Received: by 2002:a6b:500f:0:0:0:0:0 with SMTP id e15csp299993iob; Tue, 3 May 2022 18:00:31 -0700 (PDT) X-Google-Smtp-Source: ABdhPJww1vc3zbXm3ZKnNVA40PSEDKyiIpAPPlhTfZHtJJ4NlIGunH/sTdk2K2C0N4wcxoR7beiV X-Received: by 2002:a17:907:2da8:b0:6f4:7a93:fd7 with SMTP id gt40-20020a1709072da800b006f47a930fd7mr7199757ejc.139.1651626030869; Tue, 03 May 2022 18:00:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1651626030; cv=none; d=google.com; s=arc-20160816; b=JkwBGziHN5h0OrX5oeofo+cI3cZH+bjZmbHgUcy+Er9zTa+W8YLPdEeVINOvcJmgSa uzKnUpO0gLaAtj/efwriU/1w2bNEFJrHuRdabxp5d6QfeK4q0Gev5TOyDjV/rLmQXrMe 1gauNw0RUJ8mDLeSaSOklBqRafvKtmWRZZj/P9Ep4swB2SA27Jswk2HKs2YwnAXSu3rs WzI+3ZeJwGHQe1CHb+DE+tisyoUtHtu49Fga8Vn1Qtmih9cZWolAdrvMwnNeXr7J3MNd Zmc8zBOyCbxqYwAqN/J7HzJFB9zQbHEsKlJ2+U6CXBv7Pq6S9yke95fStszx9m6bjk3d /5yw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:from:subject :mime-version:message-id:date:dkim-signature; bh=mj48fHHaUDuN4yy8hcAAY5+2UaHiNilq4RJZoBQ5Oc8=; b=oVbt+0KkoggMUDvSC1N5suDHV+JlmPgVJGUuYwA7AJEvg3wI9ZekFxk7hkIS1IE1u1 68DXUGVvXXUpzUsggRFf7VUYxUQFrn3i9ujqoCPq2lVovI0oGPEBB3Pwzxx/ssLbS975 acStK093nWEW2RP9dTeIn70vVr2jjZivl+Gu5+yi75IBkkv3g910s7SRqJajwcfpTTcK PlBC4JAMYzXAZeyHMmy4G7qrXLJviUina6LvOHxX3p77MRvYLAeVxdgYpi7sy0DUZ6WK a5kYGpBXIk5AvcWH+6nkaTzpDBFIqsMcXDyUcjidpltnuLCySHfRHtkfSl8tneqLmUOn MoxA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=IxvLtmaP; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u5-20020a056402064500b00425fffc1a30si14108797edx.397.2022.05.03.17.59.42; Tue, 03 May 2022 18:00:30 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20210112 header.b=IxvLtmaP; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230071AbiEDAWM (ORCPT + 99 others); Tue, 3 May 2022 20:22:12 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55036 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238802AbiEDAWL (ORCPT ); Tue, 3 May 2022 20:22:11 -0400 Received: from mail-yw1-x1149.google.com (mail-yw1-x1149.google.com [IPv6:2607:f8b0:4864:20::1149]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C2CC042EFE for ; Tue, 3 May 2022 17:18:37 -0700 (PDT) Received: by mail-yw1-x1149.google.com with SMTP id 00721157ae682-2d7eaa730d9so102467b3.13 for ; Tue, 03 May 2022 17:18:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20210112; h=date:message-id:mime-version:subject:from:to:cc :content-transfer-encoding; bh=mj48fHHaUDuN4yy8hcAAY5+2UaHiNilq4RJZoBQ5Oc8=; b=IxvLtmaP7cvO5HZ/GJvfdOkQpkyZAbERyP59coJGc8rt2yYoH0VHDayFN9sBvUh07Z qG1YCvior3FsOeftw4ZD+keFM+Srk35Q4qUpZ7UaDNTNGI1cK927Fd28vXC40EViZBO0 pdjr8gT/oM03+TCQ0yK3MiJx7p59E2Qb5DdsULSi908yjq/onn0wLcfpv+LtueKVnHFO 3YkZUFyoBswcnIUF6Y67nppP1oANT4rapYToJRYg9Mg3cbsAfs6gBmQtE8ijT/voi6do i5+kr7yv6wZv+uSSdjS+M1qokxDd+3Lm4EBMtNQUWy0/a2nLAS+ZOSmW+11SOtLBcPPZ 2KpA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:date:message-id:mime-version:subject:from:to:cc :content-transfer-encoding; bh=mj48fHHaUDuN4yy8hcAAY5+2UaHiNilq4RJZoBQ5Oc8=; b=chcEQsss8X4x0+bVMTWSgMA0biQ06R3LodjpyKycClpXDsqb9B9zjNuKHU7Jh9YKCU gJi62s2og6VoDTrpBXq/sicTRFl/4n1OZAwU5FJS2Wpvo9QdQLMFZWSwcSs6nknZeX+X S1CUT11Ew2CbNyMkzgtZjH6EnVPdoCgMbZ7dxQdcWEzZKknwfB58oLOi+fxsSpuadC7k OMTvRH0R8qFbBiXTZ4V9GrTNgW3HJ7nFiPuc8MulkmJ543VTW1OmYfn/D9bPWc2PVS6k TEVr536pXuwyugYV3etPVN91zfM/Rh75rW/w68ZdpHb2Msu5q5Lc+yobfnnHWLBGhnID MvLQ== X-Gm-Message-State: AOAM531tJu4LCMnIY6wUPDjRr0YOuq38560VQX9ljdGWfL7t8Dzj+ALO AhHLM4QA72rg9QLu+3Q8SksGkZi7QpOLUHWq3dOGsZqXadMCIn/4mhocweKs7bJAhGIjfISG76L