Hello, the VIA Padlock engine comes without native XTS-AES support, thus compared to CBC-AES or ECB-AES XTS-AES performs quite bad on VIA CPUs because it calls the Padlock ACE for each single AESenc() operation. Using the Padlock's ECB-AES saves calls to the Padlock ACE and improves the XTS-AES performance by 30% and more even in a naive proof-of-concept implementation. The idea comes from DiskCryptor which does this since v0.9.583.106. Here are some performance measues for my VIA Nano U2250 done with dm-crypt aes-xts-plain on top of a 1GB tmpfs-backed loop-device. The table shows MB/s measured by dd. The first column shows the creation of the loop-image in tmpfs, i.e. memory-bandwidth. The next 10 columns show 10 write runs on top of the dm-crypt device. The last column shows a read run on a 10GB dm-crypt'ed disk-partition (read speed on the plain partition is ~94MB/s). For the last column I also measured DiskCryptor's read performance. xts orig 325 | 38.1 38.4 38.4 38.4 38.4 38.4 38.4 38.4 38.4 38.4 | 34.2 xts PoC 322 | 48.6 49.1 49.1 49.1 49.1 49.2 49.2 49.2 49.2 49.2 | 49.2 DC 65.1 My proof-of-concept comes not even close to DiskCryptor at the moment but already improves dm-crypt performance significant. I attached 4 patches with the proof-of-concept code. They need to be applied one after the other. The code is really just ugly-hacked proof-of-concept (except the first patch maybe) with incomplete error-handling and hardcoded ECB-AES usage. Even though it seems to encode and decode correctly, I strongly recommend to avoid using it to handle real data. Utilizing ECB-AES required to unfold and duplicate the scatterlist-walk. This does also duplicate the GF-Multiplications, which could probably be avoided by using an internal buffer. I have no idea where this should finally be implemented, since it slows down XTS on non-accelerated CPUs. Maybe a seperate xts-aes-padlock driver would make sense depending on how specific this is to VIA Padlock, i.e. how it performs on other non-XTS-capable accelerators. Please CC: me in replies, I'm not a member of the list. Mail-F'up2 should be set correctly. regards Mario -- File names are infinite in length where infinity is set to 255 characters. -- Peter Collinson, "The Unix File System"
Attachment:
xts-01-eliminate-goto.patch.gz
Description: Binary data
Attachment:
xts-02-resolve-xts_round.patch.gz
Description: Binary data
Attachment:
xts-03-unfold-loop.patch.gz
Description: Binary data
Attachment:
xts-04-utilize-ecb.patch.gz
Description: Binary data
Attachment:
signature.asc
Description: Digital signature