@@ -66,7 +66,9 @@ config CRYPTO_AES_ARM
select CRYPTO_ALGAPI
select CRYPTO_AES_GENERIC
help
- Use optimized AES assembler routines for ARM platforms.
+ Use optimized AES assembler routines for ARM platforms. This
+ implementation is table based, and thus not time invariant.
+ It reuses the tables exposed by the generic AES driver.
config CRYPTO_AES_ARM_BS
tristate "Bit sliced AES using NEON instructions"
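Review bot: The new warning that this driver is "not time invariant" does not tell the person configuring the kernel what to select instead. The same gap is in the CRYPTO_AES_ARM64 help in the arm64 hunk and in the CRYPTO_AES_GENERIC help in the crypto/Kconfig hunk, even though a fixed-time option (CRYPTO_AES_TI, "Fixed time AES cipher") appears as context right below the latter. I would end each of these help texts with one sentence such as `If timing side channels are a concern, use CRYPTO_AES_TI or an instruction based driver instead.`, adjusting the names to what each architecture offers.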
@@ -44,11 +44,18 @@ config CRYPTO_CRC32_ARM64_CE
config CRYPTO_AES_ARM64
tristate "AES core cipher using scalar instructions"
select CRYPTO_AES_GENERIC
+ help
+ Use optimized AES assembler routines for ARM platforms. This
+ implementation is table based, and thus not time invariant.
+ It reuses the tables exposed by the generic AES driver.
config CRYPTO_AES_ARM64_CE
tristate "AES core cipher using ARMv8 Crypto Extensions"
depends on ARM64 && KERNEL_MODE_NEON
select CRYPTO_ALGAPI
+ help
+ Assembler implementation for arm64 of AES using special dedicated
+ instructions. This implementation is time invariant.
config CRYPTO_AES_ARM64_CE_CCM
tristate "AES in CCM mode using ARMv8 Crypto Extensions"
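Review bot: "This implementation is time invariant" in the CRYPTO_AES_ARM64_CE help is a statement about the dedicated instructions, and the hunk does not show whether the driver can take another code path when the NEON unit cannot be used. The AES-NI help in the last crypto/Kconfig hunk makes the same unqualified claim. If either driver falls back to table based code in such a context, the sentence should be narrowed, e.g. `The instruction based code path is time invariant.`. Separately, the CRYPTO_AES_ARM64 help is a verbatim copy of the 32-bit text and says "ARM platforms" where the entry below it says "arm64".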
@@ -906,21 +906,10 @@ config CRYPTO_AES_GENERIC
select CRYPTO_ALGAPI
select CRYPTO_AES_CORE
help
- AES cipher algorithms (FIPS-197). AES uses the Rijndael
- algorithm.
-
- Rijndael appears to be consistently a very good performer in
- both hardware and software across a wide range of computing
- environments regardless of its use in feedback or non-feedback
- modes. Its key setup time is excellent, and its key agility is
- good. Rijndael's very low memory requirements make it very well
- suited for restricted-space environments, in which it also
- demonstrates excellent performance. Rijndael's operations are
- among the easiest to defend against power and timing attacks.
-
- The AES specifies three key sizes: 128, 192 and 256 bits
-
- See <http://csrc.nist.gov/CryptoToolkit/aes/> for more information.
+ Generic table based implementation of AES. This is the fastest
+ implementation in C, but may be susceptible to known plaintext
+ attacks on the key due to the correlation between the processing
+ time and the input of the first round.
config CRYPTO_AES_TI
tristate "Fixed time AES cipher"
@@ -946,44 +935,18 @@ config CRYPTO_AES_586
select CRYPTO_ALGAPI
select CRYPTO_AES_GENERIC
help
- AES cipher algorithms (FIPS-197). AES uses the Rijndael
+ Assembler implementation for 32-bit x86 of the table based AES
algorithm.
- Rijndael appears to be consistently a very good performer in
- both hardware and software across a wide range of computing
- environments regardless of its use in feedback or non-feedback
- modes. Its key setup time is excellent, and its key agility is
- good. Rijndael's very low memory requirements make it very well
- suited for restricted-space environments, in which it also
- demonstrates excellent performance. Rijndael's operations are
- among the easiest to defend against power and timing attacks.
-
- The AES specifies three key sizes: 128, 192 and 256 bits
-
- See <http://csrc.nist.gov/encryption/aes/> for more information.
-
config CRYPTO_AES_X86_64
tristate "AES cipher algorithms (x86_64)"
depends on (X86 || UML_X86) && 64BIT
select CRYPTO_ALGAPI
select CRYPTO_AES_GENERIC
help
- AES cipher algorithms (FIPS-197). AES uses the Rijndael
+ Assembler implementation for 64-bit x86 of the table based AES
algorithm.
- Rijndael appears to be consistently a very good performer in
- both hardware and software across a wide range of computing
- environments regardless of its use in feedback or non-feedback
- modes. Its key setup time is excellent, and its key agility is
- good. Rijndael's very low memory requirements make it very well
- suited for restricted-space environments, in which it also
- demonstrates excellent performance. Rijndael's operations are
- among the easiest to defend against power and timing attacks.
-
- The AES specifies three key sizes: 128, 192 and 256 bits
-
- See <http://csrc.nist.gov/encryption/aes/> for more information.
-
config CRYPTO_AES_NI_INTEL
tristate "AES cipher algorithms (AES-NI)"
depends on X86
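Review bot: The CRYPTO_AES_586 and CRYPTO_AES_X86_64 help texts now say "table based" but leave out the consequence that the ARM hunks spell out. Someone reading only the x86 entries gets no hint that these drivers share the timing behaviour described under CRYPTO_AES_GENERIC, which both entries select. I would append `This implementation is not time invariant.` after "algorithm." in both entries, so the security caveat is worded the same way across architectures.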
@@ -994,23 +957,8 @@ config CRYPTO_AES_NI_INTEL
select CRYPTO_GLUE_HELPER_X86 if 64BIT
select CRYPTO_SIMD
help
- Use Intel AES-NI instructions for AES algorithm.
-
- AES cipher algorithms (FIPS-197). AES uses the Rijndael
- algorithm.
-
- Rijndael appears to be consistently a very good performer in
- both hardware and software across a wide range of computing
- environments regardless of its use in feedback or non-feedback
- modes. Its key setup time is excellent, and its key agility is
- good. Rijndael's very low memory requirements make it very well
- suited for restricted-space environments, in which it also
- demonstrates excellent performance. Rijndael's operations are
- among the easiest to defend against power and timing attacks.
-
- The AES specifies three key sizes: 128, 192 and 256 bits
-
- See <http://csrc.nist.gov/encryption/aes/> for more information.
+ Assembler implementation for x86 of AES using special dedicated
+ instructions. This implementation is time invariant.
In addition to AES cipher algorithm support, the acceleration
for some popular block cipher mode is supported too, including
Remove the duplicated boilerplate help text and add a bit of explanation about the nature of the various AES implementations that exist for ARM and x86. Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> --- arch/arm/crypto/Kconfig | 4 +- arch/arm64/crypto/Kconfig | 7 ++ crypto/Kconfig | 68 +++----------------- 3 files changed, 18 insertions(+), 61 deletions(-) -- 2.7.4