public inbox for linux-kernel@vger.kernel.org
From: Eric Biggers <ebiggers@kernel.org>
To: Holger Dengler <dengler@linux.ibm.com>
Cc: Ard Biesheuvel <ardb@kernel.org>,
	"Jason A . Donenfeld" <Jason@zx2c4.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	Harald Freudenberger <freude@linux.ibm.com>,
	linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org
Subject: Re: [RFC PATCH 1/1] lib/crypto: tests: Add KUnit tests for AES
Date: Wed, 14 Jan 2026 23:04:30 +0000
Message-ID: <20260114230430.GB1449008@google.com>
In-Reply-To: <20260114153138.4896-2-dengler@linux.ibm.com>

Thanks for writing this!

On Wed, Jan 14, 2026 at 04:31:38PM +0100, Holger Dengler wrote:
> diff --git a/lib/crypto/tests/Kconfig b/lib/crypto/tests/Kconfig
> index 4970463ea0aa..f34e79093275 100644
> --- a/lib/crypto/tests/Kconfig
> +++ b/lib/crypto/tests/Kconfig
> @@ -118,6 +118,18 @@ config CRYPTO_LIB_SHA3_KUNIT_TEST
>  	  including SHA3-224, SHA3-256, SHA3-384, SHA3-512, SHAKE128 and
>  	  SHAKE256.
>  
> +config CRYPTO_LIB_AES_KUNIT_TEST
> +	tristate "KUnit tests for AES" if !KUNIT_ALL_TESTS
> +	depends on KUNIT
> +	default KUNIT_ALL_TESTS || CRYPTO_SELFTESTS
> +	select CRYPTO_LIB_BENCHMARK_VISIBLE
> +	select CRYPTO_LIB_AES
> +	help
> +	  KUnit tests for the AES library functions, including known answer
> +	  tests and benchmarks for encrypt/decrypt with all key sizes. The
> +	  test suite does not contain any key generation test, nor any error
> +	  cases.
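
Review bot: the last sentence of the help text says the suite contains
no error cases, which leaves the failure path of aes_preparekey()
untested even though aes_kunit.c checks its return value. Consider
adding a negative case that passes an unsupported key length and expects
a nonzero return, and then dropping that sentence from the help text.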

It should go first in the file, to maintain the existing alphabetical
order.

> diff --git a/lib/crypto/tests/Makefile b/lib/crypto/tests/Makefile
> index f4262379f56c..72234e965cdc 100644
> --- a/lib/crypto/tests/Makefile
> +++ b/lib/crypto/tests/Makefile
> @@ -12,3 +12,4 @@ obj-$(CONFIG_CRYPTO_LIB_SHA1_KUNIT_TEST) += sha1_kunit.o
>  obj-$(CONFIG_CRYPTO_LIB_SHA256_KUNIT_TEST) += sha224_kunit.o sha256_kunit.o
>  obj-$(CONFIG_CRYPTO_LIB_SHA512_KUNIT_TEST) += sha384_kunit.o sha512_kunit.o
>  obj-$(CONFIG_CRYPTO_LIB_SHA3_KUNIT_TEST) += sha3_kunit.o
> +obj-$(CONFIG_CRYPTO_LIB_AES_KUNIT_TEST) += aes_kunit.o

Likewise in the Makefile.

> diff --git a/lib/crypto/tests/aes_kunit.c b/lib/crypto/tests/aes_kunit.c
> new file mode 100644
> index 000000000000..057ddc3a1b1f
> --- /dev/null
> +++ b/lib/crypto/tests/aes_kunit.c
> @@ -0,0 +1,115 @@
> +// SPDX-License-Identifier: GPL-2.0
> +#include <kunit/test.h>
> +
> +#include "aes-testvecs.h"
> +
> +#define AES_KAT(bits, func, from, to)				\
> +static void aes##bits##_kat_##func(struct kunit *test)		\
> +{								\
> +	const u8 *in = AES##bits##_KAT.from;			\
> +	u8 out[AES_BLOCK_SIZE];					\
> +	struct aes_key aes_key;					\
> +								\
> +	if (aes_preparekey(&aes_key, AES##bits##_KAT.key.b,	\
> +			   AES##bits##_KAT.key.len))		\
> +		kunit_skip(test, "no key");			\
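
Review bot: the includes at the top of aes_kunit.c cover only
<kunit/test.h> and "aes-testvecs.h", while the AES_KAT() body uses
struct aes_key, AES_BLOCK_SIZE and aes_preparekey(). Unless
aes-testvecs.h is meant to provide those, include the header that
declares the AES library API directly in this file, so the test does not
build only by way of an indirect include.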

Skipping on failure seems wrong.

> +#define KB		(1024)
> +#define MB		(KB * KB)
> +#define NS_PER_SEC	(1000000000ULL)

If you'd like to use named constants for these, note that the kernel
headers already have constants SZ_1K, SZ_1M, and NSEC_PER_SEC.  So these
local definitions aren't needed.

> +
> +#define AES_BENCHMARK(bits)					\
> +static void aes##bits##_benchmark(struct kunit *test)		\
> +{								\
> +	const size_t num_iters = 10000000;			\
> +	const u8 *cipher = AES##bits##_KAT.cipher;		\
> +	const u8 *plain = AES##bits##_KAT.plain;		\
> +	u8 out[AES_BLOCK_SIZE];					\
> +	struct aes_key aes_key;					\
> +	u64 t_enc, t_dec;					\
> +								\
> +	if (!IS_ENABLED(CONFIG_CRYPTO_LIB_BENCHMARK))		\
> +		kunit_skip(test, "not enabled");		\
> +								\
> +	if (aes_preparekey(&aes_key, AES##bits##_KAT.key.b,	\
> +			   AES##bits##_KAT.key.len))		\
> +		kunit_skip(test, "no key");			\
> +								\
> +	/* warm-up enc */					\
> +	for (size_t i = 0; i < 1000; i++)			\
> +		aes_encrypt(&aes_key, out, plain);		\
> +								\
> +	preempt_disable();					\
> +	t_enc = ktime_get_ns();					\
> +								\
> +	for (size_t i = 0; i < num_iters; i++)			\
> +		aes_encrypt(&aes_key, out, plain);		\
> +								\
> +	t_enc = ktime_get_ns() - t_enc;				\
> +	preempt_enable();					\
> +								\
> +	/* warm-up dec */					\
> +	for (size_t i = 0; i < 1000; i++)			\
> +		aes_decrypt(&aes_key, out, cipher);		\
> +								\
> +	preempt_disable();					\
> +	t_dec = ktime_get_ns();					\
> +								\
> +	for (size_t i = 0; i < num_iters; i++)			\
> +		aes_decrypt(&aes_key, out, cipher);		\
> +								\
> +	t_dec = ktime_get_ns() - t_dec;				\
> +	preempt_enable();					\
> +								\
> +	kunit_info(test, "enc (iter. %zu, duration %lluns)",	\
> +		   num_iters, t_enc);				\
> +	kunit_info(test, "enc (len=%zu): %llu MB/s",		\
> +		   (size_t)AES_BLOCK_SIZE,			\
> +		   div64_u64((u64)AES_BLOCK_SIZE * num_iters * NS_PER_SEC, \
> +			     (t_enc ?: 1) * MB));		\
> +								\
> +	kunit_info(test, "dec (iter. %zu, duration %lluns)",	\
> +		   num_iters, t_dec);				\
> +	kunit_info(test, "dec (len=%zu): %llu MB/s",		\
> +		   (size_t)AES_BLOCK_SIZE,			\
> +		   div64_u64((u64)AES_BLOCK_SIZE * num_iters * NS_PER_SEC, \
> +			     (t_dec ?: 1) * MB));		\
> +}
> +
> +AES_KAT(128, encrypt, plain, cipher);
> +AES_KAT(192, encrypt, plain, cipher);
> +AES_KAT(256, encrypt, plain, cipher);
> +AES_KAT(128, decrypt, cipher, plain);
> +AES_KAT(192, decrypt, cipher, plain);
> +AES_KAT(256, decrypt, cipher, plain);
> +AES_BENCHMARK(128);
> +AES_BENCHMARK(192);
> +AES_BENCHMARK(256);
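
Review bot: in AES_BENCHMARK(), each timed loop runs
num_iters = 10000000 calls between preempt_disable() and
preempt_enable(), so the time the CPU stays non-preemptible depends on
how fast the AES implementation under test is. Consider a smaller
iteration count, or timing shorter batches and summing the results, so
that a slow implementation does not hold the CPU for the whole
measurement.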

The heavy use of macros doesn't seem that helpful here.  The API is
already unified, where we have aes_preparekey(), aes_encrypt(), and
aes_decrypt() that handle all of AES-128, AES-192, and AES-256.  So we
don't need entirely different code to test each variant.

We could just write helper functions, e.g. aes_test() and
aes_benchmark().  They would take in a pointer to a test vector, and the
individual KUnit case functions would call them.

See lib/crypto/tests/mldsa_kunit.c which does something similar.

- Eric
