Linux kernel documentation tree maintained by Jonathan Corbet http://mirrors.hust.edu.cn/git/lwn.git/atom?h=v4.13 2017-06-10T04:04:35+00:00 2017-06-10T04:04:35+00:00 Tudor-Dan Ambarus tudor.ambarus@microchip.com 2017-05-30T14:52:48+00:00 urn:sha1:6755fd269d5c100b0eca420db501ae58435efd6e Add support for generating ecc private keys. Generation of ecc private keys is helpful in a user-space to kernel ecdh offload because the keys are not revealed to user-space. Private key generation is also helpful to implement forward secrecy. If the user provides a NULL ecc private key, the kernel will generate it and further use it for ecdh. Move ecdh's object files below drbg's. drbg must be present in the kernel at the time of calling. Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com> Reviewed-by: Stephan Müller <smueller@chronox.de> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2017-04-05T13:58:37+00:00 Ondrej Mosnáček omosnacek@gmail.com 2017-04-02T19:19:16+00:00 urn:sha1:ad1064cd612e11b807eb764140deb5c1875ca5dc Since the gf128mul_x_ble function used by xts.c is now defined inline in the header file, the XTS module no longer depends on gf128mul. Therefore, the 'select CRYPTO_GF128MUL' line can be safely removed. Signed-off-by: Ondrej Mosnacek <omosnacek@gmail.com> Reviewd-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2017-03-24T14:02:54+00:00 Daniel Axtens dja@axtens.net 2017-03-15T12:37:37+00:00 urn:sha1:146c8688d99c574d9ff0af17eca51bbd6402a57f vpmsum implementations often don't kick in for short test vectors. This is a simple test module that does a configurable number of random tests, each up to 64kB and each with random offsets. Both CRC-T10DIF and CRC32C are tested. Cc: Anton Blanchard <anton@samba.org> Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2017-03-24T14:02:53+00:00 Daniel Axtens dja@axtens.net 2017-03-15T12:37:36+00:00 urn:sha1:b01df1c16c9a6f7a14f843d3ac6b9eef5a7bb17e T10DIF is a CRC16 used heavily in NVMe. It turns out we can accelerate it with a CRC32 library and a few little tricks. Provide the accelerator based the refactored CRC32 code. Cc: Anton Blanchard <anton@samba.org> Thanks-to: Hong Bo Peng <penghb@cn.ibm.com> Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2017-02-23T12:11:06+00:00 Milan Broz gmazyland@gmail.com 2017-02-23T07:38:26+00:00 urn:sha1:12cb3a1c4184f891d965d1f39f8cfcc9ef617647 Since the commit f1c131b45410a202eb45cc55980a7a9e4e4b4f40 crypto: xts - Convert to skcipher the XTS mode is based on ECB, so the mode must select ECB otherwise it can fail to initialize. Signed-off-by: Milan Broz <gmazyland@gmail.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2017-02-11T09:50:45+00:00 Ard Biesheuvel ard.biesheuvel@linaro.org 2017-02-03T14:49:36+00:00 urn:sha1:f15f05b0a5de667c821a9727c33bce9d1d9b26dd Update the generic CCM driver to defer CBC-MAC processing to a dedicated CBC-MAC ahash transform rather than open coding this transform (and much of the associated scatterwalk plumbing) in the CCM driver itself. This cleans up the code considerably, but more importantly, it allows the use of alternative CBC-MAC implementations that don't suffer from performance degradation due to significant setup time (e.g., the NEON based AES code needs to enable/disable the NEON, and load the S-box into 16 SIMD registers, which cannot be amortized over the entire input when using the cipher interface) Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2017-02-11T09:50:43+00:00 Ard Biesheuvel ard.biesheuvel@linaro.org 2017-02-02T16:37:40+00:00 urn:sha1:b5e0b032b6c31c052ee0132ee70b155c22cf7b28 Lookup table based AES is sensitive to timing attacks, which is due to the fact that such table lookups are data dependent, and the fact that 8 KB worth of tables covers a significant number of cachelines on any architecture, resulting in an exploitable correlation between the key and the processing time for known plaintexts. For network facing algorithms such as CTR, CCM or GCM, this presents a security risk, which is why arch specific AES ports are typically time invariant, either through the use of special instructions, or by using SIMD algorithms that don't rely on table lookups. For generic code, this is difficult to achieve without losing too much performance, but we can improve the situation significantly by switching to an implementation that only needs 256 bytes of table data (the actual S-box itself), which can be prefetched at the start of each block to eliminate data dependent latencies. This code encrypts at ~25 cycles per byte on ARM Cortex-A57 (while the ordinary generic AES driver manages 18 cycles per byte on this hardware). Decryption is substantially slower. Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2016-11-28T13:23:20+00:00 Herbert Xu herbert@gondor.apana.org.au 2016-11-22T12:08:33+00:00 urn:sha1:85671860caaca2f3831f675d48356810731a33eb This patch converts aesni (including fpu) over to the skcipher interface. The LRW implementation has been removed as the generic LRW code can now be used directly on top of the accelerated ECB implementation. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2016-11-28T13:23:20+00:00 Herbert Xu herbert@gondor.apana.org.au 2016-11-22T12:08:29+00:00 urn:sha1:065ce3273782b632f3e16ab789b432e12deb6823 This patch adds xts helpers that use the skcipher interface rather than blkcipher. This will be used by aesni_intel. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> 2016-11-28T13:23:18+00:00 Herbert Xu herbert@gondor.apana.org.au 2016-11-22T12:08:25+00:00 urn:sha1:266d05160101752a12e43bb6bbed45aea9f2e788 This patch adds the simd skcipher helper which is meant to be a replacement for ablk helper. It replaces the underlying blkcipher interface with skcipher, and also presents the top-level algorithm as an skcipher. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>