Bug 203515 - [crypto] alg: skcipher: p8_aes_ctr encryption test failed (wrong result) on test vector 3, cfg="uneven misaligned splits, may sleep"
Status: RESOLVED CODE_FIX
Alias: None
Product: Platform Specific/Hardware
Classification: Unclassified
Component: PPC-64
Hardware: All Linux
Importance: P1 normal
Assignee: platform_ppc-64
 
Reported: 2019-05-05 00:05 UTC by Erhard F.
Modified: 2019-06-04 20:30 UTC

Kernel Version: 5.1.0-rc1
Regression: Yes


Attachments
dmesg (5.1.0-rc7, Talos II) (68.45 KB, text/plain)
2019-05-05 00:05 UTC, Erhard F.
kernel .config (5.1.0-rc7, Talos II) (88.49 KB, text/plain)
2019-05-05 00:06 UTC, Erhard F.
bisect.log (4.03 KB, text/plain)
2019-05-05 19:19 UTC, Erhard F.
kernel .config of the final bisect (5.0.0-rc1+, Talos II) (87.46 KB, text/plain)
2019-05-05 19:23 UTC, Erhard F.

Description Erhard F. 2019-05-05 00:05:40 UTC
Created attachment 282609
dmesg (5.1.0-rc7, Talos II)

Seems like some POWER8/9 specific encryption test fails in 5.1.0-rc7. This did not happen in 5.0.x and before.

[...]
[    5.246612] crypto_register_alg 'cbc(aes)' = 0
[    5.254268] alg: skcipher: p8_aes_ctr encryption test failed (wrong result) on test vector 3, cfg="uneven misaligned splits, may sleep"
[    5.255266] xhci_hcd 0003:01:00.0: xHCI Host Controller
[    5.255346] xhci_hcd 0003:01:00.0: new USB bus registered, assigned bus number 1
[    5.255522] xhci_hcd 0003:01:00.0: hcc params 0x0270f06d hci version 0x96 quirks 0x0000000004000000
[    5.256008] crypto_register_alg 'ctr(aes)' = 0
[...]
Comment 1 Erhard F. 2019-05-05 00:06:26 UTC
Created attachment 282611
kernel .config (5.1.0-rc7, Talos II)
Comment 2 Erhard F. 2019-05-05 19:15:53 UTC
Did some testing, -rc1 is already affected.
Comment 3 Erhard F. 2019-05-05 19:19:07 UTC
Created attachment 282623
bisect.log

git-bisect found 4e7babba30d820c4195b1d58cf51dce3c22ecf2b as the 1st bad commit:

# git bisect good | tee -a ~/bisect01.log
4e7babba30d820c4195b1d58cf51dce3c22ecf2b is the first bad commit
commit 4e7babba30d820c4195b1d58cf51dce3c22ecf2b
Author: Eric Biggers <ebiggers@google.com>
Date:   Thu Jan 31 23:51:46 2019 -0800

    crypto: testmgr - convert skcipher testing to use testvec_configs
    
    Convert alg_test_skcipher() to use the new test framework, adding a list
    of testvec_configs to test by default.  When the extra self-tests are
    enabled, randomly generated testvec_configs are tested as well.
    
    This improves skcipher test coverage mainly because now all algorithms
    have a variety of data layouts tested, whereas before each algorithm was
    responsible for declaring its own chunked test cases which were often
    missing or provided poor test coverage.  The new code also tests both
    the MAY_SLEEP and !MAY_SLEEP cases, different IV alignments, and buffers
    that cross pages.
    
    This has already found a bug in the arm64 ctr-aes-neonbs algorithm.
    It would have easily found many past bugs.
    
    I removed the skcipher chunked test vectors that were the same as
    non-chunked ones, but left the ones that were unique.
    
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

:040000 040000 c533a4dce0d9954923cd56a69e0d26eeee5324a3 c199b3af7a05160aede1522c4860abae5fbe2716 M	crypto
Comment 4 Erhard F. 2019-05-05 19:23:29 UTC
Created attachment 282625
kernel .config of the final bisect (5.0.0-rc1+, Talos II)
Comment 5 Eric Biggers 2019-05-06 15:51:56 UTC
This is an existing bug in the VMX implementation of AES-CTR which the improved crypto self-tests are detecting.  Apparently someone is planning to fix it: https://marc.info/?l=linux-crypto&m=155502414423504&w=2.  That was almost a month ago though; I'm not sure whether anyone has actually done anything yet.  I'll send a reminder.
Comment 6 Erhard F. 2019-05-06 19:45:50 UTC
(In reply to Eric Biggers from comment #5)
> [...] That was almost a month ago though; I'm not sure whether anyone has
> actually done anything yet.  I'll send a reminder.
Thanks! Apparently not, the newly released 5.1.0 is still affected.
Comment 7 Erhard F. 2019-06-04 20:30:32 UTC
The fix trickled down from mainline to stable. 5.1.7 passes tests now:

$ dmesg | grep -i aes
[    4.902294] crypto_register_alg 'aes' = 0
[    4.928003] crypto_register_alg 'cbc(aes)' = 0
[    4.944002] crypto_register_alg 'ctr(aes)' = 0
[    5.011290] crypto_register_alg 'xts(aes)' = 0

Thanks!
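
Added example (not part of the bug thread, and not code from the kernel project): a shell check that scans dmesg-style text for crypto self-test failures like the one reported here and splits the message into fields. The function names and the "|" field separator are assumptions of this example; only the message layout quoted in this report is parsed into fields, and the sample logs are the lines quoted above.

```shell
#!/bin/sh
# Find crypto self-test failures in dmesg-style text read from stdin.
# Output: one record per failure, fields separated by "|":
#   type|driver|operation|reason|vector|cfg
# Only the message layout quoted in this bug report is split into fields; any
# other "alg: ... failed" line is emitted as "unparsed|<message>".
crypto_selftest_failures() {
    sed -nE '
        s/^(\[[^]]*\] *)?alg: ([a-z]+): ([^ ]+) (encryption|decryption) test failed \(([^)]*)\) on test vector ([0-9]+), cfg="([^"]*)".*$/\2|\3|\4|\5|\6|\7/p
        t
        s/^(\[[^]]*\] *)?(alg: .*failed.*)$/unparsed|\2/p
    '
}

# Status 0 when no failure is logged, 1 otherwise; records go to stderr.
# On a live system: dmesg | crypto_selftests_ok
crypto_selftests_ok() {
    failures=$(crypto_selftest_failures)
    if [ -n "$failures" ]; then
        printf '%s\n' "$failures" >&2
        return 1
    fi
    return 0
}

# Sample input: lines quoted in this report from the affected 5.1.0-rc7 boot.
sample_bad_log() {
cat <<'EOF'
[    5.246612] crypto_register_alg 'cbc(aes)' = 0
[    5.254268] alg: skcipher: p8_aes_ctr encryption test failed (wrong result) on test vector 3, cfg="uneven misaligned splits, may sleep"
[    5.255266] xhci_hcd 0003:01:00.0: xHCI Host Controller
[    5.256008] crypto_register_alg 'ctr(aes)' = 0
EOF
}

# Sample input: lines quoted in this report from the fixed 5.1.7 boot.
sample_good_log() {
cat <<'EOF'
[    4.902294] crypto_register_alg 'aes' = 0
[    4.928003] crypto_register_alg 'cbc(aes)' = 0
[    4.944002] crypto_register_alg 'ctr(aes)' = 0
[    5.011290] crypto_register_alg 'xts(aes)' = 0
EOF
}

sample_bad_log | crypto_selftest_failures
```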
