* [PATCH] lib/int_sqrt.c: optimize for small argument values @ 2017-10-19 20:31 Michael Davidson 2017-10-19 20:42 ` Kees Cook 2017-10-20 6:13 ` Joe Perches 0 siblings, 2 replies; 7+ messages in thread From: Michael Davidson @ 2017-10-19 20:31 UTC (permalink / raw) To: Andrew Morton, Ingo Molnar, David Miller, Matthew Wilcox, Kees Cook Cc: linux-kernel, Michael Davidson int_sqrt() currently takes approximately constant time regardless of the value of the argument. By using the magnitude of the operand to set the initial conditions for the calculation the cost becomes proportional to log2 of the argument with the worst case behavior not being measurably slower than it currently is. Signed-off-by: Michael Davidson <md@google.com> --- lib/int_sqrt.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/int_sqrt.c b/lib/int_sqrt.c index 1ef4cc344977..8394b0dcecd4 100644 --- a/lib/int_sqrt.c +++ b/lib/int_sqrt.c @@ -21,7 +21,7 @@ unsigned long int_sqrt(unsigned long x) if (x <= 1) return x; - m = 1UL << (BITS_PER_LONG - 2); + m = 1UL << (__fls(x) & ~1UL); while (m != 0) { b = y + m; y >>= 1; -- 2.15.0.rc1.287.g2b38de12cc-goog ^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH] lib/int_sqrt.c: optimize for small argument values 2017-10-19 20:31 [PATCH] lib/int_sqrt.c: optimize for small argument values Michael Davidson @ 2017-10-19 20:42 ` Kees Cook 2017-10-19 20:56 ` Jason A. Donenfeld 2017-10-20 6:13 ` Joe Perches 1 sibling, 1 reply; 7+ messages in thread From: Kees Cook @ 2017-10-19 20:42 UTC (permalink / raw) To: Michael Davidson Cc: Andrew Morton, Ingo Molnar, David Miller, Matthew Wilcox, LKML, Jason A. Donenfeld On Thu, Oct 19, 2017 at 1:31 PM, Michael Davidson <md@google.com> wrote: > int_sqrt() currently takes approximately constant time > regardless of the value of the argument. By using the > magnitude of the operand to set the initial conditions > for the calculation the cost becomes proportional to > log2 of the argument with the worst case behavior not > being measurably slower than it currently is. Maybe a stupid question, but is this function ultimately used by any crypto that expects it to be constant-time for safety? Also, is there a specific workload that is meaningfully sped up by this change? -Kees > > Signed-off-by: Michael Davidson <md@google.com> > --- > lib/int_sqrt.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/lib/int_sqrt.c b/lib/int_sqrt.c > index 1ef4cc344977..8394b0dcecd4 100644 > --- a/lib/int_sqrt.c > +++ b/lib/int_sqrt.c > @@ -21,7 +21,7 @@ unsigned long int_sqrt(unsigned long x) > if (x <= 1) > return x; > > - m = 1UL << (BITS_PER_LONG - 2); > + m = 1UL << (__fls(x) & ~1UL); > while (m != 0) { > b = y + m; > y >>= 1; > -- > 2.15.0.rc1.287.g2b38de12cc-goog > -- Kees Cook Pixel Security ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] lib/int_sqrt.c: optimize for small argument values 2017-10-19 20:42 ` Kees Cook @ 2017-10-19 20:56 ` Jason A. Donenfeld 2017-10-19 21:04 ` Kees Cook 0 siblings, 1 reply; 7+ messages in thread From: Jason A. Donenfeld @ 2017-10-19 20:56 UTC (permalink / raw) To: Kees Cook Cc: Michael Davidson, Andrew Morton, Ingo Molnar, David Miller, Matthew Wilcox, LKML On Thu, Oct 19, 2017 at 10:42 PM, Kees Cook <keescook@chromium.org> wrote: > Maybe a stupid question, but is this function ultimately used by any > crypto that expects it to be constant-time for safety? Indeed constant time functions for crypto are important. But in this case, it's unlikely this function would ever be used for real crypto, which usually works over "bigints" -- integers that are much wider than a single unsigned long. The algorithm here is just for a single int. (By the way, if you're into fast integer arithmetic, check cut this amazing Quake-era inverse squareroot algorithm: https://en.wikipedia.org/wiki/Fast_inverse_square_root ) I haven't analyzed all the other call sites for side channel potentials, but a quick cursory look indicates it's pretty boring and likely uneventful. One use of int_sqrt that caught my eye was lib/prime_numbers.c, which itself exposes two functions -- is_prime_number, which is unused, and next_prime_number, which is only used by some selftests in the i915 drm stuff, but not any actual real kernel code. Talk about bloat. ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] lib/int_sqrt.c: optimize for small argument values 2017-10-19 20:56 ` Jason A. Donenfeld @ 2017-10-19 21:04 ` Kees Cook 0 siblings, 0 replies; 7+ messages in thread From: Kees Cook @ 2017-10-19 21:04 UTC (permalink / raw) To: Jason A. Donenfeld Cc: Michael Davidson, Andrew Morton, Ingo Molnar, David Miller, Matthew Wilcox, LKML On Thu, Oct 19, 2017 at 1:56 PM, Jason A. Donenfeld <Jason@zx2c4.com> wrote: > On Thu, Oct 19, 2017 at 10:42 PM, Kees Cook <keescook@chromium.org> wrote: >> Maybe a stupid question, but is this function ultimately used by any >> crypto that expects it to be constant-time for safety? > > Indeed constant time functions for crypto are important. But in this > case, it's unlikely this function would ever be used for real crypto, > which usually works over "bigints" -- integers that are much wider > than a single unsigned long. The algorithm here is just for a single > int. (By the way, if you're into fast integer arithmetic, check cut > this amazing Quake-era inverse squareroot algorithm: > https://en.wikipedia.org/wiki/Fast_inverse_square_root ) Oh nice; that's a fun read. :) (And on a related note, hey everyone, go donate to Wikipedia!) > I haven't analyzed all the other call sites for side channel > potentials, but a quick cursory look indicates it's pretty boring and > likely uneventful. Okay, that was my quick assessment too. FWIW: Acked-by: Kees Cook <keescook@chromium.org> > One use of int_sqrt that caught my eye was lib/prime_numbers.c, which > itself exposes two functions -- is_prime_number, which is unused, and > next_prime_number, which is only used by some selftests in the i915 > drm stuff, but not any actual real kernel code. Talk about bloat. Heh. -Kees -- Kees Cook Pixel Security ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] lib/int_sqrt.c: optimize for small argument values 2017-10-19 20:31 [PATCH] lib/int_sqrt.c: optimize for small argument values Michael Davidson 2017-10-19 20:42 ` Kees Cook @ 2017-10-20 6:13 ` Joe Perches 2017-10-20 14:18 ` Kees Cook 1 sibling, 1 reply; 7+ messages in thread From: Joe Perches @ 2017-10-20 6:13 UTC (permalink / raw) To: Michael Davidson, Andrew Morton, Ingo Molnar, David Miller, Matthew Wilcox, Kees Cook Cc: linux-kernel On Thu, 2017-10-19 at 13:31 -0700, Michael Davidson wrote: > int_sqrt() currently takes approximately constant time > regardless of the value of the argument. By using the > magnitude of the operand to set the initial conditions > for the calculation the cost becomes proportional to > log2 of the argument with the worst case behavior not > being measurably slower than it currently is. https://lkml.org/lkml/2017/7/24/408 ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] lib/int_sqrt.c: optimize for small argument values 2017-10-20 6:13 ` Joe Perches @ 2017-10-20 14:18 ` Kees Cook 2017-10-20 16:22 ` Peter Zijlstra 0 siblings, 1 reply; 7+ messages in thread From: Kees Cook @ 2017-10-20 14:18 UTC (permalink / raw) To: Joe Perches, Peter Zijlstra Cc: Michael Davidson, Andrew Morton, Ingo Molnar, David Miller, Matthew Wilcox, LKML On Thu, Oct 19, 2017 at 11:13 PM, Joe Perches <joe@perches.com> wrote: > On Thu, 2017-10-19 at 13:31 -0700, Michael Davidson wrote: >> int_sqrt() currently takes approximately constant time >> regardless of the value of the argument. By using the >> magnitude of the operand to set the initial conditions >> for the calculation the cost becomes proportional to >> log2 of the argument with the worst case behavior not >> being measurably slower than it currently is. > > https://lkml.org/lkml/2017/7/24/408 Ah! Cool. I don't see this version queued up for -next. Where does Peter's version stand? -Kees -- Kees Cook Pixel Security ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] lib/int_sqrt.c: optimize for small argument values 2017-10-20 14:18 ` Kees Cook @ 2017-10-20 16:22 ` Peter Zijlstra 0 siblings, 0 replies; 7+ messages in thread From: Peter Zijlstra @ 2017-10-20 16:22 UTC (permalink / raw) To: Kees Cook Cc: Joe Perches, Michael Davidson, Andrew Morton, Ingo Molnar, David Miller, Matthew Wilcox, LKML On Fri, Oct 20, 2017 at 07:18:51AM -0700, Kees Cook wrote: > On Thu, Oct 19, 2017 at 11:13 PM, Joe Perches <joe@perches.com> wrote: > > On Thu, 2017-10-19 at 13:31 -0700, Michael Davidson wrote: > >> int_sqrt() currently takes approximately constant time > >> regardless of the value of the argument. By using the > >> magnitude of the operand to set the initial conditions > >> for the calculation the cost becomes proportional to > >> log2 of the argument with the worst case behavior not > >> being measurably slower than it currently is. > > > > https://lkml.org/lkml/2017/7/24/408 > > Ah! Cool. I don't see this version queued up for -next. Where does > Peter's version stand? Oh, crud, forgot all about it. I'd have to double check I addressed the concerns Linus had with my Changelogs, but other than that he seemed to be OK. ^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2017-10-20 16:22 UTC | newest] Thread overview: 7+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2017-10-19 20:31 [PATCH] lib/int_sqrt.c: optimize for small argument values Michael Davidson 2017-10-19 20:42 ` Kees Cook 2017-10-19 20:56 ` Jason A. Donenfeld 2017-10-19 21:04 ` Kees Cook 2017-10-20 6:13 ` Joe Perches 2017-10-20 14:18 ` Kees Cook 2017-10-20 16:22 ` Peter Zijlstra
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.