From patchwork Fri Dec 1 21:19:23 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ard Biesheuvel X-Patchwork-Id: 120384 Delivered-To: patch@linaro.org Received: by 10.140.22.227 with SMTP id 90csp1655371qgn; Fri, 1 Dec 2017 13:26:01 -0800 (PST) X-Google-Smtp-Source: AGs4zMaGewPeBVmQLamPnhpsHJkdM4OBhHuR4+0tR3a6oZoygH/j7/bprfkoY4n889He1BCk6MM3 X-Received: by 10.84.128.106 with SMTP id 97mr7303246pla.250.1512163561807; Fri, 01 Dec 2017 13:26:01 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1512163561; cv=none; d=google.com; s=arc-20160816; b=xQNNcV9SqwCbi5bIjwMC/LeVF7K3upuzeQQMPI6mR5EwJ5YYXvpL0Ni/RwGpZsRPd1 bv7pMzIAgukqg9hiCn0WdugSky91q/CLuuVgVgNNqigsCE9dacd66eAd4Q7t4hWyOn/0 QNIuwcENvdt0iO/Deqa3cfdZZ++1WroFQTzCpmA2xKuSh3epQMwwMGKgM0N0LxfqX6uV oxVRe7ugl4sxYrMhCWKG7p3/sk/n1QKL5E8a7ncNAFeAYJzudZ1UzvozGmNLk1CnLnC9 dFlsNlmmvhYN2aPaZ+maGorMp6Dhh/ICssgC/yliPWtlB5o7jFGxaCPuCAtSgI2Q8GSs Q0zw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=LihVXBSIHLub8TadiGHOcXJbFC4M3p/6b/xh6SsRLz4=; b=Vc6oSw3ApNJrDmANN+39uLKRHJjDkBKivt5h+bXHBhGdqZFXwJVt+sKR1vyxOQXYz4 d81y2cTi97BovfA5rhtWp0SKwyeKkDLh9KCiBWWoxyJQsL2ISGzQROxDD4hRl6eGV4z3 4gez/9BUefrArLDoTlSP5pdUJm9ltArzqLRt+yLQZAeU9Gg7qeZX8LlGJBvLZ4nEPG8J HARUAJtOL+cKFJnR90Oj1uaPqXdw3vRfXGZQ+1GR2vjDeHQxz0Ltbl4rRN1/riCkiRkG fmpeC3nkrpobzoW2jjBwdIWYvX8lFG4AB0kUVT/Lb/D2vtjnse+Q1MtW0LYLFztwHizv 7Ivg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=fjU3ZhUZ; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 5si5602719plx.33.2017.12.01.13.26.01; Fri, 01 Dec 2017 13:26:01 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=fjU3ZhUZ; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751111AbdLAV0A (ORCPT + 1 other); Fri, 1 Dec 2017 16:26:00 -0500 Received: from mail-wr0-f196.google.com ([209.85.128.196]:42442 "EHLO mail-wr0-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751066AbdLAVZ7 (ORCPT ); Fri, 1 Dec 2017 16:25:59 -0500 Received: by mail-wr0-f196.google.com with SMTP id s66so11439618wrc.9 for ; Fri, 01 Dec 2017 13:25:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=LihVXBSIHLub8TadiGHOcXJbFC4M3p/6b/xh6SsRLz4=; b=fjU3ZhUZKxvpQORsyuLVH7Hafq7NwfrNuoamJw0prOoBFNwEzBlO5bCPkAWJwxJefX 1QFwBKh5nGLcGyLz3roihEyendrNEeypeYCMev6+IaoVY+PFw1clMA6W3Stz1prqJ8g0 KrVSSVY2jEshRBdIJEFIcc83R51PWlKD0st38= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=LihVXBSIHLub8TadiGHOcXJbFC4M3p/6b/xh6SsRLz4=; b=Gb8l0p218/9XsK9EZImWSeSKLQloOD4pYJD3EmXFXjh4tCcgbpTwwNGIRfnKGt/qu+ oMfQpY3RQTOzfmzTgdFrtRkcU9PeKxl7xFc0r4qLAlcXoCmaRQhrTJ0y2dq+wB99G2g1 T85xblb4+cQnvDBciy8n0vDlmoZBtbpU2EODw85vsSr9DSrhG3tMfMw9fSsSoZItUDxG XQZoNaSRS/yZqaCz75vznVOHlWSugWbT6G0v244ePC6L5rJ3mWD56850A9zDjtSj8BmK zmDw4FsWi8XAEMak1TPocC2jzmwj5MwHsKo2JaK1ccHV0BsCNxWuCt4Cvw51O8wDNtxg dCxQ== X-Gm-Message-State: AJaThX4lHOeZOqZx7VSdaVLAEJ9AXQNqi53a59ohvJ6/mjounXvNzNrC Uq2Chy6pEJVRaJ4GEOSMRrDhfda8U74= X-Received: by 10.223.187.210 with SMTP id z18mr5924080wrg.117.1512163557702; Fri, 01 Dec 2017 13:25:57 -0800 (PST) Received: from localhost.localdomain ([105.150.171.234]) by smtp.gmail.com with ESMTPSA id p17sm2161682wma.23.2017.12.01.13.25.54 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 01 Dec 2017 13:25:56 -0800 (PST) From: Ard Biesheuvel To: linux-crypto@vger.kernel.org Cc: herbert@gondor.apana.org.au, linux-arm-kernel@lists.infradead.org, Ard Biesheuvel , Dave Martin , Russell King - ARM Linux , Sebastian Andrzej Siewior , Mark Rutland , linux-rt-users@vger.kernel.org, Peter Zijlstra , Catalin Marinas , Will Deacon , Steven Rostedt , Thomas Gleixner Subject: [PATCH 1/5] crypto: arm64/aes-ce-ccm - move kernel mode neon en/disable into loop Date: Fri, 1 Dec 2017 21:19:23 +0000 Message-Id: <20171201211927.24653-2-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20171201211927.24653-1-ard.biesheuvel@linaro.org> References: <20171201211927.24653-1-ard.biesheuvel@linaro.org> Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org When kernel mode NEON was first introduced on arm64, the preserve and restore of the userland NEON state was completely unoptimized, and involved saving all registers on each call to kernel_neon_begin(), and restoring them on each call to kernel_neon_end(). For this reason, the NEON crypto code that was introduced at the time keeps the NEON enabled throughout the execution of the crypto API methods, which may include calls back into the crypto API that could result in memory allocation or other actions that we should avoid when running with preemption disabled. Since then, we have optimized the kernel mode NEON handling, which now restores lazily (upon return to userland), and so the preserve action is only costly the first time it is called after entering the kernel. So let's put the kernel_neon_begin() and kernel_neon_end() calls around the actual invocations of the NEON crypto code, and run the remainder of the code with kernel mode NEON disabled (and preemption enabled) Signed-off-by: Ard Biesheuvel --- arch/arm64/crypto/aes-ce-ccm-glue.c | 47 ++++++++++---------- 1 file changed, 23 insertions(+), 24 deletions(-) -- 2.11.0 diff --git a/arch/arm64/crypto/aes-ce-ccm-glue.c b/arch/arm64/crypto/aes-ce-ccm-glue.c index a1254036f2b1..68b11aa690e4 100644 --- a/arch/arm64/crypto/aes-ce-ccm-glue.c +++ b/arch/arm64/crypto/aes-ce-ccm-glue.c @@ -107,11 +107,13 @@ static int ccm_init_mac(struct aead_request *req, u8 maciv[], u32 msglen) } static void ccm_update_mac(struct crypto_aes_ctx *key, u8 mac[], u8 const in[], - u32 abytes, u32 *macp, bool use_neon) + u32 abytes, u32 *macp) { - if (likely(use_neon)) { + if (may_use_simd()) { + kernel_neon_begin(); ce_aes_ccm_auth_data(mac, in, abytes, macp, key->key_enc, num_rounds(key)); + kernel_neon_end(); } else { if (*macp > 0 && *macp < AES_BLOCK_SIZE) { int added = min(abytes, AES_BLOCK_SIZE - *macp); @@ -143,8 +145,7 @@ static void ccm_update_mac(struct crypto_aes_ctx *key, u8 mac[], u8 const in[], } } -static void ccm_calculate_auth_mac(struct aead_request *req, u8 mac[], - bool use_neon) +static void ccm_calculate_auth_mac(struct aead_request *req, u8 mac[]) { struct crypto_aead *aead = crypto_aead_reqtfm(req); struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead); @@ -163,7 +164,7 @@ static void ccm_calculate_auth_mac(struct aead_request *req, u8 mac[], ltag.len = 6; } - ccm_update_mac(ctx, mac, (u8 *)<ag, ltag.len, &macp, use_neon); + ccm_update_mac(ctx, mac, (u8 *)<ag, ltag.len, &macp); scatterwalk_start(&walk, req->src); do { @@ -175,7 +176,7 @@ static void ccm_calculate_auth_mac(struct aead_request *req, u8 mac[], n = scatterwalk_clamp(&walk, len); } p = scatterwalk_map(&walk); - ccm_update_mac(ctx, mac, p, n, &macp, use_neon); + ccm_update_mac(ctx, mac, p, n, &macp); len -= n; scatterwalk_unmap(p); @@ -242,43 +243,42 @@ static int ccm_encrypt(struct aead_request *req) u8 __aligned(8) mac[AES_BLOCK_SIZE]; u8 buf[AES_BLOCK_SIZE]; u32 len = req->cryptlen; - bool use_neon = may_use_simd(); int err; err = ccm_init_mac(req, mac, len); if (err) return err; - if (likely(use_neon)) - kernel_neon_begin(); - if (req->assoclen) - ccm_calculate_auth_mac(req, mac, use_neon); + ccm_calculate_auth_mac(req, mac); /* preserve the original iv for the final round */ memcpy(buf, req->iv, AES_BLOCK_SIZE); err = skcipher_walk_aead_encrypt(&walk, req, true); - if (likely(use_neon)) { + if (may_use_simd()) { while (walk.nbytes) { u32 tail = walk.nbytes % AES_BLOCK_SIZE; if (walk.nbytes == walk.total) tail = 0; + kernel_neon_begin(); ce_aes_ccm_encrypt(walk.dst.virt.addr, walk.src.virt.addr, walk.nbytes - tail, ctx->key_enc, num_rounds(ctx), mac, walk.iv); + kernel_neon_end(); err = skcipher_walk_done(&walk, tail); } - if (!err) + if (!err) { + kernel_neon_begin(); ce_aes_ccm_final(mac, buf, ctx->key_enc, num_rounds(ctx)); - - kernel_neon_end(); + kernel_neon_end(); + } } else { err = ccm_crypt_fallback(&walk, mac, buf, ctx, true); } @@ -301,43 +301,42 @@ static int ccm_decrypt(struct aead_request *req) u8 __aligned(8) mac[AES_BLOCK_SIZE]; u8 buf[AES_BLOCK_SIZE]; u32 len = req->cryptlen - authsize; - bool use_neon = may_use_simd(); int err; err = ccm_init_mac(req, mac, len); if (err) return err; - if (likely(use_neon)) - kernel_neon_begin(); - if (req->assoclen) - ccm_calculate_auth_mac(req, mac, use_neon); + ccm_calculate_auth_mac(req, mac); /* preserve the original iv for the final round */ memcpy(buf, req->iv, AES_BLOCK_SIZE); err = skcipher_walk_aead_decrypt(&walk, req, true); - if (likely(use_neon)) { + if (may_use_simd()) { while (walk.nbytes) { u32 tail = walk.nbytes % AES_BLOCK_SIZE; if (walk.nbytes == walk.total) tail = 0; + kernel_neon_begin(); ce_aes_ccm_decrypt(walk.dst.virt.addr, walk.src.virt.addr, walk.nbytes - tail, ctx->key_enc, num_rounds(ctx), mac, walk.iv); + kernel_neon_end(); err = skcipher_walk_done(&walk, tail); } - if (!err) + if (!err) { + kernel_neon_begin(); ce_aes_ccm_final(mac, buf, ctx->key_enc, num_rounds(ctx)); - - kernel_neon_end(); + kernel_neon_end(); + } } else { err = ccm_crypt_fallback(&walk, mac, buf, ctx, false); }