From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: linux-crypto@vger.kernel.org
Cc: herbert@gondor.apana.org.au, ebiggers@kernel.org,
Ard Biesheuvel <ard.biesheuvel@linaro.org>
Subject: [PATCH v3 03/32] crypto: aes/fixed-time - align key schedule with other implementations
Date: Thu, 27 Jun 2019 12:26:18 +0200
Message-ID: <20190627102647.2992-4-ard.biesheuvel@linaro.org>
In-Reply-To: <20190627102647.2992-1-ard.biesheuvel@linaro.org>
The fixed time AES code mangles the key schedule so that xoring the
first round key with values at fixed offsets across the Sbox produces
the correct value. This primes the D-cache with the entire Sbox before
any data dependent lookups are done, making it more difficult to infer
key bits from timing variances when the plaintext is known.

The downside of this approach is that it renders the key schedule
incompatible with other implementations of AES in the kernel, which
makes it cumbersome to use this implementation as a fallback for SIMD
based AES in contexts where this is not allowed.

So let's tweak the fixed Sbox indexes so that they add up to zero under
the xor operation. While at it, increase the granularity to 16 bytes so
we cover the entire Sbox even on systems with 16 byte cachelines.
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
crypto/aes_ti.c | 52 ++++++++------------
1 file changed, 21 insertions(+), 31 deletions(-)
diff --git a/crypto/aes_ti.c b/crypto/aes_ti.c
index 1ff9785b30f5..fd70dc322634 100644
--- a/crypto/aes_ti.c
+++ b/crypto/aes_ti.c
@@ -237,30 +237,8 @@ static int aesti_set_key(struct crypto_tfm *tfm, const u8 *in_key,
unsigned int key_len)
{
struct crypto_aes_ctx *ctx = crypto_tfm_ctx(tfm);
- int err;
- err = aesti_expand_key(ctx, in_key, key_len);
- if (err)
- return err;
-
- /*
- * In order to force the compiler to emit data independent Sbox lookups
- * at the start of each block, xor the first round key with values at
- * fixed indexes in the Sbox. This will need to be repeated each time
- * the key is used, which will pull the entire Sbox into the D-cache
- * before any data dependent Sbox lookups are performed.
- */
- ctx->key_enc[0] ^= __aesti_sbox[ 0] ^ __aesti_sbox[128];
- ctx->key_enc[1] ^= __aesti_sbox[32] ^ __aesti_sbox[160];
- ctx->key_enc[2] ^= __aesti_sbox[64] ^ __aesti_sbox[192];
- ctx->key_enc[3] ^= __aesti_sbox[96] ^ __aesti_sbox[224];
-
- ctx->key_dec[0] ^= __aesti_inv_sbox[ 0] ^ __aesti_inv_sbox[128];
- ctx->key_dec[1] ^= __aesti_inv_sbox[32] ^ __aesti_inv_sbox[160];
- ctx->key_dec[2] ^= __aesti_inv_sbox[64] ^ __aesti_inv_sbox[192];
- ctx->key_dec[3] ^= __aesti_inv_sbox[96] ^ __aesti_inv_sbox[224];
-
- return 0;
+ return aesti_expand_key(ctx, in_key, key_len);
}
static void aesti_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
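Review bot: with the key-side xor gone, aesti_set_key is a one-line forwarder, and the deleted comment was the only in-source record that this key schedule is now byte-identical to the other kernel AES implementations; consider a one-line comment above `return aesti_expand_key(ctx, in_key, key_len);` saying that key_enc/key_dec must stay unmangled so a later change does not reintroduce a per-implementation schedule. Note that the change also moves the risk: a wrong index in the encrypt/decrypt hunks now corrupts the output outright instead of silently altering the schedule, so ordinary known-answer tests catch it.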
@@ -283,10 +261,16 @@ static void aesti_encrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
*/
local_irq_save(flags);
- st0[0] ^= __aesti_sbox[ 0] ^ __aesti_sbox[128];
- st0[1] ^= __aesti_sbox[32] ^ __aesti_sbox[160];
- st0[2] ^= __aesti_sbox[64] ^ __aesti_sbox[192];
- st0[3] ^= __aesti_sbox[96] ^ __aesti_sbox[224];
+ /*
+ * Force the compiler to emit data independent Sbox references,
+ * by xoring the input with Sbox values that are known to add up
+ * to zero. This pulls the entire Sbox into the D-cache before any
+ * data dependent lookups are done.
+ */
+ st0[0] ^= __aesti_sbox[ 0] ^ __aesti_sbox[ 64] ^ __aesti_sbox[134] ^ __aesti_sbox[195];
+ st0[1] ^= __aesti_sbox[16] ^ __aesti_sbox[ 82] ^ __aesti_sbox[158] ^ __aesti_sbox[221];
+ st0[2] ^= __aesti_sbox[32] ^ __aesti_sbox[ 96] ^ __aesti_sbox[160] ^ __aesti_sbox[234];
+ st0[3] ^= __aesti_sbox[48] ^ __aesti_sbox[112] ^ __aesti_sbox[186] ^ __aesti_sbox[241];
for (round = 0;; round += 2, rkp += 8) {
st1[0] = mix_columns(subshift(st0, 0)) ^ rkp[0];
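Review bot: the new comment says the compiler is forced to emit the Sbox loads, but the indexes are literals, the table contents are fixed, and the commit message states that the four bytes xor to zero, so a compiler that constant-folds reads from a const table may legally drop all four loads and the cache priming with them (the previous form had the same exposure). If __aesti_sbox is declared const, consider routing the loads through OPTIMIZER_HIDE_VAR() or a READ_ONCE()-style volatile access, or state in the comment why folding is not expected in practice. The arithmetic itself checks out against the FIPS-197 table: 0x63^0x09^0x44^0x2e, 0xca^0x00^0x0b^0xc1, 0xb7^0xd0^0xe0^0x87 and 0x04^0x51^0xf4^0xa1 are all zero, and the sixteen indexes touch every 16-byte line of the 256-byte table exactly once.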
@@ -331,10 +315,16 @@ static void aesti_decrypt(struct crypto_tfm *tfm, u8 *out, const u8 *in)
*/
local_irq_save(flags);
- st0[0] ^= __aesti_inv_sbox[ 0] ^ __aesti_inv_sbox[128];
- st0[1] ^= __aesti_inv_sbox[32] ^ __aesti_inv_sbox[160];
- st0[2] ^= __aesti_inv_sbox[64] ^ __aesti_inv_sbox[192];
- st0[3] ^= __aesti_inv_sbox[96] ^ __aesti_inv_sbox[224];
+ /*
+ * Force the compiler to emit data independent Sbox references,
+ * by xoring the input with Sbox values that are known to add up
+ * to zero. This pulls the entire Sbox into the D-cache before any
+ * data dependent lookups are done.
+ */
+ st0[0] ^= __aesti_inv_sbox[ 0] ^ __aesti_inv_sbox[ 64] ^ __aesti_inv_sbox[129] ^ __aesti_inv_sbox[200];
+ st0[1] ^= __aesti_inv_sbox[16] ^ __aesti_inv_sbox[ 83] ^ __aesti_inv_sbox[150] ^ __aesti_inv_sbox[212];
+ st0[2] ^= __aesti_inv_sbox[32] ^ __aesti_inv_sbox[ 96] ^ __aesti_inv_sbox[160] ^ __aesti_inv_sbox[236];
+ st0[3] ^= __aesti_inv_sbox[48] ^ __aesti_inv_sbox[112] ^ __aesti_inv_sbox[187] ^ __aesti_inv_sbox[247];
for (round = 0;; round += 2, rkp += 8) {
st1[0] = inv_mix_columns(inv_subshift(st0, 0)) ^ rkp[0];
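Review bot: this five-line comment is a verbatim copy of the one added to aesti_encrypt; consider hoisting the explanation, together with the two invariants each index set must satisfy (each group of four bytes xors to zero, and the sixteen indexes together touch every 16-byte line of the table), into a single comment next to the table definitions, leaving a one-line pointer at both call sites so the forward and inverse sets are maintained together. The inverse-Sbox values do satisfy the invariant (0x52^0x72^0x91^0xb1, 0x7c^0x50^0x35^0x19, 0x54^0x90^0x47^0x83 and 0x08^0xd0^0xfe^0x26 are all zero) and the indexes cover all sixteen 16-byte lines.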
--
2.20.1
Thread overview: 35+ messages
2019-06-27 10:26 [PATCH v3 00/32] crypto: AES cleanup Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 01/32] crypto: arm/aes-ce - cosmetic/whitespace cleanup Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 02/32] crypto: aes - rename local routines to prevent future clashes Ard Biesheuvel
2019-06-27 10:26 ` Ard Biesheuvel [this message]
2019-06-27 10:26 ` [PATCH v3 04/32] crypto: aes - create AES library based on the fixed time AES code Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 05/32] crypto: x86/aes-ni - switch to generic for fallback and key routines Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 06/32] crypto: x86/aes - drop scalar assembler implementations Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 07/32] crypto: padlock/aes - switch to library version of key expansion routine Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 08/32] crypto: cesa/aes " Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 09/32] crypto: safexcel/aes " Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 10/32] crypto: arm64/ghash - switch to AES library Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 11/32] crypto: arm/aes-neonbs - switch to library version of key expansion routine Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 12/32] crypto: arm64/aes-ccm - switch to AES library Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 13/32] crypto: arm64/aes-neonbs - switch to library version of key expansion routine Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 14/32] crypto: arm64/aes-ce " Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 15/32] crypto: generic/aes - drop key expansion routine in favor of library version Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 16/32] crypto: ctr - add helper for performing a CTR encryption walk Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 17/32] crypto: aes - move sync ctr(aes) to AES library and generic helper Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 18/32] crypto: arm64/aes-ce-cipher - use AES library as fallback Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 19/32] crypto: aes/arm - use native endiannes for key schedule Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 20/32] crypto: arm/aes-ce - provide a synchronous version of ctr(aes) Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 21/32] crypto: arm/aes-neonbs " Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 22/32] crypto: arm/ghash - provide a synchronous version Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 23/32] bluetooth: switch to AES library Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 24/32] crypto: amcc/aes - switch to AES library for GCM key derivation Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 25/32] crypto: ccp - move to AES library for CMAC " Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 26/32] crypto: chelsio/aes - replace AES cipher calls with library calls Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 27/32] crypto: aes/generic - unexport last-round AES tables Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 28/32] crypto: lib/aes - export sbox and inverse sbox Ard Biesheuvel
2019-06-27 17:52 ` Eric Biggers
2019-06-28 9:45 ` Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 29/32] crypto: arm64/aes-neon - switch to shared AES Sboxes Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 30/32] crypto: arm/aes-cipher - switch to shared AES inverse Sbox Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 31/32] crypto: arm64/aes-cipher " Ard Biesheuvel
2019-06-27 10:26 ` [PATCH v3 32/32] crypto: arm/aes-scalar - unexport en/decryption routines Ard Biesheuvel