Date: Tue, 11 Jun 2024 13:18:58 -0700
From: Eric Biggers
To: Herbert Xu
Cc: Ard Biesheuvel, Steffen Klassert, netdev@vger.kernel.org, linux-crypto@vger.kernel.org, fsverity@lists.linux.dev, dm-devel@lists.linux.dev, x86@kernel.org, linux-arm-kernel@lists.infradead.org, Sami Tolvanen, Bart Van Assche, Tim Chen
Subject: Re: [PATCH v4 6/8] fsverity: improve performance by using multibuffer hashing
Message-ID: <20240611201858.GA128642@sol.localdomain>
References: <20240606052801.GA324380@sol.localdomain> <20240610164258.GA3269@sol.localdomain>

On Tue, Jun 11, 2024 at 11:21:43PM +0800, Herbert Xu wrote:
>
> BTW, I found an old Intel paper that claims through their multi-buffer
> strategy they were able to make AES-CBC-XCBC beat AES-GCM.
> I wonder if we could still replicate this today:
>
> https://github.com/intel/intel-ipsec-mb/wiki/doc/fast-multi-buffer-ipsec-implementations-ia-processors-paper.pdf

No, not even close. Even assuming that the lack of parallelizability in AES-CBC and AES-XCBC can be entirely compensated for via multibuffer crypto (which really it can't -- consider single packets, for example), doing AES twice is much more expensive than doing AES and GHASH. GHASH is a universal hash function, and computing a universal hash function is inherently cheaper than computing a cryptographic hash function. But also modern Intel CPUs have very fast carryless multiplication, and it uses a different execution port from what AES uses. So the overhead of AES + GHASH over AES alone is very small. By doing AES twice, you'd be entirely bottlenecked by the ports that can execute the AES instructions, while the other ports go nearly unused. So it would probably be approaching twice as slow as AES-GCM.

Westmere (2010) through Ivy Bridge (2012) are the only Intel CPUs where multibuffer AES-CBC-XCBC could plausibly be faster than AES-GCM (given a sufficiently large number of messages at once), due to the very slow pclmulqdq instruction on those CPUs. This is long since fixed, as pclmulqdq became much faster in Haswell (2013), and faster still in Broadwell. This is exactly what that Intel paper shows; they show AES-GCM becoming fastest in "Gen 4", i.e. Haswell. The paper is from 2012, so of course they don't show anything after that. But AES-GCM has only pulled ahead even more since then.

In theory something like AES-CBC + SHA-256 could be slightly more competitive than AES-CBC + AES-XCBC. But it would still be worse than simply doing AES-GCM -- which again, doesn't need multibuffer, and my recent patches have already fully optimized for recent x86_64 CPUs.

- Eric