From patchwork Wed Dec 6 19:43:30 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ard Biesheuvel X-Patchwork-Id: 120887 Delivered-To: patch@linaro.org Received: by 10.140.22.227 with SMTP id 90csp7468516qgn; Wed, 6 Dec 2017 11:44:11 -0800 (PST) X-Google-Smtp-Source: AGs4zMbM2k2+Y8TzZv5k62NqaYdylXq/5kPb+8WSnoHfAFj4yfCg7WImWwU8mbiqb7wzIGcEa0bA X-Received: by 10.159.204.148 with SMTP id t20mr23082132plo.433.1512589450999; Wed, 06 Dec 2017 11:44:10 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1512589450; cv=none; d=google.com; s=arc-20160816; b=khljpgCb9IqEJ1jt2dAq1vsoY8bFu84+oGDHmr/czr6lCEOX5fbK4B1WTlCX3qr4xS zxp6R4pYBFMeSspAE2/beTE+z2nWSGtB4EjQHdFY60QKRhLo19P0DGqI9kZvmEPIFTMe 5++yEFI30qacD1ZsO/sQ5QQnv6VszjTus4Cl34PWcuwNp7ljAXLd2o6cRylgc55qUTyk 0f8MjOjwF6+nvaEmLnIgKJ8/IJX5d2iK8BhZB+skY4UM8CsCHheSfxp2MVunw4ztfrlQ cLpYkgUyZKBfqckhVUQ5EB+LEEKm9G3okZJ2IF7c83iiQxhvIC+hRsrx5SBu/lHO73CX ezGQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature:arc-authentication-results; bh=siDqjuKDSU5MVSI0X6LMwRScVHyvLRBVTI5yU5S7QOs=; b=EyB7PaXK9Vho0Ht38fFwNcptH485D9w4GySwulYSjR23oqflv6cTWI2U5RbpU3g23+ udhSPstIGE6yT1/xNqReP1nkGfiet7NDxS9E3nKvyF5MOPC4C2rfLMImGzfavQOiLFwe HDjB/CXyjbCk6yP4XgTvAtyw/WZs9qP25Anqz2PKOfjQQHidL23cIKKq1hBvrAxMGAMi SRDGfwXy64MCjoUbyZxU68rYu0bFPBVQdZ2/zoICUwRtQq+qrHyhBRBXqfdZyWPJFbnh qCErobzPz7XZQefkQRDrvie8WwF6q7CNo9/HoNy86WD0MWea9cOYzHo5iFDAyetvq44M y+oQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=S2QaAuwe; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i16si2382524pgv.496.2017.12.06.11.44.10; Wed, 06 Dec 2017 11:44:10 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=S2QaAuwe; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752050AbdLFToJ (ORCPT + 1 other); Wed, 6 Dec 2017 14:44:09 -0500 Received: from mail-wr0-f193.google.com ([209.85.128.193]:46897 "EHLO mail-wr0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752119AbdLFToH (ORCPT ); Wed, 6 Dec 2017 14:44:07 -0500 Received: by mail-wr0-f193.google.com with SMTP id x49so5090772wrb.13 for ; Wed, 06 Dec 2017 11:44:06 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=siDqjuKDSU5MVSI0X6LMwRScVHyvLRBVTI5yU5S7QOs=; b=S2QaAuweBd+cSO3Xh3zeavmwPelMzFmQgvhtK5UL+NLTdAz3wb5GSNGfLukH6sbU9p oflZAR5ldhJLUK6XD0AUusmIHVcr/YNq9ZSB0qaJNVFRw+SH9OGiCMFtkVadGy7qcX8O m5Wt5PsbA/phivAG729ap4EjBeprqA2Zv0mfM= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=siDqjuKDSU5MVSI0X6LMwRScVHyvLRBVTI5yU5S7QOs=; b=IprD7t/YSAwUAEYabfatv5Yts7mXumyTp9qmGpofBzG3G3TKRQdKa3SZwHjgoRLqEl DbwpiMTSHh+2zkz393L9YATVXp4T/f6gSEZeLFLr1pZ1UfWrNfOq4Yj0B+aFWfwZa6s/ UifyYrQnQZYLZB2QeT3pjSi5paF+LgaGbzQ6lzSRNKHWLQUu4uXTjVQ9ChjAZ9y6tHsh u/kpkR6j1XEVAc3id5smRADs1aoruYJydVaczoxpvSg0d4QdpsbqsaOZU2zqDE1SRPnn vwepXzWUZc5X5vQYIpZcFC1HqpUh0LRfMaRcF8mJ7mkDM3qb+GJeJb79VJyn9aqK9Zrr xYqg== X-Gm-Message-State: AJaThX6jgb1UjjlVol2PAFe3dBWVYwqTeP9mQ2ESOqDbC+hX3CGIxph+ f1tCrv3tEYmp2lXtTT16QvusdmDlnY8= X-Received: by 10.223.178.87 with SMTP id y23mr19221326wra.3.1512589445993; Wed, 06 Dec 2017 11:44:05 -0800 (PST) Received: from localhost.localdomain ([105.150.171.234]) by smtp.gmail.com with ESMTPSA id b66sm3596594wmh.32.2017.12.06.11.44.02 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 06 Dec 2017 11:44:05 -0800 (PST) From: Ard Biesheuvel To: linux-crypto@vger.kernel.org Cc: herbert@gondor.apana.org.au, linux-arm-kernel@lists.infradead.org, Ard Biesheuvel , Dave Martin , Russell King - ARM Linux , Sebastian Andrzej Siewior , Mark Rutland , linux-rt-users@vger.kernel.org, Peter Zijlstra , Catalin Marinas , Will Deacon , Steven Rostedt , Thomas Gleixner Subject: [PATCH v3 04/20] crypto: arm64/aes-bs - move kernel mode neon en/disable into loop Date: Wed, 6 Dec 2017 19:43:30 +0000 Message-Id: <20171206194346.24393-5-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 2.11.0 In-Reply-To: <20171206194346.24393-1-ard.biesheuvel@linaro.org> References: <20171206194346.24393-1-ard.biesheuvel@linaro.org> Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org When kernel mode NEON was first introduced on arm64, the preserve and restore of the userland NEON state was completely unoptimized, and involved saving all registers on each call to kernel_neon_begin(), and restoring them on each call to kernel_neon_end(). For this reason, the NEON crypto code that was introduced at the time keeps the NEON enabled throughout the execution of the crypto API methods, which may include calls back into the crypto API that could result in memory allocation or other actions that we should avoid when running with preemption disabled. Since then, we have optimized the kernel mode NEON handling, which now restores lazily (upon return to userland), and so the preserve action is only costly the first time it is called after entering the kernel. So let's put the kernel_neon_begin() and kernel_neon_end() calls around the actual invocations of the NEON crypto code, and run the remainder of the code with kernel mode NEON disabled (and preemption enabled) Signed-off-by: Ard Biesheuvel --- arch/arm64/crypto/aes-neonbs-glue.c | 36 +++++++++----------- 1 file changed, 17 insertions(+), 19 deletions(-) -- 2.11.0 diff --git a/arch/arm64/crypto/aes-neonbs-glue.c b/arch/arm64/crypto/aes-neonbs-glue.c index 9d823c77ec84..e7a95a566462 100644 --- a/arch/arm64/crypto/aes-neonbs-glue.c +++ b/arch/arm64/crypto/aes-neonbs-glue.c @@ -99,9 +99,8 @@ static int __ecb_crypt(struct skcipher_request *req, struct skcipher_walk walk; int err; - err = skcipher_walk_virt(&walk, req, true); + err = skcipher_walk_virt(&walk, req, false); - kernel_neon_begin(); while (walk.nbytes >= AES_BLOCK_SIZE) { unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE; @@ -109,12 +108,13 @@ static int __ecb_crypt(struct skcipher_request *req, blocks = round_down(blocks, walk.stride / AES_BLOCK_SIZE); + kernel_neon_begin(); fn(walk.dst.virt.addr, walk.src.virt.addr, ctx->rk, ctx->rounds, blocks); + kernel_neon_end(); err = skcipher_walk_done(&walk, walk.nbytes - blocks * AES_BLOCK_SIZE); } - kernel_neon_end(); return err; } @@ -158,19 +158,19 @@ static int cbc_encrypt(struct skcipher_request *req) struct skcipher_walk walk; int err; - err = skcipher_walk_virt(&walk, req, true); + err = skcipher_walk_virt(&walk, req, false); - kernel_neon_begin(); while (walk.nbytes >= AES_BLOCK_SIZE) { unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE; /* fall back to the non-bitsliced NEON implementation */ + kernel_neon_begin(); neon_aes_cbc_encrypt(walk.dst.virt.addr, walk.src.virt.addr, ctx->enc, ctx->key.rounds, blocks, walk.iv); + kernel_neon_end(); err = skcipher_walk_done(&walk, walk.nbytes % AES_BLOCK_SIZE); } - kernel_neon_end(); return err; } @@ -181,9 +181,8 @@ static int cbc_decrypt(struct skcipher_request *req) struct skcipher_walk walk; int err; - err = skcipher_walk_virt(&walk, req, true); + err = skcipher_walk_virt(&walk, req, false); - kernel_neon_begin(); while (walk.nbytes >= AES_BLOCK_SIZE) { unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE; @@ -191,13 +190,14 @@ static int cbc_decrypt(struct skcipher_request *req) blocks = round_down(blocks, walk.stride / AES_BLOCK_SIZE); + kernel_neon_begin(); aesbs_cbc_decrypt(walk.dst.virt.addr, walk.src.virt.addr, ctx->key.rk, ctx->key.rounds, blocks, walk.iv); + kernel_neon_end(); err = skcipher_walk_done(&walk, walk.nbytes - blocks * AES_BLOCK_SIZE); } - kernel_neon_end(); return err; } @@ -229,9 +229,8 @@ static int ctr_encrypt(struct skcipher_request *req) u8 buf[AES_BLOCK_SIZE]; int err; - err = skcipher_walk_virt(&walk, req, true); + err = skcipher_walk_virt(&walk, req, false); - kernel_neon_begin(); while (walk.nbytes > 0) { unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE; u8 *final = (walk.total % AES_BLOCK_SIZE) ? buf : NULL; @@ -242,8 +241,10 @@ static int ctr_encrypt(struct skcipher_request *req) final = NULL; } + kernel_neon_begin(); aesbs_ctr_encrypt(walk.dst.virt.addr, walk.src.virt.addr, ctx->rk, ctx->rounds, blocks, walk.iv, final); + kernel_neon_end(); if (final) { u8 *dst = walk.dst.virt.addr + blocks * AES_BLOCK_SIZE; @@ -258,8 +259,6 @@ static int ctr_encrypt(struct skcipher_request *req) err = skcipher_walk_done(&walk, walk.nbytes - blocks * AES_BLOCK_SIZE); } - kernel_neon_end(); - return err; } @@ -304,12 +303,11 @@ static int __xts_crypt(struct skcipher_request *req, struct skcipher_walk walk; int err; - err = skcipher_walk_virt(&walk, req, true); + err = skcipher_walk_virt(&walk, req, false); kernel_neon_begin(); - - neon_aes_ecb_encrypt(walk.iv, walk.iv, ctx->twkey, - ctx->key.rounds, 1); + neon_aes_ecb_encrypt(walk.iv, walk.iv, ctx->twkey, ctx->key.rounds, 1); + kernel_neon_end(); while (walk.nbytes >= AES_BLOCK_SIZE) { unsigned int blocks = walk.nbytes / AES_BLOCK_SIZE; @@ -318,13 +316,13 @@ static int __xts_crypt(struct skcipher_request *req, blocks = round_down(blocks, walk.stride / AES_BLOCK_SIZE); + kernel_neon_begin(); fn(walk.dst.virt.addr, walk.src.virt.addr, ctx->key.rk, ctx->key.rounds, blocks, walk.iv); + kernel_neon_end(); err = skcipher_walk_done(&walk, walk.nbytes - blocks * AES_BLOCK_SIZE); } - kernel_neon_end(); - return err; }