From patchwork Fri Aug 2 15:15:08 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ard Biesheuvel X-Patchwork-Id: 170435 Delivered-To: patch@linaro.org Received: by 2002:ac9:2daa:0:0:0:0:0 with SMTP id g42csp1020980oce; Fri, 2 Aug 2019 08:15:38 -0700 (PDT) X-Google-Smtp-Source: APXvYqw/qC0keU+W5IMmvFFPOyfu4uVjYcwlhL+/oG8fYeH31eKdhZ1VZ2m5CSnkgtAeXZrXFVxK X-Received: by 2002:a17:90a:9f0b:: with SMTP id n11mr4700129pjp.98.1564758938118; Fri, 02 Aug 2019 08:15:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564758938; cv=none; d=google.com; s=arc-20160816; b=CV0yFBSaJ33QD5l3AZqaYNqrE0BIrshNeRJvwGF2rfsEpmgm3LC03dYHAKRKgj3WFI Dyk6uHJX2uWkuu49Q++vLQZs7vTnrMuBcbGsFaVmuyEyzPoJDT+E9cHsmT6Coei0Bqpt qmVxl5M4OmIqs2DG2jbHa1tDr9/xbUF6sEtM3tGsbBgrs/XI16D7g1LfpER7Uwbt1wMq LOlfH4hyk8JmwusWsWl/OvuFeF01F/pCCfOCzFXVUJVyMIt69pqW8t9N7FHXcQW1FoFU 6rt+aDQpuSlYJzyY+nsJtV3MM9GtqTE/oy1j6vxqIWSGympc8YTKmJsGLKU2CxysA0Vm 8hmA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature; bh=WBpXCKjdfq1yPU+OJBvQfW6gPuB8RZ7Tc8kFP902ZIM=; b=MAxrPp+tLnXCzGG2nxb+wtnge7y+0KTwqouuedZSBR5cLRFXavUeJbViR03pgoMIHB Ieuw7a97o7chme/7yQiTg30ebySKW+K84Rcepg2IWfkHqJMVJcmHEKKQkhkmXmMiugO4 6B1ya0M31RGjvZaETCwNrZGw8F63pNrE7dOsGRp9yQ1JcLaNn/vurkeeqhRc8mr8qYb5 7InUlPx3MuUfYy68gXzgbtoLUNKgyokhK+17VzHYp9+DmoFE9ZQcVKveXJZw06qlEupi 7Zu/YlCWeLTzZiAAS36bR5vduxwOAVbEAWVSdqohvEpT3Q2EtFi+84cH9SzPoCzl82TJ xHZg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=xAV1eWOX; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x126si66222262pgx.356.2019.08.02.08.15.37; Fri, 02 Aug 2019 08:15:38 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=xAV1eWOX; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726043AbfHBPPh (ORCPT + 3 others); Fri, 2 Aug 2019 11:15:37 -0400 Received: from mail-wr1-f65.google.com ([209.85.221.65]:39972 "EHLO mail-wr1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728719AbfHBPPg (ORCPT ); Fri, 2 Aug 2019 11:15:36 -0400 Received: by mail-wr1-f65.google.com with SMTP id r1so77523917wrl.7 for ; Fri, 02 Aug 2019 08:15:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=WBpXCKjdfq1yPU+OJBvQfW6gPuB8RZ7Tc8kFP902ZIM=; b=xAV1eWOXnKSlyjUUvRgQczTqwhWrBaoCDZpN2QvpQFkUN5fWbg0w46FwfkU4HxyzWJ Its1EPcaWIbX23Dw7v9IphRu1JxcNgVEsDjjOc5F9C8EPW/HLBZAk+vMQvaMqiG79tJ/ FjfAtHvxSr8y4AJE321zj8RzdXGeqLF1Jju1UW0epWiHjo32SIAezDBQs8wA37ffThoH XXtqhONDI8bgRvzrRJNypLOQQUolWdYQdkwNJ6dn1YtM92t/fvz9qmBaFy2RFnKg6q+Q ggYy5epCLi3BG4/INN0u/4fAYr0hasfZlpM0vBXfIc26aL6/H03EgxavxHzh/N6zdVl8 6xUQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=WBpXCKjdfq1yPU+OJBvQfW6gPuB8RZ7Tc8kFP902ZIM=; b=jWqk3bNNAJcWTR2qLDE+zZHYMYuYeM6vtDsBE7iWJbDKF/+Skp+jBLltOHBDQ+9vfu m6bhsmIvGrj7AMMNlXmrKySTxaEg9/9s4sIGux11qAQ26OaVYVTNlL+v0MnPEYdGjZ5k tlySbJ5gkE4lYmiK7VhzH6bz+dTH7guOoYKdaGPEui1FQhdQ2i5tlM983hxVO9QiRGH3 N4rZ3uqKKEgPW9qdOmyVEqi6pvvw2mkR9qeQidw5ROKA69VC41Aej4SjJtkEWnWE++nA TRTqqCWO1+eWtPACgg9QIEXqhvxjcgo7XdwAryrgBJChOHsuBsxxssk5qZMRaj5X9dg6 i4ng== X-Gm-Message-State: APjAAAXsszRF+Iek+jsFwcM8YkIXmNJFIFd+3dvB8z589fS+ZuVcUSWK Jqym1jKsvrI6+T+dFU36E6BilHoeBrvRsg== X-Received: by 2002:a5d:668e:: with SMTP id l14mr89119870wru.156.1564758934848; Fri, 02 Aug 2019 08:15:34 -0700 (PDT) Received: from localhost.localdomain ([2a02:587:a424:b400:cc84:8d83:a434:dd7]) by smtp.gmail.com with ESMTPSA id o3sm63294321wrs.59.2019.08.02.08.15.33 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 02 Aug 2019 08:15:34 -0700 (PDT) From: Ard Biesheuvel To: linux-crypto@vger.kernel.org Cc: herbert@gondor.apana.org.au, ebiggers@kernel.org, Ard Biesheuvel Subject: [PATCH resend 1/3] crypto: aegis128 - add support for SIMD