[0/5] crypto: Accelerated Chacha20/Poly1305 implementation

Message ID	20230424184726.2091-1-dtsen@linux.ibm.com
Headers	show Return-Path: <linux-crypto-owner@vger.kernel.org> From: Danny Tsen <dtsen@linux.ibm.com> To: linux-crypto@vger.kernel.org Cc: herbert@gondor.apana.org.au, leitao@debian.org, nayna@linux.ibm.com, appro@cryptogams.org, linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, mpe@ellerman.id.au, ltcgcw@linux.vnet.ibm.com, dtsen@us.ibm.com, Danny Tsen <dtsen@linux.ibm.com> Subject: [PATCH 0/5] crypto: Accelerated Chacha20/Poly1305 implementation Date: Mon, 24 Apr 2023 14:47:21 -0400 Message-Id: <20230424184726.2091-1-dtsen@linux.ibm.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	crypto: Accelerated Chacha20/Poly1305 implementation \| expand [0/5] crypto: Accelerated Chacha20/Poly1305 implementation [1/5] An optimized Chacha20 implementation with 8-way unrolling for ppc64le. [2/5] Glue code for optmized Chacha20 implementation for ppc64le. [3/5] An optimized Poly1305 implementation with 4-way unrolling for ppc64le. [4/5] Glue code for optmized Poly1305 implementation for ppc64le. [5/5] Update Kconfig and Makefile.

Danny Tsen April 24, 2023, 6:47 p.m. UTC

This patch series provide an accelerated/optimized Chacha20 and Poly1305
implementation for Power10 or later CPU (ppc64le).  This module
implements algorithm specified in RFC7539.  The implementation
provides 3.5X better performance than the baseline for Chacha20 and
Poly1305 individually and 1.5X improvement for Chacha20/Poly1305
operation.

This patch has been tested with the kernel crypto module tcrypt.ko and
has passed the selftest.  The patch is also tested with
CONFIG_CRYPTO_MANAGER_EXTRA_TESTS enabled.


Danny Tsen (5):
  An optimized Chacha20 implementation with 8-way unrolling for ppc64le.
  Glue code for optmized Chacha20 implementation for ppc64le.
  An optimized Poly1305 implementation with 4-way unrolling for ppc64le.
  Glue code for optmized Poly1305 implementation for ppc64le.
  Update Kconfig and Makefile.

 arch/powerpc/crypto/Kconfig             |   26 +
 arch/powerpc/crypto/Makefile            |    4 +
 arch/powerpc/crypto/chacha-p10-glue.c   |  223 +++++
 arch/powerpc/crypto/chacha-p10le-8x.S   |  842 ++++++++++++++++++
 arch/powerpc/crypto/poly1305-p10-glue.c |  186 ++++
 arch/powerpc/crypto/poly1305-p10le_64.S | 1075 +++++++++++++++++++++++
 6 files changed, 2356 insertions(+)
 create mode 100644 arch/powerpc/crypto/chacha-p10-glue.c
 create mode 100644 arch/powerpc/crypto/chacha-p10le-8x.S
 create mode 100644 arch/powerpc/crypto/poly1305-p10-glue.c
 create mode 100644 arch/powerpc/crypto/poly1305-p10le_64.S

Elliott, Robert (Servers) April 24, 2023, 8:40 p.m. UTC | #1

> +# Copyright 2023- IBM Inc. All rights reserved

I don't think any such entity exists - you probably mean IBM Corporation.

Herbert Xu April 25, 2023, 5:37 a.m. UTC | #2

On Mon, Apr 24, 2023 at 02:47:23PM -0400, Danny Tsen wrote:
>
> +static int __init chacha_p10_init(void)
> +{
> +	static_branch_enable(&have_p10);
> +
> +	return IS_REACHABLE(CONFIG_CRYPTO_SKCIPHER) ?
> +		crypto_register_skciphers(algs, ARRAY_SIZE(algs)) : 0;

What is this for? The usual way is to select CRYPTO_SKCIPHER
rather than have a mysterious failure at run-time.

Thanks,

Herbert Xu April 25, 2023, 5:41 a.m. UTC | #3

On Mon, Apr 24, 2023 at 02:47:23PM -0400, Danny Tsen wrote:
>
> +static int chacha_p10_stream_xor(struct skcipher_request *req,
> +				 const struct chacha_ctx *ctx, const u8 *iv)
> +{
> +	struct skcipher_walk walk;
> +	u32 state[16];
> +	int err;
> +
> +	err = skcipher_walk_virt(&walk, req, false);
> +	if (err)
> +		return err;
> +
> +	chacha_init_generic(state, ctx->key, iv);
> +
> +	while (walk.nbytes > 0) {
> +		unsigned int nbytes = walk.nbytes;
> +
> +		if (nbytes < walk.total)
> +			nbytes = rounddown(nbytes, walk.stride);
> +
> +		if (!static_branch_likely(&have_p10) ||

You don't need the static branch in the Crypto API code since
the registration is already conditional.

Cheers,

Danny Tsen April 25, 2023, 11:53 a.m. UTC | #4

Got it.  Will fix it.

Thanks.

-Danny


On 4/25/23 12:41 AM, Herbert Xu wrote:
> On Mon, Apr 24, 2023 at 02:47:23PM -0400, Danny Tsen wrote:
>> +static int chacha_p10_stream_xor(struct skcipher_request *req,
>> +				 const struct chacha_ctx *ctx, const u8 *iv)
>> +{
>> +	struct skcipher_walk walk;
>> +	u32 state[16];
>> +	int err;
>> +
>> +	err = skcipher_walk_virt(&walk, req, false);
>> +	if (err)
>> +		return err;
>> +
>> +	chacha_init_generic(state, ctx->key, iv);
>> +
>> +	while (walk.nbytes > 0) {
>> +		unsigned int nbytes = walk.nbytes;
>> +
>> +		if (nbytes < walk.total)
>> +			nbytes = rounddown(nbytes, walk.stride);
>> +
>> +		if (!static_branch_likely(&have_p10) ||
> You don't need the static branch in the Crypto API code since
> the registration is already conditional.
>
> Cheers,

Michael Ellerman April 25, 2023, 12:02 p.m. UTC | #5

Danny Tsen <dtsen@linux.ibm.com> writes:
> This is recommended template to use for IBM copyright.

According to who?

The documentation I've seen specifies "IBM Corp." or "IBM Corporation".

cheers

Danny Tsen April 25, 2023, 12:08 p.m. UTC | #6

Hi Michael,

It's in IBM repo.

Thanks.

-Danny

On 4/25/23 7:02 AM, Michael Ellerman wrote:
> Danny Tsen <dtsen@linux.ibm.com> writes:
>> This is recommended template to use for IBM copyright.
> According to who?
>
> The documentation I've seen specifies "IBM Corp." or "IBM Corporation".
>
> cheers

[0/5] crypto: Accelerated Chacha20/Poly1305 implementation

Message

Comments