On Fri, 4 Oct 2019 at 16:38, Ard Biesheuvel <ard.biesheuvel@xxxxxxxxxx> wrote: > > On Fri, 4 Oct 2019 at 15:46, Jason A. Donenfeld <Jason@xxxxxxxxx> wrote: > > > > On Wed, Oct 02, 2019 at 04:16:58PM +0200, Ard Biesheuvel wrote: > > > This integrates the accelerated MIPS 32r2 implementation of ChaCha > > > into both the API and library interfaces of the kernel crypto stack. > > > > > > The significance of this is that, in addition to becoming available > > > as an accelerated library implementation, it can also be used by > > > existing crypto API code such as Adiantum (for block encryption on > > > ultra low performance cores) or IPsec using chacha20poly1305. These > > > are use cases that have already opted into using the abstract crypto > > > API. In order to support Adiantum, the core assembler routine has > > > been adapted to take the round count as a function argument rather > > > than hardcoding it to 20. > > > > Could you resubmit this with first my original commit and then with your > > changes on top? I'd like to see and be able to review exactly what's > > changed. If I recall correctly, René and I were really starved for > > registers and tried pretty hard to avoid spilling to the stack, so I'm > > interested to learn how you crammed a bit more sauce in there. > > > > The round count is passed via the fifth function parameter, so it is > already on the stack. Reloading it for every block doesn't sound like > a huge deal to me. > > > I also wonder if maybe it'd be better to just leave this as is with 20 > > rounds, which it was previously optimized for, and just not do > > accelerated Adiantum for MIPS. Android has long since given up on the > > ISA entirely. > > Adiantum does not depend on Android - anyone running linux on his MIPS > router can use it if they want encrypted storage. But to answer your first question: sure, i will split off the changes.