Page MenuHomeFreeBSD
Differential D25058

Various optimizations to software AES-CCM and AES-GCM.
ClosedPublic
Actions

Authored by jhb on May 29 2020, 11:28 PM.
Tags
None
Referenced Files
F103152056: D25058.id.diff
Thu, Nov 21, 4:08 PM
Unknown Object (File)
Wed, Nov 20, 9:03 PM
Unknown Object (File)
Tue, Nov 19, 2:15 PM
Unknown Object (File)
Sun, Nov 17, 12:21 PM
Unknown Object (File)
Fri, Nov 15, 2:17 PM
Unknown Object (File)
Fri, Nov 8, 5:35 AM
Unknown Object (File)
Oct 8 2024, 10:55 PM
Unknown Object (File)
Sep 29 2024, 11:04 PM
View All 52 Files
Subscribers
imp

Details

Reviewers
cem
jmg
Commits
rS362135: Various optimizations to software AES-CCM and AES-GCM.
Summary
  • Make use of cursors to avoid data copies for AES-CCM and AES-GCM.

    Pass pointers into the request's input and/or output buffers directly to the Update, encrypt, and decrypt hooks rather than always copying all data into a temporary block buffer on the stack.
  • Use encrypt/decrypt_last for partial blocks which avoids a memset to clear the rest of the block on the stack.
  • Shrink the on-stack buffers to assume AES block sizes and CCM/GCM tag lengths.
  • For AAD data, pass larger chunks to axf->Update. CCM can take each AAD segment in a single call. GMAC can take multiple blocks at a time.
Test Plan
  • cryptocheck and KTLS TX

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

jhb requested review of this revision.May 29 2020, 11:28 PM
jhb created this revision.
Harbormaster completed remote builds in B31382: Diff 72432.May 29 2020, 11:28 PM
jhb added a parent revision: D25057: Explicitly zero potentially sensitive data in software crypto and cxgbe..May 29 2020, 11:30 PM
jhb added a comment.May 29 2020, 11:34 PM

With this change, a simple KTLS TX benchmark using 100% of a 4x2 Haswell box went from ~3.04 Gbps to ~3.20 Gbps. Still paltry, but at least some improvement.

sys/opencrypto/cryptosoft.c
448 ↗(On Diff #72432)

One other thing I didn't mention in the message (should perhaps add it), is that in general I moved the special cases for a final partial block out of the main loop for both AAD and cipher/plain text to avoid conditional zeroing, etc. It also permitted using encrypt_last/decrypt_last and simplified the main loop bodies as they could assume a length of a block.

862 ↗(On Diff #72432)

Not sure if CCM uses "tag" like GCM or of it uses "digest" as the normal name for this. I think I found some other references (perhaps in cbc_mac.c) that made me use "digest" here.

jhb updated this revision to Diff 73046.Jun 12 2020, 10:28 PM
  • Rebase
  • Use 'tag' instead of 'digest' for CCM.
Harbormaster completed remote builds in B31672: Diff 73046.Jun 12 2020, 10:28 PM
jhb updated this revision to Diff 73047.Jun 12 2020, 11:01 PM
  • Rebase
  • Fixes after rebasing.
Harbormaster completed remote builds in B31673: Diff 73047.Jun 12 2020, 11:01 PM
This revision was not accepted when it landed; it landed in state Needs Review.Jun 12 2020, 11:10 PM
Closed by commit rS362135: Various optimizations to software AES-CCM and AES-GCM. (authored by jhb). · Explain Why
This revision was automatically updated to reflect the committed changes.
jhb added a commit: rS362135: Various optimizations to software AES-CCM and AES-GCM..
Herald added a reviewer: jmg. · View Herald TranscriptJun 12 2020, 11:10 PM
Herald added a subscriber: imp. · View Herald Transcript

Revision Contents
Changeset List

PathSize
head/
sys/
opencrypto/
323 lines

Diff 73048

View Options

head/sys/opencrypto/cryptosoft.c

Loading...