{
  "commit": "55db667c62b224ab393ce95ae8d99e5fe81c163a",
  "tree": "7f70b3eb8acc979c4f15fc3cc3866c4e737337a3",
  "parents": [
    "b1b4ff93ca267ecabd3090a5475d59686e717e5d"
  ],
  "author": {
    "name": "David Benjamin",
    "email": "davidben@google.com",
    "time": "Mon Feb 25 15:47:51 2019 -0600"
  },
  "committer": {
    "name": "CQ bot account: commit-bot@chromium.org",
    "email": "commit-bot@chromium.org",
    "time": "Mon Mar 04 20:31:39 2019 +0000"
  },
  "message": "Enable vpaes for aarch64, with CTR optimizations.\n\nThis patches vpaes-armv8.pl to add vpaes_ctr32_encrypt_blocks. CTR mode\nis by far the most important mode these days. It should have access to\n_vpaes_encrypt_2x, which gives a considerable speed boost. Also exclude\nvpaes_ecb_* as they\u0027re not even used.\n\nFor iOS, this change is completely a no-op. iOS ARMv8 always has crypto\nextensions, and we already statically drop all other AES\nimplementations.\n\nAndroid ARMv8 is *not* required to have crypto extensions, but every\nARMv8 device I\u0027ve seen has them. For those, it is a no-op\nperformance-wise and a win on size. vpaes appears to be about 5.6KiB\nsmaller than the tables. ARMv8 always makes SIMD (NEON) available, so we\ncan statically drop aes_nohw.\n\nIn theory, however, crypto-less Android ARMv8 is possible. Today such\nchips get a variable-time AES. This CL fixes this, but the performance\nstory is complex.\n\nThe Raspberry Pi 3 is not Android but has a Cortex-A53 chip\nwithout crypto extensions. (But the official images are 32-bit, so even\nthis is slightly artificial...) There, vpaes is a performance win.\n\nRaspberry Pi 3, Model B+, Cortex-A53\nBefore:\nDid 265000 AES-128-GCM (16 bytes) seal operations in 1003312us (264125.2 ops/sec): 4.2 MB/s\nDid 44000 AES-128-GCM (256 bytes) seal operations in 1002141us (43906.0 ops/sec): 11.2 MB/s\nDid 9394 AES-128-GCM (1350 bytes) seal operations in 1032104us (9101.8 ops/sec): 12.3 MB/s\nDid 1562 AES-128-GCM (8192 bytes) seal operations in 1008982us (1548.1 ops/sec): 12.7 MB/s\nAfter:\nDid 277000 AES-128-GCM (16 bytes) seal operations in 1001884us (276479.1 ops/sec): 4.4 MB/s\nDid 52000 AES-128-GCM (256 bytes) seal operations in 1001480us (51923.2 ops/sec): 13.3 MB/s\nDid 11000 AES-128-GCM (1350 bytes) seal operations in 1007979us (10912.9 ops/sec): 14.7 MB/s\nDid 2013 AES-128-GCM (8192 bytes) seal operations in 1085545us (1854.4 ops/sec): 15.2 MB/s\n\nThe Pixel 3 has a Cortex-A75 with crypto extensions, so it would never\nrun this code. However, artificially ignoring them gives another data\npoint (ARM documentation[*] suggests the extensions are still optional\non a Cortex-A75.) Sadly, vpaes no longer wins on perf over aes_nohw.\nBut, it is constant-time:\n\nPixel 3, AES/PMULL extensions ignored, Cortex-A75:\nBefore:\nDid 2102000 AES-128-GCM (16 bytes) seal operations in 1000378us (2101205.7 ops/sec): 33.6 MB/s\nDid 358000 AES-128-GCM (256 bytes) seal operations in 1002658us (357051.0 ops/sec): 91.4 MB/s\nDid 75000 AES-128-GCM (1350 bytes) seal operations in 1012830us (74049.9 ops/sec): 100.0 MB/s\nDid 13000 AES-128-GCM (8192 bytes) seal operations in 1036524us (12541.9 ops/sec): 102.7 MB/s\nAfter:\nDid 1453000 AES-128-GCM (16 bytes) seal operations in 1000213us (1452690.6 ops/sec): 23.2 MB/s\nDid 285000 AES-128-GCM (256 bytes) seal operations in 1002227us (284366.7 ops/sec): 72.8 MB/s\nDid 60000 AES-128-GCM (1350 bytes) seal operations in 1016106us (59049.0 ops/sec): 79.7 MB/s\nDid 11000 AES-128-GCM (8192 bytes) seal operations in 1094184us (10053.2 ops/sec): 82.4 MB/s\n\nNote the numbers above run with PMULL off, so the slow GHASH is\ndampening the regression. If we test aes_nohw and vpaes paired with\nPMULL on, the 20% perf hit becomes a 31% hit. The PMULL-less variant is\nmore likely to represent a real chip.\n\nThis is consistent with upstream\u0027s note in the comment, though it is\nunclear if 20% is the right order of magnitude: \"these results are worse\nthan scalar compiler-generated code, but it\u0027s constant-time and\ntherefore preferred\".\n\n[*] http://infocenter.arm.com/help/index.jsp?topic\u003d/com.arm.doc.100458_0301_00_en/lau1442495529696.html\n\nBug: 246\nChange-Id: If1dc87f5131fce742052498295476fbae4628dbf\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/35026\nCommit-Queue: David Benjamin \u003cdavidben@google.com\u003e\nReviewed-by: Adam Langley \u003cagl@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "04b2ffb29779666d96998a4b376cfb14765015b8",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/CMakeLists.txt",
      "new_id": "09d210bfbd6990fc6daad3c32a7929796f6eabac",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/CMakeLists.txt"
    },
    {
      "type": "modify",
      "old_id": "a0c94114e3fbd752381e14e494369f7db2e6a931",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/aes/aes_test.cc",
      "new_id": "2222b63d72fa2dd8878efbf8136ddaceede0f04d",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/aes/aes_test.cc"
    },
    {
      "type": "modify",
      "old_id": "5131e13a09a29523d3c8c92ae5ecafa679304968",
      "old_mode": 33261,
      "old_path": "crypto/fipsmodule/aes/asm/vpaes-armv8.pl",
      "new_id": "49eaf0d30fb49e6656212bb7200bf749d2a8b232",
      "new_mode": 33261,
      "new_path": "crypto/fipsmodule/aes/asm/vpaes-armv8.pl"
    },
    {
      "type": "modify",
      "old_id": "0df30d9f390f4f76d76df30103a4be88c1b32256",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/aes/internal.h",
      "new_id": "a05abcbfeaae388c964433038cf25a146e50bb73",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/aes/internal.h"
    },
    {
      "type": "modify",
      "old_id": "460deedd18dbb886fb8ec20225bc786abaf280e8",
      "old_mode": 33188,
      "old_path": "crypto/fipsmodule/cipher/e_aes.c",
      "new_id": "51a1fb1c6f27445f0657ae19df14e222e8794ca3",
      "new_mode": 33188,
      "new_path": "crypto/fipsmodule/cipher/e_aes.c"
    }
  ]
}
