From patchwork Mon Jun 24 07:38:12 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ard Biesheuvel <ard.biesheuvel@linaro.org>
X-Patchwork-Id: 167550
Delivered-To: patch@linaro.org
Received: by 2002:a92:4782:0:0:0:0:0 with SMTP id e2csp3866900ilk;
 Mon, 24 Jun 2019 00:38:31 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxLWcMuk1ozY8qnB9jB201JrvlwXYkRH0ZTLFlwu5zCs8VkVC5V+vl5nds+G1VC+3Eaby39
X-Received: by 2002:a17:90a:32e4:: with SMTP id
 l91mr1306953pjb.17.1561361911714; 
 Mon, 24 Jun 2019 00:38:31 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1561361911; cv=none;
 d=google.com; s=arc-20160816;
 b=KH5j0IkzKU6nRYwMhaQ0vhCNFhZ5e7c0aqWCQvILDhqj7i1uXzkihb9ScnFcuEc3po
 hvXIHxGYp09d8ZVCdou0zdqo/K5oji1JcR2WvECdPRGCCkFFvGJSixddlaKnCX5aIRaG
 oCDIxeDb7WgsneSR2yTZSx53MtlVgkjiFNfNCmaquxI/UOBOEVT+w8iF/urZ5QO27Gfa
 Y5H3yoJeb24eNJfg/ViRqcn/7FS/UYYQ54ov+jht8nc2ZCjKUwLQOCZDu8Bz3yFPLKiv
 rzxS6z7BFEdbZHqrzFIxCQxilkGDWdz6JDvwkn5gXGdm6OeiubWAJ95KzaiDKjUUh3hW
 KbKw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=list-id:precedence:sender:content-transfer-encoding:mime-version
 :message-id:date:subject:cc:to:from:dkim-signature;
 bh=mXpydhn3h8+bwzi+XRJ+smOVOxIlaYlB/CCvwP4+MC0=;
 b=0odWv0ZYSijOjLdQyNKFZzjBJKOkfjK27+ig8F1RylH5zMz7JNo2Svz7y3/Z4x75eU
 C7HwHv3lUj+Gm8+6fw0a8BCbQe8xSjZKFZxLsYigZfJJWLe8cMD/kx8NUsoYOJd7JQSw
 InqTPNAlH+Poq1vqDVfC8vBsojBcLmFyrk2ugf3tpRKfm+VgpI6Vw9yPwsL4FQeFKUPA
 +2Y9Xx8ur+MwIvoJE6wCsK+lpsz/SqVTsP5tYxfe9Gg8LrxXsRiR2ZMXp0maLCeskAgM
 ErSCyANhDLeEROqNh4w5+EpCrwgnqrJKBuWBJCJORIz448nV5NOWDtWIwdBrf0vb4gd0
 tkNw==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=EFUddc5Z;
 spf=pass (google.com: best guess record for domain of
 linux-crypto-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender)
 smtp.mailfrom=linux-crypto-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <linux-crypto-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id h5si9375669pgd.419.2019.06.24.00.38.31;
 Mon, 24 Jun 2019 00:38:31 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of
 linux-crypto-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=EFUddc5Z;
 spf=pass (google.com: best guess record for domain of
 linux-crypto-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender)
 smtp.mailfrom=linux-crypto-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1726223AbfFXHia (ORCPT <rfc822;sumit.garg@linaro.org>
 + 3 others); Mon, 24 Jun 2019 03:38:30 -0400
Received: from mail-wr1-f66.google.com ([209.85.221.66]:36584 "EHLO
 mail-wr1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1726077AbfFXHia (ORCPT
 <rfc822;linux-crypto@vger.kernel.org>);
 Mon, 24 Jun 2019 03:38:30 -0400
Received: by mail-wr1-f66.google.com with SMTP id n4so11516756wrs.3
 for <linux-crypto@vger.kernel.org>;
 Mon, 24 Jun 2019 00:38:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:mime-version
 :content-transfer-encoding;
 bh=mXpydhn3h8+bwzi+XRJ+smOVOxIlaYlB/CCvwP4+MC0=;
 b=EFUddc5ZhmYskuZkgdXO8fVeBRbsHkwxsuCWTy9nTMFiqHeoeKYmQ8UKTeARs/Ufi0
 AGSAGAyxxey9pENHwuPySrCsOagS0TuUhMdPRGkpbum/kNByuTEOIPnGvLn7MylZ8XQY
 zIMjaMmbzwtPwHqZF5VbI6y+sOSVj6g92/Ihem13G6RH/z/RcABIPO+vK1nLUIoWbIXG
 w5WcIGGvh0yfhxM/QY/kHR0ZHNg5R6QLYs0kcR1cLqFb2uc9kKTFc1Q9bvbX8jmNLiID
 YwQg++0PAd0hxvoklpata8ZfVeTv98YqXEOE5brwnTEzTKtVo/7RFSxFKfrOf46mdvep
 xQtQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
 :content-transfer-encoding;
 bh=mXpydhn3h8+bwzi+XRJ+smOVOxIlaYlB/CCvwP4+MC0=;
 b=dKVCUC9JwO1afMyZnN/k1BPLd3PxoHihoy9SBDERJgn1JOX9DNdljTe+duSn5qSkeF
 iuONpJarzZY9NzFLiLbnxOOzW5wyWXXBJvGs/rNtXhJWnD9FQglZAUspaNuE7I3ew/oG
 Svm0F2jYLcZJgofGaRKNB5uYnsny3vzNJr/5Q4FhuDWKojEuZItDI3cEmsX9xWy/qlTp
 aLVRB3NriScLnpM9YSbJl+ldflQXVc2u/5RJGfxIywM+W9DtOuzLhkONm+A43UDgRQ0b
 yF5I81q/KK2a4rNXyoeeUcPv0RBRDoVxAAgQvwwARo4UDnV4X2d5mEd8p8eiIHFlF9XL
 waJg==
X-Gm-Message-State: APjAAAXZx2/IbBRE2rCkSR9vjwBJC3UaFnLIwX8SQ3Wh5nmRaAmMGrIb
 iQAGbcf6v9rvWThPEc7mdma+QzHiQ4Sa1w==
X-Received: by 2002:adf:fbd0:: with SMTP id
 d16mr23209832wrs.341.1561361908966; 
 Mon, 24 Jun 2019 00:38:28 -0700 (PDT)
Received: from sudo.home ([2a01:cb1d:112:6f00:4866:7cdc:a930:8455])
 by smtp.gmail.com with ESMTPSA id
 203sm7419280wmc.30.2019.06.24.00.38.27
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Mon, 24 Jun 2019 00:38:28 -0700 (PDT)
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: linux-crypto@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org,
 Ard Biesheuvel <ard.biesheuvel@linaro.org>,
 Eric Biggers <ebiggers@google.com>, Ondrej Mosnacek <omosnace@redhat.com>,
 Herbert Xu <herbert@gondor.apana.org.au>,
 Steve Capper <steve.capper@arm.com>
Subject: [PATCH 0/6] crypto: aegis128 - add NEON intrinsics version for
 ARM/arm64
Date: Mon, 24 Jun 2019 09:38:12 +0200
Message-Id: <20190624073818.29296-1-ard.biesheuvel@linaro.org>
X-Mailer: git-send-email 2.20.1
MIME-Version: 1.0
Sender: linux-crypto-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-crypto.vger.kernel.org>
X-Mailing-List: linux-crypto@vger.kernel.org

Now that aegis128 has been announced as one of the winners of the CAESAR
competition, it's time to provide some better support for it on arm64 (and
32-bit ARM *)

This time, instead of cloning the generic driver twice and rewriting half
of it in arm64 and ARM assembly, add hooks for an accelerated SIMD path to
the generic driver, and populate it with a C version using NEON intrinsics
that can be built for both ARM and arm64. This results in a speedup of ~11x,
resulting in a performance of 2.2 cycles per byte on Cortex-A53.

Patches #1 .. #3 are some fixes/improvements for the generic code. Patch #4
adds the plumbing for using a SIMD accelerated implementation. Patch #5
adds the ARM and arm64 code, and patch #6 adds a speed test.

Note that aegis128l and aegis256 were not selected, and nor where any of the
morus contestants, and so we should probably consider dropping those drivers
again.

* 32-bit ARM today rarely provides the special AES instruction that the
  implementation in this series relies on, but this may change in the future,
  and the NEON intrinsics code can be compiled for both ISAs.

Cc: Eric Biggers <ebiggers@google.com>
Cc: Ondrej Mosnacek <omosnace@redhat.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Steve Capper <steve.capper@arm.com>

Ard Biesheuvel (6):
  crypto: aegis128 - use unaliged helper in unaligned decrypt path
  crypto: aegis - drop empty TFM init/exit routines
  crypto: aegis - avoid prerotated AES tables
  crypto: aegis128 - add support for SIMD acceleration
  crypto: aegis128 - provide a SIMD implementation based on NEON
    intrinsics
  crypto: tcrypt - add a speed test for AEGIS128

 crypto/Kconfig               |   5 +
 crypto/Makefile              |  12 ++
 crypto/aegis.h               |  28 ++--
 crypto/aegis128-neon-inner.c | 142 ++++++++++++++++++++
 crypto/aegis128-neon.c       |  43 ++++++
 crypto/aegis128.c            |  55 +++++---
 crypto/aegis128l.c           |  11 --
 crypto/aegis256.c            |  11 --
 crypto/tcrypt.c              |   7 +
 9 files changed, 261 insertions(+), 53 deletions(-)
 create mode 100644 crypto/aegis128-neon-inner.c
 create mode 100644 crypto/aegis128-neon.c

-- 
2.20.1