The NetBSD Project

CVS log for src/sys/crypto/aes/aes_impl.c



Default branch: MAIN


Revision 1.10, Sat Nov 5 17:36:33 2022 UTC (15 months, 3 weeks ago) by jmcneill
Branch: MAIN
CVS Tags: thorpej-ifq-base, thorpej-ifq, thorpej-altq-separation-base, thorpej-altq-separation, netbsd-10-base, netbsd-10-0-RC5, netbsd-10-0-RC4, netbsd-10-0-RC3, netbsd-10-0-RC2, netbsd-10-0-RC1, netbsd-10, HEAD
Changes since 1.9: +3 -3 lines

Make aes and chacha prints debug only.

Revision 1.9, Mon Jul 27 20:45:15 2020 UTC (3 years, 7 months ago) by riastradh
Branch: MAIN
CVS Tags: thorpej-i2c-spi-conf2-base, thorpej-i2c-spi-conf2, thorpej-i2c-spi-conf-base, thorpej-i2c-spi-conf, thorpej-futex2-base, thorpej-futex2, thorpej-futex-base, thorpej-futex, thorpej-cfargs2-base, thorpej-cfargs2, thorpej-cfargs-base, thorpej-cfargs, cjep_sun2x-base1, cjep_sun2x-base, cjep_sun2x, cjep_staticlib_x-base1, cjep_staticlib_x-base, cjep_staticlib_x, bouyer-sunxi-drm-base, bouyer-sunxi-drm
Changes since 1.8: +18 -8 lines

New sysctl subtree kern.crypto.

kern.crypto.aes.selected (formerly hw.aes_impl)
kern.crypto.chacha.selected (formerly hw.chacha_impl)

XXX Should maybe deduplicate creation of kern.crypto.

Revision 1.8, Sat Jul 25 22:42:03 2020 UTC (3 years, 7 months ago) by riastradh
Branch: MAIN
Changes since 1.7: +3 -3 lines

Make aes boot message verbose-only.

Revision 1.7, Sat Jul 25 22:36:42 2020 UTC (3 years, 7 months ago) by riastradh
Branch: MAIN
Changes since 1.6: +5 -51 lines

Remove now-needless AES-CCM fallback logic.

These paths are no longer exercised because all of the aes_impls now
do the AES-CCM operations.

Revision 1.6, Sat Jul 25 22:27:53 2020 UTC (3 years, 7 months ago) by riastradh
Branch: MAIN
Changes since 1.5: +86 -2 lines

Push CBC-MAC and CCM block updates into the aes_impl API.

This should help reduce the setup and teardown overhead (enabling and
disabling fpu, or expanding bitsliced keys) for CCM, as used in
802.11 WPA2 CCMP.  But all the fiddly formatting details remain in
aes_ccm.c to reduce the effort of implementing it -- at the cost of a
handful of additional setups and teardowns per message.

Not yet implemented by any of the aes_impls, so leave a fallback that
just calls aes_enc for now.  This should be removed when all of the
aes_impls provide CBC-MAC and CCM block updates.

Revision 1.5, Sat Jul 25 22:14:35 2020 UTC (3 years, 7 months ago) by riastradh
Branch: MAIN
Changes since 1.4: +4 -2 lines

Split aes_cbc_* and aes_xts_* into their own header files.

aes.h will remain just for key setup; any particular construction using
AES can have its own header file so we can have many of them without
rebuilding everything AES-related whenever one of them changes.

(Planning to add AES-CCM and AES-GCM too.)

Revision 1.4, Sat Jul 25 22:12:57 2020 UTC (3 years, 7 months ago) by riastradh
Branch: MAIN
Changes since 1.3: +3 -2 lines

Split aes_impl declarations out into aes_impl.h.

This will make it less painful to add more operations to struct
aes_impl without having to recompile everything that just uses the
block cipher directly or similar.

Revision 1.3, Tue Jun 30 16:21:17 2020 UTC (3 years, 8 months ago) by riastradh
Branch: MAIN
Changes since 1.2: +27 -2 lines

New sysctl node hw.aes_impl for selected AES implementation.

Revision 1.2, Mon Jun 29 23:36:59 2020 UTC (3 years, 8 months ago) by riastradh
Branch: MAIN
Changes since 1.1: +135 -2 lines

Provide the standard AES key schedule.

Different AES implementations prefer different variations on it, but
some of them -- notably VIA -- require the standard key schedule to
be available and don't provide hardware support for computing it
themselves.  So adapt BearSSL's logic to generate the standard key
schedule (and decryption keys, with InvMixColumns), rather than the
bitsliced key schedule that BearSSL uses natively.

Revision 1.1, Mon Jun 29 23:27:52 2020 UTC (3 years, 8 months ago) by riastradh
Branch: MAIN

Rework AES in kernel to finally address CVE-2005-1797.

1. Rip out old variable-time reference implementation.
2. Replace it by BearSSL's constant-time 32-bit logic.
   => Obtained from commit dda1f8a0c46e15b4a235163470ff700b2f13dcc5.
   => We could conditionally adopt the 64-bit logic too, which would
      likely give a modest performance boost on 64-bit platforms
      without AES-NI, but that's a bit more trouble.
3. Select the AES implementation at boot-time; allow an MD override.
   => Use self-tests to verify basic correctness at boot.
   => The implementation selection policy is rather rudimentary at
      the moment but it is isolated to one place so it's easy to
      change later on.

This (a) plugs a host of timing attacks on, e.g., cgd, and (b) paves
the way to take advantage of CPU support for AES -- both things we
should've done a decade ago.  Downside: Computing AES takes 2-3x the
CPU time.  But that's what hardware support will be coming for.

Rudimentary measurement of performance impact done by:

    mount -t tmpfs tmpfs /tmp
    dd if=/dev/zero of=/tmp/disk bs=1m count=512
    vnconfig -cv vnd0 /tmp/disk
    cgdconfig -s cgd0 /dev/vnd0 aes-cbc 256 < /dev/zero
    dd if=/dev/rcgd0d of=/dev/null bs=64k
    dd if=/dev/zero of=/dev/rcgd0d bs=64k

The AES-CBC encryption performance impact is closer to 3x because it
is inherently sequential; the AES-CBC decryption impact is closer to
2x because the bitsliced AES logic can process two blocks at once.

Discussed on tech-kern:

https://mail-index.NetBSD.org/tech-kern/2020/06/18/msg026505.html
