mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-01-17 02:15:57 +00:00
f235bc11cc
In aes-neonbs, instead of going through the crypto API for the parts that the bit-sliced AES code doesn't handle, namely AES-CBC encryption and single-block AES, just call the ARM scalar AES cipher directly. This basically goes back to the original approach that was used before commit b56f5cbc7e08 ("crypto: arm/aes-neonbs - resolve fallback cipher at runtime"). Calling the ARM scalar AES cipher directly is faster, simpler, and avoids any chance of bugs specific to the use of fallback ciphers such as module loading deadlocks which have happened twice. The deadlocks turned out to be fixable in other ways, but there's no need to rely on anything so fragile in the first place. The rationale for the above-mentioned commit was to allow people to choose to use a time-invariant AES implementation for the fallback cipher. There are a couple problems with that rationale, though: - In practice the ARM scalar AES cipher (aes-arm) was used anyway, since it has a higher priority than aes-fixed-time. Users *could* go out of their way to disable or blacklist aes-arm, or to lower its priority using NETLINK_CRYPTO, but very few users customize the crypto API to this extent. Systems with the ARMv8 Crypto Extensions used aes-ce, but the bit-sliced algorithms are irrelevant on such systems anyway. - Since commit 913a3aa07d16 ("crypto: arm/aes - add some hardening against cache-timing attacks"), the ARM scalar AES cipher is partially hardened against cache-timing attacks. It actually works like aes-fixed-time, in that it disables interrupts and prefetches its lookup table. It does use a larger table than aes-fixed-time, but even so, it is not clear that aes-fixed-time is meaningfully more time-invariant than aes-arm. And of course, the real solution for time-invariant AES is to use a CPU that supports AES instructions. Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
252 lines
7.4 KiB
Plaintext
252 lines
7.4 KiB
Plaintext
# SPDX-License-Identifier: GPL-2.0
|
|
|
|
menu "Accelerated Cryptographic Algorithms for CPU (arm)"
|
|
|
|
config CRYPTO_CURVE25519_NEON
|
|
tristate "Public key crypto: Curve25519 (NEON)"
|
|
depends on KERNEL_MODE_NEON
|
|
select CRYPTO_LIB_CURVE25519_GENERIC
|
|
select CRYPTO_ARCH_HAVE_LIB_CURVE25519
|
|
help
|
|
Curve25519 algorithm
|
|
|
|
Architecture: arm with
|
|
- NEON (Advanced SIMD) extensions
|
|
|
|
config CRYPTO_GHASH_ARM_CE
|
|
tristate "Hash functions: GHASH (PMULL/NEON/ARMv8 Crypto Extensions)"
|
|
depends on KERNEL_MODE_NEON
|
|
select CRYPTO_AEAD
|
|
select CRYPTO_HASH
|
|
select CRYPTO_CRYPTD
|
|
select CRYPTO_LIB_AES
|
|
select CRYPTO_LIB_GF128MUL
|
|
help
|
|
GCM GHASH function (NIST SP800-38D)
|
|
|
|
Architecture: arm using
|
|
- PMULL (Polynomial Multiply Long) instructions
|
|
- NEON (Advanced SIMD) extensions
|
|
- ARMv8 Crypto Extensions
|
|
|
|
Use an implementation of GHASH (used by the GCM AEAD chaining mode)
|
|
that uses the 64x64 to 128 bit polynomial multiplication (vmull.p64)
|
|
that is part of the ARMv8 Crypto Extensions, or a slower variant that
|
|
uses the vmull.p8 instruction that is part of the basic NEON ISA.
|
|
|
|
config CRYPTO_NHPOLY1305_NEON
|
|
tristate "Hash functions: NHPoly1305 (NEON)"
|
|
depends on KERNEL_MODE_NEON
|
|
select CRYPTO_NHPOLY1305
|
|
help
|
|
NHPoly1305 hash function (Adiantum)
|
|
|
|
Architecture: arm using:
|
|
- NEON (Advanced SIMD) extensions
|
|
|
|
config CRYPTO_POLY1305_ARM
|
|
tristate "Hash functions: Poly1305 (NEON)"
|
|
select CRYPTO_HASH
|
|
select CRYPTO_ARCH_HAVE_LIB_POLY1305
|
|
help
|
|
Poly1305 authenticator algorithm (RFC7539)
|
|
|
|
Architecture: arm optionally using
|
|
- NEON (Advanced SIMD) extensions
|
|
|
|
config CRYPTO_BLAKE2S_ARM
|
|
bool "Hash functions: BLAKE2s"
|
|
select CRYPTO_ARCH_HAVE_LIB_BLAKE2S
|
|
help
|
|
BLAKE2s cryptographic hash function (RFC 7693)
|
|
|
|
Architecture: arm
|
|
|
|
This is faster than the generic implementations of BLAKE2s and
|
|
BLAKE2b, but slower than the NEON implementation of BLAKE2b.
|
|
There is no NEON implementation of BLAKE2s, since NEON doesn't
|
|
really help with it.
|
|
|
|
config CRYPTO_BLAKE2B_NEON
|
|
tristate "Hash functions: BLAKE2b (NEON)"
|
|
depends on KERNEL_MODE_NEON
|
|
select CRYPTO_BLAKE2B
|
|
help
|
|
BLAKE2b cryptographic hash function (RFC 7693)
|
|
|
|
Architecture: arm using
|
|
- NEON (Advanced SIMD) extensions
|
|
|
|
BLAKE2b digest algorithm optimized with ARM NEON instructions.
|
|
On ARM processors that have NEON support but not the ARMv8
|
|
Crypto Extensions, typically this BLAKE2b implementation is
|
|
much faster than the SHA-2 family and slightly faster than
|
|
SHA-1.
|
|
|
|
config CRYPTO_SHA1_ARM
|
|
tristate "Hash functions: SHA-1"
|
|
select CRYPTO_SHA1
|
|
select CRYPTO_HASH
|
|
help
|
|
SHA-1 secure hash algorithm (FIPS 180)
|
|
|
|
Architecture: arm
|
|
|
|
config CRYPTO_SHA1_ARM_NEON
|
|
tristate "Hash functions: SHA-1 (NEON)"
|
|
depends on KERNEL_MODE_NEON
|
|
select CRYPTO_SHA1_ARM
|
|
select CRYPTO_SHA1
|
|
select CRYPTO_HASH
|
|
help
|
|
SHA-1 secure hash algorithm (FIPS 180)
|
|
|
|
Architecture: arm using
|
|
- NEON (Advanced SIMD) extensions
|
|
|
|
config CRYPTO_SHA1_ARM_CE
|
|
tristate "Hash functions: SHA-1 (ARMv8 Crypto Extensions)"
|
|
depends on KERNEL_MODE_NEON
|
|
select CRYPTO_SHA1_ARM
|
|
select CRYPTO_HASH
|
|
help
|
|
SHA-1 secure hash algorithm (FIPS 180)
|
|
|
|
Architecture: arm using ARMv8 Crypto Extensions
|
|
|
|
config CRYPTO_SHA2_ARM_CE
|
|
tristate "Hash functions: SHA-224 and SHA-256 (ARMv8 Crypto Extensions)"
|
|
depends on KERNEL_MODE_NEON
|
|
select CRYPTO_SHA256_ARM
|
|
select CRYPTO_HASH
|
|
help
|
|
SHA-224 and SHA-256 secure hash algorithms (FIPS 180)
|
|
|
|
Architecture: arm using
|
|
- ARMv8 Crypto Extensions
|
|
|
|
config CRYPTO_SHA256_ARM
|
|
tristate "Hash functions: SHA-224 and SHA-256 (NEON)"
|
|
select CRYPTO_HASH
|
|
depends on !CPU_V7M
|
|
help
|
|
SHA-224 and SHA-256 secure hash algorithms (FIPS 180)
|
|
|
|
Architecture: arm using
|
|
- NEON (Advanced SIMD) extensions
|
|
|
|
config CRYPTO_SHA512_ARM
|
|
tristate "Hash functions: SHA-384 and SHA-512 (NEON)"
|
|
select CRYPTO_HASH
|
|
depends on !CPU_V7M
|
|
help
|
|
SHA-384 and SHA-512 secure hash algorithms (FIPS 180)
|
|
|
|
Architecture: arm using
|
|
- NEON (Advanced SIMD) extensions
|
|
|
|
config CRYPTO_AES_ARM
|
|
tristate "Ciphers: AES"
|
|
select CRYPTO_ALGAPI
|
|
select CRYPTO_AES
|
|
help
|
|
Block ciphers: AES cipher algorithms (FIPS-197)
|
|
|
|
Architecture: arm
|
|
|
|
On ARM processors without the Crypto Extensions, this is the
|
|
fastest AES implementation for single blocks. For multiple
|
|
blocks, the NEON bit-sliced implementation is usually faster.
|
|
|
|
This implementation may be vulnerable to cache timing attacks,
|
|
since it uses lookup tables. However, as countermeasures it
|
|
disables IRQs and preloads the tables; it is hoped this makes
|
|
such attacks very difficult.
|
|
|
|
config CRYPTO_AES_ARM_BS
|
|
tristate "Ciphers: AES, modes: ECB/CBC/CTR/XTS (bit-sliced NEON)"
|
|
depends on KERNEL_MODE_NEON
|
|
select CRYPTO_AES_ARM
|
|
select CRYPTO_SKCIPHER
|
|
select CRYPTO_LIB_AES
|
|
select CRYPTO_SIMD
|
|
help
|
|
Length-preserving ciphers: AES cipher algorithms (FIPS-197)
|
|
with block cipher modes:
|
|
- ECB (Electronic Codebook) mode (NIST SP800-38A)
|
|
- CBC (Cipher Block Chaining) mode (NIST SP800-38A)
|
|
- CTR (Counter) mode (NIST SP800-38A)
|
|
- XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
|
|
and IEEE 1619)
|
|
|
|
Bit sliced AES gives around 45% speedup on Cortex-A15 for CTR mode
|
|
and for XTS mode encryption, CBC and XTS mode decryption speedup is
|
|
around 25%. (CBC encryption speed is not affected by this driver.)
|
|
|
|
The bit sliced AES code does not use lookup tables, so it is believed
|
|
to be invulnerable to cache timing attacks. However, since the bit
|
|
sliced AES code cannot process single blocks efficiently, in certain
|
|
cases table-based code with some countermeasures against cache timing
|
|
attacks will still be used as a fallback method; specifically CBC
|
|
encryption (not CBC decryption), the encryption of XTS tweaks, XTS
|
|
ciphertext stealing when the message isn't a multiple of 16 bytes, and
|
|
CTR when invoked in a context in which NEON instructions are unusable.
|
|
|
|
config CRYPTO_AES_ARM_CE
|
|
tristate "Ciphers: AES, modes: ECB/CBC/CTS/CTR/XTS (ARMv8 Crypto Extensions)"
|
|
depends on KERNEL_MODE_NEON
|
|
select CRYPTO_SKCIPHER
|
|
select CRYPTO_LIB_AES
|
|
select CRYPTO_SIMD
|
|
help
|
|
Length-preserving ciphers: AES cipher algorithms (FIPS-197)
|
|
with block cipher modes:
|
|
- ECB (Electronic Codebook) mode (NIST SP800-38A)
|
|
- CBC (Cipher Block Chaining) mode (NIST SP800-38A)
|
|
- CTR (Counter) mode (NIST SP800-38A)
|
|
- CTS (Cipher Text Stealing) mode (NIST SP800-38A)
|
|
- XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E
|
|
and IEEE 1619)
|
|
|
|
Architecture: arm using:
|
|
- ARMv8 Crypto Extensions
|
|
|
|
config CRYPTO_CHACHA20_NEON
|
|
tristate "Ciphers: ChaCha20, XChaCha20, XChaCha12 (NEON)"
|
|
select CRYPTO_SKCIPHER
|
|
select CRYPTO_ARCH_HAVE_LIB_CHACHA
|
|
help
|
|
Length-preserving ciphers: ChaCha20, XChaCha20, and XChaCha12
|
|
stream cipher algorithms
|
|
|
|
Architecture: arm using:
|
|
- NEON (Advanced SIMD) extensions
|
|
|
|
config CRYPTO_CRC32_ARM_CE
|
|
tristate "CRC32C and CRC32"
|
|
depends on KERNEL_MODE_NEON
|
|
depends on CRC32
|
|
select CRYPTO_HASH
|
|
help
|
|
CRC32c CRC algorithm with the iSCSI polynomial (RFC 3385 and RFC 3720)
|
|
and CRC32 CRC algorithm (IEEE 802.3)
|
|
|
|
Architecture: arm using:
|
|
- CRC and/or PMULL instructions
|
|
|
|
Drivers: crc32-arm-ce and crc32c-arm-ce
|
|
|
|
config CRYPTO_CRCT10DIF_ARM_CE
|
|
tristate "CRCT10DIF"
|
|
depends on KERNEL_MODE_NEON
|
|
depends on CRC_T10DIF
|
|
select CRYPTO_HASH
|
|
help
|
|
CRC16 CRC algorithm used for the T10 (SCSI) Data Integrity Field (DIF)
|
|
|
|
Architecture: arm using:
|
|
- PMULL (Polynomial Multiply Long) instructions
|
|
|
|
endmenu
|
|
|