From: Eric Biggers <ebiggers@kernel.org>
To: Ard Biesheuvel <ardb+git@google.com>
Cc: linux-crypto@vger.kernel.org,
	linux-arm-kernel@lists.infradead.org,
	herbert@gondor.apana.org.au, Ard Biesheuvel <ardb@kernel.org>
Subject: Re: [PATCH] crypto: arm64 - Drop asm fallback macros for older binutils
Date: Fri, 18 Jul 2025 15:16:45 -0700
Message-ID: <20250718221645.GA295346@quark>
In-Reply-To: <20250515185254.GE1411@quark>

On Thu, May 15, 2025 at 11:52:54AM -0700, Eric Biggers wrote:
> On Thu, May 15, 2025 at 04:27:03PM +0200, Ard Biesheuvel wrote:
> > diff --git a/arch/arm64/crypto/sha512-ce-core.S b/arch/arm64/crypto/sha512-ce-core.S
> > index 91ef68b15fcc..deb2469ab631 100644
> > --- a/arch/arm64/crypto/sha512-ce-core.S
> > +++ b/arch/arm64/crypto/sha512-ce-core.S
> > @@ -12,26 +12,7 @@
> >  #include <linux/linkage.h>
> >  #include <asm/assembler.h>
> >  
> > -	.irp		b,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
> > -	.set		.Lq\b, \b
> > -	.set		.Lv\b\().2d, \b
> > -	.endr
> > -
> > -	.macro		sha512h, rd, rn, rm
> > -	.inst		0xce608000 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> > -	.endm
> > -
> > -	.macro		sha512h2, rd, rn, rm
> > -	.inst		0xce608400 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> > -	.endm
> > -
> > -	.macro		sha512su0, rd, rn
> > -	.inst		0xcec08000 | .L\rd | (.L\rn << 5)
> > -	.endm
> > -
> > -	.macro		sha512su1, rd, rn, rm
> > -	.inst		0xce608800 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> > -	.endm
> > +	.arch	armv8-a+sha3
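
Review bot: the added `.arch armv8-a+sha3` line needs a comment, because this file implements SHA-512 and a reader will expect a sha2 feature name at that spot. State next to the directive that the assembler accepts the sha512h, sha512h2, sha512su0 and sha512su1 mnemonics under the sha3 extension name. With the `.inst` macros removed, the file only assembles on a toolchain that knows these mnemonics, so the commit message should also name the minimum binutils and clang versions the change relies on.
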
> 
> This looked like a mistake: SHA-512 is part of SHA-2, not SHA-3.  However, the
> current versions of binutils and clang do indeed put it under sha3.  There
> should be a comment that mentions this unfortunate quirk.
> 
> However, there's also the following commit which went into binutils 2.43:
> 
>     commit 0aac62aa3256719c37be9e0ce6af8b190f45c928
>     Author: Andrew Carlotti <andrew.carlotti@arm.com>
>     Date:   Fri Jan 19 13:01:40 2024 +0000
> 
>         aarch64: move SHA512 instructions to +sha3
> 
>         SHA512 instructions were added to the architecture at the same time as SHA3
>         instructions, but later than the SHA1 and SHA256 instructions.  Furthermore,
>         implementations must support either both or neither of the SHA512 and SHA3
>         instruction sets.  However, SHA512 instructions were originally (and
>         incorrectly) added to Binutils under the +sha2 flag.
> 
>         This patch moves SHA512 instructions under the +sha3 flag, which matches the
>         architecture constraints and existing GCC and LLVM behaviour.
> 
> So probably we need ".arch armv8-a+sha2+sha3" to support binutils 2.30 through
> 2.42, as well as clang and the latest version of binutils?  (I didn't test it
> yet, but it seems likely...)

Actually "sha2" isn't required here, since "sha3" implies "sha2".

The kernel test robot did report a build error on this series.  But it
was with SHA-3, because in binutils 2.40 and earlier the SHA-3
instructions required both "sha3" and "armv8.2-a", not just "sha3" like
they do in clang and in binutils 2.41 and later.

For now, I split the SHA-512 part into a separate patch
https://lore.kernel.org/r/20250718220706.475240-1-ebiggers@kernel.org

- Eric

