Received: by 2002:a05:6358:1087:b0:cb:c9d3:cd90 with SMTP id j7csp6361305rwi; Sun, 23 Oct 2022 23:36:44 -0700 (PDT) X-Google-Smtp-Source: AMsMyM66ZjBm64+svPvcz30z3RjHW5Ci0ivRF9sBtRqJvQ82JoVQla84pPjIfWI7mJ9tbYHMSHZy X-Received: by 2002:a17:907:2c74:b0:7a1:d333:f214 with SMTP id ib20-20020a1709072c7400b007a1d333f214mr8046511ejc.14.1666593404616; Sun, 23 Oct 2022 23:36:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1666593404; cv=none; d=google.com; s=arc-20160816; b=bm59+SMlNzW0S7tCHYrveaP7PROC71qD43NGTigyuYzQdDDE/qIDutRzmHYrSei/RL j6uWwBMNezexWDH00RAUBquZvMZE5RALX6BsEaXMVd1811cDr80gJq3PyNktoK6hOaNi JGVuh9erzDmjIaY8BW6wm0VhSOM9q/Tf195vuIm/p5VBwepgkJRmF7JRviXaL2UWDxGT 4NWyp0ZSPHJnDrRiPrrkF0u+lYFbAYkmlGbaYPZVVifH2cu/bqdc1hWpEkpj4BlOho98 Px20BZQ8839V2Z8+QRXlG0NiRI1k+pkNwEtq7iX1IthIyRL7DbeKU7bU1FP+45CPaZ1f oQRA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature; bh=6oMGqXBh1LmPFqTwPrynIu4W7M1fDYMlJebtBodfjVg=; b=xSSWMtt+0YJeDmriSIZEY4mqiFDnHpb7VyLPcH79Amn8IrVS3yT4+w3qL8Gm/yA6lm 2QaD/0S/Dnb2L6mBeD9F20P6/iv9QY9lyd+c846xPXeWlqWQ0qYvRlqReFxQPH2+kVgv GsMoJ53jCfpG0o+mLu9Zac4JqRfAIlCfIKNKarBde3sqcxPiEKRrpHcE+M7+SQQMMDA4 of44HWedIknqa7mXCBcIBMMaYX8zv0bdexJEY72jN+vcY7tLp/tQr0s3zbvexrS/sVhW 2w3lcAP87psumcF7yEQPUDhzAqyeUxWPmvKjZTJJZxOoX67mJXH6lLYssjKXgjfYKfdk PuqA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="iLv5l/jr"; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id p7-20020a170906498700b0073d8659db5csi24108414eju.966.2022.10.23.23.36.12; Sun, 23 Oct 2022 23:36:44 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b="iLv5l/jr"; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230327AbiJXGb0 (ORCPT + 99 others); Mon, 24 Oct 2022 02:31:26 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57736 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229752AbiJXGbS (ORCPT ); Mon, 24 Oct 2022 02:31:18 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 028BD5B7AC for ; Sun, 23 Oct 2022 23:31:17 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 9C026B80ED7 for ; Mon, 24 Oct 2022 06:31:15 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id ACBB2C433D6; Mon, 24 Oct 2022 06:31:12 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1666593074; bh=tzliwd919YHPSnBymIAw8/q1/Fe8hN6NNMU9NT0KVHw=; h=From:To:Cc:Subject:Date:From; b=iLv5l/jrr3NirxqrLE6YZQ4OQIiFJQwWfrVKiQdA32lvy0BqAkTTaMd0j1mWEEeEm gY9TDdoeQmNFMv7TWbEiHjWaBwUuEi2SvCvKfQbfxnPucJFBwFn5kXocYFfxZdvdnu Hd/p3fsbjqITM6R9jkrixc+XztqDz9qk+KbW715yR1rqg5nqLkRPfJr1XmCwsbXVTw G7DmykVnfjO4GEYt+sSGWFuJNVuZH/Rpc05CPRSq3tLoEv4WYowqVlB+fO+VYpzTeF 0CGD/sTq9YLWjrbLHXYIckYQYF4IMiUDqhJztrcZfTXHB+UlI2t5V21uEJqqKbUO86 jzINT95yUyG1g== From: Ard Biesheuvel To: linux-crypto@vger.kernel.org Cc: herbert@gondor.apana.org.au, ebiggers@kernel.org, keescook@chromium.org, jason@zx2c4.com, nikunj@amd.com, Ard Biesheuvel Subject: [PATCH v4 0/3] crypto: Add AES-GCM implementation to lib/crypto Date: Mon, 24 Oct 2022 08:30:49 +0200 Message-Id: <20221024063052.109148-1-ardb@kernel.org> X-Mailer: git-send-email 2.35.1 MIME-Version: 1.0 X-Developer-Signature: v=1; a=openpgp-sha256; l=2081; i=ardb@kernel.org; h=from:subject; bh=tzliwd919YHPSnBymIAw8/q1/Fe8hN6NNMU9NT0KVHw=; b=owEB7QES/pANAwAKAcNPIjmS2Y8kAcsmYgBjVjEWM0G1Wh0RijfOgvjltPKAPfwxoXL2rhkQ2h75 JFJh5siJAbMEAAEKAB0WIQT72WJ8QGnJQhU3VynDTyI5ktmPJAUCY1YxFgAKCRDDTyI5ktmPJE1DDA CwH2c2EENwhW0wiDBx/BpplPNimxVsAjW3AoO/fwPB0J5CDq/KH8wFQZoGz2o5kF1zIqL8ZaaCkVMW 7qUNJle/jEdpL8NAqyN6uRHMKHIEIT73XIltRnXUB6vAoHfcd6Mdpcz3ENPBOXz++5GaEiCHZGZg4j C4ucTTROzrFkjzWiXIy3VaucaUdLW044mvlbAMtrtG3TBTIneTWR4U+1K7BmSJ82WSZcgGMZHSgMtd Z0d/O9rHmO1KXNZwieWO0+RpM2RXNuITfkj3QBP2x1ZCs+pn0sKiCBzXFRSwQAR1sVSYUpVKmyzPuK 3S6AcGgbaRc66dh3zp+/EDn/vhXItiIILaFLTeNRt5IMl9W9RV3jqtlWYLdUJfKOwcZTKnfm3qeBPQ 7X0xNOwj0Z6+/QtsQfRkUehMrOcpSdoc8BU4yj4BmlyjBq8F4V+hoqtzmVfuC7h+yOildjRI24YlVx wao2e69HFXBE4kQ5uNBwvNz9XaRzlgbfiD0DEf/+Nf0DY= X-Developer-Key: i=ardb@kernel.org; a=openpgp; fpr=F43D03328115A198C90016883D200E9CA6329909 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-7.6 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Provide a generic library implementation of AES-GCM which can be used really early during boot, e.g., to communicate with the security coprocessor on SEV-SNP virtual machines to bring up secondary cores. This is needed because the crypto API is not available yet this early. We cannot rely on special instructions for AES or polynomial multiplication, which are arch specific and rely on in-kernel SIMD infrastructure. Instead, add a generic C implementation that combines the existing C implementations of AES and multiplication in GF(2^128). To reduce the risk of forgery attacks, replace data dependent table lookups and conditional branches in the used gf128mul routine with constant-time equivalents. The AES library has already been robustified to some extent to prevent known-plaintext timing attacks on the key, but we call it with interrupts disabled to make it a bit more robust. (Note that in SEV-SNP context, the VMM is untrusted, and is able to inject interrupts arbitrarily, and potentially maliciously.) Changes since v3: - rename GCM-AES to AES-GCM Changes since v2: - move gf128mul to lib/crypto - add patch #2 to make gf128mul_lle constant time - fix kerneldoc headers and drop them from the .h file Changes since v1: - rename gcm to gcmaes to reflect that GCM is also used in combination with other symmetric ciphers (Jason) - add Nikunj's Tested-by Ard Biesheuvel (3): crypto: move gf128mul library into lib/crypto crypto: gf128mul - make gf128mul_lle time invariant crypto: aesgcm - Provide minimal library implementation crypto/Kconfig | 3 - crypto/Makefile | 1 - include/crypto/gcm.h | 22 + lib/crypto/Kconfig | 9 + lib/crypto/Makefile | 5 + lib/crypto/aesgcm.c | 720 ++++++++++++++++++++ {crypto => lib/crypto}/gf128mul.c | 58 +- 7 files changed, 795 insertions(+), 23 deletions(-) create mode 100644 lib/crypto/aesgcm.c rename {crypto => lib/crypto}/gf128mul.c (87%) -- 2.35.1