[PATCH -stable] arm: crypto: reduce priority of bit-sliced AES cipher

[PATCH -stable] arm: crypto: reduce priority of bit-sliced AES cipher

[Eric Biggers]

Hi,

I'd like the following patch to be applied to stable for versions
between 4.1 and 4.10 (inclusively).

This is a minimal fix for a bug where arm32 kernels can use a much
slower implementation of AES than is actually available, potentially
forcing vendors to disable encryption on their devices.

Min version is 4.1 because that was the first version to include the
aes-ce algorithms.

Max version is 4.10 because in 4.11, this bug was fixed incidentally as
part of a complete rewrite of the bit-sliced AES implementation.

---8<---

All the aes-bs (bit-sliced) and aes-ce (cryptographic extensions)
algorithms had a priority of 300.  This is undesirable because it means
an aes-bs algorithm may be used when an aes-ce algorithm is available.
The aes-ce algorithms have much better performance (up to 10x faster).

Fix it by decreasing the priority of the aes-bs algorithms to 250.

This was fixed upstream by commit cc477bf64573 ("crypto: arm/aes -
replace bit-sliced OpenSSL NEON code"), but it was just a small part of
a complete rewrite.  This patch just fixes the priority bug for older
kernels.

Signed-off-by: Eric Biggers <ebiggers@google.com>
---
 arch/arm/crypto/aesbs-glue.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/arch/arm/crypto/aesbs-glue.c b/arch/arm/crypto/aesbs-glue.c
index 0511a6cafe24..5d934a0039d7 100644
--- a/arch/arm/crypto/aesbs-glue.c
+++ b/arch/arm/crypto/aesbs-glue.c
@@ -363,7 +363,7 @@ static struct crypto_alg aesbs_algs[] = { {
 }, {
 	.cra_name		= "cbc(aes)",
 	.cra_driver_name	= "cbc-aes-neonbs",
-	.cra_priority		= 300,
+	.cra_priority		= 250,
 	.cra_flags		= CRYPTO_ALG_TYPE_ABLKCIPHER|CRYPTO_ALG_ASYNC,
 	.cra_blocksize		= AES_BLOCK_SIZE,
 	.cra_ctxsize		= sizeof(struct async_helper_ctx),
@@ -383,7 +383,7 @@ static struct crypto_alg aesbs_algs[] = { {
 }, {
 	.cra_name		= "ctr(aes)",
 	.cra_driver_name	= "ctr-aes-neonbs",
-	.cra_priority		= 300,
+	.cra_priority		= 250,
 	.cra_flags		= CRYPTO_ALG_TYPE_ABLKCIPHER|CRYPTO_ALG_ASYNC,
 	.cra_blocksize		= 1,
 	.cra_ctxsize		= sizeof(struct async_helper_ctx),
@@ -403,7 +403,7 @@ static struct crypto_alg aesbs_algs[] = { {
 }, {
 	.cra_name		= "xts(aes)",
 	.cra_driver_name	= "xts-aes-neonbs",
-	.cra_priority		= 300,
+	.cra_priority		= 250,
 	.cra_flags		= CRYPTO_ALG_TYPE_ABLKCIPHER|CRYPTO_ALG_ASYNC,
 	.cra_blocksize		= AES_BLOCK_SIZE,
 	.cra_ctxsize		= sizeof(struct async_helper_ctx),
-- 
2.15.0.448.gf294e3d99a-goog

Re: [PATCH -stable] arm: crypto: reduce priority of bit-sliced AES cipher

[Ard Biesheuvel]

On 17 November 2017 at 19:50, Eric Biggers <ebiggers@google.com> wrote:
> Hi,
>
> I'd like the following patch to be applied to stable for versions
> between 4.1 and 4.10 (inclusively).
>
> This is a minimal fix for a bug where arm32 kernels can use a much
> slower implementation of AES than is actually available, potentially
> forcing vendors to disable encryption on their devices.
>
> Min version is 4.1 because that was the first version to include the
> aes-ce algorithms.
>
> Max version is 4.10 because in 4.11, this bug was fixed incidentally as
> part of a complete rewrite of the bit-sliced AES implementation.
>
> ---8<---
>
> All the aes-bs (bit-sliced) and aes-ce (cryptographic extensions)
> algorithms had a priority of 300.  This is undesirable because it means
> an aes-bs algorithm may be used when an aes-ce algorithm is available.
> The aes-ce algorithms have much better performance (up to 10x faster).
>

I'd say up to 20x is more accurate.

> Fix it by decreasing the priority of the aes-bs algorithms to 250.
>
> This was fixed upstream by commit cc477bf64573 ("crypto: arm/aes -
> replace bit-sliced OpenSSL NEON code"), but it was just a small part of
> a complete rewrite.  This patch just fixes the priority bug for older
> kernels.
>
> Signed-off-by: Eric Biggers <ebiggers@google.com>

Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

> ---
>  arch/arm/crypto/aesbs-glue.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/arch/arm/crypto/aesbs-glue.c b/arch/arm/crypto/aesbs-glue.c
> index 0511a6cafe24..5d934a0039d7 100644
> --- a/arch/arm/crypto/aesbs-glue.c
> +++ b/arch/arm/crypto/aesbs-glue.c
> @@ -363,7 +363,7 @@ static struct crypto_alg aesbs_algs[] = { {
>  }, {
>         .cra_name               = "cbc(aes)",
>         .cra_driver_name        = "cbc-aes-neonbs",
> -       .cra_priority           = 300,
> +       .cra_priority           = 250,
>         .cra_flags              = CRYPTO_ALG_TYPE_ABLKCIPHER|CRYPTO_ALG_ASYNC,
>         .cra_blocksize          = AES_BLOCK_SIZE,
>         .cra_ctxsize            = sizeof(struct async_helper_ctx),
> @@ -383,7 +383,7 @@ static struct crypto_alg aesbs_algs[] = { {
>  }, {
>         .cra_name               = "ctr(aes)",
>         .cra_driver_name        = "ctr-aes-neonbs",
> -       .cra_priority           = 300,
> +       .cra_priority           = 250,
>         .cra_flags              = CRYPTO_ALG_TYPE_ABLKCIPHER|CRYPTO_ALG_ASYNC,
>         .cra_blocksize          = 1,
>         .cra_ctxsize            = sizeof(struct async_helper_ctx),
> @@ -403,7 +403,7 @@ static struct crypto_alg aesbs_algs[] = { {
>  }, {
>         .cra_name               = "xts(aes)",
>         .cra_driver_name        = "xts-aes-neonbs",
> -       .cra_priority           = 300,
> +       .cra_priority           = 250,
>         .cra_flags              = CRYPTO_ALG_TYPE_ABLKCIPHER|CRYPTO_ALG_ASYNC,
>         .cra_blocksize          = AES_BLOCK_SIZE,
>         .cra_ctxsize            = sizeof(struct async_helper_ctx),
> --
> 2.15.0.448.gf294e3d99a-goog
>

Re: [PATCH -stable] arm: crypto: reduce priority of bit-sliced AES cipher

[Greg KH]

On Fri, Nov 17, 2017 at 11:50:27AM -0800, Eric Biggers wrote:
> Hi,
> 
> I'd like the following patch to be applied to stable for versions
> between 4.1 and 4.10 (inclusively).
> 
> This is a minimal fix for a bug where arm32 kernels can use a much
> slower implementation of AES than is actually available, potentially
> forcing vendors to disable encryption on their devices.
> 
> Min version is 4.1 because that was the first version to include the
> aes-ce algorithms.
> 
> Max version is 4.10 because in 4.11, this bug was fixed incidentally as
> part of a complete rewrite of the bit-sliced AES implementation.

Thanks for the patch, now queued up.

greg k-h

Patch "[PATCH -stable] arm: crypto: reduce priority of bit-sliced AES cipher" has been added to the 4.9-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    [PATCH -stable] arm: crypto: reduce priority of bit-sliced AES cipher

to the 4.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     arm-crypto-reduce-priority-of-bit-sliced-aes-cipher.patch
and it can be found in the queue-4.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From ebiggers@google.com  Sun Nov 19 11:20:08 2017
From: Eric Biggers <ebiggers@google.com>
Date: Fri, 17 Nov 2017 11:50:27 -0800
Subject: [PATCH -stable] arm: crypto: reduce priority of bit-sliced AES cipher
To: stable@vger.kernel.org
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>, linux-crypto@vger.kernel.org, Eric Biggers <ebiggers@google.com>
Message-ID: <20171117195027.88288-1-ebiggers@google.com>

From: Eric Biggers <ebiggers@google.com>

[ Not upstream because this is a minimal fix for a bug where arm32
  kernels can use a much slower implementation of AES than is actually
  available, potentially forcing vendors to disable encryption on their
  devices.]

All the aes-bs (bit-sliced) and aes-ce (cryptographic extensions)
algorithms had a priority of 300.  This is undesirable because it means
an aes-bs algorithm may be used when an aes-ce algorithm is available.
The aes-ce algorithms have much better performance (up to 10x faster).

Fix it by decreasing the priority of the aes-bs algorithms to 250.

This was fixed upstream by commit cc477bf64573 ("crypto: arm/aes -
replace bit-sliced OpenSSL NEON code"), but it was just a small part of
a complete rewrite.  This patch just fixes the priority bug for older
kernels.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 arch/arm/crypto/aesbs-glue.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/arm/crypto/aesbs-glue.c
+++ b/arch/arm/crypto/aesbs-glue.c
@@ -363,7 +363,7 @@ static struct crypto_alg aesbs_algs[] =
 }, {
 	.cra_name		= "cbc(aes)",
 	.cra_driver_name	= "cbc-aes-neonbs",
-	.cra_priority		= 300,
+	.cra_priority		= 250,
 	.cra_flags		= CRYPTO_ALG_TYPE_ABLKCIPHER|CRYPTO_ALG_ASYNC,
 	.cra_blocksize		= AES_BLOCK_SIZE,
 	.cra_ctxsize		= sizeof(struct async_helper_ctx),
@@ -383,7 +383,7 @@ static struct crypto_alg aesbs_algs[] =
 }, {
 	.cra_name		= "ctr(aes)",
 	.cra_driver_name	= "ctr-aes-neonbs",
-	.cra_priority		= 300,
+	.cra_priority		= 250,
 	.cra_flags		= CRYPTO_ALG_TYPE_ABLKCIPHER|CRYPTO_ALG_ASYNC,
 	.cra_blocksize		= 1,
 	.cra_ctxsize		= sizeof(struct async_helper_ctx),
@@ -403,7 +403,7 @@ static struct crypto_alg aesbs_algs[] =
 }, {
 	.cra_name		= "xts(aes)",
 	.cra_driver_name	= "xts-aes-neonbs",
-	.cra_priority		= 300,
+	.cra_priority		= 250,
 	.cra_flags		= CRYPTO_ALG_TYPE_ABLKCIPHER|CRYPTO_ALG_ASYNC,
 	.cra_blocksize		= AES_BLOCK_SIZE,
 	.cra_ctxsize		= sizeof(struct async_helper_ctx),


Patches currently in stable-queue which might be from ebiggers@google.com are

queue-4.9/arm-crypto-reduce-priority-of-bit-sliced-aes-cipher.patch

Patch "[PATCH -stable] arm: crypto: reduce priority of bit-sliced AES cipher" has been added to the 4.4-stable tree

[gregkh]

This is a note to let you know that I've just added the patch titled

    [PATCH -stable] arm: crypto: reduce priority of bit-sliced AES cipher

to the 4.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     arm-crypto-reduce-priority-of-bit-sliced-aes-cipher.patch
and it can be found in the queue-4.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From ebiggers@google.com  Sun Nov 19 11:20:08 2017
From: Eric Biggers <ebiggers@google.com>
Date: Fri, 17 Nov 2017 11:50:27 -0800
Subject: [PATCH -stable] arm: crypto: reduce priority of bit-sliced AES cipher
To: stable@vger.kernel.org
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>, linux-crypto@vger.kernel.org, Eric Biggers <ebiggers@google.com>
Message-ID: <20171117195027.88288-1-ebiggers@google.com>

From: Eric Biggers <ebiggers@google.com>

[ Not upstream because this is a minimal fix for a bug where arm32
  kernels can use a much slower implementation of AES than is actually
  available, potentially forcing vendors to disable encryption on their
  devices.]

All the aes-bs (bit-sliced) and aes-ce (cryptographic extensions)
algorithms had a priority of 300.  This is undesirable because it means
an aes-bs algorithm may be used when an aes-ce algorithm is available.
The aes-ce algorithms have much better performance (up to 10x faster).

Fix it by decreasing the priority of the aes-bs algorithms to 250.

This was fixed upstream by commit cc477bf64573 ("crypto: arm/aes -
replace bit-sliced OpenSSL NEON code"), but it was just a small part of
a complete rewrite.  This patch just fixes the priority bug for older
kernels.

Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 arch/arm/crypto/aesbs-glue.c |    6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

--- a/arch/arm/crypto/aesbs-glue.c
+++ b/arch/arm/crypto/aesbs-glue.c
@@ -357,7 +357,7 @@ static struct crypto_alg aesbs_algs[] =
 }, {
 	.cra_name		= "cbc(aes)",
 	.cra_driver_name	= "cbc-aes-neonbs",
-	.cra_priority		= 300,
+	.cra_priority		= 250,
 	.cra_flags		= CRYPTO_ALG_TYPE_ABLKCIPHER|CRYPTO_ALG_ASYNC,
 	.cra_blocksize		= AES_BLOCK_SIZE,
 	.cra_ctxsize		= sizeof(struct async_helper_ctx),
@@ -377,7 +377,7 @@ static struct crypto_alg aesbs_algs[] =
 }, {
 	.cra_name		= "ctr(aes)",
 	.cra_driver_name	= "ctr-aes-neonbs",
-	.cra_priority		= 300,
+	.cra_priority		= 250,
 	.cra_flags		= CRYPTO_ALG_TYPE_ABLKCIPHER|CRYPTO_ALG_ASYNC,
 	.cra_blocksize		= 1,
 	.cra_ctxsize		= sizeof(struct async_helper_ctx),
@@ -397,7 +397,7 @@ static struct crypto_alg aesbs_algs[] =
 }, {
 	.cra_name		= "xts(aes)",
 	.cra_driver_name	= "xts-aes-neonbs",
-	.cra_priority		= 300,
+	.cra_priority		= 250,
 	.cra_flags		= CRYPTO_ALG_TYPE_ABLKCIPHER|CRYPTO_ALG_ASYNC,
 	.cra_blocksize		= AES_BLOCK_SIZE,
 	.cra_ctxsize		= sizeof(struct async_helper_ctx),


Patches currently in stable-queue which might be from ebiggers@google.com are

queue-4.4/arm-crypto-reduce-priority-of-bit-sliced-aes-cipher.patch