This is the mail archive of the mailing list for the GCC project.
Re: Power 8 in-core crypto not working as expected
- From: R0b0t1 <r030t1 at gmail dot com>
- To: David Edelsohn <dje dot gcc at gmail dot com>
- Cc: noloader at gmail dot com, GCC Development <gcc at gcc dot gnu dot org>
- Date: Thu, 7 Sep 2017 02:25:29 -0500
- Subject: Re: Power 8 in-core crypto not working as expected
- Authentication-results: sourceware.org; auth=none
- References: <CAH8yC8nw20DXRW6RtDsLQEh6YeLjbHCLv43Ub+843Off=jFZiQ@mail.gmail.com> <CAAD4mYhmJkp5XGw5GGgLNm=2QMTotaj2E6=4SV35Ctpm1UAU3w@mail.gmail.com> <CAGWvny=OG8jdQ7D9+ucbmRVN61g-wk=iO6Fb4OcaG9qYJGiv=Q@mail.gmail.com>
On Thu, Sep 7, 2017 at 1:10 AM, Jeffrey Walton <email@example.com> wrote:
> On Thu, Sep 7, 2017 at 1:39 AM, R0b0t1 <firstname.lastname@example.org> wrote:
>> On Wed, Sep 6, 2017 at 11:37 PM, Jeffrey Walton <email@example.com> wrote:
>>> Hi Everyone,
>>> I'm on gcc rather than gcc-help because we need to talk with some GCC
>>> devs who can help take this further.
>>> I have an implementation for AES on Power 8 using GCC's built-ins. It's
>>> available for inspection and download at
>>> https://github.com/noloader/AES-Power8. The problem is, it does not
>>> arrive at the correct results on GCC112 (ppc64-le) or GCC119 (AIX, big
>>> The source file is the reduced, minimal test case. It uses
>>> pre-calculated subkeys so we've removed that variable from the
>>> equation. It also uses the null vector (string of 0's) as the message,
>>> so that variable has been removed from the equation too.
>>> About all we are left with is loading a subkey, calling vcipher to
>>> perform a single round of encryption, and assigning the result back to
>>> a variable. Lather, rinse, repeat.
>>> For the crypto side of things I've consulted with Andy Polyakov of the
>>> OpenSSL project. I believe we are doing everything we should be as far
>>> as the crypto goes, including the subkey byte-swaps on LE machines.
>>> Our subkey table is exactly the same as the one OpenSSL arrives at on
>>> both LE and BE machines.
>>> Would someone familiar with the processor and knowledge of GCC
>>> built-ins please take a look at things. Suggestions for our next
>>> steps would be greatly appreciated.
>> Have you inspected the generated assembly listing and machine
>> instructions to be sure that they are correct?
> Unfortunately, I don't read PPC asm. It could be dead wrong and I
> could not spot it.
Learning to read the assembly for your processor and having a copy of
the ISA manual handy is a good idea when doing things at the level you
>> You can refer to the source for vmx-crypto
>> (https://github.com/torvalds/linux/tree/master/drivers/crypto/vmx) in
>> addition to that of OpenSSL. Are you trying to do a cleanroom
>> implementation of this software?
> Yeah, Andy's code is used for both OpenSSL and the Linux kernel. I've
> spent the last two days trying to connect the dots between our code
> and Andy's code. I've also been talking with Andy offline.
> I'm pretty sure it is mostly apples and oranges. Andy's code is highly
> optimized hand-tuned assembly. It just does not line up well with
> C/C++ based code.
I did glance over it and was kind of sad to see it is pure assembly
(in a Perl file...?). It looks like there is some memory movement and
looping logic but you might be able to figure out the proper way to
call the AES instructions or at least compare that code to what GCC
Based on the quick look I gave the instructions you are using, they are
being used properly. That makes me think the assembly or machine
instructions are not being generated correctly which is unfortunately
something I can't check easily. If OpenSSL also uses handwritten
assembly then you may be the first person to use these POWER8
Intrinsics like you are using almost always correspond 1 to 1 with
machine instructions. It is very helpful to be able to use them from
assembly because in some cases the compiler will not support the
instructions you are interested in (usually the case for embedded
It looks like I can't help directly so I'll try to avoid commenting
anymore, but I'm interested in what is wrong.
> I'll hit your other point privately.
On Thu, Sep 7, 2017 at 2:14 AM, David Edelsohn <firstname.lastname@example.org> wrote:
> On Thu, Sep 7, 2017 at 7:40 AM, R0b0t1 <email@example.com> wrote:
>> Full disclosure: despite my interest in the architecture I have not
>> been able to get access to a POWER8 machine. A server costs about as
>> much as a new car. Any account reseller recommendations or any other
>> options you can think of? If you don't mind responding feel free to do
>> it privately so it doesn't clutter this thread.
> Two of the systems in the GNU Compile Farm are POWER8 and the person
> is reporting about his tests on those systems. Why are you reporting
> that you don't have access to Power8 systems?
I didn't gather that from his message because I wasn't aware the
compile farm existed. He sent me instructions on how to apply for an
account. Also, despite my presence on this list, I am not a developer.
I am not a very smart man and I can only hope to try to understand the
great things that others have made.
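The reduced test case described in the thread (load a subkey, call vcipher for one round, assign the result back, repeat) only tells you that the hardware result is wrong, not whether the fault is in the built-in's semantics, the subkey byte order, or the generated code. A portable software oracle separates those. The following is an added example, not code from this thread or from the AES-Power8 repository: a plain-C reference for one full AES encryption round (SubBytes, ShiftRows, MixColumns, AddRoundKey), which is exactly the transformation the POWER8 vcipher instruction performs on its first operand with the second operand as the round key (vcipherlast is the same without MixColumns). The known-answer values are the round 1 intermediate state and round key from FIPS-197 Appendix B; the all-zero "null vector" check mirrors the thread's zero message and is constructed here. It assumes the caller compares the hardware output byte for byte with this reference in the same in-memory order as the subkeys (the LE byte-swap question raised in the thread is a caller concern, not handled here).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Rotate an 8-bit value left by s bits (s in 1..7). */
#define ROTL8(x, s) ((uint8_t)(((x) << (s)) | ((x) >> (8 - (s)))))

static uint8_t sbox[256];

/* Build the AES S-box at run time: walk GF(2^8) keeping p and q
 * multiplicative inverses (p *= 3, q /= 3), then apply the affine map. */
static void init_sbox(void)
{
    uint8_t p = 1, q = 1;
    do {
        p = (uint8_t)(p ^ (p << 1) ^ ((p & 0x80) ? 0x1B : 0));
        q ^= (uint8_t)(q << 1);
        q ^= (uint8_t)(q << 2);
        q ^= (uint8_t)(q << 4);
        q ^= (q & 0x80) ? 0x09 : 0;
        uint8_t t = (uint8_t)(q ^ ROTL8(q, 1) ^ ROTL8(q, 2) ^ ROTL8(q, 3) ^ ROTL8(q, 4));
        sbox[p] = (uint8_t)(t ^ 0x63);
    } while (p != 1);
    sbox[0] = 0x63; /* zero has no inverse: affine constant only */
}

/* S-box lookup with lazy initialisation (sbox[1] == 0x7c once built). */
uint8_t aes_sbox_ref(uint8_t x)
{
    if (sbox[1] == 0) init_sbox();
    return sbox[x];
}

/* Multiply by x (0x02) in GF(2^8) modulo the AES polynomial 0x11B. */
static uint8_t xtime(uint8_t a)
{
    return (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1B : 0));
}

/* One full AES round. State and key are 16 bytes in FIPS-197 column-major
 * order: byte i is row i % 4 of column i / 4. Safe to call with out == in. */
void aes_round_ref(const uint8_t in[16], const uint8_t rk[16], uint8_t out[16])
{
    uint8_t s[16], t[16];
    for (int i = 0; i < 16; i++) s[i] = aes_sbox_ref(in[i]);   /* SubBytes */
    for (int c = 0; c < 4; c++)                                 /* ShiftRows */
        for (int r = 0; r < 4; r++)
            t[4 * c + r] = s[4 * ((c + r) % 4) + r];            /* row r rotates left by r */
    for (int c = 0; c < 4; c++) {                               /* MixColumns */
        uint8_t a0 = t[4*c], a1 = t[4*c+1], a2 = t[4*c+2], a3 = t[4*c+3];
        out[4*c]   = xtime(a0) ^ (xtime(a1) ^ a1) ^ a2 ^ a3;
        out[4*c+1] = a0 ^ xtime(a1) ^ (xtime(a2) ^ a2) ^ a3;
        out[4*c+2] = a0 ^ a1 ^ xtime(a2) ^ (xtime(a3) ^ a3);
        out[4*c+3] = (xtime(a0) ^ a0) ^ a1 ^ a2 ^ xtime(a3);
    }
    for (int i = 0; i < 16; i++) out[i] ^= rk[i];               /* AddRoundKey */
}

/* Known-answer check: FIPS-197 Appendix B, round 1 (state at start of
 * round 1, round key w[4..7], state at start of round 2). Returns 1 on match. */
int aes_round_ref_selftest(void)
{
    static const uint8_t in[16]  = {0x19,0x3d,0xe3,0xbe,0xa0,0xf4,0xe2,0x2b,
                                    0x9a,0xc6,0x8d,0x2a,0xe9,0xf8,0x48,0x08};
    static const uint8_t rk[16]  = {0xa0,0xfa,0xfe,0x17,0x88,0x54,0x2c,0xb1,
                                    0x23,0xa3,0x39,0x39,0x2a,0x6c,0x76,0x05};
    static const uint8_t exp[16] = {0xa4,0x9c,0x7f,0xf2,0x68,0x9f,0x35,0x2b,
                                    0x6b,0x5b,0xea,0x43,0x02,0x6a,0x50,0x49};
    uint8_t out[16];
    aes_round_ref(in, rk, out);
    return memcmp(out, exp, 16) == 0;
}

int main(void)
{
    /* Constructed input mirroring the thread's setup: all-zero message and,
     * here, an all-zero subkey; on POWER8 one would compare these bytes
     * with the vcipher result for the same operands. */
    uint8_t zero[16] = {0}, out[16];
    printf("FIPS-197 round 1 known answer: %s\n",
           aes_round_ref_selftest() ? "PASS" : "FAIL");
    aes_round_ref(zero, zero, out);
    printf("round(zero state, zero key) =");
    for (int i = 0; i < 16; i++) printf(" %02x", out[i]);
    printf("\n");
    return aes_round_ref_selftest() ? 0 : 1;
}
```

The zero-state result is a useful sanity value to keep in mind when staring at hardware output: with a zero state every byte becomes 0x63 after SubBytes, ShiftRows moves identical bytes, MixColumns maps a column of equal bytes to itself, so a zero round key yields sixteen bytes of 0x63. If the hardware round disagrees with this reference on the same operand bytes, the problem is in operand order or byte order; if it agrees on a single round but the full cipher still differs, look at the key schedule or at the generated assembly.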