* [PATCH 087/106] crypto: convert exported crypto symbol into pluggable interface for CONFIG_CRYPTO_USER_API_RNG crypto
From: Jay Wang @ 2026-02-12 2:47 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212024725.11264-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_CRYPTO_USER_API_RNG-related crypto to convert them into pluggable
interface.
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
crypto/Makefile | 2 +-
crypto/algif_rng.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/crypto/Makefile b/crypto/Makefile
index 13d0ee856885..9d96e67cdfdf 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -175,7 +175,7 @@ crypto-objs-$(CONFIG_CRYPTO_GHASH) += ghash-generic.o
crypto-objs-$(CONFIG_CRYPTO_USER_API) += af_alg.o
crypto-objs-$(CONFIG_CRYPTO_USER_API_HASH) += algif_hash.o
crypto-objs-$(CONFIG_CRYPTO_USER_API_SKCIPHER) += algif_skcipher.o
-obj-$(CONFIG_CRYPTO_USER_API_RNG) += algif_rng.o
+crypto-objs-$(CONFIG_CRYPTO_USER_API_RNG) += algif_rng.o
obj-$(CONFIG_CRYPTO_USER_API_AEAD) += algif_aead.o
obj-$(CONFIG_CRYPTO_ZSTD) += zstd.o
crypto-objs-$(CONFIG_CRYPTO_ECC) += ecc.o
diff --git a/crypto/algif_rng.c b/crypto/algif_rng.c
index 1a86e40c8372..1604b164d973 100644
--- a/crypto/algif_rng.c
+++ b/crypto/algif_rng.c
@@ -335,5 +335,5 @@ static void __exit rng_exit(void)
BUG_ON(err);
}
-module_init(rng_init);
-module_exit(rng_exit);
+crypto_module_init(rng_init);
+crypto_module_exit(rng_exit);
--
2.47.3
^ permalink raw reply related
* [PATCH 088/106] crypto: convert exported crypto symbol into pluggable interface for CONFIG_CRYPTO_USER_API_AEAD crypto
From: Jay Wang @ 2026-02-12 2:47 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212024725.11264-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_CRYPTO_USER_API_AEAD-related crypto to convert them into pluggable
interface.
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
crypto/Makefile | 2 +-
crypto/algif_aead.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/crypto/Makefile b/crypto/Makefile
index 9d96e67cdfdf..3f4cd954ef06 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -176,7 +176,7 @@ crypto-objs-$(CONFIG_CRYPTO_USER_API) += af_alg.o
crypto-objs-$(CONFIG_CRYPTO_USER_API_HASH) += algif_hash.o
crypto-objs-$(CONFIG_CRYPTO_USER_API_SKCIPHER) += algif_skcipher.o
crypto-objs-$(CONFIG_CRYPTO_USER_API_RNG) += algif_rng.o
-obj-$(CONFIG_CRYPTO_USER_API_AEAD) += algif_aead.o
+crypto-objs-$(CONFIG_CRYPTO_USER_API_AEAD) += algif_aead.o
obj-$(CONFIG_CRYPTO_ZSTD) += zstd.o
crypto-objs-$(CONFIG_CRYPTO_ECC) += ecc.o
obj-$(CONFIG_CRYPTO_ESSIV) += essiv.o
diff --git a/crypto/algif_aead.c b/crypto/algif_aead.c
index 79b016a899a1..59df4eabd2f5 100644
--- a/crypto/algif_aead.c
+++ b/crypto/algif_aead.c
@@ -521,8 +521,8 @@ static void __exit algif_aead_exit(void)
BUG_ON(err);
}
-module_init(algif_aead_init);
-module_exit(algif_aead_exit);
+crypto_module_init(algif_aead_init);
+crypto_module_exit(algif_aead_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
MODULE_DESCRIPTION("AEAD kernel crypto API user space interface");
--
2.47.3
^ permalink raw reply related
* [PATCH 089/106] crypto: convert exported crypto symbol into pluggable interface for CONFIG_CRYPTO_ZSTD crypto
From: Jay Wang @ 2026-02-12 2:47 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212024725.11264-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_CRYPTO_ZSTD-related crypto to convert them into pluggable
interface.
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
crypto/Makefile | 2 +-
crypto/zstd.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/crypto/Makefile b/crypto/Makefile
index 3f4cd954ef06..c4516e1943a7 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -177,7 +177,7 @@ crypto-objs-$(CONFIG_CRYPTO_USER_API_HASH) += algif_hash.o
crypto-objs-$(CONFIG_CRYPTO_USER_API_SKCIPHER) += algif_skcipher.o
crypto-objs-$(CONFIG_CRYPTO_USER_API_RNG) += algif_rng.o
crypto-objs-$(CONFIG_CRYPTO_USER_API_AEAD) += algif_aead.o
-obj-$(CONFIG_CRYPTO_ZSTD) += zstd.o
+crypto-objs-$(CONFIG_CRYPTO_ZSTD) += zstd.o
crypto-objs-$(CONFIG_CRYPTO_ECC) += ecc.o
obj-$(CONFIG_CRYPTO_ESSIV) += essiv.o
diff --git a/crypto/zstd.c b/crypto/zstd.c
index cbbd0413751a..3b9fe204c68c 100644
--- a/crypto/zstd.c
+++ b/crypto/zstd.c
@@ -307,8 +307,8 @@ static void __exit zstd_mod_fini(void)
crypto_acomp_free_streams(&zstd_streams);
}
-module_init(zstd_mod_init);
-module_exit(zstd_mod_fini);
+crypto_module_init(zstd_mod_init);
+crypto_module_exit(zstd_mod_fini);
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Zstd Compression Algorithm");
--
2.47.3
^ permalink raw reply related
* [PATCH 090/106] crypto: convert exported crypto symbol into pluggable interface for CONFIG_CRYPTO_ESSIV crypto
From: Jay Wang @ 2026-02-12 2:47 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212024725.11264-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_CRYPTO_ESSIV-related crypto to convert them into pluggable
interface.
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
crypto/Makefile | 2 +-
crypto/essiv.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/crypto/Makefile b/crypto/Makefile
index c4516e1943a7..3247d53c1fc6 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -179,7 +179,7 @@ crypto-objs-$(CONFIG_CRYPTO_USER_API_RNG) += algif_rng.o
crypto-objs-$(CONFIG_CRYPTO_USER_API_AEAD) += algif_aead.o
crypto-objs-$(CONFIG_CRYPTO_ZSTD) += zstd.o
crypto-objs-$(CONFIG_CRYPTO_ECC) += ecc.o
-obj-$(CONFIG_CRYPTO_ESSIV) += essiv.o
+crypto-objs-$(CONFIG_CRYPTO_ESSIV) += essiv.o
ecdh_generic-y += ecdh.o
ecdh_generic-y += ecdh_helper.o
diff --git a/crypto/essiv.c b/crypto/essiv.c
index a47a3eab6935..859486b9b063 100644
--- a/crypto/essiv.c
+++ b/crypto/essiv.c
@@ -639,8 +639,8 @@ static void __exit essiv_module_exit(void)
crypto_unregister_template(&essiv_tmpl);
}
-module_init(essiv_module_init);
-module_exit(essiv_module_exit);
+crypto_module_init(essiv_module_init);
+crypto_module_exit(essiv_module_exit);
MODULE_DESCRIPTION("ESSIV skcipher/aead wrapper for block encryption");
MODULE_LICENSE("GPL v2");
--
2.47.3
^ permalink raw reply related
* [PATCH 091/106] crypto: convert exported crypto symbol into pluggable interface for CONFIG_CRYPTO_ECDH crypto
From: Jay Wang @ 2026-02-12 2:47 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212024725.11264-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_CRYPTO_ECDH-related crypto to convert them into pluggable
interface.
This patch is partially based on work by Vegard Nossum, with
modifications. Unlike the original, we do not include
DEFINE_CRYPTO_API since only one copy of the crypto symbols is
kept, either in the crypto module or in the main kernel, and we ensure
such wrapper do not have impact on crypto already chosen built as
module.
Co-developed-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
crypto/Makefile | 2 +-
crypto/ecdh.c | 4 ++--
crypto/fips140/fips140-api.c | 12 ++++++++++++
include/crypto/ecdh.h | 14 +++++++++++---
4 files changed, 26 insertions(+), 6 deletions(-)
diff --git a/crypto/Makefile b/crypto/Makefile
index 3247d53c1fc6..cdc74dcea2f1 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -183,7 +183,7 @@ crypto-objs-$(CONFIG_CRYPTO_ESSIV) += essiv.o
ecdh_generic-y += ecdh.o
ecdh_generic-y += ecdh_helper.o
-obj-$(CONFIG_CRYPTO_ECDH) += ecdh_generic.o
+crypto-objs-$(CONFIG_CRYPTO_ECDH) += ecdh_generic.o
$(obj)/ecrdsa_params.asn1.o: $(obj)/ecrdsa_params.asn1.c $(obj)/ecrdsa_params.asn1.h
$(obj)/ecrdsa_pub_key.asn1.o: $(obj)/ecrdsa_pub_key.asn1.c $(obj)/ecrdsa_pub_key.asn1.h
diff --git a/crypto/ecdh.c b/crypto/ecdh.c
index 9f0b93b3166d..32c98cebfda6 100644
--- a/crypto/ecdh.c
+++ b/crypto/ecdh.c
@@ -240,8 +240,8 @@ static void __exit ecdh_exit(void)
crypto_unregister_kpp(&ecdh_nist_p384);
}
-module_init(ecdh_init);
-module_exit(ecdh_exit);
+crypto_module_init(ecdh_init);
+crypto_module_exit(ecdh_exit);
MODULE_ALIAS_CRYPTO("ecdh");
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("ECDH generic algorithm");
diff --git a/crypto/fips140/fips140-api.c b/crypto/fips140/fips140-api.c
index 70b57939c753..298ab496a395 100644
--- a/crypto/fips140/fips140-api.c
+++ b/crypto/fips140/fips140-api.c
@@ -785,3 +785,15 @@ DEFINE_CRYPTO_API_STUB(aria_decrypt);
DEFINE_CRYPTO_API_STUB(crypto_krb5enc_extractkeys);
#endif
+/*
+ * crypto/ecdh_helper.c
+ */
+#if IS_BUILTIN(CONFIG_CRYPTO_ECDH)
+
+#include <crypto/ecdh.h>
+
+DEFINE_CRYPTO_API_STUB(crypto_ecdh_key_len);
+DEFINE_CRYPTO_API_STUB(crypto_ecdh_encode_key);
+DEFINE_CRYPTO_API_STUB(crypto_ecdh_decode_key);
+
+#endif
\ No newline at end of file
diff --git a/include/crypto/ecdh.h b/include/crypto/ecdh.h
index 9784ecdd2fb4..03d54f531ca2 100644
--- a/include/crypto/ecdh.h
+++ b/include/crypto/ecdh.h
@@ -8,6 +8,8 @@
#ifndef _CRYPTO_ECDH_
#define _CRYPTO_ECDH_
+#include <crypto/api.h>
+
/**
* DOC: ECDH Helper Functions
*
@@ -49,7 +51,9 @@ struct ecdh {
*
* Return: size of the key in bytes
*/
-unsigned int crypto_ecdh_key_len(const struct ecdh *params);
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_ECDH, crypto_ecdh_key_len, unsigned int,
+ (const struct ecdh *params),
+ (params));
/**
* crypto_ecdh_encode_key() - encode the private key
@@ -64,7 +68,9 @@ unsigned int crypto_ecdh_key_len(const struct ecdh *params);
*
* Return: -EINVAL if buffer has insufficient size, 0 on success
*/
-int crypto_ecdh_encode_key(char *buf, unsigned int len, const struct ecdh *p);
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_ECDH, crypto_ecdh_encode_key, int,
+ (char *buf, unsigned int len, const struct ecdh *p),
+ (buf, len, p));
/**
* crypto_ecdh_decode_key() - decode a private key
@@ -78,6 +84,8 @@ int crypto_ecdh_encode_key(char *buf, unsigned int len, const struct ecdh *p);
*
* Return: -EINVAL if buffer has insufficient size, 0 on success
*/
-int crypto_ecdh_decode_key(const char *buf, unsigned int len, struct ecdh *p);
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_ECDH, crypto_ecdh_decode_key, int,
+ (const char *buf, unsigned int len, struct ecdh *p),
+ (buf, len, p));
#endif
--
2.47.3
^ permalink raw reply related
* [PATCH 092/106] crypto: convert exported crypto symbol into pluggable interface for CONFIG_CRYPTO_ECRDSA crypto
From: Jay Wang @ 2026-02-12 2:47 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212024725.11264-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_CRYPTO_ECRDSA-related crypto to convert them into pluggable
interface.
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
crypto/Makefile | 2 +-
crypto/ecrdsa.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/crypto/Makefile b/crypto/Makefile
index cdc74dcea2f1..dc70a464fc1a 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -191,7 +191,7 @@ $(obj)/ecrdsa.o: $(obj)/ecrdsa_params.asn1.h $(obj)/ecrdsa_pub_key.asn1.h
ecrdsa_generic-y += ecrdsa.o
ecrdsa_generic-y += ecrdsa_params.asn1.o
ecrdsa_generic-y += ecrdsa_pub_key.asn1.o
-obj-$(CONFIG_CRYPTO_ECRDSA) += ecrdsa_generic.o
+crypto-objs-$(CONFIG_CRYPTO_ECRDSA) += ecrdsa_generic.o
#
# generic algorithms and the async_tx api
diff --git a/crypto/ecrdsa.c b/crypto/ecrdsa.c
index 2c0602f0cd40..b9cd02a7e515 100644
--- a/crypto/ecrdsa.c
+++ b/crypto/ecrdsa.c
@@ -288,8 +288,8 @@ static void __exit ecrdsa_mod_fini(void)
crypto_unregister_sig(&ecrdsa_alg);
}
-module_init(ecrdsa_mod_init);
-module_exit(ecrdsa_mod_fini);
+crypto_module_init(ecrdsa_mod_init);
+crypto_module_exit(ecrdsa_mod_fini);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Vitaly Chikunov <vt@altlinux.org>");
--
2.47.3
^ permalink raw reply related
* [PATCH 093/106] crypto: convert exported crypto symbol into pluggable interface for CONFIG_XOR_BLOCKS crypto
From: Jay Wang @ 2026-02-12 2:47 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212024725.11264-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_XOR_BLOCKS-related crypto to convert them into pluggable
interface.
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
crypto/Makefile | 2 +-
crypto/fips140/fips140-api.c | 10 ++++++++++
crypto/xor.c | 4 ++--
include/linux/raid/xor.h | 7 +++++--
4 files changed, 18 insertions(+), 5 deletions(-)
diff --git a/crypto/Makefile b/crypto/Makefile
index dc70a464fc1a..29e674c1f2ad 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -196,7 +196,7 @@ crypto-objs-$(CONFIG_CRYPTO_ECRDSA) += ecrdsa_generic.o
#
# generic algorithms and the async_tx api
#
-obj-$(CONFIG_XOR_BLOCKS) += xor.o
+crypto-objs-$(CONFIG_XOR_BLOCKS) += xor.o
obj-$(CONFIG_ASYNC_CORE) += async_tx/
obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys/
crypto_simd-y := simd.o
diff --git a/crypto/fips140/fips140-api.c b/crypto/fips140/fips140-api.c
index 298ab496a395..5bcfc1a3cc7e 100644
--- a/crypto/fips140/fips140-api.c
+++ b/crypto/fips140/fips140-api.c
@@ -784,6 +784,16 @@ DEFINE_CRYPTO_API_STUB(aria_decrypt);
DEFINE_CRYPTO_API_STUB(crypto_krb5enc_extractkeys);
+#endif
+/*
+ * crypto/xor.c
+ */
+#if IS_BUILTIN(CONFIG_XOR_BLOCKS)
+
+#include <linux/raid/xor.h>
+
+DEFINE_CRYPTO_API_STUB(xor_blocks);
+
#endif
/*
* crypto/ecdh_helper.c
diff --git a/crypto/xor.c b/crypto/xor.c
index f39621a57bb3..a6b4e3b88f67 100644
--- a/crypto/xor.c
+++ b/crypto/xor.c
@@ -170,5 +170,5 @@ MODULE_LICENSE("GPL");
core_initcall(register_xor_blocks);
#endif
-module_init(calibrate_xor_blocks);
-module_exit(xor_exit);
+crypto_module_init(calibrate_xor_blocks);
+crypto_module_exit(xor_exit);
diff --git a/include/linux/raid/xor.h b/include/linux/raid/xor.h
index 51b811b62322..df8797d00b78 100644
--- a/include/linux/raid/xor.h
+++ b/include/linux/raid/xor.h
@@ -2,10 +2,13 @@
#ifndef _XOR_H
#define _XOR_H
+#include <crypto/api.h>
+
#define MAX_XOR_BLOCKS 4
-extern void xor_blocks(unsigned int count, unsigned int bytes,
- void *dest, void **srcs);
+DECLARE_CRYPTO_API(CONFIG_XOR_BLOCKS, xor_blocks, void,
+ (unsigned int count, unsigned int bytes, void *dest, void **srcs),
+ (count, bytes, dest, srcs));
struct xor_block_template {
struct xor_block_template *next;
--
2.47.3
^ permalink raw reply related
* [PATCH 094/106] crypto: convert exported crypto symbol into pluggable interface for CONFIG_ASYNC_CORE crypto
From: Jay Wang @ 2026-02-12 2:47 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212024725.11264-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_ASYNC_CORE-related crypto to convert them into pluggable
interface.
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
crypto/async_tx/Makefile | 2 +-
crypto/async_tx/async_tx.c | 4 ++--
crypto/fips140/fips140-api.c | 15 +++++++++++++++
include/linux/async_tx.h | 21 ++++++++++++++-------
4 files changed, 32 insertions(+), 10 deletions(-)
diff --git a/crypto/async_tx/Makefile b/crypto/async_tx/Makefile
index 056e48245373..2cfa2dc1947d 100644
--- a/crypto/async_tx/Makefile
+++ b/crypto/async_tx/Makefile
@@ -1,5 +1,5 @@
# SPDX-License-Identifier: GPL-2.0
-obj-$(CONFIG_ASYNC_CORE) += async_tx.o
+crypto-objs-$(CONFIG_ASYNC_CORE) += async_tx.o
obj-$(CONFIG_ASYNC_MEMCPY) += async_memcpy.o
obj-$(CONFIG_ASYNC_XOR) += async_xor.o
obj-$(CONFIG_ASYNC_PQ) += async_pq.o
diff --git a/crypto/async_tx/async_tx.c b/crypto/async_tx/async_tx.c
index ad72057a5e0d..4df0363f4764 100644
--- a/crypto/async_tx/async_tx.c
+++ b/crypto/async_tx/async_tx.c
@@ -30,8 +30,8 @@ static void __exit async_tx_exit(void)
async_dmaengine_put();
}
-module_init(async_tx_init);
-module_exit(async_tx_exit);
+crypto_module_init(async_tx_init);
+crypto_module_exit(async_tx_exit);
/**
* __async_tx_find_channel - find a channel to carry out the operation or let
diff --git a/crypto/fips140/fips140-api.c b/crypto/fips140/fips140-api.c
index 5bcfc1a3cc7e..ff58e8946821 100644
--- a/crypto/fips140/fips140-api.c
+++ b/crypto/fips140/fips140-api.c
@@ -794,6 +794,21 @@ DEFINE_CRYPTO_API_STUB(crypto_krb5enc_extractkeys);
DEFINE_CRYPTO_API_STUB(xor_blocks);
+#endif
+/*
+ * crypto/async_tx/async_tx.c
+ */
+#if IS_BUILTIN(CONFIG_ASYNC_CORE)
+
+#include <linux/async_tx.h>
+
+#ifdef CONFIG_DMA_ENGINE
+DEFINE_CRYPTO_API_STUB(__async_tx_find_channel);
+#endif
+DEFINE_CRYPTO_API_STUB(async_tx_submit);
+DEFINE_CRYPTO_API_STUB(async_trigger_callback);
+DEFINE_CRYPTO_API_STUB(async_tx_quiesce);
+
#endif
/*
* crypto/ecdh_helper.c
diff --git a/include/linux/async_tx.h b/include/linux/async_tx.h
index 1ca9f9e05f4f..25dfd3750859 100644
--- a/include/linux/async_tx.h
+++ b/include/linux/async_tx.h
@@ -4,6 +4,8 @@
*/
#ifndef _ASYNC_TX_H_
#define _ASYNC_TX_H_
+
+#include <crypto/api.h>
#include <linux/dmaengine.h>
#include <linux/spinlock.h>
#include <linux/interrupt.h>
@@ -99,9 +101,9 @@ static inline void async_tx_issue_pending(struct dma_async_tx_descriptor *tx)
#else
#define async_tx_find_channel(dep, type, dst, dst_count, src, src_count, len) \
__async_tx_find_channel(dep, type)
-struct dma_chan *
-__async_tx_find_channel(struct async_submit_ctl *submit,
- enum dma_transaction_type tx_type);
+DECLARE_CRYPTO_API(CONFIG_ASYNC_CORE, __async_tx_find_channel, struct dma_chan *,
+ (struct async_submit_ctl *submit, enum dma_transaction_type tx_type),
+ (submit, tx_type));
#endif /* CONFIG_ARCH_HAS_ASYNC_TX_FIND_CHANNEL */
#else
static inline void async_tx_issue_pending_all(void)
@@ -155,8 +157,9 @@ init_async_submit(struct async_submit_ctl *args, enum async_tx_flags flags,
args->scribble = scribble;
}
-void async_tx_submit(struct dma_chan *chan, struct dma_async_tx_descriptor *tx,
- struct async_submit_ctl *submit);
+DECLARE_CRYPTO_API(CONFIG_ASYNC_CORE, async_tx_submit, void,
+ (struct dma_chan *chan, struct dma_async_tx_descriptor *tx, struct async_submit_ctl *submit),
+ (chan, tx, submit));
struct dma_async_tx_descriptor *
async_xor(struct page *dest, struct page **src_list, unsigned int offset,
@@ -178,7 +181,9 @@ async_memcpy(struct page *dest, struct page *src, unsigned int dest_offset,
unsigned int src_offset, size_t len,
struct async_submit_ctl *submit);
-struct dma_async_tx_descriptor *async_trigger_callback(struct async_submit_ctl *submit);
+DECLARE_CRYPTO_API(CONFIG_ASYNC_CORE, async_trigger_callback, struct dma_async_tx_descriptor *,
+ (struct async_submit_ctl *submit),
+ (submit));
struct dma_async_tx_descriptor *
async_gen_syndrome(struct page **blocks, unsigned int *offsets, int src_cnt,
@@ -199,5 +204,7 @@ async_raid6_datap_recov(int src_num, size_t bytes, int faila,
struct page **ptrs, unsigned int *offs,
struct async_submit_ctl *submit);
-void async_tx_quiesce(struct dma_async_tx_descriptor **tx);
+DECLARE_CRYPTO_API(CONFIG_ASYNC_CORE, async_tx_quiesce, void,
+ (struct dma_async_tx_descriptor **tx),
+ (tx));
#endif /* _ASYNC_TX_H_ */
--
2.47.3
^ permalink raw reply related
* [PATCH 095/106] crypto: convert exported crypto symbol into pluggable interface for CONFIG_ASYNC_MEMCPY crypto
From: Jay Wang @ 2026-02-12 2:47 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212024725.11264-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_ASYNC_MEMCPY-related crypto to convert them into pluggable
interface.
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
crypto/async_tx/Makefile | 2 +-
crypto/fips140/fips140-api.c | 10 ++++++++++
include/linux/async_tx.h | 7 +++----
3 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/crypto/async_tx/Makefile b/crypto/async_tx/Makefile
index 2cfa2dc1947d..9de69630d930 100644
--- a/crypto/async_tx/Makefile
+++ b/crypto/async_tx/Makefile
@@ -1,6 +1,6 @@
# SPDX-License-Identifier: GPL-2.0
crypto-objs-$(CONFIG_ASYNC_CORE) += async_tx.o
-obj-$(CONFIG_ASYNC_MEMCPY) += async_memcpy.o
+crypto-objs-$(CONFIG_ASYNC_MEMCPY) += async_memcpy.o
obj-$(CONFIG_ASYNC_XOR) += async_xor.o
obj-$(CONFIG_ASYNC_PQ) += async_pq.o
obj-$(CONFIG_ASYNC_RAID6_RECOV) += async_raid6_recov.o
diff --git a/crypto/fips140/fips140-api.c b/crypto/fips140/fips140-api.c
index ff58e8946821..6644fce6555a 100644
--- a/crypto/fips140/fips140-api.c
+++ b/crypto/fips140/fips140-api.c
@@ -809,6 +809,16 @@ DEFINE_CRYPTO_API_STUB(async_tx_submit);
DEFINE_CRYPTO_API_STUB(async_trigger_callback);
DEFINE_CRYPTO_API_STUB(async_tx_quiesce);
+#endif
+/*
+ * crypto/async_tx/async_memcpy.c
+ */
+#if IS_BUILTIN(CONFIG_ASYNC_MEMCPY)
+
+#include <linux/async_tx.h>
+
+DEFINE_CRYPTO_API_STUB(async_memcpy);
+
#endif
/*
* crypto/ecdh_helper.c
diff --git a/include/linux/async_tx.h b/include/linux/async_tx.h
index 25dfd3750859..194228a8d1c4 100644
--- a/include/linux/async_tx.h
+++ b/include/linux/async_tx.h
@@ -176,10 +176,9 @@ async_xor_val_offs(struct page *dest, unsigned int offset,
int src_cnt, size_t len, enum sum_check_flags *result,
struct async_submit_ctl *submit);
-struct dma_async_tx_descriptor *
-async_memcpy(struct page *dest, struct page *src, unsigned int dest_offset,
- unsigned int src_offset, size_t len,
- struct async_submit_ctl *submit);
+DECLARE_CRYPTO_API(CONFIG_ASYNC_MEMCPY, async_memcpy, struct dma_async_tx_descriptor *,
+ (struct page *dest, struct page *src, unsigned int dest_offset, unsigned int src_offset, size_t len, struct async_submit_ctl *submit),
+ (dest, src, dest_offset, src_offset, len, submit));
DECLARE_CRYPTO_API(CONFIG_ASYNC_CORE, async_trigger_callback, struct dma_async_tx_descriptor *,
(struct async_submit_ctl *submit),
--
2.47.3
^ permalink raw reply related
* [PATCH 096/106] crypto: convert exported crypto symbol into pluggable interface for CONFIG_ASYNC_XOR crypto
From: Jay Wang @ 2026-02-12 2:47 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212024725.11264-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_ASYNC_XOR-related crypto to convert them into pluggable
interface.
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
crypto/async_tx/Makefile | 2 +-
crypto/fips140/fips140-api.c | 12 ++++++++++++
include/linux/async_tx.h | 21 +++++++++------------
3 files changed, 22 insertions(+), 13 deletions(-)
diff --git a/crypto/async_tx/Makefile b/crypto/async_tx/Makefile
index 9de69630d930..3ceb7c8d7598 100644
--- a/crypto/async_tx/Makefile
+++ b/crypto/async_tx/Makefile
@@ -1,7 +1,7 @@
# SPDX-License-Identifier: GPL-2.0
crypto-objs-$(CONFIG_ASYNC_CORE) += async_tx.o
crypto-objs-$(CONFIG_ASYNC_MEMCPY) += async_memcpy.o
-obj-$(CONFIG_ASYNC_XOR) += async_xor.o
+crypto-objs-$(CONFIG_ASYNC_XOR) += async_xor.o
obj-$(CONFIG_ASYNC_PQ) += async_pq.o
obj-$(CONFIG_ASYNC_RAID6_RECOV) += async_raid6_recov.o
obj-$(CONFIG_ASYNC_RAID6_TEST) += raid6test.o
diff --git a/crypto/fips140/fips140-api.c b/crypto/fips140/fips140-api.c
index 6644fce6555a..67e7b03e4dc4 100644
--- a/crypto/fips140/fips140-api.c
+++ b/crypto/fips140/fips140-api.c
@@ -819,6 +819,18 @@ DEFINE_CRYPTO_API_STUB(async_tx_quiesce);
DEFINE_CRYPTO_API_STUB(async_memcpy);
+#endif
+/*
+ * crypto/async_tx/async_xor.c
+ */
+#if IS_BUILTIN(CONFIG_ASYNC_XOR)
+
+#include <linux/async_tx.h>
+
+DEFINE_CRYPTO_API_STUB(async_xor);
+DEFINE_CRYPTO_API_STUB(async_xor_offs);
+DEFINE_CRYPTO_API_STUB(async_xor_val_offs);
+
#endif
/*
* crypto/ecdh_helper.c
diff --git a/include/linux/async_tx.h b/include/linux/async_tx.h
index 194228a8d1c4..36bcc93c6944 100644
--- a/include/linux/async_tx.h
+++ b/include/linux/async_tx.h
@@ -161,20 +161,17 @@ DECLARE_CRYPTO_API(CONFIG_ASYNC_CORE, async_tx_submit, void,
(struct dma_chan *chan, struct dma_async_tx_descriptor *tx, struct async_submit_ctl *submit),
(chan, tx, submit));
-struct dma_async_tx_descriptor *
-async_xor(struct page *dest, struct page **src_list, unsigned int offset,
- int src_cnt, size_t len, struct async_submit_ctl *submit);
+DECLARE_CRYPTO_API(CONFIG_ASYNC_XOR, async_xor, struct dma_async_tx_descriptor *,
+ (struct page *dest, struct page **src_list, unsigned int offset, int src_cnt, size_t len, struct async_submit_ctl *submit),
+ (dest, src_list, offset, src_cnt, len, submit));
-struct dma_async_tx_descriptor *
-async_xor_offs(struct page *dest, unsigned int offset,
- struct page **src_list, unsigned int *src_offset,
- int src_cnt, size_t len, struct async_submit_ctl *submit);
+DECLARE_CRYPTO_API(CONFIG_ASYNC_XOR, async_xor_offs, struct dma_async_tx_descriptor *,
+ (struct page *dest, unsigned int offset, struct page **src_list, unsigned int *src_offset, int src_cnt, size_t len, struct async_submit_ctl *submit),
+ (dest, offset, src_list, src_offset, src_cnt, len, submit));
-struct dma_async_tx_descriptor *
-async_xor_val_offs(struct page *dest, unsigned int offset,
- struct page **src_list, unsigned int *src_offset,
- int src_cnt, size_t len, enum sum_check_flags *result,
- struct async_submit_ctl *submit);
+DECLARE_CRYPTO_API(CONFIG_ASYNC_XOR, async_xor_val_offs, struct dma_async_tx_descriptor *,
+ (struct page *dest, unsigned int offset, struct page **src_list, unsigned int *src_offset, int src_cnt, size_t len, enum sum_check_flags *result, struct async_submit_ctl *submit),
+ (dest, offset, src_list, src_offset, src_cnt, len, result, submit));
DECLARE_CRYPTO_API(CONFIG_ASYNC_MEMCPY, async_memcpy, struct dma_async_tx_descriptor *,
(struct page *dest, struct page *src, unsigned int dest_offset, unsigned int src_offset, size_t len, struct async_submit_ctl *submit),
--
2.47.3
^ permalink raw reply related
* [PATCH 097/106] crypto: convert exported crypto symbol into pluggable interface for CONFIG_ASYNC_PQ crypto
From: Jay Wang @ 2026-02-12 2:47 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212024725.11264-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_ASYNC_PQ-related crypto to convert them into pluggable
interface.
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
crypto/async_tx/Makefile | 2 +-
crypto/async_tx/async_pq.c | 4 ++--
crypto/fips140/fips140-api.c | 11 +++++++++++
include/linux/async_tx.h | 13 ++++++-------
4 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/crypto/async_tx/Makefile b/crypto/async_tx/Makefile
index 3ceb7c8d7598..9b0277843bb3 100644
--- a/crypto/async_tx/Makefile
+++ b/crypto/async_tx/Makefile
@@ -2,6 +2,6 @@
crypto-objs-$(CONFIG_ASYNC_CORE) += async_tx.o
crypto-objs-$(CONFIG_ASYNC_MEMCPY) += async_memcpy.o
crypto-objs-$(CONFIG_ASYNC_XOR) += async_xor.o
-obj-$(CONFIG_ASYNC_PQ) += async_pq.o
+crypto-objs-$(CONFIG_ASYNC_PQ) += async_pq.o
obj-$(CONFIG_ASYNC_RAID6_RECOV) += async_raid6_recov.o
obj-$(CONFIG_ASYNC_RAID6_TEST) += raid6test.o
diff --git a/crypto/async_tx/async_pq.c b/crypto/async_tx/async_pq.c
index 9e4bb7fbde25..b80fb50fffb2 100644
--- a/crypto/async_tx/async_pq.c
+++ b/crypto/async_tx/async_pq.c
@@ -456,8 +456,8 @@ static void __exit async_pq_exit(void)
__free_page(pq_scribble_page);
}
-module_init(async_pq_init);
-module_exit(async_pq_exit);
+crypto_module_init(async_pq_init);
+crypto_module_exit(async_pq_exit);
MODULE_DESCRIPTION("asynchronous raid6 syndrome generation/validation");
MODULE_LICENSE("GPL");
diff --git a/crypto/fips140/fips140-api.c b/crypto/fips140/fips140-api.c
index 67e7b03e4dc4..6c22baf0ce10 100644
--- a/crypto/fips140/fips140-api.c
+++ b/crypto/fips140/fips140-api.c
@@ -831,6 +831,17 @@ DEFINE_CRYPTO_API_STUB(async_xor);
DEFINE_CRYPTO_API_STUB(async_xor_offs);
DEFINE_CRYPTO_API_STUB(async_xor_val_offs);
+#endif
+/*
+ * crypto/async_tx/async_pq.c
+ */
+#if IS_BUILTIN(CONFIG_ASYNC_PQ)
+
+#include <linux/async_tx.h>
+
+DEFINE_CRYPTO_API_STUB(async_gen_syndrome);
+DEFINE_CRYPTO_API_STUB(async_syndrome_val);
+
#endif
/*
* crypto/ecdh_helper.c
diff --git a/include/linux/async_tx.h b/include/linux/async_tx.h
index 36bcc93c6944..9f733d01f69e 100644
--- a/include/linux/async_tx.h
+++ b/include/linux/async_tx.h
@@ -181,14 +181,13 @@ DECLARE_CRYPTO_API(CONFIG_ASYNC_CORE, async_trigger_callback, struct dma_async_t
(struct async_submit_ctl *submit),
(submit));
-struct dma_async_tx_descriptor *
-async_gen_syndrome(struct page **blocks, unsigned int *offsets, int src_cnt,
- size_t len, struct async_submit_ctl *submit);
+DECLARE_CRYPTO_API(CONFIG_ASYNC_PQ, async_gen_syndrome, struct dma_async_tx_descriptor *,
+ (struct page **blocks, unsigned int *offsets, int src_cnt, size_t len, struct async_submit_ctl *submit),
+ (blocks, offsets, src_cnt, len, submit));
-struct dma_async_tx_descriptor *
-async_syndrome_val(struct page **blocks, unsigned int *offsets, int src_cnt,
- size_t len, enum sum_check_flags *pqres, struct page *spare,
- unsigned int s_off, struct async_submit_ctl *submit);
+DECLARE_CRYPTO_API(CONFIG_ASYNC_PQ, async_syndrome_val, struct dma_async_tx_descriptor *,
+ (struct page **blocks, unsigned int *offsets, int src_cnt, size_t len, enum sum_check_flags *pqres, struct page *spare, unsigned int s_off, struct async_submit_ctl *submit),
+ (blocks, offsets, src_cnt, len, pqres, spare, s_off, submit));
struct dma_async_tx_descriptor *
async_raid6_2data_recov(int src_num, size_t bytes, int faila, int failb,
--
2.47.3
^ permalink raw reply related
* [PATCH 098/106] crypto: convert exported crypto symbol into pluggable interface for CONFIG_ASYNC_RAID6_RECOV crypto
From: Jay Wang @ 2026-02-12 2:47 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212024725.11264-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_ASYNC_RAID6_RECOV-related crypto to convert them into pluggable
interface.
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
crypto/async_tx/Makefile | 2 +-
crypto/fips140/fips140-api.c | 11 +++++++++++
include/linux/async_tx.h | 16 +++++++---------
3 files changed, 19 insertions(+), 10 deletions(-)
diff --git a/crypto/async_tx/Makefile b/crypto/async_tx/Makefile
index 9b0277843bb3..2f700c2312af 100644
--- a/crypto/async_tx/Makefile
+++ b/crypto/async_tx/Makefile
@@ -3,5 +3,5 @@ crypto-objs-$(CONFIG_ASYNC_CORE) += async_tx.o
crypto-objs-$(CONFIG_ASYNC_MEMCPY) += async_memcpy.o
crypto-objs-$(CONFIG_ASYNC_XOR) += async_xor.o
crypto-objs-$(CONFIG_ASYNC_PQ) += async_pq.o
-obj-$(CONFIG_ASYNC_RAID6_RECOV) += async_raid6_recov.o
+crypto-objs-$(CONFIG_ASYNC_RAID6_RECOV) += async_raid6_recov.o
obj-$(CONFIG_ASYNC_RAID6_TEST) += raid6test.o
diff --git a/crypto/fips140/fips140-api.c b/crypto/fips140/fips140-api.c
index 6c22baf0ce10..7159c796d87f 100644
--- a/crypto/fips140/fips140-api.c
+++ b/crypto/fips140/fips140-api.c
@@ -842,6 +842,17 @@ DEFINE_CRYPTO_API_STUB(async_xor_val_offs);
DEFINE_CRYPTO_API_STUB(async_gen_syndrome);
DEFINE_CRYPTO_API_STUB(async_syndrome_val);
+#endif
+/*
+ * crypto/async_tx/async_raid6_recov.c
+ */
+#if IS_BUILTIN(CONFIG_ASYNC_RAID6_RECOV)
+
+#include <linux/async_tx.h>
+
+DEFINE_CRYPTO_API_STUB(async_raid6_2data_recov);
+DEFINE_CRYPTO_API_STUB(async_raid6_datap_recov);
+
#endif
/*
* crypto/ecdh_helper.c
diff --git a/include/linux/async_tx.h b/include/linux/async_tx.h
index 9f733d01f69e..4e791a978ac3 100644
--- a/include/linux/async_tx.h
+++ b/include/linux/async_tx.h
@@ -189,15 +189,13 @@ DECLARE_CRYPTO_API(CONFIG_ASYNC_PQ, async_syndrome_val, struct dma_async_tx_desc
(struct page **blocks, unsigned int *offsets, int src_cnt, size_t len, enum sum_check_flags *pqres, struct page *spare, unsigned int s_off, struct async_submit_ctl *submit),
(blocks, offsets, src_cnt, len, pqres, spare, s_off, submit));
-struct dma_async_tx_descriptor *
-async_raid6_2data_recov(int src_num, size_t bytes, int faila, int failb,
- struct page **ptrs, unsigned int *offs,
- struct async_submit_ctl *submit);
-
-struct dma_async_tx_descriptor *
-async_raid6_datap_recov(int src_num, size_t bytes, int faila,
- struct page **ptrs, unsigned int *offs,
- struct async_submit_ctl *submit);
+DECLARE_CRYPTO_API(CONFIG_ASYNC_RAID6_RECOV, async_raid6_2data_recov, struct dma_async_tx_descriptor *,
+ (int src_num, size_t bytes, int faila, int failb, struct page **ptrs, unsigned int *offs, struct async_submit_ctl *submit),
+ (src_num, bytes, faila, failb, ptrs, offs, submit));
+
+DECLARE_CRYPTO_API(CONFIG_ASYNC_RAID6_RECOV, async_raid6_datap_recov, struct dma_async_tx_descriptor *,
+ (int src_num, size_t bytes, int faila, struct page **ptrs, unsigned int *offs, struct async_submit_ctl *submit),
+ (src_num, bytes, faila, ptrs, offs, submit));
DECLARE_CRYPTO_API(CONFIG_ASYNC_CORE, async_tx_quiesce, void,
(struct dma_async_tx_descriptor **tx),
--
2.47.3
^ permalink raw reply related
* [PATCH 099/106] crypto: convert exported crypto symbol into pluggable interface for CONFIG_CRYPTO_KDF800108_CTR crypto
From: Jay Wang @ 2026-02-12 2:47 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212024725.11264-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_CRYPTO_KDF800108_CTR-related crypto to convert them into
pluggable interface.
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
crypto/Makefile | 2 +-
crypto/fips140/fips140-api.c | 11 +++++++++++
crypto/kdf_sp800108.c | 4 ++--
include/crypto/kdf_sp800108.h | 14 ++++++++------
4 files changed, 22 insertions(+), 9 deletions(-)
diff --git a/crypto/Makefile b/crypto/Makefile
index 29e674c1f2ad..c1088b10f49a 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -205,7 +205,7 @@ obj-$(CONFIG_CRYPTO_SIMD) += crypto_simd.o
#
# Key derivation function
#
-obj-$(CONFIG_CRYPTO_KDF800108_CTR) += kdf_sp800108.o
+crypto-objs-$(CONFIG_CRYPTO_KDF800108_CTR) += kdf_sp800108.o
obj-$(CONFIG_CRYPTO_DF80090A) += df_sp80090a.o
diff --git a/crypto/fips140/fips140-api.c b/crypto/fips140/fips140-api.c
index 7159c796d87f..0ed89baa3865 100644
--- a/crypto/fips140/fips140-api.c
+++ b/crypto/fips140/fips140-api.c
@@ -853,6 +853,17 @@ DEFINE_CRYPTO_API_STUB(async_syndrome_val);
DEFINE_CRYPTO_API_STUB(async_raid6_2data_recov);
DEFINE_CRYPTO_API_STUB(async_raid6_datap_recov);
+#endif
+/*
+ * crypto/kdf_sp800108.c
+ */
+#if IS_BUILTIN(CONFIG_CRYPTO_KDF800108_CTR)
+
+#include <crypto/kdf_sp800108.h>
+
+DEFINE_CRYPTO_API_STUB(crypto_kdf108_ctr_generate);
+DEFINE_CRYPTO_API_STUB(crypto_kdf108_setkey);
+
#endif
/*
* crypto/ecdh_helper.c
diff --git a/crypto/kdf_sp800108.c b/crypto/kdf_sp800108.c
index b7a6bf9da773..bf23a39bb657 100644
--- a/crypto/kdf_sp800108.c
+++ b/crypto/kdf_sp800108.c
@@ -149,8 +149,8 @@ static int __init crypto_kdf108_init(void)
static void __exit crypto_kdf108_exit(void) { }
-module_init(crypto_kdf108_init);
-module_exit(crypto_kdf108_exit);
+crypto_module_init(crypto_kdf108_init);
+crypto_module_exit(crypto_kdf108_exit);
MODULE_LICENSE("GPL v2");
MODULE_AUTHOR("Stephan Mueller <smueller@chronox.de>");
diff --git a/include/crypto/kdf_sp800108.h b/include/crypto/kdf_sp800108.h
index b7b20a778fb7..33cc2e75b014 100644
--- a/include/crypto/kdf_sp800108.h
+++ b/include/crypto/kdf_sp800108.h
@@ -7,6 +7,8 @@
#ifndef _CRYPTO_KDF108_H
#define _CRYPTO_KDF108_H
+#include <crypto/api.h>
+
#include <crypto/hash.h>
#include <linux/uio.h>
@@ -28,9 +30,9 @@
*
* @return 0 on success, < 0 on error
*/
-int crypto_kdf108_ctr_generate(struct crypto_shash *kmd,
- const struct kvec *info, unsigned int info_nvec,
- u8 *dst, unsigned int dlen);
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_KDF800108_CTR, crypto_kdf108_ctr_generate, int,
+ (struct crypto_shash *kmd, const struct kvec *info, unsigned int info_nvec, u8 *dst, unsigned int dlen),
+ (kmd, info, info_nvec, dst, dlen));
/**
* Counter KDF setkey operation
@@ -54,8 +56,8 @@ int crypto_kdf108_ctr_generate(struct crypto_shash *kmd,
*
* @return 0 on success, < 0 on error
*/
-int crypto_kdf108_setkey(struct crypto_shash *kmd,
- const u8 *key, size_t keylen,
- const u8 *ikm, size_t ikmlen);
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_KDF800108_CTR, crypto_kdf108_setkey, int,
+ (struct crypto_shash *kmd, const u8 *key, size_t keylen, const u8 *ikm, size_t ikmlen),
+ (kmd, key, keylen, ikm, ikmlen));
#endif /* _CRYPTO_KDF108_H */
--
2.47.3
^ permalink raw reply related
* [PATCH 100/106] crypto: convert exported crypto symbol into pluggable interface for CONFIG_CRYPTO_KRB5 crypto
From: Jay Wang @ 2026-02-12 2:47 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212024725.11264-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_CRYPTO_KRB5-related crypto to convert them into pluggable
interface.
