| Message ID | 20231127070703.1697-6-jerry.shih@sifive.com (mailing list archive) |
|---|---|
| State | Superseded |
| Headers | show |
| Series | RISC-V: provide some accelerated cryptography implementations using vector extensions | expand |
| Context | Check | Description |
|---|---|---|
| conchuod/vmtest-fixes-PR | fail | merge-conflict |
On Mon, Nov 27, 2023 at 03:06:55PM +0800, Jerry Shih wrote: > The `walksize` assignment is missed in simd skcipher. > > Signed-off-by: Jerry Shih <jerry.shih@sifive.com> > --- > crypto/cryptd.c | 1 + > crypto/simd.c | 1 + > 2 files changed, 2 insertions(+) > > diff --git a/crypto/cryptd.c b/crypto/cryptd.c > index bbcc368b6a55..253d13504ccb 100644 > --- a/crypto/cryptd.c > +++ b/crypto/cryptd.c > @@ -405,6 +405,7 @@ static int cryptd_create_skcipher(struct crypto_template *tmpl, > (alg->base.cra_flags & CRYPTO_ALG_INTERNAL); > inst->alg.ivsize = crypto_skcipher_alg_ivsize(alg); > inst->alg.chunksize = crypto_skcipher_alg_chunksize(alg); > + inst->alg.walksize = crypto_skcipher_alg_walksize(alg); > inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg); > inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg); > > diff --git a/crypto/simd.c b/crypto/simd.c > index edaa479a1ec5..ea0caabf90f1 100644 > --- a/crypto/simd.c > +++ b/crypto/simd.c > @@ -181,6 +181,7 @@ struct simd_skcipher_alg *simd_skcipher_create_compat(const char *algname, > > alg->ivsize = ialg->ivsize; > alg->chunksize = ialg->chunksize; > + alg->walksize = ialg->walksize; > alg->min_keysize = ialg->min_keysize; > alg->max_keysize = ialg->max_keysize; What are the consequences of this bug? I wonder if it actually matters? The "inner" algorithm is the one that actually gets used for the "walk", right? - Eric
On Nov 28, 2023, at 11:58, Eric Biggers <ebiggers@kernel.org> wrote: > On Mon, Nov 27, 2023 at 03:06:55PM +0800, Jerry Shih wrote: >> The `walksize` assignment is missed in simd skcipher. >> >> Signed-off-by: Jerry Shih <jerry.shih@sifive.com> >> --- >> crypto/cryptd.c | 1 + >> crypto/simd.c | 1 + >> 2 files changed, 2 insertions(+) >> >> diff --git a/crypto/cryptd.c b/crypto/cryptd.c >> index bbcc368b6a55..253d13504ccb 100644 >> --- a/crypto/cryptd.c >> +++ b/crypto/cryptd.c >> @@ -405,6 +405,7 @@ static int cryptd_create_skcipher(struct crypto_template *tmpl, >> (alg->base.cra_flags & CRYPTO_ALG_INTERNAL); >> inst->alg.ivsize = crypto_skcipher_alg_ivsize(alg); >> inst->alg.chunksize = crypto_skcipher_alg_chunksize(alg); >> + inst->alg.walksize = crypto_skcipher_alg_walksize(alg); >> inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg); >> inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg); >> >> diff --git a/crypto/simd.c b/crypto/simd.c >> index edaa479a1ec5..ea0caabf90f1 100644 >> --- a/crypto/simd.c >> +++ b/crypto/simd.c >> @@ -181,6 +181,7 @@ struct simd_skcipher_alg *simd_skcipher_create_compat(const char *algname, >> >> alg->ivsize = ialg->ivsize; >> alg->chunksize = ialg->chunksize; >> + alg->walksize = ialg->walksize; >> alg->min_keysize = ialg->min_keysize; >> alg->max_keysize = ialg->max_keysize; > > What are the consequences of this bug? I wonder if it actually matters? The > "inner" algorithm is the one that actually gets used for the "walk", right? > > - Eric Without this, we might still use chunksize or cra_blocksize as the walksize even though we setup with the larger walksize. Here is the code for the walksize default value: static int skcipher_prepare_alg(struct skcipher_alg *alg) { ... if (!alg->chunksize) alg->chunksize = base->cra_blocksize; if (!alg->walksize) alg->walksize = alg->chunksize; And we already have the bigger walksize for x86 aes-xts. .base = { .cra_name = "__xts(aes)", ... }, .walksize = 2 * AES_BLOCK_SIZE, The x86 aes-xts only uses one `walk` to handle the tail elements. It assumes that the walksize contains 2 aes blocks. If walksize is not set correctly, maybe some tail elements is not processed in simd-cipher mode for x86 aes-xts. -Jerry
On Tue, Nov 28, 2023 at 01:38:29PM +0800, Jerry Shih wrote: > On Nov 28, 2023, at 11:58, Eric Biggers <ebiggers@kernel.org> wrote: > > On Mon, Nov 27, 2023 at 03:06:55PM +0800, Jerry Shih wrote: > >> The `walksize` assignment is missed in simd skcipher. > >> > >> Signed-off-by: Jerry Shih <jerry.shih@sifive.com> > >> --- > >> crypto/cryptd.c | 1 + > >> crypto/simd.c | 1 + > >> 2 files changed, 2 insertions(+) > >> > >> diff --git a/crypto/cryptd.c b/crypto/cryptd.c > >> index bbcc368b6a55..253d13504ccb 100644 > >> --- a/crypto/cryptd.c > >> +++ b/crypto/cryptd.c > >> @@ -405,6 +405,7 @@ static int cryptd_create_skcipher(struct crypto_template *tmpl, > >> (alg->base.cra_flags & CRYPTO_ALG_INTERNAL); > >> inst->alg.ivsize = crypto_skcipher_alg_ivsize(alg); > >> inst->alg.chunksize = crypto_skcipher_alg_chunksize(alg); > >> + inst->alg.walksize = crypto_skcipher_alg_walksize(alg); > >> inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg); > >> inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg); > >> > >> diff --git a/crypto/simd.c b/crypto/simd.c > >> index edaa479a1ec5..ea0caabf90f1 100644 > >> --- a/crypto/simd.c > >> +++ b/crypto/simd.c > >> @@ -181,6 +181,7 @@ struct simd_skcipher_alg *simd_skcipher_create_compat(const char *algname, > >> > >> alg->ivsize = ialg->ivsize; > >> alg->chunksize = ialg->chunksize; > >> + alg->walksize = ialg->walksize; > >> alg->min_keysize = ialg->min_keysize; > >> alg->max_keysize = ialg->max_keysize; > > > > What are the consequences of this bug? I wonder if it actually matters? The > > "inner" algorithm is the one that actually gets used for the "walk", right? > > > > - Eric > > Without this, we might still use chunksize or cra_blocksize as the walksize > even though we setup with the larger walksize. > > Here is the code for the walksize default value: > static int skcipher_prepare_alg(struct skcipher_alg *alg) > { > ... > if (!alg->chunksize) > alg->chunksize = base->cra_blocksize; > if (!alg->walksize) > alg->walksize = alg->chunksize; > > And we already have the bigger walksize for x86 aes-xts. > .base = { > .cra_name = "__xts(aes)", > ... > }, > .walksize = 2 * AES_BLOCK_SIZE, > > The x86 aes-xts only uses one `walk` to handle the tail elements. It assumes > that the walksize contains 2 aes blocks. If walksize is not set correctly, maybe > some tail elements is not processed in simd-cipher mode for x86 aes-xts. With the SIMD helper there are three "algorithms": the underlying algorithm, the cryptd algorithm, and the simd algorithm. This patch makes the "walksize" property be propagated from the underlying algorithm to the cryptd and simd algorithms. I don't see how that actually makes a difference, since the only place the skcipher_walk happens is on the underlying algorithm. So it uses the "walksize" from the underlying algorithm, right? - Eric
On Nov 29, 2023, at 01:22, Eric Biggers <ebiggers@kernel.org> wrote: > On Tue, Nov 28, 2023 at 01:38:29PM +0800, Jerry Shih wrote: >> On Nov 28, 2023, at 11:58, Eric Biggers <ebiggers@kernel.org> wrote: >>> On Mon, Nov 27, 2023 at 03:06:55PM +0800, Jerry Shih wrote: >>>> The `walksize` assignment is missed in simd skcipher. >>>> >>>> Signed-off-by: Jerry Shih <jerry.shih@sifive.com> >>>> --- >>>> crypto/cryptd.c | 1 + >>>> crypto/simd.c | 1 + >>>> 2 files changed, 2 insertions(+) >>>> >>>> diff --git a/crypto/cryptd.c b/crypto/cryptd.c >>>> index bbcc368b6a55..253d13504ccb 100644 >>>> --- a/crypto/cryptd.c >>>> +++ b/crypto/cryptd.c >>>> @@ -405,6 +405,7 @@ static int cryptd_create_skcipher(struct crypto_template *tmpl, >>>> (alg->base.cra_flags & CRYPTO_ALG_INTERNAL); >>>> inst->alg.ivsize = crypto_skcipher_alg_ivsize(alg); >>>> inst->alg.chunksize = crypto_skcipher_alg_chunksize(alg); >>>> + inst->alg.walksize = crypto_skcipher_alg_walksize(alg); >>>> inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg); >>>> inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg); >>>> >>>> diff --git a/crypto/simd.c b/crypto/simd.c >>>> index edaa479a1ec5..ea0caabf90f1 100644 >>>> --- a/crypto/simd.c >>>> +++ b/crypto/simd.c >>>> @@ -181,6 +181,7 @@ struct simd_skcipher_alg *simd_skcipher_create_compat(const char *algname, >>>> >>>> alg->ivsize = ialg->ivsize; >>>> alg->chunksize = ialg->chunksize; >>>> + alg->walksize = ialg->walksize; >>>> alg->min_keysize = ialg->min_keysize; >>>> alg->max_keysize = ialg->max_keysize; >>> >>> What are the consequences of this bug? I wonder if it actually matters? The >>> "inner" algorithm is the one that actually gets used for the "walk", right? >>> >>> - Eric >> >> Without this, we might still use chunksize or cra_blocksize as the walksize >> even though we setup with the larger walksize. >> >> Here is the code for the walksize default value: >> static int skcipher_prepare_alg(struct skcipher_alg *alg) >> { >> ... >> if (!alg->chunksize) >> alg->chunksize = base->cra_blocksize; >> if (!alg->walksize) >> alg->walksize = alg->chunksize; >> >> And we already have the bigger walksize for x86 aes-xts. >> .base = { >> .cra_name = "__xts(aes)", >> ... >> }, >> .walksize = 2 * AES_BLOCK_SIZE, >> >> The x86 aes-xts only uses one `walk` to handle the tail elements. It assumes >> that the walksize contains 2 aes blocks. If walksize is not set correctly, maybe >> some tail elements is not processed in simd-cipher mode for x86 aes-xts. > > With the SIMD helper there are three "algorithms": the underlying algorithm, the > cryptd algorithm, and the simd algorithm. This patch makes the "walksize" > property be propagated from the underlying algorithm to the cryptd and simd > algorithms. I don't see how that actually makes a difference, since the only > place the skcipher_walk happens is on the underlying algorithm. So it uses the > "walksize" from the underlying algorithm, right? > > - Eric Yes, you are right. I re-check the cryptd and simd cipher flow. They use the underlying algorithms. So, the actual `walksize` in the underlying algorithm is set by the user in skcipher_alg def. The x86 aes-xts works correctly for both cryptd and simd-cipher case. This patch becomes fixing the `walksize` display error in `/proc/crypto`. The aes-xts skcipher_alg def: ... .ivsize = AES_BLOCK_SIZE, .chunksize = AES_BLOCK_SIZE, .walksize = AES_BLOCK_SIZE * 8, .base = { .cra_flags = CRYPTO_ALG_INTERNAL, .cra_name = "__xts(aes)", .cra_driver_name = "__xts-aes-riscv64-zvkned-zvbb-zvkg", ... }, Without patch: The original skcipher: name : __xts(aes) driver : __xts-aes-riscv64-zvkned-zvbb-zvkg internal : yes async : no ... walksize : 128 The async skcipher registered by simd_register_skciphers_compat: name : xts(aes) driver : xts-aes-riscv64-zvkned-zvbb-zvkg internal : no async : yes ... walksize : 16 ... name : __xts(aes) driver : cryptd(__xts-aes-riscv64-zvkned-zvbb-zvkg) internal : yes async : yes ... walksize : 16 With patch: name : xts(aes) driver : xts-aes-riscv64-zvkned-zvbb-zvkg internal : no async : yes ... walksize : 128 ... name : __xts(aes) driver : cryptd(__xts-aes-riscv64-zvkned-zvbb-zvkg) internal : yes async : yes ... walksize : 128
On Mon, Nov 27, 2023 at 03:06:55PM +0800, Jerry Shih wrote: > The `walksize` assignment is missed in simd skcipher. > > Signed-off-by: Jerry Shih <jerry.shih@sifive.com> > --- > crypto/cryptd.c | 1 + > crypto/simd.c | 1 + > 2 files changed, 2 insertions(+) > > diff --git a/crypto/cryptd.c b/crypto/cryptd.c > index bbcc368b6a55..253d13504ccb 100644 > --- a/crypto/cryptd.c > +++ b/crypto/cryptd.c > @@ -405,6 +405,7 @@ static int cryptd_create_skcipher(struct crypto_template *tmpl, > (alg->base.cra_flags & CRYPTO_ALG_INTERNAL); > inst->alg.ivsize = crypto_skcipher_alg_ivsize(alg); > inst->alg.chunksize = crypto_skcipher_alg_chunksize(alg); > + inst->alg.walksize = crypto_skcipher_alg_walksize(alg); > inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg); > inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg); Sorry but this patch doesn't apply any more now that we have lskcipher.
