2024-02-15 00:00:51

by Eric Biggers

Subject: Re: [PATCH 00/15] crypto: Add twopass lskcipher for adiantum

On Tue, Feb 13, 2024 at 05:04:25PM +0800, Herbert Xu wrote:
> [PATCH 00/15] crypto: Add twopass lskcipher for adiantum

Thanks. Can you include an explanation of the high-level context and goals for
this work? It's still not clear to me. I'm guessing that the main goal is to
get rid of the vaddr => scatterlist => vaddr round trip for software
encryption/decryption, which hopefully will improve performance and make the API
easier to use? And to do that, all software algorithms need to be converted to
"lskcipher"? Will skcipher API users actually be able to convert to lskcipher,
or will they be blocked by people expecting to be able to use hardware crypto
accelerators? Would you accept lskcipher being used alongside skcipher?
Previously you had said you don't want shash being used alongside ahash.

I'd prefer there was a clear plan before merging a bunch of patches that leave
everything in a half-finished state.

By the way, note that hctr2 requires two passes too, as it's an SPRP like
Adiantum. Also note that SPRPs in general may require more than two passes,
though Adiantum and HCTR2 were designed to only need two (technically they have
three passes, but two are combinable). It's fine to support only two passes if
that's what's needed now; I just thought I'd mention that there's no guarantee
that two passes will be enough forever.

> In addition to converting adiantum, the underlying chacha algorithm
> is also converted over to lskcipher.
>
> The algorithms cts + xts have been converted too to ensure that the
> tailsize mechanism works properly for them. While doing this the
> parameters for cts + xts have been modified so that blocksize is now
> 1. This entails changing the parameters of all drivers that support
> cts and/or xts.

cts and xts have nothing to do with adiantum. So this further indicates that
the scope of this work is broader than just "crypto: Add twopass lskcipher for
adiantum" as suggested by the title.

It would be good to have a sense for the direction of this work. What will be
coming next?

- Eric