On Mon, 5 Jan 2026 at 06:14, Eric Biggers <[email protected]> wrote: > > This series applies to libcrypto-next. It can also be retrieved from: > > git fetch > https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git aes-lib-v1 > > This series makes three main improvements to the kernel's AES library: > > 1. Make it use the kernel's existing architecture-optimized AES code, > including AES instructions, when available. Previously, only the > traditional crypto API gave access to the optimized AES code. > (As a reminder, AES instructions typically make AES over 10 times > as fast as the generic code. They also make it constant-time.) > > 2. Support preparing an AES key for only the forward direction of the > block cipher, using about half as much memory. This is a helpful > optimization for many common AES modes of operation. It also helps > keep structs small enough to be allocated on the stack, especially > considering potential future library APIs for AES modes. > > 3. Replace the library's generic AES implementation with a much faster > one that is almost as fast as "aes-generic", while still keeping > the table size reasonably small and maintaining some constant-time > hardening. This allows removing "aes-generic", unifying the > current two generic AES implementations in the kernel tree. >
Architectures that support memory operands will be impacted by dropping the pre-rotated lookup tables, especially if they have few GPRs. I suspect that doesn't really matter in practice: if your pre-AESNI IA-32 workload has a bottleneck on "aes-generic", you would have probably moved it to a different machine by now. But the performance delta will likely be noticeable so it is something that deserves a mention. > (1) and (2) end up being interrelated: the existing > 'struct crypto_aes_ctx' does not work for either one (in general). > Thus, this series reworks the AES library to be based around new data > types 'struct aes_key' and 'struct aes_enckey'. > > As has been the case for other algorithms, to achieve (1) without > duplicating the architecture-optimized code, it had to be moved into > lib/crypto/ rather than copied. To allow actually removing the > arch-specific crypto_cipher "aes" algorithms, a consolidated "aes-lib" > crypto_cipher algorithm which simply wraps the library is also added. > That's most easily done with it replacing "aes-generic" too, so that is > done too. (That's another reason for doing (3) at the same time.) > > As usual, care is taken to support all the existing arch-optimized code. > This makes it possible for users of the traditional crypto API to switch > to the library API, which is generally much easier to use, without being > concerned about performance regressions. > > That being said, this series only deals with the bare (single-block) AES > library. Future patchsets are expected to build on this work to provide > architecture-optimized library APIs for specific AES modes of operation. > > Eric Biggers (36): > crypto: powerpc/aes - Rename struct aes_key > lib/crypto: aes: Introduce improved AES library > crypto: arm/aes-neonbs - Use AES library for single blocks > crypto: arm/aes - Switch to aes_enc_tab[] and aes_dec_tab[] > crypto: arm64/aes - Switch to aes_enc_tab[] and aes_dec_tab[] > crypto: arm64/aes - Select CRYPTO_LIB_SHA256 from correct places > crypto: aegis - Switch from crypto_ft_tab[] to aes_enc_tab[] > crypto: aes - Remove aes-fixed-time / CONFIG_CRYPTO_AES_TI > crypto: aes - Replace aes-generic with wrapper around lib > lib/crypto: arm/aes: Migrate optimized code into library > lib/crypto: arm64/aes: Migrate optimized code into library > lib/crypto: powerpc/aes: Migrate SPE optimized code into library > lib/crypto: powerpc/aes: Migrate POWER8 optimized code into library > lib/crypto: riscv/aes: Migrate optimized code into library > lib/crypto: s390/aes: Migrate optimized code into library > lib/crypto: sparc/aes: Migrate optimized code into library > lib/crypto: x86/aes: Add AES-NI optimization > crypto: x86/aes - Remove the superseded AES-NI crypto_cipher > Bluetooth: SMP: Use new AES library API > chelsio: Use new AES library API > net: phy: mscc: macsec: Use new AES library API > staging: rtl8723bs: core: Use new AES library API > crypto: arm/ghash - Use new AES library API > crypto: arm64/ghash - Use new AES library API > crypto: x86/aes-gcm - Use new AES library API > crypto: ccp - Use new AES library API > crypto: chelsio - Use new AES library API > crypto: crypto4xx - Use new AES library API > crypto: drbg - Use new AES library API > crypto: inside-secure - Use new AES library API > crypto: omap - Use new AES library API > lib/crypto: aescfb: Use new AES library API > lib/crypto: aesgcm: Use new AES library API > lib/crypto: aes: Remove old AES en/decryption functions > lib/crypto: aes: Drop "_new" suffix from en/decryption functions > lib/crypto: aes: Drop 'volatile' from aes_sbox and aes_inv_sbox > Nice cleanup Acked-by: Ard Biesheuvel <[email protected]>
