<feed xmlns='http://www.w3.org/2005/Atom'>
<title>wireguard-linux-compat/src/crypto, branch master</title>
<subtitle>WireGuard kernel module backport for Linux 3.10 - 5.5</subtitle>
<id>https://git.zx2c4.com/wireguard-linux-compat/atom/src/crypto?h=master</id>
<link rel='self' href='https://git.zx2c4.com/wireguard-linux-compat/atom/src/crypto?h=master'/>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-linux-compat/'/>
<updated>2021-12-13T16:25:37Z</updated>
<entry>
<title>crypto: curve25519-x86_64: use in/out register constraints more precisely</title>
<updated>2021-12-13T16:25:37Z</updated>
<author>
<name>Jason A. Donenfeld</name>
<email>Jason@zx2c4.com</email>
</author>
<published>2021-12-13T16:25:37Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-linux-compat/commit/?id=273018b7eaccf2f8d146c00f21db7dbd9678bd43'/>
<id>urn:sha1:273018b7eaccf2f8d146c00f21db7dbd9678bd43</id>
<content type='text'>
Rather than passing all variables as modified, pass ones that are only
read into that parameter. This helps with old gcc versions when
alternatives are additionally used, and lets gcc's codegen be a little
bit more efficient. This also syncs up with the latest Vale/EverCrypt
output.

This also forward ports 3c9f3b6 ("crypto: curve25519-x86_64: solve
register constraints with reserved registers").

Cc: Aymeric Fromherz &lt;aymeric.fromherz@inria.fr&gt;
Cc: Mathias Krause &lt;minipli@grsecurity.net&gt;
Link: https://lore.kernel.org/wireguard/1554725710.1290070.1639240504281.JavaMail.zimbra@inria.fr/
Link: https://github.com/project-everest/hacl-star/pull/501
Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;
</content>
</entry>
<entry>
<title>crypto: curve25519-x86_64: solve register constraints with reserved registers</title>
<updated>2021-12-06T21:47:01Z</updated>
<author>
<name>Mathias Krause</name>
<email>minipli@grsecurity.net</email>
</author>
<published>2021-07-06T13:27:14Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-linux-compat/commit/?id=3c9f3b6997fe8cbb5e7b80ea5d622b5d0e827003'/>
<id>urn:sha1:3c9f3b6997fe8cbb5e7b80ea5d622b5d0e827003</id>
<content type='text'>
The register constraints for the inline assembly in fsqr() and fsqr2()
are pretty tight on what the compiler may assign to the remaining three
register variables. The clobber list only allows the following to be
used: RDI, RSI, RBP and R12. With RAP reserving R12 and a kernel having
CONFIG_FRAME_POINTER=y, claiming RBP, there are only two registers left
so the compiler rightfully complains about impossible constraints.

Provide alternatives that'll allow a memory reference for 'out' to solve
the allocation constraint dilemma for this configuration.

Also make 'out' an input-only operand as it is only used as such. This
not only allows gcc to optimize its usage further, but also works around
older gcc versions, apparently failing to handle multiple alternatives
correctly, as in failing to initialize the 'out' operand with its input
value.

Signed-off-by: Mathias Krause &lt;minipli@grsecurity.net&gt;
Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;
</content>
</entry>
<entry>
<title>compat: remove unused version.h headers</title>
<updated>2021-02-07T15:11:33Z</updated>
<author>
<name>Jason A. Donenfeld</name>
<email>Jason@zx2c4.com</email>
</author>
<published>2021-02-07T15:11:19Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-linux-compat/commit/?id=897b4b9152d3680da1db4c380aaa48a52313c680'/>
<id>urn:sha1:897b4b9152d3680da1db4c380aaa48a52313c680</id>
<content type='text'>
We don't need this in all files, and it just complicates things.

Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;
</content>
</entry>
<entry>
<title>crypto: do not export symbols</title>
<updated>2020-04-15T04:18:27Z</updated>
<author>
<name>Jason A. Donenfeld</name>
<email>Jason@zx2c4.com</email>
</author>
<published>2020-04-15T04:18:27Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-linux-compat/commit/?id=52978fcc265c472773b0b334d31705573ae8cb98'/>
<id>urn:sha1:52978fcc265c472773b0b334d31705573ae8cb98</id>
<content type='text'>
Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;
</content>
</entry>
<entry>
<title>curve25519-x86_64: avoid use of r12</title>
<updated>2020-02-19T20:48:13Z</updated>
<author>
<name>Jason A. Donenfeld</name>
<email>Jason@zx2c4.com</email>
</author>
<published>2018-08-06T22:31:24Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-linux-compat/commit/?id=118398c1c6540d44a070266cf3a39c5077775c8e'/>
<id>urn:sha1:118398c1c6540d44a070266cf3a39c5077775c8e</id>
<content type='text'>
This causes problems with RAP and KERNEXEC for PaX, as r12 is a
reserved register.

It also leads to a more compact instruction encoding, saving about 100
cycles.

Suggested-by: PaX Team &lt;pageexec@freemail.hu&gt;
Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;
</content>
</entry>
<entry>
<title>chacha20poly1305: defensively protect against large inputs</title>
<updated>2020-02-06T11:45:34Z</updated>
<author>
<name>Jason A. Donenfeld</name>
<email>Jason@zx2c4.com</email>
</author>
<published>2020-02-06T11:45:34Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-linux-compat/commit/?id=a7e4885d83a33ad1f857df1b9d68abafe49378f3'/>
<id>urn:sha1:a7e4885d83a33ad1f857df1b9d68abafe49378f3</id>
<content type='text'>
Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;
</content>
</entry>
<entry>
<title>curve25519: x86_64: replace with formally verified implementation</title>
<updated>2020-01-21T15:07:52Z</updated>
<author>
<name>Jason A. Donenfeld</name>
<email>Jason@zx2c4.com</email>
</author>
<published>2020-01-21T15:07:52Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-linux-compat/commit/?id=55df79c6c08e31f24370f3ddc69e37729b4c5676'/>
<id>urn:sha1:55df79c6c08e31f24370f3ddc69e37729b4c5676</id>
<content type='text'>
This comes from INRIA's HACL*/Vale. It implements the same algorithm and
implementation strategy as the code it replaces, only this code has been
formally verified, sans the base point multiplication, which uses code
similar to prior, only it uses the formally verified field arithmetic
alongside reproducible ladder generation steps. This doesn't have a
pure-bmi2 version, which means haswell no longer benefits, but the
increased (doubled) code complexity is not worth it for a single
generation of chips that's already old.

Performance-wise, this is around 1% slower on older microarchitectures,
and slightly faster on newer microarchitectures, mainly 10nm ones or
backports of 10nm to 14nm. This implementation is "everest" below:

Xeon E5-2680 v4 (Broadwell)

 armfazh: 133340 cycles per call
 everest: 133436 cycles per call

Xeon Gold 5120 (Sky Lake Server)

 armfazh: 112636 cycles per call
 everest: 113906 cycles per call

Core i5-6300U (Sky Lake Client)

 armfazh: 116810 cycles per call
 everest: 117916 cycles per call

Core i7-7600U (Kaby Lake)

 armfazh: 119523 cycles per call
 everest: 119040 cycles per call

Core i7-8750H (Coffee Lake)

 armfazh: 113914 cycles per call
 everest: 113650 cycles per call

Core i9-9880H (Coffee Lake Refresh)

 armfazh: 112616 cycles per call
 everest: 114082 cycles per call

Core i3-8121U (Cannon Lake)

 armfazh: 113202 cycles per call
 everest: 111382 cycles per call

Core i7-8265U (Whiskey Lake)

 armfazh: 127307 cycles per call
 everest: 127697 cycles per call

Core i7-8550U (Kaby Lake Refresh)

 armfazh: 127522 cycles per call
 everest: 127083 cycles per call

Xeon Platinum 8275CL (Cascade Lake)

 armfazh: 114380 cycles per call
 everest: 114656 cycles per call

Achieving these kinds of results with formally verified code is quite
remarkable, especially considering that performance is favorable for
newer chips.

Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;
</content>
</entry>
<entry>
<title>global: fix up spelling</title>
<updated>2019-12-12T11:24:05Z</updated>
<author>
<name>Josh Soref</name>
<email>jsoref@gmail.com</email>
</author>
<published>2019-12-10T16:22:58Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-linux-compat/commit/?id=11a71b7d6971750a8892e1b18eb8688d91e48fe8'/>
<id>urn:sha1:11a71b7d6971750a8892e1b18eb8688d91e48fe8</id>
<content type='text'>
Signed-off-by: Josh Soref &lt;jsoref@gmail.com&gt;
Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;
</content>
</entry>
<entry>
<title>chacha20poly1305: double check the sgmiter logic with test</title>
<updated>2019-12-06T17:03:23Z</updated>
<author>
<name>Jason A. Donenfeld</name>
<email>Jason@zx2c4.com</email>
</author>
<published>2019-12-06T17:03:23Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-linux-compat/commit/?id=9a0ace85312fc8c4b69e98c00552839b2756c77b'/>
<id>urn:sha1:9a0ace85312fc8c4b69e98c00552839b2756c77b</id>
<content type='text'>
Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;
</content>
</entry>
<entry>
<title>crypto: use new assembler macros for 5.5</title>
<updated>2019-12-05T14:27:37Z</updated>
<author>
<name>Jason A. Donenfeld</name>
<email>Jason@zx2c4.com</email>
</author>
<published>2019-12-05T14:27:37Z</published>
<link rel='alternate' type='text/html' href='https://git.zx2c4.com/wireguard-linux-compat/commit/?id=6d9a9aa29b77a22f4de2e56b815639e06a876b48'/>
<id>urn:sha1:6d9a9aa29b77a22f4de2e56b815639e06a876b48</id>
<content type='text'>
Signed-off-by: Jason A. Donenfeld &lt;Jason@zx2c4.com&gt;
</content>
</entry>
</feed>
