[PATCH] crypto: arm64 - Drop asm fallback macros for older binutils

[PATCH] crypto: arm64 - Drop asm fallback macros for older binutils

[Ard Biesheuvel]

From: Ard Biesheuvel <ardb@kernel.org>

Now that the oldest supported binutils version is 2.30, the asm macros
to implement the various crypto opcodes for SHA-512, SHA-3, SM-3 and
SM-4 are no longer needed. So drop them.

Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
---
The binutils version bump is queued up in -next, so I suppose this could
be queued up for the next cycle too.

 arch/arm64/crypto/sha3-ce-core.S    | 24 +------------
 arch/arm64/crypto/sha512-ce-core.S  | 21 +-----------
 arch/arm64/crypto/sm3-ce-core.S     | 36 ++------------------
 arch/arm64/crypto/sm4-ce-ccm-core.S | 10 +-----
 arch/arm64/crypto/sm4-ce-core.S     | 15 +-------
 arch/arm64/crypto/sm4-ce-gcm-core.S | 10 +-----
 6 files changed, 8 insertions(+), 108 deletions(-)

diff --git a/arch/arm64/crypto/sha3-ce-core.S b/arch/arm64/crypto/sha3-ce-core.S
index 9c77313f5a60..61623c7ad3a1 100644
--- a/arch/arm64/crypto/sha3-ce-core.S
+++ b/arch/arm64/crypto/sha3-ce-core.S
@@ -12,29 +12,7 @@
 #include <linux/linkage.h>
 #include <asm/assembler.h>
 
-	.irp	b,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31
-	.set	.Lv\b\().2d, \b
-	.set	.Lv\b\().16b, \b
-	.endr
-
-	/*
-	 * ARMv8.2 Crypto Extensions instructions
-	 */
-	.macro	eor3, rd, rn, rm, ra
-	.inst	0xce000000 | .L\rd | (.L\rn << 5) | (.L\ra << 10) | (.L\rm << 16)
-	.endm
-
-	.macro	rax1, rd, rn, rm
-	.inst	0xce608c00 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
-	.endm
-
-	.macro	bcax, rd, rn, rm, ra
-	.inst	0xce200000 | .L\rd | (.L\rn << 5) | (.L\ra << 10) | (.L\rm << 16)
-	.endm
-
-	.macro	xar, rd, rn, rm, imm6
-	.inst	0xce800000 | .L\rd | (.L\rn << 5) | ((\imm6) << 10) | (.L\rm << 16)
-	.endm
+	.arch	armv8-a+sha3
 
 	/*
 	 * int sha3_ce_transform(u64 *st, const u8 *data, int blocks, int dg_size)
diff --git a/arch/arm64/crypto/sha512-ce-core.S b/arch/arm64/crypto/sha512-ce-core.S
index 91ef68b15fcc..deb2469ab631 100644
--- a/arch/arm64/crypto/sha512-ce-core.S
+++ b/arch/arm64/crypto/sha512-ce-core.S
@@ -12,26 +12,7 @@
 #include <linux/linkage.h>
 #include <asm/assembler.h>
 
-	.irp		b,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
-	.set		.Lq\b, \b
-	.set		.Lv\b\().2d, \b
-	.endr
-
-	.macro		sha512h, rd, rn, rm
-	.inst		0xce608000 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
-	.endm
-
-	.macro		sha512h2, rd, rn, rm
-	.inst		0xce608400 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
-	.endm
-
-	.macro		sha512su0, rd, rn
-	.inst		0xcec08000 | .L\rd | (.L\rn << 5)
-	.endm
-
-	.macro		sha512su1, rd, rn, rm
-	.inst		0xce608800 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
-	.endm
+	.arch	armv8-a+sha3
 
 	/*
 	 * The SHA-512 round constants
diff --git a/arch/arm64/crypto/sm3-ce-core.S b/arch/arm64/crypto/sm3-ce-core.S
index ca70cfacd0d0..94a97ca367f0 100644
--- a/arch/arm64/crypto/sm3-ce-core.S
+++ b/arch/arm64/crypto/sm3-ce-core.S
@@ -9,44 +9,14 @@
 #include <linux/cfi_types.h>
 #include <asm/assembler.h>
 
-	.irp		b, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
-	.set		.Lv\b\().4s, \b
-	.endr
-
-	.macro		sm3partw1, rd, rn, rm
-	.inst		0xce60c000 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
-	.endm
-
-	.macro		sm3partw2, rd, rn, rm
-	.inst		0xce60c400 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
-	.endm
-
-	.macro		sm3ss1, rd, rn, rm, ra
-	.inst		0xce400000 | .L\rd | (.L\rn << 5) | (.L\ra << 10) | (.L\rm << 16)
-	.endm
-
-	.macro		sm3tt1a, rd, rn, rm, imm2
-	.inst		0xce408000 | .L\rd | (.L\rn << 5) | ((\imm2) << 12) | (.L\rm << 16)
-	.endm
-
-	.macro		sm3tt1b, rd, rn, rm, imm2
-	.inst		0xce408400 | .L\rd | (.L\rn << 5) | ((\imm2) << 12) | (.L\rm << 16)
-	.endm
-
-	.macro		sm3tt2a, rd, rn, rm, imm2
-	.inst		0xce408800 | .L\rd | (.L\rn << 5) | ((\imm2) << 12) | (.L\rm << 16)
-	.endm
-
-	.macro		sm3tt2b, rd, rn, rm, imm2
-	.inst		0xce408c00 | .L\rd | (.L\rn << 5) | ((\imm2) << 12) | (.L\rm << 16)
-	.endm
+	.arch		armv8-a+sm4
 
 	.macro		round, ab, s0, t0, t1, i
 	sm3ss1		v5.4s, v8.4s, \t0\().4s, v9.4s
 	shl		\t1\().4s, \t0\().4s, #1
 	sri		\t1\().4s, \t0\().4s, #31
-	sm3tt1\ab	v8.4s, v5.4s, v10.4s, \i
-	sm3tt2\ab	v9.4s, v5.4s, \s0\().4s, \i
+	sm3tt1\ab	v8.4s, v5.4s, v10.s[\i]
+	sm3tt2\ab	v9.4s, v5.4s, \s0\().s[\i]
 	.endm
 
 	.macro		qround, ab, s0, s1, s2, s3, s4
diff --git a/arch/arm64/crypto/sm4-ce-ccm-core.S b/arch/arm64/crypto/sm4-ce-ccm-core.S
index fa85856f33ce..b658cf2577d1 100644
--- a/arch/arm64/crypto/sm4-ce-ccm-core.S
+++ b/arch/arm64/crypto/sm4-ce-ccm-core.S
@@ -12,15 +12,7 @@
 #include <asm/assembler.h>
 #include "sm4-ce-asm.h"
 
-.arch	armv8-a+crypto
-
-.irp b, 0, 1, 8, 9, 10, 11, 12, 13, 14, 15, 16, 24, 25, 26, 27, 28, 29, 30, 31
-	.set .Lv\b\().4s, \b
-.endr
-
-.macro sm4e, vd, vn
-	.inst 0xcec08400 | (.L\vn << 5) | .L\vd
-.endm
+.arch	armv8-a+sm4
 
 /* Register macros */
 
diff --git a/arch/arm64/crypto/sm4-ce-core.S b/arch/arm64/crypto/sm4-ce-core.S
index 1f3625c2c67e..dd4e86b0a526 100644
--- a/arch/arm64/crypto/sm4-ce-core.S
+++ b/arch/arm64/crypto/sm4-ce-core.S
@@ -12,20 +12,7 @@
 #include <asm/assembler.h>
 #include "sm4-ce-asm.h"
 
-.arch	armv8-a+crypto
-
-.irp b, 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, \
-		20, 24, 25, 26, 27, 28, 29, 30, 31
-	.set .Lv\b\().4s, \b
-.endr
-
-.macro sm4e, vd, vn
-	.inst 0xcec08400 | (.L\vn << 5) | .L\vd
-.endm
-
-.macro sm4ekey, vd, vn, vm
-	.inst 0xce60c800 | (.L\vm << 16) | (.L\vn << 5) | .L\vd
-.endm
+.arch	armv8-a+sm4
 
 /* Register macros */
 
diff --git a/arch/arm64/crypto/sm4-ce-gcm-core.S b/arch/arm64/crypto/sm4-ce-gcm-core.S
index 347f25d75727..92d26d8a9254 100644
--- a/arch/arm64/crypto/sm4-ce-gcm-core.S
+++ b/arch/arm64/crypto/sm4-ce-gcm-core.S
@@ -13,15 +13,7 @@
 #include <asm/assembler.h>
 #include "sm4-ce-asm.h"
 
-.arch	armv8-a+crypto
-
-.irp b, 0, 1, 2, 3, 24, 25, 26, 27, 28, 29, 30, 31
-	.set .Lv\b\().4s, \b
-.endr
-
-.macro sm4e, vd, vn
-	.inst 0xcec08400 | (.L\vn << 5) | .L\vd
-.endm
+	.arch		armv8-a+sm4+aes
 
 /* Register macros */
 
-- 
2.49.0.1101.gccaa498523-goog

Re: [PATCH] crypto: arm64 - Drop asm fallback macros for older binutils

[Eric Biggers]

On Thu, May 15, 2025 at 04:27:03PM +0200, Ard Biesheuvel wrote:
> diff --git a/arch/arm64/crypto/sha512-ce-core.S b/arch/arm64/crypto/sha512-ce-core.S
> index 91ef68b15fcc..deb2469ab631 100644
> --- a/arch/arm64/crypto/sha512-ce-core.S
> +++ b/arch/arm64/crypto/sha512-ce-core.S
> @@ -12,26 +12,7 @@
>  #include <linux/linkage.h>
>  #include <asm/assembler.h>
>  
> -	.irp		b,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
> -	.set		.Lq\b, \b
> -	.set		.Lv\b\().2d, \b
> -	.endr
> -
> -	.macro		sha512h, rd, rn, rm
> -	.inst		0xce608000 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> -	.endm
> -
> -	.macro		sha512h2, rd, rn, rm
> -	.inst		0xce608400 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> -	.endm
> -
> -	.macro		sha512su0, rd, rn
> -	.inst		0xcec08000 | .L\rd | (.L\rn << 5)
> -	.endm
> -
> -	.macro		sha512su1, rd, rn, rm
> -	.inst		0xce608800 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> -	.endm
> +	.arch	armv8-a+sha3

This looked like a mistake: SHA-512 is part of SHA-2, not SHA-3.  However, the
current versions of binutils and clang do indeed put it under sha3.  There
should be a comment that mentions this unfortunate quirk.

However, there's also the following commit which went into binutils 2.43:

    commit 0aac62aa3256719c37be9e0ce6af8b190f45c928
    Author: Andrew Carlotti <andrew.carlotti@arm.com>
    Date:   Fri Jan 19 13:01:40 2024 +0000

        aarch64: move SHA512 instructions to +sha3

        SHA512 instructions were added to the architecture at the same time as SHA3
        instructions, but later than the SHA1 and SHA256 instructions.  Furthermore,
        implementations must support either both or neither of the SHA512 and SHA3
        instruction sets.  However, SHA512 instructions were originally (and
        incorrectly) added to Binutils under the +sha2 flag.

        This patch moves SHA512 instructions under the +sha3 flag, which matches the
        architecture constraints and existing GCC and LLVM behaviour.

So probably we need ".arch armv8-a+sha2+sha3" to support binutils 2.30 through
2.42, as well as clang and the latest version of binutils?  (I didn't test it
yet, but it seems likely...)

- Eric

Re: [PATCH] crypto: arm64 - Drop asm fallback macros for older binutils

[Eric Biggers]

On Thu, May 15, 2025 at 11:52:54AM -0700, Eric Biggers wrote:
> On Thu, May 15, 2025 at 04:27:03PM +0200, Ard Biesheuvel wrote:
> > diff --git a/arch/arm64/crypto/sha512-ce-core.S b/arch/arm64/crypto/sha512-ce-core.S
> > index 91ef68b15fcc..deb2469ab631 100644
> > --- a/arch/arm64/crypto/sha512-ce-core.S
> > +++ b/arch/arm64/crypto/sha512-ce-core.S
> > @@ -12,26 +12,7 @@
> >  #include <linux/linkage.h>
> >  #include <asm/assembler.h>
> >  
> > -	.irp		b,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
> > -	.set		.Lq\b, \b
> > -	.set		.Lv\b\().2d, \b
> > -	.endr
> > -
> > -	.macro		sha512h, rd, rn, rm
> > -	.inst		0xce608000 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> > -	.endm
> > -
> > -	.macro		sha512h2, rd, rn, rm
> > -	.inst		0xce608400 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> > -	.endm
> > -
> > -	.macro		sha512su0, rd, rn
> > -	.inst		0xcec08000 | .L\rd | (.L\rn << 5)
> > -	.endm
> > -
> > -	.macro		sha512su1, rd, rn, rm
> > -	.inst		0xce608800 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> > -	.endm
> > +	.arch	armv8-a+sha3
> 
> This looked like a mistake: SHA-512 is part of SHA-2, not SHA-3.  However, the
> current versions of binutils and clang do indeed put it under sha3.  There
> should be a comment that mentions this unfortunate quirk.
> 
> However, there's also the following commit which went into binutils 2.43:
> 
>     commit 0aac62aa3256719c37be9e0ce6af8b190f45c928
>     Author: Andrew Carlotti <andrew.carlotti@arm.com>
>     Date:   Fri Jan 19 13:01:40 2024 +0000
> 
>         aarch64: move SHA512 instructions to +sha3
> 
>         SHA512 instructions were added to the architecture at the same time as SHA3
>         instructions, but later than the SHA1 and SHA256 instructions.  Furthermore,
>         implementations must support either both or neither of the SHA512 and SHA3
>         instruction sets.  However, SHA512 instructions were originally (and
>         incorrectly) added to Binutils under the +sha2 flag.
> 
>         This patch moves SHA512 instructions under the +sha3 flag, which matches the
>         architecture constraints and existing GCC and LLVM behaviour.
> 
> So probably we need ".arch armv8-a+sha2+sha3" to support binutils 2.30 through
> 2.42, as well as clang and the latest version of binutils?  (I didn't test it
> yet, but it seems likely...)

I see there's also a similar quirk where "sm4" enables the SM3 instructions.
The use of that in sm3-ce-core.S could use a comment as well...

Fortunately at least in that case it looks like the instructions were always
under "sm4" in both binutils and clang.

- Eric

Re: [PATCH] crypto: arm64 - Drop asm fallback macros for older binutils

[kernel test robot]

Hi Ard,

kernel test robot noticed the following build errors:

[auto build test ERROR on herbert-cryptodev-2.6/master]
[also build test ERROR on herbert-crypto-2.6/master soc/for-next linus/master v6.15-rc7 next-20250516]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch#_base_tree_information]

url:    https://github.com/intel-lab-lkp/linux/commits/Ard-Biesheuvel/crypto-arm64-Drop-asm-fallback-macros-for-older-binutils/20250515-222813
base:   https://git.kernel.org/pub/scm/linux/kernel/git/herbert/cryptodev-2.6.git master
patch link:    https://lore.kernel.org/r/20250515142702.2592942-2-ardb%2Bgit%40google.com
patch subject: [PATCH] crypto: arm64 - Drop asm fallback macros for older binutils
config: arm64-randconfig-002-20250520 (https://download.01.org/0day-ci/archive/20250520/202505202250.zpqKFIYE-lkp@intel.com/config)
compiler: aarch64-linux-gcc (GCC) 9.5.0
reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250520/202505202250.zpqKFIYE-lkp@intel.com/reproduce)

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Closes: https://lore.kernel.org/oe-kbuild-all/202505202250.zpqKFIYE-lkp@intel.com/

All errors (new ones prefixed by >>):

   arch/arm64/crypto/sha3-ce-core.S: Assembler messages:
>> arch/arm64/crypto/sha3-ce-core.S:87: Error: selected processor does not support `eor3 v29.16b,v4.16b,v9.16b,v14.16b'
>> arch/arm64/crypto/sha3-ce-core.S:88: Error: selected processor does not support `eor3 v26.16b,v1.16b,v6.16b,v11.16b'
>> arch/arm64/crypto/sha3-ce-core.S:89: Error: selected processor does not support `eor3 v28.16b,v3.16b,v8.16b,v13.16b'
>> arch/arm64/crypto/sha3-ce-core.S:90: Error: selected processor does not support `eor3 v25.16b,v0.16b,v5.16b,v10.16b'
>> arch/arm64/crypto/sha3-ce-core.S:91: Error: selected processor does not support `eor3 v27.16b,v2.16b,v7.16b,v12.16b'
>> arch/arm64/crypto/sha3-ce-core.S:92: Error: selected processor does not support `eor3 v29.16b,v29.16b,v19.16b,v24.16b'
>> arch/arm64/crypto/sha3-ce-core.S:93: Error: selected processor does not support `eor3 v26.16b,v26.16b,v16.16b,v21.16b'
>> arch/arm64/crypto/sha3-ce-core.S:94: Error: selected processor does not support `eor3 v28.16b,v28.16b,v18.16b,v23.16b'
>> arch/arm64/crypto/sha3-ce-core.S:95: Error: selected processor does not support `eor3 v25.16b,v25.16b,v15.16b,v20.16b'
>> arch/arm64/crypto/sha3-ce-core.S:96: Error: selected processor does not support `eor3 v27.16b,v27.16b,v17.16b,v22.16b'
>> arch/arm64/crypto/sha3-ce-core.S:98: Error: selected processor does not support `rax1 v30.2d,v29.2d,v26.2d'
>> arch/arm64/crypto/sha3-ce-core.S:99: Error: selected processor does not support `rax1 v26.2d,v26.2d,v28.2d'
>> arch/arm64/crypto/sha3-ce-core.S:100: Error: selected processor does not support `rax1 v28.2d,v28.2d,v25.2d'
>> arch/arm64/crypto/sha3-ce-core.S:101: Error: selected processor does not support `rax1 v25.2d,v25.2d,v27.2d'
>> arch/arm64/crypto/sha3-ce-core.S:102: Error: selected processor does not support `rax1 v27.2d,v27.2d,v29.2d'
>> arch/arm64/crypto/sha3-ce-core.S:105: Error: selected processor does not support `xar v29.2d,v1.2d,v25.2d,(64-1)'
>> arch/arm64/crypto/sha3-ce-core.S:106: Error: selected processor does not support `xar v1.2d,v6.2d,v25.2d,(64-44)'
>> arch/arm64/crypto/sha3-ce-core.S:107: Error: selected processor does not support `xar v6.2d,v9.2d,v28.2d,(64-20)'
>> arch/arm64/crypto/sha3-ce-core.S:108: Error: selected processor does not support `xar v9.2d,v22.2d,v26.2d,(64-61)'
>> arch/arm64/crypto/sha3-ce-core.S:109: Error: selected processor does not support `xar v22.2d,v14.2d,v28.2d,(64-39)'
   arch/arm64/crypto/sha3-ce-core.S:110: Error: selected processor does not support `xar v14.2d,v20.2d,v30.2d,(64-18)'
   arch/arm64/crypto/sha3-ce-core.S:111: Error: selected processor does not support `xar v31.2d,v2.2d,v26.2d,(64-62)'
   arch/arm64/crypto/sha3-ce-core.S:112: Error: selected processor does not support `xar v2.2d,v12.2d,v26.2d,(64-43)'
   arch/arm64/crypto/sha3-ce-core.S:113: Error: selected processor does not support `xar v12.2d,v13.2d,v27.2d,(64-25)'
   arch/arm64/crypto/sha3-ce-core.S:114: Error: selected processor does not support `xar v13.2d,v19.2d,v28.2d,(64-8)'
   arch/arm64/crypto/sha3-ce-core.S:115: Error: selected processor does not support `xar v19.2d,v23.2d,v27.2d,(64-56)'
   arch/arm64/crypto/sha3-ce-core.S:116: Error: selected processor does not support `xar v23.2d,v15.2d,v30.2d,(64-41)'
   arch/arm64/crypto/sha3-ce-core.S:117: Error: selected processor does not support `xar v15.2d,v4.2d,v28.2d,(64-27)'
   arch/arm64/crypto/sha3-ce-core.S:118: Error: selected processor does not support `xar v28.2d,v24.2d,v28.2d,(64-14)'
   arch/arm64/crypto/sha3-ce-core.S:119: Error: selected processor does not support `xar v24.2d,v21.2d,v25.2d,(64-2)'
   arch/arm64/crypto/sha3-ce-core.S:120: Error: selected processor does not support `xar v8.2d,v8.2d,v27.2d,(64-55)'
   arch/arm64/crypto/sha3-ce-core.S:121: Error: selected processor does not support `xar v4.2d,v16.2d,v25.2d,(64-45)'
   arch/arm64/crypto/sha3-ce-core.S:122: Error: selected processor does not support `xar v16.2d,v5.2d,v30.2d,(64-36)'
   arch/arm64/crypto/sha3-ce-core.S:123: Error: selected processor does not support `xar v5.2d,v3.2d,v27.2d,(64-28)'
   arch/arm64/crypto/sha3-ce-core.S:124: Error: selected processor does not support `xar v27.2d,v18.2d,v27.2d,(64-21)'
   arch/arm64/crypto/sha3-ce-core.S:125: Error: selected processor does not support `xar v3.2d,v17.2d,v26.2d,(64-15)'
   arch/arm64/crypto/sha3-ce-core.S:126: Error: selected processor does not support `xar v25.2d,v11.2d,v25.2d,(64-10)'
   arch/arm64/crypto/sha3-ce-core.S:127: Error: selected processor does not support `xar v26.2d,v7.2d,v26.2d,(64-6)'
   arch/arm64/crypto/sha3-ce-core.S:128: Error: selected processor does not support `xar v30.2d,v10.2d,v30.2d,(64-3)'
   arch/arm64/crypto/sha3-ce-core.S:130: Error: selected processor does not support `bcax v20.16b,v31.16b,v22.16b,v8.16b'
   arch/arm64/crypto/sha3-ce-core.S:131: Error: selected processor does not support `bcax v21.16b,v8.16b,v23.16b,v22.16b'
   arch/arm64/crypto/sha3-ce-core.S:132: Error: selected processor does not support `bcax v22.16b,v22.16b,v24.16b,v23.16b'
   arch/arm64/crypto/sha3-ce-core.S:133: Error: selected processor does not support `bcax v23.16b,v23.16b,v31.16b,v24.16b'
   arch/arm64/crypto/sha3-ce-core.S:134: Error: selected processor does not support `bcax v24.16b,v24.16b,v8.16b,v31.16b'
   arch/arm64/crypto/sha3-ce-core.S:138: Error: selected processor does not support `bcax v17.16b,v25.16b,v19.16b,v3.16b'
   arch/arm64/crypto/sha3-ce-core.S:139: Error: selected processor does not support `bcax v18.16b,v3.16b,v15.16b,v19.16b'
   arch/arm64/crypto/sha3-ce-core.S:140: Error: selected processor does not support `bcax v19.16b,v19.16b,v16.16b,v15.16b'
   arch/arm64/crypto/sha3-ce-core.S:141: Error: selected processor does not support `bcax v15.16b,v15.16b,v25.16b,v16.16b'
   arch/arm64/crypto/sha3-ce-core.S:142: Error: selected processor does not support `bcax v16.16b,v16.16b,v3.16b,v25.16b'
   arch/arm64/crypto/sha3-ce-core.S:144: Error: selected processor does not support `bcax v10.16b,v29.16b,v12.16b,v26.16b'
   arch/arm64/crypto/sha3-ce-core.S:145: Error: selected processor does not support `bcax v11.16b,v26.16b,v13.16b,v12.16b'
   arch/arm64/crypto/sha3-ce-core.S:146: Error: selected processor does not support `bcax v12.16b,v12.16b,v14.16b,v13.16b'
   arch/arm64/crypto/sha3-ce-core.S:147: Error: selected processor does not support `bcax v13.16b,v13.16b,v29.16b,v14.16b'
   arch/arm64/crypto/sha3-ce-core.S:148: Error: selected processor does not support `bcax v14.16b,v14.16b,v26.16b,v29.16b'
   arch/arm64/crypto/sha3-ce-core.S:150: Error: selected processor does not support `bcax v7.16b,v30.16b,v9.16b,v4.16b'
   arch/arm64/crypto/sha3-ce-core.S:151: Error: selected processor does not support `bcax v8.16b,v4.16b,v5.16b,v9.16b'
   arch/arm64/crypto/sha3-ce-core.S:152: Error: selected processor does not support `bcax v9.16b,v9.16b,v6.16b,v5.16b'
   arch/arm64/crypto/sha3-ce-core.S:153: Error: selected processor does not support `bcax v5.16b,v5.16b,v30.16b,v6.16b'
   arch/arm64/crypto/sha3-ce-core.S:154: Error: selected processor does not support `bcax v6.16b,v6.16b,v4.16b,v30.16b'
   arch/arm64/crypto/sha3-ce-core.S:156: Error: selected processor does not support `bcax v3.16b,v27.16b,v0.16b,v28.16b'
   arch/arm64/crypto/sha3-ce-core.S:157: Error: selected processor does not support `bcax v4.16b,v28.16b,v1.16b,v0.16b'
   arch/arm64/crypto/sha3-ce-core.S:158: Error: selected processor does not support `bcax v0.16b,v0.16b,v2.16b,v1.16b'
   arch/arm64/crypto/sha3-ce-core.S:159: Error: selected processor does not support `bcax v1.16b,v1.16b,v27.16b,v2.16b'
   arch/arm64/crypto/sha3-ce-core.S:160: Error: selected processor does not support `bcax v2.16b,v2.16b,v28.16b,v27.16b'


vim +87 arch/arm64/crypto/sha3-ce-core.S

15d5910e92614e Ard Biesheuvel 2018-01-19   86  
15d5910e92614e Ard Biesheuvel 2018-01-19  @87  	eor3	v29.16b,  v4.16b,  v9.16b, v14.16b
15d5910e92614e Ard Biesheuvel 2018-01-19  @88  	eor3	v26.16b,  v1.16b,  v6.16b, v11.16b
15d5910e92614e Ard Biesheuvel 2018-01-19  @89  	eor3	v28.16b,  v3.16b,  v8.16b, v13.16b
15d5910e92614e Ard Biesheuvel 2018-01-19  @90  	eor3	v25.16b,  v0.16b,  v5.16b, v10.16b
15d5910e92614e Ard Biesheuvel 2018-01-19  @91  	eor3	v27.16b,  v2.16b,  v7.16b, v12.16b
15d5910e92614e Ard Biesheuvel 2018-01-19  @92  	eor3	v29.16b, v29.16b, v19.16b, v24.16b
15d5910e92614e Ard Biesheuvel 2018-01-19  @93  	eor3	v26.16b, v26.16b, v16.16b, v21.16b
15d5910e92614e Ard Biesheuvel 2018-01-19  @94  	eor3	v28.16b, v28.16b, v18.16b, v23.16b
15d5910e92614e Ard Biesheuvel 2018-01-19  @95  	eor3	v25.16b, v25.16b, v15.16b, v20.16b
15d5910e92614e Ard Biesheuvel 2018-01-19  @96  	eor3	v27.16b, v27.16b, v17.16b, v22.16b
15d5910e92614e Ard Biesheuvel 2018-01-19   97  
15d5910e92614e Ard Biesheuvel 2018-01-19  @98  	rax1	v30.2d, v29.2d, v26.2d	// bc[0]
15d5910e92614e Ard Biesheuvel 2018-01-19  @99  	rax1	v26.2d, v26.2d, v28.2d	// bc[2]
15d5910e92614e Ard Biesheuvel 2018-01-19 @100  	rax1	v28.2d, v28.2d, v25.2d	// bc[4]
15d5910e92614e Ard Biesheuvel 2018-01-19 @101  	rax1	v25.2d, v25.2d, v27.2d	// bc[1]
15d5910e92614e Ard Biesheuvel 2018-01-19 @102  	rax1	v27.2d, v27.2d, v29.2d	// bc[3]
15d5910e92614e Ard Biesheuvel 2018-01-19  103  
15d5910e92614e Ard Biesheuvel 2018-01-19  104  	eor	 v0.16b,  v0.16b, v30.16b
15d5910e92614e Ard Biesheuvel 2018-01-19 @105  	xar	 v29.2d,   v1.2d,  v25.2d, (64 - 1)
15d5910e92614e Ard Biesheuvel 2018-01-19 @106  	xar	  v1.2d,   v6.2d,  v25.2d, (64 - 44)
15d5910e92614e Ard Biesheuvel 2018-01-19 @107  	xar	  v6.2d,   v9.2d,  v28.2d, (64 - 20)
15d5910e92614e Ard Biesheuvel 2018-01-19 @108  	xar	  v9.2d,  v22.2d,  v26.2d, (64 - 61)
15d5910e92614e Ard Biesheuvel 2018-01-19 @109  	xar	 v22.2d,  v14.2d,  v28.2d, (64 - 39)
15d5910e92614e Ard Biesheuvel 2018-01-19 @110  	xar	 v14.2d,  v20.2d,  v30.2d, (64 - 18)
15d5910e92614e Ard Biesheuvel 2018-01-19 @111  	xar	 v31.2d,   v2.2d,  v26.2d, (64 - 62)
15d5910e92614e Ard Biesheuvel 2018-01-19 @112  	xar	  v2.2d,  v12.2d,  v26.2d, (64 - 43)
15d5910e92614e Ard Biesheuvel 2018-01-19 @113  	xar	 v12.2d,  v13.2d,  v27.2d, (64 - 25)
15d5910e92614e Ard Biesheuvel 2018-01-19 @114  	xar	 v13.2d,  v19.2d,  v28.2d, (64 - 8)
15d5910e92614e Ard Biesheuvel 2018-01-19 @115  	xar	 v19.2d,  v23.2d,  v27.2d, (64 - 56)
15d5910e92614e Ard Biesheuvel 2018-01-19 @116  	xar	 v23.2d,  v15.2d,  v30.2d, (64 - 41)
15d5910e92614e Ard Biesheuvel 2018-01-19 @117  	xar	 v15.2d,   v4.2d,  v28.2d, (64 - 27)
15d5910e92614e Ard Biesheuvel 2018-01-19 @118  	xar	 v28.2d,  v24.2d,  v28.2d, (64 - 14)
15d5910e92614e Ard Biesheuvel 2018-01-19 @119  	xar	 v24.2d,  v21.2d,  v25.2d, (64 - 2)
15d5910e92614e Ard Biesheuvel 2018-01-19 @120  	xar	  v8.2d,   v8.2d,  v27.2d, (64 - 55)
15d5910e92614e Ard Biesheuvel 2018-01-19 @121  	xar	  v4.2d,  v16.2d,  v25.2d, (64 - 45)
15d5910e92614e Ard Biesheuvel 2018-01-19 @122  	xar	 v16.2d,   v5.2d,  v30.2d, (64 - 36)
15d5910e92614e Ard Biesheuvel 2018-01-19 @123  	xar	  v5.2d,   v3.2d,  v27.2d, (64 - 28)
15d5910e92614e Ard Biesheuvel 2018-01-19 @124  	xar	 v27.2d,  v18.2d,  v27.2d, (64 - 21)
15d5910e92614e Ard Biesheuvel 2018-01-19 @125  	xar	  v3.2d,  v17.2d,  v26.2d, (64 - 15)
15d5910e92614e Ard Biesheuvel 2018-01-19 @126  	xar	 v25.2d,  v11.2d,  v25.2d, (64 - 10)
15d5910e92614e Ard Biesheuvel 2018-01-19 @127  	xar	 v26.2d,   v7.2d,  v26.2d, (64 - 6)
15d5910e92614e Ard Biesheuvel 2018-01-19 @128  	xar	 v30.2d,  v10.2d,  v30.2d, (64 - 3)
15d5910e92614e Ard Biesheuvel 2018-01-19  129  
15d5910e92614e Ard Biesheuvel 2018-01-19 @130  	bcax	v20.16b, v31.16b, v22.16b,  v8.16b
15d5910e92614e Ard Biesheuvel 2018-01-19 @131  	bcax	v21.16b,  v8.16b, v23.16b, v22.16b
15d5910e92614e Ard Biesheuvel 2018-01-19 @132  	bcax	v22.16b, v22.16b, v24.16b, v23.16b
15d5910e92614e Ard Biesheuvel 2018-01-19 @133  	bcax	v23.16b, v23.16b, v31.16b, v24.16b
15d5910e92614e Ard Biesheuvel 2018-01-19 @134  	bcax	v24.16b, v24.16b,  v8.16b, v31.16b
15d5910e92614e Ard Biesheuvel 2018-01-19  135  
15d5910e92614e Ard Biesheuvel 2018-01-19  136  	ld1r	{v31.2d}, [x9], #8
15d5910e92614e Ard Biesheuvel 2018-01-19  137  
15d5910e92614e Ard Biesheuvel 2018-01-19 @138  	bcax	v17.16b, v25.16b, v19.16b,  v3.16b
15d5910e92614e Ard Biesheuvel 2018-01-19 @139  	bcax	v18.16b,  v3.16b, v15.16b, v19.16b
15d5910e92614e Ard Biesheuvel 2018-01-19 @140  	bcax	v19.16b, v19.16b, v16.16b, v15.16b
15d5910e92614e Ard Biesheuvel 2018-01-19 @141  	bcax	v15.16b, v15.16b, v25.16b, v16.16b
15d5910e92614e Ard Biesheuvel 2018-01-19 @142  	bcax	v16.16b, v16.16b,  v3.16b, v25.16b
15d5910e92614e Ard Biesheuvel 2018-01-19  143  
15d5910e92614e Ard Biesheuvel 2018-01-19 @144  	bcax	v10.16b, v29.16b, v12.16b, v26.16b
15d5910e92614e Ard Biesheuvel 2018-01-19 @145  	bcax	v11.16b, v26.16b, v13.16b, v12.16b
15d5910e92614e Ard Biesheuvel 2018-01-19 @146  	bcax	v12.16b, v12.16b, v14.16b, v13.16b
15d5910e92614e Ard Biesheuvel 2018-01-19 @147  	bcax	v13.16b, v13.16b, v29.16b, v14.16b
15d5910e92614e Ard Biesheuvel 2018-01-19 @148  	bcax	v14.16b, v14.16b, v26.16b, v29.16b
15d5910e92614e Ard Biesheuvel 2018-01-19  149  
15d5910e92614e Ard Biesheuvel 2018-01-19 @150  	bcax	 v7.16b, v30.16b,  v9.16b,  v4.16b
15d5910e92614e Ard Biesheuvel 2018-01-19 @151  	bcax	 v8.16b,  v4.16b,  v5.16b,  v9.16b
15d5910e92614e Ard Biesheuvel 2018-01-19 @152  	bcax	 v9.16b,  v9.16b,  v6.16b,  v5.16b
15d5910e92614e Ard Biesheuvel 2018-01-19 @153  	bcax	 v5.16b,  v5.16b, v30.16b,  v6.16b
15d5910e92614e Ard Biesheuvel 2018-01-19 @154  	bcax	 v6.16b,  v6.16b,  v4.16b, v30.16b
15d5910e92614e Ard Biesheuvel 2018-01-19  155  
15d5910e92614e Ard Biesheuvel 2018-01-19 @156  	bcax	 v3.16b, v27.16b,  v0.16b, v28.16b
15d5910e92614e Ard Biesheuvel 2018-01-19 @157  	bcax	 v4.16b, v28.16b,  v1.16b,  v0.16b
15d5910e92614e Ard Biesheuvel 2018-01-19 @158  	bcax	 v0.16b,  v0.16b,  v2.16b,  v1.16b
15d5910e92614e Ard Biesheuvel 2018-01-19 @159  	bcax	 v1.16b,  v1.16b, v27.16b,  v2.16b
15d5910e92614e Ard Biesheuvel 2018-01-19 @160  	bcax	 v2.16b,  v2.16b, v28.16b, v27.16b

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

Re: [PATCH] crypto: arm64 - Drop asm fallback macros for older binutils

[Eric Biggers]

On Thu, May 15, 2025 at 11:52:54AM -0700, Eric Biggers wrote:
> On Thu, May 15, 2025 at 04:27:03PM +0200, Ard Biesheuvel wrote:
> > diff --git a/arch/arm64/crypto/sha512-ce-core.S b/arch/arm64/crypto/sha512-ce-core.S
> > index 91ef68b15fcc..deb2469ab631 100644
> > --- a/arch/arm64/crypto/sha512-ce-core.S
> > +++ b/arch/arm64/crypto/sha512-ce-core.S
> > @@ -12,26 +12,7 @@
> >  #include <linux/linkage.h>
> >  #include <asm/assembler.h>
> >  
> > -	.irp		b,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
> > -	.set		.Lq\b, \b
> > -	.set		.Lv\b\().2d, \b
> > -	.endr
> > -
> > -	.macro		sha512h, rd, rn, rm
> > -	.inst		0xce608000 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> > -	.endm
> > -
> > -	.macro		sha512h2, rd, rn, rm
> > -	.inst		0xce608400 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> > -	.endm
> > -
> > -	.macro		sha512su0, rd, rn
> > -	.inst		0xcec08000 | .L\rd | (.L\rn << 5)
> > -	.endm
> > -
> > -	.macro		sha512su1, rd, rn, rm
> > -	.inst		0xce608800 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> > -	.endm
> > +	.arch	armv8-a+sha3
> 
> This looked like a mistake: SHA-512 is part of SHA-2, not SHA-3.  However, the
> current versions of binutils and clang do indeed put it under sha3.  There
> should be a comment that mentions this unfortunate quirk.
> 
> However, there's also the following commit which went into binutils 2.43:
> 
>     commit 0aac62aa3256719c37be9e0ce6af8b190f45c928
>     Author: Andrew Carlotti <andrew.carlotti@arm.com>
>     Date:   Fri Jan 19 13:01:40 2024 +0000
> 
>         aarch64: move SHA512 instructions to +sha3
> 
>         SHA512 instructions were added to the architecture at the same time as SHA3
>         instructions, but later than the SHA1 and SHA256 instructions.  Furthermore,
>         implementations must support either both or neither of the SHA512 and SHA3
>         instruction sets.  However, SHA512 instructions were originally (and
>         incorrectly) added to Binutils under the +sha2 flag.
> 
>         This patch moves SHA512 instructions under the +sha3 flag, which matches the
>         architecture constraints and existing GCC and LLVM behaviour.
> 
> So probably we need ".arch armv8-a+sha2+sha3" to support binutils 2.30 through
> 2.42, as well as clang and the latest version of binutils?  (I didn't test it
> yet, but it seems likely...)

Actually "sha2" isn't required here, since "sha3" implies "sha2".

The kernel test robot did report a build error on this series.  But it
was with SHA-3, because in binutils 2.40 and earlier the SHA-3
instructions required both "sha3" and "armv8.2-a", not just "sha3" like
they do in clang and in binutils 2.41 and later.

For now, I split the SHA-512 part into a separate patch
https://lore.kernel.org/r/20250718220706.475240-1-ebiggers@kernel.org

- Eric

Re: [PATCH] crypto: arm64 - Drop asm fallback macros for older binutils

[Ard Biesheuvel]

On Sat, 19 Jul 2025 at 08:16, Eric Biggers <ebiggers@kernel.org> wrote:
>
> On Thu, May 15, 2025 at 11:52:54AM -0700, Eric Biggers wrote:
> > On Thu, May 15, 2025 at 04:27:03PM +0200, Ard Biesheuvel wrote:
> > > diff --git a/arch/arm64/crypto/sha512-ce-core.S b/arch/arm64/crypto/sha512-ce-core.S
> > > index 91ef68b15fcc..deb2469ab631 100644
> > > --- a/arch/arm64/crypto/sha512-ce-core.S
> > > +++ b/arch/arm64/crypto/sha512-ce-core.S
> > > @@ -12,26 +12,7 @@
> > >  #include <linux/linkage.h>
> > >  #include <asm/assembler.h>
> > >
> > > -   .irp            b,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
> > > -   .set            .Lq\b, \b
> > > -   .set            .Lv\b\().2d, \b
> > > -   .endr
> > > -
> > > -   .macro          sha512h, rd, rn, rm
> > > -   .inst           0xce608000 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> > > -   .endm
> > > -
> > > -   .macro          sha512h2, rd, rn, rm
> > > -   .inst           0xce608400 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> > > -   .endm
> > > -
> > > -   .macro          sha512su0, rd, rn
> > > -   .inst           0xcec08000 | .L\rd | (.L\rn << 5)
> > > -   .endm
> > > -
> > > -   .macro          sha512su1, rd, rn, rm
> > > -   .inst           0xce608800 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> > > -   .endm
> > > +   .arch   armv8-a+sha3
> >
> > This looked like a mistake: SHA-512 is part of SHA-2, not SHA-3.  However, the
> > current versions of binutils and clang do indeed put it under sha3.  There
> > should be a comment that mentions this unfortunate quirk.
> >
> > However, there's also the following commit which went into binutils 2.43:
> >
> >     commit 0aac62aa3256719c37be9e0ce6af8b190f45c928
> >     Author: Andrew Carlotti <andrew.carlotti@arm.com>
> >     Date:   Fri Jan 19 13:01:40 2024 +0000
> >
> >         aarch64: move SHA512 instructions to +sha3
> >
> >         SHA512 instructions were added to the architecture at the same time as SHA3
> >         instructions, but later than the SHA1 and SHA256 instructions.  Furthermore,
> >         implementations must support either both or neither of the SHA512 and SHA3
> >         instruction sets.  However, SHA512 instructions were originally (and
> >         incorrectly) added to Binutils under the +sha2 flag.
> >
> >         This patch moves SHA512 instructions under the +sha3 flag, which matches the
> >         architecture constraints and existing GCC and LLVM behaviour.
> >
> > So probably we need ".arch armv8-a+sha2+sha3" to support binutils 2.30 through
> > 2.42, as well as clang and the latest version of binutils?  (I didn't test it
> > yet, but it seems likely...)
>
> Actually "sha2" isn't required here, since "sha3" implies "sha2".
>
> The kernel test robot did report a build error on this series.  But it
> was with SHA-3, because in binutils 2.40 and earlier the SHA-3
> instructions required both "sha3" and "armv8.2-a",

... even though it is part of the ARMv8.1 architecture revision ...

> not just "sha3" like
> they do in clang and in binutils 2.41 and later.
>
> For now, I split the SHA-512 part into a separate patch
> https://lore.kernel.org/r/20250718220706.475240-1-ebiggers@kernel.org
>

That looks fine. I'll revisit the remaining ones at some point, but
not a priority.