On Wed, May 17, 2017 at 18:23 +0200, Stefan Sperling wrote:
> On Sun, May 07, 2017 at 08:06:56PM -0400, [email protected] wrote:
> > On 2017-05-07 19:30, Mike Belopuhov wrote:
> > > You observe a decrease in performance because we've switched to
> > > a constant time machine independent AES implementation which is
> > > inherently slower than the T-table version.  Users with CPUs
> > > supporting AES-NI are not affected by this since the AES-NI
> > > driver provides its own constant time implementation.
> > > 
> > > Regards,
> > > Mike
> > 
> > Hi Mike,
> > 
> > Thanks for the info, and for your work on the AES implementation.
> > With that said, is there any chance that this issue could be solved
> > such that CPUs like mine (which lack AES-NI) won't become super slow?
> > 
> > I can always stop using softraid crypto or buy a new CPU, but I'd
> > like to avoid that :)
> 
> I also have some machines which are affected by this, and I am
> not sure what to do about it. I cannot judge the advantages of
> either AES implementation.
> 
> If this is how softraid crypto is going to be from now on,
> I am going to move my non-AES-NI machines off softraid crypto
> onto self-encrypting SSDs (which is a good idea anyway for slow
> machines).

There are ways to improve performance but more work is required
to get there.  In the meantime if the consensus is that XTS
performance is unacceptable we can roll it back to T-tables.

Please test the diff below.

diff --git regress/sys/crypto/aesxts/Makefile regress/sys/crypto/aesxts/Makefile
index 4c47348d9c8..5d7fea9f560 100644
--- regress/sys/crypto/aesxts/Makefile
+++ regress/sys/crypto/aesxts/Makefile
@@ -19,11 +19,11 @@ CDIAGFLAGS+=        -Wshadow
 
 REGRESS_TARGETS=       run-regress-${PROG}
 
 .PATH:  ${DIR}/crypto
 SRCS+= cast.c ecb_enc.c ecb3_enc.c gmac.c aes.c set_key.c
-SRCS+= chachapoly.c poly1305.c
+SRCS+= rijndael.c chachapoly.c poly1305.c
 SRCS+= xform.c
 
 run-regress-${PROG}: ${PROG}
        ./${PROG}
 
diff --git regress/sys/crypto/aesxts/aes_xts.c 
regress/sys/crypto/aesxts/aes_xts.c
index 861d143bac6..c43b4f56ef6 100644
--- regress/sys/crypto/aesxts/aes_xts.c
+++ regress/sys/crypto/aesxts/aes_xts.c
@@ -24,23 +24,23 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #include <sys/types.h>
-#include <crypto/aes.h>
+#include <crypto/rijndael.h>
 #include <err.h>
 #include <fcntl.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 
 #define        AES_XTS_BLOCKSIZE       16
 
 struct aes_xts_ctx {
-       AES_CTX key1;
-       AES_CTX key2;
+       rijndael_ctx key1;
+       rijndael_ctx key2;
        u_int8_t tweak[AES_XTS_BLOCKSIZE];
 };
 
 int  aes_xts_setkey(void *, u_int8_t *, int);
 void aes_xts_encrypt(caddr_t, u_int8_t *);
diff --git sys/crypto/aes.h sys/crypto/aes.h
index a670a2b522c..9718115fc65 100644
--- sys/crypto/aes.h
+++ sys/crypto/aes.h
@@ -24,11 +24,13 @@
  */
 
 #ifndef _AES_H_
 #define _AES_H_
 
+#ifndef AES_MAXROUNDS
 #define AES_MAXROUNDS  (14)
+#endif
 
 typedef struct aes_ctx {
        uint32_t sk[60];
        uint32_t sk_exp[120];
 
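Review bot: The `#ifndef AES_MAXROUNDS` guard added around the `#define` hides a conflicting definition rather than detecting it: if a header included earlier (presumably `<crypto/rijndael.h>`, given the include-order change in sys/crypto/xform.c) defines AES_MAXROUNDS to another value, aes.h silently adopts that value while `sk[60]` and `sk_exp[120]` in aes_ctx, which look sized for 14 rounds, stay fixed. Consider turning a disagreement into a build error instead of a silent override: `#elif AES_MAXROUNDS != 14` followed by `#error "AES_MAXROUNDS differs from the value aes_ctx is sized for"` before the `#endif`. The aes_ctx definition continues outside the hunk.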
diff --git sys/crypto/xform.c sys/crypto/xform.c
index 0579345f4f1..6955d1b0ad4 100644
--- sys/crypto/xform.c
+++ sys/crypto/xform.c
@@ -57,10 +57,11 @@
 #include <crypto/sha1.h>
 #include <crypto/sha2.h>
 #include <crypto/rmd160.h>
 #include <crypto/blf.h>
 #include <crypto/cast.h>
+#include <crypto/rijndael.h>
 #include <crypto/aes.h>
 #include <crypto/cryptodev.h>
 #include <crypto/xform.h>
 #include <crypto/gmac.h>
 #include <crypto/chachapoly.h>
@@ -119,12 +120,12 @@ struct aes_ctr_ctx {
 #define AES_XTS_BLOCKSIZE      16
 #define AES_XTS_IVSIZE         8
 #define AES_XTS_ALPHA          0x87    /* GF(2^128) generator polynomial */
 
 struct aes_xts_ctx {
-       AES_CTX key1;
-       AES_CTX key2;
+       rijndael_ctx key1;
+       rijndael_ctx key2;
        u_int8_t tweak[AES_XTS_BLOCKSIZE];
 };
 
 /* Helper */
 void aes_xts_crypt(struct aes_xts_ctx *, u_int8_t *, u_int);
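Review bot: Nothing in the new struct records why key1/key2 moved from AES_CTX to rijndael_ctx; the covering mail says this deliberately trades the constant-time aes.c implementation for T-table throughput on CPUs without AES-NI, and a reader of xform.c alone will not see that. Add a comment above the struct along the lines of `/* rijndael_ctx: T-table AES chosen for speed on non-AES-NI CPUs; not the constant-time aes.c implementation */` so the trade-off is visible where it is made. The same substitution appears in the aes_xts_reinit and aes_xts_crypt hunks below and in regress/sys/crypto/aesxts/aes_xts.c, and one comment here covers them.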
@@ -494,11 +495,11 @@ aes_xts_reinit(caddr_t key, u_int8_t *iv)
                blocknum >>= 8;
        }
        /* Last 64 bits of IV are always zero */
        bzero(ctx->tweak + AES_XTS_IVSIZE, AES_XTS_IVSIZE);
 
-       AES_Encrypt(&ctx->key2, ctx->tweak, ctx->tweak);
+       rijndael_encrypt(&ctx->key2, ctx->tweak, ctx->tweak);
 }
 
 void
 aes_xts_crypt(struct aes_xts_ctx *ctx, u_int8_t *data, u_int do_encrypt)
 {
@@ -507,13 +508,13 @@ aes_xts_crypt(struct aes_xts_ctx *ctx, u_int8_t *data, 
u_int do_encrypt)
 
        for (i = 0; i < AES_XTS_BLOCKSIZE; i++)
                block[i] = data[i] ^ ctx->tweak[i];
 
        if (do_encrypt)
-               AES_Encrypt(&ctx->key1, block, data);
+               rijndael_encrypt(&ctx->key1, block, data);
        else
-               AES_Decrypt(&ctx->key1, block, data);
+               rijndael_decrypt(&ctx->key1, block, data);
 
        for (i = 0; i < AES_XTS_BLOCKSIZE; i++)
                data[i] ^= ctx->tweak[i];
 
        /* Exponentiate tweak */
@@ -548,12 +549,12 @@ aes_xts_setkey(void *sched, u_int8_t *key, int len)
        if (len != 32 && len != 64)
                return -1;
 
        ctx = (struct aes_xts_ctx *)sched;
 
-       AES_Setkey(&ctx->key1, key, len / 2);
-       AES_Setkey(&ctx->key2, key + (len / 2), len / 2);
+       rijndael_set_key(&ctx->key1, key, len * 4);
+       rijndael_set_key(&ctx->key2, key + (len / 2), len * 4);
 
        return 0;
 }
 
 /*
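Review bot: The third argument changes unit relative to the AES_Setkey calls it replaces — `len / 2` bytes becomes `len * 4` — and nothing in the code says why; a maintainer seeing the offset `key + (len / 2)` next to a length of `len * 4` may read it as a bug. rijndael_set_key takes the key size in bits, so with the `len != 32 && len != 64` check above admitting only 32- or 64-byte keys each half is `len/2` bytes, i.e. `len*4` bits, which the two new lines compute correctly. Add a comment such as `/* rijndael_set_key() wants bits: each half is len/2 bytes == len*4 bits */` above the two calls. aes_xts_setkey's opening lines are outside the hunk.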
