Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp171933imm;
        Fri, 19 Oct 2018 20:37:19 -0700 (PDT)
X-Google-Smtp-Source: ACcGV63yGaYmmWInx9gDHetGoGxw2xNNi0PizjpnxdHpj7xgo+LFr0VEEJ39WepcrpJAOeKsGsfa
X-Received: by 2002:a17:902:2e81:: with SMTP id r1-v6mr30602767plb.212.1540006639853;
        Fri, 19 Oct 2018 20:37:19 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1540006639; cv=none;
        d=google.com; s=arc-20160816;
        b=Ob+f7pbkqoWc4MUhC8ehq0fEO4A34EOrEHjI+99p89RCIELrsI1x4XYr3cWn23NBlj
         o+bzx6qyiOH6OphbCg4gPhZxgnTaZJsTfHGqtZS4QAltDdn3mayCPpe+Ndu8eHxPI6Cv
         OFpNIdmKgV6Y+sBRM4TY0CfiRr5esh5qp35z8DZ4bOQfk62VEWTRe6jJfBYM+kUgImdE
         aDsolRzuJKguuEkIXmuH1VHNUs9hz7xCplbbo4+/htvheVJHpk9HxXl1n1wF48dnaLOe
         qQMOnC/xCJnGnB5GildTYcsHNxdM4nPTvlMf+GIvxR1mSlDsoGCpxvodMakM6dkL5hYo
         Dr5A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :references:in-reply-to:mime-version:dkim-signature;
        bh=JetETkZz58YSpa7TBF0LQ4b8VevGaMi232vEE+xJ/yU=;
        b=ytLKX7aIM6EAFSoTqp4VfxA6qQbD6FEf6y+uRH1ioyhVo33GrKj3lw5jz0PptYRhib
         I+jVlUGvAUj4CqcCloUy1OActYBtxbXP4zgVp+Xq8BlgbKBd7vKAbXKp9h+oJI5/3LCC
         vrVCRmGNpRZ/H1WG6xUF+SfgNtvzqb8AstbKcVjPuaFcgNPqBw16k+9hdmSBAzYFb/EA
         JMRRxsSjN54xm/uozU9fRJxrsbJeHnWCWquwUBm0QQpXbfV552zi0s3vCvfQU3y4hsv2
         amy6X96+BDQaRhptN42zy+JO7CEXpcRCP5OxCscIiRSRZkwAt4SN7nNLliasYURYHfOJ
         nf0A==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=E0fRca7B;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p71-v6si26338929pfk.275.2018.10.19.20.37.04;
        Fri, 19 Oct 2018 20:37:19 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linaro.org header.s=google header.b=E0fRca7B;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726733AbeJTLpM (ORCPT <rfc822;kernelgary@gmail.com>
        + 99 others); Sat, 20 Oct 2018 07:45:12 -0400
Received: from mail-io1-f65.google.com ([209.85.166.65]:32768 "EHLO
        mail-io1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726599AbeJTLpL (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 20 Oct 2018 07:45:11 -0400
Received: by mail-io1-f65.google.com with SMTP id l25-v6so24159045ioj.0
        for <linux-kernel@vger.kernel.org>; Fri, 19 Oct 2018 20:36:16 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=linaro.org; s=google;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :cc;
        bh=JetETkZz58YSpa7TBF0LQ4b8VevGaMi232vEE+xJ/yU=;
        b=E0fRca7B17+o255dqlRN0Z0TLylq8T4BMunWhTvPLszZi79BrJnxmEmS6vNq+5FA7R
         qLZ+pMn94Z1G0dDrcAYLz8CU4HtXR1yCAAjPV7m4eyZ3EmKxb0hj+GL1Dsjl3SuCt8mF
         amfR11uqia7gD/D5wB2dQaByjfXXrPBKGRiKA=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:in-reply-to:references:from:date
         :message-id:subject:to:cc;
        bh=JetETkZz58YSpa7TBF0LQ4b8VevGaMi232vEE+xJ/yU=;
        b=jA9YMiqS74Mg2LXEOn/9v9inSnybZPRNoyuVT8x2hoJD6kZyP3cvEc+gQR2BelNNpL
         zU+L2j7MyDkB/bFfFnGso82wn7xT/rbEGWSPiiq9q46MMh2RfpBaVXA9ZYpuCjgDccbY
         JslCmeHys82NcinBkzh9I+Ddcxsz0iigaH0QByyUxCnXdWSTl0yf/gIBlVAzTmkRohFV
         /P6lQqEvR2VU+eM8YXv9uNwZ80YjKiN61OrIT8lf5kRPgcllQ+JhNAu+/vN/mHIfI49u
         UZoCptiD2AEZE6p5OiLT1taQHoLw5XW1X6269a8ZZgzKXhCci9sQY5JKzFqgaIb9dkUb
         zshg==
X-Gm-Message-State: AGRZ1gLMcW8punGmEvhmcjE5sTB6rijpPx6KB7AI/JFPY6vGKzw16JRN
        GIWThe2sQD03RAkj7roM2AbLExcy4LuOjhYhDjsqNQ==
X-Received: by 2002:a6b:5d12:: with SMTP id r18-v6mr4248786iob.170.1540006576409;
 Fri, 19 Oct 2018 20:36:16 -0700 (PDT)
MIME-Version: 1.0
Received: by 2002:a6b:5910:0:0:0:0:0 with HTTP; Fri, 19 Oct 2018 20:36:15
 -0700 (PDT)
In-Reply-To: <20181015175424.97147-8-ebiggers@kernel.org>
References: <20181015175424.97147-1-ebiggers@kernel.org> <20181015175424.97147-8-ebiggers@kernel.org>
From:   Ard Biesheuvel <ard.biesheuvel@linaro.org>
Date:   Sat, 20 Oct 2018 11:36:15 +0800
Message-ID: <CAKv+Gu91O99D48Dr-2UKrXdPrzGSFDGr_qH9zLpbvqDwd50DAw@mail.gmail.com>
Subject: Re: [RFC PATCH v2 07/12] crypto: arm/chacha - add XChaCha12 support
To:     Eric Biggers <ebiggers@kernel.org>
