From: Ard Biesheuvel
Date: Thu, 20 Aug 2020 09:33:21 +0200
Subject: Re: [PATCH 0/5] crypto: Implement cmac based on cbc skcipher
To: Herbert Xu
Cc: Ben Greear, Linux Crypto Mailing List, Eric Biggers
In-Reply-To: <20200820072910.GA21631@gondor.apana.org.au>
List-ID: linux-crypto@vger.kernel.org

On Thu, 20 Aug 2020 at 09:29, Herbert Xu wrote:
>
> On Thu, Aug 20, 2020 at 09:19:16AM +0200, Ard Biesheuvel wrote:
> >
> > Actually, I'm not so sure that they will be so much worse. The
> > expensive FPU preserve/restore occurs for every 16 bytes of data
> > processed by the AES cipher, which I'd estimate to take ~10 cycles per
> > byte for an unaccelerated implementation. But table based AES should
> > be avoided, especially for MAC algorithms where the plaintext may be
> > known to an attacker who is after the key.
>
> On my machine the performance difference on a 1472-byte request
> between SIMD and generic is 2161 vs. 7558 (cycles).

Sure. But your machine does not have the pathological FPU
preserve/restore performance.

> > However, the CCMP handling is invoked from softirq context or from
> > task context, and so SIMD is generally available unless the softirq
> > happens to be taken over the back of a hardirq that interrupted a task
> > running in the kernel that was using the SIMD already. IOW, this
> > happens so rarely in practice that I would not expect it to be
> > noticeable in the performance stats.
>
> What if the same machine was doing TLS/IPsec sends at full throttle?
> That would be exactly the wrong time to slow down softirqs four-fold,
> no?
>

Fair point.

> > My v2 attempt at cbcmac(aesni) implements an ahash, but a synchronous
> > one. This means we can amortize the FPU preserve/restore over the
> > entire scatterlist, instead of relying on the ahash walk to present
> > the data in virtually mapped chunks.
> >
> > I'd still like to explore this approach, but I simply haven't had the
> > spare cycles to spend on this.
>
> I don't have an issue with your patch per se. But please make it so that
> it has the async path like everything else. Also wireless uses shash
> so it can't use an ahash anyway even if it is sync.
>

The mac80211 CCMP code uses a synchronous ccm aead, which gets backed by
a skcipher+ahash combo by the ccm template. So a synchronous ahash is
fine for this particular case.
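The series subject, a cmac built on a cbc skcipher, rests on the fact that CMAC is a zero-IV CBC-MAC whose final block is masked with a derived subkey (RFC 4493 / NIST SP 800-38B). The block below is an added illustration, not code from this thread or from the kernel: it carries the RFC 4493 subkey derivation and shows that the "run CBC, keep the last ciphertext block" route and the direct CBC-MAC loop agree. The block function is a constructed SHA-256 stand-in, not AES, so only the subkey step is checked against published vectors.

```python
import hashlib

BLOCK = 16
RB = 0x87  # GF(2^128) reduction constant from RFC 4493 / SP 800-38B


def toy_block_cipher(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in block function, NOT AES. A real 128-bit block
    cipher with the same (key, block) -> block signature can replace it."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def double(block: bytes) -> bytes:
    """Multiply by x in GF(2^128): shift left one bit, XOR Rb on carry-out."""
    n = int.from_bytes(block, "big") << 1
    if n >> 128:
        n = (n & ((1 << 128) - 1)) ^ RB
    return n.to_bytes(BLOCK, "big")


def cmac_subkeys(enc, key: bytes):
    """K1 = double(E_K(0^128)), K2 = double(K1)  (RFC 4493 section 2.3)."""
    k1 = double(enc(key, bytes(BLOCK)))
    return k1, double(k1)


def cmac_mask_last(enc, key: bytes, msg: bytes) -> bytes:
    """Return msg with its final block masked: XOR K1 if it is a complete
    block, otherwise pad with 10* and XOR K2 (the empty message uses K2)."""
    k1, k2 = cmac_subkeys(enc, key)
    if msg and len(msg) % BLOCK == 0:
        return msg[:-BLOCK] + xor(msg[-BLOCK:], k1)
    rem = len(msg) % BLOCK
    cut = len(msg) - rem
    padded = msg[cut:] + b"\x80" + bytes(BLOCK - 1 - rem)
    return msg[:cut] + xor(padded, k2)


def cbc_encrypt(enc, key: bytes, iv: bytes, data: bytes) -> bytes:
    """Plain CBC encryption over whole blocks, the role a cbc skcipher plays."""
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = enc(key, xor(prev, data[i:i + BLOCK]))
        out.append(prev)
    return b"".join(out)


def cmac_via_cbc(enc, key: bytes, msg: bytes) -> bytes:
    """CMAC as 'CBC with zero IV over the masked message, keep the last block'."""
    return cbc_encrypt(enc, key, bytes(BLOCK), cmac_mask_last(enc, key, msg))[-BLOCK:]


def cmac_direct(enc, key: bytes, msg: bytes) -> bytes:
    """Reference CBC-MAC chaining loop from RFC 4493 step 5, for comparison."""
    x, data = bytes(BLOCK), cmac_mask_last(enc, key, msg)
    for i in range(0, len(data), BLOCK):
        x = enc(key, xor(x, data[i:i + BLOCK]))
    return x
```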