From 2f3a24142edda7117471e4d36d03e572450698c1 Mon Sep 17 00:00:00 2001 From: Ben Avison Date: Mon, 8 Mar 2021 15:32:25 +0000 Subject: [PATCH] Assign crypto aliases to different AES implementation modules The kernel modules aes-neon-blk and aes-neon-bs perform poorly, at least on Cortex-A72 without crypto extensions. In fact, aes-arm64 outperforms them on benchmarks, despite it being a simpler implementation (only accelerating the single-block AES cipher). For modes of operation where multiple cipher blocks can be processed in parallel, aes-neon-bs outperforms aes-neon-blk by around 60-70% and aes-arm64 is another 10-20% faster still. But the difference is even more marked with modes of operation with dependencies between neighbouring blocks, such as CBC encryption, which defeat parallelism: in these cases, aes-arm64 is typically around 250% faster than either aes-neon-blk or aes-neon-bs. The key trade-off with aes-arm64 is that the look-up tables are situated in RAM. This leaves them potentially open to cache timing attacks. The two other modules, by contrast, load the look-up tables into NEON registers and so are able to perform in constant time. This patch aims to load aes-arm64 more often. If none of the currently-loaded crypto modules implement a given algorithm, a new one is typically selected for loading using a platform-neutral alias describing the required algorithm. To enable users to still load aes-neon-blk or aes-neon-bs if they really want them, while still ensuring that aes-arm64 is usually selected, remove the aliases from aes-neonbs-glue.c and aes-glue.c and apply them to aes-cipher-glue.c, but still build the two NEON modules. Since aes-glue.c can also be used to build aes-ce-blk, leave them enabled if USE_V8_CRYPTO_EXTENSIONS is defined, to ensure they are selected if we in future use a CPU which has the crypto extensions enabled. Note that the algorithm priority specifiers are unchanged, so if aes-neon-bs is loaded at the same time as aes-arm64, the former will be used in preference. However, aes-neon-blk and aes-arm64 have tied priority, so whichever module was loaded first will be used (assuming aes-neon-bs is not loaded). Signed-off-by: Ben Avison --- arch/arm64/crypto/aes-cipher-glue.c | 11 +++++++++++ arch/arm64/crypto/aes-glue.c | 4 ++-- arch/arm64/crypto/aes-neonbs-glue.c | 5 ----- 3 files changed, 13 insertions(+), 7 deletions(-) diff --git a/arch/arm64/crypto/aes-cipher-glue.c b/arch/arm64/crypto/aes-cipher-glue.c index 4ec55e5..bfaa0f1d 100644 --- a/arch/arm64/crypto/aes-cipher-glue.c +++ b/arch/arm64/crypto/aes-cipher-glue.c @@ -9,6 +9,17 @@ #include #include +MODULE_ALIAS_CRYPTO("ecb(aes)"); +MODULE_ALIAS_CRYPTO("cbc(aes)"); +MODULE_ALIAS_CRYPTO("ctr(aes)"); +MODULE_ALIAS_CRYPTO("xts(aes)"); +MODULE_ALIAS_CRYPTO("xctr(aes)"); +MODULE_ALIAS_CRYPTO("cts(cbc(aes))"); +MODULE_ALIAS_CRYPTO("essiv(cbc(aes),sha256)"); +MODULE_ALIAS_CRYPTO("cmac(aes)"); +MODULE_ALIAS_CRYPTO("xcbc(aes)"); +MODULE_ALIAS_CRYPTO("cbcmac(aes)"); + asmlinkage void __aes_arm64_encrypt(u32 *rk, u8 *out, const u8 *in, int rounds); asmlinkage void __aes_arm64_decrypt(u32 *rk, u8 *out, const u8 *in, int rounds); diff --git a/arch/arm64/crypto/aes-glue.c b/arch/arm64/crypto/aes-glue.c index 162787c..0b9626c 100644 --- a/arch/arm64/crypto/aes-glue.c +++ b/arch/arm64/crypto/aes-glue.c @@ -57,18 +57,18 @@ MODULE_DESCRIPTION("AES-ECB/CBC/CTR/XTS/XCTR using ARMv8 Crypto Extensions"); #define aes_mac_update neon_aes_mac_update MODULE_DESCRIPTION("AES-ECB/CBC/CTR/XTS/XCTR using ARMv8 NEON"); #endif -#if defined(USE_V8_CRYPTO_EXTENSIONS) || !IS_ENABLED(CONFIG_CRYPTO_AES_ARM64_BS) +#if defined(USE_V8_CRYPTO_EXTENSIONS) MODULE_ALIAS_CRYPTO("ecb(aes)"); MODULE_ALIAS_CRYPTO("cbc(aes)"); MODULE_ALIAS_CRYPTO("ctr(aes)"); MODULE_ALIAS_CRYPTO("xts(aes)"); MODULE_ALIAS_CRYPTO("xctr(aes)"); -#endif MODULE_ALIAS_CRYPTO("cts(cbc(aes))"); MODULE_ALIAS_CRYPTO("essiv(cbc(aes),sha256)"); MODULE_ALIAS_CRYPTO("cmac(aes)"); MODULE_ALIAS_CRYPTO("xcbc(aes)"); MODULE_ALIAS_CRYPTO("cbcmac(aes)"); +#endif MODULE_AUTHOR("Ard Biesheuvel "); MODULE_LICENSE("GPL v2"); diff --git a/arch/arm64/crypto/aes-neonbs-glue.c b/arch/arm64/crypto/aes-neonbs-glue.c index bac4cab..937189b 100644 --- a/arch/arm64/crypto/aes-neonbs-glue.c +++ b/arch/arm64/crypto/aes-neonbs-glue.c @@ -18,11 +18,6 @@ MODULE_AUTHOR("Ard Biesheuvel "); MODULE_LICENSE("GPL v2"); -MODULE_ALIAS_CRYPTO("ecb(aes)"); -MODULE_ALIAS_CRYPTO("cbc(aes)"); -MODULE_ALIAS_CRYPTO("ctr(aes)"); -MODULE_ALIAS_CRYPTO("xts(aes)"); - asmlinkage void aesbs_convert_key(u8 out[], u32 const rk[], int rounds); asmlinkage void aesbs_ecb_encrypt(u8 out[], u8 const in[], u8 const rk[], -- 2.7.4