![[BACK]](/icons/back.gif){kind=icon}
Up to [cvs.NetBSD.org] / src / sys / crypto / aes
Request diff between arbitrary revisions
Default branch: MAIN
Revision 1.2 / (download) - annotate - [select for diffs], Mon Jun 29 23:36:59 2020 UTC (3 years, 9 months ago) by riastradh
Branch: MAIN
CVS Tags: thorpej-ifq-base,
thorpej-ifq,
thorpej-i2c-spi-conf2-base,
thorpej-i2c-spi-conf2,
thorpej-i2c-spi-conf-base,
thorpej-i2c-spi-conf,
thorpej-futex2-base,
thorpej-futex2,
thorpej-futex-base,
thorpej-futex,
thorpej-cfargs2-base,
thorpej-cfargs2,
thorpej-cfargs-base,
thorpej-cfargs,
thorpej-altq-separation-base,
thorpej-altq-separation,
netbsd-10-base,
netbsd-10-0-RELEASE,
netbsd-10-0-RC6,
netbsd-10-0-RC5,
netbsd-10-0-RC4,
netbsd-10-0-RC3,
netbsd-10-0-RC2,
netbsd-10-0-RC1,
netbsd-10,
cjep_sun2x-base1,
cjep_sun2x-base,
cjep_sun2x,
cjep_staticlib_x-base1,
cjep_staticlib_x-base,
cjep_staticlib_x,
bouyer-sunxi-drm-base,
bouyer-sunxi-drm,
HEAD
Changes since 1.1: +7 -1
lines
Diff to previous 1.1 (colored)
Provide the standard AES key schedule. Different AES implementations prefer different variations on it, but some of them -- notably VIA -- require the standard key schedule to be available and don't provide hardware support for computing it themselves. So adapt BearSSL's logic to generate the standard key schedule (and decryption keys, with InvMixColumns), rather than the bitsliced key schedule that BearSSL uses natively.
Revision 1.1 / (download) - annotate - [select for diffs], Mon Jun 29 23:27:52 2020 UTC (3 years, 9 months ago) by riastradh
Branch: MAIN
Rework AES in kernel to finally address CVE-2005-1797.
1. Rip out old variable-time reference implementation.
2. Replace it by BearSSL's constant-time 32-bit logic.
=> Obtained from commit dda1f8a0c46e15b4a235163470ff700b2f13dcc5.
=> We could conditionally adopt the 64-bit logic too, which would
likely give a modest performance boost on 64-bit platforms
without AES-NI, but that's a bit more trouble.
3. Select the AES implementation at boot-time; allow an MD override.
=> Use self-tests to verify basic correctness at boot.
=> The implementation selection policy is rather rudimentary at
the moment but it is isolated to one place so it's easy to
change later on.
This (a) plugs a host of timing attacks on, e.g., cgd, and (b) paves
the way to take advantage of CPU support for AES -- both things we
should've done a decade ago. Downside: Computing AES takes 2-3x the
CPU time. But that's what hardware support will be coming for.
Rudimentary measurement of performance impact done by:
mount -t tmpfs tmpfs /tmp
dd if=/dev/zero of=/tmp/disk bs=1m count=512
vnconfig -cv vnd0 /tmp/disk
cgdconfig -s cgd0 /dev/vnd0 aes-cbc 256 < /dev/zero
dd if=/dev/rcgd0d of=/dev/null bs=64k
dd if=/dev/zero of=/dev/rcgd0d bs=64k
The AES-CBC encryption performance impact is closer to 3x because it
is inherently sequential; the AES-CBC decryption impact is closer to
2x because the bitsliced AES logic can process two blocks at once.
Discussed on tech-kern:
https://mail-index.NetBSD.org/tech-kern/2020/06/18/msg026505.html