crypto: lib - implement library version of AES in CFB mode

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Implement AES in CFB mode using the existing, mostly constant-time
generic AES library implementation. This will be used by the TPM code
to encrypt communications with TPM hardware, which is often a discrete
component connected using sniffable wires or traces.

While a CFB template does exist, using a skcipher is a major pain for
non-performance critical synchronous crypto where the algorithm is known
at compile time and the data is in contiguous buffers with valid kernel
virtual addresses.

Tested-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Link: https://lore.kernel.org/all/20230216201410.15010-1-James.Bottomley@HansenPartnership.com/
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: James Bottomley <James.Bottomley@HansenPartnership.com>
Tested-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>

authored by

Ard Biesheuvel and committed by

Jarkko Sakkinen 2 years ago f1354404 40813f18

+270

4 changed files

expand all

include

crypto

aes.h

lib

crypto

Kconfig

Makefile

aescfb.c

include/crypto/aes.h

··· 87 87 extern const u8 crypto_aes_sbox[]; 88 88 extern const u8 crypto_aes_inv_sbox[]; 89 89 90 + void aescfb_encrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, 91 + int len, const u8 iv[AES_BLOCK_SIZE]); 92 + void aescfb_decrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, 93 + int len, const u8 iv[AES_BLOCK_SIZE]); 94 + 90 95 #endif

lib/crypto/Kconfig

··· 8 8 config CRYPTO_LIB_AES 9 9 tristate 10 10 11 + config CRYPTO_LIB_AESCFB 12 + tristate 13 + select CRYPTO_LIB_AES 14 + select CRYPTO_LIB_UTILS 15 + 11 16 config CRYPTO_LIB_AESGCM 12 17 tristate 13 18 select CRYPTO_LIB_AES

lib/crypto/Makefile

··· 10 10 obj-$(CONFIG_CRYPTO_LIB_AES) += libaes.o 11 11 libaes-y := aes.o 12 12 13 + obj-$(CONFIG_CRYPTO_LIB_AESCFB) += libaescfb.o 14 + libaescfb-y := aescfb.o 15 + 13 16 obj-$(CONFIG_CRYPTO_LIB_AESGCM) += libaesgcm.o 14 17 libaesgcm-y := aesgcm.o 15 18

+257

lib/crypto/aescfb.c

··· 1 + // SPDX-License-Identifier: GPL-2.0 2 + /* 3 + * Minimal library implementation of AES in CFB mode 4 + * 5 + * Copyright 2023 Google LLC 6 + */ 7 + 8 + #include <linux/module.h> 9 + 10 + #include <crypto/algapi.h> 11 + #include <crypto/aes.h> 12 + 13 + #include <asm/irqflags.h> 14 + 15 + static void aescfb_encrypt_block(const struct crypto_aes_ctx *ctx, void *dst, 16 + const void *src) 17 + { 18 + unsigned long flags; 19 + 20 + /* 21 + * In AES-CFB, the AES encryption operates on known 'plaintext' (the IV 22 + * and ciphertext), making it susceptible to timing attacks on the 23 + * encryption key. The AES library already mitigates this risk to some 24 + * extent by pulling the entire S-box into the caches before doing any 25 + * substitutions, but this strategy is more effective when running with 26 + * interrupts disabled. 27 + */ 28 + local_irq_save(flags); 29 + aes_encrypt(ctx, dst, src); 30 + local_irq_restore(flags); 31 + } 32 + 33 + /** 34 + * aescfb_encrypt - Perform AES-CFB encryption on a block of data 35 + * 36 + * @ctx: The AES-CFB key schedule 37 + * @dst: Pointer to the ciphertext output buffer 38 + * @src: Pointer the plaintext (may equal @dst for encryption in place) 39 + * @len: The size in bytes of the plaintext and ciphertext. 40 + * @iv: The initialization vector (IV) to use for this block of data 41 + */ 42 + void aescfb_encrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, 43 + int len, const u8 iv[AES_BLOCK_SIZE]) 44 + { 45 + u8 ks[AES_BLOCK_SIZE]; 46 + const u8 *v = iv; 47 + 48 + while (len > 0) { 49 + aescfb_encrypt_block(ctx, ks, v); 50 + crypto_xor_cpy(dst, src, ks, min(len, AES_BLOCK_SIZE)); 51 + v = dst; 52 + 53 + dst += AES_BLOCK_SIZE; 54 + src += AES_BLOCK_SIZE; 55 + len -= AES_BLOCK_SIZE; 56 + } 57 + 58 + memzero_explicit(ks, sizeof(ks)); 59 + } 60 + EXPORT_SYMBOL(aescfb_encrypt); 61 + 62 + /** 63 + * aescfb_decrypt - Perform AES-CFB decryption on a block of data 64 + * 65 + * @ctx: The AES-CFB key schedule 66 + * @dst: Pointer to the plaintext output buffer 67 + * @src: Pointer the ciphertext (may equal @dst for decryption in place) 68 + * @len: The size in bytes of the plaintext and ciphertext. 69 + * @iv: The initialization vector (IV) to use for this block of data 70 + */ 71 + void aescfb_decrypt(const struct crypto_aes_ctx *ctx, u8 *dst, const u8 *src, 72 + int len, const u8 iv[AES_BLOCK_SIZE]) 73 + { 74 + u8 ks[2][AES_BLOCK_SIZE]; 75 + 76 + aescfb_encrypt_block(ctx, ks[0], iv); 77 + 78 + for (int i = 0; len > 0; i ^= 1) { 79 + if (len > AES_BLOCK_SIZE) 80 + /* 81 + * Generate the keystream for the next block before 82 + * performing the XOR, as that may update in place and 83 + * overwrite the ciphertext. 84 + */ 85 + aescfb_encrypt_block(ctx, ks[!i], src); 86 + 87 + crypto_xor_cpy(dst, src, ks[i], min(len, AES_BLOCK_SIZE)); 88 + 89 + dst += AES_BLOCK_SIZE; 90 + src += AES_BLOCK_SIZE; 91 + len -= AES_BLOCK_SIZE; 92 + } 93 + 94 + memzero_explicit(ks, sizeof(ks)); 95 + } 96 + EXPORT_SYMBOL(aescfb_decrypt); 97 + 98 + MODULE_DESCRIPTION("Generic AES-CFB library"); 99 + MODULE_AUTHOR("Ard Biesheuvel <ardb@kernel.org>"); 100 + MODULE_LICENSE("GPL"); 101 + 102 + #ifndef CONFIG_CRYPTO_MANAGER_DISABLE_TESTS 103 + 104 + /* 105 + * Test code below. Vectors taken from crypto/testmgr.h 106 + */ 107 + 108 + static struct { 109 + u8 ptext[64]; 110 + u8 ctext[64]; 111 + 112 + u8 key[AES_MAX_KEY_SIZE]; 113 + u8 iv[AES_BLOCK_SIZE]; 114 + 115 + int klen; 116 + int len; 117 + } const aescfb_tv[] __initconst = { 118 + { /* From NIST SP800-38A */ 119 + .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6" 120 + "\xab\xf7\x15\x88\x09\xcf\x4f\x3c", 121 + .klen = 16, 122 + .iv = "\x00\x01\x02\x03\x04\x05\x06\x07" 123 + "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", 124 + .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96" 125 + "\xe9\x3d\x7e\x11\x73\x93\x17\x2a" 126 + "\xae\x2d\x8a\x57\x1e\x03\xac\x9c" 127 + "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51" 128 + "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11" 129 + "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef" 130 + "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17" 131 + "\xad\x2b\x41\x7b\xe6\x6c\x37\x10", 132 + .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad\x20" 133 + "\x33\x34\x49\xf8\xe8\x3c\xfb\x4a" 134 + "\xc8\xa6\x45\x37\xa0\xb3\xa9\x3f" 135 + "\xcd\xe3\xcd\xad\x9f\x1c\xe5\x8b" 136 + "\x26\x75\x1f\x67\xa3\xcb\xb1\x40" 137 + "\xb1\x80\x8c\xf1\x87\xa4\xf4\xdf" 138 + "\xc0\x4b\x05\x35\x7c\x5d\x1c\x0e" 139 + "\xea\xc4\xc6\x6f\x9f\xf7\xf2\xe6", 140 + .len = 64, 141 + }, { 142 + .key = "\x8e\x73\xb0\xf7\xda\x0e\x64\x52" 143 + "\xc8\x10\xf3\x2b\x80\x90\x79\xe5" 144 + "\x62\xf8\xea\xd2\x52\x2c\x6b\x7b", 145 + .klen = 24, 146 + .iv = "\x00\x01\x02\x03\x04\x05\x06\x07" 147 + "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", 148 + .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96" 149 + "\xe9\x3d\x7e\x11\x73\x93\x17\x2a" 150 + "\xae\x2d\x8a\x57\x1e\x03\xac\x9c" 151 + "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51" 152 + "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11" 153 + "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef" 154 + "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17" 155 + "\xad\x2b\x41\x7b\xe6\x6c\x37\x10", 156 + .ctext = "\xcd\xc8\x0d\x6f\xdd\xf1\x8c\xab" 157 + "\x34\xc2\x59\x09\xc9\x9a\x41\x74" 158 + "\x67\xce\x7f\x7f\x81\x17\x36\x21" 159 + "\x96\x1a\x2b\x70\x17\x1d\x3d\x7a" 160 + "\x2e\x1e\x8a\x1d\xd5\x9b\x88\xb1" 161 + "\xc8\xe6\x0f\xed\x1e\xfa\xc4\xc9" 162 + "\xc0\x5f\x9f\x9c\xa9\x83\x4f\xa0" 163 + "\x42\xae\x8f\xba\x58\x4b\x09\xff", 164 + .len = 64, 165 + }, { 166 + .key = "\x60\x3d\xeb\x10\x15\xca\x71\xbe" 167 + "\x2b\x73\xae\xf0\x85\x7d\x77\x81" 168 + "\x1f\x35\x2c\x07\x3b\x61\x08\xd7" 169 + "\x2d\x98\x10\xa3\x09\x14\xdf\xf4", 170 + .klen = 32, 171 + .iv = "\x00\x01\x02\x03\x04\x05\x06\x07" 172 + "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", 173 + .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96" 174 + "\xe9\x3d\x7e\x11\x73\x93\x17\x2a" 175 + "\xae\x2d\x8a\x57\x1e\x03\xac\x9c" 176 + "\x9e\xb7\x6f\xac\x45\xaf\x8e\x51" 177 + "\x30\xc8\x1c\x46\xa3\x5c\xe4\x11" 178 + "\xe5\xfb\xc1\x19\x1a\x0a\x52\xef" 179 + "\xf6\x9f\x24\x45\xdf\x4f\x9b\x17" 180 + "\xad\x2b\x41\x7b\xe6\x6c\x37\x10", 181 + .ctext = "\xdc\x7e\x84\xbf\xda\x79\x16\x4b" 182 + "\x7e\xcd\x84\x86\x98\x5d\x38\x60" 183 + "\x39\xff\xed\x14\x3b\x28\xb1\xc8" 184 + "\x32\x11\x3c\x63\x31\xe5\x40\x7b" 185 + "\xdf\x10\x13\x24\x15\xe5\x4b\x92" 186 + "\xa1\x3e\xd0\xa8\x26\x7a\xe2\xf9" 187 + "\x75\xa3\x85\x74\x1a\xb9\xce\xf8" 188 + "\x20\x31\x62\x3d\x55\xb1\xe4\x71", 189 + .len = 64, 190 + }, { /* > 16 bytes, not a multiple of 16 bytes */ 191 + .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6" 192 + "\xab\xf7\x15\x88\x09\xcf\x4f\x3c", 193 + .klen = 16, 194 + .iv = "\x00\x01\x02\x03\x04\x05\x06\x07" 195 + "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", 196 + .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f\x96" 197 + "\xe9\x3d\x7e\x11\x73\x93\x17\x2a" 198 + "\xae", 199 + .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad\x20" 200 + "\x33\x34\x49\xf8\xe8\x3c\xfb\x4a" 201 + "\xc8", 202 + .len = 17, 203 + }, { /* < 16 bytes */ 204 + .key = "\x2b\x7e\x15\x16\x28\xae\xd2\xa6" 205 + "\xab\xf7\x15\x88\x09\xcf\x4f\x3c", 206 + .klen = 16, 207 + .iv = "\x00\x01\x02\x03\x04\x05\x06\x07" 208 + "\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f", 209 + .ptext = "\x6b\xc1\xbe\xe2\x2e\x40\x9f", 210 + .ctext = "\x3b\x3f\xd9\x2e\xb7\x2d\xad", 211 + .len = 7, 212 + }, 213 + }; 214 + 215 + static int __init libaescfb_init(void) 216 + { 217 + for (int i = 0; i < ARRAY_SIZE(aescfb_tv); i++) { 218 + struct crypto_aes_ctx ctx; 219 + u8 buf[64]; 220 + 221 + if (aes_expandkey(&ctx, aescfb_tv[i].key, aescfb_tv[i].klen)) { 222 + pr_err("aes_expandkey() failed on vector %d\n", i); 223 + return -ENODEV; 224 + } 225 + 226 + aescfb_encrypt(&ctx, buf, aescfb_tv[i].ptext, aescfb_tv[i].len, 227 + aescfb_tv[i].iv); 228 + if (memcmp(buf, aescfb_tv[i].ctext, aescfb_tv[i].len)) { 229 + pr_err("aescfb_encrypt() #1 failed on vector %d\n", i); 230 + return -ENODEV; 231 + } 232 + 233 + /* decrypt in place */ 234 + aescfb_decrypt(&ctx, buf, buf, aescfb_tv[i].len, aescfb_tv[i].iv); 235 + if (memcmp(buf, aescfb_tv[i].ptext, aescfb_tv[i].len)) { 236 + pr_err("aescfb_decrypt() failed on vector %d\n", i); 237 + return -ENODEV; 238 + } 239 + 240 + /* encrypt in place */ 241 + aescfb_encrypt(&ctx, buf, buf, aescfb_tv[i].len, aescfb_tv[i].iv); 242 + if (memcmp(buf, aescfb_tv[i].ctext, aescfb_tv[i].len)) { 243 + pr_err("aescfb_encrypt() #2 failed on vector %d\n", i); 244 + 245 + return -ENODEV; 246 + } 247 + 248 + } 249 + return 0; 250 + } 251 + module_init(libaescfb_init); 252 + 253 + static void __exit libaescfb_exit(void) 254 + { 255 + } 256 + module_exit(libaescfb_exit); 257 + #endif