On Tue, 30 May 2023 at 18:45, Peter Maydell <[email protected]> wrote:
>
> On Tue, 30 May 2023 at 14:52, Ard Biesheuvel <[email protected]> wrote:
> >
> > ARM intrinsics for AES deviate from the x86 ones in the way they cover
> > the different stages of each round, and so mapping one to the other is
> > not entirely straightforward. However, with a bit of care, we can still
> > use the x86 ones to emulate the ARM ones, which makes them constant time
> > (which is an important property in crypto) and substantially more
> > efficient.
>
> Do you have examples of workloads and speedups obtained,
> by the way?
>
I don't have any actual numbers to share, unfortunately. I implemented this when I was experimenting with TPM-based measured boot and disk encryption in the guest. I'd say that running an OS under emulation that uses disk encryption would be the most relevant use case here. Accelerated AES is typically at least an order of magnitude faster than a table-based C implementation, and does not stress the D-cache as much (the tables involved are not tiny).
