From: "Heiko Stübner" <heiko@sntech.de>
To: Nathan Huckleberry <nhuck@google.com>
Cc: palmer@dabbelt.com, paul.walmsley@sifive.com,
aou@eecs.berkeley.edu, herbert@gondor.apana.org.au,
davem@davemloft.net, conor.dooley@microchip.com,
linux-riscv@lists.infradead.org, linux-kernel@vger.kernel.org,
linux-crypto@vger.kernel.org, christoph.muellner@vrull.eu
Subject: Re: [PATCH v4 4/4] RISC-V: crypto: add accelerated GCM GHASH implementation
Date: Thu, 11 May 2023 12:30:41 +0200 [thread overview]
Message-ID: <3540048.LM0AJKV5NW@diego> (raw)
In-Reply-To: <CAJkfWY63E7x-OQ2yTKJ03Sd7P2AuLruan_41EXzYcTZpNnLPzw@mail.gmail.com>
Hi Nathan,
Am Dienstag, 11. April 2023, 17:00:00 CEST schrieb Nathan Huckleberry:
> On Wed, Mar 29, 2023 at 7:08 AM Heiko Stuebner <heiko@sntech.de> wrote:
> > +struct riscv64_ghash_ctx {
> > + void (*ghash_func)(u64 Xi[2], const u128 Htable[16],
> > + const u8 *inp, size_t len);
> > +
> > + /* key used by vector asm */
> > + u128 htable[16];
>
> This field looks too big. The assembly only loads the first 128-byte
> value from this table.
OpenSSL defines the Htable field handed to the init- and the other
functions as this "u128 Htable[16]" [0] . As I really like the concept
of keeping in sync with openSSL, I guess I'd rather not change that.
[0] https://github.com/openssl/openssl/blob/master/crypto/modes/gcm128.c#L88
> Is this copied from another implementation? There's an optimization
> where you precompute the first N powers of H so that you can perform 1
> finite field reduction for every N multiplications, but it doesn't
> look like that's being used here.
The whole crypto-specific code comes from openSSL itself, so for now I
guess I'd like to try keeping things the same.
> > +#define RISCV64_ZBC_SETKEY(VARIANT, GHASH) \
> > +void gcm_init_rv64i_ ## VARIANT(u128 Htable[16], const u64 Xi[2]); \
> > +static int riscv64_zbc_ghash_setkey_ ## VARIANT(struct crypto_shash *tfm, \
> > + const u8 *key, \
> > + unsigned int keylen) \
> > +{ \
> > + struct riscv64_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(tfm)); \
> > + const u64 k[2] = { cpu_to_be64(((const u64 *)key)[0]), \
> > + cpu_to_be64(((const u64 *)key)[1]) }; \
> > + \
> > + if (keylen != GHASH_BLOCK_SIZE) \
> > + return -EINVAL; \
> > + \
> > + memcpy(&ctx->key, key, GHASH_BLOCK_SIZE); \
> > + gcm_init_rv64i_ ## VARIANT(ctx->htable, k); \
> > + \
> > + ctx->ghash_func = gcm_ghash_rv64i_ ## GHASH; \
> > + \
> > + return 0; \
> > +}
>
> I'd prefer three identical functions over a macro here. Code searching
> tools and compiler warnings are significantly worse with macros.
done :-)
> > +
> > +static int riscv64_zbc_ghash_update(struct shash_desc *desc,
> > + const u8 *src, unsigned int srclen)
> > +{
> > + unsigned int len;
> > + struct riscv64_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(desc->tfm));
> > + struct riscv64_ghash_desc_ctx *dctx = shash_desc_ctx(desc);
> > +
> > + if (dctx->bytes) {
> > + if (dctx->bytes + srclen < GHASH_DIGEST_SIZE) {
> > + memcpy(dctx->buffer + dctx->bytes, src,
> > + srclen);
> > + dctx->bytes += srclen;
> > + return 0;
> > + }
> > + memcpy(dctx->buffer + dctx->bytes, src,
> > + GHASH_DIGEST_SIZE - dctx->bytes);
> > +
> > + ctx->ghash_func(dctx->shash, ctx->htable,
> > + dctx->buffer, GHASH_DIGEST_SIZE);
> > +
> > + src += GHASH_DIGEST_SIZE - dctx->bytes;
> > + srclen -= GHASH_DIGEST_SIZE - dctx->bytes;
> > + dctx->bytes = 0;
> > + }
> > + len = srclen & ~(GHASH_DIGEST_SIZE - 1);
> > +
> > + if (len) {
> > + gcm_ghash_rv64i_zbc(dctx->shash, ctx->htable,
> > + src, len);
> > + src += len;
> > + srclen -= len;
> > + }
> > +
> > + if (srclen) {
> > + memcpy(dctx->buffer, src, srclen);
> > + dctx->bytes = srclen;
> > + }
> > + return 0;
> > +}
> > +
> > +static int riscv64_zbc_ghash_final(struct shash_desc *desc, u8 *out)
> > +{
> > + int i;
> > + struct riscv64_ghash_ctx *ctx = crypto_tfm_ctx(crypto_shash_tfm(desc->tfm));
> > + struct riscv64_ghash_desc_ctx *dctx = shash_desc_ctx(desc);
> > +
> > + if (dctx->bytes) {
> > + for (i = dctx->bytes; i < GHASH_DIGEST_SIZE; i++)
> > + dctx->buffer[i] = 0;
> > + ctx->ghash_func(dctx->shash, ctx->htable,
> > + dctx->buffer, GHASH_DIGEST_SIZE);
>
> Can we do this without an indirect call?
hmm, the indirect call is in both riscv64_zbc_ghash_update() and
riscv64_zbc_ghash_final() . And I found a missing one at the bottom
of riscv64_zbc_ghash_update(), where gcm_ghash_rv64i_zbc() is
called right now.
Getting rid of the indirect call would mean duplicating both of these
functions for all instances. Especially with the slightly higher
complexity of the update this somehow seems not the best way to go.
Thanks for your pointers
Heiko
_______________________________________________
linux-riscv mailing list
linux-riscv@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/linux-riscv
next prev parent reply other threads:[~2023-05-11 10:30 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-29 14:06 [PATCH v4 0/4] Implement GCM ghash using Zbc and Zbkb extensions Heiko Stuebner
2023-03-29 14:06 ` [PATCH v4 1/4] RISC-V: add Zbc extension detection Heiko Stuebner
2023-03-29 14:06 ` [PATCH v4 2/4] RISC-V: add Zbkb " Heiko Stuebner
2023-03-29 14:06 ` [PATCH v4 3/4] RISC-V: hook new crypto subdir into build-system Heiko Stuebner
2023-03-29 14:06 ` [PATCH v4 4/4] RISC-V: crypto: add accelerated GCM GHASH implementation Heiko Stuebner
2023-03-29 18:37 ` Eric Biggers
2023-03-29 19:20 ` Heiko Stübner
2023-04-05 15:04 ` Heiko Stübner
2023-06-12 14:45 ` Heiko Stübner
2023-04-11 15:00 ` Nathan Huckleberry
2023-05-11 10:30 ` Heiko Stübner [this message]
2023-05-11 19:02 ` Nathan Huckleberry
2023-03-29 18:43 ` [PATCH v4 0/4] Implement GCM ghash using Zbc and Zbkb extensions Eric Biggers
2023-04-26 22:55 ` Eric Biggers
2023-04-26 23:20 ` Heiko Stübner
2023-04-26 23:23 ` Eric Biggers
2023-04-26 23:28 ` Heiko Stübner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3540048.LM0AJKV5NW@diego \
--to=heiko@sntech.de \
--cc=aou@eecs.berkeley.edu \
--cc=christoph.muellner@vrull.eu \
--cc=conor.dooley@microchip.com \
--cc=davem@davemloft.net \
--cc=herbert@gondor.apana.org.au \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-riscv@lists.infradead.org \
--cc=nhuck@google.com \
--cc=palmer@dabbelt.com \
--cc=paul.walmsley@sifive.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).