From: Ard Biesheuvel
Date: Fri, 21 Jul 2023 13:39:30 +0200
Subject: Re: [PATCH v4 10/12] RISC-V: crypto: add Zvkned accelerated AES encryption implementation
To: Eric Biggers
Cc: Heiko Stuebner , palmer@dabbelt.com, paul.walmsley@sifive.com, aou@eecs.berkeley.edu, herbert@gondor.apana.org.au, davem@davemloft.net, conor.dooley@microchip.com, linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org, christoph.muellner@vrull.eu, Heiko Stuebner
X-Mailing-List: linux-crypto@vger.kernel.org

On Fri, 21 Jul 2023 at 07:40, Eric Biggers wrote:
>
> On Tue, Jul 11, 2023 at 05:37:41PM +0200, Heiko Stuebner wrote:
...
> > +static int riscv64_aes_setkey_zvkned(struct crypto_tfm *tfm, const u8 *key, > > + unsigned int keylen) > > +{ > > + struct riscv_aes_ctx *ctx = crypto_tfm_ctx(tfm); > > + int ret; > > + > > + ctx->keylen = keylen; > > + > > + if (keylen == 16 || keylen == 32) { > > + kernel_rvv_begin(); > > + ret = rv64i_zvkned_set_encrypt_key(key, keylen * 8, &ctx->enc_key); > > + if (ret != 1) { > > + kernel_rvv_end(); > > + return -EINVAL; > > + } > > + > > + ret = rv64i_zvkned_set_decrypt_key(key, keylen * 8, &ctx->dec_key);

The asm suggests that the encryption and decryption key schedules are the same, and the decryption algorithm does not implement the Equivalent Inverse Cipher, but simply iterates over the key schedule in reverse order. This makes much more sense for instruction based AES, so it doesn't surprise me but it does mean you can just drop this part, and pass enc_key everywhere.

> > + kernel_rvv_end(); > > + if (ret != 1) > > + return -EINVAL; > > + } > > + > > + ret = crypto_cipher_setkey(ctx->fallback, key, keylen); > > + > > + return ret ? -EINVAL : 0; > > +}
>
> It's a bit annoying that RISC-V doesn't support AES-192, though also not particularly surprising, seeing as AES-192 is almost never used. (Intel's Key Locker, for example, is another recent CPU feature that doesn't support AES-192.) IMO the issue here is really with the kernel crypto API -- it should treat AES-128, AES-192, and AES-256 as separate algorithms so that implementations aren't forced to support all three key sizes...
>

Why is this a fundamental limitation? AES-192 uses the same AES block size and round structure, the only difference is the number of rounds and how the round keys are calculated. Creating the key schedule should never be performance critical, so if the lack of AES-192 support is due to a limitation in the key schedule generation instructions, I'd suggest to avoid those if possible and just use the generic library code to derive the key schedule. If that works, I'm pretty sure AES-192 support is just a matter of implementing a 12-round variant modeled after the existing 10/14 round ones.
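
Review bot: The final "return ret ? -EINVAL : 0;" in riscv64_aes_setkey_zvkned() throws away whatever error crypto_cipher_setkey(ctx->fallback, ...) reported and replaces it with -EINVAL; returning the fallback's result directly would keep the real cause visible to the caller. In the keylen == 16 || keylen == 32 branch, ctx->keylen is assigned before any validation and ctx->enc_key may already be rewritten when a later step fails, so a failed setkey leaves the context partly updated; assigning ctx->keylen only after every step succeeded, and funnelling both failure paths through a single kernel_rvv_end() exit, would make the error handling easier to audit. The "ret != 1" checks also imply that the two rv64i_zvkned_set_*_key() helpers return 1 on success, which is worth a comment because kernel code normally returns 0 for success.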
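
The generic key-schedule derivation suggested in the reply above, as an added example (not code from the patch or from the kernel's AES library; aes_expand_key and its helpers are hypothetical names). It follows the FIPS-197 key expansion, in which the three key sizes differ only in Nk and the round count Nr = Nk + 6; a straightforward inverse cipher consumes the same words from round Nr down to round 0.

```c
#include <stdint.h>

/* GF(2^8) multiply modulo x^8+x^4+x^3+x+1. Illustrative only, not constant-time. */
static uint8_t gf_mul(uint8_t a, uint8_t b)
{
	uint8_t p = 0;
	for (; b; b >>= 1) {
		p ^= (b & 1) ? a : 0;
		a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1b : 0));
	}
	return p;
}

static uint8_t sbox(uint8_t x)
{
	uint8_t inv = 1, r = 0x63;
	for (int i = 0; i < 254; i++)	/* x^254 is the inverse of x; 0 maps to 0 */
		inv = gf_mul(inv, x);
	for (int i = 0; i < 5; i++)	/* affine map: XOR of inv rotated left by 0..4 */
		r ^= (uint8_t)((inv << i) | (inv >> (8 - i)));
	return r;
}

static uint32_t sub_word(uint32_t w)
{
	return (uint32_t)sbox(w >> 24) << 24 | (uint32_t)sbox((w >> 16) & 0xff) << 16 |
	       (uint32_t)sbox((w >> 8) & 0xff) << 8 | sbox(w & 0xff);
}

/* Expand a 16/24/32-byte key into 4*(Nr+1) words; returns Nr = 10/12/14, or -1. */
int aes_expand_key(const uint8_t *key, unsigned int keylen, uint32_t w[60])
{
	int nk = (int)(keylen / 4), nr = nk + 6, rcon = 1;
	if (keylen != 16 && keylen != 24 && keylen != 32)
		return -1;
	for (int i = 0; i < nk; i++)
		w[i] = (uint32_t)key[4 * i] << 24 | (uint32_t)key[4 * i + 1] << 16 |
		       (uint32_t)key[4 * i + 2] << 8 | key[4 * i + 3];
	for (int i = nk; i < 4 * (nr + 1); i++) {
		uint32_t t = w[i - 1];
		if (i % nk == 0) {		/* RotWord, SubWord, Rcon */
			t = sub_word((t << 8) | (t >> 24)) ^ ((uint32_t)rcon << 24);
			rcon = gf_mul((uint8_t)rcon, 2);
		}
		if (nk == 8 && i % 8 == 4)	/* extra SubWord, AES-256 only */
			t = sub_word(t);
		w[i] = w[i - nk] ^ t;
	}
	return nr;
}
```

For a 24-byte key the function returns 12 and fills 52 words, which is the schedule a 12-round variant would consume.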