diff --git a/drivers/crypto/tegra-hv-vse-safety.c b/drivers/crypto/tegra-hv-vse-safety.c index 0df66b4a..bacc59c1 100644 --- a/drivers/crypto/tegra-hv-vse-safety.c +++ b/drivers/crypto/tegra-hv-vse-safety.c @@ -1593,6 +1593,14 @@ static int tegra_vse_validate_sha_params(struct tegra_virtual_se_sha_context *sh goto exit; } + if (is_last) { + if (sha_ctx->user_digest_buffer == NULL) { + VSE_ERR("%s: user digest buffer is NULL\n", __func__); + ret = -EINVAL; + goto exit; + } + } + if (sha_ctx->blk_size == 0U) { VSE_ERR("SHA blk_size is invalid\n"); ret = -EINVAL; @@ -2323,11 +2331,6 @@ static int tegra_hv_vse_safety_hmac_sha_finup(struct ahash_request *req) return ret; } - if (!hmac_ctx->is_key_slot_allocated) { - VSE_ERR("%s key is not allocated\n", __func__); - return -EINVAL; - } - se_dev = g_crypto_to_ivc_map[hmac_ctx->node_id].se_dev; /* Return error if engine is in suspended state */ @@ -4472,6 +4475,12 @@ static int tegra_vse_aes_gmac_sv_check_params(struct ahash_request *req, bool is int err = 0; bool is_zero_copy; + if ((gmac_ctx->request_type != TEGRA_HV_VSE_GMAC_SIGN) && + (gmac_ctx->request_type != TEGRA_HV_VSE_GMAC_VERIFY)) { + dev_err(se_dev->dev, "%s: Invalid request type\n", __func__); + err = -EINVAL; + } + if (gmac_ctx->node_id >= MAX_NUMBER_MISC_DEVICES) { dev_err(se_dev->dev, "%s: Node id is not valid\n", __func__); err = -EINVAL; @@ -4482,7 +4491,6 @@ static int tegra_vse_aes_gmac_sv_check_params(struct ahash_request *req, bool is err = -EINVAL; } - /* Validate aad buf len */ if (gmac_ctx->user_aad_buf_size > TEGRA_VIRTUAL_SE_MAX_SUPPORTED_BUFLEN) { dev_err(se_dev->dev, "%s: aad buf length exceeds max supported size\n", __func__); err = -EINVAL; 
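Review bot: In the tegra_vse_aes_gmac_sv_check_params hunk at -4472, the new request-type check logs through `se_dev->dev` before the `node_id` range check that follows it. Elsewhere on this page se_dev is looked up as `g_crypto_to_ivc_map[hmac_ctx->node_id].se_dev`; if this function obtains it the same way (the declaration is outside the hunk), the pointer comes from an index that has not been validated yet. For checks that run before `node_id` is known to be in range, the device-independent macro already used in this file is safer: `VSE_ERR("%s: Invalid request type\n", __func__);`. The check also only records `err` and falls through, which matches the rest of the function but means later branches still run with an unsupported request type.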
@@ -4494,9 +4502,6 @@ static int tegra_vse_aes_gmac_sv_check_params(struct ahash_request *req, bool is dev_err(se_dev->dev, "%s: aad buf is NULL\n", __func__); err = -EINVAL; } - } - - if (gmac_ctx->request_type == TEGRA_HV_VSE_GMAC_VERIFY) { if (is_last != 0U) { if (gmac_ctx->authsize > 0 && gmac_ctx->user_tag_buf == NULL) { dev_err(se_dev->dev, @@ -4504,8 +4509,14 @@ static int tegra_vse_aes_gmac_sv_check_params(struct ahash_request *req, bool is err = -EINVAL; } } + } else { + if (gmac_ctx->request_type == TEGRA_HV_VSE_GMAC_SIGN) { + if (is_last == 1U && gmac_ctx->user_tag_iova == 0) { + dev_err(se_dev->dev, "%s: user tag iova is invalid\n", __func__); + err = -EINVAL; + } + } } - return err; } @@ -5028,7 +5039,6 @@ static int tegra_hv_vse_aes_gmac_sv_op_hw_support(struct ahash_request *req, } } - free_exit: if (ivc_req_msg) devm_kfree(se_dev->dev, ivc_req_msg); @@ -5056,6 +5066,11 @@ static int tegra_hv_vse_aes_gmac_sv_update(struct ahash_request *req) } gmac_ctx = crypto_ahash_ctx(crypto_ahash_reqtfm(req)); + if (gmac_ctx == NULL) { + VSE_ERR("%s: gmac_ctx is NULL\n", __func__); + return -EINVAL; + } + if (!gmac_ctx->req_context_initialized) { VSE_ERR("%s Request ctx not initialized\n", __func__); ret = -EPERM; @@ -5100,6 +5115,11 @@ static int tegra_hv_vse_aes_gmac_sv_finup(struct ahash_request *req) } gmac_ctx = crypto_ahash_ctx(crypto_ahash_reqtfm(req)); + if (gmac_ctx == NULL) { + VSE_ERR("%s: gmac_ctx is NULL\n", __func__); + return -EINVAL; + } + if (!gmac_ctx->req_context_initialized) { VSE_ERR("%s: Request ctx not initialized\n", __func__); ret = -EPERM; diff --git a/drivers/crypto/tegra-nvvse-cryptodev.c b/drivers/crypto/tegra-nvvse-cryptodev.c index aed1bd00..4b6779fe 100644 --- a/drivers/crypto/tegra-nvvse-cryptodev.c +++ b/drivers/crypto/tegra-nvvse-cryptodev.c 
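Review bot: In the hunks at -4494 and -4504, the VERIFY tag-buffer check is now nested inside the preceding `if`, and the SIGN `user_tag_iova` check exists only in the new `else`. The enclosing condition is outside the hunk, but as written a VERIFY request that takes the `else` path is no longer checked for a NULL `user_tag_buf`, and a SIGN request on the `if` path gets no tag check; please confirm both gaps are intended. The nested block can be flattened to `} else if (gmac_ctx->request_type == TEGRA_HV_VSE_GMAC_SIGN) {`. The new `is_last == 1U` should also match the existing `is_last != 0U` a few lines above, since the parameter appears to be a `bool`.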
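Review bot: The `gmac_ctx == NULL` check added in tegra_hv_vse_aes_gmac_sv_update (and again in tegra_hv_vse_aes_gmac_sv_finup at -5100) is unlikely to ever fire. As far as I know crypto_ahash_ctx() returns the address of the context area embedded in the tfm, so it is non-NULL whenever the tfm is valid, and an invalid `req` or tfm would already have been dereferenced by crypto_ahash_reqtfm() one line earlier. If the check is kept for a coding-standard reason, say so in a comment such as `/* defensive only: crypto_ahash_ctx() does not return NULL for a valid tfm */`. It also returns directly, while the check right after it sets `ret = -EPERM`; the rest of both functions is outside the hunk, so confirm that a direct return skips no cleanup.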
@@ -267,6 +267,20 @@ static int tnvvse_crypto_validate_sha_update_req(struct tnvvse_crypto_ctx *ctx, enum tegra_nvvse_sha_type sha_type = sha_update_ctl->sha_type; int32_t ret = 0; + if ((sha_type < TEGRA_NVVSE_SHA_TYPE_SHA256) || (sha_type >= TEGRA_NVVSE_SHA_TYPE_MAX)) { + CRYPTODEV_ERR("%s(): SHA Type requested %d is not supported\n", __func__, sha_type); + ret = -EINVAL; + goto exit; + } + + if ((sha_type == TEGRA_NVVSE_SHA_TYPE_SHAKE128 || + sha_type == TEGRA_NVVSE_SHA_TYPE_SHAKE256) && + sha_update_ctl->digest_size == 0) { + CRYPTODEV_ERR("%s: Digest Buffer Size is invalid\n", __func__); + ret = -EINVAL; + goto exit; + } + if (sha_update_ctl->init_only != 0U) { if (sha_state->sha_init_done != 0U) { CRYPTODEV_INFO("%s(): SHA init is already done\n", __func__); @@ -295,27 +309,19 @@ static int tnvvse_crypto_validate_sha_update_req(struct tnvvse_crypto_ctx *ctx, goto exit; } - if ((sha_state->sha_init_done == 0U) && (sha_update_ctl->is_first == 0U)) { - CRYPTODEV_ERR("%s(): SHA First req is not yet received\n", __func__); - ret = -EINVAL; - goto exit; - } - - if ((sha_type < TEGRA_NVVSE_SHA_TYPE_SHA256) || (sha_type >= TEGRA_NVVSE_SHA_TYPE_MAX)) { - CRYPTODEV_ERR("%s(): SHA Type requested %d is not supported\n", __func__, sha_type); - ret = -EINVAL; - goto exit; - } - - if (sha_type == TEGRA_NVVSE_SHA_TYPE_SHAKE128 && sha_update_ctl->digest_size == 0) { - CRYPTODEV_ERR("%s: Digest Buffer Size is invalid\n", __func__); - ret = -EINVAL; - goto exit; - } - if (sha_update_ctl->input_buffer_size == 0U) { if (sha_update_ctl->is_last == 0U) { - CRYPTODEV_ERR("%s(): zero length non-last request is not supported\n", __func__); + CRYPTODEV_ERR("%s(): zero length non-last request is not supported\n", + __func__); + ret = -EINVAL; + goto exit; + } + } + + if (sha_update_ctl->is_last == 0U) { + if (sha_update_ctl->do_reset == 1U) { + CRYPTODEV_ERR("%s(): do_reset is not supported for non-last request\n", + __func__); ret = -EINVAL; goto exit; } 
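Review bot: The SHAKE check added at the top of tnvvse_crypto_validate_sha_update_req rejects only `digest_size == 0`, so no upper bound on this caller-supplied length is visible in the hunk. For SHAKE128/SHAKE256 the output length is chosen by the caller, so unless `digest_size` is bounded elsewhere in the function (its remainder is outside the hunk) it should also be compared against the size of the digest buffer the driver allocates. If that bound exists later, a short comment here pointing to it would keep the two checks from drifting apart.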
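Review bot: The new non-last guard in the hunk at -295 tests `sha_update_ctl->do_reset == 1U`, while tnvvse_crypto_sha_update acts on `do_reset != 0U`. A non-last request carrying any other non-zero value therefore passes validation and still resets the SHA state. Use the same predicate in both places: `if (sha_update_ctl->do_reset != 0U) {`. The same hunk also drops the `sha_init_done == 0U && is_first == 0U` rejection; if no equivalent check remains outside the hunk, a continuation request can reach the engine without a preceding first request.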
@@ -361,7 +367,7 @@ exit: static int tnvvse_crypto_sha_update(struct tnvvse_crypto_ctx *ctx, struct tegra_nvvse_sha_update_ctl *sha_update_ctl) { - struct crypto_sha_state *sha_state = &ctx->sha_state; + struct crypto_sha_state *sha_state; struct tegra_virtual_se_sha_context *sha_ctx; struct crypto_ahash *tfm = NULL; struct ahash_request *req = NULL; @@ -369,15 +375,7 @@ static int tnvvse_crypto_sha_update(struct tnvvse_crypto_ctx *ctx, enum tegra_nvvse_sha_type sha_type; int ret = -ENOMEM; - sha_type = sha_update_ctl->sha_type; - - if (sha_update_ctl->do_reset != 0U) { - /* Force reset SHA state and return */ - sha_state->sha_init_done = 0U; - sha_state->sha_total_msg_length = 0U; - ret = 0; - goto exit; - } + sha_state = &ctx->sha_state; ret = tnvvse_crypto_validate_sha_update_req(ctx, sha_update_ctl); if (ret != 0) { @@ -389,6 +387,16 @@ static int tnvvse_crypto_sha_update(struct tnvvse_crypto_ctx *ctx, goto exit; } + sha_type = sha_update_ctl->sha_type; + + if (sha_update_ctl->do_reset != 0U) { + /* Force reset SHA state and return */ + sha_state->sha_init_done = 0U; + sha_state->sha_total_msg_length = 0U; + ret = 0; + goto exit; + } + if (sha_update_ctl->init_only != 0U) { /* Only set state as SHA init done and return */ sha_state->sha_init_done = 1U; @@ -445,6 +453,8 @@ static int tnvvse_crypto_sha_update(struct tnvvse_crypto_ctx *ctx, ret = wait_async_op(&sha_complete, crypto_ahash_init(req)); if (ret) { CRYPTODEV_ERR("%s(): Failed to initialize ahash: %d\n", __func__, ret); + sha_state->sha_init_done = 0; + sha_state->sha_total_msg_length = 0; goto free_tfm; } 
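Review bot: Moving the `do_reset` block below tnvvse_crypto_validate_sha_update_req (hunk at -389) means a reset is honoured only when the request also passes every validator check. That validator has state-dependent branches, for example the `init_only` / `sha_init_done` test, so a caller trying to recover from a bad state may be refused the reset; the lines between the validator call and this hunk are not visible, so please confirm that. If the gating is intended, the comment should say so, e.g. `/* Reset SHA state; honoured only for a validated last request */`.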
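Review bot: The same two-line state reset is pasted into the crypto_ahash_init failure path here and into the crypto_ahash_update and crypto_ahash_finup failure paths in the next hunk (-452). It is also written with `0` where the existing `do_reset` block uses `0U`. A small static helper (the name below is only a suggestion) keeps the four sites identical and gives one place to extend if the state struct grows. tnvvse_crypto_sha_update continues outside these hunks, so other `goto free_tfm` error paths may need the same call.

```c
/* Discard the running SHA stream so the next request must start fresh. */
static void tnvvse_crypto_sha_state_reset(struct crypto_sha_state *sha_state)
{
	sha_state->sha_init_done = 0U;
	sha_state->sha_total_msg_length = 0U;
}
```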
@@ -452,12 +462,16 @@ static int tnvvse_crypto_sha_update(struct tnvvse_crypto_ctx *ctx, ret = wait_async_op(&sha_complete, crypto_ahash_update(req)); if (ret) { CRYPTODEV_ERR("%s(): Failed to ahash_update: %d\n", __func__, ret); + sha_state->sha_init_done = 0; + sha_state->sha_total_msg_length = 0; goto free_tfm; } } else { ret = wait_async_op(&sha_complete, crypto_ahash_finup(req)); if (ret) { CRYPTODEV_ERR("%s(): Failed to ahash_finup: %d\n", __func__, ret); + sha_state->sha_init_done = 0; + sha_state->sha_total_msg_length = 0; goto free_tfm; } @@ -550,8 +564,11 @@ static int tnvvse_crypto_hmac_sha_sign_verify(struct tnvvse_crypto_ctx *ctx, int ret = -ENOMEM; ret = tnvvse_crypto_hmac_sha_validate_req(ctx, hmac_sha_ctl); - if (ret != 0) + if (ret != 0) { + sha_state->hmac_sha_init_done = 0; + sha_state->hmac_sha_total_msg_length = 0; goto exit; + } tfm = crypto_alloc_ahash("hmac-sha256-vse", 0, 0); if (IS_ERR(tfm)) { @@ -1068,6 +1085,13 @@ static int tnvvse_crypto_aes_gmac_sign_verify(struct tnvvse_crypto_ctx *ctx, goto free_req; } + if ((gmac_sign_verify_ctl->gmac_type != TEGRA_NVVSE_AES_GMAC_SIGN) && + (gmac_sign_verify_ctl->gmac_type != TEGRA_NVVSE_AES_GMAC_VERIFY)) { + CRYPTODEV_ERR("%s: Invalid request type\n", __func__); + ret = -EINVAL; + goto done; + } + ret = tnvvse_crypto_aes_gmac_sign_verify_init(ctx, gmac_sign_verify_ctl, req); if (ret) { CRYPTODEV_ERR("%s(): Failed to init: %d\n", __func__, ret);
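Review bot: In tnvvse_crypto_hmac_sha_sign_verify (hunk at -550) a rejected request now clears `hmac_sha_init_done` and `hmac_sha_total_msg_length`, so one malformed call discards an in-progress HMAC stream, and nothing in the code says this is deliberate. A comment would make the intent reviewable: `/* A rejected request aborts the running HMAC stream; caller must restart */`. `sha_state` is declared outside the hunk, so confirm it is assigned before this first use, given that the SHA path in this commit moved its `sha_state` assignment out of the declaration.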
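Review bot: The `gmac_type` check added in tnvvse_crypto_aes_gmac_sign_verify (hunk at -1068) exits with `goto done`, while the error path immediately before it uses `goto free_req` and `req` is passed to the init call right after it. The labels are outside the hunk, but if `done` sits below the `free_req` cleanup, every request with an invalid type leaks the ahash request and the tfm, and an unprivileged caller could repeat that. Use `goto free_req;` here, or move the check to the top of the function before anything is allocated.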