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
crypto/fips140/fips140-api.c | 27 +++++++++++++
crypto/krb5/Makefile | 2 +-
crypto/krb5/krb5_api.c | 4 +-
include/crypto/krb5.h | 78 ++++++++++++++++--------------------
4 files changed, 65 insertions(+), 46 deletions(-)
diff --git a/crypto/fips140/fips140-api.c b/crypto/fips140/fips140-api.c
index 0ed89baa3865..3e4203dd2aeb 100644
--- a/crypto/fips140/fips140-api.c
+++ b/crypto/fips140/fips140-api.c
@@ -864,6 +864,33 @@ DEFINE_CRYPTO_API_STUB(async_raid6_datap_recov);
DEFINE_CRYPTO_API_STUB(crypto_kdf108_ctr_generate);
DEFINE_CRYPTO_API_STUB(crypto_kdf108_setkey);
+#endif
+/*
+ * crypto/krb5/krb5.o
+ */
+#if IS_BUILTIN(CONFIG_CRYPTO_KRB5)
+
+#include <crypto/krb5.h>
+
+/*
+ * crypto/krb5/krb5_kdf.c
+ */
+DEFINE_CRYPTO_API_STUB(crypto_krb5_calc_PRFplus);
+
+/*
+ * crypto/krb5/krb5_api.c
+ */
+DEFINE_CRYPTO_API_STUB(crypto_krb5_find_enctype);
+DEFINE_CRYPTO_API_STUB(crypto_krb5_how_much_buffer);
+DEFINE_CRYPTO_API_STUB(crypto_krb5_how_much_data);
+DEFINE_CRYPTO_API_STUB(crypto_krb5_where_is_the_data);
+DEFINE_CRYPTO_API_STUB(crypto_krb5_prepare_encryption);
+DEFINE_CRYPTO_API_STUB(crypto_krb5_prepare_checksum);
+DEFINE_CRYPTO_API_STUB(crypto_krb5_encrypt);
+DEFINE_CRYPTO_API_STUB(crypto_krb5_decrypt);
+DEFINE_CRYPTO_API_STUB(crypto_krb5_get_mic);
+DEFINE_CRYPTO_API_STUB(crypto_krb5_verify_mic);
+
#endif
/*
* crypto/ecdh_helper.c
diff --git a/crypto/krb5/Makefile b/crypto/krb5/Makefile
index d38890c0b247..513759fc8dcc 100644
--- a/crypto/krb5/Makefile
+++ b/crypto/krb5/Makefile
@@ -15,4 +15,4 @@ krb5-$(CONFIG_CRYPTO_KRB5_SELFTESTS) += \
selftest.o \
selftest_data.o
-obj-$(CONFIG_CRYPTO_KRB5) += krb5.o
+crypto-objs-$(CONFIG_CRYPTO_KRB5) += krb5.o
diff --git a/crypto/krb5/krb5_api.c b/crypto/krb5/krb5_api.c
index 23026d4206c8..5725ed1cb4b7 100644
--- a/crypto/krb5/krb5_api.c
+++ b/crypto/krb5/krb5_api.c
@@ -444,9 +444,9 @@ static int __init crypto_krb5_init(void)
{
return krb5_selftest();
}
-module_init(crypto_krb5_init);
+crypto_module_init(crypto_krb5_init);
static void __exit crypto_krb5_exit(void)
{
}
-module_exit(crypto_krb5_exit);
+crypto_module_exit(crypto_krb5_exit);
diff --git a/include/crypto/krb5.h b/include/crypto/krb5.h
index 71dd38f59be1..e2de2d0391a1 100644
--- a/include/crypto/krb5.h
+++ b/include/crypto/krb5.h
@@ -8,6 +8,8 @@
#ifndef _CRYPTO_KRB5_H
#define _CRYPTO_KRB5_H
+#include <crypto/api.h>
+
#include <linux/crypto.h>
#include <crypto/aead.h>
#include <crypto/hash.h>
@@ -114,52 +116,42 @@ struct krb5_enctype {
/*
* krb5_api.c
*/
-const struct krb5_enctype *crypto_krb5_find_enctype(u32 enctype);
-size_t crypto_krb5_how_much_buffer(const struct krb5_enctype *krb5,
- enum krb5_crypto_mode mode,
- size_t data_size, size_t *_offset);
-size_t crypto_krb5_how_much_data(const struct krb5_enctype *krb5,
- enum krb5_crypto_mode mode,
- size_t *_buffer_size, size_t *_offset);
-void crypto_krb5_where_is_the_data(const struct krb5_enctype *krb5,
- enum krb5_crypto_mode mode,
- size_t *_offset, size_t *_len);
-struct crypto_aead *crypto_krb5_prepare_encryption(const struct krb5_enctype *krb5,
- const struct krb5_buffer *TK,
- u32 usage, gfp_t gfp);
-struct crypto_shash *crypto_krb5_prepare_checksum(const struct krb5_enctype *krb5,
- const struct krb5_buffer *TK,
- u32 usage, gfp_t gfp);
-ssize_t crypto_krb5_encrypt(const struct krb5_enctype *krb5,
- struct crypto_aead *aead,
- struct scatterlist *sg, unsigned int nr_sg,
- size_t sg_len,
- size_t data_offset, size_t data_len,
- bool preconfounded);
-int crypto_krb5_decrypt(const struct krb5_enctype *krb5,
- struct crypto_aead *aead,
- struct scatterlist *sg, unsigned int nr_sg,
- size_t *_offset, size_t *_len);
-ssize_t crypto_krb5_get_mic(const struct krb5_enctype *krb5,
- struct crypto_shash *shash,
- const struct krb5_buffer *metadata,
- struct scatterlist *sg, unsigned int nr_sg,
- size_t sg_len,
- size_t data_offset, size_t data_len);
-int crypto_krb5_verify_mic(const struct krb5_enctype *krb5,
- struct crypto_shash *shash,
- const struct krb5_buffer *metadata,
- struct scatterlist *sg, unsigned int nr_sg,
- size_t *_offset, size_t *_len);
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_KRB5, crypto_krb5_find_enctype, const struct krb5_enctype *,
+ (u32 enctype),
+ (enctype));
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_KRB5, crypto_krb5_how_much_buffer, size_t,
+ (const struct krb5_enctype *krb5, enum krb5_crypto_mode mode, size_t data_size, size_t *_offset),
+ (krb5, mode, data_size, _offset));
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_KRB5, crypto_krb5_how_much_data, size_t,
+ (const struct krb5_enctype *krb5, enum krb5_crypto_mode mode, size_t *_buffer_size, size_t *_offset),
+ (krb5, mode, _buffer_size, _offset));
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_KRB5, crypto_krb5_where_is_the_data, void,
+ (const struct krb5_enctype *krb5, enum krb5_crypto_mode mode, size_t *_offset, size_t *_len),
+ (krb5, mode, _offset, _len));
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_KRB5, crypto_krb5_prepare_encryption, struct crypto_aead *,
+ (const struct krb5_enctype *krb5, const struct krb5_buffer *TK, u32 usage, gfp_t gfp),
+ (krb5, TK, usage, gfp));
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_KRB5, crypto_krb5_prepare_checksum, struct crypto_shash *,
+ (const struct krb5_enctype *krb5, const struct krb5_buffer *TK, u32 usage, gfp_t gfp),
+ (krb5, TK, usage, gfp));
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_KRB5, crypto_krb5_encrypt, ssize_t,
+ (const struct krb5_enctype *krb5, struct crypto_aead *aead, struct scatterlist *sg, unsigned int nr_sg, size_t sg_len, size_t data_offset, size_t data_len, bool preconfounded),
+ (krb5, aead, sg, nr_sg, sg_len, data_offset, data_len, preconfounded));
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_KRB5, crypto_krb5_decrypt, int,
+ (const struct krb5_enctype *krb5, struct crypto_aead *aead, struct scatterlist *sg, unsigned int nr_sg, size_t *_offset, size_t *_len),
+ (krb5, aead, sg, nr_sg, _offset, _len));
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_KRB5, crypto_krb5_get_mic, ssize_t,
+ (const struct krb5_enctype *krb5, struct crypto_shash *shash, const struct krb5_buffer *metadata, struct scatterlist *sg, unsigned int nr_sg, size_t sg_len, size_t data_offset, size_t data_len),
+ (krb5, shash, metadata, sg, nr_sg, sg_len, data_offset, data_len));
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_KRB5, crypto_krb5_verify_mic, int,
+ (const struct krb5_enctype *krb5, struct crypto_shash *shash, const struct krb5_buffer *metadata, struct scatterlist *sg, unsigned int nr_sg, size_t *_offset, size_t *_len),
+ (krb5, shash, metadata, sg, nr_sg, _offset, _len));
/*
* krb5_kdf.c
*/
-int crypto_krb5_calc_PRFplus(const struct krb5_enctype *krb5,
- const struct krb5_buffer *K,
- unsigned int L,
- const struct krb5_buffer *S,
- struct krb5_buffer *result,
- gfp_t gfp);
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_KRB5, crypto_krb5_calc_PRFplus, int,
+ (const struct krb5_enctype *krb5, const struct krb5_buffer *K, unsigned int L, const struct krb5_buffer *S, struct krb5_buffer *result, gfp_t gfp),
+ (krb5, K, L, S, result, gfp));
#endif /* _CRYPTO_KRB5_H */
--
2.47.3
^ permalink raw reply related
* [PATCH 101/106] crypto: convert exported crypto symbol into pluggable interface for CONFIG_FIPS_SIGNATURE_SELFTEST crypto
From: Jay Wang @ 2026-02-12 2:47 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212024725.11264-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_FIPS_SIGNATURE_SELFTEST-related crypto to convert them into
pluggable interface.
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
crypto/asymmetric_keys/Makefile | 2 +-
crypto/asymmetric_keys/selftest.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
index c68fdcd2c5cf..bffa2e199a5d 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -22,7 +22,7 @@ x509_key_parser-y := \
x509_cert_parser.o \
x509_loader.o \
x509_public_key.o
-obj-$(CONFIG_FIPS_SIGNATURE_SELFTEST) += x509_selftest.o
+crypto-objs-$(CONFIG_FIPS_SIGNATURE_SELFTEST) += x509_selftest.o
x509_selftest-y += selftest.o
x509_selftest-$(CONFIG_FIPS_SIGNATURE_SELFTEST_RSA) += selftest_rsa.o
x509_selftest-$(CONFIG_FIPS_SIGNATURE_SELFTEST_ECDSA) += selftest_ecdsa.o
diff --git a/crypto/asymmetric_keys/selftest.c b/crypto/asymmetric_keys/selftest.c
index 98dc5cdfdebe..4f3b6ef85d1b 100644
--- a/crypto/asymmetric_keys/selftest.c
+++ b/crypto/asymmetric_keys/selftest.c
@@ -65,7 +65,7 @@ static int __init fips_signature_selftest_init(void)
return 0;
}
-late_initcall(fips_signature_selftest_init);
+crypto_late_initcall(fips_signature_selftest_init);
MODULE_DESCRIPTION("X.509 self tests");
MODULE_AUTHOR("Red Hat, Inc.");
--
2.47.3
^ permalink raw reply related
* [PATCH 102/106] crypto: convert exported crypto symbol into pluggable interface for CONFIG_PKCS8_PRIVATE_KEY_PARSER crypto
From: Jay Wang @ 2026-02-12 2:47 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212024725.11264-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_PKCS8_PRIVATE_KEY_PARSER-related crypto to convert them into
pluggable interface.
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
crypto/asymmetric_keys/Makefile | 2 +-
crypto/asymmetric_keys/pkcs8_parser.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
index bffa2e199a5d..3fdd11ea399a 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -37,7 +37,7 @@ $(obj)/x509_akid.asn1.o: $(obj)/x509_akid.asn1.c $(obj)/x509_akid.asn1.h
#
# PKCS#8 private key handling
#
-obj-$(CONFIG_PKCS8_PRIVATE_KEY_PARSER) += pkcs8_key_parser.o
+crypto-objs-$(CONFIG_PKCS8_PRIVATE_KEY_PARSER) += pkcs8_key_parser.o
pkcs8_key_parser-y := \
pkcs8.asn1.o \
pkcs8_parser.o
diff --git a/crypto/asymmetric_keys/pkcs8_parser.c b/crypto/asymmetric_keys/pkcs8_parser.c
index 105dcce27f71..f26464639232 100644
--- a/crypto/asymmetric_keys/pkcs8_parser.c
+++ b/crypto/asymmetric_keys/pkcs8_parser.c
@@ -173,8 +173,8 @@ static void __exit pkcs8_key_exit(void)
unregister_asymmetric_key_parser(&pkcs8_key_parser);
}
-module_init(pkcs8_key_init);
-module_exit(pkcs8_key_exit);
+crypto_module_init(pkcs8_key_init);
+crypto_module_exit(pkcs8_key_exit);
MODULE_DESCRIPTION("PKCS#8 certificate parser");
MODULE_LICENSE("GPL");
--
2.47.3
^ permalink raw reply related
* [PATCH 103/106] crypto: convert exported crypto symbol into pluggable interface for CONFIG_PKCS7_TEST_KEY crypto
From: Jay Wang @ 2026-02-12 2:47 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212024725.11264-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_PKCS7_TEST_KEY-related crypto to convert them into pluggable
interface.
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
crypto/asymmetric_keys/Makefile | 2 +-
crypto/asymmetric_keys/pkcs7_key_type.c | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
index 3fdd11ea399a..6a17f563c359 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -63,7 +63,7 @@ $(obj)/pkcs7.asn1.o: $(obj)/pkcs7.asn1.c $(obj)/pkcs7.asn1.h
#
# PKCS#7 parser testing key
#
-obj-$(CONFIG_PKCS7_TEST_KEY) += pkcs7_test_key.o
+crypto-objs-$(CONFIG_PKCS7_TEST_KEY) += pkcs7_test_key.o
pkcs7_test_key-y := \
pkcs7_key_type.o
diff --git a/crypto/asymmetric_keys/pkcs7_key_type.c b/crypto/asymmetric_keys/pkcs7_key_type.c
index b930d3bbf1af..a6921222ced1 100644
--- a/crypto/asymmetric_keys/pkcs7_key_type.c
+++ b/crypto/asymmetric_keys/pkcs7_key_type.c
@@ -4,8 +4,8 @@
* Copyright (C) 2014 Red Hat, Inc. All Rights Reserved.
* Written by David Howells (dhowells@redhat.com)
*/
-
#define pr_fmt(fmt) "PKCS7key: "fmt
+#include <crypto/api.h>
#include <linux/key.h>
#include <linux/err.h>
#include <linux/module.h>
@@ -91,5 +91,5 @@ static void __exit pkcs7_key_cleanup(void)
unregister_key_type(&key_type_pkcs7);
}
-module_init(pkcs7_key_init);
-module_exit(pkcs7_key_cleanup);
+crypto_module_init(pkcs7_key_init);
+crypto_module_exit(pkcs7_key_cleanup);
--
2.47.3
^ permalink raw reply related
* [PATCH 104/106] crypto: convert exported crypto symbol into pluggable interface for CONFIG_SIGNED_PE_FILE_VERIFICATION crypto
From: Jay Wang @ 2026-02-12 2:47 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212024725.11264-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_SIGNED_PE_FILE_VERIFICATION-related crypto to convert them into
pluggable interface.
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
crypto/asymmetric_keys/Makefile | 2 +-
crypto/asymmetric_keys/verify_pefile.c | 1 +
crypto/fips140/fips140-api.c | 10 ++++++++++
include/linux/verification.h | 8 +++++---
4 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile
index 6a17f563c359..bccf6952e0e5 100644
--- a/crypto/asymmetric_keys/Makefile
+++ b/crypto/asymmetric_keys/Makefile
@@ -70,7 +70,7 @@ pkcs7_test_key-y := \
#
# Signed PE binary-wrapped key handling
#
-obj-$(CONFIG_SIGNED_PE_FILE_VERIFICATION) += verify_signed_pefile.o
+crypto-objs-$(CONFIG_SIGNED_PE_FILE_VERIFICATION) += verify_signed_pefile.o
verify_signed_pefile-y := \
verify_pefile.o \
diff --git a/crypto/asymmetric_keys/verify_pefile.c b/crypto/asymmetric_keys/verify_pefile.c
index 1f3b227ba7f2..15e4e51f9f35 100644
--- a/crypto/asymmetric_keys/verify_pefile.c
+++ b/crypto/asymmetric_keys/verify_pefile.c
@@ -454,3 +454,4 @@ int verify_pefile_signature(const void *pebuf, unsigned pelen,
kfree_sensitive(ctx.digest);
return ret;
}
+EXPORT_SYMBOL(verify_pefile_signature);
\ No newline at end of file
diff --git a/crypto/fips140/fips140-api.c b/crypto/fips140/fips140-api.c
index 3e4203dd2aeb..74eae8815067 100644
--- a/crypto/fips140/fips140-api.c
+++ b/crypto/fips140/fips140-api.c
@@ -903,4 +903,14 @@ DEFINE_CRYPTO_API_STUB(crypto_ecdh_key_len);
DEFINE_CRYPTO_API_STUB(crypto_ecdh_encode_key);
DEFINE_CRYPTO_API_STUB(crypto_ecdh_decode_key);
+#endif
+/*
+ * crypto/asymmetric_keys/verify_pefile.c
+ */
+#if IS_BUILTIN(CONFIG_SIGNED_PE_FILE_VERIFICATION)
+
+#include <linux/verification.h>
+
+DEFINE_CRYPTO_API_STUB(verify_pefile_signature);
+
#endif
\ No newline at end of file
diff --git a/include/linux/verification.h b/include/linux/verification.h
index dec7f2beabfd..b050da314117 100644
--- a/include/linux/verification.h
+++ b/include/linux/verification.h
@@ -8,6 +8,8 @@
#ifndef _LINUX_VERIFICATION_H
#define _LINUX_VERIFICATION_H
+#include <crypto/api.h>
+
#include <linux/errno.h>
#include <linux/types.h>
@@ -63,9 +65,9 @@ extern int verify_pkcs7_message_sig(const void *data, size_t len,
void *ctx);
#ifdef CONFIG_SIGNED_PE_FILE_VERIFICATION
-extern int verify_pefile_signature(const void *pebuf, unsigned pelen,
- struct key *trusted_keys,
- enum key_being_used_for usage);
+DECLARE_CRYPTO_API(CONFIG_SIGNED_PE_FILE_VERIFICATION, verify_pefile_signature, int,
+ (const void *pebuf, unsigned pelen, struct key *trusted_keys, enum key_being_used_for usage),
+ (pebuf, pelen, trusted_keys, usage));
#endif
#endif /* CONFIG_SYSTEM_DATA_VERIFICATION */
--
2.47.3
^ permalink raw reply related
* [PATCH 105/106] crypto: convert exported crypto symbol into pluggable interface for CONFIG_CRYPTO_SIMD crypto
From: Jay Wang @ 2026-02-12 2:47 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212024725.11264-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_CRYPTO_SIMD-related crypto to convert them into pluggable
interface.
This patch is partially based on work by Vegard Nossum, with
modifications. Unlike the original, we do not include
DEFINE_CRYPTO_API since only one copy of the crypto symbols is
kept, either in the crypto module or in the main kernel, and we ensure
such wrapper do not have impact on crypto already chosen built as
module.
