Closed Bug 979703 Opened 11 years ago Closed 11 years ago

Implementation of AES in different modes of operation, using AES-NI and PCLMULQDQ-NI, for WIN32 and WIN64 platforms

Categories

(NSS :: Libraries, defect, P1)

Product:
NSS
Component:
Libraries
Platform:
x86_64
Windows 7
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
3.16.2

People

(Reporter: shay.gueron, Assigned: shay.gueron)

References

Details

Attachments

(8 files, 11 obsolete files)

Patch v4, by Shay Gueron
120.44 KB, patch
wtc
: review+
wtc
: checked-in+
Details | Diff | Splinter Review
Check for Visual C++ 2010 for Intel AES assembly code, v2
1.87 KB, patch
KaiE
: review+
KaiE
: checked-in+
Details | Diff | Splinter Review
Fix a bug in the gen_aes_cbc_dec_func macro in intel-aes-x64-masm.asm, by Shay Gueron
1.66 KB, patch
wtc
: review+
wtc
: checked-in+
Details | Diff | Splinter Review
Check for Visual C++ 2010 SP1 for the _xgetbv compiler intrinsic function, v2
3.92 KB, patch
KaiE
: review+
wtc
: checked-in+
Details | Diff | Splinter Review
Better error handling in intel_AES_GCM_DecryptUpdate, and coding style fixes suggested by Ryan, v3
16.10 KB, patch
wtc
: checked-in+
Details | Diff | Splinter Review
8412291: Avoid _xgetbv() for 32-bit x86 builds so that we can use the Intel AES assembly code with VC 2010 RTM, v1.1
1.89 KB, patch
cviecco
: review+
wtc
: checked-in+
Details | Diff | Splinter Review
Disable the Intel AES assembly code on Windows for NSS 3.16.1
2.56 KB, patch
KaiE
: review+
wtc
: checked-in+
Details | Diff | Splinter Review
Fix bugs in intel-gcm-x86-masm.asm and re-enable the Intel AES assembly code
5.82 KB, patch
wtc
: checked-in+
Details | Diff | Splinter Review
Hello everyone, This patch implements AES using AES-NI and PCLMULQDQ-NI, for WIN32 and WIN64 platforms (similarly to the Linux64 implementation). The code implements the following AES modes of operation: AES-ECB, AES-CBC, AES-CTR, AES-GCM. The performance achieved by this patch, in CPU Cycles/Byte is the following (the numbers in parentheses show the current performance): Win32 |ECB enc/dec| CBC enc | CBC dec |CTR enc/dec|GCM enc/dec -------------------------+-----------+-----------+-----------+------------ Core i5 2520M|0.81(18.42)|5.13(20.52)|0.86(22.05)|0.86(23.89)|3.00(101.90) -------------------------+-----------+-----------+-----------+------------ Core i7 4770K|0.63(15.24)|4.44(17.39)|0.63(17.68)|0.63(19.11)|1.32(109.97) Win64 |ECB enc/dec| CBC enc | CBC dec |CTR enc/dec|GCM enc/dec -------------------------+-----------+-----------+-----------+------------ Core i5 2520M|0.71(16.48)|5.10(19.09)|0.76(18.33)|0.81(19.71)|2.81(66.29) -------------------------+-----------+-----------+-----------+------------ Core i7 4770K|0.63(15.04)|4.44(17.39)|0.63(16.64)|0.63(18.02)|1.06(59.21) Note: This patch does not handle the bug that is patched in https://bugzilla.mozilla.org/show_bug.cgi?id=940794 and https://bugzilla.mozilla.org/show_bug.cgi?id=977829 (i.e., it does not check the OSXSAVE bit, because such a patch already exists, but is not yet part of the main NSS trunk yet). Developers and authors: ************************************************************************ Shay Gueron (1, 2), and Vlad Krasnov (1) (1) Intel Corporation, Israel Development Center, Haifa, Israel (2) University of Haifa, Israel ************************************************************************ Copyright(c) 2014, Intel Corp.
I applied Shay's patch (attachment 8385838 [details] [diff] [review]) to the NSS trunk and regenerated this patch. I can build NSS with the patch for both WIN32 and WIN64.
Attachment #8385838 - Attachment is obsolete: true
I updated Shay's patch to the current NSS trunk. Now it is necessary to define the macro INTEL_GCM to enable the Intel assembly code for GCM. This patch has bugs in 192-bit and 256-bit AES ECB and CBC decryption. The next patch fixes these bugs.
Attachment #8386536 - Attachment is obsolete: true
Attached patch Patch v2, by Shay Gueron (obsolete) — Splinter Review
Fixed the AES ECB and CBC decryption bugs for 192-bit and 256-bit keys, in 32-bit builds. The bugs were in the functions intel_aes_decrypt_init_192 and intel_aes_decrypt_init_256 in intel-aes-x86-masm.asm. By comparing the functions with the same functions in intel-aes-x64-masm.asm, it was not hard to spot the bugs.
Attachment #8403441 - Attachment is obsolete: true
Attached patch Patch v3, by Shay Gueron (obsolete) — Splinter Review
Fixed formatting issues.
Attachment #8403445 - Attachment is obsolete: true
Fixed more formatting issues, in particular in nss/lib/freebl/Makefile. Patch checked in: https://hg.mozilla.org/projects/nss/rev/281db105f1f7 I will monitor the NSS build bots tonight. If the Windows build fail, we just need to back out the change to nss/lib/freebl/Makefile.
Attachment #8403695 - Attachment is obsolete: true
Attachment #8403710 - Flags: review+
Attachment #8403710 - Flags: checked-in+
64-bit Windows builds also need the same change.
Attachment #8403765 - Attachment is obsolete: true
Attachment #8403765 - Flags: review?(kaie)
Attachment #8403771 - Flags: review?(kaie)
(In reply to Wan-Teh Chang from comment #5) > Patch checked in: https://hg.mozilla.org/projects/nss/rev/281db105f1f7 > > I will monitor the NSS build bots tonight. If the Windows build fail, > we just need to back out the change to nss/lib/freebl/Makefile. This change failed to build on Windows 2003 hg/nss/lib/freebl/rijndael.c(982) : error C4013: '_xgetbv' undefined; assuming extern returning int See line 982 here: https://hg.mozilla.org/projects/nss/file/281db105f1f7/lib/freebl/rijndael.c#l977
Kai: please review my patch in comment 7. It'll fix the compilation errors with Visual C++ 2008 and older. Thanks.
Comment on attachment 8403771 [details] [diff] [review] Check for Visual C++ 2010 for Intel AES assembly code, v2 let's try it, I'll check it in as a bustage fix r=kaie
Attachment #8403771 - Flags: review?(kaie) → review+
Comment on attachment 8403771 [details] [diff] [review] Check for Visual C++ 2010 for Intel AES assembly code, v2 https://hg.mozilla.org/projects/nss/rev/edaddc287517
Attachment #8403771 - Flags: checked-in+
the patch fixed the win 2003 issue other windows platforms still executing tests, but have succeeded building.
Shay sent me a patch to fix a bug in loop8 of the gen_aes_cbc_dec_func macro in intel-aes-x64-masm.asm. Every eighth block of the ciphertext is incorrect. Our current AES CBC test vectors are too short to catch this bug. I'm going to add some AES CBC test vectors that have plaintext and ciphertext longer than two blocks. This patch also contains a coding style cleanup in nss/lib/freebl/rijndael.c. Patch checked in: https://hg.mozilla.org/projects/nss/rev/1f11025a295a https://hg.mozilla.org/projects/nss/rev/a849a3461539
Attachment #8404165 - Flags: review+
Attachment #8404165 - Flags: checked-in+
Shay's code can also be reviewed at https://codereview.chromium.org/214183004/. Patch set 1 is roughly the original NSS 3.16 code. So you should review the delta from patch set 1.
Assignee: nobody → shay.gueron
Status: NEW → RESOLVED
Closed: 11 years ago
Priority: -- → P1
Resolution: --- → FIXED
Target Milestone: --- → 3.16.1
Comment on attachment 8403710 [details] [diff] [review] Patch v4, by Shay Gueron Review of attachment 8403710 [details] [diff] [review]: ----------------------------------------------------------------- ::: lib/freebl/ctr.c @@ +172,5 @@ > } > + > +#if defined(USE_HW_AES) && defined(_MSC_VER) > +SECStatus > +CTR_Update_HW_AES(CTRContext *ctr, unsigned char *outbuf, Shay: CTR_Update_HW_AES is the same as CTR_Update except for the few lines in the middle of the function. It would be nice to avoid the code duplication. Do you have any good idea?
On Windows, we are calling the _xgetbv compiler intrinsic function, which was added in Visual C++ 2010 SP1. I had assumed that Mozilla requires VC 2010 SP1, so I used a simpler compiler version check. But I found that Mozilla try servers are using Visual C++ 2010 RTM. In this patch I implemented an exact compiler version check. I also did some cleanups such as using the Visual C++ internal version 12 for VC 2013 and passing the -nologo option to the assembler.
Attachment #8411258 - Flags: review?(kaie)
Ryan: this patch makes the changes you suggested in https://codereview.chromium.org/214183004/#msg2.
Attachment #8411465 - Flags: review?(ryan.sleevi)
Updated the comments to describe exactly what requires VC10 SP1.
Attachment #8411258 - Attachment is obsolete: true
Attachment #8411258 - Flags: review?(kaie)
Attachment #8411473 - Flags: review?(kaie)
Attachment #8411465 - Attachment description: Coding style fixes suggested by Ryan → Better error handling in intel_AES_GCM_DecryptUpdate, and coding style fixes suggested by Ryan
I found that I can't assert tmp == blocksize after the ctr->cipher calls because none of the AES ECB encryption worker functions set the |outputLen| output argument. So I had to remove the three assertions. I also made two coding style fixes that Adam suggested.
Attachment #8411465 - Attachment is obsolete: true
Attachment #8411465 - Flags: review?(ryan.sleevi)
Attachment #8411488 - Flags: review?(ryan.sleevi)
