Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=master 2026-04-15T22:22:26+00:00 2026-04-15T22:22:26+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-04-15T22:22:26+00:00 urn:sha1:aec2f682d47c54ef434b2d440992626d80b1ebdc Pull crypto update from Herbert Xu: "API: - Replace crypto_get_default_rng with crypto_stdrng_get_bytes - Remove simd skcipher support - Allow algorithm types to be disabled when CRYPTO_SELFTESTS is off Algorithms: - Remove CPU-based des/3des acceleration - Add test vectors for authenc(hmac(md5),cbc({aes,des})) and authenc(hmac({md5,sha1,sha224,sha256,sha384,sha512}),rfc3686(ctr(aes))) - Replace spin lock with mutex in jitterentropy Drivers: - Add authenc algorithms to safexcel - Add support for zstd in qat - Add wireless mode support for QAT GEN6 - Add anti-rollback support for QAT GEN6 - Add support for ctr(aes), gcm(aes), and ccm(aes) in dthev2" * tag 'v7.1-p1' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (129 commits) crypto: af_alg - use sock_kmemdup in alg_setkey_by_key_serial crypto: vmx - remove CRYPTO_DEV_VMX from Kconfig crypto: omap - convert reqctx buffer to fixed-size array crypto: atmel-sha204a - add Thorsten Blum as maintainer crypto: atmel-ecc - add Thorsten Blum as maintainer crypto: qat - fix IRQ cleanup on 6xxx probe failure crypto: geniv - Remove unused spinlock from struct aead_geniv_ctx crypto: qce - simplify qce_xts_swapiv() crypto: hisilicon - Fix dma_unmap_single() direction crypto: talitos - rename first/last to first_desc/last_desc crypto: talitos - fix SEC1 32k ahash request limitation crypto: jitterentropy - replace long-held spinlock with mutex crypto: hisilicon - remove unused and non-public APIs for qm and sec crypto: hisilicon/qm - drop redundant variable initialization crypto: hisilicon/qm - remove else after return crypto: hisilicon/qm - add const qualifier to info_name in struct qm_cmd_dump_item crypto: hisilicon - fix the format string type error crypto: ccree - fix a memory leak in cc_mac_digest() crypto: qat - add support for zstd crypto: qat - use swab32 macro ... 2026-04-03T00:56:12+00:00 Eric Biggers ebiggers@kernel.org 2026-03-26T20:12:43+00:00 urn:sha1:622d42ef977adeae3d5a5d0eb893e4aaf1d5330c Since DES and Triple DES are obsolete, there is very little point in maintining architecture-optimized code for them. Remove it. Signed-off-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2026-03-23T23:44:29+00:00 Eric Biggers ebiggers@kernel.org 2026-03-19T06:17:14+00:00 urn:sha1:efd1d2c8f3c073c43d5616d0c2d698cbe8a3ecde Remove the "ghash-s390" crypto_shash algorithm, and replace it with an implementation of ghash_blocks_arch() for the GHASH library. This makes the GHASH library be optimized with CPACF. It also greatly reduces the amount of s390-specific glue code that is needed, and it fixes the issue where this GHASH optimization was disabled by default. Acked-by: Ard Biesheuvel <ardb@kernel.org> Link: https://lore.kernel.org/r/20260319061723.1140720-14-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> 2026-02-10T16:36:42+00:00 Linus Torvalds torvalds@linux-foundation.org 2026-02-10T16:36:42+00:00 urn:sha1:08df88fa142f3ba298bf0f7840fa9187e2fb5956 Pull crypto update from Herbert Xu: "API: - Fix race condition in hwrng core by using RCU Algorithms: - Allow authenc(sha224,rfc3686) in fips mode - Add test vectors for authenc(hmac(sha384),cbc(aes)) - Add test vectors for authenc(hmac(sha224),cbc(aes)) - Add test vectors for authenc(hmac(md5),cbc(des3_ede)) - Add lz4 support in hisi_zip - Only allow clear key use during self-test in s390/{phmac,paes} Drivers: - Set rng quality to 900 in airoha - Add gcm(aes) support for AMD/Xilinx Versal device - Allow tfms to share device in hisilicon/trng" * tag 'v7.0-p1' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6: (100 commits) crypto: img-hash - Use unregister_ahashes in img_{un}register_algs crypto: testmgr - Add test vectors for authenc(hmac(md5),cbc(des3_ede)) crypto: cesa - Simplify return statement in mv_cesa_dequeue_req_locked crypto: testmgr - Add test vectors for authenc(hmac(sha224),cbc(aes)) crypto: testmgr - Add test vectors for authenc(hmac(sha384),cbc(aes)) hwrng: core - use RCU and work_struct to fix race condition crypto: starfive - Fix memory leak in starfive_aes_aead_do_one_req() crypto: xilinx - Fix inconsistant indentation crypto: rng - Use unregister_rngs in register_rngs crypto: atmel - Use unregister_{aeads,ahashes,skciphers} hwrng: optee - simplify OP-TEE context match crypto: ccp - Add sysfs attribute for boot integrity dt-bindings: crypto: atmel,at91sam9g46-sha: add microchip,lan9691-sha dt-bindings: crypto: atmel,at91sam9g46-aes: add microchip,lan9691-aes dt-bindings: crypto: qcom,inline-crypto-engine: document the Milos ICE crypto: caam - fix netdev memory leak in dpaa2_caam_probe crypto: hisilicon/qm - increase wait time for mailbox crypto: hisilicon/qm - obtain the mailbox configuration at one time crypto: hisilicon/qm - remove unnecessary code in qm_mb_write() crypto: hisilicon/qm - move the barrier before writing to the mailbox register ... 