From: Heiko Stübner
To: Nathan Huckleberry
Cc: palmer@dabbelt.com, paul.walmsley@sifive.com, aou@eecs.berkeley.edu,
    herbert@gondor.apana.org.au, davem@davemloft.net,
    conor.dooley@microchip.com, linux-riscv@lists.infradead.org,
    linux-kernel@vger.kernel.org, linux-crypto@vger.kernel.org,
    christoph.muellner@vrull.eu
Subject: Re: [PATCH v4 4/4] RISC-V: crypto: add accelerated GCM GHASH implementation
Date: Thu, 11 May 2023 12:30:41 +0200
Message-ID: <3540048.LM0AJKV5NW@diego>
References: <20230329140642.2186644-1-heiko.stuebner@vrull.eu>
 <20230329140642.2186644-5-heiko.stuebner@vrull.eu>
X-Mailing-List: linux-crypto@vger.kernel.org

Hi Nathan,

On Tuesday, 11 April 2023 at 17:00:00 CEST, Nathan Huckleberry wrote:
> On Wed, Mar 29, 2023 at 7:08 AM Heiko Stuebner wrote:
> > +struct riscv64_ghash_ctx {
> > +	void (*ghash_func)(u64 Xi[2], const u128 Htable[16],
> > +			   const u8 *inp, size_t len);
> > +
> > +	/* key used by vector asm */
> > +	u128 htable[16];
>
> This field looks too big. The assembly only loads the first 128-byte
> value from this table.

OpenSSL defines the Htable argument handed to the init function and the
others as exactly this "u128 Htable[16]" [0]. As I really like the
concept of keeping in sync with OpenSSL, I guess I'd rather not change
that.

[0] https://github.com/openssl/openssl/blob/master/crypto/modes/gcm128.c#L88

> Is this copied from another implementation? There's an optimization
> where you precompute the first N powers of H so that you can perform 1
> finite field reduction for every N multiplications, but it doesn't
> look like that's being used here.

The whole crypto-specific code comes from OpenSSL itself, so for now
I guess I'd like to try keeping things the same.
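Just to be sure I understand the optimization you describe, it would be
something like the sketch below, right? Completely untested illustration
only; clmul_128(), gf128_reduce(), ghash_4_blocks() and Hpow are made-up
names, not functions from this patch or from OpenSSL.

	/*
	 * Sketch of the "N powers of H" batching for N = 4.
	 * clmul_128() is a hypothetical 128x128->256-bit carryless
	 * multiply; gf128_reduce() is a hypothetical single reduction
	 * modulo the GHASH polynomial x^128 + x^7 + x^2 + x + 1.
	 */
	struct u256 { u64 w[4]; };

	extern struct u256 clmul_128(const u64 a[2], const u64 b[2]);
	extern void gf128_reduce(u64 out[2], const struct u256 *in);

	/* Hpow[i] would hold H^(i+1), precomputed at setkey time */
	static void ghash_4_blocks(u64 Xi[2], const u64 Hpow[4][2],
				   const u8 *inp)
	{
		struct u256 acc, tmp;
		u64 x[2];
		int i, j;

		/* the oldest block gets the highest power of H:
		 * Y' = (Y ^ X0)*H^4 ^ X1*H^3 ^ X2*H^2 ^ X3*H */
		x[0] = Xi[0] ^ get_unaligned_be64(inp);
		x[1] = Xi[1] ^ get_unaligned_be64(inp + 8);
		acc = clmul_128(x, Hpow[3]);

		for (i = 1; i < 4; i++) {
			x[0] = get_unaligned_be64(inp + 16 * i);
			x[1] = get_unaligned_be64(inp + 16 * i + 8);
			tmp = clmul_128(x, Hpow[3 - i]);
			/* XOR-accumulate the 256-bit products,
			 * deferring the reduction */
			for (j = 0; j < 4; j++)
				acc.w[j] ^= tmp.w[j];
		}

		/* one reduction for all four multiplications */
		gf128_reduce(Xi, &acc);
	}

But as said above, I'd rather keep the code in sync with OpenSSL, so
such a change would need to happen on their side first.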
> > +#define RISCV64_ZBC_SETKEY(VARIANT, GHASH)				\
> > +void gcm_init_rv64i_ ## VARIANT(u128 Htable[16], const u64 Xi[2]);	\
> > +static int riscv64_zbc_ghash_setkey_ ## VARIANT(struct crypto_shash *tfm, \
> > +						 const u8 *key,		\
> > +						 unsigned int keylen)	\
> > +{									\
> > +	struct riscv64_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(tfm)); \
> > +	const u64 k[2] = { cpu_to_be64(((const u64 *)key)[0]),		\
> > +			   cpu_to_be64(((const u64 *)key)[1]) };	\
> > +									\
> > +	if (keylen != GHASH_BLOCK_SIZE)					\
> > +		return -EINVAL;						\
> > +									\
> > +	memcpy(&ctx->key, key, GHASH_BLOCK_SIZE);			\
> > +	gcm_init_rv64i_ ## VARIANT(ctx->htable, k);			\
> > +									\
> > +	ctx->ghash_func = gcm_ghash_rv64i_ ## GHASH;			\
> > +									\
> > +	return 0;							\
> > +}
>
> I'd prefer three identical functions over a macro here. Code searching
> tools and compiler warnings are significantly worse with macros.

done :-)
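For reference, spelled out without the macro, each of the three variants
should end up looking roughly like this (shown for the plain Zbc
variant, with the names the macro above would have produced):

	void gcm_init_rv64i_zbc(u128 Htable[16], const u64 Xi[2]);

	static int riscv64_zbc_ghash_setkey_zbc(struct crypto_shash *tfm,
						const u8 *key,
						unsigned int keylen)
	{
		struct riscv64_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(tfm));
		const u64 k[2] = { cpu_to_be64(((const u64 *)key)[0]),
				   cpu_to_be64(((const u64 *)key)[1]) };

		if (keylen != GHASH_BLOCK_SIZE)
			return -EINVAL;

		memcpy(&ctx->key, key, GHASH_BLOCK_SIZE);
		gcm_init_rv64i_zbc(ctx->htable, k);

		ctx->ghash_func = gcm_ghash_rv64i_zbc;

		return 0;
	}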
> > +
> > +static int riscv64_zbc_ghash_update(struct shash_desc *desc,
> > +				    const u8 *src, unsigned int srclen)
> > +{
> > +	unsigned int len;
> > +	struct riscv64_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(desc->tfm));
> > +	struct riscv64_ghash_desc_ctx *dctx = shash_desc_ctx(desc);
> > +
> > +	if (dctx->bytes) {
> > +		if (dctx->bytes + srclen < GHASH_DIGEST_SIZE) {
> > +			memcpy(dctx->buffer + dctx->bytes, src,
> > +			       srclen);
> > +			dctx->bytes += srclen;
> > +			return 0;
> > +		}
> > +		memcpy(dctx->buffer + dctx->bytes, src,
> > +		       GHASH_DIGEST_SIZE - dctx->bytes);
> > +
> > +		ctx->ghash_func(dctx->shash, ctx->htable,
> > +				dctx->buffer, GHASH_DIGEST_SIZE);
> > +
> > +		src += GHASH_DIGEST_SIZE - dctx->bytes;
> > +		srclen -= GHASH_DIGEST_SIZE - dctx->bytes;
> > +		dctx->bytes = 0;
> > +	}
> > +	len = srclen & ~(GHASH_DIGEST_SIZE - 1);
> > +
> > +	if (len) {
> > +		gcm_ghash_rv64i_zbc(dctx->shash, ctx->htable,
> > +				    src, len);
> > +		src += len;
> > +		srclen -= len;
> > +	}
> > +
> > +	if (srclen) {
> > +		memcpy(dctx->buffer, src, srclen);
> > +		dctx->bytes = srclen;
> > +	}
> > +	return 0;
> > +}
> > +
> > +static int riscv64_zbc_ghash_final(struct shash_desc *desc, u8 *out)
> > +{
> > +	int i;
> > +	struct riscv64_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(desc->tfm));
> > +	struct riscv64_ghash_desc_ctx *dctx = shash_desc_ctx(desc);
> > +
> > +	if (dctx->bytes) {
> > +		for (i = dctx->bytes; i < GHASH_DIGEST_SIZE; i++)
> > +			dctx->buffer[i] = 0;
> > +		ctx->ghash_func(dctx->shash, ctx->htable,
> > +				dctx->buffer, GHASH_DIGEST_SIZE);
>
> Can we do this without an indirect call?

hmm, the indirect call is in both riscv64_zbc_ghash_update() and
riscv64_zbc_ghash_final(). And I found a spot where it is missing at
the bottom of riscv64_zbc_ghash_update(), where gcm_ghash_rv64i_zbc()
is called directly right now.

Getting rid of the indirect call would mean duplicating both of these
functions for all instances. Especially with the slightly higher
complexity of the update function, that doesn't seem like the best way
to go.
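If avoiding the indirect call does turn out to be worth it, the least
ugly variant I can think of is the usual __always_inline trick: move
the shared logic into a helper that gets instantiated once per variant,
so ghash_func becomes a compile-time constant and every call ends up
direct. Untested sketch below; ghash_update_common() and the wrapper
name are made up, the body is the buffering logic from the patch (which
would also fix the direct gcm_ghash_rv64i_zbc() call mentioned above):

	static __always_inline int ghash_update_common(struct shash_desc *desc,
			const u8 *src, unsigned int srclen,
			void (*ghash_func)(u64 Xi[2], const u128 Htable[16],
					   const u8 *inp, size_t len))
	{
		struct riscv64_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(desc->tfm));
		struct riscv64_ghash_desc_ctx *dctx = shash_desc_ctx(desc);
		unsigned int len;

		if (dctx->bytes) {
			if (dctx->bytes + srclen < GHASH_DIGEST_SIZE) {
				memcpy(dctx->buffer + dctx->bytes, src, srclen);
				dctx->bytes += srclen;
				return 0;
			}
			memcpy(dctx->buffer + dctx->bytes, src,
			       GHASH_DIGEST_SIZE - dctx->bytes);
			ghash_func(dctx->shash, ctx->htable,
				   dctx->buffer, GHASH_DIGEST_SIZE);
			src += GHASH_DIGEST_SIZE - dctx->bytes;
			srclen -= GHASH_DIGEST_SIZE - dctx->bytes;
			dctx->bytes = 0;
		}

		len = srclen & ~(GHASH_DIGEST_SIZE - 1);
		if (len) {
			/* now consistently through ghash_func as well */
			ghash_func(dctx->shash, ctx->htable, src, len);
			src += len;
			srclen -= len;
		}

		if (srclen) {
			memcpy(dctx->buffer, src, srclen);
			dctx->bytes = srclen;
		}
		return 0;
	}

	static int riscv64_zbc_ghash_update_zbc(struct shash_desc *desc,
						const u8 *src,
						unsigned int srclen)
	{
		/* ghash_func is constant here, so after inlining
		 * the call is direct */
		return ghash_update_common(desc, src, srclen,
					   gcm_ghash_rv64i_zbc);
	}

Thanks for your pointers
Heiko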