From: Eric Biggers
To: linux-crypto@vger.kernel.org
Cc: Peter Zijlstra, corbet@lwn.net, will@kernel.org, boqun.feng@gmail.com, mark.rutland@arm.com, catalin.marinas@arm.com, dennis@kernel.org, tj@kernel.org, cl@linux.com, hca@linux.ibm.com, gor@linux.ibm.com, agordeev@linux.ibm.com, borntraeger@linux.ibm.com, svens@linux.ibm.com, Herbert Xu, davem@davemloft.net, tglx@linutronix.de, mingo@redhat.com, bp@alien8.de, dave.hansen@linux.intel.com, x86@kernel.org, hpa@zytor.com, joro@8bytes.org, suravee.suthikulpanit@amd.com, robin.murphy@arm.com, dwmw2@infradead.org, baolu.lu@linux.intel.com, Arnd Bergmann, penberg@kernel.org, rientjes@google.com, iamjoonsoo.kim@lge.com, Andrew Morton, vbabka@suse.cz, roman.gushchin@linux.dev, 42.hyeyoo@gmail.com, linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-mm@kvack.org, linux-s390@vger.kernel.org, iommu@lists.linux.dev, linux-arch@vger.kernel.org
Subject: [PATCH 3/3] crypto: x86/ghash - add comment and fix broken link
Date: Mon, 19 Dec 2022 21:40:42 -0800
Message-Id: <20221220054042.188537-4-ebiggers@kernel.org>
In-Reply-To: <20221220054042.188537-1-ebiggers@kernel.org>
References: <20221220054042.188537-1-ebiggers@kernel.org>
Add a comment that explains what ghash_setkey() is doing, as it's hard to
understand otherwise.  Also fix a broken hyperlink.

Signed-off-by: Eric Biggers
---
 arch/x86/crypto/ghash-clmulni-intel_asm.S  |  2 +-
 arch/x86/crypto/ghash-clmulni-intel_glue.c | 27 ++++++++++++++++++----
 2 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/arch/x86/crypto/ghash-clmulni-intel_asm.S b/arch/x86/crypto/ghash-clmulni-intel_asm.S
index 9dfeb4d31b92..257ed9446f3e 100644
--- a/arch/x86/crypto/ghash-clmulni-intel_asm.S
+++ b/arch/x86/crypto/ghash-clmulni-intel_asm.S
@@ -4,7 +4,7 @@ * instructions. This file contains accelerated part of ghash * implementation. More information about PCLMULQDQ can be found at: * - * http://software.intel.com/en-us/articles/carry-less-multiplication-and-its-usage-for-computing-the-gcm-mode/ + * https://www.intel.com/content/dam/develop/external/us/en/documents/clmul-wp-rev-2-02-2014-04-20.pdf * * Copyright (c) 2009 Intel Corp. * Author: Huang Ying diff --git a/arch/x86/crypto/ghash-clmulni-intel_glue.c b/arch/x86/crypto/ghash-clmulni-intel_glue.c index 9453b094bb3b..700ecaee9a08 100644 --- a/arch/x86/crypto/ghash-clmulni-intel_glue.c +++ b/arch/x86/crypto/ghash-clmulni-intel_glue.c @@ -60,16 +60,35 @@ static int ghash_setkey(struct crypto_shash *tfm, if (keylen != GHASH_BLOCK_SIZE) return -EINVAL; - /* perform multiplication by 'x' in GF(2^128) */ + /* + * GHASH maps bits to polynomial coefficients backwards, which makes it + * hard to implement. But it can be shown that the GHASH multiplication + * + * D * K (mod x^128 + x^7 + x^2 + x + 1) + * + * (where D is a data block and K is the key) is equivalent to: + * + * bitreflect(D) * bitreflect(K) * x^(-127) + * (mod x^128 + x^127 + x^126 + x^121 + 1) + * + * So, the code below precomputes: + * + * bitreflect(K) * x^(-127) (mod x^128 + x^127 + x^126 + x^121 + 1) + * + * ... but in Montgomery form (so that Montgomery multiplication can be + * used), i.e. with an extra x^128 factor, which means actually: + * + * bitreflect(K) * x (mod x^128 + x^127 + x^126 + x^121 + 1) + * + * The within-a-byte part of bitreflect() cancels out GHASH's built-in + * reflection, and thus bitreflect() is actually a byteswap. + */ a = get_unaligned_be64(key); b = get_unaligned_be64(key + 8); - ctx->shash.a = cpu_to_le64((a << 1) | (b >> 63)); ctx->shash.b = cpu_to_le64((b << 1) | (a >> 63)); - if (a >> 63) ctx->shash.a ^= cpu_to_le64((u64)0xc2 << 56); - return 0; } -- 2.39.0
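Review bot: the replacement link in the ghash-clmulni-intel_asm.S header is a bare PDF URL with a versioned file name (clmul-wp-rev-2-02-2014-04-20.pdf) on intel.com, the same kind of document location that rotted and made this fix necessary, and unlike the old URL it no longer carries the paper's title in its path (carry-less-multiplication-and-its-usage-for-computing-the-gcm-mode). Suggest keeping a plain-text title line next to the new URL, reconstructed from that slug, e.g. ` * Intel white paper, "Carry-Less Multiplication and Its Usage for Computing the GCM Mode", rev. 2.02:`, so the reference stays findable once this URL moves as well.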
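Review bot: the new comment in ghash_setkey() derives that the precomputed value is bitreflect(K) * x (mod x^128 + x^127 + x^126 + x^121 + 1), but the three statements right below it stay undocumented, so the reader still has to work out that `(a << 1) | (b >> 63)` and `(b << 1) | (a >> 63)` are the multiply by x done as a 128-bit rotate (the top bit of a rotated into bit 0 of shash.b is the `+ 1` term of the reduction) and that `(u64)0xc2 << 56` sets bits 63, 62 and 57 of the high word, i.e. the x^127 + x^126 + x^121 terms that x^128 reduces to under that polynomial; a one-line comment on each of those two lines would close the gap, and the "it can be shown" could point at the white paper already cited in ghash-clmulni-intel_asm.S. Separately, the three `-` lines that delete blank lines between the statements are unrelated whitespace churn in a comment-only patch (the diffstat's 4 deletions in this file are the old one-line comment plus those three blanks); either drop them or mention them in the commit message.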