lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <B4290995-3983-41D8-991E-ABA2213656B1@sifive.com>
Date:   Mon, 20 Nov 2023 10:36:19 +0800
From:   Jerry Shih <jerry.shih@...ive.com>
To:     Eric Biggers <ebiggers@...nel.org>
Cc:     Paul Walmsley <paul.walmsley@...ive.com>, palmer@...belt.com,
        Albert Ou <aou@...s.berkeley.edu>, herbert@...dor.apana.org.au,
        davem@...emloft.net, andy.chiu@...ive.com, greentime.hu@...ive.com,
        conor.dooley@...rochip.com, guoren@...nel.org, bjorn@...osinc.com,
        heiko@...ech.de, ardb@...nel.org, phoebe.chen@...ive.com,
        hongrong.hsu@...ive.com, linux-riscv@...ts.infradead.org,
        linux-kernel@...r.kernel.org, linux-crypto@...r.kernel.org
Subject: Re: [PATCH 06/12] RISC-V: crypto: add accelerated AES-CBC/CTR/ECB/XTS
 implementations

On Nov 10, 2023, at 12:06, Jerry Shih <jerry.shih@...ive.com> wrote:
> On Nov 9, 2023, at 16:05, Eric Biggers <ebiggers@...nel.org> wrote:
>> On Thu, Oct 26, 2023 at 02:36:38AM +0800, Jerry Shih wrote:
>>> +# prepare input data(v24), iv(v28), bit-reversed-iv(v16), bit-reversed-iv-multiplier(v20)
>>> +sub init_first_round {
>>> ....
>>> +    # Prepare GF(2^128) multiplier [1, x, x^2, x^3, ...] in v8.
>>> +    slli $T0, $LEN32, 2
>>> +    @{[vsetvli "zero", $T0, "e32", "m1", "ta", "ma"]}
>>> +    # v2: [`1`, `1`, `1`, `1`, ...]
>>> +    @{[vmv_v_i $V2, 1]}
>>> +    # v3: [`0`, `1`, `2`, `3`, ...]
>>> +    @{[vid_v $V3]}
>>> +    @{[vsetvli "zero", $T0, "e64", "m2", "ta", "ma"]}
>>> +    # v4: [`1`, 0, `1`, 0, `1`, 0, `1`, 0, ...]
>>> +    @{[vzext_vf2 $V4, $V2]}
>>> +    # v6: [`0`, 0, `1`, 0, `2`, 0, `3`, 0, ...]
>>> +    @{[vzext_vf2 $V6, $V3]}
>>> +    slli $T0, $LEN32, 1
>>> +    @{[vsetvli "zero", $T0, "e32", "m2", "ta", "ma"]}
>>> +    # v8: [1<<0=1, 0, 0, 0, 1<<1=x, 0, 0, 0, 1<<2=x^2, 0, 0, 0, ...]
>>> +    @{[vwsll_vv $V8, $V4, $V6]}
>> 
>> This code assumes that '1 << i' fits in 64 bits, for 0 <= i < vl.
>> 
>> I think that works out to an implicit assumption that VLEN <= 2048.  I.e.,
>> AES-XTS encryption/decryption would produce the wrong result on RISC-V
>> implementations with VLEN > 2048.
>> 
>> Perhaps it should be explicitly checked that VLEN <= 2048?
>> 
>> - Eric
> 
> Yes, we could just have the simple checking like:
> 
>  riscv_vector_vlen() >= 128 || riscv_vector_vlen() <=2048
> 
> We could also truncate the VL inside for VLEN>2048 case.
> Let me think more about these two approaches. 
> 
> -Jerry

I use the simplest solution. Setup the check for vlen:
	riscv_vector_vlen() >= 128 || riscv_vector_vlen() <=2048
It will have a situation that we will not enable accelerated aes-xts for `vlen>2048`.
I would like to make a `todo` task to fix that in the future.

-Jerry

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