On Wed, Jul 26, 2023 at 07:29:58PM +0200, Ard Biesheuvel wrote: > The generic AES implementation we rely on if no architecture specific > one is available relies on lookup tables that are relatively large with > respect to the typical L1 D-cache size, which not only affects > performance, it may also result in timing variances that correlate with > the encryption keys. > > So we tend to avoid the generic code if we can, usually by using a > driver that makes use of special AES instructions which supplant most of > the logic of the table based implementation the AES algorithm. > > The Zkn RISC-V extension provides another interesting take on this: it > defines instructions operating on scalar registers that implement the > table lookups without relying on tables in memory. Those tables carry > 32-bit quantities, making them a natural fit for a 32-bit architecture. > And given the use of scalars, we don't have to rely in in-kernel SIMD, > which is a bonus. > > So let's use the instructions to implement the core AES cipher for RV32. > > Cc: Paul Walmsley <paul.walmsley@xxxxxxxxxx> > Cc: Palmer Dabbelt <palmer@xxxxxxxxxxx> > Cc: Albert Ou <aou@xxxxxxxxxxxxxxxxx> > Cc: Christoph Müllner <christoph.muellner@xxxxxxxx> > Cc: Heiko Stuebner <heiko.stuebner@xxxxxxxx> > Signed-off-by: Ard Biesheuvel <ardb@xxxxxxxxxx> > --- > arch/riscv/crypto/Kconfig | 12 ++ > arch/riscv/crypto/Makefile | 3 + > arch/riscv/crypto/aes-riscv32-glue.c | 75 ++++++++++++ > arch/riscv/crypto/aes-riscv32-zkned.S | 119 ++++++++++++++++++++ > 4 files changed, 209 insertions(+) Hi Ard: Any chance you could postpone this til after I've finished removing crypto_cipher? Thanks, -- Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt