Re: [PATCH 0/8] VAES+AVX2 optimized implementation of AES-GCM

[Eric Biggers <ebiggers@kernel.org>]

On Fri, Oct 17, 2025 at 10:44:37AM +0200, Ard Biesheuvel wrote:
> On Fri, 17 Oct 2025 at 10:25, Herbert Xu <herbert@gondor.apana.org.au> wrote:
> >
> > Eric Biggers <ebiggers@kernel.org> wrote:
> > > On Wed, Oct 01, 2025 at 07:31:09PM -0700, Eric Biggers wrote:
> > >> This patchset replaces the 256-bit vector implementation of AES-GCM for
> > >> x86_64 with one that requires AVX2 rather than AVX512.  This greatly
> > >> improves AES-GCM performance on CPUs that have VAES but not AVX512, for
> > >> example by up to 74% on AMD Zen 3.  For more details, see patch 1.
> > >>
> > >> This patchset also renames the 512-bit vector implementation of AES-GCM
> > >> for x86_64 to be named after AVX512 rather than AVX10/512, then adds
> > >> some additional optimizations to it.
> > >>
> > >> This patchset applies to next-20250929 and is targeting 6.19.  Herbert,
> > >> I'd prefer to just apply this myself.  But let me know if you'd prefer
> > >> to take it instead (considering that AES-GCM hasn't been librarified
> > >> yet).  Either way, there's no hurry, since this is targeting 6.19.
> > >>
> > >> Eric Biggers (8):
> > >>   crypto: x86/aes-gcm - add VAES+AVX2 optimized code
> > >>   crypto: x86/aes-gcm - remove VAES+AVX10/256 optimized code
> > >>   crypto: x86/aes-gcm - rename avx10 and avx10_512 to avx512
> > >>   crypto: x86/aes-gcm - clean up AVX512 code to assume 512-bit vectors
> > >>   crypto: x86/aes-gcm - reorder AVX512 precompute and aad_update
> > >>     functions
> > >>   crypto: x86/aes-gcm - revise some comments in AVX512 code
> > >>   crypto: x86/aes-gcm - optimize AVX512 precomputation of H^2 from H^1
> > >>   crypto: x86/aes-gcm - optimize long AAD processing with AVX512
> > >>
> > >>  arch/x86/crypto/Makefile                      |    5 +-
> > >>  arch/x86/crypto/aes-gcm-aesni-x86_64.S        |   12 +-
> > >>  arch/x86/crypto/aes-gcm-vaes-avx2.S           | 1150 +++++++++++++++++
> > >>  ...m-avx10-x86_64.S => aes-gcm-vaes-avx512.S} |  722 +++++------
> > >>  arch/x86/crypto/aesni-intel_glue.c            |  264 ++--
> > >>  5 files changed, 1667 insertions(+), 486 deletions(-)
> > >>  create mode 100644 arch/x86/crypto/aes-gcm-vaes-avx2.S
> > >>  rename arch/x86/crypto/{aes-gcm-avx10-x86_64.S => aes-gcm-vaes-avx512.S} (69%)
> > >>
> > >> base-commit: 3b9b1f8df454caa453c7fb07689064edb2eda90a
> > >
> > > Applied to https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git/log/?h=libcrypto-next
> >
> > Oops, I didn't see this email until it was too late.  Since the
> > patches should be identical I don't think it matters.

Well, it seems you didn't read the patchset (even the cover letter) or
any of the replies to it.  So maybe I should just take it, as I already
said I preferred, and later did do since you hadn't said you wanted to
take it.  It would have been okay if you had volunteered to take this,
but you need to actually read the patches and replies.

As for the patches being identical, besides correctly applying Ard's
tags, I made a couple very minor changes that weren't worth sending a v2
for: clarifying one of the commit messages, and correcting two comments
and dropping some unused aliases from aes-gcm-vaes-avx2.S.

- Eric