1. 11 2月, 2017 6 次提交
    • A
      crypto: ccm - switch to separate cbcmac driver · f15f05b0
      Ard Biesheuvel 提交于
      Update the generic CCM driver to defer CBC-MAC processing to a
      dedicated CBC-MAC ahash transform rather than open coding this
      transform (and much of the associated scatterwalk plumbing) in
      the CCM driver itself.
      
      This cleans up the code considerably, but more importantly, it allows
      the use of alternative CBC-MAC implementations that don't suffer from
      performance degradation due to significant setup time (e.g., the NEON
      based AES code needs to enable/disable the NEON, and load the S-box
      into 16 SIMD registers, which cannot be amortized over the entire input
      when using the cipher interface)
      Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      f15f05b0
    • A
      crypto: testmgr - add test cases for cbcmac(aes) · 092acf06
      Ard Biesheuvel 提交于
      In preparation of splitting off the CBC-MAC transform in the CCM
      driver into a separate algorithm, define some test cases for the
      AES incarnation of cbcmac.
      Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      092acf06
    • A
      crypto: aes - add generic time invariant AES cipher · b5e0b032
      Ard Biesheuvel 提交于
      Lookup table based AES is sensitive to timing attacks, which is due to
      the fact that such table lookups are data dependent, and the fact that
      8 KB worth of tables covers a significant number of cachelines on any
      architecture, resulting in an exploitable correlation between the key
      and the processing time for known plaintexts.
      
      For network facing algorithms such as CTR, CCM or GCM, this presents a
      security risk, which is why arch specific AES ports are typically time
      invariant, either through the use of special instructions, or by using
      SIMD algorithms that don't rely on table lookups.
      
      For generic code, this is difficult to achieve without losing too much
      performance, but we can improve the situation significantly by switching
      to an implementation that only needs 256 bytes of table data (the actual
      S-box itself), which can be prefetched at the start of each block to
      eliminate data dependent latencies.
      
      This code encrypts at ~25 cycles per byte on ARM Cortex-A57 (while the
      ordinary generic AES driver manages 18 cycles per byte on this
      hardware). Decryption is substantially slower.
      Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      b5e0b032
    • A
      crypto: aes-generic - drop alignment requirement · ec38a937
      Ard Biesheuvel 提交于
      The generic AES code exposes a 32-bit align mask, which forces all
      users of the code to use temporary buffers or take other measures to
      ensure the alignment requirement is adhered to, even on architectures
      that don't care about alignment for software algorithms such as this
      one.
      
      So drop the align mask, and fix the code to use get_unaligned_le32()
      where appropriate, which will resolve to whatever is optimal for the
      architecture.
      Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      ec38a937
    • T
      crypto: sha512-mb - Protect sha512 mb ctx mgr access · c459bd7b
      Tim Chen 提交于
      The flusher and regular multi-buffer computation via mcryptd may race with another.
      Add here a lock and turn off interrupt to to access multi-buffer
      computation state cstate->mgr before a round of computation. This should
      prevent the flusher code jumping in.
      Signed-off-by: NTim Chen <tim.c.chen@linux.intel.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      c459bd7b
    • A
      crypto: arm64/crc32 - merge CRC32 and PMULL instruction based drivers · 5d3d9c8b
      Ard Biesheuvel 提交于
      The PMULL based CRC32 implementation already contains code based on the
      separate, optional CRC32 instructions to fallback to when operating on
      small quantities of data. We can expose these routines directly on systems
      that lack the 64x64 PMULL instructions but do implement the CRC32 ones,
      which makes the driver that is based solely on those CRC32 instructions
      redundant. So remove it.
      
      Note that this aligns arm64 with ARM, whose accelerated CRC32 driver
      also combines the CRC32 extension based and the PMULL based versions.
      Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Tested-by: NMatthias Brugger <mbrugger@suse.com>
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      5d3d9c8b
  2. 03 2月, 2017 34 次提交