| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <YajWYuwFAy81VP5t@hirez.programming.kicks-ass.net>
Date: Thu, 2 Dec 2021 15:21:22 +0100
From: Peter Zijlstra <peterz@...radead.org>
To: "Chang S. Bae" <chang.seok.bae@...el.com>
Cc: tglx@...utronix.de, bp@...e.de, dave.hansen@...ux.intel.com,
mingo@...nel.org, luto@...nel.org, x86@...nel.org,
herbert@...dor.apana.org.au, linux-kernel@...r.kernel.org,
linux-crypto@...r.kernel.org, dan.j.williams@...el.com,
charishma1.gairuboyina@...el.com, kumar.n.dwarakanath@...el.com,
lalithambika.krishnakumar@...el.com, ravi.v.shankar@...el.com
Subject: Re: [PATCH v3 11/15] crypto: x86/aes-kl - Support AES algorithm
using Key Locker instructions
On Wed, Nov 24, 2021 at 12:06:56PM -0800, Chang S. Bae wrote:
> + encodekey256 %eax, %eax
So this thing uses the fancy new keylocker instructions, however:
> diff --git a/crypto/Kconfig b/crypto/Kconfig
> index 285f82647d2b..784a04433549 100644
> --- a/crypto/Kconfig
> +++ b/crypto/Kconfig
> @@ -1113,6 +1113,50 @@ config CRYPTO_AES_NI_INTEL
> ECB, CBC, LRW, XTS. The 64 bit version has additional
> acceleration for CTR.
>
> +config CRYPTO_AES_KL
> + tristate "AES cipher algorithms (AES-KL)"
> + depends on (LD_VERSION >= 23600) || (LLD_VERSION >= 120000)
> + depends on DM_CRYPT
> + select X86_KEYLOCKER
> + select CRYPTO_AES_NI_INTEL
There is no dependency on the compiler actually supporting them..
config AS_HAS_KEYLOCKER
def_bool $(as-instr,encodekey256)
depends on AS_HAS_KEYLOCKER
Hmm?
> +
> + help
> + Key Locker provides AES SIMD instructions (AES-KL) for secure
> + data encryption and decryption. While this new instruction
> + set is analogous to AES-NI, AES-KL supports to encode an AES
> + key to an encoded form ('key handle') and uses it to transform
> + data instead of accessing the AES key.
> +
> + The setkey() transforms an AES key to a key handle, then the AES
> + key is no longer needed for data transformation. A user may
> + displace their keys from possible exposition.
> +
> + This key encryption is done by the CPU-internal wrapping key. The
> + x86 core code loads a new random key at every boot time and
> + restores it from deep sleep states. This wrapping key support is
> + provided with X86_KEYLOCKER.
> +
> + AES-KL supports 128-/256-bit keys only. While giving a 192-bit
> + key does not return an error, as AES-NI is chosen to process it,
> + the claimed security property is not available with that.
> +
> + GNU binutils version 2.36 or above and LLVM version 12 or above
> + are assemblers that support AES-KL instructions.
> +
> + Bare metal disk encryption is the preferred use case. Make it
> + depend on DM_CRYPT.
> +
> + This selection enables an alternative crypto cipher for
> + cryptsetup, e.g. "capi:xts-aes-aeskl-plain", to use with dm-crypt
> + volumes. It trades off raw performance for reduced clear-text key
> + exposure and has an additional failure mode compared to AES-NI.
> + See Documentation/x86/keylocker.rst for more details. Key Locker
> + usage requires explicit opt-in at cryptsetup time. So, select it
> + if unsure.
> +
> + See also the CRYPTO_AES_NI_INTEL description for more about the
> + AES cipher algorithm.
> +
> config CRYPTO_AES_SPARC64
> tristate "AES cipher algorithms (SPARC64)"
> depends on SPARC64
> --
> 2.17.1
>
Powered by blists - more mailing lists