From e7ed6473c2c8c4e45dd861bfa06e96189b11d8db Mon Sep 17 00:00:00 2001 From: Herbert Xu Date: Mon, 6 Nov 2023 18:00:08 +0800 Subject: [PATCH 1/2] crypto: jitterentropy - Hide esoteric Kconfig options under FIPS and EXPERT As JITTERENTROPY is selected by default if you enable the CRYPTO API, any Kconfig options added there will show up for every single user. Hide the esoteric options under EXPERT as well as FIPS so that only distro makers will see them. Reported-by: Linus Torvalds Signed-off-by: Herbert Xu Reviewed-by: Stephan Mueller Signed-off-by: Herbert Xu --- crypto/Kconfig | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/crypto/Kconfig b/crypto/Kconfig index bbf51d55724e..70661f58ee41 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -1297,10 +1297,12 @@ config CRYPTO_JITTERENTROPY See https://www.chronox.de/jent.html +if CRYPTO_JITTERENTROPY +if CRYPTO_FIPS && EXPERT + choice prompt "CPU Jitter RNG Memory Size" default CRYPTO_JITTERENTROPY_MEMSIZE_2 - depends on CRYPTO_JITTERENTROPY help The Jitter RNG measures the execution time of memory accesses. Multiple consecutive memory accesses are performed. If the memory @@ -1344,7 +1346,6 @@ config CRYPTO_JITTERENTROPY_OSR int "CPU Jitter RNG Oversampling Rate" range 1 15 default 1 - depends on CRYPTO_JITTERENTROPY help The Jitter RNG allows the specification of an oversampling rate (OSR). The Jitter RNG operation requires a fixed amount of timing @@ -1359,7 +1360,6 @@ config CRYPTO_JITTERENTROPY_OSR config CRYPTO_JITTERENTROPY_TESTINTERFACE bool "CPU Jitter RNG Test Interface" - depends on CRYPTO_JITTERENTROPY help The test interface allows a privileged process to capture the raw unconditioned high resolution time stamp noise that @@ -1377,6 +1377,28 @@ config CRYPTO_JITTERENTROPY_TESTINTERFACE If unsure, select N. +endif # if CRYPTO_FIPS && EXPERT + +if !(CRYPTO_FIPS && EXPERT) + +config CRYPTO_JITTERENTROPY_MEMORY_BLOCKS + int + default 64 + +config CRYPTO_JITTERENTROPY_MEMORY_BLOCKSIZE + int + default 32 + +config CRYPTO_JITTERENTROPY_OSR + int + default 1 + +config CRYPTO_JITTERENTROPY_TESTINTERFACE + bool + +endif # if !(CRYPTO_FIPS && EXPERT) +endif # if CRYPTO_JITTERENTROPY + config CRYPTO_KDF800108_CTR tristate select CRYPTO_HMAC From 9aedd10fe38418319bd8ed55dc68a40ec04aaa05 Mon Sep 17 00:00:00 2001 From: Dmitry Safonov Date: Tue, 7 Nov 2023 02:37:17 +0000 Subject: [PATCH 2/2] crypto: ahash - Set using_shash for cloned ahash wrapper over shash The cloned child of ahash that uses shash under the hood should use shash helpers (like crypto_shash_setkey()). The following panic may be observed on TCP-AO selftests: > ================================================================== > BUG: KASAN: wild-memory-access in crypto_mod_get+0x1b/0x60 > Write of size 4 at addr 5d5be0ff5c415e14 by task connect_ipv4/1397 > > CPU: 0 PID: 1397 Comm: connect_ipv4 Tainted: G W 6.6.0+ #47 > Call Trace: > > dump_stack_lvl+0x46/0x70 > kasan_report+0xc3/0xf0 > kasan_check_range+0xec/0x190 > crypto_mod_get+0x1b/0x60 > crypto_spawn_alg+0x53/0x140 > crypto_spawn_tfm2+0x13/0x60 > hmac_init_tfm+0x25/0x60 > crypto_ahash_setkey+0x8b/0x100 > tcp_ao_add_cmd+0xe7a/0x1120 > do_tcp_setsockopt+0x5ed/0x12a0 > do_sock_setsockopt+0x82/0x100 > __sys_setsockopt+0xe9/0x160 > __x64_sys_setsockopt+0x60/0x70 > do_syscall_64+0x3c/0xe0 > entry_SYSCALL_64_after_hwframe+0x46/0x4e > ================================================================== > general protection fault, probably for non-canonical address 0x5d5be0ff5c415e14: 0000 [#1] PREEMPT SMP KASAN > CPU: 0 PID: 1397 Comm: connect_ipv4 Tainted: G B W 6.6.0+ #47 > Call Trace: > > ? die_addr+0x3c/0xa0 > ? exc_general_protection+0x144/0x210 > ? asm_exc_general_protection+0x22/0x30 > ? add_taint+0x26/0x90 > ? crypto_mod_get+0x20/0x60 > ? crypto_mod_get+0x1b/0x60 > ? ahash_def_finup_done1+0x58/0x80 > crypto_spawn_alg+0x53/0x140 > crypto_spawn_tfm2+0x13/0x60 > hmac_init_tfm+0x25/0x60 > crypto_ahash_setkey+0x8b/0x100 > tcp_ao_add_cmd+0xe7a/0x1120 > do_tcp_setsockopt+0x5ed/0x12a0 > do_sock_setsockopt+0x82/0x100 > __sys_setsockopt+0xe9/0x160 > __x64_sys_setsockopt+0x60/0x70 > do_syscall_64+0x3c/0xe0 > entry_SYSCALL_64_after_hwframe+0x46/0x4e > > RIP: 0010:crypto_mod_get+0x20/0x60 Make sure that the child/clone has using_shash set when parent is an shash user. Fixes: 2f1f34c1bf7b ("crypto: ahash - optimize performance when wrapping shash") Cc: David Ahern Cc: "David S. Miller" Cc: Dmitry Safonov <0x7f454c46@gmail.com> Cc: Eric Biggers Cc: Eric Dumazet Cc: Francesco Ruggeri To: Herbert Xu Cc: Jakub Kicinski Cc: Paolo Abeni Cc: Salam Noureddine Cc: netdev@vger.kernel.org Cc: linux-crypto@vger.kernel.org Cc: linux-kernel@vger.kernel.org Signed-off-by: Dmitry Safonov Reviewed-by: Eric Biggers Signed-off-by: Herbert Xu --- crypto/ahash.c | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/ahash.c b/crypto/ahash.c index deee55f939dc..80c3e5354711 100644 --- a/crypto/ahash.c +++ b/crypto/ahash.c @@ -651,6 +651,7 @@ struct crypto_ahash *crypto_clone_ahash(struct crypto_ahash *hash) err = PTR_ERR(shash); goto out_free_nhash; } + nhash->using_shash = true; *nctx = shash; return nhash; }