Home
last modified time | relevance | path

Searched hist:"89 fb00f245681d0c951cd889d3d165cf9959d70c" (Results 1 – 2 of 2) sorted by relevance

/linux/drivers/crypto/allwinner/sun4i-ss/
H A Dsun4i-ss.hdiff 89fb00f245681d0c951cd889d3d165cf9959d70c Tue Jul 07 08:31:54 CEST 2020 Ard Biesheuvel <ardb@kernel.org> crypto: sun4i - permit asynchronous skcipher as fallback

Even though the sun4i driver implements asynchronous versions of ecb(aes)
and cbc(aes), the fallbacks it allocates are required to be synchronous.
Given that SIMD based software implementations are usually asynchronous
as well, even though they rarely complete asynchronously (this typically
only happens in cases where the request was made from softirq context,
while SIMD was already in use in the task context that it interrupted),
these implementations are disregarded, and either the generic C version
or another table based version implemented in assembler is selected
instead.

Since falling back to synchronous AES is not only a performance issue, but
potentially a security issue as well (due to the fact that table based AES
is not time invariant), let's fix this, by allocating an ordinary skcipher
as the fallback, and invoke it with the completion routine that was given
to the outer request.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Tested-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
H A Dsun4i-ss-cipher.cdiff 89fb00f245681d0c951cd889d3d165cf9959d70c Tue Jul 07 08:31:54 CEST 2020 Ard Biesheuvel <ardb@kernel.org> crypto: sun4i - permit asynchronous skcipher as fallback

Even though the sun4i driver implements asynchronous versions of ecb(aes)
and cbc(aes), the fallbacks it allocates are required to be synchronous.
Given that SIMD based software implementations are usually asynchronous
as well, even though they rarely complete asynchronously (this typically
only happens in cases where the request was made from softirq context,
while SIMD was already in use in the task context that it interrupted),
these implementations are disregarded, and either the generic C version
or another table based version implemented in assembler is selected
instead.

Since falling back to synchronous AES is not only a performance issue, but
potentially a security issue as well (due to the fact that table based AES
is not time invariant), let's fix this, by allocating an ordinary skcipher
as the fallback, and invoke it with the completion routine that was given
to the outer request.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Tested-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>