[PATCH] lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN

[PATCH] lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN

[Eric Biggers]

On big endian arm kernels, the arm optimized Curve25519 code produces
incorrect outputs and fails the Curve25519 test.  This has been true
ever since this code was added.

It seems that hardly anyone (or even no one?) actually uses big endian
arm kernels.  But as long as they're ostensibly supported, we should
disable this code on them so that it's not accidentally used.

Note: for future-proofing, use !CPU_BIG_ENDIAN instead of
CPU_LITTLE_ENDIAN.  Both of these are arch-specific options that could
get removed in the future if big endian support gets dropped.

Fixes: d8f1308a025f ("crypto: arm/curve25519 - wire up NEON implementation")
Cc: stable@vger.kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---

This patch is targeting libcrypto-fixes

 lib/crypto/Kconfig | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig
index 8886055e938f..16859c6226dd 100644
--- a/lib/crypto/Kconfig
+++ b/lib/crypto/Kconfig
@@ -62,11 +62,11 @@ config CRYPTO_LIB_CURVE25519
 	  of the functions from <crypto/curve25519.h>.
 
 config CRYPTO_LIB_CURVE25519_ARCH
 	bool
 	depends on CRYPTO_LIB_CURVE25519 && !UML && !KMSAN
-	default y if ARM && KERNEL_MODE_NEON
+	default y if ARM && KERNEL_MODE_NEON && !CPU_BIG_ENDIAN
 	default y if PPC64 && CPU_LITTLE_ENDIAN
 	default y if X86_64
 
 config CRYPTO_LIB_CURVE25519_GENERIC
 	bool

base-commit: 1af424b15401d2be789c4dc2279889514e7c5c94
-- 
2.51.2

Re: [PATCH] lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN

[Ard Biesheuvel]

On Tue, 4 Nov 2025 at 06:51, Eric Biggers <ebiggers@kernel.org> wrote:
>
> On big endian arm kernels, the arm optimized Curve25519 code produces
> incorrect outputs and fails the Curve25519 test.  This has been true
> ever since this code was added.
>
> It seems that hardly anyone (or even no one?) actually uses big endian
> arm kernels.  But as long as they're ostensibly supported, we should
> disable this code on them so that it's not accidentally used.
>
> Note: for future-proofing, use !CPU_BIG_ENDIAN instead of
> CPU_LITTLE_ENDIAN.  Both of these are arch-specific options that could
> get removed in the future if big endian support gets dropped.
>
> Fixes: d8f1308a025f ("crypto: arm/curve25519 - wire up NEON implementation")
> Cc: stable@vger.kernel.org
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> ---
>
> This patch is targeting libcrypto-fixes
>
>  lib/crypto/Kconfig | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>

Acked-by: Ard Biesheuvel <ardb@kernel.org>

> diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig
> index 8886055e938f..16859c6226dd 100644
> --- a/lib/crypto/Kconfig
> +++ b/lib/crypto/Kconfig
> @@ -62,11 +62,11 @@ config CRYPTO_LIB_CURVE25519
>           of the functions from <crypto/curve25519.h>.
>
>  config CRYPTO_LIB_CURVE25519_ARCH
>         bool
>         depends on CRYPTO_LIB_CURVE25519 && !UML && !KMSAN
> -       default y if ARM && KERNEL_MODE_NEON
> +       default y if ARM && KERNEL_MODE_NEON && !CPU_BIG_ENDIAN
>         default y if PPC64 && CPU_LITTLE_ENDIAN
>         default y if X86_64
>
>  config CRYPTO_LIB_CURVE25519_GENERIC
>         bool
>
> base-commit: 1af424b15401d2be789c4dc2279889514e7c5c94
> --
> 2.51.2
>

Re: [PATCH] lib/crypto: arm/curve25519: Disable on CPU_BIG_ENDIAN

[Eric Biggers]

On Mon, Nov 03, 2025 at 09:49:06PM -0800, Eric Biggers wrote:
> On big endian arm kernels, the arm optimized Curve25519 code produces
> incorrect outputs and fails the Curve25519 test.  This has been true
> ever since this code was added.
> 
> It seems that hardly anyone (or even no one?) actually uses big endian
> arm kernels.  But as long as they're ostensibly supported, we should
> disable this code on them so that it's not accidentally used.
> 
> Note: for future-proofing, use !CPU_BIG_ENDIAN instead of
> CPU_LITTLE_ENDIAN.  Both of these are arch-specific options that could
> get removed in the future if big endian support gets dropped.
> 
> Fixes: d8f1308a025f ("crypto: arm/curve25519 - wire up NEON implementation")
> Cc: stable@vger.kernel.org
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> ---
> 
> This patch is targeting libcrypto-fixes
> 
>  lib/crypto/Kconfig | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/lib/crypto/Kconfig b/lib/crypto/Kconfig
> index 8886055e938f..16859c6226dd 100644
> --- a/lib/crypto/Kconfig
> +++ b/lib/crypto/Kconfig
> @@ -62,11 +62,11 @@ config CRYPTO_LIB_CURVE25519
>  	  of the functions from <crypto/curve25519.h>.
>  
>  config CRYPTO_LIB_CURVE25519_ARCH
>  	bool
>  	depends on CRYPTO_LIB_CURVE25519 && !UML && !KMSAN
> -	default y if ARM && KERNEL_MODE_NEON
> +	default y if ARM && KERNEL_MODE_NEON && !CPU_BIG_ENDIAN
>  	default y if PPC64 && CPU_LITTLE_ENDIAN
>  	default y if X86_64
>  
>  config CRYPTO_LIB_CURVE25519_GENERIC
>  	bool
> 
> base-commit: 1af424b15401d2be789c4dc2279889514e7c5c94
> -- 
> 2.51.2
> 

Applied to https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git/log/?h=libcrypto-fixes

- Eric