| Message ID | 20221103192259.2229-1-ardb@kernel.org (mailing list archive) |
|---|---|
| Headers | show |
| Series | crypto: Add AES-GCM implementation to lib/crypto | expand |
On Thu, Nov 03, 2022 at 08:22:56PM +0100, Ard Biesheuvel wrote: > Provide a generic library implementation of AES-GCM which can be used > really early during boot, e.g., to communicate with the security > coprocessor on SEV-SNP virtual machines to bring up secondary cores. > This is needed because the crypto API is not available yet this early. > > We cannot rely on special instructions for AES or polynomial > multiplication, which are arch specific and rely on in-kernel SIMD > infrastructure. Instead, add a generic C implementation that combines > the existing C implementations of AES and multiplication in GF(2^128). > > To reduce the risk of forgery attacks, replace data dependent table > lookups and conditional branches in the used gf128mul routine with > constant-time equivalents. The AES library has already been robustified > to some extent to prevent known-plaintext timing attacks on the key, but > we call it with interrupts disabled to make it a bit more robust. (Note > that in SEV-SNP context, the VMM is untrusted, and is able to inject > interrupts arbitrarily, and potentially maliciously.) > > Changes since v4: > - Rename CONFIG_CRYPTO_GF128MUL to CONFIG_CRYPTO_LIB_GF128MUL > - Use bool return value for decrypt routine to align with other AEAD > library code > - Return -ENODEV on selftest failure to align with other algos > - Use pr_err() not WARN() on selftest failure for the same reason > - Mention in a code comment that the counter cannot roll over or result > in a carry due to the width of the type representing the size of the > input > > Changes since v3: > - rename GCM-AES to AES-GCM > > Changes since v2: > - move gf128mul to lib/crypto > - add patch #2 to make gf128mul_lle constant time > - fix kerneldoc headers and drop them from the .h file > > Changes since v1: > - rename gcm to gcmaes to reflect that GCM is also used in > combination with other symmetric ciphers (Jason) > - add Nikunj's Tested-by > > Cc: Eric Biggers <ebiggers@kernel.org> > Cc: Robert Elliott <elliott@hpe.com> > Cc: Jason A. Donenfeld <Jason@zx2c4.com> > Cc: Nikunj A Dadhania <nikunj@amd.com> > > Ard Biesheuvel (3): > crypto: move gf128mul library into lib/crypto > crypto: gf128mul - make gf128mul_lle time invariant > crypto: aesgcm - Provide minimal library implementation > > arch/arm/crypto/Kconfig | 2 +- > arch/arm64/crypto/Kconfig | 2 +- > crypto/Kconfig | 9 +- > crypto/Makefile | 1 - > drivers/crypto/chelsio/Kconfig | 2 +- > include/crypto/gcm.h | 22 + > lib/crypto/Kconfig | 9 + > lib/crypto/Makefile | 5 + > lib/crypto/aesgcm.c | 727 ++++++++++++++++++++ > {crypto => lib/crypto}/gf128mul.c | 58 +- > 10 files changed, 808 insertions(+), 29 deletions(-) > create mode 100644 lib/crypto/aesgcm.c > rename {crypto => lib/crypto}/gf128mul.c (87%) > > -- > 2.35.1 All applied. Thanks.
Provide a generic library implementation of AES-GCM which can be used really early during boot, e.g., to communicate with the security coprocessor on SEV-SNP virtual machines to bring up secondary cores. This is needed because the crypto API is not available yet this early. We cannot rely on special instructions for AES or polynomial multiplication, which are arch specific and rely on in-kernel SIMD infrastructure. Instead, add a generic C implementation that combines the existing C implementations of AES and multiplication in GF(2^128). To reduce the risk of forgery attacks, replace data dependent table lookups and conditional branches in the used gf128mul routine with constant-time equivalents. The AES library has already been robustified to some extent to prevent known-plaintext timing attacks on the key, but we call it with interrupts disabled to make it a bit more robust. (Note that in SEV-SNP context, the VMM is untrusted, and is able to inject interrupts arbitrarily, and potentially maliciously.) Changes since v4: - Rename CONFIG_CRYPTO_GF128MUL to CONFIG_CRYPTO_LIB_GF128MUL - Use bool return value for decrypt routine to align with other AEAD library code - Return -ENODEV on selftest failure to align with other algos - Use pr_err() not WARN() on selftest failure for the same reason - Mention in a code comment that the counter cannot roll over or result in a carry due to the width of the type representing the size of the input Changes since v3: - rename GCM-AES to AES-GCM Changes since v2: - move gf128mul to lib/crypto - add patch #2 to make gf128mul_lle constant time - fix kerneldoc headers and drop them from the .h file Changes since v1: - rename gcm to gcmaes to reflect that GCM is also used in combination with other symmetric ciphers (Jason) - add Nikunj's Tested-by Cc: Eric Biggers <ebiggers@kernel.org> Cc: Robert Elliott <elliott@hpe.com> Cc: Jason A. Donenfeld <Jason@zx2c4.com> Cc: Nikunj A Dadhania <nikunj@amd.com> Ard Biesheuvel (3): crypto: move gf128mul library into lib/crypto crypto: gf128mul - make gf128mul_lle time invariant crypto: aesgcm - Provide minimal library implementation arch/arm/crypto/Kconfig | 2 +- arch/arm64/crypto/Kconfig | 2 +- crypto/Kconfig | 9 +- crypto/Makefile | 1 - drivers/crypto/chelsio/Kconfig | 2 +- include/crypto/gcm.h | 22 + lib/crypto/Kconfig | 9 + lib/crypto/Makefile | 5 + lib/crypto/aesgcm.c | 727 ++++++++++++++++++++ {crypto => lib/crypto}/gf128mul.c | 58 +- 10 files changed, 808 insertions(+), 29 deletions(-) create mode 100644 lib/crypto/aesgcm.c rename {crypto => lib/crypto}/gf128mul.c (87%)