acceleration Date: Fri, 2 Aug 2019 18:15:08 +0300 Message-Id: <20190802151510.17074-2-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190802151510.17074-1-ard.biesheuvel@linaro.org> References: <20190802151510.17074-1-ard.biesheuvel@linaro.org> Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Add some plumbing to allow the AEGIS128 code to be built with SIMD routines for acceleration. Reviewed-by: Ondrej Mosnacek Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu --- crypto/Makefile | 1 + crypto/{aegis128.c => aegis128-core.c} | 52 ++++++++++++++++++-- 2 files changed, 49 insertions(+), 4 deletions(-) -- 2.17.1 diff --git a/crypto/Makefile b/crypto/Makefile index cfcc954e59f9..92e985714ff6 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -90,6 +90,7 @@ obj-$(CONFIG_CRYPTO_GCM) += gcm.o obj-$(CONFIG_CRYPTO_CCM) += ccm.o obj-$(CONFIG_CRYPTO_CHACHA20POLY1305) += chacha20poly1305.o obj-$(CONFIG_CRYPTO_AEGIS128) += aegis128.o +aegis128-y := aegis128-core.o obj-$(CONFIG_CRYPTO_PCRYPT) += pcrypt.o obj-$(CONFIG_CRYPTO_CRYPTD) += cryptd.o obj-$(CONFIG_CRYPTO_DES) += des_generic.o diff --git a/crypto/aegis128.c b/crypto/aegis128-core.c similarity index 89% rename from crypto/aegis128.c rename to crypto/aegis128-core.c index 32840d5e7f65..fa69e99968e2 100644 --- a/crypto/aegis128.c +++ b/crypto/aegis128-core.c @@ -8,6 +8,7 @@ #include #include +#include #include #include #include @@ -16,6 +17,8 @@ #include #include +#include + #include "aegis.h" #define AEGIS128_NONCE_SIZE 16 @@ -40,6 +43,24 @@ struct aegis128_ops { const u8 *src, unsigned int size); }; +static bool have_simd; + +static bool aegis128_do_simd(void) +{ +#ifdef CONFIG_CRYPTO_AEGIS128_SIMD + if (have_simd) + return crypto_simd_usable(); +#endif + return false; +} + +bool crypto_aegis128_have_simd(void); +void crypto_aegis128_update_simd(struct aegis_state *state, const void *msg); +void crypto_aegis128_encrypt_chunk_simd(struct aegis_state *state, u8 *dst, + const u8 *src, unsigned int size); +void crypto_aegis128_decrypt_chunk_simd(struct aegis_state *state, u8 *dst, + const u8 *src, unsigned int size); + static void crypto_aegis128_update(struct aegis_state *state) { union aegis_block tmp; @@ -55,12 +76,22 @@ static void crypto_aegis128_update(struct aegis_state *state) static void crypto_aegis128_update_a(struct aegis_state *state, const union aegis_block *msg) { + if (aegis128_do_simd()) { + crypto_aegis128_update_simd(state, msg); + return; + } + crypto_aegis128_update(state); crypto_aegis_block_xor(&state->blocks[0], msg); } static void crypto_aegis128_update_u(struct aegis_state *state, const void *msg) { + if (aegis128_do_simd()) { + crypto_aegis128_update_simd(state, msg); + return; + } + crypto_aegis128_update(state); crypto_xor(state->blocks[0].bytes, msg, AEGIS_BLOCK_SIZE); } @@ -365,7 +396,7 @@ static void crypto_aegis128_crypt(struct aead_request *req, static int crypto_aegis128_encrypt(struct aead_request *req) { - static const struct aegis128_ops ops = { + const struct aegis128_ops *ops = &(struct aegis128_ops){ .skcipher_walk_init = skcipher_walk_aead_encrypt, .crypt_chunk = crypto_aegis128_encrypt_chunk, }; @@ -375,7 +406,12 @@ static int crypto_aegis128_encrypt(struct aead_request *req) unsigned int authsize = crypto_aead_authsize(tfm); unsigned int cryptlen = req->cryptlen; - crypto_aegis128_crypt(req, &tag, cryptlen, &ops); + if (aegis128_do_simd()) + ops = &(struct aegis128_ops){ + .skcipher_walk_init = skcipher_walk_aead_encrypt, + .crypt_chunk = crypto_aegis128_encrypt_chunk_simd }; + + crypto_aegis128_crypt(req, &tag, cryptlen, ops); scatterwalk_map_and_copy(tag.bytes, req->dst, req->assoclen + cryptlen, authsize, 1); @@ -384,7 +420,7 @@ static int crypto_aegis128_encrypt(struct aead_request *req) static int crypto_aegis128_decrypt(struct aead_request *req) { - static const struct aegis128_ops ops = { + const struct aegis128_ops *ops = &(struct aegis128_ops){ .skcipher_walk_init = skcipher_walk_aead_decrypt, .crypt_chunk = crypto_aegis128_decrypt_chunk, }; @@ -398,7 +434,12 @@ static int crypto_aegis128_decrypt(struct aead_request *req) scatterwalk_map_and_copy(tag.bytes, req->src, req->assoclen + cryptlen, authsize, 0); - crypto_aegis128_crypt(req, &tag, cryptlen, &ops); + if (aegis128_do_simd()) + ops = &(struct aegis128_ops){ + .skcipher_walk_init = skcipher_walk_aead_decrypt, + .crypt_chunk = crypto_aegis128_decrypt_chunk_simd }; + + crypto_aegis128_crypt(req, &tag, cryptlen, ops); return crypto_memneq(tag.bytes, zeros, authsize) ? -EBADMSG : 0; } @@ -429,6 +470,9 @@ static struct aead_alg crypto_aegis128_alg = { static int __init crypto_aegis128_module_init(void) { + if (IS_ENABLED(CONFIG_CRYPTO_AEGIS128_SIMD)) + have_simd = crypto_aegis128_have_simd(); + return crypto_register_aead(&crypto_aegis128_alg); } From patchwork Fri Aug 2 15:15:09 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ard Biesheuvel X-Patchwork-Id: 170436 Delivered-To: patch@linaro.org Received: by 2002:ac9:2daa:0:0:0:0:0 with SMTP id g42csp1021003oce; Fri, 2 Aug 2019 08:15:39 -0700 (PDT) X-Google-Smtp-Source: APXvYqz08R8f6mkZPIyPH2DxQQxMTTLVAIZjJ4pM5yA5VCB3z/pivFegbq0eY3IOVe9AOQFUG4pn X-Received: by 2002:aa7:9819:: with SMTP id e25mr58491969pfl.47.1564758939314; Fri, 02 Aug 2019 08:15:39 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564758939; cv=none; d=google.com; s=arc-20160816; b=sAKlm7UN3sNZk7Aii50ApLb04QJFZjZVbejdTmRECXeQUzrvbpvJIvaWAQrCJ81hGW BUwMuQqlrH2kAHgxQmSpjxCM1ZQvstx2X01hU74AibzefUHu9dxS/bd/mQQyoxVjcrXQ N7QOJ98v7rdfC0NCgIQrd+b4906712A5y/3YzYCtA0RL66TqUftp91ZQcOJgnclswwKg yf5TDH+7bjcDM6YNtWLHF08PgeQEvQ76QEe19dy5P4/Jo7U9z7KVyuBGWBBNrA8embKy HaffbFByNahAqg/lWWxoJuqV4kVcr/UkXkSf6GPmIgRM19Fv93Vc8WVALenWhoqPJfTQ TYuQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature; bh=6MjRlqrn3P70hh91PKjMhPGxJWADii10UYJ6g7r4VNA=; b=DGjb01r61BPKLu3yyXUKC4MpP5LOcQcYGs+KR3cga97NIw0Pq9ExyMG6kekpoY47AM leNpwNZw7iTAOZ38dJxCsKilEJFY1jxDTLI85pG8wLwW3dyzA0LXQgRRUcAPw7BWawHa KQt5nu1dQxA7PpOdz3yT1TQjjdqSneus6g2IwH2N3O5VzyYzFJhYXwB+6v6pC5TqhSFK gfRx0E7PwXbx+dhPmGNrhK7b4BdZjnDo+gj8L6PwopwsKl2uyjN+dIq55WpSg0jy0jU0 5kMb7rEh3FkTuPw2bODzUuavNERxp7uLQLAEkH+7xWdUyf0alOTnhYr1PH4UGLFPWSY5 ATxg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=N5USse0H; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x126si66222262pgx.356.2019.08.02.08.15.39; Fri, 02 Aug 2019 08:15:39 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=N5USse0H; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728719AbfHBPPi (ORCPT + 3 others); Fri, 2 Aug 2019 11:15:38 -0400 Received: from mail-wr1-f65.google.com ([209.85.221.65]:39120 "EHLO mail-wr1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730768AbfHBPPi (ORCPT ); Fri, 2 Aug 2019 11:15:38 -0400 Received: by mail-wr1-f65.google.com with SMTP id x4so24395781wrt.6 for ; Fri, 02 Aug 2019 08:15:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=6MjRlqrn3P70hh91PKjMhPGxJWADii10UYJ6g7r4VNA=; b=N5USse0HRfJTt0ebwWGUI/Lsy8ERDEI0nT4jTq0pGIIjjCHj4UIEzEXjzwp5m90fbl hJH+sMLLCkwvbTCLdODZn6+l8Qoyg7nmsz2PCZD7JeZnOE56wgNiil4LqC8EhajmDt0q l3l9KHjBNxylCG7Pz3o09sp0G26f7XH1fn5+kdXuEyjLeBzliQltFc6QHO0AIwnaVWBm G5Q7QlbLQOzhjOSzrOv302Z5C7lbbJBMOPQv/87XmNKDoIWxv2otEy2k2VHysCZnaax2 IMZLaI/MJBj7lQEHPR0aRoNiOQ6pEjBaWr15SUUe8kcW5KQ/HFCbLiPIyUDdcBPzmrKX gCEQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=6MjRlqrn3P70hh91PKjMhPGxJWADii10UYJ6g7r4VNA=; b=b02/ycXf+l/71m56safKY2O4QF15KX+w8C0s7tIrV+D+aZHS32cIXg5+NOVV91It3m aShjG7iFCGPbOi5+PECaufLv1AkCzAecStp3iH6ecnx6FxSI0y3+dLtmve2blNgLB7Bw 04YK7GrrauZXV4urMpVhg8LieJTt5X9d+/errkhtP3jfngmnGTdQihEwd/XIWe++XKvz 0El19azprqDORM5JiR2zt4FHBgmlkuLsLHW9fQoCOhyuxAtKwBvBJx1WOnk6LKEOKU0X zbf6xNPo6uIcXMA9qkkN2b0mh9OvnHrqSFL2zGLMDm3e3/3r0x5xUwiQTQQ/pu3IdcDm 38qw== X-Gm-Message-State: APjAAAWzxL8EStsF1Kk+0OjtOau00aXse+FWzBE8lKVcIJJdZAu2D8A4 hAQYV6BzXXBxXblemX34AKFfGqS1oIF+kw== X-Received: by 2002:adf:f186:: with SMTP id h6mr19463533wro.274.1564758936393; Fri, 02 Aug 2019 08:15:36 -0700 (PDT) Received: from localhost.localdomain ([2a02:587:a424:b400:cc84:8d83:a434:dd7]) by smtp.gmail.com with ESMTPSA id o3sm63294321wrs.59.2019.08.02.08.15.35 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 02 Aug 2019 08:15:35 -0700 (PDT) From: Ard Biesheuvel To: linux-crypto@vger.kernel.org Cc: herbert@gondor.apana.org.au, ebiggers@kernel.org, Ard Biesheuvel Subject: [PATCH resend 2/3] crypto: aegis128 - provide a SIMD implementation based on NEON intrinsics Date: Fri, 2 Aug 2019 18:15:09 +0300 Message-Id: <20190802151510.17074-3-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190802151510.17074-1-ard.biesheuvel@linaro.org> References: <20190802151510.17074-1-ard.biesheuvel@linaro.org> Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Provide an accelerated implementation of aegis128 by wiring up the SIMD hooks in the generic driver to an implementation based on NEON intrinsics, which can be compiled to both ARM and arm64 code. This results in a performance of 2.2 cycles per byte on Cortex-A53, which is a performance increase of ~11x compared to the generic code. Reviewed-by: Ondrej Mosnacek Signed-off-by: Ard Biesheuvel Signed-off-by: Herbert Xu --- crypto/Kconfig | 5 + crypto/Makefile | 12 ++ crypto/aegis128-neon-inner.c | 151 ++++++++++++++++++++ crypto/aegis128-neon.c | 43 ++++++ 4 files changed, 211 insertions(+) -- 2.17.1 diff --git a/crypto/Kconfig b/crypto/Kconfig index 8880c1fc51d8..455a3354e291 100644 --- a/crypto/Kconfig +++ b/crypto/Kconfig @@ -306,6 +306,11 @@ config CRYPTO_AEGIS128 help Support for the AEGIS-128 dedicated AEAD algorithm. +config CRYPTO_AEGIS128_SIMD + bool "Support SIMD acceleration for AEGIS-128" + depends on CRYPTO_AEGIS128 && ((ARM || ARM64) && KERNEL_MODE_NEON) + default y + config CRYPTO_AEGIS128_AESNI_SSE2 tristate "AEGIS-128 AEAD algorithm (x86_64 AESNI+SSE2 implementation)" depends on X86 && 64BIT diff --git a/crypto/Makefile b/crypto/Makefile index 92e985714ff6..99a9fa9087d1 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -91,6 +91,18 @@ obj-$(CONFIG_CRYPTO_CCM) += ccm.o obj-$(CONFIG_CRYPTO_CHACHA20POLY1305) += chacha20poly1305.o obj-$(CONFIG_CRYPTO_AEGIS128) += aegis128.o aegis128-y := aegis128-core.o + +ifeq ($(ARCH),arm) +CFLAGS_aegis128-neon-inner.o += -ffreestanding -march=armv7-a -mfloat-abi=softfp +CFLAGS_aegis128-neon-inner.o += -mfpu=crypto-neon-fp-armv8 +aegis128-$(CONFIG_CRYPTO_AEGIS128_SIMD) += aegis128-neon.o aegis128-neon-inner.o +endif +ifeq ($(ARCH),arm64) +CFLAGS_aegis128-neon-inner.o += -ffreestanding -mcpu=generic+crypto +CFLAGS_REMOVE_aegis128-neon-inner.o += -mgeneral-regs-only +aegis128-$(CONFIG_CRYPTO_AEGIS128_SIMD) += aegis128-neon.o aegis128-neon-inner.o +endif + obj-$(CONFIG_CRYPTO_PCRYPT) += pcrypt.o obj-$(CONFIG_CRYPTO_CRYPTD) += cryptd.o obj-$(CONFIG_CRYPTO_DES) += des_generic.o diff --git a/crypto/aegis128-neon-inner.c b/crypto/aegis128-neon-inner.c new file mode 100644 index 000000000000..6aca2f425b6d --- /dev/null +++ b/crypto/aegis128-neon-inner.c @@ -0,0 +1,151 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2019 Linaro, Ltd. + */ + +#ifdef CONFIG_ARM64 +#include + +#define AES_ROUND "aese %0.16b, %1.16b \n\t aesmc %0.16b, %0.16b" +#else +#include + +#define AES_ROUND "aese.8 %q0, %q1 \n\t aesmc.8 %q0, %q0" +#endif + +#define AEGIS_BLOCK_SIZE 16 + +#include + +void *memcpy(void *dest, const void *src, size_t n); +void *memset(void *s, int c, size_t n); + +struct aegis128_state { + uint8x16_t v[5]; +}; + +static struct aegis128_state aegis128_load_state_neon(const void *state) +{ + return (struct aegis128_state){ { + vld1q_u8(state), + vld1q_u8(state + 16), + vld1q_u8(state + 32), + vld1q_u8(state + 48), + vld1q_u8(state + 64) + } }; +} + +static void aegis128_save_state_neon(struct aegis128_state st, void *state) +{ + vst1q_u8(state, st.v[0]); + vst1q_u8(state + 16, st.v[1]); + vst1q_u8(state + 32, st.v[2]); + vst1q_u8(state + 48, st.v[3]); + vst1q_u8(state + 64, st.v[4]); +} + +static inline __attribute__((always_inline)) +uint8x16_t aegis_aes_round(uint8x16_t w) +{ + uint8x16_t z = {}; + + /* + * We use inline asm here instead of the vaeseq_u8/vaesmcq_u8 intrinsics + * to force the compiler to issue the aese/aesmc instructions in pairs. + * This is much faster on many cores, where the instruction pair can + * execute in a single cycle. + */ + asm(AES_ROUND : "+w"(w) : "w"(z)); + return w; +} + +static inline __attribute__((always_inline)) +struct aegis128_state aegis128_update_neon(struct aegis128_state st, + uint8x16_t m) +{ + uint8x16_t t; + + t = aegis_aes_round(st.v[3]); + st.v[3] ^= aegis_aes_round(st.v[2]); + st.v[2] ^= aegis_aes_round(st.v[1]); + st.v[1] ^= aegis_aes_round(st.v[0]); + st.v[0] ^= aegis_aes_round(st.v[4]) ^ m; + st.v[4] ^= t; + + return st; +} + +void crypto_aegis128_update_neon(void *state, const void *msg) +{ + struct aegis128_state st = aegis128_load_state_neon(state); + + st = aegis128_update_neon(st, vld1q_u8(msg)); + + aegis128_save_state_neon(st, state); +} + +void crypto_aegis128_encrypt_chunk_neon(void *state, void *dst, const void *src, + unsigned int size) +{ + struct aegis128_state st = aegis128_load_state_neon(state); + uint8x16_t tmp; + + while (size >= AEGIS_BLOCK_SIZE) { + uint8x16_t s = vld1q_u8(src); + + tmp = s ^ st.v[1] ^ (st.v[2] & st.v[3]) ^ st.v[4]; + st = aegis128_update_neon(st, s); + vst1q_u8(dst, tmp); + + size -= AEGIS_BLOCK_SIZE; + src += AEGIS_BLOCK_SIZE; + dst += AEGIS_BLOCK_SIZE; + } + + if (size > 0) { + uint8_t buf[AEGIS_BLOCK_SIZE] = {}; + uint8x16_t msg; + + memcpy(buf, src, size); + msg = vld1q_u8(buf); + tmp = msg ^ st.v[1] ^ (st.v[2] & st.v[3]) ^ st.v[4]; + st = aegis128_update_neon(st, msg); + vst1q_u8(buf, tmp); + memcpy(dst, buf, size); + } + + aegis128_save_state_neon(st, state); +} + +void crypto_aegis128_decrypt_chunk_neon(void *state, void *dst, const void *src, + unsigned int size) +{ + struct aegis128_state st = aegis128_load_state_neon(state); + uint8x16_t tmp; + + while (size >= AEGIS_BLOCK_SIZE) { + tmp = vld1q_u8(src) ^ st.v[1] ^ (st.v[2] & st.v[3]) ^ st.v[4]; + st = aegis128_update_neon(st, tmp); + vst1q_u8(dst, tmp); + + size -= AEGIS_BLOCK_SIZE; + src += AEGIS_BLOCK_SIZE; + dst += AEGIS_BLOCK_SIZE; + } + + if (size > 0) { + uint8_t buf[AEGIS_BLOCK_SIZE] = {}; + uint8x16_t msg; + + memcpy(buf, src, size); + msg = vld1q_u8(buf) ^ st.v[1] ^ (st.v[2] & st.v[3]) ^ st.v[4]; + vst1q_u8(buf, msg); + memcpy(dst, buf, size); + + memset(buf + size, 0, AEGIS_BLOCK_SIZE - size); + msg = vld1q_u8(buf); + st = aegis128_update_neon(st, msg); + } + + aegis128_save_state_neon(st, state); +} diff --git a/crypto/aegis128-neon.c b/crypto/aegis128-neon.c new file mode 100644 index 000000000000..c1c0a1686f67 --- /dev/null +++ b/crypto/aegis128-neon.c @@ -0,0 +1,43 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +/* + * Copyright (C) 2019 Linaro Ltd + */ + +#include +#include + +#include "aegis.h" + +void crypto_aegis128_update_neon(void *state, const void *msg); +void crypto_aegis128_encrypt_chunk_neon(void *state, void *dst, const void *src, + unsigned int size); +void crypto_aegis128_decrypt_chunk_neon(void *state, void *dst, const void *src, + unsigned int size); + +bool crypto_aegis128_have_simd(void) +{ + return cpu_have_feature(cpu_feature(AES)); +} + +void crypto_aegis128_update_simd(union aegis_block *state, const void *msg) +{ + kernel_neon_begin(); + crypto_aegis128_update_neon(state, msg); + kernel_neon_end(); +} + +void crypto_aegis128_encrypt_chunk_simd(union aegis_block *state, u8 *dst, + const u8 *src, unsigned int size) +{ + kernel_neon_begin(); + crypto_aegis128_encrypt_chunk_neon(state, dst, src, size); + kernel_neon_end(); +} + +void crypto_aegis128_decrypt_chunk_simd(union aegis_block *state, u8 *dst, + const u8 *src, unsigned int size) +{ + kernel_neon_begin(); + crypto_aegis128_decrypt_chunk_neon(state, dst, src, size); + kernel_neon_end(); +} From patchwork Fri Aug 2 15:15:10 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Ard Biesheuvel X-Patchwork-Id: 170437 Delivered-To: patch@linaro.org Received: by 2002:ac9:2daa:0:0:0:0:0 with SMTP id g42csp1021643oce; Fri, 2 Aug 2019 08:16:10 -0700 (PDT) X-Google-Smtp-Source: APXvYqzcUagDkanWWJuvR/xyIQsidfiJxgwxOaZBQw3OCNhNWI8friayYFSl9/i6xKDfoTCnphOe X-Received: by 2002:a65:584f:: with SMTP id s15mr107714211pgr.175.1564758970437; Fri, 02 Aug 2019 08:16:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1564758970; cv=none; d=google.com; s=arc-20160816; b=vYCZfHsGg74MxHEVZC1vJN7+heM7IPvuZRNFRSkiMqPFFYdSErQhikdNcK0rzm+SNM F6I/raveho3ftdV8YLe0wtvAbZaReO60jx6B/GRb8xjzkSTMIyKEAlxj9zd9YWhyiC6B mzESTv8GoXnYjKxBMuF90QCDGxATAPczE5daXfrrS8JiyXwjhKK9II/on0w2nE54Ge8l YAJgywUyzH46bHy7woDepFxU6HCexkvQX51k6Etgj6/EkAayzXFTTjgXsM0fNdWURDGi 69GiplPdpQSJ8iAdbDI7o96M9vkPioH78VnpaD1NKg38x1y8TwRTBW3YOHszR6Mk1Rsp rgdw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:in-reply-to:message-id:date :subject:cc:to:from:dkim-signature; bh=TlVvhVRKhldZAjA+dsxP3GAvHSktet3CoiBjkDLc8JY=; b=WHbhTmZqQ/NBWSwfb8xfpJgbdLGIbUIkF9TSN/RFQE6DFXPQkeHtSaG175RoqnCHo8 MLf4fG2Sgq5++wFifKxWdZeltkKTxi0faqS+I6+3Vq3awpdVgwL2qVUrpOHSWew7BlBY XR1uoBs0v8HnxX/8nO5igqodBLVSM9XTtveSi95VsyG5P1trz+LZiCpMwr2g+xTf5jLp EAMWT5/wka/90C/pa/Cl/YZIPBXEI8keTYXxAUHNx10rHR5urqjADnJJSBRBsfvjNvbr c9yCYhCrcjX/RkuRs5pzyL3LwvWBUsXZKf0KJD0jgZCmdREaDRZlwwYsy2I5QJRx5giK 2Xhw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=zo26S0Go; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x13si36691079plr.111.2019.08.02.08.16.10; Fri, 02 Aug 2019 08:16:10 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@linaro.org header.s=google header.b=zo26S0Go; spf=pass (google.com: best guess record for domain of linux-crypto-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2392898AbfHBPQJ (ORCPT + 3 others); Fri, 2 Aug 2019 11:16:09 -0400 Received: from mail-wr1-f66.google.com ([209.85.221.66]:43394 "EHLO mail-wr1-f66.