The Linux Kernel Mailing List
 help / color / mirror / Atom feed
From: Eric Biggers <ebiggers@kernel.org>
To: Alexandre Knecht <knecht.alexandre@gmail.com>
Cc: herbert@gondor.apana.org.au,
	"David S . Miller" <davem@davemloft.net>,
	linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
	bpf@vger.kernel.org
Subject: Re: [PATCH] crypto: ctr - Convert from skcipher to lskcipher
Date: Mon, 6 Jul 2026 22:57:30 -0700	[thread overview]
Message-ID: <20260707055730.GB1791@sol> (raw)
In-Reply-To: <20260511001935.GC60510@quark>

On Sun, May 10, 2026 at 05:19:35PM -0700, Eric Biggers wrote:
> On Mon, May 11, 2026 at 02:02:22AM +0200, Alexandre Knecht wrote:
> > Le lun. 11 mai 2026 à 01:44, Eric Biggers <ebiggers@kernel.org> a écrit :
> > > Also note that lskcipher doesn't provide access to the accelerated AES
> > > mode implementations.  Indeed, almost nothing is supported by lskcipher.
> > > The fact that you found something to be missing isn't surprising.
> > >
> > > I think "lskcipher" is kind of a dead end, to be honest.  It's not clear
> > > why it got added.  The path forwards is to get the AES encryption modes
> > > added to lib/crypto/ and to just use that instead.
> > >
> > > - Eric
> > 
> > Hi Eric,
> > 
> > Thanks for the review — you're asking the right questions.
> > 
> > I'm developing a VXLAN/EVPN-based CNI for Kubernetes (releasing in the
> > coming months), and the goal is to implement datapath encryption for
> > overlay traffic in a zero-trust datacenter model. The encryption
> > happens in BPF programs attached via TC on the VXLAN device (encrypt
> > inner frames on egress, decrypt on ingress).
> > 
> > The algorithm I actually need is AES-GCM (authenticated encryption of
> > VXLAN inner frames, with the outer headers as AAD). When I looked at
> > bpf_crypto, I found that:
> > 
> > 1. Only lskcipher ("skcipher" type) was implemented
> > 2. ecb(aes) was the only usable algorithm
> > 3. AEAD support was designed for (authsize field exists in
> >  bpf_crypto_params, setauthsize in bpf_crypto_type) but never
> >  implemented
> > 4. ctr(aes) wasn't available as lskcipher either
> > 
> > I looked at Herbert's history converting ECB and CBC to lskcipher and
> > assumed that was the path forward for CTR. But you're right, the
> > real goal is AEAD, not CTR. CTR alone doesn't give me integrity.
> > 
> > Your point about lib/crypto/ is interesting. If there's a path to
> > expose AES-GCM (or the building blocks) as direct library calls that
> > BPF programs in TC/XDP could use (avoiding the template/instance
> > machinery and getting hardware acceleration) that would be ideal for
> > this use case.
> > 
> > What would that look like? Is there existing lib/crypto/ work for
> > AES-GCM that could be wired up to BPF, or would that need to be
> > built?
> 
> Sure, it makes sense that AES-GCM is what you actually need.  There's
> actually a lot of demand for AES-GCM in lib/crypto/, and I've been
> working on it.
> 
> There's already an existing AES-GCM lib/crypto/ API (see
> include/crypto/gcm.h), and I optimized it a bit in 7.0 and 7.1.  For
> example, it now uses the architecture-optimized single-block AES code.
> 
> You might be able to go ahead and use that right now.
> 
> However, it currently supports only one-shot computation, and it doesn't
> yet take advantage of the fully optimized AES-GCM assembly code that
> interleaves the AES and GHASH computations.  I'm planning to address
> both of those limitations soon.
> 
> Anyway, that seems like the clear way forward.  The lskcipher thing
> seems like a dead end to me.

FYI, the following series adds new library APIs for AES-GCM and other
AES modes:
https://lore.kernel.org/linux-crypto/20260707053503.209874-1-ebiggers@kernel.org/

It also includes proof-of-concept patches to convert BPF crypto to use
the AES-ECB and AES-CBC library APIs, then add AES-GCM support.

I think that is roughly what you're looking for, and also what should
have been implemented in "BPF crypto" in the first place.  (Minus
AES-ECB, which is silly and should never have been supported in BPF
crypto.  And maybe minus AES-CBC too.)  But let me know what you think.

(I didn't Cc that series to everyone just for the proof-of-concept
patches, as I wrote them for lots of kernel subsystems.  For now they're
mainly for informing the API design and preparing for later.)

- Eric

      reply	other threads:[~2026-07-07  5:59 UTC|newest]

Thread overview: 6+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-05-10 23:09 [PATCH] crypto: ctr - Convert from skcipher to lskcipher Alexandre Knecht
2026-05-10 23:32 ` Eric Biggers
2026-05-10 23:44   ` Eric Biggers
2026-05-11  0:02     ` Alexandre Knecht
2026-05-11  0:19       ` Eric Biggers
2026-07-07  5:57         ` Eric Biggers [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260707055730.GB1791@sol \
    --to=ebiggers@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=davem@davemloft.net \
    --cc=herbert@gondor.apana.org.au \
    --cc=knecht.alexandre@gmail.com \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox