From patchwork Tue Dec 26 10:29:22 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Ard Biesheuvel <ard.biesheuvel@linaro.org>
X-Patchwork-Id: 122744
Delivered-To: patch@linaro.org
Received: by 10.140.22.227 with SMTP id 90csp783311qgn;
 Tue, 26 Dec 2017 02:35:38 -0800 (PST)
X-Google-Smtp-Source: ACJfBoumzBO8n9vaa4ywvgTqPrUFnoIAmhBqupL87EIFTZ04w0cJtcUMhtKZDjlDECmkKgwmwiik
X-Received: by 10.98.69.209 with SMTP id n78mr24804704pfi.28.1514284537922; 
 Tue, 26 Dec 2017 02:35:37 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1514284537; cv=none;
 d=google.com; s=arc-20160816;
 b=F6C9M0o89yWJvYmvJFFqk1QWe4ZE+CjrDoTSGNeJPHkYMEFTQ7Lbn1DxkN7B+GoOxU
 73Tv9FXnqFVzitmWY9FjbwhfI+/qLD7HvaN7ahlppx1JFLKWVh0HBL923nk6FAl7oGdq
 aPFcmhElCA6ZL+tmdybGHDjOfK1rapQPRBHrsLklJoFNvfkPyIwMtVzJzSDCZ3X+W6hn
 3FTuqkjsNnWQVfIflHnGhDS4UHO5GbLkR75nnhNaTtR2H0Fp1u2DCmFJR6Tr5cqLqKQG
 RJFaSdeFUyQlMwcKNHaalnHMZ93a5fJ+pFAJfffzIoEa798ubeHzxnMRGT4ckirtumxP
 zaCw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
 s=arc-20160816; 
 h=list-id:precedence:sender:references:in-reply-to:message-id:date
 :subject:cc:to:from:dkim-signature:arc-authentication-results;
 bh=LihVXBSIHLub8TadiGHOcXJbFC4M3p/6b/xh6SsRLz4=;
 b=jAIwIfcudOa/3Hd6iroobZeISgcXHjqzy0JuL2pLXpwvt22vnzGz5kPby6PruzZPK1
 qajgM+0wL5MnrUBe7OvGNyikfpZODBoThvVSegwj7BeHrUFmCJ6gHmCqMAggsTska8fU
 69nGDSqT2nCtRHOigAbQMYJHuhwIrR9GgCnVpoFYTvI0jUnCg+/e7YXt7yt8nJou7ln8
 +YGdJjKue830kkQsdGnKpAmkwL0+1NrIYPoaItpm46NbEH5AgMI0DaV2A/EKYHW1cCaZ
 +aGFnehj8SZges8B3M6uPIZBr+F3+VH/b4tiTVlBjZx/eTkWlQJXmxw+9g3/ozWK9aT7
 bT6Q==
ARC-Authentication-Results: i=1; mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=GTUypmNJ;
 spf=pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
 by mx.google.com with ESMTP id o2si22844765pfj.12.2017.12.26.02.35.37;
 Tue, 26 Dec 2017 02:35:37 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender) client-ip=209.132.180.67; 
Authentication-Results: mx.google.com;
 dkim=pass header.i=@linaro.org header.s=google header.b=GTUypmNJ;
 spf=pass (google.com: best guess record for domain of
 linux-kernel-owner@vger.kernel.org designates 209.132.180.67
 as permitted sender)
 smtp.mailfrom=linux-kernel-owner@vger.kernel.org; 
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
 id S1751522AbdLZKfe (ORCPT <rfc822; dan.rue@linaro.org> + 28 others); 
 Tue, 26 Dec 2017 05:35:34 -0500
Received: from mail-wm0-f67.google.com ([74.125.82.67]:36604 "EHLO
 mail-wm0-f67.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
 with ESMTP id S1750969AbdLZKap (ORCPT
 <rfc822;linux-kernel@vger.kernel.org>);
 Tue, 26 Dec 2017 05:30:45 -0500
Received: by mail-wm0-f67.google.com with SMTP id b76so34573131wmg.1
 for <linux-kernel@vger.kernel.org>;
 Tue, 26 Dec 2017 02:30:44 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linaro.org; s=google; 
 h=from:to:cc:subject:date:message-id:in-reply-to:references;
 bh=LihVXBSIHLub8TadiGHOcXJbFC4M3p/6b/xh6SsRLz4=;
 b=GTUypmNJEn6qKBdRZ8ThyCwAs13gyPvR6UGOG9UXqLNC5DZkBSOR6NOX73B2ae1cFh
 3DA4PF2jeMHJIe4pgV53WH1ioEvz2U0Lr9a1mKWb3xU1NAYnAPnvtHHzjki6qX+yxmRW
 Uc9a0Kj0/iI1qogsoynIjLyer2VH0zbMKgQhQ=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20161025;
 h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
 :references;
 bh=LihVXBSIHLub8TadiGHOcXJbFC4M3p/6b/xh6SsRLz4=;
 b=Y9Tyo5JjkMuBhXaX+VSAlfxAAx8N3+zHNN6qvNadgq1ngfGkZifPPIMk1JuTYVJJxD
 6rwYn4gEJtiXDBOb5h7bTwsHdxwwP6r6ObOwpeBwAYf63I+V9IriPJ4S7I+lld4MTBCc
 c2CDquGVMHPCgJiIm6wHMEju/1CoTvvhi3tZRFK1oER2BiFS0+Bn5YBtdkXMj2bZECqL
 CVZztElHz/a5m9CQkY3ZiCI6oF28cvdw49D+xTBiFA09W3iFNMaUJrrq9h5kKFymRKxj
 gGVApvruP+oxvK3bmEHpnlnHumDy3QLEAM3AXIwAvH3KXQaVVZqO22kttGyp1t+gI+Ci
 PGIw==
X-Gm-Message-State: AKGB3mJDMwyrLE1oq5m+b0WvXnj8qjatTbaMuxCBhmTHlE/evbXj1Y5o
 gJUeGMDnndub7ir2q/rT3wupNaCUpbw=
X-Received: by 10.28.57.11 with SMTP id g11mr21674383wma.92.1514284243781;
 Tue, 26 Dec 2017 02:30:43 -0800 (PST)
Received: from localhost.localdomain ([160.171.216.245])
 by smtp.gmail.com with ESMTPSA id
 l142sm13974036wmb.43.2017.12.26.02.30.40
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
 Tue, 26 Dec 2017 02:30:43 -0800 (PST)
From: Ard Biesheuvel <ard.biesheuvel@linaro.org>
To: linux-kernel@vger.kernel.org
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>,
 Dave Martin <Dave.Martin@arm.com>,
 Russell King - ARM Linux <linux@armlinux.org.uk>,
 Sebastian Andrzej Siewior <bigeasy@linutronix.de>,
 Mark Rutland <mark.rutland@arm.com>, linux-rt-users@vger.kernel.org,
 Peter Zijlstra <peterz@infradead.org>,
 Catalin Marinas <catalin.marinas@arm.com>,
 Will Deacon <will.deacon@arm.com>, Steven Rostedt <rostedt@goodmis.org>,
 Thomas Gleixner <tglx@linutronix.de>
Subject: [PATCH v4 02/20] crypto: arm64/aes-ce-ccm - move kernel mode neon
 en/disable into loop
Date: Tue, 26 Dec 2017 10:29:22 +0000
Message-Id: <20171226102940.26908-3-ard.biesheuvel@linaro.org>
X-Mailer: git-send-email 2.11.0
In-Reply-To: <20171226102940.26908-1-ard.biesheuvel@linaro.org>
References: <20171226102940.26908-1-ard.biesheuvel@linaro.org>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