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730768AbfHBPPk (ORCPT ); Fri, 2 Aug 2019 11:15:40 -0400 Received: by mail-wr1-f66.google.com with SMTP id p13so3009125wru.10 for ; Fri, 02 Aug 2019 08:15:38 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; h=from:to:cc:subject:date:message-id:in-reply-to:references; bh=TlVvhVRKhldZAjA+dsxP3GAvHSktet3CoiBjkDLc8JY=; b=zo26S0Go0qqUPlu9DsiOLCEiDOQMgUYzLWsC0x4LLrnJxvx/UTxGD6euyFhCIFdEoo 2pnZfDCr9CqM3wzeP7SoHt2wgki6Rxt2VuYTk8GKXE4Qo2tsiHW0xVKiGQvqEU7YqfxP g+KU7N2YkulYt/eQrYQldeIM0JoluwGpm43QDiz7b1Lv4lZrDvLiX1oQSEmuUrqotlR+ Ke1RTDdvSceeRPUT3dBuka3mJxYCi/+v1X2Ew/Y+PryKb8q1u/YsFMfCb6uMf/vC03fL bxbPQ07D/XOXTKjaDwb8izOVyeZ8ZA9hwsWtLvZo9KN01o2QMmqPzdKrErOduepcvsgY 07Ww== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to :references; bh=TlVvhVRKhldZAjA+dsxP3GAvHSktet3CoiBjkDLc8JY=; b=WuB9ArhyZscfo/sSHbB2I2nIB22Bqx2McA3Oe/hBjROIgQr1h3hq6dbRb1xyxstjMB fPRSh7i6pjvil5v0zEo14l+yCz6cNURl/VRwmmIlYKLAczKN3qMI2EcowDboRHlT4O3h DFcyrbgiMUz3Gt0c73PUTyWYVFo98hkxay5tLiNXh50sUiMsjurB/HF7AbCp0pVUvtw3 nb1uDZoGj2xJHIh2HYEOUsk06/pdIRsG2cnxesi6q3a7qOHCufDsk98WRfau08526iQQ tmaJZuYwYAtuWOahyu8ybXwcv/PBTbUyzBd0zaCmSO3sgBOl8o5M9goTV38i/6ip5kyP /RQg== X-Gm-Message-State: APjAAAVB9MzSrf2DcwSLZvBu5dehYJMidYOHbqJMO9Kipd7IOSTuR9Td L5hhwE7laqleWE56YCHux1AGzoVkSRsBBA== X-Received: by 2002:a5d:46cf:: with SMTP id g15mr10403366wrs.93.1564758937944; Fri, 02 Aug 2019 08:15:37 -0700 (PDT) Received: from localhost.localdomain ([2a02:587:a424:b400:cc84:8d83:a434:dd7]) by smtp.gmail.com with ESMTPSA id o3sm63294321wrs.59.2019.08.02.08.15.36 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 02 Aug 2019 08:15:37 -0700 (PDT) From: Ard Biesheuvel To: linux-crypto@vger.kernel.org Cc: herbert@gondor.apana.org.au, ebiggers@kernel.org, Ard Biesheuvel , Nick Desaulniers Subject: [PATCH RFC 3/3] crypto: arm64/aegis128 - implement plain NEON version Date: Fri, 2 Aug 2019 18:15:10 +0300 Message-Id: <20190802151510.17074-4-ard.biesheuvel@linaro.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20190802151510.17074-1-ard.biesheuvel@linaro.org> References: <20190802151510.17074-1-ard.biesheuvel@linaro.org> Sender: linux-crypto-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org Provide a version of the core AES transform to the aegis128 SIMD code that does not rely on the special AES instructions, but uses plain NEON instructions instead. This allows the SIMD version of the aegis128 driver to be used on arm64 systems that do not implement those instructions (which are not mandatory in the architecture), such as the Raspberry Pi 3. Cc: Nick Desaulniers Signed-off-by: Ard Biesheuvel --- crypto/Makefile | 5 ++ crypto/aegis128-neon-inner.c | 53 ++++++++++++++++++++ crypto/aegis128-neon.c | 16 +++++- 3 files changed, 73 insertions(+), 1 deletion(-) -- 2.17.1 diff --git a/crypto/Makefile b/crypto/Makefile index 99a9fa9087d1..c3760c7616ac 100644 --- a/crypto/Makefile +++ b/crypto/Makefile @@ -99,6 +99,11 @@ aegis128-$(CONFIG_CRYPTO_AEGIS128_SIMD) += aegis128-neon.o aegis128-neon-inner.o endif ifeq ($(ARCH),arm64) CFLAGS_aegis128-neon-inner.o += -ffreestanding -mcpu=generic+crypto +CFLAGS_aegis128-neon-inner.o += -ffixed-q14 -ffixed-q15 +CFLAGS_aegis128-neon-inner.o += -ffixed-q16 -ffixed-q17 -ffixed-q18 -ffixed-q19 +CFLAGS_aegis128-neon-inner.o += -ffixed-q20 -ffixed-q21 -ffixed-q22 -ffixed-q23 +CFLAGS_aegis128-neon-inner.o += -ffixed-q24 -ffixed-q25 -ffixed-q26 -ffixed-q27 +CFLAGS_aegis128-neon-inner.o += -ffixed-q28 -ffixed-q29 -ffixed-q30 -ffixed-q31 CFLAGS_REMOVE_aegis128-neon-inner.o += -mgeneral-regs-only aegis128-$(CONFIG_CRYPTO_AEGIS128_SIMD) += aegis128-neon.o aegis128-neon-inner.o endif diff --git a/crypto/aegis128-neon-inner.c b/crypto/aegis128-neon-inner.c index 6aca2f425b6d..7aa4cef3c2de 100644 --- a/crypto/aegis128-neon-inner.c +++ b/crypto/aegis128-neon-inner.c @@ -17,6 +17,8 @@ #include +extern int aegis128_have_aes_insn; + void *memcpy(void *dest, const void *src, size_t n); void *memset(void *s, int c, size_t n); @@ -49,6 +51,32 @@ uint8x16_t aegis_aes_round(uint8x16_t w) { uint8x16_t z = {}; +#ifdef CONFIG_ARM64 + if (!__builtin_expect(aegis128_have_aes_insn, 1)) { + uint8x16_t v; + + // shift rows + asm("tbl %0.16b, {%0.16b}, v14.16b" : "+w"(w)); + + // sub bytes + asm("tbl %0.16b, {v16.16b-v19.16b}, %1.16b" : "=w"(v) : "w"(w)); + w -= 0x40; + asm("tbx %0.16b, {v20.16b-v23.16b}, %1.16b" : "+w"(v) : "w"(w)); + w -= 0x40; + asm("tbx %0.16b, {v24.16b-v27.16b}, %1.16b" : "+w"(v) : "w"(w)); + w -= 0x40; + asm("tbx %0.16b, {v28.16b-v31.16b}, %1.16b" : "+w"(v) : "w"(w)); + + // mix columns + w = (v << 1) ^ (uint8x16_t)(((int8x16_t)v >> 7) & 0x1b); + w ^= (uint8x16_t)vrev32q_u16((uint16x8_t)v); + asm("tbl %0.16b, {%1.16b}, v15.16b" : "=w"(v) : "w"(v ^ w)); + w ^= v; + + return w; + } +#endif + /* * We use inline asm here instead of the vaeseq_u8/vaesmcq_u8 intrinsics * to force the compiler to issue the aese/aesmc instructions in pairs. @@ -149,3 +177,28 @@ void crypto_aegis128_decrypt_chunk_neon(void *state, void *dst, const void *src, aegis128_save_state_neon(st, state); } + +#ifdef CONFIG_ARM64 +void crypto_aegis128_init_neon(void) +{ + u64 tmp; + + asm volatile( + "adrp %0, crypto_aes_sbox \n\t" + "add %0, %0, :lo12:crypto_aes_sbox \n\t" + "mov v14.16b, %1.16b \n\t" + "mov v15.16b, %2.16b \n\t" + "ld1 {v16.16b-v19.16b}, [%0], #64 \n\t" + "ld1 {v20.16b-v23.16b}, [%0], #64 \n\t" + "ld1 {v24.16b-v27.16b}, [%0], #64 \n\t" + "ld1 {v28.16b-v31.16b}, [%0] \n\t" + : "=&r"(tmp) + : "w"((uint8x16_t){ // shift rows permutation vector + 0x0, 0x5, 0xa, 0xf, 0x4, 0x9, 0xe, 0x3, + 0x8, 0xd, 0x2, 0x7, 0xc, 0x1, 0x6, 0xb, }), + "w"((uint8x16_t){ // ror32 permutation vector + 0x1, 0x2, 0x3, 0x0, 0x5, 0x6, 0x7, 0x4, + 0x9, 0xa, 0xb, 0x8, 0xd, 0xe, 0xf, 0xc, }) + ); +} +#endif diff --git a/crypto/aegis128-neon.c b/crypto/aegis128-neon.c index c1c0a1686f67..72f9d48e4963 100644 --- a/crypto/aegis128-neon.c +++ b/crypto/aegis128-neon.c @@ -14,14 +14,24 @@ void crypto_aegis128_encrypt_chunk_neon(void *state, void *dst, const void *src, void crypto_aegis128_decrypt_chunk_neon(void *state, void *dst, const void *src, unsigned int size); +void crypto_aegis128_init_neon(void); + +int aegis128_have_aes_insn __ro_after_init; + bool crypto_aegis128_have_simd(void) { - return cpu_have_feature(cpu_feature(AES)); + if (cpu_have_feature(cpu_feature(AES))) { + aegis128_have_aes_insn = 1; + return true; + } + return IS_ENABLED(CONFIG_ARM64); } void crypto_aegis128_update_simd(union aegis_block *state, const void *msg) { kernel_neon_begin(); + if (IS_ENABLED(CONFIG_ARM64) && !aegis128_have_aes_insn) + crypto_aegis128_init_neon(); crypto_aegis128_update_neon(state, msg); kernel_neon_end(); } @@ -30,6 +40,8 @@ void crypto_aegis128_encrypt_chunk_simd(union aegis_block *state, u8 *dst, const u8 *src, unsigned int size) { kernel_neon_begin(); + if (IS_ENABLED(CONFIG_ARM64) && !aegis128_have_aes_insn) + crypto_aegis128_init_neon(); crypto_aegis128_encrypt_chunk_neon(state, dst, src, size); kernel_neon_end(); } @@ -38,6 +50,8 @@ void crypto_aegis128_decrypt_chunk_simd(union aegis_block *state, u8 *dst, const u8 *src, unsigned int size) { kernel_neon_begin(); + if (IS_ENABLED(CONFIG_ARM64) && !aegis128_have_aes_insn) + crypto_aegis128_init_neon(); crypto_aegis128_decrypt_chunk_neon(state, dst, src, size); kernel_neon_end(); }