert Xu
Add a helper to zero hash stack requests that were never cloned off the stack. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: ahash - Add core export and importHerbert Xu
Add crypto_ahash_export_core and crypto_ahash_import_core. For now they only differ from the normal export/import functions when going through shash. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: ahash - Enforce MAX_SYNC_HASH_REQSIZE for sync ahashHerbert Xu
As sync ahash algorithms (currently there are none) are used without a fallback, ensure that they obey the MAX_SYNC_HASH_REQSIZE rule just like shash algorithms. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: shash - Mark shash algorithms as REQ_VIRTHerbert Xu
Mark shash algorithms with the REQ_VIRT bit as they can handle virtual addresses as is. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: shash - Cap state size to HASH_MAX_STATESIZEHerbert Xu
Now that all shash algorithms have converted over to the generic export format, limit the shash state size to HASH_MAX_STATESIZE. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: zynqmp-sha - Fix partial block implementationHerbert Xu
The zynqmp-sha partial block was based on an old design of the partial block API where the leftover calculation was done in the Crypto API. As the leftover calculation is now done by the algorithm, fix this by passing the partial blocks to the fallback. Also zero the stack descriptors. Fixes: 201e9ec3b621 ("crypto: zynqmp-sha - Use API partial block handling") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: hisilicon/qm - replace devm_kzalloc with devm_kcallocEthan Carter Edwards
Replace devm_kzalloc that has an internal multiplication with devm_kcalloc to improve code readability and safety from overflows. Signed-off-by: Ethan Carter Edwards <ethan@ethancedwards.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: hisilicon/qm - remove sizeof(char)Ethan Carter Edwards
`sizeof(char)` evaluates to 1. Remove the churn. Signed-off-by: Ethan Carter Edwards <ethan@ethancedwards.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: s390/hmac - Use API partial block handlingHerbert Xu
Use the Crypto API partial block handling. Also switch to the generic export format. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: sha256 - Use the partial block APIHerbert Xu
Use the shash partial block API by default. Add a separate set of lib shash algorithms to preserve testing coverage until lib/sha256 has its own tests. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: lib/sha256 - Use generic block helperHerbert Xu
Use the BLOCK_HASH_UPDATE_BLOCKS helper instead of duplicating partial block handling. Also remove the unused lib/sha256 force-generic interface. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: x86/sha256 - Add simd block functionHerbert Xu
Add CRYPTO_ARCH_HAVE_LIB_SHA256_SIMD and a SIMD block function so that the caller can decide whether to use SIMD. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: riscv/sha256 - Add simd block functionHerbert Xu
Add CRYPTO_ARCH_HAVE_LIB_SHA256_SIMD and a SIMD block function so that the caller can decide whether to use SIMD. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: arm64/sha256 - Add simd block functionHerbert Xu
Add CRYPTO_ARCH_HAVE_LIB_SHA256_SIMD and a SIMD block function so that the caller can decide whether to use SIMD. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: arm/sha256 - Add simd block functionHerbert Xu
Add CRYPTO_ARCH_HAVE_LIB_SHA256_SIMD and a SIMD block function so that the caller can decide whether to use SIMD. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: arch/sha256 - Export block functions as GPL onlyHerbert Xu
Export the block functions as GPL only, there is no reason to let arbitrary modules use these internal functions. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: sha256 - Use the partial block API for genericHerbert Xu
The shash interface already handles partial blocks, use it for sha224-generic and sha256-generic instead of going through the lib/sha256 interface. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: lib/sha256 - Add helpers for block-based shashHerbert Xu
Add an internal sha256_finup helper and move the finalisation code from __sha256_final into it. Also add sha256_choose_blocks and CRYPTO_ARCH_HAVE_LIB_SHA256_SIMD so that the Crypto API can use the SIMD block function unconditionally. The Crypto API must not be used in hard IRQs and there is no reason to have a fallback path for hardirqs. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: sun8i-ce-hash - use pm_runtime_resume_and_get()Ovidiu Panait
Replace pm_runtime_get_sync() usage with pm_runtime_resume_and_get() to simplify error handling. This is recommended in the documentation of pm_runtime_get_sync(). Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: sun8i-ce - undo runtime PM changes during driver removalOvidiu Panait
The pm_runtime_use_autosuspend() call must be undone with pm_runtime_dont_use_autosuspend() at driver exit, but this is not currently handled in the driver. To fix this issue and at the same time simplify error handling, switch to devm_pm_runtime_enable(). It will call both pm_runtime_disable() and pm_runtime_dont_use_autosuspend() during driver removal. Fixes: 06f751b61329 ("crypto: allwinner - Add sun8i-ce Crypto Engine") Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: api - Rename CRYPTO_ALG_REQ_CHAIN to CRYPTO_ALG_REQ_VIRTHerbert Xu
