crypto: arm64 - Drop asm fallback macros for older binutils

Message ID	20250515142702.2592942-2-ardb+git@google.com
State	New
Headers	show Received: from mail-wm1-f73.google.com (mail-wm1-f73.google.com [209.85.128.73]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 9D73A153800 for <linux-crypto@vger.kernel.org>; Thu, 15 May 2025 14:27:18 +0000 (UTC) Date: Thu, 15 May 2025 16:27:03 +0200 Precedence: bulk Mime-Version: 1.0 Message-ID: <20250515142702.2592942-2-ardb+git@google.com> Subject: [PATCH] crypto: arm64 - Drop asm fallback macros for older binutils From: Ard Biesheuvel <ardb+git@google.com> To: linux-crypto@vger.kernel.org Cc: linux-arm-kernel@lists.infradead.org, ebiggers@kernel.org, herbert@gondor.apana.org.au, Ard Biesheuvel <ardb@kernel.org> Content-Type: text/plain; charset="UTF-8"
Series	crypto: arm64 - Drop asm fallback macros for older binutils \| expand crypto: arm64 - Drop asm fallback macros for older binutils

Message ID

20250515142702.2592942-2-ardb+git@google.com

State

New

Headers

Date: Thu, 15 May 2025 16:27:03 +0200
Precedence: bulk
Mime-Version: 1.0
Message-ID: <20250515142702.2592942-2-ardb+git@google.com>
Subject: [PATCH] crypto: arm64 - Drop asm fallback macros for older binutils
From: Ard Biesheuvel <ardb+git@google.com>
To: linux-crypto@vger.kernel.org
Cc: linux-arm-kernel@lists.infradead.org, ebiggers@kernel.org,
	herbert@gondor.apana.org.au, Ard Biesheuvel <ardb@kernel.org>
Content-Type: text/plain; charset="UTF-8"

Series

crypto: arm64 - Drop asm fallback macros for older binutils | expand

Commit Message

Ard Biesheuvel May 15, 2025, 2:27 p.m. UTC

From: Ard Biesheuvel <ardb@kernel.org>

Now that the oldest supported binutils version is 2.30, the asm macros
to implement the various crypto opcodes for SHA-512, SHA-3, SM-3 and
SM-4 are no longer needed. So drop them.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
The binutils version bump is queued up in -next, so I suppose this could
be queued up for the next cycle too.

 arch/arm64/crypto/sha3-ce-core.S    | 24 +------------
 arch/arm64/crypto/sha512-ce-core.S  | 21 +-----------
 arch/arm64/crypto/sm3-ce-core.S     | 36 ++------------------
 arch/arm64/crypto/sm4-ce-ccm-core.S | 10 +-----
 arch/arm64/crypto/sm4-ce-core.S     | 15 +-------
 arch/arm64/crypto/sm4-ce-gcm-core.S | 10 +-----
 6 files changed, 8 insertions(+), 108 deletions(-)

Comments

Eric Biggers May 15, 2025, 6:52 p.m. UTC | #1

On Thu, May 15, 2025 at 04:27:03PM +0200, Ard Biesheuvel wrote:
> diff --git a/arch/arm64/crypto/sha512-ce-core.S b/arch/arm64/crypto/sha512-ce-core.S
> index 91ef68b15fcc..deb2469ab631 100644
> --- a/arch/arm64/crypto/sha512-ce-core.S
> +++ b/arch/arm64/crypto/sha512-ce-core.S
> @@ -12,26 +12,7 @@
>  #include <linux/linkage.h>
>  #include <asm/assembler.h>
>  
> -	.irp		b,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
> -	.set		.Lq\b, \b
> -	.set		.Lv\b\().2d, \b
> -	.endr
> -
> -	.macro		sha512h, rd, rn, rm
> -	.inst		0xce608000 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> -	.endm
> -
> -	.macro		sha512h2, rd, rn, rm
> -	.inst		0xce608400 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> -	.endm
> -
> -	.macro		sha512su0, rd, rn
> -	.inst		0xcec08000 | .L\rd | (.L\rn << 5)
> -	.endm
> -
> -	.macro		sha512su1, rd, rn, rm
> -	.inst		0xce608800 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> -	.endm
> +	.arch	armv8-a+sha3

This looked like a mistake: SHA-512 is part of SHA-2, not SHA-3.  However, the
current versions of binutils and clang do indeed put it under sha3.  There
should be a comment that mentions this unfortunate quirk.

However, there's also the following commit which went into binutils 2.43:

    commit 0aac62aa3256719c37be9e0ce6af8b190f45c928
    Author: Andrew Carlotti <andrew.carlotti@arm.com>
    Date:   Fri Jan 19 13:01:40 2024 +0000

        aarch64: move SHA512 instructions to +sha3

        SHA512 instructions were added to the architecture at the same time as SHA3
        instructions, but later than the SHA1 and SHA256 instructions.  Furthermore,
        implementations must support either both or neither of the SHA512 and SHA3
        instruction sets.  However, SHA512 instructions were originally (and
        incorrectly) added to Binutils under the +sha2 flag.

        This patch moves SHA512 instructions under the +sha3 flag, which matches the
        architecture constraints and existing GCC and LLVM behaviour.

So probably we need ".arch armv8-a+sha2+sha3" to support binutils 2.30 through
2.42, as well as clang and the latest version of binutils?  (I didn't test it
yet, but it seems likely...)

- Eric

diff --git a/arch/arm64/crypto/sha3-ce-core.S b/arch/arm64/crypto/sha3-ce-core.S
index 9c77313f5a60..61623c7ad3a1 100644
--- a/arch/arm64/crypto/sha3-ce-core.S
+++ b/arch/arm64/crypto/sha3-ce-core.S
@@ -12,29 +12,7 @@ 
 #include <linux/linkage.h>
 #include <asm/assembler.h>
 
-	.irp	b,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31
-	.set	.Lv\b\().2d, \b
-	.set	.Lv\b\().16b, \b
-	.endr
-
-	/*
-	 * ARMv8.2 Crypto Extensions instructions
-	 */
-	.macro	eor3, rd, rn, rm, ra
-	.inst	0xce000000 | .L\rd | (.L\rn << 5) | (.L\ra << 10) | (.L\rm << 16)
-	.endm
-
-	.macro	rax1, rd, rn, rm
-	.inst	0xce608c00 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
-	.endm
-
-	.macro	bcax, rd, rn, rm, ra
-	.inst	0xce200000 | .L\rd | (.L\rn << 5) | (.L\ra << 10) | (.L\rm << 16)
-	.endm
-
-	.macro	xar, rd, rn, rm, imm6
-	.inst	0xce800000 | .L\rd | (.L\rn << 5) | ((\imm6) << 10) | (.L\rm << 16)
-	.endm
+	.arch	armv8-a+sha3
 
 	/*
 	 * int sha3_ce_transform(u64 *st, const u8 *data, int blocks, int dg_size)
diff --git a/arch/arm64/crypto/sha512-ce-core.S b/arch/arm64/crypto/sha512-ce-core.S
index 91ef68b15fcc..deb2469ab631 100644
--- a/arch/arm64/crypto/sha512-ce-core.S
+++ b/arch/arm64/crypto/sha512-ce-core.S
@@ -12,26 +12,7 @@ 
 #include <linux/linkage.h>
 #include <asm/assembler.h>
 
-	.irp		b,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
-	.set		.Lq\b, \b
-	.set		.Lv\b\().2d, \b
-	.endr
-
-	.macro		sha512h, rd, rn, rm
-	.inst		0xce608000 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
-	.endm
-
-	.macro		sha512h2, rd, rn, rm
-	.inst		0xce608400 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
-	.endm
-
-	.macro		sha512su0, rd, rn
-	.inst		0xcec08000 | .L\rd | (.L\rn << 5)
-	.endm
-
-	.macro		sha512su1, rd, rn, rm
-	.inst		0xce608800 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
-	.endm
+	.arch	armv8-a+sha3
 
 	/*
 	 * The SHA-512 round constants
diff --git a/arch/arm64/crypto/sm3-ce-core.S b/arch/arm64/crypto/sm3-ce-core.S
index ca70cfacd0d0..94a97ca367f0 100644
--- a/arch/arm64/crypto/sm3-ce-core.S
+++ b/arch/arm64/crypto/sm3-ce-core.S
@@ -9,44 +9,14 @@ 
 #include <linux/cfi_types.h>
 #include <asm/assembler.h>
 
-	.irp		b, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
-	.set		.Lv\b\().4s, \b
-	.endr
-
-	.macro		sm3partw1, rd, rn, rm
-	.inst		0xce60c000 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
-	.endm
-
-	.macro		sm3partw2, rd, rn, rm
-	.inst		0xce60c400 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
-	.endm
-
-	.macro		sm3ss1, rd, rn, rm, ra
-	.inst		0xce400000 | .L\rd | (.L\rn << 5) | (.L\ra << 10) | (.L\rm << 16)
-	.endm
-
-	.macro		sm3tt1a, rd, rn, rm, imm2
-	.inst		0xce408000 | .L\rd | (.L\rn << 5) | ((\imm2) << 12) | (.L\rm << 16)
-	.endm
-
-	.macro		sm3tt1b, rd, rn, rm, imm2
-	.inst		0xce408400 | .L\rd | (.L\rn << 5) | ((\imm2) << 12) | (.L\rm << 16)
-	.endm
-
-	.macro		sm3tt2a, rd, rn, rm, imm2
-	.inst		0xce408800 | .L\rd | (.L\rn << 5) | ((\imm2) << 12) | (.L\rm << 16)
-	.endm
-
-	.macro		sm3tt2b, rd, rn, rm, imm2
-	.inst		0xce408c00 | .L\rd | (.L\rn << 5) | ((\imm2) << 12) | (.L\rm << 16)
-	.endm
+	.arch		armv8-a+sm4
 
 	.macro		round, ab, s0, t0, t1, i
 	sm3ss1		v5.4s, v8.4s, \t0\().4s, v9.4s
 	shl		\t1\().4s, \t0\().4s, #1
 	sri		\t1\().4s, \t0\().4s, #31
-	sm3tt1\ab	v8.4s, v5.4s, v10.4s, \i
-	sm3tt2\ab	v9.4s, v5.4s, \s0\().4s, \i
+	sm3tt1\ab	v8.4s, v5.4s, v10.s[\i]
+	sm3tt2\ab	v9.4s, v5.4s, \s0\().s[\i]
 	.endm
 
 	.macro		qround, ab, s0, s1, s2, s3, s4
diff --git a/arch/arm64/crypto/sm4-ce-ccm-core.S b/arch/arm64/crypto/sm4-ce-ccm-core.S
index fa85856f33ce..b658cf2577d1 100644
--- a/arch/arm64/crypto/sm4-ce-ccm-core.S
+++ b/arch/arm64/crypto/sm4-ce-ccm-core.S
@@ -12,15 +12,7 @@ 
 #include <asm/assembler.h>
 #include "sm4-ce-asm.h"
 
-.arch	armv8-a+crypto
-
-.irp b, 0, 1, 8, 9, 10, 11, 12, 13, 14, 15, 16, 24, 25, 26, 27, 28, 29, 30, 31
-	.set .Lv\b\().4s, \b
-.endr
-
-.macro sm4e, vd, vn
-	.inst 0xcec08400 | (.L\vn << 5) | .L\vd
-.endm
+.arch	armv8-a+sm4
 
 /* Register macros */
 
diff --git a/arch/arm64/crypto/sm4-ce-core.S b/arch/arm64/crypto/sm4-ce-core.S
index 1f3625c2c67e..dd4e86b0a526 100644
--- a/arch/arm64/crypto/sm4-ce-core.S
+++ b/arch/arm64/crypto/sm4-ce-core.S
@@ -12,20 +12,7 @@ 
 #include <asm/assembler.h>
 #include "sm4-ce-asm.h"
 
-.arch	armv8-a+crypto
-
-.irp b, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, \
-		20, 24, 25, 26, 27, 28, 29, 30, 31
-	.set .Lv\b\().4s, \b
-.endr
-
-.macro sm4e, vd, vn
-	.inst 0xcec08400 | (.L\vn << 5) | .L\vd
-.endm
-
-.macro sm4ekey, vd, vn, vm
-	.inst 0xce60c800 | (.L\vm << 16) | (.L\vn << 5) | .L\vd
-.endm
+.arch	armv8-a+sm4
 
 /* Register macros */
 
diff --git a/arch/arm64/crypto/sm4-ce-gcm-core.S b/arch/arm64/crypto/sm4-ce-gcm-core.S
index 347f25d75727..92d26d8a9254 100644
--- a/arch/arm64/crypto/sm4-ce-gcm-core.S
+++ b/arch/arm64/crypto/sm4-ce-gcm-core.S
@@ -13,15 +13,7 @@ 
 #include <asm/assembler.h>
 #include "sm4-ce-asm.h"
 
-.arch	armv8-a+crypto
-
-.irp b, 0, 1, 2, 3, 24, 25, 26, 27, 28, 29, 30, 31
-	.set .Lv\b\().4s, \b
-.endr
-
-.macro sm4e, vd, vn
-	.inst 0xcec08400 | (.L\vn << 5) | .L\vd
-.endm
+	.arch		armv8-a+sm4+aes
 
 /* Register macros */

crypto: arm64 - Drop asm fallback macros for older binutils

Commit Message

Comments

Patch