[PATCH v2 00/10] Enable Hardware Acceleration for SHA2 Family

[PATCH v2 00/10] Enable Hardware Acceleration for SHA2 Family

[Gary Lin via Grub-devel]

This patch series speeds up LUKS PBKDF2 unlocking by using assembly files
from libgcrypt 1.11.0 to enable hardware-accelerated SHA-256 and SHA-512.

As an initial step, the scope is limited to x86_64 EFI targets.

Patch 1 modifies autoconf/automake files to check the availablity of
special CPU instructions.
Patch 2 and 3 introduce the functions to enable/disable the hardware
features.
Patch 4 and 5 copy the selected assembly files.
Patch 6 implements _gcry_get_hw_features() to control the hardware
features detection in libgcrypt.
Patch 7 fixes a potential build error when compiling the Intel SHA
extention function for the gcry_sha256 module.
Patch 8 and 9 build the gcry_sha256 and gcry_sha512 modules with the
assembly files.
Patch 10 adds a new option to cryptomount to enable hardware
acceleration.

NOTE: The libgcrypt patch numbering begins at 13 to follow the Argon2
patch set(*).

(*) https://lists.gnu.org/archive/html/grub-devel/2025-10/msg00235.html

v2:
- Fixing the coding style issues in patch 3
- Removing 'inline' from get_cpuid_ecx() and get_cpuid_ecx()
- Rebasing to the latest git master

Gary Lin (10):
  Tweak autoconf/automake files to detect x86_64 features
  lib/hwfeatures-gcry: Introduce functions to manage hardware features
  lib/hwfeatures-gcry: Enable SSE and AVX for x86_64 EFI
  libgcrypt: Copy sha256 x86_64 assembly files
  libgcrypt: Copy sha512 x86_64 assembly files
  libgcrypt: Implement _gcry_get_hw_features()
  libgcrypt: Declare the sha256 shaext function
  libgcrypt: Add hardware acceleration for gcry_sha256
  libgcrypt: Add hardware acceleration for gcry_sha512
  disk/cryptodisk: Add '--hw-accel' to enable hardware acceleration

 Makefile.util.def                             |   1 +
 autogen.sh                                    |  11 +
 conf/Makefile.common                          |   2 +
 conf/Makefile.extra-dist                      |   4 +
 configure.ac                                  | 233 +++++++++++++++++
 docs/grub.texi                                |   5 +-
 grub-core/Makefile.core.def                   |   2 +
 grub-core/disk/cryptodisk.c                   |  26 +-
 grub-core/lib/hwfeatures-gcry.c               |  52 ++++
 .../libgcrypt-patches/13_add_hwfeatures.patch |  87 +++++++
 .../14_fix_build_shaext.patch                 |  35 +++
 .../15_build_sha256_x86_64_efi_opt_code.patch |  43 +++
 .../16_build_sha512_x86_64_efi_opt_code.patch |  35 +++
 grub-core/lib/x86_64/efi/hwfeatures-gcry.c    | 246 ++++++++++++++++++
 grub-core/normal/main.c                       |   3 +-
 include/grub/crypto.h                         |   7 +-
 include/grub/hwfeatures-gcry.h                |  26 ++
 include/grub/x86_64/cpuid.h                   |   1 +
 include/grub/x86_64/efi/hwfeatures-gcry.h     |  25 ++
 19 files changed, 836 insertions(+), 8 deletions(-)
 create mode 100644 grub-core/lib/hwfeatures-gcry.c
 create mode 100644 grub-core/lib/libgcrypt-patches/13_add_hwfeatures.patch
 create mode 100644 grub-core/lib/libgcrypt-patches/14_fix_build_shaext.patch
 create mode 100644 grub-core/lib/libgcrypt-patches/15_build_sha256_x86_64_efi_opt_code.patch
 create mode 100644 grub-core/lib/libgcrypt-patches/16_build_sha512_x86_64_efi_opt_code.patch
 create mode 100644 grub-core/lib/x86_64/efi/hwfeatures-gcry.c
 create mode 100644 include/grub/hwfeatures-gcry.h
 create mode 100644 include/grub/x86_64/cpuid.h
 create mode 100644 include/grub/x86_64/efi/hwfeatures-gcry.h

Range-diff against v1:
 1:  4c2b3fec8 <  -:  --------- util/import_gcry: Import kdf.c for Argon2
 2:  210b6292b <  -:  --------- crypto: Update crypto.h for libgcrypt KDF functions
 3:  3b72e07b8 <  -:  --------- libgcrypt/kdf: Implement blake2b_512.hash_buffers()
 4:  d90a709b1 <  -:  --------- libgcrypt/kdf: Get rid of gpg_err_code_from_errno()
 5:  5980e8a1a <  -:  --------- libgcrypt/kdf: Remove unsupported KDFs
 6:  6f3a415ca <  -:  --------- libgcrypt/kdf: Fix 64-bit modulus on 32-bit platforms
 7:  8298d3139 <  -:  --------- argon2: Introduce grub_crypto_argon2()
 8:  e3ff82e7c <  -:  --------- Import Argon2 tests from libgcrypt
 9:  168a8d24b <  -:  --------- Integrate Argon2 tests into functional_test
10:  3bc593992 <  -:  --------- disk/luks2: Add Argon2 support
11:  1fb5cac29 <  -:  --------- tests/util/grub-fs-tester: Use Argon2id for LUKS2 test
12:  840cf2fb0 <  -:  --------- docs: Document argon2 and argon2_test
13:  1fbd2a278 <  -:  --------- kern/misc: Implement faster grub_memcpy() for aligned buffers
14:  3b2ccefb0 !  1:  1890cf937 Tweak autoconf/automake files to detect x86_64 features
    @@ Commit message
         detection is currently limited to the x86_64 EFI target.
     
         Signed-off-by: Gary Lin <glin@suse.com>
    +    Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
     
      ## conf/Makefile.common ##
     @@ conf/Makefile.common: if COND_HAVE_PCI
15:  e92856ba5 !  2:  0992871e9 lib/hwfeatures-gcry: Introduce functions to manage hardware features
    @@ Commit message
           functions and sets '__gcry_use_hwf' to 'false'.
     
         Signed-off-by: Gary Lin <glin@suse.com>
    +    Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
     
      ## Makefile.util.def ##
     @@ Makefile.util.def: library = {
16:  43f2e43de !  3:  baf25b5ad lib/hwfeatures-gcry: Enable SSE and AVX for x86_64 EFI
    @@ Commit message
         on x86_64 EFI systems when the hardware is capable.
     
         Signed-off-by: Gary Lin <glin@suse.com>
    +    Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
     
      ## grub-core/Makefile.core.def ##
     @@ grub-core/Makefile.core.def: module = {
    @@ grub-core/lib/x86_64/efi/hwfeatures-gcry.c (new)
     + *
     + * Ref: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=aa5cacdc29d76a005cbbee018a47faa6e724dd2d
     + */
    -+#define __FORCE_ORDER "m"(*(unsigned int *)0x1000UL)
    ++#define __FORCE_ORDER "m"(*(unsigned int *) 0x1000UL)
     +
     +#define HW_FEATURE_X86_64_SSE (1 << 0)
     +#define HW_FEATURE_X86_64_AVX (1 << 1)
    @@ grub-core/lib/x86_64/efi/hwfeatures-gcry.c (new)
     +read_cr0 (void)
     +{
     +  grub_uint64_t val;
    ++
     +  asm volatile ("mov %%cr0, %0" : "=r" (val) : __FORCE_ORDER);
     +  return val;
     +}
    @@ grub-core/lib/x86_64/efi/hwfeatures-gcry.c (new)
     +read_cr4 (void)
     +{
     +  grub_uint64_t val;
    ++
     +  asm volatile ("mov %%cr4,%0" : "=r" (val) : __FORCE_ORDER);
     +  return val;
     +}
    @@ grub-core/lib/x86_64/efi/hwfeatures-gcry.c (new)
     +  asm volatile ("mov %0,%%cr4": "+r" (val) : : "memory");
     +}
     +
    -+static inline grub_uint32_t
    ++static grub_uint32_t
     +get_cpuid_ecx (void)
     +{
     +  grub_uint32_t eax, ebx, ecx, edx;
    @@ grub-core/lib/x86_64/efi/hwfeatures-gcry.c (new)
     +  return ecx;
     +}
     +
    -+static inline grub_uint32_t
    ++static grub_uint32_t
     +get_cpuid_edx (void)
     +{
     +  grub_uint32_t eax, ebx, ecx, edx;
17:  fa139ede3 !  4:  5195b898a libgcrypt: Copy sha256 x86_64 assembly files
    @@ Commit message
         acceleration for sha256.
     
