1b2441318SGreg Kroah-Hartman# SPDX-License-Identifier: GPL-2.0 2652ccae5SArd Biesheuvel 34a329fecSRobert Elliottmenu "Accelerated Cryptographic Algorithms for CPU (arm)" 4652ccae5SArd Biesheuvel 54a95d4aeSRobert Elliottconfig CRYPTO_GHASH_ARM_CE 63f342a23SRobert Elliott tristate "Hash functions: GHASH (PMULL/NEON/ARMv8 Crypto Extensions)" 74a95d4aeSRobert Elliott depends on KERNEL_MODE_NEON 8b575b5a1SArd Biesheuvel select CRYPTO_AEAD 94a95d4aeSRobert Elliott select CRYPTO_HASH 104a95d4aeSRobert Elliott select CRYPTO_CRYPTD 11b575b5a1SArd Biesheuvel select CRYPTO_LIB_AES 1261c581a4SArd Biesheuvel select CRYPTO_LIB_GF128MUL 134a95d4aeSRobert Elliott help 143f342a23SRobert Elliott GCM GHASH function (NIST SP800-38D) 153f342a23SRobert Elliott 163f342a23SRobert Elliott Architecture: arm using 173f342a23SRobert Elliott - PMULL (Polynomial Multiply Long) instructions 183f342a23SRobert Elliott - NEON (Advanced SIMD) extensions 193f342a23SRobert Elliott - ARMv8 Crypto Extensions 203f342a23SRobert Elliott 214a95d4aeSRobert Elliott Use an implementation of GHASH (used by the GCM AEAD chaining mode) 224a95d4aeSRobert Elliott that uses the 64x64 to 128 bit polynomial multiplication (vmull.p64) 234a95d4aeSRobert Elliott that is part of the ARMv8 Crypto Extensions, or a slower variant that 244a95d4aeSRobert Elliott uses the vmull.p8 instruction that is part of the basic NEON ISA. 254a95d4aeSRobert Elliott 264a95d4aeSRobert Elliottconfig CRYPTO_NHPOLY1305_NEON 273f342a23SRobert Elliott tristate "Hash functions: NHPoly1305 (NEON)" 284a95d4aeSRobert Elliott depends on KERNEL_MODE_NEON 294a95d4aeSRobert Elliott select CRYPTO_NHPOLY1305 303f342a23SRobert Elliott help 313f342a23SRobert Elliott NHPoly1305 hash function (Adiantum) 323f342a23SRobert Elliott 333f342a23SRobert Elliott Architecture: arm using: 343f342a23SRobert Elliott - NEON (Advanced SIMD) extensions 354a95d4aeSRobert Elliott 36652ccae5SArd Biesheuvelconfig CRYPTO_AES_ARM 37cf514b2aSRobert Elliott tristate "Ciphers: AES" 38652ccae5SArd Biesheuvel select CRYPTO_ALGAPI 39652ccae5SArd Biesheuvel select CRYPTO_AES 40652ccae5SArd Biesheuvel help 41cf514b2aSRobert Elliott Block ciphers: AES cipher algorithms (FIPS-197) 42cf514b2aSRobert Elliott 43cf514b2aSRobert Elliott Architecture: arm 44652ccae5SArd Biesheuvel 45913a3aa0SEric Biggers On ARM processors without the Crypto Extensions, this is the 46913a3aa0SEric Biggers fastest AES implementation for single blocks. For multiple 47913a3aa0SEric Biggers blocks, the NEON bit-sliced implementation is usually faster. 48913a3aa0SEric Biggers 49913a3aa0SEric Biggers This implementation may be vulnerable to cache timing attacks, 50913a3aa0SEric Biggers since it uses lookup tables. However, as countermeasures it 51913a3aa0SEric Biggers disables IRQs and preloads the tables; it is hoped this makes 52913a3aa0SEric Biggers such attacks very difficult. 53913a3aa0SEric Biggers 54652ccae5SArd Biesheuvelconfig CRYPTO_AES_ARM_BS 55cf514b2aSRobert Elliott tristate "Ciphers: AES, modes: ECB/CBC/CTR/XTS (bit-sliced NEON)" 56652ccae5SArd Biesheuvel depends on KERNEL_MODE_NEON 57*f235bc11SEric Biggers select CRYPTO_AES_ARM 58b95bba5dSEric Biggers select CRYPTO_SKCIPHER 59aa6e2d2bSArd Biesheuvel select CRYPTO_LIB_AES 60652ccae5SArd Biesheuvel help 61cf514b2aSRobert Elliott Length-preserving ciphers: AES cipher algorithms (FIPS-197) 62cf514b2aSRobert Elliott with block cipher modes: 63cf514b2aSRobert Elliott - ECB (Electronic Codebook) mode (NIST SP800-38A) 64cf514b2aSRobert Elliott - CBC (Cipher Block Chaining) mode (NIST SP800-38A) 65cf514b2aSRobert Elliott - CTR (Counter) mode (NIST SP800-38A) 66cf514b2aSRobert Elliott - XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E 67cf514b2aSRobert Elliott and IEEE 1619) 68652ccae5SArd Biesheuvel 69652ccae5SArd Biesheuvel Bit sliced AES gives around 45% speedup on Cortex-A15 for CTR mode 70652ccae5SArd Biesheuvel and for XTS mode encryption, CBC and XTS mode decryption speedup is 71652ccae5SArd Biesheuvel around 25%. (CBC encryption speed is not affected by this driver.) 72*f235bc11SEric Biggers 73*f235bc11SEric Biggers The bit sliced AES code does not use lookup tables, so it is believed 74*f235bc11SEric Biggers to be invulnerable to cache timing attacks. However, since the bit 75*f235bc11SEric Biggers sliced AES code cannot process single blocks efficiently, in certain 76*f235bc11SEric Biggers cases table-based code with some countermeasures against cache timing 77*f235bc11SEric Biggers attacks will still be used as a fallback method; specifically CBC 78*f235bc11SEric Biggers encryption (not CBC decryption), the encryption of XTS tweaks, XTS 79*f235bc11SEric Biggers ciphertext stealing when the message isn't a multiple of 16 bytes, and 80*f235bc11SEric Biggers CTR when invoked in a context in which NEON instructions are unusable. 81652ccae5SArd Biesheuvel 8286464859SArd Biesheuvelconfig CRYPTO_AES_ARM_CE 83cf514b2aSRobert Elliott tristate "Ciphers: AES, modes: ECB/CBC/CTS/CTR/XTS (ARMv8 Crypto Extensions)" 845429ef62SWill Deacon depends on KERNEL_MODE_NEON 85b95bba5dSEric Biggers select CRYPTO_SKCIPHER 86f703964fSArd Biesheuvel select CRYPTO_LIB_AES 8786464859SArd Biesheuvel help 88cf514b2aSRobert Elliott Length-preserving ciphers: AES cipher algorithms (FIPS-197) 89cf514b2aSRobert Elliott with block cipher modes: 90cf514b2aSRobert Elliott - ECB (Electronic Codebook) mode (NIST SP800-38A) 91cf514b2aSRobert Elliott - CBC (Cipher Block Chaining) mode (NIST SP800-38A) 92cf514b2aSRobert Elliott - CTR (Counter) mode (NIST SP800-38A) 93cf514b2aSRobert Elliott - CTS (Cipher Text Stealing) mode (NIST SP800-38A) 94cf514b2aSRobert Elliott - XTS (XOR Encrypt XOR with ciphertext stealing) mode (NIST SP800-38E 95cf514b2aSRobert Elliott and IEEE 1619) 96cf514b2aSRobert Elliott 97cf514b2aSRobert Elliott Architecture: arm using: 98cf514b2aSRobert Elliott - ARMv8 Crypto Extensions 9986464859SArd Biesheuvel 1004a329fecSRobert Elliottendmenu 1014a95d4aeSRobert Elliott 102