As chaining has been removed, all that remains of REQ_CHAIN is just virtual address support. Rename it before the reintroduction of batching creates confusion. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: acomp - Clone folios properlyHerbert Xu
The folios contain references to the request itself so they must be setup again in the cloned request. Fixes: 5f3437e9c89e ("crypto: acomp - Simplify folio handling") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05hwrng: rockchip - add support for RK3576's RNGNicolas Frattaroli
The Rockchip RK3576 SoC uses a new hardware random number generator IP. It's also used on the Rockchip RK3562 and the Rockchip RK3528. It has several modes of operation and self-checking features that are not implemented here. For starters, it has a DRNG output, which is an AES-CTR pseudo-random number generator that can be reseeded from the true entropy regularly. However, it also allows for access of the true entropy generator directly. This entropy is generated from an oscillator. There are several configuration registers which we don't touch here. The oscillator can be switched between a "CRO" and "STR" oscillator, and the length of the oscillator can be configured. The hardware also supports some automatic continuous entropy quality checking, which is also not implemented in this driver for the time being. The output as-is has been deemed sufficient to be useful: rngtest: starting FIPS tests... rngtest: bits received from input: 20000032 rngtest: FIPS 140-2 successes: 997 rngtest: FIPS 140-2 failures: 3 rngtest: FIPS 140-2(2001-10-10) Monobit: 0 rngtest: FIPS 140-2(2001-10-10) Poker: 1 rngtest: FIPS 140-2(2001-10-10) Runs: 1 rngtest: FIPS 140-2(2001-10-10) Long run: 1 rngtest: FIPS 140-2(2001-10-10) Continuous run: 0 rngtest: input channel speed: (min=17.050; avg=1897.272; max=19531250.000)Kibits/s rngtest: FIPS tests speed: (min=44.773; avg=71.179; max=96.820)Mibits/s rngtest: Program run time: 11760715 microseconds rngtest: bits received from input: 40000032 rngtest: FIPS 140-2 successes: 1997 rngtest: FIPS 140-2 failures: 3 rngtest: FIPS 140-2(2001-10-10) Monobit: 0 rngtest: FIPS 140-2(2001-10-10) Poker: 1 rngtest: FIPS 140-2(2001-10-10) Runs: 1 rngtest: FIPS 140-2(2001-10-10) Long run: 1 rngtest: FIPS 140-2(2001-10-10) Continuous run: 0 rngtest: input channel speed: (min=17.050; avg=1798.618; max=19531250.000)Kibits/s rngtest: FIPS tests speed: (min=44.773; avg=64.561; max=96.820)Mibits/s rngtest: Program run time: 23507723 microseconds Stretching the entropy can then be left up to Linux's actual entropy pool. Signed-off-by: Nicolas Frattaroli <nicolas.frattaroli@collabora.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05dt-bindings: rng: rockchip,rk3588-rng: add rk3576-rng compatibleNicolas Frattaroli
The RK3576 SoC contains another standalone TRNG implementation. While the register map and hardware is different, it has the same clocks/interrupts/resets as the RK3588's TRNG, so can go in the same binding. Add the compatible and generalise the title/description of the binding some more. Signed-off-by: Nicolas Frattaroli <nicolas.frattaroli@collabora.com> Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: rng - fix documentation for crypto_rng_alg()Ovidiu Panait
Current documentation states that crypto_rng_alg() returns the cra_name of the rng algorithm, but it actually returns a 'struct rng_alg' pointer from a RNG handle. Update documentation to reflect this. Signed-off-by: Ovidiu Panait <ovidiu.panait.oss@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: qat - add qat_6xxx driverLaurent M Coquerel
Add a new driver, qat_6xxx, to support QAT GEN6 devices. QAT GEN6 devices are a follow-on generation of GEN4 devices and differently from the previous generation, they can support all three services (symmetric, asymmetric, and data compression) concurrently. In order to have the qat_6xxx driver to reuse some of the GEN4 logic, a new abstraction layer has been introduced to bridge the two implementations. This allows to avoid code duplication and to keep the qat_6xxx driver isolated from the GEN4 logic. This approach has been used for the PF to VF logic and the HW CSR access logic. Signed-off-by: Laurent M Coquerel <laurent.m.coquerel@intel.com> Co-developed-by: George Abraham P <george.abraham.p@intel.com> Signed-off-by: George Abraham P <george.abraham.p@intel.com> Co-developed-by: Karthikeyan Gopal <karthikeyan.gopal@intel.com> Signed-off-by: Karthikeyan Gopal <karthikeyan.gopal@intel.com> Co-developed-by: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com> Signed-off-by: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com> Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2025-05-05crypto: qat - add firmware headers for GEN6 devicesSuman Kumar Chakraborty
Add firmware headers related to compression that define macros for building the hardware configuration word, along with bitfields related to algorithm settings. Signed-off-by: Suman Kumar Chakraborty <suman.kumar.chakraborty@intel.com> Reviewed-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com> Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>