[PATCH v4 6/8] crypto: x86/polyval: Add PCLMULQDQ accelerated implementation of POLYVAL
Eric Biggers
ebiggers at kernel.org
Mon Apr 18 14:36:56 PDT 2022
A few more comments:
On Tue, Apr 12, 2022 at 05:28:14PM +0000, Nathan Huckleberry wrote:
> +/*
> + * Computes the 256-bit polynomial represented by LO, HI, MI. Stores
> + * the result in PL, PH.
> + * [PH :: PL] = [HI_1 : HI_0 + MI_1 :: LO_1 + MI_0 : LO_0]
> + */
It is unclear what the double colon means. Maybe you meant for it to indicate
128-bit boundaries, as opposed to 64-bit boundaries? It is not used
consistently, though.
> +/*
> + * Computes the 128-bit reduction of PL : PH. Stores the result in dest.
This should use the order "PH : PL", to be consistent with the notation
elsewhere.
> diff --git a/arch/x86/crypto/polyval-clmulni_glue.c b/arch/x86/crypto/polyval-clmulni_glue.c
[...]
> +struct polyval_ctx {
> + /*
> + * These powers must be in the order h^8, ..., h^1.
> + */
> + u8 key_powers[NUM_PRECOMPUTE_POWERS][POLYVAL_BLOCK_SIZE];
> +};
> +
> +struct polyval_desc_ctx {
> + u8 buffer[POLYVAL_BLOCK_SIZE];
> + u32 bytes;
> +};
As I've mentioned elsewhere, it is confusing to have both ctx and desc_ctx. The
former should be called polyval_tfm_ctx, like it is in polyval-generic.c.
> +asmlinkage void clmul_polyval_update(const u8 *in, struct polyval_ctx *keys,
> + size_t nblocks, u8 *accumulator);
The argument order here is a bit weird. It would be more logical to have it be
(keys, in, nblocks, accumulator), similar to crypto_shash_digest().
Also, 'keys' should be const.
- Eric
More information about the linux-arm-kernel
mailing list