Attempting to use geli on a Via Nano CPU with Padlock causes a panic "panic: crypto_dispatch() failed (error=89)"

Steps to reproduce
==================
# kldload padlock
# cd /usr/tests/sys/geom/class/eli/
# kyua test init_test:init_a

Stack trace
===========
db_trace_self_wrapper()
vpanic()
panic()
g_eli_auth_run()
g_eli_worker()
fork_exit()
fork_trampoline()

System Info
===========
# uname -a
FreeBSD mixie 13.0-CURRENT FreeBSD 13.0-CURRENT #2 r363155: Tue Jul 14 17:41:23 MDT 2020 somers@alanine.lauralan.noip.me:/usr/obj/srv/home/somers/freebsd/base/head/amd64.amd64/sys/GENERIC amd64
# sysctl hw.model
hw.model: VIA Nano X2 L4350 @ 1.6+ GHz
89 is EBADMSG which means that a verify failed. Can you start off by first checking the driver via cryptocheck? For example:

kldload cryptodev
sysctl kern.crypto.allow_soft=1
cd src/tools/tools/crypto
make cryptocheck
cryptocheck -a all -d padlock0 -v

This will be much simpler to debug than geli if it finds errors.
cryptocheck doesn't show anything that looks like an error. Here's what I get:

> ./cryptocheck -a all -d padlock0 -v
cryptocheck: cryptodev HASH sha1 not supported for device padlock0: Operation not supported
cryptocheck: cryptodev HASH sha224 not supported for device padlock0: Operation not supported
cryptocheck: cryptodev HASH sha256 not supported for device padlock0: Operation not supported
cryptocheck: cryptodev HASH sha384 not supported for device padlock0: Operation not supported
cryptocheck: cryptodev HASH sha512 not supported for device padlock0: Operation not supported
cryptocheck: cryptodev HASH blake2b not supported for device padlock0: Operation not supported
cryptocheck: cryptodev HASH blake2s not supported for device padlock0: Operation not supported
cryptocheck: cryptodev HMAC sha1hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev HMAC sha224hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev HMAC sha256hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev HMAC sha384hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev HMAC sha512hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev GMAC gmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev GMAC gmac192 not supported for device padlock0: Operation not supported
cryptocheck: cryptodev GMAC gmac256 not supported for device padlock0: Operation not supported
aes-cbc (16) matched (cryptodev device padlock0)
cryptocheck: cryptodev cipher aes-cbc192 not supported for device padlock0: Invalid argument
aes-cbc256 (16) matched (cryptodev device padlock0)
cryptocheck: cryptodev cipher aes-ctr not supported for device padlock0: Operation not supported
cryptocheck: cryptodev cipher aes-ctr192 not supported for device padlock0: Operation not supported
cryptocheck: cryptodev cipher aes-ctr256 not supported for device padlock0: Operation not supported
cryptocheck: cryptodev cipher aes-xts not supported for device padlock0: Operation not supported
cryptocheck: cryptodev cipher aes-xts256 not supported for device padlock0: Operation not supported
cryptocheck: cryptodev cipher chacha20 not supported for device padlock0: Operation not supported
aes-cbc+sha1hmac (0, 16) matched (cryptodev device padlock0)
cryptocheck: cryptodev ETA aes-cbc+sha224hmac not supported for device padlock0: Operation not supported
aes-cbc+sha256hmac (0, 16) matched (cryptodev device padlock0)
aes-cbc+sha384hmac (0, 16) matched (cryptodev device padlock0)
aes-cbc+sha512hmac (0, 16) matched (cryptodev device padlock0)
cryptocheck: cryptodev ETA aes-cbc192+sha1hmac not supported for device padlock0: Invalid argument
cryptocheck: cryptodev ETA aes-cbc192+sha224hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-cbc192+sha256hmac not supported for device padlock0: Invalid argument
cryptocheck: cryptodev ETA aes-cbc192+sha384hmac not supported for device padlock0: Invalid argument
cryptocheck: cryptodev ETA aes-cbc192+sha512hmac not supported for device padlock0: Invalid argument
aes-cbc256+sha1hmac (0, 16) matched (cryptodev device padlock0)
cryptocheck: cryptodev ETA aes-cbc256+sha224hmac not supported for device padlock0: Operation not supported
aes-cbc256+sha256hmac (0, 16) matched (cryptodev device padlock0)
aes-cbc256+sha384hmac (0, 16) matched (cryptodev device padlock0)
aes-cbc256+sha512hmac (0, 16) matched (cryptodev device padlock0)
cryptocheck: cryptodev ETA aes-ctr+sha1hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-ctr+sha224hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-ctr+sha256hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-ctr+sha384hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-ctr+sha512hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-ctr192+sha1hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-ctr192+sha224hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-ctr192+sha256hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-ctr192+sha384hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-ctr192+sha512hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-ctr256+sha1hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-ctr256+sha224hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-ctr256+sha256hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-ctr256+sha384hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-ctr256+sha512hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-xts+sha1hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-xts+sha224hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-xts+sha256hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-xts+sha384hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-xts+sha512hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-xts256+sha1hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-xts256+sha224hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-xts256+sha256hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-xts256+sha384hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA aes-xts256+sha512hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA chacha20+sha1hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA chacha20+sha224hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA chacha20+sha256hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA chacha20+sha384hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev ETA chacha20+sha512hmac not supported for device padlock0: Operation not supported
cryptocheck: cryptodev AEAD aes-gcm not supported for device padlock0: Operation not supported
cryptocheck: cryptodev AEAD aes-gcm192 not supported for device padlock0: Operation not supported
cryptocheck: cryptodev AEAD aes-gcm256 not supported for device padlock0: Operation not supported
cryptocheck: cryptodev AEAD aes-ccm not supported for device padlock0: Operation not supported
cryptocheck: cryptodev AEAD aes-ccm192 not supported for device padlock0: Operation not supported
cryptocheck: cryptodev AEAD aes-ccm256 not supported for device padlock0: Operation not supported
Ok, it may have to do with the size of the request. The '-z' flag will try various sizes. However, it may be good to figure out what algorithms the kyua test is using and then test that specifically, e.g. 'cryptocheck -a aes-xts+sha256hmac -d padlock0 -z'. Hmm, however, I do see a bug, but it's a bug in 12 as well. The padlock() function returns the crp_error value from its process() callback. Probably the cipher and hash functions just never returned errors before until gaining verify mode in head which can return EBADMSG. Try this: Index: sys/crypto/via/padlock.c =================================================================== --- padlock.c (revision 363276) +++ padlock.c (working copy) @@ -275,7 +275,7 @@ out: #endif crp->crp_etype = error; crypto_done(crp); - return (error); + return (0); } static device_method_t padlock_methods[] = {
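Review bot: the new `return (0);` at the end of the `out:` path should carry a short comment explaining why the error is not returned, because nothing in the visible lines tells a later reader that `return (error);` was wrong. By that point the request has already been completed with `crp->crp_etype = error;` and `crypto_done(crp);`, so returning `error` as well reports the same failure a second time through the return value. A one-line comment above the return, for example "error already reported via crp_etype; request is complete", would keep the old form from being reintroduced.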
(In reply to John Baldwin from comment #3) Yes, that fixed the panics. There's another problem, though, that I'll address separately.
A commit references this bug:

Author: asomers
Date: Sun Sep 6 19:25:31 UTC 2020
New revision: 365389
URL: https://svnweb.freebsd.org/changeset/base/365389

Log:
  padlock(4): fix instapanics with geli authentication

  cryptodev_process implementations are supposed to return 0

  PR: 247986
  Submitted by: jhb
  MFC after: 1 week

Changes:
  head/sys/crypto/via/padlock.c
I submitted your fix. However, I see that three other cryptodev_process implementations also return errors: armv8_crypto_process, hifn_process, and safe_process. Do they need to be changed as well? I'm not able to test any of them.
A commit references this bug:

Author: jhb
Date: Tue Sep 8 22:41:36 UTC 2020
New revision: 365478
URL: https://svnweb.freebsd.org/changeset/base/365478

Log:
  Don't return errors from the cryptodev_process() method.

  The cryptodev_process() method should either return 0 if it has
  completed a request, or ERESTART to defer the request until later. If
  a request encounters an error, the error should be reported via
  crp_etype before completing the request via crypto_done().

  Fix a few more drivers noticed by asomers@ similar to the fix in
  r365389. This is an old bug, but went unnoticed since crypto requests
  did not start failing as a normal part of operation until digest
  verification was introduced which can fail requests with EBADMSG.

  PR: 247986
  Reported by: asomers
  Sponsored by: Chelsio Communications
  Differential Revision: https://reviews.freebsd.org/D26361

Changes:
  head/sys/crypto/armv8/armv8_crypto.c
  head/sys/dev/hifn/hifn7751.c
  head/sys/dev/safe/safe.c
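The return contract stated in the commit log above, as a small userland C model added here for illustration; it is not FreeBSD kernel code or code from either commit. `MODEL_ERESTART`, `struct model_crp` and the `model_*`, `process_*` and `dispatch_result` names are hypothetical, and the failed digest verification is a constructed input.

```c
/* Userland model of the cryptodev_process() return contract.
 * Not FreeBSD kernel code; all names below are hypothetical. */
#include <errno.h>
#include <stdio.h>

#define MODEL_ERESTART (-1)     /* stand-in for the kernel's ERESTART */
struct model_crp {
    int crp_etype;              /* where a completed request reports failure */
    int completions;            /* how often the completion path ran */
};
typedef int (*process_fn)(struct model_crp *, int bad_digest);
static void model_crypto_done(struct model_crp *crp) { crp->completions++; }
static struct model_crp last;   /* most recent request, kept for inspection */

/* "Before": completes the request, then reports the same error again. */
static int process_before(struct model_crp *crp, int bad_digest)
{
    int error = bad_digest ? EBADMSG : 0;   /* constructed verify failure */
    crp->crp_etype = error;
    model_crypto_done(crp);
    return (error);
}

/* "After": the error travels only through crp_etype. */
static int process_after(struct model_crp *crp, int bad_digest)
{
    crp->crp_etype = bad_digest ? EBADMSG : 0;
    model_crypto_done(crp);
    return (0);
}

/* Model dispatch; the consumer in the report panics when this is nonzero. */
static int dispatch_result(process_fn fn, int bad_digest)
{
    last = (struct model_crp){ 0, 0 };
    int rc = fn(&last, bad_digest);
    return (rc == MODEL_ERESTART ? 0 : rc);  /* deferral is not a failure */
}

int main(void)
{
    int before = dispatch_result(process_before, 1);
    int after = dispatch_result(process_after, 1);
    printf("before=%d after=%d etype=%d\n", before, after, last.crp_etype);
    return (0);
}
```

With the "before" driver the consumer sees the failure twice, once in the completed request and once as the dispatch result; with the "after" driver it sees it only in `crp_etype`.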
MFC is not necessary since I believe the bug was introduced by r359374, which was never MFCed.