15 Aug, 2019
1 commit
-
crypto/aes_generic.c:64:18: warning:
rco_tab defined but not used [-Wunused-const-variable=]

It is never used, so can be removed.

Reported-by: Hulk Robot
Signed-off-by: YueHaibing
Acked-by: Ard Biesheuvel
Signed-off-by: Herbert Xu
26 Jul, 2019
3 commits
-
The versions of the AES lookup tables that are only used during the last
round are never used outside of the driver, so there is no need to
export their symbols.

Signed-off-by: Ard Biesheuvel
Signed-off-by: Herbert Xu
-
Drop aes-generic's version of crypto_aes_expand_key(), and switch to
the key expansion routine provided by the AES library. AES key expansion
is not performance critical, and it is better to have a single version
shared by all AES implementations.

Signed-off-by: Ard Biesheuvel
Signed-off-by: Herbert Xu
-
Rename some local AES encrypt/decrypt routines so they don't clash with
the names we are about to introduce for the routines exposed by the
generic AES library.

Signed-off-by: Ard Biesheuvel
Signed-off-by: Herbert Xu
18 Apr, 2019
1 commit
-
Use subsys_initcall for registration of all templates and generic
algorithm implementations, rather than module_init. Then change
cryptomgr to use arch_initcall, to place it before the subsys_initcalls.

This is needed so that when both a generic and optimized implementation
of an algorithm are built into the kernel (not loadable modules), the
generic implementation is registered before the optimized one.
Otherwise, the self-tests for the optimized implementation are unable to
allocate the generic implementation for the new comparison fuzz tests.

Note that on arm, a side effect of this change is that self-tests for
generic implementations may run before the unaligned access handler has
been installed. So, unaligned accesses will crash the kernel. This is
arguably a good thing as it makes it easier to detect that type of bug.

Signed-off-by: Eric Biggers
Signed-off-by: Herbert Xu
08 Apr, 2019
1 commit
-
cacheline_aligned is a special section. It cannot be const at the same
time because it's not read-only. It doesn't give any MMU protection.

Mark it ____cacheline_aligned to not place it in a special section,
but just align it in .rodata

Cc: herbert@gondor.apana.org.au
Suggested-by: Rasmus Villemoes
Signed-off-by: Andi Kleen
Acked-by: Ard Biesheuvel
Signed-off-by: Herbert Xu
09 Nov, 2018
1 commit
-
Make the ARM scalar AES implementation closer to constant-time by
disabling interrupts and prefetching the tables into L1 cache. This is
feasible because due to ARM's "free" rotations, the main tables are only
1024 bytes instead of the usual 4096 used by most AES implementations.

On ARM Cortex-A7, the speed loss is only about 5%. The resulting code
is still over twice as fast as aes_ti.c. Responsiveness is potentially
a concern, but interrupts are only disabled for a single AES block.

Note that even after these changes, the implementation still isn't
necessarily guaranteed to be constant-time; see
https://cr.yp.to/antiforgery/cachetiming-20050414.pdf for a discussion
of the many difficulties involved in writing truly constant-time AES
software. But it's valuable to make such attacks more difficult.

Much of this patch is based on patches suggested by Ard Biesheuvel.

Suggested-by: Ard Biesheuvel
Signed-off-by: Eric Biggers
Reviewed-by: Ard Biesheuvel
Signed-off-by: Herbert Xu