2026-01-31T02:52:30+00:00 Harald Freudenberger freude@linux.ibm.com 2026-01-15T12:00:26+00:00 urn:sha1:9d58d22f367f6fc08f949b1ba9625e56414be92a This patch exploits the new xflag PKEY_XFLAG_NOCLEARKEY from the pkey layer. So now by default all the paes algorithms refuse the use of clear key material ("clear key tokens") in the setkey function with -EINVAL. With a new kernel module parameter "clrkey" this behavior can be controlled. By default clrkey is 'N' but for testing purpose on module load a true value (1, 'Y') may be given to accept clear key tokens. Note that during selftest clear keys are always used and thus the xflag PKEY_XFLAG_NOCLEARKEY is NOT set as long as the algorithm is in a larval state indicated by crypto_skcipher_tested() returning false. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Reviewed-by: Holger Dengler <dengler@linux.ibm.com> Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2026-01-31T02:52:30+00:00 Harald Freudenberger freude@linux.ibm.com 2026-01-15T12:00:25+00:00 urn:sha1:452770a4fafcdb2d80bb793a91aec9ff84769fdc This patch exploits the new xflag PKEY_XFLAG_NOCLEARKEY from the pkey layer. So now by default the phmac refuses the use of clear key material ("clear key tokens") in the setkey function with -EINVAL. With a new kernel module parameter "clrkey" this behavior can be controlled. By default clrkey is 'N' but for testing purpose on module load a true value (1, 'Y') may be given to accept clear key tokens. Note that during selftest clear keys are always used and thus the xflag PKEY_XFLAG_NOCLEARKEY is NOT set as long as the algorithm is in a larval state indicated by crypto_ahash_tested() returning false. Signed-off-by: Harald Freudenberger <freude@linux.ibm.com> Reviewed-by: Holger Dengler <dengler@linux.ibm.com> Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2026-01-15T22:08:55+00:00 Eric Biggers ebiggers@kernel.org 2026-01-12T19:20:13+00:00 urn:sha1:0cab15611e839142f4fd3c8a366acd1f7334b30b Implement aes_preparekey_arch(), aes_encrypt_arch(), and aes_decrypt_arch() using the CPACF AES instructions. Then, remove the superseded "aes-s390" crypto_cipher. The result is that both the AES library and crypto_cipher APIs use the CPACF AES instructions, whereas previously only crypto_cipher did (and it wasn't enabled by default, which this commit fixes as well). Note that this preserves the optimization where the AES key is stored in raw form rather than expanded form. CPACF just takes the raw key. Acked-by: Ard Biesheuvel <ardb@kernel.org> Tested-by: Holger Dengler <dengler@linux.ibm.com> Reviewed-by: Holger Dengler <dengler@linux.ibm.com> Link: https://lore.kernel.org/r/20260112192035.10427-16-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> 2025-12-03T02:01:03+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-12-03T02:01:03+00:00 urn:sha1:5abe8d8efc022cc78b6273d01e4a453242b9f4d8 Pull crypto library updates from Eric Biggers: "This is the main crypto library pull request for 6.19. It includes: - Add SHA-3 support to lib/crypto/, including support for both the hash functions and the extendable-output functions. Reimplement the existing SHA-3 crypto_shash support on top of the library. This is motivated mainly by the upcoming support for the ML-DSA signature algorithm, which needs the SHAKE128 and SHAKE256 functions. But even on its own it's a useful cleanup. This also fixes the longstanding issue where the architecture-optimized SHA-3 code was disabled by default. - Add BLAKE2b support to lib/crypto/, and reimplement the existing BLAKE2b crypto_shash support on top of the library. This is motivated mainly by btrfs, which supports BLAKE2b checksums. With this change, all btrfs checksum algorithms now have library APIs. btrfs is planned to start just using the library directly. This refactor also improves consistency between the BLAKE2b code and BLAKE2s code. And as usual, it also fixes the issue where the architecture-optimized BLAKE2b code was disabled by default. - Add POLYVAL support to lib/crypto/, replacing the existing POLYVAL support in crypto_shash. Reimplement HCTR2 on top of the