X-Patchwork-Submitter: Ard Biesheuvel
X-Patchwork-Id: 143169
From: Ard Biesheuvel
To: linux-crypto@vger.kernel.org
Cc: herbert@gondor.apana.org.au, vakul.garg@nxp.com, Ard Biesheuvel
Subject: [PATCH v2 0/3] crypto/arm64: aes-ce-gcm - switch to 2-way aggregation
Date: Mon, 30 Jul 2018 23:06:39 +0200
Message-Id: <20180730210642.25180-1-ard.biesheuvel@linaro.org>

Update the combined AES-GCM AEAD implementation to process two blocks at a
time, allowing us to switch to a faster version of the GHASH implementation.

Note that this does not update the core GHASH transform, only the combined
AES-GCM AEAD mode. GHASH is mostly used with AES anyway, and the ARMv8
architecture mandates support for AES instructions if 64-bit polynomial
multiplication instructions are implemented. This means that most users of
the pmull.p64 based GHASH routines are better off using the combined AES-GCM
code anyway. Users of the pmull.p8 based GHASH implementation are unlikely
to benefit substantially from aggregation, given that the multiplication
phase is much more dominant in this case (and it is only the reduction phase
that is amortized over multiple blocks)

Performance numbers for Cortex-A53 can be found after patches #2 and #3.

Changes since v1:
- rebase to take the changes in patch
  'crypto: arm64 - revert NEON yield for fast AEAD implementations'
  which I sent out on July 29th
- add a patch to reduce the number of invocations of kernel_neon_begin()
  and kernel_neon_end() on the common path

Ard Biesheuvel (3):
  crypto/arm64: aes-ce-gcm - operate on two input blocks at a time
  crypto/arm64: aes-ce-gcm - implement 2-way aggregation
  crypto: arm64/aes-ce-gcm - don't reload key schedule if avoidable

 arch/arm64/crypto/ghash-ce-core.S | 136 +++++++++------
 arch/arm64/crypto/ghash-ce-glue.c | 176 ++++++++++++--------
 2 files changed, 198 insertions(+), 114 deletions(-)

-- 
2.18.0
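
The aggregation the cover letter refers to, as an added sketch in portable C (not code from this patch series): two blocks are folded into the digest with a single reduction by multiplying the older term by H^2. The names fe, wide, clmul, reduce, ghash_serial and ghash_2way are hypothetical, and GCM's reflected bit order is left out.

```c
#include <stdint.h>

/* Bit i of w[i/64] is the coefficient of x^i. GCM's reflected bit order is
 * left out (assumption of this sketch); the algebra is unchanged. */
typedef struct { uint64_t w[2]; } fe;    /* field element, degree < 128 */
typedef struct { uint64_t w[4]; } wide;  /* unreduced 256-bit product */
static int reductions;                   /* number of reduce() calls */

/* Carry-less 128x128 multiply without reduction (the PMULL part). */
static wide clmul(fe a, fe b) {
	wide r = { { 0 } };
	for (int i = 0; i < 128; i++) {
		uint64_t m = -((b.w[i / 64] >> (i % 64)) & 1); /* mask, no branch */
		for (int j = 0, q = i / 64, s = i % 64; j < 2; j++) {
			r.w[q + j] ^= (a.w[j] << s) & m;
			if (s) r.w[q + j + 1] ^= (a.w[j] >> (64 - s)) & m;
		}
	}
	return r;
}

/* Fold the upper 128 bits back in, using x^128 = x^7 + x^2 + x + 1. */
static fe reduce(wide p) {
	reductions++;
	for (int k = 3; k >= 2; k--) {
		uint64_t t = p.w[k];
		p.w[k - 2] ^= t ^ (t << 1) ^ (t << 2) ^ (t << 7);
		p.w[k - 1] ^= (t >> 63) ^ (t >> 62) ^ (t >> 57);
	}
	return (fe){ { p.w[0], p.w[1] } };
}

static fe fxor(fe a, fe b) { return (fe){ { a.w[0] ^ b.w[0], a.w[1] ^ b.w[1] } }; }

/* One block per step: X = (X ^ C) * H, reduced after every block. */
fe ghash_serial(fe x, fe h, const fe *c, int n) {
	for (int i = 0; i < n; i++)
		x = reduce(clmul(fxor(x, c[i]), h));
	return x;
}

/* Two blocks per step: X = (X ^ C1) * H^2 ^ C2 * H, one reduction (n even). */
fe ghash_2way(fe x, fe h, fe h2, const fe *c, int n) {
	for (int i = 0; i < n; i += 2) {
		wide p = clmul(fxor(x, c[i]), h2), q = clmul(c[i + 1], h);
		for (int k = 0; k < 4; k++) p.w[k] ^= q.w[k];
		x = reduce(p);
	}
	return x;
}
```

Pass h2 = reduce(clmul(h, h)), computed once per key. Both routines still perform one multiplication per block; only the number of reductions is halved.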