| Message ID | 20230216201410.15010-2-James.Bottomley@HansenPartnership.com (mailing list archive) |
|---|---|
| State | New |
| Headers | show |
| Series | add integrity and security to TPM2 transactions | expand |
On Thu, Feb 16, 2023 at 03:13:59PM -0500, James Bottomley wrote: > From: Ard Biesheuvel <ardb@kernel.org> > > Implement AES in CFB mode using the existing, mostly constant-time > generic AES library implementation. > > Signed-off-by: Ard Biesheuvel <ardb@kernel.org> > Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com> > --- > include/crypto/aes.h | 5 +++ > lib/crypto/Kconfig | 5 +++ > lib/crypto/Makefile | 3 ++ > lib/crypto/aescfb.c | 75 ++++++++++++++++++++++++++++++++++++++++++++ > 4 files changed, 88 insertions(+) > create mode 100644 lib/crypto/aescfb.c > > diff --git a/include/crypto/aes.h b/include/crypto/aes.h > index 2090729701ab..7b9e1df1ccb0 100644 > --- a/include/crypto/aes.h > +++ b/include/crypto/aes.h > @@ -87,4 +87,9 @@ void aes_decrypt(const struct crypto_aes_ctx *ctx, u8 *out, const u8 *in); > extern const u8 crypto_aes_sbox[]; > extern const u8 crypto_aes_inv_sbox[]; > > +void aescfb_encrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, > + int len, const u8 *iv); > +void aescfb_decrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, > + int len, const u8 *iv); > + > #endif > diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig > index 45436bfc6dff..b01253cac70a 100644 > --- a/lib/crypto/Kconfig > +++ b/lib/crypto/Kconfig > @@ -8,6 +8,11 @@ config CRYPTO_LIB_UTILS > config CRYPTO_LIB_AES > tristate > > +config CRYPTO_LIB_AESCFB > + tristate > + select CRYPTO_LIB_AES > + select CRYPTO_LIB_UTILS > + > config CRYPTO_LIB_AESGCM > tristate > select CRYPTO_LIB_AES > diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile > index 6ec2d4543d9c..33213a01aab1 100644 > --- a/lib/crypto/Makefile > +++ b/lib/crypto/Makefile > @@ -10,6 +10,9 @@ obj-$(CONFIG_CRYPTO_LIB_CHACHA_GENERIC) += libchacha.o > obj-$(CONFIG_CRYPTO_LIB_AES) += libaes.o > libaes-y := aes.o > > +obj-$(CONFIG_CRYPTO_LIB_AESCFB) += libaescfb.o > +libaescfb-y := aescfb.o > + > obj-$(CONFIG_CRYPTO_LIB_AESGCM) += libaesgcm.o > libaesgcm-y := aesgcm.o > > diff --git a/lib/crypto/aescfb.c b/lib/crypto/aescfb.c > new file mode 100644 > index 000000000000..e9de1c6d874a > --- /dev/null > +++ b/lib/crypto/aescfb.c > @@ -0,0 +1,75 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * Minimal library implementation of AES in CFB mode > + * > + * Copyright 2023 Google LLC > + */ > + > +#include <linux/module.h> > + > +#include <crypto/algapi.h> > +#include <crypto/aes.h> > + > +#include <asm/irqflags.h> I'd remove the newlines in-between. > + > +static void aescfb_encrypt_block(const struct crypto_aes_ctx *ctx, void *dst, > + const void *src) > +{ > + unsigned long flags; > + > + /* > + * In AES-CFB, the AES encryption operates on known 'plaintext' (the IV > + * and ciphertext), making it susceptible to timing attacks on the > + * encryption key. The AES library already mitigates this risk to some > + * extent by pulling the entire S-box into the caches before doing any > + * substitutions, but this strategy is more effective when running with > + * interrupts disabled. > + */ > + local_irq_save(flags); > + aes_encrypt(ctx, dst, src); > + local_irq_restore(flags); > +} > + > +void aescfb_encrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, > + int len, const u8 *iv) > +{ > + while (len > 0) { > + u8 ks[AES_BLOCK_SIZE]; > + > + aescfb_encrypt_block(ctx, ks, iv); > + crypto_xor_cpy(dst, src, ks, min(len, AES_BLOCK_SIZE)); > + iv = dst; > + > + dst += AES_BLOCK_SIZE; > + src += AES_BLOCK_SIZE; > + len -= AES_BLOCK_SIZE; > + } > +} > + > +void aescfb_decrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, > + int len, const u8 *iv) > +{ > + u8 ks[2][AES_BLOCK_SIZE]; > + > + aescfb_encrypt_block(ctx, ks[0], iv); > + > + for (int i = 0; len > 0; i ^= 1) { > + if (len > AES_BLOCK_SIZE) > + /* > + * Generate the keystream for the next block before > + * performing the XOR, as that may update in place and > + * overwrite the ciphertext. > + */ > + aescfb_encrypt_block(ctx, ks[!i], src); > + > + crypto_xor_cpy(dst, src, ks[i], min(len, AES_BLOCK_SIZE)); > + > + dst += AES_BLOCK_SIZE; > + src += AES_BLOCK_SIZE; > + len -= AES_BLOCK_SIZE; > + } > +} > + > +MODULE_DESCRIPTION("Generic AES-CFB library"); > +MODULE_AUTHOR("Ard Biesheuvel <ardb@kernel.org>"); > +MODULE_LICENSE("GPL"); > -- > 2.35.3 > Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> BR, Jarkko
