diff mbox series

[01/12] crypto: lib - implement library version of AES in CFB mode

Message ID 20230216201410.15010-2-James.Bottomley@HansenPartnership.com (mailing list archive)
State New
Headers show
Series add integrity and security to TPM2 transactions | expand

Commit Message

James Bottomley Feb. 16, 2023, 8:13 p.m. UTC
From: Ard Biesheuvel <ardb@kernel.org>

Implement AES in CFB mode using the existing, mostly constant-time
generic AES library implementation.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
---
 include/crypto/aes.h |  5 +++
 lib/crypto/Kconfig   |  5 +++
 lib/crypto/Makefile  |  3 ++
 lib/crypto/aescfb.c  | 75 ++++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 88 insertions(+)
 create mode 100644 lib/crypto/aescfb.c

Comments

Jarkko Sakkinen Feb. 27, 2023, 7:47 a.m. UTC | #1
On Thu, Feb 16, 2023 at 03:13:59PM -0500, James Bottomley wrote:
> From: Ard Biesheuvel <ardb@kernel.org>
> 
> Implement AES in CFB mode using the existing, mostly constant-time
> generic AES library implementation.
> 
> Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
> Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
> ---
>  include/crypto/aes.h |  5 +++
>  lib/crypto/Kconfig   |  5 +++
>  lib/crypto/Makefile  |  3 ++
>  lib/crypto/aescfb.c  | 75 ++++++++++++++++++++++++++++++++++++++++++++
>  4 files changed, 88 insertions(+)
>  create mode 100644 lib/crypto/aescfb.c
> 
> diff --git a/include/crypto/aes.h b/include/crypto/aes.h
> index 2090729701ab..7b9e1df1ccb0 100644
> --- a/include/crypto/aes.h
> +++ b/include/crypto/aes.h
> @@ -87,4 +87,9 @@ void aes_decrypt(const struct crypto_aes_ctx *ctx, u8 *out, const u8 *in);
>  extern const u8 crypto_aes_sbox[];
>  extern const u8 crypto_aes_inv_sbox[];
>  
> +void aescfb_encrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src,
> +		    int len, const u8 *iv);
> +void aescfb_decrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src,
> +		    int len, const u8 *iv);
> +
>  #endif
> diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig
> index 45436bfc6dff..b01253cac70a 100644
> --- a/lib/crypto/Kconfig
> +++ b/lib/crypto/Kconfig
> @@ -8,6 +8,11 @@ config CRYPTO_LIB_UTILS
>  config CRYPTO_LIB_AES
>  	tristate
>  
> +config CRYPTO_LIB_AESCFB
> +	tristate
> +	select CRYPTO_LIB_AES
> +	select CRYPTO_LIB_UTILS
> +
>  config CRYPTO_LIB_AESGCM
>  	tristate
>  	select CRYPTO_LIB_AES
> diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
> index 6ec2d4543d9c..33213a01aab1 100644
> --- a/lib/crypto/Makefile
> +++ b/lib/crypto/Makefile
> @@ -10,6 +10,9 @@ obj-$(CONFIG_CRYPTO_LIB_CHACHA_GENERIC)		+= libchacha.o
>  obj-$(CONFIG_CRYPTO_LIB_AES)			+= libaes.o
>  libaes-y					:= aes.o
>  
> +obj-$(CONFIG_CRYPTO_LIB_AESCFB)			+= libaescfb.o
> +libaescfb-y					:= aescfb.o
> +
>  obj-$(CONFIG_CRYPTO_LIB_AESGCM)			+= libaesgcm.o
>  libaesgcm-y					:= aesgcm.o
>  
> diff --git a/lib/crypto/aescfb.c b/lib/crypto/aescfb.c
> new file mode 100644
> index 000000000000..e9de1c6d874a
> --- /dev/null
> +++ b/lib/crypto/aescfb.c
> @@ -0,0 +1,75 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Minimal library implementation of AES in CFB mode
> + *
> + * Copyright 2023 Google LLC
> + */
> +
> +#include <linux/module.h>
> +
> +#include <crypto/algapi.h>
> +#include <crypto/aes.h>
> +
> +#include <asm/irqflags.h>

I'd remove the newlines in-between.

> +
> +static void aescfb_encrypt_block(const struct crypto_aes_ctx *ctx, void *dst,
> +				 const void *src)
> +{
> +	unsigned long flags;
> +
> +	/*
> +	 * In AES-CFB, the AES encryption operates on known 'plaintext' (the IV
> +	 * and ciphertext), making it susceptible to timing attacks on the
> +	 * encryption key. The AES library already mitigates this risk to some
> +	 * extent by pulling the entire S-box into the caches before doing any
> +	 * substitutions, but this strategy is more effective when running with
> +	 * interrupts disabled.
> +	 */
> +	local_irq_save(flags);
> +	aes_encrypt(ctx, dst, src);
> +	local_irq_restore(flags);
> +}
> +
> +void aescfb_encrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src,
> +		    int len, const u8 *iv)
> +{
> +	while (len > 0) {
> +		u8 ks[AES_BLOCK_SIZE];
> +
> +		aescfb_encrypt_block(ctx, ks, iv);
> +		crypto_xor_cpy(dst, src, ks, min(len, AES_BLOCK_SIZE));
> +		iv = dst;
> +
> +		dst += AES_BLOCK_SIZE;
> +		src += AES_BLOCK_SIZE;
> +		len -= AES_BLOCK_SIZE;
> +	}
> +}
> +
> +void aescfb_decrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src,
> +		    int len, const u8 *iv)
> +{
> +	u8 ks[2][AES_BLOCK_SIZE];
> +
> +	aescfb_encrypt_block(ctx, ks[0], iv);
> +
> +	for (int i = 0; len > 0; i ^= 1) {
> +		if (len > AES_BLOCK_SIZE)
> +			/*
> +			 * Generate the keystream for the next block before
> +			 * performing the XOR, as that may update in place and
> +			 * overwrite the ciphertext.
> +			 */
> +			aescfb_encrypt_block(ctx, ks[!i], src);
> +
> +		crypto_xor_cpy(dst, src, ks[i], min(len, AES_BLOCK_SIZE));
> +
> +		dst += AES_BLOCK_SIZE;
> +		src += AES_BLOCK_SIZE;
> +		len -= AES_BLOCK_SIZE;
> +	}
> +}
> +
> +MODULE_DESCRIPTION("Generic AES-CFB library");
> +MODULE_AUTHOR("Ard Biesheuvel <ardb@kernel.org>");
> +MODULE_LICENSE("GPL");
> -- 
> 2.35.3
> 

Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>

BR, Jarkko
diff mbox series

Patch

diff --git a/include/crypto/aes.h b/include/crypto/aes.h
index 2090729701ab..7b9e1df1ccb0 100644
--- a/include/crypto/aes.h
+++ b/include/crypto/aes.h
@@ -87,4 +87,9 @@  void aes_decrypt(const struct crypto_aes_ctx *ctx, u8 *out, const u8 *in);
 extern const u8 crypto_aes_sbox[];
 extern const u8 crypto_aes_inv_sbox[];
 
+void aescfb_encrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src,
+		    int len, const u8 *iv);
+void aescfb_decrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src,
+		    int len, const u8 *iv);
+
 #endif
diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig
index 45436bfc6dff..b01253cac70a 100644
--- a/lib/crypto/Kconfig
+++ b/lib/crypto/Kconfig
@@ -8,6 +8,11 @@  config CRYPTO_LIB_UTILS
 config CRYPTO_LIB_AES
 	tristate
 
+config CRYPTO_LIB_AESCFB
+	tristate
+	select CRYPTO_LIB_AES
+	select CRYPTO_LIB_UTILS
+
 config CRYPTO_LIB_AESGCM
 	tristate
 	select CRYPTO_LIB_AES
diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 6ec2d4543d9c..33213a01aab1 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -10,6 +10,9 @@  obj-$(CONFIG_CRYPTO_LIB_CHACHA_GENERIC)		+= libchacha.o
 obj-$(CONFIG_CRYPTO_LIB_AES)			+= libaes.o
 libaes-y					:= aes.o
 
+obj-$(CONFIG_CRYPTO_LIB_AESCFB)			+= libaescfb.o
+libaescfb-y					:= aescfb.o
+
 obj-$(CONFIG_CRYPTO_LIB_AESGCM)			+= libaesgcm.o
 libaesgcm-y					:= aesgcm.o
 
diff --git a/lib/crypto/aescfb.c b/lib/crypto/aescfb.c
new file mode 100644
index 000000000000..e9de1c6d874a
--- /dev/null
+++ b/lib/crypto/aescfb.c
@@ -0,0 +1,75 @@ 
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Minimal library implementation of AES in CFB mode
+ *
+ * Copyright 2023 Google LLC
+ */
+
+#include <linux/module.h>
+
+#include <crypto/algapi.h>
+#include <crypto/aes.h>
+
+#include <asm/irqflags.h>
+
+static void aescfb_encrypt_block(const struct crypto_aes_ctx *ctx, void *dst,
+				 const void *src)
+{
+	unsigned long flags;
+
+	/*
+	 * In AES-CFB, the AES encryption operates on known 'plaintext' (the IV
+	 * and ciphertext), making it susceptible to timing attacks on the
+	 * encryption key. The AES library already mitigates this risk to some
+	 * extent by pulling the entire S-box into the caches before doing any
+	 * substitutions, but this strategy is more effective when running with
+	 * interrupts disabled.
+	 */
+	local_irq_save(flags);
+	aes_encrypt(ctx, dst, src);
+	local_irq_restore(flags);
+}
+
+void aescfb_encrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src,
+		    int len, const u8 *iv)
+{
+	while (len > 0) {
+		u8 ks[AES_BLOCK_SIZE];
+
+		aescfb_encrypt_block(ctx, ks, iv);
+		crypto_xor_cpy(dst, src, ks, min(len, AES_BLOCK_SIZE));
+		iv = dst;
+
+		dst += AES_BLOCK_SIZE;
+		src += AES_BLOCK_SIZE;
+		len -= AES_BLOCK_SIZE;
+	}
+}
+
+void aescfb_decrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src,
+		    int len, const u8 *iv)
+{
+	u8 ks[2][AES_BLOCK_SIZE];
+
+	aescfb_encrypt_block(ctx, ks[0], iv);
+
+	for (int i = 0; len > 0; i ^= 1) {
+		if (len > AES_BLOCK_SIZE)
+			/*
+			 * Generate the keystream for the next block before
+			 * performing the XOR, as that may update in place and
+			 * overwrite the ciphertext.
+			 */
+			aescfb_encrypt_block(ctx, ks[!i], src);
+
+		crypto_xor_cpy(dst, src, ks[i], min(len, AES_BLOCK_SIZE));
+
+		dst += AES_BLOCK_SIZE;
+		src += AES_BLOCK_SIZE;
+		len -= AES_BLOCK_SIZE;
+	}
+}
+
+MODULE_DESCRIPTION("Generic AES-CFB library");
+MODULE_AUTHOR("Ard Biesheuvel <ardb@kernel.org>");
+MODULE_LICENSE("GPL");