When kernel mode NEON was first introduced on arm64, the preserve and
restore of the userland NEON state was completely unoptimized, and
involved saving all registers on each call to kernel_neon_begin(),
and restoring them on each call to kernel_neon_end(). For this reason,
the NEON crypto code that was introduced at the time keeps the NEON
enabled throughout the execution of the crypto API methods, which may
include calls back into the crypto API that could result in memory
allocation or other actions that we should avoid when running with
preemption disabled.

Since then, we have optimized the kernel mode NEON handling, which now
restores lazily (upon return to userland), and so the preserve action
is only costly the first time it is called after entering the kernel.

So let's put the kernel_neon_begin() and kernel_neon_end() calls around
the actual invocations of the NEON crypto code, and run the remainder of
the code with kernel mode NEON disabled (and preemption enabled)

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 arch/arm64/crypto/aes-ce-ccm-glue.c | 47 ++++++++++----------
 1 file changed, 23 insertions(+), 24 deletions(-)

-- 
2.11.0

diff --git a/arch/arm64/crypto/aes-ce-ccm-glue.c b/arch/arm64/crypto/aes-ce-ccm-glue.c
index a1254036f2b1..68b11aa690e4 100644
--- a/arch/arm64/crypto/aes-ce-ccm-glue.c
+++ b/arch/arm64/crypto/aes-ce-ccm-glue.c
@@ -107,11 +107,13 @@ static int ccm_init_mac(struct aead_request *req, u8 maciv[], u32 msglen)
 }
 
 static void ccm_update_mac(struct crypto_aes_ctx *key, u8 mac[], u8 const in[],
-			   u32 abytes, u32 *macp, bool use_neon)
+			   u32 abytes, u32 *macp)
 {
-	if (likely(use_neon)) {
+	if (may_use_simd()) {
+		kernel_neon_begin();
 		ce_aes_ccm_auth_data(mac, in, abytes, macp, key->key_enc,
 				     num_rounds(key));
+		kernel_neon_end();
 	} else {
 		if (*macp > 0 && *macp < AES_BLOCK_SIZE) {
 			int added = min(abytes, AES_BLOCK_SIZE - *macp);
@@ -143,8 +145,7 @@ static void ccm_update_mac(struct crypto_aes_ctx *key, u8 mac[], u8 const in[],
 	}
 }
 
-static void ccm_calculate_auth_mac(struct aead_request *req, u8 mac[],
-				   bool use_neon)
+static void ccm_calculate_auth_mac(struct aead_request *req, u8 mac[])
 {
 	struct crypto_aead *aead = crypto_aead_reqtfm(req);
 	struct crypto_aes_ctx *ctx = crypto_aead_ctx(aead);
@@ -163,7 +164,7 @@ static void ccm_calculate_auth_mac(struct aead_request *req, u8 mac[],
 		ltag.len = 6;
 	}
 
-	ccm_update_mac(ctx, mac, (u8 *)&ltag, ltag.len, &macp, use_neon);
+	ccm_update_mac(ctx, mac, (u8 *)&ltag, ltag.len, &macp);
 	scatterwalk_start(&walk, req->src);
 
 	do {
@@ -175,7 +176,7 @@ static void ccm_calculate_auth_mac(struct aead_request *req, u8 mac[],
 			n = scatterwalk_clamp(&walk, len);
 		}
 		p = scatterwalk_map(&walk);
-		ccm_update_mac(ctx, mac, p, n, &macp, use_neon);
+		ccm_update_mac(ctx, mac, p, n, &macp);
 		len -= n;
 
 		scatterwalk_unmap(p);
@@ -242,43 +243,42 @@ static int ccm_encrypt(struct aead_request *req)
 	u8 __aligned(8) mac[AES_BLOCK_SIZE];
 	u8 buf[AES_BLOCK_SIZE];
 	u32 len = req->cryptlen;
-	bool use_neon = may_use_simd();
 	int err;
 
 	err = ccm_init_mac(req, mac, len);
 	if (err)
 		return err;
 
-	if (likely(use_neon))
-		kernel_neon_begin();
-
 	if (req->assoclen)
-		ccm_calculate_auth_mac(req, mac, use_neon);
+		ccm_calculate_auth_mac(req, mac);
 
 	/* preserve the original iv for the final round */
 	memcpy(buf, req->iv, AES_BLOCK_SIZE);
 
 	err = skcipher_walk_aead_encrypt(&walk, req, true);
 
-	if (likely(use_neon)) {
+	if (may_use_simd()) {
 		while (walk.nbytes) {
 			u32 tail = walk.nbytes % AES_BLOCK_SIZE;
 
 			if (walk.nbytes == walk.total)
 				tail = 0;
 
+			kernel_neon_begin();
 			ce_aes_ccm_encrypt(walk.dst.virt.addr,
 					   walk.src.virt.addr,
 					   walk.nbytes - tail, ctx->key_enc,
 					   num_rounds(ctx), mac, walk.iv);
+			kernel_neon_end();
 
 			err = skcipher_walk_done(&walk, tail);
 		}
-		if (!err)
+		if (!err) {
+			kernel_neon_begin();
 			ce_aes_ccm_final(mac, buf, ctx->key_enc,
 					 num_rounds(ctx));
-
-		kernel_neon_end();
+			kernel_neon_end();
+		}
 	} else {
 		err = ccm_crypt_fallback(&walk, mac, buf, ctx, true);
 	}
@@ -301,43 +301,42 @@ static int ccm_decrypt(struct aead_request *req)
 	u8 __aligned(8) mac[AES_BLOCK_SIZE];
 	u8 buf[AES_BLOCK_SIZE];
 	u32 len = req->cryptlen - authsize;
-	bool use_neon = may_use_simd();
 	int err;
 
 	err = ccm_init_mac(req, mac, len);
 	if (err)
 		return err;
 
-	if (likely(use_neon))
-		kernel_neon_begin();
-
 	if (req->assoclen)
-		ccm_calculate_auth_mac(req, mac, use_neon);
+		ccm_calculate_auth_mac(req, mac);
 
 	/* preserve the original iv for the final round */
 	memcpy(buf, req->iv, AES_BLOCK_SIZE);
 
 	err = skcipher_walk_aead_decrypt(&walk, req, true);
 
-	if (likely(use_neon)) {
+	if (may_use_simd()) {
 		while (walk.nbytes) {
 			u32 tail = walk.nbytes % AES_BLOCK_SIZE;
 
 			if (walk.nbytes == walk.total)
 				tail = 0;
 
+			kernel_neon_begin();
 			ce_aes_ccm_decrypt(walk.dst.virt.addr,
 					   walk.src.virt.addr,
 					   walk.nbytes - tail, ctx->key_enc,
 					   num_rounds(ctx), mac, walk.iv);
+			kernel_neon_end();
 
 			err = skcipher_walk_done(&walk, tail);
 		}
-		if (!err)
+		if (!err) {
+			kernel_neon_begin();
 			ce_aes_ccm_final(mac, buf, ctx->key_enc,
 					 num_rounds(ctx));
-
-		kernel_neon_end();
+			kernel_neon_end();
+		}
 	} else {
 		err = ccm_crypt_fallback(&walk, mac, buf, ctx, false);
 	}