Linux cryptographic layer development
 help / color / mirror / Atom feed
From: Thomas Huth <thuth@redhat.com>
To: Eric Biggers <ebiggers@kernel.org>
Cc: linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 04/33] lib/crypto: aes: Add CTR and XCTR support
Date: Tue, 14 Jul 2026 06:53:32 +0200	[thread overview]
Message-ID: <34db35e3-7d6e-4ce2-bd3c-cbe74b321bc4@redhat.com> (raw)
In-Reply-To: <20260713235439.GB24654@quark>

On 14/07/2026 01.54, Eric Biggers wrote:
> On Mon, Jul 13, 2026 at 10:39:53AM +0200, Thomas Huth wrote:
>>> diff --git a/Documentation/crypto/libcrypto-unauth-encryption.rst b/Documentation/crypto/libcrypto-unauth-encryption.rst
>>> index fb8106034089..6aca01d715da 100644
>>> --- a/Documentation/crypto/libcrypto-unauth-encryption.rst
>>> +++ b/Documentation/crypto/libcrypto-unauth-encryption.rst
>>> @@ -27,6 +27,13 @@ Support for AES in the CBC and CBC-CTS modes of operation.
>>>    .. kernel-doc:: include/crypto/aes-cbc.h
>>> +AES-CTR and AES-XCTR
>>> +--------------------
>>> +
>>> +Support for AES in the CTR and XCTR modes of operation.
>>
>> I guess you already have this on your radar, but just in case: It would be
>> nice to turn this into a full sentence, too.
> 
> Yes, I'm making all of them full sentences.
> 
>>> +/**
>>> + * aes_ctr() - AES-CTR en/decryption
>>> + * @dst: The destination buffer.  Can be in-place or out-of-place.  For other
>>> + *	 overlaps the behavior is unspecified.
>>> + * @src: The source data
>>> + * @len: Number of bytes to en/decrypt
>>> + * @ctr: The counter.  It will be incremented by ceil(@len / AES_BLOCK_SIZE).
>>> + * @key: The key
>>> + *
>>> + * This implements AES in counter mode with a 128-bit big endian counter.
>>> + *
>>> + * This supports incremental en/decryption.  The length of each non-final chunk
>>> + * must be a multiple of AES_BLOCK_SIZE, and the updated @ctr must be passed in
>>> + * each time.
>>
>> Maybe add some wording that ctr ideally should not be 0 for the first call,
>> i.e. a "nonce" value?
> 
> It depends on the usage.  If a distinct key is used for each message for
> example, always starting at 0 is perfectly fine.
> 
> I'm not sure how far we should go to document the proper use of each
> algorithm.  Really the AES-CTR support is just for internal use by
> AES-GCM and AES-CCM, and a few odd users that implement specific other
> protocols that need AES-CTR.  It's not intended to be a place to go to
> receive an introduction to CTR mode.
> 
>>> +static __always_inline void inc_be128_ctr(u8 ctr[AES_BLOCK_SIZE])
>>> +{
>>> +	/* Casts to u8 are needed because of the implicit integer promotion. */
>>> +	if (((u8)++ctr[AES_BLOCK_SIZE - 1]) != 0)
>>> +		return;
>>
>> Why do you handle the first value separately here? The code could be
>> simplified to start with "int i = AES_BLOCK_SIZE -1" in the for-loop
>> instead?
> 
> Just a trick to optimize performance by unrolling the first iteration,
> since 255 times out of 256 the first iteration is enough.
Ok, but then maybe add a comment here. Otherwise people will wonder why it 
has been done like this when reading the code later.

FWIW, I doubt that this really makes a big difference here. Looking at a 
function that contains your code, the disassembly currently looks like this 
(with -O2):

0000000000000000 <inc_be128_ctr>:
    0:   80 47 0f 01             addb   $0x1,0xf(%rdi)
    4:   48 8d 57 0e             lea    0xe(%rdi),%rdx
    8:   74 0a                   je     14 <inc_be128_ctr+0x14>
    a:   c3                      ret
    b:   0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
   10:   48 83 ea 01             sub    $0x1,%rdx
   14:   80 02 01                addb   $0x1,(%rdx)
   17:   75 05                   jne    1e <inc_be128_ctr+0x1e>
   19:   48 39 d7                cmp    %rdx,%rdi
   1c:   75 f2                   jne    10 <inc_be128_ctr+0x10>
   1e:   c3                      ret

So that's 3 assembly instructions 'til you reach the "ret".

When you drop the optimization, it looks like this:

0000000000000000 <inc_be128_ctr>:
    0:   48 8d 57 0f             lea    0xf(%rdi),%rdx
    4:   eb 0e                   jmp    14 <inc_be128_ctr+0x14>
    6:   66 2e 0f 1f 84 00 00    cs nopw 0x0(%rax,%rax,1)
    d:   00 00 00
   10:   48 83 ea 01             sub    $0x1,%rdx
   14:   80 02 01                addb   $0x1,(%rdx)
   17:   75 05                   jne    1e <inc_be128_ctr+0x1e>
   19:   48 39 d7                cmp    %rdx,%rdi
   1c:   75 f2                   jne    10 <inc_be128_ctr+0x10>
   1e:   c3                      ret

That's 4 assembly instructions 'til you reach the "ret". Not such a big 
difference...?

And with -O3, both variants end up with the same code.

  Thomas


  reply	other threads:[~2026-07-14  4:53 UTC|newest]

Thread overview: 56+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-07  5:34 [PATCH 00/33] Library APIs for AES encryption modes Eric Biggers
2026-07-07  5:34 ` [PATCH 01/33] crypto: xts - Split out __xts_verify_key() helper Eric Biggers
2026-07-07 13:20   ` Thomas Huth
2026-07-07  5:34 ` [PATCH 02/33] lib/crypto: aes: Add ECB support Eric Biggers
2026-07-07 13:59   ` Thomas Huth
2026-07-07 19:22     ` Eric Biggers
2026-07-08  5:29       ` Thomas Huth
2026-07-07  5:34 ` [PATCH 03/33] lib/crypto: aes: Add CBC and CBC-CTS support Eric Biggers
2026-07-09 13:06   ` Thomas Huth
2026-07-13 23:37     ` Eric Biggers
2026-07-14  8:02   ` David Laight
2026-07-07  5:34 ` [PATCH 04/33] lib/crypto: aes: Add CTR and XCTR support Eric Biggers
2026-07-13  8:39   ` Thomas Huth
2026-07-13 23:54     ` Eric Biggers
2026-07-14  4:53       ` Thomas Huth [this message]
2026-07-14  7:58         ` David Laight
2026-07-07  5:34 ` [PATCH 05/33] lib/crypto: aes: Add XTS support Eric Biggers
2026-07-13 12:15   ` Thomas Huth
2026-07-14  0:23     ` Eric Biggers
2026-07-07  5:34 ` [PATCH 06/33] lib/crypto: aes: Add GCM support Eric Biggers
2026-07-07  5:34 ` [PATCH 07/33] lib/crypto: aes: Add CCM support Eric Biggers
2026-07-07  5:34 ` [PATCH 08/33] crypto: aes - Add ECB support using library Eric Biggers
2026-07-07  5:34 ` [PATCH 09/33] crypto: aes - Add CBC and CBC-CTS " Eric Biggers
2026-07-07  5:34 ` [PATCH 10/33] crypto: aes - Add CTR and XCTR " Eric Biggers
2026-07-07  5:34 ` [PATCH 11/33] crypto: aes - Add XTS " Eric Biggers
2026-07-07  5:34 ` [PATCH 12/33] crypto: aes - Add GCM " Eric Biggers
2026-07-07  5:34 ` [PATCH 13/33] crypto: aes - Add CCM " Eric Biggers
2026-07-07  5:34 ` [PATCH 14/33] x86/sev: Use new AES-GCM library Eric Biggers
2026-07-07  5:34 ` [PATCH 15/33] lib/crypto: aesgcm: Remove old " Eric Biggers
2026-07-07  5:34 ` [PATCH 16/33] crypto: aes - Remove AES-CBC-MAC support Eric Biggers
2026-07-07  5:34 ` [PATCH 17/33] lib/crypto: aes: Remove aes_cbcmac_* functions Eric Biggers
2026-07-07  5:34 ` [PATCH 18/33] fscrypt: Use aes_ecb_encrypt() for v1 key derivation Eric Biggers
2026-07-07  5:34 ` [PATCH 19/33] KEYS: encrypted: Use AES-CBC library instead of crypto_skcipher Eric Biggers
2026-07-07  5:34 ` [PATCH 20/33] KEYS: trusted: dcp: Use AES-GCM library instead of crypto_aead Eric Biggers
2026-07-07  5:34 ` [PATCH 21/33] libceph: Use AES-CBC library in ceph_aes_crypt() Eric Biggers
2026-07-07  5:34 ` [PATCH 22/33] libceph: Reimplement messenger v2 encryption using AES-GCM library Eric Biggers
2026-07-07  5:34 ` [PATCH 23/33] wifi: mac80211: Use AES-CTR library in fils_aead.c Eric Biggers
2026-07-07  5:34 ` [PATCH 24/33] wifi: mac80211: Use AES-GCM library for GMAC suite Eric Biggers
2026-07-07  5:34 ` [PATCH 25/33] wifi: mac80211: Use crypto libraries for GCMP and CCMP suites Eric Biggers
2026-07-07  5:34 ` [PATCH 26/33] macsec: Use AES-GCM library instead of crypto_aead Eric Biggers
2026-07-07  5:34 ` [PATCH 27/33] wifi: ipw2x00: Use AES-CCM library Eric Biggers
2026-07-07  5:34 ` [PATCH 28/33] mac802154: Use AES-CCM and AES-CTR libraries Eric Biggers
2026-07-07  5:34 ` [PATCH 29/33] bpf: crypto: Use AES-CBC and AES-ECB libraries Eric Biggers
2026-07-07 15:01   ` Vadim Fedorenko
2026-07-07 18:20     ` Eric Biggers
2026-07-07 22:50       ` Vadim Fedorenko
2026-07-07 23:16         ` Eric Biggers
2026-07-08 11:47           ` Vadim Fedorenko
2026-07-09 15:47             ` Eric Biggers
2026-07-09 16:46               ` Vadim Fedorenko
2026-07-07  5:35 ` [PATCH 30/33] bpf: crypto: Add AES-GCM support Eric Biggers
2026-07-07 15:02   ` Vadim Fedorenko
2026-07-07  5:35 ` [PATCH 31/33] smb: client: Use AES-GCM and AES-CCM libraries Eric Biggers
2026-07-07  5:35 ` [PATCH 32/33] ksmbd: " Eric Biggers
2026-07-07 10:51   ` Namjae Jeon
2026-07-07  5:35 ` [PATCH 33/33] net: tipc: Use AES-GCM library instead of crypto_aead Eric Biggers

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=34db35e3-7d6e-4ce2-bd3c-cbe74b321bc4@redhat.com \
    --to=thuth@redhat.com \
    --cc=ebiggers@kernel.org \
    --cc=linux-crypto@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox