mirror of
https://github.com/torvalds/linux.git
synced 2026-05-13 00:28:54 +02:00
a22fd0e3c4
The kernel's AES library currently has the following issues: - It doesn't take advantage of the architecture-optimized AES code, including the implementations using AES instructions. - It's much slower than even the other software AES implementations: 2-4 times slower than "aes-generic", "aes-arm", and "aes-arm64". - It requires that both the encryption and decryption round keys be computed and cached. This is wasteful for users that need only the forward (encryption) direction of the cipher: the key struct is 484 bytes when only 244 are actually needed. This missed optimization is very common, as many AES modes (e.g. GCM, CFB, CTR, CMAC, and even the tweak key in XTS) use the cipher only in the forward (encryption) direction even when doing decryption. - It doesn't provide the flexibility to customize the prepared key format. The API is defined to do key expansion, and several callers in drivers/crypto/ use it specifically to expand the key. This is an issue when integrating the existing powerpc, s390, and sparc code, which is necessary to provide full parity with the traditional API. To resolve these issues, I'm proposing the following changes: 1. New structs 'aes_key' and 'aes_enckey' are introduced, with corresponding functions aes_preparekey() and aes_prepareenckey(). Generally these structs will include the encryption+decryption round keys and the encryption round keys, respectively. However, the exact format will be under control of the architecture-specific AES code. (The verb "prepare" is chosen over "expand" since key expansion isn't necessarily done. It's also consistent with hmac*_preparekey().) 2. aes_encrypt() and aes_decrypt() will be changed to operate on the new structs instead of struct crypto_aes_ctx. 3. aes_encrypt() and aes_decrypt() will use architecture-optimized code when available, or else fall back to a new generic AES implementation that unifies the existing two fragmented generic AES implementations. The new generic AES implementation uses tables for both SubBytes and MixColumns, making it almost as fast as "aes-generic". However, instead of aes-generic's huge 8192-byte tables per direction, it uses only 1024 bytes for encryption and 1280 bytes for decryption (similar to "aes-arm"). The cost is just some extra rotations. The new generic AES implementation also includes table prefetching, making it have some "constant-time hardening". That's an improvement from aes-generic which has no constant-time hardening. It does slightly regress in constant-time hardening vs. the old lib/crypto/aes.c which had smaller tables, and from aes-fixed-time which disabled IRQs on top of that. But I think this is tolerable. The real solutions for constant-time AES are AES instructions or bit-slicing. The table-based code remains a best-effort fallback for the increasingly-rare case where a real solution is unavailable. 4. crypto_aes_ctx and aes_expandkey() will remain for now, but only for callers that are using them specifically for the AES key expansion (as opposed to en/decrypting data with the AES library). This commit begins the migration process by introducing the new structs and functions, backed by the new generic AES implementation. To allow callers to be incrementally converted, aes_encrypt() and aes_decrypt() are temporarily changed into macros that use a _Generic expression to call either the old functions (which take crypto_aes_ctx) or the new functions (which take the new types). Once all callers have been updated, these macros will go away, the old functions will be removed, and the "_new" suffix will be dropped from the new functions. Acked-by: Ard Biesheuvel <ardb@kernel.org> Link: https://lore.kernel.org/r/20260112192035.10427-3-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> |
||
|---|---|---|
| .. | ||
| 842 | ||
| crc | ||
| crypto | ||
| dim | ||
| fonts | ||
| kunit | ||
| lz4 | ||
| lzo | ||
| math | ||
| pldmfw | ||
| raid6 | ||
| reed_solomon | ||
| test_fortify | ||
| tests | ||
| vdso | ||
| xz | ||
| zlib_deflate | ||
| zlib_dfltcc | ||
| zlib_inflate | ||
| zstd | ||
| .gitignore | ||
| alloc_tag.c | ||
| argv_split.c | ||
| ashldi3.c | ||
| ashrdi3.c | ||
| asn1_decoder.c | ||
| asn1_encoder.c | ||
| assoc_array.c | ||
| atomic64_test.c | ||
| atomic64.c | ||
| audit.c | ||
| base64.c | ||
| bcd.c | ||
| bch.c | ||
| bitmap-str.c | ||
| bitmap.c | ||
| bitrev.c | ||
| bootconfig-data.S | ||
| bootconfig.c | ||
| bsearch.c | ||
| btree.c | ||
| bucket_locks.c | ||
| bug.c | ||
| build_OID_registry | ||
| buildid.c | ||
| bust_spinlocks.c | ||
| cache_maint.c | ||
| check_signature.c | ||
| checksum.c | ||
| closure.c | ||
| clz_ctz.c | ||
| clz_tab.c | ||
| cmdline.c | ||
| cmpdi2.c | ||
| cmpxchg-emu.c | ||
| codetag.c | ||
| compat_audit.c | ||
| cpu_rmap.c | ||
| cpumask.c | ||
| ctype.c | ||
| debug_info.c | ||
| debug_locks.c | ||
| debugobjects.c | ||
| dec_and_lock.c | ||
| decompress_bunzip2.c | ||
| decompress_inflate.c | ||
| decompress_unlz4.c | ||
| decompress_unlzma.c | ||
| decompress_unlzo.c | ||
| decompress_unxz.c | ||
| decompress_unzstd.c | ||
| decompress.c | ||
| devmem_is_allowed.c | ||
| devres.c | ||
| dhry_1.c | ||
| dhry_2.c | ||
| dhry_run.c | ||
| dhry.h | ||
| digsig.c | ||
| dump_stack.c | ||
| dynamic_debug.c | ||
| dynamic_queue_limits.c | ||
| earlycpio.c | ||
| errname.c | ||
| error-inject.c | ||
| errseq.c | ||
| extable.c | ||
| fault-inject-usercopy.c | ||
| fault-inject.c | ||
| fdt_addresses.c | ||
| fdt_empty_tree.c | ||
| fdt_ro.c | ||
| fdt_rw.c | ||
| fdt_strerror.c | ||
| fdt_sw.c | ||
| fdt_wip.c | ||
| fdt.c | ||
| find_bit_benchmark_rust.rs | ||
| find_bit_benchmark.c | ||
| find_bit.c | ||
| flex_proportions.c | ||
| fw_table.c | ||
| genalloc.c | ||
| generic-radix-tree.c | ||
| glob.c | ||
| globtest.c | ||
| group_cpus.c | ||
| hexdump.c | ||
| hweight.c | ||
| idr.c | ||
| inflate.c | ||
| interval_tree_test.c | ||
| interval_tree.c | ||
| iomap_copy.c | ||
| iomap.c | ||
| iomem_copy.c | ||
| iommu-helper.c | ||
| iov_iter.c | ||
| irq_poll.c | ||
| irq_regs.c | ||
| is_single_threaded.c | ||
| kasprintf.c | ||
| Kconfig | ||
| Kconfig.debug | ||
| Kconfig.kasan | ||
| Kconfig.kcsan | ||
| Kconfig.kfence | ||
| Kconfig.kgdb | ||
| Kconfig.kmsan | ||
| Kconfig.ubsan | ||
| kfifo.c | ||
| klist.c | ||
| kobject_uevent.c | ||
| kobject.c | ||
| kstrtox.c | ||
| kstrtox.h | ||
| linear_ranges.c | ||
| list_debug.c | ||
| list_sort.c | ||
| llist.c | ||
| locking-selftest-hardirq.h | ||
| locking-selftest-mutex.h | ||
| locking-selftest-rlock-hardirq.h | ||
| locking-selftest-rlock-softirq.h | ||
| locking-selftest-rlock.h | ||
| locking-selftest-rsem.h | ||
| locking-selftest-rtmutex.h | ||
| locking-selftest-softirq.h | ||
| locking-selftest-spin-hardirq.h | ||
| locking-selftest-spin-softirq.h | ||
| locking-selftest-spin.h | ||
| locking-selftest-wlock-hardirq.h | ||
| locking-selftest-wlock-softirq.h | ||
| locking-selftest-wlock.h | ||
| locking-selftest-wsem.h | ||
| locking-selftest.c | ||
| lockref.c | ||
| logic_iomem.c | ||
| logic_pio.c | ||
| lru_cache.c | ||
| lshrdi3.c | ||
| lwq.c | ||
| Makefile | ||
| maple_tree.c | ||
| memcat_p.c | ||
| memory-notifier-error-inject.c | ||
| memregion.c | ||
| memweight.c | ||
| min_heap.c | ||
| muldi3.c | ||
| net_utils.c | ||
| netdev-notifier-error-inject.c | ||
| nlattr.c | ||
| nmi_backtrace.c | ||
| notifier-error-inject.c | ||
| notifier-error-inject.h | ||
| objagg.c | ||
| objpool.c | ||
| of-reconfig-notifier-error-inject.c | ||
| oid_registry.c | ||
| once.c | ||
| packing_test.c | ||
| packing.c | ||
| parman.c | ||
| parser.c | ||
| percpu_counter.c | ||
| percpu_test.c | ||
| percpu-refcount.c | ||
| plist.c | ||
| pm-notifier-error-inject.c | ||
| polynomial.c | ||
| radix-tree.c | ||
| radix-tree.h | ||
| random32.c | ||
| ratelimit.c | ||
| rbtree_test.c | ||
| rbtree.c | ||
| rcuref.c | ||
| ref_tracker.c | ||
| refcount.c | ||
| rhashtable.c | ||
| sbitmap.c | ||
| scatterlist.c | ||
| seq_buf.c | ||
| sg_pool.c | ||
| sg_split.c | ||
| siphash.c | ||
| smp_processor_id.c | ||
| sort.c | ||
| stackdepot.c | ||
| stmp_device.c | ||
| string_helpers.c | ||
| string.c | ||
| strncpy_from_user.c | ||
| strnlen_user.c | ||
| sys_info.c | ||
| syscall.c | ||
| test_bitmap.c | ||
| test_bitops.c | ||
| test_bpf.c | ||
| test_debug_virtual.c | ||
| test_dynamic_debug.c | ||
| test_firmware.c | ||
| test_fpu_glue.c | ||
| test_fpu_impl.c | ||
| test_fpu.h | ||
| test_free_pages.c | ||
| test_hexdump.c | ||
| test_hmm_uapi.h | ||
| test_hmm.c | ||
| test_ida.c | ||
| test_kho.c | ||
| test_kmod.c | ||
| test_lockup.c | ||
| test_maple_tree.c | ||
| test_memcat_p.c | ||
| test_meminit.c | ||
| test_min_heap.c | ||
| test_module.c | ||
| test_objagg.c | ||
| test_objpool.c | ||
| test_parman.c | ||
| test_ref_tracker.c | ||
| test_rhashtable.c | ||
| test_static_key_base.c | ||
| test_static_keys.c | ||
| test_sysctl.c | ||
| test_ubsan.c | ||
| test_uuid.c | ||
| test_vmalloc.c | ||
| test_xarray.c | ||
| test-kstrtox.c | ||
| textsearch.c | ||
| timerqueue.c | ||
| trace_readwrite.c | ||
| ts_bm.c | ||
| ts_fsm.c | ||
| ts_kmp.c | ||
| ubsan.c | ||
| ubsan.h | ||
| ucmpdi2.c | ||
| ucs2_string.c | ||
| union_find.c | ||
| usercopy.c | ||
| uuid.c | ||
| vsprintf.c | ||
| win_minmax.c | ||
| xarray.c | ||
| xxhash.c | ||