Commit 641e7056 authored Jan 12, 2026 by Eric Biggers

crypto: aes - Remove aes-fixed-time / CONFIG_CRYPTO_AES_TI



Remove aes-fixed-time, i.e. CONFIG_CRYPTO_AES_TI.  This was a wrapper
around the 256-byte-table-based AES implementation in lib/crypto/aes.c,
with extra code to enable and disable IRQs for constant-time hardening.

While nice in theory, in practice this had the following issues:

- For bulk en/decryption it was 2-4 times slower than aes-generic.  This
  resulted in aes-generic still being needed, creating fragmentation.

- Having both aes-generic and aes-fixed-time punted an AES
  implementation decision to distros and users who are generally
  unprepared to handle it.  In practice, whether aes-fixed-time gets
  used tends to be incidental and not match an explicit distro or user
  intent.  (While aes-fixed-time has a higher priority than aes-generic,
  whether it actually gets enabled, loaded, and used depends on the
  kconfig and whether a modprobe of "aes" happens to be done.  It also
  has a lower priority than aes-arm and aes-arm64.)

- My changes to the generic AES code (in other commits) significantly
  close the gap with aes-fixed-time anyway.  The table size is reduced
  from 8192 bytes to 1024 bytes, and prefetching is added.

- While AES code *should* be constant-time, the real solutions for that
  are AES instructions (which most CPUs have now) or bit-slicing.  arm
  and arm64 already have bit-sliced AES code for many modes; generic
  bit-sliced code could be written but would be very slow for single
  blocks.  Overall, I suggest that trying to write constant-time
  table-based AES code is a bit futile anyway, and in the rare cases
  where a proper AES implementation is still unavailable it's reasonable
  to compromise with an implementation that simply prefetches the table.

Thus, this commit removes aes-fixed-time and CONFIG_CRYPTO_AES_TI.  The
replacement is just the existing CONFIG_CRYPTO_AES, which for now maps
to the existing aes-generic code, but I'll soon be changing to use the
improved AES library code instead.

Acked-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20260112192035.10427-9-ebiggers@kernel.org


Signed-off-by: Eric Biggers <ebiggers@kernel.org>

parent 637e73ef

arch/m68k/configs/amiga_defconfig

+0 −1

Original line number	Diff line number	Diff line
		@@ -555,7 +555,6 @@ CONFIG_CRYPTO_ECDH=m
		CONFIG_CRYPTO_ECDSA=m
		CONFIG_CRYPTO_ECRDSA=m
		CONFIG_CRYPTO_AES=y
		CONFIG_CRYPTO_AES_TI=m
		CONFIG_CRYPTO_ANUBIS=m
		CONFIG_CRYPTO_ARIA=m
		CONFIG_CRYPTO_BLOWFISH=m

arch/m68k/configs/apollo_defconfig

+0 −1

Original line number	Diff line number	Diff line
		@@ -512,7 +512,6 @@ CONFIG_CRYPTO_ECDH=m
		CONFIG_CRYPTO_ECDSA=m
		CONFIG_CRYPTO_ECRDSA=m
		CONFIG_CRYPTO_AES=y
		CONFIG_CRYPTO_AES_TI=m
		CONFIG_CRYPTO_ANUBIS=m
		CONFIG_CRYPTO_ARIA=m
		CONFIG_CRYPTO_BLOWFISH=m

arch/m68k/configs/atari_defconfig

+0 −1

Original line number	Diff line number	Diff line
		@@ -532,7 +532,6 @@ CONFIG_CRYPTO_ECDH=m
		CONFIG_CRYPTO_ECDSA=m
		CONFIG_CRYPTO_ECRDSA=m
		CONFIG_CRYPTO_AES=y
		CONFIG_CRYPTO_AES_TI=m
		CONFIG_CRYPTO_ANUBIS=m
		CONFIG_CRYPTO_ARIA=m
		CONFIG_CRYPTO_BLOWFISH=m

arch/m68k/configs/bvme6000_defconfig

+0 −1

Original line number	Diff line number	Diff line
		@@ -504,7 +504,6 @@ CONFIG_CRYPTO_ECDH=m
		CONFIG_CRYPTO_ECDSA=m
		CONFIG_CRYPTO_ECRDSA=m
		CONFIG_CRYPTO_AES=y
		CONFIG_CRYPTO_AES_TI=m
		CONFIG_CRYPTO_ANUBIS=m
		CONFIG_CRYPTO_ARIA=m
		CONFIG_CRYPTO_BLOWFISH=m

arch/m68k/configs/hp300_defconfig

+0 −1

Original line number	Diff line number	Diff line
		@@ -514,7 +514,6 @@ CONFIG_CRYPTO_ECDH=m
		CONFIG_CRYPTO_ECDSA=m
		CONFIG_CRYPTO_ECRDSA=m
		CONFIG_CRYPTO_AES=y
		CONFIG_CRYPTO_AES_TI=m
		CONFIG_CRYPTO_ANUBIS=m
		CONFIG_CRYPTO_ARIA=m
		CONFIG_CRYPTO_BLOWFISH=m