crypto: riscv/aes - Provide scalar implementation based on Zkn extension

The generic AES implementation that will be used if no architecture
specific one is available relies on lookup tables that are relatively
large with respect to the typical L1 D-cache size, which not only
affects performance, it may also result in timing variances that
make it susceptible to known-plaintext attacks on the encryption key.

So we tend to avoid the generic code if we can, typically by using a
driver that makes use of special AES instructions which incorporate all
or most of the operations involved in performing a single round of AES.

The Zkn RISC-V for RV32 extension provides another interesting take on
this: it defines instructions operating on scalar registers that can
replace the individual table lookups, eliminating the timing variances
due to caching.  Those tables carry 32-bit quantities, making them a
natural fit for a 32-bit architecture. And given the use of scalars, we
don't have to rely on in-kernel SIMD, which is a bonus.

For RV64, the instructions are more similar to SIMD AES instructions
that other architectures implement, except for the fact that they output
only half of the AES state, and therefore need to be issued as pairs.

Note that this implementation does not use the RV64 key schedule
generation instructions [yet]: for simplicity and symmetry with RV32
(which has no special instructions for this purpose), the existing AES
library code is used, which we need to carry in any case given that the
Zkn extension is optional.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
5 files changed
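As an added illustration (not part of this commit or of the kernel's AES code), the following C model shows what the RV32 scalar instruction described above does in place of a table lookup: `aes32esmi` is restated from the RISC-V scalar cryptography specification as I understand it, one AES round is assembled from four such operations per column, and the result is checked against the round 1 values printed in FIPS-197 Appendix B. The S-box table exists here only to state the semantics; on real hardware it is evaluated inside the instruction and no memory is read.

```c
#include <stdint.h>

static uint8_t xtime(uint8_t x) { return (uint8_t)((x << 1) ^ ((x & 0x80) ? 0x1b : 0)); }
static uint32_t rol32(uint32_t x, unsigned n) { return n ? (x << n) | (x >> (32 - n)) : x; }
#define ROL8(x, n) ((uint8_t)(((x) << (n)) | ((x) >> (8 - (n)))))

/* AES S-box derived at runtime (inverse in GF(2^8), then the affine map)
 * rather than typed in; used only to model the instruction below. */
static uint8_t sbox[256];
static void init_sbox(void) {
    uint8_t p = 1, q = 1;                                  /* invariant: p * q == 1 */
    do {
        p = (uint8_t)(p ^ (p << 1) ^ ((p & 0x80) ? 0x1b : 0));           /* p *= 3 */
        q ^= (uint8_t)(q << 1); q ^= (uint8_t)(q << 2); q ^= (uint8_t)(q << 4);
        q ^= (q & 0x80) ? 0x09 : 0;                                       /* q /= 3 */
        sbox[p] = (uint8_t)(q ^ ROL8(q, 1) ^ ROL8(q, 2) ^ ROL8(q, 3) ^ ROL8(q, 4) ^ 0x63);
    } while (p != 1);
    sbox[0] = 0x63;                                        /* 0 has no inverse */
}

/* Model of RV32 Zkne "aes32esmi rd, rs1, rs2, bs": S-box byte bs of rs2, form its
 * forward MixColumns column {3*so, so, so, 2*so} (MSB first), rotate it into byte
 * position bs and XOR into rs1. Four of these, bs selecting the row, replace the
 * four 32-bit T-table lookups the generic code performs per state column. */
static uint32_t aes32esmi(uint32_t rs1, uint32_t rs2, unsigned bs) {
    uint8_t so = sbox[(rs2 >> (8 * bs)) & 0xff];
    uint32_t mixed = ((uint32_t)(xtime(so) ^ so) << 24) | ((uint32_t)so << 16) |
                     ((uint32_t)so << 8) | xtime(so);
    return rs1 ^ rol32(mixed, 8 * bs);
}

/* One encryption round on four little-endian column words, using only the model.
 * Byte r of output column j is taken from input column (j+r)%4, i.e. ShiftRows;
 * seeding the accumulator with the round key word is AddRoundKey. */
static void round_zkn(const uint32_t in[4], const uint32_t rk[4], uint32_t out[4]) {
    for (unsigned j = 0; j < 4; j++) {
        uint32_t t = rk[j];
        for (unsigned r = 0; r < 4; r++)
            t = aes32esmi(t, in[(j + r) & 3], r);
        out[j] = t;
    }
}

/* Known-answer check: AES-128 round 1 input state, round key and round output
 * from FIPS-197 Appendix B, packed little-endian per column. Returns 1 on match. */
static int zkn_round_matches_fips197(void) {
    static const uint32_t in[4]  = {0xbee33d19, 0x2be2f4a0, 0x2a8dc69a, 0x0848f8e9};
    static const uint32_t rk[4]  = {0x17fefaa0, 0xb12c5488, 0x3939a323, 0x05766c2a};
    static const uint32_t exp[4] = {0xf27f9ca4, 0x2b359f68, 0x43ea5b6b, 0x49506a02};
    uint32_t out[4];
    init_sbox();
    round_zkn(in, rk, out);
    return out[0] == exp[0] && out[1] == exp[1] && out[2] == exp[2] && out[3] == exp[3];
}
```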