[PATCH] crypto: riscv/aes - Implement scalar Zkn version for RV32

Herbert Xu herbert at gondor.apana.org.au
Fri Aug 4 01:21:34 PDT 2023


On Wed, Jul 26, 2023 at 07:29:58PM +0200, Ard Biesheuvel wrote:
> The generic AES implementation we rely on if no architecture specific
> one is available relies on lookup tables that are relatively large with
> respect to the typical L1 D-cache size, which not only affects
> performance, it may also result in timing variances that correlate with
> the encryption keys.
> 
> So we tend to avoid the generic code if we can, usually by using a
> driver that makes use of special AES instructions which supplant most of
> the logic of the table based implementation of the AES algorithm.
> 
> The Zkn RISC-V extension provides another interesting take on this: it
> defines instructions operating on scalar registers that implement the
> table lookups without relying on tables in memory. Those tables carry
> 32-bit quantities, making them a natural fit for a 32-bit architecture.
> And given the use of scalars, we don't have to rely on in-kernel SIMD,
> which is a bonus.
> 
> So let's use the instructions to implement the core AES cipher for RV32.
> 
> Cc: Paul Walmsley <paul.walmsley at sifive.com>
> Cc: Palmer Dabbelt <palmer at dabbelt.com>
> Cc: Albert Ou <aou at eecs.berkeley.edu>
> Cc: Christoph Müllner <christoph.muellner at vrull.eu>
> Cc: Heiko Stuebner <heiko.stuebner at vrull.eu>
> Signed-off-by: Ard Biesheuvel <ardb at kernel.org>
> ---
>  arch/riscv/crypto/Kconfig             |  12 ++
>  arch/riscv/crypto/Makefile            |   3 +
>  arch/riscv/crypto/aes-riscv32-glue.c  |  75 ++++++++++++
>  arch/riscv/crypto/aes-riscv32-zkned.S | 119 ++++++++++++++++++++
>  4 files changed, 209 insertions(+)

Hi Ard:

Any chance you could postpone this until after I've finished removing
crypto_cipher?

Thanks,
-- 
Email: Herbert Xu <herbert at gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
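
Added example, not part of the thread and not code from the patch: a C software model of the Zkn `aes32esmi` step that the quoted commit message alludes to, showing how one instruction stands in for a T-table lookup without touching a table in memory. The function names are hypothetical, the instruction behaviour is modelled on the RISC-V scalar cryptography specification, and the sample state is constructed from the FIPS-197 Appendix B example.

```c
#include <stdint.h>
#include <stdio.h>

/* GF(2^8) multiply mod x^8+x^4+x^3+x+1: fixed loop, no lookups, no branches on data. */
static uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t r = 0;
    for (int i = 0; i < 8; i++, b >>= 1) {
        r ^= (uint8_t)(-(b & 1)) & a;
        a = (uint8_t)((a << 1) ^ ((uint8_t)(-(a >> 7)) & 0x1b));
    }
    return r;
}

/* AES S-box by arithmetic: inverse as x^254 (maps 0 to 0), then the affine map. */
static uint8_t aes_sbox(uint8_t x)
{
    uint8_t inv = 1, p = x, s;
    for (int i = 1; i < 8; i++)              /* p = x^(2^i); inv collects x^2 .. x^128 */
        inv = gf_mul(inv, p = gf_mul(p, p));
    s = inv;
    for (int i = 1; i <= 4; i++)
        s ^= (uint8_t)((inv << i) | (inv >> (8 - i)));
    return s ^ 0x63;
}

static uint32_t rol32(uint32_t x, unsigned n) { return (x << n) | (x >> ((32 - n) & 31)); }

/* Model of aes32esmi rd, rs1, rs2, bs: S-box byte bs of rs2, expand it to its
 * MixColumns contribution (3s, s, s, 2s), rotate by 8*bs, XOR into rs1. */
uint32_t model_aes32esmi(uint32_t rs1, uint32_t rs2, unsigned bs)
{
    unsigned shamt = (bs & 3) * 8;
    uint32_t so = aes_sbox((uint8_t)(rs2 >> shamt));
    uint32_t mixed = ((uint32_t)gf_mul(so, 3) << 24) | (so << 16) | (so << 8) | gf_mul(so, 2);
    return rs1 ^ rol32(mixed, shamt);
}

/* Output column j of a middle round: four chained steps; ShiftRows is the (j + bs) word choice. */
uint32_t round_column(uint32_t rk, const uint32_t s[4], unsigned j)
{
    for (unsigned bs = 0; bs < 4; bs++)
        rk = model_aes32esmi(rk, s[(j + bs) & 3], bs);
    return rk;
}

int main(void)
{
    const uint32_t s[4] = { 0xbee33d19, 0x2be2f4a0, 0x2a8dc69a, 0x0848f8e9 }; /* constructed */
    printf("%08x\n", (unsigned)round_column(0x17fefaa0, s, 0));
}
```

The model only illustrates the data flow; whether compiled C stays free of data-dependent timing depends on the compiler and target, which is one reason to prefer the hardware instruction.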