crypto: aes - Remove aes-fixed-time / CONFIG_CRYPTO_AES_TI

Remove aes-fixed-time, i.e. CONFIG_CRYPTO_AES_TI. This was a wrapper
around the 256-byte-table-based AES implementation in lib/crypto/aes.c,
with extra code to enable and disable IRQs for constant-time hardening.

While nice in theory, in practice this had the following issues:

- For bulk en/decryption it was 2-4 times slower than aes-generic. This
resulted in aes-generic still being needed, creating fragmentation.

- Having both aes-generic and aes-fixed-time punted an AES
implementation decision to distros and users who are generally
unprepared to handle it. In practice, whether aes-fixed-time gets
used tends to be incidental and not match an explicit distro or user
intent. (While aes-fixed-time has a higher priority than aes-generic,
whether it actually gets enabled, loaded, and used depends on the
kconfig and whether a modprobe of "aes" happens to be done. It also
has a lower priority than aes-arm and aes-arm64.)

- My changes to the generic AES code (in other commits) significantly
close the gap with aes-fixed-time anyway. The table size is reduced
from 8192 bytes to 1024 bytes, and prefetching is added.

- While AES code *should* be constant-time, the real solutions for that
are AES instructions (which most CPUs have now) or bit-slicing. arm
and arm64 already have bit-sliced AES code for many modes; generic
bit-sliced code could be written but would be very slow for single
blocks. Overall, I suggest that trying to write constant-time
table-based AES code is a bit futile anyway, and in the rare cases
where a proper AES implementation is still unavailable it's reasonable
to compromise with an implementation that simply prefetches the table.

Thus, this commit removes aes-fixed-time and CONFIG_CRYPTO_AES_TI. The
replacement is just the existing CONFIG_CRYPTO_AES, which for now maps
to the existing aes-generic code, but I'll soon be changing to use the
improved AES library code instead.

Acked-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20260112192035.10427-9-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>

+2 -119
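--- a/arch/m68k/configs/amiga_defconfig
+++ b/arch/m68k/configs/amiga_defconfig
@@ -555,7 +555,6 @@
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
 CONFIG_CRYPTO_AES=y
-CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m
 CONFIG_CRYPTO_ARIA=m
 CONFIG_CRYPTO_BLOWFISH=m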
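--- a/arch/m68k/configs/apollo_defconfig
+++ b/arch/m68k/configs/apollo_defconfig
@@ -512,7 +512,6 @@
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
 CONFIG_CRYPTO_AES=y
-CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m
 CONFIG_CRYPTO_ARIA=m
 CONFIG_CRYPTO_BLOWFISH=m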
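--- a/arch/m68k/configs/atari_defconfig
+++ b/arch/m68k/configs/atari_defconfig
@@ -532,7 +532,6 @@
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
 CONFIG_CRYPTO_AES=y
-CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m
 CONFIG_CRYPTO_ARIA=m
 CONFIG_CRYPTO_BLOWFISH=m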
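--- a/arch/m68k/configs/bvme6000_defconfig
+++ b/arch/m68k/configs/bvme6000_defconfig
@@ -504,7 +504,6 @@
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
 CONFIG_CRYPTO_AES=y
-CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m
 CONFIG_CRYPTO_ARIA=m
 CONFIG_CRYPTO_BLOWFISH=m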
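--- a/arch/m68k/configs/hp300_defconfig
+++ b/arch/m68k/configs/hp300_defconfig
@@ -514,7 +514,6 @@
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
 CONFIG_CRYPTO_AES=y
-CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m
 CONFIG_CRYPTO_ARIA=m
 CONFIG_CRYPTO_BLOWFISH=m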
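--- a/arch/m68k/configs/mac_defconfig
+++ b/arch/m68k/configs/mac_defconfig
@@ -531,7 +531,6 @@
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
 CONFIG_CRYPTO_AES=y
-CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m
 CONFIG_CRYPTO_ARIA=m
 CONFIG_CRYPTO_BLOWFISH=m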
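--- a/arch/m68k/configs/multi_defconfig
+++ b/arch/m68k/configs/multi_defconfig
@@ -618,7 +618,6 @@
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
 CONFIG_CRYPTO_AES=y
-CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m
 CONFIG_CRYPTO_ARIA=m
 CONFIG_CRYPTO_BLOWFISH=m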
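--- a/arch/m68k/configs/mvme147_defconfig
+++ b/arch/m68k/configs/mvme147_defconfig
@@ -504,7 +504,6 @@
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
 CONFIG_CRYPTO_AES=y
-CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m
 CONFIG_CRYPTO_ARIA=m
 CONFIG_CRYPTO_BLOWFISH=m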
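--- a/arch/m68k/configs/mvme16x_defconfig
+++ b/arch/m68k/configs/mvme16x_defconfig
@@ -505,7 +505,6 @@
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
 CONFIG_CRYPTO_AES=y
-CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m
 CONFIG_CRYPTO_ARIA=m
 CONFIG_CRYPTO_BLOWFISH=m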
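--- a/arch/m68k/configs/q40_defconfig
+++ b/arch/m68k/configs/q40_defconfig
@@ -521,7 +521,6 @@
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
 CONFIG_CRYPTO_AES=y
-CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m
 CONFIG_CRYPTO_ARIA=m
 CONFIG_CRYPTO_BLOWFISH=m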
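--- a/arch/m68k/configs/sun3_defconfig
+++ b/arch/m68k/configs/sun3_defconfig
@@ -502,7 +502,6 @@
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
 CONFIG_CRYPTO_AES=y
-CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m
 CONFIG_CRYPTO_ARIA=m
 CONFIG_CRYPTO_BLOWFISH=m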
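--- a/arch/m68k/configs/sun3x_defconfig
+++ b/arch/m68k/configs/sun3x_defconfig
@@ -502,7 +502,6 @@
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
 CONFIG_CRYPTO_AES=y
-CONFIG_CRYPTO_AES_TI=m
 CONFIG_CRYPTO_ANUBIS=m
 CONFIG_CRYPTO_ARIA=m
 CONFIG_CRYPTO_BLOWFISH=m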
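--- a/arch/s390/configs/debug_defconfig
+++ b/arch/s390/configs/debug_defconfig
@@ -770,7 +770,7 @@
 CONFIG_CRYPTO_ECDH=m
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
-CONFIG_CRYPTO_AES_TI=m
+CONFIG_CRYPTO_AES=m
 CONFIG_CRYPTO_ANUBIS=m
 CONFIG_CRYPTO_ARIA=m
 CONFIG_CRYPTO_BLOWFISH=m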
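Review bot: The one-for-one substitution of `CONFIG_CRYPTO_AES=m` for `CONFIG_CRYPTO_AES_TI=m` here, and likewise in arch/s390/configs/defconfig, keeps an "aes" cipher in these two defconfigs, but the crypto/Kconfig hunk removes the symbol outright with no migration, so an existing .config that only had CRYPTO_AES_TI=m will drop it silently on olddefconfig and retain an AES cipher only if some other symbol selects CRYPTO_AES. Whether that holds for a given s390 build depends on symbols not visible in this hunk. If the missing migration is intentional, a one-line mention in the commit message ("users of CRYPTO_AES_TI should enable CRYPTO_AES") would save people a surprise.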
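--- a/arch/s390/configs/defconfig
+++ b/arch/s390/configs/defconfig
@@ -754,7 +754,7 @@
 CONFIG_CRYPTO_ECDH=m
 CONFIG_CRYPTO_ECDSA=m
 CONFIG_CRYPTO_ECRDSA=m
-CONFIG_CRYPTO_AES_TI=m
+CONFIG_CRYPTO_AES=m
 CONFIG_CRYPTO_ANUBIS=m
 CONFIG_CRYPTO_ARIA=m
 CONFIG_CRYPTO_BLOWFISH=m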
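--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -366,27 +366,6 @@
 
 	  The AES specifies three key sizes: 128, 192 and 256 bits
 
-config CRYPTO_AES_TI
-	tristate "AES (Advanced Encryption Standard) (fixed time)"
-	select CRYPTO_ALGAPI
-	select CRYPTO_LIB_AES
-	help
-	  AES cipher algorithms (Rijndael)(FIPS-197, ISO/IEC 18033-3)
-
-	  This is a generic implementation of AES that attempts to eliminate
-	  data dependent latencies as much as possible without affecting
-	  performance too much. It is intended for use by the generic CCM
-	  and GCM drivers, and other CTR or CMAC/XCBC based modes that rely
-	  solely on encryption (although decryption is supported as well, but
-	  with a more dramatic performance hit)
-
-	  Instead of using 16 lookup tables of 1 KB each, (8 for encryption and
-	  8 for decryption), this implementation only uses just two S-boxes of
-	  256 bytes each, and attempts to eliminate data dependent latencies by
-	  prefetching the entire table into the cache at the start of each
-	  block. Interrupts are also disabled to avoid races where cachelines
-	  are evicted when the CPU is interrupted to do something else.
-
 config CRYPTO_ANUBIS
 	tristate "Anubis"
 	depends on CRYPTO_USER_API_ENABLE_OBSOLETE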
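--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -134,7 +134,6 @@
 CFLAGS_aes_generic.o := $(call cc-option,-fno-code-hoisting) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83356
 obj-$(CONFIG_CRYPTO_SM4) += sm4.o
 obj-$(CONFIG_CRYPTO_SM4_GENERIC) += sm4_generic.o
-obj-$(CONFIG_CRYPTO_AES_TI) += aes_ti.o
 obj-$(CONFIG_CRYPTO_CAMELLIA) += camellia_generic.o
 obj-$(CONFIG_CRYPTO_CAST_COMMON) += cast_common.o
 obj-$(CONFIG_CRYPTO_CAST5) += cast5_generic.o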
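--- a/crypto/aes_ti.c
+++ /dev/null
@@ -1,83 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0-only
-/*
- * Scalar fixed time AES core transform
- *
- * Copyright (C) 2017 Linaro Ltd <ard.biesheuvel@linaro.org>
- */
-
-#include <crypto/aes.h>
-#include <crypto/algapi.h>
-#include <linux/module.h>
-
-static int aesti_set_key(struct crypto_tfm *tfm, const u8 *in_key,
-			 unsigned int key_len)
-{
-	struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm);
-
-	return aes_expandkey(ctx, in_key, key_len);
-}
-
-static void aesti_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
-{
-	const struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm);
-	unsigned long flags;
-
-	/*
-	 * Temporarily disable interrupts to avoid races where cachelines are
-	 * evicted when the CPU is interrupted to do something else.
-	 */
-	local_irq_save(flags);
-
-	aes_encrypt(ctx, out, in);
-
-	local_irq_restore(flags);
-}
-
-static void aesti_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
-{
-	const struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm);
-	unsigned long flags;
-
-	/*
-	 * Temporarily disable interrupts to avoid races where cachelines are
-	 * evicted when the CPU is interrupted to do something else.
-	 */
-	local_irq_save(flags);
-
-	aes_decrypt(ctx, out, in);
-
-	local_irq_restore(flags);
-}
-
-static struct crypto_alg aes_alg = {
-	.cra_name = "aes",
-	.cra_driver_name = "aes-fixed-time",
-	.cra_priority = 100 + 1,
-	.cra_flags = CRYPTO_ALG_TYPE_CIPHER,
-	.cra_blocksize = AES_BLOCK_SIZE,
-	.cra_ctxsize = sizeof(struct crypto_aes_ctx),
-	.cra_module = THIS_MODULE,
-
-	.cra_cipher.cia_min_keysize = AES_MIN_KEY_SIZE,
-	.cra_cipher.cia_max_keysize = AES_MAX_KEY_SIZE,
-	.cra_cipher.cia_setkey = aesti_set_key,
-	.cra_cipher.cia_encrypt = aesti_encrypt,
-	.cra_cipher.cia_decrypt = aesti_decrypt
-};
-
-static int __init aes_init(void)
-{
-	return crypto_register_alg(&aes_alg);
-}
-
-static void __exit aes_fini(void)
-{
-	crypto_unregister_alg(&aes_alg);
-}
-
-module_init(aes_init);
-module_exit(aes_fini);
-
-MODULE_DESCRIPTION("Generic fixed time AES");
-MODULE_AUTHOR("Ard Biesheuvel <ard.biesheuvel@linaro.org>");
-MODULE_LICENSE("GPL v2");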