RE: [PATCH v1 2/7] AES for PPC/SPE - aes tables
From: linux-crypto-ow...@vger.kernel.org [linux-crypto-ow...@vger.kernel.org] on behalf of Segher Boessenkool [seg...@kernel.crashing.org]
Sent: Monday, 16 February 2015 15:37
To: David Laight
Cc: Markus Stockhausen; linux-crypto@vger.kernel.org; linuxppc-...@lists.ozlabs.org
Subject: Re: [PATCH v1 2/7] AES for PPC/SPE - aes tables

> On Mon, Feb 16, 2015 at 02:19:50PM +, David Laight wrote:
> > From: Markus Stockhausen
> > > 4K AES tables for big endian
> >
> > I can't help feeling that you could give more information about how the values are generated.
>
> ... and an explanation of why this does not open you up to a timing attack?

Good points, the tables are only big endian reversed ones of those found in crypto/aes_generic.c.

Regarding timing attacks: I understand that reducing AES table sizes for a constant AES processing time is important to avoid cache timing attacks. Hopefully the following points will mitigate the concern.

Target architectures are low performance e500 cores without available caam features. These can currently use only the aes-generic module. That one depends on 16K T-tables: 2*4K for encryption and 2*4K for decryption. The new module reduces the T-table sizes to 8K+256 bytes. Far away from a minimal 256 byte S-BOX but at least an improvement.

To narrow it down further: intended use is for cheap routers. So no multiuser environments where a malicious process could drive complex flush+reload attacks. In case someone gains unallowed access there will be a lot of other and simpler ways to compromise the system.

In case that is sufficient for you I will add respective notes into a patch v2.

Markus

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden. E-mails sent over the internet may have been written under a wrong name or been manipulated. That is why this message sent as an e-mail is not a legally binding declaration of intention.
Collogia Unternehmensberatung AG, Ubierring 11, D-50678 Köln. Executive board: Kadir Akin, Dr. Michael Höhnerbach. President of the supervisory board: Hans Kristian Langva. Registry office: district court Cologne. Register number: HRB 52 497
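David's request for a reference to where the table values come from, and for a generator rather than a hand-typed listing of the rotated copies, can be met with a short script. What follows is an added example (not code from the patch or from crypto/aes_generic.c) that rebuilds both 4K tables and the 256-byte inverse S-box from FIPS-197 and emits them in the patch's assembler syntax; helper names are this example's own, and the 16-byte row layout is taken from the hunk's header comment and its first entries.

```python
# Added example (not code from the patch or from crypto/aes_generic.c): rebuild
# the 4K tables from FIPS-197 first principles so the values in the hunk can be
# checked and regenerated. Helper names (build_sbox, enc_row, emit_table, ...)
# are this example's own.
#
# Row layout reproduced from the patch: index i owns one 16-byte row holding
# the four byte rotations of its T-table word, so a 4K-aligned base register
# plus an 8-bit insert (i*16 into the low 12 bits) addresses the row and the
# rotations sit at offsets 0/4/8/12. Big-endian byte 8 of an encryption row is
# S[i] itself, which is why the core fetches the forward S-box with a byte
# load at offset 8 and only the inverse S-box needs its own 256-byte table.

def xtime(b):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    b <<= 1
    return (b ^ 0x11b) & 0xff if b & 0x100 else b


def gf_mul(a, b):
    """Shift-and-add multiplication in GF(2^8)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = xtime(a), b >> 1
    return r


def gf_inv(a):
    """Multiplicative inverse in GF(2^8) by search; inv(0) is defined as 0."""
    return next((x for x in range(1, 256) if gf_mul(a, x) == 1), 0)


def build_sbox():
    """FIPS-197 S-box: field inverse followed by the affine map (sec. 5.1.1)."""
    sbox = []
    for i in range(256):
        x = gf_inv(i)
        y = x
        for r in range(1, 5):  # x ^ rotl(x,1) ^ rotl(x,2) ^ rotl(x,3) ^ rotl(x,4)
            y ^= ((x << r) | (x >> (8 - r))) & 0xff
        sbox.append(y ^ 0x63)
    return sbox


SBOX = build_sbox()
INV_SBOX = [0] * 256
for _i, _s in enumerate(SBOX):
    INV_SBOX[_s] = _i


def enc_word(i):
    """Forward T0[i]: bytes (2*S[i], S[i], S[i], 3*S[i]) read big-endian."""
    s = SBOX[i]
    return (gf_mul(s, 2) << 24) | (s << 16) | (s << 8) | gf_mul(s, 3)


def dec_word(i):
    """Inverse Td0[i]: bytes (14*Si, 9*Si, 13*Si, 11*Si) with Si = InvS[i]."""
    s = INV_SBOX[i]
    return ((gf_mul(s, 14) << 24) | (gf_mul(s, 9) << 16)
            | (gf_mul(s, 13) << 8) | gf_mul(s, 11))


def rotations(w):
    """The four right rotations by 0/8/16/24 bits that make up one table row."""
    return [((w >> (8 * k)) | (w << (32 - 8 * k))) & 0xffffffff for k in range(4)]


def enc_row(i):
    return rotations(enc_word(i))


def dec_row(i):
    return rotations(dec_word(i))


def enc_table_image():
    """The 4096-byte PPC_AES_4K_ENCTAB image as the big-endian .data section holds it."""
    return b"".join(w.to_bytes(4, "big") for i in range(256) for w in enc_row(i))


def sbox_via_row_offset_8(i):
    """What a byte load at offset 8 of row i returns: the forward S-box entry S[i]."""
    return b"".join(w.to_bytes(4, "big") for w in enc_row(i))[8]


def emit_table(label, row_fn):
    """Render a table in the assembler syntax the patch uses (one .long per row)."""
    lines = [".globl %s" % label, "%s:" % label]
    lines += ["\t.long " + ",".join("0x%08x" % w for w in row_fn(i)) for i in range(256)]
    return "\n".join(lines)


def emit_inv_sbox():
    """The third, 256-byte dataset of the patch: the inverse S-box, 8 bytes per line."""
    return "\n".join("\t.byte " + ", ".join("0x%02x" % b for b in INV_SBOX[i:i + 8])
                     for i in range(0, 256, 8))


if __name__ == "__main__":
    print(emit_table("PPC_AES_4K_ENCTAB", enc_row).splitlines()[2])  # row 0 of the hunk
    print(emit_table("PPC_AES_4K_DECTAB", dec_row).splitlines()[2])
    print(emit_inv_sbox().splitlines()[0])
```

Running the script prints the first row of each table and the first inverse S-box line, which can be diffed against the patch; a full regenerated aes-tab-4k.S is `emit_table(...)` for both labels followed by `emit_inv_sbox()`.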
RE: [PATCH v1 2/7] AES for PPC/SPE - aes tables
> From: Markus Stockhausen
> 4K AES tables for big endian

I can't help feeling that you could give more information about how the values are generated.

...
> + * These big endian AES encryption/decryption tables are designed to be simply
> + * accessed by a combination of rlwimi/lwz instructions with a minimum
> + * of table registers (usually only one required). Thus they are aligned to
> + * 4K. The locality of rotated values is derived from the reduced offsets that
> + * are available in the SPE load instructions. E.g. evldw, evlwwsplat, ...
> + *
> + */
> +.data
> +.align 12
> +.globl PPC_AES_4K_ENCTAB
> +PPC_AES_4K_ENCTAB:
> + .long 0xc66363a5,0xa5c66363,0x63a5c663,0x6363a5c6

These seem to be byte rotates (all down the table).
If so then use a CPP define to generate the rotated values.
I'd like to see a reference to where the values themselves come from.

> + .long 0xf87c7c84,0x84f87c7c,0x7c84f87c,0x7c7c84f8
...
> + .long 0x6dd6,0xd66d,0xbbd66dbb,0xd66d
> + .long 0x2c16163a,0x3a2c1616,0x163a2c16,0x16163a2c
> +.globl PPC_AES_4K_DECTAB
> +PPC_AES_4K_DECTAB:
> + .long 0x51f4a750,0x5051f4a7,0xa75051f4,0xf4a75051
...
> + .long 0xd0b85742,0x42d0b857,0x5742d0b8,0xb85742d0

Some explanation of this third dataset is also needed.

> + .byte 0x52, 0x09, 0x6a, 0xd5, 0x30, 0x36, 0xa5, 0x38
...
> + .byte 0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d

David
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
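Review bot: the two open questions on this quoted hunk can be answered from the values themselves, and the answers belong in the file's header comment rather than in the thread. The third dataset (`.byte 0x52, 0x09, 0x6a, 0xd5, ...` through `0xe1, 0x69, 0x14, 0x63, 0x55, 0x21, 0x0c, 0x7d`) is the AES inverse S-box in FIPS-197 order, and there is no separate forward S-box because the third word of each 16-byte encryption row (`0x63a5c663` for index 0, `0x7c84f87c` for index 1) starts with S[i], so a byte load at offset 8 of a row yields the S-box entry. The rotated copies are derived data; an assembler macro that expands one word into its four rotations, as suggested, would also make a typo in the 256-row listings mechanically impossible.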
[PATCH 4/4] hw_random: bcm63xx-rng: use devm_* helpers
Simplify the driver's probe function and error handling by using the device managed allocators, while at it, drop the redundant out of memory messages since these are already printed by the allocator. Signed-off-by: Florian Fainelli f.faine...@gmail.com --- drivers/char/hw_random/bcm63xx-rng.c | 20 ++-- 1 file changed, 6 insertions(+), 14 deletions(-) diff --git a/drivers/char/hw_random/bcm63xx-rng.c b/drivers/char/hw_random/bcm63xx-rng.c index c7f3af852599..27da00f68c8f 100644 --- a/drivers/char/hw_random/bcm63xx-rng.c +++ b/drivers/char/hw_random/bcm63xx-rng.c @@ -83,18 +83,16 @@ static int bcm63xx_rng_probe(struct platform_device *pdev) goto out; } - priv = kzalloc(sizeof(*priv), GFP_KERNEL); + priv = devm_kzalloc(pdev-dev, sizeof(*priv), GFP_KERNEL); if (!priv) { - dev_err(pdev-dev, no memory for private structure\n); ret = -ENOMEM; goto out; } - rng = kzalloc(sizeof(*rng), GFP_KERNEL); + rng = devm_kzalloc(pdev-dev, sizeof(*rng), GFP_KERNEL); if (!rng) { - dev_err(pdev-dev, no memory for rng structure\n); ret = -ENOMEM; - goto out_free_priv; + goto out; } platform_set_drvdata(pdev, rng); @@ -109,7 +107,7 @@ static int bcm63xx_rng_probe(struct platform_device *pdev) if (IS_ERR(clk)) { dev_err(pdev-dev, no clock for device\n); ret = PTR_ERR(clk); - goto out_free_rng; + goto out; } priv-clk = clk; @@ -118,7 +116,7 @@ static int bcm63xx_rng_probe(struct platform_device *pdev) resource_size(r), pdev-name)) { dev_err(pdev-dev, request mem failed); ret = -ENOMEM; - goto out_free_rng; + goto out; } priv-regs = devm_ioremap_nocache(pdev-dev, r-start, @@ -126,7 +124,7 @@ static int bcm63xx_rng_probe(struct platform_device *pdev) if (!priv-regs) { dev_err(pdev-dev, ioremap failed); ret = -ENOMEM; - goto out_free_rng; + goto out; } clk_enable(clk); @@ -143,10 +141,6 @@ static int bcm63xx_rng_probe(struct platform_device *pdev) out_clk_disable: clk_disable(clk); -out_free_rng: - kfree(rng); -out_free_priv: - kfree(priv); out: return ret; } 
@@ -158,8 +152,6 @@ static int bcm63xx_rng_remove(struct platform_device *pdev) hwrng_unregister(rng); clk_disable(priv-clk); - kfree(priv); - kfree(rng); return 0; } -- 2.1.0
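Review bot: with both allocations now device-managed, the three remaining `ret = -ENOMEM; goto out;` sequences in the probe hunks (and the `goto out` after `ret = PTR_ERR(clk)`) only ever reach `out: return ret;`, so they can become direct `return -ENOMEM;` / `return PTR_ERR(clk);` statements and the `out` label can go the way of `out_free_rng` and `out_free_priv`. The `if (IS_ERR(clk))` context also shows the clock is still obtained with an unmanaged call while no clk_put appears in any visible line; converting it to devm_clk_get() in the same series would complete the devm conversion the commit message describes and keep the remove path, which after the second hunk only unregisters and disables the clock, symmetrical with probe.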
[PATCH 2/4] hw_random: bcm63xx-rng: move register definitions to driver
arch/mips/include/asm/mach-bcm63xx/bcm63xx_regs.h contains the register definitions for this random number generator block, incorporate these register definitions directly into the bcm63xx-rng driver so we do not rely on this header to be provided.

Signed-off-by: Florian Fainelli f.faine...@gmail.com

--- drivers/char/hw_random/bcm63xx-rng.c | 10 +- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/drivers/char/hw_random/bcm63xx-rng.c b/drivers/char/hw_random/bcm63xx-rng.c index ed9b28b35a39..c7f3af852599 100644 --- a/drivers/char/hw_random/bcm63xx-rng.c +++ b/drivers/char/hw_random/bcm63xx-rng.c @@ -13,7 +13,15 @@ #include linux/platform_device.h #include linux/hw_random.h -#include bcm63xx_regs.h +#define RNG_CTRL 0x00 +#define RNG_EN (1 0) + +#define RNG_STAT 0x04 +#define RNG_AVAIL_MASK (0xff00) + +#define RNG_DATA 0x08 +#define RNG_THRES 0x0c +#define RNG_MASK 0x10 struct bcm63xx_rng_priv { struct clk *clk; -- 2.1.0
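Review bot: dropping `-#include bcm63xx_regs.h` in the same hunk that adds the RNG_* macros is what keeps this patch bisectable on its own (the header still defines the same macros until patch 3/4, so keeping the include would trigger redefinition warnings); that ordering dependency deserves one sentence in the commit message. The comment `_REG relative to RSET_RNG` that patch 3/4 deletes from the header is not carried over here, so a reader of the driver no longer sees that these offsets are relative to the RNG register-set base; please add it above the new defines.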
[PATCH 3/4] MIPS: BCM63xx: remove RSET_RNG register definitions
Now that these definitions have been moved to drivers/char/hw_random/bcm63xx-rng.c where they belong to make the driver standalone, we can safely remove these definitions from bcm63xx_regs.h.

Signed-off-by: Florian Fainelli f.faine...@gmail.com

--- arch/mips/include/asm/mach-bcm63xx/bcm63xx_regs.h | 14 -- 1 file changed, 14 deletions(-) diff --git a/arch/mips/include/asm/mach-bcm63xx/bcm63xx_regs.h b/arch/mips/include/asm/mach-bcm63xx/bcm63xx_regs.h index 4794067cb5a7..5035f09c5427 100644 --- a/arch/mips/include/asm/mach-bcm63xx/bcm63xx_regs.h +++ b/arch/mips/include/asm/mach-bcm63xx/bcm63xx_regs.h @@ -1259,20 +1259,6 @@ #define M2M_DSTID_REG(x) ((x) * 0x40 + 0x18) /* - * _REG relative to RSET_RNG - */ - -#define RNG_CTRL 0x00 -#define RNG_EN (1 0) - -#define RNG_STAT 0x04 -#define RNG_AVAIL_MASK (0xff00) - -#define RNG_DATA 0x08 -#define RNG_THRES 0x0c -#define RNG_MASK 0x10 - -/* * _REG relative to RSET_SPI */ -- 2.1.0
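Review bot: the commit message says the definitions can be removed safely, but the hunk only shows the header side; please state in the message that no other user of RNG_CTRL/RNG_EN/RNG_STAT/RNG_AVAIL_MASK/RNG_DATA/RNG_THRES/RNG_MASK remains under arch/mips (a `git grep` result would do), and that this patch must not be applied before 2/4, since reordering would leave the driver without any definition of those macros. The effect on the surrounding comments is correct: the leading `/*` context line is kept and the `_REG relative to RSET_SPI` block stays intact.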
[BISECTED] 4943ba16 (include crypto- module prefix) breaks wifi
I discovered when (belatedly) testing 3.19-rc7 the other week that my laptop wifi was broken and would no longer associate. I wasted a lot of time trying to bisect changes in net/wireless and net/drivers wireless before figuring out that it was somewhere else in the kernel. An unrestricted bisect quickly homed in on this commit.

Apparently this is causing some necessary crypto algorithms to fail to load, breaking my wifi.

Perhaps I'm displaying my ignorance of what's supposed to happen, but shouldn't "make install" have installed some files with names like /lib/modules/`uname -r`/kernel/crypto/crypto-*.ko? Or is it something only I'm hitting because I have a lot of common crypto algorithms statically compiled into my kernel?

CONFIG_CRYPTO_CBC=y
CONFIG_CRYPTO_HMAC=y
CONFIG_CRYPTO_MD5=y
CONFIG_CRYPTO_SHA1=y
CONFIG_CRYPTO_AES=y
CONFIG_CRYPTO_AES_586=y
CONFIG_CRYPTO_ARC4=y

In more detail, when things are working (such as on commit 4943ba1^ = 476c7fe2), wpa_supplicant logs:

wlan1: SME: Trying to authenticate with aa:bb:cc:dd:ee:ff (SSID='FOO' freq=24xx MHz)
wlan1: Trying to associate with aa:bb:cc:dd:ee:ff (SSID='FOO' freq=24xx MHz)
wlan1: Associated with aa:bb:cc:dd:ee:ff
wlan1: WPA: Key negotiation completed with aa:bb:cc:dd:ee:ff [PTK=CCMP GTK=CCMP]
wlan1: CTRL-EVENT-CONNECTED - Connection to aa:bb:cc:dd:ee:ff completed (aith) [id=0 id_str=]

followed by "group rekeying completed" messages at 10 minute intervals.

Trying this on kernel 4943ba16 produces instead an endless loop of:

wlan1: SME: Trying to authenticate with aa:bb:cc:dd:ee:ff (SSID='FOO' freq=24xx MHz)
wlan1: Trying to associate with aa:bb:cc:dd:ee:ff (SSID='FOO' freq=24xx MHz)
wlan1: Associated with aa:bb:cc:dd:ee:ff
wlan1: WPA: Failed to set PTK to the driver (alg=3 keylen=16 bssid=aa:bb:cc:dd:ee:ff)
wlan1: CTRL-EVENT-DISCONNECTED bssid=aa:bb:cc:dd:ee:ff reason=1

The kernel logs are not particularly informative. They just go through the usual successful series, but end with

wlan1: RxAssocResp from aa:bb:cc:dd:ee:ff (capab=0x431 status=0 aid=1)
wlan1: associated
wlan1: deauthenticating from 11:bb:cc:dd:ee:ff by local choice (Reason: 1=UNSPECIFIED)

while a successful connection ends before that last line.
[PATCH v1 3/7] AES for PPC/SPE - assembler core
The assembler AES encryption and decryption core routines. Implemented optimized for big endian. Nevertheless they work on little endian too.

For most efficient reuse in (higher level) block cipher routines they are implemented as fast call modules without any stack handling or register saving. The caller must take care of that part.

Signed-off-by: Markus Stockhausen stockhau...@collogia.de

diff --git a/arch/powerpc/crypto/aes-spe-core.S b/arch/powerpc/crypto/aes-spe-core.S new file mode 100644 index 000..5dc6bce --- /dev/null +++ b/arch/powerpc/crypto/aes-spe-core.S
@@ -0,0 +1,351 @@ +/* + * Fast AES implementation for SPE instruction set (PPC) + * + * This code makes use of the SPE SIMD instruction set as defined in + * http://cache.freescale.com/files/32bit/doc/ref_manual/SPEPIM.pdf + * Implementation is based on optimization guide notes from + * http://cache.freescale.com/files/32bit/doc/app_note/AN2665.pdf + * + * Copyright (c) 2015 Markus Stockhausen stockhau...@collogia.de + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + * + */ + +#include asm/ppc_asm.h +#include aes-spe-regs.h + +#defineEAD(in, bpos) \ + rlwimi rT0,in,28-((bpos+3)%4)*8,20,27; + +#define DAD(in, bpos) \ + rlwimi rT1,in,24-((bpos+3)%4)*8,24,31; + +#define LWH(out, off) \ + evlwwsplat out,off(rT0); /* load word high */ + +#define LWL(out, off) \ + lwz out,off(rT0); /* load word low*/ + +#define LBZ(out, tab, off) \ + lbz out,off(tab); /* load byte*/ + +#define LAH(out, in, bpos, off) \ + EAD(in, bpos) /* calc addr + load word high */ \ + LWH(out, off) + +#define LAL(out, in, bpos, off) \ + EAD(in, bpos) /* calc addr + load word low*/ \ + LWL(out, off) + +#define LAE(out, in, bpos) \ + EAD(in, bpos) /* calc addr + load enc byte*/ \ + LBZ(out, rT0, 8) + +#define LBE(out) \ + LBZ(out, rT0, 8)/* load enc byte*/ + +#define LAD(out, in, bpos) \ + DAD(in, bpos) /* calc addr + load dec byte*/ \ + LBZ(out, rT1, 0) + +#define LBD(out) \ + LBZ(out, rT1, 0) + +/* + * ppc_encrypt_block: The central encryption function for a single 16 bytes + * block. It does no stack handling or register saving to support fast calls + * via bl/blr. It expects that caller has pre-xored input data with first + * 4 words of encryption key into rD0-rD3. Pointer/counter registers must + * have also been set up before (rT0, rKP, CTR). 
Output is stored in rD0-rD3 + * and rW0-rW3 and caller must execute a final xor on the ouput registers. + * All working registers rD0-rD3 rW0-rW7 are overwritten during processing. + * + */ +_GLOBAL(ppc_encrypt_block) + LAH(rW4, rD1, 2, 4) + LAH(rW6, rD0, 3, 0) + LAH(rW3, rD0, 1, 8) +ppc_encrypt_block_loop: + LAH(rW0, rD3, 0, 12) + LAL(rW0, rD0, 0, 12) + LAH(rW1, rD1, 0, 12) + LAH(rW2, rD2, 1, 8) + LAL(rW2, rD3, 1, 8) + LAL(rW3, rD1, 1, 8) + LAL(rW4, rD2, 2, 4) + LAL(rW6, rD1, 3, 0) + LAH(rW5, rD3, 2, 4) + LAL(rW5, rD0, 2, 4) + LAH(rW7, rD2, 3, 0) + evldw rD1,16(rKP) + EAD(rD3, 3) + evxor rW2,rW2,rW4 + LWL(rW7, 0) + evxor rW2,rW2,rW6 + EAD(rD2, 0) + evxor rD1,rD1,rW2 + LWL(rW1, 12) + evxor rD1,rD1,rW0 + evldw rD3,24(rKP) + evmergehi rD0,rD0,rD1 + EAD(rD1, 2) + evxor rW3,rW3,rW5 + LWH(rW4, 4) + evxor rW3,rW3,rW7 + EAD(rD0, 3) + evxor rD3,rD3,rW3 + LWH(rW6, 0) + evxor rD3,rD3,rW1 + EAD(rD0, 1) + evmergehi rD2,rD2,rD3 + LWH(rW3, 8) + LAH(rW0, rD3, 0, 12) + LAL(rW0, rD0, 0, 12) + LAH(rW1, rD1, 0, 12) + LAH(rW2, rD2, 1, 8) + LAL(rW2, rD3, 1, 8) + LAL(rW3, rD1, 1, 8) + LAL(rW4, rD2, 2, 4) + LAL(rW6, rD1, 3, 0) + LAH(rW5, rD3, 2, 4) + LAL(rW5, rD0, 2, 4) + LAH(rW7, rD2, 3, 0) + evldw rD1,32(rKP) + EAD(rD3, 3) + evxor rW2,rW2,rW4 + LWL(rW7, 0) + evxor rW2,rW2,rW6 + EAD(rD2, 0) + evxor rD1,rD1,rW2 + LWL(rW1, 12) + evxor rD1,rD1,rW0 + evldw rD3,40(rKP) + evmergehi rD0,rD0,rD1 + EAD(rD1, 2) + evxor rW3,rW3,rW5 + LWH(rW4, 4) + evxor rW3,rW3,rW7 + EAD(rD0, 3) + evxor rD3,rD3,rW3 +
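Review bot: the ppc_encrypt_block header comment lists what the caller must set up (rT0, rKP, CTR, rD0-rD3 pre-xored) but not what the no-save calling convention costs the caller: per aes-spe-regs.h, rD1/rD3 and rW0-rW7 are r14-r23, non-volatile registers in the PPC ABI, so every C-callable entry point that reaches this routine via `bl` must save and restore them itself, and the comment should say so. Also worth documenting is that `LBZ(out, rT0, 8)` reads the forward S-box from byte 8 of the current encryption-table row, so this code is correct only against tables with exactly the 16-byte-row layout of aes-tab-4k.S, and that the `EAD`/`DAD` inserts make the addresses in rT0/rT1 data-dependent, which is precisely where the cache-timing exposure discussed in this thread sits. Minor: `ouput` in the comment.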
[PATCH v1 7/7] AES for PPC/SPE - kernel config
Integrate the module into the kernel configuration

Signed-off-by: Markus Stockhausen stockhau...@collogia.de

diff --git a/arch/powerpc/crypto/Makefile b/arch/powerpc/crypto/Makefile index a07e763..1698fb9 100644 --- a/arch/powerpc/crypto/Makefile +++ b/arch/powerpc/crypto/Makefile @@ -4,8 +4,10 @@ # Arch-specific CryptoAPI modules. # +obj-$(CONFIG_CRYPTO_AES_PPC_SPE) += aes-ppc-spe.o obj-$(CONFIG_CRYPTO_SHA1_PPC) += sha1-powerpc.o obj-$(CONFIG_CRYPTO_SHA256_PPC_SPE) += sha256-ppc-spe.o +aes-ppc-spe-y := aes-spe-core.o aes-spe-keys.o aes-tab-4k.o aes-spe-modes.o aes_spe_glue.o sha1-powerpc-y := sha1-powerpc-asm.o sha1.o sha256-ppc-spe-y := sha256-spe-asm.o sha256_spe_glue.o diff --git a/crypto/Kconfig b/crypto/Kconfig index 86d35be..87dc274 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig
@@ -857,6 +857,13 @@ config CRYPTO_AES_ARM_BS This implementation does not rely on any lookup tables so it is believed to be invulnerable to cache timing attacks. +config CRYPTO_AES_PPC_SPE + tristate AES cipher algorithms (PPC SPE) + depends on PPC SPE + help + AES cipher algorithms (FIPS-197). Additionally the acceleration + for popular block cipher modes ECB, CBC, CTR and XTS is supported. + config CRYPTO_ANUBIS tristate Anubis cipher algorithm select CRYPTO_ALGAPI
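Review bot: the new `config CRYPTO_AES_PPC_SPE` entry selects nothing, whereas the neighbouring `CRYPTO_ANUBIS` entry in the same hunk has `select CRYPTO_ALGAPI`; a cipher that also registers ECB/CBC/CTR/XTS block-cipher modes needs the core crypto API (and the block-cipher support it registers with) selected, otherwise a configuration that enables only this option may be built without the API the module depends on. The help text should also mention that the implementation uses 8K+256 bytes of lookup tables (the figure the author gave in the thread), since the `CRYPTO_AES_ARM_BS` help directly above advertises the absence of tables as its cache-timing property and users comparing options will want the same information here.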
[PATCH v1 4/7] AES for PPC/SPE - key handling
Key generation for big endian core routines.

Signed-off-by: Markus Stockhausen stockhau...@collogia.de

diff --git a/arch/powerpc/crypto/aes-spe-keys.S b/arch/powerpc/crypto/aes-spe-keys.S new file mode 100644 index 000..55b258c --- /dev/null +++ b/arch/powerpc/crypto/aes-spe-keys.S
@@ -0,0 +1,283 @@ +/* + * Key handling functions for PPC AES implementation + * + * Copyright (c) 2015 Markus Stockhausen stockhau...@collogia.de + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + * + */ + +#include asm/ppc_asm.h + +#ifdef __BIG_ENDIAN__ +#define LOAD_KEY(d, s, off) \ + lwz d,off(s); +#else +#define LOAD_KEY(d, s, off) \ + li r0,off; \ + lwbrx d,s,r0; +#endif + +#define INITIALIZE_KEY \ + stwur1,-32(r1); /* create stack frame */ \ + stw r14,8(r1); /* save registers */ \ + stw r15,12(r1);\ + stw r16,16(r1); + +#define FINALIZE_KEY \ + lwz r14,8(r1); /* restore registers*/ \ + lwz r15,12(r1);\ + lwz r16,16(r1);\ + xor r5,r5,r5; /* clear sensitive data */ \ + xor r6,r6,r6; \ + xor r7,r7,r7; \ + xor r8,r8,r8; \ + xor r9,r9,r9; \ + xor r10,r10,r10; \ + xor r11,r11,r11; \ + xor r12,r12,r12; \ + addir1,r1,32; /* cleanup stack*/ + +#define LS_BOX(r, t1, t2) \ + lis t2,PPC_AES_4K_ENCTAB@h;\ + ori t2,t2,PPC_AES_4K_ENCTAB@l; \ + rlwimi t2,r,4,20,27; \ + lbz t1,8(t2); \ + rlwimi r,t1,0,24,31; \ + rlwimi t2,r,28,20,27; \ + lbz t1,8(t2); \ + rlwimi r,t1,8,16,23; \ + rlwimi t2,r,20,20,27; \ + lbz t1,8(t2); \ + rlwimi r,t1,16,8,15; \ + rlwimi t2,r,12,20,27; \ + lbz t1,8(t2); \ + rlwimi r,t1,24,0,7; + +#define GF8_MUL(out, in, t1, t2) \ + lis t1,0x8080; /* multiplication in GF8*/ \ + ori t1,t1,0x8080; \ + and t1,t1,in; \ + srwi t1,t1,7; \ + mulli t1,t1,0x1b; \ + lis t2,0x7f7f; \ + ori t2,t2,0x7f7f; \ + and t2,t2,in; \ + slwi t2,t2,1; \ + xor out,t1,t2; + +/* + * ppc_expand_key_128(u32 *key_enc, const u8 *key) + * + * Expand 128 bit key into 176 bytes encryption key. 
It consists of + * key itself plus 10 rounds with 16 bytes each + * + */ +_GLOBAL(ppc_expand_key_128) + INITIALIZE_KEY + LOAD_KEY(r5,r4,0) + LOAD_KEY(r6,r4,4) + LOAD_KEY(r7,r4,8) + LOAD_KEY(r8,r4,12) + stw r5,0(r3)/* key[0..3] = input data */ + stw r6,4(r3) + stw r7,8(r3) + stw r8,12(r3) + li r16,10 /* 10 expansion rounds */ + lis r0,0x0100 /* RCO(1) */ +ppc_expand_128_loop: + addir3,r3,16 + mr r14,r8 /* apply LS_BOX to 4th temp */ + rotlwi r14,r14,8 + LS_BOX(r14, r15, r4) + xor r14,r14,r0 + xor r5,r5,r14 /* xor next 4
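Review bot: FINALIZE_KEY zeroes r5-r12 under `clear sensitive data`, but `LS_BOX(r14, r15, r4)` uses r4 as its table address register and `rlwimi t2,r,...,20,27` inserts key-derived bytes into it, so r4 still holds key-dependent index bits when ppc_expand_key_128 returns; add r4 to the xor list or explain why that is acceptable. The same LS_BOX lookups (`lbz t1,8(t2)`, the S-box byte at row offset 8) are key-indexed table reads, which extends the cache-timing exposure discussed in this thread to key expansion; a one-line comment at LS_BOX noting that would keep the scope of the author's timing note honest. The little-endian LOAD_KEY variant clobbers r0 as its index register, which is safe here only because `lis r0,0x0100` (RCO) is set after the four loads; that ordering is load-bearing and deserves a comment.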
[PATCH v1 0/7] AES for PPC/SPE
The following patches add support for 64bit accelerated AES calculation on PPC processors with SPE instruction set. Besides the AES core module it implements ECB/CBC/CTR/XTS as block ciphers. The implementation takes care of the following constraints:

- save SPE registers for interrupt context compatibility
- disable preemption only for short intervals
- endian independent

Module passes tcrypt mode=10 tests.

Synthetic AES speedup factors from insmod tcrypt sec=3 mode=200 taken on e500v2 800 MHz (TP Link WDR4900) compared with the generic kernel module.

key  bytes   ecb   ecb   cbc   cbc   ctr   ctr   xts   xts
             enc   dec   enc   dec   enc   dec   enc   dec
----------------------------------------------------------
128     16  1.14  1.14  1.20  1.28  1.20  1.19  1.20  1.21
128     64  1.35  1.36  1.48  1.51  1.50  1.50  1.41  1.41
128    256  1.49  1.49  1.66  1.65  1.69  1.69  1.58  1.57
128   1024  1.51  1.51  1.69  1.68  1.72  1.72  1.61  1.60
128   8192  1.52  1.52  1.70  1.68  1.73  1.73  1.62  1.61
192     16  1.14  1.15  1.22  1.28  1.21  1.21  1.22  1.23
192     64  1.36  1.37  1.48  1.49  1.49  1.50  1.41  1.41
192    256  1.48  1.48  1.63  1.63  1.65  1.65  1.56  1.55
192   1024  1.50  1.50  1.65  1.64  1.68  1.68  1.59  1.58
192   8192  1.52  1.52  1.67  1.66  1.68  1.68  1.60  1.59
256     16  1.17  1.18  1.24  1.30  1.23  1.22  1.24  1.25
256     64  1.37  1.37  1.47  1.50  1.49  1.49  1.42  1.41
256    256  1.48  1.47  1.60  1.60  1.63  1.63  1.54  1.53
256   1024  1.50  1.49  1.62  1.61  1.65  1.65  1.57  1.56
256   8192  1.50  1.49  1.63  1.62  1.66  1.66  1.58  1.57

Additionally numbers from an iperf transfer benchmark. They include the AES optimized and the SHA256 optimized module.
- Server : Xeon X3470 2.93GHz
- Client : Core I5 2.4GHz Windows (Shrew VPN client)
- Gateway: e500v2 800 MHz (TP Link WDR4900)

AES256 generic / SHA256 generic modules:

iperf.exe -c a.b.c.d -t 60 -i 10
Client connecting to a.b.c.d, TCP port 5001
TCP window size: 63.0 KByte (default)
[ 3] local u.v.w.x port 50730 connected with a.b.c.d port 5001
[ ID] Interval       Transfer     Bandwidth
[ 3]  0.0-10.0 sec  51.1 MBytes  42.9 Mbits/sec
[ 3] 10.0-20.0 sec  51.9 MBytes  43.5 Mbits/sec
[ 3] 20.0-30.0 sec  51.5 MBytes  43.2 Mbits/sec
[ 3] 30.0-40.0 sec  51.5 MBytes  43.2 Mbits/sec
[ 3] 40.0-50.0 sec  51.2 MBytes  43.0 Mbits/sec
[ 3] 50.0-60.0 sec  50.6 MBytes  42.5 Mbits/sec
[ 3]  0.0-60.0 sec   308 MBytes  43.0 Mbits/sec

AES256 (this patch) / SHA256 (my last patch):

iperf.exe -c a.b.c.d -t 60 -i 10
Client connecting to a.b.c.d, TCP port 5001
TCP window size: 63.0 KByte (default)
[ 3] local u.v.w.x port 50730 connected with a.b.c.d port 5001
[ ID] Interval       Transfer     Bandwidth
[ 3]  0.0-10.0 sec  69.6 MBytes  58.4 Mbits/sec
[ 3] 10.0-20.0 sec  69.1 MBytes  58.0 Mbits/sec
[ 3] 20.0-30.0 sec  69.2 MBytes  58.1 Mbits/sec
[ 3] 30.0-40.0 sec  67.1 MBytes  56.3 Mbits/sec
[ 3] 40.0-50.0 sec  67.6 MBytes  56.7 Mbits/sec
[ 3] 50.0-60.0 sec  65.9 MBytes  55.3 Mbits/sec
[ 3]  0.0-60.0 sec   409 MBytes  57.1 Mbits/sec
[PATCH v1 2/7] AES for PPC/SPE - aes tables
4K AES tables for big endian

Signed-off-by: Markus Stockhausen stockhau...@collogia.de

diff --git a/arch/powerpc/crypto/aes-tab-4k.S b/arch/powerpc/crypto/aes-tab-4k.S new file mode 100644 index 000..6bc1755 --- /dev/null +++ b/arch/powerpc/crypto/aes-tab-4k.S
@@ -0,0 +1,570 @@ +/* + * 4K AES tables for PPC AES implementation + * + * Copyright (c) 2015 Markus Stockhausen stockhau...@collogia.de + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + * + */ + +/* + * These big endian AES encryption/decryption tables are designed to be simply + * accessed by a combination of rlwimi/lwz instructions with a minimum + * of table registers (usually only one required). Thus they are aligned to + * 4K. The locality of rotated values is derived from the reduced offsets that + * are available in the SPE load instructions. E.g. evldw, evlwwsplat, ... + * + */ +.data +.align 12 +.globl PPC_AES_4K_ENCTAB +PPC_AES_4K_ENCTAB: + .long 0xc66363a5,0xa5c66363,0x63a5c663,0x6363a5c6 + .long 0xf87c7c84,0x84f87c7c,0x7c84f87c,0x7c7c84f8 + .long 0xee99,0x99ee,0x7799ee77,0x99ee + .long 0xf67b7b8d,0x8df67b7b,0x7b8df67b,0x7b7b8df6 + .long 0xfff2f20d,0x0dfff2f2,0xf20dfff2,0xf2f20dff + .long 0xd66b6bbd,0xbdd66b6b,0x6bbdd66b,0x6b6bbdd6 + .long 0xde6f6fb1,0xb1de6f6f,0x6fb1de6f,0x6f6fb1de + .long 0x91c5c554,0x5491c5c5,0xc55491c5,0xc5c55491 + .long 0x60303050,0x50603030,0x30506030,0x30305060 + .long 0x02010103,0x03020101,0x01030201,0x01010302 + .long 0xce6767a9,0xa9ce6767,0x67a9ce67,0x6767a9ce + .long 0x562b2b7d,0x7d562b2b,0x2b7d562b,0x2b2b7d56 + .long 0xe7fefe19,0x19e7fefe,0xfe19e7fe,0xfefe19e7 + .long 0xb5d7d762,0x62b5d7d7,0xd762b5d7,0xd7d762b5 + .long 0x4dababe6,0xe64dabab,0xabe64dab,0xababe64d + .long 0xec76769a,0x9aec7676,0x769aec76,0x76769aec + .long 0x8fcaca45,0x458fcaca,0xca458fca,0xcaca458f + .long 0x1f82829d,0x9d1f8282,0x829d1f82,0x82829d1f + .long 0x89c9c940,0x4089c9c9,0xc94089c9,0xc9c94089 + .long 0xfa7d7d87,0x87fa7d7d,0x7d87fa7d,0x7d7d87fa + .long 0xeffafa15,0x15effafa,0xfa15effa,0xfafa15ef + .long 
0xb25959eb,0xebb25959,0x59ebb259,0x5959ebb2 + .long 0x8e4747c9,0xc98e4747,0x47c98e47,0x4747c98e + .long 0xfbf0f00b,0x0bfbf0f0,0xf00bfbf0,0xf0f00bfb + .long 0x41adadec,0xec41adad,0xadec41ad,0xadadec41 + .long 0xb3d4d467,0x67b3d4d4,0xd467b3d4,0xd4d467b3 + .long 0x5fa2a2fd,0xfd5fa2a2,0xa2fd5fa2,0xa2a2fd5f + .long 0x45afafea,0xea45afaf,0xafea45af,0xafafea45 + .long 0x239c9cbf,0xbf239c9c,0x9cbf239c,0x9c9cbf23 + .long 0x53a4a4f7,0xf753a4a4,0xa4f753a4,0xa4a4f753 + .long 0xe4727296,0x96e47272,0x7296e472,0x727296e4 + .long 0x9bc0c05b,0x5b9bc0c0,0xc05b9bc0,0xc0c05b9b + .long 0x75b7b7c2,0xc275b7b7,0xb7c275b7,0xb7b7c275 + .long 0xe1fdfd1c,0x1ce1fdfd,0xfd1ce1fd,0xfdfd1ce1 + .long 0x3d9393ae,0xae3d9393,0x93ae3d93,0x9393ae3d + .long 0x4c26266a,0x6a4c2626,0x266a4c26,0x26266a4c + .long 0x6c36365a,0x5a6c3636,0x365a6c36,0x36365a6c + .long 0x7e3f3f41,0x417e3f3f,0x3f417e3f,0x3f3f417e + .long 0xf5f7f702,0x02f5f7f7,0xf702f5f7,0xf7f702f5 + .long 0x834f,0x4f83,0xcc4f83cc,0x4f83 + .long 0x6834345c,0x5c683434,0x345c6834,0x34345c68 + .long 0x51a5a5f4,0xf451a5a5,0xa5f451a5,0xa5a5f451 + .long 0xd1e5e534,0x34d1e5e5,0xe534d1e5,0xe5e534d1 + .long 0xf9f1f108,0x08f9f1f1,0xf108f9f1,0xf1f108f9 + .long 0xe2717193,0x93e27171,0x7193e271,0x717193e2 + .long 0xabd8d873,0x73abd8d8,0xd873abd8,0xd8d873ab + .long 0x62313153,0x53623131,0x31536231,0x31315362 + .long 0x2a15153f,0x3f2a1515,0x153f2a15,0x15153f2a + .long 0x0804040c,0x0c080404,0x040c0804,0x04040c08 + .long 0x95c7c752,0x5295c7c7,0xc75295c7,0xc7c75295 + .long 0x46232365,0x65462323,0x23654623,0x23236546 + .long 0x9dc3c35e,0x5e9dc3c3,0xc35e9dc3,0xc3c35e9d + .long 0x30181828,0x28301818,0x18283018,0x18182830 + .long 0x379696a1,0xa1379696,0x96a13796,0x9696a137 + .long 0x0a05050f,0x0f0a0505,0x050f0a05,0x05050f0a + .long 0x2f9a9ab5,0xb52f9a9a,0x9ab52f9a,0x9a9ab52f + .long 0x0e070709,0x090e0707,0x07090e07,0x0707090e + .long 0x24121236,0x36241212,0x12362412,0x12123624 + .long 0x1b80809b,0x9b1b8080,0x809b1b80,0x80809b1b + .long 
0xdfe2e23d,0x3ddfe2e2,0xe23ddfe2,0xe2e23ddf + .long 0xcdebeb26,0x26cdebeb,0xeb26cdeb,0xebeb26cd + .long 0x4e272769,0x694e2727,0x27694e27,0x2727694e + .long 0x7fb2b2cd,0xcd7fb2b2,0xb2cd7fb2,0xb2b2cd7f + .long 0xea75759f,0x9fea7575,0x759fea75,0x75759fea + .long 0x1209091b,0x1b120909,0x091b1209,0x09091b12 + .long
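Review bot: the header comment says the tables are 4K aligned but not why that is a correctness requirement: with one base register holding the table start, the `rlwimi` that inserts the 8-bit index into the low 12 bits of the address (index*16) only forms a valid row address if the base has zero low bits, so `.align 12` must stay exactly as written and any future move of the tables into another section has to preserve it. Please also record in the comment where the words come from (the byte-reversed aes_generic.c tables, as the author explained in the thread), that the third word of each encryption row carries the forward S-box at byte offset 8, and that the trailing `.byte` table is the inverse S-box; without that a reviewer has no way to check the 570 lines of hex this hunk adds, and a generator script or an assembler macro for the four rotations would let them be checked mechanically.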
[PATCH v1 1/7] AES for PPC/SPE - register defines
Define some register aliases for better readability.

Signed-off-by: Markus Stockhausen stockhau...@collogia.de

diff --git a/arch/powerpc/crypto/aes-spe-regs.h b/arch/powerpc/crypto/aes-spe-regs.h new file mode 100644 index 000..30d217b --- /dev/null +++ b/arch/powerpc/crypto/aes-spe-regs.h
@@ -0,0 +1,42 @@ +/* + * Common registers for PPC AES implementation + * + * Copyright (c) 2015 Markus Stockhausen stockhau...@collogia.de + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + * + */ + +#define rKS r0 /* copy of en-/decryption key pointer */ +#define rDP r3 /* destination pointer */ +#define rSP r4 /* source pointer */ +#define rKP r5 /* pointer to en-/decryption key pointer*/ +#define rRR r6 /* en-/decryption rounds*/ +#define rLN r7 /* length of data to be processed */ +#define rIP r8 /* potiner to IV (CBC/CTR/XTS modes)*/ +#define rKT r9 /* pointer to tweak key (XTS mode) */ +#define rT0 r11/* pointers to en-/decrpytion tables */ +#define rT1 r10 +#define rD0 r9 /* data */ +#define rD1 r14 +#define rD2 r12 +#define rD3 r15 +#define rW0 r16/* working registers */ +#define rW1 r17 +#define rW2 r18 +#define rW3 r19 +#define rW4 r20 +#define rW5 r21 +#define rW6 r22 +#define rW7 r23 +#define rI0 r24/* IV */ +#define rI1 r25 +#define rI2 r26 +#define rI3 r27 +#define rG0 r28/* endian reversed tweak (XTS mode) */ +#define rG1 r29 +#define rG2 r30 +#define rG3 r31

This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden. e-mails sent over the internet may have been written under a wrong name or been manipulated. That is why this message sent as an e-mail is not a legally binding declaration of intention. Collogia Unternehmensberatung AG Ubierring 11 D-50678 Köln executive board: Kadir Akin Dr. Michael Höhnerbach President of the supervisory board: Hans Kristian Langva Registry office: district court Cologne Register number: HRB 52 497
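Review bot: rKT and rD0 both alias r9 (the XTS tweak-key pointer and the first data register), so any write to rD0 destroys rKT; the header should state that rKT is only valid until the data registers are first loaded, or the XTS code must copy the tweak-key pointer elsewhere before that point. Minor: the comments misspell "potiner" (rIP) and "decrpytion" (rT0), and rT0/rT1 map to r11/r10 in descending order, which is worth either a short note or swapping so readers do not take it for a typo.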
[PATCH v1 5/7] AES for PPC/SPE - ECB/CBC/CTR/XTS modes
The assembler block cipher module that controls the core AES functions.

Signed-off-by: Markus Stockhausen stockhau...@collogia.de

diff --git a/arch/powerpc/crypto/aes-spe-modes.S b/arch/powerpc/crypto/aes-spe-modes.S
new file mode 100644
index 000..1141841
--- /dev/null
+++ b/arch/powerpc/crypto/aes-spe-modes.S
@@ -0,0 +1,630 @@ +/* + * AES modes (ECB/CBC/CTR/XTS) for PPC AES implementation + * + * Copyright (c) 2015 Markus Stockhausen stockhau...@collogia.de + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + * + */ + +#include asm/ppc_asm.h +#include aes-spe-regs.h + +#ifdef __BIG_ENDIAN__ /* Macros for big endian builds */ + +#define LOAD_DATA(reg, off) \ + lwz reg,off(rSP); /* load with offset */ +#define SAVE_DATA(reg, off) \ + stw reg,off(rDP); /* save with offset */ +#define NEXT_BLOCK \ + addirSP,rSP,16; /* increment pointers per bloc */ \ + addirDP,rDP,16; +#define LOAD_IV(reg, off) \ + lwz reg,off(rIP); /* IV loading with offset */ +#define SAVE_IV(reg, off) \ + stw reg,off(rIP); /* IV saving with offset*/ +#define START_IV /* nothing to reset */ +#define CBC_DEC 16 /* CBC decrement per block */ +#define CTR_DEC 1 /* CTR decrement one byte */ + +#else /* Macros for little endian */ + +#define LOAD_DATA(reg, off) \ + lwbrx reg,0,rSP; /* load reversed*/ \ + addirSP,rSP,4; /* and increment pointer*/ +#define SAVE_DATA(reg, off) \ + stwbrx reg,0,rDP; /* save reversed*/ \ + addirDP,rDP,4; /* and increment pointer*/ +#define NEXT_BLOCK /* nothing todo */ +#define LOAD_IV(reg, off) \ + lwbrx reg,0,rIP; /* load reversed*/ \ + addirIP,rIP,4; /* and increment pointer*/ +#define SAVE_IV(reg, off) \ + stwbrx reg,0,rIP; /* load reversed*/ \ + addirIP,rIP,4; /* and increment pointer*/ +#define START_IV \ + subirIP,rIP,16; /* must reset pointer */ +#define CBC_DEC 32 /* 2 blocks because of incs */ +#define CTR_DEC 17 /* 1 block because of incs */ + +#endif + +#define SAVE_0_REGS +#define LOAD_0_REGS + +#define SAVE_4_REGS \ + stw rI0,96(r1); /* save 32 bit registers*/ \ + stw rI1,100(r1); \ + stw rI2,104(r1); \ + stw rI3,108(r1); + +#define LOAD_4_REGS \ + lwz 
rI0,96(r1); /* restore 32 bit registers */ \ + lwz rI1,100(r1); \ + lwz rI2,104(r1); \ + lwz rI3,108(r1); + +#define SAVE_8_REGS \ + SAVE_4_REGS\ + stw rG0,112(r1);/* save 32 bit registers*/ \ + stw rG1,116(r1); \ + stw rG2,120(r1); \ + stw rG3,124(r1); + +#define LOAD_8_REGS \ + LOAD_4_REGS\ + lwz rG0,112(r1);/* restore 32 bit registers */ \ + lwz rG1,116(r1); \ + lwz rG2,120(r1); \ + lwz rG3,124(r1); + +#define INITIALIZE_CRYPT(tab,nr32bitregs) \ + mflrr0;\ + stwur1,-160(r1);/* create stack frame */ \ + lis rT0,tab@h; /* en-/decryption table pointer */ \ + stw r0,8(r1); /* save link register */ \ + ori rT0,rT0,tab@l; \ + evstdw r14,16(r1);\ + mr rKS,rKP; \ + evstdw r15,24(r1); /* We must save non volatile*/ \ + evstdw r16,32(r1); /* registers. Take the chance */ \ + evstdw r17,40(r1); /*
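Review bot: in the little-endian branch the SAVE_IV macro carries the comment "load reversed" although its instruction is stwbrx, a store; copy the "save reversed" wording from SAVE_DATA. More importantly, the little-endian LOAD_DATA/SAVE_DATA/LOAD_IV/SAVE_IV macros ignore their off argument and post-increment rSP/rDP/rIP by 4 instead, which is why NEXT_BLOCK is empty, START_IV rewinds rIP by 16, and CBC_DEC/CTR_DEC become 32/17 on little endian; that coupling is explained only by the terse "because of incs" comments and deserves a paragraph at the top of the #else branch so that a change to one macro does not silently break the others. Typos: "bloc" in NEXT_BLOCK and "nothing todo".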
[PATCH v1 6/7] AES for PPC/SPE - glue code
Integrate the assembler modules into the kernel crypto framework. Take care to avoid long intervals of disabled preemption.

Signed-off-by: Markus Stockhausen stockhau...@collogia.de

diff --git a/arch/powerpc/crypto/aes_spe_glue.c b/arch/powerpc/crypto/aes_spe_glue.c
new file mode 100644
index 000..bd5e63f
--- /dev/null
+++ b/arch/powerpc/crypto/aes_spe_glue.c
@@ -0,0 +1,512 @@ +/* + * Glue code for AES implementation for SPE instructions (PPC) + * + * Based on generic implementation. The assembler module takes care + * about the SPE registers so it can run from interrupt context. + * + * Copyright (c) 2015 Markus Stockhausen stockhau...@collogia.de + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the Free + * Software Foundation; either version 2 of the License, or (at your option) + * any later version. + * + */ + +#include crypto/aes.h +#include linux/module.h +#include linux/init.h +#include linux/types.h +#include linux/errno.h +#include linux/crypto.h +#include asm/byteorder.h +#include asm/switch_to.h +#include crypto/algapi.h + +/* + * MAX_BYTES defines the number of bytes that are allowed to be processed + * between preempt_disable() and preempt_enable(). e500 cores can issue two + * instructions per clock cycle using one 32/64 bit unit (SU1) and one 32 + * bit unit (SU2). One of these can be a memory access that is executed via + * a single load and store unit (LSU). XTS-AES-256 takes ~780 operations per + * 16 byte block block or 25 cycles per byte. Thus 768 bytes of input data + * will need an estimated maximum of 20,000 cycles. Headroom for cache misses + * included. Even with the low end model clocked at 667 MHz this equals to a + * critical time window of less than 30us. The value has been choosen to + * process a 512 byte disk block in one or a large 1400 bytes IPsec network + * packet in two runs. 
+ * + */ +#define MAX_BYTES 768 + +struct ppc_aes_ctx { + u32 key_enc[AES_MAX_KEYLENGTH_U32]; + u32 key_dec[AES_MAX_KEYLENGTH_U32]; + u32 rounds; +}; + +struct ppc_xts_ctx { + u32 key_enc[AES_MAX_KEYLENGTH_U32]; + u32 key_dec[AES_MAX_KEYLENGTH_U32]; + u32 key_twk[AES_MAX_KEYLENGTH_U32]; + u32 rounds; +}; + +extern void ppc_encrypt_aes(u8 *out, const u8 *in, u32 *key_enc, u32 rounds); +extern void ppc_decrypt_aes(u8 *out, const u8 *in, u32 *key_dec, u32 rounds); +extern void ppc_encrypt_ecb(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, + u32 bytes); +extern void ppc_decrypt_ecb(u8 *out, const u8 *in, u32 *key_dec, u32 rounds, + u32 bytes); +extern void ppc_encrypt_cbc(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, + u32 bytes, u8 *iv); +extern void ppc_decrypt_cbc(u8 *out, const u8 *in, u32 *key_dec, u32 rounds, + u32 bytes, u8 *iv); +extern void ppc_crypt_ctr (u8 *out, const u8 *in, u32 *key_enc, u32 rounds, + u32 bytes, u8 *iv); +extern void ppc_encrypt_xts(u8 *out, const u8 *in, u32 *key_enc, u32 rounds, + u32 bytes, u8 *iv, u32 *key_twk); +extern void ppc_decrypt_xts(u8 *out, const u8 *in, u32 *key_dec, u32 rounds, + u32 bytes, u8 *iv, u32 *key_twk); + +extern void ppc_expand_key_128(u32 *key_enc, const u8 *key); +extern void ppc_expand_key_192(u32 *key_enc, const u8 *key); +extern void ppc_expand_key_256(u32 *key_enc, const u8 *key); + +extern void ppc_generate_decrypt_key(u32 *key_dec,u32 *key_enc, +unsigned int key_len); + +static void spe_begin(void) +{ + /* disable preemption and save users SPE registers if required */ + preempt_disable(); + enable_kernel_spe(); +} + +static void spe_end(void) +{ + /* reenable preemption */ + preempt_enable(); +} + +static int ppc_aes_setkey(struct crypto_tfm *tfm, const u8 *in_key, + unsigned int key_len) +{ + struct ppc_aes_ctx *ctx = crypto_tfm_ctx(tfm); + + if (key_len != AES_KEYSIZE_128 + key_len != AES_KEYSIZE_192 + key_len != AES_KEYSIZE_256) { + tfm-crt_flags |= CRYPTO_TFM_RES_BAD_KEY_LEN; + return -EINVAL; + } 
+ + switch (key_len) { + case AES_KEYSIZE_128: + ctx-rounds = 4; + ppc_expand_key_128(ctx-key_enc, in_key); + break; + case AES_KEYSIZE_192: + ctx-rounds = 5; + ppc_expand_key_192(ctx-key_enc, in_key); + break; + case AES_KEYSIZE_256: + ctx-rounds = 6; + ppc_expand_key_256(ctx-key_enc, in_key); + break; + } + + ppc_generate_decrypt_key(ctx-key_dec, ctx-key_enc, key_len); + + return 0; +} + +static int ppc_xts_setkey(struct crypto_tfm *tfm, const u8
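Review bot: ppc_aes_setkey stores 4, 5 and 6 in ctx->rounds for 128-, 192- and 256-bit keys, not the 10, 12 and 14 rounds AES performs, so the field is evidently an encoding the assembler loop expects, but nothing in the glue code says what it means; add a comment on the rounds member of struct ppc_aes_ctx and in the switch stating how the assembler interprets it. The MAX_BYTES comment also reads "16 byte block block" and "choosen", and "this equals to a critical time window" should read "this equals a critical time window".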
Re: [BISECTED] 4943ba16 (include crypto- module prefix) breaks wifi
On 17 February 2015 at 04:09, George Spelvin li...@horizon.com wrote:
> I discovered when (belatedly) testing 3.19-rc7 the other week that my laptop wifi was broken and would no longer associate. Apparently this is causing some necessary crypto algorithms to fail to load, breaking my wifi.
>
> Perhaps I'm displaying my ignorance of what's supposed to happen, but shouldn't make install have installed some files with names like /lib/modules/`uname -r`/kernel/crypto/crypto-*.ko?

No, the module names do not change. They just got another module alias with the crypto- prefix.

> Or is it something only I'm hitting because I have a lot of common crypto algorithms statically compiled into my kernel?
>
> CONFIG_CRYPTO_CBC=y
> CONFIG_CRYPTO_HMAC=y
> CONFIG_CRYPTO_MD5=y
> CONFIG_CRYPTO_SHA1=y
> CONFIG_CRYPTO_AES=y
> CONFIG_CRYPTO_AES_586=y
> CONFIG_CRYPTO_ARC4=y
>
> Trying this on kernel 4943ba16 produces instead an endless loop of:
>
> wlan1: SME: Trying to authenticate with aa:bb:cc:dd:ee:ff (SSID='FOO' freq=24xx MHz)
> wlan1: Trying to associate with aa:bb:cc:dd:ee:ff (SSID='FOO' freq=24xx MHz)
> wlan1: Associated with aa:bb:cc:dd:ee:ff
> wlan1: WPA: Failed to set PTK to the driver (alg=3 keylen=16 bssid=aa:bb:cc:dd:ee:ff)
> wlan1: CTRL-EVENT-DISCONNECTED bssid=aa:bb:cc:dd:ee:ff reason=1
>
> The kernel logs are not particularly informative. They just go through the usual successful series, but end with
>
> wlan1: RxAssocResp from aa:bb:cc:dd:ee:ff (capab=0x431 status=0 aid=1)
> wlan1: associated
> wlan1: deauthenticating from 11:bb:cc:dd:ee:ff by local choice (Reason: 1=UNSPECIFIED)
>
> While successful connection ends before that last line.

Commit 4943ba16bbc2 was incomplete and could have caused regressions like the above. Those should have been fixed with commits 4943ba16bbc2 + 3e14dcf7cb80.

However, those should be in v3.19-rc7 already, so I'm not much of a help here :(

Mathias
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v1 2/7] AES for PPC/SPE - aes tables
On Mon, Feb 16, 2015 at 02:19:50PM +, David Laight wrote:
> From: Markus Stockhausen
> > 4K AES tables for big endian
>
> I can't help feeling that you could give more information about how the values are generated.

... and an explanation of why this does not open you up to a timing attack?

Segher