git.ipfire.org Git - thirdparty/linux.git/commit

author	Eric Biggers <ebiggers@kernel.org>
	Tue, 31 Mar 2026 02:44:14 +0000 (19:44 -0700)
committer	Eric Biggers <ebiggers@kernel.org>
	Wed, 1 Apr 2026 00:19:15 +0000 (17:19 -0700)
commit	1aa82df3eb4d1a28c02a9d0062c6ed0db1a59bac
tree	6114408eb0c802c18e663fcf1036829ac51312fd	tree \| snapshot
parent	d2a68aba8505ce88b39c34ecb3b707c776af79d4	commit \| diff

lib/crypto: aescfb: Don't disable IRQs during AES block encryption

aes_encrypt() now uses AES instructions when available instead of always
using table-based code.  AES instructions are constant-time and don't
benefit from disabling IRQs as a constant-time hardening measure.

In fact, on two architectures (arm and riscv) disabling IRQs is
counterproductive because it prevents the AES instructions from being
used.  (See the may_use_simd() implementation on those architectures.)

Therefore, let's remove the IRQ disabling/enabling and leave the choice
of constant-time hardening measures to the AES library code.

Note that currently the arm table-based AES code (which runs on arm
kernels that don't have ARMv8 CE) disables IRQs, while the generic
table-based AES code does not.  So this does technically regress in
constant-time hardening when that generic code is used.  But as
discussed in commit a22fd0e3c495 ("lib/crypto: aes: Introduce improved
AES library") I think just leaving IRQs enabled is the right choice.
Disabling them is slow and can cause problems, and AES instructions
(which modern CPUs have) solve the problem in a much better way anyway.

Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20260331024414.51545-1-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>