git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Harald Freudenberger <freude@linux.ibm.com>
	Thu, 15 Jan 2026 12:00:26 +0000 (13:00 +0100)
committer	Herbert Xu <herbert@gondor.apana.org.au>
	Sat, 31 Jan 2026 02:52:30 +0000 (10:52 +0800)
commit	9d58d22f367f6fc08f949b1ba9625e56414be92a
tree	24aaf34b93fbe41efee5ca86460c45db604c6c1c	tree
parent	452770a4fafcdb2d80bb793a91aec9ff84769fdc	commit \| diff

crypto: s390/paes - Refuse clear key material by default

This patch exploits the new xflag PKEY_XFLAG_NOCLEARKEY from the pkey
layer. So now by default all the paes algorithms refuse the use of
clear key material ("clear key tokens") in the setkey function with
-EINVAL.

With a new kernel module parameter "clrkey" this behavior can be
controlled. By default clrkey is 'N' but for testing purpose on module
load a true value (1, 'Y') may be given to accept clear key tokens.

Note that during selftest clear keys are always used and thus the
xflag PKEY_XFLAG_NOCLEARKEY is NOT set as long as the algorithm is in
a larval state indicated by crypto_skcipher_tested() returning false.

Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>