On Thu, Nov 03, 2022 at 08:22:56PM +0100, Ard Biesheuvel wrote:
> Provide a generic library implementation of AES-GCM which can be used
> really early during boot, e.g., to communicate with the security
> coprocessor on SEV-SNP virtual machines to bring up secondary cores.
> This is needed because the crypto API is not available yet this early.
>
> We cannot rely on special instructions for AES or polynomial
> multiplication, which are arch specific and rely on in-kernel SIMD
> infrastructure. Instead, add a generic C implementation that combines
> the existing C implementations of AES and multiplication in GF(2^128).
>
> To reduce the risk of forgery attacks, replace data dependent table
> lookups and conditional branches in the used gf128mul routine with
> constant-time equivalents. The AES library has already been robustified
> to some extent to prevent known-plaintext timing attacks on the key, but
> we call it with interrupts disabled to make it a bit more robust. (Note
> that in SEV-SNP context, the VMM is untrusted, and is able to inject
> interrupts arbitrarily, and potentially maliciously.)
>
> Changes since v4:
> - Rename CONFIG_CRYPTO_GF128MUL to CONFIG_CRYPTO_LIB_GF128MUL
> - Use bool return value for decrypt routine to align with other AEAD
>   library code
> - Return -ENODEV on selftest failure to align with other algos
> - Use pr_err() not WARN() on selftest failure for the same reason
> - Mention in a code comment that the counter cannot roll over or result
>   in a carry due to the width of the type representing the size of the
>   input
>
> Changes since v3:
> - rename GCM-AES to AES-GCM
>
> Changes since v2:
> - move gf128mul to lib/crypto
> - add patch #2 to make gf128mul_lle constant time
> - fix kerneldoc headers and drop them from the .h file
>
> Changes since v1:
> - rename gcm to gcmaes to reflect that GCM is also used in
>   combination with other symmetric ciphers (Jason)
> - add Nikunj's Tested-by
>
> Cc: Eric Biggers <ebiggers@xxxxxxxxxx>
> Cc: Robert Elliott <elliott@xxxxxxx>
> Cc: Jason A. Donenfeld <Jason@xxxxxxxxx>
> Cc: Nikunj A Dadhania <nikunj@xxxxxxx>
>
> Ard Biesheuvel (3):
>   crypto: move gf128mul library into lib/crypto
>   crypto: gf128mul - make gf128mul_lle time invariant
>   crypto: aesgcm - Provide minimal library implementation
>
>  arch/arm/crypto/Kconfig           |   2 +-
>  arch/arm64/crypto/Kconfig         |   2 +-
>  crypto/Kconfig                    |   9 +-
>  crypto/Makefile                   |   1 -
>  drivers/crypto/chelsio/Kconfig    |   2 +-
>  include/crypto/gcm.h              |  22 +
>  lib/crypto/Kconfig                |   9 +
>  lib/crypto/Makefile               |   5 +
>  lib/crypto/aesgcm.c               | 727 ++++++++++++++++++++
>  {crypto => lib/crypto}/gf128mul.c |  58 +-
>  10 files changed, 808 insertions(+), 29 deletions(-)
>  create mode 100644 lib/crypto/aesgcm.c
>  rename {crypto => lib/crypto}/gf128mul.c (87%)
>
> --
> 2.35.1

All applied.  Thanks.
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
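As an added illustration of the "time invariant gf128mul_lle" idea discussed in the cover letter (this is not code from the series or from the kernel's gf128mul.c, which uses a different table-based construction): a bit-serial GF(2^128) multiply in GCM's "lle" bit order where the per-bit conditionals are replaced with all-ones/all-zero masks, so no branch or memory index depends on the operands. It is checked against x^127 * x (which must reduce to 0xE1 00..00) and the NIST SP 800-38D GCM test case 2 values H, C and X1 = C * H.

```c
#include <stdint.h>
#include <string.h>
/* Big-endian 64-bit load/store; bytes 0..7 of a block form the high word. */
static uint64_t ld64(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}
static void st64(uint8_t *p, uint64_t v)
{
    for (int i = 7; i >= 0; i--, v >>= 8) p[i] = (uint8_t)v;
}
/* out = a * b in GF(2^128), GCM ("lle") bit order: bit 7 of byte 0 is the x^0
 * coefficient, bit 0 of byte 15 is x^127, modulus x^128+x^7+x^2+x+1.  Bit-serial
 * shift-and-add where every select is a mask, so no branch or memory index
 * depends on a or b.  out may alias a: a is fully read before out is written. */
void gf128_mul_lle_ct(uint8_t out[16], const uint8_t a[16], const uint8_t b[16])
{
    uint64_t vh = ld64(b), vl = ld64(b + 8);  /* V = b, becomes b*x^i */
    uint64_t zh = 0, zl = 0;                  /* Z accumulates the product */
    for (int i = 0; i < 128; i++) {
        uint64_t mask = 0 - (uint64_t)((a[i >> 3] >> (7 - (i & 7))) & 1);
        zh ^= vh & mask;                      /* Z ^= V iff a has an x^i term */
        zl ^= vl & mask;
        uint64_t carry = 0 - (vl & 1);        /* x^127 term about to fall off */
        vl = (vl >> 1) | (vh << 63);          /* V *= x: shift toward x^127 */
        vh = (vh >> 1) ^ (0xE100000000000000ULL & carry); /* fold x^128 back in */
    }
    st64(out, zh);
    st64(out + 8, zl);
}
/* Self-check: x^127 * x must reduce to x^7+x^2+x+1 (0xE1 in byte 0), and the
 * NIST GCM test case 2 values H, C and X1 = C*H must match.  Returns 1 if OK. */
int gf128_selfcheck(void)
{
    static const uint8_t x127[16] = { [15] = 0x01 }, x1[16] = { 0x40 }, red[16] = { 0xE1 };
    static const uint8_t h[16] = { 0x66,0xe9,0x4b,0xd4,0xef,0x8a,0x2c,0x3b,
                                   0x88,0x4c,0xfa,0x59,0xca,0x34,0x2b,0x2e };
    static const uint8_t c[16] = { 0x03,0x88,0xda,0xce,0x60,0xb6,0xa3,0x92,
                                   0xf3,0x28,0xc2,0xb9,0x71,0xb2,0xfe,0x78 };
    static const uint8_t x1v[16] = { 0x5e,0x2e,0xc7,0x46,0x91,0x70,0x62,0x88,
                                     0x2c,0x85,0xb0,0x68,0x53,0x53,0xde,0xb7 };
    uint8_t out[16];
    gf128_mul_lle_ct(out, x127, x1);
    if (memcmp(out, red, 16) != 0) return 0;
    gf128_mul_lle_ct(out, c, h);
    return memcmp(out, x1v, 16) == 0;
}
```

Constant time here is a source-level property only: a compiler may turn the mask selects back into branches, so the generated assembly (and, as the cover letter notes, the interrupt context it runs in) still has to be checked.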