         Signed-off-by: Gary Lin <glin@suse.com>
    +    Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
     
      ## autogen.sh ##
     @@ autogen.sh: for x in mpi-asm-defs.h mpih-add1.c mpih-sub1.c mpih-mul1.c mpih-mul2.c mpih-mul
18:  7cf761b87 !  5:  77d309e18 libgcrypt: Copy sha512 x86_64 assembly files
    @@ Commit message
         acceleration for sha512.
     
         Signed-off-by: Gary Lin <glin@suse.com>
    +    Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
     
      ## autogen.sh ##
     @@ autogen.sh: for x in mpi-asm-defs.h mpih-add1.c mpih-sub1.c mpih-mul1.c mpih-mul2.c mpih-mul
19:  09f2baf1e !  6:  61042e067 libgcrypt: Implement _gcry_get_hw_features()
    @@ Commit message
         for x86_64.
     
         Signed-off-by: Gary Lin <glin@suse.com>
    +    Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
     
      ## autogen.sh ##
     @@ autogen.sh: for x in sha256-ssse3-amd64.S sha256-avx-amd64.S sha256-avx2-bmi2-amd64.S sha256
20:  9176b4266 !  7:  9a5776f31 libgcrypt: Declare the sha256 shaext function
    @@ Commit message
         Declare the prototype in sha256-intel-shaext.c to avoid the error.
     
         Signed-off-by: Gary Lin <glin@suse.com>
    +    Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
     
      ## conf/Makefile.extra-dist ##
     @@ conf/Makefile.extra-dist: EXTRA_DIST += grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
21:  0e1265bf8 !  8:  2df17f531 libgcrypt: Add hardware acceleration for gcry_sha256
    @@ Commit message
         for the x86_64 EFI target.
     
         Signed-off-by: Gary Lin <glin@suse.com>
    +    Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
     
      ## conf/Makefile.extra-dist ##
     @@ conf/Makefile.extra-dist: EXTRA_DIST += grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.pat
22:  d6f0e1707 !  9:  ba3a8ac3a libgcrypt: Add hardware acceleration for gcry_sha512
    @@ Commit message
         for the x86_64 EFI target.
     
         Signed-off-by: Gary Lin <glin@suse.com>
    +    Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
     
      ## conf/Makefile.extra-dist ##
     @@ conf/Makefile.extra-dist: EXTRA_DIST += grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch
23:  ab712f1fd ! 10:  9798849dd disk/cryptodisk: Add '--hw-accel' to enable hardware acceleration
    @@ Commit message
         availability of the new option.
     
         Signed-off-by: Gary Lin <glin@suse.com>
    +    Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
     
      ## docs/grub.texi ##
     @@ docs/grub.texi: The option @option{--quiet} can be given to suppress the output.
    @@ grub-core/normal/main.c: static const char *features[] = {
        "feature_default_font_path", "feature_all_video_module",
        "feature_menuentry_id", "feature_menuentry_options", "feature_200_final",
        "feature_nativedisk_cmd", "feature_timeout_style",
    --  "feature_search_cryptodisk_only"
    -+  "feature_search_cryptodisk_only", "feature_gcry_hw_accel"
    +-  "feature_search_cryptodisk_only", "feature_tpm2_cap_pcrs"
    ++  "feature_search_cryptodisk_only", "feature_tpm2_cap_pcrs",
    ++  "feature_gcry_hw_accel"
      };
      
      GRUB_MOD_INIT(normal)
-- 
2.51.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH v2 01/10] Tweak autoconf/automake files to detect x86_64 features

[Gary Lin via Grub-devel]

To enable hardware acceleration, this commit ports the feature detection
logic from libgcrypt. This allows us to check if the compiler supports
specific assembly instructions, including SSSE3, Intel SHA extensions,
SSE4.1, AVX, AVX2, AVX512, and BMI2.

To simplify the initial implementation, support for x86_64 feature
detection is currently limited to the x86_64 EFI target.

Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 conf/Makefile.common |   2 +
 configure.ac         | 233 +++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 235 insertions(+)

diff --git a/conf/Makefile.common b/conf/Makefile.common
index 4d38ff034..7ef171b2b 100644
--- a/conf/Makefile.common
+++ b/conf/Makefile.common
@@ -24,6 +24,8 @@ if COND_HAVE_PCI
   CFLAGS_PLATFORM += -DGRUB_HAS_PCI
 endif
 
+CPPFLAGS_GCRY_ASM = @CPPFLAGS_GCRY_ASM@
+
 # Other options
 
 CPPFLAGS_DEFAULT = -DGRUB_FILE=\"$(subst $(srcdir)/,,$<)\"
diff --git a/configure.ac b/configure.ac
index 1036638a9..1f391fa8e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1148,6 +1148,239 @@ if test "x$grub_cv_cc_fno_ident" = xyes; then
   TARGET_CFLAGS="$TARGET_CFLAGS -fno-ident"
 fi
 
+# Implementation of the --disable-amd64-as-feature-detection switch.
+AC_MSG_CHECKING([whether to enable AMD64 as(1) feature detection])
+if test x$target_cpu == xx86_64 -a x$platform == xefi; then
+  CPPFLAGS_GCRY_ASM="-D__x86_64 -DHAVE_CPU_ARCH_X86"
+  AC_ARG_ENABLE(amd64-as-feature-detection,
+    AS_HELP_STRING([--disable-amd64-as-feature-detection],
+      [Disable the auto-detection of AMD64 as(1) features]),
+    [amd64_as_feature_detection=$enableval],
+    [amd64_as_feature_detection=yes])
+else
+  CPPFLAGS_GCRY_ASM=
+  amd64_as_feature_detection=no
+fi
+AC_MSG_RESULT($amd64_as_feature_detection)
+
+#
+# Check whether GCC assembler supports features needed for libgcrypt amd64
+# implementations
+#
+if test $amd64_as_feature_detection = yes; then
+  AC_CACHE_CHECK([whether GCC assembler is compatible for amd64 assembly implementations],
+    [grub_cv_gcc_x86_platform_as_ok],
+    [if test "$target_cpu" != "x86_64" ; then
+       grub_cv_gcc_x86_platform_as_ok="n/a"
+     else
+       grub_cv_gcc_x86_platform_as_ok=no
+       AC_LINK_IFELSE([AC_LANG_PROGRAM(
+       [[__asm__(
+             /* Test if '.type' and '.size' are supported.  */
+             /* These work only on ELF targets. */
+             ".text\n\t"
+             "asmfunc:\n\t"
+             ".size asmfunc,.-asmfunc;\n\t"
+             ".type asmfunc,@function;\n\t"
+             /* Test if assembler allows use of '/' for constant division
+              * (Solaris/x86 issue). If previous constant division check
+              * and "-Wa,--divide" workaround failed, this causes assembly
+              * to be disable on this machine. */
+              "xorl \$(123456789/12345678), %ebp;\n\t"
+         );
+         void asmfunc(void);]], [ asmfunc(); ])],
+       [grub_cv_gcc_x86_platform_as_ok=yes])
+     fi])
+  if test "$grub_cv_gcc_x86_platform_as_ok" = "yes"; then
+    # Define __PIC__ to ensure the assembly code use PIC instructions
+    CPPFLAGS_GCRY_ASM="$CPPFLAGS_GCRY_ASM -D__PIC__=1 -DHAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS"
+  fi
+
+  #
+  # Check whether GCC assembler supports Intel syntax
+  #
+  AC_CACHE_CHECK([whether GCC assembler is compatible for Intel syntax assembly implementations],
+    [grub_cv_gcc_platform_as_ok_for_intel_syntax],
+    [if test "$target_cpu" != "x86_64" ; then
+       grub_cv_gcc_platform_as_ok_for_intel_syntax="n/a"
+     else
+       grub_cv_gcc_platform_as_ok_for_intel_syntax=no
+       AC_LINK_IFELSE([AC_LANG_PROGRAM(
+       [[__asm__(
+             ".intel_syntax noprefix\n\t"
+             ".text\n\t"
+             "actest:\n\t"
+             "pxor xmm1, xmm7;\n\t"
+             "vperm2i128 ymm2, ymm3, ymm0, 1;\n\t"
+             "add eax, ebp;\n\t"
+             "rorx eax, ebp, 1;\n\t"
+             "sub eax, [esp + 4];\n\t"
+             "add dword ptr [esp + eax], 0b10101;\n\t"
+             ".att_syntax prefix\n\t"
+         );
+         void actest(void);]], [ actest(); ])],
+       [grub_cv_gcc_platform_as_ok_for_intel_syntax=yes])
+     fi])
+  if test "$grub_cv_gcc_platform_as_ok_for_intel_syntax" = "yes" ; then
+    CPPFLAGS_GCRY_ASM="$CPPFLAGS_GCRY_ASM -DHAVE_INTEL_SYNTAX_PLATFORM_AS"
+  fi
+
+  #
+  # Check whether GCC inline assembler supports SSSE3 instructions
+  #
+  AC_CACHE_CHECK([whether GCC inline assembler supports SSSE3 instructions],
+    [grub_cv_gcc_inline_asm_ssse3],
+    [if test "$target_cpu" != "x86_64" ; then
+       grub_cv_gcc_inline_asm_ssse3="n/a"
+     else
+       grub_cv_gcc_inline_asm_ssse3=no
+       AC_LINK_IFELSE([AC_LANG_PROGRAM(
+       [[static unsigned char be_mask[16] __attribute__ ((aligned (16))) =
+           { 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0 };
+         void a(void) {
+           __asm__("pshufb %[mask], %%xmm2\n\t"::[mask]"m"(*be_mask):);
+         }]], [ a(); ] )],
+       [grub_cv_gcc_inline_asm_ssse3=yes])
+     fi])
+  if test "$grub_cv_gcc_inline_asm_ssse3" = "yes" ; then
+    CPPFLAGS_GCRY_ASM="$CPPFLAGS_GCRY_ASM -DHAVE_GCC_INLINE_ASM_SSSE3"
+  fi
+
+  #
+  # Check whether GCC inline assembler supports SHA Extensions instructions.
+  #
+  AC_CACHE_CHECK([whether GCC inline assembler supports SHA Extensions instructions],
+    [grub_cv_gcc_inline_asm_shaext],
+    [if test "$target_cpu" != "x86_64" ; then
+       grub_cv_gcc_inline_asm_shaext="n/a"
+     else
+       grub_cv_gcc_inline_asm_shaext=no
+       AC_LINK_IFELSE([AC_LANG_PROGRAM(
+       [[void a(void) {
+           __asm__("sha1rnds4 \$0, %%xmm1, %%xmm3\n\t":::"cc");
+           __asm__("sha1nexte %%xmm1, %%xmm3\n\t":::"cc");
+           __asm__("sha1msg1 %%xmm1, %%xmm3\n\t":::"cc");
+           __asm__("sha1msg2 %%xmm1, %%xmm3\n\t":::"cc");
+           __asm__("sha256rnds2 %%xmm0, %%xmm1, %%xmm3\n\t":::"cc");
+           __asm__("sha256msg1 %%xmm1, %%xmm3\n\t":::"cc");
+           __asm__("sha256msg2 %%xmm1, %%xmm3\n\t":::"cc");
+         }]], [ a(); ] )],
+       [grub_cv_gcc_inline_asm_shaext=yes])
+     fi])
+  if test "$grub_cv_gcc_inline_asm_shaext" = "yes" ; then
+    CPPFLAGS_GCRY_ASM="$CPPFLAGS_GCRY_ASM -DHAVE_GCC_INLINE_ASM_SHAEXT -DENABLE_SHAEXT_SUPPORT"
+  fi
+
+  #
+  # Check whether GCC inline assembler supports SSE4.1 instructions.
+  #
+  AC_CACHE_CHECK([whether GCC inline assembler supports SSE4.1 instructions],
+    [grub_cv_gcc_inline_asm_sse41],
+    [if test "$target_cpu" != "x86_64" ; then
+       grub_cv_gcc_inline_asm_sse41="n/a"
+     else
+       grub_cv_gcc_inline_asm_sse41=no
+       AC_LINK_IFELSE([AC_LANG_PROGRAM(
+       [[void a(void) {
+           int i;
+           __asm__("pextrd \$2, %%xmm0, %[out]\n\t" : [out] "=m" (i));
+         }]], [ a(); ] )],
+       [grub_cv_gcc_inline_asm_sse41=yes])
+     fi])
+  if test "$grub_cv_gcc_inline_asm_sse41" = "yes" ; then
+    CPPFLAGS_GCRY_ASM="$CPPFLAGS_GCRY_ASM -DHAVE_GCC_INLINE_ASM_SSE41"
+  fi
+
+  #
+  # Check whether GCC inline assembler supports AVX instructions
+  #
+  AC_CACHE_CHECK([whether GCC inline assembler supports AVX instructions],
+    [grub_cv_gcc_inline_asm_avx],
+    [if test "$target_cpu" != "x86_64" ; then
+       grub_cv_gcc_inline_asm_avx="n/a"
+     else
+       grub_cv_gcc_inline_asm_avx=no
+       AC_LINK_IFELSE([AC_LANG_PROGRAM(
+       [[void a(void) {
+           __asm__("xgetbv; vaesdeclast (%[mem]),%%xmm0,%%xmm7\n\t"::[mem]"r"(0):);
+         }]], [ a(); ] )],
+       [grub_cv_gcc_inline_asm_avx=yes])
+     fi])
+  if test "$grub_cv_gcc_inline_asm_avx" = "yes" ; then
+    CPPFLAGS_GCRY_ASM="$CPPFLAGS_GCRY_ASM -DHAVE_GCC_INLINE_ASM_AVX"
+  fi
+
+  #
+  # Check whether GCC inline assembler supports AVX2 instructions
+  #
+  AC_CACHE_CHECK([whether GCC inline assembler supports AVX2 instructions],
+    [grub_cv_gcc_inline_asm_avx2],
+    [if test "$target_cpu" != "x86_64" ; then
+       grub_cv_gcc_inline_asm_avx2="n/a"
+     else
+       grub_cv_gcc_inline_asm_avx2=no
+       AC_LINK_IFELSE([AC_LANG_PROGRAM(
+       [[void a(void) {
+           __asm__("xgetbv; vpbroadcastb %%xmm7,%%ymm1\n\t":::"cc");
+         }]], [ a(); ] )],
+       [grub_cv_gcc_inline_asm_avx2=yes])
+     fi])
+  if test "$grub_cv_gcc_inline_asm_avx2" = "yes" ; then
+    CPPFLAGS_GCRY_ASM="$CPPFLAGS_GCRY_ASM -DHAVE_GCC_INLINE_ASM_AVX2"
+  fi
+
+  #
+  # Check whether GCC inline assembler supports AVX512 instructions
+  #
+  AC_CACHE_CHECK([whether GCC inline assembler supports AVX512 instructions],
+    [grub_cv_gcc_inline_asm_avx512],
+    [if test "$target_cpu" != "x86_64" ; then
+       grub_cv_gcc_inline_asm_avx512="n/a"
+     else
+       grub_cv_gcc_inline_asm_avx512=no
+       AC_LINK_IFELSE([AC_LANG_PROGRAM(
+       [[void a(void) {
+           __asm__("xgetbv; vpopcntq %%zmm7, %%zmm1%{%%k1%}%{z%};\n\t":::"cc");
+           __asm__("vpexpandb %%zmm3, %%zmm1;\n\t":::"cc");
+           __asm__("vpxorq %%xmm7, %%xmm7, %%xmm7;\n\t":::"cc");
+           __asm__("vpxorq %%ymm7, %%ymm7, %%ymm7;\n\t":::"cc");
+           __asm__("vpxorq (%%eax)%{1to8%}, %%zmm7, %%zmm7;\n\t":::"cc");
+         }]], [ a(); ] )],
+       [grub_cv_gcc_inline_asm_avx512=yes])
+     fi])
+  if test "$grub_cv_gcc_inline_asm_avx512" = "yes" ; then
+    CPPFLAGS_GCRY_ASM="$CPPFLAGS_GCRY_ASM -DHAVE_GCC_INLINE_ASM_AVX512"
+  fi
+
+  #
+  # Check whether GCC inline assembler supports BMI2 instructions
+  #
+  AC_CACHE_CHECK([whether GCC inline assembler supports BMI2 instructions],
+    [grub_cv_gcc_inline_asm_bmi2],
+    [if test "$target_cpu" != "x86_64" ; then
+       grub_cv_gcc_inline_asm_bmi2="n/a"
+     else
+       grub_cv_gcc_inline_asm_bmi2=no
+       AC_LINK_IFELSE([AC_LANG_PROGRAM(
+       [[unsigned int a(unsigned int x, unsigned int y) {
+           unsigned int tmp1, tmp2;
+           asm ("rorxl %2, %1, %0"
+                : "=r" (tmp1)
+                : "rm0" (x), "J" (32 - ((23) & 31)));
+           asm ("andnl %2, %1, %0"
+                : "=r" (tmp2)
+                : "r0" (x), "rm" (y));
+           return tmp1 + tmp2;
+         }]], [ a(1, 2); ] )],
+       [grub_cv_gcc_inline_asm_bmi2=yes])
+     fi])
+  if test "$grub_cv_gcc_inline_asm_bmi2" = "yes" ; then
+    CPPFLAGS_GCRY_ASM="$CPPFLAGS_GCRY_ASM -DHAVE_GCC_INLINE_ASM_BMI2"
+  fi
+fi
+
+AC_SUBST(CPPFLAGS_GCRY_ASM)
+
 CFLAGS="$TARGET_CFLAGS"
 
 
-- 
2.51.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH v2 02/10] lib/hwfeatures-gcry: Introduce functions to manage hardware features

[Gary Lin via Grub-devel]

This commit introduces the generic functions to manage the hardware
features in libgcrypt. These functions are stubs for future
platform-specific implementations.

