* [PATCH net 0/2] macsec: clear encryption keys in h/w drivers
From: Antoine Tenart @ 2022-11-08 15:34 UTC (permalink / raw)
To: davem, kuba, pabeni, edumazet; +Cc: Antoine Tenart, sd, irusskikh, netdev
Hello,
Commit aaab73f8fba4 ("macsec: clear encryption keys from the stack after
setting up offload") made sure to clean encryption keys from the stack
after setting up offloading but some h/w drivers did a copy of the key
which needs to be zeroed as well.
The MSCC PHY driver can actually be converted not to copy the encryption
key at all, but such a patch would be quite difficult to backport. I'll
send a follow-up patch doing this in net-next once this series lands.
Tested on the MSCC PHY but not on the atlantic NIC.
Thanks,
Antoine
Antoine Tenart (2):
net: phy: mscc: macsec: clear encryption keys when freeing a flow
net: atlantic: macsec: clear encryption keys from the stack
.../net/ethernet/aquantia/atlantic/aq_macsec.c | 2 ++
.../aquantia/atlantic/macsec/macsec_api.c | 18 +++++++++++-------
drivers/net/phy/mscc/mscc_macsec.c | 1 +
3 files changed, 14 insertions(+), 7 deletions(-)
--
2.38.1
* [PATCH net 1/2] net: phy: mscc: macsec: clear encryption keys when freeing a flow
From: Antoine Tenart @ 2022-11-08 15:34 UTC (permalink / raw)
To: davem, kuba, pabeni, edumazet; +Cc: Antoine Tenart, sd, irusskikh, netdev
Commit aaab73f8fba4 ("macsec: clear encryption keys from the stack after
setting up offload") made sure to clean encryption keys from the stack
after setting up offloading, but the MSCC PHY driver made a copy, kept
it in the flow data and did not clear it when freeing a flow. Fix this.
Fixes: 28c5107aa904 ("net: phy: mscc: macsec support")
Signed-off-by: Antoine Tenart <atenart@kernel•org>
---
drivers/net/phy/mscc/mscc_macsec.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/phy/mscc/mscc_macsec.c b/drivers/net/phy/mscc/mscc_macsec.c
index ee5b17edca39..f81b077618f4 100644
--- a/drivers/net/phy/mscc/mscc_macsec.c
+++ b/drivers/net/phy/mscc/mscc_macsec.c
@@ -632,6 +632,7 @@ static void vsc8584_macsec_free_flow(struct vsc8531_private *priv,
list_del(&flow->list);
clear_bit(flow->index, bitmap);
+ memzero_explicit(flow->key, sizeof(flow->key));
kfree(flow);
}
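Review bot: `sizeof(flow->key)` on the added line covers the whole key only if `key` is an array member of the flow structure; the declaration is not part of this hunk, and with a pointer member only pointer-size bytes would be cleared. Worth confirming against the struct definition. Since the next line is `kfree(flow)`, `kfree_sensitive(flow)` would be an alternative that wipes the whole allocation and does not depend on how the key field is declared.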
--
2.38.1
* [PATCH net 2/2] net: atlantic: macsec: clear encryption keys from the stack
From: Antoine Tenart @ 2022-11-08 15:34 UTC (permalink / raw)
To: davem, kuba, pabeni, edumazet; +Cc: Antoine Tenart, sd, irusskikh, netdev
Commit aaab73f8fba4 ("macsec: clear encryption keys from the stack after
setting up offload") made sure to clean encryption keys from the stack
after setting up offloading, but the atlantic driver made a copy and did
not clear it. Fix this.
[4 Fixes tags below, all part of the same series, no need to split this]
Fixes: 9ff40a751a6f ("net: atlantic: MACSec ingress offload implementation")
Fixes: b8f8a0b7b5cb ("net: atlantic: MACSec ingress offload HW bindings")
Fixes: 27736563ce32 ("net: atlantic: MACSec egress offload implementation")
Fixes: 9d106c6dd81b ("net: atlantic: MACSec egress offload HW bindings")
Signed-off-by: Antoine Tenart <atenart@kernel•org>
---
.../net/ethernet/aquantia/atlantic/aq_macsec.c | 2 ++
.../aquantia/atlantic/macsec/macsec_api.c | 18 +++++++++++-------
2 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_macsec.c b/drivers/net/ethernet/aquantia/atlantic/aq_macsec.c
index a0180811305d..7eb5851eb95d 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_macsec.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_macsec.c
@@ -570,6 +570,7 @@ static int aq_update_txsa(struct aq_nic_s *nic, const unsigned int sc_idx,
ret = aq_mss_set_egress_sakey_record(hw, &key_rec, sa_idx);
+ memzero_explicit(&key_rec, sizeof(key_rec));
return ret;
}
@@ -899,6 +900,7 @@ static int aq_update_rxsa(struct aq_nic_s *nic, const unsigned int sc_idx,
ret = aq_mss_set_ingress_sakey_record(hw, &sa_key_record, sa_idx);
+ memzero_explicit(&sa_key_record, sizeof(sa_key_record));
return ret;
}
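Review bot: in `aq_update_rxsa` the new `memzero_explicit(&sa_key_record, sizeof(sa_key_record))` runs only on the path that reaches `aq_mss_set_ingress_sakey_record()`. The code between copying the key into `sa_key_record` and this call is not shown in the hunk; if it contains an early `return` (a key-length check, for example), that exit leaves the key on the stack. Please check those paths and route them through a common exit that clears the record; the same question applies to `key_rec` in `aq_update_txsa` in the hunk above.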
diff --git a/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c b/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c
index 36c7cf05630a..431924959520 100644
--- a/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c
+++ b/drivers/net/ethernet/aquantia/atlantic/macsec/macsec_api.c
@@ -757,6 +757,7 @@ set_ingress_sakey_record(struct aq_hw_s *hw,
u16 table_index)
{
u16 packed_record[18];
+ int ret;
if (table_index >= NUMROWS_INGRESSSAKEYRECORD)
return -EINVAL;
@@ -789,9 +790,12 @@ set_ingress_sakey_record(struct aq_hw_s *hw,
packed_record[16] = rec->key_len & 0x3;
- return set_raw_ingress_record(hw, packed_record, 18, 2,
- ROWOFFSET_INGRESSSAKEYRECORD +
- table_index);
+ ret = set_raw_ingress_record(hw, packed_record, 18, 2,
+ ROWOFFSET_INGRESSSAKEYRECORD +
+ table_index);
+
+ memzero_explicit(packed_record, sizeof(packed_record));
+ return ret;
}
int aq_mss_set_ingress_sakey_record(struct aq_hw_s *hw,
@@ -1739,14 +1743,14 @@ static int set_egress_sakey_record(struct aq_hw_s *hw,
ret = set_raw_egress_record(hw, packed_record, 8, 2,
ROWOFFSET_EGRESSSAKEYRECORD + table_index);
if (unlikely(ret))
- return ret;
+ goto clear_key;
ret = set_raw_egress_record(hw, packed_record + 8, 8, 2,
ROWOFFSET_EGRESSSAKEYRECORD + table_index -
32);
- if (unlikely(ret))
- return ret;
- return 0;
+clear_key:
+ memzero_explicit(packed_record, sizeof(packed_record));
+ return ret;
}
int aq_mss_set_egress_sakey_record(struct aq_hw_s *hw,
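Review bot: at the tail of `set_egress_sakey_record` the explicit `return 0` is replaced by falling through into `clear_key:` and returning `ret`, and the commit message does not mention this. The returned value is unchanged (`ret` is 0 when the second `set_raw_egress_record()` call succeeds), but a sentence in the changelog saying the exit paths were merged so that every return clears `packed_record` would help backporters, and a short comment at the label would keep a later cleanup from reintroducing a direct `return` above it.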
--
2.38.1
* Re: [EXT] [PATCH net 0/2] macsec: clear encryption keys in h/w drivers
From: Igor Russkikh @ 2022-11-09 9:54 UTC (permalink / raw)
To: Antoine Tenart, davem, kuba, pabeni, edumazet; +Cc: sd, netdev
> Commit aaab73f8fba4 ("macsec: clear encryption keys from the stack after
> setting up offload") made sure to clean encryption keys from the stack
> after setting up offloading but some h/w drivers did a copy of the key
> which needs to be zeroed as well.
>
> The MSCC PHY driver can actually be converted not to copy the encryption
> key at all, but such a patch would be quite difficult to backport. I'll
> send a follow-up patch doing this in net-next once this series lands.
>
> Tested on the MSCC PHY but not on the atlantic NIC.
Hi Antoine, reviewed both. Will try to test on atlantic when possible.
Reviewed-by: Igor Russkikh <irusskikh@marvell•com>
Thanks
Igor
* Re: [PATCH net 0/2] macsec: clear encryption keys in h/w drivers
From: patchwork-bot+netdevbpf @ 2022-11-10 11:10 UTC (permalink / raw)
To: Antoine Tenart; +Cc: davem, kuba, pabeni, edumazet, sd, irusskikh, netdev
Hello:
This series was applied to netdev/net.git (master)
by Paolo Abeni <pabeni@redhat•com>:
On Tue, 8 Nov 2022 16:34:57 +0100 you wrote:
> Hello,
>
> Commit aaab73f8fba4 ("macsec: clear encryption keys from the stack after
> setting up offload") made sure to clean encryption keys from the stack
> after setting up offloading but some h/w drivers did a copy of the key
> which needs to be zeroed as well.
>
> [...]
Here is the summary with links:
- [net,1/2] net: phy: mscc: macsec: clear encryption keys when freeing a flow
https://git.kernel.org/netdev/net/c/1b16b3fdf675
- [net,2/2] net: atlantic: macsec: clear encryption keys from the stack
https://git.kernel.org/netdev/net/c/879785def0f5
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html