Re: [PATCH 2/2] crypto: DRBG - use caller buffer if suitable
On Fri, Jul 20, 2018 at 07:09:05AM +0200, Stephan Mueller wrote: > > Maybe I have a different understanding of how such interface should look like. > > Can you give me some more detail on how you envision such virtual address > interface should work? It should look like shash. Cheers, -- Email: Herbert Xu Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Re: [PATCH 2/2] crypto: DRBG - use caller buffer if suitable
On Fri, Jul 20, 2018 at 08:08:22AM +0200, Stephan Mueller wrote: > > - should it be synchronous like blkcipher? It should be synchronous. > - the TFMs (cipher Impls and templates) all operate on SGLs - should a virt > API simply convert a virt address into an SGL? If so, the problem that > triggered this thread is still not solved but only pushed to a different > layer. If it should not just be an SGL wrapper, should all TFMs be changed? Obviously if we're going to do this then we would be converting the underlying algorithms over to the virtual address-based interface just like shash. Cheers, -- Email: Herbert Xu Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Re: [PATCH 2/2] crypto: DRBG - use caller buffer if suitable
>> On Fri, Jul 20, 2018 at 07:09:05AM +0200, Stephan Mueller wrote: >> >> Maybe I have a different understanding of how such interface should look >> like. >> >> Can you give me some more detail on how you envision such virtual address >> interface should work? > > It should look like shash. > Ok, but then: - should it be synchronous like blkcipher? - the TFMs (cipher Impls and templates) all operate on SGLs - should a virt API simply convert a virt address into an SGL? If so, the problem that triggered this thread is still not solved but only pushed to a different layer. If it should not just be an SGL wrapper, should all TFMs be changed? Thanks
Re: [PATCH 2/2] crypto: DRBG - use caller buffer if suitable
> Am 20.07.2018 um 05:54 schrieb Herbert Xu : > >> On Thu, Jul 19, 2018 at 10:57:16PM +0200, Stephan Müller wrote: >> >> Therefore, I am not sure that either having an SGL interface for the RNG API >> or a virtual address interface for the sync skcipher would be helpful. > > Could you please explain again why a virtual address interface to > sync skcipher algorithms won't be useful? It's something that others > have asked for in the past too. Maybe I have a different understanding of how such interface should look like. Can you give me some more detail on how you envision such virtual address interface should work? Thanks a lot Stephan
Re: [PATCH 2/2] crypto: DRBG - use caller buffer if suitable
On Thu, Jul 19, 2018 at 10:57:16PM +0200, Stephan Müller wrote: > > Therefore, I am not sure that either having an SGL interface for the RNG API > or a virtual address interface for the sync skcipher would be helpful. Could you please explain again why a virtual address interface to sync skcipher algorithms won't be useful? It's something that others have asked for in the past too. Thanks, -- Email: Herbert Xu Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
Re: [PATCH 2/2] crypto: DRBG - use caller buffer if suitable
Am Donnerstag, 19. Juli 2018, 11:34:33 CEST schrieb Herbert Xu: Hi Herbert, > I think this is an abuse of virt_addr_valid. It's meant to catch > bogus uses of SG lists, it's not meant to be a guarantee that an > address can be used on an SG list. Thanks for your insights. > > A better solution would be either an SG-list interface for rng, > or alternatively a virtual address interface for sync skcipher. My goal is to implement an in-place cipher operation drbg_kcapi_sym_ctr operating directly on the output buffer if possible. Without knowing whether the output buffer is valid for SGLs, I would need to use the scratchpad buffer as input/output buffer. That means that the data must be memcpy'ed from the scratchpad buffer to the output buffer. To provide the fastest DRBG implementation, we should eliminate the memcpy in drbg_kcapi_sym_ctr and with it the restriction of generating DRBG_OUTSCRATCHLEN with one cipher invocation. I.e. the ultimate goal is to operate directly on the output buffer if at all possible. So far, all RNGs generate data for one buffer only. Thus, I would consider converting the RNG interface to use SGLs as overkill. Furthermore, if the RNG uses the SHASH ciphers (like the DRBG use case), the input data is expected to be a straight buffer. Also, even the caller of the RNG may not know whether the destination buffer is valid for an SGL in case it is an intermediate layer. Therefore, I am not sure that either having an SGL interface for the RNG API or a virtual address interface for the sync skcipher would be helpful. Is there no way of identifying whether a buffer is valid for SGL operation? PS: I experimented with the in-place cipher operation in drbg_kcapi_sym_ctr while operating directly on the output buffer. The result was a more than 3- times increase in performance. Current implementation: 16 bytes| 12.267661 MB/s|61338304 bytes | 500213 ns 32 bytes| 23.603770 MB/s| 118018848 bytes | 500073 ns 64 bytes| 46.732262 MB/s| 233661312 bytes | 500241 ns 128 bytes| 90.038042 MB/s| 450190208 bytes | 500244 ns 256 bytes| 160.399616 MB/s| 801998080 bytes | 500393 ns 512 bytes| 259.878400 MB/s| 1299392000 bytes | 501675 ns 1024 bytes| 386.050662 MB/s| 1930253312 bytes | 501661 ns 2048 bytes| 493.641728 MB/s| 2468208640 bytes | 501598 ns 4096 bytes| 581.835981 MB/s| 2909179904 bytes | 503426 ns In-place cipher operation directly on output buffer: 16 bytes| 16.017830 MB/s|80089152 bytes | 500752 ns 32 bytes| 30.775686 MB/s| 153878432 bytes | 500701 ns 64 bytes| 58.299430 MB/s| 291497152 bytes | 500466 ns 128 bytes| 114.847462 MB/s| 574237312 bytes | 500385 ns 256 bytes| 218.359859 MB/s| 1091799296 bytes | 500476 ns 512 bytes| 416.003379 MB/s| 2080016896 bytes | 501105 ns 1024 bytes| 714.792346 MB/s| 3573961728 bytes | 5000718637 ns 2048 bytes|1.143480 GB/s| 5717401600 bytes | 500094 ns 4096 bytes|1.609953 GB/s| 8049766400 bytes | 501687 ns Ciao Stephan
Re: [PATCH 2/2] crypto: DRBG - use caller buffer if suitable
On Tue, Jul 10, 2018 at 05:57:00PM +0200, Stephan Müller wrote: > The SGL can directly operate caller-provided memory with the exception > of stack memory. The DRBG detects whether the caller provided > non-suitable memory and uses the scratchpad only on those circumstances. > > This patch increases the speed of the CTR DRBG by 1 to 3 percent > depending on the buffer size of the output buffer. > > Signed-off-by: Stephan Mueller I think this is an abuse of virt_addr_valid. It's meant to catch bogus uses of SG lists, it's not meant to be a guarantee that an address can be used on an SG list. A better solution would be either an SG-list interface for rng, or alternatively a virtual address interface for sync skcipher. Cheers, -- Email: Herbert Xu Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
