On Wed, 12 Jun 2019 at 16:00, Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx> wrote: > > On Wed, 12 Jun 2019 at 15:58, Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> wrote: > > > > On Wed, Jun 12, 2019 at 02:48:18PM +0200, Ard Biesheuvel wrote: > > > > > > All the patches leading up to that are cleanups for the AES code, to reduce > > > the dependency on the generic table based AES code, or in some cases, hardcoded > > > dependencies on the scalar arm64 asm code which suffers from the same problem. > > > It also removes redundant key expansion routines, and gets rid of the x86 > > > scalar asm code, which is a maintenance burden and is not actually faster than > > > the generic code built with a modern compiler. > > > > Nice, I like this a lot. > > > > I presume you'll be converting the AES cipher users throughout > > the kernel (such as net/ipv4/tcp_fastopen) at some point, right? > > > > Yes. I am currently surveying which users need to switch to a proper > mode, and which ones can just use the unoptimized library version > (such as tcp_fastopen). Would anyone mind if I switch the TCP fastopen code to SipHash instead of AES? I can see in the archives that Dave wasn't a fan at the time, but for a MAC over ~16 bytes of input, it is actually a much more better choice than what we have now. And calling into the AES cipher twice, as we do for IPv6 connections, is even worse, since you take the hit of invoking a SIMD cipher twice in cases where the cipher is provided by a SIMD based implementation.