Co-developed-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
crypto/Makefile | 2 +-
crypto/fips140/fips140-api.c | 15 +++++++++++++++
include/crypto/internal/simd.h | 33 ++++++++++++++++++++-------------
3 files changed, 36 insertions(+), 14 deletions(-)
diff --git a/crypto/Makefile b/crypto/Makefile
index c1088b10f49a..7403364c9afa 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -200,7 +200,7 @@ crypto-objs-$(CONFIG_XOR_BLOCKS) += xor.o
obj-$(CONFIG_ASYNC_CORE) += async_tx/
obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys/
crypto_simd-y := simd.o
-obj-$(CONFIG_CRYPTO_SIMD) += crypto_simd.o
+crypto-objs-$(CONFIG_CRYPTO_SIMD) += crypto_simd.o
#
# Key derivation function
diff --git a/crypto/fips140/fips140-api.c b/crypto/fips140/fips140-api.c
index 74eae8815067..126ecd09ae07 100644
--- a/crypto/fips140/fips140-api.c
+++ b/crypto/fips140/fips140-api.c
@@ -913,4 +913,19 @@ DEFINE_CRYPTO_API_STUB(crypto_ecdh_decode_key);
DEFINE_CRYPTO_API_STUB(verify_pefile_signature);
+#endif
+/*
+ * crypto/simd.c
+ */
+#if IS_BUILTIN(CONFIG_CRYPTO_SIMD)
+
+#include <crypto/internal/simd.h>
+
+DEFINE_CRYPTO_API_STUB(simd_skcipher_create_compat);
+DEFINE_CRYPTO_API_STUB(simd_skcipher_free);
+DEFINE_CRYPTO_API_STUB(simd_register_skciphers_compat);
+DEFINE_CRYPTO_API_STUB(simd_unregister_skciphers);
+DEFINE_CRYPTO_API_STUB(simd_register_aeads_compat);
+DEFINE_CRYPTO_API_STUB(simd_unregister_aeads);
+
#endif
\ No newline at end of file
diff --git a/include/crypto/internal/simd.h b/include/crypto/internal/simd.h
index 9e338e7aafbd..be84d67f3ceb 100644
--- a/include/crypto/internal/simd.h
+++ b/include/crypto/internal/simd.h
@@ -6,6 +6,8 @@
#ifndef _CRYPTO_INTERNAL_SIMD_H
#define _CRYPTO_INTERNAL_SIMD_H
+#include <crypto/api.h>
+
#include <asm/simd.h>
#include <linux/percpu.h>
#include <linux/types.h>
@@ -15,28 +17,33 @@
struct simd_skcipher_alg;
struct skcipher_alg;
-struct simd_skcipher_alg *simd_skcipher_create_compat(struct skcipher_alg *ialg,
- const char *algname,
- const char *drvname,
- const char *basename);
-void simd_skcipher_free(struct simd_skcipher_alg *alg);
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_SIMD, simd_skcipher_create_compat, struct simd_skcipher_alg *,
+ (struct skcipher_alg *ialg, const char *algname, const char *drvname, const char *basename),
+ (ialg, algname, drvname, basename));
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_SIMD, simd_skcipher_free, void,
+ (struct simd_skcipher_alg *alg),
+ (alg));
-int simd_register_skciphers_compat(struct skcipher_alg *algs, int count,
- struct simd_skcipher_alg **simd_algs);
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_SIMD, simd_register_skciphers_compat, int,
+ (struct skcipher_alg *algs, int count, struct simd_skcipher_alg **simd_algs),
+ (algs, count, simd_algs));
-void simd_unregister_skciphers(struct skcipher_alg *algs, int count,
- struct simd_skcipher_alg **simd_algs);
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_SIMD, simd_unregister_skciphers, void,
+ (struct skcipher_alg *algs, int count, struct simd_skcipher_alg **simd_algs),
+ (algs, count, simd_algs));
/* AEAD support */
struct simd_aead_alg;
struct aead_alg;
-int simd_register_aeads_compat(struct aead_alg *algs, int count,
- struct simd_aead_alg **simd_algs);
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_SIMD, simd_register_aeads_compat, int,
+ (struct aead_alg *algs, int count, struct simd_aead_alg **simd_algs),
+ (algs, count, simd_algs));
-void simd_unregister_aeads(struct aead_alg *algs, int count,
- struct simd_aead_alg **simd_algs);
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_SIMD, simd_unregister_aeads, void,
+ (struct aead_alg *algs, int count, struct simd_aead_alg **simd_algs),
+ (algs, count, simd_algs));
/*
* crypto_simd_usable() - is it allowed at this time to use SIMD instructions or
--
2.47.3
^ permalink raw reply related
* [PATCH 106/106] crypto: convert exported crypto symbol into pluggable interface for CONFIG_ASYNC_RAID6_TEST crypto
From: Jay Wang @ 2026-02-12 2:47 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212024725.11264-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_ASYNC_RAID6_TEST-related crypto to convert them into pluggable
interface.
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
crypto/async_tx/Makefile | 2 +-
crypto/async_tx/raid6test.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/crypto/async_tx/Makefile b/crypto/async_tx/Makefile
index 2f700c2312af..9642987ebd71 100644
--- a/crypto/async_tx/Makefile
+++ b/crypto/async_tx/Makefile
@@ -4,4 +4,4 @@ crypto-objs-$(CONFIG_ASYNC_MEMCPY) += async_memcpy.o
crypto-objs-$(CONFIG_ASYNC_XOR) += async_xor.o
crypto-objs-$(CONFIG_ASYNC_PQ) += async_pq.o
crypto-objs-$(CONFIG_ASYNC_RAID6_RECOV) += async_raid6_recov.o
-obj-$(CONFIG_ASYNC_RAID6_TEST) += raid6test.o
+crypto-objs-$(CONFIG_ASYNC_RAID6_TEST) += raid6test.o
diff --git a/crypto/async_tx/raid6test.c b/crypto/async_tx/raid6test.c
index d3fbee1e03e5..253aa4787f5a 100644
--- a/crypto/async_tx/raid6test.c
+++ b/crypto/async_tx/raid6test.c
@@ -243,8 +243,8 @@ static void __exit raid6_test_exit(void)
/* when compiled-in wait for drivers to load first (assumes dma drivers
* are also compiled-in)
*/
-late_initcall(raid6_test);
-module_exit(raid6_test_exit);
+crypto_late_initcall(raid6_test);
+crypto_module_exit(raid6_test_exit);
MODULE_AUTHOR("Dan Williams <dan.j.williams@intel.com>");
MODULE_DESCRIPTION("asynchronous RAID-6 recovery self tests");
MODULE_LICENSE("GPL");
--
2.47.3
^ permalink raw reply related
* [PATCH v1 00/21] crypto: Standalone crypto module (Series 3/4): x86_64 crypto
From: Jay Wang @ 2026-02-12 3:14 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
This patch series is a follow up of Series 2/4:
https://lore.kernel.org/all/20260212024725.11264-1-wanjay@amazon.com/
This feature is organized into four patch series for submission to the mainline (up to the "Merge tag 'landlock-7.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/mic/linux"):
- Patch Series 1/4: "[PATCH v1 0...17] crypto: Standalone crypto module (Series 1/4): Core implementation"
- Patch Series 2/4: "[PATCH v1 0...106] crypto: Standalone crypto module (Series 2/4): Arch-independent crypto"
- Patch Series 3/4: "[PATCH v1 0...21] crypto: Standalone crypto module (Series 3/4): x86_64 crypto"
- Patch Series 4/4: "[PATCH v1 0...12] crypto: Standalone crypto module (Series 4/4): arm64 crypto"
The full source code is available at https://github.com/amazonlinux/linux/tree/fips-kernel-module.
Details on this feature and what each patch series covers can be found below.
## 1. Introduction
Amazon Linux is releasing a new kernel feature that converts the previously built-in kernel crypto subsystem into a standalone kernel module. This module becomes the carrier of the kernel crypto subsystem and can be loaded at early boot to provide the same functionality as the original built-in crypto. The primary motivation for this modularization is to streamline Federal Information Processing Standards (FIPS) validation, a critical cryptographic certification for cloud computing users doing business with the U.S. government.
In a bit more detail, previously, FIPS certification was tied to the entire kernel image, meaning non-crypto updates could potentially invalidate certification. With this feature, FIPS certification is tied only to the crypto module. Therefore, once the module is certified, loading this certified module on newer kernels automatically makes those kernels FIPS-certified. As a result, this approach can save re-certification costs and 12-18 months of waiting time by reducing the need for repeated FIPS re-certification cycles.
This feature is organized into four patch series:
- Patch Series 1 - Core feature implementation
- Patch Series 2 - Architecture-independent crypto: Modularize built-in crypto under `crypto/`
- Patch Series 3 - x86_64 crypto: Modularize built-in crypto under `arch/x86/crypto/`
- Patch Series 4 - arm64 crypto: Modularize built-in crypto under `arch/arm64/crypto/`
This document provides technical details on how this feature is designed and implemented for users or developers who are interested in developing upon it, and is organized as follows:
- Section 2 - Getting Started: Quick start on how to enable the feature
- Section 3 - Workflow Overview: Changes this feature brings to build and runtime
- Section 4 - Design Implementation Details: Technical deep-dive into each component
- Section 5 - Customizing and Extending Crypto Module: How to select crypto to be included and extend to new crypto/architectures
- Section 6 - Related Work and Comparison
- Section 7 - Summary
## 2. Getting Started
This section provides a quick start guide for developers on how to enable, compile and use the standalone cryptography module feature.
### 2.1 Basic Configuration
The feature is controlled by a single configuration option:
```
CONFIG_CRYPTO_FIPS140_EXTMOD=y
```
What it does: When enabled, automatically redirects a set of cryptographic algorithms from the main kernel into a standalone module `crypto/fips140/fips140.ko`. The cryptographic algorithms that are redirected need to satisfy all the following conditions, otherwise the cryptography will remain in its original form:
1. Must be configured as built-in (i.e., `CONFIG_CRYPTO_*=y`). This means cryptography already configured as modular (i.e., `CONFIG_CRYPTO_*=m`) are not redirected as they are already modularized.
2. Must be among a list, which can be customized by developers as described in Section 5.
When disabled, the kernel behaves as before.
### 2.2 Build Process
Once `CONFIG_CRYPTO_FIPS140_EXTMOD=y` is set, no additional steps are required. The standalone module will be built automatically as part of the standard kernel build process:
```
make -j$(nproc)
# or
make vmlinux
```
**What happens automatically (No user action required):**
1. Build the module as `crypto/fips140/fips140.ko`
2. The cryptography module will be loaded at boot time
3. All kernel cryptographic services will provide the same functionality as before (i.e., prior to introducing this new feature) once boot completes.
### 2.3 Advanced Configuration Options
**Using External Cryptography Module:**
```
CONFIG_CRYPTO_FIPS140_EXTMOD_SOURCE=y
```
By default, `CONFIG_CRYPTO_FIPS140_EXTMOD_SOURCE` is not set, meaning the freshly built cryptography module is used. Otherwise, the pre-built standalone cryptography module from `fips140_build/crypto/fips140/fips140.ko` and modular cryptography such as `fips140_build/crypto/aes.ko` (need to manually place pre-built modules in these locations before the build) are included in kernel packaging (e.g., during `make modules_install`) and are used at later boot time.
**Dual Version Support:**
```
CONFIG_CRYPTO_FIPS140_DUAL_VERSION=y
```
Encapsulate two versions of `fips140.ko` into kernel: one is freshly built for non-FIPS mode usage, another is pre-built specified by `fips140_build/crypto/fips140/fips140.ko` for FIPS mode usage. The appropriate version is selected and loaded at boot time based on boot time FIPS mode status.
### 2.4 Verification
To verify the feature is working, after install and boot with the new kernel:
```
# Check if fips140.ko module is loaded
lsmod | grep fips140
```
## 3. Workflow Overview
This section provides an overview without delving into deep technical details of the changes the standalone cryptography module feature introduces. When this feature is enabled, it introduces changes to both the kernel build and booting process.
3.1 Build-Time Changes
Kernel cryptography subsystem consists of both cryptography management infrastructure (e.g., `crypto/api.c`, `crypto/algapi.c`, etc), along with hundreds of different cryptography algorithms (e.g., `crypto/arc4.c`).
**Traditional Build Process:**
Traditionally, cryptography management infrastructure are always built-in to the kernel, while cryptographic algorithms can be configured to be built either as built-in (`CONFIG_CRYPTO_*=y`) or as separate modular (`CONFIG_CRYPTO_*=m`) `.ko` file depending on kernel configuration:
As a result, the builtin cryptography management infrastructure and cryptographic algorithms are statically linked into the kernel binary:
```
cryptographic algorithms source files → compiled as .o objfiles → linked into vmlinux → single kernel binary
```
**With Standalone Cryptography Module:**
This feature automatically transforms the builtin cryptographic components into a standalone cryptography module, `fips140.ko`. To do so, it develops a new kernel build rule `crypto-objs-$(CONFIG_CRYPTO_*)` such that, once this build rule is applied to a cryptographic algorithm, such cryptographic algorithm will be automatically collected into the cryptography module if it is configured as built-in (i.e, `CONFIG_CRYPTO_*=y`), for example:
```
// in crypto/asymmetric_keys/Makefile
- obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o
+ crypto-objs-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o
```
Such build change allows the modularization transformation to only affect selected cryptographic algorithms (i.e, where the `crypto-objs-$(CONFIG_CRYPTO_*`) is applied).
Then, after the `fips140.ko` is generated, it will be embedded back into main kernel vmlinux as a replacement part. The purpose of this embedding, instead of traditionally putting the `fips140.ko` into filesystem, is a preparation to allow the module to be loaded early enough even before the filesystem is ready.
The new build process is illustrated below.
```
cryptographic algorithms source files → compiled as .o objfiles → automatically collected and linked into fips140.ko → embedded fips140.ko into vmlinux as a replaceable binary
```
### 3.2 Runtime Changes
**Traditional Boot Process:**
The kernel initializes the cryptographic subsystem early during boot, executing each cryptographic initialization routine accordingly. These initialization routines may depend on other cryptographic components or other kernel subsystems, so their invocation follows a well-defined execution order to ensure they are initialized before their first use.
```
kernel starts → cryptography subsystem initialization → cryptography subsystem available → other components use cryptography
```
**With Standalone Cryptography Module:**
At the start of kernel boot, compared to a regular kernel, the first major change introduced by this feature is that no cryptography services are initially available — since the entire cryptography subsystem has been decoupled from the main kernel.
To ensure that the cryptography subsystem becomes available early enough (before the first kernel component that requires cryptography services), the standalone cryptography kernel module must be loaded at a very early stage, even before the filesystem becomes available.
However, the regular module loading mechanism relies on placing kernel modules in the filesystem and loading them from there, which creates a chicken-and-egg problem — the cryptography module cannot be loaded until the filesystem is ready, yet some kernel components may require cryptography services even before that point.
To address this, the second change introduced by this feature is that the cryptography kernel module is loaded directly from memory, leveraging the earlier compilation changes that embed the module binary into the main kernel image. Afterward, the feature includes a “plug-in” mechanism that connects the decoupled cryptography subsystem back to the main kernel, ensuring that kernel cryptography users can correctly locate and invoke the cryptography routine entry points.
Finally, to ensure proper initialization, the feature guarantees that all cryptography algorithms and the cryptography management infra execute their initialization routines in the exact same order as they would if they were built-in.
The process described above is illustrated below.
```
kernel starts → no cryptography available → load fips140.ko from memory → plug cryptography back to kernel → module initialization → cryptographic services available → other components use cryptography
```
## 4. Design Implementation Details
While the earlier sections provide a holistic view of how this feature shapes the kernel, this section provides deeper design details on how these functionalities are realized. There are three key design components:
1. A specialized compile rule that automatically compiles and collects all built-in cryptographic algorithm object files to generate the final module binary under arbitrary kernel configurations, and then embeds the generated binary into the main kernel image for early loading.
2. A mechanism to convert interactions between the cryptography subsystem and the main kernel into a pluggable interface.
3. A module loading and initialization process that ensures the cryptography subsystem is properly initialized as if it were built-in.
### 4.1. Specialized Compilation System
**Automatic Collection and Linking of Built-in Cryptographic Algorithm Objects:**
The first step in generating the `fips140.ko` module is to compile and collect built-in cryptographic components (i.e., those specified by `CONFIG_CRYPTO_*=y`).
Traditionally, the existing module build process requires all module components (e.g., source files) to reside in a single directory. However, this approach is not suitable for our case, where hundreds of cryptographic algorithm source files are scattered across multiple directories.
A naïve approach would be to create a separate Makefile that duplicates the original build rules with adjusted paths.
However, this method is not scalable due to the large number of cryptographic build rules, many of which are highly customized and can vary under different Kconfig settings, making such a separate Makefile even more complex.
Moreover, this approach cannot ensure that built-in cryptographic algorithms are completely removed from the main kernel, which would result in redundant cryptographic code being included in both the kernel and the module.
To tackle this challenge, we automated the object collection and linking process by introducing special build logic for the kernel cryptography subsystem.
Specifically, to automatically collect cryptography object files while preserving their original compilation settings (such as flags, headers, and paths), we introduced a new compilation rule:
```
crypto-objs-y += *.o
```
This replaces the original `obj-y += *.o` rule in cryptography Makefiles later, for example:
```
// in crypto/asymmetric_keys/Makefile
- obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o
+ crypto-objs-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o
asymmetric_keys-y := \ asymmetric_type.o \ restrict.o \ signature.o
```
in the cryptography subsystem Makefiles, allowing most of the existing Makefile logic to be reused.
As a result, when the standalone cryptography module feature is enabled, any cryptographic algorithm configured as built-in (for example, `crypto-objs-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o` where `CONFIG_ASYMMETRIC_KEY_TYPE=y`) will be automatically collected and linked into a single final object binary, `fips140.o`.
During this process, a special compilation flag (`-DFIPS_MODULE=1`) is applied to instruct each object file to be compiled in a module-specific manner. This flag will later be used to generate the pluggable interface on both the main kernel side and the module side from the same source code.
The implementation details are as follows: it follows a similar methodology used by the `obj-y` collection process for building `vmlinux.o`. The `crypto-objs-y` rule is placed in `scripts/Makefile.build`, which is executed by each directory Makefile to collect the corresponding crypto object files. Each directory then creates a `crypto-module.a` archive that contains all `crypto-objs-y += <object>.o` files under that directory. In the parent directories, these `crypto-module.a` archives are recursively included into the parent’s own `crypto-module.a`, and this process continues upward until the final `fips140.o` is generated.
**A Separate Module Generation Pipeline for Building the Final Kernel Module from Linked Cryptographic Algorithm Object:**
With the linked cryptographic algorithm object (i.e., `fips140.o`), the next step is to generate the final kernel module, `fips140.ko`.
A direct approach would be to inject the `fips140.ko` module build into the existing modules generation pipeline (i.e., `make modules`) by providing our pre-generated `fips140.o`. However, we choose not to do this because it would create a circular make rule dependency (which is invalid in Makefiles and causes build failures), resulting in mutual dependencies between the modules and vmlinux targets (i.e., `modules:vmlinux` and `vmlinux:modules` at the same time).
This happens for the following reasons:
1. Since we will later embed `fips140.ko` into the final kernel image (as described in the next section), we must make vmlinux depend on `fips140.ko`. In other words: `vmlinux: fips140.ko`.
2. When the kernel is built with `CONFIG_DEBUG_INFO_BTF_MODULES=y`, it requires: modules: vmlinux. This is because `CONFIG_DEBUG_INFO_BTF_MODULES=y` takes vmlinux as input to generate BTF info for the module, and inserts such info into the `.ko` module by default.
3. If we choose to inject `fips140.ko` into make modules, this would create a make rule dependency: `fips140.ko: modules`. Combined with items 1 and 2, this eventually creates an invalid circular dependency between vmlinux and modules.
Due to these reasons, the design choice is to use a separate make pipeline (defined as `fips140-ready` in the Makefile). This new pipeline reuses the same module generation scripts used by make modules but adds additional logic in `scripts/Makefile.{modfinal|modinst|modpost}` and `scripts/mod/modpost.c` to handle module symbol generation and verification correctly.
**A Seamless Process That Embeds the Generated Binary Into the Main Kernel Image for Early Loading:**
As mentioned earlier, in order to load the standalone cryptography module early in the boot process—before the filesystem is ready—the module binary must be embedded into the final kernel image (i.e., vmlinux) so that it can be loaded directly from memory.
We intend for this embedding process to be completely seamless and automatically triggered whenever vmlinux is built (i.e., during `make vmlinux`).
To achieve this, the feature adds a Make dependency rule so that vmlinux depends on `fips140.ko`.
It also modifies the vmlinux link rules (i.e., `arch/<arch>/kernel/vmlinux.lds.S`, `scripts/Makefile.vmlinux`, and `scripts/link-vmlinux.sh`) so that the generated module binary is finally combined with `vmlinux.o`.
In addition, we allow multiple cryptography module binary versions (for example, a certified cryptography binary and a latest, up-to-date but uncertified one) to be embedded into the main kernel image to serve different user needs. This design allows regular (non-FIPS) users to benefit from the latest cryptographic updates, while FIPS-mode users continue to use the certified cryptography module.
To support this, we introduce an optional configuration, `CONFIG_CRYPTO_FIPS140_DUAL_VERSION`. When enabled, this option allows two cryptography module versions to be embedded within a single kernel build and ensures that the appropriate module is selected and loaded at boot time based on the system’s FIPS mode status.
### 4.2. Pluggable Interface Between the Built-in Cryptography Subsystem and the Main Kernel
Although the module binary (`fips140.ko`) has been embedded into the final kernel image (`vmlinux`) as described in the previous section, it is not linked to the kernel in any way. This is because `fips140.ko` is embedded in a data-only manner, so the main kernel cannot directly call any functions or access any data defined in the module binary.
Even worse, simply removing the built-in cryptographic algorithms without additional handling would cause the kernel to fail to compile, because traditionally, built-in cryptographic algorithms and the main kernel can interact only through functions and variables whose addresses they assume to know. As a result, even if they have been removed, kernel cryptography users still expect the symbol addresses of cryptographic routines and data to be available at compile time.
To address this, we introduce a pluggable interface between built-in cryptographic functions and variables by placing **address placeholders**. During runtime, once the cryptography kernel module is loaded, these placeholders are updated to the correct addresses. In the rest of this section, we first introduce this pluggable interface mechanism, and then explain how to apply it to the built-in cryptographic algorithms.
**The Pluggable Interface Mechanism:**
There are two types of address holders used to achieve this pluggable interface:
- Function addresses: We use the “static call” mechanism. Static calls are a Linux mechanism that converts an “indirect call” into something with performance equivalent to a “direct call,” while avoiding the introduction of additional security concerns, such as control-flow–hijacking attack gadgets. We implement this function-address placeholder as the `DECLARE_STATIC_CALL()` and `DEFINE_CRYPTO_API_STUB()` wrappers.
- Variable addresses (the remaining smaller portion): For these, we use a pointer of the corresponding data type. We implement this address placeholder as the `DECLARE_CRYPTO_VAR()` and `DEFINE_CRYPTO_API_STUB()` wrappers:
These wrappers are applied to each symbol-exported (i.e., `EXPORT_SYMBOL()`) cryptographic function and variable (details on how to apply them are described later). Once applied, the wrappers are compiled differently for the main kernel and for the built-in cryptographic algorithm source code—acting as the “outlet” and the “plug,” respectively—using different compilation flags (`-DFIPS_MODULE`) introduced by our customized build rules described earlier.
As a result, the kernel can successfully compile even when the built-in cryptographic algorithms are removed, thanks to these address placeholders. At boot time, the placeholders initially hold NULL, but since no cryptography users exist at that stage, the kernel can still start booting correctly. After the cryptography module is loaded, the placeholders are dynamically updated to the correct addresses later (by `do_crypto_api()` and `do_crypto_var()`, described in later section).
In addition to these address placeholders, there is another important interaction point between the cryptography subsystem and the main kernel—the cryptographic initialization routines. Therefore, we also add a mechanism to collect all cryptographic initialization functions (e.g., those defined using `module_init()`) into a dedicated ELF section. This serves as preparation for the later module and cryptography-subsystem initialization steps described in subsequent sections.
**Applying the Pluggable Interface Mechanism to Cryptographic Algorithms:**
To apply these pluggable interface wrappers to a cryptographic algorithm and make them take effect, we follow the steps below (using `crypto/asymmetric_keys/asymmetric_type.c` as an example):
1. **Apply `crypto-objs-y` compile rule to the cryptographic algorithm:**
```
// in crypto/asymmetric_keys/Makefile
- obj-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o
+ crypto-objs-$(CONFIG_ASYMMETRIC_KEY_TYPE) += asymmetric_keys.o
asymmetric_keys-y := \ asymmetric_type.o \ restrict.o \ signature.o
```
2. **Locate the communication point between the cryptographic algorithm and the main kernel:**
The cryptography subsystem is designed such that most interactions between the main kernel and cryptographic algorithms occur through exported symbols using `EXPORT_SYMBOL()` wrappers.
This kernel design exists because most cryptographic algorithm implementations must support both built-in and modular modes.
Consequently, the cryptographic functions and variables exported by `EXPORT_SYMBOL()` are a well-defined and identifiable interface between the cryptography subsystem and the main kernel:
```
// in crypto/asymmetric_keys/asymmetric_type.c
//Exported cryptographic function:
bool asymmetric_key_id_same(const struct asymmetric_key_id *kid1,
const struct asymmetric_key_id *kid2) {...}
EXPORT_SYMBOL_GPL(asymmetric_key_id_same);
//Exported cryptographic variable:
struct key_type key_type_asymmetric = {...};
EXPORT_SYMBOL_GPL(key_type_asymmetric);
```
3. **Replace their declarations in the header file with the address-placeholder declaration wrappers:**
```
// in include/keys/asymmetric-type.h
// for exported cryptographic function:
- bool asymmetric_key_id_same const struct asymmetric_key_id *kid1, const struct asymmetric_key_id *kid2);
+ DECLARE_CRYPTO_API(CONFIG_ASYMMETRIC_KEY_TYPE, asymmetric_key_id_same, bool,
(const struct asymmetric_key_id *kid1, const struct asymmetric_key_id *kid2),
(kid1, kid2));
// for exported cryptographic variables:
- struct key_type key_type_asymmetric;
+ DECLARE_CRYPTO_VAR(CONFIG_ASYMMETRIC_KEY_TYPE, key_type_asymmetric, struct key_type, );
+ #if defined(CONFIG_CRYPTO_FIPS140_EXTMOD) && !defined(FIPS_MODULE) && IS_BUILTIN(CONFIG_ASYMMETRIC_KEY_TYPE)
+ #define key_type_asymmetric (*((struct key_type*)CRYPTO_VAR_NAME(key_type_asymmetric)))
+ #endif
```
By replacing the original declarations with the address-placeholder declaration wrappers, we can automatically force all cryptography users to go through the placeholders, because those users already include the same header file.
The wrapper also takes the cryptographic algorithm Kconfig symbol as a parameter, so that when a cryptographic algorithm is built as a module (for example, `CONFIG_ASYMMETRIC_KEY_TYPE=m`), the original function declarations remain unchanged and are not affected.
4. **Add the address-placeholder definition wrappers into a dedicated file `fips140-api.c`:**
This file will be compiled separately and acts as both the “outlet” and the “plug” for the main kernel and the cryptography module, respectively:
```
// in crypto/fips140/fips140-api.c
+ #if IS_BUILTIN(CONFIG_ASYMMETRIC_KEY_TYPE)
+ #include <keys/asymmetric-type.h>
// for exported cryptographic function:
+ DEFINE_CRYPTO_API_STUB(asymmetric_key_id_same);
// for exported cryptographic variables:
+ #undef key_type_asymmetric
+ DEFINE_CRYPTO_VAR_STUB(key_type_asymmetric);
+ #endif
```
5. **Lastly, collect the cryptographic initialization routines for later module and cryptography-subsystem initialization by wrapping the original cryptographic initialization functions:**
```
// in crypto/asymmetric_keys/asymmetric_type.c
- module_init(asymmetric_key_init);
- module_exit(asymmetric_key_cleanup);
+ crypto_module_init(asymmetric_key_init);
+ crypto_module_exit(asymmetric_key_cleanup);
```
We apply the above steps to both architecture-independent and architecture-specific cryptographic algorithms.
### 4.3. Initialization Synchronization
To ensure the embedded `fips140.ko` module binary provides the same cryptography functionality as the regular kernel, the kernel needs:
1. A module loader to load the module binary directly from memory,
2. A mechanism to plug the module back into the kernel by updating the address placeholders, and
3. Correct cryptography subsystem initialization, as if the cryptographic algorithms were still built-in.
**Directly Load Module Binary from Memory:**
Regular modules are loaded from the filesystem and undergo signature verification on the module binary, which relies on cryptographic operations. However, since we have already fully decoupled the cryptography subsystem, we must skip this step for this `fips140.ko` module.
To achieve this, we add a new loader function `load_crypto_module_mem()` that can load the module binary directly from memory at the designed address without checking the signature. Since the module binary is embedded into main kernel in an ELF section, as specified in the linker script:
```
// in arch/<arch>/kernel/vmlinux.lds.S
.fips140_embedded : AT(ADDR(.fips140_embedded) - LOAD_OFFSET) {
. = ALIGN(8);
_binary_fips140_ko_start = .;
KEEP(*(.fips140_module_data))
_binary_fips140_ko_end = .;
}
```
Therefore, the runtime memory address of the module can be accessed directly by the module loader to invoke the new loader function `load_crypto_module_mem()`.
**Plug Back the Module by Updating Address Placeholder Values:**
To update the address placeholders in the main kernel to the correct addresses matching the loaded module, after compilation the placeholders are placed into dedicated ELF sections `_crypto_api_keys` and `_crypto_var_keys`.
This can be seen from the definition of the placeholder-declaration wrappers:
```
#define DEFINE_CRYPTO_API_STUB(name) \ static struct crypto_api_key __##name##_key \ __used \ __section("__crypto_api_keys") // Place in a dedicated ELF Section
__aligned(__alignof__(struct crypto_api_key)) = \ { \ .key = &STATIC_CALL_KEY(crypto_##name##_key), \ .tramp = STATIC_CALL_TRAMP_ADDR(crypto_##name##_key), \ .func = &name, \ };
#define DEFINE_CRYPTO_VAR_STUB(name) \ static struct crypto_var_key __crypto_##name##_var_key \ __used \ __section("__crypto_var_keys") // Place in a dedicated ELF Section
__aligned(__alignof__(struct crypto_var_key)) = \ { \ .ptr = &CRYPTO_VAR_NAME(name), \ .var = (void*)&name, \ };
```
The purpose of doing this is to allow the main kernel to quickly locate the placeholders and update them to the correct addresses. The update functions are defined as `do_crypto_var()` and `do_crypto_api()`, which are executed at module load.
As a result, all cryptography users in the main kernel can now call the cryptographic functions as if they were built-in.
**Initialize Cryptography Subsystem as if it Were Built-in:**
Cryptographic components must be properly initialized before use, and this initialization is typically achieved through dedicated initialization functions (e.g., `module_init(crypto_init_func)` or `late_initcall(crypto_init_func)`). These functions often have strict execution order requirements and must run during the appropriate boot phase.
Therefore, for our standalone cryptography module feature, we must ensure that these decoupled “built-in” cryptographic algorithms are properly initialized and that their initialization order is preserved as before because failure to follow the correct order can result in kernel panic.
To address this, we introduce a synchronization mechanism between the main kernel and the module to ensure all cryptographic algorithms are executed in the correct kernel boot phase. In more details, we spawn the module initialization process `fips_loader_init()` as an async thread `fips140_sync_thread()`, in which we call `run_initcalls()` to execute the initialization calls of each cryptographic algorithm.
Then, we introduce synchronization helpers such as `wait_until_fips140_level_sync(int level)` to ensure the initialization order of all cryptographic algorithms is synchronized with the main kernel.
## 5. Customization and Extension of Cryptography Module
This section describes how developers can customize which cryptographic algorithms are included in the standalone cryptography module, as well as extend this feature to other cryptographic algorithms or hardware architectures.
### 5.1. Cryptography Selection Mechanism
The feature automatically includes cryptographic algorithms that meet specific criteria:
1. **Built-in Configuration**: Only cryptographic algorithms configured as `CONFIG_CRYPTO_*=y` are candidates for inclusion
2. **Explicit Inclusion**: Cryptographic algorithms must be explicitly converted using the `crypto-objs-$(CONFIG__CRYPTO_*`) build rule
### 5.2. Extend Support to New Cryptographic Algorithms
To extend support to a new cryptographic algorithm in the standalone module, follow these steps:
**Step 1: Update the Makefile**
```
# in crypto/[algorithm]/Makefile
- obj-$(CONFIG_CRYPTO_ALGORITHM) += algorithm.o
+ crypto-objs-$(CONFIG_CRYPTO_ALGORITHM) += algorithm.o
```
For Architecture-Specific Cryptographic Algorithms:
- Apply the `crypto-objs-` rule in the appropriate `arch/*/crypto/Makefile`
**Step 2: Add Pluggable Interface Support**
If the cryptographic algorithm exports symbols via `EXPORT_SYMBOL()`, add the pluggable interface wrappers:
```
# Example: in include/crypto/algorithm.h
- extern int crypto_algorithm_transform(struct crypto_tfm *tfm, const u8 *src,
u8 *dst, unsigned int len, u32 flags);
+ DECLARE_CRYPTO_API(CONFIG_CRYPTO_ALGORITHM, crypto_algorithm_transform, int,
(struct crypto_tfm *tfm, const u8 *src, u8 *dst, unsigned int len, u32 flags),
(tfm, src, dst, len, flags));
```
Then, add the corresponding stubs in `crypto/fips140/fips140-api.c`:
```
#if IS_BUILTIN(CONFIG_CRYPTO_ALGORITHM)
#include <crypto/algorithm.h>
DEFINE_CRYPTO_API_STUB(crypto_algorithm_transform);
#endif
```
For Architecture-Specific Cryptographic Algorithms:
- Include architecture-specific stubs in `arch/*/crypto/fips140/fips140-api.c`:
```
# Example: in arch/arm64/crypto/fips140/fips140-api.c
#if IS_BUILTIN(CONFIG_CRYPTO_AES_ARM64_CE)
#include <arch/arm64/crypto/aes-ce-setkey.h>
DEFINE_CRYPTO_API_STUB(ce_aes_setkey);
DEFINE_CRYPTO_API_STUB(ce_aes_expandkey);
#endif
```
**Step 3: Update Initialization**
Replace module initialization calls:
```
# in crypto/algorithm/algorithm.c
- module_init(algorithm_init);
- module_exit(algorithm_exit);
+ crypto_module_init(algorithm_init);
+ crypto_module_exit(algorithm_exit);
```
### 5.3. Architecture-Specific Extensions
**Extending to New Architectures:**
Currently supported architectures are x86_64 and ARM64. To extend this feature to additional architectures:
1. **Update Linker Scripts**: Add ELF sections in `arch/[new-arch]/kernel/vmlinux.lds.S`:
```
.fips140_embedded : AT(ADDR(.fips140_embedded) - LOAD_OFFSET) {
. = ALIGN(8);
_binary_fips140_ko_start = .;
KEEP(*(.fips140_module_data))
_binary_fips140_ko_end = .;
}
```
2. **Create Architecture-Specific Files**: Set up `arch/[new-arch]/crypto/fips140/` directory with Makefile and `fips140-api.c` following the pattern used in x86_64 and ARM64.
## 6. Related Work and Comparison
The idea of modularizing kernel cryptographic functionality has also attracted attention from other Linux distributions as well as Linux-kernel-based platforms that are not traditional distributions. Specifically, there are two related efforts: one from [Android's GKI kernel](https://source.android.com/docs/core/architecture/kernel/gki-fips140-module) and another from [Oracle Linux](https://git.kernel.org/pub/scm/linux/kernel/git/vegard/linux-fips140.git/log/?h=fips140). While Amazon Linux incorporated several valuable ideas from these efforts (and have acknowledged them in the patch commits—thank you again!), this section highlights the key differences between those approaches and this approach. The goal is to describe the trade-offs and design choices objectively, rather than to criticize other implementations.
### 6.1. Comparison with Android's GKI
Android's work is the earliest one on modularizing kernel cryptographic code, and it targets a non-intrusive approach to the core GKI kernel, with the goal of minimizing modifications to the kernel source. To achieve this, the crypto module relies on several interception or "hijacking" techniques that intervene in the core kernel execution path.
While this approach minimizes kernel code changes, we don't adopt such an approach for several reasons. First, these interception mechanisms tightly depend on internal kernel crypto subsystem behavior, making them fragile across major kernel updates thus less suitable to reuse the same module on newer major kernel versions. Second, this design requires substantial additional cryptographic code duplication, which impacts maintainability. Finally, the solution only supports a fixed set of cryptographic algorithms, making it non-general and difficult to extend.
In contrast, our design integrates directly into the Linux kernel source tree, avoids duplicated cryptographic implementations, supports arbitrary kernel configuration settings, and works with any chosen set of cryptographic algorithms.
### 6.2. Comparison with Oracle Linux
Oracle’s work was developed concurrently with this approach. The primary differences between Oracle’s approach and Amazon's lie in build integration, pluggable interface design, and module initialization.
**Build Integration:**
Oracle's module is implemented as an out-of-tree module with a separate Makefile. This introduces three major reasons we don't adopt such an approach:
*First*, the separate Makefile duplicates many kernel build rules, which increases maintenance cost, as upstream kernel build changes must be tracked and replicated. One concrete example can be seen below:
in Oracle's module makefile
```
fips140-y += crypto/skcipher.o
fips140-y += crypto/lskcipher.o
```
However, in upstream, the corresponding build logic is more complex and configuration-dependent:
```
crypto_skcipher-y += lskcipher.o
crypto_skcipher-y += skcipher.o
obj-$(CONFIG_CRYPTO_SKCIPHER2) += crypto_skcipher.o
ifeq ($(CONFIG_BPF_SYSCALL),y)
obj-$(CONFIG_CRYPTO_SKCIPHER2) += bpf_crypto_skcipher.o
endif
```
As shown above, when `CONFIG_BPF_SYSCALL` is enabled, `bpf_crypto_skcipher.o` must also be included. Tracking such dependencies is hard in the duplicated Makefile approach. In contrast, our approach integrates seamlessly into the kernel build system by introducing a customized build rule (`crypto-objs-*`) rather than relying on a duplicated Makefile, such that this is handled correctly by reusing the existing kernel build logic:
```
crypto_skcipher-y += lskcipher.o
crypto_skcipher-y += skcipher.o
- obj-$(CONFIG_CRYPTO_SKCIPHER2) += crypto_skcipher.o
+ crypto-objs-$(CONFIG_CRYPTO_SKCIPHER2) += crypto_skcipher.o
ifeq ($(CONFIG_BPF_SYSCALL),y)
- obj-$(CONFIG_CRYPTO_SKCIPHER2) += bpf_crypto_skcipher.o
+ crypto-objs-$(CONFIG_CRYPTO_SKCIPHER2) += bpf_crypto_skcipher.o
endif
```
As a result, such a Makefile-duplication approach does not scale well across all kernel configurations and does not easily support arbitrary sets of cryptographic algorithms.
*Second*, since the module is to be embedded as part of the kernel image (i.e., `vmlinux`) as described earlier, the module build must be triggered automatically as part of the `vmlinux` build process to achieve a seamless build workflow. However, Oracle's module build is not tightly integrated into the kernel build framework and requires special build commands (e.g., first do `make M=fips140/` specifically, then do some shell command and finally `make`).
In contrast, our approach improves this aspect by integrating the module build tightly into the regular kernel build, so the build process is seamless and automatic with regular build and packaging processes such as `make` or `make vmlinux` or `make install`.
**Pluggable Interface:**
There are several differences in the pluggable interface design.
*First*, we avoid duplicate crypto code so only keep one crypto code in kernel memory, while existing work keeps two crypto code even if these crypto code are from the same source code. This is due to the way Oracle defines pluggable interface macros in `crypto/api`, where its design requires some cryptographic code to remain compiled into the main kernel image in addition to the code inside the standalone cryptography module. Keeping two crypto code is ok if these code are different and designed to be used for different runtime modes (i.e., FIPS/non-FIPS mode), but will be unnecessary if both crypto code are the same.
In contrast, the approach we use can flexibly support both choices: keep one cryptography subsystem, or two different crypto subsystems. To do so, we introduce an option `CRYPTO_FIPS140_DUAL_VERSION` such that when it is disabled, we only keep one cryptographic subsystem in the cryptography module while completely removing it from the main kernel; and when it is enabled, we allow having two different modules carrying different cryptography for different kernel runtime modes (i.e., FIPS and non-FIPS mode).
*Second*, existing approach requires modifications to both the cryptographic implementation (.c) files and the declaration (.h) header files while our approach only requires modifying the header file, making the change less intrusive to the kernel codebase.
*Third*, prior approaches mainly support making cryptographic function calls pluggable, while our approach extends pluggability to cryptographic variables as well.
*Fourth*, prior approach requires all cryptographics that we care (for any purpose such as those within FIPS boundary) to be included within a single kernel module `fips140.ko` (e.g., when `CONFIG_CRYPTO_AES=m`, it cannot be `aes.ko` but must be within fips140.ko). However, this requirement limits the inherent benefit of a kernel module (i.e., on-demand loading for memory efficiency). In contrast, our approach allows the cryptographic we care remain its original modular if it is configured as being so (i.e., if `CONFIG_CRYPTO_AES=m`, the aes will still be as `aes.ko` but not forced to `fips140.ko`) up to the `.config` setting. One benefit of this design is that it does not impose strict requirements on `.config` setting (i.e., a cryptography `.config` can be set to both `=y|m` while existing work must be set as `=y`), preserving configuration flexibility.
To support so, for any cryptography within the interest (i.e., whose makerule has been replaced with `crypto-objs-*`) but configured as build-as-module (i.e., `CONFIG_CRYPTO_*=m`), its compiled `.ko` binary will be marked automatically, such that the loader will have a way to recognize to perform some interest-specific processing (e.g., registered as FIPS-required flag) if needed. And the pluggable interface can also adjust its coverage automatically based on different `CONFIG_CRYPTO_*=y|=m` settings. This is achieved by letting the pluggable interface macro to take `CONFIG_CRYPTO_*` option as a parameter to recognize the `.config` setting.
**Module Initialization:**
Oracle's initialization routine does not guarantee preservation of the original crypto initialization order (i.e., the order they should follow if they were originally built-in in the main kernel), which limits its ability to support arbitrary combinations of cryptographic algorithms. This is because the crypto initialization routine in the module is executed too early, such that all module crypto is initialized before the cryptography init in the main kernel. So if there is a crypto in the module (e.g., a crypto init defined as `late_init()`) that depends on a cryptography (whose init is defined as `module_init()`) in the main kernel, since the one in the main kernel should be executed earlier (but because the module init is too early, it makes the crypto in the main kernel executed too late), such a case will break the kernel boot process.
Our design, on the other hand, introduces explicit initialization synchronization mechanisms between cryptography's init routine in the module and in the main kernel that can preserve the original built-in initialization order. As a result, our module supports any chosen crypto set to be included in the module.
### 6.3. Comparison Summary
Overall, combined with differences in coding style and integration strategy, the proposed approach is more seamlessly integrated with the upstream Linux kernel, making it more generalizable across different kernel configuration settings, and the changed behavior more invisible to kernel users.
## 7. Summary
In this patch series, Amazon Linux proposes a new kernel feature that decouples the built-in crypto subsystem into a dedicated kernel module. To achieve this, several key mechanisms are designed, including specialized compile rules, a novel pluggable interface mechanism, and a module-loading initialization process. This feature is designed in an upstream-friendly manner so that it can support arbitrary kernel configuration settings and arbitrary chosen sets of cryptographic algorithms. It is planned to be officially launched with the Amazon Linux Kernel 6.18 and future kernels.
---
Written by Jay Wang <wanjay@amazon.com>, Amazon Linux
Jay Wang (21):
x86: crypto: convert exported crypto symbol into pluggable interface
for CONFIG_CRYPTO_CAST5_AVX_X86_64 and
CONFIG_CRYPTO_CAST6_AVX_X86_64 crypto
x86: crypto: convert exported crypto symbol into pluggable interface
for CONFIG_CRYPTO_TWOFISH_X86_64 crypto
x86: crypto: convert exported crypto symbol into pluggable interface
for CONFIG_CRYPTO_TWOFISH_X86_64_3WAY crypto
x86: crypto: convert exported crypto symbol into pluggable interface
for CONFIG_CRYPTO_TWOFISH_AVX_X86_64 crypto
x86: crypto: convert exported crypto symbol into pluggable interface
for CONFIG_CRYPTO_SERPENT_SSE2_X86_64 crypto
x86: crypto: convert exported crypto symbol into pluggable interface
for CONFIG_CRYPTO_SERPENT_AVX_X86_64 crypto
x86: crypto: convert exported crypto symbol into pluggable interface
for CONFIG_CRYPTO_SERPENT_AVX2_X86_64 crypto
x86: crypto: convert exported crypto symbol into pluggable interface
for CONFIG_CRYPTO_DES3_EDE_X86_64 crypto
x86: crypto: convert exported crypto symbol into pluggable interface
for CONFIG_CRYPTO_CAMELLIA_X86_64 crypto
x86: crypto: convert exported crypto symbol into pluggable interface
for CONFIG_CRYPTO_AES_NI_INTEL crypto
x86: crypto: convert exported crypto symbol into pluggable interface
for CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64 crypto
x86: crypto: convert exported crypto symbol into pluggable interface
for CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64 crypto
x86: crypto: convert exported crypto symbol into pluggable interface
for CONFIG_CRYPTO_BLOWFISH_X86_64 crypto
x86: crypto: convert exported crypto symbol into pluggable interface
for CONFIG_CRYPTO_AEGIS128_AESNI_SSE2 crypto
x86: crypto: convert exported crypto symbol into pluggable interface
for CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL crypto
x86: crypto: convert exported crypto symbol into pluggable interface
for CONFIG_CRYPTO_SM3_AVX_X86_64 crypto
x86: crypto: convert exported crypto symbol into pluggable interface
for CONFIG_CRYPTO_SM4_AESNI_AVX_X86_64 crypto
x86: crypto: convert exported crypto symbol into pluggable interface
for CONFIG_CRYPTO_SM4_AESNI_AVX2_X86_64 crypto
x86: crypto: convert exported crypto symbol into pluggable interface
for CONFIG_CRYPTO_ARIA_AESNI_AVX_X86_64 crypto
x86: crypto: convert exported crypto symbol into pluggable interface
for CONFIG_CRYPTO_ARIA_AESNI_AVX2_X86_64 crypto
x86: crypto: convert exported crypto symbol into pluggable interface
for CONFIG_CRYPTO_ARIA_GFNI_AVX512_X86_64 crypto
arch/x86/crypto/Makefile | 44 ++++----
arch/x86/crypto/aegis128-aesni-glue.c | 4 +-
arch/x86/crypto/aesni-intel_glue.c | 4 +-
arch/x86/crypto/aria-avx.h | 71 ++++++++-----
arch/x86/crypto/aria_aesni_avx2_glue.c | 4 +-
arch/x86/crypto/aria_aesni_avx_glue.c | 4 +-
arch/x86/crypto/aria_gfni_avx512_glue.c | 4 +-
arch/x86/crypto/blowfish_glue.c | 4 +-
arch/x86/crypto/camellia.h | 42 +++++---
arch/x86/crypto/camellia_aesni_avx2_glue.c | 4 +-
arch/x86/crypto/camellia_aesni_avx_glue.c | 4 +-
arch/x86/crypto/camellia_glue.c | 4 +-
arch/x86/crypto/cast5_avx_glue.c | 4 +-
arch/x86/crypto/cast6_avx_glue.c | 4 +-
arch/x86/crypto/des3_ede_glue.c | 4 +-
arch/x86/crypto/fips140/fips140-api.c | 117 +++++++++++++++++++++
arch/x86/crypto/ghash-clmulni-intel_glue.c | 4 +-
arch/x86/crypto/serpent-avx.h | 17 +--
arch/x86/crypto/serpent_avx2_glue.c | 4 +-
arch/x86/crypto/serpent_avx_glue.c | 4 +-
arch/x86/crypto/serpent_sse2_glue.c | 4 +-
arch/x86/crypto/sm3_avx_glue.c | 4 +-
arch/x86/crypto/sm4-avx.h | 26 +++--
arch/x86/crypto/sm4_aesni_avx2_glue.c | 4 +-
arch/x86/crypto/sm4_aesni_avx_glue.c | 4 +-
arch/x86/crypto/twofish.h | 22 ++--
arch/x86/crypto/twofish_avx_glue.c | 4 +-
arch/x86/crypto/twofish_glue.c | 4 +-
arch/x86/crypto/twofish_glue_3way.c | 4 +-
29 files changed, 296 insertions(+), 131 deletions(-)
--
2.47.3
^ permalink raw reply
* [PATCH 01/21] x86: crypto: convert exported crypto symbol into pluggable interface for CONFIG_CRYPTO_CAST5_AVX_X86_64 and CONFIG_CRYPTO_CAST6_AVX_X86_64 crypto
From: Jay Wang @ 2026-02-12 3:14 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212031521.2124-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_CRYPTO_CAST5_AVX_X86_64- and CONFIG_CRYPTO_CAST6_AVX_X86_64-
related crypto to convert them into pluggable interface.
