linux/crypto
Arnd Bergmann 148b974dee crypto: aes-generic - build with -Os on gcc-7+
While testing other changes, I discovered that gcc-7.2.1 produces badly
optimized code for aes_encrypt/aes_decrypt. This is especially true when
CONFIG_UBSAN_SANITIZE_ALL is enabled, where it leads to extremely
large stack usage that in turn might cause kernel stack overflows:

crypto/aes_generic.c: In function 'aes_encrypt':
crypto/aes_generic.c:1371:1: warning: the frame size of 4880 bytes is larger than 2048 bytes [-Wframe-larger-than=]
crypto/aes_generic.c: In function 'aes_decrypt':
crypto/aes_generic.c:1441:1: warning: the frame size of 4864 bytes is larger than 2048 bytes [-Wframe-larger-than=]

I verified that this problem exists on all architectures that are
supported by gcc-7.2, though arm64 in particular is less affected than
the others. I also found that gcc-7.1 and gcc-8 do not show the extreme
stack usage but still produce worse code than earlier versions for this
file, apparently because of optimization passes that generally provide
a substantial improvement in object code quality but understandably fail
to find any shortcuts in the AES algorithm.

Possible workarounds include

a) disabling -ftree-pre and -ftree-sra optimizations, this was an earlier
   patch I tried, which reliably fixed the stack usage, but caused a
   serious performance regression in some versions, as later testing
   found.

b) disabling UBSAN on this file or all ciphers, as suggested by Ard
   Biesheuvel. This would lead to massively better crypto performance in
   UBSAN-enabled kernels and avoid the stack usage, but there is a concern
   over whether we should exclude arbitrary files from UBSAN at all.

c) Forcing the optimization level in a different way. Similar to a),
   but rather than deselecting specific optimization stages,
   this now uses "gcc -Os" for this file, regardless of the
   CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE/SIZE option. This is a reliable
   workaround for the stack consumption on all architectures, and I've
   retested the performance results now on x86, cycles/byte (lower is
   better) for cbc(aes-generic) with 256 bit keys:

			-O2     -Os
	gcc-6.3.1	14.9	15.1
	gcc-7.0.1	14.7	15.3
	gcc-7.1.1	15.3	14.7
	gcc-7.2.1	16.8	15.9
	gcc-8.0.0	15.5	15.6

This implements the option c) by forcing -Os on all compiler
versions starting with gcc-7.1. As a workaround for PR83356, it would
only be needed for gcc-7.2+ with UBSAN enabled, but since it also shows
better performance on gcc-7.1 without UBSAN, it seems appropriate to
use the faster version here as well.

Side note: during testing, I also played with the AES code in libressl,
which had a similar performance regression from gcc-6 to gcc-7.2,
but was three times slower overall. It might be interesting to
investigate that further and possibly port the Linux implementation
into that.

Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83356
Link: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=83651
Cc: Richard Biener <rguenther@suse.de>
Cc: Jakub Jelinek <jakub@gcc.gnu.org>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-01-12 23:03:40 +11:00
asymmetric_keys X.509: fix comparisons of ->pkey_algo 2017-12-08 15:13:29 +00:00
async_tx License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
.gitignore crypto: rsa - add .gitignore for crypto/*.-asn1.[ch] files 2015-06-25 23:29:24 +08:00
842.c crypto: acomp - add support for 842 via scomp 2016-10-25 11:08:33 +08:00
ablk_helper.c crypto: remove unused hardirq.h 2017-11-29 17:33:29 +11:00
ablkcipher.c crypto: Replaced gcc specific attributes with macros from compiler.h 2017-01-13 00:24:39 +08:00
acompress.c crypto: acomp - allow registration of multiple acomps 2017-04-21 20:30:50 +08:00
aead.c crypto: aead - prevent using AEADs without setting key 2018-01-12 23:03:39 +11:00
aes_generic.c crypto: aes-generic - drop alignment requirement 2017-02-11 17:50:43 +08:00
aes_ti.c crypto: aes_ti - fix comment for MixColumns step 2017-06-19 14:11:53 +08:00
af_alg.c crypto: af_alg - whitelist mask and type 2018-01-12 23:03:05 +11:00
ahash.c crypto: hash - prevent using keyed hashes without setting key 2018-01-12 23:03:37 +11:00
akcipher.c crypto: Replaced gcc specific attributes with macros from compiler.h 2017-01-13 00:24:39 +08:00
algapi.c crypto: algapi - remove unused notifications 2018-01-05 18:43:10 +11:00
algboss.c crypto: algboss - remove redundant setting of len to zero 2017-10-07 12:10:34 +08:00
algif_aead.c crypto: aead - prevent using AEADs without setting key 2018-01-12 23:03:39 +11:00
algif_hash.c crypto: hash - prevent using keyed hashes without setting key 2018-01-12 23:03:37 +11:00
algif_rng.c crypto: algif_rng - Remove obsolete const-removal cast 2015-04-22 09:30:21 +08:00
algif_skcipher.c crypto: skcipher - prevent using skciphers without setting key 2018-01-12 23:03:39 +11:00
ansi_cprng.c crypto: ansi_cprng - Convert to new rng interface 2015-04-22 09:30:18 +08:00
anubis.c crypto: prefix module autoloading with "crypto-" 2014-11-24 22:43:57 +08:00
api.c crypto: algapi - convert cra_refcnt to refcount_t 2018-01-05 18:43:09 +11:00
arc4.c crypto: prefix module autoloading with "crypto-" 2014-11-24 22:43:57 +08:00
authenc.c crypto: null - Get rid of crypto_{get,put}_default_null_skcipher2() 2017-12-22 19:29:08 +11:00
authencesn.c crypto: null - Get rid of crypto_{get,put}_default_null_skcipher2() 2017-12-22 19:29:08 +11:00
blkcipher.c crypto: remove unused hardirq.h 2017-11-29 17:33:29 +11:00
blowfish_common.c
blowfish_generic.c crypto: add missing crypto module aliases 2015-01-13 22:29:11 +11:00
camellia_generic.c crypto: replace FSF address with web source in license notices 2017-11-29 17:33:25 +11:00
cast5_generic.c crypto: replace FSF address with web source in license notices 2017-11-29 17:33:25 +11:00
cast6_generic.c crypto: replace FSF address with web source in license notices 2017-11-29 17:33:25 +11:00
cast_common.c
cbc.c crypto: cbc - Propagate NEED_FALLBACK bit 2017-03-09 18:34:39 +08:00
ccm.c crypto: ccm - preserve the IV buffer 2017-11-03 21:35:35 +08:00
chacha20_generic.c crypto: chacha20 - Fix keystream alignment for chacha20_block() 2017-11-29 17:33:33 +11:00
chacha20poly1305.c crypto: chacha20poly1305 - validate the digest size 2017-12-22 19:02:33 +11:00
cipher.c crypto: api - Remove no-op exit_ops code 2016-10-21 11:03:42 +08:00
cmac.c crypto: algapi - make crypto_xor() and crypto_inc() alignment agnostic 2017-02-11 17:52:28 +08:00
compress.c crypto: api - Remove no-op exit_ops code 2016-10-21 11:03:42 +08:00
crc32_generic.c crypto: hash - annotate algorithms taking optional key 2018-01-12 23:03:35 +11:00
crc32c_generic.c crypto: hash - annotate algorithms taking optional key 2018-01-12 23:03:35 +11:00
crct10dif_common.c
crct10dif_generic.c crypto: squash lines for simple wrapper functions 2016-09-13 20:27:26 +08:00
cryptd.c crypto: hash - annotate algorithms taking optional key 2018-01-12 23:03:35 +11:00
crypto_engine.c crypto: engine - replace pr_xxx by dev_xxx 2017-06-19 14:19:54 +08:00
crypto_null.c crypto: null - Remove default null blkcipher 2016-07-18 17:35:44 +08:00
crypto_user.c crypto: algapi - convert cra_refcnt to refcount_t 2018-01-05 18:43:09 +11:00
crypto_wq.c crypto: crypto_wq - Fix late crypto work queue initialization 2014-03-21 21:54:28 +08:00
ctr.c crypto: algapi - make crypto_xor() take separate dst and src arguments 2017-08-04 09:27:15 +08:00
cts.c crypto: remove redundant backlog checks on EBUSY 2017-11-03 22:11:17 +08:00
deflate.c crypto: scomp - add support for deflate rfc1950 (zlib) 2017-04-24 18:11:08 +08:00
des_generic.c crypto: add missing crypto module aliases 2015-01-13 22:29:11 +11:00
dh_helper.c crypto: dh - Don't permit 'key' or 'g' size longer than 'p' 2017-11-10 19:20:17 +08:00
dh.c crypto: dh - Remove pointless checks for NULL 'p' and 'g' 2017-11-10 19:20:22 +08:00
drbg.c crypto: drbg - move to generic async completion 2017-11-03 22:11:19 +08:00
ecb.c crypto: include crypto- module prefix in template 2014-11-26 20:06:30 +08:00
ecc_curve_defs.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ecc.c crypto: ecc - Fix NULL pointer deref. on no default_rng 2017-11-29 17:33:24 +11:00
ecc.h crypto: ecdh - add privkey generation support 2017-06-10 12:04:35 +08:00
ecdh_helper.c crypto: ecdh - return unsigned value for crypto_ecdh_key_len() 2017-10-12 22:55:00 +08:00
ecdh.c crypto: ecdh - remove empty exit() 2017-11-06 14:45:04 +08:00
echainiv.c crypto: echainiv - Remove unused alg/spawn variable 2017-12-22 19:52:45 +11:00
fcrypt.c crypto: prefix module autoloading with "crypto-" 2014-11-24 22:43:57 +08:00
fips.c crypto: fips - Move fips_enabled sysctl into fips.c 2015-04-23 14:18:09 +08:00
gcm.c crypto: null - Get rid of crypto_{get,put}_default_null_skcipher2() 2017-12-22 19:29:08 +11:00
gf128mul.c crypto: gf128mul - remove incorrect comment 2017-12-22 19:52:40 +11:00
ghash-generic.c crypto: ghash - remove checks for key being set 2018-01-12 23:03:38 +11:00
hash_info.c keys, trusted: select hash algorithm for TPM2 chips 2015-12-20 15:27:12 +02:00
hmac.c crypto: hmac - require that the underlying hash algorithm is unkeyed 2017-11-29 13:39:15 +11:00
internal.h crypto: algapi - remove unused notifications 2018-01-05 18:43:10 +11:00
jitterentropy-kcapi.c crypto: jitterentropy - drop duplicate header module.h 2016-11-17 23:34:52 +08:00
jitterentropy.c crypto: jitterentropy - Delete unnecessary checks before the function call "kzfree" 2015-06-25 23:18:33 +08:00
Kconfig crypto: ecdh - fix typo in KPP dependency of CRYPTO_ECDH 2017-12-11 22:36:56 +11:00
keywrap.c crypto: keywrap - Add missing ULL suffixes for 64-bit constants 2017-11-29 17:33:26 +11:00
khazad.c crypto: prefix module autoloading with "crypto-" 2014-11-24 22:43:57 +08:00
kpp.c crypto: Replaced gcc specific attributes with macros from compiler.h 2017-01-13 00:24:39 +08:00
lrw.c crypto: remove redundant backlog checks on EBUSY 2017-11-03 22:11:17 +08:00
lz4.c crypto: lz4 - fixed decompress function to return error code 2017-04-10 19:17:27 +08:00
lz4hc.c crypto: lz4 - fixed decompress function to return error code 2017-04-10 19:17:27 +08:00
lzo.c treewide: use kv[mz]alloc* rather than opencoded variants 2017-05-08 17:15:13 -07:00
Makefile crypto: aes-generic - build with -Os on gcc-7+ 2018-01-12 23:03:40 +11:00
mcryptd.c crypto: hash - annotate algorithms taking optional key 2018-01-12 23:03:35 +11:00
md4.c crypto: prefix module autoloading with "crypto-" 2014-11-24 22:43:57 +08:00
md5.c md5: remove from lib and only live in crypto 2017-03-24 22:02:56 +08:00
memneq.c crypto: memneq - fix for archs without efficient unaligned access 2013-12-09 20:09:12 +08:00
michael_mic.c crypto: prefix module autoloading with "crypto-" 2014-11-24 22:43:57 +08:00
pcbc.c crypto: algapi - make crypto_xor() take separate dst and src arguments 2017-08-04 09:27:15 +08:00
pcrypt.c crypto: pcrypt - fix freeing pcrypt instances 2017-12-22 19:02:47 +11:00
poly1305_generic.c crypto: poly1305 - remove ->setkey() method 2018-01-12 23:03:14 +11:00
proc.c crypto: algapi - convert cra_refcnt to refcount_t 2018-01-05 18:43:09 +11:00
ripemd.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
rmd128.c crypto: drop unnecessary return statements 2017-09-22 17:43:28 +08:00
rmd160.c crypto: drop unnecessary return statements 2017-09-22 17:43:28 +08:00
rmd256.c crypto: drop unnecessary return statements 2017-09-22 17:43:28 +08:00
rmd320.c crypto: drop unnecessary return statements 2017-09-22 17:43:28 +08:00
rng.c crypto: rng - ensure that the RNG is ready before using 2017-07-28 17:56:00 +08:00
rsa_helper.c crypto: rsa - fix buffer overread when stripping leading zeroes 2017-11-29 13:39:14 +11:00
rsa-pkcs1pad.c crypto: remove redundant backlog checks on EBUSY 2017-11-03 22:11:17 +08:00
rsa.c crypto: rsa - comply with crypto_akcipher_maxsize() 2017-06-10 12:04:30 +08:00
rsaprivkey.asn1 crypto: rsa - Store rest of the private key components 2016-07-05 23:05:26 +08:00
rsapubkey.asn1 crypto: akcipher - Changes to asymmetric key API 2015-10-14 22:23:16 +08:00
salsa20_generic.c crypto: salsa20 - fix blkcipher_walk API usage 2017-11-29 16:25:58 +11:00
scatterwalk.c crypto: scatterwalk - Remove unnecessary aliasing check in map_and_copy 2016-11-22 15:02:25 +08:00
scompress.c crypto: scompress - defer allocation of scratch buffer to first use 2017-08-03 13:52:44 +08:00
seed.c crypto: prefix module autoloading with "crypto-" 2014-11-24 22:43:57 +08:00
seqiv.c crypto: seqiv - Remove unused alg/spawn variable 2017-12-22 19:52:45 +11:00
serpent_generic.c crypto: serpent - improve __serpent_setkey with UBSAN 2017-08-09 20:17:54 +08:00
sha1_generic.c crypto: hash - add zero length message hash for shax and md5 2015-12-22 20:43:35 +08:00
sha3_generic.c crypto: sha3 - Add missing ULL suffixes for 64-bit constants 2016-08-08 23:43:46 +08:00
sha256_generic.c crypto: hash - add zero length message hash for shax and md5 2015-12-22 20:43:35 +08:00
sha512_generic.c crypto: sha512-generic - move to generic glue implementation 2015-04-10 21:39:41 +08:00
shash.c crypto: hash - prevent using keyed hashes without setting key 2018-01-12 23:03:37 +11:00
simd.c crypto: replace FSF address with web source in license notices 2017-11-29 17:33:25 +11:00
skcipher.c crypto: skcipher - prevent using skciphers without setting key 2018-01-12 23:03:39 +11:00
sm3_generic.c crypto: sm3 - add OSCCA SM3 secure hash 2017-09-22 17:43:07 +08:00
tcrypt.c crypto: tcrypt - free xoutbuf instead of axbuf 2018-01-12 23:03:07 +11:00
tcrypt.h crypto: tcrypt - Add ChaCha20/Poly1305 speed tests 2015-07-17 21:20:20 +08:00
tea.c crypto: add missing crypto module aliases 2015-01-13 22:29:11 +11:00
testmgr.c crypto: testmgr - change guard to unsigned char 2018-01-12 23:03:05 +11:00
testmgr.h crypto: sm3 - add SM3 test vectors 2017-09-22 17:43:08 +08:00
tgr192.c crypto: add missing crypto module aliases 2015-01-13 22:29:11 +11:00
twofish_common.c crypto: replace FSF address with web source in license notices 2017-11-29 17:33:25 +11:00
twofish_generic.c crypto: replace FSF address with web source in license notices 2017-11-29 17:33:25 +11:00
vmac.c crypto: include crypto- module prefix in template 2014-11-26 20:06:30 +08:00
wp512.c crypto: add missing crypto module aliases 2015-01-13 22:29:11 +11:00
xcbc.c crypto: replace FSF address with web source in license notices 2017-11-29 17:33:25 +11:00
xor.c kmemcheck: stop using GFP_NOTRACK and SLAB_NOTRACK 2017-11-15 18:21:04 -08:00
xts.c Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 2017-11-14 10:52:09 -08:00