> -----Original Message----- > From: Ard Biesheuvel <ardb@xxxxxxxxxx> > Sent: Thursday, November 3, 2022 2:23 PM > Subject: [PATCH v5 3/3] crypto: aesgcm - Provide minimal library implementation > Given include/crypto/aes.h: struct crypto_aes_ctx { u32 key_enc[AES_MAX_KEYLENGTH_U32]; u32 key_dec[AES_MAX_KEYLENGTH_U32]; u32 key_length; }; plus: ... +struct aesgcm_ctx { + be128 ghash_key; + struct crypto_aes_ctx aes_ctx; + unsigned int authsize; +}; ... > +static void aesgcm_encrypt_block(const struct crypto_aes_ctx *ctx, void *dst, ... > + local_irq_save(flags); > + aes_encrypt(ctx, dst, src); > + local_irq_restore(flags); > +} ... > +int aesgcm_expandkey(struct aesgcm_ctx *ctx, const u8 *key, > + unsigned int keysize, unsigned int authsize) > +{ > + u8 kin[AES_BLOCK_SIZE] = {}; > + int ret; > + > + ret = crypto_gcm_check_authsize(authsize) ?: > + aes_expandkey(&ctx->aes_ctx, key, keysize); Since GCM uses the underlying cipher's encrypt algorithm for both encryption and decryption, is there any need for the 240-byte aesctx->key_dec decryption key schedule that aes_expandkey also prepares? For modes like this, it might be worth creating a specialized struct that only holds the encryption key schedule (key_enc), with a derivative of aes_expandkey() that only updates it.