Development tree for the kernel CSPRNG https://git.zx2c4.com/linux-rng/atom/crypto/Makefile?h=master 2025-11-11T19:03:38Z 2025-11-11T19:03:38Z Eric Biggers ebiggers@kernel.org 2025-11-09T23:47:22Z urn:sha1:fd36de5749244c66f55eb943a5bbedbd9d6dd385 Remove polyval support from crypto_shash. It no longer has any user now that the HCTR2 code uses the POLYVAL library instead. Reviewed-by: Ard Biesheuvel <ardb@kernel.org> Link: https://lore.kernel.org/r/20251109234726.638437-8-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> 2025-11-06T04:30:51Z Eric Biggers ebiggers@kernel.org 2025-10-26T05:50:31Z urn:sha1:f1799d17285ca99243328cd92133a9f84ee3a593 Replace sha3_generic.c with a new file sha3.c which implements the SHA-3 crypto_shash algorithms on top of the SHA-3 library API. Change the driver name suffix from "-generic" to "-lib" to reflect that these algorithms now just use the (possibly arch-optimized) library. This closely mirrors crypto/{md5,sha1,sha256,sha512,blake2b}.c. Implement export_core and import_core, since crypto/hmac.c expects these to be present. (Note that there is no security purpose in wrapping SHA-3 with HMAC. HMAC was designed for older algorithms that don't resist length extension attacks. But since someone could be using "hmac(sha3-*)" via crypto_shash anyway, keep supporting it for now.) Reviewed-by: Ard Biesheuvel <ardb@kernel.org> Tested-by: Harald Freudenberger <freude@linux.ibm.com> Link: https://lore.kernel.org/r/20251026055032.1413733-15-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> 2025-10-30T05:04:24Z Eric Biggers ebiggers@kernel.org 2025-10-18T04:31:05Z urn:sha1:fa3ca9bfe3f001ed306cb3ce9761dacffbe143f8 Replace blake2b_generic.c with a new file blake2b.c which implements the BLAKE2b crypto_shash algorithms on top of the BLAKE2b library API. Change the driver name suffix from "-generic" to "-lib" to reflect that these algorithms now just use the (possibly arch-optimized) library. This closely mirrors crypto/{md5,sha1,sha256,sha512}.c. Remove include/crypto/internal/blake2b.h since it is no longer used. Likewise, remove struct blake2b_state from include/crypto/blake2b.h. Omit support for import_core and export_core, since there are no legacy drivers that need these for these algorithms. Reviewed-by: Ard Biesheuvel <ardb@kernel.org> Link: https://lore.kernel.org/r/20251018043106.375964-10-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> 2025-09-06T21:45:49Z Eric Biggers ebiggers@kernel.org 2025-09-06T21:35:17Z urn:sha1:09e7652ddb688488a2954f1168b7f40e037694a4 Curve25519 has both a library API and a crypto_kpp API. However, the crypto_kpp API for Curve25519 had no users outside crypto/testmgr.c. I.e., no non-test code ever passed "curve25519" to crypto_alloc_kpp(). Remove this unused code. We'll instead focus on the Curve25519 library API (<crypto/curve25519.h>), which is a simpler and easier-to-use API and is the API that is actually being used. Acked-by: Geert Uytterhoeven <geert@linux-m68k.org> # m68k Link: https://lore.kernel.org/r/20250906213523.84915-7-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> 2025-07-29T00:58:52Z Linus Torvalds torvalds@linux-foundation.org 2025-07-29T00:58:52Z urn:sha1:13150742b09e720fdf021de14cd2b98b37415a89 Pull crypto library updates from Eric Biggers: "This is the main crypto library pull request for 6.17. The main focus this cycle is on reorganizing the SHA-1 and SHA-2 code, providing high-quality library APIs for SHA-1 and SHA-2 including HMAC support, and establishing conventions for lib/crypto/ going forward: - Migrate the SHA-1 and SHA-512 code (and also SHA-384 which shares most of the SHA-512 code) into lib/crypto/. This includes both the generic and architecture-optimized code. Greatly simplify how the architecture-optimized code is integrated. Add an easy-to-use library API for each SHA variant, including HMAC support. Finally, reimplement the crypto_shash support on top of the library API. - Apply the same reorganization to the SHA-256 code (and also SHA-224 which shares most of the SHA-256 code). This is a somewhat smaller change, due to my earlier work on SHA-256. But this brings in all the same additional improvements that I made for SHA-1 and SHA-512. There are also some smaller changes: - Move the architecture-optimized ChaCha, Poly1305, and BLAKE2s code from arch/$(SRCARCH)/lib/crypto/ to lib/crypto/$(SRCARCH)/. For these algorithms it's just a move, not a full reorganization yet. - Fix the MIPS chacha-core.S to build with the clang assembler. - Fix the Poly1305 functions to work in all contexts. - Fix a performance regression in the x86_64 Poly1305 code. - Clean up the x86_64 SHA-NI optimized SHA-1 assembly code. Note that since the new organization of the SHA code is much simpler, the diffstat of this pull request is negative, despite the addition of new fully-documented library APIs for multiple SHA and HMAC-SHA variants. These APIs will allow further simplifications across the kernel as users start using them instead of the old-school crypto API. (I've already written a lot of such conversion patches, removing over 1000 more lines of code. But most of those will target 6.18 or later)" * tag 'libcrypto-updates-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux: (67 commits) lib/crypto: arm64/sha512-ce: Drop compatibility macros for older binutils lib/crypto: x86/sha1-ni: Convert to use rounds macros lib/crypto: x86/sha1-ni: Minor optimizations and cleanup crypto: sha1 - Remove sha1_base.h lib/crypto: x86/sha1: Migrate optimized code into library lib/crypto: sparc/sha1: Migrate optimized code into library lib/crypto: s390/sha1: Migrate optimized code into library lib/crypto: powerpc/sha1: Migrate optimized code into library lib/crypto: mips/sha1: Migrate optimized code into library lib/crypto: arm64/sha1: Migrate optimized code into library lib/crypto: arm/sha1: Migrate optimized code into library crypto: sha1 - Use same state format as legacy drivers crypto: sha1 - Wrap library and add HMAC support lib/crypto: sha1: Add HMAC support lib/crypto: sha1: Add SHA-1 library functions lib/crypto: sha1: Rename sha1_init() to sha1_init_raw() crypto: x86/sha1 - Rename conflicting symbol lib/crypto: sha2: Add hmac_sha*_init_usingrawkey() lib/crypto: arm/poly1305: Remove unneeded empty weak function lib/crypto: x86/poly1305: Fix performance regression on short messages ... 2025-07-14T15:59:20Z Eric Biggers ebiggers@kernel.org 2025-07-12T23:22:56Z urn:sha1:8bc79ab67d78e2991b9d6cf0b63789189212375a Like I did for crypto/sha512.c, rework crypto/sha1_generic.c (renamed to crypto/sha1.c) to simply wrap the normal library functions instead of accessing the low-level block function directly. Also add support for HMAC-SHA1, again just wrapping the library functions. Since the replacement crypto_shash algorithms are implemented using the (potentially arch-optimized) library functions, give them driver names ending with "-lib" rather than "-generic". Update crypto/testmgr.c and an odd driver to take this change in driver name into account. Note: to see the diff from crypto/sha1_generic.c to crypto/sha1.c, view this commit with 'git show -M10'. Reviewed-by: Ard Biesheuvel <ardb@kernel.org> Link: https://lore.kernel.org/r/20250712232329.818226-6-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> 2025-07-08T19:03:44Z Eric Biggers ebiggers@kernel.org 2025-06-30T17:22:23Z urn:sha1:aacb37f597d0b50800a233ab2c29c195a1595147 crypto/hash_info.c just contains a couple of arrays that map HASH_ALGO_* algorithm IDs to properties of those algorithms. It is compiled only when CRYPTO_HASH_INFO=y, but currently CRYPTO_HASH_INFO depends on CRYPTO. Since this can be useful without the old-school crypto API, move it into lib/crypto/ so that it no longer depends on CRYPTO. This eliminates the need for FS_VERITY to select CRYPTO after it's been converted to use lib/crypto/. Acked-by: Ard Biesheuvel <ardb@kernel.org> Link: https://lore.kernel.org/r/20250630172224.46909-2-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> 2025-07-04T17:23:11Z Eric Biggers ebiggers@kernel.org 2025-06-30T16:06:40Z urn:sha1:e0cd3716910385ba1ccbd433c860516cf806fc71 Like I did for crypto/sha512.c, rework crypto/sha256.c to simply wrap the normal library functions instead of accessing the low-level arch- optimized and generic block functions directly. Also add support for HMAC-SHA224 and HMAC-SHA256, again just wrapping the library functions. Since the replacement crypto_shash algorithms are implemented using the (potentially arch-optimized) library functions, give them driver names ending with "-lib" rather than "-generic". Update crypto/testmgr.c and a couple odd drivers to take this change in driver name into account. Besides the above cases which are accounted for, there are no known cases where the driver names were being depended on. There is potential for confusion for people manually checking /proc/crypto (e.g. https://lore.kernel.org/r/9e33c893-2466-4d4e-afb1-966334e451a2@linux.ibm.com/), but really