Improve bignum speed on ARM with DSP instructions

[aurel32]

Description

These two patches improve the bignum code (used in particular for RSA computation) on ARM CPU which have the DSP extension, that is the ARMv7E-M like the Cortex M4 and Cortex M7, or the ARMv7-A, like the Cortex A series. It has been originally developed for a Cortex M4 application, but I have done all the tests on a Cortex A8.

Status

READY

Requires Backporting

NO (enhancement)

Migrations

If there is any API change, what's the incentive and logic for it.

NO (this is just a different code path on supported CPU)

[RonEld]

@aurel32 Thank you for your contribution!

Out of curiosity, do you have information on the performance improvements this PR adds?

n addition, unfortunately our policy is to not accept contributions, without a Contributor’s Licence Agreement (CLA) signed or authorised by yourself or your employer.
If this is a personal contribution, the easiest way to do this is if you create an mbed account and accept this click through agreement. Alternatively, you can find a slightly different agreement to sign here, which can be signed and returned to us, and is applicable if you don't want to create an mbed account or alternatively if this is a corporate contribution.
Thanks for your understanding and again, thanks for the contribution!

[aurel32]

Out of curiosity, do you have information on the performance improvements this PR adds?

The speed-up are given in the description of each individual commit, this gives a total of +27% for the whole PR, but on a very specific case (RSA signing operation). I have tried to use the testsuite, and most notably test_suite_rsa, but I have found there is too much variability from one run to another (up to a factor 3). Any suggestion to test the performances is welcome.

In addition, unfortunately our policy is to not accept contributions, without a Contributor’s Licence Agreement (CLA) signed or authorised by yourself or your employer.

I have accepted the CLA on os.mbed.com just before sending this pull request.

[RonEld]

@aurel32 Thank you for your information, and for signing the CLA!
Have you tried ECC operations as well?

[aurel32]

Sorry about the delay. I took time to rework the patches and to setup a test environment testing ECC signing, RSA signing, RSA encryption and RSA decryption on a Cortex M4 (my original target), a Cortex M7 and a Cortex A8. I have just pushed the new version.

I removed the second patch defining MULADDC_HUIT, as I realized it was giving a small performance penalty for ECC signing. Instead I reworked the ASM constraints and value passing to remove even more instructions.

@RonEld, the ECC signing test shows a small improvement compared to the RSA one. I have included the performance results in the commit message.

The improvements are much higher on the Cortex M than on the Cortex A, likely because there are less memory access penalty. This is especially true on the Cortex M7 as I put the mbedtls heap in TCM memory.

[aurel32]

Any news on that? Do you need me to provide more details?

[Patater]

The assembly changes look good to me. I had one question about the pre-processor define used.

[yanesca]

Looks good to me!

[aurel32]

@Patater, @yanesca, thanks for the review. I have just pushed a new version fixing the check for ARM DSP support as pointed by @Patater.

[Patater]

retest

[aurel32]

I have seen that both the mbed TLS build & test and the mbed-ci-generic have failed. Unfortunately I am not able to get the details. Would it be possible to get them, so that I can try to provide a fix to the issues found?

[RonEld]

The mbed TLS build & test failed on a timing test, which is a known issue in the test.
I will run the tests again

[RonEld]

retest

[simonbutcher]

retest

[simonbutcher]

retest

[simonbutcher]

Jenkins passes, approved by @Patater, so ready for merge!

[simonbutcher]

Needs Changelog entry to be added at time of merge.

[zv-io]

After these changes I am having difficulty building it with -mcpu=arm10e on the following targets:

• arm-linux-musleabihf
• armeb-linux-musleabihf
• armel-linux-musleabihf
• armv5l-linux-musleabihf
• armv7l-linux-musleabihf
• armv7r-linux-musleabihf

which are all -mcpu=arm10e -mfloat-abi=hard -mtls-dialect=gnu -marm -march=armv5te+fp

whereas these do work:

• arm-linux-musleabi
• armeb-linux-musleabi
• armel-linux-musleabi
• armv7m-linux-musleabi

which are all -mcpu=arm10tdmi -mtls-dialect=gnu -marm -march=armv5t.

In particular, -mcpu=arm10tdmi conflicts with -march=armv5te switch and this processor (-mcpu=arm10tdmi) lacks an FPU, so hard-float configurations are seemingly impossible to use now?

The specific error is:

Error: selected processor does not support `umaal r1,ip,r3,r0' in ARM mode

Some reference materials [PDF]: https://www.digchip.com/datasheets/download_datasheet.php?id=154499&part-number=ARM10200

[aurel32]

Hi @zv-io, sorry for breaking the build on those targets. The intention of the new code was to optimize the muladd macro with DSP instructions when they are available, and leave the old code unchanged when they are not available. I guarded the code with __ARM_FEATURE_DSP, but it happens it's not enough. In your case the ARMv5TE has DSP instructions (that's the meaning of the E), but only in Thumb mode and not in ARM mode. So the issue arise when both -marm and -march=armv5te are used together. The DSP instructions are available in both ARM and Thumb mode in ARMv6 and ARMv7.

I believe it's enough to just disable the use of DSP instructions on ARMv5. I guess the following patch should be enough:

diff --git a/include/mbedtls/bn_mul.h b/include/mbedtls/bn_mul.h
index 0af694c7c..85d1e7172 100644
--- a/include/mbedtls/bn_mul.h
+++ b/include/mbedtls/bn_mul.h
@@ -636,7 +636,7 @@
            "r6", "r7", "r8", "r9", "cc"         \
          );
 
-#elif defined (__ARM_FEATURE_DSP) && (__ARM_FEATURE_DSP == 1)
+#elif (__ARM_ARCH >= 6) && defined (__ARM_FEATURE_DSP) && (__ARM_FEATURE_DSP == 1)
 
 #define MULADDC_INIT                            \
     asm(

Can you please give it a try? If it works, I'll open a pull request.

[zv-io]

That looks OK. These are from the arm-linux-musleabihf toolchain. I have not yet tested the remaining hard-float ones above but suspect they'll also work.

#define __ARM_ARCH_ISA_ARM 1
#define __ARM_ARCH_5TE__ 1
#define __ARM_ARCH_ISA_THUMB 1
#define __ARM_ARCH 5
...
#define __ARM_FEATURE_QBIT 1
#define __ARM_FEATURE_CLZ 1
#define __ARM_FEATURE_COPROC 7
#define __ARM_FEATURE_DSP 1

With the patch it builds. I'm not too familiar with all of the intricacies/features of ARM processors (specifically w.r.t. what is compatible and not), so I'd definitely recommend making sure you (and ideally others) review whether that patch is sufficient to prevent any regression from targets that may work but haven't been tested.