diff --git a/include/crypto/aes.h b/include/crypto/aes.h index 2090729701ab..7b9e1df1ccb0 100644 --- a/include/crypto/aes.h +++ b/include/crypto/aes.h @@ -87,4 +87,9 @@ void aes_decrypt(const struct crypto_aes_ctx *ctx, u8 *out, const u8 *in); extern const u8 crypto_aes_sbox[]; extern const u8 crypto_aes_inv_sbox[]; +void aescfb_encrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, + int len, const u8 *iv); +void aescfb_decrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, + int len, const u8 *iv); + #endif diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig index 45436bfc6dff..b01253cac70a 100644 --- a/lib/crypto/Kconfig +++ b/lib/crypto/Kconfig @@ -8,6 +8,11 @@ config CRYPTO_LIB_UTILS config CRYPTO_LIB_AES tristate +config CRYPTO_LIB_AESCFB + tristate + select CRYPTO_LIB_AES + select CRYPTO_LIB_UTILS + config CRYPTO_LIB_AESGCM tristate select CRYPTO_LIB_AES diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile index 6ec2d4543d9c..33213a01aab1 100644 --- a/lib/crypto/Makefile +++ b/lib/crypto/Makefile @@ -10,6 +10,9 @@ obj-$(CONFIG_CRYPTO_LIB_CHACHA_GENERIC) += libchacha.o obj-$(CONFIG_CRYPTO_LIB_AES) += libaes.o libaes-y := aes.o +obj-$(CONFIG_CRYPTO_LIB_AESCFB) += libaescfb.o +libaescfb-y := aescfb.o + obj-$(CONFIG_CRYPTO_LIB_AESGCM) += libaesgcm.o libaesgcm-y := aesgcm.o diff --git a/lib/crypto/aescfb.c b/lib/crypto/aescfb.c new file mode 100644 index 000000000000..e9de1c6d874a --- /dev/null +++ b/lib/crypto/aescfb.c @@ -0,0 +1,75 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Minimal library implementation of AES in CFB mode + * + * Copyright 2023 Google LLC + */ + +#include <linux/module.h> + +#include <crypto/algapi.h> +#include <crypto/aes.h> + +#include <asm/irqflags.h> + +static void aescfb_encrypt_block(const struct crypto_aes_ctx *ctx, void *dst, + const void *src) +{ + unsigned long flags; + + /* + * In AES-CFB, the AES encryption operates on known 'plaintext' (the IV + * and ciphertext), making it susceptible to timing attacks on the + * encryption key. The AES library already mitigates this risk to some + * extent by pulling the entire S-box into the caches before doing any + * substitutions, but this strategy is more effective when running with + * interrupts disabled. + */ + local_irq_save(flags); + aes_encrypt(ctx, dst, src); + local_irq_restore(flags); +} + +void aescfb_encrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, + int len, const u8 *iv) +{ + while (len > 0) { + u8 ks[AES_BLOCK_SIZE]; + + aescfb_encrypt_block(ctx, ks, iv); + crypto_xor_cpy(dst, src, ks, min(len, AES_BLOCK_SIZE)); + iv = dst; + + dst += AES_BLOCK_SIZE; + src += AES_BLOCK_SIZE; + len -= AES_BLOCK_SIZE; + } +} + +void aescfb_decrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, + int len, const u8 *iv) +{ + u8 ks[2][AES_BLOCK_SIZE]; + + aescfb_encrypt_block(ctx, ks[0], iv); + + for (int i = 0; len > 0; i ^= 1) { + if (len > AES_BLOCK_SIZE) + /* + * Generate the keystream for the next block before + * performing the XOR, as that may update in place and + * overwrite the ciphertext. + */ + aescfb_encrypt_block(ctx, ks[!i], src); + + crypto_xor_cpy(dst, src, ks[i], min(len, AES_BLOCK_SIZE)); + + dst += AES_BLOCK_SIZE; + src += AES_BLOCK_SIZE; + len -= AES_BLOCK_SIZE; + } +} + +MODULE_DESCRIPTION("Generic AES-CFB library"); +MODULE_AUTHOR("Ard Biesheuvel <ardb@kernel.org>"); +MODULE_LICENSE("GPL");