Re: [PATCH 2/2] crypto: DRBG - use caller buffer if suitable

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Am Donnerstag, 19. Juli 2018, 11:34:33 CEST schrieb Herbert Xu:

Hi Herbert,

> I think this is an abuse of virt_addr_valid.  It's meant to catch
> bogus uses of SG lists, it's not meant to be a guarantee that an
> address can be used on an SG list.

Thanks for your insights.
> 
> A better solution would be either an SG-list interface for rng,
> or alternatively a virtual address interface for sync skcipher.

My goal is to implement an in-place cipher operation drbg_kcapi_sym_ctr 
operating directly on the output buffer if possible. Without knowing whether 
the output buffer is valid for SGLs, I would need to use the scratchpad buffer 
as input/output buffer. That means that the data must be memcpy'ed from the 
scratchpad buffer to the output buffer.

To provide the fastest DRBG implementation, we should eliminate the memcpy in 
drbg_kcapi_sym_ctr and with it the restriction of generating 
DRBG_OUTSCRATCHLEN with one cipher invocation.

I.e. the ultimate goal is to operate directly on the output buffer if at all 
possible.

So far, all RNGs generate data for one buffer only. Thus, I would consider 
converting the RNG interface to use SGLs as overkill. Furthermore, if the RNG 
uses the SHASH ciphers (like the DRBG use case), the input data is expected to 
be a straight buffer.

Also, even the caller of the RNG may not know whether the destination buffer 
is valid for an SGL in case it is an intermediate layer.

Therefore, I am not sure that either having an SGL interface for the RNG API 
or a virtual address interface for the sync skcipher would be helpful.

Is there no way of identifying whether a buffer is valid for SGL operation?

PS: I experimented with the in-place cipher operation in drbg_kcapi_sym_ctr 
while operating directly on the output buffer. The result was a more than 3-
times increase in performance.

Current implementation:

      16 bytes|           12.267661 MB/s|    61338304 bytes |  5000000213 ns
      32 bytes|           23.603770 MB/s|   118018848 bytes |  5000000073 ns
      64 bytes|           46.732262 MB/s|   233661312 bytes |  5000000241 ns
     128 bytes|           90.038042 MB/s|   450190208 bytes |  5000000244 ns
     256 bytes|          160.399616 MB/s|   801998080 bytes |  5000000393 ns
     512 bytes|          259.878400 MB/s|  1299392000 bytes |  5000001675 ns
    1024 bytes|          386.050662 MB/s|  1930253312 bytes |  5000001661 ns
    2048 bytes|          493.641728 MB/s|  2468208640 bytes |  5000001598 ns
    4096 bytes|          581.835981 MB/s|  2909179904 bytes |  5000003426 ns

In-place cipher operation directly on output buffer:

      16 bytes|           16.017830 MB/s|    80089152 bytes |  5000000752 ns
      32 bytes|           30.775686 MB/s|   153878432 bytes |  5000000701 ns
      64 bytes|           58.299430 MB/s|   291497152 bytes |  5000000466 ns
     128 bytes|          114.847462 MB/s|   574237312 bytes |  5000000385 ns
     256 bytes|          218.359859 MB/s|  1091799296 bytes |  5000000476 ns
     512 bytes|          416.003379 MB/s|  2080016896 bytes |  5000001105 ns
    1024 bytes|          714.792346 MB/s|  3573961728 bytes |  5000718637 ns
    2048 bytes|            1.143480 GB/s|  5717401600 bytes |  5000000094 ns
    4096 bytes|            1.609953 GB/s|  8049766400 bytes |  5000001687 ns

Ciao
Stephan





[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux