mirror of
https://github.com/openwrt/openwrt.git
synced 2025-01-12 16:03:13 +00:00
13b8404b1e
This backports commits from master that fix AES ciphers when using the qce driver: - A couple of simple fixes for CTR and XTS modes used with AES: * 041-crypto-qce-fix-ctr-aes-qce-block-chunk-sizes.patch * 042-crypto-qce-fix-xts-aes-qce-key-sizes.patch - A fix for a bug that affected cases when there were more entries in the input sg list than necessary to actually encrypt, resulting in failure in gcm, where the authentication tag is present after the encryption data: * 043-crypto-qce-save-a-sg-table-slot-for-result-buf.patch - A fix to update the IV buffer passed to the driver from the kernel: * 044-crypto-qce-update-the-skcipher-IV.patch - A patch that reduces memory footprint and driver initialization by only initializing the fallback mechanism where it is actually used: * 046-crypto-qce-initialize-fallback-only-for-AES.patch - Three patches that make gcm and xts modes work with the qce driver, and improve performance with small blocks: * 047-crypto-qce-use-cryptlen-when-adding-extra-sgl.patch * 048-crypto-qce-use-AES-fallback-for-small-requests.patch * 049-crypto-qce-handle-AES-XTS-cases-that-qce-fails.patch - A patch that allows the hashes/ciphers to be built individually. * 051-crypto-qce-allow-building-only-hashes-ciphers.patch Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com> [renumbered patches, added patches from dropped commit, refreshed, 5.4] Signed-off-by: Christian Lamparter <chunkeey@gmail.com>
123 lines
4.5 KiB
Diff
123 lines
4.5 KiB
Diff
From 2d3b6fae7d1a2ad821769440daa91d7eec5c8250 Mon Sep 17 00:00:00 2001
|
|
From: Eneas U de Queiroz <cotequeiroz@gmail.com>
|
|
Date: Fri, 20 Dec 2019 09:41:44 -0300
|
|
Subject: [PATCH] crypto: qce - use AES fallback for small requests
|
|
|
|
Process small blocks using the fallback cipher, as a workaround for an
|
|
observed failure (DMA-related, apparently) when computing the GCM ghash
|
|
key. This brings a speed gain as well, since it avoids the latency of
|
|
using the hardware engine to process small blocks.
|
|
|
|
Using software for all 16-byte requests would be enough to make GCM
|
|
work, but to increase performance, a larger threshold would be better.
|
|
Measuring the performance of supported ciphers with openssl speed,
|
|
software matches hardware at around 768-1024 bytes.
|
|
|
|
Considering the 256-bit ciphers, software is 2-3 times faster than qce
|
|
at 256-bytes, 30% faster at 512, and about even at 768-bytes. With
|
|
128-bit keys, the break-even point would be around 1024-bytes.
|
|
|
|
This adds the 'aes_sw_max_len' parameter, to set the largest request
|
|
length processed by the software fallback. Its default is being set to
|
|
512 bytes, a little lower than the break-even point, to balance the cost
|
|
in CPU usage.
|
|
|
|
Signed-off-by: Eneas U de Queiroz <cotequeiroz@gmail.com>
|
|
|
|
--- a/drivers/crypto/Kconfig
|
|
+++ b/drivers/crypto/Kconfig
|
|
@@ -585,6 +585,29 @@ config CRYPTO_DEV_QCE
|
|
hardware. To compile this driver as a module, choose M here. The
|
|
module will be called qcrypto.
|
|
|
|
+config CRYPTO_DEV_QCE_SW_MAX_LEN
|
|
+ int "Default maximum request size to use software for AES"
|
|
+ depends on CRYPTO_DEV_QCE && CRYPTO_DEV_QCE_SKCIPHER
|
|
+ default 512
|
|
+ help
|
|
+ This sets the default maximum request size to perform AES requests
|
|
+ using software instead of the crypto engine. It can be changed by
|
|
+ setting the aes_sw_max_len parameter.
|
|
+
|
|
+ Small blocks are processed faster in software than hardware.
|
|
+ Considering the 256-bit ciphers, software is 2-3 times faster than
|
|
+ qce at 256-bytes, 30% faster at 512, and about even at 768-bytes.
