kernel/arch/arm/crypto/aes-ce-core.S, branch linux-6.2.y

crypto: arm/aes-ce - work around Cortex-A57/A72 silion errata

2020-12-04T07:13:14Z

ARM Cortex-A57 and Cortex-A72 cores running in 32-bit mode are affected by silicon errata #1742098 and #1655431, respectively, where the second instruction of a AES instruction pair may execute twice if an interrupt is taken right after the first instruction consumes an input register of which a single 32-bit lane has been updated the last time it was modified. This is not such a rare occurrence as it may seem: in counter mode, only the least significant 32-bit word is incremented in the absence of a carry, which makes our counter mode implementation susceptible to these errata. So let's shuffle the counter assignments around a bit so that the most recent updates when the AES instruction pair executes are 128-bit wide. [0] ARM-EPM-049219 v23 Cortex-A57 MPCore Software Developers Errata Notice [1] ARM-EPM-012079 v11.0 Cortex-A72 MPCore Software Developers Errata Notice Cc: # v5.4+ Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu

crypto: arm/aes-ce - build for v8 architecture explicitly

2019-10-01T13:06:42Z

The NEON/Crypto Extensions based AES implementation for 32-bit ARM can be built in a kernel that targets ARMv6 CPUs and higher, even though the actual code will not be able to run on that generation, but it allows for a portable image to be generated that can will use the special instructions only when they are available. Since those instructions are part of a FPU profile rather than a CPU profile, we don't override the architecture in the assembler code, and most of the scalar code is simple enough to be ARMv6 compatible. However, that changes with commit c61b1607ed4fbbf2, which introduces calls to the movw/movt instructions, which are v7+ only. So override the architecture in the .S file to armv8-a, which matches the architecture specification in the crypto-neon-fp-armv8 FPU specificier that we already using. Note that using armv7-a here may trigger an issue with the upcoming Clang 10 release, which no longer permits .arch/.fpu combinations it views as incompatible. Reported-by: kbuild test robot Fixes: c61b1607ed4fbbf2 ("crypto: arm/aes-ce - implement ciphertext stealing ...") Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu

crypto: arm/aes-ce - implement ciphertext stealing for CBC

2019-09-09T07:35:39Z

Instead of relying on the CTS template to wrap the accelerated CBC skcipher, implement the ciphertext stealing part directly. Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu

crypto: arm/aes-ce - implement ciphertext stealing for XTS

2019-09-09T07:35:39Z

Update the AES-XTS implementation based on AES instructions so that it can deal with inputs whose size is not a multiple of the cipher block size. This is part of the original XTS specification, but was never implemented before in the Linux kernel. Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu

crypto: arm/aes-ce - replace tweak mask literal with composition

2019-09-09T07:35:28Z

Replace the vector load from memory sequence with a simple instruction sequence to compose the tweak vector directly. Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu

crypto: arm/aes-ce - switch to 4x interleave

2019-09-09T07:35:28Z

When the ARM AES instruction based crypto driver was introduced, there were no known implementations that could benefit from a 4-way interleave, and so a 3-way interleave was used instead. Since we have sufficient space in the SIMD register file, let's switch to a 4-way interleave to align with the 64-bit driver, and to ensure that we can reach optimum performance when running under emulation on high end 64-bit cores. Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu

crypto: arm/aes - fix round key prototypes

2019-09-09T07:35:28Z

The AES round keys are arrays of u32s in native endianness now, so update the function prototypes accordingly. Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu

crypto: arm/aes - use native endiannes for key schedule

2019-07-26T04:58:09Z

Align ARM's hw instruction based AES implementation with other versions that keep the key schedule in native endianness. This will allow us to merge the various implementations going forward. Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu

treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500

2019-06-19T15:09:55Z

Based on 2 normalized pattern(s): this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation # extracted by the scancode license scanner the SPDX license identifier GPL-2.0-only has been chosen to replace the boilerplate/reference in 4122 file(s). Signed-off-by: Thomas Gleixner Reviewed-by: Enrico Weigelt Reviewed-by: Kate Stewart Reviewed-by: Allison Randal Cc: linux-spdx@vger.kernel.org Link: https://lkml.kernel.org/r/20190604081206.933168790@linutronix.de Signed-off-by: Greg Kroah-Hartman

crypto: arm/aes-ce - update IV after partial final CTR block

2019-02-22T04:47:27Z

Make the arm ctr-aes-ce algorithm update the IV buffer to contain the next counter after processing a partial final block, rather than leave it as the last counter. This makes ctr-aes-ce pass the updated AES-CTR tests. This change also makes the code match the arm64 version in arch/arm64/crypto/aes-modes.S more closely. Signed-off-by: Eric Biggers Signed-off-by: Herbert Xu