Re: [PATCH v4 10/12] RISC-V: crypto: add Zvkned accelerated AES encryption implementation
From: Ard Biesheuvel
Date: Fri Jul 21 2023 - 10:24:10 EST
On Fri, 21 Jul 2023 at 13:39, Ard Biesheuvel <ardb@xxxxxxxxxx> wrote:
>
> On Fri, 21 Jul 2023 at 07:40, Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
> >
> > On Tue, Jul 11, 2023 at 05:37:41PM +0200, Heiko Stuebner wrote:
> ...
> > > +static int riscv64_aes_setkey_zvkned(struct crypto_tfm *tfm, const u8 *key,
> > > + unsigned int keylen)
> > > +{
> > > + struct riscv_aes_ctx *ctx = crypto_tfm_ctx(tfm);
> > > + int ret;
> > > +
> > > + ctx->keylen = keylen;
> > > +
> > > + if (keylen == 16 || keylen == 32) {
> > > + kernel_rvv_begin();
> > > + ret = rv64i_zvkned_set_encrypt_key(key, keylen * 8, &ctx->enc_key);
> > > + if (ret != 1) {
> > > + kernel_rvv_end();
> > > + return -EINVAL;
> > > + }
> > > +
> > > + ret = rv64i_zvkned_set_decrypt_key(key, keylen * 8, &ctx->dec_key);
>
> The asm suggests that the encryption and decryption key schedules are
> the same, and the decryption algorithm does not implement the
> Equivalent Inverse Cipher, but simply iterates over they key schedule
> in reverse order. This makes much more sense for instruction based
> AES, so it doesn't surprise me but it does mean you can just drop this
> part, and pass enc_key everywhere.
>
> > > + kernel_rvv_end();
> > > + if (ret != 1)
> > > + return -EINVAL;
> > > + }
> > > +
> > > + ret = crypto_cipher_setkey(ctx->fallback, key, keylen);
> > > +
> > > + return ret ? -EINVAL : 0;
> > > +}
> >
> > It's a bit annoying that RISC-V doesn't support AES-192, though also not
> > particularly surprising, seeing as AES-192 is almost never used. (Intel's Key
> > Locker, for example, is another recent CPU feature that doesn't support
> > AES-192.) IMO the issue here is really with the kernel crypto API -- it should
> > treat AES-128, AES-192, and AES-256 as separate algorithms so that
> > implementations aren't forced to support all three key sizes...
> >
>
> Why is this a fundamental limitation? AES-192 uses the same AES block
> size and round structure, the only difference is the number of rounds
> and how the round keys are calculated.
>
> Creating the key schedule should never be performance critical, so if
> the lack of AES-192 support is due to a limitation in the key schedule
> generation instructions, I'd suggest to avoid those if possible and
> just use the generic library code to derive the key schedule. If that
> works, I'm pretty sure AES-192 support is just a matter of
> implementing a 12-round variant modeled after the existing 10/14 round
> ones.
This seems to work:
https://git.kernel.org/pub/scm/linux/kernel/git/ardb/linux.git/log/?h=riscv-crypto
Feel free to incorporate/squash any of those changes into your series.