From: Eric Biggers <ebiggers@kernel.org>
To: Jerry Shih <jerry.shih@sifive.com>
Cc: paul.walmsley@sifive.com, palmer@dabbelt.com,
aou@eecs.berkeley.edu, herbert@gondor.apana.org.au,
davem@davemloft.net, andy.chiu@sifive.com,
greentime.hu@sifive.com, conor.dooley@microchip.com,
guoren@kernel.org, bjorn@rivosinc.com, heiko@sntech.de,
ardb@kernel.org, phoebe.chen@sifive.com, hongrong.hsu@sifive.com,
linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org,
linux-crypto@vger.kernel.org
Subject: Re: [PATCH 06/12] RISC-V: crypto: add accelerated AES-CBC/CTR/ECB/XTS implementations
Date: Wed, 1 Nov 2023 22:16:39 -0700 [thread overview]
Message-ID: <20231102051639.GF1498@sol.localdomain> (raw)
In-Reply-To: <20231025183644.8735-7-jerry.shih@sifive.com>
On Thu, Oct 26, 2023 at 02:36:38AM +0800, Jerry Shih wrote:
> +config CRYPTO_AES_BLOCK_RISCV64
> + default y if RISCV_ISA_V
> + tristate "Ciphers: AES, modes: ECB/CBC/CTR/XTS"
> + depends on 64BIT && RISCV_ISA_V
> + select CRYPTO_AES_RISCV64
> + select CRYPTO_SKCIPHER
> + help
> + Length-preserving ciphers: AES cipher algorithms (FIPS-197)
> + with block cipher modes:
> + - ECB (Electronic Codebook) mode (NIST SP 800-38A)
> + - CBC (Cipher Block Chaining) mode (NIST SP 800-38A)
> + - CTR (Counter) mode (NIST SP 800-38A)
> + - XTS (XOR Encrypt XOR Tweakable Block Cipher with Ciphertext
> + Stealing) mode (NIST SP 800-38E and IEEE 1619)
> +
> + Architecture: riscv64 using:
> + - Zvbb vector extension (XTS)
> + - Zvkb vector crypto extension (CTR/XTS)
> + - Zvkg vector crypto extension (XTS)
> + - Zvkned vector crypto extension
Maybe list Zvkned first since it's the most important one in this context.
> +#define AES_BLOCK_VALID_SIZE_MASK (~(AES_BLOCK_SIZE - 1))
> +#define AES_BLOCK_REMAINING_SIZE_MASK (AES_BLOCK_SIZE - 1)
I think it would be easier to read if these values were just used directly.
> +static int ecb_encrypt(struct skcipher_request *req)
> +{
> + struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
> + const struct riscv64_aes_ctx *ctx = crypto_skcipher_ctx(tfm);
> + struct skcipher_walk walk;
> + unsigned int nbytes;
> + int err;
> +
> + /* If we have error here, the `nbytes` will be zero. */
> + err = skcipher_walk_virt(&walk, req, false);
> + while ((nbytes = walk.nbytes)) {
> + kernel_vector_begin();
> + rv64i_zvkned_ecb_encrypt(walk.src.virt.addr, walk.dst.virt.addr,
> + nbytes & AES_BLOCK_VALID_SIZE_MASK,
> + &ctx->key);
> + kernel_vector_end();
> + err = skcipher_walk_done(
> + &walk, nbytes & AES_BLOCK_REMAINING_SIZE_MASK);
> + }
> +
> + return err;
> +}
There's no fallback for !crypto_simd_usable() here. I really like it this way.
However, for it to work (for skciphers and aeads), RISC-V needs to allow the
vector registers to be used in softirq context. Is that already the case?
> +/* ctr */
> +static int ctr_encrypt(struct skcipher_request *req)
> +{
> + struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
> + const struct riscv64_aes_ctx *ctx = crypto_skcipher_ctx(tfm);
> + struct skcipher_walk walk;
> + unsigned int ctr32;
> + unsigned int nbytes;
> + unsigned int blocks;
> + unsigned int current_blocks;
> + unsigned int current_length;
> + int err;
> +
> + /* the ctr iv uses big endian */
> + ctr32 = get_unaligned_be32(req->iv + 12);
> + err = skcipher_walk_virt(&walk, req, false);
> + while ((nbytes = walk.nbytes)) {
> + if (nbytes != walk.total) {
> + nbytes &= AES_BLOCK_VALID_SIZE_MASK;
> + blocks = nbytes / AES_BLOCK_SIZE;
> + } else {
> + /* This is the last walk. We should handle the tail data. */
> + blocks = (nbytes + (AES_BLOCK_SIZE - 1)) /
> + AES_BLOCK_SIZE;
'(nbytes + (AES_BLOCK_SIZE - 1)) / AES_BLOCK_SIZE' can be replaced with
'DIV_ROUND_UP(nbytes, AES_BLOCK_SIZE)'
> +static int xts_crypt(struct skcipher_request *req, aes_xts_func func)
> +{
> + struct crypto_skcipher *tfm = crypto_skcipher_reqtfm(req);
> + const struct riscv64_aes_xts_ctx *ctx = crypto_skcipher_ctx(tfm);
> + struct skcipher_request sub_req;
> + struct scatterlist sg_src[2], sg_dst[2];
> + struct scatterlist *src, *dst;
> + struct skcipher_walk walk;
> + unsigned int walk_size = crypto_skcipher_walksize(tfm);
> + unsigned int tail_bytes;
> + unsigned int head_bytes;
> + unsigned int nbytes;
> + unsigned int update_iv = 1;
> + int err;
> +
> + /* xts input size should be bigger than AES_BLOCK_SIZE */
> + if (req->cryptlen < AES_BLOCK_SIZE)
> + return -EINVAL;
> +
> + /*
> + * The tail size should be small than walk_size. Thus, we could make sure the
> + * walk size for tail elements could be bigger than AES_BLOCK_SIZE.
> + */
> + if (req->cryptlen <= walk_size) {
> + tail_bytes = req->cryptlen;
> + head_bytes = 0;
> + } else {
> + if (req->cryptlen & AES_BLOCK_REMAINING_SIZE_MASK) {
> + tail_bytes = req->cryptlen &
> + AES_BLOCK_REMAINING_SIZE_MASK;
> + tail_bytes = walk_size + tail_bytes - AES_BLOCK_SIZE;
> + head_bytes = req->cryptlen - tail_bytes;
> + } else {
> + tail_bytes = 0;
> + head_bytes = req->cryptlen;
> + }
> + }
> +
> + riscv64_aes_encrypt_zvkned(&ctx->ctx2, req->iv, req->iv);
> +
> + if (head_bytes && tail_bytes) {
> + skcipher_request_set_tfm(&sub_req, tfm);
> + skcipher_request_set_callback(
> + &sub_req, skcipher_request_flags(req), NULL, NULL);
> + skcipher_request_set_crypt(&sub_req, req->src, req->dst,
> + head_bytes, req->iv);
> + req = &sub_req;
> + }
> +
> + if (head_bytes) {
> + err = skcipher_walk_virt(&walk, req, false);
> + while ((nbytes = walk.nbytes)) {
> + if (nbytes == walk.total)
> + update_iv = (tail_bytes > 0);
> +
> + nbytes &= AES_BLOCK_VALID_SIZE_MASK;
> + kernel_vector_begin();
> + func(walk.src.virt.addr, walk.dst.virt.addr, nbytes,
> + &ctx->ctx1.key, req->iv, update_iv);
> + kernel_vector_end();
> +
> + err = skcipher_walk_done(&walk, walk.nbytes - nbytes);
> + }
> + if (err || !tail_bytes)
> + return err;
> +
> + dst = src = scatterwalk_next(sg_src, &walk.in);
> + if (req->dst != req->src)
> + dst = scatterwalk_next(sg_dst, &walk.out);
> + skcipher_request_set_crypt(req, src, dst, tail_bytes, req->iv);
> + }
> +
> + /* tail */
> + err = skcipher_walk_virt(&walk, req, false);
> + if (err)
> + return err;
> + if (walk.nbytes != tail_bytes)
> + return -EINVAL;
> + kernel_vector_begin();
> + func(walk.src.virt.addr, walk.dst.virt.addr, walk.nbytes,
> + &ctx->ctx1.key, req->iv, 0);
> + kernel_vector_end();
> +
> + return skcipher_walk_done(&walk, 0);
> +}
This function looks a bit weird. I see it's also the only caller of the
scatterwalk_next() function that you're adding. I haven't looked at this super
closely, but I expect that there's a cleaner way of handling the "tail" than
this -- maybe use scatterwalk_map_and_copy() to copy from/to a stack buffer?
- Eric
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
next prev parent reply other threads:[~2023-11-02 5:17 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-10-25 18:36 [PATCH 00/12] RISC-V: provide some accelerated cryptography implementations using vector extensions Jerry Shih
2023-10-25 18:36 ` [PATCH 01/12] RISC-V: add helper function to read the vector VLEN Jerry Shih
2023-10-25 18:36 ` [PATCH 02/12] RISC-V: hook new crypto subdir into build-system Jerry Shih
2023-10-25 18:36 ` [PATCH 03/12] RISC-V: crypto: add OpenSSL perl module for vector instructions Jerry Shih
2023-10-25 18:36 ` [PATCH 04/12] RISC-V: crypto: add Zvkned accelerated AES implementation Jerry Shih
2023-11-02 4:51 ` Eric Biggers
2023-11-20 2:53 ` Jerry Shih
2023-10-25 18:36 ` [PATCH 05/12] crypto: scatterwalk - Add scatterwalk_next() to get the next scatterlist in scatter_walk Jerry Shih
2023-10-25 18:36 ` [PATCH 06/12] RISC-V: crypto: add accelerated AES-CBC/CTR/ECB/XTS implementations Jerry Shih
2023-11-02 5:16 ` Eric Biggers [this message]
2023-11-07 8:53 ` Jerry Shih
2023-11-09 7:16 ` Eric Biggers
2023-11-10 3:58 ` Jerry Shih
2023-11-10 4:34 ` Eric Biggers
2023-11-10 4:58 ` Andy Chiu
2023-11-10 5:44 ` Eric Biggers
2023-11-11 11:08 ` Ard Biesheuvel
2023-11-11 17:52 ` Eric Biggers
2023-11-20 2:47 ` Jerry Shih
2023-11-20 19:28 ` Eric Biggers
2023-11-22 1:14 ` Eric Biggers
2023-11-27 2:52 ` Jerry Shih
2023-11-09 8:05 ` Eric Biggers
2023-11-10 4:06 ` Jerry Shih
2023-11-20 2:36 ` Jerry Shih
2023-10-25 18:36 ` [PATCH 07/12] RISC-V: crypto: add Zvkg accelerated GCM GHASH implementation Jerry Shih
2023-11-22 1:42 ` Eric Biggers
2023-11-27 2:49 ` Jerry Shih
2023-10-25 18:36 ` [PATCH 08/12] RISC-V: crypto: add Zvknha/b accelerated SHA224/256 implementations Jerry Shih
2023-10-25 18:36 ` [PATCH 09/12] RISC-V: crypto: add Zvknhb accelerated SHA384/512 implementations Jerry Shih
2023-11-22 1:32 ` Eric Biggers
2023-11-27 2:50 ` Jerry Shih
2023-10-25 18:36 ` [PATCH 10/12] RISC-V: crypto: add Zvksed accelerated SM4 implementation Jerry Shih
2023-11-02 5:58 ` Eric Biggers
2023-11-20 2:55 ` Jerry Shih
2023-10-25 18:36 ` [PATCH 11/12] RISC-V: crypto: add Zvksh accelerated SM3 implementation Jerry Shih
2023-10-25 18:36 ` [PATCH 12/12] RISC-V: crypto: add Zvkb accelerated ChaCha20 implementation Jerry Shih
2023-11-02 5:43 ` Eric Biggers
2023-11-20 2:55 ` Jerry Shih
2023-11-20 19:18 ` Eric Biggers
2023-11-21 10:55 ` Jerry Shih
2023-11-21 13:14 ` Conor Dooley
2023-11-21 23:37 ` Eric Biggers
2023-11-22 0:39 ` Conor Dooley
2023-11-22 17:37 ` Jerry Shih
2023-11-22 18:05 ` Palmer Dabbelt
2023-11-22 18:20 ` Conor Dooley
2023-11-22 19:05 ` Jerry Shih
2023-11-22 1:29 ` Eric Biggers
2023-11-27 2:14 ` Jerry Shih
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231102051639.GF1498@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=andy.chiu@sifive.com \
--cc=aou@eecs.berkeley.edu \
--cc=ardb@kernel.org \
--cc=bjorn@rivosinc.com \
--cc=conor.dooley@microchip.com \
--cc=davem@davemloft.net \
--cc=greentime.hu@sifive.com \
--cc=guoren@kernel.org \
--cc=heiko@sntech.de \
--cc=herbert@gondor.apana.org.au \
--cc=hongrong.hsu@sifive.com \
--cc=jerry.shih@sifive.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
--cc=phoebe.chen@sifive.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox