| Message ID | 20171117195027.88288-1-ebiggers@google.com (mailing list archive) |
|---|---|
| State | Not Applicable |
| Delegated to: | Herbert Xu |
| Headers | show |
On 17 November 2017 at 19:50, Eric Biggers <ebiggers@google.com> wrote: > Hi, > > I'd like the following patch to be applied to stable for versions > between 4.1 and 4.10 (inclusively). > > This is a minimal fix for a bug where arm32 kernels can use a much > slower implementation of AES than is actually available, potentially > forcing vendors to disable encryption on their devices. > > Min version is 4.1 because that was the first version to include the > aes-ce algorithms. > > Max version is 4.10 because in 4.11, this bug was fixed incidentally as > part of a complete rewrite of the bit-sliced AES implementation. > > ---8<--- > > All the aes-bs (bit-sliced) and aes-ce (cryptographic extensions) > algorithms had a priority of 300. This is undesirable because it means > an aes-bs algorithm may be used when an aes-ce algorithm is available. > The aes-ce algorithms have much better performance (up to 10x faster). > I'd say up to 20x is more accurate. > Fix it by decreasing the priority of the aes-bs algorithms to 250. > > This was fixed upstream by commit cc477bf64573 ("crypto: arm/aes - > replace bit-sliced OpenSSL NEON code"), but it was just a small part of > a complete rewrite. This patch just fixes the priority bug for older > kernels. > > Signed-off-by: Eric Biggers <ebiggers@google.com> Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> > --- > arch/arm/crypto/aesbs-glue.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/arch/arm/crypto/aesbs-glue.c b/arch/arm/crypto/aesbs-glue.c > index 0511a6cafe24..5d934a0039d7 100644 > --- a/arch/arm/crypto/aesbs-glue.c > +++ b/arch/arm/crypto/aesbs-glue.c > @@ -363,7 +363,7 @@ static struct crypto_alg aesbs_algs[] = { { > }, { > .cra_name = "cbc(aes)", > .cra_driver_name = "cbc-aes-neonbs", > - .cra_priority = 300, > + .cra_priority = 250, > .cra_flags = CRYPTO_ALG_TYPE_ABLKCIPHER|CRYPTO_ALG_ASYNC, > .cra_blocksize = AES_BLOCK_SIZE, > .cra_ctxsize = sizeof(struct async_helper_ctx), > @@ -383,7 +383,7 @@ static struct crypto_alg aesbs_algs[] = { { > }, { > .cra_name = "ctr(aes)", > .cra_driver_name = "ctr-aes-neonbs", > - .cra_priority = 300, > + .cra_priority = 250, > .cra_flags = CRYPTO_ALG_TYPE_ABLKCIPHER|CRYPTO_ALG_ASYNC, > .cra_blocksize = 1, > .cra_ctxsize = sizeof(struct async_helper_ctx), > @@ -403,7 +403,7 @@ static struct crypto_alg aesbs_algs[] = { { > }, { > .cra_name = "xts(aes)", > .cra_driver_name = "xts-aes-neonbs", > - .cra_priority = 300, > + .cra_priority = 250, > .cra_flags = CRYPTO_ALG_TYPE_ABLKCIPHER|CRYPTO_ALG_ASYNC, > .cra_blocksize = AES_BLOCK_SIZE, > .cra_ctxsize = sizeof(struct async_helper_ctx), > -- > 2.15.0.448.gf294e3d99a-goog >
On Fri, Nov 17, 2017 at 11:50:27AM -0800, Eric Biggers wrote: > Hi, > > I'd like the following patch to be applied to stable for versions > between 4.1 and 4.10 (inclusively). > > This is a minimal fix for a bug where arm32 kernels can use a much > slower implementation of AES than is actually available, potentially > forcing vendors to disable encryption on their devices. > > Min version is 4.1 because that was the first version to include the > aes-ce algorithms. > > Max version is 4.10 because in 4.11, this bug was fixed incidentally as > part of a complete rewrite of the bit-sliced AES implementation. Thanks for the patch, now queued up. greg k-h
diff --git a/arch/arm/crypto/aesbs-glue.c b/arch/arm/crypto/aesbs-glue.c index 0511a6cafe24..5d934a0039d7 100644 --- a/arch/arm/crypto/aesbs-glue.c +++ b/arch/arm/crypto/aesbs-glue.c @@ -363,7 +363,7 @@ static struct crypto_alg aesbs_algs[] = { { }, { .cra_name = "cbc(aes)", .cra_driver_name = "cbc-aes-neonbs", - .cra_priority = 300, + .cra_priority = 250, .cra_flags = CRYPTO_ALG_TYPE_ABLKCIPHER|CRYPTO_ALG_ASYNC, .cra_blocksize = AES_BLOCK_SIZE, .cra_ctxsize = sizeof(struct async_helper_ctx), @@ -383,7 +383,7 @@ static struct crypto_alg aesbs_algs[] = { { }, { .cra_name = "ctr(aes)", .cra_driver_name = "ctr-aes-neonbs", - .cra_priority = 300, + .cra_priority = 250, .cra_flags = CRYPTO_ALG_TYPE_ABLKCIPHER|CRYPTO_ALG_ASYNC, .cra_blocksize = 1, .cra_ctxsize = sizeof(struct async_helper_ctx), @@ -403,7 +403,7 @@ static struct crypto_alg aesbs_algs[] = { { }, { .cra_name = "xts(aes)", .cra_driver_name = "xts-aes-neonbs", - .cra_priority = 300, + .cra_priority = 250, .cra_flags = CRYPTO_ALG_TYPE_ABLKCIPHER|CRYPTO_ALG_ASYNC, .cra_blocksize = AES_BLOCK_SIZE, .cra_ctxsize = sizeof(struct async_helper_ctx),
Hi, I'd like the following patch to be applied to stable for versions between 4.1 and 4.10 (inclusively). This is a minimal fix for a bug where arm32 kernels can use a much slower implementation of AES than is actually available, potentially forcing vendors to disable encryption on their devices. Min version is 4.1 because that was the first version to include the aes-ce algorithms. Max version is 4.10 because in 4.11, this bug was fixed incidentally as part of a complete rewrite of the bit-sliced AES implementation. ---8<--- All the aes-bs (bit-sliced) and aes-ce (cryptographic extensions) algorithms had a priority of 300. This is undesirable because it means an aes-bs algorithm may be used when an aes-ce algorithm is available. The aes-ce algorithms have much better performance (up to 10x faster). Fix it by decreasing the priority of the aes-bs algorithms to 250. This was fixed upstream by commit cc477bf64573 ("crypto: arm/aes - replace bit-sliced OpenSSL NEON code"), but it was just a small part of a complete rewrite. This patch just fixes the priority bug for older kernels. Signed-off-by: Eric Biggers <ebiggers@google.com> --- arch/arm/crypto/aesbs-glue.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-)