All of lore.kernel.org
 help / color / mirror / Atom feed
From: David Laight <david.laight.linux@gmail.com>
To: Thomas Huth <thuth@redhat.com>
Cc: Eric Biggers <ebiggers@kernel.org>,
	linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 04/33] lib/crypto: aes: Add CTR and XCTR support
Date: Tue, 14 Jul 2026 08:58:04 +0100	[thread overview]
Message-ID: <20260714085804.189692f8@pumpkin> (raw)
In-Reply-To: <34db35e3-7d6e-4ce2-bd3c-cbe74b321bc4@redhat.com>

On Tue, 14 Jul 2026 06:53:32 +0200
Thomas Huth <thuth@redhat.com> wrote:

> On 14/07/2026 01.54, Eric Biggers wrote:
> > On Mon, Jul 13, 2026 at 10:39:53AM +0200, Thomas Huth wrote:  
> >>> diff --git a/Documentation/crypto/libcrypto-unauth-encryption.rst b/Documentation/crypto/libcrypto-unauth-encryption.rst
> >>> index fb8106034089..6aca01d715da 100644
> >>> --- a/Documentation/crypto/libcrypto-unauth-encryption.rst
> >>> +++ b/Documentation/crypto/libcrypto-unauth-encryption.rst
> >>> @@ -27,6 +27,13 @@ Support for AES in the CBC and CBC-CTS modes of operation.
> >>>    .. kernel-doc:: include/crypto/aes-cbc.h
> >>> +AES-CTR and AES-XCTR
> >>> +--------------------
> >>> +
> >>> +Support for AES in the CTR and XCTR modes of operation.  
> >>
> >> I guess you already have this on your radar, but just in case: It would be
> >> nice to turn this into a full sentence, too.  
> > 
> > Yes, I'm making all of them full sentences.
> >   
> >>> +/**
> >>> + * aes_ctr() - AES-CTR en/decryption
> >>> + * @dst: The destination buffer.  Can be in-place or out-of-place.  For other
> >>> + *	 overlaps the behavior is unspecified.
> >>> + * @src: The source data
> >>> + * @len: Number of bytes to en/decrypt
> >>> + * @ctr: The counter.  It will be incremented by ceil(@len / AES_BLOCK_SIZE).
> >>> + * @key: The key
> >>> + *
> >>> + * This implements AES in counter mode with a 128-bit big endian counter.
> >>> + *
> >>> + * This supports incremental en/decryption.  The length of each non-final chunk
> >>> + * must be a multiple of AES_BLOCK_SIZE, and the updated @ctr must be passed in
> >>> + * each time.  
> >>
> >> Maybe add some wording that ctr ideally should not be 0 for the first call,
> >> i.e. a "nonce" value?  
> > 
> > It depends on the usage.  If a distinct key is used for each message for
> > example, always starting at 0 is perfectly fine.
> > 
> > I'm not sure how far we should go to document the proper use of each
> > algorithm.  Really the AES-CTR support is just for internal use by
> > AES-GCM and AES-CCM, and a few odd users that implement specific other
> > protocols that need AES-CTR.  It's not intended to be a place to go to
> > receive an introduction to CTR mode.
> >   
> >>> +static __always_inline void inc_be128_ctr(u8 ctr[AES_BLOCK_SIZE])
> >>> +{
> >>> +	/* Casts to u8 are needed because of the implicit integer promotion. */
> >>> +	if (((u8)++ctr[AES_BLOCK_SIZE - 1]) != 0)
> >>> +		return;  
> >>
> >> Why do you handle the first value separately here? The code could be
> >> simplified to start with "int i = AES_BLOCK_SIZE -1" in the for-loop
> >> instead?  
> > 
> > Just a trick to optimize performance by unrolling the first iteration,
> > since 255 times out of 256 the first iteration is enough.  
> Ok, but then maybe add a comment here. Otherwise people will wonder why it 
> has been done like this when reading the code later.
> 
> FWIW, I doubt that this really makes a big difference here. Looking at a 
> function that contains your code, the disassembly currently looks like this 
> (with -O2):
> 
> 0000000000000000 <inc_be128_ctr>:
>     0:   80 47 0f 01             addb   $0x1,0xf(%rdi)
>     4:   48 8d 57 0e             lea    0xe(%rdi),%rdx
Those two run in the same clock.
>     8:   74 0a                   je     14 <inc_be128_ctr+0x14>
Depends on the 'addb', hopefully/likely predicted non-taken.
>     a:   c3                      ret
Predicted taken using the RSB.
Execution continues speculatively after the call even before the memory read
for 0xf(%rdi) has completed.
>     b:   0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
>    10:   48 83 ea 01             sub    $0x1,%rdx
>    14:   80 02 01                addb   $0x1,(%rdx)
>    17:   75 05                   jne    1e <inc_be128_ctr+0x1e>
>    19:   48 39 d7                cmp    %rdx,%rdi
>    1c:   75 f2                   jne    10 <inc_be128_ctr+0x10>
>    1e:   c3                      ret
> 
> So that's 3 assembly instructions 'til you reach the "ret".
> 
> When you drop the optimization, it looks like this:
> 
> 0000000000000000 <inc_be128_ctr>:
>     0:   48 8d 57 0f             lea    0xf(%rdi),%rdx
>     4:   eb 0e                   jmp    14 <inc_be128_ctr+0x14>
>     6:   66 2e 0f 1f 84 00 00    cs nopw 0x0(%rax,%rax,1)
>     d:   00 00 00
>    10:   48 83 ea 01             sub    $0x1,%rdx
>    14:   80 02 01                addb   $0x1,(%rdx)
That depends on the 'sub'
>    17:   75 05                   jne    1e <inc_be128_ctr+0x1e>
That is likely predicted not taken - so you get a misprediction penalty
>    19:   48 39 d7                cmp    %rdx,%rdi
>    1c:   75 f2                   jne    10 <inc_be128_ctr+0x10>
>    1e:   c3                      ret
> 
> That's 4 assembly instructions 'til you reach the "ret". Not such a big 
> difference...?

There is an extra 'jmp' - that will cost in the fetch-decode part.
The alignment pad (not there in the kernel) might also force another
i-cache line be accessed.
The first conditional branch is mispredicted - say 20 clocks. 

In any case the instruction count doesn't really matter.
What matters is the length of the register dependency chain and how
the branches get predicted.
I've gone back and annotated the asm.

> 
> And with -O3, both variants end up with the same code.

No one sane would compile the kernel (or much else) with -O3.
It bloats things too much.
gcc isn't that good at optimising loops for modern cpu. 

-- David

> 
>   Thomas
> 
> 


  reply	other threads:[~2026-07-14  7:58 UTC|newest]

Thread overview: 56+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-07  5:34 [PATCH 00/33] Library APIs for AES encryption modes Eric Biggers
2026-07-07  5:34 ` [PATCH 01/33] crypto: xts - Split out __xts_verify_key() helper Eric Biggers
2026-07-07 13:20   ` Thomas Huth
2026-07-07  5:34 ` [PATCH 02/33] lib/crypto: aes: Add ECB support Eric Biggers
2026-07-07 13:59   ` Thomas Huth
2026-07-07 19:22     ` Eric Biggers
2026-07-08  5:29       ` Thomas Huth
2026-07-07  5:34 ` [PATCH 03/33] lib/crypto: aes: Add CBC and CBC-CTS support Eric Biggers
2026-07-09 13:06   ` Thomas Huth
2026-07-13 23:37     ` Eric Biggers
2026-07-14  8:02   ` David Laight
2026-07-07  5:34 ` [PATCH 04/33] lib/crypto: aes: Add CTR and XCTR support Eric Biggers
2026-07-13  8:39   ` Thomas Huth
2026-07-13 23:54     ` Eric Biggers
2026-07-14  4:53       ` Thomas Huth
2026-07-14  7:58         ` David Laight [this message]
2026-07-07  5:34 ` [PATCH 05/33] lib/crypto: aes: Add XTS support Eric Biggers
2026-07-13 12:15   ` Thomas Huth
2026-07-14  0:23     ` Eric Biggers
2026-07-07  5:34 ` [PATCH 06/33] lib/crypto: aes: Add GCM support Eric Biggers
2026-07-07  5:34 ` [PATCH 07/33] lib/crypto: aes: Add CCM support Eric Biggers
2026-07-07  5:34 ` [PATCH 08/33] crypto: aes - Add ECB support using library Eric Biggers
2026-07-07  5:34 ` [PATCH 09/33] crypto: aes - Add CBC and CBC-CTS " Eric Biggers
2026-07-07  5:34 ` [PATCH 10/33] crypto: aes - Add CTR and XCTR " Eric Biggers
2026-07-07  5:34 ` [PATCH 11/33] crypto: aes - Add XTS " Eric Biggers
2026-07-07  5:34 ` [PATCH 12/33] crypto: aes - Add GCM " Eric Biggers
2026-07-07  5:34 ` [PATCH 13/33] crypto: aes - Add CCM " Eric Biggers
2026-07-07  5:34 ` [PATCH 14/33] x86/sev: Use new AES-GCM library Eric Biggers
2026-07-07  5:34 ` [PATCH 15/33] lib/crypto: aesgcm: Remove old " Eric Biggers
2026-07-07  5:34 ` [PATCH 16/33] crypto: aes - Remove AES-CBC-MAC support Eric Biggers
2026-07-07  5:34 ` [PATCH 17/33] lib/crypto: aes: Remove aes_cbcmac_* functions Eric Biggers
2026-07-07  5:34 ` [PATCH 18/33] fscrypt: Use aes_ecb_encrypt() for v1 key derivation Eric Biggers
2026-07-07  5:34 ` [PATCH 19/33] KEYS: encrypted: Use AES-CBC library instead of crypto_skcipher Eric Biggers
2026-07-07  5:34 ` [PATCH 20/33] KEYS: trusted: dcp: Use AES-GCM library instead of crypto_aead Eric Biggers
2026-07-07  5:34 ` [PATCH 21/33] libceph: Use AES-CBC library in ceph_aes_crypt() Eric Biggers
2026-07-07  5:34 ` [PATCH 22/33] libceph: Reimplement messenger v2 encryption using AES-GCM library Eric Biggers
2026-07-07  5:34 ` [PATCH 23/33] wifi: mac80211: Use AES-CTR library in fils_aead.c Eric Biggers
2026-07-07  5:34 ` [PATCH 24/33] wifi: mac80211: Use AES-GCM library for GMAC suite Eric Biggers
2026-07-07  5:34 ` [PATCH 25/33] wifi: mac80211: Use crypto libraries for GCMP and CCMP suites Eric Biggers
2026-07-07  5:34 ` [PATCH 26/33] macsec: Use AES-GCM library instead of crypto_aead Eric Biggers
2026-07-07  5:34 ` [PATCH 27/33] wifi: ipw2x00: Use AES-CCM library Eric Biggers
2026-07-07  5:34 ` [PATCH 28/33] mac802154: Use AES-CCM and AES-CTR libraries Eric Biggers
2026-07-07  5:34 ` [PATCH 29/33] bpf: crypto: Use AES-CBC and AES-ECB libraries Eric Biggers
2026-07-07 15:01   ` Vadim Fedorenko
2026-07-07 18:20     ` Eric Biggers
2026-07-07 22:50       ` Vadim Fedorenko
2026-07-07 23:16         ` Eric Biggers
2026-07-08 11:47           ` Vadim Fedorenko
2026-07-09 15:47             ` Eric Biggers
2026-07-09 16:46               ` Vadim Fedorenko
2026-07-07  5:35 ` [PATCH 30/33] bpf: crypto: Add AES-GCM support Eric Biggers
2026-07-07 15:02   ` Vadim Fedorenko
2026-07-07  5:35 ` [PATCH 31/33] smb: client: Use AES-GCM and AES-CCM libraries Eric Biggers
2026-07-07  5:35 ` [PATCH 32/33] ksmbd: " Eric Biggers
2026-07-07 10:51   ` Namjae Jeon
2026-07-07  5:35 ` [PATCH 33/33] net: tipc: Use AES-GCM library instead of crypto_aead Eric Biggers

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20260714085804.189692f8@pumpkin \
    --to=david.laight.linux@gmail.com \
    --cc=ebiggers@kernel.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=thuth@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.