From: Harald Freudenberger <freude@linux.ibm.com>
To: Eric Biggers <ebiggers@kernel.org>
Cc: linux-crypto@vger.kernel.org, David Howells <dhowells@redhat.com>,
	Ard Biesheuvel <ardb@kernel.org>,
	"Jason A . Donenfeld" <Jason@zx2c4.com>,
	Holger Dengler <dengler@linux.ibm.com>,
	Herbert Xu <herbert@gondor.apana.org.au>,
	linux-arm-kernel@lists.infradead.org, linux-s390@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2 00/15] SHA-3 library
Date: Wed, 29 Oct 2025 10:30:40 +0100
Message-ID: <ba3ff3d5183ab78b3d02d8db30223def@linux.ibm.com>
In-Reply-To: <20251026055032.1413733-1-ebiggers@kernel.org>

On 2025-10-26 06:50, Eric Biggers wrote:
> This series is targeting libcrypto-next.  It can also be retrieved from:
> 
>     git fetch https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git sha3-lib-v2
> 
> This series adds SHA-3 support to lib/crypto/.  This includes support
> for the digest algorithms SHA3-224, SHA3-256, SHA3-384, and SHA3-512,
> and also support for the extendable-output functions SHAKE128 and
> SHAKE256.  The SHAKE128 and SHAKE256 support will be needed by ML-DSA.
> 
> The architecture-optimized SHA-3 code for arm64 and s390 is migrated
> into lib/crypto/.  (The existing s390 code couldn't really be reused, so
> really I rewrote it from scratch.)  This makes the SHA-3 library
> functions be accelerated on these architectures.
> 
> Finally, the sha3-224, sha3-256, sha3-384, and sha3-512 crypto_shash
> algorithms are reimplemented on top of the library API.
> 
> If the s390 folks could re-test the s390 optimized SHA-3 code (by
> enabling CRYPTO_LIB_SHA3_KUNIT_TEST and CRYPTO_LIB_BENCHMARK), that
> would be helpful.  QEMU doesn't support the instructions it uses.  Also,
> it would be helpful to provide the benchmark output from just before
> "lib/crypto: s390/sha3: Add optimized Keccak function", just after it,
> and after "lib/crypto: s390/sha3: Add optimized one-shot SHA-3 digest
> functions".  Then we can verify that each change is useful.
> 
> Changed in v2:
>   - Added missing selection of CRYPTO_LIB_SHA3 from CRYPTO_SHA3.
>   - Fixed a bug where incorrect SHAKE output was produced if a
>     zero-length squeeze was followed by a nonzero-length squeeze.
>   - Improved the SHAKE tests.
>   - Utilized the one-shot SHA-3 digest instructions on s390.
>   - Split the s390 changes into several patches.
>   - Folded some of my patches into David's.
>   - Dropped some unnecessary changes from the first 2 patches.
>   - Lots more cleanups, mainly to "lib/crypto: sha3: Add SHA-3 support".
> 
> Changed in v1 (vs. first 5 patches of David's v6 patchset):
>   - Migrated the arm64 and s390 code into lib/crypto/
>   - Simplified the library API
>   - Added FIPS test
>   - Many other fixes and improvements
> 
> The first 5 patches are derived from David's v6 patchset
> (https://lore.kernel.org/linux-crypto/20251017144311.817771-1-dhowells@redhat.com/).
> Earlier changelogs can be found there.
> 
> David Howells (5):
>   crypto: s390/sha3 - Rename conflicting functions
>   crypto: arm64/sha3 - Rename conflicting function
>   lib/crypto: sha3: Add SHA-3 support
>   lib/crypto: sha3: Move SHA3 Iota step mapping into round function
>   lib/crypto: tests: Add SHA3 kunit tests
> 
> Eric Biggers (10):
>   lib/crypto: tests: Add additional SHAKE tests
>   lib/crypto: sha3: Add FIPS cryptographic algorithm self-test
>   crypto: arm64/sha3 - Update sha3_ce_transform() to prepare for library
>   lib/crypto: arm64/sha3: Migrate optimized code into library
>   lib/crypto: s390/sha3: Add optimized Keccak functions
>   lib/crypto: sha3: Support arch overrides of one-shot digest functions
>   lib/crypto: s390/sha3: Add optimized one-shot SHA-3 digest functions
>   crypto: jitterentropy - Use default sha3 implementation
>   crypto: sha3 - Reimplement using library API
>   crypto: s390/sha3 - Remove superseded SHA-3 code
> 
>  Documentation/crypto/index.rst                |   1 +
>  Documentation/crypto/sha3.rst                 | 130 ++++++
>  arch/arm64/configs/defconfig                  |   2 +-
>  arch/arm64/crypto/Kconfig                     |  11 -
>  arch/arm64/crypto/Makefile                    |   3 -
>  arch/arm64/crypto/sha3-ce-glue.c              | 151 -------
>  arch/s390/configs/debug_defconfig             |   3 +-
>  arch/s390/configs/defconfig                   |   3 +-
>  arch/s390/crypto/Kconfig                      |  20 -
>  arch/s390/crypto/Makefile                     |   2 -
>  arch/s390/crypto/sha.h                        |  51 ---
>  arch/s390/crypto/sha3_256_s390.c              | 157 -------
>  arch/s390/crypto/sha3_512_s390.c              | 157 -------
>  arch/s390/crypto/sha_common.c                 | 117 -----
>  crypto/Kconfig                                |   1 +
>  crypto/Makefile                               |   2 +-
>  crypto/jitterentropy-kcapi.c                  |  12 +-
>  crypto/sha3.c                                 | 166 +++++++
>  crypto/sha3_generic.c                         | 290 ------------
>  crypto/testmgr.c                              |   8 +
>  include/crypto/sha3.h                         | 306 ++++++++++++-
>  lib/crypto/Kconfig                            |  13 +
>  lib/crypto/Makefile                           |  10 +
>  .../crypto/arm64}/sha3-ce-core.S              |  67 +--
>  lib/crypto/arm64/sha3.h                       |  62 +++
>  lib/crypto/fips.h                             |   7 +
>  lib/crypto/s390/sha3.h                        | 151 +++++++
>  lib/crypto/sha3.c                             | 411 +++++++++++++++++
>  lib/crypto/tests/Kconfig                      |  11 +
>  lib/crypto/tests/Makefile                     |   1 +
>  lib/crypto/tests/sha3-testvecs.h              | 249 +++++++++++
>  lib/crypto/tests/sha3_kunit.c                 | 422 ++++++++++++++++++
>  scripts/crypto/gen-fips-testvecs.py           |   4 +
>  scripts/crypto/gen-hash-testvecs.py           |  27 +-
>  34 files changed, 2012 insertions(+), 1016 deletions(-)
>  create mode 100644 Documentation/crypto/sha3.rst
>  delete mode 100644 arch/arm64/crypto/sha3-ce-glue.c
>  delete mode 100644 arch/s390/crypto/sha.h
>  delete mode 100644 arch/s390/crypto/sha3_256_s390.c
>  delete mode 100644 arch/s390/crypto/sha3_512_s390.c
>  delete mode 100644 arch/s390/crypto/sha_common.c
>  create mode 100644 crypto/sha3.c
>  delete mode 100644 crypto/sha3_generic.c
>  rename {arch/arm64/crypto => lib/crypto/arm64}/sha3-ce-core.S (84%)
>  create mode 100644 lib/crypto/arm64/sha3.h
>  create mode 100644 lib/crypto/s390/sha3.h
>  create mode 100644 lib/crypto/sha3.c
>  create mode 100644 lib/crypto/tests/sha3-testvecs.h
>  create mode 100644 lib/crypto/tests/sha3_kunit.c
> 
> base-commit: e3068492d0016d0ea9a1ff07dbfa624d2ec773ca

Picked this series from your ebiggers repo branch sha3-lib-v2.
Build on s390 runs without any complaints, no warnings.
As recommended I enabled the KUNIT option and also CRYPTO_SELFTESTS_FULL.
With a "modprobe tcrypt" I forced the selftests to run
and in parallel I checked that the s390 specific CPACF instructions
are really used (can be done with the pai command and check for
the KIMD_SHA3_* counters). Also ran some AF-alg tests to verify
all the sha3 hashes and check for thread safety.
All this ran without any findings. However there are NO performance
related tests involved.

What's a little bit tricky here is that the sha3 lib is statically
built into the kernel. So no chance to unload/load this as a module.
For sha1 and the sha2 stuff I can understand the need to have this
statically enabled in the kernel. Sha3 is only supposed to be available
as backup in case of sha2 deficiencies. So I can't see why this is
really statically needed.

Tested-by: Harald Freudenberger <freude@linux.ibm.com>
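
The v2 changelog quoted above lists a fix for wrong SHAKE output when a zero-length squeeze is followed by a nonzero-length one. The block below is an added example, not code from the patch series or from this message: a small Python model of SHAKE128 with incremental squeeze that checks any split of the output, zero-length pieces included, against hashlib's one-shot result. The names Shake128 and split_squeeze_ok are hypothetical, and the sketch generalizes the changelog's single case to arbitrary chunk sequences.

```python
import hashlib

RATE = 168  # SHAKE128 rate in bytes (21 lanes of 64 bits)

def keccak_f1600(a):
    """Keccak-f[1600] in place on 25 lanes, lane (x, y) at index x + 5*y."""
    rol = lambda v, n: ((v << n) | (v >> (64 - n))) & 0xFFFFFFFFFFFFFFFF
    lfsr = 1
    for _ in range(24):
        c = [a[x] ^ a[x + 5] ^ a[x + 10] ^ a[x + 15] ^ a[x + 20] for x in range(5)]
        for i in range(25):  # theta
            a[i] ^= c[(i + 4) % 5] ^ rol(c[(i + 1) % 5], 1)
        x, y, cur = 1, 0, a[1]
        for k in range(24):  # rho and pi
            x, y = y, (2 * x + 3 * y) % 5
            a[x + 5 * y], cur = rol(cur, (k + 1) * (k + 2) // 2 % 64), a[x + 5 * y]
        for r in range(0, 25, 5):  # chi
            t = a[r:r + 5]
            a[r:r + 5] = [t[i] ^ (~t[(i + 1) % 5] & t[(i + 2) % 5]) for i in range(5)]
        for j in range(7):  # iota, round-constant bits from an LFSR
            if lfsr & 1:
                a[0] ^= 1 << ((1 << j) - 1)
            lfsr = ((lfsr << 1) ^ (0x71 if lfsr & 0x80 else 0)) & 0xFF

class Shake128:  # hypothetical model: one-shot absorb, incremental squeeze(n)
    def __init__(self, msg):
        # SHAKE suffix 0x1f, zero fill to a whole block, last pad bit 0x80
        p = bytearray(msg + b"\x1f" + bytes(-(len(msg) + 1) % RATE))
        p[-1] ^= 0x80
        self.st, self.pos = [0] * 25, RATE  # pos == RATE: no output block yet
        for off in range(0, len(p), RATE):
            if off:
                keccak_f1600(self.st)
            for i in range(RATE // 8):
                self.st[i] ^= int.from_bytes(p[off + 8 * i:off + 8 * i + 8], "little")

    def squeeze(self, n):
        out = bytearray()
        for _ in range(n):  # n == 0 must leave st and pos untouched
            if self.pos == RATE:  # permute only when a byte is actually needed
                keccak_f1600(self.st)
                self.pos = 0
            out.append(self.st[self.pos // 8] >> (8 * (self.pos % 8)) & 0xFF)
            self.pos += 1
        return bytes(out)

def split_squeeze_ok(msg, chunks):
    """True if squeezing in `chunks` matches hashlib's one-shot SHAKE128."""
    xof = Shake128(msg)
    got = b"".join(xof.squeeze(n) for n in chunks)
    return got == hashlib.shake_128(msg).digest(len(got))
```

Because the permutation runs only when an output byte is requested, a zero-length call cannot advance the state, which is the invariant a regression test for this class of bug should pin down.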



