On Wed, Jun 12, 2024 at 05:42:20PM +0800, Herbert Xu wrote: > On Mon, Jun 10, 2024 at 08:48:11PM -0700, Eric Biggers wrote: > > From: Eric Biggers <ebiggers@xxxxxxxxxx> > > > > Add an implementation of finup_mb to sha256-ni, using an interleaving > > factor of 2. It interleaves a finup operation for two equal-length > > messages that share a common prefix. dm-verity and fs-verity will take > > I think the limitation on equal length is artificial. There is > no reason why the code couldn't handle two messages with different > lengths. Simply execute in dual mode up until the shorter message > runs out. Then carry on as if you have a single message. Sure, as I mentioned the algorithm could fall back to single-buffer hashing once the messages get out of sync. This would actually have to be implemented and tested, of course, which gets especially tricky with your proposal to support arbitrary scatterlists. And there's no actual use case for adding that complexity yet. > In fact, there is no reason why the two hashes have to start from > the same initial state either. It has no bearing on the performance > of the actual hashing as far as I can see. The SHA-256 inner loop would indeed be the same, but the single state has several advantages: - The caller only needs to allocate and prepare a single state. This saves per-IO memory and reduces overhead. - The glue code doesn't need to check that the number of internally buffered bytes are synced up. - The assembly code only needs to load from the one state. All of this simplifies the code slightly and boosts performance slightly. These advantages aren't *too* large, of course, and if a use case for supporting update arose, then support for multiple states would be added. But it doesn't make sense to add this functionality prematurely before it actually has a user. - Eric