On Tue, Jul 07, 2020 at 09:31:57AM +0300, Ard Biesheuvel wrote:
> Even though the ccp driver implements an asynchronous version of xts(aes),
> the fallback it allocates is required to be synchronous. Given that SIMD
> based software implementations are usually asynchronous as well, even
> though they rarely complete asynchronously (this typically only happens
> in cases where the request was made from softirq context, while SIMD was
> already in use in the task context that it interrupted), these
> implementations are disregarded, and either the generic C version or
> another table based version implemented in assembler is selected instead.
>
> Since falling back to synchronous AES is not only a performance issue, but
> potentially a security issue as well (due to the fact that table based AES
> is not time invariant), let's fix this, by allocating an ordinary skcipher
> as the fallback, and invoke it with the completion routine that was given
> to the outer request.
>
> Signed-off-by: Ard Biesheuvel <ardb@xxxxxxxxxx>

Acked-by: John Allen <john.allen@xxxxxxx>