On Dec 8, 2023, at 12:05, Herbert Xu <herbert@gondor.apana.org.au> wrote: > On Mon, Nov 27, 2023 at 03:06:55PM +0800, Jerry Shih wrote: >> The `walksize` assignment is missed in simd skcipher. >> >> Signed-off-by: Jerry Shih <jerry.shih@sifive.com> >> --- >> crypto/cryptd.c | 1 + >> crypto/simd.c | 1 + >> 2 files changed, 2 insertions(+) >> >> diff --git a/crypto/cryptd.c b/crypto/cryptd.c >> index bbcc368b6a55..253d13504ccb 100644 >> --- a/crypto/cryptd.c >> +++ b/crypto/cryptd.c >> @@ -405,6 +405,7 @@ static int cryptd_create_skcipher(struct crypto_template *tmpl, >> (alg->base.cra_flags & CRYPTO_ALG_INTERNAL); >> inst->alg.ivsize = crypto_skcipher_alg_ivsize(alg); >> inst->alg.chunksize = crypto_skcipher_alg_chunksize(alg); >> + inst->alg.walksize = crypto_skcipher_alg_walksize(alg); >> inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg); >> inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg); > > Sorry but this patch doesn't apply any more now that we have > lskcipher. The lskcipher is merged in kernel `6.7`. I will rebase the v3 series to `6.7` later. Link: https://lore.kernel.org/all/20231205092801.1335-1-jerry.shih@sifive.com/ Some dependent patches are not applicable to `6.7` now. I will check the status for the dependent patches. -Jerry
diff --git a/crypto/cryptd.c b/crypto/cryptd.c index bbcc368b6a55..253d13504ccb 100644 --- a/crypto/cryptd.c +++ b/crypto/cryptd.c @@ -405,6 +405,7 @@ static int cryptd_create_skcipher(struct crypto_template *tmpl, (alg->base.cra_flags & CRYPTO_ALG_INTERNAL); inst->alg.ivsize = crypto_skcipher_alg_ivsize(alg); inst->alg.chunksize = crypto_skcipher_alg_chunksize(alg); + inst->alg.walksize = crypto_skcipher_alg_walksize(alg); inst->alg.min_keysize = crypto_skcipher_alg_min_keysize(alg); inst->alg.max_keysize = crypto_skcipher_alg_max_keysize(alg); diff --git a/crypto/simd.c b/crypto/simd.c index edaa479a1ec5..ea0caabf90f1 100644 --- a/crypto/simd.c +++ b/crypto/simd.c @@ -181,6 +181,7 @@ struct simd_skcipher_alg *simd_skcipher_create_compat(const char *algname, alg->ivsize = ialg->ivsize; alg->chunksize = ialg->chunksize; + alg->walksize = ialg->walksize; alg->min_keysize = ialg->min_keysize; alg->max_keysize = ialg->max_keysize;
The `walksize` assignment is missed in simd skcipher. Signed-off-by: Jerry Shih <jerry.shih@sifive.com> --- crypto/cryptd.c | 1 + crypto/simd.c | 1 + 2 files changed, 2 insertions(+)