2005-04-16 22:20:36 +00:00
|
|
|
#
|
|
|
|
# Cryptographic API
|
|
|
|
#
|
|
|
|
|
2008-03-30 08:36:09 +00:00
|
|
|
obj-$(CONFIG_CRYPTO) += crypto.o
|
crypto: crypto_memneq - add equality testing of memory regions w/o timing leaks
When comparing MAC hashes, AEAD authentication tags, or other hash
values in the context of authentication or integrity checking, it
is important not to leak timing information to a potential attacker,
i.e. when communication happens over a network.
Bytewise memory comparisons (such as memcmp) are usually optimized so
that they return a nonzero value as soon as a mismatch is found. E.g,
on x86_64/i5 for 512 bytes this can be ~50 cyc for a full mismatch
and up to ~850 cyc for a full match (cold). This early-return behavior
can leak timing information as a side channel, allowing an attacker to
iteratively guess the correct result.
This patch adds a new method crypto_memneq ("memory not equal to each
other") to the crypto API that compares memory areas of the same length
in roughly "constant time" (cache misses could change the timing, but
since they don't reveal information about the content of the strings
being compared, they are effectively benign). Iow, best and worst case
behaviour take the same amount of time to complete (in contrast to
memcmp).
Note that crypto_memneq (unlike memcmp) can only be used to test for
equality or inequality, NOT for lexicographical order. This, however,
is not an issue for its use-cases within the crypto API.
We tried to locate all of the places in the crypto API where memcmp was
being used for authentication or integrity checking, and convert them
over to crypto_memneq.
crypto_memneq is declared noinline, placed in its own source file,
and compiled with optimizations that might increase code size disabled
("Os") because a smart compiler (or LTO) might notice that the return
value is always compared against zero/nonzero, and might then
reintroduce the same early-return optimization that we are trying to
avoid.
Using #pragma or __attribute__ optimization annotations of the code
for disabling optimization was avoided as it seems to be considered
broken or unmaintained for long time in GCC [1]. Therefore, we work
around that by specifying the compile flag for memneq.o directly in
the Makefile. We found that this seems to be most appropriate.
As we use ("Os"), this patch also provides a loop-free "fast-path" for
frequently used 16 byte digests. Similarly to kernel library string
functions, leave an option for future even further optimized architecture
specific assembler implementations.
This was a joint work of James Yonan and Daniel Borkmann. Also thanks
for feedback from Florian Weimer on this and earlier proposals [2].
[1] http://gcc.gnu.org/ml/gcc/2012-07/msg00211.html
[2] https://lkml.org/lkml/2013/2/10/131
Signed-off-by: James Yonan <james@openvpn.net>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Cc: Florian Weimer <fw@deneb.enyo.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2013-09-26 08:20:39 +00:00
|
|
|
crypto-y := api.o cipher.o compress.o memneq.o
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2009-02-19 06:33:40 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_WORKQUEUE) += crypto_wq.o
|
|
|
|
|
2016-01-26 12:25:39 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_ENGINE) += crypto_engine.o
|
2008-08-05 06:13:08 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_FIPS) += fips.o
|
|
|
|
|
2006-08-21 11:08:13 +00:00
|
|
|
crypto_algapi-$(CONFIG_PROC_FS) += proc.o
|
2010-11-27 08:32:57 +00:00
|
|
|
crypto_algapi-y := algapi.o scatterwalk.o $(crypto_algapi-y)
|
2008-12-10 12:29:44 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_ALGAPI2) += crypto_algapi.o
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2008-12-10 12:29:44 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_AEAD2) += aead.o
|
2007-11-27 11:48:27 +00:00
|
|
|
|
2010-11-27 08:32:57 +00:00
|
|
|
crypto_blkcipher-y := ablkcipher.o
|
|
|
|
crypto_blkcipher-y += blkcipher.o
|
2015-08-20 07:21:45 +00:00
|
|
|
crypto_blkcipher-y += skcipher.o
|
2008-12-10 12:29:44 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_BLKCIPHER2) += crypto_blkcipher.o
|
2007-11-30 10:38:37 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_SEQIV) += seqiv.o
|
2015-05-21 07:11:15 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_ECHAINIV) += echainiv.o
|
2006-08-21 14:07:53 +00:00
|
|
|
|
2010-11-27 08:32:57 +00:00
|
|
|
crypto_hash-y += ahash.o
|
|
|
|
crypto_hash-y += shash.o
|
2008-12-10 12:29:44 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_HASH2) += crypto_hash.o
|
2006-08-19 12:24:23 +00:00
|
|
|
|
2015-06-16 17:30:55 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_AKCIPHER2) += akcipher.o
|
2016-06-22 16:49:13 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_KPP2) += kpp.o
|
crypto: compress - Add pcomp interface
The current "comp" crypto interface supports one-shot (de)compression only,
i.e. the whole data buffer to be (de)compressed must be passed at once, and
the whole (de)compressed data buffer will be received at once.
In several use-cases (e.g. compressed file systems that store files in big
compressed blocks), this workflow is not suitable.
Furthermore, the "comp" type doesn't provide for the configuration of
(de)compression parameters, and always allocates workspace memory for both
compression and decompression, which may waste memory.
To solve this, add a "pcomp" partial (de)compression interface that provides
the following operations:
- crypto_compress_{init,update,final}() for compression,
- crypto_decompress_{init,update,final}() for decompression,
- crypto_{,de}compress_setup(), to configure (de)compression parameters
(incl. allocating workspace memory).
The (de)compression methods take a struct comp_request, which was mimicked
after the z_stream object in zlib, and contains buffer pointer and length
pairs for input and output.
The setup methods take an opaque parameter pointer and length pair. Parameters
are supposed to be encoded using netlink attributes, whose meanings depend on
the actual (name of the) (de)compression algorithm.
Signed-off-by: Geert Uytterhoeven <Geert.Uytterhoeven@sonycom.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2009-03-04 07:05:33 +00:00
|
|
|
|
2016-06-22 16:49:14 +00:00
|
|
|
dh_generic-y := dh.o
|
|
|
|
dh_generic-y += dh_helper.o
|
|
|
|
obj-$(CONFIG_CRYPTO_DH) += dh_generic.o
|
2016-06-22 16:49:15 +00:00
|
|
|
ecdh_generic-y := ecc.o
|
|
|
|
ecdh_generic-y += ecdh.o
|
|
|
|
ecdh_generic-y += ecdh_helper.o
|
|
|
|
obj-$(CONFIG_CRYPTO_ECDH) += ecdh_generic.o
|
2016-06-22 16:49:14 +00:00
|
|
|
|
2015-10-08 16:26:55 +00:00
|
|
|
$(obj)/rsapubkey-asn1.o: $(obj)/rsapubkey-asn1.c $(obj)/rsapubkey-asn1.h
|
|
|
|
$(obj)/rsaprivkey-asn1.o: $(obj)/rsaprivkey-asn1.c $(obj)/rsaprivkey-asn1.h
|
2016-11-29 19:15:12 +00:00
|
|
|
$(obj)/rsa_helper.o: $(obj)/rsapubkey-asn1.h $(obj)/rsaprivkey-asn1.h
|
2015-10-08 16:26:55 +00:00
|
|
|
clean-files += rsapubkey-asn1.c rsapubkey-asn1.h
|
|
|
|
clean-files += rsaprivkey-asn1.c rsaprivkey-asn1.h
|
2015-06-16 17:31:01 +00:00
|
|
|
|
2015-10-08 16:26:55 +00:00
|
|
|
rsa_generic-y := rsapubkey-asn1.o
|
|
|
|
rsa_generic-y += rsaprivkey-asn1.o
|
2015-06-16 17:31:01 +00:00
|
|
|
rsa_generic-y += rsa.o
|
|
|
|
rsa_generic-y += rsa_helper.o
|
2015-12-05 16:09:34 +00:00
|
|
|
rsa_generic-y += rsa-pkcs1pad.o
|
2015-06-16 17:31:01 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_RSA) += rsa_generic.o
|
|
|
|
|
2016-10-26 09:56:45 +00:00
|
|
|
crypto_acompress-y := acompress.o
|
|
|
|
crypto_acompress-y += scompress.o
|
|
|
|
obj-$(CONFIG_CRYPTO_ACOMP2) += crypto_acompress.o
|
2016-10-21 12:19:47 +00:00
|
|
|
|
2010-11-27 08:32:57 +00:00
|
|
|
cryptomgr-y := algboss.o testmgr.o
|
2008-07-31 09:08:25 +00:00
|
|
|
|
2008-12-10 12:29:44 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_MANAGER2) += cryptomgr.o
|
2011-09-27 05:23:50 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_USER) += crypto_user.o
|
2013-04-08 07:48:44 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_CMAC) += cmac.o
|
2005-04-16 22:20:36 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_HMAC) += hmac.o
|
2009-09-02 10:05:22 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_VMAC) += vmac.o
|
2006-10-28 03:15:24 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_XCBC) += xcbc.o
|
2015-08-17 09:45:27 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_NULL2) += crypto_null.o
|
2005-04-16 22:20:36 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_MD4) += md4.o
|
|
|
|
obj-$(CONFIG_CRYPTO_MD5) += md5.o
|
2008-05-07 14:14:10 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_RMD128) += rmd128.o
|
|
|
|
obj-$(CONFIG_CRYPTO_RMD160) += rmd160.o
|
2008-05-09 13:27:02 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_RMD256) += rmd256.o
|
|
|
|
obj-$(CONFIG_CRYPTO_RMD320) += rmd320.o
|
2007-10-08 03:45:10 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_SHA1) += sha1_generic.o
|
|
|
|
obj-$(CONFIG_CRYPTO_SHA256) += sha256_generic.o
|
2008-03-06 11:55:38 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_SHA512) += sha512_generic.o
|
2016-06-17 05:00:35 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_SHA3) += sha3_generic.o
|
2005-04-16 22:20:36 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_WP512) += wp512.o
|
crypto: improve gcc optimization flags for serpent and wp512
An ancient gcc bug (first reported in 2003) has apparently resurfaced
on MIPS, where kernelci.org reports an overly large stack frame in the
whirlpool hash algorithm:
crypto/wp512.c:987:1: warning: the frame size of 1112 bytes is larger than 1024 bytes [-Wframe-larger-than=]
With some testing in different configurations, I'm seeing large
variations in stack frames size up to 1500 bytes for what should have
around 300 bytes at most. I also checked the reference implementation,
which is essentially the same code but also comes with some test and
benchmarking infrastructure.
It seems that recent compiler versions on at least arm, arm64 and powerpc
have a partial fix for this problem, but enabling "-fsched-pressure", but
even with that fix they suffer from the issue to a certain degree. Some
testing on arm64 shows that the time needed to hash a given amount of
data is roughly proportional to the stack frame size here, which makes
sense given that the wp512 implementation is doing lots of loads for
table lookups, and the problem with the overly large stack is a result
of doing a lot more loads and stores for spilled registers (as seen from
inspecting the object code).
Disabling -fschedule-insns consistently fixes the problem for wp512,
in my collection of cross-compilers, the results are consistently better
or identical when comparing the stack sizes in this function, though
some architectures (notable x86) have schedule-insns disabled by
default.
The four columns are:
default: -O2
press: -O2 -fsched-pressure
nopress: -O2 -fschedule-insns -fno-sched-pressure
nosched: -O2 -no-schedule-insns (disables sched-pressure)
default press nopress nosched
alpha-linux-gcc-4.9.3 1136 848 1136 176
am33_2.0-linux-gcc-4.9.3 2100 2076 2100 2104
arm-linux-gnueabi-gcc-4.9.3 848 848 1048 352
cris-linux-gcc-4.9.3 272 272 272 272
frv-linux-gcc-4.9.3 1128 1000 1128 280
hppa64-linux-gcc-4.9.3 1128 336 1128 184
hppa-linux-gcc-4.9.3 644 308 644 276
i386-linux-gcc-4.9.3 352 352 352 352
m32r-linux-gcc-4.9.3 720 656 720 268
microblaze-linux-gcc-4.9.3 1108 604 1108 256
mips64-linux-gcc-4.9.3 1328 592 1328 208
mips-linux-gcc-4.9.3 1096 624 1096 240
powerpc64-linux-gcc-4.9.3 1088 432 1088 160
powerpc-linux-gcc-4.9.3 1080 584 1080 224
s390-linux-gcc-4.9.3 456 456 624 360
sh3-linux-gcc-4.9.3 292 292 292 292
sparc64-linux-gcc-4.9.3 992 240 992 208
sparc-linux-gcc-4.9.3 680 592 680 312
x86_64-linux-gcc-4.9.3 224 240 272 224
xtensa-linux-gcc-4.9.3 1152 704 1152 304
aarch64-linux-gcc-7.0.0 224 224 1104 208
arm-linux-gnueabi-gcc-7.0.1 824 824 1048 352
mips-linux-gcc-7.0.0 1120 648 1120 272
x86_64-linux-gcc-7.0.1 240 240 304 240
arm-linux-gnueabi-gcc-4.4.7 840 392
arm-linux-gnueabi-gcc-4.5.4 784 728 784 320
arm-linux-gnueabi-gcc-4.6.4 736 728 736 304
arm-linux-gnueabi-gcc-4.7.4 944 784 944 352
arm-linux-gnueabi-gcc-4.8.5 464 464 760 352
arm-linux-gnueabi-gcc-4.9.3 848 848 1048 352
arm-linux-gnueabi-gcc-5.3.1 824 824 1064 336
arm-linux-gnueabi-gcc-6.1.1 808 808 1056 344
arm-linux-gnueabi-gcc-7.0.1 824 824 1048 352
Trying the same test for serpent-generic, the picture is a bit different,
and while -fno-schedule-insns is generally better here than the default,
-fsched-pressure wins overall, so I picked that instead.
