AES: Add accelerator only mode

[yuhaoth]

Description

Add new option(MBEDTLS_AES_USE_HARDWARE_ONLY ) to disable built-in AES implementation.

For time being, there are only two implementations in each known architecture. This PR just disable runtime detection to meet the requirement. When runtime detection was disabled and accelerator is enabled, built-in implementation become dead code, compiler will remove those dead code.

Fixes #7141

Gatekeeper checklist

• changelog present
• backport no, not in 2.28
• tests provided

Notes for the submitter

Please refer to the contributing guidelines, especially the
checklist for PR contributors.

[daverodgman]

I find the name of this option confusing. Maybe MBEDTLS_AES_CPU_ACCELERATION_NO_RUNTIME_DETECTION would be more clear. It's not a great suggestion though, maybe a second reviewer has a better idea.

[yuhaoth]

This name looks confuse you. This means no Pure-C code. ( platform independent code).
How about MBEDTLS_AES_HAS_NO_IND_ACCEL?

[yuhaoth]

I rename it to MBEDTLS_AES_HAS_NO_PLAIN_C , is it better?

[tom-cosgrove-arm]

The problem with HAS_ is that it sounds like a statement (of fact) rather than an imperative (instruction).

In SHA-2, we've used MBEDTLS_SHAxxx_USE_A64_CRYPTO_ONLY, so we could use something like MBEDTLS_AES_USE_HARDWARE_CRYPTO_ONLY or MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO

[yuhaoth]

Renamed to MBEDTLS_AES_DONT_USE_SOFTWARE_CRYPTO .

[gilles-peskine-arm]

Having positive variables is easier for users. But it introduces a problem with backward compatibility: if someone has an existing mbedtls_config.h with just

#define MBEDTLS_AES_C
#define MBEDTLS_AESNI_C

then they should get the fallback. We can fiddle with options in build_info.h, but that means we'd have to automaticaly enable MBEDTLS_AES_PLAIN_C is MBEDTLS_AES_C is enabled. Then the user would have to #undef MBEDTLS_AES_PLAIN_C in their mbedtls_config.h if they don't want fallback. We currently have no pre-enabled configuration options, and I think it would be more confusing to start having one than it would be to have a negative option “no software AES”.

On naming: the suffix _C in Mbed TLS compile-time options means “a module providing a feature”. Please avoid option names where it doesn't mean that. Given the precedent of MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY and MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY, we should use similar names for AES. I suggest

MBEDTLS_AES_USE_HARDWARE_ONLY

(and really I'd suggest something similar for the SHA) since it makes perfect sense to enable both AESNI and AESCE if you want to deploy both on high-end x86 and high-end arm.

[yuhaoth]

I like @gilles-peskine-arm 's suggestion. And it should be negative option to avoid backward compatibility issue.

[daverodgman]

Agreed with @gilles-peskine-arm that we really have to keep it a negative option. But I don't really like "HARDWARE" in the name, because this is a software implementation (that happens to use some special CPU instructions).

So I'm back to MBEDTLS_AES_NO_PLAINC as my suggestion. @gilles-peskine-arm suggested (in slack) MBEDTLS_AES_USE_ACCELERATION_ONLY. I'm OK with either. @tom-cosgrove-arm WDYT?

[tom-cosgrove-arm]

Sorry, but after thinking about this for a while, I think it really is HARDWARE.

A software implementation of AES is where code (C, assembler, Rust, JavaScript, whatever) does the calculations using registers and memory on a general-purpose CPU.

Hardware-accelerated AES, like AES-NI and the AArch64 crypto extensions, is where hardware does those calculations - and the CPU is hardware. Yes, software has to set up the input data, but it has to do that when handing off to a separate crypto accelerator. i.e. the algorithm is implemented within the hardware of the CPU, not the software of the code running on the CPU.

Therefore I think few people would be confused if we used the term HARDWARE here, but I think some might get confused if we said NO_PLAINC (we're using intrinsics, called by C, so there's a lot riding on the interpretation of "PLAIN" here)

[daverodgman]

Ah, the problem is that the check is in aesce.c:

#if !defined(MBEDTLS_AESCE_C) && defined(MBEDTLS_AES_USE_HARDWARE_ONLY)
#error "MBEDTLS_AES_C defined, but not all prerequisites"
#endif

but... aes.c has the following:

#if defined(MBEDTLS_AESCE_C)
#include "aesce.h"
#endif

so the error will never trigger. Presumably the checks should move into aes.c.

[yuhaoth]

Last CI got a known failure in time test. That is discussing in #7419

[daverodgman]

Some more comments on naming, and a question about the checks that have been added.

[tom-cosgrove-arm]

Is travis-log-failure.sh needed? It says:

# Purpose
#
# List the server and client logs on failed ssl-opt.sh and compat.sh tests.

but we're only running selftest here

[tom-cosgrove-arm]

(v minor) it doesn't seem necessary to remove this blank line

[lpy4105]

LGTM, thanks!

[gilles-peskine-arm]

Disabling AESNI here is a test regression. It's apparently hiding a product regression. When tests fail, we shouldn't disable them, we should fix the bug!