library. This simplifies the code and improves HCTR2 performance. As usual, it also makes the architecture-optimized code be enabled by default. The generic implementation of POLYVAL is greatly improved as well. - Clean up the BLAKE2s code - Add FIPS self-tests for SHA-1, SHA-2, and SHA-3" * tag 'libcrypto-updates-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux: (37 commits) fscrypt: Drop obsolete recommendation to enable optimized POLYVAL crypto: polyval - Remove the polyval crypto_shash crypto: hctr2 - Convert to use POLYVAL library lib/crypto: x86/polyval: Migrate optimized code into library lib/crypto: arm64/polyval: Migrate optimized code into library lib/crypto: polyval: Add POLYVAL library crypto: polyval - Rename conflicting functions lib/crypto: x86/blake2s: Use vpternlogd for 3-input XORs lib/crypto: x86/blake2s: Avoid writing back unchanged 'f' value lib/crypto: x86/blake2s: Improve readability lib/crypto: x86/blake2s: Use local labels for data lib/crypto: x86/blake2s: Drop check for nblocks == 0 lib/crypto: x86/blake2s: Fix 32-bit arg treated as 64-bit lib/crypto: arm, arm64: Drop filenames from file comments lib/crypto: arm/blake2s: Fix some comments crypto: s390/sha3 - Remove superseded SHA-3 code crypto: sha3 - Reimplement using library API crypto: jitterentropy - Use default sha3 implementation lib/crypto: s390/sha3: Add optimized one-shot SHA-3 digest functions lib/crypto: sha3: Support arch overrides of one-shot digest functions ... 2025-12-03T00:37:00+00:00 Linus Torvalds torvalds@linux-foundation.org 2025-12-03T00:37:00+00:00 urn:sha1:2547f79b0b0cd969ae6f736890af4ebd9368cda5 Pull s390 updates from Heiko Carstens: - Provide a new interface for dynamic configuration and deconfiguration of hotplug memory, allowing with and without memmap_on_memory support. This makes the way memory hotplug is handled on s390 much more similar to other architectures - Remove compat support. There shouldn't be any compat user space around anymore, therefore get rid of a lot of code which also doesn't need to be tested anymore - Add stackprotector support. GCC 16 will get new compiler options, which allow to generate code required for kernel stackprotector support - Merge pai_crypto and pai_ext PMU drivers into a new driver. This removes a lot of duplicated code. The new driver is also extendable and allows to support new PMUs - Add driver override support for AP queues - Rework and extend zcrypt and AP trace events to allow for tracing of crypto requests - Support block sizes larger than 65535 bytes for CCW tape devices - Since the rework of the virtual kernel address space the module area and the kernel image are within the same 4GB area. This eliminates the need of weak per cpu variables. Get rid of ARCH_MODULE_NEEDS_WEAK_PER_CPU - Various other small improvements and fixes * tag 's390-6.19-1' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: (92 commits) watchdog: diag288_wdt: Remove KMSG_COMPONENT macro s390/entry: Use lay instead of aghik s390/vdso: Get rid of -m64 flag handling s390/vdso: Rename vdso64 to vdso s390: Rename head64.S to head.S s390/vdso: Use common STABS_DEBUG and DWARF_DEBUG macros s390: Add stackprotector support s390/modules: Simplify module_finalize() slightly s390: Remove KMSG_COMPONENT macro s390/percpu: Get rid of ARCH_MODULE_NEEDS_WEAK_PER_CPU s390/ap: Restrict driver_override versus apmask and aqmask use s390/ap: Rename mutex ap_perms_mutex to ap_attr_mutex s390/ap: Support driver_override for AP queue devices s390/ap: Use all-bits-one apmask/aqmask for vfio in_use() checks s390/debug: Update description of resize operation s390/syscalls: Switch to generic system call table generation s390/syscalls: Remove system call table pointer from thread_struct s390/uapi: Remove 31 bit support from uapi header files s390: Remove compat support tools: Remove s390 compat support ... 2025-11-24T10:45:21+00:00 Heiko Carstens hca@linux.ibm.com 2025-11-20T15:30:53+00:00 urn:sha1:c3d17464f0262c9e3c156d4c6306e32cf530fa47 The KMSG_COMPONENT macro is a leftover of the s390 specific "kernel message catalog" which never made it upstream. Remove the macro in order to get rid of a pointless indirection. Replace all users with the string it defines. In almost all cases this leads to a simple replacement like this: - #define KMSG_COMPONENT "appldata" - #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt + #define pr_fmt(fmt) "appldata: " fmt Except for some special cases this is just mechanical/scripted work. Acked-by: Thomas Richter <tmricht@linux.ibm.com> Signed-off-by: Heiko Carstens <hca@linux.ibm.com>