NetBSD/sys/crypto/aes/aes_bear.h

/* $NetBSD: aes_bear.h,v 1.2 2020/06/29 23:36:59 riastradh Exp $ */
Rework AES in kernel to finally address CVE-2005-1797.

1. Rip out old variable-time reference implementation.

2. Replace it by BearSSL's constant-time 32-bit logic.
   => Obtained from commit dda1f8a0c46e15b4a235163470ff700b2f13dcc5.
   => We could conditionally adopt the 64-bit logic too, which would
      likely give a modest performance boost on 64-bit platforms
      without AES-NI, but that's a bit more trouble.

3. Select the AES implementation at boot-time; allow an MD override.
   => Use self-tests to verify basic correctness at boot.
   => The implementation selection policy is rather rudimentary at
      the moment but it is isolated to one place so it's easy to
      change later on.

This (a) plugs a host of timing attacks on, e.g., cgd, and (b) paves
the way to take advantage of CPU support for AES -- both things we
should've done a decade ago.

Downside: Computing AES takes 2-3x the CPU time. But that's what
hardware support will be coming for.

Rudimentary measurement of performance impact done by:

mount -t tmpfs tmpfs /tmp
dd if=/dev/zero of=/tmp/disk bs=1m count=512
vnconfig -cv vnd0 /tmp/disk
cgdconfig -s cgd0 /dev/vnd0 aes-cbc 256 < /dev/zero
dd if=/dev/rcgd0d of=/dev/null bs=64k
dd if=/dev/zero of=/dev/rcgd0d bs=64k

The AES-CBC encryption performance impact is closer to 3x because it
is inherently sequential; the AES-CBC decryption impact is closer to
2x because the bitsliced AES logic can process two blocks at once.

Discussed on tech-kern:
https://mail-index.NetBSD.org/tech-kern/2020/06/18/msg026505.html

2020-06-30 02:27:52 +03:00
/*-
* Copyright (c) 2020 The NetBSD Foundation, Inc.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
* ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
* BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
* POSSIBILITY OF SUCH DAMAGE.
*/
#ifndef _CRYPTO_AES_AES_BEAR_H
#define _CRYPTO_AES_AES_BEAR_H

#include <sys/types.h>
#include <sys/endian.h>

#include <crypto/aes/aes.h>

/* Map BearSSL's little-endian 32-bit load/store helpers onto sys/endian.h. */
#define	br_dec32le	le32dec
#define	br_enc32le	le32enc

/*
 * BearSSL aes_ct entry points.  The cipher state is bitsliced: eight
 * uint32_t words q[0..7] hold two AES blocks at once, with bit j of each
 * of the 32 state bytes kept in word q[j].  The S-box is therefore a
 * fixed boolean circuit over those words, with no secret-dependent table
 * lookup or branch, which is what makes the implementation constant-time.
 */
void	br_aes_ct_bitslice_Sbox(uint32_t *);	/* S-box on bitsliced q[0..7] */
void	br_aes_ct_bitslice_invSbox(uint32_t *);	/* inverse S-box on q[0..7] */
void	br_aes_ct_ortho(uint32_t *);		/* to/from bitsliced form; self-inverse */
u_int	br_aes_ct_keysched(uint32_t *, const void *, size_t);	/* compact key schedule; returns round count */
void	br_aes_ct_skey_expand(uint32_t *, unsigned, const uint32_t *);	/* expand compact subkeys */
void	br_aes_ct_bitslice_encrypt(unsigned, const uint32_t *, uint32_t *);
void	br_aes_ct_bitslice_decrypt(unsigned, const uint32_t *, uint32_t *);

/* NetBSD additions */
void	br_aes_ct_inv_mix_columns(uint32_t *);	/* InvMixColumns on bitsliced state */
u_int	br_aes_ct_keysched_stdenc(uint32_t *, const void *, size_t);	/* standard (non-bitsliced) encryption round keys */
u_int	br_aes_ct_keysched_stddec(uint32_t *, const void *, size_t);	/* standard decryption round keys */
extern struct aes_impl aes_bear_impl;
#endif /* _CRYPTO_AES_AES_BEAR_H */
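The commit message above replaces a variable-time AES because its table lookups index memory with secret data, which is what the CVE-2005-1797 cache-timing attacks observe. The following is an added example by the editor, not NetBSD or BearSSL code, that puts the vulnerable pattern next to a constant-time one at the smallest meaningful unit, a single S-box lookup, and wraps it in a known-answer self-test of the kind the commit says runs at boot. The constant-time version uses a masked scan of the whole table; that is a simpler technique than the bitsliced S-box circuit behind br_aes_ct_bitslice_Sbox and is shown only to make the access-pattern property concrete. All function names (build_sbox, sbox_lookup_vartime, sbox_lookup_ct, sbox_selftest) are the example's own.

```c
/*
 * Added example (not NetBSD or BearSSL code): a secret-indexed table
 * lookup next to a constant-time replacement, plus a known-answer
 * self-test.  Assumes only the C standard library.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* The FIPS-197 S-box, filled in by build_sbox(). */
static uint8_t aes_sbox[256];

/* Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1. */
static uint8_t
xtime(uint8_t a)
{
	return (uint8_t)((a << 1) ^ ((a >> 7) * 0x1b));
}

/*
 * Derive the S-box from its definition (multiplicative inverse in GF(2^8),
 * then the affine map) by walking p = 3^k and q = 3^-k together, so no
 * hand-typed 256-byte table is needed.  Not secret-dependent, so the
 * branch inside is harmless.
 */
void
build_sbox(void)
{
	uint8_t p = 1, q = 1;

	do {
		p ^= xtime(p);			/* p *= 3 */
		q ^= (uint8_t)(q << 1);		/* q /= 3, i.e. q *= 0xf6 */
		q ^= (uint8_t)(q << 2);
		q ^= (uint8_t)(q << 4);
		q ^= (q & 0x80) ? 0x09 : 0x00;
		/* affine map: q ^ rotl(q,1) ^ rotl(q,2) ^ rotl(q,3) ^ rotl(q,4) */
		uint8_t t = q
		    ^ (uint8_t)((q << 1) | (q >> 7))
		    ^ (uint8_t)((q << 2) | (q >> 6))
		    ^ (uint8_t)((q << 3) | (q >> 5))
		    ^ (uint8_t)((q << 4) | (q >> 4));
		aes_sbox[p] = t ^ 0x63;
	} while (p != 1);
	aes_sbox[0] = 0x63;		/* 0 has no inverse; affine map of 0 */
}

/*
 * Variable-time lookup: which cache line is touched depends on x, so a
 * co-resident attacker timing the cache learns bits of the input, which
 * in AES is plaintext XOR key.
 */
uint8_t
sbox_lookup_vartime(uint8_t x)
{
	return aes_sbox[x];
}

/*
 * Constant-time lookup: every entry is read and the wanted one is
 * selected with an arithmetic mask.  Memory access pattern and
 * instruction stream do not depend on x.
 */
uint8_t
sbox_lookup_ct(uint8_t x)
{
	uint8_t r = 0;

	for (unsigned i = 0; i < 256; i++) {
		/* mask is 0xff iff x == i: (d - 1) underflows only when d == 0 */
		uint32_t d = (uint32_t)(x ^ i);
		uint8_t mask = (uint8_t)((d - 1) >> 24);
		r |= mask & aes_sbox[i];
	}
	return r;
}

/*
 * Known-answer self-test in the spirit of the boot-time check: a few
 * FIPS-197 S-box values, then agreement of both lookups over the whole
 * domain.  Returns 1 on success, 0 on failure.
 */
int
sbox_selftest(void)
{
	static const struct { uint8_t in, out; } kat[] = {
		{ 0x00, 0x63 }, { 0x01, 0x7c }, { 0x53, 0xed }, { 0xff, 0x16 },
	};

	build_sbox();
	for (size_t i = 0; i < sizeof(kat) / sizeof(kat[0]); i++)
		if (sbox_lookup_ct(kat[i].in) != kat[i].out)
			return 0;
	for (unsigned x = 0; x < 256; x++)
		if (sbox_lookup_ct((uint8_t)x) != sbox_lookup_vartime((uint8_t)x))
			return 0;
	return 1;
}

int
main(void)
{
	int ok = sbox_selftest();

	printf("S-box self-test: %s\n", ok ? "ok" : "FAILED");
	printf("S(0x53) = 0x%02x (constant-time), 0x%02x (table)\n",
	    sbox_lookup_ct(0x53), sbox_lookup_vartime(0x53));
	return ok ? 0 : 1;
}
```

Two caveats a practitioner should keep in mind. First, the masked scan is only constant-time if the compiler keeps it that way; check the generated assembly (objdump -d) for a conditional branch or a data-dependent load before trusting it, since an optimizer is free to turn the mask back into a compare-and-branch. Second, 256 reads per byte is why this scan is not how production code does it: bitslicing evaluates the S-box as one boolean circuit over two whole blocks at a time, which is how the commit keeps the cost at the 2-3x it reports rather than orders of magnitude.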