    crypto: arm64/gcm - implement native driver using v8 Crypto Extensions · 537c1445
    Ard Biesheuvel authored
    Currently, the AES-GCM implementation for arm64 systems that support the
    ARMv8 Crypto Extensions is based on the generic GCM module, which combines
    the AES-CTR implementation using AES instructions with the PMULL based
    GHASH driver. This is suboptimal, given the fact that the input data needs
    to be loaded twice, once for the encryption and again for the MAC
    calculation.
    
    On Cortex-A57 (r1p2) and other recent cores that implement micro-op fusing
    for the AES instructions, AES executes at less than 1 cycle per byte, which
    means that any cycles wasted on loading the data twice hurt even more.
    
    So implement a new GCM driver that combines the AES and PMULL instructions
    at the block level. This improves performance on Cortex-A57 by ~37% (from
    3.5 cpb to 2.6 cpb).
    Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
    Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
ghash-ce-core.S 5.13 KB