diff options
| author | Ard Biesheuvel <ard.biesheuvel@linaro.org> | 2013-09-16 12:31:38 -0400 |
|---|---|---|
| committer | Ard Biesheuvel <ard.biesheuvel@linaro.org> | 2013-10-04 14:48:38 -0400 |
| commit | e4e7f10bfc4069925e99cc4b428c3434e30b6c3f (patch) | |
| tree | 0b8d5b71df8cf0493741877065bdf3b1cf677984 /crypto/Kconfig | |
| parent | 5ce26f3b5ae8fafdd28375a004f7b8e924e9bacb (diff) | |
ARM: add support for bit sliced AES using NEON instructions
Bit sliced AES gives around 45% speedup on Cortex-A15 for encryption
and around 25% for decryption. This implementation of the AES algorithm
does not rely on any lookup tables so it is believed to be invulnerable
to cache timing attacks.
This algorithm processes up to 8 blocks in parallel in constant time. This
means that it is not usable by chaining modes that are strictly sequential
in nature, such as CBC encryption. CBC decryption, however, can benefit from
this implementation and runs about 25% faster. The other chaining modes
implemented in this module, XTS and CTR, can execute fully in parallel in
both directions.
The core code has been adopted from the OpenSSL project (in collaboration
with the original author, on cc). For ease of maintenance, this version is
identical to the upstream OpenSSL code, i.e., all modifications that were
required to make it suitable for inclusion into the kernel have been made
upstream. The original can be found here:
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6f6a6130
Note to integrators:
While this implementation is significantly faster than the existing table
based ones (generic or ARM asm), especially in CTR mode, the effects on
power efficiency are unclear as of yet. This code does fundamentally more
work, by calculating values that the table based code obtains by a simple
lookup; only by doing all of that work in a SIMD fashion, it manages to
perform better.
Cc: Andy Polyakov <appro@openssl.org>
Acked-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Diffstat (limited to 'crypto/Kconfig')
| -rw-r--r-- | crypto/Kconfig | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/crypto/Kconfig b/crypto/Kconfig index 69ce573f1224..71f337aefa39 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig | |||
| @@ -776,6 +776,22 @@ config CRYPTO_AES_ARM | |||
| 776 | 776 | ||
| 777 | See <http://csrc.nist.gov/encryption/aes/> for more information. | 777 | See <http://csrc.nist.gov/encryption/aes/> for more information. |
| 778 | 778 | ||
| 779 | config CRYPTO_AES_ARM_BS | ||
| 780 | tristate "Bit sliced AES using NEON instructions" | ||
| 781 | depends on ARM && KERNEL_MODE_NEON | ||
| 782 | select CRYPTO_ALGAPI | ||
| 783 | select CRYPTO_AES_ARM | ||
| 784 | select CRYPTO_ABLK_HELPER | ||
| 785 | help | ||
| 786 | Use a faster and more secure NEON based implementation of AES in CBC, | ||
| 787 | CTR and XTS modes | ||
| 788 | |||
| 789 | Bit sliced AES gives around 45% speedup on Cortex-A15 for CTR mode | ||
| 790 | and for XTS mode encryption, CBC and XTS mode decryption speedup is | ||
| 791 | around 25%. (CBC encryption speed is not affected by this driver.) | ||
| 792 | This implementation does not rely on any lookup tables so it is | ||
| 793 | believed to be invulnerable to cache timing attacks. | ||
| 794 | |||
| 779 | config CRYPTO_ANUBIS | 795 | config CRYPTO_ANUBIS |
| 780 | tristate "Anubis cipher algorithm" | 796 | tristate "Anubis cipher algorithm" |
| 781 | select CRYPTO_ALGAPI | 797 | select CRYPTO_ALGAPI |