ossl: Add a VAES-based AES-GCM implementation for amd64
ClosedPublic
Actions

Authored by markj on Apr 24 2023, 9:54 PM.

Details

Reviewers

jhb
gallatin

Commits

rG9a3444d91c70: ossl: Add a VAES-based AES-GCM implementation for amd64

Summary

aes-gcm-avx512.S is generated from OpenSSL and implements AES-GCM.
ossl_x86.c detects whether the CPU implements the required AVX512
instructions; if not, the ossl(4) module does not provide an AES-GCM
implementation. The VAES implementation appears to increase throughput
for all buffer sizes in both directions, up to 2x for sufficiently large
buffers.

The "process" implementation is in two parts: a generic OCF layer in
ossl_aes.c that calls a set of MD functions to do the heavy lifting.
The intent there is to make it possible to add other implementations for
other platforms, e.g., to reduce the diff required for D37421.

I did not include a fallback to legacy AES-NI here. I did implement it
just for comparison purposes, but since we already have aesni(4) I don't
see a compelling reason to include it unless there's a notion of
switching to ossl(4) in the long term.

Sponsored by: Stormshield
Sponsored by: Klara, Inc.

Test Plan

I wrote a little kernel benchmark to compare aesni(4) and ossl(4)-acclerated
AES-GCM. The latter is better in most cases and roughly equal in the rest.
See: https://people.freebsd.org/~markj/kubench-aesni-vs-avx512.txt

Diff Detail

Repository

rG FreeBSD src repository

Lint

Lint Not Applicable

Unit

Tests Not Applicable

Event Timeline

markj created this revision.Apr 24 2023, 9:54 PM

Herald added a subscriber: imp. · View Herald TranscriptApr 24 2023, 9:54 PM

markj requested review of this revision.Apr 24 2023, 9:54 PM

Harbormaster completed remote builds in B51162: Diff 120960.Apr 24 2023, 9:54 PM

markj added a parent revision: D39782: ossl: Expose more CPUID bits in OPENSSL_ia32cap_P.Apr 24 2023, 9:55 PM

markj edited the test plan for this revision. (Show Details)Apr 24 2023, 9:56 PM

FWIW, I would prefer to use deprecate aesni(4) in favor of ossl(4) mostly because ossl(4) will be maintained in the future (e.g. the updates for AVX-512 as you are pulling in here). Unless aesni(4) outperforms ossl(4), I think we should move forward with deprecating aesni(4) and preferring ossl(4) instead. If I read the last part of your log correctly, it sounds like we probably should be moving to ossl(4) for AES-GCM in general on x86?

In D39783#906084, @jhb wrote:

FWIW, I would prefer to use deprecate aesni(4) in favor of ossl(4) mostly because ossl(4) will be maintained in the future (e.g. the updates for AVX-512 as you are pulling in here). Unless aesni(4) outperforms ossl(4), I think we should move forward with deprecating aesni(4) and preferring ossl(4) instead. If I read the last part of your log correctly, it sounds like we probably should be moving to ossl(4) for AES-GCM in general on x86?

Yes, I suspect we can add OpenSSL's AES-NI-based implementation without hurting anything. I omitted it here to avoid cluttering the diff more than necessary. I could bring it back and upload it as a separate patch on top of this one, but my main goal is to realize the throughput gains of the AVX512 implementation.

Adding in all the other variants of AES-GCM for x86 as a separate followup is fine with me. Hopefully it also makes it easier to do this for the armv7 review? I'd also like to move the AES-GCM bits using OpenSSL assembly out of armv8crypto and into ossl instead (it would be nice to retire armv8crypto and instead just use ossl similar to retiring aesni IMO)

This revision is now accepted and ready to land.May 1 2023, 6:28 PM

In D39783#908284, @jhb wrote:

Adding in all the other variants of AES-GCM for x86 as a separate followup is fine with me. Hopefully it also makes it easier to do this for the armv7 review?

Yes, this will make the diff smaller, though it'll require a bit of work to update the existing diff to use a ossl_aes_gcm_ops table.

I'd also like to move the AES-GCM bits using OpenSSL assembly out of armv8crypto and into ossl instead (it would be nice to retire armv8crypto and instead just use ossl similar to retiring aesni IMO)

I'll take a quick look at this, I hadn't realized that armv8crypto was using OpenSSL routines.

Closed by commit rG9a3444d91c70: ossl: Add a VAES-based AES-GCM implementation for amd64 (authored by markj). · Explain WhyJun 4 2023, 1:48 AM

This revision was automatically updated to reflect the committed changes.

markj added a commit: rG9a3444d91c70: ossl: Add a VAES-based AES-GCM implementation for amd64.