lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <20260129011838.GG2024@quark>
Date: Wed, 28 Jan 2026 17:18:38 -0800
From: Eric Biggers <ebiggers@...nel.org>
To: Holger Dengler <dengler@...ux.ibm.com>
Cc: David Laight <david.laight.linux@...il.com>,
	Ard Biesheuvel <ardb@...nel.org>,
	"Jason A . Donenfeld" <Jason@...c4.com>,
	Herbert Xu <herbert@...dor.apana.org.au>,
	Harald Freudenberger <freude@...ux.ibm.com>,
	linux-kernel@...r.kernel.org, linux-crypto@...r.kernel.org
Subject: Re: [PATCH v2 1/1] lib/crypto: tests: Add KUnit tests for AES

On Mon, Jan 19, 2026 at 01:12:10PM +0100, Holger Dengler wrote:
> +static __always_inline u64 time_aes_op(bool encrypt, struct aes_key *aes_key,
> +				       u8 *out, const u8 *in)
> +{
> +	void (*aes_op)(const struct aes_key *key, u8 *out, const u8 *in);
> +	u64 t;
> +
> +	aes_op = encrypt ? &aes_encrypt : &aes_decrypt;
> +
> +	preempt_disable();
> +	t = ktime_get_ns();
> +	aes_op(aes_key, out, in);
> +	t = ktime_get_ns() - t;
> +	preempt_enable();
> +
> +	return t;
> +}
> +
> +static void benchmark_aes(struct kunit *test, const struct aes_testvector *tv)
> +{
> +	const size_t num_iters = 100;
> +	struct aes_key aes_key;
> +	u8 out[AES_BLOCK_SIZE];
> +	u64 t, t_enc, t_dec;
> +	int rc;
> +
> +	if (!IS_ENABLED(CONFIG_CRYPTO_LIB_BENCHMARK))
> +		kunit_skip(test, "not enabled");
> +
> +	rc = aes_preparekey(&aes_key, tv->key.b, tv->key.len);
> +	KUNIT_ASSERT_EQ(test, 0, rc);
> +
> +	/* warm-up */
> +	for (size_t i = 0; i < num_iters; i++) {
> +		aes_encrypt(&aes_key, out, tv->plain);
> +		aes_decrypt(&aes_key, out, tv->cipher);
> +	}
> +
> +	t_enc = NSEC_PER_SEC;
> +	t_dec = NSEC_PER_SEC;
> +	for (size_t i = 0; i < num_iters; i++) {
> +		t = time_aes_op(true, &aes_key, out, tv->plain);
> +		t_enc = MIN_T(u64, t, t_enc);
> +
> +		t = time_aes_op(false, &aes_key, out, tv->cipher);
> +		t_dec = MIN_T(u64, t, t_dec);
> +	}
> +
> +	kunit_info(test, "enc (len=%zu): %llu MB/s", (size_t)AES_BLOCK_SIZE,
> +		   div64_u64(AES_BLOCK_SIZE * NSEC_PER_SEC / 1000000,
> +			     (t_enc ?: 1)));
> +	kunit_info(test, "dec (len=%zu): %llu MB/s", (size_t)AES_BLOCK_SIZE,
> +		   div64_u64(AES_BLOCK_SIZE * NSEC_PER_SEC / 1000000,
> +			     (t_dec ?: 1)));
> +}

"AES_BLOCK_SIZE * NSEC_PER_SEC" is missing a cast to u64, as reported by
the kernel test robot.

But also as discussed in v1, using ktime_get_ns() to time one AES block
en/decryption at a time doesn't really work.  Even on x86 which has a
high precision timer, it's spending longer getting the time than doing
the actual AES en/decryption.

You may have meant to use get_cycles() instead, which has less overhead.

However, not all architectures have a cycle counter.

So I recommend we go with the simple strategy that I suggested, and
which v1 had.  Just the number of iterations in v1 was way too high.

- Eric

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