mbox series

[GIT,PULL] Asymmetric keys fix for v6.4-rc5

Message ID 4d7e38ff5bbc496cb794b50e1c5c83bcd2317e69.camel@huaweicloud.com
State New
Headers show
Series [GIT,PULL] Asymmetric keys fix for v6.4-rc5 | expand

Pull-request

https://github.com/robertosassu/linux.git tags/asym-keys-fix-for-linus-v6.4-rc5

Message

Roberto Sassu June 2, 2023, 2:41 p.m. UTC
Hi Linus

sorry for this unusual procedure of me requesting a patch to be pulled.
I asked for several months the maintainers (David: asymmetric keys,
Jarkko: key subsystem) to pick my patch but without any luck.

I signed the tag, but probably it would not matter, since my key is not
among your trusted keys.

The following changes since commit 921bdc72a0d68977092d6a64855a1b8967acc1d9:

  Merge tag 'mmc-v6.4-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc (2023-06-02 08:35:13 -0400)

are available in the Git repository at:

  https://github.com/robertosassu/linux.git tags/asym-keys-fix-for-linus-v6.4-rc5

for you to fetch changes up to c3d03e8e35e005e1a614e51bb59053eeb5857f76:

  KEYS: asymmetric: Copy sig and digest in public_key_verify_signature() (2023-06-02 15:36:23 +0200)

----------------------------------------------------------------
Asymmetric keys fix for v6.4-rc5

Here is a small fix to make an unconditional copy of the buffer passed
to crypto operations, to take into account the case of the stack not in
the linear mapping area.

It has been tested and verified to fix the bug.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>

----------------------------------------------------------------
Roberto Sassu (1):
      KEYS: asymmetric: Copy sig and digest in public_key_verify_signature()

 crypto/asymmetric_keys/public_key.c | 38 +++++++++++++++++++++-----------------
 1 file changed, 21 insertions(+), 17 deletions(-)

Comments

Eric Biggers June 3, 2023, 4:02 p.m. UTC | #1
On Sat, Jun 03, 2023 at 12:41:00PM +0200, Roberto Sassu wrote:
> On 6/3/2023 2:02 AM, Linus Torvalds wrote:
> > On Fri, Jun 2, 2023 at 1:38 PM Linus Torvalds
> > <torvalds@linux-foundation.org> wrote:
> > > 
> > > The patch re-uses the allocation it already does for the key data, and
> > > it seems sane.
> > 
> > Ugh. I had to check that it was ok to re-use the key buffer, but it
> > does seem to be the case that you can just re-use the buffer after
> > you've done that crypto_akcipher_set_priv/pub_key() call, and the
> > crypto layer has to copy it into its own data structures.
> 
> Yes, we could not do it if the set_pub_key/set_priv_key methods use
> internally the passed pointer. I guess it depends on the methods, for RSA
> and ECDSA it seems fine (they copy to a different location).
> 
> The doubt comes because the buffer is freed after crypto_wait_req() and not
> after crypto_akcipher_set_*_key(), suggesting that it could be actually used
> during the crypto operation.
> 
> Rechecked the thread, and the suggestion to reuse the buffer and not append
> the signature and digest at the end was by Eric Biggers.
> 
> Eric, in light of this finding, should we still reuse the buffer?
> 

I don't think there was any "finding" here.  The setkey methods in the crypto
API aren't allowed to reuse the buffer they are passed, so the patch is fine.

- Eric
Herbert Xu June 5, 2023, 8:49 a.m. UTC | #2
On Fri, Jun 02, 2023 at 08:02:23PM -0400, Linus Torvalds wrote:
>
> I absolutely abhor the crypto interfaces. They all seem designed for
> that "external DMA engine" case that seems so horrendously pointless
> and slow.  In practice so few of them are that, and we have all those
> optimized routines for doing it all on the CPU - but have in the
> meantime wasted all that time and effort into copying everything,
> turning simple buffers into sg-bufs etc etc. The amount of indirection
> and "set this state in the state machine" is just nasty, and this
> seems to all be a prime example of it all. With some of it then
> randomly going through some kthread too.

You're right.  Originally SG lists were used as the majority of
our input came from network packets, in the form of skb's.  They
are easily translated into SG lists.  This is still somewhat the
case for parts of the Crypto API (e.g., skcipher and ahash).

However, for akcipher the only user of the underlying API is the
file in question so I absolutely agree that forcing it to go through
an SG list is just wrong.

I'll change the underlying akcipher interface to take pointers
instead and hide the SG list stuff (along with the copying) inside
API.

In the mean time feel free to take this patch as it appears to be
correct and should keep things chugging along while we work on the
API.

Acked-by: Herbert Xu <herbert@gondor.apana.org.au>

Cheers,
David Howells June 5, 2023, 2:47 p.m. UTC | #3
Roberto Sassu <roberto.sassu@huaweicloud.com> wrote:

> Here is a small fix to make an unconditional copy of the buffer passed
> to crypto operations, to take into account the case of the stack not in
> the linear mapping area.

I wonder if evm_verify_hmac() and other such callers of the signature
verification service should be placing the data and crypto material in slab
memory rather than it being on the stack.  But, for the moment:

Acked-by: David Howells <dhowells@redhat.com>
pr-tracker-bot@kernel.org June 5, 2023, 3:36 p.m. UTC | #4
The pull request you sent on Fri, 02 Jun 2023 16:41:04 +0200:

> https://github.com/robertosassu/linux.git tags/asym-keys-fix-for-linus-v6.4-rc5

has been merged into torvalds/linux.git:
https://git.kernel.org/torvalds/c/f8dba31b0a826e691949cd4fdfa5c30defaac8c5

Thank you!
Ard Biesheuvel June 6, 2023, 11 a.m. UTC | #5
On Mon, 5 Jun 2023 at 10:49, Herbert Xu <herbert@gondor.apana.org.au> wrote:
>
> On Fri, Jun 02, 2023 at 08:02:23PM -0400, Linus Torvalds wrote:
> >
> > I absolutely abhor the crypto interfaces. They all seem designed for
> > that "external DMA engine" case that seems so horrendously pointless
> > and slow.  In practice so few of them are that, and we have all those
> > optimized routines for doing it all on the CPU - but have in the
> > meantime wasted all that time and effort into copying everything,
> > turning simple buffers into sg-bufs etc etc. The amount of indirection
> > and "set this state in the state machine" is just nasty, and this
> > seems to all be a prime example of it all. With some of it then
> > randomly going through some kthread too.
>
> You're right.  Originally SG lists were used as the majority of
> our input came from network packets, in the form of skb's.  They
> are easily translated into SG lists.  This is still somewhat the
> case for parts of the Crypto API (e.g., skcipher and ahash).
>
> However, for akcipher the only user of the underlying API is the
> file in question so I absolutely agree that forcing it to go through
> an SG list is just wrong.
>
> I'll change the underlying akcipher interface to take pointers
> instead and hide the SG list stuff (along with the copying) inside
> API.
>

Could we do the same for the compression API? This is a major pain as
well, and results (on my 128-core workstation) in 32 MiB permanently
tied up in scratch buffers in the scomp-to-acomp adaptation layer
because most of the underlying implementations are compression
libraries operating on plain virtual addresses, and so the
scatterlists needs to be copied into a buffer and back to perform the
actual transformation.

The only user user of the async compression interface is zswap, but it
blocks on the completion so it is actually synchronous as well.