Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp5111463pxj; Wed, 26 May 2021 03:08:35 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxR2UfBiYBbMCqDcTHv611IQ6nw8QT6JtywRYift7aADPHN343BGa3IwGtZl0cCw7/y/8gT X-Received: by 2002:a05:6e02:504:: with SMTP id d4mr27662764ils.178.1622023715371; Wed, 26 May 2021 03:08:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1622023715; cv=none; d=google.com; s=arc-20160816; b=0AINLQIvV4uNjpKFyF6F8lM0D/6NqvxTGzmYoEhie+gh6Uy4CmYs9sdtFmUSW004pO lTRU2tjwvtNOnoctC7EqdwlQFyxSeP+5ROzKe+R8dOPy/3mEncmYPctwhbYEOyEmL3B6 5rYoIBDloSIkN/rbf2zURfr6XC6TPkBMDElBxdJdXJYQ4QzCA1CuZGX+gsvIiXqxmbRA 2jlHrYsqCCmn3MPvRJPYFz7N4bN9ENNs27n4A0PiMBE4ARhL9W6V0bB7VOsNjQDw7mXI U6RR/PHs9B9xcEgH8GotRUjFZXqx5FxncPAfzYn1VFDKa4WKRwPbcSsHj3b37ZmQo12I G98g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=13iWdl/lCs3heEOZTcecK+nW60HuivWXTN4YsWNk+zg=; b=CErzzemhiZEXFalJ4W0hJbpLgw6w1AlcXvpm7LQsnLk9IcYcKqTdnJNqEmA40VgqDy 1ddJesMw0JXIz8zStFvpu01r81VK1DCNC1t7owU08Rw6p9tuBgkBJsrFYseEstyvFqXc u+tM8kVpdhKgJGqiVe1ecC1G2JTLtP3XDxGjhB82ifTzJky3fwEcC6ibAUbkk25+f6D1 0h9GovWXXQfDkkkx9w0LbJhmNMtbppiT06Tf7AFOCWZlUlvT9StkS4s4kmvDfvgd0q36 xQQDZKAdYq4QZ2v3xMimZxcVBDayA2X0NHX2TlRdKvV+FQMT8DE1D7He68swN9FQZyhB lQbQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=PlI5ORgc; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t8si17896480ioh.32.2021.05.26.03.08.21; Wed, 26 May 2021 03:08:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=PlI5ORgc; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233808AbhEZKJR (ORCPT + 99 others); Wed, 26 May 2021 06:09:17 -0400 Received: from mail.kernel.org ([198.145.29.99]:39880 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233637AbhEZKJP (ORCPT ); Wed, 26 May 2021 06:09:15 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 094026124C; Wed, 26 May 2021 10:07:42 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1622023664; bh=HsvXG+ZM+XANF/anZq9LUpKWJ+Zp18U0r3Smfr15vkQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=PlI5ORgcOVkQ0vapVvcC/X8x4PWyvM5yjxICIeg5Uz/pNFpTKyeRGIZeDuVAcGeY3 eU5TSFHG6N299iqcejEReB5pnZs0P8zjQpjUbK3JVm6HzoQGCyrOdCbyTTxbs78E4m 43OjvEhp4/BxayJWljy3eNt8jYbw6/IJ+5ojjqvMMHiHm1b7MXy3D/LeWkAaNbrcDJ tnTKvcwmjd+PH15AAnCb72zRRmmHuY5YcCJLmJ21/IrvggJoJBMWxmD/XjOvo9cDm+ rrwFdOTNot5Fpf9V1EDJN4xc100FB45xMznVFjqm8vReIB5amikVRVGyQZw039tjLZ m1JWw6pu8N4mQ== From: Ard Biesheuvel To: linux-crypto@vger.kernel.org Cc: linux-arm-kernel@lists.infradead.org, ebiggers@kernel.org, herbert@gondor.apana.org.au, will@kernel.org, kernel-team@android.com, Ard Biesheuvel Subject: [PATCH v6 5/6] crypto: arm64/aes-ccm - reduce NEON begin/end calls for common case Date: Wed, 26 May 2021 12:07:28 +0200 Message-Id: <20210526100729.12939-6-ardb@kernel.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20210526100729.12939-1-ardb@kernel.org> References: <20210526100729.12939-1-ardb@kernel.org> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org AES-CCM (as used in WPA2 CCMP, for instance) typically involves authenticate-only data, and operates on a single network packet, and so the common case is for the authenticate, en/decrypt and finalize SIMD helpers to all be called exactly once in sequence. Since kernel_neon_end() now involves manipulation of the preemption state as well as the softirq mask state, let's reduce the number of times we are forced to call it to only once if we are handling this common case. Signed-off-by: Ard Biesheuvel --- arch/arm64/crypto/aes-ce-ccm-core.S | 1 + arch/arm64/crypto/aes-ce-ccm-glue.c | 74 +++++++++++--------- 2 files changed, 43 insertions(+), 32 deletions(-) diff --git a/arch/arm64/crypto/aes-ce-ccm-core.S b/arch/arm64/crypto/aes-ce-ccm-core.S index 99a028e298ed..8adff299fcd3 100644 --- a/arch/arm64/crypto/aes-ce-ccm-core.S +++ b/arch/arm64/crypto/aes-ce-ccm-core.S @@ -124,6 +124,7 @@ SYM_FUNC_START(ce_aes_ccm_final) SYM_FUNC_END(ce_aes_ccm_final) .macro aes_ccm_do_crypt,enc + cbz x2, 5f ldr x8, [x6, #8] /* load lower ctr */ ld1 {v0.16b}, [x5] /* load mac */ CPU_LE( rev x8, x8 ) /* keep swabbed ctr in reg */ diff --git a/arch/arm64/crypto/aes-ce-ccm-glue.c b/arch/arm64/crypto/aes-ce-ccm-glue.c index 54bd2494a000..98159f2c49ae 100644 --- a/arch/arm64/crypto/aes-ce-ccm-glue.c +++ b/arch/arm64/crypto/aes-ce-ccm-glue.c @@ -97,10 +97,8 @@ static int ccm_init_mac(struct aead_request *req, u8 maciv[], u32 msglen) static void ccm_update_mac(struct crypto_aes_ctx *key, u8 mac[], u8 const in[], u32 abytes, u32 *macp) { - kernel_neon_begin(); ce_aes_ccm_auth_data(mac, in, abytes, macp, key->key_enc, num_rounds(key)); - kernel_neon_end(); } static void ccm_calculate_auth_mac(struct aead_request *req, u8 mac[]) @@ -157,35 +155,41 @@ static int ccm_encrypt(struct aead_request *req) if (err) return err; - if (req->assoclen) - ccm_calculate_auth_mac(req, mac); - /* preserve the original iv for the final round */ memcpy(buf, req->iv, AES_BLOCK_SIZE); err = skcipher_walk_aead_encrypt(&walk, req, false); + if (unlikely(err)) + return err; - while (walk.nbytes) { + kernel_neon_begin(); + + if (req->assoclen) + ccm_calculate_auth_mac(req, mac); + + do { u32 tail = walk.nbytes % AES_BLOCK_SIZE; if (walk.nbytes == walk.total) tail = 0; - kernel_neon_begin(); ce_aes_ccm_encrypt(walk.dst.virt.addr, walk.src.virt.addr, walk.nbytes - tail, ctx->key_enc, num_rounds(ctx), mac, walk.iv); - kernel_neon_end(); - err = skcipher_walk_done(&walk, tail); - } - if (!err) { - kernel_neon_begin(); - ce_aes_ccm_final(mac, buf, ctx->key_enc, num_rounds(ctx)); + if (walk.nbytes == walk.total) + ce_aes_ccm_final(mac, buf, ctx->key_enc, num_rounds(ctx)); + kernel_neon_end(); - } - if (err) - return err; + + if (walk.nbytes) { + err = skcipher_walk_done(&walk, tail); + if (unlikely(err)) + return err; + if (unlikely(walk.nbytes)) + kernel_neon_begin(); + } + } while (walk.nbytes); /* copy authtag to end of dst */ scatterwalk_map_and_copy(mac, req->dst, req->assoclen + req->cryptlen, @@ -209,35 +213,41 @@ static int ccm_decrypt(struct aead_request *req) if (err) return err; - if (req->assoclen) - ccm_calculate_auth_mac(req, mac); - /* preserve the original iv for the final round */ memcpy(buf, req->iv, AES_BLOCK_SIZE); err = skcipher_walk_aead_decrypt(&walk, req, false); + if (unlikely(err)) + return err; + + kernel_neon_begin(); - while (walk.nbytes) { + if (req->assoclen) + ccm_calculate_auth_mac(req, mac); + + do { u32 tail = walk.nbytes % AES_BLOCK_SIZE; if (walk.nbytes == walk.total) tail = 0; - kernel_neon_begin(); ce_aes_ccm_decrypt(walk.dst.virt.addr, walk.src.virt.addr, - walk.nbytes - tail, ctx->key_enc, - num_rounds(ctx), mac, walk.iv); - kernel_neon_end(); + walk.nbytes - tail, ctx->key_enc, + num_rounds(ctx), mac, walk.iv); + + if (walk.nbytes == walk.total) + ce_aes_ccm_final(mac, buf, ctx->key_enc, num_rounds(ctx)); - err = skcipher_walk_done(&walk, tail); - } - if (!err) { - kernel_neon_begin(); - ce_aes_ccm_final(mac, buf, ctx->key_enc, num_rounds(ctx)); kernel_neon_end(); - } - if (err) - return err; + + if (walk.nbytes) { + err = skcipher_walk_done(&walk, tail); + if (unlikely(err)) + return err; + if (unlikely(walk.nbytes)) + kernel_neon_begin(); + } + } while (walk.nbytes); /* compare calculated auth tag with the stored one */ scatterwalk_map_and_copy(buf, req->src, -- 2.20.1