On Wed, Dec 23, 2020 at 11:38:31PM +0100, Ard Biesheuvel wrote:
> After applying my performance fixes for AES-NI in XTS mode, the only
> remaining users of the x86 glue helper module are the niche algorithms
> camellia, cast6, serpent and twofish.
>
> It is not clear from the history why all these different versions of these
> algorithms in XTS and CTR modes were added in the first place: the only
> in-kernel references that seem to exist are to cbc(serpent), cbc(camellia)
> and cbc(twofish) in the IPsec stack. The XTS spec only mentions AES, and
> CTR modes don't seem to be widely used either.
>
> Since the glue helper code relies heavily on indirect calls for small chunks
> of in/output, it needs some work to recover from the performance hit caused
> by the retpoline changes. However, it makes sense to only expend the effort
> for algorithms that are being used in the first place, and this does not
> seem to be the case for XTS and CTR.
>
> CTR mode can simply be removed: it is not used in the kernel, and it is
> highly unlikely that it is being relied upon via algif_skcipher. And even
> if it was, the generic CTR mode driver can still provide the CTR transforms
> if necessary.
>
> XTS mode may actually be in use by dm-crypt users, so we cannot simply drop
> this code entirely. However, as it turns out, the XTS template wrapped
> around the ECB mode skciphers perform roughly on par *, and so there is no
> need to retain all the complicated XTS helper logic. In the unlikely case
> that dm-crypt users are relying on xts(camellia) or xts(serpent) in the
> field, they should not be impacted by these changes at all.
>
> As a follow-up, it makes sense to rework the ECB and CBC mode implementations
> to get rid of the indirect calls. Or perhaps we could drop [some of] these
> algorithms entirely ...
>
> * tcrypt results for various XTS implementations below, captured on a
> Intel(R) Core(TM) i7-8650U CPU @ 1.90GHz
>
> Cc: Megha Dey <megha.dey@xxxxxxxxx>
> Cc: Eric Biggers <ebiggers@xxxxxxxxxx>
> Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> Cc: Milan Broz <gmazyland@xxxxxxxxx>
> Cc: Mike Snitzer <snitzer@xxxxxxxxxx>
>
> Ard Biesheuvel (10):
>   crypto: x86/camellia - switch to XTS template
>   crypto: x86/cast6 - switch to XTS template
>   crypto: x86/serpent- switch to XTS template
>   crypto: x86/twofish - switch to XTS template
>   crypto: x86/glue-helper - drop XTS helper routines
>   crypto: x86/camellia - drop CTR mode implementation
>   crypto: x86/cast6 - drop CTR mode implementation
>   crypto: x86/serpent - drop CTR mode implementation
>   crypto: x86/twofish - drop CTR mode implementation
>   crypto: x86/glue-helper - drop CTR helper routines

Acked-by: Eric Biggers <ebiggers@xxxxxxxxxx>

- Eric