diff mbox series

crypto: x86/aes-gcm - simplify GCM hash subkey derivation

Message ID 20240420060037.26014-1-ebiggers@kernel.org
State New
Headers show
Series crypto: x86/aes-gcm - simplify GCM hash subkey derivation | expand

Commit Message

Eric Biggers April 20, 2024, 6 a.m. UTC
From: Eric Biggers <ebiggers@google.com>

Remove a redundant expansion of the AES key, and utilize the zero page.
Also rename rfc4106_set_hash_subkey() to aes_gcm_derive_hash_subkey()
because it's used for both versions of AES-GCM, not just RFC4106.

Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 arch/x86/crypto/aesni-intel_glue.c | 26 +++++++-------------------
 1 file changed, 7 insertions(+), 19 deletions(-)


base-commit: 543ea178fbfadeaf79e15766ac989f3351349f02

Comments

Eric Biggers April 20, 2024, 6:19 p.m. UTC | #1
On Fri, Apr 19, 2024 at 11:00:37PM -0700, Eric Biggers wrote:
> +	aes_encrypt(aes_key, hash_subkey, page_address(ZERO_PAGE(0)));

Actually, page_address(ZERO_PAGE(0)) expands into a surprisingly large number of
instructions.  Using empty_zero_page directly would avoid this, but there's
little precedent for doing that.  For now, I think just using something like
'static const u8 zeroes[16]' is the way to go for small buffers like this.

- Eric
Herbert Xu April 26, 2024, 9:39 a.m. UTC | #2
Eric Biggers <ebiggers@kernel.org> wrote:
> On Fri, Apr 19, 2024 at 11:00:37PM -0700, Eric Biggers wrote:
>> +     aes_encrypt(aes_key, hash_subkey, page_address(ZERO_PAGE(0)));
> 
> Actually, page_address(ZERO_PAGE(0)) expands into a surprisingly large number of
> instructions.  Using empty_zero_page directly would avoid this, but there's
> little precedent for doing that.  For now, I think just using something like
> 'static const u8 zeroes[16]' is the way to go for small buffers like this.

Yes it's not worth the effort given the small size.  But still it
looks like lib/raid6 could benefit from using a shared zero page
too.

Cheers,
diff mbox series

Patch

diff --git a/arch/x86/crypto/aesni-intel_glue.c b/arch/x86/crypto/aesni-intel_glue.c
index 110b3282a1f2..b4058c3d410d 100644
--- a/arch/x86/crypto/aesni-intel_glue.c
+++ b/arch/x86/crypto/aesni-intel_glue.c
@@ -38,11 +38,10 @@ 
 
 
 #define AESNI_ALIGN	16
 #define AESNI_ALIGN_ATTR __attribute__ ((__aligned__(AESNI_ALIGN)))
 #define AES_BLOCK_MASK	(~(AES_BLOCK_SIZE - 1))
-#define RFC4106_HASH_SUBKEY_SIZE 16
 #define AESNI_ALIGN_EXTRA ((AESNI_ALIGN - 1) & ~(CRYPTO_MINALIGN - 1))
 #define CRYPTO_AES_CTX_SIZE (sizeof(struct crypto_aes_ctx) + AESNI_ALIGN_EXTRA)
 #define XTS_AES_CTX_SIZE (sizeof(struct aesni_xts_ctx) + AESNI_ALIGN_EXTRA)
 
 /* This data is stored at the end of the crypto_tfm struct.
@@ -588,27 +587,14 @@  static int xctr_crypt(struct skcipher_request *req)
 		err = skcipher_walk_done(&walk, nbytes);
 	}
 	return err;
 }
 
-static int
-rfc4106_set_hash_subkey(u8 *hash_subkey, const u8 *key, unsigned int key_len)
+static int aes_gcm_derive_hash_subkey(const struct crypto_aes_ctx *aes_key,
+				      u8 hash_subkey[AES_BLOCK_SIZE])
 {
-	struct crypto_aes_ctx ctx;
-	int ret;
-
-	ret = aes_expandkey(&ctx, key, key_len);
-	if (ret)
-		return ret;
-
-	/* Clear the data in the hash sub key container to zero.*/
-	/* We want to cipher all zeros to create the hash sub key. */
-	memset(hash_subkey, 0, RFC4106_HASH_SUBKEY_SIZE);
-
-	aes_encrypt(&ctx, hash_subkey, hash_subkey);
-
-	memzero_explicit(&ctx, sizeof(ctx));
+	aes_encrypt(aes_key, hash_subkey, page_address(ZERO_PAGE(0)));
 	return 0;
 }
 
 static int common_rfc4106_set_key(struct crypto_aead *aead, const u8 *key,
 				  unsigned int key_len)
@@ -622,11 +608,12 @@  static int common_rfc4106_set_key(struct crypto_aead *aead, const u8 *key,
 	key_len -= 4;
 
 	memcpy(ctx->nonce, key + key_len, sizeof(ctx->nonce));
 
 	return aes_set_key_common(&ctx->aes_key_expanded, key, key_len) ?:
-	       rfc4106_set_hash_subkey(ctx->hash_subkey, key, key_len);
+	       aes_gcm_derive_hash_subkey(&ctx->aes_key_expanded,
+					  ctx->hash_subkey);
 }
 
 /* This is the Integrity Check Value (aka the authentication tag) length and can
  * be 8, 12 or 16 bytes long. */
 static int common_rfc4106_set_authsize(struct crypto_aead *aead,
@@ -1328,11 +1315,12 @@  static int generic_gcmaes_set_key(struct crypto_aead *aead, const u8 *key,
 				  unsigned int key_len)
 {
 	struct generic_gcmaes_ctx *ctx = generic_gcmaes_ctx_get(aead);
 
 	return aes_set_key_common(&ctx->aes_key_expanded, key, key_len) ?:
-	       rfc4106_set_hash_subkey(ctx->hash_subkey, key, key_len);
+	       aes_gcm_derive_hash_subkey(&ctx->aes_key_expanded,
+					  ctx->hash_subkey);
 }
 
 static int generic_gcmaes_encrypt(struct aead_request *req)
 {
 	struct crypto_aead *tfm = crypto_aead_reqtfm(req);