From patchwork Tue Oct 11 18:15:13 2016
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 77511
From: Ard Biesheuvel
To: linux-crypto@vger.kernel.org, linux-arm-kernel@lists.infradead.org, herbert@gondor.apana.org.au
Cc: will.deacon@arm.com, catalin.marinas@arm.com, linux@arm.linux.org.uk, Ard Biesheuvel
Subject: [PATCH v2 1/8] crypto: arm64/aes-ce - fix for big endian
Date: Tue, 11 Oct 2016 19:15:13 +0100
Message-Id: <1476209720-21114-2-git-send-email-ard.biesheuvel@linaro.org>
In-Reply-To: <1476209720-21114-1-git-send-email-ard.biesheuvel@linaro.org>
References: <1476209720-21114-1-git-send-email-ard.biesheuvel@linaro.org>
X-Mailing-List: linux-crypto@vger.kernel.org

The core AES cipher implementation that uses ARMv8 Crypto Extensions
instructions erroneously loads the round keys as 64-bit quantities, which
causes the algorithm to fail when built for big endian. In addition, the key
schedule generation routine fails to take endianness into account as well,
when loading and combining the input key with the round constants.

So fix both issues.

Fixes: 12ac3efe74f8 ("arm64/crypto: use crypto instructions to generate AES key schedule")
Signed-off-by: Ard Biesheuvel
---
 arch/arm64/crypto/aes-ce-cipher.c | 25 ++++++++++++--------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/arch/arm64/crypto/aes-ce-cipher.c b/arch/arm64/crypto/aes-ce-cipher.c
index f7bd9bf0bbb3..50d9fe11d0c8 100644
--- a/arch/arm64/crypto/aes-ce-cipher.c
+++ b/arch/arm64/crypto/aes-ce-cipher.c
@@ -47,24 +47,24 @@ static void aes_cipher_encrypt(struct crypto_tfm *tfm, u8 dst[], u8 const src[]) kernel_neon_begin_partial(4); __asm__(" ld1 {v0.16b}, %[in] ;" - " ld1 {v1.2d}, [%[key]], #16 ;" + " ld1 {v1.16b}, [%[key]], #16 ;" " cmp %w[rounds], #10 ;" " bmi 0f ;" " bne 3f ;" " mov v3.16b, v1.16b ;" " b 2f ;" "0: mov v2.16b, v1.16b ;" - " ld1 {v3.2d}, [%[key]], #16 ;" + " ld1 {v3.16b}, [%[key]], #16 ;" "1: aese v0.16b, v2.16b ;" " aesmc v0.16b, v0.16b ;" - "2: ld1 {v1.2d}, [%[key]], #16 ;" + "2: ld1 {v1.16b}, [%[key]], #16 ;" " aese v0.16b, v3.16b ;" " aesmc v0.16b, v0.16b ;" - "3: ld1 {v2.2d}, [%[key]], #16 ;" + "3: ld1 {v2.16b}, [%[key]], #16 ;" " subs %w[rounds], %w[rounds], #3 ;" " aese v0.16b, v1.16b ;" " aesmc v0.16b, v0.16b ;" - " ld1 {v3.2d}, [%[key]], #16 ;" + " ld1 {v3.16b}, [%[key]], #16 ;" " bpl 1b ;" " aese v0.16b, v2.16b ;" " eor v0.16b, v0.16b, v3.16b ;" @@ -92,24 +92,24 @@ static void aes_cipher_decrypt(struct crypto_tfm *tfm, u8 dst[], u8 const src[]) kernel_neon_begin_partial(4); __asm__(" ld1 {v0.16b}, %[in] ;" - " ld1 {v1.2d}, [%[key]], #16 ;" + " ld1 {v1.16b}, [%[key]], #16 ;" " cmp %w[rounds], #10 ;" " bmi 0f ;" " bne 3f ;" " mov v3.16b, v1.16b ;" " b 2f ;" "0: mov v2.16b, v1.16b ;" - " ld1 {v3.2d}, [%[key]], #16 ;" + " ld1 {v3.16b}, [%[key]], #16 ;" "1: aesd v0.16b, v2.16b ;" " aesimc v0.16b, v0.16b ;" - "2: ld1 {v1.2d}, [%[key]], #16 ;" + "2: ld1 {v1.16b}, [%[key]], #16 ;" " aesd v0.16b, v3.16b ;" " aesimc v0.16b, v0.16b ;" - "3: ld1 {v2.2d}, [%[key]], #16 ;" + "3: ld1 {v2.16b}, [%[key]], #16 ;" " subs %w[rounds], %w[rounds], #3 ;" " aesd v0.16b, v1.16b ;" " aesimc v0.16b, v0.16b ;" - " ld1 {v3.2d}, [%[key]], #16 ;" + " ld1 {v3.16b}, [%[key]], #16 ;" " bpl 1b ;" " aesd v0.16b, v2.16b ;" " eor v0.16b, v0.16b, v3.16b ;" 
@@ -173,7 +173,12 @@ int ce_aes_expandkey(struct crypto_aes_ctx *ctx, const u8 *in_key, u32 *rki = ctx->key_enc + (i * kwords); u32 *rko = rki + kwords; +#ifndef CONFIG_CPU_BIG_ENDIAN rko[0] = ror32(aes_sub(rki[kwords - 1]), 8) ^ rcon[i] ^ rki[0]; +#else + rko[0] = rol32(aes_sub(rki[kwords - 1]), 8) ^ (rcon[i] << 24) ^ + rki[0]; +#endif rko[1] = rko[0] ^ rki[1]; rko[2] = rko[1] ^ rki[2]; rko[3] = rko[2] ^ rki[3];
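Review bot: in the encrypt hunk (@@ -47,24) the substantive change is the element size on the five round-key loads, `ld1 {v1.2d}` to `ld1 {v1.16b}` and likewise for v2/v3, so that on big endian the 16 key bytes land in the byte lanes `aese` consumes instead of being swapped within each 64-bit half; the data load `ld1 {v0.16b}, %[in]` was already byte-sized, which is why only the key loads are touched. Nothing in the block records that constraint, so a one-line comment above the `__asm__` stating that the round-key `ld1` must stay `.16b` for big-endian correctness would keep a later edit from reintroducing `.2d`.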
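Review bot: the decrypt hunk (@@ -92,24) carries the identical five-line fix, which shows that the round-key load-and-branch sequence is duplicated verbatim between `aes_cipher_encrypt` and `aes_cipher_decrypt`, with only `aese`/`aesmc` becoming `aesd`/`aesimc`. Consider factoring the shared skeleton into an asm macro parametrised on the round instruction pair so the element size is written once; two hand-maintained copies are how this bug was able to exist in both paths.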
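Review bot: in the expandkey hunk (@@ -173,7), `(rcon[i] << 24)` in the new CONFIG_CPU_BIG_ENDIAN branch is evaluated in `int` if `rcon[]` is a byte array, and the 0x80 round constant then shifts a 1 into the sign bit; `((u32)rcon[i] << 24)` makes the intent explicit and avoids leaning on the compiler's wraparound behaviour. The `#ifndef` pair would also benefit from a comment stating why the two expressions differ: byte 0 of a key word sits in the low byte of the `u32` on little endian and in the high byte on big endian, so RotWord becomes `ror32(..., 8)` in one case and `rol32(..., 8)` in the other, the round constant follows byte 0, and the two branches only agree because `aes_sub()` transforms each byte independently. A single expression computed on `le32_to_cpu()` values and converted back with `cpu_to_le32()` would avoid the fork altogether.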
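As an added example, not the kernel's code and not part of this patch, the following C program takes the `rko[0]` expression from the third hunk in both its little-endian and big-endian forms, drives it through a complete AES-128 key expansion over native 32-bit words, and checks the result byte for byte against an endianness-free FIPS-197 reference and the published Appendix A.1 test key. The S-box is generated from its field definition, `aes_sub()` here is a plain table lookup standing in for the kernel's Crypto Extensions helper of the same name, and the `rcon[]` table and the `kwords == 4` loop shape are assumptions about the surrounding kernel code that the hunk does not show. The `be_formula` flag lets the pre-patch expression be applied to big-endian words, which reproduces the failure the commit message describes.

```c
/* Added example, not kernel code: the patch's rko[0] expression for both
 * endiannesses, checked against a byte-level FIPS-197 key expansion. */
#include <stdint.h>
#include <string.h>

#define ROTL8(x, s) ((uint8_t)(((x) << (s)) | ((x) >> (8 - (s)))))
static uint8_t sbox[256];
/* Rijndael S-box from its definition (GF(2^8) inverse, then the affine map). */
static void init_sbox(void)
{
	uint8_t p = 1, q = 1;				/* invariant: p * q == 1 */
	do {
		p = p ^ (p << 1) ^ (p & 0x80 ? 0x1B : 0);	/* p *= 3 */
		q ^= q << 1; q ^= q << 2; q ^= q << 4;		/* q /= 3 */
		q ^= q & 0x80 ? 0x09 : 0;
		sbox[p] = q ^ ROTL8(q, 1) ^ ROTL8(q, 2) ^ ROTL8(q, 3) ^ ROTL8(q, 4) ^ 0x63;
	} while (p != 1);
	sbox[0] = 0x63;					/* zero has no inverse */
}
/* Standard AES round constants; assumed to match the kernel's rcon[]. */
static const uint8_t rcon[10] = { 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36 };
static uint32_t ror32(uint32_t w, unsigned s) { return (w >> s) | (w << (32 - s)); }
static uint32_t rol32(uint32_t w, unsigned s) { return (w << s) | (w >> (32 - s)); }
/* SubBytes on each byte; a table lookup standing in for the kernel's aes_sub(). */
static uint32_t aes_sub(uint32_t w)
{
	return (uint32_t)sbox[w & 0xff] | (uint32_t)sbox[(w >> 8) & 0xff] << 8 |
	       (uint32_t)sbox[(w >> 16) & 0xff] << 16 | (uint32_t)sbox[w >> 24] << 24;
}

/* Native word layout: key byte 0 is the u32's low byte on LE, high byte on BE. */
static uint32_t load_word(const uint8_t b[4], int big_endian)
{
	if (big_endian)
		return (uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3];
	return (uint32_t)b[3] << 24 | (uint32_t)b[2] << 16 | (uint32_t)b[1] << 8 | b[0];
}
static void store_word(uint8_t b[4], uint32_t w, int big_endian)
{
	for (int k = 0; k < 4; k++)
		b[k] = big_endian ? w >> (24 - 8 * k) : w >> (8 * k);
}

/* rko[0] as the patch writes it (be_formula == 0: pre-patch expression, == 1:
 * the CONFIG_CPU_BIG_ENDIAN one). RotWord is ror32 on a LE word but rol32 on
 * a BE word, and the round constant lands in whichever byte holds key byte 0. */
static uint32_t rko0(uint32_t rki_last, uint32_t rki0, uint8_t rc, int be_formula)
{
	if (be_formula)
		return rol32(aes_sub(rki_last), 8) ^ ((uint32_t)rc << 24) ^ rki0;
	return ror32(aes_sub(rki_last), 8) ^ rc ^ rki0;
}

/* AES-128 expansion over native words, shaped like the kernel loop with kwords
 * == 4 (assumed). Mismatching big_endian and be_formula is the pre-patch bug. */
void expand_key_128(const uint8_t key[16], int big_endian, int be_formula, uint8_t out[176])
{
	uint32_t w[44];
	for (int i = 0; i < 4; i++)
		w[i] = load_word(key + 4 * i, big_endian);
	for (int i = 0; i < 10; i++) {
		uint32_t *rki = w + i * 4, *rko = rki + 4;
		rko[0] = rko0(rki[3], rki[0], rcon[i], be_formula);
		rko[1] = rko[0] ^ rki[1];
		rko[2] = rko[1] ^ rki[2];
		rko[3] = rko[2] ^ rki[3];
	}
	for (int i = 0; i < 44; i++)		/* expanded key in memory order */
		store_word(out + 4 * i, w[i], big_endian);
}

/* Endianness-free reference: FIPS-197 RotWord, SubWord and Rcon on bytes. */
void expand_key_128_ref(const uint8_t key[16], uint8_t out[176])
{
	memcpy(out, key, 16);
	for (int i = 4; i < 44; i++) {
		const uint8_t *prev = out + 4 * (i - 1), *back = out + 4 * (i - 4);
		uint8_t *w = out + 4 * i;
		for (int k = 0; k < 4; k++)	/* w[i] = w[i-4] ^ f(w[i-1]) */
			w[k] = back[k] ^ (i % 4 ? prev[k] : sbox[prev[(k + 1) % 4]]);
		if (i % 4 == 0)
			w[0] ^= rcon[i / 4 - 1];
	}
}

/* FIPS-197 Appendix A.1 key and its published round-10 key. */
static const uint8_t fips_key[16] = { 0x2b, 0x7e, 0x15, 0x16, 0x28, 0xae, 0xd2, 0xa6, 0xab, 0xf7, 0x15, 0x88, 0x09, 0xcf, 0x4f, 0x3c };
static const uint8_t fips_rk10[16] = { 0xd0, 0x14, 0xf9, 0xa8, 0xc9, 0xee, 0x25, 0x89, 0xe1, 0x3f, 0x0c, 0xc8, 0xb6, 0x63, 0x0c, 0xa6 };

/* Bit 0: reference matches FIPS-197; bit 1: native expansion matches reference. */
int check_expansion(int big_endian, int be_formula)
{
	uint8_t ref[176], got[176];
	init_sbox();
	expand_key_128_ref(fips_key, ref);
	expand_key_128(fips_key, big_endian, be_formula, got);
	return (memcmp(ref + 160, fips_rk10, 16) == 0) | (memcmp(ref, got, 176) == 0) << 1;
}
```

`check_expansion(0, 0)` and `check_expansion(1, 1)` return 3 (both checks pass), while `check_expansion(1, 0)`, the pre-patch expression on big-endian words, returns 1: the reference is still right but the native expansion diverges from the very first derived word, which is the failure the commit message describes. For the FIPS-197 key the first derived word is `a0 fa fe 17` in memory; as a little-endian `u32` that is `0x17fefaa0` and as a big-endian one `0xa0fafe17`, and `rko0()` yields each only when handed the matching word layout.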