openwrt/target/linux/ipq40xx/patches-4.19/048-crypto-qce-use-AES-fallback-for-small-requests.patch

From 2d3b6fae7d1a2ad821769440daa91d7eec5c8250 Mon Sep 17 00:00:00 2001
From: Eneas U de Queiroz <cotequeiroz@gmail.com>
Date: Fri, 20 Dec 2019 09:41:44 -0300
Subject: [PATCH] crypto: qce - use AES fallback for small requests

Process small blocks using the fallback cipher, as a workaround for an
observed failure (DMA-related, apparently) when computing the GCM ghash
key.  This brings a speed gain as well, since it avoids the latency of
using the hardware engine to process small blocks.

Using software for all 16-byte requests would be enough to make GCM
work, but to increase performance, a larger threshold would be better.
Measuring the performance of supported ciphers with openssl speed,
software matches hardware at around 768-1024 bytes.

Considering the 256-bit ciphers, software is 2-3 times faster than qce
at 256-bytes, 30% faster at 512, and about even at 768-bytes.  With
128-bit keys, the break-even point would be around 1024-bytes.

This adds the 'aes_sw_max_len' parameter, to set the largest request
length processed by the software fallback.  Its default is being set to
512 bytes, a little lower than the break-even point, to balance the cost
in CPU usage.

Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>

--- a/drivers/crypto/Kconfig
+++ b/drivers/crypto/Kconfig
@@ -585,6 +585,29 @@ config CRYPTO_DEV_QCE
 	  hardware. To compile this driver as a module, choose M here. The
 	  module will be called qcrypto.
 
+config CRYPTO_DEV_QCE_SW_MAX_LEN
+	int "Default maximum request size to use software for AES"
+	depends on CRYPTO_DEV_QCE && CRYPTO_DEV_QCE_SKCIPHER
+	default 512
+	help
+	  This sets the default maximum request size to perform AES requests
+	  using software instead of the crypto engine.  It can be changed by
+	  setting the aes_sw_max_len parameter.
+
+	  Small blocks are processed faster in software than hardware.
+	  Considering the 256-bit ciphers, software is 2-3 times faster than
+	  qce at 256-bytes, 30% faster at 512, and about even at 768-bytes.
+	  With 128-bit keys, the break-even point would be around 1024-bytes.
+
+	  The default is set a little lower, to 512 bytes, to balance the
+	  cost in CPU usage.  The minimum recommended setting is 16-bytes
+	  (1 AES block), since AES-GCM will fail if you set it lower.
+	  Setting this to zero will send all requests to the hardware.
+
+	  Note that 192-bit keys are not supported by the hardware and are
+	  always processed by the software fallback, and all DES requests
+	  are done by the hardware.
+
 config CRYPTO_DEV_QCOM_RNG
 	tristate "Qualcomm Random Number Generator Driver"
 	depends on ARCH_QCOM || COMPILE_TEST
--- a/drivers/crypto/qce/skcipher.c
+++ b/drivers/crypto/qce/skcipher.c
@@ -13,6 +13,7 @@
 
 #include <linux/device.h>
 #include <linux/interrupt.h>
+#include <linux/moduleparam.h>
 #include <linux/types.h>
 #include <crypto/aes.h>
 #include <crypto/des.h>
@@ -20,6 +21,13 @@
 
 #include "cipher.h"
 
+static unsigned int aes_sw_max_len = CONFIG_CRYPTO_DEV_QCE_SW_MAX_LEN;
+module_param(aes_sw_max_len, uint, 0644);
+MODULE_PARM_DESC(aes_sw_max_len,
+		 "Only use hardware for AES requests larger than this "
+		 "[0=always use hardware; anything <16 breaks AES-GCM; default="
+		 __stringify(CONFIG_CRYPTO_DEV_QCE_SOFT_THRESHOLD)"]");
+
 static LIST_HEAD(skcipher_algs);
 
 static void qce_skcipher_done(void *data)
@@ -170,15 +178,7 @@ static int qce_skcipher_setkey(struct cr
 	if (!key || !keylen)
 		return -EINVAL;
 
-	if (IS_AES(flags)) {
-		switch (IS_XTS(flags) ? keylen >> 1 : keylen) {
-		case AES_KEYSIZE_128:
-		case AES_KEYSIZE_256:
-			break;
-		default:
-			goto fallback;
-		}
-	} else if (IS_DES(flags)) {
+	if (IS_DES(flags)) {
 		u32 tmp[DES_EXPKEY_WORDS];
 
 		ret = des_ekey(tmp, key);
@@ -189,8 +189,8 @@ static int qce_skcipher_setkey(struct cr
 
 	ctx->enc_keylen = keylen;
 	memcpy(ctx->enc_key, key, keylen);
-	return 0;
-fallback:
+	if (!IS_AES(flags))
+		return 0;
 	ret = crypto_skcipher_setkey(ctx->fallback, key, keylen);
 	if (!ret)
 		ctx->enc_keylen = keylen;
@@ -213,8 +213,9 @@ static int qce_skcipher_crypt(struct skc
 	rctx->flags |= encrypt ? QCE_ENCRYPT : QCE_DECRYPT;
 	keylen = IS_XTS(rctx->flags) ? ctx->enc_keylen >> 1 : ctx->enc_keylen;
 
-	if (IS_AES(rctx->flags) && keylen != AES_KEYSIZE_128 &&
-	    keylen != AES_KEYSIZE_256) {
+	if (IS_AES(rctx->flags) &&
+	    ((keylen != AES_KEYSIZE_128 && keylen != AES_KEYSIZE_256) ||
+	     req->cryptlen <= aes_sw_max_len)) {
 		SKCIPHER_REQUEST_ON_STACK(subreq, ctx->fallback);
 
 		skcipher_request_set_tfm(subreq, ctx->fallback);
ipq40xx: qce - add fixes for AES ciphers This backports commits from master that fix AES ciphers when using the qce driver: - A couple of simple fixes for CTR and XTS modes used with AES: * 041-crypto-qce-fix-ctr-aes-qce-block-chunk-sizes.patch * 042-crypto-qce-fix-xts-aes-qce-key-sizes.patch - A fix for a bug that affected cases when there were more entries in the input sg list than necessary to actually encrypt, resulting in failure in gcm, where the authentication tag is present after the encryption data: * 043-crypto-qce-save-a-sg-table-slot-for-result-buf.patch - A fix to update the IV buffer passed to the driver from the kernel: * 044-crypto-qce-update-the-skcipher-IV.patch - A patch that reduces memory footprint and driver initialization by only initializing the fallback mechanism where it is actually used: * 046-crypto-qce-initialize-fallback-only-for-AES.patch - Three patches that make gcm and xts modes work with the qce driver, and improve performance with small blocks: * 047-crypto-qce-use-cryptlen-when-adding-extra-sgl.patch * 048-crypto-qce-use-AES-fallback-for-small-requests.patch * 049-crypto-qce-handle-AES-XTS-cases-that-qce-fails.patch - A patch that allows the hashes/ciphers to be built individually. * 051-crypto-qce-allow-building-only-hashes-ciphers.patch Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> [renumbered patches, added patches from dropped commit, refreshed, 5.4] Signed-off-by: Christian Lamparter <chunkeey@gmail.com> 2019-12-20 13:52:17 +00:00			`From 2d3b6fae7d1a2ad821769440daa91d7eec5c8250 Mon Sep 17 00:00:00 2001`
			`From: Eneas U de Queiroz <cotequeiroz@gmail.com>`
			`Date: Fri, 20 Dec 2019 09:41:44 -0300`
			`Subject: [PATCH] crypto: qce - use AES fallback for small requests`

			`Process small blocks using the fallback cipher, as a workaround for an`
			`observed failure (DMA-related, apparently) when computing the GCM ghash`
			`key. This brings a speed gain as well, since it avoids the latency of`
			`using the hardware engine to process small blocks.`

			`Using software for all 16-byte requests would be enough to make GCM`
			`work, but to increase performance, a larger threshold would be better.`
			`Measuring the performance of supported ciphers with openssl speed,`
			`software matches hardware at around 768-1024 bytes.`

			`Considering the 256-bit ciphers, software is 2-3 times faster than qce`
			`at 256-bytes, 30% faster at 512, and about even at 768-bytes. With`
			`128-bit keys, the break-even point would be around 1024-bytes.`

			`This adds the 'aes_sw_max_len' parameter, to set the largest request`
			`length processed by the software fallback. Its default is being set to`
			`512 bytes, a little lower than the break-even point, to balance the cost`
			`in CPU usage.`

			`Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>`

			`--- a/drivers/crypto/Kconfig`
			`+++ b/drivers/crypto/Kconfig`
			`@@ -585,6 +585,29 @@ config CRYPTO_DEV_QCE`
			`hardware. To compile this driver as a module, choose M here. The`
			`module will be called qcrypto.`

			`+config CRYPTO_DEV_QCE_SW_MAX_LEN`
			`+ int "Default maximum request size to use software for AES"`
			`+ depends on CRYPTO_DEV_QCE && CRYPTO_DEV_QCE_SKCIPHER`
			`+ default 512`
			`+ help`
			`+ This sets the default maximum request size to perform AES requests`
			`+ using software instead of the crypto engine. It can be changed by`
			`+ setting the aes_sw_max_len parameter.`
			`+`
			`+ Small blocks are processed faster in software than hardware.`
			`+ Considering the 256-bit ciphers, software is 2-3 times faster than`
			`+ qce at 256-bytes, 30% faster at 512, and about even at 768-bytes.`
			`+ With 128-bit keys, the break-even point would be around 1024-bytes.`
			`+`
			`+ The default is set a little lower, to 512 bytes, to balance the`
			`+ cost in CPU usage. The minimum recommended setting is 16-bytes`
			`+ (1 AES block), since AES-GCM will fail if you set it lower.`
			`+ Setting this to zero will send all requests to the hardware.`
			`+`
			`+ Note that 192-bit keys are not supported by the hardware and are`
			`+ always processed by the software fallback, and all DES requests`
			`+ are done by the hardware.`
			`+`
			`config CRYPTO_DEV_QCOM_RNG`
			`tristate "Qualcomm Random Number Generator Driver"`
			`depends on ARCH_QCOM \|\| COMPILE_TEST`
			`--- a/drivers/crypto/qce/skcipher.c`
			`+++ b/drivers/crypto/qce/skcipher.c`
			`@@ -13,6 +13,7 @@`

			`#include <linux/device.h>`
			`#include <linux/interrupt.h>`
			`+#include <linux/moduleparam.h>`
			`#include <linux/types.h>`
			`#include <crypto/aes.h>`
			`#include <crypto/des.h>`
			`@@ -20,6 +21,13 @@`

			`#include "cipher.h"`

			`+static unsigned int aes_sw_max_len = CONFIG_CRYPTO_DEV_QCE_SW_MAX_LEN;`
			`+module_param(aes_sw_max_len, uint, 0644);`
			`+MODULE_PARM_DESC(aes_sw_max_len,`
			`+ "Only use hardware for AES requests larger than this "`
			`+ "[0=always use hardware; anything <16 breaks AES-GCM; default="`
			`+ __stringify(CONFIG_CRYPTO_DEV_QCE_SOFT_THRESHOLD)"]");`
			`+`
			`static LIST_HEAD(skcipher_algs);`

			`static void qce_skcipher_done(void *data)`
			`@@ -170,15 +178,7 @@ static int qce_skcipher_setkey(struct cr`
			`if (!key \|\| !keylen)`
			`return -EINVAL;`

			`- if (IS_AES(flags)) {`
			`- switch (IS_XTS(flags) ? keylen >> 1 : keylen) {`
			`- case AES_KEYSIZE_128:`
			`- case AES_KEYSIZE_256:`
			`- break;`
			`- default:`
			`- goto fallback;`
			`- }`
			`- } else if (IS_DES(flags)) {`
			`+ if (IS_DES(flags)) {`
			`u32 tmp[DES_EXPKEY_WORDS];`

			`ret = des_ekey(tmp, key);`
			`@@ -189,8 +189,8 @@ static int qce_skcipher_setkey(struct cr`

			`ctx->enc_keylen = keylen;`
			`memcpy(ctx->enc_key, key, keylen);`
			`- return 0;`
			`-fallback:`
			`+ if (!IS_AES(flags))`
			`+ return 0;`
			`ret = crypto_skcipher_setkey(ctx->fallback, key, keylen);`
			`if (!ret)`
			`ctx->enc_keylen = keylen;`
			`@@ -213,8 +213,9 @@ static int qce_skcipher_crypt(struct skc`
			`rctx->flags \|= encrypt ? QCE_ENCRYPT : QCE_DECRYPT;`
			`keylen = IS_XTS(rctx->flags) ? ctx->enc_keylen >> 1 : ctx->enc_keylen;`

			`- if (IS_AES(rctx->flags) && keylen != AES_KEYSIZE_128 &&`
			`- keylen != AES_KEYSIZE_256) {`
			`+ if (IS_AES(rctx->flags) &&`
			`+ ((keylen != AES_KEYSIZE_128 && keylen != AES_KEYSIZE_256) \|\|`
			`+ req->cryptlen <= aes_sw_max_len)) {`
			`SKCIPHER_REQUEST_ON_STACK(subreq, ctx->fallback);`

			`skcipher_request_set_tfm(subreq, ctx->fallback);`