From: Nathan Huckleberry <nhuck@google.com>
Date: Mon, 24 Jan 2022 19:44:15 -0600
Subject: [RFC PATCH 0/7] crypto: HCTR2 support
To: linux-crypto@vger.kernel.org
Cc: Herbert Xu, "David S. Miller", linux-arm-kernel@lists.infradead.org, Paul Crowley, Eric Biggers, Sami Tolvanen, Nathan Huckleberry
Message-Id: <20220125014422.80552-1-nhuck@google.com>

HCTR2 is a length-preserving encryption mode that is efficient on
processors with instructions to accelerate AES and carryless
multiplication, e.g. x86 processors with AES-NI and CLMUL, and ARM
processors with the ARMv8 Crypto Extensions.

HCTR2 is specified in https://ia.cr/2021/1441 "Length-preserving
encryption with HCTR2", which shows that if AES is secure and HCTR2 is
instantiated with AES, then HCTR2 is secure. Reference code and test
vectors are at https://github.com/google/hctr2.

As a length-preserving encryption mode, HCTR2 is suitable for
applications such as storage encryption where ciphertext expansion is
not possible, and thus authenticated encryption cannot be used.
Currently, such applications usually use XTS, or in some cases
Adiantum.

XTS has the disadvantage that it is a narrow-block mode: a bitflip
will only change 16 bytes in the resulting ciphertext or plaintext.
This reveals more information to an attacker than necessary. HCTR2 is
a wide-block mode, so it provides a stronger security property: a
bitflip will change the entire message.

HCTR2 is somewhat similar to Adiantum, which is also a wide-block
mode. However, HCTR2 is designed to take advantage of existing crypto
instructions, while Adiantum targets devices without such hardware
support. Adiantum is also designed with longer messages in mind, while
HCTR2 is designed to be efficient even on short messages.
The first intended use of this mode in the kernel is for the
encryption of filenames, where for efficiency reasons encryption must
be fully deterministic (only one ciphertext for each plaintext) and
the existing CBC solution leaks more information than necessary for
filenames with common prefixes.

HCTR2 uses two passes of an ε-almost-∆-universal hash function called
POLYVAL and one pass of a block cipher mode called XCTR. POLYVAL is a
polynomial hash designed for efficiency on modern processors and was
originally specified for use in AES-GCM-SIV (RFC 8452). XCTR mode is
a variant of CTR mode that is more efficient on little-endian
machines.

This patchset adds HCTR2 to Linux's crypto API, including generic
implementations of XCTR and POLYVAL, hardware accelerated
implementations of XCTR and POLYVAL for both x86-64 and ARM64, and a
templated implementation of HCTR2.

Nathan Huckleberry (7):
  crypto: xctr - Add XCTR support
  crypto: polyval - Add POLYVAL support
  crypto: hctr2 - Add HCTR2 support
  crypto: x86/aesni-xctr: Add accelerated implementation of XCTR
  crypto: arm64/aes-xctr: Add accelerated implementation of XCTR
  crypto: x86/polyval: Add PCLMULQDQ accelerated implementation of POLYVAL
  crypto: arm64/polyval: Add PMULL accelerated implementation of POLYVAL

 arch/arm64/crypto/Kconfig                    |   10 +-
 arch/arm64/crypto/Makefile                   |    3 +
 arch/arm64/crypto/aes-glue.c                 |   70 +-
 arch/arm64/crypto/aes-modes.S                |  128 ++
 arch/arm64/crypto/polyval-ce-core.S          |  317 ++++
 arch/arm64/crypto/polyval-ce-glue.c          |  164 ++
 arch/x86/crypto/Makefile                     |    5 +-
 arch/x86/crypto/aes_xctrby8_avx-x86_64.S     |  529 ++++++
 arch/x86/crypto/aesni-intel_asm.S            |   70 +
 arch/x86/crypto/aesni-intel_glue.c           |   88 +
 arch/x86/crypto/polyval-clmulni-intel_asm.S  |  319 ++++
 arch/x86/crypto/polyval-clmulni-intel_glue.c |  165 ++
 crypto/Kconfig                               |   37 +
 crypto/Makefile                              |    3 +
 crypto/hctr2.c                               |  475 +++++
 crypto/polyval-generic.c                     |  183 ++
 crypto/tcrypt.c                              |   10 +
 crypto/testmgr.c                             |   18 +
 crypto/testmgr.h                             | 1617 ++++++++++++++++++
 crypto/xctr.c                                |  202 +++
 include/crypto/polyval.h                     |   22 +
 include/crypto/xctr.h                        |   19 +
 22 files changed, 4449 insertions(+), 5 deletions(-)
 create mode 100644 arch/arm64/crypto/polyval-ce-core.S
 create mode 100644 arch/arm64/crypto/polyval-ce-glue.c
 create mode 100644 arch/x86/crypto/aes_xctrby8_avx-x86_64.S
 create mode 100644 arch/x86/crypto/polyval-clmulni-intel_asm.S
 create mode 100644 arch/x86/crypto/polyval-clmulni-intel_glue.c
 create mode 100644 crypto/hctr2.c
 create mode 100644 crypto/polyval-generic.c
 create mode 100644 crypto/xctr.c
 create mode 100644 include/crypto/polyval.h
 create mode 100644 include/crypto/xctr.h