* [PATCH] lib/crypto: arm64/sha512-ce: Drop compatibility macros for older binutils @ 2025-07-18 22:07 Eric Biggers 2025-07-21 3:31 ` Ard Biesheuvel 0 siblings, 1 reply; 4+ messages in thread From: Eric Biggers @ 2025-07-18 22:07 UTC (permalink / raw) To: linux-crypto Cc: linux-arm-kernel, linux-kernel, Ard Biesheuvel, Jason A . Donenfeld, Eric Biggers Now that the oldest supported binutils version is 2.30, the macros that emit the SHA-512 instructions as '.inst' words are no longer needed. So drop them. No change in the generated machine code. Changed from the original patch by Ard Biesheuvel: (https://lore.kernel.org/r/20250515142702.2592942-2-ardb+git@google.com): - Reduced scope to just SHA-512 - Added comment that explains why "sha3" is used instead of "sha2" Signed-off-by: Eric Biggers <ebiggers@kernel.org> --- This patch is targeting libcrypto-next lib/crypto/arm64/sha512-ce-core.S | 27 +++++++-------------------- 1 file changed, 7 insertions(+), 20 deletions(-) diff --git a/lib/crypto/arm64/sha512-ce-core.S b/lib/crypto/arm64/sha512-ce-core.S index 7d870a435ea38..eaa485244af52 100644 --- a/lib/crypto/arm64/sha512-ce-core.S +++ b/lib/crypto/arm64/sha512-ce-core.S @@ -10,30 +10,17 @@ */ #include <linux/linkage.h> #include <asm/assembler.h> - .irp b,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 - .set .Lq\b, \b - .set .Lv\b\().2d, \b - .endr - - .macro sha512h, rd, rn, rm - .inst 0xce608000 | .L\rd | (.L\rn << 5) | (.L\rm << 16) - .endm - - .macro sha512h2, rd, rn, rm - .inst 0xce608400 | .L\rd | (.L\rn << 5) | (.L\rm << 16) - .endm - - .macro sha512su0, rd, rn - .inst 0xcec08000 | .L\rd | (.L\rn << 5) - .endm - - .macro sha512su1, rd, rn, rm - .inst 0xce608800 | .L\rd | (.L\rn << 5) | (.L\rm << 16) - .endm + /* + * While SHA-512 is part of the SHA-2 family of algorithms, the + * corresponding arm64 instructions are actually part of the "sha3" CPU + * feature. (Except in binutils 2.30 through 2.42, which used "sha2". + * But "sha3" implies "sha2", so "sha3" still works in those versions.) + */ + .arch armv8-a+sha3 /* * The SHA-512 round constants */ .section ".rodata", "a" base-commit: 66be847cc4c2e82fb50190b52b05b3bb0ef57999 -- 2.50.1 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] lib/crypto: arm64/sha512-ce: Drop compatibility macros for older binutils 2025-07-18 22:07 [PATCH] lib/crypto: arm64/sha512-ce: Drop compatibility macros for older binutils Eric Biggers @ 2025-07-21 3:31 ` Ard Biesheuvel 2025-07-21 4:17 ` Eric Biggers 0 siblings, 1 reply; 4+ messages in thread From: Ard Biesheuvel @ 2025-07-21 3:31 UTC (permalink / raw) To: Eric Biggers Cc: linux-crypto, linux-arm-kernel, linux-kernel, Jason A . Donenfeld On Sat, 19 Jul 2025 at 08:07, Eric Biggers <ebiggers@kernel.org> wrote: > > Now that the oldest supported binutils version is 2.30, the macros that > emit the SHA-512 instructions as '.inst' words are no longer needed. So > drop them. No change in the generated machine code. > > Changed from the original patch by Ard Biesheuvel: > (https://lore.kernel.org/r/20250515142702.2592942-2-ardb+git@google.com): > - Reduced scope to just SHA-512 > - Added comment that explains why "sha3" is used instead of "sha2" > > Signed-off-by: Eric Biggers <ebiggers@kernel.org> Acked-by: Ard Biesheuvel <ardb@kernel.org> Nit below > --- > > This patch is targeting libcrypto-next > > lib/crypto/arm64/sha512-ce-core.S | 27 +++++++-------------------- > 1 file changed, 7 insertions(+), 20 deletions(-) > > diff --git a/lib/crypto/arm64/sha512-ce-core.S b/lib/crypto/arm64/sha512-ce-core.S > index 7d870a435ea38..eaa485244af52 100644 > --- a/lib/crypto/arm64/sha512-ce-core.S > +++ b/lib/crypto/arm64/sha512-ce-core.S > @@ -10,30 +10,17 @@ > */ > > #include <linux/linkage.h> > #include <asm/assembler.h> > > - .irp b,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 > - .set .Lq\b, \b > - .set .Lv\b\().2d, \b > - .endr > - > - .macro sha512h, rd, rn, rm > - .inst 0xce608000 | .L\rd | (.L\rn << 5) | (.L\rm << 16) > - .endm > - > - .macro sha512h2, rd, rn, rm > - .inst 0xce608400 | .L\rd | (.L\rn << 5) | (.L\rm << 16) > - .endm > - > - .macro sha512su0, rd, rn > - .inst 0xcec08000 | .L\rd | (.L\rn << 5) > - .endm > - > - .macro sha512su1, rd, rn, rm > - .inst 0xce608800 | .L\rd | (.L\rn << 5) | (.L\rm << 16) > - .endm > + /* > + * While SHA-512 is part of the SHA-2 family of algorithms, the > + * corresponding arm64 instructions are actually part of the "sha3" CPU > + * feature. (Except in binutils 2.30 through 2.42, which used "sha2". Nit: the ARM ARM describes these features as FEAT_SHA256, FEAT_SHA512 and FEAT_SHA3, and the latter two happen to have appeared in the same architecture revision. So this is likely just the GCC/binutils devs getting confused, and assuming a) that SHA-3 implies SHA-2 (which is silly if you know the difference) and b) SHA512 has anything to do with SHA-3. > + * But "sha3" implies "sha2", so "sha3" still works in those versions.) > + */ > + .arch armv8-a+sha3 > > /* > * The SHA-512 round constants > */ > .section ".rodata", "a" > > base-commit: 66be847cc4c2e82fb50190b52b05b3bb0ef57999 > -- > 2.50.1 > ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] lib/crypto: arm64/sha512-ce: Drop compatibility macros for older binutils 2025-07-21 3:31 ` Ard Biesheuvel @ 2025-07-21 4:17 ` Eric Biggers 2025-07-21 4:27 ` Ard Biesheuvel 0 siblings, 1 reply; 4+ messages in thread From: Eric Biggers @ 2025-07-21 4:17 UTC (permalink / raw) To: Ard Biesheuvel Cc: linux-crypto, linux-arm-kernel, linux-kernel, Jason A . Donenfeld On Mon, Jul 21, 2025 at 01:31:47PM +1000, Ard Biesheuvel wrote: > On Sat, 19 Jul 2025 at 08:07, Eric Biggers <ebiggers@kernel.org> wrote: > > > > Now that the oldest supported binutils version is 2.30, the macros that > > emit the SHA-512 instructions as '.inst' words are no longer needed. So > > drop them. No change in the generated machine code. > > > > Changed from the original patch by Ard Biesheuvel: > > (https://lore.kernel.org/r/20250515142702.2592942-2-ardb+git@google.com): > > - Reduced scope to just SHA-512 > > - Added comment that explains why "sha3" is used instead of "sha2" > > > > Signed-off-by: Eric Biggers <ebiggers@kernel.org> > > Acked-by: Ard Biesheuvel <ardb@kernel.org> > > Nit below > > > --- > > > > This patch is targeting libcrypto-next > > > > lib/crypto/arm64/sha512-ce-core.S | 27 +++++++-------------------- > > 1 file changed, 7 insertions(+), 20 deletions(-) > > > > diff --git a/lib/crypto/arm64/sha512-ce-core.S b/lib/crypto/arm64/sha512-ce-core.S > > index 7d870a435ea38..eaa485244af52 100644 > > --- a/lib/crypto/arm64/sha512-ce-core.S > > +++ b/lib/crypto/arm64/sha512-ce-core.S > > @@ -10,30 +10,17 @@ > > */ > > > > #include <linux/linkage.h> > > #include <asm/assembler.h> > > > > - .irp b,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 > > - .set .Lq\b, \b > > - .set .Lv\b\().2d, \b > > - .endr > > - > > - .macro sha512h, rd, rn, rm > > - .inst 0xce608000 | .L\rd | (.L\rn << 5) | (.L\rm << 16) > > - .endm > > - > > - .macro sha512h2, rd, rn, rm > > - .inst 0xce608400 | .L\rd | (.L\rn << 5) | (.L\rm << 16) > > - .endm > > - > > - .macro sha512su0, rd, rn > > - .inst 0xcec08000 | .L\rd | (.L\rn << 5) > > - .endm > > - > > - .macro sha512su1, rd, rn, rm > > - .inst 0xce608800 | .L\rd | (.L\rn << 5) | (.L\rm << 16) > > - .endm > > + /* > > + * While SHA-512 is part of the SHA-2 family of algorithms, the > > + * corresponding arm64 instructions are actually part of the "sha3" CPU > > + * feature. (Except in binutils 2.30 through 2.42, which used "sha2". > > Nit: the ARM ARM describes these features as FEAT_SHA256, FEAT_SHA512 > and FEAT_SHA3, and the latter two happen to have appeared in the same > architecture revision. So this is likely just the GCC/binutils devs > getting confused, and assuming a) that SHA-3 implies SHA-2 (which is > silly if you know the difference) and b) SHA512 has anything to do > with SHA-3. How does the following look? /* * We have to specify the "sha3" feature here, since the GNU and clang * assemblers both consider the SHA-512 instructions to be part of the * "sha3" feature. (Except binutils 2.30 through 2.42, which used * "sha2". But "sha3" implies "sha2", so "sha3" still works in those * versions.) "sha3" doesn't make a lot of sense, since SHA-512 is part * of the SHA-2 family of algorithms, and also the Arm Architecture * Reference Manual defines FEAT_SHA512 and FEAT_SHA3 separately. * Regardless, we must use "sha3" to be compatible with the assemblers. */ By the way, the ARM ARM does actually have the following: If FEAT_SHA256 is implemented, then FEAT_SHA1 is implemented. If FEAT_SHA512 is implemented, then FEAT_SHA256 and FEAT_SHA1 are implemented. If FEAT_SHA3 is implemented, then FEAT_SHA256 and FEAT_SHA1 are implemented. So some of the SHAs do imply other ones. But notably absent is FEAT_SHA3 implying FEAT_SHA512... - Eric ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] lib/crypto: arm64/sha512-ce: Drop compatibility macros for older binutils 2025-07-21 4:17 ` Eric Biggers @ 2025-07-21 4:27 ` Ard Biesheuvel 0 siblings, 0 replies; 4+ messages in thread From: Ard Biesheuvel @ 2025-07-21 4:27 UTC (permalink / raw) To: Eric Biggers Cc: linux-crypto, linux-arm-kernel, linux-kernel, Jason A . Donenfeld On Mon, 21 Jul 2025 at 14:18, Eric Biggers <ebiggers@kernel.org> wrote: > > On Mon, Jul 21, 2025 at 01:31:47PM +1000, Ard Biesheuvel wrote: > > On Sat, 19 Jul 2025 at 08:07, Eric Biggers <ebiggers@kernel.org> wrote: > > > > > > Now that the oldest supported binutils version is 2.30, the macros that > > > emit the SHA-512 instructions as '.inst' words are no longer needed. So > > > drop them. No change in the generated machine code. > > > > > > Changed from the original patch by Ard Biesheuvel: > > > (https://lore.kernel.org/r/20250515142702.2592942-2-ardb+git@google.com): > > > - Reduced scope to just SHA-512 > > > - Added comment that explains why "sha3" is used instead of "sha2" > > > > > > Signed-off-by: Eric Biggers <ebiggers@kernel.org> > > > > Acked-by: Ard Biesheuvel <ardb@kernel.org> > > > > Nit below > > > > > --- > > > > > > This patch is targeting libcrypto-next > > > > > > lib/crypto/arm64/sha512-ce-core.S | 27 +++++++-------------------- > > > 1 file changed, 7 insertions(+), 20 deletions(-) > > > > > > diff --git a/lib/crypto/arm64/sha512-ce-core.S b/lib/crypto/arm64/sha512-ce-core.S > > > index 7d870a435ea38..eaa485244af52 100644 > > > --- a/lib/crypto/arm64/sha512-ce-core.S > > > +++ b/lib/crypto/arm64/sha512-ce-core.S > > > @@ -10,30 +10,17 @@ > > > */ > > > > > > #include <linux/linkage.h> > > > #include <asm/assembler.h> > > > > > > - .irp b,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19 > > > - .set .Lq\b, \b > > > - .set .Lv\b\().2d, \b > > > - .endr > > > - > > > - .macro sha512h, rd, rn, rm > > > - .inst 0xce608000 | .L\rd | (.L\rn << 5) | (.L\rm << 16) > > > - .endm > > > - > > > - .macro sha512h2, rd, rn, rm > > > - .inst 0xce608400 | .L\rd | (.L\rn << 5) | (.L\rm << 16) > > > - .endm > > > - > > > - .macro sha512su0, rd, rn > > > - .inst 0xcec08000 | .L\rd | (.L\rn << 5) > > > - .endm > > > - > > > - .macro sha512su1, rd, rn, rm > > > - .inst 0xce608800 | .L\rd | (.L\rn << 5) | (.L\rm << 16) > > > - .endm > > > + /* > > > + * While SHA-512 is part of the SHA-2 family of algorithms, the > > > + * corresponding arm64 instructions are actually part of the "sha3" CPU > > > + * feature. (Except in binutils 2.30 through 2.42, which used "sha2". > > > > Nit: the ARM ARM describes these features as FEAT_SHA256, FEAT_SHA512 > > and FEAT_SHA3, and the latter two happen to have appeared in the same > > architecture revision. So this is likely just the GCC/binutils devs > > getting confused, and assuming a) that SHA-3 implies SHA-2 (which is > > silly if you know the difference) and b) SHA512 has anything to do > > with SHA-3. > > How does the following look? > > /* > * We have to specify the "sha3" feature here, since the GNU and clang > * assemblers both consider the SHA-512 instructions to be part of the > * "sha3" feature. (Except binutils 2.30 through 2.42, which used > * "sha2". But "sha3" implies "sha2", so "sha3" still works in those > * versions.) "sha3" doesn't make a lot of sense, since SHA-512 is part > * of the SHA-2 family of algorithms, and also the Arm Architecture > * Reference Manual defines FEAT_SHA512 and FEAT_SHA3 separately. > * Regardless, we must use "sha3" to be compatible with the assemblers. > */ > LGTM > By the way, the ARM ARM does actually have the following: > > If FEAT_SHA256 is implemented, then FEAT_SHA1 is implemented. > If FEAT_SHA512 is implemented, then FEAT_SHA256 and FEAT_SHA1 are implemented. > If FEAT_SHA3 is implemented, then FEAT_SHA256 and FEAT_SHA1 are implemented. > > So some of the SHAs do imply other ones. But notably absent is > FEAT_SHA3 implying FEAT_SHA512... Yeah, and such policies usually evaporate into thin air as soon as Apple decides to implement something different, so they tend to be rather meaningless. (E.g, FEAT_SME used to imply FEAT_SVE but it no longer does) ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2025-07-21 4:30 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2025-07-18 22:07 [PATCH] lib/crypto: arm64/sha512-ce: Drop compatibility macros for older binutils Eric Biggers 2025-07-21 3:31 ` Ard Biesheuvel 2025-07-21 4:17 ` Eric Biggers 2025-07-21 4:27 ` Ard Biesheuvel
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.