On Mon, 17 Oct 2022 at 20:20, Eric Biggers <ebiggers@xxxxxxxxxx> wrote: > > On Fri, Oct 14, 2022 at 12:47:13PM +0200, Ard Biesheuvel wrote: > > Note that table based AES implementations are susceptible to known > > plaintext timing attacks on the encryption key. The AES library already > > attempts to mitigate this to some extent, but given that the counter > > mode encryption used by GCM operates exclusively on known plaintext by > > construction (the IV and therefore the initial counter value are known > > to an attacker), let's take some extra care to mitigate this, by calling > > the AES library with interrupts disabled. > > Note that crypto/gf128mul.c has no mitigations against timing attacks. I take > it that is something that needs to be tolerated here? > Ah good point - I misremembered and thought that the 'slow' version without the expanded key uses not table lookups at all. I can add a patch to address this, it doesn't seem all that difficult to remove the table lookups and data or key dependent conditionals. > > diff --git a/include/crypto/gcm.h b/include/crypto/gcm.h > > index 9d7eff04f224..dfbc381df5ae 100644 > > --- a/include/crypto/gcm.h > > +++ b/include/crypto/gcm.h > > @@ -3,6 +3,9 @@ > > > > #include <linux/errno.h> > > > > +#include <crypto/aes.h> > > +#include <crypto/gf128mul.h> > > + > > #define GCM_AES_IV_SIZE 12 > > #define GCM_RFC4106_IV_SIZE 8 > > #define GCM_RFC4543_IV_SIZE 8 > > @@ -60,4 +63,67 @@ static inline int crypto_ipsec_check_assoclen(unsigned int assoclen) > > > > return 0; > > } > > + > > +struct gcmaes_ctx { > > + be128 ghash_key; > > + struct crypto_aes_ctx aes_ctx; > > + unsigned int authsize; > > +}; > > + > > +/** > > + * gcmaes_expandkey - Expands the AES and GHASH keys for the GCM-AES key > > + * schedule > > + * > > + * @ctx: The data structure that will hold the GCM-AES key schedule > > + * @key: The AES encryption input key > > + * @keysize: The length in bytes of the input key > > + * @authsize: The size in bytes of the GCM authentication tag > > + * > > + * Returns 0 on success, or -EINVAL if @keysize or @authsize contain values > > + * that are not permitted by the GCM specification. > > + */ > > +int gcmaes_expandkey(struct gcmaes_ctx *ctx, const u8 *key, > > + unsigned int keysize, unsigned int authsize); > > These comments are duplicated in the .c file too. They should be in just one > place, probably the .c file since that approach is more common in the kernel. > OK > Also, this seems to be intended to be a kerneldoc comment, but the return value > isn't documented in the correct format. It needs to be "Return:". Try this: > > $ ./scripts/kernel-doc -v -none lib/crypto/gcmaes.c > lib/crypto/gcmaes.c:35: info: Scanning doc for function gcmaes_expandkey > lib/crypto/gcmaes.c:48: warning: No description found for return value of 'gcmaes_expandkey' > lib/crypto/gcmaes.c:114: info: Scanning doc for function gcmaes_encrypt > lib/crypto/gcmaes.c:142: info: Scanning doc for function gcmaes_decrypt > lib/crypto/gcmaes.c:162: warning: No description found for return value of 'gcmaes_decrypt' > OK, will fix. > > +config CRYPTO_LIB_GCMAES > > + tristate > > + select CRYPTO_GF128MUL > > + select CRYPTO_LIB_AES > > + select CRYPTO_LIB_UTILS > > Doesn't this mean that crypto/gf128mul.c needs to be moved into lib/crypto/? > Probably, I'll address that as well in v3. Thanks, Ard.