* [RFC PATCH 1/2] rust: crypto: add library AES-128 / SHA-256 / HMAC-SHA256 bindings
2026-06-17 15:01 [RFC PATCH 0/2] rust: crypto: library AES-128 / SHA-256 / HMAC + RSA Mike Lothian
@ 2026-06-17 15:01 ` Mike Lothian
2026-06-17 17:18 ` Eric Biggers
2026-06-17 15:01 ` [RFC PATCH 2/2] rust: crypto: add RSA public-key encryption via crypto_akcipher Mike Lothian
2026-06-17 15:13 ` [RFC PATCH 0/2] rust: crypto: library AES-128 / SHA-256 / HMAC + RSA Miguel Ojeda
2 siblings, 1 reply; 7+ messages in thread
From: Mike Lothian @ 2026-06-17 15:01 UTC (permalink / raw)
To: rust-for-linux
Cc: Mike Lothian, linux-crypto, Eric Biggers, Miguel Ojeda,
Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin,
Andreas Hindborg, Alice Ryhl, Trevor Gross, Danilo Krummrich,
Daniel Almeida, Greg Kroah-Hartman, Yury Norov (NVIDIA),
Asahi Lina, Lorenzo Stoakes, Joel Fernandes, Alexandre Courbot,
FUJITA Tomonori, Krishna Ketan Rai, linux-kernel
Add a small `kernel::crypto` module exposing the kernel's synchronous
library crypto (lib/crypto) to Rust: SHA-256, HMAC-SHA256 and single-block
AES-128 ECB. These are one-shot, allocation-free and run in the calling
context, suitable for in-kernel Rust users that need a hash or a block
cipher without the full asynchronous crypto API.
SHA-256 (`sha256()`) and HMAC-SHA256 (`hmac_sha256_usingrawkey()`) are
plain exported functions and are bound directly via bindgen, so their
header `<crypto/sha2.h>` is added to bindings_helper.h. AES single-block
encryption goes through a `rust_helper_` shim because `aes_encrypt()` takes
a transparent union (`aes_encrypt_arg`) that bindgen cannot express; the
shim also zeroes the expanded key schedule before returning.
The Rust API: `crypto::sha256(&[u8]) -> [u8; 32]`,
`crypto::hmac_sha256(key, data) -> [u8; 32]`, and the `crypto::Aes128`
type, created with `Aes128::new(key)` and used via
`encrypt_block(&[u8; 16]) -> Result<[u8; 16]>`.
Signed-off-by: Mike Lothian <mike@fireburn.co.uk>
Assisted-by: Claude:claude-opus-4-8 [Claude-Code]
---
rust/bindings/bindings_helper.h | 2 +
rust/helpers/crypto.c | 25 +++++++++++
rust/helpers/helpers.c | 1 +
rust/kernel/crypto.rs | 77 +++++++++++++++++++++++++++++++++
rust/kernel/lib.rs | 1 +
5 files changed, 106 insertions(+)
create mode 100644 rust/helpers/crypto.c
create mode 100644 rust/kernel/crypto.rs
diff --git a/rust/bindings/bindings_helper.h b/rust/bindings/bindings_helper.h
index 1124785e210b..14671e1825bb 100644
--- a/rust/bindings/bindings_helper.h
+++ b/rust/bindings/bindings_helper.h
@@ -28,6 +28,8 @@
*/
#include <linux/hrtimer_types.h>
+#include <crypto/sha2.h>
+
#include <linux/acpi.h>
#include <linux/gpu_buddy.h>
#include <drm/drm_device.h>
diff --git a/rust/helpers/crypto.c b/rust/helpers/crypto.c
new file mode 100644
index 000000000000..dc9614f6fc8e
--- /dev/null
+++ b/rust/helpers/crypto.c
@@ -0,0 +1,25 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <crypto/aes.h>
+#include <linux/string.h>
+
+/*
+ * AES-128 single-block ECB encryption: out = AES(key, in).
+ *
+ * A helper because aes_encrypt() takes a transparent union (aes_encrypt_arg)
+ * that bindgen cannot express. SHA-256 and HMAC-SHA256 are plain extern
+ * functions and are bound directly.
+ */
+__rust_helper int
+rust_helper_aes128_encrypt_block(const u8 *key, const u8 *in, u8 *out)
+{
+ struct aes_enckey enckey;
+ int ret;
+
+ ret = aes_prepareenckey(&enckey, key, AES_KEYSIZE_128);
+ if (ret)
+ return ret;
+ aes_encrypt(&enckey, out, in);
+ memzero_explicit(&enckey, sizeof(enckey));
+ return 0;
+}
diff --git a/rust/helpers/helpers.c b/rust/helpers/helpers.c
index 4488a87223b9..45e67929251e 100644
--- a/rust/helpers/helpers.c
+++ b/rust/helpers/helpers.c
@@ -55,6 +55,7 @@
#include "cpufreq.c"
#include "cpumask.c"
#include "cred.c"
+#include "crypto.c"
#include "device.c"
#include "dma.c"
#include "dma-resv.c"
diff --git a/rust/kernel/crypto.rs b/rust/kernel/crypto.rs
new file mode 100644
index 000000000000..c8f2cb994cfd
--- /dev/null
+++ b/rust/kernel/crypto.rs
@@ -0,0 +1,77 @@
+// SPDX-License-Identifier: GPL-2.0
+
+//! Safe wrappers over the kernel's synchronous library crypto.
+//!
+//! Exposes the one-shot `lib/crypto` primitives — AES-128 single-block ECB,
+//! SHA-256 and HMAC-SHA256 — for use from Rust. They run synchronously in the
+//! calling context with no allocation; the hashes are infallible.
+//!
+//! C headers: [`include/crypto/aes.h`](srctree/include/crypto/aes.h),
+//! [`include/crypto/sha2.h`](srctree/include/crypto/sha2.h).
+
+use crate::{bindings, error::to_result, prelude::*};
+
+/// Size of a SHA-256 / HMAC-SHA256 digest, in bytes.
+pub const SHA256_DIGEST_SIZE: usize = 32;
+/// AES-128 block and key size, in bytes.
+pub const AES128_BLOCK_SIZE: usize = 16;
+
+/// Returns the SHA-256 digest of `data`.
+pub fn sha256(data: &[u8]) -> [u8; SHA256_DIGEST_SIZE] {
+ let mut out = [0u8; SHA256_DIGEST_SIZE];
+ // SAFETY: `data` is valid for `data.len()` reads and `out` is a valid
+ // `SHA256_DIGEST_SIZE`-byte output buffer, as `sha256()` requires.
+ unsafe { bindings::sha256(data.as_ptr(), data.len(), out.as_mut_ptr()) };
+ out
+}
+
+/// Returns `HMAC-SHA256(key, data)`.
+pub fn hmac_sha256(key: &[u8], data: &[u8]) -> [u8; SHA256_DIGEST_SIZE] {
+ let mut out = [0u8; SHA256_DIGEST_SIZE];
+ // SAFETY: `key` and `data` are valid for their respective lengths and `out`
+ // is a valid `SHA256_DIGEST_SIZE`-byte output buffer, as required.
+ unsafe {
+ bindings::hmac_sha256_usingrawkey(
+ key.as_ptr(),
+ key.len(),
+ data.as_ptr(),
+ data.len(),
+ out.as_mut_ptr(),
+ )
+ };
+ out
+}
+
+/// An AES-128 key usable for single-block ECB encryption.
+///
+/// # Examples
+///
+/// ```
+/// use kernel::crypto::Aes128;
+/// let cipher = Aes128::new([0u8; 16]);
+/// let _ct = cipher.encrypt_block(&[0u8; 16])?;
+/// # Ok::<(), Error>(())
+/// ```
+pub struct Aes128([u8; AES128_BLOCK_SIZE]);
+
+impl Aes128 {
+ /// Creates an AES-128 key from 16 raw key bytes.
+ pub fn new(key: [u8; AES128_BLOCK_SIZE]) -> Self {
+ Self(key)
+ }
+
+ /// Encrypts one 16-byte block: returns `AES-128-ECB(key, block)`.
+ pub fn encrypt_block(
+ &self,
+ block: &[u8; AES128_BLOCK_SIZE],
+ ) -> Result<[u8; AES128_BLOCK_SIZE]> {
+ let mut out = [0u8; AES128_BLOCK_SIZE];
+ // SAFETY: `self.0`, `block` and `out` are all valid 16-byte buffers, as
+ // the helper requires.
