History log of /optee_os/core/arch/arm/crypto/ghash-ce-core_a64.S (Results 1 – 11 of 11)
Revision Date Author Comments
# fcabe15c 31-Jan-2024 Jens Wiklander <jens.wiklander@linaro.org>

core: crypto: fix internal AES-GCM counter implementation

We have several AES-GCM implementations in crypto libraries and
internal. The internal implementation comes in two flavours, with Arm
crypto extensions (CFG_CRYPTO_WITH_CE=y) and a pure software
implementation.

Each block to be encrypted is XORed with an encrypted counter block of
equal size (16 bytes). For each block the counter is increased.

Prior to this patch the entire counter block was increased as a 128-bit
integer, but that's not how AES-GCM is defined. In AES-GCM only the
least significant 32 bits of the counter block are increased, leaving
the rest untouched. The difference is only noticeable when the 32 bits
have reached 0xffffffff and wrap to 0x00000000 on the next increment. With a
128-bit integer this would propagate into other parts of the block.

Fix this by only incrementing the last 32-bit word in the counter block,
both in the pure software implementation and when using Arm crypto
extensions.

Link: https://github.com/OP-TEE/optee_os/issues/6659
Fixes: 1fca7e269b13 ("core: crypto: add new AES-GCM implementation")
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Etienne Carriere <etienne.carriere@foss.st.com>

# 181f8492 06-Dec-2021 Ruchika Gupta <ruchika.gupta@linaro.org>

Generate ELF Note for BTI in all arm64 asm files

Add program property note section in the assembly files to
ensure that when linking them, program property note section
is generated in the final ELF.

Signed-off-by: Ruchika Gupta <ruchika.gupta@linaro.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

# 8a15c688 30-Mar-2020 Jens Wiklander <jens.wiklander@linaro.org>

core: update AArch64 GHASH acceleration routines

Update AArch64 GHASH acceleration routines for improved performance.

The core parts of assembly and wrapper updates are written by
Ard Biesheuvel <ard.biesheuvel@linaro.org>, see [1].

Link: [1] https://github.com/torvalds/linux/commit/22240df7ac6d76a271197571a7be45addef2ba15
Acked-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

# 6898b2ca 01-Apr-2020 Jens Wiklander <jens.wiklander@linaro.org>

core: arm: pmull_ghash_update_*() accepts unaligned payload

Updates the relevant ld1 and vld1 instructions for AArch64 and AArch32
respectively to allow unaligned src and head parameters.

Reviewed-by: Jerome Forissier <jerome@forissier.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

# a31e8303 01-Apr-2020 Jerome Forissier <jerome@forissier.org>

Remove '.section .text.<name>' and use function macros instead

Assembler functions are normally defined using the FUNC/LOCAL_FUNC
macros from <asm.S>. The macros take care of several things, including
putting the function in a specific section for later garbage collection
by the linker (--gc-sections).

A few files do not follow this convention, let's fix them. Two
functions in ghash-ce-core_a64.S (pmull_gcm_load_round_keys() and
pmull_gcm_aes_sub()) totally lack a .section directive, which I think
is a mistake. Fix them at the same time.

No functional change is expected.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Reviewed-by: Jens Wiklander <jens.wiklander@linaro.org>

# 27e19499 10-Sep-2019 Jerome Forissier <jerome@forissier.org>

core: ltc: force alignment of A32 assembler functions to 4 bytes

The Clang assembler will not align all the functions containing A32
code (as opposed to thumb) on 4-byte boundaries, contrary to GCC.
This can cause a runtime exception (undef-abort).

Add a ".balign 4" to the ENTRY macro to fix that.

See also commit ff7c2da6d14b ("Force alignment of assembler functions
(FUNC and LOCAL_FUNC) to 4 bytes") [1].

Link: [1] https://github.com/OP-TEE/optee_os/commit/ff7c2da6d14b
Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

# 69e57dcf 10-Sep-2019 Jerome Forissier <jerome@forissier.org>

core: arm64: crypto: AES-GCM: fix incorrect assembly syntax

"umov w0, v0.4s[0]" is not valid UAL syntax; the 4 should not be here.
GCC accepts it fine but Clang does not. Fix it.

Signed-off-by: Jerome Forissier <jerome@forissier.org>
Acked-by: Jens Wiklander <jens.wiklander@linaro.org>

# fb7ef469 15-Dec-2017 Jerome Forissier <jerome.forissier@linaro.org>

Reformat copyright/license header in files with an SPDX ID

Some files were committed with an SPDX license identifier before the
rules were defined [1]. Reformat them accordingly.

[1] documentation/copyright_and_license_headers.rst

Signed-off-by: Jerome Forissier <jerome.forissier@linaro.org>
Acked-by: Joakim Bech <joakim.bech@linaro.org>

# 424cb386 21-Nov-2017 Jens Wiklander <jens.wiklander@linaro.org>

core: arm64: crypto: AES-GCM: add internal key expansion

Adds internal encryption key expansion when internal AES-GCM uses AES
crypto extensions. This avoids a dependency on the crypto library to use
the same endian on the expanded encryption key.

Copies code from core/lib/libtomcrypt/src/ciphers/aes_armv8a_ce.c and
aes_modes_armv8a_ce_a64.S and makes some small changes to make it fit
in the new place.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

# f6cbe5da 16-Nov-2017 Jens Wiklander <jens.wiklander@linaro.org>

core: arm: crypto: fix AES-GCM counter increase

In pmull_gcm_encrypt() and pmull_gcm_decrypt() it was assumed that it's
enough to only increase the least significant 64-bits of the counter fed
to the block cipher. This can hold for 96-bit IVs, but not for IVs of
any other length as the number stored in the least significant 64-bits
of the counter can't be easily predicted.

In this patch pmull_gcm_encrypt() and pmull_gcm_decrypt() are updated to
increase the entire counter, and at the same time the interface is changed
to accept the counter in little endian format instead.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Tested-by: Jens Wiklander <jens.wiklander@linaro.org> (QEMU, Hikey)
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>

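The counter-block difference that this commit and fcabe15c above are about, as an added example that is not OP-TEE's own code: the inc32 increment defined by NIST SP 800-38D beside the whole-block 128-bit increment, both run on a constructed counter block whose low word is about to wrap. The names gcm_inc32, gcm_inc128_buggy and CTR_AT_WRAP are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define GCM_BLOCK 16

/* Constructed sample counter block (not derived from a real IV): the upper
 * 96 bits stand in for an arbitrary GHASH(IV), the low 32-bit word sits at
 * 0xffffffff so the very next increment wraps. */
static const uint8_t CTR_AT_WRAP[GCM_BLOCK] = {
	0x3c, 0xa1, 0x5e, 0x77, 0x09, 0xd2, 0x4b, 0x80,
	0x66, 0x1f, 0xe3, 0x01, 0xff, 0xff, 0xff, 0xff,
};

/* inc32 from NIST SP 800-38D: only the last (big-endian) 32-bit word is
 * incremented modulo 2^32; the leading 96 bits are never touched. */
static void gcm_inc32(uint8_t ctr[GCM_BLOCK])
{
	uint32_t c = ((uint32_t)ctr[12] << 24) | ((uint32_t)ctr[13] << 16) |
		     ((uint32_t)ctr[14] << 8) | (uint32_t)ctr[15];
	c++; /* 0xffffffff wraps to 0x00000000 */
	ctr[12] = (uint8_t)(c >> 24);
	ctr[13] = (uint8_t)(c >> 16);
	ctr[14] = (uint8_t)(c >> 8);
	ctr[15] = (uint8_t)c;
}

/* The pre-fcabe15c behaviour: treat the block as one 128-bit big-endian
 * integer, so a carry out of the low word propagates into byte 11 and up. */
static void gcm_inc128_buggy(uint8_t ctr[GCM_BLOCK])
{
	for (int i = GCM_BLOCK - 1; i >= 0; i--)
		if (++ctr[i] != 0)
			break;
}

/* Byte 11 of CTR_AT_WRAP after one increment: 0x01 with inc32 (untouched),
 * 0x02 with the 128-bit increment (carry leaked into the IV-derived part). */
static uint8_t byte11_after_inc(bool use_spec_inc32)
{
	uint8_t c[GCM_BLOCK];
	memcpy(c, CTR_AT_WRAP, GCM_BLOCK);
	if (use_spec_inc32)
		gcm_inc32(c);
	else
		gcm_inc128_buggy(c);
	return c[11];
}
```

Both variants agree on every block until the low word wraps, which is why the bug only shows up on counter blocks derived from non-96-bit IVs or after 2^32 - 1 increments.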
# f6e4d9f7 16-Nov-2017 Jens Wiklander <jens.wiklander@linaro.org>

core: import GHASH acceleration routines

Imports assembly code for accelerated GHASH computations and provides an
interface for using these low level functions.

The assembly code relies on features now available in all ARM cores. No
assembly code is enabled at all unless CFG_CRYPTO_WITH_CE = y. Code
using the PMULL/PMULL2 instruction is enabled with CFG_HWSUPP_PMULL = y.

The assembly code is written by Ard Biesheuvel
<ard.biesheuvel@linaro.org> and modified slightly here to fit better
into OP-TEE.

Acked-by: Jerome Forissier <jerome.forissier@linaro.org>
Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