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
arch/x86/crypto/Makefile | 4 ++--
arch/x86/crypto/cast5_avx_glue.c | 4 ++--
arch/x86/crypto/cast6_avx_glue.c | 4 ++--
3 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/arch/x86/crypto/Makefile b/arch/x86/crypto/Makefile
index ab248a1beb00..27010cb2326c 100644
--- a/arch/x86/crypto/Makefile
+++ b/arch/x86/crypto/Makefile
@@ -33,10 +33,10 @@ camellia-aesni-avx2-y := camellia-aesni-avx2-asm_64.o camellia_aesni_avx2_glue.o
obj-$(CONFIG_CRYPTO_BLOWFISH_X86_64) += blowfish-x86_64.o
blowfish-x86_64-y := blowfish-x86_64-asm_64.o blowfish_glue.o
-obj-$(CONFIG_CRYPTO_CAST5_AVX_X86_64) += cast5-avx-x86_64.o
+crypto-objs-$(CONFIG_CRYPTO_CAST5_AVX_X86_64) += cast5-avx-x86_64.o
cast5-avx-x86_64-y := cast5-avx-x86_64-asm_64.o cast5_avx_glue.o
-obj-$(CONFIG_CRYPTO_CAST6_AVX_X86_64) += cast6-avx-x86_64.o
+crypto-objs-$(CONFIG_CRYPTO_CAST6_AVX_X86_64) += cast6-avx-x86_64.o
cast6-avx-x86_64-y := cast6-avx-x86_64-asm_64.o cast6_avx_glue.o
obj-$(CONFIG_CRYPTO_AEGIS128_AESNI_SSE2) += aegis128-aesni.o
diff --git a/arch/x86/crypto/cast5_avx_glue.c b/arch/x86/crypto/cast5_avx_glue.c
index 3aca04d43b34..267fc2948288 100644
--- a/arch/x86/crypto/cast5_avx_glue.c
+++ b/arch/x86/crypto/cast5_avx_glue.c
@@ -109,8 +109,8 @@ static void __exit cast5_exit(void)
crypto_unregister_skciphers(cast5_algs, ARRAY_SIZE(cast5_algs));
}
-module_init(cast5_init);
-module_exit(cast5_exit);
+crypto_module_init(cast5_init);
+crypto_module_exit(cast5_exit);
MODULE_DESCRIPTION("Cast5 Cipher Algorithm, AVX optimized");
MODULE_LICENSE("GPL");
diff --git a/arch/x86/crypto/cast6_avx_glue.c b/arch/x86/crypto/cast6_avx_glue.c
index c4dd28c30303..5ab35cf5817a 100644
--- a/arch/x86/crypto/cast6_avx_glue.c
+++ b/arch/x86/crypto/cast6_avx_glue.c
@@ -108,8 +108,8 @@ static void __exit cast6_exit(void)
crypto_unregister_skciphers(cast6_algs, ARRAY_SIZE(cast6_algs));
}
-module_init(cast6_init);
-module_exit(cast6_exit);
+crypto_module_init(cast6_init);
+crypto_module_exit(cast6_exit);
MODULE_DESCRIPTION("Cast6 Cipher Algorithm, AVX optimized");
MODULE_LICENSE("GPL");
--
2.47.3
^ permalink raw reply related
* [PATCH 02/21] x86: crypto: convert exported crypto symbol into pluggable interface for CONFIG_CRYPTO_TWOFISH_X86_64 crypto
From: Jay Wang @ 2026-02-12 3:15 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212031521.2124-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_CRYPTO_TWOFISH_X86_64-related crypto to convert them into pluggable
interface.
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
arch/x86/crypto/Makefile | 2 +-
arch/x86/crypto/fips140/fips140-api.c | 11 +++++++++++
arch/x86/crypto/twofish.h | 9 +++++++--
arch/x86/crypto/twofish_glue.c | 4 ++--
4 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/arch/x86/crypto/Makefile b/arch/x86/crypto/Makefile
index 27010cb2326c..ed8958bffbc9 100644
--- a/arch/x86/crypto/Makefile
+++ b/arch/x86/crypto/Makefile
@@ -4,7 +4,7 @@
obj-$(CONFIG_CRYPTO_TWOFISH_586) += twofish-i586.o
twofish-i586-y := twofish-i586-asm_32.o twofish_glue.o
-obj-$(CONFIG_CRYPTO_TWOFISH_X86_64) += twofish-x86_64.o
+crypto-objs-$(CONFIG_CRYPTO_TWOFISH_X86_64) += twofish-x86_64.o
twofish-x86_64-y := twofish-x86_64-asm_64.o twofish_glue.o
obj-$(CONFIG_CRYPTO_TWOFISH_X86_64_3WAY) += twofish-x86_64-3way.o
twofish-x86_64-3way-y := twofish-x86_64-asm_64-3way.o twofish_glue_3way.o
diff --git a/arch/x86/crypto/fips140/fips140-api.c b/arch/x86/crypto/fips140/fips140-api.c
index e69de29bb2d1..bb8ca949caef 100644
--- a/arch/x86/crypto/fips140/fips140-api.c
+++ b/arch/x86/crypto/fips140/fips140-api.c
@@ -0,0 +1,11 @@
+/*
+ * arch/x86/crypto/twofish_glue.c
+ */
+#if IS_BUILTIN(CONFIG_CRYPTO_TWOFISH_X86_64)
+
+#include <arch/x86/crypto/twofish.h>
+
+DEFINE_CRYPTO_API_STUB(twofish_enc_blk);
+DEFINE_CRYPTO_API_STUB(twofish_dec_blk);
+
+#endif
\ No newline at end of file
diff --git a/arch/x86/crypto/twofish.h b/arch/x86/crypto/twofish.h
index 12df400e6d53..c44d2f53ee11 100644
--- a/arch/x86/crypto/twofish.h
+++ b/arch/x86/crypto/twofish.h
@@ -2,13 +2,18 @@
#ifndef ASM_X86_TWOFISH_H
#define ASM_X86_TWOFISH_H
+#include <crypto/api.h>
#include <linux/crypto.h>
#include <crypto/twofish.h>
#include <crypto/b128ops.h>
/* regular block cipher functions from twofish_x86_64 module */
-asmlinkage void twofish_enc_blk(const void *ctx, u8 *dst, const u8 *src);
-asmlinkage void twofish_dec_blk(const void *ctx, u8 *dst, const u8 *src);
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_TWOFISH_X86_64, twofish_enc_blk, asmlinkage void,
+ (const void *ctx, u8 *dst, const u8 *src),
+ (ctx, dst, src));
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_TWOFISH_X86_64, twofish_dec_blk, asmlinkage void,
+ (const void *ctx, u8 *dst, const u8 *src),
+ (ctx, dst, src));
/* 3-way parallel cipher functions */
asmlinkage void __twofish_enc_blk_3way(const void *ctx, u8 *dst, const u8 *src,
diff --git a/arch/x86/crypto/twofish_glue.c b/arch/x86/crypto/twofish_glue.c
index 8e9906d36902..8787a1d2cec4 100644
--- a/arch/x86/crypto/twofish_glue.c
+++ b/arch/x86/crypto/twofish_glue.c
@@ -91,8 +91,8 @@ static void __exit twofish_glue_fini(void)
crypto_unregister_alg(&alg);
}
-module_init(twofish_glue_init);
-module_exit(twofish_glue_fini);
+crypto_module_init(twofish_glue_init);
+crypto_module_exit(twofish_glue_fini);
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION ("Twofish Cipher Algorithm, asm optimized");
--
2.47.3
^ permalink raw reply related
* [PATCH 03/21] x86: crypto: convert exported crypto symbol into pluggable interface for CONFIG_CRYPTO_TWOFISH_X86_64_3WAY crypto
From: Jay Wang @ 2026-02-12 3:15 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212031521.2124-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_CRYPTO_TWOFISH_X86_64_3WAY-related crypto to convert them into pluggable
interface.
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
arch/x86/crypto/Makefile | 2 +-
arch/x86/crypto/fips140/fips140-api.c | 13 +++++++++++++
arch/x86/crypto/twofish.h | 13 +++++++++----
arch/x86/crypto/twofish_glue_3way.c | 4 ++--
4 files changed, 25 insertions(+), 7 deletions(-)
diff --git a/arch/x86/crypto/Makefile b/arch/x86/crypto/Makefile
index ed8958bffbc9..f224f5206bbb 100644
--- a/arch/x86/crypto/Makefile
+++ b/arch/x86/crypto/Makefile
@@ -6,7 +6,7 @@ obj-$(CONFIG_CRYPTO_TWOFISH_586) += twofish-i586.o
twofish-i586-y := twofish-i586-asm_32.o twofish_glue.o
crypto-objs-$(CONFIG_CRYPTO_TWOFISH_X86_64) += twofish-x86_64.o
twofish-x86_64-y := twofish-x86_64-asm_64.o twofish_glue.o
-obj-$(CONFIG_CRYPTO_TWOFISH_X86_64_3WAY) += twofish-x86_64-3way.o
+crypto-objs-$(CONFIG_CRYPTO_TWOFISH_X86_64_3WAY) += twofish-x86_64-3way.o
twofish-x86_64-3way-y := twofish-x86_64-asm_64-3way.o twofish_glue_3way.o
obj-$(CONFIG_CRYPTO_TWOFISH_AVX_X86_64) += twofish-avx-x86_64.o
twofish-avx-x86_64-y := twofish-avx-x86_64-asm_64.o twofish_avx_glue.o
diff --git a/arch/x86/crypto/fips140/fips140-api.c b/arch/x86/crypto/fips140/fips140-api.c
index bb8ca949caef..a1a207fa34cd 100644
--- a/arch/x86/crypto/fips140/fips140-api.c
+++ b/arch/x86/crypto/fips140/fips140-api.c
@@ -8,4 +8,17 @@
DEFINE_CRYPTO_API_STUB(twofish_enc_blk);
DEFINE_CRYPTO_API_STUB(twofish_dec_blk);
+#endif
+
+/*
+ * arch/x86/crypto/twofish_glue_3way.c
+ */
+#if IS_BUILTIN(CONFIG_CRYPTO_TWOFISH_X86_64_3WAY)
+
+#include <arch/x86/crypto/twofish.h>
+
+DEFINE_CRYPTO_API_STUB(__twofish_enc_blk_3way);
+DEFINE_CRYPTO_API_STUB(twofish_dec_blk_3way);
+DEFINE_CRYPTO_API_STUB(twofish_dec_blk_cbc_3way);
+
#endif
\ No newline at end of file
diff --git a/arch/x86/crypto/twofish.h b/arch/x86/crypto/twofish.h
index c44d2f53ee11..3ee4caa05428 100644
--- a/arch/x86/crypto/twofish.h
+++ b/arch/x86/crypto/twofish.h
@@ -16,11 +16,16 @@ DECLARE_CRYPTO_API(CONFIG_CRYPTO_TWOFISH_X86_64, twofish_dec_blk, asmlinkage voi
(ctx, dst, src));
/* 3-way parallel cipher functions */
-asmlinkage void __twofish_enc_blk_3way(const void *ctx, u8 *dst, const u8 *src,
- bool xor);
-asmlinkage void twofish_dec_blk_3way(const void *ctx, u8 *dst, const u8 *src);
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_TWOFISH_X86_64_3WAY, __twofish_enc_blk_3way, asmlinkage void,
+ (const void *ctx, u8 *dst, const u8 *src, bool xor),
+ (ctx, dst, src, xor));
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_TWOFISH_X86_64_3WAY, twofish_dec_blk_3way, asmlinkage void,
+ (const void *ctx, u8 *dst, const u8 *src),
+ (ctx, dst, src));
/* helpers from twofish_x86_64-3way module */
-extern void twofish_dec_blk_cbc_3way(const void *ctx, u8 *dst, const u8 *src);
+DECLARE_CRYPTO_API(CONFIG_CRYPTO_TWOFISH_X86_64_3WAY, twofish_dec_blk_cbc_3way, void,
+ (const void *ctx, u8 *dst, const u8 *src),
+ (ctx, dst, src));
#endif /* ASM_X86_TWOFISH_H */
diff --git a/arch/x86/crypto/twofish_glue_3way.c b/arch/x86/crypto/twofish_glue_3way.c
index 8ad77725bf60..996753732402 100644
--- a/arch/x86/crypto/twofish_glue_3way.c
+++ b/arch/x86/crypto/twofish_glue_3way.c
@@ -161,8 +161,8 @@ static void __exit twofish_3way_fini(void)
crypto_unregister_skciphers(tf_skciphers, ARRAY_SIZE(tf_skciphers));
}
-module_init(twofish_3way_init);
-module_exit(twofish_3way_fini);
+crypto_module_init(twofish_3way_init);
+crypto_module_exit(twofish_3way_fini);
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Twofish Cipher Algorithm, 3-way parallel asm optimized");
--
2.47.3
^ permalink raw reply related
* [PATCH 04/21] x86: crypto: convert exported crypto symbol into pluggable interface for CONFIG_CRYPTO_TWOFISH_AVX_X86_64 crypto
From: Jay Wang @ 2026-02-12 3:15 UTC (permalink / raw)
To: Herbert Xu, David S . Miller, linux-crypto
Cc: Jay Wang, Vegard Nossum, Nicolai Stange, Ilia Okomin,
Catalin Marinas, Will Deacon, Thomas Gleixner, Ingo Molnar,
Borislav Petkov, Luis Chamberlain, Petr Pavlu, Nathan Chancellor,
Nicolas Schier, linux-arm-kernel, x86, linux-kbuild,
linux-modules
In-Reply-To: <20260212031521.2124-1-wanjay@amazon.com>
Apply Crypto API wrappers to the exported crypto symbol in
CONFIG_CRYPTO_TWOFISH_AVX_X86_64-related crypto to convert them into pluggable
interface.
Signed-off-by: Jay Wang <wanjay@amazon.com>
---
arch/x86/crypto/Makefile | 2 +-
arch/x86/crypto/twofish_avx_glue.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/x86/crypto/Makefile b/arch/x86/crypto/Makefile
index f224f5206bbb..c1236012784d 100644
--- a/arch/x86/crypto/Makefile
+++ b/arch/x86/crypto/Makefile
@@ -8,7 +8,7 @@ crypto-objs-$(CONFIG_CRYPTO_TWOFISH_X86_64) += twofish-x86_64.o
twofish-x86_64-y := twofish-x86_64-asm_64.o twofish_glue.o
crypto-objs-$(CONFIG_CRYPTO_TWOFISH_X86_64_3WAY) += twofish-x86_64-3way.o
twofish-x86_64-3way-y := twofish-x86_64-asm_64-3way.o twofish_glue_3way.o
-obj-$(CONFIG_CRYPTO_TWOFISH_AVX_X86_64) += twofish-avx-x86_64.o
+crypto-objs-$(CONFIG_CRYPTO_TWOFISH_AVX_X86_64) += twofish-avx-x86_64.o
twofish-avx-x86_64-y := twofish-avx-x86_64-asm_64.o twofish_avx_glue.o
obj-$(CONFIG_CRYPTO_SERPENT_SSE2_586) += serpent-sse2-i586.o
diff --git a/arch/x86/crypto/twofish_avx_glue.c b/arch/x86/crypto/twofish_avx_glue.c
index 9e20db013750..0446ce446634 100644
--- a/arch/x86/crypto/twofish_avx_glue.c
+++ b/arch/x86/crypto/twofish_avx_glue.c
@@ -118,8 +118,8 @@ static void __exit twofish_exit(void)
crypto_unregister_skciphers(twofish_algs, ARRAY_SIZE(twofish_algs));
}
-module_init(twofish_init);
-module_exit(twofish_exit);
+crypto_module_init(twofish_init);
+crypto_module_exit(twofish_exit);
MODULE_DESCRIPTION("Twofish Cipher Algorithm, AVX optimized");
MODULE_LICENSE("GPL");
--
2.47.3
^ permalink raw reply related
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox