summaryrefslogtreecommitdiff
path: root/crypto/Kconfig
diff options
context:
space:
mode:
authorEric Biggers <ebiggers@google.com>2018-05-26 00:08:58 -0700
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2018-07-17 11:39:31 +0200
commit19f39eff68b40746703285ee55209041fedca6b3 (patch)
tree5c363096d5b8aea26528736cf344ebfea0952cf6 /crypto/Kconfig
parent2a017ea2ea1448d8d9505f7589a537c2eed64f31 (diff)
downloadlinux-exynos-19f39eff68b40746703285ee55209041fedca6b3.tar.gz
linux-exynos-19f39eff68b40746703285ee55209041fedca6b3.tar.bz2
linux-exynos-19f39eff68b40746703285ee55209041fedca6b3.zip
crypto: x86/salsa20 - remove x86 salsa20 implementations
commit b7b73cd5d74694ed59abcdb4974dacb4ff8b2a2a upstream. The x86 assembly implementations of Salsa20 use the frame base pointer register (%ebp or %rbp), which breaks frame pointer convention and breaks stack traces when unwinding from an interrupt in the crypto code. Recent (v4.10+) kernels will warn about this, e.g. WARNING: kernel stack regs at 00000000a8291e69 in syzkaller047086:4677 has bad 'bp' value 000000001077994c [...] But after looking into it, I believe there's very little reason to still retain the x86 Salsa20 code. First, these are *not* vectorized (SSE2/SSSE3/AVX2) implementations, which would be needed to get anywhere close to the best Salsa20 performance on any remotely modern x86 processor; they're just regular x86 assembly. Second, it's still unclear that anyone is actually using the kernel's Salsa20 at all, especially given that now ChaCha20 is supported too, and with much more efficient SSSE3 and AVX2 implementations. Finally, in benchmarks I did on both Intel and AMD processors with both gcc 8.1.0 and gcc 4.9.4, the x86_64 salsa20-asm is actually slightly *slower* than salsa20-generic (~3% slower on Skylake, ~10% slower on Zen), while the i686 salsa20-asm is only slightly faster than salsa20-generic (~15% faster on Skylake, ~20% faster on Zen). The gcc version made little difference. So, the x86_64 salsa20-asm is pretty clearly useless. That leaves just the i686 salsa20-asm, which based on my tests provides a 15-20% speed boost. But that's without updating the code to not use %ebp. And given the maintenance cost, the small speed difference vs. salsa20-generic, the fact that few people still use i686 kernels, the doubt that anyone is even using the kernel's Salsa20 at all, and the fact that a SSE2 implementation would almost certainly be much faster on any remotely modern x86 processor yet no one has cared enough to add one yet, I don't think it's worthwhile to keep. Thus, just remove both the x86_64 and i686 salsa20-asm implementations. Reported-by: syzbot+ffa3a158337bbc01ff09@syzkaller.appspotmail.com Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'crypto/Kconfig')
-rw-r--r--crypto/Kconfig26
1 files changed, 0 insertions, 26 deletions
diff --git a/crypto/Kconfig b/crypto/Kconfig
index 42212b60a0ee..5579eb88d460 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -1324,32 +1324,6 @@ config CRYPTO_SALSA20
The Salsa20 stream cipher algorithm is designed by Daniel J.
Bernstein <djb@cr.yp.to>. See <http://cr.yp.to/snuffle.html>
-config CRYPTO_SALSA20_586
- tristate "Salsa20 stream cipher algorithm (i586)"
- depends on (X86 || UML_X86) && !64BIT
- select CRYPTO_BLKCIPHER
- help
- Salsa20 stream cipher algorithm.
-
- Salsa20 is a stream cipher submitted to eSTREAM, the ECRYPT
- Stream Cipher Project. See <http://www.ecrypt.eu.org/stream/>
-
- The Salsa20 stream cipher algorithm is designed by Daniel J.
- Bernstein <djb@cr.yp.to>. See <http://cr.yp.to/snuffle.html>
-
-config CRYPTO_SALSA20_X86_64
- tristate "Salsa20 stream cipher algorithm (x86_64)"
- depends on (X86 || UML_X86) && 64BIT
- select CRYPTO_BLKCIPHER
- help
- Salsa20 stream cipher algorithm.
-
- Salsa20 is a stream cipher submitted to eSTREAM, the ECRYPT
- Stream Cipher Project. See <http://www.ecrypt.eu.org/stream/>
-
- The Salsa20 stream cipher algorithm is designed by Daniel J.
- Bernstein <djb@cr.yp.to>. See <http://cr.yp.to/snuffle.html>
-
config CRYPTO_CHACHA20
tristate "ChaCha20 cipher algorithm"
select CRYPTO_BLKCIPHER