
Implement a minimal library version of AES-GCM based on the existing library implementations of AES and multiplication in GF(2^128). Using these primitives, GCM can be implemented in a straightforward manner.

GCM has a couple of sharp edges, i.e., the amount of input data processed with the same initialization vector (IV) should be capped to protect the counter from 32-bit rollover (or carry), and the size of the authentication tag should be fixed for a given key. [0]

The former concern is addressed trivially, given that the function call API uses 32-bit signed types for the input lengths. It is still up to the caller to avoid IV reuse in general, but this is not something we can police at the implementation level.

As for the latter concern, let's make the authentication tag size part of the key schedule, and only permit it to be configured as part of the key expansion routine.

Note that table-based AES implementations are susceptible to known plaintext timing attacks on the encryption key. The AES library already attempts to mitigate this to some extent, but given that the counter mode encryption used by GCM operates exclusively on known plaintext by construction (the IV and therefore the initial counter value are known to an attacker), let's take some extra care to mitigate this, by calling the AES library with interrupts disabled.

[0] https://nvlpubs.nist.gov/nistpubs/legacy/sp/nistspecialpublication800-38d.pdf

Link: https://lore.kernel.org/all/c6fb9b25-a4b6-2e4a-2dd1-63adda055a49@amd.com/
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Tested-by: Nikunj A Dadhania <nikunj@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
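As an added worked example (not part of this commit or the kernel's own aesgcm code): the GHASH authenticator that GCM builds from GF(2^128) multiplication, with a known-answer check against test case 2 of the NIST spec cited at [0]. The names ghash_block, ghash and ghash_selftest are this example's own, and its bit-serial multiply stands in for the gf128mul library the commit relies on; the GCM tag is this GHASH value XORed with E_K(J0) and truncated to the configured tag length.

```c
#include <stdint.h>
#include <string.h>
/* y = (y ^ x) * h in GF(2^128), GCM bit order (SP 800-38D Algorithm 1): 16-byte big-endian
 * blocks, bit 0 = MSB of byte 0, R = 0xe1 << 120.  Bit-serial and data-dependent, so it
 * leaks h through timing: teaching code only, not a substitute for the gf128mul library. */
static void ghash_block(const uint8_t h[16], uint8_t y[16], const uint8_t *x, size_t n)
{
	uint8_t z[16] = { 0 }, v[16];
	memcpy(v, h, 16);
	for (size_t j = 0; j < n; j++)	/* bytes past n are GCM's zero padding */
		y[j] ^= x[j];
	for (int i = 0; i < 128; i++) {
		if (y[i / 8] & (0x80 >> (i % 8)))
			for (int j = 0; j < 16; j++)
				z[j] ^= v[j];
		uint8_t r = (v[15] & 1) ? 0xe1 : 0;	/* bit shifted out => reduce by R */
		for (int j = 15; j >= 0; j--)		/* V = (V >> 1) ^ r */
			v[j] = (v[j] >> 1) ^ (j ? v[j - 1] << 7 : r);
	}
	memcpy(y, z, 16);
}

/* GHASH(H, A, C) over pad(A) || pad(C) || [len(A)]64 || [len(C)]64 (lengths in bits) */
void ghash(const uint8_t h[16], const uint8_t *a, size_t alen,
	   const uint8_t *c, size_t clen, uint8_t out[16])
{
	const uint8_t *in[2] = { a, c };
	size_t len[2] = { alen, clen };
	uint8_t lens[16];
	memset(out, 0, 16);
	for (int i = 0; i < 2; i++)
		for (size_t n = 0; len[i]; in[i] += n, len[i] -= n) {
			n = len[i] < 16 ? len[i] : 16;
			ghash_block(h, out, in[i], n);
		}
	for (int j = 0; j < 8; j++)	/* length block: two big-endian 64-bit bit counts */
		lens[j] = ((uint64_t)alen * 8) >> (56 - 8 * j), lens[8 + j] = ((uint64_t)clen * 8) >> (56 - 8 * j);
	ghash_block(h, out, lens, 16);
}

/* SP 800-38D test case 2 (K = 0, IV = 0^96, no AAD, one ciphertext block); returns 1 on match */
int ghash_selftest(void)
{
	static const uint8_t h[16] = { 0x66,0xe9,0x4b,0xd4,0xef,0x8a,0x2c,0x3b,0x88,0x4c,0xfa,0x59,0xca,0x34,0x2b,0x2e };
	static const uint8_t c[16] = { 0x03,0x88,0xda,0xce,0x60,0xb6,0xa3,0x92,0xf3,0x28,0xc2,0xb9,0x71,0xb2,0xfe,0x78 };
	static const uint8_t want[16] = { 0xf3,0x8c,0xbb,0x1a,0xd6,0x92,0x23,0xdc,0xc3,0x45,0x7a,0xe5,0xb6,0xb0,0xf8,0x85 };
	uint8_t got[16];
	ghash(h, NULL, 0, c, 16, got);
	return memcmp(got, want, 16) == 0;
}
```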
# SPDX-License-Identifier: GPL-2.0

menu "Crypto library routines"

config CRYPTO_LIB_UTILS
	tristate

config CRYPTO_LIB_AES
	tristate

config CRYPTO_LIB_AESGCM
	tristate
	select CRYPTO_LIB_AES
	select CRYPTO_LIB_GF128MUL
	select CRYPTO_LIB_UTILS

config CRYPTO_LIB_ARC4
	tristate

config CRYPTO_LIB_GF128MUL
	tristate

config CRYPTO_ARCH_HAVE_LIB_BLAKE2S
	bool
	help
	  Declares whether the architecture provides an arch-specific
	  accelerated implementation of the Blake2s library interface,
	  either builtin or as a module.

config CRYPTO_LIB_BLAKE2S_GENERIC
	def_bool !CRYPTO_ARCH_HAVE_LIB_BLAKE2S
	help
	  This symbol can be depended upon by arch implementations of the
	  Blake2s library interface that require the generic code as a
	  fallback, e.g., for SIMD implementations. If no arch specific
	  implementation is enabled, this implementation serves the users
	  of CRYPTO_LIB_BLAKE2S.

config CRYPTO_ARCH_HAVE_LIB_CHACHA
	tristate
	help
	  Declares whether the architecture provides an arch-specific
	  accelerated implementation of the ChaCha library interface,
	  either builtin or as a module.

config CRYPTO_LIB_CHACHA_GENERIC
	tristate
	select CRYPTO_LIB_UTILS
	help
	  This symbol can be depended upon by arch implementations of the
	  ChaCha library interface that require the generic code as a
	  fallback, e.g., for SIMD implementations. If no arch specific
	  implementation is enabled, this implementation serves the users
	  of CRYPTO_LIB_CHACHA.

config CRYPTO_LIB_CHACHA
	tristate "ChaCha library interface"
	depends on CRYPTO_ARCH_HAVE_LIB_CHACHA || !CRYPTO_ARCH_HAVE_LIB_CHACHA
	select CRYPTO_LIB_CHACHA_GENERIC if CRYPTO_ARCH_HAVE_LIB_CHACHA=n
	help
	  Enable the ChaCha library interface. This interface may be fulfilled
	  by either the generic implementation or an arch-specific one, if one
	  is available and enabled.

config CRYPTO_ARCH_HAVE_LIB_CURVE25519
	tristate
	help
	  Declares whether the architecture provides an arch-specific
	  accelerated implementation of the Curve25519 library interface,
	  either builtin or as a module.

config CRYPTO_LIB_CURVE25519_GENERIC
	tristate
	help
	  This symbol can be depended upon by arch implementations of the
	  Curve25519 library interface that require the generic code as a
	  fallback, e.g., for SIMD implementations. If no arch specific
	  implementation is enabled, this implementation serves the users
	  of CRYPTO_LIB_CURVE25519.

config CRYPTO_LIB_CURVE25519
	tristate "Curve25519 scalar multiplication library"
	depends on CRYPTO_ARCH_HAVE_LIB_CURVE25519 || !CRYPTO_ARCH_HAVE_LIB_CURVE25519
	select CRYPTO_LIB_CURVE25519_GENERIC if CRYPTO_ARCH_HAVE_LIB_CURVE25519=n
	select CRYPTO_LIB_UTILS
	help
	  Enable the Curve25519 library interface. This interface may be
	  fulfilled by either the generic implementation or an arch-specific
	  one, if one is available and enabled.

config CRYPTO_LIB_DES
	tristate

config CRYPTO_LIB_POLY1305_RSIZE
	int
	default 2 if MIPS
	default 11 if X86_64
	default 9 if ARM || ARM64
	default 1

config CRYPTO_ARCH_HAVE_LIB_POLY1305
	tristate
	help
	  Declares whether the architecture provides an arch-specific
	  accelerated implementation of the Poly1305 library interface,
	  either builtin or as a module.

config CRYPTO_LIB_POLY1305_GENERIC
	tristate
	help
	  This symbol can be depended upon by arch implementations of the
	  Poly1305 library interface that require the generic code as a
	  fallback, e.g., for SIMD implementations. If no arch specific
	  implementation is enabled, this implementation serves the users
	  of CRYPTO_LIB_POLY1305.

config CRYPTO_LIB_POLY1305
	tristate "Poly1305 library interface"
	depends on CRYPTO_ARCH_HAVE_LIB_POLY1305 || !CRYPTO_ARCH_HAVE_LIB_POLY1305
	select CRYPTO_LIB_POLY1305_GENERIC if CRYPTO_ARCH_HAVE_LIB_POLY1305=n
	help
	  Enable the Poly1305 library interface. This interface may be fulfilled
	  by either the generic implementation or an arch-specific one, if one
	  is available and enabled.

config CRYPTO_LIB_CHACHA20POLY1305
	tristate "ChaCha20-Poly1305 AEAD support (8-byte nonce library version)"
	depends on CRYPTO_ARCH_HAVE_LIB_CHACHA || !CRYPTO_ARCH_HAVE_LIB_CHACHA
	depends on CRYPTO_ARCH_HAVE_LIB_POLY1305 || !CRYPTO_ARCH_HAVE_LIB_POLY1305
	depends on CRYPTO
	select CRYPTO_LIB_CHACHA
	select CRYPTO_LIB_POLY1305
	select CRYPTO_ALGAPI

config CRYPTO_LIB_SHA1
	tristate

config CRYPTO_LIB_SHA256
	tristate

endmenu