[Bionic][PATCH 0/1] UBUNTU: SAUCE: s390/crypto: Adjust s390 aes and paes cipher

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
3 messages Options
Reply | Threaded
Open this post in threaded view
|

[Bionic][PATCH 0/1] UBUNTU: SAUCE: s390/crypto: Adjust s390 aes and paes cipher

Joseph Salisbury-3
BugLink: http://bugs.launchpad.net/bugs/1762353


== Bionic Justification ==
Setting up two or more plain end-to-end encrypted disks using 'cryptsetup'
fails when using a cipher based on the protected key mechanism.
The setup needs the paes and pkey modules loaded, the former providing the
paes-xts-plain64 cipher (cat /proc/crpyto |grep paes).

A second attempt to establish an end-to-end encrypted disk fails
with : "device-mapper: reload ioctl on failed: No such file or directory."

The problem is independent of the second encrypted disk being based on a second DASD or second partition on one DASD.

This patch is not upstream as of yet.
Tentativ upstream targert is kernel 4.17 (merge window currently open).

== Fix ==
UBUNTU: SAUCE: s390/crypto: Adjust s390 aes and paes cipher

Harald Freudenberger (1):
  s390/crypto: Adjust s390 aes and paes cipher priorities

 arch/s390/crypto/aes_s390.c  | 8 ++++----
 arch/s390/crypto/paes_s390.c | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

[Bionic][PATCH 1/1] UBUNTU: SAUCE: s390/crypto: Adjust s390 aes and paes cipher

Joseph Salisbury-3
From: Harald Freudenberger <[hidden email]>

BugLink: http://bugs.launchpad.net/bugs/1762353

Tests with paes-xts and debugging investigations showed
that the ciphers are not always correctly resolved.
The rules for cipher priorities seem to be:
 - Ecb-aes should have a prio greater than the
   generic ecb-aes.
 - The mode specialized ciphers (like cbc-aes-s390)
   should have a prio greater than the sum of the
   more generic combinations (like cbs(aes)).

This patch adjusts the cipher priorities for the
s390 aes and paes in kernel crypto implementations.

Signed-off-by: Harald Freudenberger <[hidden email]>
Signed-off-by: Joseph Salisbury <[hidden email]>
---
 arch/s390/crypto/aes_s390.c  | 8 ++++----
 arch/s390/crypto/paes_s390.c | 8 ++++----
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/arch/s390/crypto/aes_s390.c b/arch/s390/crypto/aes_s390.c
index fa9b7dd..ad47abd 100644
--- a/arch/s390/crypto/aes_s390.c
+++ b/arch/s390/crypto/aes_s390.c
@@ -329,7 +329,7 @@ static void fallback_exit_blk(struct crypto_tfm *tfm)
 static struct crypto_alg ecb_aes_alg = {
  .cra_name = "ecb(aes)",
  .cra_driver_name = "ecb-aes-s390",
- .cra_priority = 400, /* combo: aes + ecb */
+ .cra_priority = 401, /* combo: aes + ecb + 1 */
  .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER |
  CRYPTO_ALG_NEED_FALLBACK,
  .cra_blocksize = AES_BLOCK_SIZE,
@@ -426,7 +426,7 @@ static int cbc_aes_decrypt(struct blkcipher_desc *desc,
 static struct crypto_alg cbc_aes_alg = {
  .cra_name = "cbc(aes)",
  .cra_driver_name = "cbc-aes-s390",
- .cra_priority = 400, /* combo: aes + cbc */
+ .cra_priority = 402, /* ecb-aes-s390 + 1 */
  .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER |
  CRYPTO_ALG_NEED_FALLBACK,
  .cra_blocksize = AES_BLOCK_SIZE,
@@ -633,7 +633,7 @@ static void xts_fallback_exit(struct crypto_tfm *tfm)
 static struct crypto_alg xts_aes_alg = {
  .cra_name = "xts(aes)",
  .cra_driver_name = "xts-aes-s390",
- .cra_priority = 400, /* combo: aes + xts */
+ .cra_priority = 402, /* ecb-aes-s390 + 1 */
  .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER |
  CRYPTO_ALG_NEED_FALLBACK,
  .cra_blocksize = AES_BLOCK_SIZE,
@@ -763,7 +763,7 @@ static int ctr_aes_decrypt(struct blkcipher_desc *desc,
 static struct crypto_alg ctr_aes_alg = {
  .cra_name = "ctr(aes)",
  .cra_driver_name = "ctr-aes-s390",
- .cra_priority = 400, /* combo: aes + ctr */
+ .cra_priority = 402, /* ecb-aes-s390 + 1 */
  .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER |
  CRYPTO_ALG_NEED_FALLBACK,
  .cra_blocksize = 1,
diff --git a/arch/s390/crypto/paes_s390.c b/arch/s390/crypto/paes_s390.c
index 003932d..80b2729 100644
--- a/arch/s390/crypto/paes_s390.c
+++ b/arch/s390/crypto/paes_s390.c
@@ -138,7 +138,7 @@ static int ecb_paes_decrypt(struct blkcipher_desc *desc,
 static struct crypto_alg ecb_paes_alg = {
  .cra_name = "ecb(paes)",
  .cra_driver_name = "ecb-paes-s390",
- .cra_priority = 400, /* combo: aes + ecb */
+ .cra_priority = 401, /* combo: aes + ecb + 1 */
  .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER,
  .cra_blocksize = AES_BLOCK_SIZE,
  .cra_ctxsize = sizeof(struct s390_paes_ctx),
@@ -241,7 +241,7 @@ static int cbc_paes_decrypt(struct blkcipher_desc *desc,
 static struct crypto_alg cbc_paes_alg = {
  .cra_name = "cbc(paes)",
  .cra_driver_name = "cbc-paes-s390",
- .cra_priority = 400, /* combo: aes + cbc */
+ .cra_priority = 402, /* ecb-paes-s390 + 1 */
  .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER,
  .cra_blocksize = AES_BLOCK_SIZE,
  .cra_ctxsize = sizeof(struct s390_paes_ctx),
@@ -377,7 +377,7 @@ static int xts_paes_decrypt(struct blkcipher_desc *desc,
 static struct crypto_alg xts_paes_alg = {
  .cra_name = "xts(paes)",
  .cra_driver_name = "xts-paes-s390",
- .cra_priority = 400, /* combo: aes + xts */
+ .cra_priority = 402, /* ecb-paes-s390 + 1 */
  .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER,
  .cra_blocksize = AES_BLOCK_SIZE,
  .cra_ctxsize = sizeof(struct s390_pxts_ctx),
@@ -523,7 +523,7 @@ static int ctr_paes_decrypt(struct blkcipher_desc *desc,
 static struct crypto_alg ctr_paes_alg = {
  .cra_name = "ctr(paes)",
  .cra_driver_name = "ctr-paes-s390",
- .cra_priority = 400, /* combo: aes + ctr */
+ .cra_priority = 402, /* ecb-paes-s390 + 1 */
  .cra_flags = CRYPTO_ALG_TYPE_BLKCIPHER,
  .cra_blocksize = 1,
  .cra_ctxsize = sizeof(struct s390_paes_ctx),
--
2.7.4


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team
Reply | Threaded
Open this post in threaded view
|

APPLIED: [Bionic][PATCH 0/1] UBUNTU: SAUCE: s390/crypto: Adjust s390 aes and paes cipher

Seth Forshee
In reply to this post by Joseph Salisbury-3
On Mon, Apr 09, 2018 at 11:41:05AM -0400, Joseph Salisbury wrote:

> BugLink: http://bugs.launchpad.net/bugs/1762353
>
>
> == Bionic Justification ==
> Setting up two or more plain end-to-end encrypted disks using 'cryptsetup'
> fails when using a cipher based on the protected key mechanism.
> The setup needs the paes and pkey modules loaded, the former providing the
> paes-xts-plain64 cipher (cat /proc/crpyto |grep paes).
>
> A second attempt to establish an end-to-end encrypted disk fails
> with : "device-mapper: reload ioctl on failed: No such file or directory."
>
> The problem is independent of the second encrypted disk being based on a second DASD or second partition on one DASD.
>
> This patch is not upstream as of yet.
> Tentativ upstream targert is kernel 4.17 (merge window currently open).
>
> == Fix ==
> UBUNTU: SAUCE: s390/crypto: Adjust s390 aes and paes cipher

Applied to bionic/master-next, thanks!

--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team