1. 11 Feb, 2017 4 commits
    • crypto: aes - add generic time invariant AES cipher · b5e0b032
      Ard Biesheuvel authored
      Lookup table based AES is sensitive to timing attacks because the
      table lookups are data dependent and because 8 KB worth of tables
      covers a significant number of cache lines on any architecture,
      resulting in an exploitable correlation between the key and the
      processing time for known plaintexts.
      
      For network facing algorithms such as CTR, CCM or GCM, this presents a
      security risk, which is why arch specific AES ports are typically time
      invariant, either through the use of special instructions, or by using
      SIMD algorithms that don't rely on table lookups.
      
      For generic code, this is difficult to achieve without losing too much
      performance, but we can improve the situation significantly by switching
      to an implementation that only needs 256 bytes of table data (the actual
      S-box itself), which can be prefetched at the start of each block to
      eliminate data dependent latencies.
      
      This code encrypts at ~25 cycles per byte on ARM Cortex-A57 (while the
      ordinary generic AES driver manages 18 cycles per byte on this
      hardware). Decryption is substantially slower.
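      
      A minimal C sketch of the prefetch idea described above (aes_sbox,
      prefetch_sbox and the state layout are placeholders, not the
      driver's actual code):
      
      #include <linux/types.h>
      
      /* Placeholder for the 256-byte AES S-box (values elided). */
      extern const u8 aes_sbox[256];
      
      /*
       * Pull the whole S-box into the D-cache before any data-dependent
       * lookups are made, so the per-byte lookup latency no longer
       * correlates with the key or plaintext.  The S-box is a permutation
       * of 0..255, so XOR-ing all of its entries yields 0; folding the
       * accumulator into live cipher state is therefore a no-op, and it
       * also keeps the compiler from discarding the loads.
       */
      static void prefetch_sbox(u32 *state_word)
      {
              u8 acc = 0;
              int i;
      
              for (i = 0; i < 256; i++)
                      acc ^= aes_sbox[i];
      
              *state_word ^= acc;     /* acc == 0: state is unchanged */
      }
      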
      Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: aes-generic - drop alignment requirement · ec38a937
      Ard Biesheuvel authored
      The generic AES code exposes a 32-bit align mask, which forces all
      users of the code to use temporary buffers or take other measures to
      ensure the alignment requirement is adhered to, even on architectures
      that don't care about alignment for software algorithms such as this
      one.
      
      So drop the align mask, and fix the code to use get_unaligned_le32()
      where appropriate, which will resolve to whatever is optimal for the
      architecture.
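      
      As a sketch of what the unaligned accessors buy (illustrative
      function, assuming the kernel's get_unaligned_le32() helper from
      <asm/unaligned.h>):
      
      #include <linux/types.h>
      #include <asm/unaligned.h>
      
      /*
       * Load the four 32-bit words of an AES block without assuming the
       * source buffer is 32-bit aligned.  get_unaligned_le32() becomes a
       * plain little-endian load on architectures with cheap unaligned
       * access and byte-wise loads elsewhere, so callers no longer need
       * temporary buffers or manual realignment.
       */
      static void load_block(u32 st[4], const u8 *in)
      {
              st[0] = get_unaligned_le32(in);
              st[1] = get_unaligned_le32(in + 4);
              st[2] = get_unaligned_le32(in + 8);
              st[3] = get_unaligned_le32(in + 12);
      }
      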
      Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: sha512-mb - Protect sha512 mb ctx mgr access · c459bd7b
      Tim Chen authored
      The flusher and the regular multi-buffer computation via mcryptd may
      race with one another. Take a lock and disable interrupts to access
      the multi-buffer computation state cstate->mgr before a round of
      computation. This should prevent the flusher code from jumping in.
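      
      An illustrative locking pattern (struct and function names are
      placeholders, not the driver's identifiers):
      
      #include <linux/spinlock.h>
      
      /* Hypothetical stand-in for the per-cpu multi-buffer state. */
      struct mb_cstate {
              spinlock_t work_lock;   /* protects mgr */
              void *mgr;              /* multi-buffer ctx manager */
      };
      
      /*
       * Both the regular submit path and the flusher would go through a
       * helper like this: the lock is held with interrupts disabled for
       * the whole round, so the flusher cannot interleave with an
       * in-progress computation on cstate->mgr.
       */
      static void mb_do_round(struct mb_cstate *cstate)
      {
              unsigned long flags;
      
              spin_lock_irqsave(&cstate->work_lock, flags);
              /* ... operate on cstate->mgr for one round ... */
              spin_unlock_irqrestore(&cstate->work_lock, flags);
      }
      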
      Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
    • crypto: arm64/crc32 - merge CRC32 and PMULL instruction based drivers · 5d3d9c8b
      Ard Biesheuvel authored
      The PMULL based CRC32 implementation already contains code based on the
      separate, optional CRC32 instructions to fall back to when operating on
      small quantities of data. We can expose these routines directly on systems
      that lack the 64x64 PMULL instructions but do implement the CRC32 ones,
      which makes the driver that is based solely on those CRC32 instructions
      redundant. So remove it.
      
      Note that this aligns arm64 with ARM, whose accelerated CRC32 driver
      also combines the CRC32 extension based and the PMULL based versions.
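      
      A rough sketch of the combined driver's dispatch (the threshold and
      helper names are assumptions, not the driver's code):
      
      #include <linux/types.h>
      
      /* Hypothetical helpers standing in for the two code paths. */
      u32 crc32_insn_update(u32 crc, const u8 *data, unsigned int len);
      u32 crc32_pmull_update(u32 crc, const u8 *data, unsigned int len);
      
      #define PMULL_MIN_LEN 64        /* illustrative cut-over point */
      
      /*
       * Short updates, and systems that implement the CRC32 instructions
       * but not 64x64 PMULL, take the scalar CRC32-instruction path;
       * larger buffers use the PMULL-based folding routine.
       */
      static u32 crc32_update(u32 crc, const u8 *data, unsigned int len,
                              bool have_pmull)
      {
              if (!have_pmull || len < PMULL_MIN_LEN)
                      return crc32_insn_update(crc, data, len);
      
              return crc32_pmull_update(crc, data, len);
      }
      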
      Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
      Tested-by: Matthias Brugger <mbrugger@suse.com>
      Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
  2. 03 Feb, 2017 36 commits