From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: linux-crypto@vger.kernel.org
Cc: herbert@gondor.apana.org.au, ebiggers@google.com,
	Ard Biesheuvel <ard.biesheuvel@linaro.org>
Subject: [PATCH v4 10/32] crypto: arm64/ghash - switch to AES library
Date: Tue,  2 Jul 2019 21:41:28 +0200
Message-ID: <20190702194150.10405-11-ard.biesheuvel@linaro.org>
In-Reply-To: <20190702194150.10405-1-ard.biesheuvel@linaro.org>

The GHASH code uses the generic AES key expansion routines, and calls
directly into the scalar table based AES cipher for arm64 from the
fallback path, and since this implementation is known to be non-time
invariant, doing so from a time invariant SIMD cipher is a bit nasty.

So let's switch to the AES library - this makes the code more robust,
and drops the dependency on the generic AES cipher, allowing us to
omit it entirely in the future.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 arch/arm64/crypto/Kconfig         |  3 +-
 arch/arm64/crypto/ghash-ce-glue.c | 30 +++++++-------------
 2 files changed, 11 insertions(+), 22 deletions(-)

diff --git a/arch/arm64/crypto/Kconfig b/arch/arm64/crypto/Kconfig
index d9a523ecdd83..1762055e7093 100644
--- a/arch/arm64/crypto/Kconfig
+++ b/arch/arm64/crypto/Kconfig
@@ -58,8 +58,7 @@ config CRYPTO_GHASH_ARM64_CE
 	depends on KERNEL_MODE_NEON
 	select CRYPTO_HASH
 	select CRYPTO_GF128MUL
-	select CRYPTO_AES
-	select CRYPTO_AES_ARM64
+	select CRYPTO_LIB_AES
 
 config CRYPTO_CRCT10DIF_ARM64_CE
 	tristate "CRCT10DIF digest algorithm using PMULL instructions"
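Review bot: with CRYPTO_AES and CRYPTO_AES_ARM64 no longer selected, any remaining call from this driver into the scalar arm64 cipher would become a dependency Kconfig no longer guarantees; the first hunk of ghash-ce-glue.c below removes the only visible one (the __aes_arm64_encrypt declaration), so the select change and the code change are consistent, and CRYPTO_LIB_AES now covers both key expansion and the fallback block encryption.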
diff --git a/arch/arm64/crypto/ghash-ce-glue.c b/arch/arm64/crypto/ghash-ce-glue.c
index b39ed99b06fb..90496765d22f 100644
--- a/arch/arm64/crypto/ghash-ce-glue.c
+++ b/arch/arm64/crypto/ghash-ce-glue.c
@@ -73,8 +73,6 @@ asmlinkage void pmull_gcm_decrypt(int blocks, u64 dg[], u8 dst[],
 asmlinkage void pmull_gcm_encrypt_block(u8 dst[], u8 const src[],
 					u32 const rk[], int rounds);
 
-asmlinkage void __aes_arm64_encrypt(u32 *rk, u8 *out, const u8 *in, int rounds);
-
 static int ghash_init(struct shash_desc *desc)
 {
 	struct ghash_desc_ctx *ctx = shash_desc_ctx(desc);
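Review bot: the __aes_arm64_encrypt() prototype is dropped but no #include is added for aes_encrypt() and aes_expandkey(); this builds only if those are declared in a header the file already pulls in (the one that provided crypto_aes_expand_key(), which this file used before the change). Worth confirming in the build, or mentioning in the commit message.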
@@ -312,14 +310,13 @@ static int gcm_setkey(struct crypto_aead *tfm, const u8 *inkey,
 	u8 key[GHASH_BLOCK_SIZE];
 	int ret;
 
-	ret = crypto_aes_expand_key(&ctx->aes_key, inkey, keylen);
+	ret = aes_expandkey(&ctx->aes_key, inkey, keylen);
 	if (ret) {
 		tfm->base.crt_flags |= CRYPTO_TFM_RES_BAD_KEY_LEN;
 		return -EINVAL;
 	}
 
-	__aes_arm64_encrypt(ctx->aes_key.key_enc, key, (u8[AES_BLOCK_SIZE]){},
-			    num_rounds(&ctx->aes_key));
+	aes_encrypt(&ctx->aes_key, key, (u8[AES_BLOCK_SIZE]){});
 
 	return __ghash_setkey(&ctx->ghash_key, key, sizeof(be128));
 }
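Review bot: the error path discards ret and returns -EINVAL unconditionally; if aes_expandkey() can only fail on an unsupported key length that is equivalent, but `return ret;` would keep the two in step should the library ever report other errors. The compound literal `(u8[AES_BLOCK_SIZE]){}` is carried over unchanged, so the GHASH key is still derived as the encryption of the all-zero block, which is what GCM requires.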
@@ -470,7 +467,7 @@ static int gcm_encrypt(struct aead_request *req)
 			rk = ctx->aes_key.key_enc;
 		} while (walk.nbytes >= 2 * AES_BLOCK_SIZE);
 	} else {
-		__aes_arm64_encrypt(ctx->aes_key.key_enc, tag, iv, nrounds);
+		aes_encrypt(&ctx->aes_key, tag, iv);
 		put_unaligned_be32(2, iv + GCM_IV_SIZE);
 
 		while (walk.nbytes >= (2 * AES_BLOCK_SIZE)) {
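Review bot: nrounds is no longer passed in this fallback branch and the hunk does not remove its definition, so confirm it is still consumed by the SIMD path of gcm_encrypt(); otherwise the compiler will flag an unused variable. The argument order of aes_encrypt(ctx, out, in) mirrors the old (rk, out, in, rounds) order, so tag and iv land in the same positions as before.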
@@ -481,8 +478,7 @@ static int gcm_encrypt(struct aead_request *req)
 			int remaining = blocks;
 
 			do {
-				__aes_arm64_encrypt(ctx->aes_key.key_enc,
-						    ks, iv, nrounds);
+				aes_encrypt(&ctx->aes_key, ks, iv);
 				crypto_xor_cpy(dst, src, ks, AES_BLOCK_SIZE);
 				crypto_inc(iv, AES_BLOCK_SIZE);
 
@@ -498,13 +494,10 @@ static int gcm_encrypt(struct aead_request *req)
 						 walk.nbytes % (2 * AES_BLOCK_SIZE));
 		}
 		if (walk.nbytes) {
-			__aes_arm64_encrypt(ctx->aes_key.key_enc, ks, iv,
-					    nrounds);
+			aes_encrypt(&ctx->aes_key, ks, iv);
 			if (walk.nbytes > AES_BLOCK_SIZE) {
 				crypto_inc(iv, AES_BLOCK_SIZE);
-				__aes_arm64_encrypt(ctx->aes_key.key_enc,
-					            ks + AES_BLOCK_SIZE, iv,
-						    nrounds);
+				aes_encrypt(&ctx->aes_key, ks + AES_BLOCK_SIZE, iv);
 			}
 		}
 	}
@@ -608,7 +601,7 @@ static int gcm_decrypt(struct aead_request *req)
 			rk = ctx->aes_key.key_enc;
 		} while (walk.nbytes >= 2 * AES_BLOCK_SIZE);
 	} else {
-		__aes_arm64_encrypt(ctx->aes_key.key_enc, tag, iv, nrounds);
+		aes_encrypt(&ctx->aes_key, tag, iv);
 		put_unaligned_be32(2, iv + GCM_IV_SIZE);
 
 		while (walk.nbytes >= (2 * AES_BLOCK_SIZE)) {
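Review bot: same remark as for gcm_encrypt(): nrounds is dropped from the fallback call here but not from the function, so it must still be used by the SIMD path in gcm_decrypt() to avoid an unused-variable warning.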
@@ -621,8 +614,7 @@ static int gcm_decrypt(struct aead_request *req)
 					pmull_ghash_update_p64);
 
 			do {
-				__aes_arm64_encrypt(ctx->aes_key.key_enc,
-						    buf, iv, nrounds);
+				aes_encrypt(&ctx->aes_key, buf, iv);
 				crypto_xor_cpy(dst, src, buf, AES_BLOCK_SIZE);
 				crypto_inc(iv, AES_BLOCK_SIZE);
 
@@ -640,11 +632,9 @@ static int gcm_decrypt(struct aead_request *req)
 				memcpy(iv2, iv, AES_BLOCK_SIZE);
 				crypto_inc(iv2, AES_BLOCK_SIZE);
 
-				__aes_arm64_encrypt(ctx->aes_key.key_enc, iv2,
-						    iv2, nrounds);
+				aes_encrypt(&ctx->aes_key, iv2, iv2);
 			}
-			__aes_arm64_encrypt(ctx->aes_key.key_enc, iv, iv,
-					    nrounds);
+			aes_encrypt(&ctx->aes_key, iv, iv);
 		}
 	}
 
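Review bot: aes_encrypt(&ctx->aes_key, iv2, iv2) and aes_encrypt(&ctx->aes_key, iv, iv) encrypt in place; the scalar routine was called the same way, so the requirement that out may alias in is unchanged, but it is now a requirement on the library's contract rather than on one arm64 routine, and should be documented there, since an implementation that writes output before it has finished reading input would corrupt the counter block.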
-- 
2.17.1