* grub_gcry_hwf_enabled() returns '__gcry_use_hwf' which indicates if
  the hardware features are enabled specifically by
  grub_enable_gcry_hwf().
* grub_enable_gcry_hwf() invokes the architecture specific enablement
  functions and sets '__gcry_use_hwf' to 'true'.
* grub_reset_gcry_hwf() invokes the architecture specific reset
  functions and sets '__gcry_use_hwf' to 'false'.

Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 Makefile.util.def               |  1 +
 grub-core/Makefile.core.def     |  1 +
 grub-core/lib/hwfeatures-gcry.c | 43 +++++++++++++++++++++++++++++++++
 include/grub/hwfeatures-gcry.h  | 26 ++++++++++++++++++++
 4 files changed, 71 insertions(+)
 create mode 100644 grub-core/lib/hwfeatures-gcry.c
 create mode 100644 include/grub/hwfeatures-gcry.h

diff --git a/Makefile.util.def b/Makefile.util.def
index f8d4ae7d3..0196911e6 100644
--- a/Makefile.util.def
+++ b/Makefile.util.def
@@ -36,6 +36,7 @@ library = {
   common = grub-core/kern/misc.c;
   common = grub-core/kern/partition.c;
   common = grub-core/lib/crypto.c;
+  common = grub-core/lib/hwfeatures-gcry.c;
   common = grub-core/lib/json/json.c;
   common = grub-core/disk/luks.c;
   common = grub-core/disk/luks2.c;
diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 2b84d76d2..3173e66be 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -1720,6 +1720,7 @@ module = {
 module = {
   name = crypto;
   common = lib/crypto.c;
+  common = lib/hwfeatures-gcry.c;
 
   extra_dist = lib/libgcrypt-grub/cipher/crypto.lst;
 };
diff --git a/grub-core/lib/hwfeatures-gcry.c b/grub-core/lib/hwfeatures-gcry.c
new file mode 100644
index 000000000..652e67c43
--- /dev/null
+++ b/grub-core/lib/hwfeatures-gcry.c
@@ -0,0 +1,43 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2025  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/dl.h>
+
+#include <grub/hwfeatures-gcry.h>
+
+GRUB_MOD_LICENSE ("GPLv3+");
+
+static bool __gcry_use_hwf = false;
+
+bool
+grub_gcry_hwf_enabled (void)
+{
+  return __gcry_use_hwf;
+}
+
+void
+grub_enable_gcry_hwf (void)
+{
+  __gcry_use_hwf = true;
+}
+
+void
+grub_reset_gcry_hwf (void)
+{
+  __gcry_use_hwf = false;
+}
diff --git a/include/grub/hwfeatures-gcry.h b/include/grub/hwfeatures-gcry.h
new file mode 100644
index 000000000..2884f054a
--- /dev/null
+++ b/include/grub/hwfeatures-gcry.h
@@ -0,0 +1,26 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2025  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef HWF_GCRY_HEADER
+#define HWF_GCRY_HEADER 1
+
+extern bool grub_gcry_hwf_enabled (void);
+extern void grub_enable_gcry_hwf (void);
+extern void grub_reset_gcry_hwf (void);
+
+#endif /* HWF_GCRY_HEADER */
-- 
2.51.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH v2 03/10] lib/hwfeatures-gcry: Enable SSE and AVX for x86_64 EFI

[Gary Lin via Grub-devel]

Implement the necessary functions to dynamically enable SSE and AVX
on x86_64 EFI systems when the hardware is capable.

Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 grub-core/Makefile.core.def                |   1 +
 grub-core/lib/hwfeatures-gcry.c            |   9 +
 grub-core/lib/x86_64/efi/hwfeatures-gcry.c | 246 +++++++++++++++++++++
 include/grub/x86_64/cpuid.h                |   1 +
 include/grub/x86_64/efi/hwfeatures-gcry.h  |  25 +++
 5 files changed, 282 insertions(+)
 create mode 100644 grub-core/lib/x86_64/efi/hwfeatures-gcry.c
 create mode 100644 include/grub/x86_64/cpuid.h
 create mode 100644 include/grub/x86_64/efi/hwfeatures-gcry.h

diff --git a/grub-core/Makefile.core.def b/grub-core/Makefile.core.def
index 3173e66be..3d4b1a3b4 100644
--- a/grub-core/Makefile.core.def
+++ b/grub-core/Makefile.core.def
@@ -1721,6 +1721,7 @@ module = {
   name = crypto;
   common = lib/crypto.c;
   common = lib/hwfeatures-gcry.c;
+  x86_64_efi = lib/x86_64/efi/hwfeatures-gcry.c;
 
   extra_dist = lib/libgcrypt-grub/cipher/crypto.lst;
 };
diff --git a/grub-core/lib/hwfeatures-gcry.c b/grub-core/lib/hwfeatures-gcry.c
index 652e67c43..acfa7be33 100644
--- a/grub-core/lib/hwfeatures-gcry.c
+++ b/grub-core/lib/hwfeatures-gcry.c
@@ -19,6 +19,9 @@
 #include <grub/dl.h>
 
 #include <grub/hwfeatures-gcry.h>
+#if defined (__x86_64__) && defined (GRUB_MACHINE_EFI)
+#include <grub/x86_64/efi/hwfeatures-gcry.h>
+#endif
 
 GRUB_MOD_LICENSE ("GPLv3+");
 
@@ -33,11 +36,17 @@ grub_gcry_hwf_enabled (void)
 void
 grub_enable_gcry_hwf (void)
 {
+#if defined (__x86_64__) && defined (GRUB_MACHINE_EFI)
+  grub_enable_gcry_hwf_x86_64_efi ();
+#endif
   __gcry_use_hwf = true;
 }
 
 void
 grub_reset_gcry_hwf (void)
 {
+#if defined (__x86_64__) && defined (GRUB_MACHINE_EFI)
+  grub_reset_gcry_hwf_x86_64_efi ();
+#endif
   __gcry_use_hwf = false;
 }
diff --git a/grub-core/lib/x86_64/efi/hwfeatures-gcry.c b/grub-core/lib/x86_64/efi/hwfeatures-gcry.c
new file mode 100644
index 000000000..26cb0f512
--- /dev/null
+++ b/grub-core/lib/x86_64/efi/hwfeatures-gcry.c
@@ -0,0 +1,246 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2025  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/types.h>
+#include <grub/x86_64/efi/hwfeatures-gcry.h>
+#include <grub/x86_64/cpuid.h>
+#include <grub/misc.h>
+
+/*
+ * Older versions of GCC may reorder the inline asm, which can lead to
+ * unexpected behavior when reading the Control Registers. The __FORCE_ORDER
+ * macro is used to prevent this.
+ *
+ * Ref: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=aa5cacdc29d76a005cbbee018a47faa6e724dd2d
+ */
+#define __FORCE_ORDER "m"(*(unsigned int *) 0x1000UL)
+
+#define HW_FEATURE_X86_64_SSE (1 << 0)
+#define HW_FEATURE_X86_64_AVX (1 << 1)
+
+static grub_uint32_t hw_features = 0;
+static grub_uint64_t old_cr0, old_cr4, old_xcr0;
+
+static inline grub_uint64_t
+read_cr0 (void)
+{
+  grub_uint64_t val;
+
+  asm volatile ("mov %%cr0, %0" : "=r" (val) : __FORCE_ORDER);
+  return val;
+}
+
+static inline grub_uint64_t
+read_cr4 (void)
+{
+  grub_uint64_t val;
+
+  asm volatile ("mov %%cr4,%0" : "=r" (val) : __FORCE_ORDER);
+  return val;
+}
+
+static inline void
+write_cr0 (grub_uint64_t val)
+{
+  asm volatile ("mov %0,%%cr4": "+r" (val) : : "memory");
+}
+
+static inline void
+write_cr4 (grub_uint64_t val)
+{
+  asm volatile ("mov %0,%%cr4": "+r" (val) : : "memory");
+}
+
+static grub_uint32_t
+get_cpuid_ecx (void)
+{
+  grub_uint32_t eax, ebx, ecx, edx;
+
+  grub_cpuid (1, eax, ebx, ecx, edx);
+
+  return ecx;
+}
+
+static grub_uint32_t
+get_cpuid_edx (void)
+{
+  grub_uint32_t eax, ebx, ecx, edx;
+
+  grub_cpuid (1, eax, ebx, ecx, edx);
+
+  return edx;
+}
+
+static bool
+enable_sse (void)
+{
+  grub_uint64_t cr0, cr4;
+  grub_uint32_t edx;
+
+  edx = get_cpuid_edx ();
+
+  /* Check CPUID.01H:EDX.FXSR[bit 24] and CPUID.01H:EDX.SSE[bit 25] */
+  if ((edx & (3 << 24)) != (3 << 24))
+    return false;
+
+  cr0 = old_cr0 = read_cr0 ();
+  cr4 = old_cr4 = read_cr4 ();
+
+  /* clear CR0.EM[bit 2] */
+  if ((cr0 & (1 << 2)) != 0)
+    cr0 &= ~(1 << 2);
+
+  /* Set CR0.MP[bit 1] */
+  if ((cr0 & (1 << 1)) == 0)
+    cr0 |= (1 << 1);
+
+  grub_dprintf ("hwfeatures", "CR0: 0x%"PRIxGRUB_UINT64_T" 0x%"PRIxGRUB_UINT64_T"\n", old_cr0, cr0);
+  if (old_cr0 != cr0)
+    write_cr0 (cr0);
+
+  /* Set CR4.OSFXSR[bit 9] and CR4.OSXMMEXCPT[bit 10] */
+  if ((cr4 & (3 << 9)) != (3 << 9))
+    cr4 |= (3 << 9);
+
+  grub_dprintf ("hwfeatures", "CR4: 0x%"PRIxGRUB_UINT64_T" 0x%"PRIxGRUB_UINT64_T"\n", old_cr4, cr4);
+  if (old_cr4 != cr4)
+    write_cr4 (cr4);
+
+  return true;
+}
+
+static inline grub_uint64_t
+xgetbv (grub_uint32_t index)
+{
+  grub_uint32_t eax, edx;
+
+  asm volatile ("xgetbv" : "=a" (eax), "=d" (edx) : "c" (index));
+
+  return eax + ((grub_uint64_t)edx << 32);
+}
+
+static inline void
+xsetbv (grub_uint32_t index, grub_uint64_t value)
+{
+  grub_uint32_t eax = (grub_uint32_t)value;
+  grub_uint32_t edx = (grub_uint32_t)(value >> 32);
+
+  asm volatile ("xsetbv" :: "a" (eax), "d" (edx), "c" (index));
+}
+
+static bool
+enable_avx (void)
+{
+  grub_uint64_t cr4;
+  grub_uint32_t ecx;
+  grub_uint64_t sse_avx_mask = (1 << 2) | (1 << 1);
+  grub_uint64_t xcr0;
+
+  ecx = get_cpuid_ecx ();
+
+  /* Check the following two bits
+   * -  CPUID.01H:ECX.XSAVE[bit 26]
+   *    If XSAVE is not supported, setting CR4.OSXSAVE will cause
+   *    general-protection fault (#GP).
+   * - CPUID.01H:ECX.AVX[bit 28]
+   */
+  grub_dprintf ("hwfeatures", "Check CPUID.01H:ECX 0x%"PRIuGRUB_UINT32_T"\n", ecx);
+  if ((ecx & (5 << 26)) != (5 << 26))
+    return false;
+
+  cr4 = read_cr4 ();
+
+  /* Set CR4.OSXSAVE[bit 18] */
+  if ((cr4 & (1 << 18)) == 0)
+    {
+      grub_dprintf ("hwfeatures", "Set CR4.OSXSAVE\n");
+      cr4 |= 1 << 18;
+      write_cr4 (cr4);
+    }
+
+  ecx = get_cpuid_ecx ();
+
+  /* Check CPUID.01H:ECX.OSXSAVE[bit 27] */
+  if ((ecx & (1 << 27)) == 0)
+    return false;
+
+  xcr0 = old_xcr0 = xgetbv (0);
+
+  /* Set XCR0[bit 1] and XCR0[bit 2] to enable SSE/AVX */
+  if ((xcr0 & sse_avx_mask) != sse_avx_mask)
+    {
+      grub_dprintf ("hwfeatures", "Set XCR0[2:1] to 11b\n");
+      xcr0 |= sse_avx_mask;
+      xsetbv (0, xcr0);
+    }
+
+  return true;
+}
+
+void
+grub_enable_gcry_hwf_x86_64_efi (void)
+{
+  if (enable_sse () == true)
+    hw_features |= HW_FEATURE_X86_64_SSE;
+
+  if (enable_avx () == true)
+    hw_features |= HW_FEATURE_X86_64_AVX;
+}
+
+void
+grub_reset_gcry_hwf_x86_64_efi (void)
+{
+  grub_uint64_t cr0, cr4, xcr0;
+
+  if ((hw_features & HW_FEATURE_X86_64_AVX) != 0)
+    {
+      xcr0 = xgetbv (0);
+      if (xcr0 != old_xcr0)
+	{
+	  /*
+	   * Reset the AVX state with 'vzeroupper' before clearing XCR0[bit 2].
+	   *
+	   * Ref: Intel 64 and IA-32 Architectures Software Developer's Manual
+	   *      - 13.3 ENABLING THE XSAVE FEATURE SET AND XSAVE-ENABLED FEATURES
+	   *
+	   * "As noted in Section 13.1, the processor will preserve AVX state
+	   *  unmodified if software clears XCR0[2]. However, clearing XCR0[2]
+	   *  while AVX state is not in its initial configuration may cause SSE
+	   *  instructions to incur a power and performance penalty."
+	   */
+	  asm volatile ("vzeroupper" ::: "memory");
+	  xsetbv (0, old_xcr0);
+	}
+    }
+
+  if ((hw_features & HW_FEATURE_X86_64_AVX) != 0 || (hw_features & HW_FEATURE_X86_64_SSE) != 0)
+    {
+      cr4 = read_cr4 ();
+      if (cr4 != old_cr4)
+	write_cr4 (old_cr4);
+    }
+
+  if ((hw_features & HW_FEATURE_X86_64_SSE) != 0)
+    {
+      cr0 = read_cr0 ();
+      if (cr0 != old_cr0)
+	write_cr0 (old_cr0);
+    }
+
+  hw_features = 0;
+}
diff --git a/include/grub/x86_64/cpuid.h b/include/grub/x86_64/cpuid.h
new file mode 100644
index 000000000..acd93e3a7
--- /dev/null
+++ b/include/grub/x86_64/cpuid.h
@@ -0,0 +1 @@
+#include <grub/i386/cpuid.h>
diff --git a/include/grub/x86_64/efi/hwfeatures-gcry.h b/include/grub/x86_64/efi/hwfeatures-gcry.h
new file mode 100644
index 000000000..a8e671058
--- /dev/null
+++ b/include/grub/x86_64/efi/hwfeatures-gcry.h
@@ -0,0 +1,25 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2025  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef HWF_GCRY_X86_64_EFI_HEADER
+#define HWF_GCRY_X86_64_EFI_HEADER 1
+
+extern void grub_enable_gcry_hwf_x86_64_efi (void);
+extern void grub_reset_gcry_hwf_x86_64_efi (void);
+
+#endif /* HWF_GCRY_X86_64_EFI_HEADER */
-- 
2.51.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH v2 04/10] libgcrypt: Copy sha256 x86_64 assembly files

[Gary Lin via Grub-devel]

Copy the selected x86_64 assembly files to support hardware
acceleration for sha256.

Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 autogen.sh | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/autogen.sh b/autogen.sh
index fbdb33879..0e3c23f65 100755
--- a/autogen.sh
+++ b/autogen.sh
@@ -52,6 +52,13 @@ for x in mpi-asm-defs.h mpih-add1.c mpih-sub1.c mpih-mul1.c mpih-mul2.c mpih-mul
     cp grub-core/lib/libgcrypt-grub/mpi/generic/"$x" grub-core/lib/libgcrypt-grub/mpi/"$x"
 done
 
+for x in sha256-ssse3-amd64.S sha256-avx-amd64.S sha256-avx2-bmi2-amd64.S sha256-intel-shaext.c; do
+    if [ -h grub-core/lib/libgcrypt-grub/cipher/"$x" ] || [ -f grub-core/lib/libgcrypt-grub/cipher/"$x" ]; then
+	rm grub-core/lib/libgcrypt-grub/cipher/"$x"
+    fi
+    cp grub-core/lib/libgcrypt/cipher/"$x" grub-core/lib/libgcrypt-grub/cipher/"$x"
+done
+
 for x in grub-core/lib/libgcrypt-patches/*.patch; do
     patch -i $x -p1
 done
-- 
2.51.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH v2 05/10] libgcrypt: Copy sha512 x86_64 assembly files

[Gary Lin via Grub-devel]

Copy the selected x86_64 assembly files to support hardware
acceleration for sha512.

Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 autogen.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/autogen.sh b/autogen.sh
index 0e3c23f65..7ff90cb93 100755
--- a/autogen.sh
+++ b/autogen.sh
@@ -52,7 +52,7 @@ for x in mpi-asm-defs.h mpih-add1.c mpih-sub1.c mpih-mul1.c mpih-mul2.c mpih-mul
     cp grub-core/lib/libgcrypt-grub/mpi/generic/"$x" grub-core/lib/libgcrypt-grub/mpi/"$x"
 done
 
-for x in sha256-ssse3-amd64.S sha256-avx-amd64.S sha256-avx2-bmi2-amd64.S sha256-intel-shaext.c; do
+for x in sha256-ssse3-amd64.S sha256-avx-amd64.S sha256-avx2-bmi2-amd64.S sha256-intel-shaext.c sha512-ssse3-amd64.S sha512-avx-amd64.S sha512-avx2-bmi2-amd64.S sha512-avx512-amd64.S; do
     if [ -h grub-core/lib/libgcrypt-grub/cipher/"$x" ] || [ -f grub-core/lib/libgcrypt-grub/cipher/"$x" ]; then
 	rm grub-core/lib/libgcrypt-grub/cipher/"$x"
     fi
-- 
2.51.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH v2 06/10] libgcrypt: Implement _gcry_get_hw_features()

[Gary Lin via Grub-devel]

Implement _gcry_get_hw_features() and enable hardware feature detection
for x86_64.

Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 autogen.sh                                    |  4 +
 conf/Makefile.extra-dist                      |  1 +
 .../libgcrypt-patches/13_add_hwfeatures.patch | 87 +++++++++++++++++++
 include/grub/crypto.h                         |  7 +-
 4 files changed, 97 insertions(+), 2 deletions(-)
 create mode 100644 grub-core/lib/libgcrypt-patches/13_add_hwfeatures.patch

diff --git a/autogen.sh b/autogen.sh
index 7ff90cb93..7dd26cd33 100755
--- a/autogen.sh
+++ b/autogen.sh
@@ -59,6 +59,10 @@ for x in sha256-ssse3-amd64.S sha256-avx-amd64.S sha256-avx2-bmi2-amd64.S sha256
     cp grub-core/lib/libgcrypt/cipher/"$x" grub-core/lib/libgcrypt-grub/cipher/"$x"
 done
 
+if [ -f grub-core/lib/libgcrypt-grub/src/hwfeatures.c ]; then
+  rm grub-core/lib/libgcrypt-grub/src/hwfeatures.c
+fi
+
 for x in grub-core/lib/libgcrypt-patches/*.patch; do
     patch -i $x -p1
 done
diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index 48c2b75f8..7c5afe680 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -47,6 +47,7 @@ EXTRA_DIST += grub-core/lib/libgcrypt-patches/09-blake2b-hash-buffers.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch
+EXTRA_DIST += grub-core/lib/libgcrypt-patches/13_add_hwfeatures.patch
 
 EXTRA_DIST += grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
 EXTRA_DIST += grub-core/lib/libtasn1-patches/0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch
diff --git a/grub-core/lib/libgcrypt-patches/13_add_hwfeatures.patch b/grub-core/lib/libgcrypt-patches/13_add_hwfeatures.patch
new file mode 100644
index 000000000..1360b666e
--- /dev/null
+++ b/grub-core/lib/libgcrypt-patches/13_add_hwfeatures.patch
@@ -0,0 +1,87 @@
+From 4403c452240417aaac7d3120c80b1325b7218768 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Fri, 18 Jul 2025 15:21:51 +0800
+Subject: [PATCH 1/4] libgcrypt: Implement _gcry_get_hw_features()
+
+Implement _gcry_get_hw_features() and enable hardware feature detection
+for x86_64.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/Makefile.gcry.def                   |  8 ++++
+ grub-core/lib/libgcrypt-grub/src/hwfeatures.c | 47 +++++++++++++++++++
+ 2 files changed, 55 insertions(+)
+ create mode 100644 grub-core/lib/libgcrypt-grub/src/hwfeatures.c
+
+diff --git a/grub-core/Makefile.gcry.def b/grub-core/Makefile.gcry.def
+index a0593fa09..c8caf17dc 100644
+--- a/grub-core/Makefile.gcry.def
++++ b/grub-core/Makefile.gcry.def
+@@ -226,3 +226,11 @@ module = {
+   cppflags = '$(CPPFLAGS_GCRY)';
+ };
+ 
++module = {
++  name = gcry_hwfeatures;
++  common = lib/libgcrypt-grub/src/hwfeatures.c;
++  x86_64_efi = lib/libgcrypt-grub/src/hwf-x86.c;
++
++  cflags = '$(CFLAGS_GCRY)';
++  cppflags = '$(CPPFLAGS_GCRY) $(CPPFLAGS_GCRY_ASM)';
++};
+diff --git a/grub-core/lib/libgcrypt-grub/src/hwfeatures.c b/grub-core/lib/libgcrypt-grub/src/hwfeatures.c
+new file mode 100644
+index 000000000..4d744f8ec
+--- /dev/null
++++ b/grub-core/lib/libgcrypt-grub/src/hwfeatures.c
+@@ -0,0 +1,47 @@
++/*
++ *  GRUB  --  GRand Unified Bootloader
++ *  Copyright (C) 2025  Free Software Foundation, Inc.
++ *
++ *  GRUB is free software: you can redistribute it and/or modify
++ *  it under the terms of the GNU General Public License as published by
++ *  the Free Software Foundation, either version 3 of the License, or
++ *  (at your option) any later version.
++ *
++ *  GRUB is distributed in the hope that it will be useful,
++ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
++ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
++ *  GNU General Public License for more details.
++ *
++ *  You should have received a copy of the GNU General Public License
++ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
++ */
++
++#include <grub/dl.h>
++GRUB_MOD_LICENSE ("GPLv3+");
++
++#include <grub/crypto.h>
++#include <grub/hwfeatures-gcry.h>
++#include "hwf-common.h"
++
++unsigned int
++_gcry_get_hw_features (void)
++{
++  static bool detected = false;
++  static unsigned int hw_features = 0;
++
++  if (grub_gcry_hwf_enabled () == false)
++    return 0;
++
++  if (detected == true)
++    return hw_features;
++
++#if defined (__x86_64__) && defined (GRUB_MACHINE_EFI)
++  hw_features = _gcry_hwf_detect_x86 ();
++#endif
++
++  grub_dprintf ("hwfeatures", "Detected features: 0x%x\n", hw_features);
++
++  detected = true;
++
++  return hw_features;
++}
+-- 
+2.51.0
+
diff --git a/include/grub/crypto.h b/include/grub/crypto.h
index 125502582..14ca8faa8 100644
--- a/include/grub/crypto.h
+++ b/include/grub/crypto.h
@@ -620,11 +620,14 @@ _gcry_ct_memequal (const void *b1, const void *b2, grub_size_t len);
 unsigned int
 _gcry_ct_not_memequal (const void *b1, const void *b2, grub_size_t len);
 
-
-static inline unsigned int _gcry_get_hw_features(void)
+#if defined (GRUB_UTIL)
+static inline unsigned int _gcry_get_hw_features (void)
 {
   return 0;
 }
+#else
+extern unsigned int _gcry_get_hw_features (void);
+#endif
 
 void *_gcry_malloc(grub_size_t n);
 void *_gcry_malloc_secure(grub_size_t n);
-- 
2.51.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH v2 07/10] libgcrypt: Declare the sha256 shaext function

[Gary Lin via Grub-devel]

There is no prototype of _gcry_sha256_transform_intel_shaext() defined
in the header or libgcrypt-grub/cipher/sha256.c, and gcc may complain
the missing-prototypes error when compiling sha256-intel-shaext.c.

Declare the prototype in sha256-intel-shaext.c to avoid the error.

Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 conf/Makefile.extra-dist                      |  1 +
 .../14_fix_build_shaext.patch                 | 35 +++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 grub-core/lib/libgcrypt-patches/14_fix_build_shaext.patch

diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index 7c5afe680..cebf780b5 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -48,6 +48,7 @@ EXTRA_DIST += grub-core/lib/libgcrypt-patches/10-kdf-use-GPG-errs.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/13_add_hwfeatures.patch
+EXTRA_DIST += grub-core/lib/libgcrypt-patches/14_fix_build_shaext.patch
 
 EXTRA_DIST += grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
 EXTRA_DIST += grub-core/lib/libtasn1-patches/0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch
diff --git a/grub-core/lib/libgcrypt-patches/14_fix_build_shaext.patch b/grub-core/lib/libgcrypt-patches/14_fix_build_shaext.patch
new file mode 100644
index 000000000..b9d311465
--- /dev/null
+++ b/grub-core/lib/libgcrypt-patches/14_fix_build_shaext.patch
@@ -0,0 +1,35 @@
+From 5698f7c5055ea481d0040ea4495829e5d02781cc Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Fri, 18 Jul 2025 15:34:21 +0800
+Subject: [PATCH 2/4] libgcrypt: Declare the sha256 shaext function
+
+There is no prototype of _gcry_sha256_transform_intel_shaext() defined
+in the header or libgcrypt-grub/cipher/sha256.c, and gcc may complain
+the missing-prototypes error when compiling sha256-intel-shaext.c.
+
+Declare the prototype in sha256-intel-shaext.c to avoid the error.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/lib/libgcrypt-grub/cipher/sha256-intel-shaext.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/grub-core/lib/libgcrypt-grub/cipher/sha256-intel-shaext.c b/grub-core/lib/libgcrypt-grub/cipher/sha256-intel-shaext.c
+index 48c09eefe..7ec49f05e 100644
+--- a/grub-core/lib/libgcrypt-grub/cipher/sha256-intel-shaext.c
++++ b/grub-core/lib/libgcrypt-grub/cipher/sha256-intel-shaext.c
+@@ -95,6 +95,11 @@ typedef struct u128_s
+   u32 a, b, c, d;
+ } u128_t;
+ 
++
++unsigned int ASM_FUNC_ATTR
++_gcry_sha256_transform_intel_shaext(u32 state[8], const unsigned char *data,
++                                    size_t nblks);
++
+ /*
+  * Transform nblks*64 bytes (nblks*16 32-bit words) at DATA.
+  */
+-- 
+2.51.0
+
-- 
2.51.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH v2 08/10] libgcrypt: Add hardware acceleration for gcry_sha256

[Gary Lin via Grub-devel]

Enable hardware acceleration for the gcry_sha256 module when building
for the x86_64 EFI target.

Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 conf/Makefile.extra-dist                      |  1 +
 .../15_build_sha256_x86_64_efi_opt_code.patch | 43 +++++++++++++++++++
 2 files changed, 44 insertions(+)
 create mode 100644 grub-core/lib/libgcrypt-patches/15_build_sha256_x86_64_efi_opt_code.patch

diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index cebf780b5..f524f944b 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -49,6 +49,7 @@ EXTRA_DIST += grub-core/lib/libgcrypt-patches/11-kdf-remove-unsupported-kdfs.pat
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/13_add_hwfeatures.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/14_fix_build_shaext.patch
+EXTRA_DIST += grub-core/lib/libgcrypt-patches/15_build_sha256_x86_64_efi_opt_code.patch
 
 EXTRA_DIST += grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
 EXTRA_DIST += grub-core/lib/libtasn1-patches/0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch
diff --git a/grub-core/lib/libgcrypt-patches/15_build_sha256_x86_64_efi_opt_code.patch b/grub-core/lib/libgcrypt-patches/15_build_sha256_x86_64_efi_opt_code.patch
new file mode 100644
index 000000000..8cab9b866
--- /dev/null
+++ b/grub-core/lib/libgcrypt-patches/15_build_sha256_x86_64_efi_opt_code.patch
@@ -0,0 +1,43 @@
+From 3443b213bb87112144d753678d0f1bbbc72b2b7a Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Fri, 18 Jul 2025 15:23:25 +0800
+Subject: [PATCH 3/4] libgcrypt: Add hardware acceleration for gcry_sha256
+
+Enable hardware acceleration for the gcry_sha256 module when building
+for the x86_64 EFI target.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/Makefile.gcry.def | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/Makefile.gcry.def b/grub-core/Makefile.gcry.def
+index c8caf17dc..ac1d9a088 100644
+--- a/grub-core/Makefile.gcry.def
++++ b/grub-core/Makefile.gcry.def
+@@ -17,6 +17,7 @@ module = {
+ module = {
+   name = gcry_blake2;
+   common = lib/libgcrypt-grub/cipher/blake2.c;
++
+   cflags = '$(CFLAGS_GCRY)';
+   cppflags = '$(CPPFLAGS_GCRY)';
+ };
+@@ -172,8 +173,13 @@ module = {
+ module = {
+   name = gcry_sha256;
+   common = lib/libgcrypt-grub/cipher/sha256.c;
++  x86_64_efi = lib/libgcrypt-grub/cipher/sha256-ssse3-amd64.S;
++  x86_64_efi = lib/libgcrypt-grub/cipher/sha256-avx-amd64.S;
++  x86_64_efi = lib/libgcrypt-grub/cipher/sha256-avx2-bmi2-amd64.S;
++  x86_64_efi = lib/libgcrypt-grub/cipher/sha256-intel-shaext.c;
++
+   cflags = '$(CFLAGS_GCRY) -Wno-cast-align';
+-  cppflags = '$(CPPFLAGS_GCRY)';
++  cppflags = '$(CPPFLAGS_GCRY) -DUSE_SHA256 $(CPPFLAGS_GCRY_ASM)';
+ };
+ 
+ module = {
+-- 
+2.51.0
+
-- 
2.51.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH v2 09/10] libgcrypt: Add hardware acceleration for gcry_sha512

[Gary Lin via Grub-devel]

Enable hardware acceleration for the gcry_sha512 module when building
for the x86_64 EFI target.

Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 conf/Makefile.extra-dist                      |  1 +
 .../16_build_sha512_x86_64_efi_opt_code.patch | 35 +++++++++++++++++++
 2 files changed, 36 insertions(+)
 create mode 100644 grub-core/lib/libgcrypt-patches/16_build_sha512_x86_64_efi_opt_code.patch

diff --git a/conf/Makefile.extra-dist b/conf/Makefile.extra-dist
index f524f944b..846d45341 100644
--- a/conf/Makefile.extra-dist
+++ b/conf/Makefile.extra-dist
@@ -50,6 +50,7 @@ EXTRA_DIST += grub-core/lib/libgcrypt-patches/12-kdf-use-grub_divmod64.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/13_add_hwfeatures.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/14_fix_build_shaext.patch
 EXTRA_DIST += grub-core/lib/libgcrypt-patches/15_build_sha256_x86_64_efi_opt_code.patch
+EXTRA_DIST += grub-core/lib/libgcrypt-patches/16_build_sha512_x86_64_efi_opt_code.patch
 
 EXTRA_DIST += grub-core/lib/libtasn1-patches/0001-libtasn1-disable-code-not-needed-in-grub.patch
 EXTRA_DIST += grub-core/lib/libtasn1-patches/0002-libtasn1-replace-strcat-with-strcpy-in-_asn1_str_cat.patch
diff --git a/grub-core/lib/libgcrypt-patches/16_build_sha512_x86_64_efi_opt_code.patch b/grub-core/lib/libgcrypt-patches/16_build_sha512_x86_64_efi_opt_code.patch
new file mode 100644
index 000000000..9cdde8830
--- /dev/null
+++ b/grub-core/lib/libgcrypt-patches/16_build_sha512_x86_64_efi_opt_code.patch
@@ -0,0 +1,35 @@
+From f62c2c7565237bbf059220e90d3f1f8c8d6eebd5 Mon Sep 17 00:00:00 2001
+From: Gary Lin <glin@suse.com>
+Date: Wed, 3 Sep 2025 16:26:55 +0800
+Subject: [PATCH 4/4] libgcrypt: Add hardware acceleration for gcry_sha512
+
+Enable hardware acceleration for the gcry_sha512 module when building
+for the x86_64 EFI target.
+
+Signed-off-by: Gary Lin <glin@suse.com>
+---
+ grub-core/Makefile.gcry.def | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/grub-core/Makefile.gcry.def b/grub-core/Makefile.gcry.def
+index ac1d9a088..64ea5ee24 100644
+--- a/grub-core/Makefile.gcry.def
++++ b/grub-core/Makefile.gcry.def
+@@ -186,8 +186,13 @@ module = {
+   name = gcry_sha512;
+   common = lib/libgcrypt-grub/cipher/sha512.c;
+   common = lib/libgcrypt-grub/cipher/hash-common.c;
++  x86_64_efi = lib/libgcrypt-grub/cipher/sha512-ssse3-amd64.S;
++  x86_64_efi = lib/libgcrypt-grub/cipher/sha512-avx-amd64.S;
++  x86_64_efi = lib/libgcrypt-grub/cipher/sha512-avx2-bmi2-amd64.S;
++  x86_64_efi = lib/libgcrypt-grub/cipher/sha512-avx512-amd64.S;
++
+   cflags = '$(CFLAGS_GCRY) -Wno-cast-align';
+-  cppflags = '$(CPPFLAGS_GCRY)';
++  cppflags = '$(CPPFLAGS_GCRY) -DUSE_SHA512 $(CPPFLAGS_GCRY_ASM)';
+ };
+ 
+ module = {
+-- 
+2.51.0
+
-- 
2.51.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

[PATCH v2 10/10] disk/cryptodisk: Add '--hw-accel' to enable hardware acceleration

[Gary Lin via Grub-devel]

The '--hw-accel' option has been added to cryptomount to speed up
decryption by temporarily enabling hardware-specific instruction
sets (e.g., AVX, SSE) in libgcrypt.

A new feature, "feature_gcry_hw_accel", is also introduced to mark the
availability of the new option.

Signed-off-by: Gary Lin <glin@suse.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
---
 docs/grub.texi              |  5 +++--
 grub-core/disk/cryptodisk.c | 26 +++++++++++++++++++++++---
 grub-core/normal/main.c     |  3 ++-
 3 files changed, 28 insertions(+), 6 deletions(-)

diff --git a/docs/grub.texi b/docs/grub.texi
index 52a98a97d..99f583f9b 100644
--- a/docs/grub.texi
+++ b/docs/grub.texi
@@ -7134,7 +7134,7 @@ The option @option{--quiet} can be given to suppress the output.
 @node cryptomount
 @subsection cryptomount
 
-@deffn Command cryptomount [ [@option{-p} password] | [@option{-k} keyfile [@option{-O} keyoffset] [@option{-S} keysize] ] | [@option{-P} protector] ] [@option{-H} file] device|@option{-u} uuid|@option{-a}|@option{-b}
+@deffn Command cryptomount [ [@option{-p} password] | [@option{-k} keyfile [@option{-O} keyoffset] [@option{-S} keysize] ] | [@option{-P} protector] | [@option{-A}] ] [@option{-H} file] device|@option{-u} uuid|@option{-a}|@option{-b}
 Setup access to encrypted device. A passphrase will be requested interactively,
 if neither the @option{-p} nor @option{-k} options are given. The option
 @option{-p} can be used to supply a passphrase (useful for scripts).
@@ -7142,7 +7142,8 @@ Alternatively the @option{-k} option can be used to supply a keyfile with
 options @option{-O} and @option{-S} optionally supplying the offset and size,
 respectively, of the key data in the given key file. Besides the keyfile,
 the key can be stored in a key protector, and option @option{-P} configures
-specific key protector, e.g. tpm2, to retrieve the key from.
+specific key protector, e.g. tpm2, to retrieve the key from. The option @option{-A}
+enables hardware acceleration in libgcrypt to speed up decryption.
 The @option{-H} options can be used to supply cryptomount backends with an
 alternative header file (aka detached header). Not all backends have headers
 nor support alternative header files (currently only LUKS1 and LUKS2 support them).
diff --git a/grub-core/disk/cryptodisk.c b/grub-core/disk/cryptodisk.c
index 9af665df3..290821bb6 100644
--- a/grub-core/disk/cryptodisk.c
+++ b/grub-core/disk/cryptodisk.c
@@ -29,6 +29,7 @@
 #include <grub/partition.h>
 #include <grub/key_protector.h>
 #include <grub/safemath.h>
+#include <grub/hwfeatures-gcry.h>
 
 #ifdef GRUB_UTIL
 #include <grub/emu/hostdisk.h>
@@ -48,7 +49,8 @@ enum
     OPTION_KEYFILE_OFFSET,
     OPTION_KEYFILE_SIZE,
     OPTION_HEADER,
-    OPTION_PROTECTOR
+    OPTION_PROTECTOR,
+    OPTION_HWACCEL
   };
 
 static const struct grub_arg_option options[] =
@@ -64,6 +66,7 @@ static const struct grub_arg_option options[] =
     {"header", 'H', 0, N_("Read header from file"), 0, ARG_TYPE_STRING},
     {"protector", 'P', GRUB_ARG_OPTION_REPEATABLE,
      N_("Unlock volume(s) using key protector(s)."), 0, ARG_TYPE_STRING},
+    {"hw-accel", 'A', 0, N_("Enable hardware acceleration."), 0, 0},
     {0, 0, 0, 0, 0, 0}
   };
 
@@ -1420,7 +1423,7 @@ grub_cryptodisk_clear_key_cache (struct grub_cryptomount_args *cargs)
 }
 
 static grub_err_t
-grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
+__grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
 {
   struct grub_arg_list *state = ctxt->state;
   struct grub_cryptomount_args cargs = {0};
@@ -1629,6 +1632,23 @@ grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
     }
 }
 
+static grub_err_t
+grub_cmd_cryptomount (grub_extcmd_context_t ctxt, int argc, char **args)
+{
+  struct grub_arg_list *state = ctxt->state;
+  grub_err_t err;
+
+  if (state[OPTION_HWACCEL].set)
+    grub_enable_gcry_hwf ();
+
+  err = __grub_cmd_cryptomount (ctxt, argc, args);
+
+  if (state[OPTION_HWACCEL].set)
+    grub_reset_gcry_hwf ();
+
+  return err;
+}
+
 static struct grub_disk_dev grub_cryptodisk_dev = {
   .name = "cryptodisk",
   .id = GRUB_DISK_DEVICE_CRYPTODISK_ID,
@@ -1898,7 +1918,7 @@ GRUB_MOD_INIT (cryptodisk)
   cmd = grub_register_extcmd ("cryptomount", grub_cmd_cryptomount, 0,
 			      N_("[ [-p password] | [-k keyfile"
 				 " [-O keyoffset] [-S keysize] ] ] [-H file]"
-				 " [-P protector [-P protector ...]]"
+				 " [-P protector [-P protector ...]] | [-A]"
 				 " <SOURCE|-u UUID|-a|-b>"),
 			      N_("Mount a crypto device."), options);
   grub_procfs_register ("luks_script", &luks_script);
diff --git a/grub-core/normal/main.c b/grub-core/normal/main.c
index 01b79ac32..8c2acf938 100644
--- a/grub-core/normal/main.c
+++ b/grub-core/normal/main.c
@@ -518,7 +518,8 @@ static const char *features[] = {
   "feature_default_font_path", "feature_all_video_module",
   "feature_menuentry_id", "feature_menuentry_options", "feature_200_final",
   "feature_nativedisk_cmd", "feature_timeout_style",
-  "feature_search_cryptodisk_only", "feature_tpm2_cap_pcrs"
+  "feature_search_cryptodisk_only", "feature_tpm2_cap_pcrs",
+  "feature_gcry_hw_accel"
 };
 
 GRUB_MOD_INIT(normal)
-- 
2.51.0


_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel

Re: [PATCH v2 00/10] Enable Hardware Acceleration for SHA2 Family

[Daniel Kiper]

Gary,

On Thu, Oct 16, 2025 at 05:08:16PM +0800, Gary Lin via Grub-devel wrote:
> This patch series speeds up LUKS PBKDF2 unlocking by using assembly files
> from libgcrypt 1.11.0 to enable hardware-accelerated SHA-256 and SHA-512.

Please post updated patch set as we discussed it a few days ago. I want
to merge it tomorrow...

Daniel

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel