[PATCH net-next] octeontx2-pf: macsec: Use AES library instead of ecb(aes) skcipher

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

* [PATCH net-next] octeontx2-pf: macsec: Use AES library instead of ecb(aes) skcipher
@ 2026-03-21 22:52 Eric Biggers
  2026-03-23  7:02 ` Subbaraya Sundeep
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Eric Biggers @ 2026-03-21 22:52 UTC (permalink / raw)
  To: netdev
  Cc: Andrew Lunn, David S . Miller, Eric Dumazet, Jakub Kicinski,
	Paolo Abeni, Sunil Goutham, Geetha sowjanya, Subbaraya Sundeep,
	hariprasad, Bharat Bhushan, Sabrina Dubroca, Eric Biggers,
	linux-crypto, linux-kernel

cn10k_ecb_aes_encrypt() just encrypts a single block with AES.  That is
much more easily and efficiently done with the AES library than
crypto_skcipher.  Use the AES library instead.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
 .../net/ethernet/marvell/octeontx2/Kconfig    |  1 +
 .../marvell/octeontx2/nic/cn10k_macsec.c      | 53 +++++--------------
 2 files changed, 13 insertions(+), 41 deletions(-)

diff --git a/drivers/net/ethernet/marvell/octeontx2/Kconfig b/drivers/net/ethernet/marvell/octeontx2/Kconfig
index 35c4f5f64f58..47e549c581f0 100644
--- a/drivers/net/ethernet/marvell/octeontx2/Kconfig
+++ b/drivers/net/ethernet/marvell/octeontx2/Kconfig
@@ -31,10 +31,11 @@ config NDC_DIS_DYNAMIC_CACHING
 config OCTEONTX2_PF
 	tristate "Marvell OcteonTX2 NIC Physical Function driver"
 	select OCTEONTX2_MBOX
 	select NET_DEVLINK
 	select PAGE_POOL
+	select CRYPTO_LIB_AES if MACSEC
 	depends on (64BIT && COMPILE_TEST) || ARM64
 	select DIMLIB
 	depends on PCI
 	depends on PTP_1588_CLOCK_OPTIONAL
 	depends on MACSEC || !MACSEC
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
index 4649996dc7da..2cc1bdfd9b2e 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
@@ -2,11 +2,11 @@
 /* Marvell MACSEC hardware offload driver
  *
  * Copyright (C) 2022 Marvell.
  */
 
-#include <crypto/skcipher.h>
+#include <crypto/aes.h>
 #include <linux/rtnetlink.h>
 #include <linux/bitfield.h>
 #include "otx2_common.h"
 
 #define MCS_TCAM0_MAC_DA_MASK		GENMASK_ULL(47, 0)
@@ -44,55 +44,26 @@
 #define MCS_TCI_C			0x04 /* changed text */
 
 #define CN10K_MAX_HASH_LEN		16
 #define CN10K_MAX_SAK_LEN		32
 
-static int cn10k_ecb_aes_encrypt(struct otx2_nic *pfvf, u8 *sak,
-				 u16 sak_len, u8 *hash)
+static int cn10k_ecb_aes_encrypt(struct otx2_nic *pfvf, const u8 *sak,
+				 u16 sak_len, u8 hash[CN10K_MAX_HASH_LEN])
 {
-	u8 data[CN10K_MAX_HASH_LEN] = { 0 };
-	struct skcipher_request *req = NULL;
-	struct scatterlist sg_src, sg_dst;
-	struct crypto_skcipher *tfm;
-	DECLARE_CRYPTO_WAIT(wait);
-	int err;
-
-	tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0);
-	if (IS_ERR(tfm)) {
-		dev_err(pfvf->dev, "failed to allocate transform for ecb-aes\n");
-		return PTR_ERR(tfm);
-	}
-
-	req = skcipher_request_alloc(tfm, GFP_KERNEL);
-	if (!req) {
-		dev_err(pfvf->dev, "failed to allocate request for skcipher\n");
-		err = -ENOMEM;
-		goto free_tfm;
-	}
+	static const u8 zeroes[CN10K_MAX_HASH_LEN];
+	struct aes_enckey aes;
 
-	err = crypto_skcipher_setkey(tfm, sak, sak_len);
-	if (err) {
-		dev_err(pfvf->dev, "failed to set key for skcipher\n");
-		goto free_req;
+	if (aes_prepareenckey(&aes, sak, sak_len) != 0) {
+		dev_err(pfvf->dev, "invalid AES key length: %d\n", sak_len);
+		return -EINVAL;
 	}
 
-	/* build sg list */
-	sg_init_one(&sg_src, data, CN10K_MAX_HASH_LEN);
-	sg_init_one(&sg_dst, hash, CN10K_MAX_HASH_LEN);
-
-	skcipher_request_set_callback(req, 0, crypto_req_done, &wait);
-	skcipher_request_set_crypt(req, &sg_src, &sg_dst,
-				   CN10K_MAX_HASH_LEN, NULL);
+	static_assert(CN10K_MAX_HASH_LEN == AES_BLOCK_SIZE);
+	aes_encrypt(&aes, hash, zeroes);
 
-	err = crypto_skcipher_encrypt(req);
-	err = crypto_wait_req(err, &wait);
-
-free_req:
-	skcipher_request_free(req);
-free_tfm:
-	crypto_free_skcipher(tfm);
-	return err;
+	memzero_explicit(&aes, sizeof(aes));
+	return 0;
 }
 
 static struct cn10k_mcs_txsc *cn10k_mcs_get_txsc(struct cn10k_mcs_cfg *cfg,
 						 struct macsec_secy *secy)
 {

base-commit: fb78a629b4f0eb399b413f6c093a3da177b3a4eb
-- 
2.53.0


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH net-next] octeontx2-pf: macsec: Use AES library instead of ecb(aes) skcipher
  2026-03-21 22:52 [PATCH net-next] octeontx2-pf: macsec: Use AES library instead of ecb(aes) skcipher Eric Biggers
@ 2026-03-23  7:02 ` Subbaraya Sundeep
  2026-03-25 18:08 ` Subbaraya Sundeep
  2026-03-26 10:50 ` patchwork-bot+netdevbpf
  2 siblings, 0 replies; 4+ messages in thread
From: Subbaraya Sundeep @ 2026-03-23  7:02 UTC (permalink / raw)
  To: Eric Biggers
  Cc: netdev, Andrew Lunn, David S . Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Sunil Goutham, Geetha sowjanya,
	hariprasad, Bharat Bhushan, Sabrina Dubroca, linux-crypto,
	linux-kernel

Hi,

On 2026-03-22 at 04:22:08, Eric Biggers (ebiggers@kernel.org) wrote:
> cn10k_ecb_aes_encrypt() just encrypts a single block with AES.  That is
> much more easily and efficiently done with the AES library than
> crypto_skcipher.  Use the AES library instead.
> 
Thanks for the patch. Give me couple of days, I will test and
ack.

Sundeep

> Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> ---
>  .../net/ethernet/marvell/octeontx2/Kconfig    |  1 +
>  .../marvell/octeontx2/nic/cn10k_macsec.c      | 53 +++++--------------
>  2 files changed, 13 insertions(+), 41 deletions(-)
> 
> diff --git a/drivers/net/ethernet/marvell/octeontx2/Kconfig b/drivers/net/ethernet/marvell/octeontx2/Kconfig
> index 35c4f5f64f58..47e549c581f0 100644
> --- a/drivers/net/ethernet/marvell/octeontx2/Kconfig
> +++ b/drivers/net/ethernet/marvell/octeontx2/Kconfig
> @@ -31,10 +31,11 @@ config NDC_DIS_DYNAMIC_CACHING
>  config OCTEONTX2_PF
>  	tristate "Marvell OcteonTX2 NIC Physical Function driver"
>  	select OCTEONTX2_MBOX
>  	select NET_DEVLINK
>  	select PAGE_POOL
> +	select CRYPTO_LIB_AES if MACSEC
>  	depends on (64BIT && COMPILE_TEST) || ARM64
>  	select DIMLIB
>  	depends on PCI
>  	depends on PTP_1588_CLOCK_OPTIONAL
>  	depends on MACSEC || !MACSEC
> diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
> index 4649996dc7da..2cc1bdfd9b2e 100644
> --- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
> +++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
> @@ -2,11 +2,11 @@
>  /* Marvell MACSEC hardware offload driver
>   *
>   * Copyright (C) 2022 Marvell.
>   */
>  
> -#include <crypto/skcipher.h>
> +#include <crypto/aes.h>
>  #include <linux/rtnetlink.h>
>  #include <linux/bitfield.h>
>  #include "otx2_common.h"
>  
>  #define MCS_TCAM0_MAC_DA_MASK		GENMASK_ULL(47, 0)
> @@ -44,55 +44,26 @@
>  #define MCS_TCI_C			0x04 /* changed text */
>  
>  #define CN10K_MAX_HASH_LEN		16
>  #define CN10K_MAX_SAK_LEN		32
>  
> -static int cn10k_ecb_aes_encrypt(struct otx2_nic *pfvf, u8 *sak,
> -				 u16 sak_len, u8 *hash)
> +static int cn10k_ecb_aes_encrypt(struct otx2_nic *pfvf, const u8 *sak,
> +				 u16 sak_len, u8 hash[CN10K_MAX_HASH_LEN])
>  {
> -	u8 data[CN10K_MAX_HASH_LEN] = { 0 };
> -	struct skcipher_request *req = NULL;
> -	struct scatterlist sg_src, sg_dst;
> -	struct crypto_skcipher *tfm;
> -	DECLARE_CRYPTO_WAIT(wait);
> -	int err;
> -
> -	tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0);
> -	if (IS_ERR(tfm)) {
> -		dev_err(pfvf->dev, "failed to allocate transform for ecb-aes\n");
> -		return PTR_ERR(tfm);
> -	}
> -
> -	req = skcipher_request_alloc(tfm, GFP_KERNEL);
> -	if (!req) {
> -		dev_err(pfvf->dev, "failed to allocate request for skcipher\n");
> -		err = -ENOMEM;
> -		goto free_tfm;
> -	}
> +	static const u8 zeroes[CN10K_MAX_HASH_LEN];
> +	struct aes_enckey aes;
>  
> -	err = crypto_skcipher_setkey(tfm, sak, sak_len);
> -	if (err) {
> -		dev_err(pfvf->dev, "failed to set key for skcipher\n");
> -		goto free_req;
> +	if (aes_prepareenckey(&aes, sak, sak_len) != 0) {
> +		dev_err(pfvf->dev, "invalid AES key length: %d\n", sak_len);
> +		return -EINVAL;
>  	}
>  
> -	/* build sg list */
> -	sg_init_one(&sg_src, data, CN10K_MAX_HASH_LEN);
> -	sg_init_one(&sg_dst, hash, CN10K_MAX_HASH_LEN);
> -
> -	skcipher_request_set_callback(req, 0, crypto_req_done, &wait);
> -	skcipher_request_set_crypt(req, &sg_src, &sg_dst,
> -				   CN10K_MAX_HASH_LEN, NULL);
> +	static_assert(CN10K_MAX_HASH_LEN == AES_BLOCK_SIZE);
> +	aes_encrypt(&aes, hash, zeroes);
>  
> -	err = crypto_skcipher_encrypt(req);
> -	err = crypto_wait_req(err, &wait);
> -
> -free_req:
> -	skcipher_request_free(req);
> -free_tfm:
> -	crypto_free_skcipher(tfm);
> -	return err;
> +	memzero_explicit(&aes, sizeof(aes));
> +	return 0;
>  }
>  
>  static struct cn10k_mcs_txsc *cn10k_mcs_get_txsc(struct cn10k_mcs_cfg *cfg,
>  						 struct macsec_secy *secy)
>  {
> 
> base-commit: fb78a629b4f0eb399b413f6c093a3da177b3a4eb
> -- 
> 2.53.0
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net-next] octeontx2-pf: macsec: Use AES library instead of ecb(aes) skcipher
  2026-03-21 22:52 [PATCH net-next] octeontx2-pf: macsec: Use AES library instead of ecb(aes) skcipher Eric Biggers
  2026-03-23  7:02 ` Subbaraya Sundeep
@ 2026-03-25 18:08 ` Subbaraya Sundeep
  2026-03-26 10:50 ` patchwork-bot+netdevbpf
  2 siblings, 0 replies; 4+ messages in thread
From: Subbaraya Sundeep @ 2026-03-25 18:08 UTC (permalink / raw)
  To: Eric Biggers
  Cc: netdev, Andrew Lunn, David S . Miller, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Sunil Goutham, Geetha sowjanya,
	hariprasad, Bharat Bhushan, Sabrina Dubroca, linux-crypto,
	linux-kernel

On 2026-03-22 at 04:22:08, Eric Biggers (ebiggers@kernel.org) wrote:
> cn10k_ecb_aes_encrypt() just encrypts a single block with AES.  That is
> much more easily and efficiently done with the AES library than
> crypto_skcipher.  Use the AES library instead.
> 
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>

Reviewed-by: Subbaraya Sundeep <sbhatta@marvell.com>

Thanks,
Sundeep

> ---
>  .../net/ethernet/marvell/octeontx2/Kconfig    |  1 +
>  .../marvell/octeontx2/nic/cn10k_macsec.c      | 53 +++++--------------
>  2 files changed, 13 insertions(+), 41 deletions(-)
> 
> diff --git a/drivers/net/ethernet/marvell/octeontx2/Kconfig b/drivers/net/ethernet/marvell/octeontx2/Kconfig
> index 35c4f5f64f58..47e549c581f0 100644
> --- a/drivers/net/ethernet/marvell/octeontx2/Kconfig
> +++ b/drivers/net/ethernet/marvell/octeontx2/Kconfig
> @@ -31,10 +31,11 @@ config NDC_DIS_DYNAMIC_CACHING
>  config OCTEONTX2_PF
>  	tristate "Marvell OcteonTX2 NIC Physical Function driver"
>  	select OCTEONTX2_MBOX
>  	select NET_DEVLINK
>  	select PAGE_POOL
> +	select CRYPTO_LIB_AES if MACSEC
>  	depends on (64BIT && COMPILE_TEST) || ARM64
>  	select DIMLIB
>  	depends on PCI
>  	depends on PTP_1588_CLOCK_OPTIONAL
>  	depends on MACSEC || !MACSEC
> diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
> index 4649996dc7da..2cc1bdfd9b2e 100644
> --- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
> +++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
> @@ -2,11 +2,11 @@
>  /* Marvell MACSEC hardware offload driver
>   *
>   * Copyright (C) 2022 Marvell.
>   */
>  
> -#include <crypto/skcipher.h>
> +#include <crypto/aes.h>
>  #include <linux/rtnetlink.h>
>  #include <linux/bitfield.h>
>  #include "otx2_common.h"
>  
>  #define MCS_TCAM0_MAC_DA_MASK		GENMASK_ULL(47, 0)
> @@ -44,55 +44,26 @@
>  #define MCS_TCI_C			0x04 /* changed text */
>  
>  #define CN10K_MAX_HASH_LEN		16
>  #define CN10K_MAX_SAK_LEN		32
>  
> -static int cn10k_ecb_aes_encrypt(struct otx2_nic *pfvf, u8 *sak,
> -				 u16 sak_len, u8 *hash)
> +static int cn10k_ecb_aes_encrypt(struct otx2_nic *pfvf, const u8 *sak,
> +				 u16 sak_len, u8 hash[CN10K_MAX_HASH_LEN])
>  {
> -	u8 data[CN10K_MAX_HASH_LEN] = { 0 };
> -	struct skcipher_request *req = NULL;
> -	struct scatterlist sg_src, sg_dst;
> -	struct crypto_skcipher *tfm;
> -	DECLARE_CRYPTO_WAIT(wait);
> -	int err;
> -
> -	tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0);
> -	if (IS_ERR(tfm)) {
> -		dev_err(pfvf->dev, "failed to allocate transform for ecb-aes\n");
> -		return PTR_ERR(tfm);
> -	}
> -
> -	req = skcipher_request_alloc(tfm, GFP_KERNEL);
> -	if (!req) {
> -		dev_err(pfvf->dev, "failed to allocate request for skcipher\n");
> -		err = -ENOMEM;
> -		goto free_tfm;
> -	}
> +	static const u8 zeroes[CN10K_MAX_HASH_LEN];
> +	struct aes_enckey aes;
>  
> -	err = crypto_skcipher_setkey(tfm, sak, sak_len);
> -	if (err) {
> -		dev_err(pfvf->dev, "failed to set key for skcipher\n");
> -		goto free_req;
> +	if (aes_prepareenckey(&aes, sak, sak_len) != 0) {
> +		dev_err(pfvf->dev, "invalid AES key length: %d\n", sak_len);
> +		return -EINVAL;
>  	}
>  
> -	/* build sg list */
> -	sg_init_one(&sg_src, data, CN10K_MAX_HASH_LEN);
> -	sg_init_one(&sg_dst, hash, CN10K_MAX_HASH_LEN);
> -
> -	skcipher_request_set_callback(req, 0, crypto_req_done, &wait);
> -	skcipher_request_set_crypt(req, &sg_src, &sg_dst,
> -				   CN10K_MAX_HASH_LEN, NULL);
> +	static_assert(CN10K_MAX_HASH_LEN == AES_BLOCK_SIZE);
> +	aes_encrypt(&aes, hash, zeroes);
>  
> -	err = crypto_skcipher_encrypt(req);
> -	err = crypto_wait_req(err, &wait);
> -
> -free_req:
> -	skcipher_request_free(req);
> -free_tfm:
> -	crypto_free_skcipher(tfm);
> -	return err;
> +	memzero_explicit(&aes, sizeof(aes));
> +	return 0;
>  }
>  
>  static struct cn10k_mcs_txsc *cn10k_mcs_get_txsc(struct cn10k_mcs_cfg *cfg,
>  						 struct macsec_secy *secy)
>  {
> 
> base-commit: fb78a629b4f0eb399b413f6c093a3da177b3a4eb
> -- 
> 2.53.0
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH net-next] octeontx2-pf: macsec: Use AES library instead of ecb(aes) skcipher
  2026-03-21 22:52 [PATCH net-next] octeontx2-pf: macsec: Use AES library instead of ecb(aes) skcipher Eric Biggers
  2026-03-23  7:02 ` Subbaraya Sundeep
  2026-03-25 18:08 ` Subbaraya Sundeep
@ 2026-03-26 10:50 ` patchwork-bot+netdevbpf
  2 siblings, 0 replies; 4+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-03-26 10:50 UTC (permalink / raw)
  To: Eric Biggers
  Cc: netdev, andrew+netdev, davem, edumazet, kuba, pabeni, sgoutham,
	gakula, sbhatta, hkelam, bbhushan2, sd, linux-crypto,
	linux-kernel

Hello:

This patch was applied to netdev/net-next.git (main)
by Paolo Abeni <pabeni@redhat.com>:

On Sat, 21 Mar 2026 15:52:08 -0700 you wrote:
> cn10k_ecb_aes_encrypt() just encrypts a single block with AES.  That is
> much more easily and efficiently done with the AES library than
> crypto_skcipher.  Use the AES library instead.
> 
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> ---
>  .../net/ethernet/marvell/octeontx2/Kconfig    |  1 +
>  .../marvell/octeontx2/nic/cn10k_macsec.c      | 53 +++++--------------
>  2 files changed, 13 insertions(+), 41 deletions(-)
> 
> [...]

Here is the summary with links:
  - [net-next] octeontx2-pf: macsec: Use AES library instead of ecb(aes) skcipher
    https://git.kernel.org/netdev/net-next/c/8f303194b241

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2026-03-26 10:50 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-21 22:52 [PATCH net-next] octeontx2-pf: macsec: Use AES library instead of ecb(aes) skcipher Eric Biggers
2026-03-23  7:02 ` Subbaraya Sundeep
2026-03-25 18:08 ` Subbaraya Sundeep
2026-03-26 10:50 ` patchwork-bot+netdevbpf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox