2012-09-07 04:17:02 +08:00
|
|
|
#
|
|
|
|
# Arch-specific CryptoAPI modules.
|
|
|
|
#
|
|
|
|
|
|
|
|
obj-$(CONFIG_CRYPTO_AES_ARM) += aes-arm.o
|
ARM: add support for bit sliced AES using NEON instructions
Bit sliced AES gives around 45% speedup on Cortex-A15 for encryption
and around 25% for decryption. This implementation of the AES algorithm
does not rely on any lookup tables so it is believed to be invulnerable
to cache timing attacks.
This algorithm processes up to 8 blocks in parallel in constant time. This
means that it is not usable by chaining modes that are strictly sequential
in nature, such as CBC encryption. CBC decryption, however, can benefit from
this implementation and runs about 25% faster. The other chaining modes
implemented in this module, XTS and CTR, can execute fully in parallel in
both directions.
The core code has been adopted from the OpenSSL project (in collaboration
with the original author, on cc). For ease of maintenance, this version is
identical to the upstream OpenSSL code, i.e., all modifications that were
required to make it suitable for inclusion into the kernel have been made
upstream. The original can be found here:
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6f6a6130
Note to integrators:
While this implementation is significantly faster than the existing table
based ones (generic or ARM asm), especially in CTR mode, the effects on
power efficiency are unclear as of yet. This code does fundamentally more
work, by calculating values that the table based code obtains by a simple
lookup; only by doing all of that work in a SIMD fashion, it manages to
perform better.
Cc: Andy Polyakov <appro@openssl.org>
Acked-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2013-09-17 00:31:38 +08:00
|
|
|
obj-$(CONFIG_CRYPTO_AES_ARM_BS) += aes-arm-bs.o
|
2012-09-07 04:17:02 +08:00
|
|
|
obj-$(CONFIG_CRYPTO_SHA1_ARM) += sha1-arm.o
|
2014-07-30 00:14:14 +08:00
|
|
|
obj-$(CONFIG_CRYPTO_SHA1_ARM_NEON) += sha1-arm-neon.o
|
2015-04-03 18:03:40 +08:00
|
|
|
obj-$(CONFIG_CRYPTO_SHA256_ARM) += sha256-arm.o
|
2015-05-08 16:46:21 +08:00
|
|
|
obj-$(CONFIG_CRYPTO_SHA512_ARM) += sha512-arm.o
|
2017-01-12 00:41:50 +08:00
|
|
|
obj-$(CONFIG_CRYPTO_CHACHA20_NEON) += chacha20-neon.o
|
crypto: arm - workaround for building with old binutils
Old versions of binutils (before 2.23) do not yet understand the
crypto-neon-fp-armv8 fpu instructions, and an attempt to build these
files results in a build failure:
arch/arm/crypto/aes-ce-core.S:133: Error: selected processor does not support ARM mode `vld1.8 {q10-q11},[ip]!'
arch/arm/crypto/aes-ce-core.S:133: Error: bad instruction `aese.8 q0,q8'
arch/arm/crypto/aes-ce-core.S:133: Error: bad instruction `aesmc.8 q0,q0'
arch/arm/crypto/aes-ce-core.S:133: Error: bad instruction `aese.8 q0,q9'
arch/arm/crypto/aes-ce-core.S:133: Error: bad instruction `aesmc.8 q0,q0'
Since the affected versions are still in widespread use, and this breaks
'allmodconfig' builds, we should try to at least get a successful kernel
build. Unfortunately, I could not come up with a way to make the Kconfig
symbol depend on the binutils version, which would be the nicest solution.
Instead, this patch uses the 'as-instr' Kbuild macro to find out whether
the support is present in the assembler, and otherwise emits a non-fatal
warning indicating which selected modules could not be built.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: http://storage.kernelci.org/next/next-20150410/arm-allmodconfig/build.log
Fixes: 864cbeed4ab22d ("crypto: arm - add support for SHA1 using ARMv8 Crypto Instructions")
[ard.biesheuvel:
- omit modules entirely instead of building empty ones if binutils is too old
- update commit log accordingly]
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-04-11 21:32:34 +08:00
|
|
|
|
|
|
|
ce-obj-$(CONFIG_CRYPTO_AES_ARM_CE) += aes-arm-ce.o
|
|
|
|
ce-obj-$(CONFIG_CRYPTO_SHA1_ARM_CE) += sha1-arm-ce.o
|
|
|
|
ce-obj-$(CONFIG_CRYPTO_SHA2_ARM_CE) += sha2-arm-ce.o
|
|
|
|
ce-obj-$(CONFIG_CRYPTO_GHASH_ARM_CE) += ghash-arm-ce.o
|
2016-12-06 02:42:26 +08:00
|
|
|
ce-obj-$(CONFIG_CRYPTO_CRCT10DIF_ARM_CE) += crct10dif-arm-ce.o
|
2017-02-28 22:36:57 +08:00
|
|
|
crc-obj-$(CONFIG_CRYPTO_CRC32_ARM_CE) += crc32-arm-ce.o
|
|
|
|
|
|
|
|
ifneq ($(crc-obj-y)$(crc-obj-m),)
|
|
|
|
ifeq ($(call as-instr,.arch armv8-a\n.arch_extension crc,y,n),y)
|
|
|
|
ce-obj-y += $(crc-obj-y)
|
|
|
|
ce-obj-m += $(crc-obj-m)
|
|
|
|
else
|
|
|
|
$(warning These CRC Extensions modules need binutils 2.23 or higher)
|
|
|
|
$(warning $(crc-obj-y) $(crc-obj-m))
|
|
|
|
endif
|
|
|
|
endif
|
crypto: arm - workaround for building with old binutils
Old versions of binutils (before 2.23) do not yet understand the
crypto-neon-fp-armv8 fpu instructions, and an attempt to build these
files results in a build failure:
arch/arm/crypto/aes-ce-core.S:133: Error: selected processor does not support ARM mode `vld1.8 {q10-q11},[ip]!'
arch/arm/crypto/aes-ce-core.S:133: Error: bad instruction `aese.8 q0,q8'
arch/arm/crypto/aes-ce-core.S:133: Error: bad instruction `aesmc.8 q0,q0'
arch/arm/crypto/aes-ce-core.S:133: Error: bad instruction `aese.8 q0,q9'
arch/arm/crypto/aes-ce-core.S:133: Error: bad instruction `aesmc.8 q0,q0'
Since the affected versions are still in widespread use, and this breaks
'allmodconfig' builds, we should try to at least get a successful kernel
build. Unfortunately, I could not come up with a way to make the Kconfig
symbol depend on the binutils version, which would be the nicest solution.
Instead, this patch uses the 'as-instr' Kbuild macro to find out whether
the support is present in the assembler, and otherwise emits a non-fatal
warning indicating which selected modules could not be built.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: http://storage.kernelci.org/next/next-20150410/arm-allmodconfig/build.log
Fixes: 864cbeed4ab22d ("crypto: arm - add support for SHA1 using ARMv8 Crypto Instructions")
[ard.biesheuvel:
- omit modules entirely instead of building empty ones if binutils is too old
- update commit log accordingly]
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2015-04-11 21:32:34 +08:00
|
|
|
|
|
|
|
ifneq ($(ce-obj-y)$(ce-obj-m),)
|
|
|
|
ifeq ($(call as-instr,.fpu crypto-neon-fp-armv8,y,n),y)
|
|
|
|
obj-y += $(ce-obj-y)
|
|
|
|
obj-m += $(ce-obj-m)
|
|
|
|
else
|
|
|
|
$(warning These ARMv8 Crypto Extensions modules need binutils 2.23 or higher)
|
|
|
|
$(warning $(ce-obj-y) $(ce-obj-m))
|
|
|
|
endif
|
|
|
|
endif
|
2012-09-07 04:17:02 +08:00
|
|
|
|
2017-01-12 00:41:53 +08:00
|
|
|
aes-arm-y := aes-cipher-core.o aes-cipher-glue.o
|
2017-01-12 00:41:54 +08:00
|
|
|
aes-arm-bs-y := aes-neonbs-core.o aes-neonbs-glue.o
|
ARM: add support for bit sliced AES using NEON instructions
Bit sliced AES gives around 45% speedup on Cortex-A15 for encryption
and around 25% for decryption. This implementation of the AES algorithm
does not rely on any lookup tables so it is believed to be invulnerable
to cache timing attacks.
This algorithm processes up to 8 blocks in parallel in constant time. This
means that it is not usable by chaining modes that are strictly sequential
in nature, such as CBC encryption. CBC decryption, however, can benefit from
this implementation and runs about 25% faster. The other chaining modes
implemented in this module, XTS and CTR, can execute fully in parallel in
both directions.
The core code has been adopted from the OpenSSL project (in collaboration
with the original author, on cc). For ease of maintenance, this version is
identical to the upstream OpenSSL code, i.e., all modifications that were
required to make it suitable for inclusion into the kernel have been made
upstream. The original can be found here:
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6f6a6130
Note to integrators:
While this implementation is significantly faster than the existing table
based ones (generic or ARM asm), especially in CTR mode, the effects on
power efficiency are unclear as of yet. This code does fundamentally more
work, by calculating values that the table based code obtains by a simple
lookup; only by doing all of that work in a SIMD fashion, it manages to
perform better.
Cc: Andy Polyakov <appro@openssl.org>
Acked-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2013-09-17 00:31:38 +08:00
|
|
|
sha1-arm-y := sha1-armv4-large.o sha1_glue.o
|
2014-07-30 00:14:14 +08:00
|
|
|
sha1-arm-neon-y := sha1-armv7-neon.o sha1_neon_glue.o
|
2015-04-03 18:03:40 +08:00
|
|
|
sha256-arm-neon-$(CONFIG_KERNEL_MODE_NEON) := sha256_neon_glue.o
|
|
|
|
sha256-arm-y := sha256-core.o sha256_glue.o $(sha256-arm-neon-y)
|
2015-05-08 16:46:21 +08:00
|
|
|
sha512-arm-neon-$(CONFIG_KERNEL_MODE_NEON) := sha512-neon-glue.o
|
|
|
|
sha512-arm-y := sha512-core.o sha512-glue.o $(sha512-arm-neon-y)
|
2015-03-10 16:47:45 +08:00
|
|
|
sha1-arm-ce-y := sha1-ce-core.o sha1-ce-glue.o
|
2015-03-10 16:47:46 +08:00
|
|
|
sha2-arm-ce-y := sha2-ce-core.o sha2-ce-glue.o
|
2015-03-10 16:47:47 +08:00
|
|
|
aes-arm-ce-y := aes-ce-core.o aes-ce-glue.o
|
2015-03-10 16:47:48 +08:00
|
|
|
ghash-arm-ce-y := ghash-ce-core.o ghash-ce-glue.o
|
2016-12-06 02:42:26 +08:00
|
|
|
crct10dif-arm-ce-y := crct10dif-ce-core.o crct10dif-ce-glue.o
|
2016-12-06 02:42:28 +08:00
|
|
|
crc32-arm-ce-y:= crc32-ce-core.o crc32-ce-glue.o
|
2017-01-12 00:41:50 +08:00
|
|
|
chacha20-neon-y := chacha20-neon-core.o chacha20-neon-glue.o
|
ARM: add support for bit sliced AES using NEON instructions
Bit sliced AES gives around 45% speedup on Cortex-A15 for encryption
and around 25% for decryption. This implementation of the AES algorithm
does not rely on any lookup tables so it is believed to be invulnerable
to cache timing attacks.
This algorithm processes up to 8 blocks in parallel in constant time. This
means that it is not usable by chaining modes that are strictly sequential
in nature, such as CBC encryption. CBC decryption, however, can benefit from
this implementation and runs about 25% faster. The other chaining modes
implemented in this module, XTS and CTR, can execute fully in parallel in
both directions.
The core code has been adopted from the OpenSSL project (in collaboration
with the original author, on cc). For ease of maintenance, this version is
identical to the upstream OpenSSL code, i.e., all modifications that were
required to make it suitable for inclusion into the kernel have been made
upstream. The original can be found here:
http://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6f6a6130
Note to integrators:
While this implementation is significantly faster than the existing table
based ones (generic or ARM asm), especially in CTR mode, the effects on
power efficiency are unclear as of yet. This code does fundamentally more
work, by calculating values that the table based code obtains by a simple
lookup; only by doing all of that work in a SIMD fashion, it manages to
perform better.
Cc: Andy Polyakov <appro@openssl.org>
Acked-by: Nicolas Pitre <nico@linaro.org>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
2013-09-17 00:31:38 +08:00
|
|
|
|
|
|
|
quiet_cmd_perl = PERL $@
|
|
|
|
cmd_perl = $(PERL) $(<) > $(@)
|
|
|
|
|
2015-04-03 18:03:40 +08:00
|
|
|
$(src)/sha256-core.S_shipped: $(src)/sha256-armv4.pl
|
|
|
|
$(call cmd,perl)
|
|
|
|
|
2015-05-08 16:46:21 +08:00
|
|
|
$(src)/sha512-core.S_shipped: $(src)/sha512-armv4.pl
|
|
|
|
$(call cmd,perl)
|
|
|
|
|
2017-01-12 00:41:54 +08:00
|
|
|
.PRECIOUS: $(obj)/sha256-core.S $(obj)/sha512-core.S
|