|
|
+ With 128-bit keys, the break-even point would be around 1024-bytes.
|
|
+
|
|
+ The default is set a little lower, to 512 bytes, to balance the
|
|
+ cost in CPU usage. The minimum recommended setting is 16-bytes
|
|
+ (1 AES block), since AES-GCM will fail if you set it lower.
|
|
+ Setting this to zero will send all requests to the hardware.
|
|
+
|
|
+ Note that 192-bit keys are not supported by the hardware and are
|
|
+ always processed by the software fallback, and all DES requests
|
|
+ are done by the hardware.
|
|
+
|
|
config CRYPTO_DEV_QCOM_RNG
|
|
tristate "Qualcomm Random Number Generator Driver"
|
|
depends on ARCH_QCOM || COMPILE_TEST
|
|
--- a/drivers/crypto/qce/skcipher.c
|
|
+++ b/drivers/crypto/qce/skcipher.c
|
|
@@ -13,6 +13,7 @@
|
|
|
|
#include <linux/device.h>
|
|
#include <linux/interrupt.h>
|
|
+#include <linux/moduleparam.h>
|
|
#include <linux/types.h>
|
|
#include <crypto/aes.h>
|
|
#include <crypto/des.h>
|
|
@@ -20,6 +21,13 @@
|
|
|
|
#include "cipher.h"
|
|
|
|
+static unsigned int aes_sw_max_len = CONFIG_CRYPTO_DEV_QCE_SW_MAX_LEN;
|
|
+module_param(aes_sw_max_len, uint, 0644);
|
|
+MODULE_PARM_DESC(aes_sw_max_len,
|
|
+ "Only use hardware for AES requests larger than this "
|
|
+ "[0=always use hardware; anything <16 breaks AES-GCM; default="
|
|
+ __stringify(CONFIG_CRYPTO_DEV_QCE_SOFT_THRESHOLD)"]");
|
|
+
|
|
static LIST_HEAD(skcipher_algs);
|
|
|
|
static void qce_skcipher_done(void *data)
|
|
@@ -170,15 +178,7 @@ static int qce_skcipher_setkey(struct cr
|
|
if (!key || !keylen)
|
|
return -EINVAL;
|
|
|
|
- if (IS_AES(flags)) {
|
|
- switch (IS_XTS(flags) ? keylen >> 1 : keylen) {
|
|
- case AES_KEYSIZE_128:
|
|
- case AES_KEYSIZE_256:
|
|
- break;
|
|
- default:
|
|
- goto fallback;
|
|
- }
|
|
- } else if (IS_DES(flags)) {
|
|
+ if (IS_DES(flags)) {
|
|
u32 tmp[DES_EXPKEY_WORDS];
|
|
|
|
ret = des_ekey(tmp, key);
|
|
@@ -189,8 +189,8 @@ static int qce_skcipher_setkey(struct cr
|
|
|
|
ctx->enc_keylen = keylen;
|
|
memcpy(ctx->enc_key, key, keylen);
|
|
- return 0;
|
|
-fallback:
|
|
+ if (!IS_AES(flags))
|
|
+ return 0;
|
|
ret = crypto_skcipher_setkey(ctx->fallback, key, keylen);
|
|
if (!ret)
|
|
ctx->enc_keylen = keylen;
|
|
@@ -213,8 +213,9 @@ static int qce_skcipher_crypt(struct skc
|
|
rctx->flags |= encrypt ? QCE_ENCRYPT : QCE_DECRYPT;
|
|
keylen = IS_XTS(rctx->flags) ? ctx->enc_keylen >> 1 : ctx->enc_keylen;
|
|
|
|
- if (IS_AES(rctx->flags) && keylen != AES_KEYSIZE_128 &&
|
|
- keylen != AES_KEYSIZE_256) {
|
|
+ if (IS_AES(rctx->flags) &&
|
|
+ ((keylen != AES_KEYSIZE_128 && keylen != AES_KEYSIZE_256) ||
|
|
+ req->cryptlen <= aes_sw_max_len)) {
|
|
SKCIPHER_REQUEST_ON_STACK(subreq, ctx->fallback);
|
|
|
|
skcipher_request_set_tfm(subreq, ctx->fallback);
|