public inbox for linux-crypto@vger.kernel.org
From: Eric Biggers <ebiggers@kernel.org>
To: linux-crypto@vger.kernel.org
Cc: x86@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] crypto: x86/aes-ctr - remove non-AVX implementation of AES-CTR
Date: Fri, 7 Feb 2025 19:12:21 -0800
Message-ID: <20250208031221.GA2552@sol.localdomain>
In-Reply-To: <20250205035026.116976-3-ebiggers@kernel.org>

On Tue, Feb 04, 2025 at 07:50:26PM -0800, Eric Biggers wrote:
> From: Eric Biggers <ebiggers@google.com>
> 
> Nearly all x86_64 CPUs with AES-NI also support AVX.  The exceptions are
> Intel Westmere from 2010, and the low-power Intel CPU microarchitectures
> Silvermont, Goldmont, and Tremont from 2013 through 2020.  Tremont's
> successor, Gracemont (launched in 2021), supports AVX.  It is unlikely
> that any more non-AVX-capable x86_64 CPUs will be released.
> 
> Supporting non-AVX x86_64 SIMD assembly code is a major burden, given
> the differences between VEX and non-VEX code.  It is probably still
> worth doing for the most common algorithms like xts(aes) and gcm(aes).
> ctr(aes) seems unlikely to be one of these; it can be used in IPsec
> together with a standalone MAC if the better option of gcm(aes) is not
> being used, but it is not useful for much else in the kernel.
> 
> Therefore, let's drop the non-AVX implementation of ctr(aes).
> 
> Signed-off-by: Eric Biggers <ebiggers@google.com>

It was brought to my attention that the above does not list all the Intel CPUs
that have AES-NI without AVX.  The Pentiums and Celerons based on the Skylake,
Kaby Lake, Coffee Lake, and Comet Lake microarchitectures have AVX fused off.

I'm leaning towards dropping this patch, and keeping the AES-NI only AES-CTR
around for a couple years longer just in case.  This patch would just be
184 deletions, so not a huge amount anyway, and I think we do need to keep some
of the other modes in aesni-intel_asm.S like XTS anyway.

- Eric
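
A host can be checked for the "AES-NI without AVX" case discussed in this message as follows. This is an added example, not code from the patch or from the kernel; `classify()` and `enum aes_simd` are hypothetical names. It goes slightly beyond the CPU list above by also requiring that the OS has enabled AVX state in XCR0, since a CPU that reports AVX cannot use it otherwise.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#endif
/* CPUID.(EAX=1):ECX feature bits. */
#define ECX_AESNI   (1u << 25)
#define ECX_OSXSAVE (1u << 27)
#define ECX_AVX     (1u << 28)
/* XCR0 state components the OS must enable before AVX code may run. */
#define XCR0_SSE    (1ull << 1)
#define XCR0_AVX    (1ull << 2)

enum aes_simd { NO_AESNI, AESNI_ONLY, AESNI_AVX };

/* Classify from raw register values so the logic can be tested anywhere. */
enum aes_simd classify(uint32_t ecx, uint64_t xcr0)
{
    if (!(ecx & ECX_AESNI))
        return NO_AESNI;
    /* AVX is usable only if the CPU reports it AND the OS enabled YMM state. */
    if ((ecx & ECX_AVX) && (ecx & ECX_OSXSAVE) &&
        (xcr0 & (XCR0_SSE | XCR0_AVX)) == (XCR0_SSE | XCR0_AVX))
        return AESNI_AVX;
    return AESNI_ONLY;
}

int main(void)
{
#if defined(__x86_64__) || defined(__i386__)
    unsigned int eax, ebx, ecx, edx;
    uint64_t xcr0 = 0;
    if (!__get_cpuid(1, &eax, &ebx, &ecx, &edx))
        return 1;
    if (ecx & ECX_OSXSAVE) {            /* xgetbv faults without OSXSAVE */
        uint32_t lo, hi;
        __asm__ volatile("xgetbv" : "=a"(lo), "=d"(hi) : "c"(0));
        xcr0 = ((uint64_t)hi << 32) | lo;
    }
    static const char *const msg[] = {
        "no AES-NI",
        "AES-NI without usable AVX (the case the non-AVX ctr(aes) code serves)",
        "AES-NI with AVX",
    };
    puts(msg[classify(ecx, xcr0)]);
#else
    puts("not an x86 build");
#endif
    return 0;
}
```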

Thread overview: 5+ messages
2025-02-05  3:50 [PATCH 0/2] crypto: x86 - AES-CTR and AES-XCTR rewrite Eric Biggers
2025-02-05  3:50 ` [PATCH 1/2] crypto: x86/aes-ctr - rewrite AES-NI optimized CTR and add VAES support Eric Biggers
2025-02-05  3:50 ` [PATCH 2/2] crypto: x86/aes-ctr - remove non-AVX implementation of AES-CTR Eric Biggers
2025-02-08  3:12   ` Eric Biggers [this message]
2025-02-05  3:55 ` [PATCH 0/2] crypto: x86 - AES-CTR and AES-XCTR rewrite Eric Biggers