crypto: arm64/ghash - Use new AES library API

Switch from the old AES library functions (which use struct
crypto_aes_ctx) to the new ones (which use struct aes_enckey).  This
eliminates the unnecessary computation and caching of the decryption
round keys.  The new AES en/decryption functions are also much faster
and use AES instructions when supported by the CPU.

Note that in addition to the change in the key preparation function and
the key struct type itself, the change in the type of the key struct
results in aes_encrypt() (which is temporarily a type-generic macro)
calling the new encryption function rather than the old one.

Acked-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20260112192035.10427-25-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>

diff --git a/arch/arm64/crypto/ghash-ce-glue.c b/arch/arm64/crypto/ghash-ce-glue.c
index ef249d06c92cc4a9c6b478ff132f7afb33be09ae..63bb9e06225112d53fa7414a832c6032c2147ecb 100644 (file)
--- a/arch/arm64/crypto/ghash-ce-glue.c
+++ b/arch/arm64/crypto/ghash-ce-glue.c
@@ -40,7 +40,7 @@ struct arm_ghash_desc_ctx {
 };
 
 struct gcm_aes_ctx {
-       struct crypto_aes_ctx   aes_key;
+       struct aes_enckey       aes_key;
        u8                      nonce[RFC4106_NONCE_SIZE];
        struct ghash_key        ghash_key;
 };
@@ -186,18 +186,6 @@ static struct shash_alg ghash_alg = {
        .statesize              = sizeof(struct ghash_desc_ctx),
 };
 
-static int num_rounds(struct crypto_aes_ctx *ctx)
-{
-       /*
-        * # of rounds specified by AES:
-        * 128 bit key          10 rounds
-        * 192 bit key          12 rounds
-        * 256 bit key          14 rounds
-        * => n byte key        => 6 + (n/4) rounds
-        */
-       return 6 + ctx->key_length / 4;
-}
-
 static int gcm_aes_setkey(struct crypto_aead *tfm, const u8 *inkey,
                          unsigned int keylen)
 {
@@ -206,7 +194,7 @@ static int gcm_aes_setkey(struct crypto_aead *tfm, const u8 *inkey,
        be128 h;
        int ret;
 
-       ret = aes_expandkey(&ctx->aes_key, inkey, keylen);
+       ret = aes_prepareenckey(&ctx->aes_key, inkey, keylen);
        if (ret)
                return -EINVAL;
 
@@ -296,7 +284,6 @@ static int gcm_encrypt(struct aead_request *req, char *iv, int assoclen)
 {
        struct crypto_aead *aead = crypto_aead_reqtfm(req);
        struct gcm_aes_ctx *ctx = crypto_aead_ctx(aead);
-       int nrounds = num_rounds(&ctx->aes_key);
        struct skcipher_walk walk;
        u8 buf[AES_BLOCK_SIZE];
        u64 dg[2] = {};
@@ -331,8 +318,8 @@ static int gcm_encrypt(struct aead_request *req, char *iv, int assoclen)
 
                scoped_ksimd()
                        pmull_gcm_encrypt(nbytes, dst, src, ctx->ghash_key.h,
-                                         dg, iv, ctx->aes_key.key_enc, nrounds,
-                                         tag);
+                                         dg, iv, ctx->aes_key.k.rndkeys,
+                                         ctx->aes_key.nrounds, tag);
 
                if (unlikely(!nbytes))
                        break;
@@ -359,7 +346,6 @@ static int gcm_decrypt(struct aead_request *req, char *iv, int assoclen)
        struct crypto_aead *aead = crypto_aead_reqtfm(req);
        struct gcm_aes_ctx *ctx = crypto_aead_ctx(aead);
        unsigned int authsize = crypto_aead_authsize(aead);
-       int nrounds = num_rounds(&ctx->aes_key);
        struct skcipher_walk walk;
        u8 otag[AES_BLOCK_SIZE];
        u8 buf[AES_BLOCK_SIZE];
@@ -401,8 +387,9 @@ static int gcm_decrypt(struct aead_request *req, char *iv, int assoclen)
                scoped_ksimd()
                        ret = pmull_gcm_decrypt(nbytes, dst, src,
                                                ctx->ghash_key.h,
-                                               dg, iv, ctx->aes_key.key_enc,
-                                               nrounds, tag, otag, authsize);
+                                               dg, iv, ctx->aes_key.k.rndkeys,
+                                               ctx->aes_key.nrounds, tag, otag,
+                                               authsize);
 
                if (unlikely(!nbytes))
                        break;