From patchwork Fri Jun 16 11:17:43 2017
X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 105705
From: Ard Biesheuvel
To: linux-crypto@vger.kernel.org
Cc: herbert@gondor.apana.org.au, nico@linaro.org, ebiggers3@gmail.com, Ard Biesheuvel
Subject: [PATCH v2 0/6] crypto: aes - allow generic AES to be omitted
Date: Fri, 16 Jun 2017 13:17:43 +0200
Message-Id: <1497611869-6126-1-git-send-email-ard.biesheuvel@linaro.org>
X-Mailing-List: linux-crypto@vger.kernel.org

The generic AES driver uses 16 lookup tables of 1 KB each, and has encryption and decryption routines that are fully unrolled. Given how the dependencies between this code and other drivers are declared in Kconfig files, this code is always pulled into the core kernel, even if it is usually superseded at runtime by accelerated drivers that exist for many architectures.

This leaves us with 25 KB of dead code in the kernel, which is negligible in typical environments, but which is actually a big deal for the IoT domain, where every kilobyte counts.

Also, the scalar, table based AES routines that exist for ARM, arm64, i586 and x86_64 share the lookup tables with AES generic, and may be invoked occasionally when the time-invariant AES-NI or other special instruction drivers are called in interrupt context, at which time the SIMD register file cannot be used.
Pulling 16 KB of code and 9 KB of instructions into the L1s (and evicting what was already there) when a softirq happens to be handled in the context of an interrupt taken from kernel mode (which means no SIMD on x86) is also something that we may like to avoid, by falling back to a much smaller and moderately less performant driver.

(Note that arm64 will be updated shortly to supply fallbacks for all SIMD based AES implementations, which will be based on the core routines [if they are accepted].)

For the reasons above, this series refactors the way the various AES implementations are wired up, to allow the generic version in crypto/aes_generic.c to be omitted from the build entirely.

Patch #1 removes some bogus 'select CRYPTO_AES' statement.

Patch #2 introduces CRYPTO_AES_CORE and its implementation crypto/aes_core.c, which contains the existing key expansion routines, and default encrypt and decrypt routines that are not exposed as a crypto_cipher themselves, but can be pulled in by other AES drivers. These routines only depend on the two 256 byte Sboxes.

Patch #3 switches the fallback in the AES-NI code to the new, generic encrypt and decrypt routines so it no longer depends on the x86 scalar code or [transitively] on AES-generic.

Patch #4 repurposes the CRYPTO_AES Kconfig symbol as an abstract symbol that indicates whether some implementation of AES needs to be available. The existing generic code is now controlled by CRYPTO_AES_GENERIC.

Patch #5 updates the Kconfig help text to be more descriptive of what they actually control, rather than duplicating AES's Wikipedia entry a number of times.

Patch #6 updates the Kconfig logic so CRYPTO_AES_GENERIC can be disabled if any CRYPTO_AES dependencies are satisfied by the fixed time driver.
v2: - repurpose CRYPTO_AES and avoid HAVE_AES/NEED_AES Kconfig symbols
    - don't factor out tables from AES generic to be reused by per arch drivers,
      since the space saving is moderate (the generic code only), and the
      drivers weren't made to be small anyway

Ard Biesheuvel (6):
  drivers/crypto/Kconfig: drop bogus CRYPTO_AES dependencies
  crypto: aes - refactor shared routines into separate core module
  crypto: x86/aes-ni - switch to generic fallback
  crypto: aes - repurpose CRYPTO_AES and introduce CRYPTO_AES_GENERIC
  crypto: aes - add meaningful help text to the various AES drivers
  crypto: aes - allow generic AES to be replaced by fixed time AES

 arch/arm/crypto/Kconfig            |   8 +-
 arch/arm64/crypto/Kconfig          |  11 +-
 arch/x86/crypto/aesni-intel_glue.c |   4 +-
 crypto/Kconfig                     |  85 ++---
 crypto/Makefile                    |   3 +-
 crypto/aes_core.c                  | 333 ++++++++++++++++++++
 crypto/aes_generic.c               | 178 -----------
 crypto/aes_ti.c                    | 305 ++----------------
 drivers/crypto/Kconfig             |  13 +-
 include/crypto/aes.h               |   6 +
 net/sunrpc/Kconfig                 |   3 +-
 11 files changed, 407 insertions(+), 542 deletions(-)
 create mode 100644 crypto/aes_core.c

-- 
2.7.4
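
Added example, not part of the original message and not code from the series: a C sketch of the size trade-off the cover letter describes, computing one AES round column once with a 1 KB precomputed table and once from the 256 byte S-box alone, and checking that both agree. The names, the word packing of the table and the use of rotations in place of separate tables are assumptions of this sketch.

```c
#include <stdint.h>
static uint8_t sbox[256];  /* 256 bytes: all the S-box-only path reads */
static uint32_t te0[256];  /* 1 KB: one precomputed SubBytes+MixColumns table */

static uint8_t rotl8(uint8_t x, int s) { return (uint8_t)((x << s) | (x >> (8 - s))); }
static uint32_t rol32(uint32_t x, int s) { return (x << s) | (x >> (32 - s)); }
static uint8_t xtime(uint8_t x) { return (uint8_t)((x << 1) ^ ((x & 0x80) ? 0x1b : 0)); }
static void build_tables(void)
{
	uint8_t p = 1, q = 1;
	do {	/* walk GF(2^8): p steps by *3 and q by /3, so q is always 1/p */
		p = (uint8_t)(p ^ (p << 1) ^ ((p & 0x80) ? 0x1b : 0));
		q ^= (uint8_t)(q << 1); q ^= (uint8_t)(q << 2); q ^= (uint8_t)(q << 4);
		q ^= (q & 0x80) ? 0x09 : 0;
		sbox[p] = q ^ rotl8(q, 1) ^ rotl8(q, 2) ^ rotl8(q, 3) ^ rotl8(q, 4) ^ 0x63;
	} while (p != 1);
	sbox[0] = 0x63;	/* 0 has no inverse */
	for (int i = 0; i < 256; i++) {	/* assumed packing: (2s, s, s, 3s), low byte first */
		uint32_t s = sbox[i], s2 = xtime(sbox[i]);
		te0[i] = s2 | s << 8 | s << 16 | (s2 ^ s) << 24;
	}
}

/* Table style: four 32-bit lookups per column; rotations stand in for te1..te3. */
static uint32_t column_tables(const uint8_t a[4])
{
	return te0[a[0]] ^ rol32(te0[a[1]], 8) ^ rol32(te0[a[2]], 16) ^ rol32(te0[a[3]], 24);
}

/* S-box-only style: same column, MixColumns computed with xtime() instead of looked up. */
static uint32_t column_sbox_only(const uint8_t a[4])
{
	uint8_t s[4] = { sbox[a[0]], sbox[a[1]], sbox[a[2]], sbox[a[3]] }, o[4];
	for (int i = 0; i < 4; i++)	/* o[i] = 2*s[i] ^ 3*s[i+1] ^ s[i+2] ^ s[i+3] */
		o[i] = xtime(s[i]) ^ xtime(s[(i + 1) & 3]) ^ s[(i + 1) & 3] ^ s[(i + 2) & 3] ^ s[(i + 3) & 3];
	return o[0] | (uint32_t)o[1] << 8 | (uint32_t)o[2] << 16 | (uint32_t)o[3] << 24;
}

static int count_mismatches(void)	/* compare both styles over constructed columns */
{
	int bad = 0;
	build_tables();
	for (uint32_t v = 0; v < 65536; v++) {
		uint8_t a[4] = { (uint8_t)v, (uint8_t)(v >> 8), (uint8_t)(v * 7), (uint8_t)(v ^ 0xa5) };
		bad += column_tables(a) != column_sbox_only(a);
	}
	return bad;
}
int main(void) { return count_mismatches() != 0; }
```

The table path touches 1 KB of data per table for the same result the S-box path gets from 256 bytes plus a few shifts and XORs per byte.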