diff mbox series

crypto: geode-aes - switch to skcipher for cbc(aes) fallback

Message ID 20191003133921.29344-1-ard.biesheuvel@linaro.org
State Superseded
Headers show
Series crypto: geode-aes - switch to skcipher for cbc(aes) fallback | expand

Commit Message

Ard Biesheuvel Oct. 3, 2019, 1:39 p.m. UTC
Commit 79c65d179a40e145 ("crypto: cbc - Convert to skcipher") updated
the generic CBC template wrapper from a blkcipher to a skcipher algo,
to get away from the deprecated blkcipher interface. However, as a side
effect, drivers that instantiate CBC transforms using the blkcipher as
a fallback no longer work, since skciphers can wrap blkciphers but not
the other way around. This broke the geode-aes driver.

So let's fix it by moving to the sync skcipher interface when allocating
the fallback.

Cc: Gert Robben <t2@gert.gr>
Cc: Jelle de Jong <jelledejong@powercraft.nl>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

---
Gert, Jelle,

If you can, please try this patch and report back to the list if it solves
the Geode issue for you.

-- 
Ard.

 drivers/crypto/geode-aes.c | 45 +++++++++-----------
 drivers/crypto/geode-aes.h |  2 +-
 2 files changed, 22 insertions(+), 25 deletions(-)

-- 
2.20.1

Comments

Gert Robben Oct. 3, 2019, 9:26 p.m. UTC | #1
Op 03-10-2019 om 15:39 schreef Ard Biesheuvel:
> Commit 79c65d179a40e145 ("crypto: cbc - Convert to skcipher") updated

> the generic CBC template wrapper from a blkcipher to a skcipher algo,

> to get away from the deprecated blkcipher interface. However, as a side

> effect, drivers that instantiate CBC transforms using the blkcipher as

> a fallback no longer work, since skciphers can wrap blkciphers but not

> the other way around. This broke the geode-aes driver.

> 

> So let's fix it by moving to the sync skcipher interface when allocating

> the fallback.

> 

> Cc: Gert Robben <t2@gert.gr>

> Cc: Jelle de Jong <jelledejong@powercraft.nl>

> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

> ---

> Gert, Jelle,

> 

> If you can, please try this patch and report back to the list if it solves

> the Geode issue for you.


Thanks for the patch!
I tried it on Alix 2C2 / Geode LX800 with Linux 5.4-rc1 (also 5.1-5.3 fwiw).

At least now openssl doesn't give those errors anymore.
(openssl speed -evp aes-128-cbc -elapsed -engine afalg)
But looking at the results (<6MB/s), apparently it's not using geode-aes 
(>30MB/s?).
In dmesg can be seen:

alg: skcipher: ecb-aes-geode encryption test failed (wrong result) on 
test vector 1, cfg="out-of-place"
alg: skcipher: cbc-aes-geode encryption test failed (wrong result) on 
test vector 2, cfg="out-of-place"
Geode LX AES 0000:00:01.2: GEODE AES engine enabled.

In /proc/crypto, drivers cbc-aes-geode/ecb-aes-geode are listed with 
"selftest: unknown". Driver "geode-aes" has "selftest: passed".

I'm happy to test other patches.
Regards, Gert
Ard Biesheuvel Oct. 4, 2019, 6:16 a.m. UTC | #2
On Thu, 3 Oct 2019 at 23:26, Gert Robben <t2@gert.gr> wrote:
>

> Op 03-10-2019 om 15:39 schreef Ard Biesheuvel:

> > Commit 79c65d179a40e145 ("crypto: cbc - Convert to skcipher") updated

> > the generic CBC template wrapper from a blkcipher to a skcipher algo,

> > to get away from the deprecated blkcipher interface. However, as a side

> > effect, drivers that instantiate CBC transforms using the blkcipher as

> > a fallback no longer work, since skciphers can wrap blkciphers but not

> > the other way around. This broke the geode-aes driver.

> >

> > So let's fix it by moving to the sync skcipher interface when allocating

> > the fallback.

> >

> > Cc: Gert Robben <t2@gert.gr>

> > Cc: Jelle de Jong <jelledejong@powercraft.nl>

> > Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

> > ---

> > Gert, Jelle,

> >

> > If you can, please try this patch and report back to the list if it solves

> > the Geode issue for you.

>

> Thanks for the patch!

> I tried it on Alix 2C2 / Geode LX800 with Linux 5.4-rc1 (also 5.1-5.3 fwiw).

>

> At least now openssl doesn't give those errors anymore.

> (openssl speed -evp aes-128-cbc -elapsed -engine afalg)

> But looking at the results (<6MB/s), apparently it's not using geode-aes

> (>30MB/s?).

> In dmesg can be seen:

>

> alg: skcipher: ecb-aes-geode encryption test failed (wrong result) on

> test vector 1, cfg="out-of-place"

> alg: skcipher: cbc-aes-geode encryption test failed (wrong result) on

> test vector 2, cfg="out-of-place"

> Geode LX AES 0000:00:01.2: GEODE AES engine enabled.

>

> In /proc/crypto, drivers cbc-aes-geode/ecb-aes-geode are listed with

> "selftest: unknown". Driver "geode-aes" has "selftest: passed".

>

> I'm happy to test other patches.


Oops, mistake there on my part

Can you replace the two instances of

skcipher_request_set_crypt(req, dst, src, nbytes, desc->info);

with

skcipher_request_set_crypt(req, src, dst, nbytes, desc->info);

please?
Florian Bezdeka Oct. 4, 2019, 10:21 a.m. UTC | #3
I'm facing the same problem on one of my VPN gateways.

I updated the affected system from Debian Stretch to Buster.
Therefore the kernel was updated from 4.9.x to 4.19.x

The supplied patch uses some symbols / functions that were introduced 
with 4.19 (like crypto_sync_skcipher_clear_flags()) so some additional work
has to be done for older LTS kernels.

Any chance to get a patch working with 4.19?
I would be happy to test it.

Best regards,
  Florian

> On Thu, 3 Oct 2019 at 23:26, Gert Robben <t2@gert.gr> wrote:

>>

>> Op 03-10-2019 om 15:39 schreef Ard Biesheuvel:

>>> Commit 79c65d179a40e145 ("crypto: cbc - Convert to skcipher") updated

>>> the generic CBC template wrapper from a blkcipher to a skcipher algo,

>>> to get away from the deprecated blkcipher interface. However, as a side

>>> effect, drivers that instantiate CBC transforms using the blkcipher as

>>> a fallback no longer work, since skciphers can wrap blkciphers but not

>>> the other way around. This broke the geode-aes driver.

>>>

>>> So let's fix it by moving to the sync skcipher interface when allocating

>>> the fallback.

>>>

>>> Cc: Gert Robben <t2@gert.gr>

>>> Cc: Jelle de Jong <jelledejong@powercraft.nl>

>>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

>>> ---

>>> Gert, Jelle,

>>>

>>> If you can, please try this patch and report back to the list if it solves

>>> the Geode issue for you.

>>

>> Thanks for the patch!

>> I tried it on Alix 2C2 / Geode LX800 with Linux 5.4-rc1 (also 5.1-5.3 fwiw).

>>

>> At least now openssl doesn't give those errors anymore.

>> (openssl speed -evp aes-128-cbc -elapsed -engine afalg)

>> But looking at the results (<6MB/s), apparently it's not using geode-aes

>> (>30MB/s?).

>> In dmesg can be seen:

>>

>> alg: skcipher: ecb-aes-geode encryption test failed (wrong result) on

>> test vector 1, cfg="out-of-place"

>> alg: skcipher: cbc-aes-geode encryption test failed (wrong result) on

>> test vector 2, cfg="out-of-place"

>> Geode LX AES 0000:00:01.2: GEODE AES engine enabled.

>>

>> In /proc/crypto, drivers cbc-aes-geode/ecb-aes-geode are listed with

>> "selftest: unknown". Driver "geode-aes" has "selftest: passed".

>>

>> I'm happy to test other patches.

> 

> Oops, mistake there on my part

> 

> Can you replace the two instances of

> 

> skcipher_request_set_crypt(req, dst, src, nbytes, desc->info);

> 

> with

> 

> skcipher_request_set_crypt(req, src, dst, nbytes, desc->info);

> 

> please?

> 

>
Ard Biesheuvel Oct. 4, 2019, 12:08 p.m. UTC | #4
On Fri, 4 Oct 2019 at 12:21, Florian Bezdeka <florian@bezdeka.de> wrote:
>

> I'm facing the same problem on one of my VPN gateways.

>

> I updated the affected system from Debian Stretch to Buster.

> Therefore the kernel was updated from 4.9.x to 4.19.x

>

> The supplied patch uses some symbols / functions that were introduced

> with 4.19 (like crypto_sync_skcipher_clear_flags()) so some additional work

> has to be done for older LTS kernels.

>

> Any chance to get a patch working with 4.19?

> I would be happy to test it.

>


Just replace all occurrences of *sync_skcipher* with *skcipher*
(including upper case ones), and pass 'CRYPTO_ALG_ASYNC |
CRYPTO_ALG_NEED_FALLBACK' as the third parameter to
crypto_alloc_skcipher, then the patch should work with v4.19 as well.
Gert Robben Oct. 4, 2019, 1:29 p.m. UTC | #5
Op 04-10-2019 om 08:16 schreef Ard Biesheuvel:
> On Thu, 3 Oct 2019 at 23:26, Gert Robben <t2@gert.gr> wrote:

>> Op 03-10-2019 om 15:39 schreef Ard Biesheuvel:

>>> Commit 79c65d179a40e145 ("crypto: cbc - Convert to skcipher") updated

>>> the generic CBC template wrapper from a blkcipher to a skcipher algo,

>>> to get away from the deprecated blkcipher interface. However, as a side

>>> effect, drivers that instantiate CBC transforms using the blkcipher as

>>> a fallback no longer work, since skciphers can wrap blkciphers but not

>>> the other way around. This broke the geode-aes driver.

>>>

>>> So let's fix it by moving to the sync skcipher interface when allocating

>>> the fallback.

>>>

>>> Cc: Gert Robben <t2@gert.gr>

>>> Cc: Jelle de Jong <jelledejong@powercraft.nl>

>>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

>>> ---

>>> Gert, Jelle,

>>>

>>> If you can, please try this patch and report back to the list if it solves

>>> the Geode issue for you.

>>

>> Thanks for the patch!

>> I tried it on Alix 2C2 / Geode LX800 with Linux 5.4-rc1 (also 5.1-5.3 fwiw).

>>

>> At least now openssl doesn't give those errors anymore.

>> (openssl speed -evp aes-128-cbc -elapsed -engine afalg)

>> But looking at the results (<6MB/s), apparently it's not using geode-aes

>> (>30MB/s?).

>> In dmesg can be seen:

>>

>> alg: skcipher: ecb-aes-geode encryption test failed (wrong result) on

>> test vector 1, cfg="out-of-place"

>> alg: skcipher: cbc-aes-geode encryption test failed (wrong result) on

>> test vector 2, cfg="out-of-place"

>> Geode LX AES 0000:00:01.2: GEODE AES engine enabled.

>>

>> In /proc/crypto, drivers cbc-aes-geode/ecb-aes-geode are listed with

>> "selftest: unknown". Driver "geode-aes" has "selftest: passed".

>>

>> I'm happy to test other patches.

> 

> Oops, mistake there on my part

> 

> Can you replace the two instances of

> 

> skcipher_request_set_crypt(req, dst, src, nbytes, desc->info);

> 

> with

> 

> skcipher_request_set_crypt(req, src, dst, nbytes, desc->info);

> 

> please?


Yes, with that change, now it works in 5.4-rc1:

# openssl speed -evp aes-128-cbc -elapsed -engine afalg
- - - 8< - - -
The 'numbers' are in 1000s of bytes per second processed.
type             16 bytes     64 bytes    256 bytes   1024 bytes   8192 
bytes  16384 bytes
aes-128-cbc        125.63k      499.39k     1858.18k     6377.00k 
25753.93k    31167.08k

I also quickly tried nginx https, that seems to transfer a file correctly.
And a bit faster, but not by this much, I have to look into that further.
For now I assume the kernel part seems to be working fine.

Thanks, much appreciated!
Gert
Eric Biggers Oct. 4, 2019, 7:37 p.m. UTC | #6
On Fri, Oct 04, 2019 at 03:29:33PM +0200, Gert Robben wrote:
> Op 04-10-2019 om 08:16 schreef Ard Biesheuvel:

> > On Thu, 3 Oct 2019 at 23:26, Gert Robben <t2@gert.gr> wrote:

> > > Op 03-10-2019 om 15:39 schreef Ard Biesheuvel:

> > > > Commit 79c65d179a40e145 ("crypto: cbc - Convert to skcipher") updated

> > > > the generic CBC template wrapper from a blkcipher to a skcipher algo,

> > > > to get away from the deprecated blkcipher interface. However, as a side

> > > > effect, drivers that instantiate CBC transforms using the blkcipher as

> > > > a fallback no longer work, since skciphers can wrap blkciphers but not

> > > > the other way around. This broke the geode-aes driver.

> > > > 

> > > > So let's fix it by moving to the sync skcipher interface when allocating

> > > > the fallback.

> > > > 

> > > > Cc: Gert Robben <t2@gert.gr>

> > > > Cc: Jelle de Jong <jelledejong@powercraft.nl>

> > > > Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

> > > > ---

> > > > Gert, Jelle,

> > > > 

> > > > If you can, please try this patch and report back to the list if it solves

> > > > the Geode issue for you.

> > > 

> > > Thanks for the patch!

> > > I tried it on Alix 2C2 / Geode LX800 with Linux 5.4-rc1 (also 5.1-5.3 fwiw).

> > > 

> > > At least now openssl doesn't give those errors anymore.

> > > (openssl speed -evp aes-128-cbc -elapsed -engine afalg)

> > > But looking at the results (<6MB/s), apparently it's not using geode-aes

> > > (>30MB/s?).

> > > In dmesg can be seen:

> > > 

> > > alg: skcipher: ecb-aes-geode encryption test failed (wrong result) on

> > > test vector 1, cfg="out-of-place"

> > > alg: skcipher: cbc-aes-geode encryption test failed (wrong result) on

> > > test vector 2, cfg="out-of-place"

> > > Geode LX AES 0000:00:01.2: GEODE AES engine enabled.

> > > 

> > > In /proc/crypto, drivers cbc-aes-geode/ecb-aes-geode are listed with

> > > "selftest: unknown". Driver "geode-aes" has "selftest: passed".

> > > 

> > > I'm happy to test other patches.

> > 

> > Oops, mistake there on my part

> > 

> > Can you replace the two instances of

> > 

> > skcipher_request_set_crypt(req, dst, src, nbytes, desc->info);

> > 

> > with

> > 

> > skcipher_request_set_crypt(req, src, dst, nbytes, desc->info);

> > 

> > please?

> 

> Yes, with that change, now it works in 5.4-rc1:

> 

> # openssl speed -evp aes-128-cbc -elapsed -engine afalg

> - - - 8< - - -

> The 'numbers' are in 1000s of bytes per second processed.

> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192

> bytes  16384 bytes

> aes-128-cbc        125.63k      499.39k     1858.18k     6377.00k 25753.93k

> 31167.08k

> 

> I also quickly tried nginx https, that seems to transfer a file correctly.

> And a bit faster, but not by this much, I have to look into that further.

> For now I assume the kernel part seems to be working fine.

> 

> Thanks, much appreciated!

> Gert



Can you check whether it passes the extra self-tests too?  I.e. enable
CONFIG_CRYPTO_MANAGER_EXTRA_TESTS.

- Eric
Gert Robben Oct. 4, 2019, 8:27 p.m. UTC | #7
Op 04-10-2019 om 21:37 schreef Eric Biggers:
> On Fri, Oct 04, 2019 at 03:29:33PM +0200, Gert Robben wrote:

>> Op 04-10-2019 om 08:16 schreef Ard Biesheuvel:

>>> On Thu, 3 Oct 2019 at 23:26, Gert Robben <t2@gert.gr> wrote:

>>>> Op 03-10-2019 om 15:39 schreef Ard Biesheuvel:

>>>>> Commit 79c65d179a40e145 ("crypto: cbc - Convert to skcipher") updated

>>>>> the generic CBC template wrapper from a blkcipher to a skcipher algo,

>>>>> to get away from the deprecated blkcipher interface. However, as a side

>>>>> effect, drivers that instantiate CBC transforms using the blkcipher as

>>>>> a fallback no longer work, since skciphers can wrap blkciphers but not

>>>>> the other way around. This broke the geode-aes driver.

>>>>>

>>>>> So let's fix it by moving to the sync skcipher interface when allocating

>>>>> the fallback.

>>>>>

>>>>> Cc: Gert Robben <t2@gert.gr>

>>>>> Cc: Jelle de Jong <jelledejong@powercraft.nl>

>>>>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

>>>>> ---

>>>>> Gert, Jelle,

>>>>>

>>>>> If you can, please try this patch and report back to the list if it solves

>>>>> the Geode issue for you.

>>>>

>>>> Thanks for the patch!

>>>> I tried it on Alix 2C2 / Geode LX800 with Linux 5.4-rc1 (also 5.1-5.3 fwiw).

>>>>

>>>> At least now openssl doesn't give those errors anymore.

>>>> (openssl speed -evp aes-128-cbc -elapsed -engine afalg)

>>>> But looking at the results (<6MB/s), apparently it's not using geode-aes

>>>> (>30MB/s?).

>>>> In dmesg can be seen:

>>>>

>>>> alg: skcipher: ecb-aes-geode encryption test failed (wrong result) on

>>>> test vector 1, cfg="out-of-place"

>>>> alg: skcipher: cbc-aes-geode encryption test failed (wrong result) on

>>>> test vector 2, cfg="out-of-place"

>>>> Geode LX AES 0000:00:01.2: GEODE AES engine enabled.

>>>>

>>>> In /proc/crypto, drivers cbc-aes-geode/ecb-aes-geode are listed with

>>>> "selftest: unknown". Driver "geode-aes" has "selftest: passed".

>>>>

>>>> I'm happy to test other patches.

>>>

>>> Oops, mistake there on my part

>>>

>>> Can you replace the two instances of

>>>

>>> skcipher_request_set_crypt(req, dst, src, nbytes, desc->info);

>>>

>>> with

>>>

>>> skcipher_request_set_crypt(req, src, dst, nbytes, desc->info);

>>>

>>> please?

>>

>> Yes, with that change, now it works in 5.4-rc1:

>>

>> # openssl speed -evp aes-128-cbc -elapsed -engine afalg

>> - - - 8< - - -

>> The 'numbers' are in 1000s of bytes per second processed.

>> type             16 bytes     64 bytes    256 bytes   1024 bytes   8192

>> bytes  16384 bytes

>> aes-128-cbc        125.63k      499.39k     1858.18k     6377.00k 25753.93k

>> 31167.08k

>>

>> I also quickly tried nginx https, that seems to transfer a file correctly.

>> And a bit faster, but not by this much, I have to look into that further.

>> For now I assume the kernel part seems to be working fine.

>>

>> Thanks, much appreciated!

>> Gert

> 

> 

> Can you check whether it passes the extra self-tests too?  I.e. enable

> CONFIG_CRYPTO_MANAGER_EXTRA_TESTS.


Yes, with that option dmesg says additionally (I did several reboots):

alg: skcipher: ecb-aes-geode encryption unexpectedly succeeded on test 
vector "random: len=24 klen=16"; expected_error=-22, cfg="random: 
inplace use_finup src_divs=[18.14%@alignmask+19, 81.86%@+25] iv_offset=22"

alg: skcipher: ecb-aes-geode encryption unexpectedly succeeded on test 
vector "random: len=148 klen=16"; expected_error=-22, cfg="random: 
inplace use_digest nosimd src_divs=[100.0%@+22] iv_offset=50"

alg: skcipher: ecb-aes-geode encryption unexpectedly succeeded on test 
vector "random: len=168 klen=16"; expected_error=-22, cfg="random: 
use_digest nosimd src_divs=[76.11%@alignmask+18, 13.8%@+4056, 
4.57%@+3984, 5.36%@+506, 0.68%@+3989, 0.17%@+1620, 0.3%@+4025] iv_offset=27"

alg: skcipher: ecb-aes-geode encryption unexpectedly succeeded on test 
vector "random: len=33 klen=16"; expected_error=-22, cfg="random: 
may_sleep use_digest src_divs=[97.79%@+20, 2.21%@+4016] iv_offset=38"

alg: skcipher: ecb-aes-geode encryption unexpectedly succeeded on test 
vector "random: len=202 klen=16"; expected_error=-22, cfg="random: 
inplace use_final nosimd src_divs=[<reimport,nosimd>100.0%@+15] 
iv_offset=44"

alg: skcipher: ecb-aes-geode encryption unexpectedly succeeded on test 
vector "random: len=60 klen=16"; expected_error=-22, cfg="random: 
use_digest src_divs=[83.68%@+1899, 7.27%@alignmask+1670, 5.73%@+11, 
3.32%@+3985]"

Regards, Gert
diff mbox series

Patch

diff --git a/drivers/crypto/geode-aes.c b/drivers/crypto/geode-aes.c
index d81a1297cb9e..b6c47bbc2c49 100644
--- a/drivers/crypto/geode-aes.c
+++ b/drivers/crypto/geode-aes.c
@@ -10,6 +10,7 @@ 
 #include <linux/spinlock.h>
 #include <crypto/algapi.h>
 #include <crypto/aes.h>
+#include <crypto/skcipher.h>
 
 #include <linux/io.h>
 #include <linux/delay.h>
@@ -166,13 +167,15 @@  static int geode_setkey_blk(struct crypto_tfm *tfm, const u8 *key,
 	/*
 	 * The requested key size is not supported by HW, do a fallback
 	 */
-	op->fallback.blk->base.crt_flags &= ~CRYPTO_TFM_REQ_MASK;
-	op->fallback.blk->base.crt_flags |= (tfm->crt_flags & CRYPTO_TFM_REQ_MASK);
+	crypto_sync_skcipher_clear_flags(op->fallback.blk, CRYPTO_TFM_REQ_MASK);
+	crypto_sync_skcipher_set_flags(op->fallback.blk,
+				       tfm->crt_flags & CRYPTO_TFM_REQ_MASK);
 
-	ret = crypto_blkcipher_setkey(op->fallback.blk, key, len);
+	ret = crypto_sync_skcipher_setkey(op->fallback.blk, key, len);
 	if (ret) {
 		tfm->crt_flags &= ~CRYPTO_TFM_RES_MASK;
-		tfm->crt_flags |= (op->fallback.blk->base.crt_flags & CRYPTO_TFM_RES_MASK);
+		tfm->crt_flags |= crypto_sync_skcipher_get_flags(op->fallback.blk) &
+				  CRYPTO_TFM_RES_MASK;
 	}
 	return ret;
 }
@@ -181,33 +184,28 @@  static int fallback_blk_dec(struct blkcipher_desc *desc,
 		struct scatterlist *dst, struct scatterlist *src,
 		unsigned int nbytes)
 {
-	unsigned int ret;
-	struct crypto_blkcipher *tfm;
 	struct geode_aes_op *op = crypto_blkcipher_ctx(desc->tfm);
+	SYNC_SKCIPHER_REQUEST_ON_STACK(req, op->fallback.blk);
 
-	tfm = desc->tfm;
-	desc->tfm = op->fallback.blk;
-
-	ret = crypto_blkcipher_decrypt_iv(desc, dst, src, nbytes);
+	skcipher_request_set_sync_tfm(req, op->fallback.blk);
+	skcipher_request_set_callback(req, 0, NULL, NULL);
+	skcipher_request_set_crypt(req, dst, src, nbytes, desc->info);
 
-	desc->tfm = tfm;
-	return ret;
+	return crypto_skcipher_decrypt(req);
 }
+
 static int fallback_blk_enc(struct blkcipher_desc *desc,
 		struct scatterlist *dst, struct scatterlist *src,
 		unsigned int nbytes)
 {
-	unsigned int ret;
-	struct crypto_blkcipher *tfm;
 	struct geode_aes_op *op = crypto_blkcipher_ctx(desc->tfm);
+	SYNC_SKCIPHER_REQUEST_ON_STACK(req, op->fallback.blk);
 
-	tfm = desc->tfm;
-	desc->tfm = op->fallback.blk;
-
-	ret = crypto_blkcipher_encrypt_iv(desc, dst, src, nbytes);
+	skcipher_request_set_sync_tfm(req, op->fallback.blk);
+	skcipher_request_set_callback(req, 0, NULL, NULL);
+	skcipher_request_set_crypt(req, dst, src, nbytes, desc->info);
 
-	desc->tfm = tfm;
-	return ret;
+	return crypto_skcipher_encrypt(req);
 }
 
 static void
@@ -366,9 +364,8 @@  static int fallback_init_blk(struct crypto_tfm *tfm)
 	const char *name = crypto_tfm_alg_name(tfm);
 	struct geode_aes_op *op = crypto_tfm_ctx(tfm);
 
-	op->fallback.blk = crypto_alloc_blkcipher(name, 0,
-			CRYPTO_ALG_ASYNC | CRYPTO_ALG_NEED_FALLBACK);
-
+	op->fallback.blk = crypto_alloc_sync_skcipher(name, 0,
+						      CRYPTO_ALG_NEED_FALLBACK);
 	if (IS_ERR(op->fallback.blk)) {
 		printk(KERN_ERR "Error allocating fallback algo %s\n", name);
 		return PTR_ERR(op->fallback.blk);
@@ -381,7 +378,7 @@  static void fallback_exit_blk(struct crypto_tfm *tfm)
 {
 	struct geode_aes_op *op = crypto_tfm_ctx(tfm);
 
-	crypto_free_blkcipher(op->fallback.blk);
+	crypto_free_sync_skcipher(op->fallback.blk);
 	op->fallback.blk = NULL;
 }
 
diff --git a/drivers/crypto/geode-aes.h b/drivers/crypto/geode-aes.h
index 5c6e131a8f9d..f8a86898ac22 100644
--- a/drivers/crypto/geode-aes.h
+++ b/drivers/crypto/geode-aes.h
@@ -60,7 +60,7 @@  struct geode_aes_op {
 	u8 *iv;
 
 	union {
-		struct crypto_blkcipher *blk;
+		struct crypto_sync_skcipher *blk;
 		struct crypto_cipher *cip;
 	} fallback;
 	u32 keylen;