* [PATCH] lib/crypto: arm64/sha512-ce: Drop compatibility macros for older binutils
@ 2025-07-18 22:07 Eric Biggers
2025-07-21 3:31 ` Ard Biesheuvel
0 siblings, 1 reply; 4+ messages in thread
From: Eric Biggers @ 2025-07-18 22:07 UTC (permalink / raw)
To: linux-crypto
Cc: linux-arm-kernel, linux-kernel, Ard Biesheuvel,
Jason A . Donenfeld, Eric Biggers
Now that the oldest supported binutils version is 2.30, the macros that
emit the SHA-512 instructions as '.inst' words are no longer needed. So
drop them. No change in the generated machine code.
Changed from the original patch by Ard Biesheuvel:
(https://lore.kernel.org/r/20250515142702.2592942-2-ardb+git@google.com):
- Reduced scope to just SHA-512
- Added comment that explains why "sha3" is used instead of "sha2"
Signed-off-by: Eric Biggers <ebiggers@kernel.org>
---
This patch is targeting libcrypto-next
lib/crypto/arm64/sha512-ce-core.S | 27 +++++++--------------------
1 file changed, 7 insertions(+), 20 deletions(-)
diff --git a/lib/crypto/arm64/sha512-ce-core.S b/lib/crypto/arm64/sha512-ce-core.S
index 7d870a435ea38..eaa485244af52 100644
--- a/lib/crypto/arm64/sha512-ce-core.S
+++ b/lib/crypto/arm64/sha512-ce-core.S
@@ -10,30 +10,17 @@
*/
#include <linux/linkage.h>
#include <asm/assembler.h>
- .irp b,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
- .set .Lq\b, \b
- .set .Lv\b\().2d, \b
- .endr
-
- .macro sha512h, rd, rn, rm
- .inst 0xce608000 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
- .endm
-
- .macro sha512h2, rd, rn, rm
- .inst 0xce608400 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
- .endm
-
- .macro sha512su0, rd, rn
- .inst 0xcec08000 | .L\rd | (.L\rn << 5)
- .endm
-
- .macro sha512su1, rd, rn, rm
- .inst 0xce608800 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
- .endm
+ /*
+ * While SHA-512 is part of the SHA-2 family of algorithms, the
+ * corresponding arm64 instructions are actually part of the "sha3" CPU
+ * feature. (Except in binutils 2.30 through 2.42, which used "sha2".
+ * But "sha3" implies "sha2", so "sha3" still works in those versions.)
+ */
+ .arch armv8-a+sha3
/*
* The SHA-512 round constants
*/
.section ".rodata", "a"
base-commit: 66be847cc4c2e82fb50190b52b05b3bb0ef57999
--
2.50.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH] lib/crypto: arm64/sha512-ce: Drop compatibility macros for older binutils
2025-07-18 22:07 [PATCH] lib/crypto: arm64/sha512-ce: Drop compatibility macros for older binutils Eric Biggers
@ 2025-07-21 3:31 ` Ard Biesheuvel
2025-07-21 4:17 ` Eric Biggers
0 siblings, 1 reply; 4+ messages in thread
From: Ard Biesheuvel @ 2025-07-21 3:31 UTC (permalink / raw)
To: Eric Biggers
Cc: linux-crypto, linux-arm-kernel, linux-kernel, Jason A . Donenfeld
On Sat, 19 Jul 2025 at 08:07, Eric Biggers <ebiggers@kernel.org> wrote:
>
> Now that the oldest supported binutils version is 2.30, the macros that
> emit the SHA-512 instructions as '.inst' words are no longer needed. So
> drop them. No change in the generated machine code.
>
> Changed from the original patch by Ard Biesheuvel:
> (https://lore.kernel.org/r/20250515142702.2592942-2-ardb+git@google.com):
> - Reduced scope to just SHA-512
> - Added comment that explains why "sha3" is used instead of "sha2"
>
> Signed-off-by: Eric Biggers <ebiggers@kernel.org>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Nit below
> ---
>
> This patch is targeting libcrypto-next
>
> lib/crypto/arm64/sha512-ce-core.S | 27 +++++++--------------------
> 1 file changed, 7 insertions(+), 20 deletions(-)
>
> diff --git a/lib/crypto/arm64/sha512-ce-core.S b/lib/crypto/arm64/sha512-ce-core.S
> index 7d870a435ea38..eaa485244af52 100644
> --- a/lib/crypto/arm64/sha512-ce-core.S
> +++ b/lib/crypto/arm64/sha512-ce-core.S
> @@ -10,30 +10,17 @@
> */
>
> #include <linux/linkage.h>
> #include <asm/assembler.h>
>
> - .irp b,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
> - .set .Lq\b, \b
> - .set .Lv\b\().2d, \b
> - .endr
> -
> - .macro sha512h, rd, rn, rm
> - .inst 0xce608000 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> - .endm
> -
> - .macro sha512h2, rd, rn, rm
> - .inst 0xce608400 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> - .endm
> -
> - .macro sha512su0, rd, rn
> - .inst 0xcec08000 | .L\rd | (.L\rn << 5)
> - .endm
> -
> - .macro sha512su1, rd, rn, rm
> - .inst 0xce608800 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> - .endm
> + /*
> + * While SHA-512 is part of the SHA-2 family of algorithms, the
> + * corresponding arm64 instructions are actually part of the "sha3" CPU
> + * feature. (Except in binutils 2.30 through 2.42, which used "sha2".
Nit: the ARM ARM describes these features as FEAT_SHA256, FEAT_SHA512
and FEAT_SHA3, and the latter two happen to have appeared in the same
architecture revision. So this is likely just the GCC/binutils devs
getting confused, and assuming a) that SHA-3 implies SHA-2 (which is
silly if you know the difference) and b) SHA512 has anything to do
with SHA-3.
> + * But "sha3" implies "sha2", so "sha3" still works in those versions.)
> + */
> + .arch armv8-a+sha3
>
> /*
> * The SHA-512 round constants
> */
> .section ".rodata", "a"
>
> base-commit: 66be847cc4c2e82fb50190b52b05b3bb0ef57999
> --
> 2.50.1
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] lib/crypto: arm64/sha512-ce: Drop compatibility macros for older binutils
2025-07-21 3:31 ` Ard Biesheuvel
@ 2025-07-21 4:17 ` Eric Biggers
2025-07-21 4:27 ` Ard Biesheuvel
0 siblings, 1 reply; 4+ messages in thread
From: Eric Biggers @ 2025-07-21 4:17 UTC (permalink / raw)
To: Ard Biesheuvel
Cc: linux-crypto, linux-arm-kernel, linux-kernel, Jason A . Donenfeld
On Mon, Jul 21, 2025 at 01:31:47PM +1000, Ard Biesheuvel wrote:
> On Sat, 19 Jul 2025 at 08:07, Eric Biggers <ebiggers@kernel.org> wrote:
> >
> > Now that the oldest supported binutils version is 2.30, the macros that
> > emit the SHA-512 instructions as '.inst' words are no longer needed. So
> > drop them. No change in the generated machine code.
> >
> > Changed from the original patch by Ard Biesheuvel:
> > (https://lore.kernel.org/r/20250515142702.2592942-2-ardb+git@google.com):
> > - Reduced scope to just SHA-512
> > - Added comment that explains why "sha3" is used instead of "sha2"
> >
> > Signed-off-by: Eric Biggers <ebiggers@kernel.org>
>
> Acked-by: Ard Biesheuvel <ardb@kernel.org>
>
> Nit below
>
> > ---
> >
> > This patch is targeting libcrypto-next
> >
> > lib/crypto/arm64/sha512-ce-core.S | 27 +++++++--------------------
> > 1 file changed, 7 insertions(+), 20 deletions(-)
> >
> > diff --git a/lib/crypto/arm64/sha512-ce-core.S b/lib/crypto/arm64/sha512-ce-core.S
> > index 7d870a435ea38..eaa485244af52 100644
> > --- a/lib/crypto/arm64/sha512-ce-core.S
> > +++ b/lib/crypto/arm64/sha512-ce-core.S
> > @@ -10,30 +10,17 @@
> > */
> >
> > #include <linux/linkage.h>
> > #include <asm/assembler.h>
> >
> > - .irp b,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
> > - .set .Lq\b, \b
> > - .set .Lv\b\().2d, \b
> > - .endr
> > -
> > - .macro sha512h, rd, rn, rm
> > - .inst 0xce608000 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> > - .endm
> > -
> > - .macro sha512h2, rd, rn, rm
> > - .inst 0xce608400 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> > - .endm
> > -
> > - .macro sha512su0, rd, rn
> > - .inst 0xcec08000 | .L\rd | (.L\rn << 5)
> > - .endm
> > -
> > - .macro sha512su1, rd, rn, rm
> > - .inst 0xce608800 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> > - .endm
> > + /*
> > + * While SHA-512 is part of the SHA-2 family of algorithms, the
> > + * corresponding arm64 instructions are actually part of the "sha3" CPU
> > + * feature. (Except in binutils 2.30 through 2.42, which used "sha2".
>
> Nit: the ARM ARM describes these features as FEAT_SHA256, FEAT_SHA512
> and FEAT_SHA3, and the latter two happen to have appeared in the same
> architecture revision. So this is likely just the GCC/binutils devs
> getting confused, and assuming a) that SHA-3 implies SHA-2 (which is
> silly if you know the difference) and b) SHA512 has anything to do
> with SHA-3.
How does the following look?
/*
* We have to specify the "sha3" feature here, since the GNU and clang
* assemblers both consider the SHA-512 instructions to be part of the
* "sha3" feature. (Except binutils 2.30 through 2.42, which used
* "sha2". But "sha3" implies "sha2", so "sha3" still works in those
* versions.) "sha3" doesn't make a lot of sense, since SHA-512 is part
* of the SHA-2 family of algorithms, and also the Arm Architecture
* Reference Manual defines FEAT_SHA512 and FEAT_SHA3 separately.
* Regardless, we must use "sha3" to be compatible with the assemblers.
*/
By the way, the ARM ARM does actually have the following:
If FEAT_SHA256 is implemented, then FEAT_SHA1 is implemented.
If FEAT_SHA512 is implemented, then FEAT_SHA256 and FEAT_SHA1 are implemented.
If FEAT_SHA3 is implemented, then FEAT_SHA256 and FEAT_SHA1 are implemented.
So some of the SHAs do imply other ones. But notably absent is
FEAT_SHA3 implying FEAT_SHA512...
- Eric
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH] lib/crypto: arm64/sha512-ce: Drop compatibility macros for older binutils
2025-07-21 4:17 ` Eric Biggers
@ 2025-07-21 4:27 ` Ard Biesheuvel
0 siblings, 0 replies; 4+ messages in thread
From: Ard Biesheuvel @ 2025-07-21 4:27 UTC (permalink / raw)
To: Eric Biggers
Cc: linux-crypto, linux-arm-kernel, linux-kernel, Jason A . Donenfeld
On Mon, 21 Jul 2025 at 14:18, Eric Biggers <ebiggers@kernel.org> wrote:
>
> On Mon, Jul 21, 2025 at 01:31:47PM +1000, Ard Biesheuvel wrote:
> > On Sat, 19 Jul 2025 at 08:07, Eric Biggers <ebiggers@kernel.org> wrote:
> > >
> > > Now that the oldest supported binutils version is 2.30, the macros that
> > > emit the SHA-512 instructions as '.inst' words are no longer needed. So
> > > drop them. No change in the generated machine code.
> > >
> > > Changed from the original patch by Ard Biesheuvel:
> > > (https://lore.kernel.org/r/20250515142702.2592942-2-ardb+git@google.com):
> > > - Reduced scope to just SHA-512
> > > - Added comment that explains why "sha3" is used instead of "sha2"
> > >
> > > Signed-off-by: Eric Biggers <ebiggers@kernel.org>
> >
> > Acked-by: Ard Biesheuvel <ardb@kernel.org>
> >
> > Nit below
> >
> > > ---
> > >
> > > This patch is targeting libcrypto-next
> > >
> > > lib/crypto/arm64/sha512-ce-core.S | 27 +++++++--------------------
> > > 1 file changed, 7 insertions(+), 20 deletions(-)
> > >
> > > diff --git a/lib/crypto/arm64/sha512-ce-core.S b/lib/crypto/arm64/sha512-ce-core.S
> > > index 7d870a435ea38..eaa485244af52 100644
> > > --- a/lib/crypto/arm64/sha512-ce-core.S
> > > +++ b/lib/crypto/arm64/sha512-ce-core.S
> > > @@ -10,30 +10,17 @@
> > > */
> > >
> > > #include <linux/linkage.h>
> > > #include <asm/assembler.h>
> > >
> > > - .irp b,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
> > > - .set .Lq\b, \b
> > > - .set .Lv\b\().2d, \b
> > > - .endr
> > > -
> > > - .macro sha512h, rd, rn, rm
> > > - .inst 0xce608000 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> > > - .endm
> > > -
> > > - .macro sha512h2, rd, rn, rm
> > > - .inst 0xce608400 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> > > - .endm
> > > -
> > > - .macro sha512su0, rd, rn
> > > - .inst 0xcec08000 | .L\rd | (.L\rn << 5)
> > > - .endm
> > > -
> > > - .macro sha512su1, rd, rn, rm
> > > - .inst 0xce608800 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> > > - .endm
> > > + /*
> > > + * While SHA-512 is part of the SHA-2 family of algorithms, the
> > > + * corresponding arm64 instructions are actually part of the "sha3" CPU
> > > + * feature. (Except in binutils 2.30 through 2.42, which used "sha2".
> >
> > Nit: the ARM ARM describes these features as FEAT_SHA256, FEAT_SHA512
> > and FEAT_SHA3, and the latter two happen to have appeared in the same
> > architecture revision. So this is likely just the GCC/binutils devs
> > getting confused, and assuming a) that SHA-3 implies SHA-2 (which is
> > silly if you know the difference) and b) SHA512 has anything to do
> > with SHA-3.
>
> How does the following look?
>
> /*
> * We have to specify the "sha3" feature here, since the GNU and clang
> * assemblers both consider the SHA-512 instructions to be part of the
> * "sha3" feature. (Except binutils 2.30 through 2.42, which used
> * "sha2". But "sha3" implies "sha2", so "sha3" still works in those
> * versions.) "sha3" doesn't make a lot of sense, since SHA-512 is part
> * of the SHA-2 family of algorithms, and also the Arm Architecture
> * Reference Manual defines FEAT_SHA512 and FEAT_SHA3 separately.
> * Regardless, we must use "sha3" to be compatible with the assemblers.
> */
>
LGTM
> By the way, the ARM ARM does actually have the following:
>
> If FEAT_SHA256 is implemented, then FEAT_SHA1 is implemented.
> If FEAT_SHA512 is implemented, then FEAT_SHA256 and FEAT_SHA1 are implemented.
> If FEAT_SHA3 is implemented, then FEAT_SHA256 and FEAT_SHA1 are implemented.
>
> So some of the SHAs do imply other ones. But notably absent is
> FEAT_SHA3 implying FEAT_SHA512...
Yeah, and such policies usually evaporate into thin air as soon as
Apple decides to implement something different, so they tend to be
rather meaningless. (E.g, FEAT_SME used to imply FEAT_SVE but it no
longer does)
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2025-07-21 4:30 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2025-07-18 22:07 [PATCH] lib/crypto: arm64/sha512-ce: Drop compatibility macros for older binutils Eric Biggers
2025-07-21 3:31 ` Ard Biesheuvel
2025-07-21 4:17 ` Eric Biggers
2025-07-21 4:27 ` Ard Biesheuvel
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).