From: Eric Biggers <ebiggers@kernel.org>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Ard Biesheuvel <ardb@kernel.org>,
Steffen Klassert <steffen.klassert@secunet.com>,
netdev@vger.kernel.org, linux-crypto@vger.kernel.org,
fsverity@lists.linux.dev, dm-devel@lists.linux.dev,
x86@kernel.org, linux-arm-kernel@lists.infradead.org,
Sami Tolvanen <samitolvanen@google.com>,
Bart Van Assche <bvanassche@acm.org>,
Tim Chen <tim.c.chen@linux.intel.com>
Subject: Re: [PATCH v4 6/8] fsverity: improve performance by using multibuffer hashing
Date: Tue, 11 Jun 2024 13:18:58 -0700 [thread overview]
Message-ID: <20240611201858.GA128642@sol.localdomain> (raw)
In-Reply-To: <Zmhrh1nodUE-O6Jj@gondor.apana.org.au>
On Tue, Jun 11, 2024 at 11:21:43PM +0800, Herbert Xu wrote:
>
> BTW, I found an old Intel paper that claims through their multi-
> buffer strategy they were able to make AES-CBC-XCBC beat AES-GCM.
> I wonder if we could still replicate this today:
>
> https://github.com/intel/intel-ipsec-mb/wiki/doc/fast-multi-buffer-ipsec-implementations-ia-processors-paper.pdf
No, not even close. Even assuming that the lack of parallelizability in AES-CBC
and AES-XCBC can be entirely compensated for via multibuffer crypto (which
really it can't -- consider single packets, for example), doing AES twice is
much more expensive than doing AES and GHASH. GHASH is a universal hash
function, and computing a universal hash function is inherently cheaper than
computing a cryptographic hash function. But also modern Intel CPUs have very
fast carryless multiplication, and it uses a different execution port from what
AES uses. So the overhead of AES + GHASH over AES alone is very small. By
doing AES twice, you'd be entirely bottlenecked by the ports that can execute
the AES instructions, while the other ports go nearly unused. So it would
probably be approaching twice as slow as AES-GCM.
Westmere (2010) through Ivy Bridge (2012) are the only Intel CPUs where
multibuffer AES-CBC-XCBC could plausibly be faster than AES-GCM (given a
sufficiently large number of messages at once), due to the very slow pclmulqdq
instruction on those CPUs. This is long since fixed, as pclmulqdq became much
faster in Haswell (2013), and faster still in Broadwell. This is exactly what
that Intel paper shows; they show AES-GCM becoming fastest in "Gen 4", i.e.
Haswell. The paper is from 2012, so of course they don't show anything after
that. But AES-GCM has only pulled ahead even more since then.
In theory something like AES-CBC + SHA-256 could be slightly more competitive
than AES-CBC + AES-XCBC. But it would still be worse than simply doing AES-GCM
-- which again, doesn't need multibuffer, and my recent patches have already
fully optimized for recent x86_64 CPUs.
- Eric
next prev parent reply other threads:[~2024-06-11 20:19 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-03 18:37 [PATCH v4 0/8] Optimize dm-verity and fsverity using multibuffer hashing Eric Biggers
2024-06-03 18:37 ` [PATCH v4 1/8] crypto: shash - add support for finup_mb Eric Biggers
2024-06-04 18:55 ` Ard Biesheuvel
2024-06-04 19:25 ` Eric Biggers
2024-06-03 18:37 ` [PATCH v4 2/8] crypto: testmgr - generate power-of-2 lengths more often Eric Biggers
2024-06-03 18:37 ` [PATCH v4 3/8] crypto: testmgr - add tests for finup_mb Eric Biggers
2024-06-03 18:37 ` [PATCH v4 4/8] crypto: x86/sha256-ni - add support " Eric Biggers
2024-06-03 18:37 ` [PATCH v4 5/8] crypto: arm64/sha256-ce " Eric Biggers
2024-06-04 19:00 ` Ard Biesheuvel
2024-06-03 18:37 ` [PATCH v4 6/8] fsverity: improve performance by using multibuffer hashing Eric Biggers
2024-06-04 9:37 ` Herbert Xu
2024-06-04 18:42 ` Eric Biggers
2024-06-05 9:19 ` Herbert Xu
2024-06-05 9:22 ` Herbert Xu
2024-06-05 9:46 ` Herbert Xu
2024-06-05 19:14 ` Eric Biggers
2024-06-06 2:00 ` Herbert Xu
2024-06-06 5:28 ` Eric Biggers
2024-06-06 5:41 ` Herbert Xu
2024-06-06 6:58 ` Ard Biesheuvel
2024-06-06 7:34 ` Herbert Xu
2024-06-06 7:55 ` Ard Biesheuvel
2024-06-06 8:08 ` Herbert Xu
2024-06-06 8:33 ` Ard Biesheuvel
2024-06-06 9:15 ` Herbert Xu
2024-06-10 16:42 ` Eric Biggers
2024-06-11 15:21 ` Herbert Xu
2024-06-11 15:39 ` Herbert Xu
2024-06-11 20:32 ` Eric Biggers
2024-06-11 15:46 ` Ard Biesheuvel
2024-06-11 15:51 ` Herbert Xu
2024-06-11 20:18 ` Eric Biggers [this message]
2024-06-05 18:58 ` Eric Biggers
2024-06-03 18:37 ` [PATCH v4 7/8] dm-verity: hash blocks with shash import+finup when possible Eric Biggers
2024-06-03 18:37 ` [PATCH v4 8/8] dm-verity: improve performance by using multibuffer hashing Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240611201858.GA128642@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=ardb@kernel.org \
--cc=bvanassche@acm.org \
--cc=dm-devel@lists.linux.dev \
--cc=fsverity@lists.linux.dev \
--cc=herbert@gondor.apana.org.au \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=samitolvanen@google.com \
--cc=steffen.klassert@secunet.com \
--cc=tim.c.chen@linux.intel.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).