default press nopress nosched
alpha-linux-gcc-4.9.3 1392 864 1392 960
am33_2.0-linux-gcc-4.9.3 536 524 536 528
arm-linux-gnueabi-gcc-4.9.3 552 552 776 536
cris-linux-gcc-4.9.3 528 528 528 528
frv-linux-gcc-4.9.3 536 400 536 504
hppa64-linux-gcc-4.9.3 524 208 524 480
hppa-linux-gcc-4.9.3 768 472 768 508
i386-linux-gcc-4.9.3 564 564 564 564
m32r-linux-gcc-4.9.3 712 576 712 532
microblaze-linux-gcc-4.9.3 724 392 724 512
mips64-linux-gcc-4.9.3 720 384 720 496
mips-linux-gcc-4.9.3 728 384 728 496
powerpc64-linux-gcc-4.9.3 704 304 704 480
powerpc-linux-gcc-4.9.3 704 296 704 480
s390-linux-gcc-4.9.3 560 560 592 536
sh3-linux-gcc-4.9.3 540 540 540 540
sparc64-linux-gcc-4.9.3 544 352 544 496
sparc-linux-gcc-4.9.3 544 344 544 496
x86_64-linux-gcc-4.9.3 528 536 576 528
xtensa-linux-gcc-4.9.3 752 544 752 544
aarch64-linux-gcc-7.0.0 432 432 656 480
arm-linux-gnueabi-gcc-7.0.1 616 616 808 536
mips-linux-gcc-7.0.0 720 464 720 488
x86_64-linux-gcc-7.0.1 536 528 600 536
arm-linux-gnueabi-gcc-4.4.7 592 440
arm-linux-gnueabi-gcc-4.5.4 776 448 776 544
arm-linux-gnueabi-gcc-4.6.4 776 448 776 544
arm-linux-gnueabi-gcc-4.7.4 768 448 768 544
arm-linux-gnueabi-gcc-4.8.5 488 488 776 544
arm-linux-gnueabi-gcc-4.9.3 552 552 776 536
arm-linux-gnueabi-gcc-5.3.1 552 552 776 536
arm-linux-gnueabi-gcc-6.1.1 560 560 776 536
arm-linux-gnueabi-gcc-7.0.1 616 616 808 536
I did not do any runtime tests with serpent, so it is possible that stack
frame size does not directly correlate with runtime performance here and
it actually makes things worse, but it's more likely to help here, and
the reduced stack frame size is probably enough reason to apply the patch,
especially given that the crypto code is often used in deep call chains.
Link: https://kernelci.org/build/id/58797d7559b5149efdf6c3a9/logs/
Link: http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=11488
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149
Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-02-03 22:33:23 +00:00
|
|
|
CFLAGS_wp512.o := $(call cc-option,-fno-schedule-insns) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149
|
2005-04-16 22:20:36 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_TGR192) += tgr192.o
|
2006-11-29 07:59:44 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_GF128MUL) += gf128mul.o
|
2006-09-21 01:44:08 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_ECB) += ecb.o
|
|
|
|
obj-$(CONFIG_CRYPTO_CBC) += cbc.o
|
2006-12-16 01:09:02 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_PCBC) += pcbc.o
|
2008-03-24 13:26:16 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_CTS) += cts.o
|
2006-11-25 22:43:10 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_LRW) += lrw.o
|
2007-09-19 12:23:13 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_XTS) += xts.o
|
[CRYPTO] ctr: Add CTR (Counter) block cipher mode
This patch implements CTR mode for IPsec.
It is based off of RFC 3686.
Please note:
1. CTR turns a block cipher into a stream cipher.
Encryption is done in blocks, however the last block
may be a partial block.
A "counter block" is encrypted, creating a keystream
that is xor'ed with the plaintext. The counter portion
of the counter block is incremented after each block
of plaintext is encrypted.
Decryption is performed in same manner.
2. The CTR counterblock is composed of,
nonce + IV + counter
The size of the counterblock is equivalent to the
blocksize of the cipher.
sizeof(nonce) + sizeof(IV) + sizeof(counter) = blocksize
The CTR template requires the name of the cipher
algorithm, the sizeof the nonce, and the sizeof the iv.
ctr(cipher,sizeof_nonce,sizeof_iv)
So for example,
ctr(aes,4,8)
specifies the counterblock will be composed of 4 bytes
from a nonce, 8 bytes from the iv, and 4 bytes for counter
since aes has a blocksize of 16 bytes.
3. The counter portion of the counter block is stored
in big endian for conformance to rfc 3686.
Signed-off-by: Joy Latten <latten@austin.ibm.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-10-23 00:50:32 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_CTR) += ctr.o
|
2015-09-21 18:58:56 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_KEYWRAP) += keywrap.o
|
2007-11-26 14:24:11 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_GCM) += gcm.o
|
2007-12-12 12:25:13 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_CCM) += ccm.o
|
2015-06-01 11:44:00 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_CHACHA20POLY1305) += chacha20poly1305.o
|
2010-01-07 04:57:19 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_PCRYPT) += pcrypt.o
|
2007-04-16 10:49:20 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_CRYPTD) += cryptd.o
|
2014-07-31 17:29:51 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_MCRYPTD) += mcryptd.o
|
2007-10-05 08:42:03 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_DES) += des_generic.o
|
2006-12-16 01:13:14 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_FCRYPT) += fcrypt.o
|
2011-09-01 22:45:12 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_BLOWFISH) += blowfish_generic.o
|
2011-09-01 22:45:07 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_BLOWFISH_COMMON) += blowfish_common.o
|
2010-06-03 11:02:51 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_TWOFISH) += twofish_generic.o
|
2006-06-20 10:37:23 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_TWOFISH_COMMON) += twofish_common.o
|
2011-10-17 21:03:13 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_SERPENT) += serpent_generic.o
|
crypto: improve gcc optimization flags for serpent and wp512
An ancient gcc bug (first reported in 2003) has apparently resurfaced
on MIPS, where kernelci.org reports an overly large stack frame in the
whirlpool hash algorithm:
crypto/wp512.c:987:1: warning: the frame size of 1112 bytes is larger than 1024 bytes [-Wframe-larger-than=]
With some testing in different configurations, I'm seeing large
variations in stack frames size up to 1500 bytes for what should have
around 300 bytes at most. I also checked the reference implementation,
which is essentially the same code but also comes with some test and
benchmarking infrastructure.
It seems that recent compiler versions on at least arm, arm64 and powerpc
have a partial fix for this problem, but enabling "-fsched-pressure", but
even with that fix they suffer from the issue to a certain degree. Some
testing on arm64 shows that the time needed to hash a given amount of
data is roughly proportional to the stack frame size here, which makes
sense given that the wp512 implementation is doing lots of loads for
table lookups, and the problem with the overly large stack is a result
of doing a lot more loads and stores for spilled registers (as seen from
inspecting the object code).
Disabling -fschedule-insns consistently fixes the problem for wp512,
in my collection of cross-compilers, the results are consistently better
or identical when comparing the stack sizes in this function, though
some architectures (notable x86) have schedule-insns disabled by
default.
The four columns are:
default: -O2
press: -O2 -fsched-pressure
nopress: -O2 -fschedule-insns -fno-sched-pressure
nosched: -O2 -no-schedule-insns (disables sched-pressure)
default press nopress nosched
alpha-linux-gcc-4.9.3 1136 848 1136 176
am33_2.0-linux-gcc-4.9.3 2100 2076 2100 2104
arm-linux-gnueabi-gcc-4.9.3 848 848 1048 352
cris-linux-gcc-4.9.3 272 272 272 272
frv-linux-gcc-4.9.3 1128 1000 1128 280
hppa64-linux-gcc-4.9.3 1128 336 1128 184
hppa-linux-gcc-4.9.3 644 308 644 276
i386-linux-gcc-4.9.3 352 352 352 352
m32r-linux-gcc-4.9.3 720 656 720 268
microblaze-linux-gcc-4.9.3 1108 604 1108 256
mips64-linux-gcc-4.9.3 1328 592 1328 208
mips-linux-gcc-4.9.3 1096 624 1096 240
powerpc64-linux-gcc-4.9.3 1088 432 1088 160
powerpc-linux-gcc-4.9.3 1080 584 1080 224
s390-linux-gcc-4.9.3 456 456 624 360
sh3-linux-gcc-4.9.3 292 292 292 292
sparc64-linux-gcc-4.9.3 992 240 992 208
sparc-linux-gcc-4.9.3 680 592 680 312
x86_64-linux-gcc-4.9.3 224 240 272 224
xtensa-linux-gcc-4.9.3 1152 704 1152 304
aarch64-linux-gcc-7.0.0 224 224 1104 208
arm-linux-gnueabi-gcc-7.0.1 824 824 1048 352
mips-linux-gcc-7.0.0 1120 648 1120 272
x86_64-linux-gcc-7.0.1 240 240 304 240
arm-linux-gnueabi-gcc-4.4.7 840 392
arm-linux-gnueabi-gcc-4.5.4 784 728 784 320
arm-linux-gnueabi-gcc-4.6.4 736 728 736 304
arm-linux-gnueabi-gcc-4.7.4 944 784 944 352
arm-linux-gnueabi-gcc-4.8.5 464 464 760 352
arm-linux-gnueabi-gcc-4.9.3 848 848 1048 352
arm-linux-gnueabi-gcc-5.3.1 824 824 1064 336
arm-linux-gnueabi-gcc-6.1.1 808 808 1056 344
arm-linux-gnueabi-gcc-7.0.1 824 824 1048 352
Trying the same test for serpent-generic, the picture is a bit different,
and while -fno-schedule-insns is generally better here than the default,
-fsched-pressure wins overall, so I picked that instead.
default press nopress nosched
alpha-linux-gcc-4.9.3 1392 864 1392 960
am33_2.0-linux-gcc-4.9.3 536 524 536 528
arm-linux-gnueabi-gcc-4.9.3 552 552 776 536
cris-linux-gcc-4.9.3 528 528 528 528
frv-linux-gcc-4.9.3 536 400 536 504
hppa64-linux-gcc-4.9.3 524 208 524 480
hppa-linux-gcc-4.9.3 768 472 768 508
i386-linux-gcc-4.9.3 564 564 564 564
m32r-linux-gcc-4.9.3 712 576 712 532
microblaze-linux-gcc-4.9.3 724 392 724 512
mips64-linux-gcc-4.9.3 720 384 720 496
mips-linux-gcc-4.9.3 728 384 728 496
powerpc64-linux-gcc-4.9.3 704 304 704 480
powerpc-linux-gcc-4.9.3 704 296 704 480
s390-linux-gcc-4.9.3 560 560 592 536
sh3-linux-gcc-4.9.3 540 540 540 540
sparc64-linux-gcc-4.9.3 544 352 544 496
sparc-linux-gcc-4.9.3 544 344 544 496
x86_64-linux-gcc-4.9.3 528 536 576 528
xtensa-linux-gcc-4.9.3 752 544 752 544
aarch64-linux-gcc-7.0.0 432 432 656 480
arm-linux-gnueabi-gcc-7.0.1 616 616 808 536
mips-linux-gcc-7.0.0 720 464 720 488
x86_64-linux-gcc-7.0.1 536 528 600 536
arm-linux-gnueabi-gcc-4.4.7 592 440
arm-linux-gnueabi-gcc-4.5.4 776 448 776 544
arm-linux-gnueabi-gcc-4.6.4 776 448 776 544
arm-linux-gnueabi-gcc-4.7.4 768 448 768 544
arm-linux-gnueabi-gcc-4.8.5 488 488 776 544
arm-linux-gnueabi-gcc-4.9.3 552 552 776 536
arm-linux-gnueabi-gcc-5.3.1 552 552 776 536
arm-linux-gnueabi-gcc-6.1.1 560 560 776 536
arm-linux-gnueabi-gcc-7.0.1 616 616 808 536
I did not do any runtime tests with serpent, so it is possible that stack
frame size does not directly correlate with runtime performance here and
it actually makes things worse, but it's more likely to help here, and
the reduced stack frame size is probably enough reason to apply the patch,
especially given that the crypto code is often used in deep call chains.
Link: https://kernelci.org/build/id/58797d7559b5149efdf6c3a9/logs/
Link: http://www.larc.usp.br/~pbarreto/WhirlpoolPage.html
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=11488
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149
Cc: Ralf Baechle <ralf@linux-mips.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-02-03 22:33:23 +00:00
|
|
|
CFLAGS_serpent_generic.o := $(call cc-option,-fsched-pressure) # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=79149
|
2007-10-05 08:52:01 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_AES) += aes_generic.o
|
crypto: aes - add generic time invariant AES cipher
Lookup table based AES is sensitive to timing attacks, which is due to
the fact that such table lookups are data dependent, and the fact that
8 KB worth of tables covers a significant number of cachelines on any
architecture, resulting in an exploitable correlation between the key
and the processing time for known plaintexts.
For network facing algorithms such as CTR, CCM or GCM, this presents a
security risk, which is why arch specific AES ports are typically time
invariant, either through the use of special instructions, or by using
SIMD algorithms that don't rely on table lookups.
For generic code, this is difficult to achieve without losing too much
performance, but we can improve the situation significantly by switching
to an implementation that only needs 256 bytes of table data (the actual
S-box itself), which can be prefetched at the start of each block to
eliminate data dependent latencies.
This code encrypts at ~25 cycles per byte on ARM Cortex-A57 (while the
ordinary generic AES driver manages 18 cycles per byte on this
hardware). Decryption is substantially slower.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2017-02-02 16:37:40 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_AES_TI) += aes_ti.o
|
2012-03-05 18:26:32 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_CAMELLIA) += camellia_generic.o
|
2012-11-13 09:43:14 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_CAST_COMMON) += cast_common.o
|
2012-07-11 17:37:04 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_CAST5) += cast5_generic.o
|
2012-07-11 17:38:12 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_CAST6) += cast6_generic.o
|
2005-04-16 22:20:36 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_ARC4) += arc4.o
|
|
|
|
obj-$(CONFIG_CRYPTO_TEA) += tea.o
|
|
|
|
obj-$(CONFIG_CRYPTO_KHAZAD) += khazad.o
|
|
|
|
obj-$(CONFIG_CRYPTO_ANUBIS) += anubis.o
|
2007-08-21 12:01:03 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_SEED) += seed.o
|
2007-11-23 11:45:00 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_SALSA20) += salsa20_generic.o
|
2015-06-01 11:43:56 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_CHACHA20) += chacha20_generic.o
|
2015-06-01 11:43:58 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_POLY1305) += poly1305_generic.o
|
2005-04-16 22:20:36 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_DEFLATE) += deflate.o
|
|
|
|
obj-$(CONFIG_CRYPTO_MICHAEL_MIC) += michael_mic.o
|
2014-01-23 11:25:47 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_CRC32C) += crc32c_generic.o
|
2016-01-29 10:20:17 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_CRC32) += crc32_generic.o
|
2013-09-12 05:31:34 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_CRCT10DIF) += crct10dif_common.o crct10dif_generic.o
|
2011-03-08 00:04:58 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_AUTHENC) += authenc.o authencesn.o
|
2007-12-07 08:53:23 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_LZO) += lzo.o
|
2013-07-08 23:01:51 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_LZ4) += lz4.o
|
|
|
|
obj-$(CONFIG_CRYPTO_LZ4HC) += lz4hc.o
|
2012-07-19 14:42:41 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_842) += 842.o
|
2008-12-10 12:29:44 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_RNG2) += rng.o
|
2008-08-14 12:15:52 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_ANSI_CPRNG) += ansi_cprng.o
|
2014-07-04 14:15:08 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_DRBG) += drbg.o
|
2015-06-23 14:18:54 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_JITTERENTROPY) += jitterentropy_rng.o
|
|
|
|
CFLAGS_jitterentropy.o = -O0
|
|
|
|
jitterentropy_rng-y := jitterentropy.o jitterentropy-kcapi.o
|
2005-04-16 22:20:36 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_TEST) += tcrypt.o
|
2009-08-06 05:32:38 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_GHASH) += ghash-generic.o
|
2010-10-19 13:12:39 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_USER_API) += af_alg.o
|
2010-10-19 13:23:00 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_USER_API_HASH) += algif_hash.o
|
2010-10-19 13:31:55 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_USER_API_SKCIPHER) += algif_skcipher.o
|
2014-12-25 22:00:39 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_USER_API_RNG) += algif_rng.o
|
2015-02-28 19:50:40 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_USER_API_AEAD) += algif_aead.o
|
2007-07-09 18:56:42 +00:00
|
|
|
|
|
|
|
#
|
|
|
|
# generic algorithms and the async_tx api
|
|
|
|
#
|
|
|
|
obj-$(CONFIG_XOR_BLOCKS) += xor.o
|
async_tx: add the async_tx api
The async_tx api provides methods for describing a chain of asynchronous
bulk memory transfers/transforms with support for inter-transactional
dependencies. It is implemented as a dmaengine client that smooths over
the details of different hardware offload engine implementations. Code
that is written to the api can optimize for asynchronous operation and the
api will fit the chain of operations to the available offload resources.
I imagine that any piece of ADMA hardware would register with the
'async_*' subsystem, and a call to async_X would be routed as
appropriate, or be run in-line. - Neil Brown
async_tx exploits the capabilities of struct dma_async_tx_descriptor to
provide an api of the following general format:
struct dma_async_tx_descriptor *
async_<operation>(..., struct dma_async_tx_descriptor *depend_tx,
dma_async_tx_callback cb_fn, void *cb_param)
{
struct dma_chan *chan = async_tx_find_channel(depend_tx, <operation>);
struct dma_device *device = chan ? chan->device : NULL;
int int_en = cb_fn ? 1 : 0;
struct dma_async_tx_descriptor *tx = device ?
device->device_prep_dma_<operation>(chan, len, int_en) : NULL;
if (tx) { /* run <operation> asynchronously */
...
tx->tx_set_dest(addr, tx, index);
...
tx->tx_set_src(addr, tx, index);
...
async_tx_submit(chan, tx, flags, depend_tx, cb_fn, cb_param);
} else { /* run <operation> synchronously */
...
