16 Jan, 2020

1 commit

  • These two C implementations from Zinc -- a 32x32 one and a 64x64 one,
    depending on the platform -- come from Andrew Moon's public domain
    poly1305-donna portable code, modified for usage in the kernel. The
    precomputation in the 32-bit version and the use of 64x64 multiplies in
    the 64-bit version make these perform better than the code it replaces.
    Moon's code is also very widespread and has received many eyeballs of
    scrutiny.

    There's a bit of interference with the x86 implementation, which
    relies on internal details of the old scalar implementation. In the next
    commit, the x86 implementation will be replaced with a faster one that
    doesn't rely on this, so none of this matters much. But for now, to keep
    this passing the tests, we inline the bits of the old implementation
    that the x86 implementation relied on. Also, since we now support a
    slightly larger key space, via the union, some offsets had to be fixed
    up.

    Nonce calculation was folded in with the emit function, to take
    advantage of 64x64 arithmetic. However, Adiantum appeared to rely on no
    nonce handling in emit, so this path was conditionalized. We also
    introduced a new struct, poly1305_core_key, to represent the precise
    amount of space that particular implementation uses.

    Testing with kbench9000, depending on the CPU, the update function for
    the 32x32 version has been improved by 4%-7%, and for the 64x64 by
    19%-30%. The 32x32 gains are small, but I think there's great value in
    having a parallel implementation to the 64x64 one so that the two can be
    compared side-by-side as nice stand-alone units.

    Signed-off-by: Jason A. Donenfeld
    Signed-off-by: Herbert Xu

    Jason A. Donenfeld
     

17 Nov, 2019

4 commits

  • Remove the dependency on the generic Poly1305 driver. Instead, depend
    on the generic library so that we only reuse code without pulling in
    the generic skcipher implementation as well.

    While at it, remove the logic that prefers the non-SIMD path for short
    inputs - this is no longer necessary after recent FPU handling changes
    on x86.

    Since this removes the last remaining user of the routines exported
    by the generic shash driver, unexport them and make them static.

    Signed-off-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Ard Biesheuvel
     
  • Expose the existing generic Poly1305 code via an init/update/final
    library interface so that callers are not required to go through
    the crypto API's shash abstraction to access it. At the same time,
    make some preparations so that the library implementation can be
    superseded by an accelerated arch-specific version in the future.

    Signed-off-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Ard Biesheuvel
     
  • In preparation of exposing a Poly1305 library interface directly from
    the accelerated x86 driver, align the state descriptor of the x86 code
    with the one used by the generic driver. This is needed to make the
    library interface unified between all implementations.

    Signed-off-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Ard Biesheuvel
     
  • Move the core Poly1305 routines shared between the generic Poly1305
    shash driver and the Adiantum and NHPoly1305 drivers into a separate
    library so that using just these pieces does not pull in the crypto
    API pieces of the generic Poly1305 routine.

    In a subsequent patch, we will augment this generic library with
    init/update/final routines so that the Poly1305 algorithm can be used
    directly without the need for using the crypto API's shash abstraction.

    Signed-off-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Ard Biesheuvel
     

18 Apr, 2019

1 commit

  • Use subsys_initcall for registration of all templates and generic
    algorithm implementations, rather than module_init. Then change
    cryptomgr to use arch_initcall, to place it before the subsys_initcalls.

    This is needed so that when both a generic and optimized implementation
    of an algorithm are built into the kernel (not loadable modules), the
    generic implementation is registered before the optimized one.
    Otherwise, the self-tests for the optimized implementation are unable to
    allocate the generic implementation for the new comparison fuzz tests.

    Note that on arm, a side effect of this change is that self-tests for
    generic implementations may run before the unaligned access handler has
    been installed. So, unaligned accesses will crash the kernel. This is
    arguably a good thing as it makes it easier to detect that type of bug.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     

20 Nov, 2018

2 commits

  • Expose a low-level Poly1305 API which implements the
    ε-almost-∆-universal (εA∆U) hash function underlying the Poly1305 MAC
    and supports block-aligned inputs only.

    This is needed for Adiantum hashing, which builds an εA∆U hash function
    from NH and a polynomial evaluation in GF(2^{130}-5); this polynomial
    evaluation is identical to the one the Poly1305 MAC does. However, the
    crypto_shash Poly1305 API isn't very appropriate for this because its
    calling convention assumes it is used as a MAC, with a 32-byte "one-time
    key" provided for every digest.

    But by design, in Adiantum hashing the performance of the polynomial
    evaluation isn't nearly as critical as NH. So it suffices to just have
    some C helper functions. Thus, this patch adds such functions.

    Acked-by: Martin Willi
    Signed-off-by: Eric Biggers
    Acked-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Eric Biggers
     
  • In preparation for exposing a low-level Poly1305 API which implements
    the ε-almost-∆-universal (εA∆U) hash function underlying the Poly1305
    MAC and supports block-aligned inputs only, create structures
    poly1305_key and poly1305_state which hold the limbs of the Poly1305
    "r" key and accumulator, respectively.

    These structures could actually have the same type (e.g. poly1305_val),
    but different types are preferable, to prevent misuse.

    Acked-by: Martin Willi
    Signed-off-by: Eric Biggers
    Acked-by: Ard Biesheuvel
    Signed-off-by: Herbert Xu

    Eric Biggers
     

09 Jul, 2018

1 commit

  • Many shash algorithms set .cra_flags = CRYPTO_ALG_TYPE_SHASH. But this
    is redundant with the C structure type ('struct shash_alg'), and
    crypto_register_shash() already sets the type flag automatically,
    clearing any type flag that was already there. Apparently the useless
    assignment has just been copy+pasted around.

    So, remove the useless assignment from all the shash algorithms.

    This patch shouldn't change any actual behavior.

    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     

12 Jan, 2018

1 commit

  • Since Poly1305 requires a nonce per invocation, the Linux kernel
    implementations of Poly1305 don't use the crypto API's keying mechanism
    and instead expect the key and nonce as the first 32 bytes of the data.
    But ->setkey() is still defined as a stub returning an error code. This
    prevents Poly1305 from being used through AF_ALG and will also break it
    completely once we start enforcing that all crypto API users (not just
    AF_ALG) call ->setkey() if present.

    Fix it by removing crypto_poly1305_setkey(), leaving ->setkey as NULL.

    Cc: stable@vger.kernel.org
    Signed-off-by: Eric Biggers
    Signed-off-by: Herbert Xu

    Eric Biggers
     

05 Jan, 2018

2 commits


13 Nov, 2016

1 commit


17 Jul, 2015

1 commit


17 Jun, 2015

1 commit


04 Jun, 2015

1 commit

  • Poly1305 is a fast message authenticator designed by Daniel J. Bernstein.
    It is further defined in RFC7539 as a building block for the ChaCha20-Poly1305
    AEAD for use in IETF protocols.

    This is a portable C implementation of the algorithm without architecture
    specific optimizations, based on public domain code by Daniel J. Bernstein and
    Andrew Moon.

    Signed-off-by: Martin Willi
    Acked-by: Steffen Klassert
    Signed-off-by: Herbert Xu

    Martin Willi
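Several of the commits above describe the same small set of design points: the 20 Nov 2018 pair splits the clamped "r" key and the accumulator into distinct structs and exposes a block-aligned core (the εA∆U polynomial hash in GF(2^130-5)) that Adiantum uses without any nonce step; the 12 Jan 2018 and 04 Jun 2015 commits describe the 32-byte one-time key (r || s) convention and a portable C implementation derived from Bernstein's and Moon's public domain code; the 16 Jan 2020 commit contrasts a 32x32 and a 64x64 donna-style version. The following is an added example written for this page, not the kernel's poly1305_generic.c nor Andrew Moon's poly1305-donna, although it follows the same 26-bit-limb, 32x32->64 layout as the "32x32" version. All `p1305_*` names are invented for the example. The key/state split, the `hibit` parameter (the 2^128 pad for full blocks, 0 for the 0x01-padded tail), and the `nonce == NULL` path in emit mirror the design described in the commit messages; the self-test uses the RFC 8439 section 2.5.2 vector (RFC 8439 is the revision of RFC 7539 cited in the 2015 commit) and also confirms that the MAC equals the bare polynomial hash plus s modulo 2^128, which is exactly why a hash-only caller can skip the nonce.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Distinct types for the clamped "r" key and the accumulator "h" (the poly1305_key /
 * poly1305_state split): the compiler rejects passing one where the other is expected.
 * Five 26-bit limbs; every product below is a 32x32->64 multiply.  (Example code.) */
struct p1305_key   { uint32_t r[5]; };
struct p1305_state { uint32_t h[5]; };

static uint32_t le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void st32(uint8_t *p, uint32_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24); }

/* Clamp the 16 key bytes into r (RFC 8439: r &= 0ffffffc0ffffffc0ffffffc0fffffff) while splitting into limbs. */
void p1305_setkey(struct p1305_key *k, const uint8_t raw[16])
{
	k->r[0] = (le32(raw + 0)      ) & 0x3ffffff;
	k->r[1] = (le32(raw + 3)  >> 2) & 0x3ffff03;
	k->r[2] = (le32(raw + 6)  >> 4) & 0x3ffc0ff;
	k->r[3] = (le32(raw + 9)  >> 6) & 0x3f03fff;
	k->r[4] = (le32(raw + 12) >> 8) & 0x00fffff;
}

/* Block-aligned core: for each 16-byte block, h = (h + m_i + hibit) * r mod 2^130-5, h kept partially reduced. */
void p1305_blocks(struct p1305_state *st, const struct p1305_key *k,
		  const uint8_t *m, size_t nblocks, uint32_t hibit)
{
	const uint32_t r0 = k->r[0], r1 = k->r[1], r2 = k->r[2], r3 = k->r[3], r4 = k->r[4];
	const uint32_t s1 = r1 * 5, s2 = r2 * 5, s3 = r3 * 5, s4 = r4 * 5; /* 2^130 == 5 (mod p) */
	uint32_t *h = st->h, c, i;
	uint64_t d[5];
	for (; nblocks; nblocks--, m += 16) {
		/* h += m_i as 26-bit limbs; hibit (2^128 for full blocks, 0 for the padded tail) is the length pad */
		h[0] += (le32(m + 0)      ) & 0x3ffffff;
		h[1] += (le32(m + 3)  >> 2) & 0x3ffffff;
		h[2] += (le32(m + 6)  >> 4) & 0x3ffffff;
		h[3] += (le32(m + 9)  >> 6) & 0x3ffffff;
		h[4] += (le32(m + 12) >> 8) | hibit;
		/* h *= r; limb products that would land at or above 2^130 use the pre-multiplied s_i = 5*r_i */
		d[0] = (uint64_t)h[0]*r0 + (uint64_t)h[1]*s4 + (uint64_t)h[2]*s3 + (uint64_t)h[3]*s2 + (uint64_t)h[4]*s1;
		d[1] = (uint64_t)h[0]*r1 + (uint64_t)h[1]*r0 + (uint64_t)h[2]*s4 + (uint64_t)h[3]*s3 + (uint64_t)h[4]*s2;
		d[2] = (uint64_t)h[0]*r2 + (uint64_t)h[1]*r1 + (uint64_t)h[2]*r0 + (uint64_t)h[3]*s4 + (uint64_t)h[4]*s3;
		d[3] = (uint64_t)h[0]*r3 + (uint64_t)h[1]*r2 + (uint64_t)h[2]*r1 + (uint64_t)h[3]*r0 + (uint64_t)h[4]*s4;
		d[4] = (uint64_t)h[0]*r4 + (uint64_t)h[1]*r3 + (uint64_t)h[2]*r2 + (uint64_t)h[3]*r1 + (uint64_t)h[4]*r0;
		/* partial reduction: carry 26 bits up the chain, fold the overflow past 2^130 back as x5 */
		for (c = 0, i = 0; i < 5; i++) { d[i] += c; c = (uint32_t)(d[i] >> 26); h[i] = (uint32_t)d[i] & 0x3ffffff; }
		h[0] += c * 5; c = h[0] >> 26; h[0] &= 0x3ffffff; h[1] += c;
	}
}

/* Emit: fully reduce h mod 2^130-5 in constant time, truncate to 128 bits, then add the nonce s
 * mod 2^128.  nonce == NULL leaves the bare polynomial value (the hash-only, Adiantum-style use). */
void p1305_emit(const struct p1305_state *st, const uint8_t *nonce, uint8_t out[16])
{
	uint32_t h[5], g[5], w[4], c, mask, i;
	uint64_t f = 0;
	memcpy(h, st->h, sizeof h);
	for (c = 0, i = 1; i < 5; i++) { h[i] += c; c = h[i] >> 26; h[i] &= 0x3ffffff; }   /* finish carries */
	h[0] += c * 5; c = h[0] >> 26; h[0] &= 0x3ffffff; h[1] += c;
	/* g = h - p = h + 5 - 2^130; keep g iff it did not borrow (h >= p), selected by mask, no branch */
	for (c = 5, i = 0; i < 4; i++) { g[i] = h[i] + c; c = g[i] >> 26; g[i] &= 0x3ffffff; }
	g[4] = h[4] + c - (1u << 26);
	mask = (g[4] >> 31) - 1;                               /* 0xffffffff when no borrow */
	for (i = 0; i < 5; i++) h[i] = (h[i] & ~mask) | (g[i] & mask);
	/* repack 5x26-bit limbs into 4x32-bit words; bits at and above 2^128 fall off */
	w[0] = h[0] | h[1] << 26; w[1] = h[1] >> 6 | h[2] << 20;
	w[2] = h[2] >> 12 | h[3] << 14; w[3] = h[3] >> 18 | h[4] << 8;
	for (i = 0; i < 4; i++) {
		f = (f >> 32) + w[i] + (nonce ? le32(nonce + 4 * i) : 0);
		st32(out + 4 * i, (uint32_t)f);
	}
}

/* Whole message: full blocks through the core, then a tail padded as data || 0x01 || 0.. with no 2^128 bit. */
void p1305_hash(const uint8_t rkey[16], const uint8_t *nonce, const uint8_t *msg, size_t len, uint8_t out[16])
{
	struct p1305_key k;
	struct p1305_state st = { { 0, 0, 0, 0, 0 } };
	uint8_t last[16] = { 0 };
	p1305_setkey(&k, rkey);
	p1305_blocks(&st, &k, msg, len / 16, 1u << 24);
	if (len % 16) {
		memcpy(last, msg + len - len % 16, len % 16);
		last[len % 16] = 1;
		p1305_blocks(&st, &k, last, 1, 0);
	}
	p1305_emit(&st, nonce, out);
}

/* RFC 8439 section 2.5.2 vector: one-time key r || s and a 34-byte message.  Also checks that
 * MAC == bare hash + s (mod 2^128), i.e. the nonce enters only at emit.  Returns 1 on success. */
int p1305_selftest(void)
{
	static const uint8_t key[32] = {
		0x85,0xd6,0xbe,0x78,0x57,0x55,0x6d,0x33,0x7f,0x44,0x52,0xfe,0x42,0xd5,0x06,0xa8,
		0x01,0x03,0x80,0x8a,0xfb,0x0d,0xb2,0xfd,0x4a,0xbf,0xf6,0xaf,0x41,0x49,0xf5,0x1b };
	static const uint8_t want[16] = {
		0xa8,0x06,0x1d,0xc1,0x30,0x51,0x36,0xc6,0xc2,0x2b,0x8b,0xaf,0x0c,0x01,0x27,0xa9 };
	const uint8_t *msg = (const uint8_t *)"Cryptographic Forum Research Group";
	uint8_t tag[16], raw[16];
	unsigned carry = 0, i;
	p1305_hash(key, key + 16, msg, 34, tag);
	p1305_hash(key, NULL, msg, 34, raw);
	for (i = 0; i < 16; i++) { carry += raw[i] + key[16 + i]; raw[i] = (uint8_t)carry; carry >>= 8; }
	return memcmp(tag, want, 16) == 0 && memcmp(raw, want, 16) == 0;
}
```

The two things worth noticing against the commit messages: `p1305_blocks` accepts only whole 16-byte blocks and takes `hibit` as a parameter, so a caller that pads its own final block (as a MAC does) and a caller that only ever feeds aligned data (as the 2018 commit says Adiantum does) share the same core; and because the one-time key is 32 bytes with `s` used nowhere but the final addition, the "key and nonce as the first 32 bytes of the data" convention from the 12 Jan 2018 commit is just `p1305_setkey` on the first 16 and `nonce` on the next 16.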