Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp7659pxx; Mon, 26 Oct 2020 01:43:16 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz6SHb8xx+GNBIZjwAatGvsVa/MoERF9E7oDAOOUnJR6czFWK9sBQdn58nNzukk35PiGUBY X-Received: by 2002:a17:906:4ac2:: with SMTP id u2mr14360857ejt.224.1603701796288; Mon, 26 Oct 2020 01:43:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603701796; cv=none; d=google.com; s=arc-20160816; b=XnRt8uUrNPcWrwpIXBERwLviPz4ZQIZC3I8uWG7SW5kMp/aa7afJOcvK6g17tXGPVS DWCiqx+xcXdbZ1/Oxly+Rn0V0I66G5mE9qjuMrevWfgqgEZpN27hzXoknjXE7XAP5goy yaPhpia0IhQKn3CBxXQfjXJu1Hwc9Gl47CwaM5Vzz8FiCBP/ZWWbwn8v7/FcsYfVnYj7 F1sfsPvQlsXah7AGGAFp1oeGHBha8YI4jG4nQQOE2rHssLnFqulQoLF01qiuDFG76mnY uZIB915UtT1101r3YLbnVwoXt7n/k6v4KWnHDYfIjWEx9kBMzTb/KCmd5PnAM5+1Ks8r a2QA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=tC4+gmah7DHtnqjPXShxtJ5iOUJ1JYNutZH8w4gcGc8=; b=CpaWsNE4SIqhx7MVJUPZ57wcKOPqRpA59CwoAlmsymhDghXcoAGMdPcn+qHSOx4d7u DHGstO+G5JIimcuMN9cijlpj1CdC0r7AUenare6WDkgwg90NvPT8LhsIzlvNdNUuEiuK wc3pMx+Tn9dFhpH3jI05TbjQo2z0GfXYX4Aww3gaZKVqNBjHW+73ZJZkVtcN+sC4RHgL n55GzIGOEol/9WTRnjTwsGJ+0Qf0kGzLykCrJ865jPANfEUbD63uyAmldppkAp2oEd84 dnOcUTP1Am/bGlerWenhGjWcPloMn03J4EO7VByJyhDpiPynLlptVXzGXM2aAKcFcr9L 9Qtg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=lmqZ4308; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id n9si6600759eja.354.2020.10.26.01.42.53; Mon, 26 Oct 2020 01:43:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=lmqZ4308; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1771111AbgJZIAk (ORCPT + 99 others); Mon, 26 Oct 2020 04:00:40 -0400 Received: from mail.kernel.org ([198.145.29.99]:32878 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1771106AbgJZIAj (ORCPT ); Mon, 26 Oct 2020 04:00:39 -0400 Received: from mail-ot1-f48.google.com (mail-ot1-f48.google.com [209.85.210.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id DFEEE223AE; Mon, 26 Oct 2020 08:00:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1603699239; bh=t8KqnohVc9KETZwMDwuv/xhlsN9Qpwoi50jSZCkMFN0=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=lmqZ4308gJshUYy5YYWOvPdo1y1JHt1eEuFj4V7dZgBobFeTSmJqpsd0rqsa+Gova VbKHgl9hKOU4QtiuRXTady9236RnBhg1/roU8354BHHoG31GzMir8p2OyrxWAhij8V Hsv4LU4KxYvb8aYoeUf+Jc4GRAjdoZ+K6lZ/LifQ= Received: by mail-ot1-f48.google.com with SMTP id n15so7199027otl.8; Mon, 26 Oct 2020 01:00:38 -0700 (PDT) X-Gm-Message-State: AOAM530g0G1+pKIdicNy3mbZzd3lFSwov4z4jv9B5X8w2LN5Ciw2ZPXR Oa0xdo8aVEgY9b9AiGVaT+Y9HcEo6du7NK/L76k= X-Received: by 2002:a9d:2daa:: with SMTP id g39mr13835036otb.77.1603699238188; Mon, 26 Oct 2020 01:00:38 -0700 (PDT) MIME-Version: 1.0 References: <20201025143119.1054168-1-nivedita@alum.mit.edu> <20201025143119.1054168-5-nivedita@alum.mit.edu> In-Reply-To: <20201025143119.1054168-5-nivedita@alum.mit.edu> From: Ard Biesheuvel Date: Mon, 26 Oct 2020 09:00:27 +0100 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [PATCH v4 4/6] crypto: lib/sha256 - Clear W[] in sha256_update() instead of sha256_transform() To: Arvind Sankar Cc: Herbert Xu , "David S. Miller" , "linux-crypto@vger.kernel.org" , Eric Biggers , David Laight , Linux Kernel Mailing List , Eric Biggers Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sun, 25 Oct 2020 at 15:31, Arvind Sankar wrote: > > The temporary W[] array is currently zeroed out once every call to > sha256_transform(), i.e. once every 64 bytes of input data. Moving it to > sha256_update() instead so that it is cleared only once per update can > save about 2-3% of the total time taken to compute the digest, with a > reasonable memset() implementation, and considerably more (~20%) with a > bad one (eg the x86 purgatory currently uses a memset() coded in C). > > Signed-off-by: Arvind Sankar > Reviewed-by: Eric Biggers Acked-by: Ard Biesheuvel > --- > lib/crypto/sha256.c | 11 +++++------ > 1 file changed, 5 insertions(+), 6 deletions(-) > > diff --git a/lib/crypto/sha256.c b/lib/crypto/sha256.c > index 099cd11f83c1..c6bfeacc5b81 100644 > --- a/lib/crypto/sha256.c > +++ b/lib/crypto/sha256.c > @@ -43,10 +43,9 @@ static inline void BLEND_OP(int I, u32 *W) > W[I] = s1(W[I-2]) + W[I-7] + s0(W[I-15]) + W[I-16]; > } > > -static void sha256_transform(u32 *state, const u8 *input) > +static void sha256_transform(u32 *state, const u8 *input, u32 *W) > { > u32 a, b, c, d, e, f, g, h, t1, t2; > - u32 W[64]; > int i; > > /* load the input */ > @@ -200,15 +199,13 @@ static void sha256_transform(u32 *state, const u8 *input) > > state[0] += a; state[1] += b; state[2] += c; state[3] += d; > state[4] += e; state[5] += f; state[6] += g; state[7] += h; > - > - /* clear any sensitive info... */ > - memzero_explicit(W, 64 * sizeof(u32)); > } > > void sha256_update(struct sha256_state *sctx, const u8 *data, unsigned int len) > { > unsigned int partial, done; > const u8 *src; > + u32 W[64]; > > partial = sctx->count & 0x3f; > sctx->count += len; > @@ -223,11 +220,13 @@ void sha256_update(struct sha256_state *sctx, const u8 *data, unsigned int len) > } > > do { > - sha256_transform(sctx->state, src); > + sha256_transform(sctx->state, src, W); > done += 64; > src = data + done; > } while (done + 63 < len); > > + memzero_explicit(W, sizeof(W)); > + > partial = 0; > } > memcpy(sctx->buf + partial, src, len - done); > -- > 2.26.2 >