ickOB7C5Wuqvpn6Rnk8tJhNw8OKiLnPzstFoaDQhZ0rjHjkGZLVc5MQhb/BTyHe8rRIc= X-Received: from nhuck.c.googlers.com ([fda3:e722:ac3:cc00:14:4d90:c0a8:39cc]) (user=nhuck job=sendgmr) by 2002:a0d:ddc6:0:b0:2f8:a506:a5c0 with SMTP id g189-20020a0dddc6000000b002f8a506a5c0mr18521523ywe.140.1651623515866; Tue, 03 May 2022 17:18:35 -0700 (PDT) Date: Wed, 4 May 2022 00:18:14 +0000 Message-Id: <20220504001823.2483834-1-nhuck@google.com> Mime-Version: 1.0 X-Mailer: git-send-email 2.36.0.464.gb9c8b46e94-goog Subject: [PATCH v6 0/9] crypto: HCTR2 support From: Nathan Huckleberry To: linux-crypto@vger.kernel.org Cc: linux-fscrypt@vger.kernel.org, Herbert Xu , "David S. Miller" , linux-arm-kernel@lists.infradead.org, Paul Crowley , Eric Biggers , Sami Tolvanen , Ard Biesheuvel , Nathan Huckleberry Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-9.6 required=5.0 tests=BAYES_00,DKIMWL_WL_MED, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_NONE, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org HCTR2 is a length-preserving encryption mode that is efficient on processors with instructions to accelerate AES and carryless multiplication, e.g. x86 processors with AES-NI and CLMUL, and ARM processors with the ARMv8 Crypto Extensions. HCTR2 is specified in https://ia.cr/2021/1441 "Length-preserving encryption with HCTR2" which shows that if AES is secure and HCTR2 is instantiated with AES, then HCTR2 is secure. Reference code and test vectors are at https://github.com/google/hctr2. As a length-preserving encryption mode, HCTR2 is suitable for applications such as storage encryption where ciphertext expansion is not possible, and thus authenticated encryption cannot be used. Currently, such applications usually use XTS, or in some cases Adiantum. XTS has the disadvantage that it is a narrow-block mode: a bitflip will only change 16 bytes in the resulting ciphertext or plaintext. This reveals more information to an attacker than necessary. HCTR2 is a wide-block mode, so it provides a stronger security property: a bitflip will change the entire message. HCTR2 is somewhat similar to Adiantum, which is also a wide-block mode. However, HCTR2 is designed to take advantage of existing crypto instructions, while Adiantum targets devices without such hardware support. Adiantum is also designed with longer messages in mind, while HCTR2 is designed to be efficient even on short messages. The first intended use of this mode in the kernel is for the encryption of filenames, where for efficiency reasons encryption must be fully deterministic (only one ciphertext for each plaintext) and the existing CBC solution leaks more information than necessary for filenames with common prefixes. HCTR2 uses two passes of an =CE=B5-almost-=E2=88=86-universal hash function= called POLYVAL and one pass of a block cipher mode called XCTR. POLYVAL is a polynomial hash designed for efficiency on modern processors and was originally specified for use in AES-GCM-SIV (RFC 8452). XCTR mode is a variant of CTR mode that is more efficient on little-endian machines. This patchset adds HCTR2 to Linux's crypto API, including generic implementations of XCTR and POLYVAL, hardware accelerated implementations of XCTR and POLYVAL for both x86-64 and ARM64, a templated implementation of HCTR2, and an fscrypt policy for using HCTR2 for filename encryption. Changes in v6: * Split ARM64 XCTR/CTR refactoring into separate patch * Allow simd POLYVAL implementations to be preempted * Fix uninitialized bug in HCTR2 * Fix streamcipher name handling bug in HCTR2 * Various small style fixes Changes in v5: * Refactor HCTR2 tweak hashing * Remove non-AVX x86-64 XCTR implementation * Combine arm64 CTR and XCTR modes * Comment and alias CTR and XCTR modes * Move generic fallback code for simd POLYVAL into polyval-generic.c * Various small style fixes Changes in v4: * Small style fixes in generic POLYVAL and XCTR * Move HCTR2 hash exporting/importing to helper functions * Rewrite montgomery reduction for x86-64 POLYVAL * Rewrite partial block handling for x86-64 POLYVAL * Optimize x86-64 POLYVAL loop handling * Remove ahash wrapper from x86-64 POLYVAL * Add simd-unavailable handling to x86-64 POLYVAL * Rewrite montgomery reduction for ARM64 POLYVAL * Rewrite partial block handling for ARM64 POLYVAL * Optimize ARM64 POLYVAL loop handling * Remove ahash wrapper from ARM64 POLYVAL * Add simd-unavailable handling to ARM64 POLYVAL Changes in v3: * Improve testvec coverage for XCTR, POLYVAL and HCTR2 * Fix endianness bug in xctr.c * Fix alignment issues in polyval-generic.c * Optimize hctr2.c by exporting/importing hash states * Fix blockcipher name derivation in hctr2.c * Move x86-64 XCTR implementation into aes_ctrby8_avx-x86_64.S * Reuse ARM64 CTR mode tail handling in ARM64 XCTR * Fix x86-64 POLYVAL comments * Fix x86-64 POLYVAL key_powers type to match asm * Fix ARM64 POLYVAL comments * Fix ARM64 POLYVAL key_powers type to match asm * Add XTS + HCTR2 policy to fscrypt Nathan Huckleberry (9): crypto: xctr - Add XCTR support crypto: polyval - Add POLYVAL support crypto: hctr2 - Add HCTR2 support crypto: x86/aesni-xctr: Add accelerated implementation of XCTR crypto: arm64/aes-xctr: Add accelerated implementation of XCTR crypto: arm64/aes-xctr: Improve readability of XCTR and CTR modes crypto: x86/polyval: Add PCLMULQDQ accelerated implementation of POLYVAL crypto: arm64/polyval: Add PMULL accelerated implementation of POLYVAL fscrypt: Add HCTR2 support for filename encryption Documentation/filesystems/fscrypt.rst | 22 +- arch/arm64/crypto/Kconfig | 9 +- arch/arm64/crypto/Makefile | 3 + arch/arm64/crypto/aes-glue.c | 64 +- arch/arm64/crypto/aes-modes.S | 309 +++-- arch/arm64/crypto/polyval-ce-core.S | 367 ++++++ arch/arm64/crypto/polyval-ce-glue.c | 190 +++ arch/x86/crypto/Makefile | 3 + arch/x86/crypto/aes_ctrby8_avx-x86_64.S | 232 ++-- arch/x86/crypto/aesni-intel_glue.c | 114 +- arch/x86/crypto/polyval-clmulni_asm.S | 331 +++++ arch/x86/crypto/polyval-clmulni_glue.c | 202 +++ crypto/Kconfig | 39 +- crypto/Makefile | 3 + crypto/hctr2.c | 581 +++++++++ crypto/polyval-generic.c | 245 ++++ crypto/tcrypt.c | 10 + crypto/testmgr.c | 20 + crypto/testmgr.h | 1536 +++++++++++++++++++++++ crypto/xctr.c | 191 +++ fs/crypto/fscrypt_private.h | 2 +- fs/crypto/keysetup.c | 7 + fs/crypto/policy.c | 14 +- include/crypto/polyval.h | 22 + include/uapi/linux/fscrypt.h | 3 +- 25 files changed, 4321 insertions(+), 198 deletions(-) create mode 100644 arch/arm64/crypto/polyval-ce-core.S create mode 100644 arch/arm64/crypto/polyval-ce-glue.c create mode 100644 arch/x86/crypto/polyval-clmulni_asm.S create mode 100644 arch/x86/crypto/polyval-clmulni_glue.c create mode 100644 crypto/hctr2.c create mode 100644 crypto/polyval-generic.c create mode 100644 crypto/xctr.c create mode 100644 include/crypto/polyval.h --=20 2.36.0.464.gb9c8b46e94-goog