From patchwork Mon Oct 8 11:16:59 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ard Biesheuvel X-Patchwork-Id: 148357 Delivered-To: patch@linaro.org Received: by 2002:a2e:8595:0:0:0:0:0 with SMTP id b21-v6csp3510408lji; Mon, 8 Oct 2018 04:17:34 -0700 (PDT) X-Google-Smtp-Source: ACcGV60JkBmPV9jFuOvXHIN8topkAhW6qt2amKGiPEMid3zVZEsn0xRMGt6ZvJYwmgi2n6FxBPXP X-Received: by 2002:a62:14ce:: with SMTP id 197-v6mr24594377pfu.50.1538997454295; Mon, 08 Oct 2018 04:17:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1538997454; cv=none; d=google.com; s=arc-20160816; b=wx+fjQQU5T58hCXcCN75tQ2GYys3Z+yiOJYbCQ8I/8K7d5R9pM+/RTMPdc7nBVGu6r UBnmJuLm1JNVubDeV4/irEB7DVQuObmpt/e9wnRD5QyspcWuR8wx5I1kyeNjCsxTP9cx 8vu6BlHCohT1O+60nk8gX4RRkGDQqFpMNT/PjS1nkKyl8zoXBnlh8mfd9KRt6s4RWbaV 8JQnrye+rPrJw9uqPsU9c3nvIG3ttrDFHG9tOWrO2BqpJCLF/60soOnr6149c9aIQdiw oJHJaMZbIzt+/XQxDTVx9sI3EDaf9qCe+liwor5vJSqU08GQ5eLd3wg9fgZzNp7I4s7W Y9cg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature; bh=FvvMCnO4yVi6bA3oAnMlkiNI/zBroN1/Pf07I7c2Ptk=; b=Jni5Ke0cokgD3mIvaMCFOGt8doLRsTVvLrKCfC8e3ooOxgMRxZjq0VuWAIwWiKhNW1 AR819vzdvPaXAZzipenhTgbMvWyghcf9oJA1x+nf0bVPqlSZ8Zn8Ot/STlIq1eQrJjPq lme6yI5E/6aL7b3Lu2USs47T3rZre1zWGjnlQ5oOZA1hZRwPAvqVozfqB1Ely1LkV5t3 g+HDyfqzr8yRwihKQey9eVktFvcdTFW9zulOBJIcsfElZXKzSyhZmF1Yhm1HRYOpkCjY sSo3PbsD4XaHJBAYuIDNPR2mIAcqg0GxDsVKi9Fntz9uMSURCyTnl+EY35j4dWg+wrcq xqFQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=eHQvE3BC; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id f132-v6si15601871pgc.484.2018.10.08.04.17.34; Mon, 08 Oct 2018 04:17:34 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=eHQvE3BC; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726771AbeJHS2r (ORCPT + 2 others); Mon, 8 Oct 2018 14:28:47 -0400 Received: from mail-wr1-f67.google.com ([209.85.221.67]:34303 "EHLO mail-wr1-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726728AbeJHS2q (ORCPT ); Mon, 8 Oct 2018 14:28:46 -0400 Received: by mail-wr1-f67.google.com with SMTP id z4-v6so20376944wrb.1 for ; Mon, 08 Oct 2018 04:17:32 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id; bh=FvvMCnO4yVi6bA3oAnMlkiNI/zBroN1/Pf07I7c2Ptk=; b=eHQvE3BCGEonVeYUscNwt1dWgCGNcoSZV7od6F4AQULNVLCN/zprTMWph5Xrfa9B75 N67VjX43vIBZI9Lvkg++pJBB2HM/h0ZTskP+A+Iz/lwFuNTeCYat88zKQ4PRgCHtq9Zo /Jd+O3xEpVz+EPj4n1HP0OU3CZDqoNIveAK5A= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=FvvMCnO4yVi6bA3oAnMlkiNI/zBroN1/Pf07I7c2Ptk=; b=FSTX6xTSosy2wzRyO4B7GwR6eb/Txg4EeOPB9npDEpBEter3n09jXosfXqP94B3OHn z84q76oF9Z0A+6OUnMh7xSWpXYsyX8fBdLH/yBK5Pilp4zhdbAr6Vn4b9ayA2eZxt8Dq IK8711e+WyxoyU5/VsL6gnpk1AsNwNb/IcYKN8V2S15hWF9yWU3kDDU2tcN9J6BRsOVA KY2rKyBZxMfDShqQT6nhUOdPPFMr3GI7XQ8R0znvPDh12YMMXsCi+wX8NsP31REOij0L bkyMowPvfSS63lX+b/GCL0hVNNWmr7CfhuFlCrQsiho9/QB2t3GZbkJqfxpVqBvwuvnh U1rg== X-Gm-Message-State: ABuFfogWwDcZ0byAf0U/rVdWfruY9wDWiO9p3OweD1ljDIfq2QkLp7dI iBzqOOAcJmDwm2hnhgZxDC1yhQwoQ98= X-Received: by 2002:adf:dd83:: with SMTP id x3-v6mr15742828wrl.212.1538997450818; Mon, 08 Oct 2018 04:17:30 -0700 (PDT) Received: from localhost.localdomain ([2a01:cb1d:112:6f00:8084:9715:d038:c67d]) by smtp.gmail.com with ESMTPSA id o3-v6sm10924460wrw.93.2018.10.08.04.17.29 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 08 Oct 2018 04:17:30 -0700 (PDT) From: Ard Biesheuvel To: linux-crypto@vger.kernel.org Cc: herbert@gondor.apana.org.au, ebiggers@kernel.org, Ard Biesheuvel Subject: [PATCH] crypto: arm64/aes-blk - ensure XTS mask is always loaded Date: Mon, 8 Oct 2018 13:16:59 +0200 Message-Id: <20181008111659.28719-1-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 2.11.0 Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Commit 2e5d2f33d1db ("crypto: arm64/aes-blk - improve XTS mask handling") optimized away some reloads of the XTS mask vector, but failed to take into account that calls into the XTS en/decrypt routines will take a slightly different code path if a single block of input is split across different buffers. So let's ensure that the first load occurs unconditionally, and move the reload to the end so it doesn't occur needlessly. Fixes: 2e5d2f33d1db ("crypto: arm64/aes-blk - improve XTS mask handling") Signed-off-by: Ard Biesheuvel --- arch/arm64/crypto/aes-modes.S | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) -- 2.11.0 diff --git a/arch/arm64/crypto/aes-modes.S b/arch/arm64/crypto/aes-modes.S index 039738ae23f6..67700045a0e0 100644 --- a/arch/arm64/crypto/aes-modes.S +++ b/arch/arm64/crypto/aes-modes.S @@ -359,18 +359,17 @@ AES_ENTRY(aes_xts_encrypt) mov x29, sp ld1 {v4.16b}, [x6] + xts_load_mask v8 cbz w7, .Lxtsencnotfirst enc_prepare w3, x5, x8 encrypt_block v4, w3, x5, x8, w7 /* first tweak */ enc_switch_key w3, x2, x8 - xts_load_mask v8 b .LxtsencNx .Lxtsencnotfirst: enc_prepare w3, x2, x8 .LxtsencloopNx: - xts_reload_mask v8 next_tweak v4, v4, v8 .LxtsencNx: subs w4, w4, #4 @@ -391,6 +390,7 @@ AES_ENTRY(aes_xts_encrypt) st1 {v0.16b-v3.16b}, [x0], #64 mov v4.16b, v7.16b cbz w4, .Lxtsencout + xts_reload_mask v8 b .LxtsencloopNx .Lxtsenc1x: adds w4, w4, #4 @@ -417,18 +417,17 @@ AES_ENTRY(aes_xts_decrypt) mov x29, sp ld1 {v4.16b}, [x6] + xts_load_mask v8 cbz w7, .Lxtsdecnotfirst enc_prepare w3, x5, x8 encrypt_block v4, w3, x5, x8, w7 /* first tweak */ dec_prepare w3, x2, x8 - xts_load_mask v8 b .LxtsdecNx .Lxtsdecnotfirst: dec_prepare w3, x2, x8 .LxtsdecloopNx: - xts_reload_mask v8 next_tweak v4, v4, v8 .LxtsdecNx: subs w4, w4, #4 @@ -449,6 +448,7 @@ AES_ENTRY(aes_xts_decrypt) st1 {v0.16b-v3.16b}, [x0], #64 mov v4.16b, v7.16b cbz w4, .Lxtsdecout + xts_reload_mask v8 b .LxtsdecloopNx .Lxtsdec1x: adds w4, w4, #4