Re: [PATCH] crypto: arm/aes-neonbs - go back to using aes-arm directly

On Fri, Aug 09, 2024 at 04:11:49PM -0700, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@xxxxxxxxxx>
> 
> In aes-neonbs, instead of going through the crypto API for the parts
> that the bit-sliced AES code doesn't handle, namely AES-CBC encryption
> and single-block AES, just call the ARM scalar AES cipher directly.
> 
> This basically goes back to the original approach that was used before
> commit b56f5cbc7e08 ("crypto: arm/aes-neonbs - resolve fallback cipher
> at runtime").  Calling the ARM scalar AES cipher directly is faster,
> simpler, and avoids any chance of bugs specific to the use of fallback
> ciphers such as module loading deadlocks which have happened twice.  The
> deadlocks turned out to be fixable in other ways, but there's no need to
> rely on anything so fragile in the first place.
> 
> The rationale for the above-mentioned commit was to allow people to
> choose to use a time-invariant AES implementation for the fallback
> cipher.  There are a couple problems with that rationale, though:
> 
> - In practice the ARM scalar AES cipher (aes-arm) was used anyway, since
>   it has a higher priority than aes-fixed-time.  Users *could* go out of
>   their way to disable or blacklist aes-arm, or to lower its priority
>   using NETLINK_CRYPTO, but very few users customize the crypto API to
>   this extent.  Systems with the ARMv8 Crypto Extensions used aes-ce,
>   but the bit-sliced algorithms are irrelevant on such systems anyway.
> 
> - Since commit 913a3aa07d16 ("crypto: arm/aes - add some hardening
>   against cache-timing attacks"), the ARM scalar AES cipher is partially
>   hardened against cache-timing attacks.  It actually works like
>   aes-fixed-time, in that it disables interrupts and prefetches its
>   lookup table.  It does use a larger table than aes-fixed-time, but
>   even so, it is not clear that aes-fixed-time is meaningfully more
>   time-invariant than aes-arm.  And of course, the real solution for
>   time-invariant AES is to use a CPU that supports AES instructions.
> 
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
> ---
>  arch/arm/crypto/Kconfig           |  14 +++-
>  arch/arm/crypto/aes-cipher-glue.c |   5 +-
>  arch/arm/crypto/aes-cipher.h      |  13 +++
>  arch/arm/crypto/aes-neonbs-glue.c | 131 ++++++++++--------------------
>  4 files changed, 67 insertions(+), 96 deletions(-)
>  create mode 100644 arch/arm/crypto/aes-cipher.h

Patch applied.  Thanks.
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt