
[v2,0/3] crypto: aegis128 followup

Message ID 20190811225912.19412-1-ard.biesheuvel@linaro.org (mailing list archive)

Message

Ard Biesheuvel Aug. 11, 2019, 10:59 p.m. UTC
This series resubmits the aegis128 SIMD patches that were reverted due to
the fact that the compiler's optimization behavior wrt variables with static
linkage does not turn out to guarantee that function calls that are
conditional on the value of such a variable are optimized away if the value
is a compile time constant and the condition evaluates to false at compile
time as well.

Changes since v1:
- minor tweaks to #2 to drop a memset() invocation from the decrypt path,
  and some temp vars in various places
- update the NEON code in #3 so it builds with Clang as well as GCC (and
  drop the RFC annotation)

Patch #1 reintroduces the changes to the generic code to permit SIMD
routines to be attached to the aegis128 driver. This time, the conditional
check is pulled into a helper function which collapses to 'return false'
if the CONFIG_CRYPTO_AEGIS128_SIMD Kconfig symbol is not set. (This has
been confirmed by one of the reporters of the original issue as sufficient
to address the problem).

Patch #2 is mostly unchanged wrt the version that got reverted, only some
inline annotations were added back.

Patch #3 is new and implements the SIMD routines for arm64 without using
the optional AES instructions, but using plain SIMD arithmetic instead.
This is much slower than AES instructions, but still substantially more
efficient than table based scalar AES on systems where memory accesses are
expensive, such as the Raspberry Pi 3 (which does not implement the AES
instructions).

Ard Biesheuvel (3):
  crypto: aegis128 - add support for SIMD acceleration
  crypto: aegis128 - provide a SIMD implementation based on NEON
    intrinsics
  crypto: arm64/aegis128 - implement plain NEON version

 crypto/Kconfig                         |   5 +
 crypto/Makefile                        |  20 ++
 crypto/{aegis128.c => aegis128-core.c} |  52 ++++-
 crypto/aegis128-neon-inner.c           | 212 ++++++++++++++++++++
 crypto/aegis128-neon.c                 |  49 +++++
 5 files changed, 334 insertions(+), 4 deletions(-)
 rename crypto/{aegis128.c => aegis128-core.c} (89%)
 create mode 100644 crypto/aegis128-neon-inner.c
 create mode 100644 crypto/aegis128-neon.c
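A stand-alone illustration of the patch #1 approach, added here and not code from the series: the SIMD check lives in a helper that collapses to a compile-time `false` when the Kconfig symbol is off, so the call it guards is dead code by construction rather than something the optimizer may or may not drop from a static variable. The function names, the simplified `IS_ENABLED` macro and the toy update routines are assumptions; the SIMD stub is compiled in here so the file links either way, whereas in the kernel it only exists when the symbol is set.

```c
/* Added example, not from the series: "helper collapses to return false". */
#include <stdbool.h>
#include <stdint.h>

/* Stand-in for Kconfig: 1 means CONFIG_CRYPTO_AEGIS128_SIMD=y. */
#ifndef CONFIG_CRYPTO_AEGIS128_SIMD
#define CONFIG_CRYPTO_AEGIS128_SIMD 0
#endif
#define IS_ENABLED(opt) (opt) /* simplified stand-in for the kernel macro */

/* Result of runtime CPU-feature detection, set once at init (emulated). */
static bool have_simd;

/* v2 pattern: with the Kconfig symbol off this is a constant 'false', so any
 * call guarded by it is dead code no matter what have_simd holds at runtime.
 * A bare static variable (the reverted v1 approach) gives no such guarantee. */
static inline bool aegis128_do_simd(void)
{
	if (IS_ENABLED(CONFIG_CRYPTO_AEGIS128_SIMD))
		return have_simd;
	return false;
}

/* Counters so a caller can observe which path actually ran. */
static unsigned long generic_calls, simd_calls;

/* Toy stand-ins for the two state-update routines (not the AEGIS round). */
static uint32_t aegis128_update_generic(uint32_t s, uint32_t m)
{
	generic_calls++;
	return (s ^ m) * 0x9E3779B1u;
}

static uint32_t crypto_aegis128_update_simd(uint32_t s, uint32_t m)
{
	simd_calls++;
	return (s ^ m) * 0x9E3779B1u; /* same result, different implementation */
}

/* Dispatch exactly as the core driver would: SIMD only if the helper says so. */
uint32_t aegis128_update(uint32_t s, uint32_t m)
{
	if (aegis128_do_simd())
		return crypto_aegis128_update_simd(s, m);
	return aegis128_update_generic(s, m);
}

/* Emulated init: pretend CPU feature detection reported NEON as available. */
void aegis128_init_simd(bool cpu_has_neon) { have_simd = cpu_has_neon; }
unsigned long aegis128_generic_calls(void) { return generic_calls; }
unsigned long aegis128_simd_calls(void) { return simd_calls; }
```

Build with `-DCONFIG_CRYPTO_AEGIS128_SIMD=1` to see the SIMD path selected once `aegis128_init_simd(true)` has run; with the default of 0 the generic path is taken even then.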

Comments

Herbert Xu Aug. 15, 2019, 12:08 p.m. UTC | #1
On Mon, Aug 12, 2019 at 01:59:09AM +0300, Ard Biesheuvel wrote:

All applied.  Thanks.