From: Eric Biggers <ebiggers@kernel.org>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: linux-crypto@vger.kernel.org, fsverity@lists.linux.dev,
dm-devel@lists.linux.dev, x86@kernel.org,
linux-arm-kernel@lists.infradead.org, ardb@kernel.org,
samitolvanen@google.com, bvanassche@acm.org
Subject: Re: [PATCH v2 1/8] crypto: shash - add support for finup2x
Date: Mon, 6 May 2024 17:33:09 -0700 [thread overview]
Message-ID: <20240507003309.GA192875@sol.localdomain> (raw)
In-Reply-To: <20240503152810.GA1132@sol.localdomain>
On Fri, May 03, 2024 at 08:28:10AM -0700, Eric Biggers wrote:
> On Fri, May 03, 2024 at 06:18:32PM +0800, Herbert Xu wrote:
> > Eric Biggers <ebiggers@kernel.org> wrote:
> > >
> > > For now the API only supports 2-way interleaving, as the usefulness and
> > > practicality seems to drop off dramatically after 2. The arm64 CPUs I
> > > tested don't support more than 2 concurrent SHA-256 hashes. On x86_64,
> > > AMD's Zen 4 can do 4 concurrent SHA-256 hashes (at least based on a
> > > microbenchmark of the sha256rnds2 instruction), and it's been reported
> > > that the highest SHA-256 throughput on Intel processors comes from using
> > > AVX512 to compute 16 hashes in parallel. However, higher interleaving
> > > factors would involve tradeoffs such as no longer being able to cache
> > > the round constants in registers, further increasing the code size (both
> > > source and binary), further increasing the amount of state that users
> > > need to keep track of, and causing there to be more "leftover" hashes.
> >
> > I think the lack of extensibility is the biggest problem with this
> > API. Now I confess I too have used the magic number 2 in the
> > lskcipher patch-set, but there I think at least it was more
> > justifiable based on the set of algorithms we currently support.
> >
> > Here I think the evidence for limiting this to 2 is weak. And the
> > amount of work to extend this beyond 2 would mean ripping this API
> > out again.
> >
> > So let's get this right from the start. Rather than shoehorning
> > this into shash, how about we add this to ahash instead where an
> > async return is a natural part of the API?
> >
> > In fact, if we do it there we don't need to make any major changes
> > to the API. You could simply add an optional flag that to the
> > request flags to indicate that more requests will be forthcoming
> > immediately.
> >
> > The algorithm could then either delay the current request if it
> > is supported, or process it immediately as is the case now.
> >
>
> The kernel already had ahash-based multibuffer hashing years ago. It failed
> spectacularly, as it was extremely complex, buggy, slow, and potentially
> insecure as it mixed requests from different contexts. Sure, it could have been
> improved slightly by adding flush support, but most issues would have remained.
>
> Synchronous hashing really is the right model here. One of the main performance
> issues we are having with dm-verity and fs-verity is the scheduling hops
> associated with the workqueues on which the dm-verity and fs-verity work runs.
> If there was another scheduling hop from the worker task to another task to do
> the actual hashing, that would be even worse and would defeat the point of doing
> multibuffer hashing. And with the ahash based API this would be difficult to
> avoid, as when an individual request gets submitted and put on a queue somewhere
> it would lose the information about the original submitter, so when it finally
> gets hashed it might be by another task (which the original task would then have
> to wait for). I guess the submitter could provide some sort of tag that makes
> the request be put on a dedicated queue that would eventually get processed only
> by the same task (which might also be needed for security reasons anyway, due to
> all the CPU side channels), but that would add lots of complexity to add tag
> support to the API and support an arbitrary number of queues.
>
> And then there's the issue of request lengths. With one at a time submission
> via 'ahash_request', each request would have its own length. Having to support
> multibuffer hashing of different length requests would add a massive amount of
> complexity and edge cases that are difficult to get correct, as was shown by the
> old ahash based code. This suggests that either the API needs to enforce that
> all the lengths are the same, or it needs to provide a clean API (my patch)
> where the caller just provides a single length that applies to all messages.
>
> So the synchronous API really seems like the right approach, whereas shoehorning
> it into the asynchronous hash API would result in something much more complex
> and not actually useful for the intended use cases.
>
> If you're concerned about the hardcoding to 2x specifically, how about the
> following API instead:
>
> int crypto_shash_finup_mb(struct shash_desc *desc,
> const u8 *datas[], unsigned int len,
> u8 *outs[], int num_msgs)
>
> This would allow extension to higher interleaving factors.
>
> I do suspect that anything higher than 2x isn't going to be very practical for
> in-kernel use cases, where code size, latency, and per-request memory usage tend
> to be very important. Regardless, this would make the API able to support
> higher interleaving factors.
I've sent out a new version that makes the change to crypto_shash_finup_mb().
- Eric
next prev parent reply other threads:[~2024-05-07 0:33 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-22 20:35 [PATCH v2 0/8] Optimize dm-verity and fsverity using multibuffer hashing Eric Biggers
2024-04-22 20:35 ` [PATCH v2 1/8] crypto: shash - add support for finup2x Eric Biggers
2024-05-03 10:18 ` Herbert Xu
2024-05-03 15:28 ` Eric Biggers
2024-05-07 0:33 ` Eric Biggers [this message]
2024-04-22 20:35 ` [PATCH v2 2/8] crypto: testmgr - generate power-of-2 lengths more often Eric Biggers
2024-04-22 20:35 ` [PATCH v2 3/8] crypto: testmgr - add tests for finup2x Eric Biggers
2024-04-22 20:35 ` [PATCH v2 4/8] crypto: x86/sha256-ni - add support " Eric Biggers
2024-04-22 20:35 ` [PATCH v2 5/8] crypto: arm64/sha256-ce " Eric Biggers
2024-04-22 20:35 ` [PATCH v2 6/8] fsverity: improve performance by using multibuffer hashing Eric Biggers
2024-04-22 20:35 ` [PATCH v2 7/8] dm-verity: hash blocks with shash import+finup when possible Eric Biggers
2024-04-22 20:35 ` [PATCH v2 8/8] dm-verity: improve performance by using multibuffer hashing Eric Biggers
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240507003309.GA192875@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=ardb@kernel.org \
--cc=bvanassche@acm.org \
--cc=dm-devel@lists.linux.dev \
--cc=fsverity@lists.linux.dev \
--cc=herbert@gondor.apana.org.au \
--cc=linux-arm-kernel@lists.infradead.org \
--cc=linux-crypto@vger.kernel.org \
--cc=samitolvanen@google.com \
--cc=x86@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).