On Thu, Nov 03, 2022 at 08:22:56PM +0100, Ard Biesheuvel wrote:
> Provide a generic library implementation of AES-GCM which can be used
> really early during boot, e.g., to communicate with the security
> coprocessor on SEV-SNP virtual machines to bring up secondary cores.
> This is needed because the crypto API is not available yet this early.
>
> We cannot rely on special instructions for AES or polynomial
> multiplication, which are arch specific and rely on in-kernel SIMD
> infrastructure. Instead, add a generic C implementation that combines
> the existing C implementations of AES and multiplication in GF(2^128).
>
> To reduce the risk of forgery attacks, replace data dependent table
> lookups and conditional branches in the used gf128mul routine with
> constant-time equivalents. The AES library has already been robustified
> to some extent to prevent known-plaintext timing attacks on the key, but
> we call it with interrupts disabled to make it a bit more robust. (Note
> that in SEV-SNP context, the VMM is untrusted, and is able to inject
> interrupts arbitrarily, and potentially maliciously.)
>
> Changes since v4:
> - Rename CONFIG_CRYPTO_GF128MUL to CONFIG_CRYPTO_LIB_GF128MUL
> - Use bool return value for decrypt routine to align with other AEAD
> library code
> - Return -ENODEV on selftest failure to align with other algos
> - Use pr_err() not WARN() on selftest failure for the same reason
> - Mention in a code comment that the counter cannot roll over or result
> in a carry due to the width of the type representing the size of the
> input
>
> Changes since v3:
> - rename GCM-AES to AES-GCM
>
> Changes since v2:
> - move gf128mul to lib/crypto
> - add patch #2 to make gf128mul_lle constant time
> - fix kerneldoc headers and drop them from the .h file
>
> Changes since v1:
> - rename gcm to gcmaes to reflect that GCM is also used in
> combination with other symmetric ciphers (Jason)
> - add Nikunj's Tested-by
>
> Cc: Eric Biggers <ebiggers@xxxxxxxxxx>
> Cc: Robert Elliott <elliott@xxxxxxx>
> Cc: Jason A. Donenfeld <Jason@xxxxxxxxx>
> Cc: Nikunj A Dadhania <nikunj@xxxxxxx>
>
> Ard Biesheuvel (3):
> crypto: move gf128mul library into lib/crypto
> crypto: gf128mul - make gf128mul_lle time invariant
> crypto: aesgcm - Provide minimal library implementation
>
> arch/arm/crypto/Kconfig | 2 +-
> arch/arm64/crypto/Kconfig | 2 +-
> crypto/Kconfig | 9 +-
> crypto/Makefile | 1 -
> drivers/crypto/chelsio/Kconfig | 2 +-
> include/crypto/gcm.h | 22 +
> lib/crypto/Kconfig | 9 +
> lib/crypto/Makefile | 5 +
> lib/crypto/aesgcm.c | 727 ++++++++++++++++++++
> {crypto => lib/crypto}/gf128mul.c | 58 +-
> 10 files changed, 808 insertions(+), 29 deletions(-)
> create mode 100644 lib/crypto/aesgcm.c
> rename {crypto => lib/crypto}/gf128mul.c (87%)
>
> --
> 2.35.1
All applied. Thanks.
--
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
