diff options
| author | Gilad Ben-Yossef <gilad@benyossef.com> | 2017-07-11 18:11:37 +0300 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-07-16 09:40:57 +0300 |
| commit | b7e607bf33a2f18507c7f35f7c7abfd45f55047f (patch) | |
| tree | 385c2595a8d817d2956965b4159b79f9034e869e /drivers/staging/ccree/ssi_cipher.c | |
| parent | 07642a075f2743a0ebebde1163da6a2f0aa98d14 (diff) | |
| download | linux-b7e607bf33a2f18507c7f35f7c7abfd45f55047f.tar.xz | |
staging: ccree: move FIPS support to kernel infrastructure
The ccree driver had its own FIPS support, complete with
a test harness comparable to crypto testmgr and an
implementation which disables crypto functionality on
FIPS test error detection, either in Linux or from TEE.
This patch removes the duplication, while reimplementing
the handling of TEE reported FIPS errors according to the
kernel policy of inducing a panic in such an event.
Signed-off-by: Gilad Ben-Yossef <gilad@benyossef.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/staging/ccree/ssi_cipher.c')
| -rw-r--r-- | drivers/staging/ccree/ssi_cipher.c | 30 |
1 files changed, 4 insertions, 26 deletions
diff --git a/drivers/staging/ccree/ssi_cipher.c b/drivers/staging/ccree/ssi_cipher.c index 4ef0c9ba8678..af16bd02397c 100644 --- a/drivers/staging/ccree/ssi_cipher.c +++ b/drivers/staging/ccree/ssi_cipher.c @@ -23,6 +23,7 @@ #include <crypto/aes.h> #include <crypto/ctr.h> #include <crypto/des.h> +#include <crypto/xts.h> #include "ssi_config.h" #include "ssi_driver.h" @@ -31,7 +32,6 @@ #include "ssi_cipher.h" #include "ssi_request_mgr.h" #include "ssi_sysfs.h" -#include "ssi_fips_local.h" #define MAX_ABLKCIPHER_SEQ_LEN 6 @@ -188,7 +188,6 @@ static int ssi_blkcipher_init(struct crypto_tfm *tfm) SSI_LOG_DEBUG("Initializing context @%p for %s\n", ctx_p, crypto_tfm_alg_name(tfm)); - CHECK_AND_RETURN_UPON_FIPS_ERROR(); ctx_p->cipher_mode = ssi_alg->cipher_mode; ctx_p->flow_mode = ssi_alg->flow_mode; ctx_p->drvdata = ssi_alg->drvdata; @@ -265,9 +264,8 @@ static const u8 zero_buff[] = { 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}; /* The function verifies that tdes keys are not weak.*/ -static int ssi_fips_verify_3des_keys(const u8 *key, unsigned int keylen) +static int ssi_verify_3des_keys(const u8 *key, unsigned int keylen) { -#ifdef CCREE_FIPS_SUPPORT struct tdes_keys *tdes_key = (struct tdes_keys *)key; /* verify key1 != key2 and key3 != key2*/ @@ -275,21 +273,6 @@ static int ssi_fips_verify_3des_keys(const u8 *key, unsigned int keylen) (memcmp((u8 *)tdes_key->key3, (u8 *)tdes_key->key2, sizeof(tdes_key->key3)) == 0))) { return -ENOEXEC; } -#endif /* CCREE_FIPS_SUPPORT */ - - return 0; -} - -/* The function verifies that xts keys are not weak.*/ -static int ssi_fips_verify_xts_keys(const u8 *key, unsigned int keylen) -{ -#ifdef CCREE_FIPS_SUPPORT - /* Weak key is define as key that its first half (128/256 lsb) equals its second half (128/256 msb) */ - int singleKeySize = keylen >> 1; - - if (unlikely(memcmp(key, &key[singleKeySize], singleKeySize) == 0)) - return -ENOEXEC; -#endif /* CCREE_FIPS_SUPPORT */ return 0; } @@ -322,8 +305,6 @@ static int ssi_blkcipher_setkey(struct crypto_tfm *tfm, ctx_p, crypto_tfm_alg_name(tfm), keylen); dump_byte_array("key", (u8 *)key, keylen); - CHECK_AND_RETURN_UPON_FIPS_ERROR(); - SSI_LOG_DEBUG("ssi_blkcipher_setkey: after FIPS check"); /* STAT_PHASE_0: Init and sanity checks */ @@ -385,13 +366,13 @@ static int ssi_blkcipher_setkey(struct crypto_tfm *tfm, } } if ((ctx_p->cipher_mode == DRV_CIPHER_XTS) && - ssi_fips_verify_xts_keys(key, keylen) != 0) { + xts_check_key(tfm, key, keylen) != 0) { SSI_LOG_DEBUG("ssi_blkcipher_setkey: weak XTS key"); return -EINVAL; } if ((ctx_p->flow_mode == S_DIN_to_DES) && (keylen == DES3_EDE_KEY_SIZE) && - ssi_fips_verify_3des_keys(key, keylen) != 0) { + ssi_verify_3des_keys(key, keylen) != 0) { SSI_LOG_DEBUG("ssi_blkcipher_setkey: weak 3DES key"); return -EINVAL; } @@ -754,7 +735,6 @@ static int ssi_blkcipher_process( ((direction == DRV_CRYPTO_DIRECTION_ENCRYPT) ? "Encrypt" : "Decrypt"), areq, info, nbytes); - CHECK_AND_RETURN_UPON_FIPS_ERROR(); /* STAT_PHASE_0: Init and sanity checks */ /* TODO: check data length according to mode */ @@ -855,8 +835,6 @@ static void ssi_ablkcipher_complete(struct device *dev, void *ssi_req, void __io struct ssi_ablkcipher_ctx *ctx_p = crypto_ablkcipher_ctx(tfm); unsigned int ivsize = crypto_ablkcipher_ivsize(tfm); - CHECK_AND_RETURN_VOID_UPON_FIPS_ERROR(); - ssi_blkcipher_complete(dev, ctx_p, req_ctx, areq->dst, areq->src, ivsize, areq, cc_base); } |