From patchwork Wed Dec 6 19:43:28 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ard Biesheuvel X-Patchwork-Id: 120885 Delivered-To: patch@linaro.org Received: by 10.140.22.227 with SMTP id 90csp7468429qgn; Wed, 6 Dec 2017 11:44:05 -0800 (PST) X-Google-Smtp-Source: AGs4zMYkKVjMM0AWtjQgkgjMOMDj2AY+58I7Vbp4pWyj1y1eRoyBXwXMw5ruPy6L7tdyabf1Ruit X-Received: by 10.84.137.129 with SMTP id 1mr23676068pln.169.1512589445129; Wed, 06 Dec 2017 11:44:05 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1512589445; cv=none; d=google.com; s=arc-20160816; b=kdSzsyJFlyi7grco2co6Kt7ZT0VoQIKoaFG3D8zQIg6D+OmlA/gUe9xHfbs5GGxKK9 XJv+26S9Mb/I2L4uHYNLF2haC2VRhXxH1+pYRKgvJFCO3aRFPv5iXeLnL7LOQwkhdKfk cCC+MyHpJqnAuXh8Z9Y6zEsO4DewHs5beIePxfjL5WdfmKOInoi/KmnOkvWooxNHDDe2 9AcTqCsPH9cCSmxjrNhT7Vx7Xxw7ShAKp8H5TMcWayZwHI3/Yperx8SQRl2Lxwbid0SJ p04pPuJenBeOa6KFhPOwjwRgsjK95WBhK+7qtmAcE0Oh+OI8fGJiu3psWgZ2wTVvHjx3 o+GA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=LihVXBSIHLub8TadiGHOcXJbFC4M3p/6b/xh6SsRLz4=; b=orplhWVU4wuU3ikXJ3KVMwpomqsFD20/a8xkzRbxGzulPV9mfrCh8dc/JzETiVKvtD 1BgPzJgJnb7urH23OpSMIuEeBAjpdAY5luFC6knC1Ma+yQoh8J2iF2kh6jHXbYYWPBdU h+FYBhVkh/Vca7K3rqbYZ2q0WSwf5T/d1pUXLUkwDqnPhKu56q5/ZqeOu3x5WRXI5cu5 oJfuMEBVG64aVLRq9L0+jhXsQQlCJqHlRfdZZcisXNzULMhOw6eHO4X+bDD8O2iI39iw kQIpFF3/yvSftDcagiI5PXzDScjYU6ciI1PDkpj34LyujV9mRcVgKZibgLhVVqT3O769 4yVA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=EwgEL2CI; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 31si2517485plz.160.2017.12.06.11.44.04; Wed, 06 Dec 2017 11:44:05 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=EwgEL2CI; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752034AbdLFToC (ORCPT + 1 other); Wed, 6 Dec 2017 14:44:02 -0500 Received: from mail-wm0-f66.google.com ([74.125.82.66]:38453 "EHLO mail-wm0-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751718AbdLFToA (ORCPT ); Wed, 6 Dec 2017 14:44:00 -0500 Received: by mail-wm0-f66.google.com with SMTP id 64so9076569wme.3 for ; Wed, 06 Dec 2017 11:44:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=LihVXBSIHLub8TadiGHOcXJbFC4M3p/6b/xh6SsRLz4=; b=EwgEL2CI96sQSEb3dva1pqFjHxBL8CW4DLJl5vkDrs/BMP1RW5U9ro/8I7oTaKYNMF 7t8Oa2uEYNCiG4L8Hc/T2WsSuwTPz7dgAtXHfi1OcPbH7AF13GQQejmORV9wyWO+JfsP 5wQ36ADgD9UrXX9PlRZ2GRy00D/BklS7CUIu4= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=LihVXBSIHLub8TadiGHOcXJbFC4M3p/6b/xh6SsRLz4=; b=RBb6Tt9mMf8u3QwIvDSEHsUBWQGBS0x1Q8KYgDUvBWdl8o7j8rBPQPB1JIOuyOCyah yStkenemrJ6Slv16op3I2Sv2mtMp5iLEy9U3ipvU/s+KvJhkw+PD3XFVTOq+xmYp5OKR TCAwephTlRsGAidMBmJD+Gihrm+Gsv//GfViF0ZTeNqS1LwZx82CfiR3qW1BSgvi9Kpn SncuJxwYKpLRIiXLD9JXWMKmarygb5N/W0Bz0QEkyzkLmGA0tz6drHtFNl+PU7ZBIdrA 7vK2SLUeWAoMfyC8XFt1xifjc5av6+Ii4YmKXz7pXOZF93qDksVQRGgvyDPj14XnY+i1 4euQ== X-Gm-Message-State: AKGB3mIVeazVg4Loo8oDmCOKgHSjRKrQH1tSwI4tBJU1ZF5ris2NjYd6 d/+9g7ItQC+LvBtJaMEXLJZNwQInjlo= X-Received: by 10.28.212.137 with SMTP id l131mr8548865wmg.32.1512589439392; Wed, 06 Dec 2017 11:43:59 -0800 (PST) Received: from localhost.localdomain ([105.150.171.234]) by smtp.gmail.com with ESMTPSA id b66sm3596594wmh.32.2017.12.06.11.43.56 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 06 Dec 2017 11:43:58 -0800 (PST) From: Ard Biesheuvel To: linux-crypto@vger.kernel.org Cc: herbert@gondor.apana.org.au, linux-arm-kernel@lists.infradead.org, Ard Biesheuvel , Dave Martin , Russell King - ARM Linux , Sebastian Andrzej Siewior , Mark Rutland , linux-rt-users@vger.kernel.org, Peter Zijlstra , Catalin Marinas , Will Deacon , Steven Rostedt , Thomas Gleixner Subject: [PATCH v3 02/20] crypto: arm64/aes-ce-ccm - move kernel mode neon en/disable into loop Date: Wed, 6 Dec 2017 19:43:28 +0000 Message-Id: <20171206194346.24393-3-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20171206194346.24393-1-ard.biesheuvel@linaro.org> References: <20171206194346.24393-1-ard.biesheuvel@linaro.org> Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org When kernel mode NEON was first introduced on arm64, the preserve and restore of the userland NEON state was completely unoptimized, and involved saving all registers on each call to kernel_neon_begin(), and restoring them on each call to kernel_neon_end(). For this reason, the NEON crypto code that was introduced at the time keeps the NEON enabled throughout the execution of the crypto API methods, which may include calls back into the crypto API that could result in memory allocation or other actions that we should avoid when running with preemption disabled. Since then, we have optimized the kernel mode NEON handling, which now restores lazily (upon return to userland), and so the preserve action is only costly the first time it is called after entering the kernel. So let's put the kernel_neon_begin() and kernel_neon_end() calls around the actual invocations of the NEON crypto code, and run the remainder of the code with kernel mode NEON disabled (and preemption enabled) Signed-off-by: Ard Biesheuvel --- arch/arm64/crypto/aes-ce-ccm-glue.c | 47 ++++++++++---------- 1 file changed, 23 insertions(+), 24 deletions(-) -- 2.11.0 diff --git a/arch/arm64/crypto/aes-ce-ccm-glue.c b/arch/arm64/crypto/aes-ce-ccm-glue.c index a1254036f2b1..68b11aa690e4 100644 --- a/arch/arm64/crypto/aes-ce-ccm-glue.c +++ b/arch/arm64/crypto/aes-ce-ccm-glue.c @@ -107,11 +107,13 @@ static int ccm_init_mac(struct aead_request *req, u8 maciv[], u32 msglen) } static void ccm_update_mac(struct crypto_aes_ctx *key, u8 mac[], u8 const in[], - u32 abytes, u32 *macp, bool use_neon) + u32 abytes, u32 *macp) { - if (likely(use_neon)) { + if (may_use_simd()) { + kernel_neon_begin(); ce_aes_ccm_auth_data(mac, in, abytes, macp, key->key_enc, num_rounds(key)); + kernel_neon_end(); } else { if (*macp > 0 && *macp < AES_BLOCK_SIZE) { int added = min(abytes, AES_BLOCK_SIZE - *macp); @@ -143,8 +145,7 @@ static void ccm_update_mac(struct crypto_aes_ctx *key, u8 mac[], u8 const in[], } } -static void ccm_calculate_auth_mac(struct aead_request *req, u8 mac[], - bool use_neon) +static void