    crypto: arm64/aes - replace scalar fallback with plain NEON fallback · 12fcd923
    Ard Biesheuvel authored
    The new bitsliced NEON implementation of AES uses a fallback in two
    places: CBC encryption (which is strictly sequential, whereas this
    driver can only operate efficiently on 8 blocks at a time), and the
    XTS tweak generation, which involves encrypting a single AES block
    with a different key schedule.
    
    The plain (i.e., non-bitsliced) NEON code is more suitable as a fallback,
    given that it is faster than scalar on low end cores (which is what
    the NEON implementations target, since high end cores have dedicated
    instructions for AES), and shows similar behavior in terms of D-cache
    footprint and sensitivity to cache timing attacks. So switch the fallback
    handling to the plain NEON driver.
    Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
aes-neonbs-glue.c 11.2 KB