people just need to get used to the driver name not being meaningful for the software algorithms. Historically, the optimized code was disabled by default, so there was some purpose to checking whether it was enabled or not. However, this is now fixed for all SHA-2 algorithms, and the library code just always does the right thing. E.g. if the CPU supports SHA-256 instructions, they are used. This change does also mean that the generic partial block handling code in crypto/shash.c, which got added in 6.16, no longer gets used. But that's fine; the library has to implement the partial block handling anyway, and it's better to do it in the library since the block size and other properties of the algorithm are all fixed at compile time there, resulting in more streamlined code. Acked-by: Ard Biesheuvel <ardb@kernel.org> Link: https://lore.kernel.org/r/20250630160645.3198-10-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> 2025-06-30T16:31:56Z Eric Biggers ebiggers@kernel.org 2025-06-13T18:37:53Z urn:sha1:b0e04dde8e78fd0f08210c594ab29cbbcd841b73 For the "crc32" and "crc32c" shash algorithms, instead of registering "*-generic" drivers as well as conditionally registering "*-$(ARCH)" drivers, instead just register "*-lib" drivers. These just use the regular library functions crc32_le() and crc32c(), so they just do the right thing and are fully accelerated when supported by the CPU. This eliminates the need for the CRC library to export crc32_le_base() and crc32c_base(). Separate commits make those static functions. Since this commit removes the "crc32-generic" and "crc32c-generic" driver names which crypto/testmgr.c expects to exist, update testmgr.c accordingly. This does mean that testmgr.c will no longer fuzz-test the "generic" implementation against the "arch" implementation for crc32 and crc32c, but this was redundant with crc_kunit anyway. Besides the above, and btrfs_init_csum_hash() which the previous commit fixed, no code appears to have been relying on the "crc32-generic" or "crc32c-generic" driver names specifically. btrfs does export the checksum name and checksum driver name in /sys/fs/btrfs/$uuid/checksum. This commit makes the driver name portion of that file contain "crc32c-lib" instead of "crc32c-generic" or "crc32c-$(ARCH)". This should be fine, since in practice the purpose of the driver name portion of this file seems to have been just to allow users to manually check whether they needed to enable the optimized CRC32C code. This was needed only because of the bug in old kernels where the optimized CRC32C code defaulted to off and even needed to be explicitly added to the ramdisk to be used. Now that it just works in Linux 6.14 and later, there's no need for users to take any action and the driver name portion of this is basically obsolete. (Also, note that the crc32c driver name already changed in 6.14.) Acked-by: David Sterba <dsterba@suse.com> Link: https://lore.kernel.org/r/20250613183753.31864-3-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org> 2025-06-30T16:26:19Z Eric Biggers ebiggers@kernel.org 2025-06-30T16:03:09Z urn:sha1:469acaa12502e05eefd439693361fe4b851a4fd5 Delete crypto/sha512_generic.c, which provided "generic" SHA-384 and SHA-512 crypto_shash algorithms. Replace it with crypto/sha512.c which provides SHA-384, SHA-512, HMAC-SHA384, and HMAC-SHA512 crypto_shash algorithms using the corresponding library functions. This is a prerequisite for migrating all the arch-optimized SHA-512 code (which is almost 3000 lines) to lib/crypto/ rather than duplicating it. Since the replacement crypto_shash algorithms are implemented using the (potentially arch-optimized) library functions, give them cra_driver_names ending with "-lib" rather than "-generic". Update crypto/testmgr.c and one odd driver to take this change in driver name into account. Besides these cases which are accounted for, there are no known cases where the cra_driver_name was being depended on. This change does mean that the abstract partial block handling code in crypto/shash.c, which got added in 6.16, no longer gets used. But that's fine; the library has to implement the partial block handling anyway, and it's better to do it in the library since the block size and other properties of the algorithm are all fixed at compile time there, resulting in more streamlined code. Acked-by: Ard Biesheuvel <ardb@kernel.org> Link: https://lore.kernel.org/r/20250630160320.2888-6-ebiggers@kernel.org Signed-off-by: Eric Biggers <ebiggers@kernel.org>