+ let ret = unsafe {
+ bindings::aes128_encrypt_block(self.0.as_ptr(), block.as_ptr(), out.as_mut_ptr())
+ };
+ to_result(ret)?;
+ Ok(out)
+ }
+}
diff --git a/rust/kernel/lib.rs b/rust/kernel/lib.rs
index b72b2fbe046d..3448fa3a0e9e 100644
--- a/rust/kernel/lib.rs
+++ b/rust/kernel/lib.rs
@@ -58,6 +58,7 @@
pub mod cpufreq;
pub mod cpumask;
pub mod cred;
+pub mod crypto;
pub mod debugfs;
pub mod device;
pub mod device_id;
--
2.54.0
^ permalink raw reply related [flat|nested] 7+ messages in thread* [RFC PATCH 2/2] rust: crypto: add RSA public-key encryption via crypto_akcipher
2026-06-17 15:01 [RFC PATCH 0/2] rust: crypto: library AES-128 / SHA-256 / HMAC + RSA Mike Lothian
2026-06-17 15:01 ` [RFC PATCH 1/2] rust: crypto: add library AES-128 / SHA-256 / HMAC-SHA256 bindings Mike Lothian
@ 2026-06-17 15:01 ` Mike Lothian
2026-06-17 17:52 ` Eric Biggers
2026-06-17 15:13 ` [RFC PATCH 0/2] rust: crypto: library AES-128 / SHA-256 / HMAC + RSA Miguel Ojeda
2 siblings, 1 reply; 7+ messages in thread
From: Mike Lothian @ 2026-06-17 15:01 UTC (permalink / raw)
To: rust-for-linux
Cc: Mike Lothian, linux-crypto, Eric Biggers, Miguel Ojeda,
Boqun Feng, Gary Guo, Björn Roy Baron, Benno Lossin,
Andreas Hindborg, Alice Ryhl, Trevor Gross, Danilo Krummrich,
Daniel Almeida, Greg Kroah-Hartman, Yury Norov (NVIDIA),
Asahi Lina, Lorenzo Stoakes, Joel Fernandes, Alexandre Courbot,
FUJITA Tomonori, Krishna Ketan Rai, linux-kernel
Add a Rust binding for the asynchronous public-key cipher API
(crypto_akcipher), driven synchronously, and a crypto::rsa_pubkey_encrypt()
convenience built on it.
crypto::Akcipher wraps a tfm allocated with crypto_alloc_akcipher(): new()
selects the algorithm by name, set_pub_key() installs the key in the
algorithm's wire format, and encrypt() runs one public-key operation and
blocks until it completes. crypto::rsa_pubkey_encrypt() DER-encodes the
RSAPublicKey { modulus, publicExponent } that the "rsa" transform's
set_pub_key expects and computes out = (input ^ e) mod n; the caller
applies any padding (PKCS#1 v1.5, EME-OAEP, ...) to the input first, and
out is zeroed on any error so it never retains data from a partial
computation.
The request object, scatterlists and the completion wait are static-inline
or on-stack state that cannot be expressed from Rust, and the akcipher
data path needs DMA-capable (kmalloc, not vmap-stack) buffers, so the
canonical synchronous encrypt sequence and a kmalloc bounce live in a
single rust_helper_ shim; crypto_free_akcipher() and
crypto_akcipher_set_pub_key() are exposed through 1:1 shims as they too
are static inlines.
This goes through the crypto_akcipher subsystem rather than the raw MPI
math library, so it composes with any registered akcipher implementation
(including hardware offload) and does not open-code modular exponentiation.
Signed-off-by: Mike Lothian <mike@fireburn.co.uk>
Assisted-by: Claude:claude-opus-4-8 [Claude-Code]
---
rust/bindings/bindings_helper.h | 1 +
rust/helpers/crypto.c | 70 +++++++++++++
rust/kernel/crypto.rs | 180 +++++++++++++++++++++++++++++++-
3 files changed, 250 insertions(+), 1 deletion(-)
diff --git a/rust/bindings/bindings_helper.h b/rust/bindings/bindings_helper.h
index 14671e1825bb..e6add9754acd 100644
--- a/rust/bindings/bindings_helper.h
+++ b/rust/bindings/bindings_helper.h
@@ -28,6 +28,7 @@
*/
#include <linux/hrtimer_types.h>
+#include <crypto/akcipher.h>
#include <crypto/sha2.h>
#include <linux/acpi.h>
diff --git a/rust/helpers/crypto.c b/rust/helpers/crypto.c
index dc9614f6fc8e..6681e9155c84 100644
--- a/rust/helpers/crypto.c
+++ b/rust/helpers/crypto.c
@@ -1,6 +1,10 @@
// SPDX-License-Identifier: GPL-2.0
#include <crypto/aes.h>
+#include <crypto/akcipher.h>
+#include <linux/crypto.h>
+#include <linux/scatterlist.h>
+#include <linux/slab.h>
#include <linux/string.h>
/*
@@ -23,3 +27,69 @@ rust_helper_aes128_encrypt_block(const u8 *key, const u8 *in, u8 *out)
memzero_explicit(&enckey, sizeof(enckey));
return 0;
}
+
+/*
+ * crypto_free_akcipher() and crypto_akcipher_set_pub_key() are static inlines,
+ * so they are exposed to Rust through these 1:1 shims (the same convention as
+ * the other rust_helper_ wrappers).
+ */
+__rust_helper void
+rust_helper_crypto_free_akcipher(struct crypto_akcipher *tfm)
+{
+ crypto_free_akcipher(tfm);
+}
+
+__rust_helper int
+rust_helper_crypto_akcipher_set_pub_key(struct crypto_akcipher *tfm,
+ const void *key, unsigned int keylen)
+{
+ return crypto_akcipher_set_pub_key(tfm, key, keylen);
+}
+
+/*
+ * One-shot synchronous public-key encrypt over the akcipher API: encrypts
+ * @src_len bytes at @src into @dst (capacity @dst_len) and returns the
+ * ciphertext length or -errno.
+ *
+ * The request object, the scatterlists and the completion wait are all
+ * static-inline or on-stack state that cannot be expressed from Rust, so the
+ * canonical synchronous akcipher sequence lives here. The akcipher data path
+ * also needs DMA-capable (kmalloc, not vmap-stack) buffers, so @src/@dst are
+ * bounced through kmalloc'd copies; @dst is overwritten only on success and
+ * the bounce buffers are wiped on free.
+ */
+__rust_helper int
+rust_helper_akcipher_encrypt_oneshot(struct crypto_akcipher *tfm,
+ const u8 *src, unsigned int src_len,
+ u8 *dst, unsigned int dst_len)
+{
+ struct akcipher_request *req;
+ struct scatterlist src_sg, dst_sg;
+ DECLARE_CRYPTO_WAIT(wait);
+ u8 *in, *out;
+ int ret = -ENOMEM;
+
+ req = akcipher_request_alloc(tfm, GFP_KERNEL);
+ in = kmemdup(src, src_len, GFP_KERNEL);
+ out = kzalloc(dst_len, GFP_KERNEL);
+ if (!req || !in || !out)
+ goto out;
+
+ sg_init_one(&src_sg, in, src_len);
+ sg_init_one(&dst_sg, out, dst_len);
+ akcipher_request_set_crypt(req, &src_sg, &dst_sg, src_len, dst_len);
+ akcipher_request_set_callback(req, CRYPTO_TFM_REQ_MAY_BACKLOG,
+ crypto_req_done, &wait);
+
+ ret = crypto_wait_req(crypto_akcipher_encrypt(req), &wait);
+ if (ret == 0) {
+ memcpy(dst, out, dst_len);
+ ret = req->dst_len;
+ }
+out:
+ kfree_sensitive(in);
+ kfree_sensitive(out);
+ if (req)
+ akcipher_request_free(req);
+ return ret;
+}
diff --git a/rust/kernel/crypto.rs b/rust/kernel/crypto.rs
index c8f2cb994cfd..0824f6ec81df 100644
--- a/rust/kernel/crypto.rs
+++ b/rust/kernel/crypto.rs
@@ -6,10 +6,21 @@
//! SHA-256 and HMAC-SHA256 — for use from Rust. They run synchronously in the
//! calling context with no allocation; the hashes are infallible.
//!
+//! Also exposes the asynchronous public-key API ([`Akcipher`]) over
+//! `crypto_akcipher`, driven synchronously, and a convenience RSA public-key
+//! primitive built on it for callers that do their own padding (see
+//! [`rsa_pubkey_encrypt`]).
+//!
//! C headers: [`include/crypto/aes.h`](srctree/include/crypto/aes.h),
+//! [`include/crypto/akcipher.h`](srctree/include/crypto/akcipher.h),
//! [`include/crypto/sha2.h`](srctree/include/crypto/sha2.h).
-use crate::{bindings, error::to_result, prelude::*};
+use crate::{
+ bindings,
+ error::{from_err_ptr, to_result},
+ prelude::*,
+};
+use core::ptr::NonNull;
/// Size of a SHA-256 / HMAC-SHA256 digest, in bytes.
pub const SHA256_DIGEST_SIZE: usize = 32;
@@ -75,3 +86,170 @@ pub fn encrypt_block(
Ok(out)
}
}
+
+/// An asynchronous public-key cipher transform (`struct crypto_akcipher`),
+/// driven synchronously.
+///
+/// Wraps a tfm allocated with `crypto_alloc_akcipher()`; the underlying
+/// algorithm (e.g. `"rsa"`) is selected by name in [`Akcipher::new`]. After a
+/// key is installed with [`set_pub_key`](Akcipher::set_pub_key), [`encrypt`]
+/// performs one public-key operation, blocking until the request completes.
+///
+/// [`encrypt`]: Akcipher::encrypt
+///
+/// # Examples
+///
+/// ```
+/// use kernel::crypto::Akcipher;
+/// // `der` is a DER-encoded RSAPublicKey; `pt` is already padded to key size.
+/// # fn f(der: &[u8], pt: &[u8]) -> Result {
+/// let mut tfm = Akcipher::new(c"rsa")?;
+/// tfm.set_pub_key(der)?;
+/// let mut ct = [0u8; 256];
+/// let n = tfm.encrypt(pt, &mut ct)?;
+/// # let _ = n; Ok(())
+/// # }
+/// ```
+pub struct Akcipher(NonNull<bindings::crypto_akcipher>);
+
+// SAFETY: a tfm is a self-contained kernel object with no thread affinity; the
+// synchronous request path takes its own per-call state, so the handle may be
+// moved and used from any thread.
+unsafe impl Send for Akcipher {}
+
+impl Akcipher {
+ /// Allocates a transform for the named akcipher algorithm (e.g. `c"rsa"`).
+ pub fn new(alg_name: &core::ffi::CStr) -> Result<Self> {
+ // SAFETY: `alg_name` is a valid NUL-terminated C string; the call
+ // returns a valid tfm pointer or an `ERR_PTR`.
+ let tfm = from_err_ptr(unsafe {
+ bindings::crypto_alloc_akcipher(alg_name.as_ptr().cast(), 0, 0)
+ })?;
+ Ok(Self(NonNull::new(tfm).ok_or(ENOMEM)?))
+ }
+
+ /// Installs the public key, encoded in the algorithm's expected wire format
+ /// (for `"rsa"`, a DER-encoded `RSAPublicKey`).
+ pub fn set_pub_key(&mut self, key: &[u8]) -> Result {
+ // SAFETY: `self.0` is a live tfm; `key` is valid for `key.len()` reads.
+ to_result(unsafe {
+ bindings::crypto_akcipher_set_pub_key(
+ self.0.as_ptr(),
+ key.as_ptr().cast(),
+ key.len() as u32,
+ )
+ })
+ }
+
+ /// Encrypts `src` into `dst`, returning the ciphertext length. Blocks until
+ /// the operation completes. `dst` must be at least the algorithm's maximum
+ /// output size (the key/modulus size for RSA).
+ pub fn encrypt(&self, src: &[u8], dst: &mut [u8]) -> Result<usize> {
+ // SAFETY: `self.0` is a live tfm; `src`/`dst` are valid for their
+ // lengths. The helper bounces them through kmalloc'd buffers, runs one
+ // synchronous akcipher encrypt, and returns the length or a negative
+ // errno.
