SSSE3 problems on Nehalem?

SSSE3 problems on Nehalem?

Werner Koch
Hi!

Due to hardware failures on our old Jenkins server, we switched to an
E5520 box.  Although this box is older than the former Intel pre-release
Clarkdale box, with its 8 cores it is more powerful and thus better for
our purposes anyway.

Now, here is the problem: we do not have AES-NI anymore, and thus the
SSSE3-optimized AES implementation is used, which fails in the CTR mode
selftest.

I was not able to replicate this failure on other machines even when
forcing the use of SSSE3 for example by using

  tests/basic --disable-hwf intel-fast-shld:intel-pclmul:intel-aesni:intel-avx

(this works for master; you may need to use several --disable-hwf).

Disabling intel-ssse3 on the E5520 is possible (/etc/gcrypt/hwf.deny)
but not a proper fix.

The selftest should yield these values for rijndael.c:selftest_ctr_128
around line 487 in _gcry_selftest_helper_ctr (with diff==0):

iv   : 00000800000000000000000000000008
plain: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f \
       202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f \
       404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f \
       606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f \
       808182838485868788898a8b8c8d8e8f
ciphr: eadf062f4bc843fe7662191a78dccd8011bea2ba43937fc63b66ddfaf902eb23 \
       4585dcf111ea27c00ade03493a89ed6880a4bdc12f3ac0df9493db796266b611 \
       e51cdbf3bb9be44981c2d4e6b7b34dd326d8676d1dd19949a848ba72343611fa \
       6f636ddd8db82f0c17ed1bab5bfc1912082c87ff588404305ce8908d32f380c8 \
       875ee5d348b357227991bf5f5d8f7186
plain: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f \
       202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f \
       404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f \
       606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f \
       808182838485868788898a8b8c8d8e8f

All fine.  But on the E5520 I get this back after decryption:

plain: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f \
       e5a9525c2fcb886698104111a6edaeb407f3b66338c43f35621b5e1bc4c33b9b \
       ad1c9778f4694da7cbe11352030b156d99a857fc80e124250a358009af6b7ef8 \
       5f6fc100ac3276af2d9670709718b43c96a62959bb48d623d21d1dedf32fcf0f \
       da6405a4ba56eeb8e05e623acb304391

Thus _gcry_aes_ssse3_ctr_enc fails after one block (128 bits).

Does anyone with an E5520 or another Nehalem CPU see the same problem?


Shalom-Salam,

   Werner


--
Thoughts are free.  Exceptions are regulated by a federal law.

_______________________________________________
Gcrypt-devel mailing list
[hidden email]
http://lists.gnupg.org/mailman/listinfo/gcrypt-devel


Re: SSSE3 problems on Nehalem?

Jussi Kivilinna-2
Hello,

On 03.01.2017 21:57, Werner Koch wrote:

>
> The selftest should yield these values for rijndael.c:selftest_ctr_128
> around line 487 in _gcry_selftest_helper_ctr (with diff==0):
>
> iv   : 00000800000000000000000000000008
> plain: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f \
>        202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f \
>        404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f \
>        606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f \
>        808182838485868788898a8b8c8d8e8f
> ciphr: eadf062f4bc843fe7662191a78dccd8011bea2ba43937fc63b66ddfaf902eb23 \
>        4585dcf111ea27c00ade03493a89ed6880a4bdc12f3ac0df9493db796266b611 \
>        e51cdbf3bb9be44981c2d4e6b7b34dd326d8676d1dd19949a848ba72343611fa \
>        6f636ddd8db82f0c17ed1bab5bfc1912082c87ff588404305ce8908d32f380c8 \
>        875ee5d348b357227991bf5f5d8f7186
> plain: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f \
>        202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f \
>        404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f \
>        606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f \
>        808182838485868788898a8b8c8d8e8f
>
> All fine.  But on the E5520 I get this back after decryption:
>
> plain: 000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f \
>        e5a9525c2fcb886698104111a6edaeb407f3b66338c43f35621b5e1bc4c33b9b \
>        ad1c9778f4694da7cbe11352030b156d99a857fc80e124250a358009af6b7ef8 \
>        5f6fc100ac3276af2d9670709718b43c96a62959bb48d623d21d1dedf32fcf0f \
>        da6405a4ba56eeb8e05e623acb304391
>
> Thus _gcry_aes_ssse3_ctr_enc fails after one block (128 bits).
The bug is in _gcry_aes_ssse3_ctr_enc: 'ctrlow' is passed to the assembly
block as a read-only register when it should be read/write, as the assembly
block does a 64-bit increment on it. Whatever this ends up breaking depends
on compiler register allocation (thus version & flags).

So, on that machine, the compiler passes 'ctrlow' to a temporary register
before the assembly, the assembly part increments that register, and the
calculation is lost.

I'll push a fix for this soon. Diff for rijndael-ssse3 attached below.

-Jussi

---

diff --git a/cipher/rijndael-ssse3-amd64.c b/cipher/rijndael-ssse3-amd64.c
index a8e89d4..2adb73f 100644
--- a/cipher/rijndael-ssse3-amd64.c
+++ b/cipher/rijndael-ssse3-amd64.c
@@ -387,8 +387,8 @@ _gcry_aes_ssse3_ctr_enc (RIJNDAEL_context *ctx, unsigned char *outbuf,
                     ".Lno_carry%=:\n\t"
 
                     "pshufb %%xmm6, %%xmm7\n\t"
-                    :
-                    : [ctr] "r" (ctr), [ctrlow] "r" (ctrlow)
+                    : [ctrlow] "+r" (ctrlow)
+                    : [ctr] "r" (ctr)
                     : "cc", "memory");
 
       do_vpaes_ssse3_enc (ctx, nrounds, aes_const_ptr);
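Review bot: the constraint change is the correct fix: the asm modifies ctrlow in place (the 64-bit increment with its `.Lno_carry` carry-skip path), so declaring it only as an input with `[ctrlow] "r" (ctrlow)` told the compiler the register still held the old value afterwards, and whenever GCC chose to hand the asm a scratch copy the increment was silently discarded; moving it to the output list as `[ctrlow] "+r" (ctrlow)` makes the operand read/write so the updated value is carried forward. Two small suggestions: add a one-line comment above the statement noting that ctrlow is updated by the asm block, so nobody later moves it back into the input list, and double-check that the C code following the block only ever uses ctrlow through this updated value. The symptom reported upthread, the same gcc 6.2.1 on both machines but -fPIC only on the failing one, matches an allocation-dependent constraint bug rather than anything Nehalem-specific.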



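Two points from this thread, Werner's block dumps in the first mail and Jussi's explanation of the operand constraint above, as one added example that is neither libgcrypt's code nor Jussi's patch: a small C program that (a) shows the in/out `"+r"` constraint on a register that inline asm increments, mirroring the form the patch uses, (b) gives a plain-C reference for the big-endian 128-bit counter increment (low 64 bits plus one, carry into the high 64 bits) that the SSSE3 CTR code performs, and (c) locates the first 16-byte block at which the E5520 plaintext dump diverges from the expected one. The function names, the hex decoder and the fallback path for non-x86-64 targets are my own assumptions; the two hex dumps and the iv are copied from the thread.

```c
/* Added example, not libgcrypt code: the "+r" in/out asm constraint from the
 * patch, a plain-C reference for the big-endian 128-bit CTR increment, and a
 * block-wise diff over the two plaintext dumps from the first mail. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static uint64_t be64_load(const uint8_t *p)
{
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}
static void be64_store(uint8_t *p, uint64_t v)
{
    for (int i = 7; i >= 0; i--) { p[i] = (uint8_t)v; v >>= 8; }
}

/* 64-bit increment in inline asm, with the counter half in a GPR as in the
 * SSSE3 code.  "+r" declares the operand read/write, so GCC must read the
 * incremented value back.  The pre-patch input-only "r" let GCC hand the asm a
 * scratch copy and drop the increment, depending on register allocation. */
uint64_t ctrlow_inc(uint64_t ctrlow)
{
#if defined(__GNUC__) && defined(__x86_64__)
    __asm__ volatile ("incq %[ctrlow]\n\t"
                      : [ctrlow] "+r" (ctrlow)   /* in/out, as in the patch */
                      :
                      : "cc");
#else
    ctrlow++;               /* assumed portable fallback for other targets */
#endif
    return ctrlow;
}

/* Reference increment of a 16-byte big-endian counter block: low 64 bits plus
 * one, carry into the high 64 bits when the low half wraps to zero. */
void ctr_inc_be128(uint8_t ctr[16])
{
    uint64_t hi = be64_load(ctr), lo = ctrlow_inc(be64_load(ctr + 8));
    if (lo == 0)
        hi++;               /* carry path; the asm's .Lno_carry is the other */
    be64_store(ctr, hi);
    be64_store(ctr + 8, lo);
}

size_t hex_decode(const char *hex, uint8_t *out, size_t max)
{
    size_t n = 0;
    unsigned v;
    for (; n < max && sscanf(hex, "%2x", &v) == 1; hex += 2)
        out[n++] = (uint8_t)v;
    return n;
}

/* High (high != 0) or low 64-bit half of iv_hex after n reference increments. */
uint64_t ctr_half_after(const char *iv_hex, int n, int high)
{
    uint8_t ctr[16] = {0};
    hex_decode(iv_hex, ctr, sizeof ctr);
    for (int i = 0; i < n; i++) ctr_inc_be128(ctr);
    return be64_load(high ? ctr : ctr + 8);
}

/* 0-based index of the first 16-byte block where a and b differ, -1 if none. */
int first_bad_block(const uint8_t *a, const uint8_t *b, size_t len)
{
    for (size_t off = 0; off + 16 <= len; off += 16)
        if (memcmp(a + off, b + off, 16) != 0)
            return (int)(off / 16);
    return -1;
}

/* Plaintext after decryption, copied from the first mail: expected vs E5520. */
static const char EXPECTED_HEX[] =
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
    "202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f"
    "404142434445464748494a4b4c4d4e4f505152535455565758595a5b5c5d5e5f"
    "606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f"
    "808182838485868788898a8b8c8d8e8f";
static const char E5520_HEX[] =
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
    "e5a9525c2fcb886698104111a6edaeb407f3b66338c43f35621b5e1bc4c33b9b"
    "ad1c9778f4694da7cbe11352030b156d99a857fc80e124250a358009af6b7ef8"
    "5f6fc100ac3276af2d9670709718b43c96a62959bb48d623d21d1dedf32fcf0f"
    "da6405a4ba56eeb8e05e623acb304391";

int e5520_first_bad_block(void)
{
    uint8_t a[144], b[144];
    hex_decode(EXPECTED_HEX, a, sizeof a);
    hex_decode(E5520_HEX, b, sizeof b);
    return first_bad_block(a, b, sizeof a);
}

int main(void)
{
    printf("first differing block: %d\n", e5520_first_bad_block());
    return 0;
}
```

Build with gcc; on x86-64 the increment goes through the inline asm, on other targets through the C fallback. `ctr_half_after` lets you check the reference counter against the selftest iv (the low half must reach 0x10 after eight blocks, and a low half of all ones must carry into the high half), and `first_bad_block` reports the 0-based index of the first block that differs, i.e. how many leading blocks came out right before the counter handling went wrong.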

Re: SSSE3 problems on Nehalem?

Werner Koch
On Wed,  4 Jan 2017 11:01, [hidden email] said:

> The bug is in _gcry_aes_ssse3_ctr_enc: 'ctrlow' is passed to the assembly
> block as a read-only register when it should be read/write, as the assembly
> block does a 64-bit increment on it. Whatever this ends up breaking depends
> on compiler register allocation (thus version & flags).

Hmmm, we have exactly the same compiler version on both machines:

  gcc (Debian 6.2.1-5) 6.2.1 20161124

but I just noticed that for whatever reason on the Jenkins we use
-fPIC.

> I'll push a fix for this soon. Diff for rijndael-ssse3 attached below.

Thanks.  I can confirm that it works.


Shalom-Salam,

   Werner

--
Thoughts are free.  Exceptions are regulated by a federal law.


Re: SSSE3 problems on Nehalem?

Andreas Metzler-3
In reply to this post by Jussi Kivilinna-2
[repost, gmane -> list swallowed first try]
Jussi Kivilinna <[hidden email]> wrote:
> On 03.01.2017 21:57, Werner Koch wrote:
[...]
>> Thus _gcry_aes_ssse3_ctr_enc fails after one block (128 bits).

> The bug is in _gcry_aes_ssse3_ctr_enc: 'ctrlow' is passed to the assembly
> block as a read-only register when it should be read/write, as the assembly
> block does a 64-bit increment on it. Whatever this ends up breaking depends
> on compiler register allocation (thus version & flags).

> So, on that machine, the compiler passes 'ctrlow' to a temporary register
> before the assembly, the assembly part increments that register, and the
> calculation is lost.

> I'll push a fix for this soon. Diff for rijndael-ssse3 attached below.

Hello,

should I cherrypick this patch for Debian's 1.7 packages?

Is there anything else that should go into soon-to-be-frozen next Debian
release?

Thanks, cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'




Re: SSSE3 problems on Nehalem?

Werner Koch
On Wed, 11 Jan 2017 18:59, [hidden email] said:

> should I cherrypick this patch for Debian's 1.7 packages?

Yes, please.  As an alternative I could do another 1.7 release on
Monday.


Salam-Shalom,

   Werner

--
Thoughts are free.  Exceptions are regulated by a federal law.


Re: SSSE3 problems on Nehalem?

Kristian Fiskerstrand-6
On 01/13/2017 04:58 PM, Werner Koch wrote:
> On Wed, 11 Jan 2017 18:59, [hidden email] said:
>
>> should I cherrypick this patch for Debian's 1.7 packages?
>
> Yes, please.  As an alternative I could do another 1.7 release on
> Monday.
>

I'd support a release so that it reaches other distros as well (then
I'll hold off until the new release in Gentoo as well).


--
----------------------------
Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
----------------------------
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
----------------------------
"History doesn't repeat itself, but it does rhyme."
(Mark Twain)



Re: SSSE3 problems on Nehalem?

Andreas Metzler-3
In reply to this post by Werner Koch
On 2017-01-13 Werner Koch <[hidden email]> wrote:
> On Wed, 11 Jan 2017 18:59, [hidden email] said:
>> should I cherrypick this patch for Debian's 1.7 packages?

> Yes, please.  As an alternative I could do another 1.7 release on
> Monday.

Hello,

I do not mind cherry-picking a single patch that applies without fuzz.

Perhaps you could publish it on LIBGCRYPT-1-7-BRANCH and integrate it in
the next 1.7 release whenever that is needed?

thanks, cu Andreas
--
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'


Re: SSSE3 problems on Nehalem?

Andreas Metzler-3
On 2017-01-13 Andreas Metzler <[hidden email]> wrote:
> On 2017-01-13 Werner Koch <[hidden email]> wrote:
> > On Wed, 11 Jan 2017 18:59, [hidden email] said:
> >> should I cherrypick this patch for Debian's 1.7 packages?

>> Yes, please.  As an alternative I could do another 1.7 release on
>> Monday.

> Hello,

> I do not mind cherry-picking a single patch that applies without fuzz.

[x] Uploaded.
