lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <20221116041342.3841-1-elliott@hpe.com>
Date:   Tue, 15 Nov 2022 22:13:18 -0600
From:   Robert Elliott <elliott@....com>
To:     herbert@...dor.apana.org.au, davem@...emloft.net,
        tim.c.chen@...ux.intel.com, ap420073@...il.com, ardb@...nel.org,
        Jason@...c4.com, David.Laight@...LAB.COM, ebiggers@...nel.org,
        linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org
Cc:     Robert Elliott <elliott@....com>
Subject: [PATCH v4 00/24] crypto: fix RCU stalls

This series fixes the RCU stalls triggered by the x86 crypto
modules discussed in
https://lore.kernel.org/all/MW5PR84MB18426EBBA3303770A8BC0BDFAB759@MW5PR84MB1842.NAMPRD84.PROD.OUTLOOK.COM/

Two root causes were:
- too much data processed between kernel_fpu_begin and
  kernel_fpu_end calls (which are heavily used by the x86
  optimized drivers)
- tcrypt not calling cond_resched during speed test loops

These problems have always been lurking, but improving the
loading of the x86/sha512 module led to it happening a lot
during boot when using SHA-512 for module signature checking.

Fixing these problems makes it safer to improve loading
the rest of the x86 modules like the sha512 module.

This series only handles the x86 modules.

Version 4 tackles lingering comments from version 2.

1. Unlike the hash functions, skcipher and aead functions
accept pointers to scatter-gather lists, and the helper
functions that walk through those lists limit processing
to a page size at a time.

The aegis module did everything inside one pair of
kernel_fpu_begin() and kernel_fpu_end() calls including
walking through the sglist, so it could preempt the CPU
without constraint.

The aesni aead functions for gcm process the additional
data (data that is included in the authentication tag
calculation but not encrypted) in one FPU context, so
that can be a problem. This will require some asm changes
to fix. However, I don't think that is a typical use case,
so this series defers fixing that.

The series adds device table matching for all the x86
crypto modules.

2. I replaced all the positive and negative prints with
module parameters, including enough clues in modinfo
descriptions that a user can determine what is
working and not working.


Robert Elliott (24):
  crypto: tcrypt - test crc32
  crypto: tcrypt - test nhpoly1305
  crypto: tcrypt - reschedule during cycles speed tests
  crypto: x86/sha - limit FPU preemption
  crypto: x86/crc - limit FPU preemption
  crypto: x86/sm3 - limit FPU preemption
  crypto: x86/ghash - use u8 rather than char
  crypto: x86/ghash - restructure FPU context saving
  crypto: x86/ghash - limit FPU preemption
  crypto: x86/poly - limit FPU preemption
  crypto: x86/aegis - limit FPU preemption
  crypto: x86/sha - register all variations
  crypto: x86/sha - minimize time in FPU context
  crypto: x86/sha - load based on CPU features
  crypto: x86/crc - load based on CPU features
  crypto: x86/sm3 - load based on CPU features
  crypto: x86/poly - load based on CPU features
  crypto: x86/ghash - load based on CPU features
  crypto: x86/aesni - avoid type conversions
  crypto: x86/ciphers - load based on CPU features
  crypto: x86 - report used CPU features via module parameters
  crypto: x86 - report missing CPU features via module parameters
  crypto: x86 - report suboptimal CPUs via module parameters
  crypto: x86 - standarize module descriptions

 arch/x86/crypto/aegis128-aesni-glue.c      |  66 +++--
 arch/x86/crypto/aesni-intel_glue.c         |  45 ++--
 arch/x86/crypto/aria_aesni_avx_glue.c      |  43 ++-
 arch/x86/crypto/blake2s-glue.c             |  18 +-
 arch/x86/crypto/blowfish_glue.c            |  39 ++-
 arch/x86/crypto/camellia_aesni_avx2_glue.c |  40 ++-
 arch/x86/crypto/camellia_aesni_avx_glue.c  |  38 ++-
 arch/x86/crypto/camellia_glue.c            |  37 ++-
 arch/x86/crypto/cast5_avx_glue.c           |  30 ++-
 arch/x86/crypto/cast6_avx_glue.c           |  30 ++-
 arch/x86/crypto/chacha_glue.c              |  18 +-
 arch/x86/crypto/crc32-pclmul_asm.S         |   6 +-
 arch/x86/crypto/crc32-pclmul_glue.c        |  39 ++-
 arch/x86/crypto/crc32c-intel_glue.c        |  66 +++--
 arch/x86/crypto/crct10dif-pclmul_glue.c    |  56 ++--
 arch/x86/crypto/curve25519-x86_64.c        |  29 +-
 arch/x86/crypto/des3_ede_glue.c            |  36 ++-
 arch/x86/crypto/ghash-clmulni-intel_asm.S  |   4 +-
 arch/x86/crypto/ghash-clmulni-intel_glue.c |  45 ++--
 arch/x86/crypto/nhpoly1305-avx2-glue.c     |  36 ++-
 arch/x86/crypto/nhpoly1305-sse2-glue.c     |  22 +-
 arch/x86/crypto/poly1305_glue.c            |  56 +++-
 arch/x86/crypto/polyval-clmulni_glue.c     |  31 ++-
 arch/x86/crypto/serpent_avx2_glue.c        |  36 ++-
 arch/x86/crypto/serpent_avx_glue.c         |  31 ++-
 arch/x86/crypto/serpent_sse2_glue.c        |  13 +-
 arch/x86/crypto/sha1_ssse3_glue.c          | 298 ++++++++++++++-------
 arch/x86/crypto/sha256_ssse3_glue.c        | 294 +++++++++++++-------
 arch/x86/crypto/sha512_ssse3_glue.c        | 205 +++++++++-----
 arch/x86/crypto/sm3_avx_glue.c             |  70 +++--
 arch/x86/crypto/sm4_aesni_avx2_glue.c      |  37 ++-
 arch/x86/crypto/sm4_aesni_avx_glue.c       |  39 ++-
 arch/x86/crypto/twofish_avx_glue.c         |  29 +-
 arch/x86/crypto/twofish_glue.c             |  12 +-
 arch/x86/crypto/twofish_glue_3way.c        |  36 ++-
 crypto/aes_ti.c                            |   2 +-
 crypto/blake2b_generic.c                   |   2 +-
 crypto/blowfish_common.c                   |   2 +-
 crypto/crct10dif_generic.c                 |   2 +-
 crypto/curve25519-generic.c                |   1 +
 crypto/sha256_generic.c                    |   2 +-
 crypto/sha512_generic.c                    |   2 +-
 crypto/sm3.c                               |   2 +-
 crypto/sm4.c                               |   2 +-
 crypto/tcrypt.c                            |  56 ++--
 crypto/twofish_common.c                    |   2 +-
 crypto/twofish_generic.c                   |   2 +-
 47 files changed, 1377 insertions(+), 630 deletions(-)

-- 
2.38.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