ccm_calculate_auth_mac(struct aead_request *req, u8 mac[]) { struct crypto_aead *aead = crypto_aead_reqtfm(req); struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead); @@ -163,7 +164,7 @@ static void ccm_calculate_auth_mac(struct aead_request *req, u8 mac[], ltag.len = 6; } - ccm_update_mac(ctx, mac, (u8 *)<ag, ltag.len, &macp, use_neon); + ccm_update_mac(ctx, mac, (u8 *)<ag, ltag.len, &macp); scatterwalk_start(&walk, req->src); do { @@ -175,7 +176,7 @@ static void ccm_calculate_auth_mac(struct aead_request *req, u8 mac[], n = scatterwalk_clamp(&walk, len); } p = scatterwalk_map(&walk); - ccm_update_mac(ctx, mac, p, n, &macp, use_neon); + ccm_update_mac(ctx, mac, p, n, &macp); len -= n; scatterwalk_unmap(p); @@ -242,43 +243,42 @@ static int ccm_encrypt(struct aead_request *req) u8 __aligned(8) mac[AES_BLOCK_SIZE]; u8 buf[AES_BLOCK_SIZE]; u32 len = req->cryptlen; - bool use_neon = may_use_simd(); int err; err = ccm_init_mac(req, mac, len); if (err) return err; - if (likely(use_neon)) - kernel_neon_begin(); - if (req->assoclen) - ccm_calculate_auth_mac(req, mac, use_neon); + ccm_calculate_auth_mac(req, mac); /* preserve the original iv for the final round */ memcpy(buf, req->iv, AES_BLOCK_SIZE); err = skcipher_walk_aead_encrypt(&walk, req, true); - if (likely(use_neon)) { + if (may_use_simd()) { while (walk.nbytes) { u32 tail = walk.nbytes % AES_BLOCK_SIZE; if (walk.nbytes == walk.total) tail = 0; + kernel_neon_begin(); ce_aes_ccm_encrypt(walk.dst.virt.addr, walk.src.virt.addr, walk.nbytes - tail, ctx->key_enc, num_rounds(ctx), mac, walk.iv); + kernel_neon_end(); err = skcipher_walk_done(&walk, tail); } - if (!err) + if (!err) { + kernel_neon_begin(); ce_aes_ccm_final(mac, buf, ctx->key_enc, num_rounds(ctx)); - - kernel_neon_end(); + kernel_neon_end(); + } } else { err = ccm_crypt_fallback(&walk, mac, buf, ctx, true); } @@ -301,43 +301,42 @@ static int ccm_decrypt(struct aead_request *req) u8 __aligned(8) mac[AES_BLOCK_SIZE]; u8 buf[AES_BLOCK_SIZE]; u32 len = req->cryptlen - authsize; - bool use_neon = may_use_simd(); int err; err = ccm_init_mac(req, mac, len); if (err) return err; - if (likely(use_neon)) - kernel_neon_begin(); - if (req->assoclen) - ccm_calculate_auth_mac(req, mac, use_neon); + ccm_calculate_auth_mac(req, mac); /* preserve the original iv for the final round */ memcpy(buf, req->iv, AES_BLOCK_SIZE); err = skcipher_walk_aead_decrypt(&walk, req, true); - if (likely(use_neon)) { + if (may_use_simd()) { while (walk.nbytes) { u32 tail = walk.nbytes % AES_BLOCK_SIZE; if (walk.nbytes == walk.total) tail = 0; + kernel_neon_begin(); ce_aes_ccm_decrypt(walk.dst.virt.addr, walk.src.virt.addr, walk.nbytes - tail, ctx->key_enc, num_rounds(ctx), mac, walk.iv); + kernel_neon_end(); err = skcipher_walk_done(&walk, tail); } - if (!err) + if (!err) { + kernel_neon_begin(); ce_aes_ccm_final(mac, buf, ctx->key_enc, num_rounds(ctx)); - - kernel_neon_end(); + kernel_neon_end(); + } } else { err = ccm_crypt_fallback(&walk, mac, buf, ctx, false); }