When building for ARMv7-M, clang-9 or higher tries to unroll some loops,
which ends up confusing the register allocator to the point of generating
rather bad code and using more than the warning limit for stack frames:
warning: stack frame size of 1200 bytes in function 'blake2b_compress' [-Wframe-larger-than=]
Forcing it to not unroll the final loop avoids this problem.
Fixes: 91d689337fe8 ("crypto: blake2b - add blake2b generic implementation")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Nathan Chancellor <natechancellor@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 0c0408e86dbe8f44d4b27bf42130e8ac905361d6)
Bug: 178411248
Bug: 248322249
Change-Id: I71ee6df844bdbace9f06342a61322c7494533564
Signed-off-by: Eric Biggers <ebiggers@google.com>
The TFM context can be renamed to a more appropriate name and the local
varaibles as well, using 'tctx' which seems to be more common than
'mctx'.
The _setkey callback was the last one without the blake2b_ prefix,
rename that too.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit c433a1a8572eceb7c45dd85d93fec6946b71bb72)
Bug: 178411248
Bug: 248322249
Change-Id: I8b7dfa5779ee6f76bb7e21572d29df1310705485
Signed-off-by: Eric Biggers <ebiggers@google.com>
Now that there's only one call to blake2b_update, we can merge it to the
callback and simplify. The empty input check is split and the rest of
code un-indented.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 0b4b5f10ac1ffb7f51db1832d189c33955c0d4c1)
Bug: 178411248
Bug: 248322249
Change-Id: Ic260edcee45116ac1a9f03f2792fe577a2c629c6
Signed-off-by: Eric Biggers <ebiggers@google.com>
The helper is trival and called once, inlining makes things simpler.
There's a comment to tie it back to the idea behind the code.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit a2e4bdce0f6e69c6cf9e460c4fe158bcc0db351f)
Bug: 178411248
Bug: 248322249
Change-Id: Iba1276dfcdb29240206f66bf98902d0e587a590f
Signed-off-by: Eric Biggers <ebiggers@google.com>
All the code for param block has been inlined, last_node and outlen from
the state are not used or have become redundant due to other code.
Remove it.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit d063d6327e7de18e16e4742579a0ff759c3889fb)
Bug: 178411248
Bug: 248322249
Change-Id: Ia7090fe3162495abae29b86f37e53ebf02414fe2
Signed-off-by: Eric Biggers <ebiggers@google.com>
The keyed init writes the key bytes to the input buffer and does an
update. We can do that in two ways: fill the buffer and update
immediatelly. This is what current blake2b_init_key does. Any other
following _update or _final will continue from the updated state.
The other way is to write the key and set the number of bytes to process
at the next _update or _final, lazy evaluation. Which leads to the the
simplified code in this patch.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit e87e484d60b0da8302b45f27fe32af1cea02c8d2)
Bug: 178411248
Bug: 248322249
Change-Id: I90652bb41d252af9503d5976ce32b93e2610debf
Signed-off-by: Eric Biggers <ebiggers@google.com>
The call chain from blake2b_init can be simplified because the param
block is effectively zeros, besides the key.
- blake2b_init0 zeroes state and sets IV
- blake2b_init sets up param block with defaults (key and some 1s)
- init with key, write it to the input buffer and recalculate state
So the compact way is to zero out the state and initialize index 0 of
the state directly with the non-zero values and the key.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit e374969565472824eba4669dea4a23ad2edb414f)
Bug: 178411248
Bug: 248322249
Change-Id: I797e941bf90262f6cf334c100a91e5b90dc00a2c
Signed-off-by: Eric Biggers <ebiggers@google.com>
blake2b_final is called only once, merge it to the crypto API callback
and simplify. This avoids the temporary buffer and swaps the bytes of
internal buffer.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 086db43b5a2281f7ce7d8a67a171b91e1e8fe0ec)
Bug: 178411248
Bug: 248322249
Change-Id: I7c5e2d9d931d463ada7573e66268f7b93a2d40a4
Signed-off-by: Eric Biggers <ebiggers@google.com>
The patch brings support of several BLAKE2 variants (2b with various
digest lengths). The keyed digest is supported, using tfm->setkey call.
The in-tree user will be btrfs (for checksumming), we're going to use
the BLAKE2b-256 variant.
The code is reference implementation taken from the official sources and
modified in terms of kernel coding style (whitespace, comments, uintXX_t
-> uXX types, removed unused prototypes and #ifdefs, removed testing
code, changed secure_zero_memory -> memzero_explicit, used own helpers
for unaligned reads/writes and rotations).
Further changes removed sanity checks of key length or output size,
these values are verified in the crypto API callbacks or hardcoded in
shash_alg and not exposed to users.
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
(cherry picked from commit 91d689337fe8b7703608a2ec39aae700b99f3933)
Conflicts:
crypto/Kconfig
Bug: 178411248
Bug: 248322249
Change-Id: Ic4c2314b146434a5842facf56e58d3602bacc7d5
Signed-off-by: Eric Biggers <ebiggers@google.com>