+ let ret = unsafe {
+ bindings::akcipher_encrypt_oneshot(
+ self.0.as_ptr(),
+ src.as_ptr(),
+ src.len() as u32,
+ dst.as_mut_ptr(),
+ dst.len() as u32,
+ )
+ };
+ to_result(ret)?;
+ Ok(ret as usize)
+ }
+}
+
+impl Drop for Akcipher {
+ fn drop(&mut self) {
+ // SAFETY: `self.0` was allocated by `crypto_alloc_akcipher()` and is
+ // freed exactly once here.
+ unsafe { bindings::crypto_free_akcipher(self.0.as_ptr()) };
+ }
+}
+
+/// Appends a DER definite length to `out`.
+fn der_len(out: &mut KVec<u8>, len: usize) -> Result {
+ if len < 0x80 {
+ out.push(len as u8, GFP_KERNEL)?;
+ return Ok(());
+ }
+ let mut bytes = [0u8; core::mem::size_of::<usize>()];
+ let mut n = 0;
+ let mut rest = len;
+ while rest > 0 {
+ bytes[n] = rest as u8;
+ rest >>= 8;
+ n += 1;
+ }
+ out.push(0x80 | n as u8, GFP_KERNEL)?;
+ for i in (0..n).rev() {
+ out.push(bytes[i], GFP_KERNEL)?;
+ }
+ Ok(())
+}
+
+/// Appends a DER `INTEGER` carrying the unsigned big-endian magnitude `bytes`.
+fn der_integer(out: &mut KVec<u8>, bytes: &[u8]) -> Result {
+ // Canonicalise: drop leading zero octets, keeping at least one.
+ let mut mag = bytes;
+ while mag.len() > 1 && mag[0] == 0 {
+ mag = &mag[1..];
+ }
+ // A leading zero is needed to keep the value positive if the top bit is set
+ // (or to represent zero when the magnitude is empty).
+ let pad = mag.is_empty() || mag[0] & 0x80 != 0;
+ out.push(0x02, GFP_KERNEL)?;
+ der_len(out, mag.len() + pad as usize)?;
+ if pad {
+ out.push(0x00, GFP_KERNEL)?;
+ }
+ out.extend_from_slice(mag, GFP_KERNEL)?;
+ Ok(())
+}
+
+/// DER-encodes `RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent
+/// INTEGER }` from big-endian `modulus`/`exponent`, as `rsa`'s `set_pub_key`
+/// expects.
+fn der_rsa_pubkey(modulus: &[u8], exponent: &[u8]) -> Result<KVec<u8>> {
+ let mut body = KVec::new();
+ der_integer(&mut body, modulus)?;
+ der_integer(&mut body, exponent)?;
+ let mut der = KVec::new();
+ der.push(0x30, GFP_KERNEL)?;
+ der_len(&mut der, body.len())?;
+ der.extend_from_slice(&body, GFP_KERNEL)?;
+ Ok(der)
+}
+
+/// Computes the RSA public-key operation `out = (input ^ exponent) mod modulus`
+/// through the `crypto_akcipher` `"rsa"` transform.
+///
+/// All buffers are unsigned big-endian. `out` is written fixed-width to exactly
+/// `out.len()` bytes (left zero-padded by the cipher); pass `out.len()` equal to
+/// the modulus size (e.g. 128 for RSA-1024). This is the bare primitive: the
+/// caller applies any padding (PKCS#1 v1.5, EME-OAEP, …) to `input` first.
+///
+/// `input` interpreted as an integer must be less than `modulus`, as RSA
+/// requires; otherwise an error is returned. On any error `out` is zeroed, so
+/// it never retains data from a partial computation.
+pub fn rsa_pubkey_encrypt(
+ modulus: &[u8],
+ exponent: &[u8],
+ input: &[u8],
+ out: &mut [u8],
+) -> Result {
+ let der = der_rsa_pubkey(modulus, exponent)?;
+ let mut tfm = Akcipher::new(c"rsa")?;
+ tfm.set_pub_key(&der)?;
+ match tfm.encrypt(input, out) {
+ Ok(_) => Ok(()),
+ Err(e) => {
+ out.fill(0);
+ Err(e)
+ }
+ }
+}
--
2.54.0
^ permalink raw reply related [flat|nested] 7+ messages in thread