From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from bombadil.infradead.org (bombadil.infradead.org [198.137.202.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 858A0C4345F for ; Fri, 19 Apr 2024 16:30:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:In-Reply-To:MIME-Version:References: Message-ID:Subject:Cc:To:From:Date:Reply-To:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=ZBVmVVJ2ByV+sJp6HbRQuhRpDghvjzMImv6faB/u1AY=; b=o4STfoynIBeSbT 6YfTfPSbUWPHAMRCmxIP0G0TB7LiWgnsWJtPiGTCuR7RJdrI1ffqHfV21PTcFMzwLSyRCKB8tMR80 f6qovbECe4WrXngkq3JqORidpwpDKTng0x5KZTjd/NastC56i1WwHPM5K72/uKomA5I+a17XGtHBn QnT5WPIikiByMrYarGsuW3ZLzHu+pDPgQeFnvS6IITNsYgyYE3bTOcSVON1SrsUKODU/c12/0E3MU UKhmaqJDwZtziE6NADNAnNo/Q4k6PRIneB2tX4CwXphNeToVyO8FaO9aTUyEMh1+k6YW18n4+yPC3 b3Ot50O6T6uDsbPz8kZg==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.97.1 #2 (Red Hat Linux)) id 1rxr7u-00000006MVo-1pvr; Fri, 19 Apr 2024 16:30:14 +0000 Received: from dfw.source.kernel.org ([2604:1380:4641:c500::1]) by bombadil.infradead.org with esmtps (Exim 4.97.1 #2 (Red Hat Linux)) id 1rxr7r-00000006MVI-30N6 for linux-arm-kernel@lists.infradead.org; Fri, 19 Apr 2024 16:30:13 +0000 Received: from smtp.kernel.org (transwarp.subspace.kernel.org [100.75.92.58]) by dfw.source.kernel.org (Postfix) with ESMTP id 1321B61A39; Fri, 19 Apr 2024 16:30:10 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6E3DCC072AA; Fri, 19 Apr 2024 16:30:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1713544209; bh=v5MMF4sIsyKZ3N8RRXo2tf2gqlanICtP5fvLTXeqLFg=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=B+i8an4+RHBaHIfqfGD8ealLtIAsz6St26O1nZM3C8ms4MqGT5QMufqZdXCVNumX9 TjJBPmZH2LgZU+ZDfkzMqqHNQ35hh/tfesz8qOSRVuMSPxG/TkHCwIbxJCHASIAvfe GqNpT8lFABWEIYat9LLuNF5jzLh5qtX+Rqs/zzLR4uBY/wBn0eO64l66wPcjknD5Tv fEOv96Uhh3vwI934AiyI1H2I2Rz3pMcSOrv3AQwH7O/f+x6rFSWEVJYXzs1BbfCm3T QB5Scu0tT2RCexliBsMnvcpxpyGI3IgYT64jZJkHwGdFIrg8sesOHDfy22tRYBwRsy EZnodEk1p9FlA== Date: Fri, 19 Apr 2024 09:30:07 -0700 From: Eric Biggers To: Herbert Xu Cc: linux-crypto@vger.kernel.org, fsverity@lists.linux.dev, dm-devel@lists.linux.dev, x86@kernel.org, linux-arm-kernel@lists.infradead.org, ardb@kernel.org, samitolvanen@google.com, bvanassche@acm.org Subject: Re: [RFC PATCH 1/8] crypto: shash - add support for finup2x Message-ID: <20240419163007.GA1131@sol.localdomain> References: <20240415213719.120673-2-ebiggers@kernel.org> MIME-Version: 1.0 Content-Disposition: inline In-Reply-To: X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20240419_093011_904991_8FDC7BE4 X-CRM114-Status: GOOD ( 18.98 ) X-BeenThere: linux-arm-kernel@lists.infradead.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Sender: "linux-arm-kernel" Errors-To: linux-arm-kernel-bounces+linux-arm-kernel=archiver.kernel.org@lists.infradead.org On Fri, Apr 19, 2024 at 06:35:01PM +0800, Herbert Xu wrote: > Eric Biggers wrote: > > > > The new API is part of the "shash" algorithm type, as it does not make > > sense in "ahash". It does a "finup" operation rather than a "digest" > > operation in order to support the salt that is used by dm-verity and > > fs-verity. There is no fallback implementation that does two regular > > finups if the underlying algorithm doesn't support finup2x, since users > > probably will want to avoid the overhead of queueing up multiple hashes > > when multibuffer hashing won't actually be used anyway. > > For your intended users, will the SIMD fallback ever be invoked? > If you mean the fallback to scalar instructions when !crypto_simd_usable(), by default dm-verity and fs-verity do all hashing in process context, in which case the scalar fallback will never be used. dm-verity does support the 'try_verify_in_tasklet' option which makes hashing sometimes happen in softirq context, and x86 Linux has an edge case where if a softirq comes in while the kernel is in the middle of using SIMD instructions, SIMD instructions can't be used during that softirq. So in theory the !crypto_simd_usable() case could be reached then. Either way, I have the fallback implemented in the x86 and arm64 SHA-256 glue code for consistency with the rest of the crypto_shash API anyway. If you mean falling back to two crypto_shash_finup() when the algorithm doesn't support crypto_shash_finup2x(), my patches to dm-verity and fs-verity do that. Modern x86_64 and arm64 systems will use crypto_shash_finup2x(), but dm-verity and fs-verity need to work on all architectures and on older CPUs too. The alternative would be to put the fallback to two crypto_shash_finup() directly in crypto_shash_finup2x() and have the users call crypto_shash_finup2x() unconditionally (similar to how crypto_shash_digest() can be called even if the underlying shash_alg doesn't implement ->digest()). That would make for slightly simpler code, though it feels a bit awkward to queue up multiple blocks for multibuffer hashing when multibuffer hashing won't actually be used. Let me know if you have a preference about this. - Eric _______________________________________________ linux-arm-kernel mailing list linux-arm-kernel@lists.infradead.org http://lists.infradead.org/mailman/listinfo/linux-arm-kernel