From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, Ard Biesheuvel <ardb@kernel.org>,
"Jason A . Donenfeld" <Jason@zx2c4.com>,
Herbert Xu <herbert@gondor.apana.org.au>,
linux-arm-kernel@lists.infradead.org,
linuxppc-dev@lists.ozlabs.org, linux-riscv@lists.infradead.org,
linux-s390@vger.kernel.org, sparclinux@vger.kernel.org,
x86@kernel.org, Holger Dengler <dengler@linux.ibm.com>,
Harald Freudenberger <freude@linux.ibm.com>,
Eric Biggers <ebiggers@kernel.org>
Subject: [PATCH v2 29/35] crypto: drbg - Use new AES library API
Date: Mon, 12 Jan 2026 11:20:27 -0800 [thread overview]
Message-ID: <20260112192035.10427-30-ebiggers@kernel.org> (raw)
In-Reply-To: <20260112192035.10427-1-ebiggers@kernel.org>
Switch from the old AES library functions (which use struct
crypto_aes_ctx) to the new ones (which use struct aes_enckey). This
eliminates the unnecessary computation and caching of the decryption
round keys. The new AES en/decryption functions are also much faster
and use AES instructions when supported by the CPU.
Note that in addition to the change in the key preparation function and
the key struct type itself, the change in the type of the key struct
results in aes_encrypt() (which is temporarily a type-generic macro)
calling the new encryption function rather than the old one.
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
crypto/df_sp80090a.c | 30 ++++++++++-------------------
crypto/drbg.c | 12 ++++++------
drivers/crypto/xilinx/xilinx-trng.c | 8 ++++----
include/crypto/df_sp80090a.h | 2 +-
4 files changed, 21 insertions(+), 31 deletions(-)
diff --git a/crypto/df_sp80090a.c b/crypto/df_sp80090a.c
index dc63b31a93fc..b8134be6f7ad 100644
--- a/crypto/df_sp80090a.c
+++ b/crypto/df_sp80090a.c
@@ -12,31 +12,21 @@
#include <linux/string.h>
#include <crypto/aes.h>
#include <crypto/df_sp80090a.h>
#include <crypto/internal/drbg.h>
-static void drbg_kcapi_symsetkey(struct crypto_aes_ctx *aesctx,
- const unsigned char *key,
- u8 keylen);
-static void drbg_kcapi_symsetkey(struct crypto_aes_ctx *aesctx,
- const unsigned char *key, u8 keylen)
-{
- aes_expandkey(aesctx, key, keylen);
-}
-
-static void drbg_kcapi_sym(struct crypto_aes_ctx *aesctx,
- unsigned char *outval,
+static void drbg_kcapi_sym(struct aes_enckey *aeskey, unsigned char *outval,
const struct drbg_string *in, u8 blocklen_bytes)
{
/* there is only component in *in */
BUG_ON(in->len < blocklen_bytes);
- aes_encrypt(aesctx, outval, in->buf);
+ aes_encrypt(aeskey, outval, in->buf);
}
/* BCC function for CTR DRBG as defined in 10.4.3 */
-static void drbg_ctr_bcc(struct crypto_aes_ctx *aesctx,
+static void drbg_ctr_bcc(struct aes_enckey *aeskey,
unsigned char *out, const unsigned char *key,
struct list_head *in,
u8 blocklen_bytes,
u8 keylen)
{
@@ -45,30 +35,30 @@ static void drbg_ctr_bcc(struct crypto_aes_ctx *aesctx,
short cnt = 0;
drbg_string_fill(&data, out, blocklen_bytes);
/* 10.4.3 step 2 / 4 */
- drbg_kcapi_symsetkey(aesctx, key, keylen);
+ aes_prepareenckey(aeskey, key, keylen);
list_for_each_entry(curr, in, list) {
const unsigned char *pos = curr->buf;
size_t len = curr->len;
/* 10.4.3 step 4.1 */
while (len) {
/* 10.4.3 step 4.2 */
if (blocklen_bytes == cnt) {
cnt = 0;
- drbg_kcapi_sym(aesctx, out, &data, blocklen_bytes);
+ drbg_kcapi_sym(aeskey, out, &data, blocklen_bytes);
}
out[cnt] ^= *pos;
pos++;
cnt++;
len--;
}
}
/* 10.4.3 step 4.2 for last block */
if (cnt)
- drbg_kcapi_sym(aesctx, out, &data, blocklen_bytes);
+ drbg_kcapi_sym(aeskey, out, &data, blocklen_bytes);
}
/*
* scratchpad usage: drbg_ctr_update is interlinked with crypto_drbg_ctr_df
* (and drbg_ctr_bcc, but this function does not need any temporary buffers),
@@ -108,11 +98,11 @@ static void drbg_ctr_bcc(struct crypto_aes_ctx *aesctx,
* possibilities.
* refer to crypto_drbg_ctr_df_datalen() to get required length
*/
/* Derivation Function for CTR DRBG as defined in 10.4.2 */
-int crypto_drbg_ctr_df(struct crypto_aes_ctx *aesctx,
+int crypto_drbg_ctr_df(struct aes_enckey *aeskey,
unsigned char *df_data, size_t bytes_to_return,
struct list_head *seedlist,
u8 blocklen_bytes,
u8 statelen)
{
@@ -185,11 +175,11 @@ int crypto_drbg_ctr_df(struct crypto_aes_ctx *aesctx,
* holds zeros after allocation -- even the increment of i
* is irrelevant as the increment remains within length of i
*/
drbg_cpu_to_be32(i, iv);
/* 10.4.2 step 9.2 -- BCC and concatenation with temp */
- drbg_ctr_bcc(aesctx, temp + templen, K, &bcc_list,
+ drbg_ctr_bcc(aeskey, temp + templen, K, &bcc_list,
blocklen_bytes, keylen);
/* 10.4.2 step 9.3 */
i++;
templen += blocklen_bytes;
}
@@ -199,19 +189,19 @@ int crypto_drbg_ctr_df(struct crypto_aes_ctx *aesctx,
drbg_string_fill(&cipherin, X, blocklen_bytes);
/* 10.4.2 step 12: overwriting of outval is implemented in next step */
/* 10.4.2 step 13 */
- drbg_kcapi_symsetkey(aesctx, temp, keylen);
+ aes_prepareenckey(aeskey, temp, keylen);
while (generated_len < bytes_to_return) {
short blocklen = 0;
/*
* 10.4.2 step 13.1: the truncation of the key length is
* implicit as the key is only drbg_blocklen in size based on
* the implementation of the cipher function callback
*/
- drbg_kcapi_sym(aesctx, X, &cipherin, blocklen_bytes);
+ drbg_kcapi_sym(aeskey, X, &cipherin, blocklen_bytes);
blocklen = (blocklen_bytes <
(bytes_to_return - generated_len)) ?
blocklen_bytes :
(bytes_to_return - generated_len);
/* 10.4.2 step 13.2 and 14 */
diff --git a/crypto/drbg.c b/crypto/drbg.c
index 1d433dae9955..85cc4549bd58 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1503,13 +1503,13 @@ static int drbg_kcapi_hash(struct drbg_state *drbg, unsigned char *outval,
#endif /* (CONFIG_CRYPTO_DRBG_HASH || CONFIG_CRYPTO_DRBG_HMAC) */
#ifdef CONFIG_CRYPTO_DRBG_CTR
static int drbg_fini_sym_kernel(struct drbg_state *drbg)
{
- struct crypto_aes_ctx *aesctx = (struct crypto_aes_ctx *)drbg->priv_data;
+ struct aes_enckey *aeskey = drbg->priv_data;
- kfree(aesctx);
+ kfree(aeskey);
drbg->priv_data = NULL;
if (drbg->ctr_handle)
crypto_free_skcipher(drbg->ctr_handle);
drbg->ctr_handle = NULL;
@@ -1524,20 +1524,20 @@ static int drbg_fini_sym_kernel(struct drbg_state *drbg)
return 0;
}
static int drbg_init_sym_kernel(struct drbg_state *drbg)
{
- struct crypto_aes_ctx *aesctx;
+ struct aes_enckey *aeskey;
struct crypto_skcipher *sk_tfm;
struct skcipher_request *req;
unsigned int alignmask;
char ctr_name[CRYPTO_MAX_ALG_NAME];
- aesctx = kzalloc(sizeof(*aesctx), GFP_KERNEL);
- if (!aesctx)
+ aeskey = kzalloc(sizeof(*aeskey), GFP_KERNEL);
+ if (!aeskey)
return -ENOMEM;
- drbg->priv_data = aesctx;
+ drbg->priv_data = aeskey;
if (snprintf(ctr_name, CRYPTO_MAX_ALG_NAME, "ctr(%s)",
drbg->core->backend_cra_name) >= CRYPTO_MAX_ALG_NAME) {
drbg_fini_sym_kernel(drbg);
return -EINVAL;
diff --git a/drivers/crypto/xilinx/xilinx-trng.c b/drivers/crypto/xilinx/xilinx-trng.c
index db0fbb28ff32..5276ac2d82bb 100644
--- a/drivers/crypto/xilinx/xilinx-trng.c
+++ b/drivers/crypto/xilinx/xilinx-trng.c
@@ -58,11 +58,11 @@
struct xilinx_rng {
void __iomem *rng_base;
struct device *dev;
unsigned char *scratchpadbuf;
- struct crypto_aes_ctx *aesctx;
+ struct aes_enckey *aeskey;
struct mutex lock; /* Protect access to TRNG device */
struct hwrng trng;
};
struct xilinx_rng_ctx {
@@ -196,11 +196,11 @@ static int xtrng_reseed_internal(struct xilinx_rng *rng)
/* collect random data to use it as entropy (input for DF) */
ret = xtrng_collect_random_data(rng, entropy, TRNG_SEED_LEN_BYTES, true);
if (ret != TRNG_SEED_LEN_BYTES)
return -EINVAL;
- ret = crypto_drbg_ctr_df(rng->aesctx, rng->scratchpadbuf,
+ ret = crypto_drbg_ctr_df(rng->aeskey, rng->scratchpadbuf,
TRNG_SEED_LEN_BYTES, &seedlist, AES_BLOCK_SIZE,
TRNG_SEED_LEN_BYTES);
if (ret)
return ret;
@@ -347,12 +347,12 @@ static int xtrng_probe(struct platform_device *pdev)
if (IS_ERR(rng->rng_base)) {
dev_err(&pdev->dev, "Failed to map resource %pe\n", rng->rng_base);
return PTR_ERR(rng->rng_base);
}
- rng->aesctx = devm_kzalloc(&pdev->dev, sizeof(*rng->aesctx), GFP_KERNEL);
- if (!rng->aesctx)
+ rng->aeskey = devm_kzalloc(&pdev->dev, sizeof(*rng->aeskey), GFP_KERNEL);
+ if (!rng->aeskey)
return -ENOMEM;
sb_size = crypto_drbg_ctr_df_datalen(TRNG_SEED_LEN_BYTES, AES_BLOCK_SIZE);
rng->scratchpadbuf = devm_kzalloc(&pdev->dev, sb_size, GFP_KERNEL);
if (!rng->scratchpadbuf) {
diff --git a/include/crypto/df_sp80090a.h b/include/crypto/df_sp80090a.h
index 6b25305fe611..cb5d6fe15d40 100644
--- a/include/crypto/df_sp80090a.h
+++ b/include/crypto/df_sp80090a.h
@@ -16,11 +16,11 @@ static inline int crypto_drbg_ctr_df_datalen(u8 statelen, u8 blocklen)
blocklen + /* pad */
blocklen + /* iv */
statelen + blocklen; /* temp */
}
-int crypto_drbg_ctr_df(struct crypto_aes_ctx *aes,
+int crypto_drbg_ctr_df(struct aes_enckey *aes,
unsigned char *df_data,
size_t bytes_to_return,
struct list_head *seedlist,
u8 blocklen_bytes,
u8 statelen);
--
2.52.0
next prev parent reply other threads:[~2026-01-12 19:23 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-01-12 19:19 [PATCH v2 00/35] AES library improvements Eric Biggers
2026-01-12 19:19 ` [PATCH v2 01/35] crypto: powerpc/aes - Rename struct aes_key Eric Biggers
2026-01-12 19:20 ` [PATCH v2 02/35] lib/crypto: aes: Introduce improved AES library Eric Biggers
2026-01-12 19:20 ` [PATCH v2 03/35] crypto: arm/aes-neonbs - Use AES library for single blocks Eric Biggers
2026-01-12 19:20 ` [PATCH v2 04/35] crypto: arm/aes - Switch to aes_enc_tab[] and aes_dec_tab[] Eric Biggers
2026-01-12 19:20 ` [PATCH v2 05/35] crypto: arm64/aes " Eric Biggers
2026-01-12 19:20 ` [PATCH v2 06/35] crypto: arm64/aes - Select CRYPTO_LIB_SHA256 from correct places Eric Biggers
2026-01-12 19:20 ` [PATCH v2 07/35] crypto: aegis - Switch from crypto_ft_tab[] to aes_enc_tab[] Eric Biggers
2026-01-12 19:20 ` [PATCH v2 08/35] crypto: aes - Remove aes-fixed-time / CONFIG_CRYPTO_AES_TI Eric Biggers
2026-01-12 19:20 ` [PATCH v2 09/35] crypto: aes - Replace aes-generic with wrapper around lib Eric Biggers
2026-01-12 19:20 ` [PATCH v2 10/35] lib/crypto: arm/aes: Migrate optimized code into library Eric Biggers
2026-01-12 19:20 ` [PATCH v2 11/35] lib/crypto: arm64/aes: " Eric Biggers
2026-01-12 19:20 ` [PATCH v2 12/35] lib/crypto: powerpc/aes: Migrate SPE " Eric Biggers
2026-01-12 19:20 ` [PATCH v2 13/35] lib/crypto: powerpc/aes: Migrate POWER8 " Eric Biggers
2026-01-12 19:20 ` [PATCH v2 14/35] lib/crypto: riscv/aes: Migrate " Eric Biggers
2026-01-12 19:20 ` [PATCH v2 15/35] lib/crypto: s390/aes: " Eric Biggers
2026-01-15 22:00 ` Holger Dengler
2026-01-12 19:20 ` [PATCH v2 16/35] lib/crypto: sparc/aes: " Eric Biggers
2026-01-12 19:20 ` [PATCH v2 17/35] lib/crypto: x86/aes: Add AES-NI optimization Eric Biggers
2026-01-12 19:20 ` [PATCH v2 18/35] crypto: x86/aes - Remove the superseded AES-NI crypto_cipher Eric Biggers
2026-01-12 19:20 ` [PATCH v2 19/35] Bluetooth: SMP: Use new AES library API Eric Biggers
2026-01-12 19:20 ` [PATCH v2 20/35] chelsio: " Eric Biggers
2026-01-12 19:20 ` [PATCH v2 21/35] net: phy: mscc: macsec: " Eric Biggers
2026-01-12 19:20 ` [PATCH v2 22/35] staging: rtl8723bs: core: " Eric Biggers
2026-01-12 19:20 ` [PATCH v2 23/35] crypto: arm/ghash - " Eric Biggers
2026-01-12 19:20 ` [PATCH v2 24/35] crypto: arm64/ghash " Eric Biggers
2026-01-12 19:20 ` [PATCH v2 25/35] crypto: x86/aes-gcm " Eric Biggers
2026-01-12 19:20 ` [PATCH v2 26/35] crypto: ccp " Eric Biggers
2026-01-12 19:20 ` [PATCH v2 27/35] crypto: chelsio " Eric Biggers
2026-01-12 19:20 ` [PATCH v2 28/35] crypto: crypto4xx " Eric Biggers
2026-01-12 19:20 ` Eric Biggers [this message]
2026-01-12 19:20 ` [PATCH v2 30/35] crypto: inside-secure " Eric Biggers
2026-01-12 19:20 ` [PATCH v2 31/35] crypto: omap " Eric Biggers
2026-01-12 19:20 ` [PATCH v2 32/35] lib/crypto: aescfb: " Eric Biggers
2026-01-12 19:20 ` [PATCH v2 33/35] lib/crypto: aesgcm: " Eric Biggers
2026-01-12 19:20 ` [PATCH v2 34/35] lib/crypto: aes: Remove old AES en/decryption functions Eric Biggers
2026-01-14 15:31 ` [RFC PATCH 0/1] lib/crypto: tests: KUnit test-suite for AES Holger Dengler
2026-01-14 15:31 ` [RFC PATCH 1/1] lib/crypto: tests: Add KUnit tests " Holger Dengler
2026-01-14 23:04 ` Eric Biggers
2026-01-15 18:13 ` Holger Dengler
2026-01-12 19:20 ` [PATCH v2 35/35] lib/crypto: aes: Drop 'volatile' from aes_sbox and aes_inv_sbox Eric Biggers
2026-01-15 20:45 ` [PATCH v2 00/35] AES library improvements Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260112192035.10427-30-ebiggers@kernel.org \
--to=ebiggers@kernel.org \
--cc=Jason@zx2c4.com \
--cc=ardb@kernel.org \
--cc=dengler@linux.ibm.com \
--cc=freude@linux.ibm.com \
--cc=herbert@gondor.apana.org.au \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=linux-s390@vger.kernel.org \
--cc=linuxppc-dev@lists.ozlabs.org \
--cc=sparclinux@vger.kernel.org \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox