1 From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
2 From: Ard Biesheuvel <ardb@kernel.org>
3 Date: Fri, 8 Nov 2019 13:22:11 +0100
4 Subject: [PATCH] crypto: arm64/chacha - depend on generic chacha library
5 instead of crypto driver
7 commit c77da4867cbb7841177275dbb250f5c09679fae4 upstream.
9 Depend on the generic ChaCha library routines instead of pulling in the
10 generic ChaCha skcipher driver, which is more than we need, and makes
11 managing the dependencies between the generic library, generic driver,
12 accelerated library and driver more complicated.
14 While at it, drop the logic to prefer the scalar code on short inputs.
15 Turning the NEON on and off is cheap these days, and one major use case
16 for ChaCha20 is ChaCha20-Poly1305, which is guaranteed to hit the scalar
17 path upon every invocation (when doing the Poly1305 nonce generation)
19 Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
20 Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
21 Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
23 arch/arm64/crypto/Kconfig | 2 +-
24 arch/arm64/crypto/chacha-neon-glue.c | 40 +++++++++++++++-------------
25 2 files changed, 23 insertions(+), 19 deletions(-)
27 --- a/arch/arm64/crypto/Kconfig
28 +++ b/arch/arm64/crypto/Kconfig
29 @@ -103,7 +103,7 @@ config CRYPTO_CHACHA20_NEON
30 tristate "ChaCha20, XChaCha20, and XChaCha12 stream ciphers using NEON instructions"
31 depends on KERNEL_MODE_NEON
32 select CRYPTO_BLKCIPHER
33 - select CRYPTO_CHACHA20
34 + select CRYPTO_LIB_CHACHA_GENERIC
36 config CRYPTO_NHPOLY1305_NEON
37 tristate "NHPoly1305 hash function using NEON instructions (for Adiantum)"
38 --- a/arch/arm64/crypto/chacha-neon-glue.c
39 +++ b/arch/arm64/crypto/chacha-neon-glue.c
40 @@ -68,7 +68,7 @@ static int chacha_neon_stream_xor(struct
42 err = skcipher_walk_virt(&walk, req, false);
44 - crypto_chacha_init(state, ctx, iv);
45 + chacha_init_generic(state, ctx->key, iv);
47 while (walk.nbytes > 0) {
48 unsigned int nbytes = walk.nbytes;
49 @@ -76,10 +76,16 @@ static int chacha_neon_stream_xor(struct
50 if (nbytes < walk.total)
51 nbytes = rounddown(nbytes, walk.stride);
53 - kernel_neon_begin();
54 - chacha_doneon(state, walk.dst.virt.addr, walk.src.virt.addr,
55 - nbytes, ctx->nrounds);
57 + if (!crypto_simd_usable()) {
58 + chacha_crypt_generic(state, walk.dst.virt.addr,
59 + walk.src.virt.addr, nbytes,
62 + kernel_neon_begin();
63 + chacha_doneon(state, walk.dst.virt.addr,
64 + walk.src.virt.addr, nbytes, ctx->nrounds);
67 err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
70 @@ -91,9 +97,6 @@ static int chacha_neon(struct skcipher_r
71 struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
72 struct chacha_ctx *ctx = crypto_skcipher_ctx(tfm);
74 - if (req->cryptlen <= CHACHA_BLOCK_SIZE || !crypto_simd_usable())
75 - return crypto_chacha_crypt(req);
77 return chacha_neon_stream_xor(req, ctx, req->iv);
80 @@ -105,14 +108,15 @@ static int xchacha_neon(struct skcipher_
84 - if (req->cryptlen <= CHACHA_BLOCK_SIZE || !crypto_simd_usable())
85 - return crypto_xchacha_crypt(req);
87 - crypto_chacha_init(state, ctx, req->iv);
88 + chacha_init_generic(state, ctx->key, req->iv);
90 - kernel_neon_begin();
91 - hchacha_block_neon(state, subctx.key, ctx->nrounds);
93 + if (crypto_simd_usable()) {
94 + kernel_neon_begin();
95 + hchacha_block_neon(state, subctx.key, ctx->nrounds);
98 + hchacha_block_generic(state, subctx.key, ctx->nrounds);
100 subctx.nrounds = ctx->nrounds;
102 memcpy(&real_iv[0], req->iv + 24, 8);
103 @@ -134,7 +138,7 @@ static struct skcipher_alg algs[] = {
104 .ivsize = CHACHA_IV_SIZE,
105 .chunksize = CHACHA_BLOCK_SIZE,
106 .walksize = 5 * CHACHA_BLOCK_SIZE,
107 - .setkey = crypto_chacha20_setkey,
108 + .setkey = chacha20_setkey,
109 .encrypt = chacha_neon,
110 .decrypt = chacha_neon,
112 @@ -150,7 +154,7 @@ static struct skcipher_alg algs[] = {
113 .ivsize = XCHACHA_IV_SIZE,
114 .chunksize = CHACHA_BLOCK_SIZE,
115 .walksize = 5 * CHACHA_BLOCK_SIZE,
116 - .setkey = crypto_chacha20_setkey,
117 + .setkey = chacha20_setkey,
118 .encrypt = xchacha_neon,
119 .decrypt = xchacha_neon,
121 @@ -166,7 +170,7 @@ static struct skcipher_alg algs[] = {
122 .ivsize = XCHACHA_IV_SIZE,
123 .chunksize = CHACHA_BLOCK_SIZE,
124 .walksize = 5 * CHACHA_BLOCK_SIZE,
125 - .setkey = crypto_chacha12_setkey,
126 + .setkey = chacha12_setkey,
127 .encrypt = xchacha_neon,
128 .decrypt = xchacha_neon,