From: Eric Biggers <ebiggers@kernel.org>
Date: Sat, 21 Mar 2026 22:52:08 +0000 (-0700)
Subject: octeontx2-pf: macsec: Use AES library instead of ecb(aes) skcipher
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8f303194b241c2795bb9b79ee80bc93e7876879c;p=thirdparty%2Flinux.git

octeontx2-pf: macsec: Use AES library instead of ecb(aes) skcipher

cn10k_ecb_aes_encrypt() just encrypts a single block with AES.  That is
much more easily and efficiently done with the AES library than
crypto_skcipher.  Use the AES library instead.

Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Subbaraya Sundeep <sbhatta@marvell.com>
Link: https://patch.msgid.link/20260321225208.64508-1-ebiggers@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
---

diff --git a/drivers/net/ethernet/marvell/octeontx2/Kconfig b/drivers/net/ethernet/marvell/octeontx2/Kconfig
index 35c4f5f64f58..47e549c581f0 100644
--- a/drivers/net/ethernet/marvell/octeontx2/Kconfig
+++ b/drivers/net/ethernet/marvell/octeontx2/Kconfig
@@ -33,6 +33,7 @@ config OCTEONTX2_PF
 	select OCTEONTX2_MBOX
 	select NET_DEVLINK
 	select PAGE_POOL
+	select CRYPTO_LIB_AES if MACSEC
 	depends on (64BIT && COMPILE_TEST) || ARM64
 	select DIMLIB
 	depends on PCI
diff --git a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
index 4649996dc7da..2cc1bdfd9b2e 100644
--- a/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/cn10k_macsec.c
@@ -4,7 +4,7 @@
  * Copyright (C) 2022 Marvell.
  */
 
-#include <crypto/skcipher.h>
+#include <crypto/aes.h>
 #include <linux/rtnetlink.h>
 #include <linux/bitfield.h>
 #include "otx2_common.h"
@@ -46,51 +46,22 @@
 #define CN10K_MAX_HASH_LEN		16
 #define CN10K_MAX_SAK_LEN		32
 
-static int cn10k_ecb_aes_encrypt(struct otx2_nic *pfvf, u8 *sak,
-				 u16 sak_len, u8 *hash)
+static int cn10k_ecb_aes_encrypt(struct otx2_nic *pfvf, const u8 *sak,
+				 u16 sak_len, u8 hash[CN10K_MAX_HASH_LEN])
 {
-	u8 data[CN10K_MAX_HASH_LEN] = { 0 };
-	struct skcipher_request *req = NULL;
-	struct scatterlist sg_src, sg_dst;
-	struct crypto_skcipher *tfm;
-	DECLARE_CRYPTO_WAIT(wait);
-	int err;
-
-	tfm = crypto_alloc_skcipher("ecb(aes)", 0, 0);
-	if (IS_ERR(tfm)) {
-		dev_err(pfvf->dev, "failed to allocate transform for ecb-aes\n");
-		return PTR_ERR(tfm);
-	}
-
-	req = skcipher_request_alloc(tfm, GFP_KERNEL);
-	if (!req) {
-		dev_err(pfvf->dev, "failed to allocate request for skcipher\n");
-		err = -ENOMEM;
-		goto free_tfm;
-	}
+	static const u8 zeroes[CN10K_MAX_HASH_LEN];
+	struct aes_enckey aes;
 
-	err = crypto_skcipher_setkey(tfm, sak, sak_len);
-	if (err) {
-		dev_err(pfvf->dev, "failed to set key for skcipher\n");
-		goto free_req;
+	if (aes_prepareenckey(&aes, sak, sak_len) != 0) {
+		dev_err(pfvf->dev, "invalid AES key length: %d\n", sak_len);
+		return -EINVAL;
 	}
 
-	/* build sg list */
-	sg_init_one(&sg_src, data, CN10K_MAX_HASH_LEN);
-	sg_init_one(&sg_dst, hash, CN10K_MAX_HASH_LEN);
-
-	skcipher_request_set_callback(req, 0, crypto_req_done, &wait);
-	skcipher_request_set_crypt(req, &sg_src, &sg_dst,
-				   CN10K_MAX_HASH_LEN, NULL);
+	static_assert(CN10K_MAX_HASH_LEN == AES_BLOCK_SIZE);
+	aes_encrypt(&aes, hash, zeroes);
 
-	err = crypto_skcipher_encrypt(req);
-	err = crypto_wait_req(err, &wait);
-
-free_req:
-	skcipher_request_free(req);
-free_tfm:
-	crypto_free_skcipher(tfm);
-	return err;
+	memzero_explicit(&aes, sizeof(aes));
+	return 0;
 }
 
 static struct cn10k_mcs_txsc *cn10k_mcs_get_txsc(struct cn10k_mcs_cfg *cfg,