[PATCH] crypto: arm/blake2s - fix for big endian

[PATCH] crypto: arm/blake2s - fix for big endian

[Eric Biggers]

From: Eric Biggers <ebiggers@google.com>

The new ARM BLAKE2s code doesn't work correctly (fails the self-tests)
in big endian kernel builds because it doesn't swap the endianness of
the message words when loading them.  Fix this.

Fixes: 5172d322d34c ("crypto: arm/blake2s - add ARM scalar optimized BLAKE2s")
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 arch/arm/crypto/blake2s-core.S | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/arch/arm/crypto/blake2s-core.S b/arch/arm/crypto/blake2s-core.S
index bed897e9a181a..86345751bbf3a 100644
--- a/arch/arm/crypto/blake2s-core.S
+++ b/arch/arm/crypto/blake2s-core.S
@@ -8,6 +8,7 @@
  */
 
 #include <linux/linkage.h>
+#include <asm/assembler.h>
 
 	// Registers used to hold message words temporarily.  There aren't
 	// enough ARM registers to hold the whole message block, so we have to
@@ -38,6 +39,23 @@
 #endif
 .endm
 
+.macro _le32_bswap	a, tmp
+#ifdef __ARMEB__
+	rev_l		\a, \tmp
+#endif
+.endm
+
+.macro _le32_bswap_8x	a, b, c, d, e, f, g, h,  tmp
+	_le32_bswap	\a, \tmp
+	_le32_bswap	\b, \tmp
+	_le32_bswap	\c, \tmp
+	_le32_bswap	\d, \tmp
+	_le32_bswap	\e, \tmp
+	_le32_bswap	\f, \tmp
+	_le32_bswap	\g, \tmp
+	_le32_bswap	\h, \tmp
+.endm
+
 // Execute a quarter-round of BLAKE2s by mixing two columns or two diagonals.
 // (a0, b0, c0, d0) and (a1, b1, c1, d1) give the registers containing the two
 // columns/diagonals.  s0-s1 are the word offsets to the message words the first
@@ -180,8 +198,10 @@ ENTRY(blake2s_compress_arch)
 	tst		r1, #3
 	bne		.Lcopy_block_misaligned
 	ldmia		r1!, {r2-r9}
+	_le32_bswap_8x	r2, r3, r4, r5, r6, r7, r8, r9,  r14
 	stmia		r12!, {r2-r9}
 	ldmia		r1!, {r2-r9}
+	_le32_bswap_8x	r2, r3, r4, r5, r6, r7, r8, r9,  r14
 	stmia		r12, {r2-r9}
 .Lcopy_block_done:
 	str		r1, [sp, #68]		// Update message pointer
@@ -268,6 +288,7 @@ ENTRY(blake2s_compress_arch)
 1:
 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
 	ldr		r3, [r1], #4
+	_le32_bswap	r3, r4
 #else
 	ldrb		r3, [r1, #0]
 	ldrb		r4, [r1, #1]
-- 
2.30.1

[PATCH] crypto: arm/blake2s - fix for big endian

[Eric Biggers]

From: Eric Biggers <ebiggers@google.com>

The new ARM BLAKE2s code doesn't work correctly (fails the self-tests)
in big endian kernel builds because it doesn't swap the endianness of
the message words when loading them.  Fix this.

Fixes: 5172d322d34c ("crypto: arm/blake2s - add ARM scalar optimized BLAKE2s")
Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 arch/arm/crypto/blake2s-core.S | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/arch/arm/crypto/blake2s-core.S b/arch/arm/crypto/blake2s-core.S
index bed897e9a181a..86345751bbf3a 100644
--- a/arch/arm/crypto/blake2s-core.S
+++ b/arch/arm/crypto/blake2s-core.S
@@ -8,6 +8,7 @@
  */
 
 #include <linux/linkage.h>
+#include <asm/assembler.h>
 
 	// Registers used to hold message words temporarily.  There aren't
 	// enough ARM registers to hold the whole message block, so we have to
@@ -38,6 +39,23 @@
 #endif
 .endm
 
+.macro _le32_bswap	a, tmp
+#ifdef __ARMEB__
+	rev_l		\a, \tmp
+#endif
+.endm
+
+.macro _le32_bswap_8x	a, b, c, d, e, f, g, h,  tmp
+	_le32_bswap	\a, \tmp
+	_le32_bswap	\b, \tmp
+	_le32_bswap	\c, \tmp
+	_le32_bswap	\d, \tmp
+	_le32_bswap	\e, \tmp
+	_le32_bswap	\f, \tmp
+	_le32_bswap	\g, \tmp
+	_le32_bswap	\h, \tmp
+.endm
+
 // Execute a quarter-round of BLAKE2s by mixing two columns or two diagonals.
 // (a0, b0, c0, d0) and (a1, b1, c1, d1) give the registers containing the two
 // columns/diagonals.  s0-s1 are the word offsets to the message words the first
@@ -180,8 +198,10 @@ ENTRY(blake2s_compress_arch)
 	tst		r1, #3
 	bne		.Lcopy_block_misaligned
 	ldmia		r1!, {r2-r9}
+	_le32_bswap_8x	r2, r3, r4, r5, r6, r7, r8, r9,  r14
 	stmia		r12!, {r2-r9}
 	ldmia		r1!, {r2-r9}
+	_le32_bswap_8x	r2, r3, r4, r5, r6, r7, r8, r9,  r14
 	stmia		r12, {r2-r9}
 .Lcopy_block_done:
 	str		r1, [sp, #68]		// Update message pointer
@@ -268,6 +288,7 @@ ENTRY(blake2s_compress_arch)
 1:
 #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
 	ldr		r3, [r1], #4
+	_le32_bswap	r3, r4
 #else
 	ldrb		r3, [r1, #0]
 	ldrb		r4, [r1, #1]
-- 
2.30.1


_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH] crypto: arm/blake2s - fix for big endian

[Ard Biesheuvel]

On Wed, 10 Mar 2021 at 08:29, Eric Biggers <ebiggers@kernel.org> wrote:
>
> From: Eric Biggers <ebiggers@google.com>
>
> The new ARM BLAKE2s code doesn't work correctly (fails the self-tests)
> in big endian kernel builds because it doesn't swap the endianness of
> the message words when loading them.  Fix this.
>
> Fixes: 5172d322d34c ("crypto: arm/blake2s - add ARM scalar optimized BLAKE2s")
> Signed-off-by: Eric Biggers <ebiggers@google.com>

Acked-by: Ard Biesheuvel <ardb@kernel.org>

> ---
>  arch/arm/crypto/blake2s-core.S | 21 +++++++++++++++++++++
>  1 file changed, 21 insertions(+)
>
> diff --git a/arch/arm/crypto/blake2s-core.S b/arch/arm/crypto/blake2s-core.S
> index bed897e9a181a..86345751bbf3a 100644
> --- a/arch/arm/crypto/blake2s-core.S
> +++ b/arch/arm/crypto/blake2s-core.S
> @@ -8,6 +8,7 @@
>   */
>
>  #include <linux/linkage.h>
> +#include <asm/assembler.h>
>
>         // Registers used to hold message words temporarily.  There aren't
>         // enough ARM registers to hold the whole message block, so we have to
> @@ -38,6 +39,23 @@
>  #endif
>  .endm
>
> +.macro _le32_bswap     a, tmp
> +#ifdef __ARMEB__
> +       rev_l           \a, \tmp
> +#endif
> +.endm
> +
> +.macro _le32_bswap_8x  a, b, c, d, e, f, g, h,  tmp
> +       _le32_bswap     \a, \tmp
> +       _le32_bswap     \b, \tmp
> +       _le32_bswap     \c, \tmp
> +       _le32_bswap     \d, \tmp
> +       _le32_bswap     \e, \tmp
> +       _le32_bswap     \f, \tmp
> +       _le32_bswap     \g, \tmp
> +       _le32_bswap     \h, \tmp
> +.endm
> +
>  // Execute a quarter-round of BLAKE2s by mixing two columns or two diagonals.
>  // (a0, b0, c0, d0) and (a1, b1, c1, d1) give the registers containing the two
>  // columns/diagonals.  s0-s1 are the word offsets to the message words the first
> @@ -180,8 +198,10 @@ ENTRY(blake2s_compress_arch)
>         tst             r1, #3
>         bne             .Lcopy_block_misaligned
>         ldmia           r1!, {r2-r9}
> +       _le32_bswap_8x  r2, r3, r4, r5, r6, r7, r8, r9,  r14
>         stmia           r12!, {r2-r9}
>         ldmia           r1!, {r2-r9}
> +       _le32_bswap_8x  r2, r3, r4, r5, r6, r7, r8, r9,  r14
>         stmia           r12, {r2-r9}
>  .Lcopy_block_done:
>         str             r1, [sp, #68]           // Update message pointer
> @@ -268,6 +288,7 @@ ENTRY(blake2s_compress_arch)
>  1:
>  #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
>         ldr             r3, [r1], #4
> +       _le32_bswap     r3, r4
>  #else
>         ldrb            r3, [r1, #0]
>         ldrb            r4, [r1, #1]
> --
> 2.30.1
>

Re: [PATCH] crypto: arm/blake2s - fix for big endian

[Ard Biesheuvel]

On Wed, 10 Mar 2021 at 08:29, Eric Biggers <ebiggers@kernel.org> wrote:
>
> From: Eric Biggers <ebiggers@google.com>
>
> The new ARM BLAKE2s code doesn't work correctly (fails the self-tests)
> in big endian kernel builds because it doesn't swap the endianness of
> the message words when loading them.  Fix this.
>
> Fixes: 5172d322d34c ("crypto: arm/blake2s - add ARM scalar optimized BLAKE2s")
> Signed-off-by: Eric Biggers <ebiggers@google.com>

Acked-by: Ard Biesheuvel <ardb@kernel.org>

> ---
>  arch/arm/crypto/blake2s-core.S | 21 +++++++++++++++++++++
>  1 file changed, 21 insertions(+)
>
> diff --git a/arch/arm/crypto/blake2s-core.S b/arch/arm/crypto/blake2s-core.S
> index bed897e9a181a..86345751bbf3a 100644
> --- a/arch/arm/crypto/blake2s-core.S
> +++ b/arch/arm/crypto/blake2s-core.S
> @@ -8,6 +8,7 @@
>   */
>
>  #include <linux/linkage.h>
> +#include <asm/assembler.h>
>
>         // Registers used to hold message words temporarily.  There aren't
>         // enough ARM registers to hold the whole message block, so we have to
> @@ -38,6 +39,23 @@
>  #endif
>  .endm
>
> +.macro _le32_bswap     a, tmp
> +#ifdef __ARMEB__
> +       rev_l           \a, \tmp
> +#endif
> +.endm
> +
> +.macro _le32_bswap_8x  a, b, c, d, e, f, g, h,  tmp
> +       _le32_bswap     \a, \tmp
> +       _le32_bswap     \b, \tmp
> +       _le32_bswap     \c, \tmp
> +       _le32_bswap     \d, \tmp
> +       _le32_bswap     \e, \tmp
> +       _le32_bswap     \f, \tmp
> +       _le32_bswap     \g, \tmp
> +       _le32_bswap     \h, \tmp
> +.endm
> +
>  // Execute a quarter-round of BLAKE2s by mixing two columns or two diagonals.
>  // (a0, b0, c0, d0) and (a1, b1, c1, d1) give the registers containing the two
>  // columns/diagonals.  s0-s1 are the word offsets to the message words the first
> @@ -180,8 +198,10 @@ ENTRY(blake2s_compress_arch)
>         tst             r1, #3
>         bne             .Lcopy_block_misaligned
>         ldmia           r1!, {r2-r9}
> +       _le32_bswap_8x  r2, r3, r4, r5, r6, r7, r8, r9,  r14
>         stmia           r12!, {r2-r9}
>         ldmia           r1!, {r2-r9}
> +       _le32_bswap_8x  r2, r3, r4, r5, r6, r7, r8, r9,  r14
>         stmia           r12, {r2-r9}
>  .Lcopy_block_done:
>         str             r1, [sp, #68]           // Update message pointer
> @@ -268,6 +288,7 @@ ENTRY(blake2s_compress_arch)
>  1:
>  #ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
>         ldr             r3, [r1], #4
> +       _le32_bswap     r3, r4
>  #else
>         ldrb            r3, [r1, #0]
>         ldrb            r4, [r1, #1]
> --
> 2.30.1
>

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel

Re: [PATCH] crypto: arm/blake2s - fix for big endian

[Herbert Xu]

Eric Biggers <ebiggers@kernel.org> wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> The new ARM BLAKE2s code doesn't work correctly (fails the self-tests)
> in big endian kernel builds because it doesn't swap the endianness of
> the message words when loading them.  Fix this.
> 
> Fixes: 5172d322d34c ("crypto: arm/blake2s - add ARM scalar optimized BLAKE2s")
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
> arch/arm/crypto/blake2s-core.S | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] crypto: arm/blake2s - fix for big endian

[Herbert Xu]

Eric Biggers <ebiggers@kernel.org> wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> The new ARM BLAKE2s code doesn't work correctly (fails the self-tests)
> in big endian kernel builds because it doesn't swap the endianness of
> the message words when loading them.  Fix this.
> 
> Fixes: 5172d322d34c ("crypto: arm/blake2s - add ARM scalar optimized BLAKE2s")
> Signed-off-by: Eric Biggers <ebiggers@google.com>
> ---
> arch/arm/crypto/blake2s-core.S | 21 +++++++++++++++++++++
> 1 file changed, 21 insertions(+)

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

_______________________________________________
linux-arm-kernel mailing list
linux-arm-kernel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-arm-kernel