GET

Patch Detail

get:
Show a patch.

patch:
Update a patch.

put:
Update a patch.

GET /api/patches/2183233/?format=api
HTTP 200 OK
Allow: GET, PUT, PATCH, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "id": 2183233,
    "url": "http://patchwork.ozlabs.org/api/patches/2183233/?format=api",
    "web_url": "http://patchwork.ozlabs.org/project/linuxppc-dev/patch/20260112192035.10427-26-ebiggers@kernel.org/",
    "project": {
        "id": 2,
        "url": "http://patchwork.ozlabs.org/api/projects/2/?format=api",
        "name": "Linux PPC development",
        "link_name": "linuxppc-dev",
        "list_id": "linuxppc-dev.lists.ozlabs.org",
        "list_email": "linuxppc-dev@lists.ozlabs.org",
        "web_url": "https://github.com/linuxppc/wiki/wiki",
        "scm_url": "https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git",
        "webscm_url": "https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/",
        "list_archive_url": "https://lore.kernel.org/linuxppc-dev/",
        "list_archive_url_format": "https://lore.kernel.org/linuxppc-dev/{}/",
        "commit_url_format": "https://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux.git/commit/?id={}"
    },
    "msgid": "<20260112192035.10427-26-ebiggers@kernel.org>",
    "list_archive_url": "https://lore.kernel.org/linuxppc-dev/20260112192035.10427-26-ebiggers@kernel.org/",
    "date": "2026-01-12T19:20:23",
    "name": "[v2,25/35] crypto: x86/aes-gcm - Use new AES library API",
    "commit_ref": null,
    "pull_url": null,
    "state": "handled-elsewhere",
    "archived": false,
    "hash": "0c2b053b6d8663e0f77c401f6e68ca36d14ca1ec",
    "submitter": {
        "id": 74690,
        "url": "http://patchwork.ozlabs.org/api/people/74690/?format=api",
        "name": "Eric Biggers",
        "email": "ebiggers@kernel.org"
    },
    "delegate": null,
    "mbox": "http://patchwork.ozlabs.org/project/linuxppc-dev/patch/20260112192035.10427-26-ebiggers@kernel.org/mbox/",
    "series": [
        {
            "id": 488089,
            "url": "http://patchwork.ozlabs.org/api/series/488089/?format=api",
            "web_url": "http://patchwork.ozlabs.org/project/linuxppc-dev/list/?series=488089",
            "date": "2026-01-12T19:19:58",
            "name": "AES library improvements",
            "version": 2,
            "mbox": "http://patchwork.ozlabs.org/series/488089/mbox/"
        }
    ],
    "comments": "http://patchwork.ozlabs.org/api/patches/2183233/comments/",
    "check": "pending",
    "checks": "http://patchwork.ozlabs.org/api/patches/2183233/checks/",
    "tags": {},
    "related": [],
    "headers": {
        "Return-Path": "\n <linuxppc-dev+bounces-15588-incoming=patchwork.ozlabs.org@lists.ozlabs.org>",
        "X-Original-To": [
            "incoming@patchwork.ozlabs.org",
            "linuxppc-dev@lists.ozlabs.org"
        ],
        "Delivered-To": "patchwork-incoming@legolas.ozlabs.org",
        "Authentication-Results": [
            "legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=f1ZEk5w+;\n\tdkim-atps=neutral",
            "legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=lists.ozlabs.org\n (client-ip=2404:9400:21b9:f100::1; helo=lists.ozlabs.org;\n envelope-from=linuxppc-dev+bounces-15588-incoming=patchwork.ozlabs.org@lists.ozlabs.org;\n receiver=patchwork.ozlabs.org)",
            "lists.ozlabs.org;\n arc=none smtp.remote-ip=172.234.252.31",
            "lists.ozlabs.org;\n dmarc=pass (p=quarantine dis=none) header.from=kernel.org",
            "lists.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=f1ZEk5w+;\n\tdkim-atps=neutral",
            "lists.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=kernel.org\n (client-ip=172.234.252.31; helo=sea.source.kernel.org;\n envelope-from=ebiggers@kernel.org; receiver=lists.ozlabs.org)"
        ],
        "Received": [
            "from lists.ozlabs.org (lists.ozlabs.org\n [IPv6:2404:9400:21b9:f100::1])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4dqj8B1WjCz1xpY\n\tfor <incoming@patchwork.ozlabs.org>; Tue, 13 Jan 2026 06:27:54 +1100 (AEDT)",
            "from boromir.ozlabs.org (localhost [127.0.0.1])\n\tby lists.ozlabs.org (Postfix) with ESMTP id 4dqj3m5mKdz3cdy;\n\tTue, 13 Jan 2026 06:24:04 +1100 (AEDT)",
            "from sea.source.kernel.org (sea.source.kernel.org [172.234.252.31])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby lists.ozlabs.org (Postfix) with ESMTPS id 4dqj3l2skrz3cYb\n\tfor <linuxppc-dev@lists.ozlabs.org>; Tue, 13 Jan 2026 06:24:03 +1100 (AEDT)",
            "from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58])\n\tby sea.source.kernel.org (Postfix) with ESMTP id D22354426E;\n\tMon, 12 Jan 2026 19:23:31 +0000 (UTC)",
            "by smtp.kernel.org (Postfix) with ESMTPSA id 48A24C19425;\n\tMon, 12 Jan 2026 19:23:31 +0000 (UTC)"
        ],
        "ARC-Seal": "i=1; a=rsa-sha256; d=lists.ozlabs.org; s=201707; t=1768245844;\n\tcv=none;\n b=BassX7r7kPs7oP7rmLbf+TGYXr9tK8Bvz4JTsZL+tlN0yNJOOuM7X5+DOiF0NknZv9dre7NVlhnfo63n3di3cOJUQauUeCR3XNFaCEpgsPYwy+6t3MhO4Iu4LnGlVqVaHXEE94BAZlN/1IkyjCTJQRwzIELgaINZ+c3CXcDCIpnNZzirv5sE2dEOdjQN77dCGxyqg5/70Ukm18+LIqOCPgbjZcMgIo3EwHuI0VUt45nLgbU3PS266LpUntM14OKckaV48rpWHGcdQB2qbUy0M6DYofsnT47pzlkFTKN6id2S/XvhYZcMU3+HqWIbpIosAI9D3oHN9n3TXaqo1BxcTQ==",
        "ARC-Message-Signature": "i=1; a=rsa-sha256; d=lists.ozlabs.org; s=201707;\n\tt=1768245844; c=relaxed/relaxed;\n\tbh=5djnNqR9mAGGTmyuSWB/iuinQG5VStfmD+eHGjn+2xE=;\n\th=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References:\n\t MIME-Version;\n b=V045HYKQF9dpC/PXzdRaoh89KEg/5C5Ud1MKNCN/3dY82awxSWbRWqJTYSSdetXGmmvAtCPDL88zSiAxbGl9el2RsvwIioAxcMIrgufDPAxjROcbzNC3Rx0eDzS6p0k99Hn9/wpsMn+cEYKWTLEGV5YXs+0/xL4F9viMbk5jBTHsvyieGHP0OssQFLa+s/qCYUUL2rns75X7o3cV2AUrCcRWllXqIaa3VX4R5LIAuPHfdpPIPdJrKXj+naIZ/HxChABfF8Ae0ZuWE1fFxujCLYGJ2IWTDUlyH6Zpob8Da/w75P2EG164j1m5tOX3n4q+7QEgwTfEh0+9JIYiYeXj8g==",
        "ARC-Authentication-Results": "i=1; lists.ozlabs.org;\n dmarc=pass (p=quarantine dis=none) header.from=kernel.org;\n dkim=pass (2048-bit key;\n unprotected) header.d=kernel.org header.i=@kernel.org header.a=rsa-sha256\n header.s=k20201202 header.b=f1ZEk5w+; dkim-atps=neutral;\n spf=pass (client-ip=172.234.252.31; helo=sea.source.kernel.org;\n envelope-from=ebiggers@kernel.org;\n receiver=lists.ozlabs.org) smtp.mailfrom=kernel.org",
        "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;\n\ts=k20201202; t=1768245811;\n\tbh=DiZRFCuoZEbDmo8HTN6yQ9s1ZZanJqRCY5hLsI1JYkg=;\n\th=From:To:Cc:Subject:Date:In-Reply-To:References:From;\n\tb=f1ZEk5w+IIz3l2jxL4TbT/+wqxFESp7WOApxHSh1yfq2ClhrqTipgK8Kl1D/VDlj3\n\t gOvZp+olVJPGzjxeEWDyjXMG/rqXyj7UxgXx7SM5D8Xqvzt8bpLy6tc0yn7l7Nco2f\n\t mqzGsWceQ+aBGFPEPCnszH0qKOXIsquOhvtquv60h94bZ6dsdoynRnAkviLKg6FiHK\n\t buh+mIgJsYnjf4ijImB5CZtIrp8Dkfcv59PjfHgMBZ3Rx0Yd6xGxjSeHfNeUJnaUvf\n\t G+bobJee6RA74/qKXOApg9u/DYwOkofTekgzvZg9uvfK7XRzA0DcKQ5ValNinStCOe\n\t rTMBFc/GVAbww==",
        "From": "Eric Biggers <ebiggers@kernel.org>",
        "To": "linux-crypto@vger.kernel.org",
        "Cc": "linux-kernel@vger.kernel.org,\n\tArd Biesheuvel <ardb@kernel.org>,\n\t\"Jason A . Donenfeld\" <Jason@zx2c4.com>,\n\tHerbert Xu <herbert@gondor.apana.org.au>,\n\tlinux-arm-kernel@lists.infradead.org,\n\tlinuxppc-dev@lists.ozlabs.org,\n\tlinux-riscv@lists.infradead.org,\n\tlinux-s390@vger.kernel.org,\n\tsparclinux@vger.kernel.org,\n\tx86@kernel.org,\n\tHolger Dengler <dengler@linux.ibm.com>,\n\tHarald Freudenberger <freude@linux.ibm.com>,\n\tEric Biggers <ebiggers@kernel.org>",
        "Subject": "[PATCH v2 25/35] crypto: x86/aes-gcm - Use new AES library API",
        "Date": "Mon, 12 Jan 2026 11:20:23 -0800",
        "Message-ID": "<20260112192035.10427-26-ebiggers@kernel.org>",
        "X-Mailer": "git-send-email 2.52.0",
        "In-Reply-To": "<20260112192035.10427-1-ebiggers@kernel.org>",
        "References": "<20260112192035.10427-1-ebiggers@kernel.org>",
        "X-Mailing-List": "linuxppc-dev@lists.ozlabs.org",
        "List-Id": "<linuxppc-dev.lists.ozlabs.org>",
        "List-Help": "<mailto:linuxppc-dev+help@lists.ozlabs.org>",
        "List-Owner": "<mailto:linuxppc-dev+owner@lists.ozlabs.org>",
        "List-Post": "<mailto:linuxppc-dev@lists.ozlabs.org>",
        "List-Archive": "<https://lore.kernel.org/linuxppc-dev/>,\n  <https://lists.ozlabs.org/pipermail/linuxppc-dev/>",
        "List-Subscribe": "<mailto:linuxppc-dev+subscribe@lists.ozlabs.org>,\n  <mailto:linuxppc-dev+subscribe-digest@lists.ozlabs.org>,\n  <mailto:linuxppc-dev+subscribe-nomail@lists.ozlabs.org>",
        "List-Unsubscribe": "<mailto:linuxppc-dev+unsubscribe@lists.ozlabs.org>",
        "Precedence": "list",
        "MIME-Version": "1.0",
        "Content-Transfer-Encoding": "8bit",
        "X-Spam-Status": "No, score=-0.2 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,\n\tDKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS\n\tautolearn=disabled version=4.0.1 OzLabs 8",
        "X-Spam-Checker-Version": "SpamAssassin 4.0.1 (2024-03-25) on lists.ozlabs.org"
    },
    "content": "Switch from the old AES library functions (which use struct\ncrypto_aes_ctx) to the new ones (which use struct aes_enckey).  This\neliminates the unnecessary computation and caching of the decryption\nround keys.  The new AES en/decryption functions are also much faster\nand use AES instructions when supported by the CPU.\n\nSince this changes the format of the AES-GCM key structures that are\nused by the AES-GCM assembly code, the offsets in the assembly code had\nto be updated to match.  Note that the new key structures are smaller,\nsince the decryption round keys are no longer unnecessarily included.\n\nAcked-by: Ard Biesheuvel <ardb@kernel.org>\nSigned-off-by: Eric Biggers <ebiggers@kernel.org>\n---\n arch/x86/crypto/aes-gcm-aesni-x86_64.S | 33 +++++++--------\n arch/x86/crypto/aes-gcm-vaes-avx2.S    | 21 +++++-----\n arch/x86/crypto/aes-gcm-vaes-avx512.S  | 25 ++++++-----\n arch/x86/crypto/aesni-intel_glue.c     | 57 +++++++++++---------------\n 4 files changed, 67 insertions(+), 69 deletions(-)",
    "diff": "diff --git a/arch/x86/crypto/aes-gcm-aesni-x86_64.S b/arch/x86/crypto/aes-gcm-aesni-x86_64.S\nindex 7c8a8a32bd3c..6b2abb76827e 100644\n--- a/arch/x86/crypto/aes-gcm-aesni-x86_64.S\n+++ b/arch/x86/crypto/aes-gcm-aesni-x86_64.S\n@@ -141,14 +141,15 @@\n .Lzeropad_mask:\n \t.octa\t0xffffffffffffffffffffffffffffffff\n \t.octa\t0\n \n // Offsets in struct aes_gcm_key_aesni\n-#define OFFSETOF_AESKEYLEN\t480\n-#define OFFSETOF_H_POWERS\t496\n-#define OFFSETOF_H_POWERS_XORED\t624\n-#define OFFSETOF_H_TIMES_X64\t688\n+#define OFFSETOF_AESKEYLEN\t0\n+#define OFFSETOF_AESROUNDKEYS\t16\n+#define OFFSETOF_H_POWERS\t272\n+#define OFFSETOF_H_POWERS_XORED\t400\n+#define OFFSETOF_H_TIMES_X64\t464\n \n .text\n \n // Do a vpclmulqdq, or fall back to a movdqa and a pclmulqdq.  The fallback\n // assumes that all operands are distinct and that any mem operand is aligned.\n@@ -503,13 +504,13 @@\n \t.set\tH_POW1_X64,\t%xmm4\t// H^1 * x^64\n \t.set\tGFPOLY,\t\t%xmm5\n \n \t// Encrypt an all-zeroes block to get the raw hash subkey.\n \tmovl\t\tOFFSETOF_AESKEYLEN(KEY), %eax\n-\tlea\t\t6*16(KEY,%rax,4), RNDKEYLAST_PTR\n-\tmovdqa\t\t(KEY), H_POW1  // Zero-th round key XOR all-zeroes block\n-\tlea\t\t16(KEY), %rax\n+\tlea\t\tOFFSETOF_AESROUNDKEYS+6*16(KEY,%rax,4), RNDKEYLAST_PTR\n+\tmovdqa\t\tOFFSETOF_AESROUNDKEYS(KEY), H_POW1\n+\tlea\t\tOFFSETOF_AESROUNDKEYS+16(KEY), %rax\n 1:\n \taesenc\t\t(%rax), H_POW1\n \tadd\t\t$16, %rax\n \tcmp\t\t%rax, RNDKEYLAST_PTR\n \tjne\t\t1b\n@@ -622,11 +623,11 @@\n // Increment LE_CTR eight times to generate eight little-endian counter blocks,\n // swap each to big-endian, and store them in AESDATA[0-7].  Also XOR them with\n // the zero-th AES round key.  Clobbers TMP0 and TMP1.\n .macro\t_ctr_begin_8x\n \tmovq\t\t.Lone(%rip), TMP0\n-\tmovdqa\t\t(KEY), TMP1\t\t// zero-th round key\n+\tmovdqa\t\tOFFSETOF_AESROUNDKEYS(KEY), TMP1 // zero-th round key\n .irp i, 0,1,2,3,4,5,6,7\n \t_vpshufb\tBSWAP_MASK, LE_CTR, AESDATA\\i\n \tpxor\t\tTMP1, AESDATA\\i\n \tpaddd\t\tTMP0, LE_CTR\n .endr\n@@ -724,11 +725,11 @@\n \tmovdqa\t\t.Lbswap_mask(%rip), BSWAP_MASK\n \tmovdqu\t\t(GHASH_ACC_PTR), GHASH_ACC\n \tmovdqu\t\t(LE_CTR_PTR), LE_CTR\n \n \tmovl\t\tOFFSETOF_AESKEYLEN(KEY), AESKEYLEN\n-\tlea\t\t6*16(KEY,AESKEYLEN64,4), RNDKEYLAST_PTR\n+\tlea\t\tOFFSETOF_AESROUNDKEYS+6*16(KEY,AESKEYLEN64,4), RNDKEYLAST_PTR\n \n \t// If there are at least 8*16 bytes of data, then continue into the main\n \t// loop, which processes 8*16 bytes of data per iteration.\n \t//\n \t// The main loop interleaves AES and GHASH to improve performance on\n@@ -743,11 +744,11 @@\n \tadd\t\t$-8*16, DATALEN\n \tjl\t\t.Lcrypt_loop_8x_done\\@\n .if \\enc\n \t// Encrypt the first 8 plaintext blocks.\n \t_ctr_begin_8x\n-\tlea\t\t16(KEY), %rsi\n+\tlea\t\tOFFSETOF_AESROUNDKEYS+16(KEY), %rsi\n \t.p2align 4\n 1:\n \tmovdqa\t\t(%rsi), TMP0\n \t_aesenc_8x\tTMP0\n \tadd\t\t$16, %rsi\n@@ -765,11 +766,11 @@\n \t.p2align 4\n .Lcrypt_loop_8x\\@:\n \n \t// Generate the next set of 8 counter blocks and start encrypting them.\n \t_ctr_begin_8x\n-\tlea\t\t16(KEY), %rsi\n+\tlea\t\tOFFSETOF_AESROUNDKEYS+16(KEY), %rsi\n \n \t// Do a round of AES, and start the GHASH update of 8 ciphertext blocks\n \t// by doing the unreduced multiplication for the first ciphertext block.\n \tmovdqa\t\t(%rsi), TMP0\n \tadd\t\t$16, %rsi\n@@ -867,11 +868,11 @@\n .Lcrypt_loop_1x\\@:\n \n \t// Encrypt the next counter block.\n \t_vpshufb\tBSWAP_MASK, LE_CTR, TMP0\n \tpaddd\t\tONE, LE_CTR\n-\tpxor\t\t(KEY), TMP0\n+\tpxor\t\tOFFSETOF_AESROUNDKEYS(KEY), TMP0\n \tlea\t\t-6*16(RNDKEYLAST_PTR), %rsi\t// Reduce code size\n \tcmp\t\t$24, AESKEYLEN\n \tjl\t\t128f\t// AES-128?\n \tje\t\t192f\t// AES-192?\n \t// AES-256\n@@ -924,12 +925,12 @@\n \n \t// Process a partial block of length 1 <= DATALEN <= 15.\n \n \t// Encrypt a counter block for the last time.\n \tpshufb\t\tBSWAP_MASK, LE_CTR\n-\tpxor\t\t(KEY), LE_CTR\n-\tlea\t\t16(KEY), %rsi\n+\tpxor\t\tOFFSETOF_AESROUNDKEYS(KEY), LE_CTR\n+\tlea\t\tOFFSETOF_AESROUNDKEYS+16(KEY), %rsi\n 1:\n \taesenc\t\t(%rsi), LE_CTR\n \tadd\t\t$16, %rsi\n \tcmp\t\t%rsi, RNDKEYLAST_PTR\n \tjne\t\t1b\n@@ -1036,16 +1037,16 @@\n \tmovdqa\t\tOFFSETOF_H_TIMES_X64(KEY), H_POW1_X64\n \tmovq\t\t.Lgfpoly(%rip), GFPOLY\n \n \t// Make %rax point to the 6th from last AES round key.  (Using signed\n \t// byte offsets -7*16 through 6*16 decreases code size.)\n-\tlea\t\t(KEY,AESKEYLEN64,4), %rax\n+\tlea\t\tOFFSETOF_AESROUNDKEYS(KEY,AESKEYLEN64,4), %rax\n \n \t// AES-encrypt the counter block and also multiply GHASH_ACC by H^1.\n \t// Interleave the AES and GHASH instructions to improve performance.\n \tpshufb\t\tBSWAP_MASK, %xmm0\n-\tpxor\t\t(KEY), %xmm0\n+\tpxor\t\tOFFSETOF_AESROUNDKEYS(KEY), %xmm0\n \tcmp\t\t$24, AESKEYLEN\n \tjl\t\t128f\t// AES-128?\n \tje\t\t192f\t// AES-192?\n \t// AES-256\n \taesenc\t\t-7*16(%rax), %xmm0\ndiff --git a/arch/x86/crypto/aes-gcm-vaes-avx2.S b/arch/x86/crypto/aes-gcm-vaes-avx2.S\nindex 93c9504a488f..9cc387957fa9 100644\n--- a/arch/x86/crypto/aes-gcm-vaes-avx2.S\n+++ b/arch/x86/crypto/aes-gcm-vaes-avx2.S\n@@ -120,12 +120,13 @@\n \t// The number of AES blocks per vector, as a 128-bit value.\n .Linc_2blocks:\n \t.octa\t2\n \n // Offsets in struct aes_gcm_key_vaes_avx2\n-#define OFFSETOF_AESKEYLEN\t480\n-#define OFFSETOF_H_POWERS\t512\n+#define OFFSETOF_AESKEYLEN\t0\n+#define OFFSETOF_AESROUNDKEYS\t16\n+#define OFFSETOF_H_POWERS\t288\n #define NUM_H_POWERS\t\t8\n #define OFFSETOFEND_H_POWERS    (OFFSETOF_H_POWERS + (NUM_H_POWERS * 16))\n #define OFFSETOF_H_POWERS_XORED\tOFFSETOFEND_H_POWERS\n \n .text\n@@ -238,13 +239,13 @@ SYM_FUNC_START(aes_gcm_precompute_vaes_avx2)\n \t.set\tGFPOLY,\t\t%ymm6\n \t.set\tGFPOLY_XMM,\t%xmm6\n \n \t// Encrypt an all-zeroes block to get the raw hash subkey.\n \tmovl\t\tOFFSETOF_AESKEYLEN(KEY), %eax\n-\tlea\t\t6*16(KEY,%rax,4), RNDKEYLAST_PTR\n-\tvmovdqu\t\t(KEY), H_CUR_XMM  // Zero-th round key XOR all-zeroes block\n-\tlea\t\t16(KEY), %rax\n+\tlea\t\tOFFSETOF_AESROUNDKEYS+6*16(KEY,%rax,4), RNDKEYLAST_PTR\n+\tvmovdqu\t\tOFFSETOF_AESROUNDKEYS(KEY), H_CUR_XMM\n+\tlea\t\tOFFSETOF_AESROUNDKEYS+16(KEY), %rax\n 1:\n \tvaesenc\t\t(%rax), H_CUR_XMM, H_CUR_XMM\n \tadd\t\t$16, %rax\n \tcmp\t\t%rax, RNDKEYLAST_PTR\n \tjne\t\t1b\n@@ -633,11 +634,11 @@ SYM_FUNC_END(aes_gcm_aad_update_vaes_avx2)\n \n // Generate and encrypt counter blocks in the given AESDATA vectors, excluding\n // the last AES round.  Clobbers %rax and TMP0.\n .macro\t_aesenc_loop\tvecs:vararg\n \t_ctr_begin\t\\vecs\n-\tlea\t\t16(KEY), %rax\n+\tlea\t\tOFFSETOF_AESROUNDKEYS+16(KEY), %rax\n .Laesenc_loop\\@:\n \tvbroadcasti128\t(%rax), TMP0\n \t_vaesenc\tTMP0, \\vecs\n \tadd\t\t$16, %rax\n \tcmp\t\t%rax, RNDKEYLAST_PTR\n@@ -766,12 +767,12 @@ SYM_FUNC_END(aes_gcm_aad_update_vaes_avx2)\n \tmovl\t\tOFFSETOF_AESKEYLEN(KEY), AESKEYLEN\n \n \t// Make RNDKEYLAST_PTR point to the last AES round key.  This is the\n \t// round key with index 10, 12, or 14 for AES-128, AES-192, or AES-256\n \t// respectively.  Then load the zero-th and last round keys.\n-\tlea\t\t6*16(KEY,AESKEYLEN64,4), RNDKEYLAST_PTR\n-\tvbroadcasti128\t(KEY), RNDKEY0\n+\tlea\t\tOFFSETOF_AESROUNDKEYS+6*16(KEY,AESKEYLEN64,4), RNDKEYLAST_PTR\n+\tvbroadcasti128\tOFFSETOF_AESROUNDKEYS(KEY), RNDKEY0\n \tvbroadcasti128\t(RNDKEYLAST_PTR), RNDKEYLAST\n \n \t// Finish initializing LE_CTR by adding 1 to the second block.\n \tvpaddd\t\t.Lctr_pattern(%rip), LE_CTR, LE_CTR\n \n@@ -1067,16 +1068,16 @@ SYM_FUNC_END(aes_gcm_aad_update_vaes_avx2)\n .if !\\enc\n \tmovl\t\t8(%rsp), TAGLEN\n .endif\n \n \t// Make %rax point to the last AES round key for the chosen AES variant.\n-\tlea\t\t6*16(KEY,AESKEYLEN64,4), %rax\n+\tlea\t\tOFFSETOF_AESROUNDKEYS+6*16(KEY,AESKEYLEN64,4), %rax\n \n \t// Start the AES encryption of the counter block by swapping the counter\n \t// block to big-endian and XOR-ing it with the zero-th AES round key.\n \tvpshufb\t\tBSWAP_MASK, LE_CTR, %xmm0\n-\tvpxor\t\t(KEY), %xmm0, %xmm0\n+\tvpxor\t\tOFFSETOF_AESROUNDKEYS(KEY), %xmm0, %xmm0\n \n \t// Complete the AES encryption and multiply GHASH_ACC by H^1.\n \t// Interleave the AES and GHASH instructions to improve performance.\n \tcmp\t\t$24, AESKEYLEN\n \tjl\t\t128f\t// AES-128?\ndiff --git a/arch/x86/crypto/aes-gcm-vaes-avx512.S b/arch/x86/crypto/aes-gcm-vaes-avx512.S\nindex 06b71314d65c..516747db4659 100644\n--- a/arch/x86/crypto/aes-gcm-vaes-avx512.S\n+++ b/arch/x86/crypto/aes-gcm-vaes-avx512.S\n@@ -84,14 +84,17 @@\n // Number of powers of the hash key stored in the key struct.  The powers are\n // stored from highest (H^NUM_H_POWERS) to lowest (H^1).\n #define NUM_H_POWERS\t\t16\n \n // Offset to AES key length (in bytes) in the key struct\n-#define OFFSETOF_AESKEYLEN\t480\n+#define OFFSETOF_AESKEYLEN\t0\n+\n+// Offset to AES round keys in the key struct\n+#define OFFSETOF_AESROUNDKEYS\t16\n \n // Offset to start of hash key powers array in the key struct\n-#define OFFSETOF_H_POWERS\t512\n+#define OFFSETOF_H_POWERS\t320\n \n // Offset to end of hash key powers array in the key struct.\n //\n // This is immediately followed by three zeroized padding blocks, which are\n // included so that partial vectors can be handled more easily.  E.g. if two\n@@ -299,13 +302,13 @@ SYM_FUNC_START(aes_gcm_precompute_vaes_avx512)\n \t// Get pointer to lowest set of key powers (located at end of array).\n \tlea\t\tOFFSETOFEND_H_POWERS-64(KEY), POWERS_PTR\n \n \t// Encrypt an all-zeroes block to get the raw hash subkey.\n \tmovl\t\tOFFSETOF_AESKEYLEN(KEY), %eax\n-\tlea\t\t6*16(KEY,%rax,4), RNDKEYLAST_PTR\n-\tvmovdqu\t\t(KEY), %xmm0  // Zero-th round key XOR all-zeroes block\n-\tadd\t\t$16, KEY\n+\tlea\t\tOFFSETOF_AESROUNDKEYS+6*16(KEY,%rax,4), RNDKEYLAST_PTR\n+\tvmovdqu\t\tOFFSETOF_AESROUNDKEYS(KEY), %xmm0\n+\tadd\t\t$OFFSETOF_AESROUNDKEYS+16, KEY\n 1:\n \tvaesenc\t\t(KEY), %xmm0, %xmm0\n \tadd\t\t$16, KEY\n \tcmp\t\tKEY, RNDKEYLAST_PTR\n \tjne\t\t1b\n@@ -788,12 +791,12 @@ SYM_FUNC_END(aes_gcm_aad_update_vaes_avx512)\n \tmovl\t\tOFFSETOF_AESKEYLEN(KEY), AESKEYLEN\n \n \t// Make RNDKEYLAST_PTR point to the last AES round key.  This is the\n \t// round key with index 10, 12, or 14 for AES-128, AES-192, or AES-256\n \t// respectively.  Then load the zero-th and last round keys.\n-\tlea\t\t6*16(KEY,AESKEYLEN64,4), RNDKEYLAST_PTR\n-\tvbroadcasti32x4\t(KEY), RNDKEY0\n+\tlea\t\tOFFSETOF_AESROUNDKEYS+6*16(KEY,AESKEYLEN64,4), RNDKEYLAST_PTR\n+\tvbroadcasti32x4\tOFFSETOF_AESROUNDKEYS(KEY), RNDKEY0\n \tvbroadcasti32x4\t(RNDKEYLAST_PTR), RNDKEYLAST\n \n \t// Finish initializing LE_CTR by adding [0, 1, ...] to its low words.\n \tvpaddd\t\t.Lctr_pattern(%rip), LE_CTR, LE_CTR\n \n@@ -832,11 +835,11 @@ SYM_FUNC_END(aes_gcm_aad_update_vaes_avx512)\n \n .if \\enc\n \t// Encrypt the first 4 vectors of plaintext blocks.  Leave the resulting\n \t// ciphertext in GHASHDATA[0-3] for GHASH.\n \t_ctr_begin_4x\n-\tlea\t\t16(KEY), %rax\n+\tlea\t\tOFFSETOF_AESROUNDKEYS+16(KEY), %rax\n 1:\n \tvbroadcasti32x4\t(%rax), RNDKEY\n \t_vaesenc_4x\tRNDKEY\n \tadd\t\t$16, %rax\n \tcmp\t\t%rax, RNDKEYLAST_PTR\n@@ -955,11 +958,11 @@ SYM_FUNC_END(aes_gcm_aad_update_vaes_avx512)\n \n \t// Encrypt a vector of counter blocks.  This does not need to be masked.\n \tvpshufb\t\tBSWAP_MASK, LE_CTR, %zmm0\n \tvpaddd\t\tLE_CTR_INC, LE_CTR, LE_CTR\n \tvpxord\t\tRNDKEY0, %zmm0, %zmm0\n-\tlea\t\t16(KEY), %rax\n+\tlea\t\tOFFSETOF_AESROUNDKEYS+16(KEY), %rax\n 1:\n \tvbroadcasti32x4\t(%rax), RNDKEY\n \tvaesenc\t\tRNDKEY, %zmm0, %zmm0\n \tadd\t\t$16, %rax\n \tcmp\t\t%rax, RNDKEYLAST_PTR\n@@ -1085,16 +1088,16 @@ SYM_FUNC_END(aes_gcm_aad_update_vaes_avx512)\n \tbzhi\t\tTAGLEN, %eax, %eax\n \tkmovd\t\t%eax, %k1\n .endif\n \n \t// Make %rax point to the last AES round key for the chosen AES variant.\n-\tlea\t\t6*16(KEY,AESKEYLEN64,4), %rax\n+\tlea\t\tOFFSETOF_AESROUNDKEYS+6*16(KEY,AESKEYLEN64,4), %rax\n \n \t// Start the AES encryption of the counter block by swapping the counter\n \t// block to big-endian and XOR-ing it with the zero-th AES round key.\n \tvpshufb\t\tBSWAP_MASK, LE_CTR, %xmm0\n-\tvpxor\t\t(KEY), %xmm0, %xmm0\n+\tvpxor\t\tOFFSETOF_AESROUNDKEYS(KEY), %xmm0, %xmm0\n \n \t// Complete the AES encryption and multiply GHASH_ACC by H^1.\n \t// Interleave the AES and GHASH instructions to improve performance.\n \tcmp\t\t$24, AESKEYLEN\n \tjl\t\t128f\t// AES-128?\ndiff --git a/arch/x86/crypto/aesni-intel_glue.c b/arch/x86/crypto/aesni-intel_glue.c\nindex 453e0e890041..e6c38d1d8a92 100644\n--- a/arch/x86/crypto/aesni-intel_glue.c\n+++ b/arch/x86/crypto/aesni-intel_glue.c\n@@ -778,24 +778,23 @@ DEFINE_AVX_SKCIPHER_ALGS(vaes_avx2, \"vaes-avx2\", 600);\n DEFINE_AVX_SKCIPHER_ALGS(vaes_avx512, \"vaes-avx512\", 800);\n \n /* The common part of the x86_64 AES-GCM key struct */\n struct aes_gcm_key {\n \t/* Expanded AES key and the AES key length in bytes */\n-\tstruct crypto_aes_ctx aes_key;\n+\tstruct aes_enckey aes_key;\n \n \t/* RFC4106 nonce (used only by the rfc4106 algorithms) */\n \tu32 rfc4106_nonce;\n };\n \n /* Key struct used by the AES-NI implementations of AES-GCM */\n struct aes_gcm_key_aesni {\n \t/*\n-\t * Common part of the key.  The assembly code requires 16-byte alignment\n-\t * for the round keys; we get this by them being located at the start of\n-\t * the struct and the whole struct being 16-byte aligned.\n+\t * Common part of the key.  16-byte alignment is required by the\n+\t * assembly code.\n \t */\n-\tstruct aes_gcm_key base;\n+\tstruct aes_gcm_key base __aligned(16);\n \n \t/*\n \t * Powers of the hash key H^8 through H^1.  These are 128-bit values.\n \t * They all have an extra factor of x^-1 and are byte-reversed.  16-byte\n \t * alignment is required by the assembly code.\n@@ -822,14 +821,13 @@ struct aes_gcm_key_aesni {\n \n /* Key struct used by the VAES + AVX2 implementation of AES-GCM */\n struct aes_gcm_key_vaes_avx2 {\n \t/*\n \t * Common part of the key.  The assembly code prefers 16-byte alignment\n-\t * for the round keys; we get this by them being located at the start of\n-\t * the struct and the whole struct being 32-byte aligned.\n+\t * for this.\n \t */\n-\tstruct aes_gcm_key base;\n+\tstruct aes_gcm_key base __aligned(16);\n \n \t/*\n \t * Powers of the hash key H^8 through H^1.  These are 128-bit values.\n \t * They all have an extra factor of x^-1 and are byte-reversed.\n \t * The assembly code prefers 32-byte alignment for this.\n@@ -852,14 +850,13 @@ struct aes_gcm_key_vaes_avx2 {\n \n /* Key struct used by the VAES + AVX512 implementation of AES-GCM */\n struct aes_gcm_key_vaes_avx512 {\n \t/*\n \t * Common part of the key.  The assembly code prefers 16-byte alignment\n-\t * for the round keys; we get this by them being located at the start of\n-\t * the struct and the whole struct being 64-byte aligned.\n+\t * for this.\n \t */\n-\tstruct aes_gcm_key base;\n+\tstruct aes_gcm_key base __aligned(16);\n \n \t/*\n \t * Powers of the hash key H^16 through H^1.  These are 128-bit values.\n \t * They all have an extra factor of x^-1 and are byte-reversed.  This\n \t * array is aligned to a 64-byte boundary to make it naturally aligned\n@@ -1180,30 +1177,30 @@ static int gcm_setkey(struct crypto_aead *tfm, const u8 *raw_key,\n \t\tkeylen -= 4;\n \t\tkey->rfc4106_nonce = get_unaligned_be32(raw_key + keylen);\n \t}\n \n \t/* The assembly code assumes the following offsets. */\n-\tBUILD_BUG_ON(offsetof(struct aes_gcm_key_aesni, base.aes_key.key_enc) != 0);\n-\tBUILD_BUG_ON(offsetof(struct aes_gcm_key_aesni, base.aes_key.key_length) != 480);\n-\tBUILD_BUG_ON(offsetof(struct aes_gcm_key_aesni, h_powers) != 496);\n-\tBUILD_BUG_ON(offsetof(struct aes_gcm_key_aesni, h_powers_xored) != 624);\n-\tBUILD_BUG_ON(offsetof(struct aes_gcm_key_aesni, h_times_x64) != 688);\n-\tBUILD_BUG_ON(offsetof(struct aes_gcm_key_vaes_avx2, base.aes_key.key_enc) != 0);\n-\tBUILD_BUG_ON(offsetof(struct aes_gcm_key_vaes_avx2, base.aes_key.key_length) != 480);\n-\tBUILD_BUG_ON(offsetof(struct aes_gcm_key_vaes_avx2, h_powers) != 512);\n-\tBUILD_BUG_ON(offsetof(struct aes_gcm_key_vaes_avx2, h_powers_xored) != 640);\n-\tBUILD_BUG_ON(offsetof(struct aes_gcm_key_vaes_avx512, base.aes_key.key_enc) != 0);\n-\tBUILD_BUG_ON(offsetof(struct aes_gcm_key_vaes_avx512, base.aes_key.key_length) != 480);\n-\tBUILD_BUG_ON(offsetof(struct aes_gcm_key_vaes_avx512, h_powers) != 512);\n-\tBUILD_BUG_ON(offsetof(struct aes_gcm_key_vaes_avx512, padding) != 768);\n+\tstatic_assert(offsetof(struct aes_gcm_key_aesni, base.aes_key.len) == 0);\n+\tstatic_assert(offsetof(struct aes_gcm_key_aesni, base.aes_key.k.rndkeys) == 16);\n+\tstatic_assert(offsetof(struct aes_gcm_key_aesni, h_powers) == 272);\n+\tstatic_assert(offsetof(struct aes_gcm_key_aesni, h_powers_xored) == 400);\n+\tstatic_assert(offsetof(struct aes_gcm_key_aesni, h_times_x64) == 464);\n+\tstatic_assert(offsetof(struct aes_gcm_key_vaes_avx2, base.aes_key.len) == 0);\n+\tstatic_assert(offsetof(struct aes_gcm_key_vaes_avx2, base.aes_key.k.rndkeys) == 16);\n+\tstatic_assert(offsetof(struct aes_gcm_key_vaes_avx2, h_powers) == 288);\n+\tstatic_assert(offsetof(struct aes_gcm_key_vaes_avx2, h_powers_xored) == 416);\n+\tstatic_assert(offsetof(struct aes_gcm_key_vaes_avx512, base.aes_key.len) == 0);\n+\tstatic_assert(offsetof(struct aes_gcm_key_vaes_avx512, base.aes_key.k.rndkeys) == 16);\n+\tstatic_assert(offsetof(struct aes_gcm_key_vaes_avx512, h_powers) == 320);\n+\tstatic_assert(offsetof(struct aes_gcm_key_vaes_avx512, padding) == 576);\n+\n+\terr = aes_prepareenckey(&key->aes_key, raw_key, keylen);\n+\tif (err)\n+\t\treturn err;\n \n \tif (likely(crypto_simd_usable())) {\n-\t\terr = aes_check_keylen(keylen);\n-\t\tif (err)\n-\t\t\treturn err;\n \t\tkernel_fpu_begin();\n-\t\taesni_set_key(&key->aes_key, raw_key, keylen);\n \t\taes_gcm_precompute(key, flags);\n \t\tkernel_fpu_end();\n \t} else {\n \t\tstatic const u8 x_to_the_minus1[16] __aligned(__alignof__(be128)) = {\n \t\t\t[0] = 0xc2, [15] = 1\n@@ -1213,14 +1210,10 @@ static int gcm_setkey(struct crypto_aead *tfm, const u8 *raw_key,\n \t\t};\n \t\tbe128 h1 = {};\n \t\tbe128 h;\n \t\tint i;\n \n-\t\terr = aes_expandkey(&key->aes_key, raw_key, keylen);\n-\t\tif (err)\n-\t\t\treturn err;\n-\n \t\t/* Encrypt the all-zeroes block to get the hash key H^1 */\n \t\taes_encrypt(&key->aes_key, (u8 *)&h1, (u8 *)&h1);\n \n \t\t/* Compute H^1 * x^-1 */\n \t\th = h1;\n",
    "prefixes": [
        "v2",
        "25/35"
    ]
}