Comment on attachment 8411488 [details] [diff] [review] Better error handling in intel_AES_GCM_DecryptUpdate, and coding style fixes suggested by Ryan, v2 Review of attachment 8411488 [details] [diff] [review]: ----------------------------------------------------------------- ::: lib/freebl/intel-gcm-wrap.c @@ +56,1 @@ > It looks like there is a variety of stray whitespace in this file (line 44, line 51, 56, 67, 103, 139, 154, 199, 210) if you want to fix up when patching. @@ +220,5 @@ > + if (maxout < inlen) { > + *outlen = inlen; > + PORT_SetError(SEC_ERROR_OUTPUT_LEN); > + return SECFailure; > + } Good catch!
Attachment #8411488 - Flags: review?(ryan.sleevi) → review+
Attachment #8411473 - Flags: review?(kaie) → review+
Comment on attachment 8411473 [details] [diff] [review] Check for Visual C++ 2010 SP1 for the _xgetbv compiler intrinsic function, v2 Patch checked in: https://hg.mozilla.org/projects/nss/rev/0abdafa757bb
Attachment #8411473 - Flags: checked-in+
Attachment #8411488 - Attachment is obsolete: true
The 64-bit x64 builds still require VC2010 SP1 for the Intel AES assembly code. Unfortunately inline assembly is only supported for 32-bit x86, so it is more work to fix 64-bit x64 builds. I'll deal with that later.
Attachment #8412291 - Flags: review?(kaie)
I removed the opcode for the xgetbv instruction from the comment. The opcode is not needed to understand the code.
Attachment #8412291 - Attachment is obsolete: true
Attachment #8412291 - Flags: review?(kaie)
Attachment #8413181 - Flags: superreview?(kaie)
Attachment #8413181 - Flags: review?(cviecco)
Comment on attachment 8413181 [details] [diff] [review] 8412291: Avoid _xgetbv() for 32-bit x86 builds so that we can use the Intel AES assembly code with VC 2010 RTM, v1.1 Review of attachment 8413181 [details] [diff] [review]: ----------------------------------------------------------------- ::: lib/freebl/rijndael.c @@ +982,5 @@ > PRUint32 xcr0; > #if defined(_MSC_VER) > +#if defined(_M_IX86) > + __asm { > + mov ecx, 0 I am assuming ecx is either stored somewhere or there is a guarantee that its contents are OK to be cleared.
Attachment #8413181 - Flags: review?(cviecco) → review+
Comment on attachment 8413181 [details] [diff] [review] 8412291: Avoid _xgetbv() for 32-bit x86 builds so that we can use the Intel AES assembly code with VC 2010 RTM, v1.1 Patch checked in: https://hg.mozilla.org/projects/nss/rev/7e8485a5ed49
Attachment #8413181 - Flags: checked-in+
Testing of the new assembly code uncovered bugs in intel-gcm-x86-masm.asm. We should disable the new assembly code on Windows for NSS 3.16.1 and target NSS 3.16.2.
Attachment #8414437 - Flags: review?(kaie)
Comment on attachment 8414437 [details] [diff] [review] Disable the Intel AES assembly code on Windows for NSS 3.16.1 r=kaie Should this bug be reopened?
Attachment #8414437 - Flags: review?(kaie) → review+
Comment on attachment 8414437 [details] [diff] [review] Disable the Intel AES assembly code on Windows for NSS 3.16.1 Review of attachment 8414437 [details] [diff] [review]: ----------------------------------------------------------------- Patch checked in: https://hg.mozilla.org/projects/nss/rev/0bef241d00cb
Attachment #8414437 - Flags: checked-in+
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: 3.16.1 → 3.16.2
Shay sent me this patch. He said: Changed the register from di do dl. I also explicitly added the asm directive BYTE PTR, to avoid similar mistake. The change is only in intel-gcm-x86-masm.asm. Both enc/dec.
Shay's first fix (attachment 8414506 [details] [diff] [review]) is incorrect because it clobbered the edx register, which is used by the code later. He and I independently wrote the correct fix. The fix was reviewed by Adam Langley at https://codereview.chromium.org/254213002 Patch checked in: https://hg.mozilla.org/projects/nss/rev/f7a4c771997e
Attachment #8414506 - Attachment is obsolete: true
Attachment #8419128 - Flags: checked-in+
Comment on attachment 8419128 [details] [diff] [review] Fix bugs in intel-gcm-x86-masm.asm and re-enable the Intel AES assembly code Patch pushed to mozilla-inbound as part of NSS_3_16_2_BETA1: https://hg.mozilla.org/integration/mozilla-inbound/rev/4da05df32a63
https://hg.mozilla.org/mozilla-central/rev/4da05df32a63
Status: REOPENED → RESOLVED
Closed: 11 years ago11 years ago
Resolution: --- → FIXED
See Also: → 1026830
Comment on attachment 8413181 [details] [diff] [review] 8412291: Avoid _xgetbv() for 32-bit x86 builds so that we can use the Intel AES assembly code with VC 2010 RTM, v1.1 clearing sr request, I cannot review it, I'm not an assembler programmer.
Attachment #8413181 - Flags: superreview?(kaie)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: