alc...@google.com>
Cc: Paul Crowley <paulcrow...@google.com>
Cc: Martin Willi <mar...@strongswan.org>
Cc: David Gstir <da...@sigma-star.at>
Cc: "Jason A . Donenfeld" <ja...@zx2c4.com>
Cc: Stephan Mueller <smuel...@chronox.de>
Signed-off-by: Ard Biesheuvel
On 8 December 2017 at 10:14, Stephan Mueller <smuel...@chronox.de> wrote:
> Am Freitag, 8. Dezember 2017, 11:06:31 CET schrieb Ard Biesheuvel:
>
> Hi Ard,
>
>>
>> Given how it is not uncommon for counters to be used as IV, this is a
>> fundamental flaw that
On 8 December 2017 at 09:11, Ard Biesheuvel <ard.biesheu...@linaro.org> wrote:
> On 8 December 2017 at 09:11, Ard Biesheuvel <ard.biesheu...@linaro.org> wrote:
>> Hi Eric,
>>
>> On 8 December 2017 at 01:38, Eric Biggers <ebigge...@gmail.com> wrote:
>
On 8 December 2017 at 09:11, Ard Biesheuvel <ard.biesheu...@linaro.org> wrote:
> Hi Eric,
>
> On 8 December 2017 at 01:38, Eric Biggers <ebigge...@gmail.com> wrote:
>> From: Eric Biggers <ebigg...@google.com>
>>
>> fscrypt currently only supports AES
Hi Eric,
On 8 December 2017 at 01:38, Eric Biggers wrote:
> From: Eric Biggers
>
> fscrypt currently only supports AES encryption. However, many low-end
> mobile devices still use older CPUs such as ARMv7, which do not support
> the AES instructions
On 8 December 2017 at 02:51, Jason A. Donenfeld wrote:
> Hi Eric,
>
> Nice to see more use of ChaCha20. However...
>
> Can we skip over the "sort of worse than XTS, but not having _real_
> authentication sucks anyway in either case, so whatever" and move
> directly to, "linux
On 7 December 2017 at 14:50, Ard Biesheuvel <ard.biesheu...@linaro.org> wrote:
> On 7 December 2017 at 14:39, Dave Martin <dave.mar...@arm.com> wrote:
>> On Wed, Dec 06, 2017 at 07:43:37PM +0000, Ard Biesheuvel wrote:
>>> Add support macros to conditionally yield the NEON (and thus the CPU)
On 7 December 2017 at 15:47, Ard Biesheuvel <ard.biesheu...@linaro.org> wrote:
> On 7 December 2017 at 14:50, Ard Biesheuvel <ard.biesheu...@linaro.org> wrote:
>> On 7 December 2017 at 14:39, Dave Martin <dave.mar...@arm.com> wrote:
>>> On Wed, Dec 06, 2017
On 7 December 2017 at 14:53, Dave Martin <dave.mar...@arm.com> wrote:
> On Thu, Dec 07, 2017 at 02:21:17PM +0000, Ard Biesheuvel wrote:
>> On 7 December 2017 at 14:11, Dave Martin <dave.mar...@arm.com> wrote:
>> > On Wed, Dec 06, 2017 at 07:43:36PM +0000, Ard Biesheuvel wrote:
On 7 December 2017 at 14:39, Dave Martin <dave.mar...@arm.com> wrote:
> On Wed, Dec 06, 2017 at 07:43:37PM +0000, Ard Biesheuvel wrote:
>> Add support macros to conditionally yield the NEON (and thus the CPU)
>> that may be called from the assembler code.
>>
>>
On 7 December 2017 at 14:11, Dave Martin <dave.mar...@arm.com> wrote:
> On Wed, Dec 06, 2017 at 07:43:36PM +0000, Ard Biesheuvel wrote:
>> We are going to add code to all the NEON crypto routines that will
>> turn them into non-leaf functions, so we need to manage the sta
Avoid excessive scheduling delays under a preemptible kernel by
yielding the NEON after every block of input.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/crct10dif-ce-core.S | 32 +---
1 file changed, 28 insertions(+), 4 deletions(-)
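At the C level, the effect being described is roughly the following (a sketch
only: the series actually yields inside crct10dif-ce-core.S via the assembler
macros, so the begin/end overhead is only paid when a reschedule is pending;
the core-routine and chunk-size names here are hypothetical):

#include <linux/types.h>
#include <asm/neon.h>

static u16 crct10dif_update_blocks(u16 crc, const u8 *data,
                                   unsigned int blocks)
{
        while (blocks--) {
                /* claim the NEON for at most one block at a time, so a
                 * pending reschedule can be honoured between blocks */
                kernel_neon_begin();
                crc = crct10dif_pmull_one_block(crc, data); /* hypothetical */
                kernel_neon_end();
                data += CRC_T10DIF_PMULL_CHUNK;             /* hypothetical */
        }
        return crc;
}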
Test code to force a kernel_neon_end+begin sequence at every yield point,
and wipe the entire NEON state before resuming the algorithm.
---
arch/arm64/include/asm/assembler.h | 33
1 file changed, 33 insertions(+)
diff --git a/arch/arm64/include/asm/assembler.h
Avoid excessive scheduling delays under a preemptible kernel by
yielding the NEON after every block of input.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/crc32-ce-core.S | 44 ++--
1 file changed, 32 insertions(+), 12 deletions(-)
diff
Avoid excessive scheduling delays under a preemptible kernel by
yielding the NEON after every block of input.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/ghash-ce-core.S | 113 ++--
arch/arm64/crypto/ghash-ce-glue.c | 28 +++--
2 files c
Avoid excessive scheduling delays under a preemptible kernel by
yielding the NEON after every block of input.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/sha2-ce-core.S | 37 ++--
1 file changed, 26 insertions(+), 11 deletions(-)
diff
, and the code in between is only
executed when the yield path is taken, allowing the context to be preserved.
The third macro takes an optional label argument that marks the resume
path after a yield has been performed.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/inclu
Avoid excessive scheduling delays under a preemptible kernel by
yielding the NEON after every block of input.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/sha1-ce-core.S | 42 ++--
1 file changed, 29 insertions(+), 13 deletions(-)
diff
Avoid excessive scheduling delays under a preemptible kernel by
yielding the NEON after every block of input.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/aes-ce.S| 15 +-
arch/arm64/crypto/aes-modes.S | 331
2 files change
Avoid excessive scheduling delays under a preemptible kernel by
yielding the NEON after every block of input.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/aes-ce-ccm-core.S | 150 +---
1 file changed, 95 insertions(+), 55 deletions(-)
Avoid excessive scheduling delays under a preemptible kernel by
yielding the NEON after every block of input.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/aes-neonbs-core.S | 305 +++-
1 file changed, 170 insertions(+), 135 deletions(-)
in the stack frame (for locals) and emit
the ldp/stp sequences.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/include/asm/assembler.h | 60
1 file changed, 60 insertions(+)
diff --git a/arch/arm64/include/asm/assembler.h
b/arch/arm64/inclu
routines yield every 64 bytes and not have
an exception for CBC encrypt which yields every 16 bytes)
So unroll the loop by 4. We still cannot perform the AES algorithm in
parallel, but we can at least merge the loads and stores.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch
INTERLEAVE=4 with inlining disabled for both flavors
of the core AES routines, so let's stick with that, and remove the option
to configure this at build time. This makes the code easier to modify,
which is nice now that we're adding yield support.
Signed-off-by: Ard Biesheuvel <ard.bies
contexts.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/sha256-glue.c | 36 +---
1 file changed, 23 insertions(+), 13 deletions(-)
diff --git a/arch/arm64/crypto/sha256-glue.c b/arch/arm64/crypto/sha256-glue.c
index b064d925fe2a..e8880c
every 64 bytes and not have an exception for
CBC MAC which yields every 16 bytes)
So unroll the loop by 4. We still cannot perform the AES algorithm in
parallel, but we can at least merge the loads and stores.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/cryp
code, and run the remainder of
the code with kernel mode NEON disabled (and preemption enabled)
Note that this requires some reshuffling of the registers in the asm
code, because the XTS routines can no longer rely on the registers to
retain their contents between invocations.
Signed-off-by: Ard
us...@vger.kernel.org
Cc: Peter Zijlstra <pet...@infradead.org>
Cc: Catalin Marinas <catalin.mari...@arm.com>
Cc: Will Deacon <will.dea...@arm.com>
Cc: Steven Rostedt <rost...@goodmis.org>
Cc: Thomas Gleixner <t...@linutronix.de>
Ard Biesheuvel (20):
crypto: testmgr -
In order to be able to test yield support under preempt, add a test
vector for CRC-T10DIF that is long enough to take multiple iterations
(and thus possible preemption between them) of the primary loop of the
accelerated x86 and arm64 implementations.
Signed-off-by: Ard Biesheuvel <ard.bies
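For reference, an input of this shape can also be pushed through the library
interface; the buffer size and fill pattern below are arbitrary illustrations,
not values taken from the patch:

#include <linux/crc-t10dif.h>
#include <linux/kernel.h>
#include <linux/string.h>

static void crc_t10dif_long_input(void)
{
        static u8 buf[2048];    /* spans several iterations of the inner loop */
        u16 crc;

        memset(buf, 0xa5, sizeof(buf));
        crc = crc_t10dif(buf, sizeof(buf));     /* exercises the fast path */
        pr_info("crc-t10dif over %zu bytes: %04x\n", sizeof(buf), crc);
}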
code, and run the remainder of
the code with kernel mode NEON disabled (and preemption enabled)
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/aes-neonbs-glue.c | 36 +---
1 file changed, 17 insertions(+), 19 deletions(-)
diff --git a/arch
code, and run the remainder of
the code with kernel mode NEON disabled (and preemption enabled)
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/aes-ce-ccm-glue.c | 47 ++--
1 file changed, 23 insertions(+), 24 deletions(-)
diff --git a/arch
code, and run the remainder of
the code with kernel mode NEON disabled (and preemption enabled)
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/chacha20-neon-glue.c | 12 +---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/
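The "move en/disable into the loop" change in these patches follows this
general glue-code shape (a sketch, not the actual diff; chacha20_doneon()
stands in for the real NEON core routine, and the state setup is elided):

static int chacha20_neon_crypt(struct skcipher_request *req)
{
        struct skcipher_walk walk;
        u32 state[16];
        int err;

        err = skcipher_walk_virt(&walk, req, false);
        /* ... derive state[] from key and IV ... */

        while (walk.nbytes > 0) {
                unsigned int nbytes = walk.nbytes;

                if (nbytes < walk.total)
                        nbytes = round_down(nbytes, walk.stride);

                kernel_neon_begin();    /* NEON held only around the core */
                chacha20_doneon(state, walk.dst.virt.addr,
                                walk.src.virt.addr, nbytes);
                kernel_neon_end();      /* preemptible again between chunks */

                err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
        }
        return err;
}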
On 6 December 2017 at 12:12, Dave P Martin <dave.mar...@arm.com> wrote:
> On Wed, Dec 06, 2017 at 11:57:12AM +0000, Ard Biesheuvel wrote:
>> On 6 December 2017 at 11:51, Dave Martin <dave.mar...@arm.com> wrote:
>> > On Tue, Dec 05, 2017 at 06:04:34PM +0000, Ard Biesheuvel wrote:
On 6 December 2017 at 11:51, Dave Martin <dave.mar...@arm.com> wrote:
> On Tue, Dec 05, 2017 at 06:04:34PM +0000, Ard Biesheuvel wrote:
>> On 5 December 2017 at 12:45, Ard Biesheuvel <ard.biesheu...@linaro.org>
>> wrote:
>> >
>> >
>> >>
On 5 December 2017 at 12:45, Ard Biesheuvel <ard.biesheu...@linaro.org> wrote:
>
>
>> On 5 Dec 2017, at 12:28, Dave Martin <dave.mar...@arm.com> wrote:
>>
>>> On Mon, Dec 04, 2017 at 12:26:37PM +0000, Ard Biesheuvel wrote:
>>> Add a support macro to conditionally yield the NEON (and thus the CPU)
> On 5 Dec 2017, at 12:28, Dave Martin <dave.mar...@arm.com> wrote:
>
>> On Mon, Dec 04, 2017 at 12:26:37PM +0000, Ard Biesheuvel wrote:
>> Add a support macro to conditionally yield the NEON (and thus the CPU)
>> that may be called from the assembl
Avoid excessive scheduling delays under a preemptible kernel by
yielding the NEON every 8 blocks of input.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/crct10dif-ce-core.S | 39 ++--
1 file changed, 35 insertions(+), 4 deletions(-)
diff
every 64 bytes and not have an exception for
CBC MAC which yields every 16 bytes)
So unroll the loop by 4. We still cannot perform the AES algorithm in
parallel, but we can at least merge the loads and stores.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/cryp
Test code to force a kernel_neon_end+begin sequence at every yield point,
and wipe the entire NEON state before resuming the algorithm.
---
arch/arm64/include/asm/assembler.h | 33
1 file changed, 33 insertions(+)
diff --git a/arch/arm64/include/asm/assembler.h
contexts.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/sha256-glue.c | 36 +---
1 file changed, 23 insertions(+), 13 deletions(-)
diff --git a/arch/arm64/crypto/sha256-glue.c b/arch/arm64/crypto/sha256-glue.c
index b064d925fe2a..e8880c
bytes for that one.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/ghash-ce-core.S | 128 ++--
1 file changed, 92 insertions(+), 36 deletions(-)
diff --git a/arch/arm64/crypto/ghash-ce-core.S
b/arch/arm64/crypto/ghash-ce-core.S
index 11ebf1
routines yield every 64 bytes and not have
an exception for CBC encrypt which yields every 16 bytes)
So unroll the loop by 4. We still cannot perform the AES algorithm in
parallel, but we can at least merge the loads and stores.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch
Avoid excessive scheduling delays under a preemptible kernel by
yielding the NEON every 16 blocks of input.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/crc32-ce-core.S | 55 +++-
1 file changed, 43 insertions(+), 12 deletions(-)
diff
let's add a yield after each 128 bytes of input
(i.e., 8x the AES block size, which is the natural granularity for a
bit-sliced algorithm). This will disable and re-enable kernel mode NEON if a
reschedule is pending.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/
add a yield after each 16 blocks (for
the CE case) or after every block (for the pure NEON case), which will
disable and re-enable kernel mode NEON if a reschedule is pending.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/aes-ce.S| 17 +-
arch/arm64/
Avoid excessive scheduling delays under a preemptible kernel by
yielding the NEON every 8 blocks of input.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/sha2-ce-core.S | 40 ++--
1 file changed, 29 insertions(+), 11 deletions(-)
diff
Avoid excessive scheduling delays under a preemptible kernel by
yielding the NEON every 8 blocks of input.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/sha1-ce-core.S | 45 ++--
1 file changed, 32 insertions(+), 13 deletions(-)
diff
code, and run the remainder of
the code with kernel mode NEON disabled (and preemption enabled)
Note that this requires some reshuffling of the registers in the asm
code, because the XTS routines can no longer rely on the registers to
retain their contents between invocations.
Signed-off-by: Ard
code, and run the remainder of
the code with kernel mode NEON disabled (and preemption enabled)
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/ghash-ce-glue.c | 17 ++---
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/arch/arm64/
code, and run the remainder of
the code with kernel mode NEON disabled (and preemption enabled)
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/aes-ce-ccm-glue.c | 47 ++--
1 file changed, 23 insertions(+), 24 deletions(-)
diff --git a/arch
to be preserved.
The second macro takes a label argument that marks the resume-from-yield
path, which should restore the preserved context again.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/include/asm/assembler.h | 50
1 file changed, 50 insertions(+)
INTERLEAVE=4 with inlining disabled for both flavors
of the core AES routines, so let's stick with that, and remove the option
to configure this at build time. This makes the code easier to modify,
which is nice now that we're adding yield support.
Signed-off-by: Ard Biesheuvel <ard.bies
code, and run the remainder of
the code with kernel mode NEON disabled (and preemption enabled)
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/chacha20-neon-glue.c | 12 +---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/
code, and run the remainder of
the code with kernel mode NEON disabled (and preemption enabled)
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/aes-neonbs-glue.c | 36 +---
1 file changed, 17 insertions(+), 19 deletions(-)
diff --git a/arch
In order to be able to test yield support under preempt, add a test
vector for CRC-T10DIF that is long enough to take multiple iterations
(and thus possible preemption between them) of the primary loop of the
accelerated x86 and arm64 implementations.
Signed-off-by: Ard Biesheuvel <ard.bies
Cc: Steven Rostedt <rost...@goodmis.org>
Cc: Thomas Gleixner <t...@linutronix.de>
Ard Biesheuvel (19):
crypto: testmgr - add a new test case for CRC-T10DIF
crypto: arm64/aes-ce-ccm - move kernel mode neon en/disable into loop
crypto: arm64/aes-blk - move kernel mode neon en/disable into loop
crypto:
On 2 December 2017 at 13:59, Peter Zijlstra <pet...@infradead.org> wrote:
> On Sat, Dec 02, 2017 at 11:15:14AM +0000, Ard Biesheuvel wrote:
>> On 2 December 2017 at 09:11, Ard Biesheuvel <ard.biesheu...@linaro.org>
>> wrote:
>
>> > They consume the entir
On 2 December 2017 at 09:11, Ard Biesheuvel <ard.biesheu...@linaro.org> wrote:
> On 2 December 2017 at 09:01, Peter Zijlstra <pet...@infradead.org> wrote:
>> On Fri, Dec 01, 2017 at 09:19:22PM +0000, Ard Biesheuvel wrote:
>>> Note that the remaining crypto drivers s
On 2 December 2017 at 09:01, Peter Zijlstra <pet...@infradead.org> wrote:
> On Fri, Dec 01, 2017 at 09:19:22PM +0000, Ard Biesheuvel wrote:
>> Note that the remaining crypto drivers simply operate on fixed buffers, so
>> while the RT crowd may still feel the need to disabl
code, and run the remainder of
the code with kernel mode NEON disabled (and preemption enabled)
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/ghash-ce-glue.c | 9 ++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/arch/arm64/crypto/gh
code, and run the remainder of
the code with kernel mode NEON disabled (and preemption enabled)
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/chacha20-neon-glue.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/crypto/chacha2
code, and run the remainder of
the code with kernel mode NEON disabled (and preemption enabled)
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/aes-neonbs-glue.c | 26 +---
1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/arch
code, and run the remainder of
the code with kernel mode NEON disabled (and preemption enabled)
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/aes-ce-ccm-glue.c | 47 ++--
1 file changed, 23 insertions(+), 24 deletions(-)
diff --git a/arch
Cc: Will Deacon <will.dea...@arm.com>
Cc: Steven Rostedt <rost...@goodmis.org>
Cc: Thomas Gleixner <t...@linutronix.de>
Ard Biesheuvel (5):
crypto: arm64/aes-ce-ccm - move kernel mode neon en/disable into loop
crypto: arm64/aes-blk - move kernel mode neon en/disable into loop
c
code, and run the remainder of
the code with kernel mode NEON disabled (and preemption enabled)
Note that this requires some reshuffling of the registers in the asm
code, because the XTS routines can no longer rely on the registers to
retain their contents between invocations.
Signed-off-by: Ard
On 22 November 2017 at 21:29, Eric Biggers <ebigge...@gmail.com> wrote:
> On Wed, Nov 22, 2017 at 08:51:57PM +0000, Ard Biesheuvel wrote:
>> On 22 November 2017 at 19:51, Eric Biggers <ebigge...@gmail.com> wrote:
>> > From: Eric Biggers <ebigg...@google.com>
>
On 22 November 2017 at 19:51, Eric Biggers wrote:
> From: Eric Biggers
>
> When chacha20_block() outputs the keystream block, it uses 'u32' stores
> directly. However, the callers (crypto/chacha20_generic.c and
> drivers/char/random.c) declare the
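The class of fix under discussion stores the keystream through the unaligned
accessors, so callers may pass a u8 buffer of any alignment (a sketch of the
pattern, not Eric's exact patch):

#include <asm/unaligned.h>

static void chacha20_block_output(const u32 x[16], u8 *stream)
{
        int i;

        for (i = 0; i < 16; i++)
                put_unaligned_le32(x[i], stream + i * 4); /* no u32 alignment assumed */
}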
t need the alignment itself.
>
> Signed-off-by: Eric Biggers <ebigg...@google.com>
Acked-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
> ---
> arch/x86/crypto/chacha20_glue.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/arch/x86/crypto/chacha20_g
t; there is no need to have a cra_alignmask set for chacha20-generic.
>
> Signed-off-by: Eric Biggers <ebigg...@google.com>
Acked-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
> ---
> crypto/chacha20_generic.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/c
ers without the unaligned access macros.
>
> Fix it by using the unaligned access macros when loading the key and IV.
>
> Signed-off-by: Eric Biggers <ebigg...@google.com>
Acked-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
> ---
> crypto/chacha20_generic.c |
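The load-side counterpart uses the same accessors instead of casting the u8
key/IV pointers to u32 * (illustrative sketch, not the actual patch):

#include <asm/unaligned.h>

static void chacha20_load_key_words(u32 key_words[8], const u8 *key)
{
        int i;

        for (i = 0; i < 8; i++)
                key_words[i] = get_unaligned_le32(key + i * 4);
}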
> Fix it by just assigning the constants directly instead.
>
> Signed-off-by: Eric Biggers <ebigg...@google.com>
I'm not thrilled about the open coded hex numbers but I don't care
enough to object.
Acked-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
> ---
> crypto/c
cesses.
> On Tue, 21 Nov 2017 13:40:17 +
> Ard Biesheuvel <ard.biesheu...@linaro.org> wrote:
>
>> Most crypto drivers involving kernel mode NEON take care to put the
>> code that actually touches the NEON register file in a separate
>> compilation unit, to preve
Hello Corentin,
On 22 November 2017 at 08:08, Corentin Labbe wrote:
> When a cipher fail
fails
> to register in aes_init(), the error path go thought
goes through
> aes_exit() then crypto_unregister_skciphers().
> Since aes_exit calls also crypto_unregister_skcipher,
() and kernel_neon_end() with instantiations
of the IR that make up its implementation, allowing further reordering
with the asm block.
So let's clean this up, and move the asm() blocks into a separate .S
file.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/Ma
-
> replace bit-sliced OpenSSL NEON code"), but it was just a small part of
> a complete rewrite. This patch just fixes the priority bug for older
> kernels.
>
> Signed-off-by: Eric Biggers <ebigg...@google.com>
Acked-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
>
On 1 November 2017 at 15:45, Bart Van Assche <bart.vanass...@wdc.com> wrote:
> On Wed, 2017-11-01 at 15:17 +0000, Ard Biesheuvel wrote:
>> On 1 November 2017 at 14:50, Bart Van Assche <bart.vanass...@wdc.com> wrote:
>> > On Mon, 2017-10-16 at 15:49 -0700, Bar
he <bart.vanass...@wdc.com>
>> Cc: Ard Biesheuvel <ard.biesheu...@linaro.org>
>> Cc: Herbert Xu <herb...@gondor.apana.org.au>
>
> Ard and/or Herbert, can you please have a look at this patch and let us know
> whether or not it looks fine to you?
>
The pat
9 ("crypto: chacha20 - convert generic and x86 ...")
Cc: <sta...@vger.kernel.org> # v4.11+
Cc: Steffen Klassert <steffen.klass...@secunet.com>
Reported-by: Tobias Brunner <tob...@strongswan.org>
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
cry
We failed to catch a bug in the chacha20 code after porting it to the
skcipher API. We would have caught it if any chunked tests had been
defined, so define some now so we will catch future regressions.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
crypto/testmgr.h | 7
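In testmgr.h of that era, chunking is expressed with the .np/.tap fields of a
test vector; the fragment below is purely illustrative (field names quoted
from memory, sizes invented, data fields omitted):

        /* appended to an existing chacha20 test vector */
        .np     = 3,                    /* feed the input in three pieces ... */
        .tap    = { 25, 16, 31 },       /* ... of these sizes (must sum to .ilen) */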
> On 26 Jul 2017, at 00:36, Giovanni Cabiddu <giovanni.cabi...@intel.com> wrote:
>
> Hi Ard,
>
>> On Fri, Jul 21, 2017 at 04:42:38PM +0100, Ard Biesheuvel wrote:
>> +static int crypto_scomp_init_tfm(struct crypto_tfm *tfm)
>> +{
>> +int ret;
On 24 July 2017 at 17:57, Eric Biggers <ebigge...@gmail.com> wrote:
> On Mon, Jul 24, 2017 at 07:59:43AM +0100, Ard Biesheuvel wrote:
>> On 18 July 2017 at 13:06, Ard Biesheuvel <ard.biesheu...@linaro.org> wrote:
>> > The generic AES driver uses 16 looku
AES module for the shared key expansion routines.
It also frees up register x18, which is not available as a scratch
register on all platforms, so avoiding it improves the
shareability of this code.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/aes-
AES module for the shared key expansion routines.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm/crypto/aes-cipher-core.S | 88 +++-
1 file changed, 65 insertions(+), 23 deletions(-)
diff --git a/arch/arm/crypto/aes-cipher-core.S
b/arch/arm/crypto/aes-
.
So implement a new GCM driver that combines the AES and PMULL instructions
at the block level. This improves performance on Cortex-A57 by ~37% (from
3.5 cpb to 2.6 cpb)
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/Kconfig | 4 +-
arch/arm64/crypto
ble based one, and
is time invariant as well, making it less vulnerable to timing attacks.
When combined with the bit-sliced NEON implementation of AES-CTR, the
AES-GCM performance increases by 2x (from 58 to 29 cycles per byte).
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/ar
mull.p64 code is 16x faster on
this core).
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm/crypto/Kconfig | 5 +-
arch/arm/crypto/ghash-ce-core.S | 234
arch/arm/crypto/ghash-ce-glue.c | 24 +-
3 files changed, 215 insertions(+), 48 delet
The arm64 kernel will shortly disallow nested kernel mode NEON, so
add a fallback to scalar code that can be invoked in that case.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/Kconfig| 3 +-
arch/arm64/crypto/sha2-ce-glue.
The arm64 kernel will shortly disallow nested kernel mode NEON, so
add a fallback to scalar C code that can be invoked in that case.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/Kconfig | 3 +-
arch/arm64/crypto/ghash-ce-glue.
The arm64 kernel will shortly disallow nested kernel mode NEON, so
add a fallback to scalar code that can be invoked in that case.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/Kconfig | 1 +
arch/arm64/crypto/aes-ce-cipher.
The arm64 kernel will shortly disallow nested kernel mode NEON, so
add a fallback to scalar C code that can be invoked in that case.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/Kconfig| 3 ++-
arch/arm64/crypto/sha1-ce-glue.
The arm64 kernel will shortly disallow nested kernel mode NEON, so
add a fallback to scalar C code that can be invoked in that case.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/crct10dif-ce-glue.c | 13 +
1 file changed, 9 insertions
To accommodate systems that may disallow use of the NEON in kernel mode
in some circumstances, introduce a C fallback for synchronous AES in CTR
mode, and use it if may_use_simd() returns false.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/K
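The dispatch this describes boils down to the following shape (the two helper
names on the right are hypothetical):

#include <asm/simd.h>

static int ctr_encrypt_wrapper(struct skcipher_request *req)
{
        if (!may_use_simd())                    /* e.g. called from softirq */
                return ctr_encrypt_fallback(req);       /* scalar C path */

        return ctr_encrypt_neon(req);           /* kernel-mode NEON path */
}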
To accommodate systems that disallow the use of kernel mode NEON in
some circumstances, take the return value of may_use_simd into
account when deciding whether to invoke the C fallback routine.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/chacha20-neon-
called crypto_xor_cpy(),
taking separate input and output arguments. This removes the need for
the separate memcpy().
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm/crypto/aes-ce-glue.c | 4 +---
arch/arm/crypto/aes-neonbs-glue.c | 5 ++---
arch/arm64/cryp
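As a usage sketch (names illustrative), the new helper collapses the
copy-then-XOR pair at such call sites into one pass:

#include <crypto/algapi.h>

static void apply_keystream(u8 *dst, const u8 *src, const u8 *keystream,
                            unsigned int len)
{
        /* before: memcpy(dst, src, len); crypto_xor(dst, keystream, len); */
        crypto_xor_cpy(dst, src, keystream, len);       /* dst = src ^ keystream */
}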
The arm64 kernel will shortly disallow nested kernel mode NEON, so
add a fallback to scalar C code that can be invoked in that case.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/crc32-ce-glue.c | 11 ++-
1 file changed, 6 insertions(+), 5 del
to be updated to reflect that.
Signed-off-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/aes-ce-ccm-core.S | 30 -
arch/arm64/crypto/aes-ce-cipher.c | 35 +---
arch/arm64/crypto/aes-ce.S | 12 +++
3 files changed, 37 insertions(
In preparation of introducing crypto_xor_cpy(), which will use separate
operands for input and output, modify the __crypto_xor() implementation,
which it will share with the existing crypto_xor(), which provides the
actual functionality when not using the inline version.
Signed-off-by: Ard
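The reworked helper then has this general shape (a byte-at-a-time sketch; the
real implementation works a word at a time where alignment allows):

void __crypto_xor(u8 *dst, const u8 *src1, const u8 *src2, unsigned int len)
{
        while (len--)
                *dst++ = *src1++ ^ *src2++;
}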
.
This supersedes all other crypto patches I have outstanding, including the
AES refactor ones which I will rework later.
Ard Biesheuvel (18):
crypto/algapi - use separate dst and src operands for __crypto_xor()
crypto/algapi - make crypto_xor() take separate dst and src arguments
crypto: arm64
The arm64 kernel will shortly disallow nested kernel mode NEON.
So honour this in the ARMv8 Crypto Extensions implementation of
CCM-AES, and fall back to a scalar implementation using the generic
crypto helpers for AES, XOR and incrementing the CTR counter.
Signed-off-by: Ard Biesheuvel
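One CTR step of such a scalar fallback might look like this (a sketch:
aes_encrypt() stands in for whichever generic AES helper the patch actually
uses):

#include <crypto/aes.h>
#include <crypto/algapi.h>

static void ccm_ctr_step_fallback(const struct crypto_aes_ctx *ctx, u8 *dst,
                                  const u8 *src, u8 ctr[AES_BLOCK_SIZE])
{
        u8 ks[AES_BLOCK_SIZE];

        aes_encrypt(ctx, ks, ctr);              /* hypothetical scalar helper */
        crypto_xor_cpy(dst, src, ks, AES_BLOCK_SIZE);
        crypto_inc(ctr, AES_BLOCK_SIZE);        /* big-endian counter bump */
}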
-by: Ard Biesheuvel <ard.biesheu...@linaro.org>
---
arch/arm64/crypto/Kconfig | 1 +
arch/arm64/crypto/aes-neonbs-glue.c | 48 ++--
2 files changed, 44 insertions(+), 5 deletions(-)
diff --git a/arch/arm64/crypto/Kconfig b/arch/arm64/crypto/Kconfig
index a068dc