Cc:     "open list:HARDWARE RANDOM NUMBER GENERATOR CORE" 
        <linux-crypto@vger.kernel.org>, linux-fscrypt@vger.kernel.org,
        linux-arm-kernel <linux-arm-kernel@lists.infradead.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>,
        Herbert Xu <herbert@gondor.apana.org.au>,
        Paul Crowley <paulcrowley@google.com>,
        Greg Kaiser <gkaiser@google.com>,
        Michael Halcrow <mhalcrow@google.com>,
        "Jason A . Donenfeld" <Jason@zx2c4.com>,
        Samuel Neves <samuel.c.p.neves@gmail.com>,
        Tomer Ashur <tomer.ashur@esat.kuleuven.be>
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On 16 October 2018 at 01:54, Eric Biggers <ebiggers@kernel.org> wrote:
> From: Eric Biggers <ebiggers@google.com>
>
> Now that the 32-bit ARM NEON implementation of ChaCha20 and XChaCha20
> has been refactored to support varying the number of rounds, add support
> for XChaCha12.  This is identical to XChaCha20 except for the number of
> rounds, which is 12 instead of 20.
>
> XChaCha12 is faster than XChaCha20 but has a lower security margin,
> though still greater than AES-256's since the best known attacks make it
> through only 7 rounds.  See the patch "crypto: chacha - add XChaCha12
> support" for more details about why we need XChaCha12 support.
>
> Signed-off-by: Eric Biggers <ebiggers@google.com>

Reviewed-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

> ---
>  arch/arm/crypto/Kconfig            |  2 +-
>  arch/arm/crypto/chacha-neon-glue.c | 21 ++++++++++++++++++++-
>  2 files changed, 21 insertions(+), 2 deletions(-)
>
> diff --git a/arch/arm/crypto/Kconfig b/arch/arm/crypto/Kconfig
> index 0aa1471f27d2e..cc932d9bba561 100644
> --- a/arch/arm/crypto/Kconfig
> +++ b/arch/arm/crypto/Kconfig
> @@ -117,7 +117,7 @@ config CRYPTO_CRC32_ARM_CE
>         select CRYPTO_HASH
>
>  config CRYPTO_CHACHA20_NEON
> -       tristate "NEON accelerated ChaCha20 stream cipher algorithms"
> +       tristate "NEON accelerated ChaCha stream cipher algorithms"
>         depends on KERNEL_MODE_NEON
>         select CRYPTO_BLKCIPHER
>         select CRYPTO_CHACHA20
> diff --git a/arch/arm/crypto/chacha-neon-glue.c b/arch/arm/crypto/chacha-neon-glue.c
> index b236af4889c61..0b1b238227707 100644
> --- a/arch/arm/crypto/chacha-neon-glue.c
> +++ b/arch/arm/crypto/chacha-neon-glue.c
> @@ -1,5 +1,6 @@
>  /*
> - * ChaCha20 (RFC7539) and XChaCha20 stream ciphers, NEON accelerated
> + * ARM NEON accelerated ChaCha and XChaCha stream ciphers,
> + * including ChaCha20 (RFC7539)
>   *
>   * Copyright (C) 2016 Linaro, Ltd. <ard.biesheuvel@linaro.org>
>   *
> @@ -160,6 +161,22 @@ static struct skcipher_alg algs[] = {
>                 .setkey                 = crypto_chacha20_setkey,
>                 .encrypt                = xchacha_neon,
>                 .decrypt                = xchacha_neon,
> +       }, {
> +               .base.cra_name          = "xchacha12",
> +               .base.cra_driver_name   = "xchacha12-neon",
> +               .base.cra_priority      = 300,
> +               .base.cra_blocksize     = 1,
> +               .base.cra_ctxsize       = sizeof(struct chacha_ctx),
> +               .base.cra_module        = THIS_MODULE,
> +
> +               .min_keysize            = CHACHA_KEY_SIZE,
> +               .max_keysize            = CHACHA_KEY_SIZE,
> +               .ivsize                 = XCHACHA_IV_SIZE,
> +               .chunksize              = CHACHA_BLOCK_SIZE,
> +               .walksize               = 4 * CHACHA_BLOCK_SIZE,
> +               .setkey                 = crypto_chacha12_setkey,
> +               .encrypt                = xchacha_neon,
> +               .decrypt                = xchacha_neon,
>         }
>  };
>
> @@ -186,3 +203,5 @@ MODULE_ALIAS_CRYPTO("chacha20");
>  MODULE_ALIAS_CRYPTO("chacha20-neon");
>  MODULE_ALIAS_CRYPTO("xchacha20");
>  MODULE_ALIAS_CRYPTO("xchacha20-neon");
> +MODULE_ALIAS_CRYPTO("xchacha12");
> +MODULE_ALIAS_CRYPTO("xchacha12-neon");
> --
> 2.19.1.331.ge82ca0e54c-goog
>