On Tue, Jan 11, 2022 at 11:05 PM Jason A. Donenfeld <[email protected]> wrote:
> Geert emailed me this afternoon concerned about blake2s codesize on m68k
> and other small systems. We identified two effective ways of chopping
> down the size. One of them moves some wireguard-specific things into
> wireguard proper. The other one adds a slower codepath for small
> machines to blake2s. This worked, and was v1 of this patchset, but I
> wasn't so much of a fan. Then someone pointed out that the generic C
> SHA-1 implementation is still unrolled, which is a *lot* of extra code.
> Simply rerolling that saves about as much as v1 did. So, we instead do
> that in this patchset. SHA-1 is being phased out, and soon it won't
> be included at all (hopefully). And nothing performance-oriented has
> anything to do with it anyway.
> The result of these two patches mitigates Geert's feared code size
> increase for 5.17.
> v3 improves on v2 by making the re-rolling of SHA-1 much simpler,
> resulting in even larger code size reduction and much better
> performance. The reason I'm sending yet a third version in such a short
> amount of time is because the trick here feels obvious and substantial
> enough that I'd hate for Geert to waste time measuring the impact of the
> previous commit.
> Jason A. Donenfeld (2):
> lib/crypto: blake2s: move hmac construction into wireguard
> lib/crypto: sha1: re-roll loops to reduce code size
Thanks for the series!
add/remove: 1/4 grow/shrink: 0/1 up/down: 4/-4232 (-4228)
Function old new delta
__ksymtab_blake2s256_hmac 12 - -12
blake2s_init.constprop 94 - -94
blake2s256_hmac 302 - -302
sha1_transform 4402 582 -3820
Total: Before=4230537, After=4226309, chg -0.10%
Tested-by: Geert Uytterhoeven <[email protected]>
Geert Uytterhoeven -- There's lots of Linux beyond ia32 -- [email protected]
In personal conversations with technical people, I call myself a hacker. But
when I'm talking to journalists I just say "programmer" or something like that.
-- Linus Torvalds
On Wed, Jan 12, 2022 at 12:00 PM Geert Uytterhoeven
<[email protected]> wrote:
> Thanks for the series!
> On m68k:
> add/remove: 1/4 grow/shrink: 0/1 up/down: 4/-4232 (-4228)
> Function old new delta
> __ksymtab_blake2s256_hmac 12 - -12
> blake2s_init.constprop 94 - -94
> blake2s256_hmac 302 - -302
> sha1_transform 4402 582 -3820
> Total: Before=4230537, After=4226309, chg -0.10%
> Tested-by: Geert Uytterhoeven <[email protected]>
Excellent, thanks for the breakdown. So this shaves off ~4k, which was
about what we were shooting for here, so I think indeed this series
accomplishes its goal of counteracting the addition of BLAKE2s.
Hopefully Herbert will apply this series for 5.17.
Jason A. Donenfeld <[email protected]> wrote:
> Excellent, thanks for the breakdown. So this shaves off ~4k, which was
> about what we were shooting for here, so I think indeed this series
> accomplishes its goal of counteracting the addition of BLAKE2s.
> Hopefully Herbert will apply this series for 5.17.
As the patches that triggered this weren't part of the crypto
tree, this will have to go through the random tree if you want
them for 5.17.
Otherwise if you're happy to wait then I can pull them through
Email: Herbert Xu <[email protected]>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt