From patchwork Tue Jul 18 12:06:45 2017
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 108129
From: Ard Biesheuvel
To: linux-crypto@vger.kernel.org, herbert@gondor.apana.org.au, nico@linaro.org, ebiggers@google.com
Cc: Ard Biesheuvel
Subject: [PATCH v4 8/8] crypto: aes - add meaningful help text to the various AES drivers
Date: Tue, 18 Jul 2017 13:06:45 +0100
Message-Id: <20170718120645.15880-9-ard.biesheuvel@linaro.org>
In-Reply-To: <20170718120645.15880-1-ard.biesheuvel@linaro.org>
References: <20170718120645.15880-1-ard.biesheuvel@linaro.org>
List-ID: X-Mailing-List: linux-crypto@vger.kernel.org

Remove the duplicated boilerplate help text and add a bit of explanation about the nature of the various AES implementations that exist for various architectures. In particular, highlight the time variant nature of some implementations, and the fact that they can be omitted if required.

Signed-off-by: Ard Biesheuvel
---
 arch/arm/crypto/Kconfig   |  16 ++-
 arch/arm64/crypto/Kconfig |  30 +++++-
 crypto/Kconfig            | 104 +++++++-------------
 3 files changed, 75 insertions(+), 75 deletions(-)

-- 
2.9.3

diff --git a/arch/arm/crypto/Kconfig b/arch/arm/crypto/Kconfig
index b9adedcc5b2e..f611127c5ef9 100644
--- a/arch/arm/crypto/Kconfig
+++ b/arch/arm/crypto/Kconfig
@@ -62,11 +62,23 @@ config CRYPTO_SHA512_ARM using optimized ARM assembler and NEON, when available. config CRYPTO_AES_ARM - tristate "Scalar AES cipher for ARM" + tristate "Table based AES cipher for 32-bit ARM" select CRYPTO_ALGAPI select CRYPTO_AES help - Use optimized AES assembler routines for ARM platforms. + Table based implementation in 32-bit ARM assembler of the FIPS-197 + Advanced Encryption Standard (AES) symmetric cipher algorithm. This + driver reuses the tables exposed by the generic AES driver. + + For CPUs that lack the special ARMv8-CE instructions, this is the + fastest implementation available of the core cipher, but it may be + susceptible to known-plaintext attacks on the key due to the + correlation between the processing time and the input of the first + round. Therefore, it is recommended to also enable the time invariant + NEON based driver below (CRYPTO_AES_ARM_BS), which will supersede + this driver on NEON capable CPUs when using AES in CBC, CTR and XTS + modes. If time invariance is a requirement, this driver should not + be enabled. config CRYPTO_AES_ARM_BS tristate "Bit sliced AES using NEON instructions" diff --git a/arch/arm64/crypto/Kconfig b/arch/arm64/crypto/Kconfig index d92293747d63..bf38680a2dbb 100644 --- a/arch/arm64/crypto/Kconfig +++ b/arch/arm64/crypto/Kconfig 
@@ -42,13 +42,37 @@ config CRYPTO_CRC32_ARM64_CE select CRYPTO_HASH config CRYPTO_AES_ARM64 - tristate "AES core cipher using scalar instructions" + tristate "Table based AES cipher for 64-bit ARM" select CRYPTO_AES + help + Table based implementation in 64-bit ARM assembler of the FIPS-197 + Advanced Encryption Standard (AES) symmetric cipher algorithm. This + driver reuses the tables exposed by the generic AES driver. + + For CPUs that lack the special ARMv8-CE instructions, this is the + fastest implementation available of the core cipher, but it may be + susceptible to known-plaintext attacks on the key due to the + correlation between the processing time and the input of the first + round. Therefore, it is recommended to also enable the time invariant + drivers below (CRYPTO_AES_ARM64_NEON_BLK and CRYPTO_AES_ARM64_BS), + which will supersede this driver when using AES in the specific modes + that they implement. If time invariance is a requirement, this driver + should not be enabled. config CRYPTO_AES_ARM64_CE - tristate "AES core cipher using ARMv8 Crypto Extensions" - depends on ARM64 && KERNEL_MODE_NEON + tristate "AES cipher using ARMv8 Crypto Extensions" + depends on KERNEL_MODE_NEON select CRYPTO_ALGAPI + help + Implementation in assembler of the FIPS-197 Advanced Encryption + Standard (AES) symmetric cipher algorithm, using instructions from + ARM's optional ARMv8 Crypto Extensions. This implementation is time + invariant, and is by far the preferred option for CPUs that support + this extension. + + If in doubt, enable as a module: it will be loaded automatically on + CPUs that support it, and supersede other implementations of the AES + cipher. config CRYPTO_AES_ARM64_CE_CCM tristate "AES in CCM mode using ARMv8 Crypto Extensions" diff --git a/crypto/Kconfig b/crypto/Kconfig index 8f4b9f3381e2..9bec9f7a81d9 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig 
@@ -909,51 +909,37 @@ config CRYPTO_AES block. config CRYPTO_AES_586 - tristate "AES cipher algorithms (i586)" + tristate "Table based AES cipher for 32-bit x86" depends on (X86 || UML_X86) && !64BIT select CRYPTO_ALGAPI select CRYPTO_AES help - AES cipher algorithms (FIPS-197). AES uses the Rijndael - algorithm. - - Rijndael appears to be consistently a very good performer in - both hardware and software across a wide range of computing - environments regardless of its use in feedback or non-feedback - modes. Its key setup time is excellent, and its key agility is - good. Rijndael's very low memory requirements make it very well - suited for restricted-space environments, in which it also - demonstrates excellent performance. Rijndael's operations are - among the easiest to defend against power and timing attacks. - - The AES specifies three key sizes: 128, 192 and 256 bits - - See for more information. + Table based implementation in 32-bit x86 assembler of the FIPS-197 + Advanced Encryption Standard (AES) symmetric cipher algorithm. For + older 32-bit x86 CPUs that lack the special AES-NI instructions, it + is the fastest implementation available, but it may be susceptible to + known-plaintext attacks on the key due to the correlation between the + processing time and the input of the first round. It reuses the + tables exposed by the generic AES driver. If time invariance is a + requirement, this driver should not be enabled. config CRYPTO_AES_X86_64 - tristate "AES cipher algorithms (x86_64)" + tristate "Table based AES cipher for 64-bit x86" depends on (X86 || UML_X86) && 64BIT select CRYPTO_ALGAPI select CRYPTO_AES help - AES cipher algorithms (FIPS-197). AES uses the Rijndael - algorithm. - - Rijndael appears to be consistently a very good performer in - both hardware and software across a wide range of computing - environments regardless of its use in feedback or non-feedback - modes. Its key setup time is excellent, and its key agility is - good. 
Rijndael's very low memory requirements make it very well - suited for restricted-space environments, in which it also - demonstrates excellent performance. Rijndael's operations are - among the easiest to defend against power and timing attacks. - - The AES specifies three key sizes: 128, 192 and 256 bits - - See for more information. + Table based implementation in 64-bit x86 assembler of the FIPS-197 + Advanced Encryption Standard (AES) symmetric cipher algorithm. For + older 64-bit x86 CPUs that lack the special AES-NI instructions, it + is the fastest implementation available, but it may be susceptible to + known-plaintext attacks on the key due to the correlation between the + processing time and the input of the first round. It reuses the + tables exposed by the generic AES driver. If time invariance is a + requirement, this driver should not be enabled. config CRYPTO_AES_NI_INTEL - tristate "AES cipher algorithms (AES-NI)" + tristate "AES cipher for x86 using AES-NI instructions" depends on X86 select CRYPTO_AEAD select CRYPTO_AES_CORE 
@@ -962,52 +948,29 @@ config CRYPTO_AES_NI_INTEL select CRYPTO_GLUE_HELPER_X86 if 64BIT select CRYPTO_SIMD help - Use Intel AES-NI instructions for AES algorithm. - - AES cipher algorithms (FIPS-197). AES uses the Rijndael - algorithm. - - Rijndael appears to be consistently a very good performer in - both hardware and software across a wide range of computing - environments regardless of its use in feedback or non-feedback - modes. Its key setup time is excellent, and its key agility is - good. Rijndael's very low memory requirements make it very well - suited for restricted-space environments, in which it also - demonstrates excellent performance. Rijndael's operations are - among the easiest to defend against power and timing attacks. - - The AES specifies three key sizes: 128, 192 and 256 bits - - See for more information. + Implementation in x86 assembler of the FIPS-197 Advanced Encryption + Standard (AES) symmetric cipher algorithm, using instructions from + Intel's optional AES-NI ISA extension. This implementation is time + invariant, and is by far the preferred option for CPUs that support + this extension. In addition to AES cipher algorithm support, the acceleration for some popular block cipher mode is supported too, including ECB, CBC, LRW, PCBC, XTS. The 64 bit version has additional acceleration for CTR. + If in doubt, enable as a module: it will be loaded automatically on + CPUs that support it, and supersede other implementations of the AES + cipher. + config CRYPTO_AES_SPARC64 - tristate "AES cipher algorithms (SPARC64)" + tristate "AES cipher for SPARC64 using crypto opcodes" depends on SPARC64 select CRYPTO_CRYPTD select CRYPTO_ALGAPI help - Use SPARC64 crypto opcodes for AES algorithm. - - AES cipher algorithms (FIPS-197). AES uses the Rijndael - algorithm. 
- - Rijndael appears to be consistently a very good performer in - both hardware and software across a wide range of computing - environments regardless of its use in feedback or non-feedback - modes. Its key setup time is excellent, and its key agility is - good. Rijndael's very low memory requirements make it very well - suited for restricted-space environments, in which it also - demonstrates excellent performance. Rijndael's operations are - among the easiest to defend against power and timing attacks. - - The AES specifies three key sizes: 128, 192 and 256 bits - - See for more information. + Implementation of the FIPS-197 Advanced Encryption Standard (AES) + symmetric cipher algorithm, using SPARC64 crypto opcodes. In addition to AES cipher algorithm support, the acceleration for some popular block cipher mode is supported too, including @@ -1017,8 +980,9 @@ config CRYPTO_AES_PPC_SPE tristate "AES cipher algorithms (PPC SPE)" depends on PPC && SPE help - AES cipher algorithms (FIPS-197). Additionally the acceleration - for popular block cipher modes ECB, CBC, CTR and XTS is supported. + Implementation of the FIPS-197 Advanced Encryption Standard (AES) + symmetric cipher algorithm. Additionally, the acceleration for + popular block cipher modes ECB, CBC, CTR and XTS is supported. This module should only be used for low power (router) devices without hardware AES acceleration (e.g. caam crypto). It reduces the size of the AES tables from 16KB to 8KB + 256 bytes and mitigates
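Review bot: in the arch/arm/crypto/Kconfig hunk (@@ -62), the new CRYPTO_AES_ARM help text both recommends enabling this driver together with CRYPTO_AES_ARM_BS and says it "should not be enabled" if time invariance is a requirement, while the supersede clause is limited to "CBC, CTR and XTS modes"; a reader can easily miss that every other use of the bare cipher keeps running through the time-variant table code even with the NEON driver loaded. Suggest one explicit sentence, e.g. "Note that the NEON driver only covers CBC, CTR and XTS; all other uses of the AES cipher are still served by this table based implementation", so the two statements do not read as contradictory.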
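Review bot: in the arch/arm64/crypto/Kconfig hunk (@@ -42), the change from `depends on ARM64 && KERNEL_MODE_NEON` to `depends on KERNEL_MODE_NEON` for CRYPTO_AES_ARM64_CE is a functional Kconfig change that the commit message (which only talks about help text) does not mention; either say so in the commit message (the ARM64 dependency is presumably redundant inside arch/arm64/crypto/Kconfig) or split it out so it can be bisected on its own.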
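Review bot: in the crypto/Kconfig hunk at @@ -909, both CRYPTO_AES_586 and CRYPTO_AES_X86_64 end with "If time invariance is a requirement, this driver should not be enabled" but, unlike the ARM hunks, name no time-invariant alternative; since the same text says these drivers reuse "the tables exposed by the generic AES driver", a user who disables them on a CPU without AES-NI simply falls back to another table based implementation and gains nothing. Suggest either dropping that sentence for the x86 entries or pointing explicitly at CRYPTO_AES_NI_INTEL as the only time-invariant option listed here.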
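Review bot: in the @@ -962 hunk, the retained context sentence "the acceleration for some popular block cipher mode is supported too, including ECB, CBC, LRW, PCBC, XTS" keeps its grammar error ("mode" for "modes") while the paragraphs around it are being rewritten; since the point of the patch is readable help text, fix it in passing, and the same for the identical sentence carried over under CRYPTO_AES_SPARC64.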
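Review bot: in the @@ -1017 hunk, the CRYPTO_AES_PPC_SPE prompt is left as "AES cipher algorithms (PPC SPE)" (visible as unchanged context) although every other prompt in this patch is renamed to the "AES cipher for <arch> ..." form; renaming it, e.g. "AES cipher for PowerPC using SPE instructions", would keep the menu consistent. The visible help text here also does not say whether this table based implementation is time invariant, which is the one property the commit message sets out to document for each driver.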