<operation>
...
async_tx_sync_epilog(flags, depend_tx, cb_fn, cb_param);
}
return tx;
}
async_tx_find_channel() returns a capable channel from its pool. The
channel pool is organized as a per-cpu array of channel pointers. The
async_tx_rebalance() routine is tasked with managing these arrays. In the
uniprocessor case async_tx_rebalance() tries to spread responsibility
evenly over channels of similar capabilities. For example if there are two
copy+xor channels, one will handle copy operations and the other will
handle xor. In the SMP case async_tx_rebalance() attempts to spread the
operations evenly over the cpus, e.g. cpu0 gets copy channel0 and xor
channel0 while cpu1 gets copy channel 1 and xor channel 1. When a
dependency is specified async_tx_find_channel defaults to keeping the
operation on the same channel. A xor->copy->xor chain will stay on one
channel if it supports both operation types, otherwise the transaction will
transition between a copy and a xor resource.
Currently the raid5 implementation in the MD raid456 driver has been
converted to the async_tx api. A driver for the offload engines on the
Intel Xscale series of I/O processors, iop-adma, is provided in a later
commit. With the iop-adma driver and async_tx, raid456 is able to offload
copy, xor, and xor-zero-sum operations to hardware engines.
On iop342 tiobench showed higher throughput for sequential writes (20 - 30%
improvement) and sequential reads to a degraded array (40 - 55%
improvement). For the other cases performance was roughly equal, +/- a few
percentage points. On a x86-smp platform the performance of the async_tx
implementation (in synchronous mode) was also +/- a few percentage points
of the original implementation. According to 'top' on iop342 CPU
utilization drops from ~50% to ~15% during a 'resync' while the speed
according to /proc/mdstat doubles from ~25 MB/s to ~50 MB/s.
The tiobench command line used for testing was: tiobench --size 2048
--block 4096 --block 131072 --dir /mnt/raid --numruns 5
* iop342 had 1GB of memory available
Details:
* if CONFIG_DMA_ENGINE=n the asynchronous path is compiled away by making
async_tx_find_channel a static inline routine that always returns NULL
* when a callback is specified for a given transaction an interrupt will
fire at operation completion time and the callback will occur in a
tasklet. if the the channel does not support interrupts then a live
polling wait will be performed
* the api is written as a dmaengine client that requests all available
channels
* In support of dependencies the api implicitly schedules channel-switch
interrupts. The interrupt triggers the cleanup tasklet which causes
pending operations to be scheduled on the next channel
* Xor engines treat an xor destination address differently than a software
xor routine. To the software routine the destination address is an implied
source, whereas engines treat it as a write-only destination. This patch
modifies the xor_blocks routine to take a an explicit destination address
to mirror the hardware.
Changelog:
* fixed a leftover debug print
* don't allow callbacks in async_interrupt_cond
* fixed xor_block changes
* fixed usage of ASYNC_TX_XOR_DROP_DEST
* drop dma mapping methods, suggested by Chris Leech
* printk warning fixups from Andrew Morton
* don't use inline in C files, Adrian Bunk
* select the API when MD is enabled
* BUG_ON xor source counts <= 1
* implicitly handle hardware concerns like channel switching and
interrupts, Neil Brown
* remove the per operation type list, and distribute operation capabilities
evenly amongst the available channels
* simplify async_tx_find_channel to optimize the fast path
* introduce the channel_table_initialized flag to prevent early calls to
the api
* reorganize the code to mimic crypto
* include mm.h as not all archs include it in dma-mapping.h
* make the Kconfig options non-user visible, Adrian Bunk
* move async_tx under crypto since it is meant as 'core' functionality, and
the two may share algorithms in the future
* move large inline functions into c files
* checkpatch.pl fixes
* gpl v2 only correction
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Dan Williams <dan.j.williams@intel.com>
Acked-By: NeilBrown <neilb@suse.de>
2007-01-02 18:10:44 +00:00
|
|
|
obj-$(CONFIG_ASYNC_CORE) += async_tx/
|
2012-09-13 14:17:21 +00:00
|
|
|
obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys/
|
2013-05-06 12:40:01 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_HASH_INFO) += hash_info.o
|
2013-09-20 07:55:40 +00:00
|
|
|
obj-$(CONFIG_CRYPTO_ABLK_HELPER) += ablk_helper.o
|
2016-11-22 12:08:25 +00:00
|
|
|
crypto_simd-y := simd.o
|
|
|
|
obj-$(CONFIG_CRYPTO_SIMD) += crypto_simd.o
|