[PATCH 2/5] crypto: remove RIPE-MD 256 hash algorithm

2021-01-21 Thread Ard Biesheuvel
RIPE-MD 256 is never referenced anywhere in the kernel, and unlikely to be depended upon by userspace via AF_ALG. So let's remove it Signed-off-by: Ard Biesheuvel --- crypto/Kconfig | 12 - crypto/Makefile | 1 - crypto/ripemd.h | 3 - crypto/rmd256.c

[PATCH 0/5] crypto: remove some obsolete algorithms

2021-01-21 Thread Ard Biesheuvel
Remove a set of algorithms that are never used in the kernel, and are highly unlikely to be depended upon by user space either. Cc: Eric Biggers Cc: Herbert Xu Ard Biesheuvel (5): crypto: remove RIPE-MD 128 hash algorithm crypto: remove RIPE-MD 256 hash algorithm crypto: remove RIPE-MD

Re: [PATCH 1/2] crypto: talitos - Work around SEC6 ERRATA (AES-CTR mode data size error)

2021-01-21 Thread Ard Biesheuvel
On Thu, 21 Jan 2021 at 10:54, Christophe Leroy wrote: > > > > Le 21/01/2021 à 08:31, Ard Biesheuvel a écrit : > > On Thu, 21 Jan 2021 at 06:35, Christophe Leroy > > wrote: > >> > >> > >> > >> Le 20/01/2021 à 23:23, Ard Biesheuvel a

Re: [RFC PATCH 0/6] Keem Bay OCS ECC crypto driver

2021-01-21 Thread Ard Biesheuvel
On Wed, 20 Jan 2021 at 20:00, Alessandrelli, Daniele wrote: > > Hi Ard, > > Thank you very much for your valuable feedback. > > On Mon, 2021-01-18 at 13:09 +0100, Ard Biesheuvel wrote: > > This is rather unusual compared with how the crypto API is typically > > us

Re: [PATCH 1/2] crypto: talitos - Work around SEC6 ERRATA (AES-CTR mode data size error)

2021-01-20 Thread Ard Biesheuvel
On Thu, 21 Jan 2021 at 06:35, Christophe Leroy wrote: > > > > Le 20/01/2021 à 23:23, Ard Biesheuvel a écrit : > > On Wed, 20 Jan 2021 at 19:59, Christophe Leroy > > wrote: > >> > >> Talitos Security Engine AESU considers any input > >> data siz

Re: [PATCH 1/2] crypto: talitos - Work around SEC6 ERRATA (AES-CTR mode data size error)

2021-01-20 Thread Ard Biesheuvel
On Wed, 20 Jan 2021 at 19:59, Christophe Leroy wrote: > > Talitos Security Engine AESU considers any input > data size that is not a multiple of 16 bytes to be an error. > This is not a problem in general, except for Counter mode > that is a stream cipher and can have an input of any size. > > Tes

Re: [RFC PATCH 4/5] arm64: fpsimd: run kernel mode NEON with softirqs disabled

2021-01-19 Thread Ard Biesheuvel
On Tue, 19 Jan 2021 at 17:01, Dave Martin wrote: > > On Fri, Dec 18, 2020 at 06:01:05PM +0100, Ard Biesheuvel wrote: > > Kernel mode NEON can be used in task or softirq context, but only in > > a non-nesting manner, i.e., softirq context is only permitted if the > > inte

Re: [RFC PATCH 0/6] Keem Bay OCS ECC crypto driver

2021-01-18 Thread Ard Biesheuvel
On Mon, 18 Jan 2021 at 12:55, Reshetova, Elena wrote: > > > On Thu, 14 Jan 2021 at 11:25, Reshetova, Elena > > wrote: > > > > > > > > On Mon, Jan 04, 2021 at 08:04:15AM +, Reshetova, Elena wrote: > > > > > > > 2. The OCS ECC HW does not support the NIST P-192 curve. We were > > planning > > >

Re: [RFC V1 0/7] Introduce AVX512 optimized crypto algorithms

2021-01-16 Thread Ard Biesheuvel
On Mon, 28 Dec 2020 at 20:11, Dey, Megha wrote: > > Hi Eric, > > On 12/21/2020 3:20 PM, Eric Biggers wrote: > > On Fri, Dec 18, 2020 at 01:10:57PM -0800, Megha Dey wrote: > >> Optimize crypto algorithms using VPCLMULQDQ and VAES AVX512 instructions > >> (first implemented on Intel's Icelake client

Re: [RFC V1 3/7] crypto: ghash - Optimized GHASH computations

2021-01-16 Thread Ard Biesheuvel
On Sat, 16 Jan 2021 at 06:13, Dave Hansen wrote: > > On 1/15/21 6:04 PM, Eric Biggers wrote: > > On Fri, Jan 15, 2021 at 04:20:44PM -0800, Dave Hansen wrote: > >> On 1/15/21 4:14 PM, Dey, Megha wrote: > >>> Also, I do not know of any cores that implement PCLMULQDQ and not AES-NI. > >> That's true,

Re: [RFC V1 1/7] x86: Probe assembler capabilities for VAES and VPLCMULQDQ support

2021-01-16 Thread Ard Biesheuvel
On Fri, 18 Dec 2020 at 22:07, Megha Dey wrote: > > This is a preparatory patch to introduce the optimized crypto algorithms > using AVX512 instructions which would require VAES and VPLCMULQDQ support. > > Check for VAES and VPCLMULQDQ assembler support using AVX512 registers. > > Cc: x...@kernel.o

Re: [RFC V1 7/7] crypto: aesni - AVX512 version of AESNI-GCM using VPCLMULQDQ

2021-01-16 Thread Ard Biesheuvel
On Fri, 18 Dec 2020 at 22:08, Megha Dey wrote: > > Introduce the AVX512 implementation that optimizes the AESNI-GCM encode > and decode routines using VPCLMULQDQ. > > The glue code in AESNI module overrides the existing AVX2 GCM mode > encryption/decryption routines with the AX512 AES GCM mode one

Re: [RFC V1 5/7] crypto: aesni - AES CTR x86_64 "by16" AVX512 optimization

2021-01-16 Thread Ard Biesheuvel
On Fri, 18 Dec 2020 at 22:08, Megha Dey wrote: > > Introduce the "by16" implementation of the AES CTR mode using AVX512 > optimizations. "by16" means that 16 independent blocks (each block > being 128 bits) can be ciphered simultaneously as opposed to the > current 8 blocks. > > The glue code in A

[PATCH 2/2] crypto: aesni - release FPU during skcipher walk API calls

2021-01-16 Thread Ard Biesheuvel
can change the 'atomic' bool argument in the calls to skcipher_walk_virt() to false as well. Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/aesni-intel_glue.c | 73 +--- 1 file changed, 32 insertions(+), 41 deletions(-) diff --git a/arch/x86/crypto/aesni-intel_glue

[PATCH 0/2] crypto: aesni - fix more FPU handling and indirect call issues

2021-01-16 Thread Ard Biesheuvel
which is unnecessary, and potentially problematic for workloads that are sensitive to scheduling latency. Let's also switch to a static call for the CTR mode asm helper, which gets chosen once at driver init time. Cc: Megha Dey Cc: Eric Biggers Cc: Herbert Xu Ard Biesheuvel (2): cry

[PATCH 1/2] crypto: aesni - replace CTR function pointer with static call

2021-01-16 Thread Ard Biesheuvel
Indirect calls are very expensive on x86, so use a static call to set the system-wide AES-NI/CTR asm helper. Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/aesni-intel_glue.c | 13 +++-- 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/arch/x86/crypto/aesni-intel_glue.c

Re: [RFC V1 2/7] crypto: crct10dif - Accelerated CRC T10 DIF with vectorized instruction

2021-01-16 Thread Ard Biesheuvel
On Fri, 18 Dec 2020 at 22:07, Megha Dey wrote: > > From: Kyung Min Park > > Update the crc_pcl function that calculates T10 Data Integrity Field > CRC16 (CRC T10 DIF) using VPCLMULQDQ instruction. VPCLMULQDQ instruction > with AVX-512F adds EVEX encoded 512 bit version of PCLMULQDQ instruction. >

Re: [PATCH] crypto: lib/chacha20poly1305 - define empty module exit function

2021-01-15 Thread Ard Biesheuvel
> > Reported-by: John Donnelly > Signed-off-by: Jason A. Donenfeld Acked-by: Ard Biesheuvel > --- > lib/crypto/chacha20poly1305.c | 5 + > 1 file changed, 5 insertions(+) > > diff --git a/lib/crypto/chacha20poly1305.c b/lib/crypto/chacha20poly1305.c > index 5850f

Re: [RFC PATCH 0/6] Keem Bay OCS ECC crypto driver

2021-01-14 Thread Ard Biesheuvel
On Thu, 14 Jan 2021 at 11:25, Reshetova, Elena wrote: > > > > On Mon, Jan 04, 2021 at 08:04:15AM +, Reshetova, Elena wrote: > > > > > 2. The OCS ECC HW does not support the NIST P-192 curve. We were > > > > > planning > > to > > > > >add SW fallback for P-192 in the driver, but the Intel

[PATCH] crypto: arm64/sha - add missing module aliases

2021-01-14 Thread Ard Biesheuvel
: Ard Biesheuvel --- arch/arm64/crypto/sha1-ce-glue.c | 1 + arch/arm64/crypto/sha2-ce-glue.c | 2 ++ arch/arm64/crypto/sha3-ce-glue.c | 4 arch/arm64/crypto/sha512-ce-glue.c | 2 ++ 4 files changed, 9 insertions(+) diff --git a/arch/arm64/crypto/sha1-ce-glue.c b/arch/arm64/crypto/sha1

Re: [RFC PATCH 0/5] running kernel mode SIMD with softirqs disabled

2021-01-14 Thread Ard Biesheuvel
On Sat, 19 Dec 2020 at 03:05, Herbert Xu wrote: > > On Fri, Dec 18, 2020 at 06:01:01PM +0100, Ard Biesheuvel wrote: > > > > Questions: > > - what did I miss or break horribly? > > - does any of this matter for RT? AIUI, RT runs softirqs from a dedicated > >

Re: [PATCH RESEND] random: remove dead code left over from blocking pool

2021-01-13 Thread Ard Biesheuvel
Horn > Cc: Theodore Ts'o > Reviewed-by: Andy Lutomirski > Signed-off-by: Eric Biggers Acked-by: Ard Biesheuvel > --- > > Andrew, please consider taking this patch since the maintainer has been > ignoring it for 4 months > (https://lkml.kernel.org/lkml/202009160436

Re: [PATCH RESEND] random: initialize ChaCha20 constants with correct endianness

2021-01-13 Thread Ard Biesheuvel
haCha20 anymore. Fix it to always use the standard constants. > > Cc: linux-crypto@vger.kernel.org > Cc: Andy Lutomirski > Cc: Jann Horn > Cc: Theodore Ts'o > Acked-by: Herbert Xu > Signed-off-by: Eric Biggers Acked-by: Ard Biesheuvel > --- > > An

Re: [PATCH RESEND] random: fix the RNDRESEEDCRNG ioctl

2021-01-13 Thread Ard Biesheuvel
ioctl RNDRESEEDCRNG") > Cc: sta...@vger.kernel.org > Cc: linux-crypto@vger.kernel.org > Cc: Andy Lutomirski > Cc: Jann Horn > Cc: Theodore Ts'o > Reviewed-by: Jann Horn > Signed-off-by: Eric Biggers Acked-by: Ard Biesheuvel > --- > > Andrew, please consider tak

[PATCH v3] crypto - shash: reduce minimum alignment of shash_desc structure

2021-01-13 Thread Ard Biesheuvel
esulting in an increased stack footprint of up to 232 bytes.) So instead, let's switch to the minimum SLAB alignment, which does not take DMA constraints into account. Note that this is a no-op for x86. Signed-off-by: Ard Biesheuvel --- v3: - drop skcipher_request change again - this needs

Re: [PATCH v2] crypto: reduce minimum alignment of on-stack structures

2021-01-13 Thread Ard Biesheuvel
On Wed, 13 Jan 2021 at 07:27, Herbert Xu wrote: > > On Fri, Jan 08, 2021 at 11:49:32PM +0100, Ard Biesheuvel wrote: > > > > The assumption is that ARCH_SLAB_MINALIGN should be sufficient for any > > POD type, But I guess that in order to be fully correct, the actual >

Re: [PATCH 0/7] crypto: switch to static calls for CRC-T10DIF

2021-01-11 Thread Ard Biesheuvel
On Mon, 11 Jan 2021 at 22:05, Eric Biggers wrote: > > On Mon, Jan 11, 2021 at 05:52:30PM +0100, Ard Biesheuvel wrote: > > CRC-T10DIF is a very poor match for the crypto API: > > - every user in the kernel calls it via a library wrapper around the > > shash API, so al

Re: [PATCH 0/7] crypto: switch to static calls for CRC-T10DIF

2021-01-11 Thread Ard Biesheuvel
On Mon, 11 Jan 2021 at 21:56, Peter Zijlstra wrote: > > On Mon, Jan 11, 2021 at 07:36:20PM +0100, Ard Biesheuvel wrote: > > On Mon, 11 Jan 2021 at 18:27, Ard Biesheuvel wrote: > > > On Mon, 11 Jan 2021 at 17:52, Ard Biesheuvel wrote: > > > > > Special request

Re: [PATCH 0/7] crypto: switch to static calls for CRC-T10DIF

2021-01-11 Thread Ard Biesheuvel
On Mon, 11 Jan 2021 at 18:27, Ard Biesheuvel wrote: > > On Mon, 11 Jan 2021 at 17:52, Ard Biesheuvel wrote: > > > > CRC-T10DIF is a very poor match for the crypto API: > > - every user in the kernel calls it via a library wrapper around the > > shash API, so all c

Re: [PATCH 0/7] crypto: switch to static calls for CRC-T10DIF

2021-01-11 Thread Ard Biesheuvel
On Mon, 11 Jan 2021 at 17:52, Ard Biesheuvel wrote: > > CRC-T10DIF is a very poor match for the crypto API: > - every user in the kernel calls it via a library wrapper around the > shash API, so all callers share a single instance of the transform > - each architecture provides a

[PATCH 5/7] crypto: arm/crc-t10dif - convert to static call library API

2021-01-11 Thread Ard Biesheuvel
Get rid of the shash boilerplate, and register the accelerated ARM version of the CRC-T10DIF algorithm with the library interface instead. Signed-off-by: Ard Biesheuvel --- arch/arm/crypto/crct10dif-ce-glue.c | 58 1 file changed, 11 insertions(+), 47 deletions(-) diff

[PATCH 7/7] crypto: powerpc/crc-t10dif - convert to static call API

2021-01-11 Thread Ard Biesheuvel
Get rid of the shash boilerplate, and register the accelerated PowerPC version of the CRC-T10DIF algorithm with the library interface instead. Signed-off-by: Ard Biesheuvel --- arch/powerpc/crypto/crct10dif-vpmsum_glue.c | 51 ++-- 1 file changed, 4 insertions(+), 47 deletions

[PATCH 6/7] crypto: arm64/crc-t10dif - convert to static call API

2021-01-11 Thread Ard Biesheuvel
Get rid of the shash boilerplate, and register the accelerated arm64 version of the CRC-T10DIF algorithm with the library interface instead. Signed-off-by: Ard Biesheuvel --- arch/arm64/crypto/crct10dif-ce-glue.c | 85 1 file changed, 15 insertions(+), 70 deletions(-) diff

[PATCH 2/7] crypto: lib/crc-t10dif - add static call support for optimized versions

2021-01-11 Thread Ard Biesheuvel
Wire up the new static call facility to the CRC-T10DIF library code, so that optimized implementations can be swapped in easily, without having to rely on the complexity of the crypto API shash infrastructure. Signed-off-by: Ard Biesheuvel --- include/linux/crc-t10dif.h | 21 -- lib

[PATCH 3/7] crypto: generic/crc-t10dif - expose both arch and generic shashes

2021-01-11 Thread Ard Biesheuvel
modules in question are autoloaded via CPU feature matching, but let's use a module soft-dependency as well to trigger a load of such modules if they exist on the system. Signed-off-by: Ard Biesheuvel --- crypto/crct10dif_generic.c | 100 ++-- 1 file changed, 72 insertions(+

[PATCH 4/7] crypto: x86/crc-t10dif - convert to static call library API

2021-01-11 Thread Ard Biesheuvel
Get rid of the shash boilerplate, and register the accelerated x86 version of the CRC-T10DIF algorithm with the library interface instead. Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/crct10dif-pclmul_glue.c | 90 +++- 1 file changed, 10 insertions(+), 80 deletions(-) diff

[PATCH 1/7] crypto: crc-t10dif - turn library wrapper for shash into generic library

2021-01-11 Thread Ard Biesheuvel
register and unregister optimized implementations. Signed-off-by: Ard Biesheuvel --- arch/arm/crypto/Kconfig | 2 +- arch/arm64/crypto/Kconfig | 3 +- crypto/Kconfig| 7 +- crypto/Makefile | 2 +- crypto/crct10dif_common.c | 82 lib/Kconfig

[PATCH 0/7] crypto: switch to static calls for CRC-T10DIF

2021-01-11 Thread Ard Biesheuvel
r Zijlstra Ard Biesheuvel (7): crypto: crc-t10dif - turn library wrapper for shash into generic library crypto: lib/crc-t10dif - add static call support for optimized versions crypto: generic/crc-t10dif - expose both arch and generic shashes crypto: x86/crc-t10dif - convert to s

Re: [PATCH v2] crypto: reduce minimum alignment of on-stack structures

2021-01-08 Thread Ard Biesheuvel
On Fri, 8 Jan 2021 at 22:16, Eric Biggers wrote: > > On Fri, Jan 08, 2021 at 06:17:06PM +0100, Ard Biesheuvel wrote: > > diff --git a/include/crypto/skcipher.h b/include/crypto/skcipher.h > > index 6a733b171a5d..aa133dc3bf39 100644 > > --- a/include/crypto/skcipher.h

[PATCH v2] crypto: reduce minimum alignment of on-stack structures

2021-01-08 Thread Ard Biesheuvel
, document the DMA aspect of this in the comment that explains the purpose of CRYPTO_MINALIGN_ATTR. Note that this is a no-op for x86. Signed-off-by: Ard Biesheuvel --- v2: - reduce alignment for SYNC_SKCIPHER_REQUEST_ON_STACK as well - update CRYPTO_MINALIGN_ATTR comment with DMA requi

Re: [PATCH] crypto - shash: reduce minimum alignment of shash_desc structure

2021-01-08 Thread Ard Biesheuvel
On Fri, 8 Jan 2021 at 11:59, Arnd Bergmann wrote: > > On Fri, Jan 8, 2021 at 11:44 AM Herbert Xu > wrote: > > > > On Fri, Jan 08, 2021 at 11:42:53AM +0100, Arnd Bergmann wrote: > > > > > > How does this work for kernels with CONFIG_VMAP_STACK? > > > I remember some other subsystems (usb, hid) ad

Re: [PATCH] crypto - shash: reduce minimum alignment of shash_desc structure

2021-01-08 Thread Ard Biesheuvel
On Fri, 8 Jan 2021 at 10:23, Herbert Xu wrote: > > On Fri, Jan 08, 2021 at 09:36:23AM +0100, Ard Biesheuvel wrote: > > > > scatterlists, and I don't think we permit pointing the scatterlist > > into request structures) > > Not only do we allow that, we do tha

Re: [PATCH] crypto - shash: reduce minimum alignment of shash_desc structure

2021-01-08 Thread Ard Biesheuvel
On Thu, 7 Jan 2021 at 20:02, Eric Biggers wrote: > > On Thu, Jan 07, 2021 at 01:41:28PM +0100, Ard Biesheuvel wrote: > > Unlike many other structure types defined in the crypto API, the > > 'shash_desc' structure is permitted to live on the stack, which > &g

[PATCH] crypto - shash: reduce minimum alignment of shash_desc structure

2021-01-07 Thread Ard Biesheuvel
esulting in an increased stack footprint of up to 232 bytes.) So instead, let's switch to the minimum SLAB alignment, which does not take DMA constraints into account. Note that this is a no-op for x86. Signed-off-by: Ard Biesheuvel --- include/crypto/hash.h | 8 1 file changed, 4

[PATCH v2 20/21] crypto: x86 - remove glue helper module

2021-01-05 Thread Ard Biesheuvel
All dependencies on the x86 glue helper module have been replaced by local instantiations of the new ECB/CBC preprocessor helper macros, so the glue helper module can be retired. Acked-by: Eric Biggers Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/Makefile | 2 - arch

[PATCH v2 02/21] crypto: x86/cast6 - switch to XTS template

2021-01-05 Thread Ard Biesheuvel
Now that the XTS template can wrap accelerated ECB modes, it can be used to implement CAST6 in XTS mode as well, which turns out to be at least as fast, and sometimes even faster Acked-by: Eric Biggers Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 56

[PATCH v2 01/21] crypto: x86/camellia - switch to XTS template

2021-01-05 Thread Ard Biesheuvel
Now that the XTS template can wrap accelerated ECB modes, it can be used to implement Camellia in XTS mode as well, which turns out to be at least as fast, and sometimes even faster. Acked-by: Eric Biggers Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/camellia-aesni-avx-asm_64.S | 181

[PATCH v2 16/21] crypto: x86/serpent - drop dependency on glue helper

2021-01-05 Thread Ard Biesheuvel
Replace the glue helper dependency with implementations of ECB and CBC based on the new CPP macros, which avoid the need for indirect calls. Acked-by: Eric Biggers Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/serpent_avx2_glue.c | 73 +- arch/x86/crypto/serpent_avx_glue.c

[PATCH v2 17/21] crypto: x86/cast5 - drop dependency on glue helper

2021-01-05 Thread Ard Biesheuvel
Replace the glue helper dependency with implementations of ECB and CBC based on the new CPP macros, which avoid the need for indirect calls. Acked-by: Eric Biggers Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/cast5_avx_glue.c | 184 ++-- 1 file changed, 17 insertions

[PATCH v2 19/21] crypto: x86/twofish - drop dependency on glue helper

2021-01-05 Thread Ard Biesheuvel
Replace the glue helper dependency with implementations of ECB and CBC based on the new CPP macros, which avoid the need for indirect calls. Acked-by: Eric Biggers Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/twofish_avx_glue.c | 73 +- arch/x86/crypto/twofish_glue_3way.c

[PATCH v2 21/21] crypto: x86 - use local headers for x86 specific shared declarations

2021-01-05 Thread Ard Biesheuvel
use local #includes instead. Acked-by: Eric Biggers Signed-off-by: Ard Biesheuvel --- arch/x86/{include/asm => }/crypto/camellia.h | 0 arch/x86/crypto/camellia_aesni_avx2_glue.c | 2 +- arch/x86/crypto/camellia_aesni_avx_glue.c| 2 +- arch/x86/crypto/camellia_glu

[PATCH v2 15/21] crypto: x86/camellia - drop dependency on glue helper

2021-01-05 Thread Ard Biesheuvel
Replace the glue helper dependency with implementations of ECB and CBC based on the new CPP macros, which avoid the need for indirect calls. Acked-by: Eric Biggers Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/camellia_aesni_avx2_glue.c | 85 ++-- arch/x86/crypto

[PATCH v2 18/21] crypto: x86/cast6 - drop dependency on glue helper

2021-01-05 Thread Ard Biesheuvel
Replace the glue helper dependency with implementations of ECB and CBC based on the new CPP macros, which avoid the need for indirect calls. Acked-by: Eric Biggers Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/cast6_avx_glue.c | 61 ++-- crypto/Kconfig

[PATCH v2 13/21] crypto: x86/blowfish - drop CTR mode implementation

2021-01-05 Thread Ard Biesheuvel
Blowfish in counter mode is never used in the kernel, so there is no point in keeping an accelerated implementation around. Acked-by: Eric Biggers Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/blowfish_glue.c | 107 crypto/Kconfig | 1 + 2 files

[PATCH v2 14/21] crypto: x86 - add some helper macros for ECB and CBC modes

2021-01-05 Thread Ard Biesheuvel
essing, so we can wire them up for existing users of the glue helper module, i.e., Camellia, Serpent, Twofish and CAST6. Acked-by: Eric Biggers Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/ecb_cbc_helpers.h | 76 1 file changed, 76 insertions(+) diff --git a/arch/

[PATCH v2 11/21] crypto: x86/glue-helper - drop CTR helper routines

2021-01-05 Thread Ard Biesheuvel
The glue helper's CTR routines are no longer used, so drop them. Acked-by: Eric Biggers Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/glue_helper-asm-avx.S | 45 arch/x86/crypto/glue_helper-asm-avx2.S| 58 arch/x86/crypto/glue_helper.c

[PATCH v2 12/21] crypto: x86/des - drop CTR mode implementation

2021-01-05 Thread Ard Biesheuvel
DES or Triple DES in counter mode is never used in the kernel, so there is no point in keeping an accelerated implementation around. Acked-by: Eric Biggers Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/des3_ede_glue.c | 104 crypto/Kconfig | 1 + 2

[PATCH v2 10/21] crypto: x86/twofish - drop CTR mode implementation

2021-01-05 Thread Ard Biesheuvel
Twofish in CTR mode is never used by the kernel directly, and is highly unlikely to be relied upon by dm-crypt or algif_skcipher. So let's drop the accelerated CTR mode implementation, and instead, rely on the CTR template and the bare cipher. Acked-by: Eric Biggers Signed-off-by: Ard Biesh

[PATCH v2 07/21] crypto: x86/serpent - drop CTR mode implementation

2021-01-05 Thread Ard Biesheuvel
Serpent in CTR mode is never used by the kernel directly, and is highly unlikely to be relied upon by dm-crypt or algif_skcipher. So let's drop the accelerated CTR mode implementation, and instead, rely on the CTR template and the bare cipher. Acked-by: Eric Biggers Signed-off-by: Ard Biesh

[PATCH v2 09/21] crypto: x86/cast6 - drop CTR mode implementation

2021-01-05 Thread Ard Biesheuvel
CAST6 in CTR mode is never used by the kernel directly, and is highly unlikely to be relied upon by dm-crypt or algif_skcipher. So let's drop the accelerated CTR mode implementation, and instead, rely on the CTR template and the bare cipher. Acked-by: Eric Biggers Signed-off-by: Ard Biesh

[PATCH v2 06/21] crypto: x86/camellia - drop CTR mode implementation

2021-01-05 Thread Ard Biesheuvel
Camellia in CTR mode is never used by the kernel directly, and is highly unlikely to be relied upon by dm-crypt or algif_skcipher. So let's drop the accelerated CTR mode implementation, and instead, rely on the CTR template and the bare cipher. Acked-by: Eric Biggers Signed-off-by

[PATCH v2 08/21] crypto: x86/cast5 - drop CTR mode implementation

2021-01-05 Thread Ard Biesheuvel
CAST5 in CTR mode is never used by the kernel directly, and is highly unlikely to be relied upon by dm-crypt or algif_skcipher. So let's drop the accelerated CTR mode implementation, and instead, rely on the CTR template and the bare cipher. Acked-by: Eric Biggers Signed-off-by: Ard Biesh

[PATCH v2 05/21] crypto: x86/glue-helper - drop XTS helper routines

2021-01-05 Thread Ard Biesheuvel
The glue helper's XTS routines are no longer used, so drop them. Acked-by: Eric Biggers Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/glue_helper-asm-avx.S | 59 arch/x86/crypto/glue_helper-asm-avx2.S| 78 -- arch/x86/crypto/glue_helper.c

[PATCH v2 04/21] crypto: x86/twofish - switch to XTS template

2021-01-05 Thread Ard Biesheuvel
Now that the XTS template can wrap accelerated ECB modes, it can be used to implement Twofish in XTS mode as well, which turns out to be at least as fast, and sometimes even faster Acked-by: Eric Biggers Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 53

[PATCH v2 03/21] crypto: x86/serpent- switch to XTS template

2021-01-05 Thread Ard Biesheuvel
Now that the XTS template can wrap accelerated ECB modes, it can be used to implement Serpent in XTS mode as well, which turns out to be at least as fast, and sometimes even faster Acked-by: Eric Biggers Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 48

[PATCH v2 00/21] crypto: x86 - remove glue helper module

2021-01-05 Thread Ard Biesheuvel
ary memcpy() in camellia_decrypt_cbc_2way() - add Eric's ack Changes since RFC: - add Eric's ack to the initial XTS and CTR patches - add patches to convert ECB and CBC modes - add patches to remove DES and Blowfish in CTR mode Cc: Megha Dey Cc: Eric Biggers Cc: Herbert Xu Cc: Milan Broz Cc: Mike

[PATCH v2 5/5] crypto: x86/gcm-aes-ni - replace function pointers with static branches

2021-01-04 Thread Ard Biesheuvel
the implementation based on the input size on cores that support AVX and AVX2, use static branches instead of static calls. Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/aesni-intel_glue.c | 98 +++- 1 file changed, 54 insertions(+), 44 deletions(-) diff --git a/arch/x86

[PATCH v2 4/5] crypto: x86/gcm-aes-ni - refactor scatterlist processing

2021-01-04 Thread Ard Biesheuvel
which always do one or the other. Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/aesni-intel_glue.c | 139 1 file changed, 56 insertions(+), 83 deletions(-) diff --git a/arch/x86/crypto/aesni-intel_glue.c b/arch/x86/crypto/aesni-intel_glue.c index 26b012065701..d0b4fa7

[PATCH v2 2/5] crypto: x86/gcm-aes-ni - drop unused asm prototypes

2021-01-04 Thread Ard Biesheuvel
Drop some prototypes that are declared but never called. Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/aesni-intel_glue.c | 67 1 file changed, 67 deletions(-) diff --git a/arch/x86/crypto/aesni-intel_glue.c b/arch/x86/crypto/aesni-intel_glue.c index 880f9f8b5153

[PATCH v2 3/5] crypto: x86/gcm-aes-ni - clean up mapping of associated data

2021-01-04 Thread Ard Biesheuvel
The gcm(aes-ni) driver is only built for x86_64, which does not make use of highmem. So testing for PageHighMem is pointless and can be omitted. While at it, replace GFP_ATOMIC with the appropriate runtime decided value based on the context. Signed-off-by: Ard Biesheuvel --- arch/x86/crypto

[PATCH v2 1/5] crypto: x86/gcm-aes-ni - prevent misaligned buffers on the stack

2021-01-04 Thread Ard Biesheuvel
stack realignment sequence that is needed, and so the alignment is not guaranteed to be more than 8 bytes. So instead, allocate some padding on the stack, and realign the IV pointer by hand. Cc: Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/aesni-intel_glue.c | 28 +++- 1 file

[PATCH v2 0/5] crypto: gcm-aes-ni cleanups

2021-01-04 Thread Ard Biesheuvel
Clean up some issues and peculiarities in the gcm(aes-ni) driver. Changes since v1: - fix sleep while atomic issue reported by Eric - add patch to get rid of indirect calls, to avoid taking the retpoline performance hit Cc: Megha Dey Cc: Eric Biggers Cc: Herbert Xu Ard Biesheuvel (5

Re: [PATCH] crypto: qat - replace CRYPTO_AES with CRYPTO_LIB_AES in Kconfig

2021-01-04 Thread Ard Biesheuvel
On Mon, 4 Jan 2021 at 16:13, Marco Chiappero wrote: > > Use CRYPTO_LIB_AES in place of CRYPTO_AES in the dependences for the QAT > common code. > > Fixes: c0e583ab2016 ("crypto: qat - add CRYPTO_AES to Kconfig dependencies") > Reported-by: Ard Biesheuvel > Signed-

Re: [PATCH v2 2/2] crypto: x86/aes-ni-xts - rewrite and drop indirections via glue helper

2021-01-03 Thread Ard Biesheuvel
is now in the cryptodev tree I will try to remember to use --base next time. > url: > https://github.com/0day-ci/linux/commits/Ard-Biesheuvel/crypto-x86-aes-ni-xts-recover-and-improve-performance/20210101-004902 > base: > https://git.kernel.org/pub/scm/linux/kernel/g

[PATCH] crypto: ecdh - avoid buffer overflow in ecdh_set_secret()

2021-01-02 Thread Ard Biesheuvel
result of intentional tampering. So check params.key_size explicitly against the size of the target buffer before validating the key further. Fixes: 17858b140bf4 ("crypto: ecdh - avoid unaligned accesses in ecdh_set_secret()") Reported-by: Pavel Machek Cc: Signed-off-by: Ard Biesheuvel --

[PATCH 03/21] crypto: x86/serpent- switch to XTS template

2020-12-31 Thread Ard Biesheuvel
Now that the XTS template can wrap accelerated ECB modes, it can be used to implement Serpent in XTS mode as well, which turns out to be at least as fast, and sometimes even faster Acked-by: Eric Biggers Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/serpent-avx-x86_64-asm_64.S | 48

[PATCH 20/21] crypto: x86 - remove glue helper module

2020-12-31 Thread Ard Biesheuvel
All dependencies on the x86 glue helper module have been replaced by local instantiations of the new ECB/CBC preprocessor helper macros, so the glue helper module can be retired. Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/Makefile | 2 - arch/x86/crypto/glue_helper.c

[PATCH 16/21] crypto: x86/serpent - drop dependency on glue helper

2020-12-31 Thread Ard Biesheuvel
Replace the glue helper dependency with implementations of ECB and CBC based on the new CPP macros, which avoid the need for indirect calls. Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/serpent_avx2_glue.c | 73 +- arch/x86/crypto/serpent_avx_glue.c | 61

[PATCH 18/21] crypto: x86/cast6 - drop dependency on glue helper

2020-12-31 Thread Ard Biesheuvel
Replace the glue helper dependency with implementations of ECB and CBC based on the new CPP macros, which avoid the need for indirect calls. Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/cast6_avx_glue.c | 61 ++-- crypto/Kconfig | 1 - 2 files changed, 17

[PATCH 02/21] crypto: x86/cast6 - switch to XTS template

2020-12-31 Thread Ard Biesheuvel
Now that the XTS template can wrap accelerated ECB modes, it can be used to implement CAST6 in XTS mode as well, which turns out to be at least as fast, and sometimes even faster Acked-by: Eric Biggers Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/cast6-avx-x86_64-asm_64.S | 56

[PATCH 21/21] crypto: x86 - use local headers for x86 specific shared declarations

2020-12-31 Thread Ard Biesheuvel
use local #includes instead. Signed-off-by: Ard Biesheuvel --- arch/x86/{include/asm => }/crypto/camellia.h | 0 arch/x86/crypto/camellia_aesni_avx2_glue.c | 2 +- arch/x86/crypto/camellia_aesni_avx_glue.c| 2 +- arch/x86/crypto/camellia_glue.c | 2 +- arch/

[PATCH 17/21] crypto: x86/cast5 - drop dependency on glue helper

2020-12-31 Thread Ard Biesheuvel
Replace the glue helper dependency with implementations of ECB and CBC based on the new CPP macros, which avoid the need for indirect calls. Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/cast5_avx_glue.c | 184 ++-- 1 file changed, 17 insertions(+), 167 deletions(-) diff

[PATCH 19/21] crypto: x86/twofish - drop dependency on glue helper

2020-12-31 Thread Ard Biesheuvel
Replace the glue helper dependency with implementations of ECB and CBC based on the new CPP macros, which avoid the need for indirect calls. Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/twofish_avx_glue.c | 73 +- arch/x86/crypto/twofish_glue_3way.c | 80

[PATCH 14/21] crypto: x86 - add some helper macros for ECB and CBC modes

2020-12-31 Thread Ard Biesheuvel
tatic inline helper routines modeled after the existing ones. So instead, let's create some CPP macros that encapsulate the core of the ECB and CBC processing, so we can wire them up for existing users of the glue helper module, i.e., Camellia, Serpent, Twofish and CAST6. Signed-off-by: Ard

[PATCH 15/21] crypto: x86/camellia - drop dependency on glue helper

2020-12-31 Thread Ard Biesheuvel
Replace the glue helper dependency with implementations of ECB and CBC based on the new CPP macros, which avoid the need for indirect calls. Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/camellia_aesni_avx2_glue.c | 85 ++-- arch/x86/crypto/camellia_aesni_avx_glue.c | 73

[PATCH 11/21] crypto: x86/glue-helper - drop CTR helper routines

2020-12-31 Thread Ard Biesheuvel
The glue helper's CTR routines are no longer used, so drop them. Acked-by: Eric Biggers Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/glue_helper-asm-avx.S | 45 arch/x86/crypto/glue_helper-asm-avx2.S| 58 arch/x86/crypto/glue_helper.c

[PATCH 13/21] crypto: x86/blowfish - drop CTR mode implementation

2020-12-31 Thread Ard Biesheuvel
Blowfish in counter mode is never used in the kernel, so there is no point in keeping an accelerated implementation around. Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/blowfish_glue.c | 107 crypto/Kconfig | 1 + 2 files changed, 1 insertion(+), 107

[PATCH 10/21] crypto: x86/twofish - drop CTR mode implementation

2020-12-31 Thread Ard Biesheuvel
Twofish in CTR mode is never used by the kernel directly, and is highly unlikely to be relied upon by dm-crypt or algif_skcipher. So let's drop the accelerated CTR mode implementation, and instead, rely on the CTR template and the bare cipher. Acked-by: Eric Biggers Signed-off-by: Ard Biesh

[PATCH 12/21] crypto: x86/des - drop CTR mode implementation

2020-12-31 Thread Ard Biesheuvel
DES or Triple DES in counter mode is never used in the kernel, so there is no point in keeping an accelerated implementation around. Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/des3_ede_glue.c | 104 crypto/Kconfig | 1 + 2 files changed, 1

[PATCH 07/21] crypto: x86/serpent - drop CTR mode implementation

2020-12-31 Thread Ard Biesheuvel
Serpent in CTR mode is never used by the kernel directly, and is highly unlikely to be relied upon by dm-crypt or algif_skcipher. So let's drop the accelerated CTR mode implementation, and instead, rely on the CTR template and the bare cipher. Acked-by: Eric Biggers Signed-off-by: Ard Biesh

[PATCH 09/21] crypto: x86/cast6 - drop CTR mode implementation

2020-12-31 Thread Ard Biesheuvel
CAST6 in CTR mode is never used by the kernel directly, and is highly unlikely to be relied upon by dm-crypt or algif_skcipher. So let's drop the accelerated CTR mode implementation, and instead, rely on the CTR template and the bare cipher. Acked-by: Eric Biggers Signed-off-by: Ard Biesh

[PATCH 08/21] crypto: x86/cast5 - drop CTR mode implementation

2020-12-31 Thread Ard Biesheuvel
CAST5 in CTR mode is never used by the kernel directly, and is highly unlikely to be relied upon by dm-crypt or algif_skcipher. So let's drop the accelerated CTR mode implementation, and instead, rely on the CTR template and the bare cipher. Signed-off-by: Ard Biesheuvel --- arch/x86/c

[PATCH 05/21] crypto: x86/glue-helper - drop XTS helper routines

2020-12-31 Thread Ard Biesheuvel
The glue helper's XTS routines are no longer used, so drop them. Acked-by: Eric Biggers Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/glue_helper-asm-avx.S | 59 arch/x86/crypto/glue_helper-asm-avx2.S| 78 -- arch/x86/crypto/glue_helper.c

[PATCH 06/21] crypto: x86/camellia - drop CTR mode implementation

2020-12-31 Thread Ard Biesheuvel
Camellia in CTR mode is never used by the kernel directly, and is highly unlikely to be relied upon by dm-crypt or algif_skcipher. So let's drop the accelerated CTR mode implementation, and instead, rely on the CTR template and the bare cipher. Acked-by: Eric Biggers Signed-off-by

[PATCH 01/21] crypto: x86/camellia - switch to XTS template

2020-12-31 Thread Ard Biesheuvel
Now that the XTS template can wrap accelerated ECB modes, it can be used to implement Camellia in XTS mode as well, which turns out to be at least as fast, and sometimes even faster. Acked-by: Eric Biggers Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/camellia-aesni-avx-asm_64.S | 181

[PATCH 00/21] crypto: x86 - remove glue helper module

2020-12-31 Thread Ard Biesheuvel
des - add patches to remove DES and Blowfish in CTR mode Cc: Megha Dey Cc: Eric Biggers Cc: Herbert Xu Cc: Milan Broz Cc: Mike Snitzer Ard Biesheuvel (21): crypto: x86/camellia - switch to XTS template crypto: x86/cast6 - switch to XTS template crypto: x86/serpent - switch to XTS template

[PATCH 04/21] crypto: x86/twofish - switch to XTS template

2020-12-31 Thread Ard Biesheuvel
Now that the XTS template can wrap accelerated ECB modes, it can be used to implement Twofish in XTS mode as well, which turns out to be at least as fast, and sometimes even faster. Acked-by: Eric Biggers Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/twofish-avx-x86_64-asm_64.S | 53
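
The "switch to XTS template" entries above (Camellia, CAST6, Twofish) and the "drop CTR mode implementation" entries further up both rest on the same composition: XTS needs nothing from the cipher beyond a bulk ECB primitive, and CTR needs nothing beyond the forward single-block cipher, so the generic templates can sit on top of whatever ECB or bare-cipher implementation is fastest. The following userspace C is an added example written for this page; it is not code from the patch series or from the kernel. The 16-byte "toy" cipher, the key arrays K1/K2, and the function names are all assumptions standing in for a real block cipher such as Camellia or Twofish, and the toy cipher is a keyed permutation only, not a secure cipher. Ciphertext stealing for a partial last block is deliberately left out, so this XTS rejects unaligned lengths, while the CTR path accepts any byte count.

```c
/* Added example, not code from the patch series: a userspace model of the
 * composition the series relies on, xts(ecb(cipher)) and ctr(cipher). The toy
 * 16-byte cipher is a constructed stand-in for Camellia/Twofish/etc.: NOT secure. */
#include <stdint.h>
#include <string.h>

#define BLK 16

/* Stand-in cipher: XOR key and round constant, rotate one byte, byte-wise
 * prefix sum; four rounds. toy_decrypt undoes each step in reverse order. */
static void toy_encrypt(const uint8_t key[BLK], uint8_t b[BLK])
{
	for (int r = 0; r < 4; r++) {
		for (int i = 0; i < BLK; i++) b[i] ^= key[i] ^ (uint8_t)(r * 0x3b + i);
		uint8_t t = b[0]; memmove(b, b + 1, BLK - 1); b[BLK - 1] = t;
		for (int i = 1; i < BLK; i++) b[i] = (uint8_t)(b[i] + b[i - 1]);
	}
}
static void toy_decrypt(const uint8_t key[BLK], uint8_t b[BLK])
{
	for (int r = 3; r >= 0; r--) {
		for (int i = BLK - 1; i >= 1; i--) b[i] = (uint8_t)(b[i] - b[i - 1]);
		uint8_t t = b[BLK - 1]; memmove(b + 1, b, BLK - 1); b[0] = t;
		for (int i = 0; i < BLK; i++) b[i] ^= key[i] ^ (uint8_t)(r * 0x3b + i);
	}
}

/* Bulk ECB: what the accelerated glue exports; the XTS template calls it once
 * per chunk instead of making an indirect call per block. */
static void ecb_crypt(const uint8_t key[BLK], uint8_t *buf, size_t nblocks, int enc)
{
	for (size_t i = 0; i < nblocks; i++)
		(enc ? toy_encrypt : toy_decrypt)(key, buf + i * BLK);
}

/* XOR tweaks T_i = E_k2(iv) * alpha^i into n blocks (GF(2^128), little-endian
 * as in IEEE P1619). Run before and after ECB; tweaks are regenerated, not stored. */
static void xts_xor_tweaks(const uint8_t key2[BLK], const uint8_t iv[BLK], uint8_t *buf, size_t n)
{
	uint8_t t[BLK];
	memcpy(t, iv, BLK); ecb_crypt(key2, t, 1, 1);
	for (size_t i = 0; i < n; i++) {
		uint8_t carry = 0;
		for (int j = 0; j < BLK; j++) {
			buf[i * BLK + j] ^= t[j];
			uint8_t c = t[j] >> 7; t[j] = (uint8_t)((t[j] << 1) | carry); carry = c;
		}
		if (carry) t[0] ^= 0x87;
	}
}

/* XTS over ECB: tweak XOR, one bulk ECB call, tweak XOR; encrypt and decrypt differ
 * only in the ECB direction. No ciphertext stealing here, so len must be block-aligned. */
static int xts_crypt(const uint8_t key1[BLK], const uint8_t key2[BLK], const uint8_t iv[BLK],
		     uint8_t *buf, size_t len, int enc)
{
	if (len == 0 || len % BLK) return -1;
	xts_xor_tweaks(key2, iv, buf, len / BLK);
	ecb_crypt(key1, buf, len / BLK, enc);
	xts_xor_tweaks(key2, iv, buf, len / BLK);
	return 0;
}

/* CTR over the bare cipher: forward direction only, any byte length (tail keystream truncated). */
static void ctr_crypt(const uint8_t key[BLK], const uint8_t iv[BLK], uint8_t *buf, size_t len)
{
	uint8_t ctr[BLK], ks[BLK];
	memcpy(ctr, iv, BLK);
	for (size_t off = 0; off < len; off += BLK) {
		size_t n = len - off < BLK ? len - off : BLK;
		memcpy(ks, ctr, BLK); toy_encrypt(key, ks);
		for (size_t j = 0; j < n; j++) buf[off + j] ^= ks[j];
		for (int i = BLK - 1; i >= 0 && ++ctr[i] == 0; i--) ; /* big-endian increment */
	}
}

/* Constructed keys and self-checks (1 on success); assumptions, not from the page. */
static const uint8_t K1[BLK] = { 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16 };
static const uint8_t K2[BLK] = { 0x9a, 0x7c, 0x51, 0xe3, 0x08, 0x2f, 0xb4, 0x66, 0xd1, 0x3d, 0xaa, 0x05, 0x77, 0xc9, 0x12, 0xfe };
static int check_xts(void)
{
	uint8_t orig[64], s0[64], s1[64], iv0[BLK] = { 0 }, iv1[BLK] = { 1 };
	for (int i = 0; i < 64; i++) orig[i] = s0[i] = s1[i] = (uint8_t)(i * 7);
	if (xts_crypt(K1, K2, iv0, s0, 64, 1) || xts_crypt(K1, K2, iv1, s1, 64, 1)) return 0;
	if (!memcmp(s0, s1, 64)) return 0;               /* same data, other sector: must differ */
	if (xts_crypt(K1, K2, iv0, s0, 64, 0) || memcmp(s0, orig, 64)) return 0;
	return xts_crypt(K1, K2, iv0, s0, 40, 1) == -1;  /* partial block is rejected */
}
static int check_ctr(void)
{
	uint8_t orig[37], buf[37], iv[BLK];
	memset(iv, 0xff, BLK);                           /* makes the counter wrap */
	for (int i = 0; i < 37; i++) orig[i] = buf[i] = (uint8_t)(0xa5 ^ i);
	ctr_crypt(K1, iv, buf, 37);                      /* 37 bytes: not block-aligned */
	if (!memcmp(buf, orig, 37)) return 0;
	ctr_crypt(K1, iv, buf, 37);                      /* same keystream undoes it */
	return memcmp(buf, orig, 37) == 0;
}

int main(void) { return !(check_xts() && check_ctr()); } /* exit status 0: both passed */
```

The structure is the point: xts_crypt never touches the cipher directly, only ecb_crypt, so any accelerated ECB (the AVX/AVX2 paths the glue code exports) gives an equally accelerated XTS with the per-block tweak arithmetic kept in the generic template, and ctr_crypt needs only the forward single-block cipher, which is why a dedicated accelerated CTR implementation is not required for correctness. The kernel's real xts template additionally implements ciphertext stealing for a trailing partial block; that is the one piece this model omits.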

[PATCH v2 2/2] crypto: x86/aes-ni-xts - rewrite and drop indirections via glue helper

2020-12-31 Thread Ard Biesheuvel
ic Biggers # x86_64 Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/aesni-intel_asm.S | 280 arch/x86/crypto/aesni-intel_glue.c | 220 --- crypto/Kconfig | 1 - 3 files changed, 356 insertions(+), 145 deletions(-) diff --git a/arch/x86/cr

[PATCH v2 1/2] crypto: x86/aes-ni-xts - use direct calls to and 4-way stride

2020-12-31 Thread Ard Biesheuvel
fd3f ("x86/retpoline/crypto: Convert crypto assembler indirect jumps") Tested-by: Eric Biggers # x86_64 Signed-off-by: Ard Biesheuvel --- arch/x86/crypto/aesni-intel_asm.S | 115 arch/x86/crypto/aesni-intel_glue.c | 25 +++-- 2 files changed, 84 insertions(+), 56 deleti

[PATCH v2 0/2] crypto: x86/aes-ni-xts - recover and improve performance

2020-12-31 Thread Ard Biesheuvel
] https://lore.kernel.org/linux-crypto/20201207233402.17472-1-a...@kernel.org/ Cc: Megha Dey Cc: Eric Biggers Cc: Herbert Xu Cc: Uros Bizjak Ard Biesheuvel (2): crypto: x86/aes-ni-xts - use direct calls to and 4-way stride crypto: x86/aes-ni-xts - rewrite and drop indirections via glue helpe
