Re: [PATCH v4 10/12] RISC-V: crypto: add Zvkned accelerated AES encryption implementation

From: Ard Biesheuvel
Date: Fri Jul 21 2023 - 07:39:52 EST

Next message: Francesco Dolcini: "Re: [PATCH v6 2/3] ARM: dts: imx6qdl: Add Variscite VAR-SOM-MX6 SoM support"
Previous message: Greg Kroah-Hartman: "Re: [RFC PATCH 6/6] block: implement NVMEM provider"
In reply to: Eric Biggers: "Re: [PATCH v4 10/12] RISC-V: crypto: add Zvkned accelerated AES encryption implementation"
Next in thread: Ard Biesheuvel: "Re: [PATCH v4 10/12] RISC-V: crypto: add Zvkned accelerated AES encryption implementation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 21 Jul 2023 at 07:40, Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
>
> On Tue, Jul 11, 2023 at 05:37:41PM +0200, Heiko Stuebner wrote:
...
> > +static int riscv64_aes_setkey_zvkned(struct crypto_tfm *tfm, const u8 *key,
> > + unsigned int keylen)
> > +{
> > + struct riscv_aes_ctx *ctx = crypto_tfm_ctx(tfm);
> > + int ret;
> > +
> > + ctx->keylen = keylen;
> > +
> > + if (keylen == 16 || keylen == 32) {
> > + kernel_rvv_begin();
> > + ret = rv64i_zvkned_set_encrypt_key(key, keylen * 8, &ctx->enc_key);
> > + if (ret != 1) {
> > + kernel_rvv_end();
> > + return -EINVAL;
> > + }
> > +
> > + ret = rv64i_zvkned_set_decrypt_key(key, keylen * 8, &ctx->dec_key);

The asm suggests that the encryption and decryption key schedules are
the same, and the decryption algorithm does not implement the
Equivalent Inverse Cipher, but simply iterates over they key schedule
in reverse order. This makes much more sense for instruction based
AES, so it doesn't surprise me but it does mean you can just drop this
part, and pass enc_key everywhere.

> > + kernel_rvv_end();
> > + if (ret != 1)
> > + return -EINVAL;
> > + }
> > +
> > + ret = crypto_cipher_setkey(ctx->fallback, key, keylen);
> > +
> > + return ret ? -EINVAL : 0;
> > +}
>
> It's a bit annoying that RISC-V doesn't support AES-192, though also not
> particularly surprising, seeing as AES-192 is almost never used. (Intel's Key
> Locker, for example, is another recent CPU feature that doesn't support
> AES-192.) IMO the issue here is really with the kernel crypto API -- it should
> treat AES-128, AES-192, and AES-256 as separate algorithms so that
> implementations aren't forced to support all three key sizes...
>

Why is this a fundamental limitation? AES-192 uses the same AES block
size and round structure, the only difference is the number of rounds
and how the round keys are calculated.

Creating the key schedule should never be performance critical, so if
the lack of AES-192 support is due to a limitation in the key schedule
generation instructions, I'd suggest to avoid those if possible and
just use the generic library code to derive the key schedule. If that
works, I'm pretty sure AES-192 support is just a matter of
implementing a 12-round variant modeled after the existing 10/14 round
ones.

Next message: Francesco Dolcini: "Re: [PATCH v6 2/3] ARM: dts: imx6qdl: Add Variscite VAR-SOM-MX6 SoM support"
Previous message: Greg Kroah-Hartman: "Re: [RFC PATCH 6/6] block: implement NVMEM provider"
In reply to: Eric Biggers: "Re: [PATCH v4 10/12] RISC-V: crypto: add Zvkned accelerated AES encryption implementation"
Next in thread: Ard Biesheuvel: "Re: [PATCH v4 10/12] RISC-V: crypto: add Zvkned accelerated AES encryption implementation"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]