Received: by 2002:a05:6a10:7420:0:0:0:0 with SMTP id hk32csp3247520pxb; Sun, 20 Feb 2022 13:54:47 -0800 (PST) X-Google-Smtp-Source: ABdhPJzmN1YIRVUC0c+fFzUHc5UL2PhY8p6MM5G2ktIp7PNff/T2XK6ifMb5ieKixnuPIuAu4MlE X-Received: by 2002:a17:906:2718:b0:6ce:29fb:8819 with SMTP id z24-20020a170906271800b006ce29fb8819mr13610743ejc.144.1645394086806; Sun, 20 Feb 2022 13:54:46 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1645394086; cv=none; d=google.com; s=arc-20160816; b=KK4/R5kiTub9vixAA/I+BOY8JRhN7/srLKnXdjMMTL2YvuueEXsNgvH4KCEL0ES9YF vy0QsNYAHmiWFO8fobvQPi1doJtagDoN8S0bZA7c6/gZ6nDrmlVftFCHxxt5QuS5nfhd 8YwiSjB+0+Fcj8D9w2TrrOA7aeEfRyKUYyoCrXV8/fK/C/xPN+edxS25qJ2M16/8n5CI KXQ6vquC9Jjt9PRiqcKglutSJ89goS2L+yu6R11WCeri5Cei144XRg9DA/nc5DHBFQgv AmqYIuT169bEW/I7x/DTp5Dh4U7vyisuv/uARU9huPrdfnYPVvaqDzOTXLl7B2DCsjCs HgiA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=jSMVAb+U6QlFO0gJpwM8R/cSnUUxn8YxaUy/13legWk=; b=WFD7BlA0/TYk/JJGUXMqpcoH1DSniVLFiUZBq2bxihvt2CG881W31A4JSqMNhJ9aw5 jvKacrDXyvL0hm7a8XphL6fs8P9lRjZhdIOIICWiB+UKyR0f6VZuRUzWaX5IzVCVItey Evi+8pu7/8z1Y37X49wsOrcMYDyIdQ1lFx/MUFwLZIA4xLnzWtblm/ujIoO57i9oBN9j 6Bv4VaGTnGV7RDJt8ZKdNHKGqkQUZZJDc9WM3ZPN7SZ3cNzx+Kve7sUkixm61Yav7waN DvI4DRBe9qAsQ9fHHm9eoWeWW81c2xDa3NjLgaAMqXZ6uUkcwtZeKsjQ8+wGUFtv4tv4 rdGQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=INOT5CJi; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id gv38si6034753ejc.512.2022.02.20.13.54.06; Sun, 20 Feb 2022 13:54:46 -0800 (PST) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=INOT5CJi; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240864AbiBSBVj (ORCPT + 99 others); Fri, 18 Feb 2022 20:21:39 -0500 Received: from mxb-00190b01.gslb.pphosted.com ([23.128.96.19]:55356 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S240701AbiBSBVi (ORCPT ); Fri, 18 Feb 2022 20:21:38 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id A0B8618406E for ; Fri, 18 Feb 2022 17:21:20 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 466F762018 for ; Sat, 19 Feb 2022 01:21:20 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 67D7AC340E9; Sat, 19 Feb 2022 01:21:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1645233679; bh=0yZROx1zfBGesuvOmp4yoXRqrpLpABCEUu2sb63C8RY=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=INOT5CJig3IlpxmWZiE9M616AaKXVeyseAlLvygBfVKSHaFWNHylh8R3YCwV5EyZf tH1/UAKQ0QIa6agDDQ8osx75LCDGvBVlrd/CE1TfNLnH2QPxUFFDsbfOmIYyEbfD9K 1y3uCorvlsG3kzN4B5bd9felDv4VBJt1JZFAB31uQFY6HH551jPFCrIgsreebAXTpx Ogxhg3AAf3pvnBFxJoQs3jpvPAVoBRhQngF6WTga+Roj+Jm86pcU1lk3gNKGvRZuMr fh+gIDv0QZfPk4HLcsKjYdm9LxXczaCnZ6ovlFbFGAdQ8r4yorj4AeznvMawauSX6D i+e6144L5FlmQ== Date: Fri, 18 Feb 2022 17:21:17 -0800 From: Eric Biggers To: Nathan Huckleberry Cc: linux-crypto@vger.kernel.org, Herbert Xu , "David S. Miller" , linux-arm-kernel@lists.infradead.org, Paul Crowley , Sami Tolvanen , Ard Biesheuvel Subject: Re: [RFC PATCH v2 7/7] crypto: arm64/polyval: Add PMULL accelerated implementation of POLYVAL Message-ID: References: <20220210232812.798387-1-nhuck@google.com> <20220210232812.798387-8-nhuck@google.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20220210232812.798387-8-nhuck@google.com> X-Spam-Status: No, score=-7.2 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org A lot of the comments I made on the x86_64 version apply to the arm64 version, but a few more comments below: On Thu, Feb 10, 2022 at 11:28:12PM +0000, Nathan Huckleberry wrote: > Add hardware accelerated version of POLYVAL for ARM64 CPUs with > Crypto Extension support. Nit: It's "Crypto Extensions", not "Crypto Extension". > +config CRYPTO_POLYVAL_ARM64_CE > + tristate "POLYVAL using ARMv8 Crypto Extensions (for HCTR2)" > + depends on KERNEL_MODE_NEON > + select CRYPTO_CRYPTD > + select CRYPTO_HASH > + select CRYPTO_POLYVAL CRYPTO_POLYVAL selects CRYPTO_HASH already, so there's no need to select it here. > /* > * Handle any extra blocks before > * full_stride loop. > */ > .macro partial_stride > eor LO.16b, LO.16b, LO.16b > eor MI.16b, MI.16b, MI.16b > eor HI.16b, HI.16b, HI.16b > add KEY_START, x1, #(NUM_PRECOMPUTE_POWERS << 4) > sub KEY_START, KEY_START, PARTIAL_LEFT, lsl #4 > ld1 {v0.16b}, [KEY_START] > mov v1.16b, SUM.16b > karatsuba1 v0 v1 > karatsuba2 > montgomery_reduction > mov SUM.16b, PH.16b > eor LO.16b, LO.16b, LO.16b > eor MI.16b, MI.16b, MI.16b > eor HI.16b, HI.16b, HI.16b > mov IND, XZR > .LloopPartial: > cmp IND, PARTIAL_LEFT > bge .LloopExitPartial > > sub TMP, IND, PARTIAL_LEFT > > cmp TMP, #-4 > bgt .Lgt4Partial > ld1 {M0.16b, M1.16b, M2.16b, M3.16b}, [x0], #64 > // Clobber key registers > ld1 {KEY8.16b, KEY7.16b, KEY6.16b, KEY5.16b}, [KEY_START], #64 > karatsuba1 M0 KEY8 > karatsuba1 M1 KEY7 > karatsuba1 M2 KEY6 > karatsuba1 M3 KEY5 > add IND, IND, #4 > b .LoutPartial > > .Lgt4Partial: > cmp TMP, #-3 > bgt .Lgt3Partial > ld1 {M0.16b, M1.16b, M2.16b}, [x0], #48 > // Clobber key registers > ld1 {KEY8.16b, KEY7.16b, KEY6.16b}, [KEY_START], #48 > karatsuba1 M0 KEY8 > karatsuba1 M1 KEY7 > karatsuba1 M2 KEY6 > add IND, IND, #3 > b .LoutPartial > > .Lgt3Partial: > cmp TMP, #-2 > bgt .Lgt2Partial > ld1 {M0.16b, M1.16b}, [x0], #32 > // Clobber key registers > ld1 {KEY8.16b, KEY7.16b}, [KEY_START], #32 > karatsuba1 M0 KEY8 > karatsuba1 M1 KEY7 > add IND, IND, #2 > b .LoutPartial > > .Lgt2Partial: > ld1 {M0.16b}, [x0], #16 > // Clobber key registers > ld1 {KEY8.16b}, [KEY_START], #16 > karatsuba1 M0 KEY8 > add IND, IND, #1 > .LoutPartial: > b .LloopPartial > .LloopExitPartial: > karatsuba2 > montgomery_reduction > eor SUM.16b, SUM.16b, PH.16b > .endm This sort of logic for handling different message lengths is necessary, but it's partly why I think that testing different message lengths is so important -- there could be bugs that are specific to particular message lengths. With CONFIG_CRYPTO_MANAGER_EXTRA_TESTS=y, we do get test coverage from the fuzz tests that compare implementations to the corresponding generic implementation. But, it's preferable to not rely on that and have good default test vectors too. It looks like you already do a relatively good job with the message lengths in the polyval test vectors. But it might be worth adding a test vector where the length mod 128 is 112, so that the case where partial_stride processes 7 blocks is tested. Also one where the message length is greater than 128 (or even 256) bytes but isn't a multiple of 128, so that the case where *both* partial_stride and full_stride are executed is tested. - Eric