[v4 PATCH 00/11] crypto: lib - Add partial block helper

[v4 PATCH 00/11] crypto: lib - Add partial block helper

[Herbert Xu]

v4 modifies the block helper so that the block function and state
are back in local-scope variables, the lengths have been extended
to size_t where necessary.

This is based on

	https://patchwork.kernel.org/project/linux-crypto/list/?series=955753
	https://patchwork.kernel.org/project/linux-crypto/list/?series=957401

This series introduces a partial block helper for lib/crypto hash
algorithms based on the one from sha256_base.

It then uses it on poly1305 to eliminate duplication between
architectures.  In particular, instead of having complete update
functions for each architecture, reduce it to a block function
per architecture instead.  The partial block handling is handled
by the generic library layer.

The poly1305 implementation was anomalous due to the inability
to call setkey in softirq.  It also has just a single user, which
is chacha20poly1305 that is hard-coded to use poly1305.  Replace
the gratuitous use of ahash in chacha20poly1305 with the lib/crypto
poly1305 instead.

This then allows the shash poly1305 to be removed.

Note that there is still some testing coverage for lib/poly1305
through the Crypto API chacha20poly1305 algorithm.

Herbert Xu (11):
  crypto: lib/sha256 - Move partial block handling out
  crypto: lib/poly1305 - Add block-only interface
  crypto: arm/poly1305 - Add block-only interface
  crypto: arm64/poly1305 - Add block-only interface
  crypto: mips/poly1305 - Add block-only interface
  crypto: powerpc/poly1305 - Add block-only interface
  crypto: x86/poly1305 - Add block-only interface
  crypto: chacha20poly1305 - Use lib/crypto poly1305
  crypto: testmgr - Remove poly1305
  crypto: poly1305 - Remove algorithm
  crypto: lib/poly1305 - Use block-only interface

 arch/arm/lib/crypto/poly1305-armv4.pl         |   4 +-
 arch/arm/lib/crypto/poly1305-glue.c           | 113 ++----
 arch/arm64/lib/crypto/Makefile                |   3 +-
 arch/arm64/lib/crypto/poly1305-glue.c         | 105 ++----
 arch/mips/lib/crypto/poly1305-glue.c          |  75 +---
 arch/mips/lib/crypto/poly1305-mips.pl         |  12 +-
 arch/powerpc/lib/crypto/poly1305-p10-glue.c   | 109 ++----
 .../lib/crypto/poly1305-x86_64-cryptogams.pl  |  33 +-
 arch/x86/lib/crypto/poly1305_glue.c           | 169 +++------
 crypto/Kconfig                                |  14 +-
 crypto/Makefile                               |   2 -
 crypto/chacha20poly1305.c                     | 323 ++++--------------
 crypto/poly1305.c                             | 152 ---------
 crypto/testmgr.c                              |   6 -
 crypto/testmgr.h                              | 288 ----------------
 include/crypto/internal/blockhash.h           |  52 +++
 include/crypto/internal/poly1305.h            |  28 +-
 include/crypto/poly1305.h                     |  60 +---
 include/crypto/sha2.h                         |   9 +-
 include/crypto/sha256_base.h                  |  38 +--
 lib/crypto/poly1305.c                         |  83 ++---
 21 files changed, 396 insertions(+), 1282 deletions(-)
 delete mode 100644 crypto/poly1305.c
 create mode 100644 include/crypto/internal/blockhash.h

-- 
2.39.5

[v4 PATCH 01/11] crypto: lib/sha256 - Move partial block handling out

[Herbert Xu]

Extract the common partial block handling into a helper macro
that can be reused by other library code.

Also delete the unused sha256_base_do_finalize function.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---
 include/crypto/internal/blockhash.h | 52 +++++++++++++++++++++++++++++
 include/crypto/sha2.h               |  9 +++--
 include/crypto/sha256_base.h        | 38 ++-------------------
 3 files changed, 62 insertions(+), 37 deletions(-)
 create mode 100644 include/crypto/internal/blockhash.h

diff --git a/include/crypto/internal/blockhash.h b/include/crypto/internal/blockhash.h
new file mode 100644
index 000000000000..52d9d4c82493
--- /dev/null
+++ b/include/crypto/internal/blockhash.h
@@ -0,0 +1,52 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Handle partial blocks for block hash.
+ *
+ * Copyright (c) 2015 Linaro Ltd <ard.biesheuvel@linaro.org>
+ * Copyright (c) 2025 Herbert Xu <herbert@gondor.apana.org.au>
+ */
+
+#ifndef _CRYPTO_INTERNAL_BLOCKHASH_H
+#define _CRYPTO_INTERNAL_BLOCKHASH_H
+
+#include <linux/string.h>
+#include <linux/types.h>
+
+#define BLOCK_HASH_UPDATE_BASE(block_fn, state, src, nbytes, bs, dv,	\
+			       buf, buflen)				\
+	({								\
+		typeof(block_fn) *_block_fn = &(block_fn);		\
+		typeof(state + 0) _state = (state);			\
+		unsigned int _buflen = (buflen);			\
+		size_t _nbytes = (nbytes);				\
+		unsigned int _bs = (bs);				\
+		const u8 *_src = (src);					\
+		u8 *_buf = (buf);					\
+		while ((_buflen + _nbytes) >= _bs) {			\
+			const u8 *data = _src;				\
+			size_t len = _nbytes;				\
+			size_t blocks;					\
+			int remain;					\
+			if (_buflen) {					\
+				remain = _bs - _buflen;			\
+				memcpy(_buf + _buflen, _src, remain);	\
+				data = _buf;				\
+				len = _bs;				\
+			}						\
+			remain = len % bs;				\
+			blocks = (len - remain) / (dv);			\
+			(*_block_fn)(_state, data, blocks);		\
+			_src += len - remain - _buflen;			\
+			_nbytes -= len - remain - _buflen;		\
+			_buflen = 0;					\
+		}							\
+		memcpy(_buf + _buflen, _src, _nbytes);			\
+		_buflen += _nbytes;					\
+	})
+
+#define BLOCK_HASH_UPDATE(block, state, src, nbytes, bs, buf, buflen) \
+	BLOCK_HASH_UPDATE_BASE(block, state, src, nbytes, bs, 1, buf, buflen)
+#define BLOCK_HASH_UPDATE_BLOCKS(block, state, src, nbytes, bs, buf, buflen) \
+	BLOCK_HASH_UPDATE_BASE(block, state, src, nbytes, bs, bs, buf, buflen)
+
+#endif	/* _CRYPTO_INTERNAL_BLOCKHASH_H */
diff --git a/include/crypto/sha2.h b/include/crypto/sha2.h
index abbd882f7849..f873c2207b1e 100644
--- a/include/crypto/sha2.h
+++ b/include/crypto/sha2.h
@@ -71,8 +71,13 @@ struct crypto_sha256_state {
 };
 
 struct sha256_state {
-	u32 state[SHA256_DIGEST_SIZE / 4];
-	u64 count;
+	union {
+		struct crypto_sha256_state ctx;
+		struct {
+			u32 state[SHA256_DIGEST_SIZE / 4];
+			u64 count;
+		};
+	};
 	u8 buf[SHA256_BLOCK_SIZE];
 };
 
diff --git a/include/crypto/sha256_base.h b/include/crypto/sha256_base.h
index 08cd5e41d4fd..9f284bed5a51 100644
--- a/include/crypto/sha256_base.h
+++ b/include/crypto/sha256_base.h
@@ -8,6 +8,7 @@
 #ifndef _CRYPTO_SHA256_BASE_H
 #define _CRYPTO_SHA256_BASE_H
 
+#include <crypto/internal/blockhash.h>
 #include <crypto/internal/hash.h>
 #include <crypto/sha2.h>
 #include <linux/math.h>
@@ -40,35 +41,10 @@ static inline int lib_sha256_base_do_update(struct sha256_state *sctx,
 					    sha256_block_fn *block_fn)
 {
 	unsigned int partial = sctx->count % SHA256_BLOCK_SIZE;
-	struct crypto_sha256_state *state = (void *)sctx;
 
 	sctx->count += len;
-
-	if (unlikely((partial + len) >= SHA256_BLOCK_SIZE)) {
-		int blocks;
-
-		if (partial) {
-			int p = SHA256_BLOCK_SIZE - partial;
-
-			memcpy(sctx->buf + partial, data, p);
-			data += p;
-			len -= p;
-
-			block_fn(state, sctx->buf, 1);
-		}
-
-		blocks = len / SHA256_BLOCK_SIZE;
-		len %= SHA256_BLOCK_SIZE;
-
-		if (blocks) {
-			block_fn(state, data, blocks);
-			data += blocks * SHA256_BLOCK_SIZE;
-		}
-		partial = 0;
-	}
-	if (len)
-		memcpy(sctx->buf + partial, data, len);
-
+	BLOCK_HASH_UPDATE_BLOCKS(block_fn, &sctx->ctx, data, len,
+				 SHA256_BLOCK_SIZE, sctx->buf, partial);
 	return 0;
 }
 
@@ -140,14 +116,6 @@ static inline int lib_sha256_base_do_finalize(struct sha256_state *sctx,
 	return lib_sha256_base_do_finup(state, sctx->buf, partial, block_fn);
 }
 
-static inline int sha256_base_do_finalize(struct shash_desc *desc,
-					  sha256_block_fn *block_fn)
-{
-	struct sha256_state *sctx = shash_desc_ctx(desc);
-
-	return lib_sha256_base_do_finalize(sctx, block_fn);
-}
-
 static inline int __sha256_base_finish(u32 state[SHA256_DIGEST_SIZE / 4],
 				       u8 *out, unsigned int digest_size)
 {
-- 
2.39.5

[v4 PATCH 02/11] crypto: lib/poly1305 - Add block-only interface

[Herbert Xu]

Add a block-only interface for poly1305.  Implement the generic
code first.

Also use the generic partial block helper.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---
 include/crypto/internal/poly1305.h | 28 ++++++++++++++--
 include/crypto/poly1305.h          | 25 ++++++++++----
 lib/crypto/poly1305.c              | 54 +++++++++++++-----------------
 3 files changed, 68 insertions(+), 39 deletions(-)

diff --git a/include/crypto/internal/poly1305.h b/include/crypto/internal/poly1305.h
index e614594f88c1..c60315f47562 100644
--- a/include/crypto/internal/poly1305.h
+++ b/include/crypto/internal/poly1305.h
@@ -6,9 +6,8 @@
 #ifndef _CRYPTO_INTERNAL_POLY1305_H
 #define _CRYPTO_INTERNAL_POLY1305_H
 
-#include <linux/unaligned.h>
-#include <linux/types.h>
 #include <crypto/poly1305.h>
+#include <linux/types.h>
 
 /*
  * Poly1305 core functions.  These only accept whole blocks; the caller must
@@ -31,4 +30,29 @@ void poly1305_core_blocks(struct poly1305_state *state,
 void poly1305_core_emit(const struct poly1305_state *state, const u32 nonce[4],
 			void *dst);
 
+void poly1305_block_init_arch(struct poly1305_block_state *state,
+			      const u8 raw_key[POLY1305_BLOCK_SIZE]);
+void poly1305_block_init_generic(struct poly1305_block_state *state,
+				 const u8 raw_key[POLY1305_BLOCK_SIZE]);
+void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
+			  unsigned int len, u32 padbit);
+
+static inline void poly1305_blocks_generic(struct poly1305_block_state *state,
+					   const u8 *src, unsigned int len,
+					   u32 padbit)
+{
+	poly1305_core_blocks(&state->h, &state->core_r, src,
+			     len / POLY1305_BLOCK_SIZE, padbit);
+}
+
+void poly1305_emit_arch(const struct poly1305_state *state,
+			u8 digest[POLY1305_DIGEST_SIZE], const u32 nonce[4]);
+
+static inline void poly1305_emit_generic(const struct poly1305_state *state,
+					 u8 digest[POLY1305_DIGEST_SIZE],
+					 const u32 nonce[4])
+{
+	poly1305_core_emit(state, nonce, digest);
+}
+
 #endif
diff --git a/include/crypto/poly1305.h b/include/crypto/poly1305.h
index 6e21ec2d1dc2..027d74842cd5 100644
--- a/include/crypto/poly1305.h
+++ b/include/crypto/poly1305.h
@@ -7,7 +7,6 @@
 #define _CRYPTO_POLY1305_H
 
 #include <linux/types.h>
-#include <linux/crypto.h>
 
 #define POLY1305_BLOCK_SIZE	16
 #define POLY1305_KEY_SIZE	32
@@ -38,6 +37,17 @@ struct poly1305_state {
 	};
 };
 
+/* Combined state for block function. */
+struct poly1305_block_state {
+	/* accumulator */
+	struct poly1305_state h;
+	/* key */
+	union {
+		struct poly1305_key opaque_r[CONFIG_CRYPTO_LIB_POLY1305_RSIZE];
+		struct poly1305_core_key core_r;
+	};
+};
+
 struct poly1305_desc_ctx {
 	/* partial buffer */
 	u8 buf[POLY1305_BLOCK_SIZE];
@@ -45,12 +55,15 @@ struct poly1305_desc_ctx {
 	unsigned int buflen;
 	/* finalize key */
 	u32 s[4];
-	/* accumulator */
-	struct poly1305_state h;
-	/* key */
 	union {
-		struct poly1305_key opaque_r[CONFIG_CRYPTO_LIB_POLY1305_RSIZE];
-		struct poly1305_core_key core_r;
+		struct {
+			struct poly1305_state h;
+			union {
+				struct poly1305_key opaque_r[CONFIG_CRYPTO_LIB_POLY1305_RSIZE];
+				struct poly1305_core_key core_r;
+			};
+		};
+		struct poly1305_block_state state;
 	};
 };
 
diff --git a/lib/crypto/poly1305.c b/lib/crypto/poly1305.c
index b633b043f0f6..9fec64a599c1 100644
--- a/lib/crypto/poly1305.c
+++ b/lib/crypto/poly1305.c
@@ -7,54 +7,45 @@
  * Based on public domain code by Andrew Moon and Daniel J. Bernstein.
  */
 
+#include <crypto/internal/blockhash.h>
 #include <crypto/internal/poly1305.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
+#include <linux/string.h>
 #include <linux/unaligned.h>
 
+void poly1305_block_init_generic(struct poly1305_block_state *desc,
+				 const u8 raw_key[POLY1305_BLOCK_SIZE])
+{
+	poly1305_core_init(&desc->h);
+	poly1305_core_setkey(&desc->core_r, raw_key);
+}
+EXPORT_SYMBOL_GPL(poly1305_block_init_generic);
+
 void poly1305_init_generic(struct poly1305_desc_ctx *desc,
 			   const u8 key[POLY1305_KEY_SIZE])
 {
-	poly1305_core_setkey(&desc->core_r, key);
 	desc->s[0] = get_unaligned_le32(key + 16);
 	desc->s[1] = get_unaligned_le32(key + 20);
 	desc->s[2] = get_unaligned_le32(key + 24);
 	desc->s[3] = get_unaligned_le32(key + 28);
-	poly1305_core_init(&desc->h);
 	desc->buflen = 0;
+	poly1305_block_init_generic(&desc->state, key);
 }
 EXPORT_SYMBOL_GPL(poly1305_init_generic);
 
+static inline void poly1305_blocks(struct poly1305_block_state *state,
+				   const u8 *src, unsigned int len)
+{
+	poly1305_blocks_generic(state, src, len, 1);
+}
+
 void poly1305_update_generic(struct poly1305_desc_ctx *desc, const u8 *src,
 			     unsigned int nbytes)
 {
-	unsigned int bytes;
-
-	if (unlikely(desc->buflen)) {
-		bytes = min(nbytes, POLY1305_BLOCK_SIZE - desc->buflen);
-		memcpy(desc->buf + desc->buflen, src, bytes);
-		src += bytes;
-		nbytes -= bytes;
-		desc->buflen += bytes;
-
-		if (desc->buflen == POLY1305_BLOCK_SIZE) {
-			poly1305_core_blocks(&desc->h, &desc->core_r, desc->buf,
-					     1, 1);
-			desc->buflen = 0;
-		}
-	}
-
-	if (likely(nbytes >= POLY1305_BLOCK_SIZE)) {
-		poly1305_core_blocks(&desc->h, &desc->core_r, src,
-				     nbytes / POLY1305_BLOCK_SIZE, 1);
-		src += nbytes - (nbytes % POLY1305_BLOCK_SIZE);
-		nbytes %= POLY1305_BLOCK_SIZE;
-	}
-
-	if (unlikely(nbytes)) {
-		desc->buflen = nbytes;
-		memcpy(desc->buf, src, nbytes);
-	}
+	desc->buflen = BLOCK_HASH_UPDATE(poly1305_blocks, &desc->state,
+					 src, nbytes, POLY1305_BLOCK_SIZE,
+					 desc->buf, desc->buflen);
 }
 EXPORT_SYMBOL_GPL(poly1305_update_generic);
 
@@ -64,10 +55,11 @@ void poly1305_final_generic(struct poly1305_desc_ctx *desc, u8 *dst)
 		desc->buf[desc->buflen++] = 1;
 		memset(desc->buf + desc->buflen, 0,
 		       POLY1305_BLOCK_SIZE - desc->buflen);
-		poly1305_core_blocks(&desc->h, &desc->core_r, desc->buf, 1, 0);
+		poly1305_blocks_generic(&desc->state, desc->buf,
+					POLY1305_BLOCK_SIZE, 0);
 	}
 
-	poly1305_core_emit(&desc->h, desc->s, dst);
+	poly1305_emit_generic(&desc->h, dst, desc->s);
 	*desc = (struct poly1305_desc_ctx){};
 }
 EXPORT_SYMBOL_GPL(poly1305_final_generic);
-- 
2.39.5

[v4 PATCH 03/11] crypto: arm/poly1305 - Add block-only interface

[Herbert Xu]

Add block-only interface.

Also remove the unnecessary SIMD fallback path.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---
 arch/arm/lib/crypto/poly1305-armv4.pl |  4 +-
 arch/arm/lib/crypto/poly1305-glue.c   | 78 +++++++++++++++------------
 2 files changed, 47 insertions(+), 35 deletions(-)

diff --git a/arch/arm/lib/crypto/poly1305-armv4.pl b/arch/arm/lib/crypto/poly1305-armv4.pl
index 6d79498d3115..d57c6e2fc84a 100644
--- a/arch/arm/lib/crypto/poly1305-armv4.pl
+++ b/arch/arm/lib/crypto/poly1305-armv4.pl
@@ -43,9 +43,9 @@ $code.=<<___;
 #else
 # define __ARM_ARCH__ __LINUX_ARM_ARCH__
 # define __ARM_MAX_ARCH__ __LINUX_ARM_ARCH__
-# define poly1305_init   poly1305_init_arm
+# define poly1305_init   poly1305_block_init_arch
 # define poly1305_blocks poly1305_blocks_arm
-# define poly1305_emit   poly1305_emit_arm
+# define poly1305_emit   poly1305_emit_arch
 .globl	poly1305_blocks_neon
 #endif
 
diff --git a/arch/arm/lib/crypto/poly1305-glue.c b/arch/arm/lib/crypto/poly1305-glue.c
index 42d0ebde1ae1..3ee16048ec7c 100644
--- a/arch/arm/lib/crypto/poly1305-glue.c
+++ b/arch/arm/lib/crypto/poly1305-glue.c
@@ -7,20 +7,29 @@
 
 #include <asm/hwcap.h>
 #include <asm/neon.h>
-#include <asm/simd.h>
-#include <crypto/poly1305.h>
-#include <crypto/internal/simd.h>
+#include <crypto/internal/poly1305.h>
 #include <linux/cpufeature.h>
 #include <linux/jump_label.h>
+#include <linux/kernel.h>
 #include <linux/module.h>
+#include <linux/string.h>
 #include <linux/unaligned.h>
 
-void poly1305_init_arm(void *state, const u8 *key);
-void poly1305_blocks_arm(void *state, const u8 *src, u32 len, u32 hibit);
-void poly1305_blocks_neon(void *state, const u8 *src, u32 len, u32 hibit);
-void poly1305_emit_arm(void *state, u8 *digest, const u32 *nonce);
+asmlinkage void poly1305_block_init_arch(
+	struct poly1305_block_state *state,
+	const u8 raw_key[POLY1305_BLOCK_SIZE]);
+EXPORT_SYMBOL_GPL(poly1305_block_init_arch);
+asmlinkage void poly1305_blocks_arm(struct poly1305_block_state *state,
+				    const u8 *src, u32 len, u32 hibit);
+asmlinkage void poly1305_blocks_neon(struct poly1305_block_state *state,
+				     const u8 *src, u32 len, u32 hibit);
+asmlinkage void poly1305_emit_arch(const struct poly1305_state *state,
+				   u8 digest[POLY1305_DIGEST_SIZE],
+				   const u32 nonce[4]);
+EXPORT_SYMBOL_GPL(poly1305_emit_arch);
 
-void __weak poly1305_blocks_neon(void *state, const u8 *src, u32 len, u32 hibit)
+void __weak poly1305_blocks_neon(struct poly1305_block_state *state,
+				 const u8 *src, u32 len, u32 hibit)
 {
 }
 
@@ -28,21 +37,39 @@ static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
 
 void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 key[POLY1305_KEY_SIZE])
 {
-	poly1305_init_arm(&dctx->h, key);
 	dctx->s[0] = get_unaligned_le32(key + 16);
 	dctx->s[1] = get_unaligned_le32(key + 20);
 	dctx->s[2] = get_unaligned_le32(key + 24);
 	dctx->s[3] = get_unaligned_le32(key + 28);
 	dctx->buflen = 0;
+	poly1305_block_init_arch(&dctx->state, key);
 }
 EXPORT_SYMBOL(poly1305_init_arch);
 
+void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
+			  unsigned int len, u32 padbit)
+{
+	len = round_down(len, POLY1305_BLOCK_SIZE);
+	if (IS_ENABLED(CONFIG_KERNEL_MODE_NEON) &&
+	    static_branch_likely(&have_neon)) {
+		do {
+			unsigned int todo = min_t(unsigned int, len, SZ_4K);
+
+			kernel_neon_begin();
+			poly1305_blocks_neon(state, src, todo, padbit);
+			kernel_neon_end();
+
+			len -= todo;
+			src += todo;
+		} while (len);
+	} else
+		poly1305_blocks_arm(state, src, len, padbit);
+}
+EXPORT_SYMBOL_GPL(poly1305_blocks_arch);
+
 void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
 			  unsigned int nbytes)
 {
-	bool do_neon = IS_ENABLED(CONFIG_KERNEL_MODE_NEON) &&
-		       crypto_simd_usable();
-
 	if (unlikely(dctx->buflen)) {
 		u32 bytes = min(nbytes, POLY1305_BLOCK_SIZE - dctx->buflen);
 
@@ -52,30 +79,15 @@ void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
 		dctx->buflen += bytes;
 
 		if (dctx->buflen == POLY1305_BLOCK_SIZE) {
-			poly1305_blocks_arm(&dctx->h, dctx->buf,
-					    POLY1305_BLOCK_SIZE, 1);
+			poly1305_blocks_arch(&dctx->state, dctx->buf,
+					     POLY1305_BLOCK_SIZE, 1);
 			dctx->buflen = 0;
 		}
 	}
 
 	if (likely(nbytes >= POLY1305_BLOCK_SIZE)) {
-		unsigned int len = round_down(nbytes, POLY1305_BLOCK_SIZE);
-
-		if (static_branch_likely(&have_neon) && do_neon) {
-			do {
-				unsigned int todo = min_t(unsigned int, len, SZ_4K);
-
-				kernel_neon_begin();
-				poly1305_blocks_neon(&dctx->h, src, todo, 1);
-				kernel_neon_end();
-
-				len -= todo;
-				src += todo;
-			} while (len);
-		} else {
-			poly1305_blocks_arm(&dctx->h, src, len, 1);
-			src += len;
-		}
+		poly1305_blocks_arch(&dctx->state, src, nbytes, 1);
+		src += round_down(nbytes, POLY1305_BLOCK_SIZE);
 		nbytes %= POLY1305_BLOCK_SIZE;
 	}
 
@@ -92,10 +104,10 @@ void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
 		dctx->buf[dctx->buflen++] = 1;
 		memset(dctx->buf + dctx->buflen, 0,
 		       POLY1305_BLOCK_SIZE - dctx->buflen);
-		poly1305_blocks_arm(&dctx->h, dctx->buf, POLY1305_BLOCK_SIZE, 0);
+		poly1305_blocks_arch(&dctx->state, dctx->buf, POLY1305_BLOCK_SIZE, 0);
 	}
 
-	poly1305_emit_arm(&dctx->h, dst, dctx->s);
+	poly1305_emit_arch(&dctx->h, dst, dctx->s);
 	*dctx = (struct poly1305_desc_ctx){};
 }
 EXPORT_SYMBOL(poly1305_final_arch);
-- 
2.39.5

[v4 PATCH 04/11] crypto: arm64/poly1305 - Add block-only interface

[Herbert Xu]

Add block-only interface.

Also remove the unnecessary SIMD fallback path.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---
 arch/arm64/lib/crypto/Makefile        |  3 +-
 arch/arm64/lib/crypto/poly1305-glue.c | 71 ++++++++++++++++-----------
 2 files changed, 45 insertions(+), 29 deletions(-)

diff --git a/arch/arm64/lib/crypto/Makefile b/arch/arm64/lib/crypto/Makefile
index ac624c3effda..6207088397a7 100644
--- a/arch/arm64/lib/crypto/Makefile
+++ b/arch/arm64/lib/crypto/Makefile
@@ -5,7 +5,8 @@ chacha-neon-y := chacha-neon-core.o chacha-neon-glue.o
 
 obj-$(CONFIG_CRYPTO_POLY1305_NEON) += poly1305-neon.o
 poly1305-neon-y := poly1305-core.o poly1305-glue.o
-AFLAGS_poly1305-core.o += -Dpoly1305_init=poly1305_init_arm64
+AFLAGS_poly1305-core.o += -Dpoly1305_init=poly1305_block_init_arch
+AFLAGS_poly1305-core.o += -Dpoly1305_emit=poly1305_emit_arch
 
 quiet_cmd_perlasm = PERLASM $@
       cmd_perlasm = $(PERL) $(<) void $(@)
diff --git a/arch/arm64/lib/crypto/poly1305-glue.c b/arch/arm64/lib/crypto/poly1305-glue.c
index 906970dd5373..d66a820e32d5 100644
--- a/arch/arm64/lib/crypto/poly1305-glue.c
+++ b/arch/arm64/lib/crypto/poly1305-glue.c
@@ -7,32 +7,60 @@
 
 #include <asm/hwcap.h>
 #include <asm/neon.h>
-#include <asm/simd.h>
-#include <crypto/poly1305.h>
-#include <crypto/internal/simd.h>
+#include <crypto/internal/poly1305.h>
 #include <linux/cpufeature.h>
 #include <linux/jump_label.h>
+#include <linux/kernel.h>
 #include <linux/module.h>
+#include <linux/string.h>
 #include <linux/unaligned.h>
 
-asmlinkage void poly1305_init_arm64(void *state, const u8 *key);
-asmlinkage void poly1305_blocks(void *state, const u8 *src, u32 len, u32 hibit);
-asmlinkage void poly1305_blocks_neon(void *state, const u8 *src, u32 len, u32 hibit);
-asmlinkage void poly1305_emit(void *state, u8 *digest, const u32 *nonce);
+asmlinkage void poly1305_block_init_arch(
+	struct poly1305_block_state *state,
+	const u8 raw_key[POLY1305_BLOCK_SIZE]);
+EXPORT_SYMBOL_GPL(poly1305_block_init_arch);
+asmlinkage void poly1305_blocks(struct poly1305_block_state *state,
+				const u8 *src, u32 len, u32 hibit);
+asmlinkage void poly1305_blocks_neon(struct poly1305_block_state *state,
+				     const u8 *src, u32 len, u32 hibit);
+asmlinkage void poly1305_emit_arch(const struct poly1305_state *state,
+				   u8 digest[POLY1305_DIGEST_SIZE],
+				   const u32 nonce[4]);
+EXPORT_SYMBOL_GPL(poly1305_emit_arch);
 
 static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
 
 void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 key[POLY1305_KEY_SIZE])
 {
-	poly1305_init_arm64(&dctx->h, key);
 	dctx->s[0] = get_unaligned_le32(key + 16);
 	dctx->s[1] = get_unaligned_le32(key + 20);
 	dctx->s[2] = get_unaligned_le32(key + 24);
 	dctx->s[3] = get_unaligned_le32(key + 28);
 	dctx->buflen = 0;
+	poly1305_block_init_arch(&dctx->state, key);
 }
 EXPORT_SYMBOL(poly1305_init_arch);
 
+void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
+			  unsigned int len, u32 padbit)
+{
+	len = round_down(len, POLY1305_BLOCK_SIZE);
+	if (static_branch_likely(&have_neon)) {
+		do {
+			unsigned int todo = min_t(unsigned int, len, SZ_4K);
+
+			kernel_neon_begin();
+			poly1305_blocks_neon(state, src, todo, 1);
+			kernel_neon_end();
+
+			len -= todo;
+			src += todo;
+		} while (len);
+	} else
+		poly1305_blocks(state, src, len, 1);
+}
+EXPORT_SYMBOL_GPL(poly1305_blocks_arch);
+
 void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
 			  unsigned int nbytes)
 {
@@ -45,29 +73,15 @@ void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
 		dctx->buflen += bytes;
 
 		if (dctx->buflen == POLY1305_BLOCK_SIZE) {
-			poly1305_blocks(&dctx->h, dctx->buf, POLY1305_BLOCK_SIZE, 1);
+			poly1305_blocks_arch(&dctx->state, dctx->buf,
+					     POLY1305_BLOCK_SIZE, 1);
 			dctx->buflen = 0;
 		}
 	}
 
 	if (likely(nbytes >= POLY1305_BLOCK_SIZE)) {
-		unsigned int len = round_down(nbytes, POLY1305_BLOCK_SIZE);
-
-		if (static_branch_likely(&have_neon) && crypto_simd_usable()) {
-			do {
-				unsigned int todo = min_t(unsigned int, len, SZ_4K);
-
-				kernel_neon_begin();
-				poly1305_blocks_neon(&dctx->h, src, todo, 1);
-				kernel_neon_end();
-
-				len -= todo;
-				src += todo;
-			} while (len);
-		} else {
-			poly1305_blocks(&dctx->h, src, len, 1);
-			src += len;
-		}
+		poly1305_blocks_arch(&dctx->state, src, nbytes, 1);
+		src += round_down(nbytes, POLY1305_BLOCK_SIZE);
 		nbytes %= POLY1305_BLOCK_SIZE;
 	}
 
@@ -84,10 +98,11 @@ void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
 		dctx->buf[dctx->buflen++] = 1;
 		memset(dctx->buf + dctx->buflen, 0,
 		       POLY1305_BLOCK_SIZE - dctx->buflen);
-		poly1305_blocks(&dctx->h, dctx->buf, POLY1305_BLOCK_SIZE, 0);
+		poly1305_blocks_arch(&dctx->state, dctx->buf,
+				     POLY1305_BLOCK_SIZE, 0);
 	}
 
-	poly1305_emit(&dctx->h, dst, dctx->s);
+	poly1305_emit_arch(&dctx->h, dst, dctx->s);
 	memzero_explicit(dctx, sizeof(*dctx));
 }
 EXPORT_SYMBOL(poly1305_final_arch);
-- 
2.39.5

[v4 PATCH 05/11] crypto: mips/poly1305 - Add block-only interface

[Herbert Xu]

Add block-only interface.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---
 arch/mips/lib/crypto/poly1305-glue.c  | 29 ++++++++++++++++++---------
 arch/mips/lib/crypto/poly1305-mips.pl | 12 +++++------
 2 files changed, 26 insertions(+), 15 deletions(-)

diff --git a/arch/mips/lib/crypto/poly1305-glue.c b/arch/mips/lib/crypto/poly1305-glue.c
index 576e7a58e0b1..2fea4cacfe27 100644
--- a/arch/mips/lib/crypto/poly1305-glue.c
+++ b/arch/mips/lib/crypto/poly1305-glue.c
@@ -5,23 +5,33 @@
  * Copyright (C) 2019 Linaro Ltd. <ard.biesheuvel@linaro.org>
  */
 
-#include <crypto/poly1305.h>
+#include <crypto/internal/poly1305.h>
 #include <linux/cpufeature.h>
+#include <linux/kernel.h>
 #include <linux/module.h>
+#include <linux/string.h>
 #include <linux/unaligned.h>
 
-asmlinkage void poly1305_init_mips(void *state, const u8 *key);
-asmlinkage void poly1305_blocks_mips(void *state, const u8 *src, u32 len, u32 hibit);
-asmlinkage void poly1305_emit_mips(void *state, u8 *digest, const u32 *nonce);
+asmlinkage void poly1305_block_init_arch(
+	struct poly1305_block_state *state,
+	const u8 raw_key[POLY1305_BLOCK_SIZE]);
+EXPORT_SYMBOL_GPL(poly1305_block_init_arch);
+asmlinkage void poly1305_blocks_arch(struct poly1305_block_state *state,
+				     const u8 *src, u32 len, u32 hibit);
+EXPORT_SYMBOL_GPL(poly1305_blocks_arch);
+asmlinkage void poly1305_emit_arch(const struct poly1305_state *state,
+				   u8 digest[POLY1305_DIGEST_SIZE],
+				   const u32 nonce[4]);
+EXPORT_SYMBOL_GPL(poly1305_emit_arch);
 
 void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 key[POLY1305_KEY_SIZE])
 {
-	poly1305_init_mips(&dctx->h, key);
 	dctx->s[0] = get_unaligned_le32(key + 16);
 	dctx->s[1] = get_unaligned_le32(key + 20);
 	dctx->s[2] = get_unaligned_le32(key + 24);
 	dctx->s[3] = get_unaligned_le32(key + 28);
 	dctx->buflen = 0;
+	poly1305_block_init_arch(&dctx->state, key);
 }
 EXPORT_SYMBOL(poly1305_init_arch);
 
@@ -37,7 +47,7 @@ void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
 		dctx->buflen += bytes;
 
 		if (dctx->buflen == POLY1305_BLOCK_SIZE) {
-			poly1305_blocks_mips(&dctx->h, dctx->buf,
+			poly1305_blocks_arch(&dctx->state, dctx->buf,
 					     POLY1305_BLOCK_SIZE, 1);
 			dctx->buflen = 0;
 		}
@@ -46,7 +56,7 @@ void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
 	if (likely(nbytes >= POLY1305_BLOCK_SIZE)) {
 		unsigned int len = round_down(nbytes, POLY1305_BLOCK_SIZE);
 
-		poly1305_blocks_mips(&dctx->h, src, len, 1);
+		poly1305_blocks_arch(&dctx->state, src, len, 1);
 		src += len;
 		nbytes %= POLY1305_BLOCK_SIZE;
 	}
@@ -64,10 +74,11 @@ void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
 		dctx->buf[dctx->buflen++] = 1;
 		memset(dctx->buf + dctx->buflen, 0,
 		       POLY1305_BLOCK_SIZE - dctx->buflen);
-		poly1305_blocks_mips(&dctx->h, dctx->buf, POLY1305_BLOCK_SIZE, 0);
+		poly1305_blocks_arch(&dctx->state, dctx->buf,
+				     POLY1305_BLOCK_SIZE, 0);
 	}
 
-	poly1305_emit_mips(&dctx->h, dst, dctx->s);
+	poly1305_emit_arch(&dctx->h, dst, dctx->s);
 	*dctx = (struct poly1305_desc_ctx){};
 }
 EXPORT_SYMBOL(poly1305_final_arch);
diff --git a/arch/mips/lib/crypto/poly1305-mips.pl b/arch/mips/lib/crypto/poly1305-mips.pl
index b05bab884ed2..399f10c3e385 100644
--- a/arch/mips/lib/crypto/poly1305-mips.pl
+++ b/arch/mips/lib/crypto/poly1305-mips.pl
@@ -93,9 +93,9 @@ $code.=<<___;
 #endif
 
 #ifdef	__KERNEL__
-# define poly1305_init   poly1305_init_mips
-# define poly1305_blocks poly1305_blocks_mips
-# define poly1305_emit   poly1305_emit_mips
+# define poly1305_init   poly1305_block_init_arch
+# define poly1305_blocks poly1305_blocks_arch
+# define poly1305_emit   poly1305_emit_arch
 #endif
 
 #if defined(__MIPSEB__) && !defined(MIPSEB)
@@ -565,9 +565,9 @@ $code.=<<___;
 #endif
 
 #ifdef	__KERNEL__
-# define poly1305_init   poly1305_init_mips
-# define poly1305_blocks poly1305_blocks_mips
-# define poly1305_emit   poly1305_emit_mips
+# define poly1305_init   poly1305_block_init_arch
+# define poly1305_blocks poly1305_blocks_arch
+# define poly1305_emit   poly1305_emit_arch
 #endif
 
 #if defined(__MIPSEB__) && !defined(MIPSEB)
-- 
2.39.5

[v4 PATCH 06/11] crypto: powerpc/poly1305 - Add block-only interface

[Herbert Xu]

Add block-only interface.

Also remove the unnecessary SIMD fallback path.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---
 arch/powerpc/lib/crypto/poly1305-p10-glue.c | 84 ++++++++++++---------
 1 file changed, 49 insertions(+), 35 deletions(-)

diff --git a/arch/powerpc/lib/crypto/poly1305-p10-glue.c b/arch/powerpc/lib/crypto/poly1305-p10-glue.c
index 00617f4c58e6..708435beaba6 100644
--- a/arch/powerpc/lib/crypto/poly1305-p10-glue.c
+++ b/arch/powerpc/lib/crypto/poly1305-p10-glue.c
@@ -4,19 +4,20 @@
  *
  * Copyright 2023- IBM Corp. All rights reserved.
  */
+#include <asm/switch_to.h>
+#include <crypto/internal/poly1305.h>
+#include <linux/cpufeature.h>
+#include <linux/jump_label.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
-#include <linux/jump_label.h>
-#include <crypto/internal/simd.h>
-#include <crypto/poly1305.h>
-#include <linux/cpufeature.h>
+#include <linux/string.h>
 #include <linux/unaligned.h>
-#include <asm/simd.h>
-#include <asm/switch_to.h>
 
-asmlinkage void poly1305_p10le_4blocks(void *h, const u8 *m, u32 mlen);
-asmlinkage void poly1305_64s(void *h, const u8 *m, u32 mlen, int highbit);
-asmlinkage void poly1305_emit_64(void *h, void *s, u8 *dst);
+asmlinkage void poly1305_p10le_4blocks(struct poly1305_block_state *state, const u8 *m, u32 mlen);
+asmlinkage void poly1305_64s(struct poly1305_block_state *state, const u8 *m, u32 mlen, int highbit);
+asmlinkage void poly1305_emit_arch(const struct poly1305_state *state,
+				   u8 digest[POLY1305_DIGEST_SIZE],
+				   const u32 nonce[4]);
 
 static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_p10);
 
@@ -32,22 +33,49 @@ static void vsx_end(void)
 	preempt_enable();
 }
 
-void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 key[POLY1305_KEY_SIZE])
+void poly1305_block_init_arch(struct poly1305_block_state *dctx,
+			      const u8 raw_key[POLY1305_BLOCK_SIZE])
 {
 	if (!static_key_enabled(&have_p10))
-		return poly1305_init_generic(dctx, key);
+		return poly1305_block_init_generic(dctx, raw_key);
 
 	dctx->h = (struct poly1305_state){};
-	dctx->core_r.key.r64[0] = get_unaligned_le64(key + 0);
-	dctx->core_r.key.r64[1] = get_unaligned_le64(key + 8);
+	dctx->core_r.key.r64[0] = get_unaligned_le64(raw_key + 0);
+	dctx->core_r.key.r64[1] = get_unaligned_le64(raw_key + 8);
+}
+EXPORT_SYMBOL_GPL(poly1305_block_init_arch);
+
+void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 key[POLY1305_KEY_SIZE])
+{
 	dctx->s[0] = get_unaligned_le32(key + 16);
 	dctx->s[1] = get_unaligned_le32(key + 20);
 	dctx->s[2] = get_unaligned_le32(key + 24);
 	dctx->s[3] = get_unaligned_le32(key + 28);
 	dctx->buflen = 0;
+	poly1305_block_init_arch(&dctx->state, key);
 }
 EXPORT_SYMBOL(poly1305_init_arch);
 
+void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
+			  unsigned int len, u32 padbit)
+{
+	if (!static_key_enabled(&have_p10))
+		return poly1305_blocks_generic(state, src, len, padbit);
+	vsx_begin();
+	if (len >= POLY1305_BLOCK_SIZE * 4) {
+		poly1305_p10le_4blocks(state, src, len);
+		src += len - (len % (POLY1305_BLOCK_SIZE * 4));
+		len %= POLY1305_BLOCK_SIZE * 4;
+	}
+	while (len >= POLY1305_BLOCK_SIZE) {
+		poly1305_64s(state, src, POLY1305_BLOCK_SIZE, padbit);
+		len -= POLY1305_BLOCK_SIZE;
+		src += POLY1305_BLOCK_SIZE;
+	}
+	vsx_end();
+}
+EXPORT_SYMBOL_GPL(poly1305_blocks_arch);
+
 void poly1305_update_arch(struct poly1305_desc_ctx *dctx,
 			  const u8 *src, unsigned int srclen)
 {
@@ -64,28 +92,15 @@ void poly1305_update_arch(struct poly1305_desc_ctx *dctx,
 		dctx->buflen += bytes;
 		if (dctx->buflen < POLY1305_BLOCK_SIZE)
 			return;
-		vsx_begin();
-		poly1305_64s(&dctx->h, dctx->buf, POLY1305_BLOCK_SIZE, 1);
-		vsx_end();
+		poly1305_blocks_arch(&dctx->state, dctx->buf,
+				     POLY1305_BLOCK_SIZE, 1);
 		dctx->buflen = 0;
 	}
 
 	if (likely(srclen >= POLY1305_BLOCK_SIZE)) {
-		bytes = round_down(srclen, POLY1305_BLOCK_SIZE);
-		if (crypto_simd_usable() && (srclen >= POLY1305_BLOCK_SIZE*4)) {
-			vsx_begin();
-			poly1305_p10le_4blocks(&dctx->h, src, srclen);
-			vsx_end();
-			src += srclen - (srclen % (POLY1305_BLOCK_SIZE * 4));
-			srclen %= POLY1305_BLOCK_SIZE * 4;
-		}
-		while (srclen >= POLY1305_BLOCK_SIZE) {
-			vsx_begin();
-			poly1305_64s(&dctx->h, src, POLY1305_BLOCK_SIZE, 1);
-			vsx_end();
-			srclen -= POLY1305_BLOCK_SIZE;
-			src += POLY1305_BLOCK_SIZE;
-		}
+		poly1305_blocks_arch(&dctx->state, src, srclen, 1);
+		src += srclen - (srclen % POLY1305_BLOCK_SIZE);
+		srclen %= POLY1305_BLOCK_SIZE;
 	}
 
 	if (unlikely(srclen)) {
@@ -104,12 +119,11 @@ void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
 		dctx->buf[dctx->buflen++] = 1;
 		memset(dctx->buf + dctx->buflen, 0,
 		       POLY1305_BLOCK_SIZE - dctx->buflen);
-		vsx_begin();
-		poly1305_64s(&dctx->h, dctx->buf, POLY1305_BLOCK_SIZE, 0);
-		vsx_end();
+		poly1305_blocks_arch(&dctx->state, dctx->buf,
+				     POLY1305_BLOCK_SIZE, 0);
 	}
 
-	poly1305_emit_64(&dctx->h, &dctx->s, dst);
+	poly1305_emit_arch(&dctx->h, dst, dctx->s);
 }
 EXPORT_SYMBOL(poly1305_final_arch);
 
-- 
2.39.5

[v4 PATCH 07/11] crypto: x86/poly1305 - Add block-only interface

[Herbert Xu]

Add block-only interface.

Also remove the unnecessary SIMD fallback path.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---
 .../lib/crypto/poly1305-x86_64-cryptogams.pl  |  33 +++--
 arch/x86/lib/crypto/poly1305_glue.c           | 125 +++++++-----------
 2 files changed, 71 insertions(+), 87 deletions(-)

diff --git a/arch/x86/lib/crypto/poly1305-x86_64-cryptogams.pl b/arch/x86/lib/crypto/poly1305-x86_64-cryptogams.pl
index 409ec6955733..501827254fed 100644
--- a/arch/x86/lib/crypto/poly1305-x86_64-cryptogams.pl
+++ b/arch/x86/lib/crypto/poly1305-x86_64-cryptogams.pl
@@ -118,6 +118,19 @@ sub declare_function() {
 	}
 }
 
+sub declare_typed_function() {
+	my ($name, $align, $nargs) = @_;
+	if($kernel) {
+		$code .= "SYM_TYPED_FUNC_START($name)\n";
+		$code .= ".L$name:\n";
+	} else {
+		$code .= ".globl	$name\n";
+		$code .= ".type	$name,\@function,$nargs\n";
+		$code .= ".align	$align\n";
+		$code .= "$name:\n";
+	}
+}
+
 sub end_function() {
 	my ($name) = @_;
 	if($kernel) {
@@ -128,7 +141,7 @@ sub end_function() {
 }
 
 $code.=<<___ if $kernel;
-#include <linux/linkage.h>
+#include <linux/cfi_types.h>
 ___
 
 if ($avx) {
@@ -236,14 +249,14 @@ ___
 $code.=<<___ if (!$kernel);
 .extern	OPENSSL_ia32cap_P
 
-.globl	poly1305_init_x86_64
-.hidden	poly1305_init_x86_64
+.globl	poly1305_block_init_arch
+.hidden	poly1305_block_init_arch
 .globl	poly1305_blocks_x86_64
 .hidden	poly1305_blocks_x86_64
 .globl	poly1305_emit_x86_64
 .hidden	poly1305_emit_x86_64
 ___
-&declare_function("poly1305_init_x86_64", 32, 3);
+&declare_typed_function("poly1305_block_init_arch", 32, 3);
 $code.=<<___;
 	xor	%eax,%eax
 	mov	%rax,0($ctx)		# initialize hash value
@@ -298,7 +311,7 @@ $code.=<<___;
 .Lno_key:
 	RET
 ___
-&end_function("poly1305_init_x86_64");
+&end_function("poly1305_block_init_arch");
 
 &declare_function("poly1305_blocks_x86_64", 32, 4);
 $code.=<<___;
@@ -4105,9 +4118,9 @@ avx_handler:
 
 .section	.pdata
 .align	4
-	.rva	.LSEH_begin_poly1305_init_x86_64
-	.rva	.LSEH_end_poly1305_init_x86_64
-	.rva	.LSEH_info_poly1305_init_x86_64
+	.rva	.LSEH_begin_poly1305_block_init_arch
+	.rva	.LSEH_end_poly1305_block_init_arch
+	.rva	.LSEH_info_poly1305_block_init_arch
 
 	.rva	.LSEH_begin_poly1305_blocks_x86_64
 	.rva	.LSEH_end_poly1305_blocks_x86_64
@@ -4155,10 +4168,10 @@ ___
 $code.=<<___;
 .section	.xdata
 .align	8
-.LSEH_info_poly1305_init_x86_64:
+.LSEH_info_poly1305_block_init_arch:
 	.byte	9,0,0,0
 	.rva	se_handler
-	.rva	.LSEH_begin_poly1305_init_x86_64,.LSEH_begin_poly1305_init_x86_64
+	.rva	.LSEH_begin_poly1305_block_init_arch,.LSEH_begin_poly1305_block_init_arch
 
 .LSEH_info_poly1305_blocks_x86_64:
 	.byte	9,0,0,0
diff --git a/arch/x86/lib/crypto/poly1305_glue.c b/arch/x86/lib/crypto/poly1305_glue.c
index cff35ca5822a..d98764ec3b47 100644
--- a/arch/x86/lib/crypto/poly1305_glue.c
+++ b/arch/x86/lib/crypto/poly1305_glue.c
@@ -3,34 +3,15 @@
  * Copyright (C) 2015-2019 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
  */
 
-#include <crypto/internal/simd.h>
-#include <crypto/poly1305.h>
+#include <asm/cpu_device_id.h>
+#include <asm/fpu/api.h>
+#include <crypto/internal/poly1305.h>
 #include <linux/jump_label.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/sizes.h>
+#include <linux/string.h>
 #include <linux/unaligned.h>
-#include <asm/cpu_device_id.h>
-#include <asm/simd.h>
-
-asmlinkage void poly1305_init_x86_64(void *ctx,
-				     const u8 key[POLY1305_BLOCK_SIZE]);
-asmlinkage void poly1305_blocks_x86_64(void *ctx, const u8 *inp,
-				       const size_t len, const u32 padbit);
-asmlinkage void poly1305_emit_x86_64(void *ctx, u8 mac[POLY1305_DIGEST_SIZE],
-				     const u32 nonce[4]);
-asmlinkage void poly1305_emit_avx(void *ctx, u8 mac[POLY1305_DIGEST_SIZE],
-				  const u32 nonce[4]);
-asmlinkage void poly1305_blocks_avx(void *ctx, const u8 *inp, const size_t len,
-				    const u32 padbit);
-asmlinkage void poly1305_blocks_avx2(void *ctx, const u8 *inp, const size_t len,
-				     const u32 padbit);
-asmlinkage void poly1305_blocks_avx512(void *ctx, const u8 *inp,
-				       const size_t len, const u32 padbit);
-
-static __ro_after_init DEFINE_STATIC_KEY_FALSE(poly1305_use_avx);
-static __ro_after_init DEFINE_STATIC_KEY_FALSE(poly1305_use_avx2);
-static __ro_after_init DEFINE_STATIC_KEY_FALSE(poly1305_use_avx512);
 
 struct poly1305_arch_internal {
 	union {
@@ -45,64 +26,50 @@ struct poly1305_arch_internal {
 	struct { u32 r2, r1, r4, r3; } rn[9];
 };
 
-/* The AVX code uses base 2^26, while the scalar code uses base 2^64. If we hit
- * the unfortunate situation of using AVX and then having to go back to scalar
- * -- because the user is silly and has called the update function from two
- * separate contexts -- then we need to convert back to the original base before
- * proceeding. It is possible to reason that the initial reduction below is
- * sufficient given the implementation invariants. However, for an avoidance of
- * doubt and because this is not performance critical, we do the full reduction
- * anyway. Z3 proof of below function: https://xn--4db.cc/ltPtHCKN/py
- */
-static void convert_to_base2_64(void *ctx)
+asmlinkage void poly1305_block_init_arch(
+	struct poly1305_block_state *state,
+	const u8 raw_key[POLY1305_BLOCK_SIZE]);
+EXPORT_SYMBOL_GPL(poly1305_block_init_arch);
+asmlinkage void poly1305_blocks_x86_64(struct poly1305_arch_internal *ctx,
+				       const u8 *inp,
+				       const size_t len, const u32 padbit);
+asmlinkage void poly1305_emit_x86_64(const struct poly1305_state *ctx,
+				     u8 mac[POLY1305_DIGEST_SIZE],
+				     const u32 nonce[4]);
+asmlinkage void poly1305_emit_avx(const struct poly1305_state *ctx,
+				  u8 mac[POLY1305_DIGEST_SIZE],
+				  const u32 nonce[4]);
+asmlinkage void poly1305_blocks_avx(struct poly1305_arch_internal *ctx,
+				    const u8 *inp, const size_t len,
+				    const u32 padbit);
+asmlinkage void poly1305_blocks_avx2(struct poly1305_arch_internal *ctx,
+				     const u8 *inp, const size_t len,
+				     const u32 padbit);
+asmlinkage void poly1305_blocks_avx512(struct poly1305_arch_internal *ctx,
+				       const u8 *inp,
+				       const size_t len, const u32 padbit);
+
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(poly1305_use_avx);
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(poly1305_use_avx2);
+static __ro_after_init DEFINE_STATIC_KEY_FALSE(poly1305_use_avx512);
+
+void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *inp,
+			  unsigned int len, u32 padbit)
 {
-	struct poly1305_arch_internal *state = ctx;
-	u32 cy;
-
-	if (!state->is_base2_26)
-		return;
-
-	cy = state->h[0] >> 26; state->h[0] &= 0x3ffffff; state->h[1] += cy;
-	cy = state->h[1] >> 26; state->h[1] &= 0x3ffffff; state->h[2] += cy;
-	cy = state->h[2] >> 26; state->h[2] &= 0x3ffffff; state->h[3] += cy;
-	cy = state->h[3] >> 26; state->h[3] &= 0x3ffffff; state->h[4] += cy;
-	state->hs[0] = ((u64)state->h[2] << 52) | ((u64)state->h[1] << 26) | state->h[0];
-	state->hs[1] = ((u64)state->h[4] << 40) | ((u64)state->h[3] << 14) | (state->h[2] >> 12);
-	state->hs[2] = state->h[4] >> 24;
-#define ULT(a, b) ((a ^ ((a ^ b) | ((a - b) ^ b))) >> (sizeof(a) * 8 - 1))
-	cy = (state->hs[2] >> 2) + (state->hs[2] & ~3ULL);
-	state->hs[2] &= 3;
-	state->hs[0] += cy;
-	state->hs[1] += (cy = ULT(state->hs[0], cy));
-	state->hs[2] += ULT(state->hs[1], cy);
-#undef ULT
-	state->is_base2_26 = 0;
-}
-
-static void poly1305_simd_init(void *ctx, const u8 key[POLY1305_BLOCK_SIZE])
-{
-	poly1305_init_x86_64(ctx, key);
-}
-
-static void poly1305_simd_blocks(void *ctx, const u8 *inp, size_t len,
-				 const u32 padbit)
-{
-	struct poly1305_arch_internal *state = ctx;
+	struct poly1305_arch_internal *ctx =
+		container_of(&state->h.h, struct poly1305_arch_internal, h);
 
 	/* SIMD disables preemption, so relax after processing each page. */
 	BUILD_BUG_ON(SZ_4K < POLY1305_BLOCK_SIZE ||
 		     SZ_4K % POLY1305_BLOCK_SIZE);
 
-	if (!static_branch_likely(&poly1305_use_avx) ||
-	    (len < (POLY1305_BLOCK_SIZE * 18) && !state->is_base2_26) ||
-	    !crypto_simd_usable()) {
-		convert_to_base2_64(ctx);
+	if (!static_branch_likely(&poly1305_use_avx)) {
 		poly1305_blocks_x86_64(ctx, inp, len, padbit);
 		return;
 	}
 
 	do {
-		const size_t bytes = min_t(size_t, len, SZ_4K);
+		const unsigned int bytes = min(len, SZ_4K);
 
 		kernel_fpu_begin();
 		if (static_branch_likely(&poly1305_use_avx512))
@@ -117,24 +84,26 @@ static void poly1305_simd_blocks(void *ctx, const u8 *inp, size_t len,
 		inp += bytes;
 	} while (len);
 }
+EXPORT_SYMBOL_GPL(poly1305_blocks_arch);
 
-static void poly1305_simd_emit(void *ctx, u8 mac[POLY1305_DIGEST_SIZE],
-			       const u32 nonce[4])
+void poly1305_emit_arch(const struct poly1305_state *ctx,
+			u8 mac[POLY1305_DIGEST_SIZE], const u32 nonce[4])
 {
 	if (!static_branch_likely(&poly1305_use_avx))
 		poly1305_emit_x86_64(ctx, mac, nonce);
 	else
 		poly1305_emit_avx(ctx, mac, nonce);
 }
+EXPORT_SYMBOL_GPL(poly1305_emit_arch);
 
 void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 key[POLY1305_KEY_SIZE])
 {
-	poly1305_simd_init(&dctx->h, key);
 	dctx->s[0] = get_unaligned_le32(&key[16]);
 	dctx->s[1] = get_unaligned_le32(&key[20]);
 	dctx->s[2] = get_unaligned_le32(&key[24]);
 	dctx->s[3] = get_unaligned_le32(&key[28]);
 	dctx->buflen = 0;
+	poly1305_block_init_arch(&dctx->state, key);
 }
 EXPORT_SYMBOL(poly1305_init_arch);
 
@@ -151,14 +120,15 @@ void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
 		dctx->buflen += bytes;
 
 		if (dctx->buflen == POLY1305_BLOCK_SIZE) {
-			poly1305_simd_blocks(&dctx->h, dctx->buf, POLY1305_BLOCK_SIZE, 1);
+			poly1305_blocks_arch(&dctx->state, dctx->buf,
+					     POLY1305_BLOCK_SIZE, 1);
 			dctx->buflen = 0;
 		}
 	}
 
 	if (likely(srclen >= POLY1305_BLOCK_SIZE)) {
 		bytes = round_down(srclen, POLY1305_BLOCK_SIZE);
-		poly1305_simd_blocks(&dctx->h, src, bytes, 1);
+		poly1305_blocks_arch(&dctx->state, src, bytes, 1);
 		src += bytes;
 		srclen -= bytes;
 	}
@@ -176,10 +146,11 @@ void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
 		dctx->buf[dctx->buflen++] = 1;
 		memset(dctx->buf + dctx->buflen, 0,
 		       POLY1305_BLOCK_SIZE - dctx->buflen);
-		poly1305_simd_blocks(&dctx->h, dctx->buf, POLY1305_BLOCK_SIZE, 0);
+		poly1305_blocks_arch(&dctx->state, dctx->buf,
+				     POLY1305_BLOCK_SIZE, 0);
 	}
 
-	poly1305_simd_emit(&dctx->h, dst, dctx->s);
+	poly1305_emit_arch(&dctx->h, dst, dctx->s);
 	memzero_explicit(dctx, sizeof(*dctx));
 }
 EXPORT_SYMBOL(poly1305_final_arch);
-- 
2.39.5

[v4 PATCH 08/11] crypto: chacha20poly1305 - Use lib/crypto poly1305

[Herbert Xu]

Since the poly1305 algorithm is fixed, there is no point in going
through the Crypto API for it.  Use the lib/crypto poly1305 interface
instead.

For compatiblity keep the poly1305 parameter in the algorithm name.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---
 crypto/Kconfig            |   2 +-
 crypto/chacha20poly1305.c | 323 ++++++++------------------------------
 2 files changed, 67 insertions(+), 258 deletions(-)

diff --git a/crypto/Kconfig b/crypto/Kconfig
index 9878286d1d68..f87e2a26d2dd 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -784,8 +784,8 @@ config CRYPTO_AEGIS128_SIMD
 config CRYPTO_CHACHA20POLY1305
 	tristate "ChaCha20-Poly1305"
 	select CRYPTO_CHACHA20
-	select CRYPTO_POLY1305
 	select CRYPTO_AEAD
+	select CRYPTO_LIB_POLY1305
 	select CRYPTO_MANAGER
 	help
 	  ChaCha20 stream cipher and Poly1305 authenticator combined
diff --git a/crypto/chacha20poly1305.c b/crypto/chacha20poly1305.c
index d740849f1c19..b29f66ba1e2f 100644
--- a/crypto/chacha20poly1305.c
+++ b/crypto/chacha20poly1305.c
@@ -12,36 +12,23 @@
 #include <crypto/chacha.h>
 #include <crypto/poly1305.h>
 #include <linux/err.h>
-#include <linux/init.h>
 #include <linux/kernel.h>
+#include <linux/mm.h>
 #include <linux/module.h>
+#include <linux/string.h>
 
 struct chachapoly_instance_ctx {
 	struct crypto_skcipher_spawn chacha;
-	struct crypto_ahash_spawn poly;
 	unsigned int saltlen;
 };
 
 struct chachapoly_ctx {
 	struct crypto_skcipher *chacha;
-	struct crypto_ahash *poly;
 	/* key bytes we use for the ChaCha20 IV */
 	unsigned int saltlen;
 	u8 salt[] __counted_by(saltlen);
 };
 
-struct poly_req {
-	/* zero byte padding for AD/ciphertext, as needed */
-	u8 pad[POLY1305_BLOCK_SIZE];
-	/* tail data with AD/ciphertext lengths */
-	struct {
-		__le64 assoclen;
-		__le64 cryptlen;
-	} tail;
-	struct scatterlist src[1];
-	struct ahash_request req; /* must be last member */
-};
-
 struct chacha_req {
 	u8 iv[CHACHA_IV_SIZE];
 	struct scatterlist src[1];
@@ -62,7 +49,6 @@ struct chachapoly_req_ctx {
 	/* request flags, with MAY_SLEEP cleared if needed */
 	u32 flags;
 	union {
-		struct poly_req poly;
 		struct chacha_req chacha;
 	} u;
 };
@@ -105,16 +91,6 @@ static int poly_verify_tag(struct aead_request *req)
 	return 0;
 }
 
-static int poly_copy_tag(struct aead_request *req)
-{
-	struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
-
-	scatterwalk_map_and_copy(rctx->tag, req->dst,
-				 req->assoclen + rctx->cryptlen,
-				 sizeof(rctx->tag), 1);
-	return 0;
-}
-
 static void chacha_decrypt_done(void *data, int err)
 {
 	async_done_continue(data, err, poly_verify_tag);
@@ -151,210 +127,76 @@ static int chacha_decrypt(struct aead_request *req)
 	return poly_verify_tag(req);
 }
 
-static int poly_tail_continue(struct aead_request *req)
+static int poly_hash(struct aead_request *req)
 {
 	struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
+	const void *zp = page_address(ZERO_PAGE(0));
+	struct scatterlist *sg = req->src;
+	struct poly1305_desc_ctx desc;
+	struct scatter_walk walk;
+	struct {
+		union {
+			struct {
+				__le64 assoclen;
+				__le64 cryptlen;
+			};
+			u8 u8[16];
+		};
+	} tail;
+	unsigned int padlen;
+	unsigned int total;
+
+	if (sg != req->dst)
+		memcpy_sglist(req->dst, sg, req->assoclen);
 
 	if (rctx->cryptlen == req->cryptlen) /* encrypting */
-		return poly_copy_tag(req);
+		sg = req->dst;
 
-	return chacha_decrypt(req);
-}
+	poly1305_init(&desc, rctx->key);
+	scatterwalk_start(&walk, sg);
 
-static void poly_tail_done(void *data, int err)
-{
-	async_done_continue(data, err, poly_tail_continue);
-}
+	total = rctx->assoclen;
+	while (total) {
+		unsigned int n = scatterwalk_next(&walk, total);
 
-static int poly_tail(struct aead_request *req)
-{
-	struct crypto_aead *tfm = crypto_aead_reqtfm(req);
-	struct chachapoly_ctx *ctx = crypto_aead_ctx(tfm);
-	struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
-	struct poly_req *preq = &rctx->u.poly;
-	int err;
-
-	preq->tail.assoclen = cpu_to_le64(rctx->assoclen);
-	preq->tail.cryptlen = cpu_to_le64(rctx->cryptlen);
-	sg_init_one(preq->src, &preq->tail, sizeof(preq->tail));
-
-	ahash_request_set_callback(&preq->req, rctx->flags,
-				   poly_tail_done, req);
-	ahash_request_set_tfm(&preq->req, ctx->poly);
-	ahash_request_set_crypt(&preq->req, preq->src,
-				rctx->tag, sizeof(preq->tail));
-
-	err = crypto_ahash_finup(&preq->req);
-	if (err)
-		return err;
-
-	return poly_tail_continue(req);
-}
-
-static void poly_cipherpad_done(void *data, int err)
-{
-	async_done_continue(data, err, poly_tail);
-}
-
-static int poly_cipherpad(struct aead_request *req)
-{
-	struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
-	struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
-	struct poly_req *preq = &rctx->u.poly;
-	unsigned int padlen;
-	int err;
-
-	padlen = -rctx->cryptlen % POLY1305_BLOCK_SIZE;
-	memset(preq->pad, 0, sizeof(preq->pad));
-	sg_init_one(preq->src, preq->pad, padlen);
-
-	ahash_request_set_callback(&preq->req, rctx->flags,
-				   poly_cipherpad_done, req);
-	ahash_request_set_tfm(&preq->req, ctx->poly);
-	ahash_request_set_crypt(&preq->req, preq->src, NULL, padlen);
-
-	err = crypto_ahash_update(&preq->req);
-	if (err)
-		return err;
-
-	return poly_tail(req);
-}
-
-static void poly_cipher_done(void *data, int err)
-{
-	async_done_continue(data, err, poly_cipherpad);
-}
-
-static int poly_cipher(struct aead_request *req)
-{
-	struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
-	struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
-	struct poly_req *preq = &rctx->u.poly;
-	struct scatterlist *crypt = req->src;
-	int err;
-
-	if (rctx->cryptlen == req->cryptlen) /* encrypting */
-		crypt = req->dst;
-
-	crypt = scatterwalk_ffwd(rctx->src, crypt, req->assoclen);
-
-	ahash_request_set_callback(&preq->req, rctx->flags,
-				   poly_cipher_done, req);
-	ahash_request_set_tfm(&preq->req, ctx->poly);
-	ahash_request_set_crypt(&preq->req, crypt, NULL, rctx->cryptlen);
-
-	err = crypto_ahash_update(&preq->req);
-	if (err)
-		return err;
-
-	return poly_cipherpad(req);
-}
-
-static void poly_adpad_done(void *data, int err)
-{
-	async_done_continue(data, err, poly_cipher);
-}
-
-static int poly_adpad(struct aead_request *req)
-{
-	struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
-	struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
-	struct poly_req *preq = &rctx->u.poly;
-	unsigned int padlen;
-	int err;
+		poly1305_update(&desc, walk.addr, n);
+		scatterwalk_done_src(&walk, n);
+		total -= n;
+	}
 
 	padlen = -rctx->assoclen % POLY1305_BLOCK_SIZE;
-	memset(preq->pad, 0, sizeof(preq->pad));
-	sg_init_one(preq->src, preq->pad, padlen);
+	poly1305_update(&desc, zp, padlen);
 
-	ahash_request_set_callback(&preq->req, rctx->flags,
-				   poly_adpad_done, req);
-	ahash_request_set_tfm(&preq->req, ctx->poly);
-	ahash_request_set_crypt(&preq->req, preq->src, NULL, padlen);
+	scatterwalk_skip(&walk, req->assoclen - rctx->assoclen);
 
-	err = crypto_ahash_update(&preq->req);
-	if (err)
-		return err;
+	total = rctx->cryptlen;
+	while (total) {
+		unsigned int n = scatterwalk_next(&walk, total);
 
-	return poly_cipher(req);
-}
+		poly1305_update(&desc, walk.addr, n);
+		scatterwalk_done_src(&walk, n);
+		total -= n;
+	}
 
-static void poly_ad_done(void *data, int err)
-{
-	async_done_continue(data, err, poly_adpad);
-}
+	padlen = -rctx->cryptlen % POLY1305_BLOCK_SIZE;
+	poly1305_update(&desc, zp, padlen);
 
-static int poly_ad(struct aead_request *req)
-{
-	struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
-	struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
-	struct poly_req *preq = &rctx->u.poly;
-	int err;
+	tail.assoclen = cpu_to_le64(rctx->assoclen);
+	tail.cryptlen = cpu_to_le64(rctx->cryptlen);
+	poly1305_update(&desc, tail.u8, sizeof(tail));
+	memzero_explicit(&tail, sizeof(tail));
+	poly1305_final(&desc, rctx->tag);
 
-	ahash_request_set_callback(&preq->req, rctx->flags,
-				   poly_ad_done, req);
-	ahash_request_set_tfm(&preq->req, ctx->poly);
-	ahash_request_set_crypt(&preq->req, req->src, NULL, rctx->assoclen);
+	if (rctx->cryptlen != req->cryptlen)
+		return chacha_decrypt(req);
 
-	err = crypto_ahash_update(&preq->req);
-	if (err)
-		return err;
-
-	return poly_adpad(req);
-}
-
-static void poly_setkey_done(void *data, int err)
-{
-	async_done_continue(data, err, poly_ad);
-}
-
-static int poly_setkey(struct aead_request *req)
-{
-	struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
-	struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
-	struct poly_req *preq = &rctx->u.poly;
-	int err;
-
-	sg_init_one(preq->src, rctx->key, sizeof(rctx->key));
-
-	ahash_request_set_callback(&preq->req, rctx->flags,
-				   poly_setkey_done, req);
-	ahash_request_set_tfm(&preq->req, ctx->poly);
-	ahash_request_set_crypt(&preq->req, preq->src, NULL, sizeof(rctx->key));
-
-	err = crypto_ahash_update(&preq->req);
-	if (err)
-		return err;
-
-	return poly_ad(req);
-}
-
-static void poly_init_done(void *data, int err)
-{
-	async_done_continue(data, err, poly_setkey);
-}
-
-static int poly_init(struct aead_request *req)
-{
-	struct chachapoly_ctx *ctx = crypto_aead_ctx(crypto_aead_reqtfm(req));
-	struct chachapoly_req_ctx *rctx = aead_request_ctx(req);
-	struct poly_req *preq = &rctx->u.poly;
-	int err;
-
-	ahash_request_set_callback(&preq->req, rctx->flags,
-				   poly_init_done, req);
-	ahash_request_set_tfm(&preq->req, ctx->poly);
-
-	err = crypto_ahash_init(&preq->req);
-	if (err)
-		return err;
-
-	return poly_setkey(req);
+	memcpy_to_scatterwalk(&walk, rctx->tag, sizeof(rctx->tag));
+	return 0;
 }
 
 static void poly_genkey_done(void *data, int err)
 {
-	async_done_continue(data, err, poly_init);
+	async_done_continue(data, err, poly_hash);
 }
 
 static int poly_genkey(struct aead_request *req)
@@ -388,7 +230,7 @@ static int poly_genkey(struct aead_request *req)
 	if (err)
 		return err;
 
-	return poly_init(req);
+	return poly_hash(req);
 }
 
 static void chacha_encrypt_done(void *data, int err)
@@ -437,14 +279,7 @@ static int chachapoly_encrypt(struct aead_request *req)
 	/* encrypt call chain:
 	 * - chacha_encrypt/done()
 	 * - poly_genkey/done()
-	 * - poly_init/done()
-	 * - poly_setkey/done()
-	 * - poly_ad/done()
-	 * - poly_adpad/done()
-	 * - poly_cipher/done()
-	 * - poly_cipherpad/done()
-	 * - poly_tail/done/continue()
-	 * - poly_copy_tag()
+	 * - poly_hash()
 	 */
 	return chacha_encrypt(req);
 }
@@ -458,13 +293,7 @@ static int chachapoly_decrypt(struct aead_request *req)
 
 	/* decrypt call chain:
 	 * - poly_genkey/done()
-	 * - poly_init/done()
-	 * - poly_setkey/done()
-	 * - poly_ad/done()
-	 * - poly_adpad/done()
-	 * - poly_cipher/done()
-	 * - poly_cipherpad/done()
-	 * - poly_tail/done/continue()
+	 * - poly_hash()
 	 * - chacha_decrypt/done()
 	 * - poly_verify_tag()
 	 */
@@ -503,21 +332,13 @@ static int chachapoly_init(struct crypto_aead *tfm)
 	struct chachapoly_instance_ctx *ictx = aead_instance_ctx(inst);
 	struct chachapoly_ctx *ctx = crypto_aead_ctx(tfm);
 	struct crypto_skcipher *chacha;
-	struct crypto_ahash *poly;
 	unsigned long align;
 
-	poly = crypto_spawn_ahash(&ictx->poly);
-	if (IS_ERR(poly))
-		return PTR_ERR(poly);
-
 	chacha = crypto_spawn_skcipher(&ictx->chacha);
-	if (IS_ERR(chacha)) {
-		crypto_free_ahash(poly);
+	if (IS_ERR(chacha))
 		return PTR_ERR(chacha);
-	}
 
 	ctx->chacha = chacha;
-	ctx->poly = poly;
 	ctx->saltlen = ictx->saltlen;
 
 	align = crypto_aead_alignmask(tfm);
@@ -525,12 +346,9 @@ static int chachapoly_init(struct crypto_aead *tfm)
 	crypto_aead_set_reqsize(
 		tfm,
 		align + offsetof(struct chachapoly_req_ctx, u) +
-		max(offsetof(struct chacha_req, req) +
-		    sizeof(struct skcipher_request) +
-		    crypto_skcipher_reqsize(chacha),
-		    offsetof(struct poly_req, req) +
-		    sizeof(struct ahash_request) +
-		    crypto_ahash_reqsize(poly)));
+		offsetof(struct chacha_req, req) +
+		sizeof(struct skcipher_request) +
+		crypto_skcipher_reqsize(chacha));
 
 	return 0;
 }
@@ -539,7 +357,6 @@ static void chachapoly_exit(struct crypto_aead *tfm)
 {
 	struct chachapoly_ctx *ctx = crypto_aead_ctx(tfm);
 
-	crypto_free_ahash(ctx->poly);
 	crypto_free_skcipher(ctx->chacha);
 }
 
@@ -548,7 +365,6 @@ static void chachapoly_free(struct aead_instance *inst)
 	struct chachapoly_instance_ctx *ctx = aead_instance_ctx(inst);
 
 	crypto_drop_skcipher(&ctx->chacha);
-	crypto_drop_ahash(&ctx->poly);
 	kfree(inst);
 }
 
@@ -559,7 +375,6 @@ static int chachapoly_create(struct crypto_template *tmpl, struct rtattr **tb,
 	struct aead_instance *inst;
 	struct chachapoly_instance_ctx *ctx;
 	struct skcipher_alg_common *chacha;
-	struct hash_alg_common *poly;
 	int err;
 
 	if (ivsize > CHACHAPOLY_IV_SIZE)
@@ -581,14 +396,9 @@ static int chachapoly_create(struct crypto_template *tmpl, struct rtattr **tb,
 		goto err_free_inst;
 	chacha = crypto_spawn_skcipher_alg_common(&ctx->chacha);
 
-	err = crypto_grab_ahash(&ctx->poly, aead_crypto_instance(inst),
-				crypto_attr_alg_name(tb[2]), 0, mask);
-	if (err)
-		goto err_free_inst;
-	poly = crypto_spawn_ahash_alg(&ctx->poly);
-
 	err = -EINVAL;
-	if (poly->digestsize != POLY1305_DIGEST_SIZE)
+	if (strcmp(crypto_attr_alg_name(tb[2]), "poly1305") &&
+	    strcmp(crypto_attr_alg_name(tb[2]), "poly1305-generic"))
 		goto err_free_inst;
 	/* Need 16-byte IV size, including Initial Block Counter value */
 	if (chacha->ivsize != CHACHA_IV_SIZE)
@@ -599,16 +409,15 @@ static int chachapoly_create(struct crypto_template *tmpl, struct rtattr **tb,
 
 	err = -ENAMETOOLONG;
 	if (snprintf(inst->alg.base.cra_name, CRYPTO_MAX_ALG_NAME,
-		     "%s(%s,%s)", name, chacha->base.cra_name,
-		     poly->base.cra_name) >= CRYPTO_MAX_ALG_NAME)
+		     "%s(%s,poly1305)", name,
+		     chacha->base.cra_name) >= CRYPTO_MAX_ALG_NAME)
 		goto err_free_inst;
 	if (snprintf(inst->alg.base.cra_driver_name, CRYPTO_MAX_ALG_NAME,
-		     "%s(%s,%s)", name, chacha->base.cra_driver_name,
-		     poly->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
+		     "%s(%s,poly1305-generic)", name,
+		     chacha->base.cra_driver_name) >= CRYPTO_MAX_ALG_NAME)
 		goto err_free_inst;
 
-	inst->alg.base.cra_priority = (chacha->base.cra_priority +
-				       poly->base.cra_priority) / 2;
+	inst->alg.base.cra_priority = chacha->base.cra_priority;
 	inst->alg.base.cra_blocksize = 1;
 	inst->alg.base.cra_alignmask = chacha->base.cra_alignmask;
 	inst->alg.base.cra_ctxsize = sizeof(struct chachapoly_ctx) +
-- 
2.39.5

[v4 PATCH 09/11] crypto: testmgr - Remove poly1305

[Herbert Xu]

As poly1305 no longer has any in-kernel users, remove its tests.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---
 crypto/testmgr.c |   6 -
 crypto/testmgr.h | 288 -----------------------------------------------
 2 files changed, 294 deletions(-)

diff --git a/crypto/testmgr.c b/crypto/testmgr.c
index 82977ea25db3..f100be516f52 100644
--- a/crypto/testmgr.c
+++ b/crypto/testmgr.c
@@ -5406,12 +5406,6 @@ static const struct alg_test_desc alg_test_descs[] = {
 		.alg = "pkcs1pad(rsa)",
 		.test = alg_test_null,
 		.fips_allowed = 1,
-	}, {
-		.alg = "poly1305",
-		.test = alg_test_hash,
-		.suite = {
-			.hash = __VECS(poly1305_tv_template)
-		}
 	}, {
 		.alg = "polyval",
 		.test = alg_test_hash,
diff --git a/crypto/testmgr.h b/crypto/testmgr.h
index afc10af59b0a..32d099ac9e73 100644
--- a/crypto/testmgr.h
+++ b/crypto/testmgr.h
@@ -8836,294 +8836,6 @@ static const struct hash_testvec hmac_sha3_512_tv_template[] = {
 	},
 };
 
-/*
- * Poly1305 test vectors from RFC7539 A.3.
- */
-
-static const struct hash_testvec poly1305_tv_template[] = {
-	{ /* Test Vector #1 */
-		.plaintext	= "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00",
-		.psize		= 96,
-		.digest		= "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00",
-	}, { /* Test Vector #2 */
-		.plaintext	= "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x36\xe5\xf6\xb5\xc5\xe0\x60\x70"
-				  "\xf0\xef\xca\x96\x22\x7a\x86\x3e"
-				  "\x41\x6e\x79\x20\x73\x75\x62\x6d"
-				  "\x69\x73\x73\x69\x6f\x6e\x20\x74"
-				  "\x6f\x20\x74\x68\x65\x20\x49\x45"
-				  "\x54\x46\x20\x69\x6e\x74\x65\x6e"
-				  "\x64\x65\x64\x20\x62\x79\x20\x74"
-				  "\x68\x65\x20\x43\x6f\x6e\x74\x72"
-				  "\x69\x62\x75\x74\x6f\x72\x20\x66"
-				  "\x6f\x72\x20\x70\x75\x62\x6c\x69"
-				  "\x63\x61\x74\x69\x6f\x6e\x20\x61"
-				  "\x73\x20\x61\x6c\x6c\x20\x6f\x72"
-				  "\x20\x70\x61\x72\x74\x20\x6f\x66"
-				  "\x20\x61\x6e\x20\x49\x45\x54\x46"
-				  "\x20\x49\x6e\x74\x65\x72\x6e\x65"
-				  "\x74\x2d\x44\x72\x61\x66\x74\x20"
-				  "\x6f\x72\x20\x52\x46\x43\x20\x61"
-				  "\x6e\x64\x20\x61\x6e\x79\x20\x73"
-				  "\x74\x61\x74\x65\x6d\x65\x6e\x74"
-				  "\x20\x6d\x61\x64\x65\x20\x77\x69"
-				  "\x74\x68\x69\x6e\x20\x74\x68\x65"
-				  "\x20\x63\x6f\x6e\x74\x65\x78\x74"
-				  "\x20\x6f\x66\x20\x61\x6e\x20\x49"
-				  "\x45\x54\x46\x20\x61\x63\x74\x69"
-				  "\x76\x69\x74\x79\x20\x69\x73\x20"
-				  "\x63\x6f\x6e\x73\x69\x64\x65\x72"
-				  "\x65\x64\x20\x61\x6e\x20\x22\x49"
-				  "\x45\x54\x46\x20\x43\x6f\x6e\x74"
-				  "\x72\x69\x62\x75\x74\x69\x6f\x6e"
-				  "\x22\x2e\x20\x53\x75\x63\x68\x20"
-				  "\x73\x74\x61\x74\x65\x6d\x65\x6e"
-				  "\x74\x73\x20\x69\x6e\x63\x6c\x75"
-				  "\x64\x65\x20\x6f\x72\x61\x6c\x20"
-				  "\x73\x74\x61\x74\x65\x6d\x65\x6e"
-				  "\x74\x73\x20\x69\x6e\x20\x49\x45"
-				  "\x54\x46\x20\x73\x65\x73\x73\x69"
-				  "\x6f\x6e\x73\x2c\x20\x61\x73\x20"
-				  "\x77\x65\x6c\x6c\x20\x61\x73\x20"
-				  "\x77\x72\x69\x74\x74\x65\x6e\x20"
-				  "\x61\x6e\x64\x20\x65\x6c\x65\x63"
-				  "\x74\x72\x6f\x6e\x69\x63\x20\x63"
-				  "\x6f\x6d\x6d\x75\x6e\x69\x63\x61"
-				  "\x74\x69\x6f\x6e\x73\x20\x6d\x61"
-				  "\x64\x65\x20\x61\x74\x20\x61\x6e"
-				  "\x79\x20\x74\x69\x6d\x65\x20\x6f"
-				  "\x72\x20\x70\x6c\x61\x63\x65\x2c"
-				  "\x20\x77\x68\x69\x63\x68\x20\x61"
-				  "\x72\x65\x20\x61\x64\x64\x72\x65"
-				  "\x73\x73\x65\x64\x20\x74\x6f",
-		.psize		= 407,
-		.digest		= "\x36\xe5\xf6\xb5\xc5\xe0\x60\x70"
-				  "\xf0\xef\xca\x96\x22\x7a\x86\x3e",
-	}, { /* Test Vector #3 */
-		.plaintext	= "\x36\xe5\xf6\xb5\xc5\xe0\x60\x70"
-				  "\xf0\xef\xca\x96\x22\x7a\x86\x3e"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x41\x6e\x79\x20\x73\x75\x62\x6d"
-				  "\x69\x73\x73\x69\x6f\x6e\x20\x74"
-				  "\x6f\x20\x74\x68\x65\x20\x49\x45"
-				  "\x54\x46\x20\x69\x6e\x74\x65\x6e"
-				  "\x64\x65\x64\x20\x62\x79\x20\x74"
-				  "\x68\x65\x20\x43\x6f\x6e\x74\x72"
-				  "\x69\x62\x75\x74\x6f\x72\x20\x66"
-				  "\x6f\x72\x20\x70\x75\x62\x6c\x69"
-				  "\x63\x61\x74\x69\x6f\x6e\x20\x61"
-				  "\x73\x20\x61\x6c\x6c\x20\x6f\x72"
-				  "\x20\x70\x61\x72\x74\x20\x6f\x66"
-				  "\x20\x61\x6e\x20\x49\x45\x54\x46"
-				  "\x20\x49\x6e\x74\x65\x72\x6e\x65"
-				  "\x74\x2d\x44\x72\x61\x66\x74\x20"
-				  "\x6f\x72\x20\x52\x46\x43\x20\x61"
-				  "\x6e\x64\x20\x61\x6e\x79\x20\x73"
-				  "\x74\x61\x74\x65\x6d\x65\x6e\x74"
-				  "\x20\x6d\x61\x64\x65\x20\x77\x69"
-				  "\x74\x68\x69\x6e\x20\x74\x68\x65"
-				  "\x20\x63\x6f\x6e\x74\x65\x78\x74"
-				  "\x20\x6f\x66\x20\x61\x6e\x20\x49"
-				  "\x45\x54\x46\x20\x61\x63\x74\x69"
-				  "\x76\x69\x74\x79\x20\x69\x73\x20"
-				  "\x63\x6f\x6e\x73\x69\x64\x65\x72"
-				  "\x65\x64\x20\x61\x6e\x20\x22\x49"
-				  "\x45\x54\x46\x20\x43\x6f\x6e\x74"
-				  "\x72\x69\x62\x75\x74\x69\x6f\x6e"
-				  "\x22\x2e\x20\x53\x75\x63\x68\x20"
-				  "\x73\x74\x61\x74\x65\x6d\x65\x6e"
-				  "\x74\x73\x20\x69\x6e\x63\x6c\x75"
-				  "\x64\x65\x20\x6f\x72\x61\x6c\x20"
-				  "\x73\x74\x61\x74\x65\x6d\x65\x6e"
-				  "\x74\x73\x20\x69\x6e\x20\x49\x45"
-				  "\x54\x46\x20\x73\x65\x73\x73\x69"
-				  "\x6f\x6e\x73\x2c\x20\x61\x73\x20"
-				  "\x77\x65\x6c\x6c\x20\x61\x73\x20"
-				  "\x77\x72\x69\x74\x74\x65\x6e\x20"
-				  "\x61\x6e\x64\x20\x65\x6c\x65\x63"
-				  "\x74\x72\x6f\x6e\x69\x63\x20\x63"
-				  "\x6f\x6d\x6d\x75\x6e\x69\x63\x61"
-				  "\x74\x69\x6f\x6e\x73\x20\x6d\x61"
-				  "\x64\x65\x20\x61\x74\x20\x61\x6e"
-				  "\x79\x20\x74\x69\x6d\x65\x20\x6f"
-				  "\x72\x20\x70\x6c\x61\x63\x65\x2c"
-				  "\x20\x77\x68\x69\x63\x68\x20\x61"
-				  "\x72\x65\x20\x61\x64\x64\x72\x65"
-				  "\x73\x73\x65\x64\x20\x74\x6f",
-		.psize		= 407,
-		.digest		= "\xf3\x47\x7e\x7c\xd9\x54\x17\xaf"
-				  "\x89\xa6\xb8\x79\x4c\x31\x0c\xf0",
-	}, { /* Test Vector #4 */
-		.plaintext	= "\x1c\x92\x40\xa5\xeb\x55\xd3\x8a"
-				  "\xf3\x33\x88\x86\x04\xf6\xb5\xf0"
-				  "\x47\x39\x17\xc1\x40\x2b\x80\x09"
-				  "\x9d\xca\x5c\xbc\x20\x70\x75\xc0"
-				  "\x27\x54\x77\x61\x73\x20\x62\x72"
-				  "\x69\x6c\x6c\x69\x67\x2c\x20\x61"
-				  "\x6e\x64\x20\x74\x68\x65\x20\x73"
-				  "\x6c\x69\x74\x68\x79\x20\x74\x6f"
-				  "\x76\x65\x73\x0a\x44\x69\x64\x20"
-				  "\x67\x79\x72\x65\x20\x61\x6e\x64"
-				  "\x20\x67\x69\x6d\x62\x6c\x65\x20"
-				  "\x69\x6e\x20\x74\x68\x65\x20\x77"
-				  "\x61\x62\x65\x3a\x0a\x41\x6c\x6c"
-				  "\x20\x6d\x69\x6d\x73\x79\x20\x77"
-				  "\x65\x72\x65\x20\x74\x68\x65\x20"
-				  "\x62\x6f\x72\x6f\x67\x6f\x76\x65"
-				  "\x73\x2c\x0a\x41\x6e\x64\x20\x74"
-				  "\x68\x65\x20\x6d\x6f\x6d\x65\x20"
-				  "\x72\x61\x74\x68\x73\x20\x6f\x75"
-				  "\x74\x67\x72\x61\x62\x65\x2e",
-		.psize		= 159,
-		.digest		= "\x45\x41\x66\x9a\x7e\xaa\xee\x61"
-				  "\xe7\x08\xdc\x7c\xbc\xc5\xeb\x62",
-	}, { /* Test Vector #5 */
-		.plaintext	= "\x02\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff",
-		.psize		= 48,
-		.digest		= "\x03\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00",
-	}, { /* Test Vector #6 */
-		.plaintext	= "\x02\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\x02\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00",
-		.psize		= 48,
-		.digest		= "\x03\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00",
-	}, { /* Test Vector #7 */
-		.plaintext	= "\x01\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xf0\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\x11\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00",
-		.psize		= 80,
-		.digest		= "\x05\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00",
-	}, { /* Test Vector #8 */
-		.plaintext	= "\x01\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xfb\xfe\xfe\xfe\xfe\xfe\xfe\xfe"
-				  "\xfe\xfe\xfe\xfe\xfe\xfe\xfe\xfe"
-				  "\x01\x01\x01\x01\x01\x01\x01\x01"
-				  "\x01\x01\x01\x01\x01\x01\x01\x01",
-		.psize		= 80,
-		.digest		= "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00",
-	}, { /* Test Vector #9 */
-		.plaintext	= "\x02\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\xfd\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff",
-		.psize		= 48,
-		.digest		= "\xfa\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff",
-	}, { /* Test Vector #10 */
-		.plaintext	= "\x01\x00\x00\x00\x00\x00\x00\x00"
-				  "\x04\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\xe3\x35\x94\xd7\x50\x5e\x43\xb9"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x33\x94\xd7\x50\x5e\x43\x79\xcd"
-				  "\x01\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x01\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00",
-		.psize		= 96,
-		.digest		= "\x14\x00\x00\x00\x00\x00\x00\x00"
-				  "\x55\x00\x00\x00\x00\x00\x00\x00",
-	}, { /* Test Vector #11 */
-		.plaintext	= "\x01\x00\x00\x00\x00\x00\x00\x00"
-				  "\x04\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\xe3\x35\x94\xd7\x50\x5e\x43\xb9"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x33\x94\xd7\x50\x5e\x43\x79\xcd"
-				  "\x01\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00",
-		.psize		= 80,
-		.digest		= "\x13\x00\x00\x00\x00\x00\x00\x00"
-				  "\x00\x00\x00\x00\x00\x00\x00\x00",
-	}, { /* Regression test for overflow in AVX2 implementation */
-		.plaintext	= "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff\xff\xff\xff\xff"
-				  "\xff\xff\xff\xff",
-		.psize		= 300,
-		.digest		= "\xfb\x5e\x96\xd8\x61\xd5\xc7\xc8"
-				  "\x78\xe5\x87\xcc\x2d\x5a\x22\xe1",
-	}
-};
-
 /* NHPoly1305 test vectors from https://github.com/google/adiantum */
 static const struct hash_testvec nhpoly1305_tv_template[] = {
 	{
-- 
2.39.5

[v4 PATCH 10/11] crypto: poly1305 - Remove algorithm

[Herbert Xu]

As there are no in-kernel users of the Crypto API poly1305 left,
remove it.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---
 crypto/Kconfig    |  12 ----
 crypto/Makefile   |   2 -
 crypto/poly1305.c | 152 ----------------------------------------------
 3 files changed, 166 deletions(-)
 delete mode 100644 crypto/poly1305.c

diff --git a/crypto/Kconfig b/crypto/Kconfig
index f87e2a26d2dd..3cb5563dc4ab 100644
--- a/crypto/Kconfig
+++ b/crypto/Kconfig
@@ -953,18 +953,6 @@ config CRYPTO_POLYVAL
 	  This is used in HCTR2.  It is not a general-purpose
 	  cryptographic hash function.
 
-config CRYPTO_POLY1305
-	tristate "Poly1305"
-	select CRYPTO_HASH
-	select CRYPTO_LIB_POLY1305
-	select CRYPTO_LIB_POLY1305_GENERIC
-	help
-	  Poly1305 authenticator algorithm (RFC7539)
-
-	  Poly1305 is an authenticator algorithm designed by Daniel J. Bernstein.
-	  It is used for the ChaCha20-Poly1305 AEAD, specified in RFC7539 for use
-	  in IETF protocols. This is the portable C implementation of Poly1305.
-
 config CRYPTO_RMD160
 	tristate "RIPEMD-160"
 	select CRYPTO_HASH
diff --git a/crypto/Makefile b/crypto/Makefile
index 5d2f2a28d8a0..587bc74b6d74 100644
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -149,8 +149,6 @@ obj-$(CONFIG_CRYPTO_SEED) += seed.o
 obj-$(CONFIG_CRYPTO_ARIA) += aria_generic.o
 obj-$(CONFIG_CRYPTO_CHACHA20) += chacha.o
 CFLAGS_chacha.o += -DARCH=$(ARCH)
-obj-$(CONFIG_CRYPTO_POLY1305) += poly1305.o
-CFLAGS_poly1305.o += -DARCH=$(ARCH)
 obj-$(CONFIG_CRYPTO_DEFLATE) += deflate.o
 obj-$(CONFIG_CRYPTO_MICHAEL_MIC) += michael_mic.o
 obj-$(CONFIG_CRYPTO_CRC32C) += crc32c_generic.o
diff --git a/crypto/poly1305.c b/crypto/poly1305.c
deleted file mode 100644
index e0436bdc462b..000000000000
--- a/crypto/poly1305.c
+++ /dev/null
@@ -1,152 +0,0 @@
-/*
- * Crypto API wrapper for the Poly1305 library functions
- *
- * Copyright (C) 2015 Martin Willi
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- */
-
-#include <crypto/algapi.h>
-#include <crypto/internal/hash.h>
-#include <crypto/internal/poly1305.h>
-#include <linux/crypto.h>
-#include <linux/kernel.h>
-#include <linux/module.h>
-
-struct crypto_poly1305_desc_ctx {
-	struct poly1305_desc_ctx base;
-	u8 key[POLY1305_KEY_SIZE];
-	unsigned int keysize;
-};
-
-static int crypto_poly1305_init(struct shash_desc *desc)
-{
-	struct crypto_poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
-
-	dctx->keysize = 0;
-	return 0;
-}
-
-static int crypto_poly1305_update(struct shash_desc *desc,
-				  const u8 *src, unsigned int srclen, bool arch)
-{
-	struct crypto_poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
-	unsigned int bytes;
-
-	/*
-	 * The key is passed as the first 32 "data" bytes.  The actual
-	 * poly1305_init() can be called only once the full key is available.
-	 */
-	if (dctx->keysize < POLY1305_KEY_SIZE) {
-		bytes = min(srclen, POLY1305_KEY_SIZE - dctx->keysize);
-		memcpy(&dctx->key[dctx->keysize], src, bytes);
-		dctx->keysize += bytes;
-		if (dctx->keysize < POLY1305_KEY_SIZE)
-			return 0;
-		if (arch)
-			poly1305_init(&dctx->base, dctx->key);
-		else
-			poly1305_init_generic(&dctx->base, dctx->key);
-		src += bytes;
-		srclen -= bytes;
-	}
-
-	if (arch)
-		poly1305_update(&dctx->base, src, srclen);
-	else
-		poly1305_update_generic(&dctx->base, src, srclen);
-
-	return 0;
-}
-
-static int crypto_poly1305_update_generic(struct shash_desc *desc,
-					  const u8 *src, unsigned int srclen)
-{
-	return crypto_poly1305_update(desc, src, srclen, false);
-}
-
-static int crypto_poly1305_update_arch(struct shash_desc *desc,
-				       const u8 *src, unsigned int srclen)
-{
-	return crypto_poly1305_update(desc, src, srclen, true);
-}
-
-static int crypto_poly1305_final(struct shash_desc *desc, u8 *dst, bool arch)
-{
-	struct crypto_poly1305_desc_ctx *dctx = shash_desc_ctx(desc);
-
-	if (unlikely(dctx->keysize != POLY1305_KEY_SIZE))
-		return -ENOKEY;
-
-	if (arch)
-		poly1305_final(&dctx->base, dst);
-	else
-		poly1305_final_generic(&dctx->base, dst);
-	memzero_explicit(&dctx->key, sizeof(dctx->key));
-	return 0;
-}
-
-static int crypto_poly1305_final_generic(struct shash_desc *desc, u8 *dst)
-{
-	return crypto_poly1305_final(desc, dst, false);
-}
-
-static int crypto_poly1305_final_arch(struct shash_desc *desc, u8 *dst)
-{
-	return crypto_poly1305_final(desc, dst, true);
-}
-
-static struct shash_alg poly1305_algs[] = {
-	{
-		.base.cra_name		= "poly1305",
-		.base.cra_driver_name	= "poly1305-generic",
-		.base.cra_priority	= 100,
-		.base.cra_blocksize	= POLY1305_BLOCK_SIZE,
-		.base.cra_module	= THIS_MODULE,
-		.digestsize		= POLY1305_DIGEST_SIZE,
-		.init			= crypto_poly1305_init,
-		.update			= crypto_poly1305_update_generic,
-		.final			= crypto_poly1305_final_generic,
-		.descsize		= sizeof(struct crypto_poly1305_desc_ctx),
-	},
-	{
-		.base.cra_name		= "poly1305",
-		.base.cra_driver_name	= "poly1305-" __stringify(ARCH),
-		.base.cra_priority	= 300,
-		.base.cra_blocksize	= POLY1305_BLOCK_SIZE,
-		.base.cra_module	= THIS_MODULE,
-		.digestsize		= POLY1305_DIGEST_SIZE,
-		.init			= crypto_poly1305_init,
-		.update			= crypto_poly1305_update_arch,
-		.final			= crypto_poly1305_final_arch,
-		.descsize		= sizeof(struct crypto_poly1305_desc_ctx),
-	},
-};
-
-static int num_algs;
-
-static int __init poly1305_mod_init(void)
-{
-	/* register the arch flavours only if they differ from generic */
-	num_algs = poly1305_is_arch_optimized() ? 2 : 1;
-
-	return crypto_register_shashes(poly1305_algs, num_algs);
-}
-
-static void __exit poly1305_mod_exit(void)
-{
-	crypto_unregister_shashes(poly1305_algs, num_algs);
-}
-
-subsys_initcall(poly1305_mod_init);
-module_exit(poly1305_mod_exit);
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Martin Willi <martin@strongswan.org>");
-MODULE_DESCRIPTION("Crypto API wrapper for the Poly1305 library functions");
-MODULE_ALIAS_CRYPTO("poly1305");
-MODULE_ALIAS_CRYPTO("poly1305-generic");
-MODULE_ALIAS_CRYPTO("poly1305-" __stringify(ARCH));
-- 
2.39.5

[v4 PATCH 11/11] crypto: lib/poly1305 - Use block-only interface

[Herbert Xu]

Now that every architecture provides a block function, use that
to implement the lib/poly1305 and remove the old per-arch code.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---
 arch/arm/lib/crypto/poly1305-glue.c         | 57 -------------------
 arch/arm64/lib/crypto/poly1305-glue.c       | 58 -------------------
 arch/mips/lib/crypto/poly1305-glue.c        | 60 --------------------
 arch/powerpc/lib/crypto/poly1305-p10-glue.c | 63 ---------------------
 arch/x86/lib/crypto/poly1305_glue.c         | 60 --------------------
 include/crypto/poly1305.h                   | 53 ++---------------
 lib/crypto/poly1305.c                       | 39 ++++++++-----
 7 files changed, 32 insertions(+), 358 deletions(-)

diff --git a/arch/arm/lib/crypto/poly1305-glue.c b/arch/arm/lib/crypto/poly1305-glue.c
index 3ee16048ec7c..91da42b26d9c 100644
--- a/arch/arm/lib/crypto/poly1305-glue.c
+++ b/arch/arm/lib/crypto/poly1305-glue.c
@@ -12,7 +12,6 @@
 #include <linux/jump_label.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
-#include <linux/string.h>
 #include <linux/unaligned.h>
 
 asmlinkage void poly1305_block_init_arch(
@@ -35,17 +34,6 @@ void __weak poly1305_blocks_neon(struct poly1305_block_state *state,
 
 static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
 
-void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 key[POLY1305_KEY_SIZE])
-{
-	dctx->s[0] = get_unaligned_le32(key + 16);
-	dctx->s[1] = get_unaligned_le32(key + 20);
-	dctx->s[2] = get_unaligned_le32(key + 24);
-	dctx->s[3] = get_unaligned_le32(key + 28);
-	dctx->buflen = 0;
-	poly1305_block_init_arch(&dctx->state, key);
-}
-EXPORT_SYMBOL(poly1305_init_arch);
-
 void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
 			  unsigned int len, u32 padbit)
 {
@@ -67,51 +55,6 @@ void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
 }
 EXPORT_SYMBOL_GPL(poly1305_blocks_arch);
 
-void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
-			  unsigned int nbytes)
-{
-	if (unlikely(dctx->buflen)) {
-		u32 bytes = min(nbytes, POLY1305_BLOCK_SIZE - dctx->buflen);
-
-		memcpy(dctx->buf + dctx->buflen, src, bytes);
-		src += bytes;
-		nbytes -= bytes;
-		dctx->buflen += bytes;
-
-		if (dctx->buflen == POLY1305_BLOCK_SIZE) {
-			poly1305_blocks_arch(&dctx->state, dctx->buf,
-					     POLY1305_BLOCK_SIZE, 1);
-			dctx->buflen = 0;
-		}
-	}
-
-	if (likely(nbytes >= POLY1305_BLOCK_SIZE)) {
-		poly1305_blocks_arch(&dctx->state, src, nbytes, 1);
-		src += round_down(nbytes, POLY1305_BLOCK_SIZE);
-		nbytes %= POLY1305_BLOCK_SIZE;
-	}
-
-	if (unlikely(nbytes)) {
-		dctx->buflen = nbytes;
-		memcpy(dctx->buf, src, nbytes);
-	}
-}
-EXPORT_SYMBOL(poly1305_update_arch);
-
-void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
-{
-	if (unlikely(dctx->buflen)) {
-		dctx->buf[dctx->buflen++] = 1;
-		memset(dctx->buf + dctx->buflen, 0,
-		       POLY1305_BLOCK_SIZE - dctx->buflen);
-		poly1305_blocks_arch(&dctx->state, dctx->buf, POLY1305_BLOCK_SIZE, 0);
-	}
-
-	poly1305_emit_arch(&dctx->h, dst, dctx->s);
-	*dctx = (struct poly1305_desc_ctx){};
-}
-EXPORT_SYMBOL(poly1305_final_arch);
-
 bool poly1305_is_arch_optimized(void)
 {
 	/* We always can use at least the ARM scalar implementation. */
diff --git a/arch/arm64/lib/crypto/poly1305-glue.c b/arch/arm64/lib/crypto/poly1305-glue.c
index d66a820e32d5..681c26557336 100644
--- a/arch/arm64/lib/crypto/poly1305-glue.c
+++ b/arch/arm64/lib/crypto/poly1305-glue.c
@@ -12,7 +12,6 @@
 #include <linux/jump_label.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
-#include <linux/string.h>
 #include <linux/unaligned.h>
 
 asmlinkage void poly1305_block_init_arch(
@@ -30,17 +29,6 @@ EXPORT_SYMBOL_GPL(poly1305_emit_arch);
 
 static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
 
-void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 key[POLY1305_KEY_SIZE])
-{
-	dctx->s[0] = get_unaligned_le32(key + 16);
-	dctx->s[1] = get_unaligned_le32(key + 20);
-	dctx->s[2] = get_unaligned_le32(key + 24);
-	dctx->s[3] = get_unaligned_le32(key + 28);
-	dctx->buflen = 0;
-	poly1305_block_init_arch(&dctx->state, key);
-}
-EXPORT_SYMBOL(poly1305_init_arch);
-
 void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
 			  unsigned int len, u32 padbit)
 {
@@ -61,52 +49,6 @@ void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
 }
 EXPORT_SYMBOL_GPL(poly1305_blocks_arch);
 
-void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
-			  unsigned int nbytes)
-{
-	if (unlikely(dctx->buflen)) {
-		u32 bytes = min(nbytes, POLY1305_BLOCK_SIZE - dctx->buflen);
-
-		memcpy(dctx->buf + dctx->buflen, src, bytes);
-		src += bytes;
-		nbytes -= bytes;
-		dctx->buflen += bytes;
-
-		if (dctx->buflen == POLY1305_BLOCK_SIZE) {
-			poly1305_blocks_arch(&dctx->state, dctx->buf,
-					     POLY1305_BLOCK_SIZE, 1);
-			dctx->buflen = 0;
-		}
-	}
-
-	if (likely(nbytes >= POLY1305_BLOCK_SIZE)) {
-		poly1305_blocks_arch(&dctx->state, src, nbytes, 1);
-		src += round_down(nbytes, POLY1305_BLOCK_SIZE);
-		nbytes %= POLY1305_BLOCK_SIZE;
-	}
-
-	if (unlikely(nbytes)) {
-		dctx->buflen = nbytes;
-		memcpy(dctx->buf, src, nbytes);
-	}
-}
-EXPORT_SYMBOL(poly1305_update_arch);
-
-void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
-{
-	if (unlikely(dctx->buflen)) {
-		dctx->buf[dctx->buflen++] = 1;
-		memset(dctx->buf + dctx->buflen, 0,
-		       POLY1305_BLOCK_SIZE - dctx->buflen);
-		poly1305_blocks_arch(&dctx->state, dctx->buf,
-				     POLY1305_BLOCK_SIZE, 0);
-	}
-
-	poly1305_emit_arch(&dctx->h, dst, dctx->s);
-	memzero_explicit(dctx, sizeof(*dctx));
-}
-EXPORT_SYMBOL(poly1305_final_arch);
-
 bool poly1305_is_arch_optimized(void)
 {
 	/* We always can use at least the ARM64 scalar implementation. */
diff --git a/arch/mips/lib/crypto/poly1305-glue.c b/arch/mips/lib/crypto/poly1305-glue.c
index 2fea4cacfe27..764a38a65200 100644
--- a/arch/mips/lib/crypto/poly1305-glue.c
+++ b/arch/mips/lib/crypto/poly1305-glue.c
@@ -9,7 +9,6 @@
 #include <linux/cpufeature.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
-#include <linux/string.h>
 #include <linux/unaligned.h>
 
 asmlinkage void poly1305_block_init_arch(
@@ -24,65 +23,6 @@ asmlinkage void poly1305_emit_arch(const struct poly1305_state *state,
 				   const u32 nonce[4]);
 EXPORT_SYMBOL_GPL(poly1305_emit_arch);
 
-void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 key[POLY1305_KEY_SIZE])
-{
-	dctx->s[0] = get_unaligned_le32(key + 16);
-	dctx->s[1] = get_unaligned_le32(key + 20);
-	dctx->s[2] = get_unaligned_le32(key + 24);
-	dctx->s[3] = get_unaligned_le32(key + 28);
-	dctx->buflen = 0;
-	poly1305_block_init_arch(&dctx->state, key);
-}
-EXPORT_SYMBOL(poly1305_init_arch);
-
-void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
-			  unsigned int nbytes)
-{
-	if (unlikely(dctx->buflen)) {
-		u32 bytes = min(nbytes, POLY1305_BLOCK_SIZE - dctx->buflen);
-
-		memcpy(dctx->buf + dctx->buflen, src, bytes);
-		src += bytes;
-		nbytes -= bytes;
-		dctx->buflen += bytes;
-
-		if (dctx->buflen == POLY1305_BLOCK_SIZE) {
-			poly1305_blocks_arch(&dctx->state, dctx->buf,
-					     POLY1305_BLOCK_SIZE, 1);
-			dctx->buflen = 0;
-		}
-	}
-
-	if (likely(nbytes >= POLY1305_BLOCK_SIZE)) {
-		unsigned int len = round_down(nbytes, POLY1305_BLOCK_SIZE);
-
-		poly1305_blocks_arch(&dctx->state, src, len, 1);
-		src += len;
-		nbytes %= POLY1305_BLOCK_SIZE;
-	}
-
-	if (unlikely(nbytes)) {
-		dctx->buflen = nbytes;
-		memcpy(dctx->buf, src, nbytes);
-	}
-}
-EXPORT_SYMBOL(poly1305_update_arch);
-
-void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
-{
-	if (unlikely(dctx->buflen)) {
-		dctx->buf[dctx->buflen++] = 1;
-		memset(dctx->buf + dctx->buflen, 0,
-		       POLY1305_BLOCK_SIZE - dctx->buflen);
-		poly1305_blocks_arch(&dctx->state, dctx->buf,
-				     POLY1305_BLOCK_SIZE, 0);
-	}
-
-	poly1305_emit_arch(&dctx->h, dst, dctx->s);
-	*dctx = (struct poly1305_desc_ctx){};
-}
-EXPORT_SYMBOL(poly1305_final_arch);
-
 bool poly1305_is_arch_optimized(void)
 {
 	return true;
diff --git a/arch/powerpc/lib/crypto/poly1305-p10-glue.c b/arch/powerpc/lib/crypto/poly1305-p10-glue.c
index 708435beaba6..50ac802220e0 100644
--- a/arch/powerpc/lib/crypto/poly1305-p10-glue.c
+++ b/arch/powerpc/lib/crypto/poly1305-p10-glue.c
@@ -10,7 +10,6 @@
 #include <linux/jump_label.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
-#include <linux/string.h>
 #include <linux/unaligned.h>
 
 asmlinkage void poly1305_p10le_4blocks(struct poly1305_block_state *state, const u8 *m, u32 mlen);
@@ -45,17 +44,6 @@ void poly1305_block_init_arch(struct poly1305_block_state *dctx,
 }
 EXPORT_SYMBOL_GPL(poly1305_block_init_arch);
 
-void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 key[POLY1305_KEY_SIZE])
-{
-	dctx->s[0] = get_unaligned_le32(key + 16);
-	dctx->s[1] = get_unaligned_le32(key + 20);
-	dctx->s[2] = get_unaligned_le32(key + 24);
-	dctx->s[3] = get_unaligned_le32(key + 28);
-	dctx->buflen = 0;
-	poly1305_block_init_arch(&dctx->state, key);
-}
-EXPORT_SYMBOL(poly1305_init_arch);
-
 void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
 			  unsigned int len, u32 padbit)
 {
@@ -76,57 +64,6 @@ void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
 }
 EXPORT_SYMBOL_GPL(poly1305_blocks_arch);
 
-void poly1305_update_arch(struct poly1305_desc_ctx *dctx,
-			  const u8 *src, unsigned int srclen)
-{
-	unsigned int bytes;
-
-	if (!static_key_enabled(&have_p10))
-		return poly1305_update_generic(dctx, src, srclen);
-
-	if (unlikely(dctx->buflen)) {
-		bytes = min(srclen, POLY1305_BLOCK_SIZE - dctx->buflen);
-		memcpy(dctx->buf + dctx->buflen, src, bytes);
-		src += bytes;
-		srclen -= bytes;
-		dctx->buflen += bytes;
-		if (dctx->buflen < POLY1305_BLOCK_SIZE)
-			return;
-		poly1305_blocks_arch(&dctx->state, dctx->buf,
-				     POLY1305_BLOCK_SIZE, 1);
-		dctx->buflen = 0;
-	}
-
-	if (likely(srclen >= POLY1305_BLOCK_SIZE)) {
-		poly1305_blocks_arch(&dctx->state, src, srclen, 1);
-		src += srclen - (srclen % POLY1305_BLOCK_SIZE);
-		srclen %= POLY1305_BLOCK_SIZE;
-	}
-
-	if (unlikely(srclen)) {
-		dctx->buflen = srclen;
-		memcpy(dctx->buf, src, srclen);
-	}
-}
-EXPORT_SYMBOL(poly1305_update_arch);
-
-void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
-{
-	if (!static_key_enabled(&have_p10))
-		return poly1305_final_generic(dctx, dst);
-
-	if (dctx->buflen) {
-		dctx->buf[dctx->buflen++] = 1;
-		memset(dctx->buf + dctx->buflen, 0,
-		       POLY1305_BLOCK_SIZE - dctx->buflen);
-		poly1305_blocks_arch(&dctx->state, dctx->buf,
-				     POLY1305_BLOCK_SIZE, 0);
-	}
-
-	poly1305_emit_arch(&dctx->h, dst, dctx->s);
-}
-EXPORT_SYMBOL(poly1305_final_arch);
-
 bool poly1305_is_arch_optimized(void)
 {
 	return static_key_enabled(&have_p10);
diff --git a/arch/x86/lib/crypto/poly1305_glue.c b/arch/x86/lib/crypto/poly1305_glue.c
index d98764ec3b47..f799828c5809 100644
--- a/arch/x86/lib/crypto/poly1305_glue.c
+++ b/arch/x86/lib/crypto/poly1305_glue.c
@@ -10,7 +10,6 @@
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/sizes.h>
-#include <linux/string.h>
 #include <linux/unaligned.h>
 
 struct poly1305_arch_internal {
@@ -96,65 +95,6 @@ void poly1305_emit_arch(const struct poly1305_state *ctx,
 }
 EXPORT_SYMBOL_GPL(poly1305_emit_arch);
 
-void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 key[POLY1305_KEY_SIZE])
-{
-	dctx->s[0] = get_unaligned_le32(&key[16]);
-	dctx->s[1] = get_unaligned_le32(&key[20]);
-	dctx->s[2] = get_unaligned_le32(&key[24]);
-	dctx->s[3] = get_unaligned_le32(&key[28]);
-	dctx->buflen = 0;
-	poly1305_block_init_arch(&dctx->state, key);
-}
-EXPORT_SYMBOL(poly1305_init_arch);
-
-void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
-			  unsigned int srclen)
-{
-	unsigned int bytes;
-
-	if (unlikely(dctx->buflen)) {
-		bytes = min(srclen, POLY1305_BLOCK_SIZE - dctx->buflen);
-		memcpy(dctx->buf + dctx->buflen, src, bytes);
-		src += bytes;
-		srclen -= bytes;
-		dctx->buflen += bytes;
-
-		if (dctx->buflen == POLY1305_BLOCK_SIZE) {
-			poly1305_blocks_arch(&dctx->state, dctx->buf,
-					     POLY1305_BLOCK_SIZE, 1);
-			dctx->buflen = 0;
-		}
-	}
-
-	if (likely(srclen >= POLY1305_BLOCK_SIZE)) {
-		bytes = round_down(srclen, POLY1305_BLOCK_SIZE);
-		poly1305_blocks_arch(&dctx->state, src, bytes, 1);
-		src += bytes;
-		srclen -= bytes;
-	}
-
-	if (unlikely(srclen)) {
-		dctx->buflen = srclen;
-		memcpy(dctx->buf, src, srclen);
-	}
-}
-EXPORT_SYMBOL(poly1305_update_arch);
-
-void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
-{
-	if (unlikely(dctx->buflen)) {
-		dctx->buf[dctx->buflen++] = 1;
-		memset(dctx->buf + dctx->buflen, 0,
-		       POLY1305_BLOCK_SIZE - dctx->buflen);
-		poly1305_blocks_arch(&dctx->state, dctx->buf,
-				     POLY1305_BLOCK_SIZE, 0);
-	}
-
-	poly1305_emit_arch(&dctx->h, dst, dctx->s);
-	memzero_explicit(dctx, sizeof(*dctx));
-}
-EXPORT_SYMBOL(poly1305_final_arch);
-
 bool poly1305_is_arch_optimized(void)
 {
 	return static_key_enabled(&poly1305_use_avx);
diff --git a/include/crypto/poly1305.h b/include/crypto/poly1305.h
index 027d74842cd5..e54abda8cfe9 100644
--- a/include/crypto/poly1305.h
+++ b/include/crypto/poly1305.h
@@ -55,55 +55,14 @@ struct poly1305_desc_ctx {
 	unsigned int buflen;
 	/* finalize key */
 	u32 s[4];
-	union {
-		struct {
-			struct poly1305_state h;
-			union {
-				struct poly1305_key opaque_r[CONFIG_CRYPTO_LIB_POLY1305_RSIZE];
-				struct poly1305_core_key core_r;
-			};
-		};
-		struct poly1305_block_state state;
-	};
+	struct poly1305_block_state state;
 };
 
-void poly1305_init_arch(struct poly1305_desc_ctx *desc,
-			const u8 key[POLY1305_KEY_SIZE]);
-void poly1305_init_generic(struct poly1305_desc_ctx *desc,
-			   const u8 key[POLY1305_KEY_SIZE]);
-
-static inline void poly1305_init(struct poly1305_desc_ctx *desc, const u8 *key)
-{
-	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
-		poly1305_init_arch(desc, key);
-	else
-		poly1305_init_generic(desc, key);
-}
-
-void poly1305_update_arch(struct poly1305_desc_ctx *desc, const u8 *src,
-			  unsigned int nbytes);
-void poly1305_update_generic(struct poly1305_desc_ctx *desc, const u8 *src,
-			     unsigned int nbytes);
-
-static inline void poly1305_update(struct poly1305_desc_ctx *desc,
-				   const u8 *src, unsigned int nbytes)
-{
-	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
-		poly1305_update_arch(desc, src, nbytes);
-	else
-		poly1305_update_generic(desc, src, nbytes);
-}
-
-void poly1305_final_arch(struct poly1305_desc_ctx *desc, u8 *digest);
-void poly1305_final_generic(struct poly1305_desc_ctx *desc, u8 *digest);
-
-static inline void poly1305_final(struct poly1305_desc_ctx *desc, u8 *digest)
-{
-	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
-		poly1305_final_arch(desc, digest);
-	else
-		poly1305_final_generic(desc, digest);
-}
+void poly1305_init(struct poly1305_desc_ctx *desc,
+		   const u8 key[POLY1305_KEY_SIZE]);
+void poly1305_update(struct poly1305_desc_ctx *desc,
+		     const u8 *src, unsigned int nbytes);
+void poly1305_final(struct poly1305_desc_ctx *desc, u8 *digest);
 
 #if IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305)
 bool poly1305_is_arch_optimized(void);
diff --git a/lib/crypto/poly1305.c b/lib/crypto/poly1305.c
index 9fec64a599c1..4c9996864090 100644
--- a/lib/crypto/poly1305.c
+++ b/lib/crypto/poly1305.c
@@ -22,47 +22,60 @@ void poly1305_block_init_generic(struct poly1305_block_state *desc,
 }
 EXPORT_SYMBOL_GPL(poly1305_block_init_generic);
 
-void poly1305_init_generic(struct poly1305_desc_ctx *desc,
-			   const u8 key[POLY1305_KEY_SIZE])
+void poly1305_init(struct poly1305_desc_ctx *desc,
+		   const u8 key[POLY1305_KEY_SIZE])
 {
 	desc->s[0] = get_unaligned_le32(key + 16);
 	desc->s[1] = get_unaligned_le32(key + 20);
 	desc->s[2] = get_unaligned_le32(key + 24);
 	desc->s[3] = get_unaligned_le32(key + 28);
 	desc->buflen = 0;
-	poly1305_block_init_generic(&desc->state, key);
+	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
+		poly1305_block_init_arch(&desc->state, key);
+	else
+		poly1305_block_init_generic(&desc->state, key);
 }
-EXPORT_SYMBOL_GPL(poly1305_init_generic);
+EXPORT_SYMBOL(poly1305_init);
 
 static inline void poly1305_blocks(struct poly1305_block_state *state,
 				   const u8 *src, unsigned int len)
 {
-	poly1305_blocks_generic(state, src, len, 1);
+	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
+		poly1305_blocks_arch(state, src, len, 1);
+	else
+		poly1305_blocks_generic(state, src, len, 1);
 }
 
-void poly1305_update_generic(struct poly1305_desc_ctx *desc, const u8 *src,
-			     unsigned int nbytes)
+void poly1305_update(struct poly1305_desc_ctx *desc,
+		     const u8 *src, unsigned int nbytes)
 {
 	desc->buflen = BLOCK_HASH_UPDATE(poly1305_blocks, &desc->state,
 					 src, nbytes, POLY1305_BLOCK_SIZE,
 					 desc->buf, desc->buflen);
 }
-EXPORT_SYMBOL_GPL(poly1305_update_generic);
+EXPORT_SYMBOL(poly1305_update);
 
-void poly1305_final_generic(struct poly1305_desc_ctx *desc, u8 *dst)
+void poly1305_final(struct poly1305_desc_ctx *desc, u8 *dst)
 {
 	if (unlikely(desc->buflen)) {
 		desc->buf[desc->buflen++] = 1;
 		memset(desc->buf + desc->buflen, 0,
 		       POLY1305_BLOCK_SIZE - desc->buflen);
-		poly1305_blocks_generic(&desc->state, desc->buf,
-					POLY1305_BLOCK_SIZE, 0);
+		if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
+			poly1305_blocks_arch(&desc->state, desc->buf,
+					     POLY1305_BLOCK_SIZE, 0);
+		else
+			poly1305_blocks_generic(&desc->state, desc->buf,
+						POLY1305_BLOCK_SIZE, 0);
 	}
 
-	poly1305_emit_generic(&desc->h, dst, desc->s);
+	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
+		poly1305_emit_arch(&desc->state.h, dst, desc->s);
+	else
+		poly1305_emit_generic(&desc->state.h, dst, desc->s);
 	*desc = (struct poly1305_desc_ctx){};
 }
-EXPORT_SYMBOL_GPL(poly1305_final_generic);
+EXPORT_SYMBOL(poly1305_final);
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Martin Willi <martin@strongswan.org>");
-- 
2.39.5

Re: [v4 PATCH 08/11] crypto: chacha20poly1305 - Use lib/crypto poly1305

[Cabiddu, Giovanni]

Hi Herbert,

On Mon, Apr 28, 2025 at 12:56:21PM +0800, Herbert Xu wrote:
> Since the poly1305 algorithm is fixed, there is no point in going
> through the Crypto API for it.  Use the lib/crypto poly1305 interface
> instead.
> 
> For compatiblity keep the poly1305 parameter in the algorithm name.
> 
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
> ---
>  crypto/Kconfig            |   2 +-
>  crypto/chacha20poly1305.c | 323 ++++++++------------------------------
>  2 files changed, 67 insertions(+), 258 deletions(-)
> 
> diff --git a/crypto/Kconfig b/crypto/Kconfig
> index 9878286d1d68..f87e2a26d2dd 100644
> --- a/crypto/Kconfig
> +++ b/crypto/Kconfig
> @@ -784,8 +784,8 @@ config CRYPTO_AEGIS128_SIMD
>  config CRYPTO_CHACHA20POLY1305
>  	tristate "ChaCha20-Poly1305"
>  	select CRYPTO_CHACHA20
> -	select CRYPTO_POLY1305
>  	select CRYPTO_AEAD
> +	select CRYPTO_LIB_POLY1305
Should this be `select CRYPTO_LIB_POLY1305_GENERIC`, instead?

I'm getting a build failure using the latest HEAD of cryptodev-2.6:
64745a9ca890 ("crypto: s390/sha512 - Initialise upper counter to zero
for sha384"):

    ld: vmlinux.o: in function `poly_hash':
    /devel/cryptodev-2.6/crypto/chacha20poly1305.c:155:(.text+0x751bee): undefined reference to `poly1305_init'
    ld: /devel/cryptodev-2.6/crypto/chacha20poly1305.c:162:(.text+0x751c5e): undefined reference to `poly1305_update'
    ld: /devel/cryptodev-2.6/crypto/chacha20poly1305.c:168:(.text+0x751cd5): undefined reference to `poly1305_update'
    ld: /devel/cryptodev-2.6/crypto/chacha20poly1305.c:176:(.text+0x751d4f): undefined reference to `poly1305_update'
    ld: /devel/cryptodev-2.6/crypto/chacha20poly1305.c:182:(.text+0x751da6): undefined reference to `poly1305_update'
    ld: /devel/cryptodev-2.6/crypto/chacha20poly1305.c:186:(.text+0x751dd1): undefined reference to `poly1305_update'
    ld: /devel/cryptodev-2.6/crypto/chacha20poly1305.c:188:(.text+0x751df9): undefined reference to `poly1305_final'
    ...

I have CONFIG_CRYPTO_CHACHA20POLY1305=y but CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m.
Looking at lib/crypto/Makefile, I see that poly1305.o, which exports
poly1305_init() (and the other dependencies missing) is enabled by
CONFIG_CRYPTO_LIB_POLY1305_GENERIC:

    obj-$(CONFIG_CRYPTO_LIB_POLY1305_GENERIC)	+= libpoly1305.o
    libpoly1305-y				:= poly1305-donna32.o
    libpoly1305-$(CONFIG_ARCH_SUPPORTS_INT128)	:= poly1305-donna64.o
    libpoly1305-y				+= poly1305.o

Thanks,

-- 
Giovanni

Re: [v4 PATCH 08/11] crypto: chacha20poly1305 - Use lib/crypto poly1305

[Herbert Xu]

On Mon, May 05, 2025 at 02:41:40PM +0100, Cabiddu, Giovanni wrote:
>
> > diff --git a/crypto/Kconfig b/crypto/Kconfig
> > index 9878286d1d68..f87e2a26d2dd 100644
> > --- a/crypto/Kconfig
> > +++ b/crypto/Kconfig
> > @@ -784,8 +784,8 @@ config CRYPTO_AEGIS128_SIMD
> >  config CRYPTO_CHACHA20POLY1305
> >  	tristate "ChaCha20-Poly1305"
> >  	select CRYPTO_CHACHA20
> > -	select CRYPTO_POLY1305
> >  	select CRYPTO_AEAD
> > +	select CRYPTO_LIB_POLY1305
>
> Should this be `select CRYPTO_LIB_POLY1305_GENERIC`, instead?

The problem is that lib/crypto/Makefile only builds poly1305 if
LIB_POLY1305_GENERIC is enabled.  That used to be OK because it
was literally just the generic implementation.

But now it's actually the overall poly1305 library code so it needs
to become LIB_POLY1305 instead.  This also brings up the cyclic
dependency seen with libsha256.  So lib/crypto/poly1305 needs to
be split up accordingly.

---8<---
Split the lib poly1305 code just as was done with sha256.  Make
the main library code conditional on LIB_POLY1305 instead of
LIB_POLY1305_GENERIC.

Reported-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Fixes: 10a6d72ea355 ("crypto: lib/poly1305 - Use block-only interface")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 71d3d05d666a..c47438161ff1 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -40,11 +40,13 @@ libcurve25519-y					+= curve25519.o
 obj-$(CONFIG_CRYPTO_LIB_DES)			+= libdes.o
 libdes-y					:= des.o
 
-obj-$(CONFIG_CRYPTO_LIB_POLY1305_GENERIC)	+= libpoly1305.o
-libpoly1305-y					:= poly1305-donna32.o
-libpoly1305-$(CONFIG_ARCH_SUPPORTS_INT128)	:= poly1305-donna64.o
+obj-$(CONFIG_CRYPTO_LIB_POLY1305)		+= libpoly1305.o
 libpoly1305-y					+= poly1305.o
 
+obj-$(CONFIG_CRYPTO_LIB_POLY1305_GENERIC)	+= libpoly1305-generic.o
+libpoly1305-generic-y				:= poly1305-donna32.o
+libpoly1305-generic-$(CONFIG_ARCH_SUPPORTS_INT128) := poly1305-donna64.o
+
 obj-$(CONFIG_CRYPTO_LIB_SHA1)			+= libsha1.o
 libsha1-y					:= sha1.o
 
diff --git a/lib/crypto/poly1305-generic.c b/lib/crypto/poly1305-generic.c
new file mode 100644
index 000000000000..a73f700fa1fb
--- /dev/null
+++ b/lib/crypto/poly1305-generic.c
@@ -0,0 +1,24 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Poly1305 authenticator algorithm, RFC7539
+ *
+ * Copyright (C) 2015 Martin Willi
+ *
+ * Based on public domain code by Andrew Moon and Daniel J. Bernstein.
+ */
+
+#include <crypto/internal/poly1305.h>
+#include <linux/kernel.h>
+#include <linux/module.h>
+
+void poly1305_block_init_generic(struct poly1305_block_state *desc,
+				 const u8 raw_key[POLY1305_BLOCK_SIZE])
+{
+	poly1305_core_init(&desc->h);
+	poly1305_core_setkey(&desc->core_r, raw_key);
+}
+EXPORT_SYMBOL_GPL(poly1305_block_init_generic);
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Martin Willi <martin@strongswan.org>");
+MODULE_DESCRIPTION("Poly1305 algorithm (generic implementation)");
diff --git a/lib/crypto/poly1305.c b/lib/crypto/poly1305.c
index 4c9996864090..5f2f2af3b59f 100644
--- a/lib/crypto/poly1305.c
+++ b/lib/crypto/poly1305.c
@@ -14,14 +14,6 @@
 #include <linux/string.h>
 #include <linux/unaligned.h>
 
-void poly1305_block_init_generic(struct poly1305_block_state *desc,
-				 const u8 raw_key[POLY1305_BLOCK_SIZE])
-{
-	poly1305_core_init(&desc->h);
-	poly1305_core_setkey(&desc->core_r, raw_key);
-}
-EXPORT_SYMBOL_GPL(poly1305_block_init_generic);
-
 void poly1305_init(struct poly1305_desc_ctx *desc,
 		   const u8 key[POLY1305_KEY_SIZE])
 {
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

[PATCH] crypto: lib/poly1305 - Build main library on LIB_POLY1305 and split generic code out

[Herbert Xu]

Split the lib poly1305 code just as was done with sha256.  Make
the main library code conditional on LIB_POLY1305 instead of
LIB_POLY1305_GENERIC.

Reported-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Fixes: 10a6d72ea355 ("crypto: lib/poly1305 - Use block-only interface")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 71d3d05d666a..c47438161ff1 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -40,11 +40,13 @@ libcurve25519-y					+= curve25519.o
 obj-$(CONFIG_CRYPTO_LIB_DES)			+= libdes.o
 libdes-y					:= des.o
 
-obj-$(CONFIG_CRYPTO_LIB_POLY1305_GENERIC)	+= libpoly1305.o
-libpoly1305-y					:= poly1305-donna32.o
-libpoly1305-$(CONFIG_ARCH_SUPPORTS_INT128)	:= poly1305-donna64.o
+obj-$(CONFIG_CRYPTO_LIB_POLY1305)		+= libpoly1305.o
 libpoly1305-y					+= poly1305.o
 
+obj-$(CONFIG_CRYPTO_LIB_POLY1305_GENERIC)	+= libpoly1305-generic.o
+libpoly1305-generic-y				:= poly1305-donna32.o
+libpoly1305-generic-$(CONFIG_ARCH_SUPPORTS_INT128) := poly1305-donna64.o
+
 obj-$(CONFIG_CRYPTO_LIB_SHA1)			+= libsha1.o
 libsha1-y					:= sha1.o
 
diff --git a/lib/crypto/poly1305-generic.c b/lib/crypto/poly1305-generic.c
new file mode 100644
index 000000000000..a73f700fa1fb
--- /dev/null
+++ b/lib/crypto/poly1305-generic.c
@@ -0,0 +1,24 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Poly1305 authenticator algorithm, RFC7539
+ *
+ * Copyright (C) 2015 Martin Willi
+ *
+ * Based on public domain code by Andrew Moon and Daniel J. Bernstein.
+ */
+
+#include <crypto/internal/poly1305.h>
+#include <linux/kernel.h>
+#include <linux/module.h>
+
+void poly1305_block_init_generic(struct poly1305_block_state *desc,
+				 const u8 raw_key[POLY1305_BLOCK_SIZE])
+{
+	poly1305_core_init(&desc->h);
+	poly1305_core_setkey(&desc->core_r, raw_key);
+}
+EXPORT_SYMBOL_GPL(poly1305_block_init_generic);
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Martin Willi <martin@strongswan.org>");
+MODULE_DESCRIPTION("Poly1305 algorithm (generic implementation)");
diff --git a/lib/crypto/poly1305.c b/lib/crypto/poly1305.c
index 4c9996864090..5f2f2af3b59f 100644
--- a/lib/crypto/poly1305.c
+++ b/lib/crypto/poly1305.c
@@ -14,14 +14,6 @@
 #include <linux/string.h>
 #include <linux/unaligned.h>
 
-void poly1305_block_init_generic(struct poly1305_block_state *desc,
-				 const u8 raw_key[POLY1305_BLOCK_SIZE])
-{
-	poly1305_core_init(&desc->h);
-	poly1305_core_setkey(&desc->core_r, raw_key);
-}
-EXPORT_SYMBOL_GPL(poly1305_block_init_generic);
-
 void poly1305_init(struct poly1305_desc_ctx *desc,
 		   const u8 key[POLY1305_KEY_SIZE])
 {
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] crypto: lib/poly1305 - Build main library on LIB_POLY1305 and split generic code out

[Cabiddu, Giovanni]

On Tue, May 06, 2025 at 10:05:08AM +0800, Herbert Xu wrote:
> Split the lib poly1305 code just as was done with sha256.  Make
> the main library code conditional on LIB_POLY1305 instead of
> LIB_POLY1305_GENERIC.
> 
> Reported-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
> Fixes: 10a6d72ea355 ("crypto: lib/poly1305 - Use block-only interface")
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
With this patch the build fails reporting a missing MODULE_LICENSE() and
MODULE_DESCRIPTION():

    ERROR: modpost: missing MODULE_LICENSE() in lib/crypto/libpoly1305-generic.o
    WARNING: modpost: missing MODULE_DESCRIPTION() in
    lib/crypto/libpoly1305-generic.o
    make[2]: *** [scripts/Makefile.modpost:147: Module.symvers] Error 1
    make[1]: *** [/devel/cryptodev-2.6/Makefile:1954: modpost] Error 2
    make: *** [Makefile:248: __sub-make] Error 2

My config has
    CONFIG_CRYPTO_CHACHA20POLY1305=y
    CONFIG_CRYPTO_LIB_POLY1305_GENERIC=m

Thanks,

-- 
Giovanni

[v2 PATCH] crypto: lib/poly1305 - Build main library on LIB_POLY1305 and split generic code out

[Herbert Xu]

On Tue, May 06, 2025 at 11:56:03AM +0100, Cabiddu, Giovanni wrote:
>
> With this patch the build fails reporting a missing MODULE_LICENSE() and
> MODULE_DESCRIPTION():

Oops, I messed up the Makefile:

---8<---
Split the lib poly1305 code just as was done with sha256.  Make
the main library code conditional on LIB_POLY1305 instead of
LIB_POLY1305_GENERIC.

Reported-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
Fixes: 10a6d72ea355 ("crypto: lib/poly1305 - Use block-only interface")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
---
 lib/crypto/Makefile           |  9 ++++++---
 lib/crypto/poly1305-generic.c | 24 ++++++++++++++++++++++++
 lib/crypto/poly1305.c         |  8 --------
 3 files changed, 30 insertions(+), 11 deletions(-)
 create mode 100644 lib/crypto/poly1305-generic.c

diff --git a/lib/crypto/Makefile b/lib/crypto/Makefile
index 71d3d05d666a..ff4aa22e5ccc 100644
--- a/lib/crypto/Makefile
+++ b/lib/crypto/Makefile
@@ -40,11 +40,14 @@ libcurve25519-y					+= curve25519.o
 obj-$(CONFIG_CRYPTO_LIB_DES)			+= libdes.o
 libdes-y					:= des.o
 
-obj-$(CONFIG_CRYPTO_LIB_POLY1305_GENERIC)	+= libpoly1305.o
-libpoly1305-y					:= poly1305-donna32.o
-libpoly1305-$(CONFIG_ARCH_SUPPORTS_INT128)	:= poly1305-donna64.o
+obj-$(CONFIG_CRYPTO_LIB_POLY1305)		+= libpoly1305.o
 libpoly1305-y					+= poly1305.o
 
+obj-$(CONFIG_CRYPTO_LIB_POLY1305_GENERIC)	+= libpoly1305-generic.o
+libpoly1305-generic-y				:= poly1305-donna32.o
+libpoly1305-generic-$(CONFIG_ARCH_SUPPORTS_INT128) := poly1305-donna64.o
+libpoly1305-generic-y				+= poly1305-generic.o
+
 obj-$(CONFIG_CRYPTO_LIB_SHA1)			+= libsha1.o
 libsha1-y					:= sha1.o
 
diff --git a/lib/crypto/poly1305-generic.c b/lib/crypto/poly1305-generic.c
new file mode 100644
index 000000000000..a73f700fa1fb
--- /dev/null
+++ b/lib/crypto/poly1305-generic.c
@@ -0,0 +1,24 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Poly1305 authenticator algorithm, RFC7539
+ *
+ * Copyright (C) 2015 Martin Willi
+ *
+ * Based on public domain code by Andrew Moon and Daniel J. Bernstein.
+ */
+
+#include <crypto/internal/poly1305.h>
+#include <linux/kernel.h>
+#include <linux/module.h>
+
+void poly1305_block_init_generic(struct poly1305_block_state *desc,
+				 const u8 raw_key[POLY1305_BLOCK_SIZE])
+{
+	poly1305_core_init(&desc->h);
+	poly1305_core_setkey(&desc->core_r, raw_key);
+}
+EXPORT_SYMBOL_GPL(poly1305_block_init_generic);
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Martin Willi <martin@strongswan.org>");
+MODULE_DESCRIPTION("Poly1305 algorithm (generic implementation)");
diff --git a/lib/crypto/poly1305.c b/lib/crypto/poly1305.c
index 4c9996864090..5f2f2af3b59f 100644
--- a/lib/crypto/poly1305.c
+++ b/lib/crypto/poly1305.c
@@ -14,14 +14,6 @@
 #include <linux/string.h>
 #include <linux/unaligned.h>
 
-void poly1305_block_init_generic(struct poly1305_block_state *desc,
-				 const u8 raw_key[POLY1305_BLOCK_SIZE])
-{
-	poly1305_core_init(&desc->h);
-	poly1305_core_setkey(&desc->core_r, raw_key);
-}
-EXPORT_SYMBOL_GPL(poly1305_block_init_generic);
-
 void poly1305_init(struct poly1305_desc_ctx *desc,
 		   const u8 key[POLY1305_KEY_SIZE])
 {
-- 
2.39.5

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [v2 PATCH] crypto: lib/poly1305 - Build main library on LIB_POLY1305 and split generic code out

[Cabiddu, Giovanni]

On Tue, May 06, 2025 at 07:05:58PM +0800, Herbert Xu wrote:
> On Tue, May 06, 2025 at 11:56:03AM +0100, Cabiddu, Giovanni wrote:
> >
> > With this patch the build fails reporting a missing MODULE_LICENSE() and
> > MODULE_DESCRIPTION():
> 
> Oops, I messed up the Makefile:
> 
> ---8<---
> Split the lib poly1305 code just as was done with sha256.  Make
> the main library code conditional on LIB_POLY1305 instead of
> LIB_POLY1305_GENERIC.
> 
> Reported-by: Giovanni Cabiddu <giovanni.cabiddu@intel.com>
> Fixes: 10a6d72ea355 ("crypto: lib/poly1305 - Use block-only interface")
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
> ---
Thanks Herbert. This fixes the build.

Regards,

-- 
Giovanni

Re: [v4 PATCH 11/11] crypto: lib/poly1305 - Use block-only interface

[Thorsten Leemhuis]

On 28.04.25 06:56, Herbert Xu wrote:
> Now that every architecture provides a block function, use that
> to implement the lib/poly1305 and remove the old per-arch code.
> 
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

I ran into a problem today when building -next rpms for ppc64le Fedora
using the approach and configuration used to build the kernel rpms 
shipped in Fedora rawhide. I did not investigate yet, but I wonder if is
was caused by the quoted change or some other change in this series
which showed up in -next today.

"""
ld: warning: discarding dynamic section .glink
ld: warning: discarding dynamic section .plt
ld: linkage table error against `poly1305_emit_arch'
ld: stubs don't match calculated size
ld: can not build stubs: bad value
ld: lib/crypto/poly1305.o: in function `poly1305_final':
/builddir/build/BUILD/kernel-6.15.0-build/kernel-next-20250507/linux-6.15.0-0.0.next.20250507.443.vanilla.fc43.ppc64le/lib/crypto/poly1305.c:65:(.text+0x2dc): undefined reference to `poly1305_emit_arch'
ld: /builddir/build/BUILD/kernel-6.15.0-build/kernel-next-20250507/linux-6.15.0-0.0.next.20250507.443.vanilla.fc43.ppc64le/lib/crypto/poly1305.c:65:(.text+0x378): undefined reference to `poly1305_emit_arch'
make[2]: *** [scripts/Makefile.vmlinux:91: vmlinux] Error 1
make[1]: *** [/builddir/build/BUILD/kernel-6.15.0-build/kernel-next-20250507/linux-6.15.0-0.0.next.20250507.443.vanilla.fc43.ppc64le/Makefile:1250: vmlinux] Error 2
"""

Full build log:
https://download.copr.fedorainfracloud.org/results/@kernel-vanilla/next/fedora-rawhide-ppc64le/09006679-next-next-all/builder-live.log.gz

Same problem occured on Fedora 40, 41 and 42 as well.

Ciao, Thorsten

> ---
>  arch/arm/lib/crypto/poly1305-glue.c         | 57 -------------------
>  arch/arm64/lib/crypto/poly1305-glue.c       | 58 -------------------
>  arch/mips/lib/crypto/poly1305-glue.c        | 60 --------------------
>  arch/powerpc/lib/crypto/poly1305-p10-glue.c | 63 ---------------------
>  arch/x86/lib/crypto/poly1305_glue.c         | 60 --------------------
>  include/crypto/poly1305.h                   | 53 ++---------------
>  lib/crypto/poly1305.c                       | 39 ++++++++-----
>  7 files changed, 32 insertions(+), 358 deletions(-)
> 
> diff --git a/arch/arm/lib/crypto/poly1305-glue.c b/arch/arm/lib/crypto/poly1305-glue.c
> index 3ee16048ec7c..91da42b26d9c 100644
> --- a/arch/arm/lib/crypto/poly1305-glue.c
> +++ b/arch/arm/lib/crypto/poly1305-glue.c
> @@ -12,7 +12,6 @@
>  #include <linux/jump_label.h>
>  #include <linux/kernel.h>
>  #include <linux/module.h>
> -#include <linux/string.h>
>  #include <linux/unaligned.h>
>  
>  asmlinkage void poly1305_block_init_arch(
> @@ -35,17 +34,6 @@ void __weak poly1305_blocks_neon(struct poly1305_block_state *state,
>  
>  static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
>  
> -void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 key[POLY1305_KEY_SIZE])
> -{
> -	dctx->s[0] = get_unaligned_le32(key + 16);
> -	dctx->s[1] = get_unaligned_le32(key + 20);
> -	dctx->s[2] = get_unaligned_le32(key + 24);
> -	dctx->s[3] = get_unaligned_le32(key + 28);
> -	dctx->buflen = 0;
> -	poly1305_block_init_arch(&dctx->state, key);
> -}
> -EXPORT_SYMBOL(poly1305_init_arch);
> -
>  void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
>  			  unsigned int len, u32 padbit)
>  {
> @@ -67,51 +55,6 @@ void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
>  }
>  EXPORT_SYMBOL_GPL(poly1305_blocks_arch);
>  
> -void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
> -			  unsigned int nbytes)
> -{
> -	if (unlikely(dctx->buflen)) {
> -		u32 bytes = min(nbytes, POLY1305_BLOCK_SIZE - dctx->buflen);
> -
> -		memcpy(dctx->buf + dctx->buflen, src, bytes);
> -		src += bytes;
> -		nbytes -= bytes;
> -		dctx->buflen += bytes;
> -
> -		if (dctx->buflen == POLY1305_BLOCK_SIZE) {
> -			poly1305_blocks_arch(&dctx->state, dctx->buf,
> -					     POLY1305_BLOCK_SIZE, 1);
> -			dctx->buflen = 0;
> -		}
> -	}
> -
> -	if (likely(nbytes >= POLY1305_BLOCK_SIZE)) {
> -		poly1305_blocks_arch(&dctx->state, src, nbytes, 1);
> -		src += round_down(nbytes, POLY1305_BLOCK_SIZE);
> -		nbytes %= POLY1305_BLOCK_SIZE;
> -	}
> -
> -	if (unlikely(nbytes)) {
> -		dctx->buflen = nbytes;
> -		memcpy(dctx->buf, src, nbytes);
> -	}
> -}
> -EXPORT_SYMBOL(poly1305_update_arch);
> -
> -void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
> -{
> -	if (unlikely(dctx->buflen)) {
> -		dctx->buf[dctx->buflen++] = 1;
> -		memset(dctx->buf + dctx->buflen, 0,
> -		       POLY1305_BLOCK_SIZE - dctx->buflen);
> -		poly1305_blocks_arch(&dctx->state, dctx->buf, POLY1305_BLOCK_SIZE, 0);
> -	}
> -
> -	poly1305_emit_arch(&dctx->h, dst, dctx->s);
> -	*dctx = (struct poly1305_desc_ctx){};
> -}
> -EXPORT_SYMBOL(poly1305_final_arch);
> -
>  bool poly1305_is_arch_optimized(void)
>  {
>  	/* We always can use at least the ARM scalar implementation. */
> diff --git a/arch/arm64/lib/crypto/poly1305-glue.c b/arch/arm64/lib/crypto/poly1305-glue.c
> index d66a820e32d5..681c26557336 100644
> --- a/arch/arm64/lib/crypto/poly1305-glue.c
> +++ b/arch/arm64/lib/crypto/poly1305-glue.c
> @@ -12,7 +12,6 @@
>  #include <linux/jump_label.h>
>  #include <linux/kernel.h>
>  #include <linux/module.h>
> -#include <linux/string.h>
>  #include <linux/unaligned.h>
>  
>  asmlinkage void poly1305_block_init_arch(
> @@ -30,17 +29,6 @@ EXPORT_SYMBOL_GPL(poly1305_emit_arch);
>  
>  static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
>  
> -void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 key[POLY1305_KEY_SIZE])
> -{
> -	dctx->s[0] = get_unaligned_le32(key + 16);
> -	dctx->s[1] = get_unaligned_le32(key + 20);
> -	dctx->s[2] = get_unaligned_le32(key + 24);
> -	dctx->s[3] = get_unaligned_le32(key + 28);
> -	dctx->buflen = 0;
> -	poly1305_block_init_arch(&dctx->state, key);
> -}
> -EXPORT_SYMBOL(poly1305_init_arch);
> -
>  void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
>  			  unsigned int len, u32 padbit)
>  {
> @@ -61,52 +49,6 @@ void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
>  }
>  EXPORT_SYMBOL_GPL(poly1305_blocks_arch);
>  
> -void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
> -			  unsigned int nbytes)
> -{
> -	if (unlikely(dctx->buflen)) {
> -		u32 bytes = min(nbytes, POLY1305_BLOCK_SIZE - dctx->buflen);
> -
> -		memcpy(dctx->buf + dctx->buflen, src, bytes);
> -		src += bytes;
> -		nbytes -= bytes;
> -		dctx->buflen += bytes;
> -
> -		if (dctx->buflen == POLY1305_BLOCK_SIZE) {
> -			poly1305_blocks_arch(&dctx->state, dctx->buf,
> -					     POLY1305_BLOCK_SIZE, 1);
> -			dctx->buflen = 0;
> -		}
> -	}
> -
> -	if (likely(nbytes >= POLY1305_BLOCK_SIZE)) {
> -		poly1305_blocks_arch(&dctx->state, src, nbytes, 1);
> -		src += round_down(nbytes, POLY1305_BLOCK_SIZE);
> -		nbytes %= POLY1305_BLOCK_SIZE;
> -	}
> -
> -	if (unlikely(nbytes)) {
> -		dctx->buflen = nbytes;
> -		memcpy(dctx->buf, src, nbytes);
> -	}
> -}
> -EXPORT_SYMBOL(poly1305_update_arch);
> -
> -void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
> -{
> -	if (unlikely(dctx->buflen)) {
> -		dctx->buf[dctx->buflen++] = 1;
> -		memset(dctx->buf + dctx->buflen, 0,
> -		       POLY1305_BLOCK_SIZE - dctx->buflen);
> -		poly1305_blocks_arch(&dctx->state, dctx->buf,
> -				     POLY1305_BLOCK_SIZE, 0);
> -	}
> -
> -	poly1305_emit_arch(&dctx->h, dst, dctx->s);
> -	memzero_explicit(dctx, sizeof(*dctx));
> -}
> -EXPORT_SYMBOL(poly1305_final_arch);
> -
>  bool poly1305_is_arch_optimized(void)
>  {
>  	/* We always can use at least the ARM64 scalar implementation. */
> diff --git a/arch/mips/lib/crypto/poly1305-glue.c b/arch/mips/lib/crypto/poly1305-glue.c
> index 2fea4cacfe27..764a38a65200 100644
> --- a/arch/mips/lib/crypto/poly1305-glue.c
> +++ b/arch/mips/lib/crypto/poly1305-glue.c
> @@ -9,7 +9,6 @@
>  #include <linux/cpufeature.h>
>  #include <linux/kernel.h>
>  #include <linux/module.h>
> -#include <linux/string.h>
>  #include <linux/unaligned.h>
>  
>  asmlinkage void poly1305_block_init_arch(
> @@ -24,65 +23,6 @@ asmlinkage void poly1305_emit_arch(const struct poly1305_state *state,
>  				   const u32 nonce[4]);
>  EXPORT_SYMBOL_GPL(poly1305_emit_arch);
>  
> -void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 key[POLY1305_KEY_SIZE])
> -{
> -	dctx->s[0] = get_unaligned_le32(key + 16);
> -	dctx->s[1] = get_unaligned_le32(key + 20);
> -	dctx->s[2] = get_unaligned_le32(key + 24);
> -	dctx->s[3] = get_unaligned_le32(key + 28);
> -	dctx->buflen = 0;
> -	poly1305_block_init_arch(&dctx->state, key);
> -}
> -EXPORT_SYMBOL(poly1305_init_arch);
> -
> -void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
> -			  unsigned int nbytes)
> -{
> -	if (unlikely(dctx->buflen)) {
> -		u32 bytes = min(nbytes, POLY1305_BLOCK_SIZE - dctx->buflen);
> -
> -		memcpy(dctx->buf + dctx->buflen, src, bytes);
> -		src += bytes;
> -		nbytes -= bytes;
> -		dctx->buflen += bytes;
> -
> -		if (dctx->buflen == POLY1305_BLOCK_SIZE) {
> -			poly1305_blocks_arch(&dctx->state, dctx->buf,
> -					     POLY1305_BLOCK_SIZE, 1);
> -			dctx->buflen = 0;
> -		}
> -	}
> -
> -	if (likely(nbytes >= POLY1305_BLOCK_SIZE)) {
> -		unsigned int len = round_down(nbytes, POLY1305_BLOCK_SIZE);
> -
> -		poly1305_blocks_arch(&dctx->state, src, len, 1);
> -		src += len;
> -		nbytes %= POLY1305_BLOCK_SIZE;
> -	}
> -
> -	if (unlikely(nbytes)) {
> -		dctx->buflen = nbytes;
> -		memcpy(dctx->buf, src, nbytes);
> -	}
> -}
> -EXPORT_SYMBOL(poly1305_update_arch);
> -
> -void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
> -{
> -	if (unlikely(dctx->buflen)) {
> -		dctx->buf[dctx->buflen++] = 1;
> -		memset(dctx->buf + dctx->buflen, 0,
> -		       POLY1305_BLOCK_SIZE - dctx->buflen);
> -		poly1305_blocks_arch(&dctx->state, dctx->buf,
> -				     POLY1305_BLOCK_SIZE, 0);
> -	}
> -
> -	poly1305_emit_arch(&dctx->h, dst, dctx->s);
> -	*dctx = (struct poly1305_desc_ctx){};
> -}
> -EXPORT_SYMBOL(poly1305_final_arch);
> -
>  bool poly1305_is_arch_optimized(void)
>  {
>  	return true;
> diff --git a/arch/powerpc/lib/crypto/poly1305-p10-glue.c b/arch/powerpc/lib/crypto/poly1305-p10-glue.c
> index 708435beaba6..50ac802220e0 100644
> --- a/arch/powerpc/lib/crypto/poly1305-p10-glue.c
> +++ b/arch/powerpc/lib/crypto/poly1305-p10-glue.c
> @@ -10,7 +10,6 @@
>  #include <linux/jump_label.h>
>  #include <linux/kernel.h>
>  #include <linux/module.h>
> -#include <linux/string.h>
>  #include <linux/unaligned.h>
>  
>  asmlinkage void poly1305_p10le_4blocks(struct poly1305_block_state *state, const u8 *m, u32 mlen);
> @@ -45,17 +44,6 @@ void poly1305_block_init_arch(struct poly1305_block_state *dctx,
>  }
>  EXPORT_SYMBOL_GPL(poly1305_block_init_arch);
>  
> -void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 key[POLY1305_KEY_SIZE])
> -{
> -	dctx->s[0] = get_unaligned_le32(key + 16);
> -	dctx->s[1] = get_unaligned_le32(key + 20);
> -	dctx->s[2] = get_unaligned_le32(key + 24);
> -	dctx->s[3] = get_unaligned_le32(key + 28);
> -	dctx->buflen = 0;
> -	poly1305_block_init_arch(&dctx->state, key);
> -}
> -EXPORT_SYMBOL(poly1305_init_arch);
> -
>  void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
>  			  unsigned int len, u32 padbit)
>  {
> @@ -76,57 +64,6 @@ void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
>  }
>  EXPORT_SYMBOL_GPL(poly1305_blocks_arch);
>  
> -void poly1305_update_arch(struct poly1305_desc_ctx *dctx,
> -			  const u8 *src, unsigned int srclen)
> -{
> -	unsigned int bytes;
> -
> -	if (!static_key_enabled(&have_p10))
> -		return poly1305_update_generic(dctx, src, srclen);
> -
> -	if (unlikely(dctx->buflen)) {
> -		bytes = min(srclen, POLY1305_BLOCK_SIZE - dctx->buflen);
> -		memcpy(dctx->buf + dctx->buflen, src, bytes);
> -		src += bytes;
> -		srclen -= bytes;
> -		dctx->buflen += bytes;
> -		if (dctx->buflen < POLY1305_BLOCK_SIZE)
> -			return;
> -		poly1305_blocks_arch(&dctx->state, dctx->buf,
> -				     POLY1305_BLOCK_SIZE, 1);
> -		dctx->buflen = 0;
> -	}
> -
> -	if (likely(srclen >= POLY1305_BLOCK_SIZE)) {
> -		poly1305_blocks_arch(&dctx->state, src, srclen, 1);
> -		src += srclen - (srclen % POLY1305_BLOCK_SIZE);
> -		srclen %= POLY1305_BLOCK_SIZE;
> -	}
> -
> -	if (unlikely(srclen)) {
> -		dctx->buflen = srclen;
> -		memcpy(dctx->buf, src, srclen);
> -	}
> -}
> -EXPORT_SYMBOL(poly1305_update_arch);
> -
> -void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
> -{
> -	if (!static_key_enabled(&have_p10))
> -		return poly1305_final_generic(dctx, dst);
> -
> -	if (dctx->buflen) {
> -		dctx->buf[dctx->buflen++] = 1;
> -		memset(dctx->buf + dctx->buflen, 0,
> -		       POLY1305_BLOCK_SIZE - dctx->buflen);
> -		poly1305_blocks_arch(&dctx->state, dctx->buf,
> -				     POLY1305_BLOCK_SIZE, 0);
> -	}
> -
> -	poly1305_emit_arch(&dctx->h, dst, dctx->s);
> -}
> -EXPORT_SYMBOL(poly1305_final_arch);
> -
>  bool poly1305_is_arch_optimized(void)
>  {
>  	return static_key_enabled(&have_p10);
> diff --git a/arch/x86/lib/crypto/poly1305_glue.c b/arch/x86/lib/crypto/poly1305_glue.c
> index d98764ec3b47..f799828c5809 100644
> --- a/arch/x86/lib/crypto/poly1305_glue.c
> +++ b/arch/x86/lib/crypto/poly1305_glue.c
> @@ -10,7 +10,6 @@
>  #include <linux/kernel.h>
>  #include <linux/module.h>
>  #include <linux/sizes.h>
> -#include <linux/string.h>
>  #include <linux/unaligned.h>
>  
>  struct poly1305_arch_internal {
> @@ -96,65 +95,6 @@ void poly1305_emit_arch(const struct poly1305_state *ctx,
>  }
>  EXPORT_SYMBOL_GPL(poly1305_emit_arch);
>  
> -void poly1305_init_arch(struct poly1305_desc_ctx *dctx, const u8 key[POLY1305_KEY_SIZE])
> -{
> -	dctx->s[0] = get_unaligned_le32(&key[16]);
> -	dctx->s[1] = get_unaligned_le32(&key[20]);
> -	dctx->s[2] = get_unaligned_le32(&key[24]);
> -	dctx->s[3] = get_unaligned_le32(&key[28]);
> -	dctx->buflen = 0;
> -	poly1305_block_init_arch(&dctx->state, key);
> -}
> -EXPORT_SYMBOL(poly1305_init_arch);
> -
> -void poly1305_update_arch(struct poly1305_desc_ctx *dctx, const u8 *src,
> -			  unsigned int srclen)
> -{
> -	unsigned int bytes;
> -
> -	if (unlikely(dctx->buflen)) {
> -		bytes = min(srclen, POLY1305_BLOCK_SIZE - dctx->buflen);
> -		memcpy(dctx->buf + dctx->buflen, src, bytes);
> -		src += bytes;
> -		srclen -= bytes;
> -		dctx->buflen += bytes;
> -
> -		if (dctx->buflen == POLY1305_BLOCK_SIZE) {
> -			poly1305_blocks_arch(&dctx->state, dctx->buf,
> -					     POLY1305_BLOCK_SIZE, 1);
> -			dctx->buflen = 0;
> -		}
> -	}
> -
> -	if (likely(srclen >= POLY1305_BLOCK_SIZE)) {
> -		bytes = round_down(srclen, POLY1305_BLOCK_SIZE);
> -		poly1305_blocks_arch(&dctx->state, src, bytes, 1);
> -		src += bytes;
> -		srclen -= bytes;
> -	}
> -
> -	if (unlikely(srclen)) {
> -		dctx->buflen = srclen;
> -		memcpy(dctx->buf, src, srclen);
> -	}
> -}
> -EXPORT_SYMBOL(poly1305_update_arch);
> -
> -void poly1305_final_arch(struct poly1305_desc_ctx *dctx, u8 *dst)
> -{
> -	if (unlikely(dctx->buflen)) {
> -		dctx->buf[dctx->buflen++] = 1;
> -		memset(dctx->buf + dctx->buflen, 0,
> -		       POLY1305_BLOCK_SIZE - dctx->buflen);
> -		poly1305_blocks_arch(&dctx->state, dctx->buf,
> -				     POLY1305_BLOCK_SIZE, 0);
> -	}
> -
> -	poly1305_emit_arch(&dctx->h, dst, dctx->s);
> -	memzero_explicit(dctx, sizeof(*dctx));
> -}
> -EXPORT_SYMBOL(poly1305_final_arch);
> -
>  bool poly1305_is_arch_optimized(void)
>  {
>  	return static_key_enabled(&poly1305_use_avx);
> diff --git a/include/crypto/poly1305.h b/include/crypto/poly1305.h
> index 027d74842cd5..e54abda8cfe9 100644
> --- a/include/crypto/poly1305.h
> +++ b/include/crypto/poly1305.h
> @@ -55,55 +55,14 @@ struct poly1305_desc_ctx {
>  	unsigned int buflen;
>  	/* finalize key */
>  	u32 s[4];
> -	union {
> -		struct {
> -			struct poly1305_state h;
> -			union {
> -				struct poly1305_key opaque_r[CONFIG_CRYPTO_LIB_POLY1305_RSIZE];
> -				struct poly1305_core_key core_r;
> -			};
> -		};
> -		struct poly1305_block_state state;
> -	};
> +	struct poly1305_block_state state;
>  };
>  
> -void poly1305_init_arch(struct poly1305_desc_ctx *desc,
> -			const u8 key[POLY1305_KEY_SIZE]);
> -void poly1305_init_generic(struct poly1305_desc_ctx *desc,
> -			   const u8 key[POLY1305_KEY_SIZE]);
> -
> -static inline void poly1305_init(struct poly1305_desc_ctx *desc, const u8 *key)
> -{
> -	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
> -		poly1305_init_arch(desc, key);
> -	else
> -		poly1305_init_generic(desc, key);
> -}
> -
> -void poly1305_update_arch(struct poly1305_desc_ctx *desc, const u8 *src,
> -			  unsigned int nbytes);
> -void poly1305_update_generic(struct poly1305_desc_ctx *desc, const u8 *src,
> -			     unsigned int nbytes);
> -
> -static inline void poly1305_update(struct poly1305_desc_ctx *desc,
> -				   const u8 *src, unsigned int nbytes)
> -{
> -	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
> -		poly1305_update_arch(desc, src, nbytes);
> -	else
> -		poly1305_update_generic(desc, src, nbytes);
> -}
> -
> -void poly1305_final_arch(struct poly1305_desc_ctx *desc, u8 *digest);
> -void poly1305_final_generic(struct poly1305_desc_ctx *desc, u8 *digest);
> -
> -static inline void poly1305_final(struct poly1305_desc_ctx *desc, u8 *digest)
> -{
> -	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
> -		poly1305_final_arch(desc, digest);
> -	else
> -		poly1305_final_generic(desc, digest);
> -}
> +void poly1305_init(struct poly1305_desc_ctx *desc,
> +		   const u8 key[POLY1305_KEY_SIZE]);
> +void poly1305_update(struct poly1305_desc_ctx *desc,
> +		     const u8 *src, unsigned int nbytes);
> +void poly1305_final(struct poly1305_desc_ctx *desc, u8 *digest);
>  
>  #if IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305)
>  bool poly1305_is_arch_optimized(void);
> diff --git a/lib/crypto/poly1305.c b/lib/crypto/poly1305.c
> index 9fec64a599c1..4c9996864090 100644
> --- a/lib/crypto/poly1305.c
> +++ b/lib/crypto/poly1305.c
> @@ -22,47 +22,60 @@ void poly1305_block_init_generic(struct poly1305_block_state *desc,
>  }
>  EXPORT_SYMBOL_GPL(poly1305_block_init_generic);
>  
> -void poly1305_init_generic(struct poly1305_desc_ctx *desc,
> -			   const u8 key[POLY1305_KEY_SIZE])
> +void poly1305_init(struct poly1305_desc_ctx *desc,
> +		   const u8 key[POLY1305_KEY_SIZE])
>  {
>  	desc->s[0] = get_unaligned_le32(key + 16);
>  	desc->s[1] = get_unaligned_le32(key + 20);
>  	desc->s[2] = get_unaligned_le32(key + 24);
>  	desc->s[3] = get_unaligned_le32(key + 28);
>  	desc->buflen = 0;
> -	poly1305_block_init_generic(&desc->state, key);
> +	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
> +		poly1305_block_init_arch(&desc->state, key);
> +	else
> +		poly1305_block_init_generic(&desc->state, key);
>  }
> -EXPORT_SYMBOL_GPL(poly1305_init_generic);
> +EXPORT_SYMBOL(poly1305_init);
>  
>  static inline void poly1305_blocks(struct poly1305_block_state *state,
>  				   const u8 *src, unsigned int len)
>  {
> -	poly1305_blocks_generic(state, src, len, 1);
> +	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
> +		poly1305_blocks_arch(state, src, len, 1);
> +	else
> +		poly1305_blocks_generic(state, src, len, 1);
>  }
>  
> -void poly1305_update_generic(struct poly1305_desc_ctx *desc, const u8 *src,
> -			     unsigned int nbytes)
> +void poly1305_update(struct poly1305_desc_ctx *desc,
> +		     const u8 *src, unsigned int nbytes)
>  {
>  	desc->buflen = BLOCK_HASH_UPDATE(poly1305_blocks, &desc->state,
>  					 src, nbytes, POLY1305_BLOCK_SIZE,
>  					 desc->buf, desc->buflen);
>  }
> -EXPORT_SYMBOL_GPL(poly1305_update_generic);
> +EXPORT_SYMBOL(poly1305_update);
>  
> -void poly1305_final_generic(struct poly1305_desc_ctx *desc, u8 *dst)
> +void poly1305_final(struct poly1305_desc_ctx *desc, u8 *dst)
>  {
>  	if (unlikely(desc->buflen)) {
>  		desc->buf[desc->buflen++] = 1;
>  		memset(desc->buf + desc->buflen, 0,
>  		       POLY1305_BLOCK_SIZE - desc->buflen);
> -		poly1305_blocks_generic(&desc->state, desc->buf,
> -					POLY1305_BLOCK_SIZE, 0);
> +		if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
> +			poly1305_blocks_arch(&desc->state, desc->buf,
> +					     POLY1305_BLOCK_SIZE, 0);
> +		else
> +			poly1305_blocks_generic(&desc->state, desc->buf,
> +						POLY1305_BLOCK_SIZE, 0);
>  	}
>  
> -	poly1305_emit_generic(&desc->h, dst, desc->s);
> +	if (IS_ENABLED(CONFIG_CRYPTO_ARCH_HAVE_LIB_POLY1305))
> +		poly1305_emit_arch(&desc->state.h, dst, desc->s);
> +	else
> +		poly1305_emit_generic(&desc->state.h, dst, desc->s);
>  	*desc = (struct poly1305_desc_ctx){};
>  }
> -EXPORT_SYMBOL_GPL(poly1305_final_generic);
> +EXPORT_SYMBOL(poly1305_final);
>  
>  MODULE_LICENSE("GPL");
>  MODULE_AUTHOR("Martin Willi <martin@strongswan.org>");

[PATCH] crypto: powerpc/poly1305 - Add missing poly1305_emit_arch

[Herbert Xu]

On Wed, May 07, 2025 at 01:03:06PM +0200, Thorsten Leemhuis wrote:
>
> """
> ld: warning: discarding dynamic section .glink
> ld: warning: discarding dynamic section .plt
> ld: linkage table error against `poly1305_emit_arch'
> ld: stubs don't match calculated size
> ld: can not build stubs: bad value
> ld: lib/crypto/poly1305.o: in function `poly1305_final':
> /builddir/build/BUILD/kernel-6.15.0-build/kernel-next-20250507/linux-6.15.0-0.0.next.20250507.443.vanilla.fc43.ppc64le/lib/crypto/poly1305.c:65:(.text+0x2dc): undefined reference to `poly1305_emit_arch'
> ld: /builddir/build/BUILD/kernel-6.15.0-build/kernel-next-20250507/linux-6.15.0-0.0.next.20250507.443.vanilla.fc43.ppc64le/lib/crypto/poly1305.c:65:(.text+0x378): undefined reference to `poly1305_emit_arch'
> make[2]: *** [scripts/Makefile.vmlinux:91: vmlinux] Error 1
> make[1]: *** [/builddir/build/BUILD/kernel-6.15.0-build/kernel-next-20250507/linux-6.15.0-0.0.next.20250507.443.vanilla.fc43.ppc64le/Makefile:1250: vmlinux] Error 2
> """

Oops, the powerpc patch was missing the assembly part:

---8<---
Rename poly1305_emit_64 to poly1305_emit_arch to conform with
the expectation of the poly1305 library.

Reported-by: Thorsten Leemhuis <linux@leemhuis.info>
Fixes: 14d31979145d ("crypto: powerpc/poly1305 - Add block-only interface")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/arch/powerpc/lib/crypto/poly1305-p10-glue.c b/arch/powerpc/lib/crypto/poly1305-p10-glue.c
index 16c2a8316696..7cea0ebcc6bc 100644
--- a/arch/powerpc/lib/crypto/poly1305-p10-glue.c
+++ b/arch/powerpc/lib/crypto/poly1305-p10-glue.c
@@ -17,6 +17,7 @@ asmlinkage void poly1305_64s(struct poly1305_block_state *state, const u8 *m, u3
 asmlinkage void poly1305_emit_arch(const struct poly1305_state *state,
 				   u8 digest[POLY1305_DIGEST_SIZE],
 				   const u32 nonce[4]);
+EXPORT_SYMBOL_GPL(poly1305_emit_arch);
 
 static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_p10);
 
diff --git a/arch/powerpc/lib/crypto/poly1305-p10le_64.S b/arch/powerpc/lib/crypto/poly1305-p10le_64.S
index a3c1987f1ecd..2ba2911b8038 100644
--- a/arch/powerpc/lib/crypto/poly1305-p10le_64.S
+++ b/arch/powerpc/lib/crypto/poly1305-p10le_64.S
@@ -1030,7 +1030,7 @@ SYM_FUNC_END(poly1305_64s)
 # Input: r3 = h, r4 = s, r5 = mac
 # mac = h + s
 #
-SYM_FUNC_START(poly1305_emit_64)
+SYM_FUNC_START(poly1305_emit_arch)
 	ld	10, 0(3)
 	ld	11, 8(3)
 	ld	12, 16(3)
@@ -1060,7 +1060,7 @@ Skip_h64:
 	std	10, 0(5)
 	std	11, 8(5)
 	blr
-SYM_FUNC_END(poly1305_emit_64)
+SYM_FUNC_END(poly1305_emit_arch)
 
 SYM_DATA_START_LOCAL(RMASK)
 .align 5
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] crypto: powerpc/poly1305 - Add missing poly1305_emit_arch

[Thorsten Leemhuis]

On 07.05.25 13:36, Herbert Xu wrote:
> On Wed, May 07, 2025 at 01:03:06PM +0200, Thorsten Leemhuis wrote:
>>
>> """
>> ld: warning: discarding dynamic section .glink
>> ld: warning: discarding dynamic section .plt
>> ld: linkage table error against `poly1305_emit_arch'
>> ld: stubs don't match calculated size
>> ld: can not build stubs: bad value
>> ld: lib/crypto/poly1305.o: in function `poly1305_final':
>> /builddir/build/BUILD/kernel-6.15.0-build/kernel-next-20250507/linux-6.15.0-0.0.next.20250507.443.vanilla.fc43.ppc64le/lib/crypto/poly1305.c:65:(.text+0x2dc): undefined reference to `poly1305_emit_arch'
>> ld: /builddir/build/BUILD/kernel-6.15.0-build/kernel-next-20250507/linux-6.15.0-0.0.next.20250507.443.vanilla.fc43.ppc64le/lib/crypto/poly1305.c:65:(.text+0x378): undefined reference to `poly1305_emit_arch'
>> make[2]: *** [scripts/Makefile.vmlinux:91: vmlinux] Error 1
>> make[1]: *** [/builddir/build/BUILD/kernel-6.15.0-build/kernel-next-20250507/linux-6.15.0-0.0.next.20250507.443.vanilla.fc43.ppc64le/Makefile:1250: vmlinux] Error 2
>> """
> 
> Oops, the powerpc patch was missing the assembly part:

Ha, happens, thx for providing the patch this quickly, it did
the trick for me:

Tested-by: Thorsten Leemhuis <linux@leemhuis.info>

Ciao, Thorsten

Re: [PATCH] crypto: powerpc/poly1305 - Add missing poly1305_emit_arch

[Venkat Rao Bagalkote]

Hello Herbert,

On 07/05/25 5:06 pm, Herbert Xu wrote:
> On Wed, May 07, 2025 at 01:03:06PM +0200, Thorsten Leemhuis wrote:
>> """
>> ld: warning: discarding dynamic section .glink
>> ld: warning: discarding dynamic section .plt
>> ld: linkage table error against `poly1305_emit_arch'
>> ld: stubs don't match calculated size
>> ld: can not build stubs: bad value
>> ld: lib/crypto/poly1305.o: in function `poly1305_final':
>> /builddir/build/BUILD/kernel-6.15.0-build/kernel-next-20250507/linux-6.15.0-0.0.next.20250507.443.vanilla.fc43.ppc64le/lib/crypto/poly1305.c:65:(.text+0x2dc): undefined reference to `poly1305_emit_arch'
>> ld: /builddir/build/BUILD/kernel-6.15.0-build/kernel-next-20250507/linux-6.15.0-0.0.next.20250507.443.vanilla.fc43.ppc64le/lib/crypto/poly1305.c:65:(.text+0x378): undefined reference to `poly1305_emit_arch'
>> make[2]: *** [scripts/Makefile.vmlinux:91: vmlinux] Error 1
>> make[1]: *** [/builddir/build/BUILD/kernel-6.15.0-build/kernel-next-20250507/linux-6.15.0-0.0.next.20250507.443.vanilla.fc43.ppc64le/Makefile:1250: vmlinux] Error 2
>> """
> Oops, the powerpc patch was missing the assembly part:
>
> ---8<---
> Rename poly1305_emit_64 to poly1305_emit_arch to conform with
> the expectation of the poly1305 library.
>
> Reported-by: Thorsten Leemhuis <linux@leemhuis.info>
> Fixes: 14d31979145d ("crypto: powerpc/poly1305 - Add block-only interface")
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
>
> diff --git a/arch/powerpc/lib/crypto/poly1305-p10-glue.c b/arch/powerpc/lib/crypto/poly1305-p10-glue.c
> index 16c2a8316696..7cea0ebcc6bc 100644
> --- a/arch/powerpc/lib/crypto/poly1305-p10-glue.c
> +++ b/arch/powerpc/lib/crypto/poly1305-p10-glue.c
> @@ -17,6 +17,7 @@ asmlinkage void poly1305_64s(struct poly1305_block_state *state, const u8 *m, u3
>   asmlinkage void poly1305_emit_arch(const struct poly1305_state *state,
>   				   u8 digest[POLY1305_DIGEST_SIZE],
>   				   const u32 nonce[4]);
> +EXPORT_SYMBOL_GPL(poly1305_emit_arch);
>   
>   static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_p10);
>   
> diff --git a/arch/powerpc/lib/crypto/poly1305-p10le_64.S b/arch/powerpc/lib/crypto/poly1305-p10le_64.S
> index a3c1987f1ecd..2ba2911b8038 100644
> --- a/arch/powerpc/lib/crypto/poly1305-p10le_64.S
> +++ b/arch/powerpc/lib/crypto/poly1305-p10le_64.S
> @@ -1030,7 +1030,7 @@ SYM_FUNC_END(poly1305_64s)
>   # Input: r3 = h, r4 = s, r5 = mac
>   # mac = h + s
>   #
> -SYM_FUNC_START(poly1305_emit_64)
> +SYM_FUNC_START(poly1305_emit_arch)
>   	ld	10, 0(3)
>   	ld	11, 8(3)
>   	ld	12, 16(3)
> @@ -1060,7 +1060,7 @@ Skip_h64:
>   	std	10, 0(5)
>   	std	11, 8(5)
>   	blr
> -SYM_FUNC_END(poly1305_emit_64)
> +SYM_FUNC_END(poly1305_emit_arch)
>   
>   SYM_DATA_START_LOCAL(RMASK)
>   .align 5


I tested this patch by applying on next-20250507, though it fixes the 
build issue, it has introduced a boot warning.


Warning:


[    1.644487] ------------[ cut here ]------------
[    1.644490] WARNING: CPU: 3 PID: 1 at 
lib/crypto/chacha20poly1305.c:359 chacha20poly1305_init+0x28/0x50
[    1.644501] Modules linked in:
[    1.644507] CPU: 3 UID: 0 PID: 1 Comm: swapper/0 Not tainted 
6.15.0-rc5-next-20250507-00002-g8be5012869c6-dirty #1 VOLUNTARY
[    1.644515] Hardware name: IBM,8375-42A POWER9 (architected) 0x4e0202 
0xf000005 of:IBM,FW950.80 (VL950_131) hv:phyp pSeries
[    1.644520] NIP:  c0000000020646c0 LR: c0000000020646b4 CTR: 
00000000007088ec
[    1.644525] REGS: c000000a03757960 TRAP: 0700   Not tainted 
(6.15.0-rc5-next-20250507-00002-g8be5012869c6-dirty)
[    1.644530] MSR:  8000000002029033 <SF,VEC,EE,ME,IR,DR,RI,LE>  CR: 
28000282  XER: 0000000f
[    1.644544] CFAR: c000000002064ec8 IRQMASK: 0
[    1.644544] GPR00: c0000000020646b4 c000000a03757c00 c000000001dc8100 
0000000000000001
[    1.644544] GPR04: 0000000000000961 c0000009e94dd5c0 c000000a0d348000 
0000000000000960
[    1.644544] GPR08: 00000009e7270000 0000000000000000 0000000000000000 
c0000013fb400000
[    1.644544] GPR12: c0000013fc9fffa8 c000000017ffcb00 c0000000000113d8 
0000000000000000
[    1.644544] GPR16: 0000000000000000 0000000000000000 0000000000000000 
0000000000000000
[    1.644544] GPR20: 0000000000000000 0000000000000000 0000000000000000 
0000000000000000
[    1.644544] GPR24: 0000000000000000 0000000000000000 c0000000020b19a8 
0000000000000006
[    1.644544] GPR28: 0000000000000000 c0000000020b1960 c000000a05490a00 
c000000002064698
[    1.644600] NIP [c0000000020646c0] chacha20poly1305_init+0x28/0x50
[    1.644607] LR [c0000000020646b4] chacha20poly1305_init+0x1c/0x50
[    1.644612] Call Trace:
[    1.644615] [c000000a03757c00] [c0000000020646b4] 
chacha20poly1305_init+0x1c/0x50 (unreliable)
[    1.644624] [c000000a03757c20] [c000000000010d1c] 
do_one_initcall+0x5c/0x37c
[    1.644631] [c000000a03757d00] [c000000002005394] 
do_initcalls+0x144/0x18c
[    1.644638] [c000000a03757d90] [c000000002005688] 
kernel_init_freeable+0x214/0x288
[    1.644645] [c000000a03757df0] [c0000000000113fc] kernel_init+0x2c/0x1b0
[    1.644651] [c000000a03757e50] [c00000000000df5c] 
ret_from_kernel_user_thread+0x14/0x1c
[    1.644657] ---- interrupt: 0 at 0x0
[    1.644661] Code: 7c0803a6 4e800020 3c4cffd6 38423a68 60000000 
7c0802a6 f8010010 f821ffe1 4800028d 60000000 68630001 5463063e 
<0b030000> 2c030000 4082000c 38600000
[    1.644681] ---[ end trace 0000000000000000 ]---


If you are planning to fix this in seperate patch, please add below tag.


Reported-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>


Regards,

Venkat.

Re: [PATCH] crypto: powerpc/poly1305 - Add missing poly1305_emit_arch

[Herbert Xu]

On Thu, May 08, 2025 at 02:46:06PM +0530, Venkat Rao Bagalkote wrote:
>
> I tested this patch by applying on next-20250507, though it fixes the build
> issue, it has introduced a boot warning.
> 
> 
> Warning:

Can you post the complete boot up messages please?

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] crypto: powerpc/poly1305 - Add missing poly1305_emit_arch

[Herbert Xu]

On Thu, May 08, 2025 at 02:46:06PM +0530, Venkat Rao Bagalkote wrote:
>
> I tested this patch by applying on next-20250507, though it fixes the build
> issue, it has introduced a boot warning.

Looking at the history of this code it was never used as lib/crypto
prior to commit 378a337ab40f88d63ba71d68ff578ead7f5ac8f1.  So either
this code simply doesn't work as lib/crypto for some reason, or my
subsequent blockhash change broke it.

Could you please revert back to commit 378a337ab40f and see if the
lib/crypto chacha20poly1305 self-test passes with that?

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] crypto: powerpc/poly1305 - Add missing poly1305_emit_arch

[Herbert Xu]

On Thu, May 08, 2025 at 02:46:06PM +0530, Venkat Rao Bagalkote wrote:
>
> Warning:

Please also run the Crypto API self-tests for chacha20poly1305.
If you have built it as a module, then load it with

modprobe chacha20poly1305

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] crypto: powerpc/poly1305 - Add missing poly1305_emit_arch

[Venkat Rao Bagalkote]

[-- Attachment #1: Type: text/plain, Size: 379 bytes --]


On 08/05/25 3:01 pm, Herbert Xu wrote:
> On Thu, May 08, 2025 at 02:46:06PM +0530, Venkat Rao Bagalkote wrote:
>> I tested this patch by applying on next-20250507, though it fixes the build
>> issue, it has introduced a boot warning.
>>
>>
>> Warning:
> Can you post the complete boot up messages please?


Attached is the complete boot up logs.


Regards,

Venkat.

>
> Thanks,

[-- Attachment #2: powerpc_poly1305_bootup_logs.txt --]
[-- Type: text/plain, Size: 90010 bytes --]

Booting Linux via __start() @ 0x000000000a6e0000 ...
[    0.000000] crashkernel reserved: 0x0000000018000000 - 0x0000000098000000 (2048 MB)
[    0.000000] hash-mmu: Page sizes from device-tree:
[    0.000000] hash-mmu: base_shift=12: shift=12, sllp=0x0000, avpnm=0x00000000, tlbiel=1, penc=0
[    0.000000] hash-mmu: base_shift=12: shift=16, sllp=0x0000, avpnm=0x00000000, tlbiel=1, penc=7
[    0.000000] hash-mmu: base_shift=12: shift=24, sllp=0x0000, avpnm=0x00000000, tlbiel=1, penc=56
[    0.000000] hash-mmu: base_shift=16: shift=16, sllp=0x0110, avpnm=0x00000000, tlbiel=1, penc=1
[    0.000000] hash-mmu: base_shift=16: shift=24, sllp=0x0110, avpnm=0x00000000, tlbiel=1, penc=8
[    0.000000] hash-mmu: base_shift=24: shift=24, sllp=0x0100, avpnm=0x00000001, tlbiel=0, penc=0
[    0.000000] hash-mmu: base_shift=34: shift=34, sllp=0x0120, avpnm=0x000007ff, tlbiel=0, penc=3
[    0.000000] fadump: WARNING: Could not setup area to pass additional parameters!
[    0.000000] Enabling pkeys with max key count 31
[    0.000000] Activating Kernel Userspace Access Prevention
[    0.000000] Activating Kernel Userspace Execution Prevention
[    0.000000] Using 1TB segments
[    0.000000] hash-mmu: Initializing hash mmu with SLB
[    0.000000] Linux version 6.15.0-rc5-next-20250507-00002-g8be5012869c6-dirty (root@ltc-zzci-3.ltc.tadn.ibm.com) (gcc (GCC) 14.2.1 20250110 (Red Hat 14.2.1-7), GNU ld version 2.41-53.el10) #1 SMP Tue Jun  3 20:47:43 CDT 2025
[    0.000000] OF: reserved mem: Reserved memory: No reserved-memory node in the DT
[    0.000000] Found initrd at 0xc00000000d800000:0xc00000001177fd75
[    0.000000] Hardware name: IBM,8375-42A POWER9 (architected) 0x4e0202 0xf000005 of:IBM,FW950.80 (VL950_131) hv:phyp pSeries
[    0.000000] printk: legacy bootconsole [udbg0] enabled
[    0.000000] Partition configured for 1024 cpus.
[    0.000000] CPU maps initialized for 8 threads per core
[    0.000000] numa: Partition configured for 32 NUMA nodes.
[    0.000000] -----------------------------------------------------
[    0.000000] phys_mem_size     = 0x1400000000
[    0.000000] dcache_bsize      = 0x80
[    0.000000] icache_bsize      = 0x80
[    0.000000] cpu_features      = 0x0001c07b8f5f9187
[    0.000000]   possible        = 0x003ffbfbcf5fb187
[    0.000000]   always          = 0x0000000380008181
[    0.000000] cpu_user_features = 0xdc0065c2 0xeff00000
[    0.000000] mmu_features      = 0xfc006e01
[    0.000000] firmware_features = 0x0000109fc45bfc57
[    0.000000] vmalloc start     = 0xc008000000000000
[    0.000000] IO start          = 0xc00a000000000000
[    0.000000] vmemmap start     = 0xc00c000000000000
[    0.000000] hash-mmu: ppc64_pft_size    = 0x1e
[    0.000000] hash-mmu: htab_hash_mask    = 0x7fffff
[    0.000000] -----------------------------------------------------
[    0.000000] NODE_DATA(0) allocated [mem 0x9fc0f8800-0x9fc0fffff]
[    0.000000] NODE_DATA(1) allocated [mem 0x13ffea8800-0x13ffeaffff]
[    0.000000] rfi-flush: fallback displacement flush available
[    0.000000] rfi-flush: mttrig type flush available
[    0.000000] count-cache-flush: flush disabled.
[    0.000000] link-stack-flush: software flush enabled.
[    0.000000] stf-barrier: eieio barrier available
[    0.000000] lpar: H_BLOCK_REMOVE supports base psize:0 psize:0 block size:8
[    0.000000] lpar: H_BLOCK_REMOVE supports base psize:0 psize:2 block size:8
[    0.000000] lpar: H_BLOCK_REMOVE supports base psize:0 psize:10 block size:8
[    0.000000] lpar: H_BLOCK_REMOVE supports base psize:2 psize:2 block size:8
[    0.000000] lpar: H_BLOCK_REMOVE supports base psize:2 psize:10 block size:8
[    0.000000] PPC64 nvram contains 15360 bytes
[    0.000000] barrier-nospec: using ORI speculation barrier
[    0.000000] Zone ranges:
[    0.000000]   Normal   [mem 0x0000000000000000-0x00000013ffffffff]
[    0.000000]   Device   empty
[    0.000000] Movable zone start for each node
[    0.000000] Early memory node ranges
[    0.000000]   node   0: [mem 0x0000000000000000-0x00000009ffffffff]
[    0.000000]   node   1: [mem 0x0000000a00000000-0x00000013ffffffff]
[    0.000000] Initmem setup node 0 [mem 0x0000000000000000-0x00000009ffffffff]
[    0.000000] Initmem setup node 1 [mem 0x0000000a00000000-0x00000013ffffffff]
[    0.000000] Initmem setup node 2 as memoryless
[    0.000000] Initmem setup node 3 as memoryless
[    0.000000] Initmem setup node 4 as memoryless
[    0.000000] Initmem setup node 5 as memoryless
[    0.000000] Initmem setup node 6 as memoryless
[    0.000000] Initmem setup node 7 as memoryless
[    0.000000] Initmem setup node 8 as memoryless
[    0.000000] Initmem setup node 9 as memoryless
[    0.000000] Initmem setup node 10 as memoryless
[    0.000000] Initmem setup node 11 as memoryless
[    0.000000] Initmem setup node 12 as memoryless
[    0.000000] Initmem setup node 13 as memoryless
[    0.000000] Initmem setup node 14 as memoryless
[    0.000000] Initmem setup node 15 as memoryless
[    0.000000] Initmem setup node 16 as memoryless
[    0.000000] Initmem setup node 17 as memoryless
[    0.000000] Initmem setup node 18 as memoryless
[    0.000000] Initmem setup node 19 as memoryless
[    0.000000] Initmem setup node 20 as memoryless
[    0.000000] Initmem setup node 21 as memoryless
[    0.000000] Initmem setup node 22 as memoryless
[    0.000000] Initmem setup node 23 as memoryless
[    0.000000] Initmem setup node 24 as memoryless
[    0.000000] Initmem setup node 25 as memoryless
[    0.000000] Initmem setup node 26 as memoryless
[    0.000000] Initmem setup node 27 as memoryless
[    0.000000] Initmem setup node 28 as memoryless
[    0.000000] Initmem setup node 29 as memoryless
[    0.000000] Initmem setup node 30 as memoryless
[    0.000000] Initmem setup node 31 as memoryless
[    0.000000] percpu: Embedded 3 pages/cpu s119832 r0 d76776 u262144
[    0.000000] Kernel command line: BOOT_IMAGE=(ieee1275//vdevice/v-scsi@30000067/disk@8100000000000000,msdos9)/boot/vmlinuz-6.15.0-rc5-next-20250507-00002-g8be5012869c6-dirty root=UUID=a4ffacf6-03ad-45c0-80c6-cbfaeedef279 ro crashkernel=2G-4G:384M,4G-16G:512M,16G-64G:1G,64G-128G:2G,128G-:4G
[    0.000000] Unknown kernel command line parameters "BOOT_IMAGE=(ieee1275//vdevice/v-scsi@30000067/disk@8100000000000000,msdos9)/boot/vmlinuz-6.15.0-rc5-next-20250507-00002-g8be5012869c6-dirty", will be passed to user space.
[    0.000000] random: crng init done
[    0.000000] printk: log_buf_len individual max cpu contribution: 4096 bytes
[    0.000000] printk: log_buf_len total cpu_extra contributions: 4190208 bytes
[    0.000000] printk: log_buf_len min size: 1048576 bytes
[    0.000000] printk: log buffer data + meta data: 8388608 + 29360128 = 37748736 bytes
[    0.000000] printk: early log buf free: 1032544(98%)
[    0.000000] Fallback order for Node 0: 0 1 
[    0.000000] Fallback order for Node 1: 1 0 
[    0.000000] Fallback order for Node 2: 0 1 
[    0.000000] Fallback order for Node 3: 0 1 
[    0.000000] Fallback order for Node 4: 0 1 
[    0.000000] Fallback order for Node 5: 0 1 
[    0.000000] Fallback order for Node 6: 0 1 
[    0.000000] Fallback order for Node 7: 0 1 
[    0.000000] Fallback order for Node 8: 0 1 
[    0.000000] Fallback order for Node 9: 0 1 
[    0.000000] Fallback order for Node 10: 0 1 
[    0.000000] Fallback order for Node 11: 0 1 
[    0.000000] Fallback order for Node 12: 0 1 
[    0.000000] Fallback order for Node 13: 0 1 
[    0.000000] Fallback order for Node 14: 0 1 
[    0.000000] Fallback order for Node 15: 0 1 
[    0.000000] Fallback order for Node 16: 0 1 
[    0.000000] Fallback order for Node 17: 0 1 
[    0.000000] Fallback order for Node 18: 0 1 
[    0.000000] Fallback order for Node 19: 0 1 
[    0.000000] Fallback order for Node 20: 0 1 
[    0.000000] Fallback order for Node 21: 0 1 
[    0.000000] Fallback order for Node 22: 0 1 
[    0.000000] Fallback order for Node 23: 0 1 
[    0.000000] Fallback order for Node 24: 0 1 
[    0.000000] Fallback order for Node 25: 0 1 
[    0.000000] Fallback order for Node 26: 0 1 
[    0.000000] Fallback order for Node 27: 0 1 
[    0.000000] Fallback order for Node 28: 0 1 
[    0.000000] Fallback order for Node 29: 0 1 
[    0.000000] Fallback order for Node 30: 0 1 
[    0.000000] Fallback order for Node 31: 0 1 
[    0.000000] Built 2 zonelists, mobility grouping on.  Total pages: 1310720
[    0.000000] Policy zone: Normal
[    0.000000] mem auto-init: stack:off, heap alloc:off, heap free:off
[    0.000000] SLUB: HWalign=128, Order=0-3, MinObjects=0, CPUs=1024, Nodes=32
[    0.000000] ftrace: allocating 46901 entries in 18 pages
[    0.000000] ftrace: allocated 18 pages with 2 groups
[    0.000000] rcu: Hierarchical RCU implementation.
[    0.000000] rcu: 	RCU restricting CPUs from NR_CPUS=8192 to nr_cpu_ids=1024.
[    0.000000] 	Rude variant of Tasks RCU enabled.
[    0.000000] 	Tracing variant of Tasks RCU enabled.
[    0.000000] rcu: RCU calculated value of scheduler-enlistment delay is 15 jiffies.
[    0.000000] rcu: Adjusting geometry for rcu_fanout_leaf=16, nr_cpu_ids=1024
[    0.000000] RCU Tasks Rude: Setting shift to 10 and lim to 1 rcu_task_cb_adjust=1 rcu_task_cpu_ids=1024.
[    0.000000] RCU Tasks Trace: Setting shift to 10 and lim to 1 rcu_task_cb_adjust=1 rcu_task_cpu_ids=1024.
[    0.000000] NR_IRQS: 512, nr_irqs: 512, preallocated irqs: 16
[    0.000000] rcu: srcu_init: Setting srcu_struct sizes to big.
[    0.000002] time_init: 56 bit decrementer (max: 7fffffffffffff)
[    0.000041] clocksource: timebase: mask: 0xffffffffffffffff max_cycles: 0x761537d007, max_idle_ns: 440795202126 ns
[    0.000108] clocksource: timebase mult[1f40000] shift[24] registered
[    0.001743] Console: colour dummy device 80x25
[    0.001778] printk: legacy console [hvc0] enabled
[    0.001778] printk: legacy console [hvc0] enabled
[    0.001813] printk: legacy bootconsole [udbg0] disabled
[    0.001813] printk: legacy bootconsole [udbg0] disabled
[    0.002360] mempolicy: Enabling automatic NUMA balancing. Configure with numa_balancing= or the kernel.numa_balancing sysctl
[    0.002389] pid_max: default: 1048576 minimum: 8192
[    0.003249] LSM: initializing lsm=lockdown,capability,yama,selinux,bpf,ima,evm
[    0.003589] Yama: becoming mindful.
[    0.003615] SELinux:  Initializing.
[    0.007111] LSM support for eBPF active
[    0.012090] Dentry cache hash table entries: 8388608 (order: 10, 67108864 bytes, vmalloc)
[    0.014367] Inode-cache hash table entries: 4194304 (order: 9, 33554432 bytes, vmalloc)
[    0.014616] Mount-cache hash table entries: 131072 (order: 4, 1048576 bytes, vmalloc)
[    0.014692] Mountpoint-cache hash table entries: 131072 (order: 4, 1048576 bytes, vmalloc)
[    0.041578] POWER9 performance monitor hardware support registered
[    0.041706] rcu: Hierarchical SRCU implementation.
[    0.041710] rcu: 	Max phase no-delay instances is 1000.
[    0.041810] Timer migration: 4 hierarchy levels; 8 children per group; 2 crossnode level
[    0.048974] smp: Bringing up secondary CPUs ...
[    0.712970] smp: Brought up 2 nodes, 32 CPUs
[    0.712987] numa: Node 0 CPUs: 0-7 16-23
[    0.713001] numa: Node 1 CPUs: 8-15 24-31
[    0.713034] Big cores detected but using small core scheduling
[    0.737492] Memory: 80966784K/83886080K available (19520K kernel code, 6400K rwdata, 13248K rodata, 6912K init, 2851K bss, 2703232K reserved, 0K cma-reserved)
[    0.738509] devtmpfs: initialized
[    0.749575] PCI host bridge /pci@800000020000021  ranges:
[    0.749586]  MEM 0x0000040080000000..0x00000400feffffff -> 0x0000000080000000 
[    0.749593]  MEM 0x0000044000000000..0x0000047fffffffff -> 0x0006204000000000 
[    0.749622] PCI host bridge /pci@80000002000001a  ranges:
[    0.749629]  MEM 0x0000040020000000..0x000004003fffffff -> 0x0000000080000000 
[    0.749635]  MEM 0x0000041000000000..0x00000417ffffffff -> 0x0006024000000000 
[    0.749659] PCI host bridge /pci@800000020000014  ranges:
[    0.749666]  MEM 0x0000040000000000..0x000004001fffffff -> 0x00000000c0000000 
[    0.749672]  MEM 0x0000040800000000..0x0000040fffffffff -> 0x0006005000000000 
[    0.750126] clocksource: jiffies: mask: 0xffffffff max_cycles: 0xffffffff, max_idle_ns: 19112604462750000 ns
[    0.750195] posixtimers hash table entries: 524288 (order: 7, 8388608 bytes, vmalloc)
[    0.751096] futex hash table entries: 262144 (order: 9, 33554432 bytes, vmalloc)
[    0.761887] NET: Registered PF_NETLINK/PF_ROUTE protocol family
[    0.762198] audit: initializing netlink subsys (disabled)
[    0.762370] audit: type=2000 audit(1749002017.760:1): state=initialized audit_enabled=0 res=1
[    0.762616] thermal_sys: Registered thermal governor 'fair_share'
[    0.762619] thermal_sys: Registered thermal governor 'step_wise'
[    0.762703] cpuidle: using governor menu
[    0.765035] pstore: Using crash dump compression: deflate
[    0.765039] pstore: Registered nvram as persistent store backend
[    0.765796] EEH: pSeries platform initialized
[    0.767483] plpks: POWER LPAR Platform KeyStore is not supported or enabled
[    0.796803] kprobes: kprobe jump-optimization is enabled. All kprobes are optimized if possible.
[    0.800644] HugeTLB: allocation took 0ms with hugepage_allocation_threads=8
[    0.800817] HugeTLB: registered 16.0 MiB page size, pre-allocated 0 pages
[    0.800824] HugeTLB: 0 KiB vmemmap can be freed for a 16.0 MiB page
[    0.800831] HugeTLB: registered 16.0 GiB page size, pre-allocated 0 pages
[    0.800837] HugeTLB: 0 KiB vmemmap can be freed for a 16.0 GiB page
[    0.805668] iommu: Default domain type: Translated
[    0.805676] iommu: DMA domain TLB invalidation policy: strict mode
[    0.806055] SCSI subsystem initialized
[    0.806101] usbcore: registered new interface driver usbfs
[    0.806113] usbcore: registered new interface driver hub
[    0.806367] usbcore: registered new device driver usb
[    0.806406] pps_core: LinuxPPS API ver. 1 registered
[    0.806410] pps_core: Software ver. 5.3.6 - Copyright 2005-2007 Rodolfo Giometti <giometti@linux.it>
[    0.806417] PTP clock support registered
[    0.807445] EDAC MC: Ver: 3.0.0
[    0.808904] NetLabel: Initializing
[    0.808908] NetLabel:  domain hash size = 128
[    0.808912] NetLabel:  protocols = UNLABELED CIPSOv4 CALIPSO
[    0.808929] NetLabel:  unlabeled traffic allowed by default
[    0.808946] PCI: Probing PCI hardware
[    0.809110] PCI host bridge to bus 0021:01
[    0.809115] pci_bus 0021:01: root bus resource [mem 0x40080000000-0x400feffffff] (bus address [0x80000000-0xfeffffff])
[    0.809123] pci_bus 0021:01: root bus resource [mem 0x44000000000-0x47fffffffff 64bit] (bus address [0x6204000000000-0x6207fffffffff])
[    0.809130] pci_bus 0021:01: root bus resource [bus 01-ff]
[    0.810581] pci 0021:01:00.0: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    0.813978] pci 0021:01:00.0: PME# supported from D0 D3hot D3cold
[    0.820134] pci 0021:01:00.1: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    0.823068] pci 0021:01:00.1: PME# supported from D0 D3hot D3cold
[    0.828142] pci 0021:01:00.2: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    0.831055] pci 0021:01:00.2: PME# supported from D0 D3hot D3cold
[    0.836126] pci 0021:01:00.3: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    0.839041] pci 0021:01:00.3: PME# supported from D0 D3hot D3cold
[    0.851284] IOMMU table initialized, virtual merging enabled
[    0.851476] PCI host bridge to bus 001a:50
[    0.851481] pci_bus 001a:50: root bus resource [mem 0x40020000000-0x4003fffffff] (bus address [0x80000000-0x9fffffff])
[    0.851488] pci_bus 001a:50: root bus resource [mem 0x41000000000-0x417ffffffff 64bit] (bus address [0x6024000000000-0x60247ffffffff])
[    0.851495] pci_bus 001a:50: root bus resource [bus 50-ff]
[    0.852298] pci 001a:50:00.0: enabling Extended Tags
[    0.853317] pci 001a:50:00.0: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    0.876597] pci 001a:50:00.0: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    0.877366] pci 001a:50:00.1: enabling Extended Tags
[    0.878186] pci 001a:50:00.1: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    0.900119] pci 001a:50:00.1: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    0.900883] pci 001a:50:00.2: enabling Extended Tags
[    0.901706] pci 001a:50:00.2: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    0.913802] pci 001a:50:00.2: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    0.914568] pci 001a:50:00.3: enabling Extended Tags
[    0.915387] pci 001a:50:00.3: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    0.927470] pci 001a:50:00.3: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    0.928239] pci 001a:50:00.4: enabling Extended Tags
[    0.929057] pci 001a:50:00.4: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    0.941169] pci 001a:50:00.4: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    0.941937] pci 001a:50:00.5: enabling Extended Tags
[    0.942755] pci 001a:50:00.5: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    0.954860] pci 001a:50:00.5: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    0.964141] PCI host bridge to bus 0014:70
[    0.964146] pci_bus 0014:70: root bus resource [mem 0x40000000000-0x4001fffffff] (bus address [0xc0000000-0xdfffffff])
[    0.964153] pci_bus 0014:70: root bus resource [mem 0x40800000000-0x40fffffffff 64bit] (bus address [0x6005000000000-0x60057ffffffff])
[    0.964160] pci_bus 0014:70: root bus resource [bus 70-ff]
[    0.964928] pci 0014:70:00.0: enabling Extended Tags
[    0.965936] pci 0014:70:00.0: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    0.977400] pci 0014:70:00.0: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    0.978163] pci 0014:70:00.1: enabling Extended Tags
[    0.978984] pci 0014:70:00.1: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    0.989074] pci 0014:70:00.1: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    0.989835] pci 0014:70:00.2: enabling Extended Tags
[    0.990654] pci 0014:70:00.2: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    1.000747] pci 0014:70:00.2: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    1.001510] pci 0014:70:00.3: enabling Extended Tags
[    1.002334] pci 0014:70:00.3: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    1.012421] pci 0014:70:00.3: No hypervisor support for SR-IOV on this device, IOV BARs disabled.
[    1.022892] pci_bus 0021:01: resource 4 [mem 0x40080000000-0x400feffffff]
[    1.022898] pci_bus 0021:01: resource 5 [mem 0x44000000000-0x47fffffffff 64bit]
[    1.022905] pci_bus 001a:50: resource 4 [mem 0x40020000000-0x4003fffffff]
[    1.022909] pci_bus 001a:50: resource 5 [mem 0x41000000000-0x417ffffffff 64bit]
[    1.022915] pci_bus 0014:70: resource 4 [mem 0x40000000000-0x4001fffffff]
[    1.022919] pci_bus 0014:70: resource 5 [mem 0x40800000000-0x40fffffffff 64bit]
[    1.023008] pci 0021:01:00.0: ibm,query-pe-dma-windows(53) 10000 8000000 20000021 returned 0, lb=1000000 ps=3 wn=1
[    1.023021] pci 0021:01:00.0: Adding to iommu group 0
[    1.025535] pci 0021:01:00.1: Adding to iommu group 0
[    1.027980] pci 0021:01:00.2: Adding to iommu group 0
[    1.030410] pci 0021:01:00.3: Adding to iommu group 0
[    1.032925] pci 001a:50:00.0: ibm,query-pe-dma-windows(53) 500000 8000000 2000001a returned 0, lb=1000000 ps=3 wn=1
[    1.032938] pci 001a:50:00.0: Adding to iommu group 1
[    1.032993] pci 001a:50:00.0: of_irq_parse_pci: no interrupt-map found, INTx interrupts not available
[    1.032998] PCI: OF: of_irq_parse_pci: possibly some PCI slots don't have level triggered interrupts capability
[    1.035422] pci 001a:50:00.1: Adding to iommu group 1
[    1.035476] pci 001a:50:00.1: of_irq_parse_pci: no interrupt-map found, INTx interrupts not available
[    1.037699] pci 001a:50:00.2: Adding to iommu group 1
[    1.037753] pci 001a:50:00.2: of_irq_parse_pci: no interrupt-map found, INTx interrupts not available
[    1.039983] pci 001a:50:00.3: Adding to iommu group 1
[    1.040037] pci 001a:50:00.3: of_irq_parse_pci: no interrupt-map found, INTx interrupts not available
[    1.042270] pci 001a:50:00.4: Adding to iommu group 1
[    1.042324] pci 001a:50:00.4: of_irq_parse_pci: no interrupt-map found, INTx interrupts not available
[    1.044553] pci 001a:50:00.5: Adding to iommu group 1
[    1.044607] pci 001a:50:00.5: of_irq_parse_pci: no interrupt-map found, INTx interrupts not available
[    1.046900] pci 0014:70:00.0: ibm,query-pe-dma-windows(53) 700000 8000000 20000014 returned 0, lb=1000000 ps=3 wn=1
[    1.046914] pci 0014:70:00.0: Adding to iommu group 2
[    1.046969] pci 0014:70:00.0: of_irq_parse_pci: no interrupt-map found, INTx interrupts not available
[    1.049375] pci 0014:70:00.1: Adding to iommu group 2
[    1.049429] pci 0014:70:00.1: of_irq_parse_pci: no interrupt-map found, INTx interrupts not available
[    1.051646] pci 0014:70:00.2: Adding to iommu group 2
[    1.051700] pci 0014:70:00.2: of_irq_parse_pci: no interrupt-map found, INTx interrupts not available
[    1.053922] pci 0014:70:00.3: Adding to iommu group 2
[    1.053977] pci 0014:70:00.3: of_irq_parse_pci: no interrupt-map found, INTx interrupts not available
[    1.056189] EEH: Capable adapter found: recovery enabled.
[    1.056316] vgaarb: loaded
[    1.056863] clocksource: Switched to clocksource timebase
[    1.057898] VFS: Disk quotas dquot_6.6.0
[    1.057988] VFS: Dquot-cache hash table entries: 8192 (order 0, 65536 bytes)
[    1.061991] NET: Registered PF_INET protocol family
[    1.062213] IP idents hash table entries: 262144 (order: 5, 2097152 bytes, vmalloc)
[    1.078403] tcp_listen_portaddr_hash hash table entries: 65536 (order: 4, 1048576 bytes, vmalloc)
[    1.078549] Table-perturb hash table entries: 65536 (order: 2, 262144 bytes, vmalloc)
[    1.078647] TCP established hash table entries: 524288 (order: 6, 4194304 bytes, vmalloc)
[    1.079570] TCP bind hash table entries: 65536 (order: 5, 2097152 bytes, vmalloc)
[    1.079783] TCP: Hash tables configured (established 524288 bind 65536)
[    1.081825] MPTCP token hash table entries: 65536 (order: 4, 1572864 bytes, vmalloc)
[    1.081982] UDP hash table entries: 65536 (order: 6, 4194304 bytes, vmalloc)
[    1.082446] UDP-Lite hash table entries: 65536 (order: 6, 4194304 bytes, vmalloc)
[    1.084376] NET: Registered PF_UNIX/PF_LOCAL protocol family
[    1.084387] NET: Registered PF_XDP protocol family
[    1.085095] PCI: CLS 128 bytes, default 128
[    1.085161] Trying to unpack rootfs image as initramfs...
[    1.102297] vas: API is supported only with radix page tables
[    1.103376] hv-24x7: read 1530 catalog entries, created 509 event attrs (0 failures), 275 descs
[    1.126262] Initialise system trusted keyrings
[    1.126464] workingset: timestamp_bits=38 max_order=21 bucket_order=0
[    1.128261] cryptd: max_cpu_qlen set to 1000
[    1.141594] NET: Registered PF_ALG protocol family
[    1.141608] Key type asymmetric registered
[    1.141612] Asymmetric key parser 'x509' registered
[    1.637477] Freeing initrd memory: 64960K
[    1.641939] Block layer SCSI generic (bsg) driver version 0.4 loaded (major 244)
[    1.642335] io scheduler mq-deadline registered
[    1.642340] io scheduler kyber registered
[    1.642444] io scheduler bfq registered
[    1.643493] chacha20poly1305 encryption self-test 1: FAIL
[    1.643498] chacha20poly1305 encryption self-test 2: FAIL
[    1.643502] chacha20poly1305 encryption self-test 3: FAIL
[    1.643507] chacha20poly1305 encryption self-test 4: FAIL
[    1.643511] chacha20poly1305 encryption self-test 5: FAIL
[    1.643515] chacha20poly1305 encryption self-test 6: FAIL
[    1.643520] chacha20poly1305 encryption self-test 7: FAIL
[    1.643526] chacha20poly1305 encryption self-test 8: FAIL
[    1.643532] chacha20poly1305 encryption self-test 9: FAIL
[    1.643541] chacha20poly1305 encryption self-test 10: FAIL
[    1.643553] chacha20poly1305 encryption self-test 11: FAIL
[    1.643565] chacha20poly1305 encryption self-test 12: FAIL
[    1.643569] chacha20poly1305 encryption self-test 13: FAIL
[    1.643573] chacha20poly1305 encryption self-test 14: FAIL
[    1.643577] chacha20poly1305 encryption self-test 15: FAIL
[    1.643581] chacha20poly1305 encryption self-test 16: FAIL
[    1.643585] chacha20poly1305 encryption self-test 17: FAIL
[    1.643589] chacha20poly1305 encryption self-test 18: FAIL
[    1.643593] chacha20poly1305 encryption self-test 19: FAIL
[    1.643597] chacha20poly1305 encryption self-test 20: FAIL
[    1.643601] chacha20poly1305 encryption self-test 21: FAIL
[    1.643605] chacha20poly1305 encryption self-test 22: FAIL
[    1.643609] chacha20poly1305 encryption self-test 23: FAIL
[    1.643613] chacha20poly1305 encryption self-test 24: FAIL
[    1.643617] chacha20poly1305 encryption self-test 25: FAIL
[    1.643621] chacha20poly1305 encryption self-test 26: FAIL
[    1.643625] chacha20poly1305 encryption self-test 27: FAIL
[    1.643629] chacha20poly1305 encryption self-test 28: FAIL
[    1.643632] chacha20poly1305 encryption self-test 29: FAIL
[    1.643636] chacha20poly1305 encryption self-test 30: FAIL
[    1.643640] chacha20poly1305 encryption self-test 31: FAIL
[    1.643644] chacha20poly1305 encryption self-test 32: FAIL
[    1.643648] chacha20poly1305 encryption self-test 33: FAIL
[    1.643652] chacha20poly1305 encryption self-test 34: FAIL
[    1.643656] chacha20poly1305 encryption self-test 35: FAIL
[    1.643660] chacha20poly1305 encryption self-test 36: FAIL
[    1.643664] chacha20poly1305 encryption self-test 37: FAIL
[    1.643668] chacha20poly1305 encryption self-test 38: FAIL
[    1.643672] chacha20poly1305 encryption self-test 39: FAIL
[    1.643676] chacha20poly1305 encryption self-test 40: FAIL
[    1.643680] chacha20poly1305 encryption self-test 41: FAIL
[    1.643685] chacha20poly1305 encryption self-test 42: FAIL
[    1.643689] chacha20poly1305 encryption self-test 43: FAIL
[    1.643693] chacha20poly1305 encryption self-test 44: FAIL
[    1.643697] chacha20poly1305 encryption self-test 45: FAIL
[    1.643701] chacha20poly1305 encryption self-test 46: FAIL
[    1.643705] chacha20poly1305 encryption self-test 47: FAIL
[    1.643709] chacha20poly1305 encryption self-test 48: FAIL
[    1.643713] chacha20poly1305 encryption self-test 49: FAIL
[    1.643717] chacha20poly1305 encryption self-test 50: FAIL
[    1.643721] chacha20poly1305 encryption self-test 51: FAIL
[    1.643725] chacha20poly1305 encryption self-test 52: FAIL
[    1.643729] chacha20poly1305 encryption self-test 53: FAIL
[    1.643733] chacha20poly1305 encryption self-test 54: FAIL
[    1.643737] chacha20poly1305 encryption self-test 55: FAIL
[    1.643741] chacha20poly1305 encryption self-test 56: FAIL
[    1.643745] chacha20poly1305 encryption self-test 57: FAIL
[    1.643749] chacha20poly1305 encryption self-test 58: FAIL
[    1.643753] chacha20poly1305 encryption self-test 59: FAIL
[    1.643757] chacha20poly1305 encryption self-test 60: FAIL
[    1.643761] chacha20poly1305 encryption self-test 61: FAIL
[    1.643765] chacha20poly1305 encryption self-test 62: FAIL
[    1.643769] chacha20poly1305 encryption self-test 63: FAIL
[    1.643773] chacha20poly1305 encryption self-test 64: FAIL
[    1.643777] chacha20poly1305 encryption self-test 65: FAIL
[    1.643781] chacha20poly1305 encryption self-test 66: FAIL
[    1.643785] chacha20poly1305 encryption self-test 67: FAIL
[    1.643789] chacha20poly1305 encryption self-test 68: FAIL
[    1.643793] chacha20poly1305 encryption self-test 69: FAIL
[    1.643797] chacha20poly1305 encryption self-test 70: FAIL
[    1.643801] chacha20poly1305 encryption self-test 71: FAIL
[    1.643805] chacha20poly1305 encryption self-test 72: FAIL
[    1.643810] chacha20poly1305 encryption self-test 73: FAIL
[    1.643814] chacha20poly1305 encryption self-test 74: FAIL
[    1.643818] chacha20poly1305 encryption self-test 75: FAIL
[    1.643823] chacha20poly1305 encryption self-test 76: FAIL
[    1.643827] chacha20poly1305 encryption self-test 77: FAIL
[    1.643831] chacha20poly1305 encryption self-test 78: FAIL
[    1.643836] chacha20poly1305 encryption self-test 79: FAIL
[    1.643841] chacha20poly1305 encryption self-test 80: FAIL
[    1.643845] chacha20poly1305 encryption self-test 81: FAIL
[    1.643849] chacha20poly1305 encryption self-test 82: FAIL
[    1.643853] chacha20poly1305 encryption self-test 83: FAIL
[    1.643858] chacha20poly1305 encryption self-test 84: FAIL
[    1.643862] chacha20poly1305 encryption self-test 85: FAIL
[    1.643866] chacha20poly1305 encryption self-test 86: FAIL
[    1.643870] chacha20poly1305 encryption self-test 88: FAIL
[    1.643874] chacha20poly1305 encryption self-test 89: FAIL
[    1.643878] chacha20poly1305 encryption self-test 90: FAIL
[    1.643882] chacha20poly1305 encryption self-test 91: FAIL
[    1.643887] chacha20poly1305 encryption self-test 92: FAIL
[    1.643891] chacha20poly1305 encryption self-test 93: FAIL
[    1.643895] chacha20poly1305 encryption self-test 94: FAIL
[    1.643899] chacha20poly1305 encryption self-test 95: FAIL
[    1.643903] chacha20poly1305 encryption self-test 96: FAIL
[    1.643908] chacha20poly1305 encryption self-test 97: FAIL
[    1.643912] chacha20poly1305 encryption self-test 98: FAIL
[    1.643916] chacha20poly1305 encryption self-test 99: FAIL
[    1.643920] chacha20poly1305 encryption self-test 100: FAIL
[    1.643925] chacha20poly1305 encryption self-test 101: FAIL
[    1.643929] chacha20poly1305 encryption self-test 102: FAIL
[    1.643933] chacha20poly1305 encryption self-test 103: FAIL
[    1.643937] chacha20poly1305 encryption self-test 104: FAIL
[    1.643941] chacha20poly1305 encryption self-test 105: FAIL
[    1.643945] chacha20poly1305 encryption self-test 106: FAIL
[    1.643950] chacha20poly1305 encryption self-test 107: FAIL
[    1.643954] chacha20poly1305 encryption self-test 108: FAIL
[    1.643958] chacha20poly1305 encryption self-test 109: FAIL
[    1.643963] chacha20poly1305 encryption self-test 110: FAIL
[    1.643967] chacha20poly1305 encryption self-test 111: FAIL
[    1.643971] chacha20poly1305 encryption self-test 112: FAIL
[    1.643975] chacha20poly1305 encryption self-test 113: FAIL
[    1.643980] chacha20poly1305 encryption self-test 114: FAIL
[    1.643984] chacha20poly1305 encryption self-test 115: FAIL
[    1.643988] chacha20poly1305 encryption self-test 116: FAIL
[    1.643992] chacha20poly1305 encryption self-test 117: FAIL
[    1.643997] chacha20poly1305 encryption self-test 118: FAIL
[    1.644003] chacha20poly1305 sg encryption self-test 1: FAIL
[    1.644008] chacha20poly1305 sg encryption self-test 2: FAIL
[    1.644012] chacha20poly1305 sg encryption self-test 3: FAIL
[    1.644016] chacha20poly1305 sg encryption self-test 4: FAIL
[    1.644020] chacha20poly1305 sg encryption self-test 5: FAIL
[    1.644025] chacha20poly1305 sg encryption self-test 6: FAIL
[    1.644030] chacha20poly1305 sg encryption self-test 7: FAIL
[    1.644036] chacha20poly1305 sg encryption self-test 8: FAIL
[    1.644042] chacha20poly1305 sg encryption self-test 9: FAIL
[    1.644050] chacha20poly1305 sg encryption self-test 10: FAIL
[    1.644062] chacha20poly1305 sg encryption self-test 11: FAIL
[    1.644074] chacha20poly1305 sg encryption self-test 12: FAIL
[    1.644078] chacha20poly1305 sg encryption self-test 53: FAIL
[    1.644082] chacha20poly1305 sg encryption self-test 54: FAIL
[    1.644087] chacha20poly1305 sg encryption self-test 55: FAIL
[    1.644091] chacha20poly1305 sg encryption self-test 56: FAIL
[    1.644095] chacha20poly1305 sg encryption self-test 57: FAIL
[    1.644099] chacha20poly1305 sg encryption self-test 58: FAIL
[    1.644103] chacha20poly1305 sg encryption self-test 59: FAIL
[    1.644107] chacha20poly1305 sg encryption self-test 60: FAIL
[    1.644112] chacha20poly1305 sg encryption self-test 61: FAIL
[    1.644116] chacha20poly1305 sg encryption self-test 62: FAIL
[    1.644120] chacha20poly1305 sg encryption self-test 63: FAIL
[    1.644124] chacha20poly1305 sg encryption self-test 64: FAIL
[    1.644128] chacha20poly1305 sg encryption self-test 65: FAIL
[    1.644132] chacha20poly1305 sg encryption self-test 66: FAIL
[    1.644137] chacha20poly1305 sg encryption self-test 67: FAIL
[    1.644141] chacha20poly1305 sg encryption self-test 68: FAIL
[    1.644145] chacha20poly1305 sg encryption self-test 69: FAIL
[    1.644149] chacha20poly1305 sg encryption self-test 70: FAIL
[    1.644153] chacha20poly1305 sg encryption self-test 71: FAIL
[    1.644158] chacha20poly1305 sg encryption self-test 72: FAIL
[    1.644162] chacha20poly1305 sg encryption self-test 73: FAIL
[    1.644167] chacha20poly1305 sg encryption self-test 76: FAIL
[    1.644171] chacha20poly1305 sg encryption self-test 77: FAIL
[    1.644176] chacha20poly1305 sg encryption self-test 78: FAIL
[    1.644180] chacha20poly1305 sg encryption self-test 79: FAIL
[    1.644185] chacha20poly1305 sg encryption self-test 80: FAIL
[    1.644189] chacha20poly1305 sg encryption self-test 81: FAIL
[    1.644194] chacha20poly1305 sg encryption self-test 82: FAIL
[    1.644198] chacha20poly1305 sg encryption self-test 83: FAIL
[    1.644203] chacha20poly1305 sg encryption self-test 84: FAIL
[    1.644207] chacha20poly1305 sg encryption self-test 85: FAIL
[    1.644212] chacha20poly1305 sg encryption self-test 93: FAIL
[    1.644216] chacha20poly1305 sg encryption self-test 94: FAIL
[    1.644221] chacha20poly1305 sg encryption self-test 95: FAIL
[    1.644225] chacha20poly1305 sg encryption self-test 96: FAIL
[    1.644229] chacha20poly1305 sg encryption self-test 97: FAIL
[    1.644234] chacha20poly1305 sg encryption self-test 98: FAIL
[    1.644238] chacha20poly1305 sg encryption self-test 99: FAIL
[    1.644242] chacha20poly1305 sg encryption self-test 100: FAIL
[    1.644247] chacha20poly1305 sg encryption self-test 101: FAIL
[    1.644251] chacha20poly1305 sg encryption self-test 102: FAIL
[    1.644256] chacha20poly1305 sg encryption self-test 103: FAIL
[    1.644261] chacha20poly1305 sg encryption self-test 104: FAIL
[    1.644265] chacha20poly1305 sg encryption self-test 105: FAIL
[    1.644270] chacha20poly1305 sg encryption self-test 106: FAIL
[    1.644274] chacha20poly1305 sg encryption self-test 107: FAIL
[    1.644278] chacha20poly1305 sg encryption self-test 108: FAIL
[    1.644283] chacha20poly1305 sg encryption self-test 109: FAIL
[    1.644287] chacha20poly1305 sg encryption self-test 110: FAIL
[    1.644292] chacha20poly1305 sg encryption self-test 111: FAIL
[    1.644296] chacha20poly1305 sg encryption self-test 112: FAIL
[    1.644300] chacha20poly1305 sg encryption self-test 113: FAIL
[    1.644305] chacha20poly1305 sg encryption self-test 114: FAIL
[    1.644309] chacha20poly1305 sg encryption self-test 115: FAIL
[    1.644314] chacha20poly1305 sg encryption self-test 116: FAIL
[    1.644318] chacha20poly1305 sg encryption self-test 117: FAIL
[    1.644323] chacha20poly1305 sg encryption self-test 118: FAIL
[    1.644328] chacha20poly1305 decryption self-test 1: FAIL
[    1.644332] chacha20poly1305 decryption self-test 2: FAIL
[    1.644335] chacha20poly1305 decryption self-test 3: FAIL
[    1.644339] chacha20poly1305 decryption self-test 4: FAIL
[    1.644343] chacha20poly1305 decryption self-test 5: FAIL
[    1.644347] chacha20poly1305 decryption self-test 6: FAIL
[    1.644351] chacha20poly1305 decryption self-test 7: FAIL
[    1.644355] chacha20poly1305 decryption self-test 8: FAIL
[    1.644360] chacha20poly1305 decryption self-test 9: FAIL
[    1.644365] chacha20poly1305 decryption self-test 10: FAIL
[    1.644371] chacha20poly1305 decryption self-test 11: FAIL
[    1.644377] chacha20poly1305 decryption self-test 12: FAIL
[    1.644385] chacha20poly1305 sg decryption self-test 1: FAIL
[    1.644389] chacha20poly1305 sg decryption self-test 2: FAIL
[    1.644393] chacha20poly1305 sg decryption self-test 3: FAIL
[    1.644398] chacha20poly1305 sg decryption self-test 4: FAIL
[    1.644402] chacha20poly1305 sg decryption self-test 5: FAIL
[    1.644406] chacha20poly1305 sg decryption self-test 6: FAIL
[    1.644411] chacha20poly1305 sg decryption self-test 7: FAIL
[    1.644417] chacha20poly1305 sg decryption self-test 8: FAIL
[    1.644424] chacha20poly1305 sg decryption self-test 9: FAIL
[    1.644432] chacha20poly1305 sg decryption self-test 10: FAIL
[    1.644443] chacha20poly1305 sg decryption self-test 11: FAIL
[    1.644456] chacha20poly1305 sg decryption self-test 12: FAIL
[    1.644470] xchacha20poly1305 encryption self-test 1: FAIL
[    1.644474] xchacha20poly1305 decryption self-test 1: FAIL
[    1.644487] ------------[ cut here ]------------
[    1.644490] WARNING: CPU: 3 PID: 1 at lib/crypto/chacha20poly1305.c:359 chacha20poly1305_init+0x28/0x50
[    1.644501] Modules linked in:
[    1.644507] CPU: 3 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.15.0-rc5-next-20250507-00002-g8be5012869c6-dirty #1 VOLUNTARY 
[    1.644515] Hardware name: IBM,8375-42A POWER9 (architected) 0x4e0202 0xf000005 of:IBM,FW950.80 (VL950_131) hv:phyp pSeries
[    1.644520] NIP:  c0000000020646c0 LR: c0000000020646b4 CTR: 00000000007088ec
[    1.644525] REGS: c000000a03757960 TRAP: 0700   Not tainted  (6.15.0-rc5-next-20250507-00002-g8be5012869c6-dirty)
[    1.644530] MSR:  8000000002029033 <SF,VEC,EE,ME,IR,DR,RI,LE>  CR: 28000282  XER: 0000000f
[    1.644544] CFAR: c000000002064ec8 IRQMASK: 0 
[    1.644544] GPR00: c0000000020646b4 c000000a03757c00 c000000001dc8100 0000000000000001 
[    1.644544] GPR04: 0000000000000961 c0000009e94dd5c0 c000000a0d348000 0000000000000960 
[    1.644544] GPR08: 00000009e7270000 0000000000000000 0000000000000000 c0000013fb400000 
[    1.644544] GPR12: c0000013fc9fffa8 c000000017ffcb00 c0000000000113d8 0000000000000000 
[    1.644544] GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
[    1.644544] GPR20: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 
[    1.644544] GPR24: 0000000000000000 0000000000000000 c0000000020b19a8 0000000000000006 
[    1.644544] GPR28: 0000000000000000 c0000000020b1960 c000000a05490a00 c000000002064698 
[    1.644600] NIP [c0000000020646c0] chacha20poly1305_init+0x28/0x50
[    1.644607] LR [c0000000020646b4] chacha20poly1305_init+0x1c/0x50
[    1.644612] Call Trace:
[    1.644615] [c000000a03757c00] [c0000000020646b4] chacha20poly1305_init+0x1c/0x50 (unreliable)
[    1.644624] [c000000a03757c20] [c000000000010d1c] do_one_initcall+0x5c/0x37c
[    1.644631] [c000000a03757d00] [c000000002005394] do_initcalls+0x144/0x18c
[    1.644638] [c000000a03757d90] [c000000002005688] kernel_init_freeable+0x214/0x288
[    1.644645] [c000000a03757df0] [c0000000000113fc] kernel_init+0x2c/0x1b0
[    1.644651] [c000000a03757e50] [c00000000000df5c] ret_from_kernel_user_thread+0x14/0x1c
[    1.644657] ---- interrupt: 0 at 0x0
[    1.644661] Code: 7c0803a6 4e800020 3c4cffd6 38423a68 60000000 7c0802a6 f8010010 f821ffe1 4800028d 60000000 68630001 5463063e <0b030000> 2c030000 4082000c 38600000 
[    1.644681] ---[ end trace 0000000000000000 ]---
[    1.646225] atomic64_test: passed
[    1.646625] PowerPC PowerNV PCI Hotplug Driver version: 0.1
[    1.647199] Serial: 8250/16550 driver, 4 ports, IRQ sharing enabled
[    1.647838] tpm_ibmvtpm 30000003: CRQ initialization completed
[    2.722009] loop: module loaded
[    2.722083] rdac: device handler registered
[    2.722286] hp_sw: device handler registered
[    2.722292] emc: device handler registered
[    2.722682] alua: device handler registered
[    2.723713] usbcore: registered new interface driver usbserial_generic
[    2.723727] usbserial: USB Serial support registered for generic
[    2.723786] mousedev: PS/2 mouse device common for all mice
[    2.723896] rtc-generic rtc-generic: registered as rtc0
[    2.723952] rtc-generic rtc-generic: setting system clock to 2025-06-04T01:53:40 UTC (1749002020)
[    2.741561] nx_compress_pseries ibm,compression-v1: nx842_OF_upd: max_sync_size new:65536 old:0
[    2.741570] nx_compress_pseries ibm,compression-v1: nx842_OF_upd: max_sync_sg new:510 old:0
[    2.741577] nx_compress_pseries ibm,compression-v1: nx842_OF_upd: max_sg_len new:4080 old:0
[    2.741652] NX-GZIP is not supported. Returned=-524
[    2.741697] hid: raw HID events driver (C) Jiri Kosina
[    2.741752] usbcore: registered new interface driver usbhid
[    2.741756] usbhid: USB HID core driver
[    2.742044] drop_monitor: Initializing network drop monitor service
[    2.742074] GACT probability on
[    2.744134] ipip: IPv4 and MPLS over IPv4 tunneling driver
[    2.744906] gre: GRE over IPv4 demultiplexer driver
[    2.744910] ip_gre: GRE over IPv4 tunneling driver
[    2.747214] Initializing XFRM netlink socket
[    2.747222] IPsec XFRM device driver
[    2.747509] NET: Registered PF_INET6 protocol family
[    2.751603] Segment Routing with IPv6
[    2.751614] In-situ OAM (IOAM) with IPv6
[    2.751678] sit: IPv6, IPv4 and MPLS over IPv4 tunneling driver
[    2.752801] ip6_gre: GRE over IPv6 tunneling driver
[    2.753767] NET: Registered PF_PACKET protocol family
[    2.753987] NET: Registered PF_VSOCK protocol family
[    2.753991] mpls_gso: MPLS GSO support
[    2.754284] secvar-sysfs: Failed to retrieve secvar operations
[    2.760232] registered taskstats version 1
[    2.768996] Loading compiled-in X.509 certificates
[    2.778528] Loaded X.509 cert 'Build time autogenerated kernel key: c986a21492d09e4fd382607bdadd8a4261dceb27'
[    2.782800] Demotion targets for Node 0: null
[    2.782806] Demotion targets for Node 1: null
[    2.782814] page_owner is disabled
[    2.783177] Key type big_key registered
[    2.786823] Key type trusted registered
[    2.799548] Key type encrypted registered
[    2.799609] Secure boot mode disabled
[    2.799617] Loading compiled-in module X.509 certificates
[    2.800152] Loaded X.509 cert 'Build time autogenerated kernel key: c986a21492d09e4fd382607bdadd8a4261dceb27'
[    2.800159] ima: Allocated hash algorithm: sha256
[    2.809449] Secure boot mode disabled
[    2.809476] Trusted boot mode disabled
[    2.809479] ima: No architecture policies found
[    2.809499] evm: Initialising EVM extended attributes:
[    2.809503] evm: security.selinux
[    2.809506] evm: security.SMACK64 (disabled)
[    2.809509] evm: security.SMACK64EXEC (disabled)
[    2.809512] evm: security.SMACK64TRANSMUTE (disabled)
[    2.809516] evm: security.SMACK64MMAP (disabled)
[    2.809519] evm: security.apparmor (disabled)
[    2.809522] evm: security.ima
[    2.809525] evm: security.capability
[    2.809527] evm: HMAC attrs: 0x1
[    2.809637] alg: No test for 842 (842-nx)
[    2.829759] clk: Disabling unused clocks

[    2.841320] Freeing unused kernel image (initmem) memory: 6912K
[    2.856815] Run /init as init process
[    2.868434] systemd[1]: Successfully made /usr/ read-only.
[    2.869596] systemd[1]: systemd 257-9.el10_0.1-gd1d3a11 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +IPE +SMACK +SECCOMP -GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -BTF +XKBCOMMON +UTMP +SYSVINIT +LIBARCHIVE)
[    2.869615] systemd[1]: Detected virtualization powervm.
[    2.869623] systemd[1]: Detected architecture ppc64-le.
[    2.869630] systemd[1]: Running in initrd.
Booting initrd of Red Hat Enterprise Linux 10.0 Beta (Coughlan) dracut-105-2.el10 (Initramfs).
[    2.869993] systemd[1]: Hostname set to <ltc-zzci-3.ltc.tadn.ibm.com>.
[    3.137005] systemd[1]: Queued start job for default target initrd.target.
[    3.140875] systemd[1]: Started systemd-ask-password-console.path - Dispatch Password Requests to Console Directory Watch.
[  OK  ] Started systemd-ask-password-conso…equests to Console Directory Watch.
[    3.141137] systemd[1]: Expecting device dev-disk-by\x2duuid-a4ffacf6\x2d03ad\x2d45c0\x2d80c6\x2dcbfaeedef279.device - /dev/disk/by-uuid/a4ffacf6-03ad-45c0-80c6-cbfaeedef279...
         Expecting device dev-disk-by\x2duu…acf6-03ad-45c0-80c6-cbfaeedef279...
[    3.141289] systemd[1]: Reached target initrd-usr-fs.target - Initrd /usr File System.
[  OK  ] Reached target initrd-usr-fs.target - Initrd /usr File System.
[    3.141431] systemd[1]: Reached target paths.target - Path Units.
[  OK  ] Reached target paths.target - Path Units.
[    3.141573] systemd[1]: Reached target slices.target - Slice Units.
[  OK  ] Reached target slices.target - Slice Units.
[    3.141708] systemd[1]: Reached target swap.target - Swaps.
[  OK  ] Reached target swap.target - Swaps.
[    3.141843] systemd[1]: Reached target timers.target - Timer Units.
[  OK  ] Reached target timers.target - Timer Units.
[    3.142073] systemd[1]: Listening on systemd-journald-dev-log.socket - Journal Socket (/dev/log).
[  OK  ] Listening on systemd-journald-dev-…socket - Journal Socket (/dev/log).
[    3.142295] systemd[1]: Listening on systemd-journald.socket - Journal Sockets.
[  OK  ] Listening on systemd-journald.socket - Journal Sockets.
[    3.142504] systemd[1]: Listening on systemd-udevd-control.socket - udev Control Socket.
[  OK  ] Listening on systemd-udevd-control.socket - udev Control Socket.
[    3.142687] systemd[1]: Listening on systemd-udevd-kernel.socket - udev Kernel Socket.
[  OK  ] Listening on systemd-udevd-kernel.socket - udev Kernel Socket.
[    3.142824] systemd[1]: Reached target sockets.target - Socket Units.
[  OK  ] Reached target sockets.target - Socket Units.
[    3.148597] systemd[1]: Starting kmod-static-nodes.service - Create List of Static Device Nodes...
         Starting kmod-static-nodes.service…eate List of Static Device Nodes...
[    3.152992] systemd[1]: Starting systemd-journald.service - Journal Service...
         Starting systemd-journald.service - Journal Service...
[    3.153425] systemd[1]: systemd-modules-load.service - Load Kernel Modules was skipped because no trigger condition checks were met.
[    3.157537] systemd[1]: Starting systemd-sysctl.service - Apply Kernel Variables...
         Starting systemd-sysctl.service - Apply Kernel Variables...
[    3.160912] systemd[1]: Starting systemd-vconsole-setup.service - Virtual Console Setup...
         Starting systemd-vconsole-setup.service - Virtual Console Setup...
[    3.162406] systemd[1]: Finished kmod-static-nodes.service - Create List of Static Device Nodes.
[  OK  ] Finished kmod-static-nodes.service…Create List of Static Device Nodes.
[    3.166772] systemd[1]: Starting systemd-tmpfiles-setup-dev-early.service - Create Static Device Nodes in /dev gracefully...
         Starting systemd-tmpfiles-setup-de… Device Nodes in /dev gracefully...
[    3.170810] systemd[1]: Finished systemd-sysctl.service - Apply Kernel Variables.
[  OK  ] Finished systemd-sysctl.service - Apply Kernel Variables.
[    3.184463] systemd-journald[387]: Collecting audit messages is disabled.
[    3.192565] systemd[1]: Finished systemd-tmpfiles-setup-dev-early.service - Create Static Device Nodes in /dev gracefully.
[  OK  ] Finished systemd-tmpfiles-setup-de…ic Device Nodes in /dev gracefully.
[    3.197537] systemd[1]: Starting systemd-sysusers.service - Create System Users...
         Starting systemd-sysusers.service - Create System Users...
[    3.209820] systemd[1]: Finished systemd-sysusers.service - Create System Users.
[  OK  ] Finished systemd-sysusers.service - Create System Users.
[    3.212934] systemd[1]: Starting systemd-tmpfiles-setup-dev.service - Create Static Device Nodes in /dev...
         Starting systemd-tmpfiles-setup-de…eate Static Device Nodes in /dev...
[    3.221052] systemd[1]: Started systemd-journald.service - Journal Service.
[  OK  ] Started systemd-journald.service - Journal Service.
[  OK  ] Finished systemd-vconsole-setup.service - Virtual Console Setup.
         Starting dracut-cmdline.service - dracut cmdline hook...
[  OK  ] Finished systemd-tmpfiles-setup-de…Create Static Device Nodes in /dev.
[  OK  ] Reached target local-fs-pre.target…Preparation for Local File Systems.
[  OK  ] Reached target local-fs.target - Local File Systems.
         Starting systemd-tmpfiles-setup.se…ate System Files and Directories...
[  OK  ] Finished dracut-cmdline.service - dracut cmdline hook.
         Starting dracut-pre-udev.service - dracut pre-udev hook...
[  OK  ] Finished systemd-tmpfiles-setup.se…reate System Files and Directories.
[  OK  ] Finished dracut-pre-udev.service - dracut pre-udev hook.
         Starting systemd-udevd.service - R…ager for Device Events and Files...
[  OK  ] Started systemd-udevd.service - Ru…anager for Device Events and Files.
         Starting systemd-udev-trigger.service - Coldplug All udev Devices...
[  OK  ] Created slice system-modprobe.slice - Slice /system/modprobe.
         Starting modprobe@configfs.service - Load Kernel Module configfs...
[    4.084412] scsi_transport_fc: module verification failed: signature and/or required key missing - tainting kernel
[  OK  ] Finished systemd-udev-trigger.service - Coldplug All udev Devices.
[  OK  ] Reached target remote-fs-pre.targe…reparation for Remote File Systems.
[  OK  ] Reached target remote-fs.target - Remote File Systems.
[  OK  ] Finished modprobe@configfs.service - Load Kernel Module configfs.
         Mounting sys-kernel-config.mount - Kernel Configuration File System...
[  OK  ] Mounted sys-kernel-config.mount - Kernel Configuration File System.
[  OK  ] Reached target sysinit.target - System Initialization.
[  OK  ] Reached target basic.target - Basic System.
[  OK  ] Stopped systemd-vconsole-setup.service - Virtual Console Setup.
         Stopping systemd-vconsole-setup.service - Virtual Console Setup...
         Starting systemd-vconsole-setup.service - Virtual Console Setup...
[    4.282343] ibmvscsi 30000067: SRP_VERSION: 16.a
[    4.282482] ibmvscsi 30000067: Maximum ID: 64 Maximum LUN: 32 Maximum Channel: 3
[    4.282490] scsi host0: IBM POWER Virtual SCSI Adapter 1.5.9
[    4.282987] ibmvscsi 30000067: partner initialization complete
[    4.283038] ibmvscsi 30000067: host srp version: 16.a, host partition ltc-zzci-vios1 (100), OS 3, max io 1048576
[    4.283093] ibmvscsi 30000067: Client reserve enabled
[    4.283102] ibmvscsi 30000067: sent SRP login
[    4.283128] ibmvscsi 30000067: SRP_LOGIN succeeded
[    4.297957] scsi 0:0:1:0: Direct-Access     AIX      VDASD            0001 PQ: 0 ANSI: 3
[    4.298653] scsi 0:0:2:0: CD-ROM            AIX      VOPTA                 PQ: 0 ANSI: 4
[    4.414814] sd 0:0:1:0: [sda] 26214400 4096-byte logical blocks: (107 GB/100 GiB)
[    4.414884] sd 0:0:1:0: [sda] Write Protect is off
[    4.414946] sd 0:0:1:0: [sda] Cache data unavailable
[    4.414951] sd 0:0:1:0: [sda] Assuming drive cache: write through
[    4.522988] Emulex LightPulse Fibre Channel SCSI driver 14.4.0.9
[    4.523000] Copyright (C) 2017-2025 Broadcom. All Rights Reserved. The term "Broadcom" refers to Broadcom Inc. and/or its subsidiaries.
[    4.523336] lpfc 001a:50:00.4: enabling device (0140 -> 0142)
[    4.526862] lpfc 001a:50:00.4: ibm,query-pe-dma-windows(53) 500400 8000000 2000001a returned 0, lb=1000000 ps=3 wn=1
[  OK  ] Finished systemd-vconsole-setup.service - Virtual Console Setup.
[    4.589676] lpfc 001a:50:00.4: ibm,create-pe-dma-window(54) 500400 8000000 2000001a 10 25 returned 0 (liobn = 0x7000001a starting addr = 8000000 0)
[    4.673669] lpfc 001a:50:00.4: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[    4.673706] lpfc 001a:50:00.4: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[    4.769079] lpfc 001a:50:00.4: 0:6101 Disabling NVME support: Not supported by firmware (0 0) x3
[    4.769275] lpfc 001a:50:00.4: 0:2574 IO channels: hdwQ 32 IRQ 32 MRQ: 0
[    4.798782] scsi host1: Emulex OneConnect OCe15100, FCoE Initiator  on PCI bus 50 device 04 irq 0 BSG
[    4.846266]  sda: sda1 sda2 sda3 sda4 < sda5 sda6 sda7 sda8 sda9 >
[    4.848129] sd 0:0:1:0: [sda] Attached SCSI disk
[    4.848474] sr 0:0:2:0: [sr0] scsi-1 drive
[    4.848484] cdrom: Uniform CD-ROM driver Revision: 3.20
[    4.885016] lpfc 001a:50:00.4: 0:6468 Set host date / time: Status x10:
[  OK  ] Found device dev-disk-by\x2duuid-a…6\x2dcbfaeedef279.device - VDASD 9.
[  OK  ] Reached target initrd-root-device.target - Initrd Root Device.
         Starting systemd-fsck-root.service…acf6-03ad-45c0-80c6-cbfaeedef279...
[  OK  ] Finished systemd-fsck-root.service…ffacf6-03ad-45c0-80c6-cbfaeedef279.
         Mounting sysroot.mount - /sysroot...
[    5.489030] lpfc 001a:50:00.4: 0:3176 Port Name 0 Physical Link is functional
[    5.489601] lpfc 001a:50:00.5: enabling device (0140 -> 0142)
[    5.493002] lpfc 001a:50:00.5: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[    5.493016] lpfc 001a:50:00.5: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[    5.609055] lpfc 001a:50:00.5: 1:6101 Disabling NVME support: Not supported by firmware (0 0) x3
[    5.609068] lpfc 001a:50:00.5: 1:2574 IO channels: hdwQ 32 IRQ 32 MRQ: 0
[    5.639176] scsi host2: Emulex OneConnect OCe15100, FCoE Initiator  on PCI bus 50 device 05 irq 0 BSG
[    5.734985] lpfc 001a:50:00.5: 1:6468 Set host date / time: Status x10:
[    6.271098] SGI XFS with ACLs, security attributes, scrub, quota, no debug enabled
[    6.279988] XFS (sda9): Mounting V5 Filesystem a4ffacf6-03ad-45c0-80c6-cbfaeedef279
[    6.349040] lpfc 001a:50:00.5: 1:3176 Port Name 1 Physical Link is functional
[    6.349568] lpfc 0014:70:00.0: enabling device (0144 -> 0146)
[    6.351831] XFS (sda9): Ending clean mount
[    6.353095] lpfc 0014:70:00.0: ibm,query-pe-dma-windows(53) 700000 8000000 20000014 returned 0, lb=1000000 ps=3 wn=1
[  OK  ] Mounted sysroot.mount - /sysroot.
[  OK  ] Reached target initrd-root-fs.target - Initrd Root File System.
         Starting initrd-parse-etc.service …ints Configured in the Real Root...
[    6.415347] lpfc 0014:70:00.0: ibm,create-pe-dma-window(54) 700000 8000000 20000014 10 25 returned 0 (liobn = 0x70000014 starting addr = 8000000 0)
[    6.498577] lpfc 0014:70:00.0: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[    6.498611] lpfc 0014:70:00.0: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[    6.599018] lpfc 0014:70:00.0: 2:2574 IO channels: hdwQ 32 IRQ 32 MRQ: 0
[    6.622501] scsi host3: Emulex LPe32000 16Gb PCIe Fibre Channel Adapter on PCI bus 70 device 00 irq 0 BSG PCI resettable
[    6.714956] lpfc 0014:70:00.0: 2:6468 Set host date / time: Status x10:
[  OK  ] Finished initrd-parse-etc.service …points Configured in the Real Root.
[  OK  ] Reached target initrd-fs.target - Initrd File Systems.
[  OK  ] Reached target initrd.target - Initrd Default Target.
         Starting dracut-pre-pivot.service …racut pre-pivot and cleanup hook...
[  OK  ] Finished dracut-pre-pivot.service - dracut pre-pivot and cleanup hook.
         Starting initrd-cleanup.service - …ing Up and Shutting Down Daemons...
[  OK  ] Stopped target timers.target - Timer Units.
[  OK  ] Stopped dracut-pre-pivot.service - dracut pre-pivot and cleanup hook.
[  OK  ] Stopped target initrd.target - Initrd Default Target.
[  OK  ] Stopped target basic.target - Basic System.
[  OK  ] Stopped target initrd-root-device.target - Initrd Root Device.
[  OK  ] Stopped target initrd-usr-fs.target - Initrd /usr File System.
[  OK  ] Stopped target paths.target - Path Units.
[  OK  ] Stopped systemd-ask-password-conso…equests to Console Directory Watch.
[  OK  ] Stopped target remote-fs.target - Remote File Systems.
[  OK  ] Stopped target remote-fs-pre.targe…reparation for Remote File Systems.
[  OK  ] Stopped target slices.target - Slice Units.
[  OK  ] Stopped target sockets.target - Socket Units.
[  OK  ] Stopped target sysinit.target - System Initialization.
[  OK  ] Stopped target swap.target - Swaps.
[  OK  ] Stopped systemd-sysctl.service - Apply Kernel Variables.
[  OK  ] Stopped systemd-tmpfiles-setup.ser…reate System Files and Directories.
[  OK  ] Stopped target local-fs.target - Local File Systems.
[  OK  ] Stopped target local-fs-pre.target…Preparation for Local File Systems.
[  OK  ] Stopped systemd-udev-trigger.service - Coldplug All udev Devices.
         Stopping systemd-udevd.service - R…ager for Device Events and Files...
[  OK  ] Stopped systemd-vconsole-setup.service - Virtual Console Setup.
[  OK  ] Finished initrd-cleanup.service - …aning Up and Shutting Down Daemons.
[    7.321295] lpfc 0014:70:00.0: 2:3176 Port Name 0 Physical Link is functional
[    7.321789] lpfc 0014:70:00.1: enabling device (0144 -> 0146)
[    7.324737] lpfc 0014:70:00.1: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[    7.324751] lpfc 0014:70:00.1: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[    7.439012] lpfc 0014:70:00.1: 3:2574 IO channels: hdwQ 32 IRQ 32 MRQ: 0
[    7.462405] scsi host4: Emulex LPe32000 16Gb PCIe Fibre Channel Adapter on PCI bus 70 device 01 irq 0 BSG PCI resettable
[    7.564950] lpfc 0014:70:00.1: 3:6468 Set host date / time: Status x10:
[    8.171045] lpfc 0014:70:00.1: 3:3176 Port Name 1 Physical Link is functional
[    8.171445] lpfc 0014:70:00.2: enabling device (0144 -> 0146)
[    8.174393] lpfc 0014:70:00.2: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[    8.174406] lpfc 0014:70:00.2: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[    8.269013] lpfc 0014:70:00.2: 4:2574 IO channels: hdwQ 32 IRQ 32 MRQ: 0
[    8.292246] scsi host5: Emulex LPe32000 16Gb PCIe Fibre Channel Adapter on PCI bus 70 device 02 irq 0 BSG PCI resettable
[    8.374958] lpfc 0014:70:00.2: 4:6468 Set host date / time: Status x10:
[    8.991024] lpfc 0014:70:00.2: 4:3176 Port Name 2 Physical Link is functional
[    8.991508] lpfc 0014:70:00.3: enabling device (0144 -> 0146)
[    8.994453] lpfc 0014:70:00.3: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[    8.994466] lpfc 0014:70:00.3: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[*     ] Job systemd-udevd.service/stop runn… (2s / 1min 30s): Shutting down...
[    9.089014] lpfc 0014:70:00.3: 5:2574 IO channels: hdwQ 32 IRQ 32 MRQ: 0
[    9.112740] scsi host6: Emulex LPe32000 16Gb PCIe Fibre Channel Adapter on PCI bus 70 device 03 irq 0 BSG PCI resettable
[**    ] Job systemd-udevd.service/stop runn… (2s / 1min 30s): Shutting down...
[  OK  ] Stopped systemd-udevd.service - Ru…anager for Device Events and Files.
[  OK  ] Closed systemd-udevd-control.socket - udev Control Socket.
[  OK  ] Closed systemd-udevd-kernel.socket - udev Kernel Socket.
[  OK  ] Stopped dracut-pre-udev.service - dracut pre-udev hook.
[  OK  ] Stopped dracut-cmdline.service - dracut cmdline hook.
         Starting initrd-udevadm-cleanup-db.service - Cleanup udev Database...
[  OK  ] Stopped systemd-tmpfiles-setup-dev…Create Static Device Nodes in /dev.
[  OK  ] Stopped systemd-sysusers.service - Create System Users.
[  OK  ] Stopped systemd-tmpfiles-setup-dev…ic Device Nodes in /dev gracefully.
[  OK  ] Stopped kmod-static-nodes.service …Create List of Static Device Nodes.
[  OK  ] Finished initrd-udevadm-cleanup-db.service - Cleanup udev Database.
[  OK  ] Reached target initrd-switch-root.target - Switch Root.
         Starting initrd-switch-root.service - Switch Root...
[   10.231874] systemd-journald[387]: Received SIGTERM from PID 1 (systemd).
[   10.515359] audit: type=1404 audit(1749002028.280:2): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295 enabled=1 old-enabled=1 lsm=selinux res=1
[   10.883270] SELinux:  Permission firmware_load in class system not defined in policy.
[   10.883281] SELinux:  Permission kexec_image_load in class system not defined in policy.
[   10.883286] SELinux:  Permission kexec_initramfs_load in class system not defined in policy.
[   10.883291] SELinux:  Permission policy_load in class system not defined in policy.
[   10.883296] SELinux:  Permission x509_certificate_load in class system not defined in policy.
[   10.883306] SELinux:  Permission watch_mountns in class file not defined in policy.
[   10.883312] SELinux:  Permission watch_mountns in class dir not defined in policy.
[   10.883318] SELinux:  Permission watch_mountns in class lnk_file not defined in policy.
[   10.883323] SELinux:  Permission watch_mountns in class chr_file not defined in policy.
[   10.883328] SELinux:  Permission watch_mountns in class blk_file not defined in policy.
[   10.883333] SELinux:  Permission watch_mountns in class sock_file not defined in policy.
[   10.883338] SELinux:  Permission watch_mountns in class fifo_file not defined in policy.
[   10.883353] SELinux:  Permission nlmsg in class netlink_route_socket not defined in policy.
[   10.883358] SELinux:  Permission nlmsg in class netlink_tcpdiag_socket not defined in policy.
[   10.883365] SELinux:  Permission nlmsg in class netlink_xfrm_socket not defined in policy.
[   10.883371] SELinux:  Permission nlmsg in class netlink_audit_socket not defined in policy.
[   10.883405] SELinux:  Permission watch_mountns in class anon_inode not defined in policy.
[   10.883409] SELinux:  Permission allowed in class io_uring not defined in policy.
[   10.883414] SELinux: the above unknown classes and permissions will be allowed
[   10.886259] SELinux:  policy capability network_peer_controls=1
[   10.886264] SELinux:  policy capability open_perms=1
[   10.886268] SELinux:  policy capability extended_socket_class=1
[   10.886272] SELinux:  policy capability always_check_network=0
[   10.886276] SELinux:  policy capability cgroup_seclabel=1
[   10.886280] SELinux:  policy capability nnp_nosuid_transition=1
[   10.886283] SELinux:  policy capability genfs_seclabel_symlinks=1
[   10.886287] SELinux:  policy capability ioctl_skip_cloexec=0
[   10.886291] SELinux:  policy capability userspace_initial_context=0
[   10.886295] SELinux:  policy capability netlink_xperm=0
[   10.886298] SELinux:  policy capability netif_wildcard=0
[   10.886302] SELinux:  policy capability genfs_seclabel_wildcard=0
[   11.355531] audit: type=1403 audit(1749002029.120:3): auid=4294967295 ses=4294967295 lsm=selinux res=1
[   11.363360] systemd[1]: Successfully loaded SELinux policy in 850.443ms.
[   11.548951] systemd[1]: Relabeled /dev/, /dev/shm/, /run/ in 16.703ms.
[   11.559102] systemd[1]: systemd 257-9.el10_0.1-gd1d3a11 running in system mode (+PAM +AUDIT +SELINUX -APPARMOR +IMA +IPE +SMACK +SECCOMP -GCRYPT -GNUTLS +OPENSSL +ACL +BLKID +CURL +ELFUTILS +FIDO2 +IDN2 -IDN -IPTC +KMOD +LIBCRYPTSETUP +LIBCRYPTSETUP_PLUGINS +LIBFDISK +PCRE2 +PWQUALITY +P11KIT -QRENCODE +TPM2 +BZIP2 +LZ4 +XZ +ZLIB +ZSTD +BPF_FRAMEWORK -BTF +XKBCOMMON +UTMP +SYSVINIT +LIBARCHIVE)
[   11.559120] systemd[1]: Detected virtualization powervm.
[   11.559128] systemd[1]: Detected architecture ppc64-le.

Welcome to Red Hat Enterprise Linux 10.0 Beta (Coughlan)!

[   12.248672] systemd[1]: bpf-restrict-fs: LSM BPF program attached
[   13.016877] systemd[1]: initrd-switch-root.service: Deactivated successfully.
[   13.017242] systemd[1]: Stopped initrd-switch-root.service - Switch Root.
[  OK  ] Stopped initrd-switch-root.service - Switch Root.
[   13.018595] systemd[1]: systemd-journald.service: Scheduled restart job, restart counter is at 1.
[   13.021273] systemd[1]: Created slice system-getty.slice - Slice /system/getty.
[  OK  ] Created slice system-getty.slice - Slice /system/getty.
[   13.024068] systemd[1]: Created slice system-serial\x2dgetty.slice - Slice /system/serial-getty.
[  OK  ] Created slice system-serial\x2dget…slice - Slice /system/serial-getty.
[   13.026697] systemd[1]: Created slice system-sshd\x2dkeygen.slice - Slice /system/sshd-keygen.
[  OK  ] Created slice system-sshd\x2dkeygen.slice - Slice /system/sshd-keygen.
[   13.029322] systemd[1]: Created slice user.slice - User and Session Slice.
[  OK  ] Created slice user.slice - User and Session Slice.
[   13.029634] systemd[1]: Started systemd-ask-password-console.path - Dispatch Password Requests to Console Directory Watch.
[  OK  ] Started systemd-ask-password-conso…equests to Console Directory Watch.
[   13.029853] systemd[1]: Started systemd-ask-password-wall.path - Forward Password Requests to Wall Directory Watch.
[  OK  ] Started systemd-ask-password-wall.…d Requests to Wall Directory Watch.
[   13.030505] systemd[1]: Set up automount proc-sys-fs-binfmt_misc.automount - Arbitrary Executable File Formats File System Automount Point.
[  OK  ] Set up automount proc-sys-fs-binfm…ormats File System Automount Point.
[   13.030648] systemd[1]: Expecting device dev-disk-by\x2duuid-cfd51a62\x2dac52\x2d4fdf\x2da198\x2dad57f5a6b44e.device - /dev/disk/by-uuid/cfd51a62-ac52-4fdf-a198-ad57f5a6b44e...
         Expecting device dev-disk-by\x2duu…1a62-ac52-4fdf-a198-ad57f5a6b44e...
[   13.030776] systemd[1]: Expecting device dev-hvc0.device - /dev/hvc0...
         Expecting device dev-hvc0.device - /dev/hvc0...
[   13.030906] systemd[1]: Reached target cryptsetup.target - Local Encrypted Volumes.
[  OK  ] Reached target cryptsetup.target - Local Encrypted Volumes.
[   13.031054] systemd[1]: Stopped target initrd-switch-root.target - Switch Root.
[  OK  ] Stopped target initrd-switch-root.target - Switch Root.
[   13.031189] systemd[1]: Stopped target initrd-fs.target - Initrd File Systems.
[  OK  ] Stopped target initrd-fs.target - Initrd File Systems.
[   13.031321] systemd[1]: Stopped target initrd-root-fs.target - Initrd Root File System.
[  OK  ] Stopped target initrd-root-fs.target - Initrd Root File System.
[   13.031458] systemd[1]: Reached target integritysetup.target - Local Integrity Protected Volumes.
[  OK  ] Reached target integritysetup.targ… Local Integrity Protected Volumes.
[   13.031620] systemd[1]: Reached target paths.target - Path Units.
[  OK  ] Reached target paths.target - Path Units.
[   13.031758] systemd[1]: Reached target remote-cryptsetup.target - Remote Encrypted Volumes.
[  OK  ] Reached target remote-cryptsetup.target - Remote Encrypted Volumes.
[   13.031890] systemd[1]: Reached target remote-fs.target - Remote File Systems.
[  OK  ] Reached target remote-fs.target - Remote File Systems.
[   13.032022] systemd[1]: Reached target slices.target - Slice Units.
[  OK  ] Reached target slices.target - Slice Units.
[   13.032191] systemd[1]: Reached target veritysetup.target - Local Verity Protected Volumes.
[  OK  ] Reached target veritysetup.target - Local Verity Protected Volumes.
[   13.032755] systemd[1]: Listening on dm-event.socket - Device-mapper event daemon FIFOs.
[  OK  ] Listening on dm-event.socket - Device-mapper event daemon FIFOs.
[   13.034213] systemd[1]: Listening on lvm2-lvmpolld.socket - LVM2 poll daemon socket.
[  OK  ] Listening on lvm2-lvmpolld.socket - LVM2 poll daemon socket.
[   13.036806] systemd[1]: Listening on systemd-coredump.socket - Process Core Dump Socket.
[  OK  ] Listening on systemd-coredump.socket - Process Core Dump Socket.
[   13.038478] systemd[1]: Listening on systemd-creds.socket - Credential Encryption/Decryption.
[  OK  ] Listening on systemd-creds.socket - Credential Encryption/Decryption.
[   13.038739] systemd[1]: Listening on systemd-initctl.socket - initctl Compatibility Named Pipe.
[  OK  ] Listening on systemd-initctl.socke…- initctl Compatibility Named Pipe.
[   13.041772] systemd[1]: Listening on systemd-udevd-control.socket - udev Control Socket.
[  OK  ] Listening on systemd-udevd-control.socket - udev Control Socket.
[   13.042175] systemd[1]: Listening on systemd-udevd-kernel.socket - udev Kernel Socket.
[  OK  ] Listening on systemd-udevd-kernel.socket - udev Kernel Socket.
[   13.047534] systemd[1]: Listening on systemd-userdbd.socket - User Database Manager Socket.
[  OK  ] Listening on systemd-userdbd.socket - User Database Manager Socket.
[   13.051783] systemd[1]: Mounting dev-hugepages.mount - Huge Pages File System...
         Mounting dev-hugepages.mount - Huge Pages File System...
[   13.054914] systemd[1]: Mounting dev-mqueue.mount - POSIX Message Queue File System...
         Mounting dev-mqueue.mount - POSIX Message Queue File System...
[   13.058357] systemd[1]: Mounting sys-kernel-debug.mount - Kernel Debug File System...
         Mounting sys-kernel-debug.mount - Kernel Debug File System...
[   13.062315] systemd[1]: Mounting sys-kernel-tracing.mount - Kernel Trace File System...
         Mounting sys-kernel-tracing.mount - Kernel Trace File System...
[   13.062645] systemd[1]: fips-crypto-policy-overlay.service - Bind-mount FIPS crypto-policy in FIPS mode was skipped because of an unmet condition check (ConditionKernelCommandLine=fips=1).
[   13.066229] systemd[1]: Starting kmod-static-nodes.service - Create List of Static Device Nodes...
         Starting kmod-static-nodes.service…eate List of Static Device Nodes...
[   13.071082] systemd[1]: Starting lvm2-monitor.service - Monitoring of LVM2 mirrors, snapshots etc. using dmeventd or progress polling...
         Starting lvm2-monitor.service - Mo…ing dmeventd or progress polling...
[   13.268634] systemd[1]: Starting modprobe@configfs.service - Load Kernel Module configfs...
         Starting modprobe@configfs.service - Load Kernel Module configfs...
[   13.273161] systemd[1]: Starting modprobe@dm_mod.service - Load Kernel Module dm_mod...
         Starting modprobe@dm_mod.service - Load Kernel Module dm_mod...
[   13.277234] systemd[1]: Starting modprobe@drm.service - Load Kernel Module drm...
         Starting modprobe@drm.service - Load Kernel Module drm...
[   13.281475] systemd[1]: Starting modprobe@efi_pstore.service - Load Kernel Module efi_pstore...
         Starting modprobe@efi_pstore.servi… - Load Kernel Module efi_pstore...
[   13.287401] systemd[1]: Starting modprobe@fuse.service - Load Kernel Module fuse...
         Starting modprobe@fuse.service - Load Kernel Module fuse...
[   13.291900] systemd[1]: Starting modprobe@loop.service - Load Kernel Module loop...
         Starting modprobe@loop.service - Load Kernel Module loop...
[   13.292350] systemd[1]: systemd-fsck-root.service: Deactivated successfully.
[   13.292433] systemd[1]: Stopped systemd-fsck-root.service - File System Check on Root Device.
[  OK  ] Stopped systemd-fsck-root.service - File System Check on Root Device.
[   13.292697] systemd[1]: systemd-hibernate-clear.service - Clear Stale Hibernate Storage Info was skipped because of an unmet condition check (ConditionPathExists=/sys/firmware/efi/efivars/HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67).
[   13.297863] systemd[1]: Starting systemd-journald.service - Journal Service...
         Starting systemd-journald.service - Journal Service...
[   13.298325] systemd[1]: systemd-modules-load.service - Load Kernel Modules was skipped because no trigger condition checks were met.
[   13.303319] systemd[1]: Starting systemd-network-generator.service - Generate network units from Kernel command line...
         Starting systemd-network-generator…k units from Kernel command line...
[   13.307178] systemd[1]: Starting systemd-remount-fs.service - Remount Root and Kernel File Systems...
         Starting systemd-remount-fs.servic…unt Root and Kernel File Systems...
[   13.311915] systemd[1]: Starting systemd-sysctl.service - Apply Kernel Variables...
         Starting systemd-sysctl.service - Apply Kernel Variables...
[   13.317089] systemd[1]: Starting systemd-udev-load-credentials.service - Load udev Rules from Credentials...
         Starting systemd-udev-load-credent…Load udev Rules from Credentials...
[   13.322818] systemd[1]: Starting systemd-udev-trigger.service - Coldplug All udev Devices...
         Starting systemd-udev-trigger.service - Coldplug All udev Devices...
[   13.330354] systemd[1]: Mounted dev-hugepages.mount - Huge Pages File System.
[  OK  ] Mounted dev-hugepages.mount - Huge Pages File System.
[   13.330673] systemd[1]: Mounted dev-mqueue.mount - POSIX Message Queue File System.
[  OK  ] Mounted dev-mqueue.mount - POSIX Message Queue File System.
[   13.330919] systemd[1]: Mounted sys-kernel-debug.mount - Kernel Debug File System.
[  OK  ] Mounted sys-kernel-debug.mount - Kernel Debug File System.
[   13.331165] systemd[1]: Mounted sys-kernel-tracing.mount - Kernel Trace File System.
[  OK  ] Mounted sys-kernel-tracing.mount - Kernel Trace File System.
[   13.332077] systemd[1]: Finished kmod-static-nodes.service - Create List of Static Device Nodes.
[  OK  ] Finished kmod-static-nodes.service…Create List of Static Device Nodes.
[   13.332651] systemd[1]: modprobe@configfs.service: Deactivated successfully.
[   13.333162] systemd[1]: Finished modprobe@configfs.service - Load Kernel Module configfs.
[  OK  ] Finished modprobe@configfs.service - Load Kernel Module configfs.
[   13.333730] systemd[1]: modprobe@efi_pstore.service: Deactivated successfully.
[   13.334213] systemd[1]: Finished modprobe@efi_pstore.service - Load Kernel Module efi_pstore.
[  OK  ] Finished modprobe@efi_pstore.service - Load Kernel Module efi_pstore.
[   13.334707] systemd[1]: modprobe@loop.service: Deactivated successfully.
[   13.335073] systemd[1]: Finished modprobe@loop.service - Load Kernel Module loop.
[  OK  ] Finished modprobe@loop.service - Load Kernel Module loop.
[   13.335992] systemd[1]: Finished systemd-network-generator.service - Generate network units from Kernel command line.
[  OK  ] Finished systemd-network-generator…ork units from Kernel command line.
[   13.340949] systemd[1]: Starting systemd-tmpfiles-setup-dev-early.service - Create Static Device Nodes in /dev gracefully...
         Starting systemd-tmpfiles-setup-de… Device Nodes in /dev gracefully...
[   13.427129] systemd-journald[941]: Collecting audit messages is disabled.
[   13.456874] systemd[1]: Started systemd-journald.service - Journal Service.
[  OK  ] Started systemd-journald.service - Journal Service.
[   13.459416] device-mapper: core: CONFIG_IMA_DISABLE_HTABLE is disabled. Duplicate IMA measurements will not be recorded in the IMA log.
[   13.459579] device-mapper: uevent: version 1.0.3
[   13.460427] device-mapper: ioctl: 4.50.0-ioctl (2025-04-28) initialised: dm-devel@lists.linux.dev
[  OK  ] Finished modprobe@dm_mod.service - Load Kernel Module dm_mod.
[  OK  ] Finished systemd-remount-fs.servic…mount Root and Kernel File Systems.
         Starting systemd-journal-flush.ser…sh Journal to Persistent Storage...
         Starting systemd-pstore.service - …form Persistent Storage Archival...
         Starting systemd-random-seed.service - Load/Save OS Random Seed...
[   13.556083] systemd-journald[941]: Received client request to flush runtime journal.
[  OK  ] Finished systemd-udev-load-credent…- Load udev Rules from Credentials.
[  OK  ] Finished systemd-sysctl.service - Apply Kernel Variables.
[   13.581312] fuse: init (API version 7.44)
[  OK  ] Finished modprobe@fuse.service - Load Kernel Module fuse.
[  OK  ] Finished systemd-journal-flush.ser…lush Journal to Persistent Storage.
[  OK  ] Finished systemd-random-seed.service - Load/Save OS Random Seed.
[  OK  ] Finished systemd-pstore.service - …atform Persistent Storage Archival.
         Starting systemd-userdbd.service - User Database Manager...
[  OK  ] Finished modprobe@drm.service - Load Kernel Module drm.
         Mounting sys-fs-fuse-connections.mount - FUSE Control File System...
[  OK  ] Mounted sys-fs-fuse-connections.mount - FUSE Control File System.
[  OK  ] Started systemd-userdbd.service - User Database Manager.
[  OK  ] Finished systemd-udev-trigger.service - Coldplug All udev Devices.
[  OK  ] Finished systemd-tmpfiles-setup-de…ic Device Nodes in /dev gracefully.
         Starting systemd-tmpfiles-setup-de…eate Static Device Nodes in /dev...
[  OK  ] Finished lvm2-monitor.service - Mo…using dmeventd or progress polling.
[  OK  ] Finished systemd-tmpfiles-setup-de…Create Static Device Nodes in /dev.
         Starting systemd-udevd.service - R…ager for Device Events and Files...
[  OK  ] Started systemd-udevd.service - Ru…anager for Device Events and Files.
         Starting nvmefc-boot-connections.s…C-NVME devices found during boot...
         Starting modprobe@configfs.service - Load Kernel Module configfs...
[  OK  ] Finished modprobe@configfs.service - Load Kernel Module configfs.
[  OK  ] Finished nvmefc-boot-connections.s… FC-NVME devices found during boot.
[  OK  ] Reached target local-fs-pre.target…Preparation for Local File Systems.
[  OK  ] Reached target local-fs.target - Local File Systems.
[  OK  ] Listening on systemd-sysext.socket… System Extension Image Management.
         Starting systemd-tmpfiles-setup.se…ate System Files and Directories...
[   14.634917] sd 0:0:1:0: Attached scsi generic sg0 type 0
[   14.635139] sr 0:0:2:0: Attached scsi generic sg1 type 5
[   14.825549] be2net 001a:50:00.0: enabling device (0140 -> 0142)
[   14.826443] be2net 001a:50:00.0: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[   14.826457] be2net 001a:50:00.0: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[   14.830633] pseries_rng: Registering IBM pSeries RNG driver
         Starting systemd-vconsole-setup.service - Virtual Console Setup...
[   15.092061] HVCS: vty-server@30000004 added to the vio bus.
[   15.092145] HVCS: Driver registered.
[   15.143558] ibmveth 30000002 net0: renamed from eth0
         Activating swap dev-disk-by\x2duui…1a62-ac52-4fdf-a198-ad57f5a6b44e...
[   15.192550] Adding 2097088k swap on /dev/sda8.  Priority:-2 extents:1 across:2097088k 
[  OK  ] Activated swap dev-disk-by\x2duuid…d51a62-ac52-4fdf-a198-ad57f5a6b44e.
[  OK  ] Reached target swap.target - Swaps.
[   15.256301] bnx2x 0021:01:00.0: msix capability found
[   15.256603] bnx2x 0021:01:00.0: enabling device (0140 -> 0142)
[   15.259734] bnx2x 0021:01:00.0: ibm,query-pe-dma-windows(53) 10000 8000000 20000021 returned 0, lb=1000000 ps=3 wn=1
[   15.322465] bnx2x 0021:01:00.0: ibm,create-pe-dma-window(54) 10000 8000000 20000021 10 25 returned 0 (liobn = 0x70000021 starting addr = 8000000 0)
[   15.406051] bnx2x 0021:01:00.0: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[   15.406082] bnx2x 0021:01:00.0: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[   15.406272] bnx2x 0021:01:00.0: part number 0-0-0-0
[  OK  ] Finished systemd-vconsole-setup.service - Virtual Console Setup.
[   15.492370] bnx2x 0021:01:00.0: 0.000 Gb/s available PCIe bandwidth (Unknown x8 link)
[   15.492457] bnx2x 0021:01:00.1: msix capability found
[   15.492676] bnx2x 0021:01:00.1: enabling device (0140 -> 0142)
[   15.495496] bnx2x 0021:01:00.1: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[   15.495510] bnx2x 0021:01:00.1: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[   15.495675] bnx2x 0021:01:00.1: part number 0-0-0-0
[   15.561848] bnx2x 0021:01:00.1: 0.000 Gb/s available PCIe bandwidth (Unknown x8 link)
[   15.561906] bnx2x 0021:01:00.2: msix capability found
[   15.562084] bnx2x 0021:01:00.2: enabling device (0140 -> 0142)
[   15.564896] bnx2x 0021:01:00.2: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[   15.564910] bnx2x 0021:01:00.2: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[   15.565076] bnx2x 0021:01:00.2: part number 0-0-0-0
[  OK  ] Finished systemd-tmpfiles-setup.se…reate System Files and Directories.
         Starting auditd.service - Security Audit Logging Service...
[   15.632302] bnx2x 0021:01:00.2: 0.000 Gb/s available PCIe bandwidth (Unknown x8 link)
[   15.632369] bnx2x 0021:01:00.3: msix capability found
[   15.632570] bnx2x 0021:01:00.3: enabling device (0140 -> 0142)
[   15.635357] bnx2x 0021:01:00.3: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[   15.635370] bnx2x 0021:01:00.3: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[   15.635535] bnx2x 0021:01:00.3: part number 0-0-0-0
[   15.701796] bnx2x 0021:01:00.3: 0.000 Gb/s available PCIe bandwidth (Unknown x8 link)
[   15.718280] bnx2x 0021:01:00.3 enP33p1s0f3: renamed from eth3
[   15.718811] bnx2x 0021:01:00.1 enP33p1s0f1: renamed from eth1
[   15.719119] bnx2x 0021:01:00.0 enP33p1s0f0: renamed from eth0
[   15.719404] bnx2x 0021:01:00.2 enP33p1s0f2: renamed from eth2
[  OK  ] Started auditd.service - Security Audit Logging Service.
         Starting audit-rules.service - Load Audit Rules...
         Starting systemd-update-utmp.servi…ord System Boot/Shutdown in UTMP...
[  OK  ] Finished systemd-update-utmp.servi…ecord System Boot/Shutdown in UTMP.
[  OK  ] Reached target sysinit.target - System Initialization.
[  OK  ] Started dnf-makecache.timer - dnf makecache --timer.
[  OK  ] Started fstrim.timer - Discard unused filesystem blocks once a week.
[  OK  ] Started logrotate.timer - Daily rotation of log files.
[  OK  ] Started plocate-updatedb.timer - Update the plocate database daily.
[  OK  ] Started raid-check.timer - Weekly RAID setup health check.
[  OK  ] Started systemd-tmpfiles-clean.tim…y Cleanup of Temporary Directories.
         Starting cockpit.socket - Cockpit Web Service Socket...
[  OK  ] Listening on dbus.socket - D-Bus System Message Bus Socket.
[  OK  ] Listening on pcscd.socket - PC/SC Smart Card Daemon Activation Socket.
[  OK  ] Listening on sshd-unix-local.socke…temd-ssh-generator, AF_UNIX Local).
[  OK  ] Listening on sshd-vsock.socket - O… (systemd-ssh-generator, AF_VSOCK).
[  OK  ] Reached target ssh-access.target - SSH Access Available.
[  OK  ] Listening on sssd-kcm.socket - SSS…ros Cache Manager responder socket.
[  OK  ] Listening on systemd-hostnamed.socket - Hostname Service Socket.
         Starting dbus-broker.service - D-Bus System Message Bus...
[  OK  ] Finished audit-rules.service - Load Audit Rules.
[  OK  ] Listening on cockpit.socket - Cockpit Web Service Socket.
[  OK  ] Reached target sockets.target - Socket Units.
[   16.156791] be2net 001a:50:00.0: FW config: function_mode=0x2, function_caps=0x874006
[  OK  ] Started dbus-broker.service - D-Bus System Message Bus.
[  OK  ] Reached target basic.target - Basic System.
         Starting chronyd.service - NTP client/server...
         Starting dracut-shutdown.service -…store /run/initramfs on shutdown...
         Starting firewalld.service - firewalld - dynamic firewall daemon...
[  OK  ] Started irqbalance.service - irqbalance daemon.
         Starting rtas_errd.service - ppc64…platform error handling) Service...
[  OK  ] Reached target sshd-keygen.target.
[  OK  ] Reached target nss-user-lookup.target - User and Group Name Lookups.
[   16.326785] be2net 001a:50:00.0: Using profile 0x29
         Starting systemd-logind.service - User Login Management...
[  OK  ] Finished dracut-shutdown.service - Restore /run/initramfs on shutdown.
[   16.416783] be2net 001a:50:00.0: Max: txqs 18, rxqs 18, rss 17, eqs 20, vfs 80
[   16.416798] be2net 001a:50:00.0: Max: uc-macs 16, mc-macs 40, vlans 16
[   16.428575] be2net 001a:50:00.0: enabled 2 MSI-x vector(s) for NIC
[  OK  ] Started rtas_errd.service - ppc64-… (platform error handling) Service.
[  OK  ] Started systemd-logind.service - User Login Management.
[   16.706804] be2net 001a:50:00.0: created 2 TX queue(s)
[  OK  ] Started chronyd.service - NTP client/server.
[   16.826782] be2net 001a:50:00.0: created 3 RX queue(s)
[   16.907394] be2net 001a:50:00.0: FW version is 11.2.211.21
[   16.907602] be2net 001a:50:00.0: opcode 36-1 failed:status 68-0
[   16.907808] be2net 001a:50:00.0: HW Flow control - TX:0 RX:0
[   16.920740] be2net 001a:50:00.0: Emulex OneConnect(Lancer): PF  port 0
[   16.920967] be2net 001a:50:00.1: enabling device (0140 -> 0142)
[   16.921959] be2net 001a:50:00.1: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[   16.921973] be2net 001a:50:00.1: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[  OK  ] Started firewalld.service - firewalld - dynamic firewall daemon.
[  OK  ] Reached target network-pre.target - Preparation for Network.
         Starting NetworkManager.service - Network Manager...
[   18.306796] be2net 001a:50:00.1: FW config: function_mode=0x2, function_caps=0x874006
[   18.446768] be2net 001a:50:00.1: Using profile 0x29
[   18.536782] be2net 001a:50:00.1: Max: txqs 18, rxqs 18, rss 17, eqs 20, vfs 80
[   18.536793] be2net 001a:50:00.1: Max: uc-macs 16, mc-macs 40, vlans 16
[   18.548437] be2net 001a:50:00.1: enabled 2 MSI-x vector(s) for NIC
[   18.856809] be2net 001a:50:00.1: created 2 TX queue(s)
[   18.976808] be2net 001a:50:00.1: created 3 RX queue(s)
[   19.066787] be2net 001a:50:00.1: Port 1: Physical Link is functional 
[   19.067401] be2net 001a:50:00.1: FW version is 11.2.211.21
[   19.067607] be2net 001a:50:00.1: opcode 36-1 failed:status 68-0
[   19.067813] be2net 001a:50:00.1: HW Flow control - TX:0 RX:0
[   19.080551] be2net 001a:50:00.1: Emulex OneConnect(Lancer): PF  port 1
[   19.080748] be2net 001a:50:00.2: enabling device (0140 -> 0142)
[   19.081664] be2net 001a:50:00.2: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[   19.081677] be2net 001a:50:00.2: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
         Starting systemd-hostnamed.service - Hostname Service...
[  OK  ] Started systemd-hostnamed.service - Hostname Service.
[  OK  ] Listening on systemd-rfkill.socket…ll Switch Status /dev/rfkill Watch.
         Starting NetworkManager-dispatcher…anager Script Dispatcher Service...
[  OK  ] Started NetworkManager-dispatcher.… Manager Script Dispatcher Service.
         Starting polkit.service - Authorization Manager...
[   20.436786] be2net 001a:50:00.2: FW config: function_mode=0x2, function_caps=0x874006
[   20.457527] bnx2x 0021:01:00.0 enP33p1s0f0: using MSI-X  IRQs: sp 218  fp[0] 220 ... fp[1] 221
[   20.586786] be2net 001a:50:00.2: Using profile 0x29
[   20.676785] be2net 001a:50:00.2: Max: txqs 18, rxqs 18, rss 17, eqs 20, vfs 20
[   20.676799] be2net 001a:50:00.2: Max: uc-macs 16, mc-macs 40, vlans 16
[   20.688587] be2net 001a:50:00.2: enabled 2 MSI-x vector(s) for NIC
[  OK  ] Started polkit.service - Authorization Manager.
[   21.127514] bnx2x 0021:01:00.1 enP33p1s0f1: using MSI-X  IRQs: sp 222  fp[0] 224 ... fp[1] 225
[   21.536815] be2net 001a:50:00.2: created 2 TX queue(s)
[   21.666809] be2net 001a:50:00.2: created 3 RX queue(s)
[   21.746811] be2net 001a:50:00.2: Port 2: Physical Link is functional 
[   21.747432] be2net 001a:50:00.2: FW version is 11.2.211.21
[   21.748441] be2net 001a:50:00.2: HW Flow control - TX:1 RX:1
[   21.754242] be2net 001a:50:00.2: Emulex OneConnect(Lancer): PF  port 2
[   21.754500] be2net 001a:50:00.3: enabling device (0140 -> 0142)
[   21.755578] be2net 001a:50:00.3: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[   21.755599] be2net 001a:50:00.3: lsa_required: 0, lsa_enabled: 0, direct mapping: 1
[   21.957510] bnx2x 0021:01:00.2 enP33p1s0f2: using MSI-X  IRQs: sp 226  fp[0] 228 ... fp[1] 229
[   22.397511] bnx2x 0021:01:00.3 enP33p1s0f3: using MSI-X  IRQs: sp 230  fp[0] 232 ... fp[1] 233
[  OK  ] Started NetworkManager.service - Network Manager.
[  OK  ] Reached target network.target - Network.
         Starting NetworkManager-wait-onlin…ce - Network Manager Wait Online...
         Starting hcn-init.service - hybrid…an and config for NetworkManager...
         Starting rhsmcertd.service - Enabl…ate of entitlement certificates....
         Starting sshd.service - OpenSSH server daemon...
         Starting systemd-user-sessions.service - Permit User Sessions...
         Starting tuned.service - Dynamic System Tuning Daemon...
[  OK  ] Finished systemd-user-sessions.service - Permit User Sessions.
[  OK  ] Started atd.service - Deferred execution scheduler.
[  OK  ] Started crond.service - Command Scheduler.
[  OK  ] Started getty@tty1.service - Getty on tty1.
[  OK  ] Started serial-getty@hvc0.service - Serial Getty on hvc0.
[  OK  ] Reached target getty.target - Login Prompts.
[  OK  ] Started rhsmcertd.service - Enable…pdate of entitlement certificates..
[   23.086793] be2net 001a:50:00.3: FW config: function_mode=0x2, function_caps=0x874006
[  OK  ] Started sshd.service - OpenSSH server daemon.
[   23.236786] be2net 001a:50:00.3: Using profile 0x29
[   23.356791] be2net 001a:50:00.3: Max: txqs 18, rxqs 18, rss 17, eqs 20, vfs 20
[   23.356808] be2net 001a:50:00.3: Max: uc-macs 16, mc-macs 40, vlans 16
[   23.369139] be2net 001a:50:00.3: enabled 2 MSI-x vector(s) for NIC
[   23.726794] be2net 001a:50:00.3: created 2 TX queue(s)
[   23.906770] be2net 001a:50:00.3: created 3 RX queue(s)
[   24.006813] be2net 001a:50:00.3: Port 3: Physical Link is functional 
[   24.007439] be2net 001a:50:00.3: FW version is 11.2.211.21
[   24.008546] be2net 001a:50:00.3: HW Flow control - TX:1 RX:1
[   24.012126] be2net 001a:50:00.3: Emulex OneConnect(Lancer): PF  port 3
[  OK  ] Finished hcn-init.service - hybrid…scan and config for NetworkManager.
[   24.062678] be2net 001a:50:00.2 enP26p80s0f2: renamed from eth2
[   24.063147] be2net 001a:50:00.0 enP26p80s0f0: renamed from eth0
[   24.063634] be2net 001a:50:00.1 enP26p80s0f1: renamed from eth1
[   24.064391] be2net 001a:50:00.3 enP26p80s0f3: renamed from eth3
[   24.084584] be2net 001a:50:00.3 enP26p80s0f3: Link is Down
[   24.102903] be2net 001a:50:00.1 enP26p80s0f1: Link is Down
[   24.117863] be2net 001a:50:00.0 enP26p80s0f0: Link is Down
[   24.132700] be2net 001a:50:00.2 enP26p80s0f2: Link is Down
[  OK  ] Started tuned.service - Dynamic System Tuning Daemon.
                                                                                                                                                                                         

Re: [PATCH] crypto: powerpc/poly1305 - Add missing poly1305_emit_arch

[Herbert Xu]

On Thu, May 08, 2025 at 03:31:25PM +0530, Venkat Rao Bagalkote wrote:
>
> Attached is the complete boot up logs.

Thanks.  Can you please try the Crypto API chacha20poly1305 and
see what happens there? If you have it built as a module you can
load it with

	modprobe chacha20poly1305

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] crypto: powerpc/poly1305 - Add missing poly1305_emit_arch

[Herbert Xu]

On Thu, May 08, 2025 at 02:46:06PM +0530, Venkat Rao Bagalkote wrote:
>
> I tested this patch by applying on next-20250507, though it fixes the build
> issue, it has introduced a boot warning.

What was the last next tree that's known to be good on this machine?

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] crypto: powerpc/poly1305 - Add missing poly1305_emit_arch

[Venkat Rao Bagalkote]

On 08/05/25 5:09 pm, Herbert Xu wrote:
> On Thu, May 08, 2025 at 02:46:06PM +0530, Venkat Rao Bagalkote wrote:
>> I tested this patch by applying on next-20250507, though it fixes the build
>> issue, it has introduced a boot warning.
> What was the last next tree that's known to be good on this machine?
>
> Thanks,

Yes, its was on the same machine, next-20250506 passed.


Also, modporbe works fine.


]# modprobe chacha20poly1305
]#


Regards,

Venkat.

Re: [PATCH] crypto: powerpc/poly1305 - Add missing poly1305_emit_arch

[Herbert Xu]

On Thu, May 08, 2025 at 05:27:13PM +0530, Venkat Rao Bagalkote wrote:
>
> Yes, its was on the same machine, next-20250506 passed.

Great!
> 
> 
> Also, modporbe works fine.
> 
> 
> ]# modprobe chacha20poly1305
> ]#

Did you check dmesg?

Self-test failures will only show up there.

Thanks,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

[PATCH] crypto: powerpc/poly1305 - Restore crypto_simd_usable test

[Herbert Xu]

On Thu, May 08, 2025 at 05:27:13PM +0530, Venkat Rao Bagalkote wrote:
>
> Yes, its was on the same machine, next-20250506 passed.

OK I found one bug in my patches, I incorrectly removed the simd
tests for powerpc.  Does this patch help?

---8<---
Restore the crypto_simd_usable test as powerpc needs it.

Fixes: 14d31979145d ("crypto: powerpc/poly1305 - Add block-only interface")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/arch/powerpc/lib/crypto/poly1305-p10-glue.c b/arch/powerpc/lib/crypto/poly1305-p10-glue.c
index 7cea0ebcc6bc..154eced0bf9e 100644
--- a/arch/powerpc/lib/crypto/poly1305-p10-glue.c
+++ b/arch/powerpc/lib/crypto/poly1305-p10-glue.c
@@ -6,6 +6,7 @@
  */
 #include <asm/switch_to.h>
 #include <crypto/internal/poly1305.h>
+#include <crypto/internal/simd.h>
 #include <linux/cpufeature.h>
 #include <linux/jump_label.h>
 #include <linux/kernel.h>
@@ -51,7 +52,7 @@ void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
 	if (!static_key_enabled(&have_p10))
 		return poly1305_blocks_generic(state, src, len, padbit);
 	vsx_begin();
-	if (len >= POLY1305_BLOCK_SIZE * 4) {
+	if (crypto_simd_usable() && len >= POLY1305_BLOCK_SIZE * 4) {
 		poly1305_p10le_4blocks(state, src, len);
 		src += len - (len % (POLY1305_BLOCK_SIZE * 4));
 		len %= POLY1305_BLOCK_SIZE * 4;
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] crypto: powerpc/poly1305 - Restore crypto_simd_usable test

[Venkat Rao Bagalkote]

On 08/05/25 5:53 pm, Herbert Xu wrote:
> On Thu, May 08, 2025 at 05:27:13PM +0530, Venkat Rao Bagalkote wrote:
>> Yes, its was on the same machine, next-20250506 passed.
> OK I found one bug in my patches, I incorrectly removed the simd
> tests for powerpc.  Does this patch help?
>
> ---8<---
> Restore the crypto_simd_usable test as powerpc needs it.
>
> Fixes: 14d31979145d ("crypto: powerpc/poly1305 - Add block-only interface")
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
>
> diff --git a/arch/powerpc/lib/crypto/poly1305-p10-glue.c b/arch/powerpc/lib/crypto/poly1305-p10-glue.c
> index 7cea0ebcc6bc..154eced0bf9e 100644
> --- a/arch/powerpc/lib/crypto/poly1305-p10-glue.c
> +++ b/arch/powerpc/lib/crypto/poly1305-p10-glue.c
> @@ -6,6 +6,7 @@
>    */
>   #include <asm/switch_to.h>
>   #include <crypto/internal/poly1305.h>
> +#include <crypto/internal/simd.h>
>   #include <linux/cpufeature.h>
>   #include <linux/jump_label.h>
>   #include <linux/kernel.h>
> @@ -51,7 +52,7 @@ void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
>   	if (!static_key_enabled(&have_p10))
>   		return poly1305_blocks_generic(state, src, len, padbit);
>   	vsx_begin();
> -	if (len >= POLY1305_BLOCK_SIZE * 4) {
> +	if (crypto_simd_usable() && len >= POLY1305_BLOCK_SIZE * 4) {
>   		poly1305_p10le_4blocks(state, src, len);
>   		src += len - (len % (POLY1305_BLOCK_SIZE * 4));
>   		len %= POLY1305_BLOCK_SIZE * 4;


Unfortunately, above patch dosent fix the boot warning.


Regards,

Venkat.

Re: [PATCH] crypto: powerpc/poly1305 - Add missing poly1305_emit_arch

[Eric Biggers]

On Thu, May 08, 2025 at 05:45:28PM +0800, Herbert Xu wrote:
> On Thu, May 08, 2025 at 02:46:06PM +0530, Venkat Rao Bagalkote wrote:
> >
> > I tested this patch by applying on next-20250507, though it fixes the build
> > issue, it has introduced a boot warning.
> 
> Looking at the history of this code it was never used as lib/crypto
> prior to commit 378a337ab40f88d63ba71d68ff578ead7f5ac8f1.  So either
> this code simply doesn't work as lib/crypto for some reason, or my
> subsequent blockhash change broke it.
> 
> Could you please revert back to commit 378a337ab40f and see if the
> lib/crypto chacha20poly1305 self-test passes with that?
> 

My patchsets "Remove per-architecture poly1305 shash glue code" and
"Finish disentangling ChaCha, Poly1305, and BLAKE2s from CRYPTO", which included
commit 378a337ab40f, passed testing with qemu-system-ppc64 with -M pseries and
-cpu in [POWER7, POWER8, POWER9, Power10].  These issues, both the build failure
and test failure, were introduced by your patchset
"crypto: lib - Add partial block helper".

- Eric

Re: [PATCH] crypto: powerpc/poly1305 - Add missing poly1305_emit_arch

[Herbert Xu]

On Thu, May 08, 2025 at 09:29:54AM -0700, Eric Biggers wrote:
>
> My patchsets "Remove per-architecture poly1305 shash glue code" and
> "Finish disentangling ChaCha, Poly1305, and BLAKE2s from CRYPTO", which included
> commit 378a337ab40f, passed testing with qemu-system-ppc64 with -M pseries and
> -cpu in [POWER7, POWER8, POWER9, Power10].  These issues, both the build failure
> and test failure, were introduced by your patchset
> "crypto: lib - Add partial block helper".

Thanks.  I'll try to reproduce this.
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

[PATCH] crypto: powerpc/poly1305 - Fix input mixup in poly1305_emit_arch

[Herbert Xu]

On Thu, May 08, 2025 at 08:35:48PM +0530, Venkat Rao Bagalkote wrote:
>
> Unfortunately, above patch dosent fix the boot warning.

This works for me:

---8<---
Swap the order of the arguments in poly1305_emit_arch to match
the prototype.

Fixes: 14d31979145d ("crypto: powerpc/poly1305 - Add block-only interface")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/arch/powerpc/lib/crypto/poly1305-p10le_64.S b/arch/powerpc/lib/crypto/poly1305-p10le_64.S
index 2ba2911b8038..5b368baf96d2 100644
--- a/arch/powerpc/lib/crypto/poly1305-p10le_64.S
+++ b/arch/powerpc/lib/crypto/poly1305-p10le_64.S
@@ -1027,7 +1027,7 @@ Out_no_poly1305_64:
 SYM_FUNC_END(poly1305_64s)
 
 #
-# Input: r3 = h, r4 = s, r5 = mac
+# Input: r3 = h, r4 = mac, r5 = s
 # mac = h + s
 #
 SYM_FUNC_START(poly1305_emit_arch)
@@ -1051,14 +1051,14 @@ SYM_FUNC_START(poly1305_emit_arch)
 	mr	12, 8
 
 Skip_h64:
-	ld	6, 0(4)
-	ld	7, 8(4)
+	ld	6, 0(5)
+	ld	7, 8(5)
 	addc	10, 10, 6
 	adde	11, 11, 7
 	addze	12, 12
 
-	std	10, 0(5)
-	std	11, 8(5)
+	std	10, 0(4)
+	std	11, 8(4)
 	blr
 SYM_FUNC_END(poly1305_emit_arch)
 
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] crypto: powerpc/poly1305 - Restore crypto_simd_usable test

[Herbert Xu]

On Thu, May 08, 2025 at 08:23:17PM +0800, Herbert Xu wrote:
>
> @@ -51,7 +52,7 @@ void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
>  	if (!static_key_enabled(&have_p10))
>  		return poly1305_blocks_generic(state, src, len, padbit);
>  	vsx_begin();
> -	if (len >= POLY1305_BLOCK_SIZE * 4) {
> +	if (crypto_simd_usable() && len >= POLY1305_BLOCK_SIZE * 4) {

This patch is obviously broken.  However, I think this code was
always broken in the SIMD-fallback case.  AFAICS the fallback
uses vector instructions so it can't be used in softirqs either.

A proper fallback would have to convert the state to the format
used by the generic poly1305 implementation, call that, and then
convert it back.

Of course it would be a lot easier if ppc could make VSX usable
in softirq context.

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [PATCH] crypto: powerpc/poly1305 - Fix input mixup in poly1305_emit_arch

[Eric Biggers]

On Fri, May 09, 2025 at 08:29:00PM +0800, Herbert Xu wrote:
> On Thu, May 08, 2025 at 08:35:48PM +0530, Venkat Rao Bagalkote wrote:
> >
> > Unfortunately, above patch dosent fix the boot warning.
> 
> This works for me:
> 
> ---8<---
> Swap the order of the arguments in poly1305_emit_arch to match
> the prototype.
> 
> Fixes: 14d31979145d ("crypto: powerpc/poly1305 - Add block-only interface")
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

This fixes "-cpu Power10", but older CPUs (e.g. "-cpu POWER9") are still
failing.

- Eric

[v2 PATCH] crypto: powerpc/poly1305 - Add poly1305_emit_arch wrapper

[Herbert Xu]

On Fri, May 09, 2025 at 09:44:50PM -0700, Eric Biggers wrote:
>
> This fixes "-cpu Power10", but older CPUs (e.g. "-cpu POWER9") are still
> failing.

You're right.  I'll revert this and apply the following patch
instead.

BTW this thing is still hopelessly broken if it's called from
softirq context because there is no SIMD fallback.  Yes I removed
the SIMD check but it was already broken before that as it simply
switched from the 4-block version to the 1-block version if SIMD
is not available rather than actually doing something that is
safe in softirq context.

Perhaps we should just remove this altogether until it's fixed.

---8<---
Add poly1305_emit_arch with fallback instead of calling assembly
directly.  This is because the state format differs between p10
and that of the generic implementation.

Reported-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
Reported-by: Eric Biggers <ebiggers@google.com>
Fixes: 14d31979145d ("crypto: powerpc/poly1305 - Add block-only interface")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/arch/powerpc/lib/crypto/poly1305-p10-glue.c b/arch/powerpc/lib/crypto/poly1305-p10-glue.c
index 7cea0ebcc6bc..3f1664a724b6 100644
--- a/arch/powerpc/lib/crypto/poly1305-p10-glue.c
+++ b/arch/powerpc/lib/crypto/poly1305-p10-glue.c
@@ -14,10 +14,7 @@
 
 asmlinkage void poly1305_p10le_4blocks(struct poly1305_block_state *state, const u8 *m, u32 mlen);
 asmlinkage void poly1305_64s(struct poly1305_block_state *state, const u8 *m, u32 mlen, int highbit);
-asmlinkage void poly1305_emit_arch(const struct poly1305_state *state,
-				   u8 digest[POLY1305_DIGEST_SIZE],
-				   const u32 nonce[4]);
-EXPORT_SYMBOL_GPL(poly1305_emit_arch);
+asmlinkage void poly1305_emit_64(const struct poly1305_state *state, const u32 nonce[4], u8 digest[POLY1305_DIGEST_SIZE]);
 
 static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_p10);
 
@@ -65,6 +62,16 @@ void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
 }
 EXPORT_SYMBOL_GPL(poly1305_blocks_arch);
 
+void poly1305_emit_arch(const struct poly1305_state *state,
+			u8 digest[POLY1305_DIGEST_SIZE],
+			const u32 nonce[4])
+{
+	if (!static_key_enabled(&have_p10))
+		return poly1305_emit_generic(state, digest, nonce);
+	poly1305_emit_64(state, nonce, digest);
+}
+EXPORT_SYMBOL_GPL(poly1305_emit_arch);
+
 bool poly1305_is_arch_optimized(void)
 {
 	return static_key_enabled(&have_p10);
diff --git a/arch/powerpc/lib/crypto/poly1305-p10le_64.S b/arch/powerpc/lib/crypto/poly1305-p10le_64.S
index 2ba2911b8038..a3c1987f1ecd 100644
--- a/arch/powerpc/lib/crypto/poly1305-p10le_64.S
+++ b/arch/powerpc/lib/crypto/poly1305-p10le_64.S
@@ -1030,7 +1030,7 @@ SYM_FUNC_END(poly1305_64s)
 # Input: r3 = h, r4 = s, r5 = mac
 # mac = h + s
 #
-SYM_FUNC_START(poly1305_emit_arch)
+SYM_FUNC_START(poly1305_emit_64)
 	ld	10, 0(3)
 	ld	11, 8(3)
 	ld	12, 16(3)
@@ -1060,7 +1060,7 @@ Skip_h64:
 	std	10, 0(5)
 	std	11, 8(5)
 	blr
-SYM_FUNC_END(poly1305_emit_arch)
+SYM_FUNC_END(poly1305_emit_64)
 
 SYM_DATA_START_LOCAL(RMASK)
 .align 5
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [v2 PATCH] crypto: powerpc/poly1305 - Add poly1305_emit_arch wrapper

[Eric Biggers]

On Sat, May 10, 2025 at 01:10:22PM +0800, Herbert Xu wrote:
> On Fri, May 09, 2025 at 09:44:50PM -0700, Eric Biggers wrote:
> >
> > This fixes "-cpu Power10", but older CPUs (e.g. "-cpu POWER9") are still
> > failing.
> 
> You're right.  I'll revert this and apply the following patch
> instead.
> 
> BTW this thing is still hopelessly broken if it's called from
> softirq context because there is no SIMD fallback.  Yes I removed
> the SIMD check but it was already broken before that as it simply
> switched from the 4-block version to the 1-block version if SIMD
> is not available rather than actually doing something that is
> safe in softirq context.
> 
> Perhaps we should just remove this altogether until it's fixed.

Yes, the PowerPC Poly1305 code incorrectly uses VSX without first checking
crypto_simd_usable().  And PowerPC also doesn't support VSX in softirqs, or at
least it doesn't claim to (it doesn't override may_use_simd(), so it gets the
default from include/asm-generic/simd.h which returns false in softirq context).
Maybe add 'depends on BROKEN' to CRYPTO_POLY1305_P10 for now, and give the
PowerPC folks (Cc'ed) a chance to fix this before removing the code.

- Eric

Re: [v2 PATCH] crypto: powerpc/poly1305 - Add poly1305_emit_arch wrapper

[Herbert Xu]

On Fri, May 09, 2025 at 10:33:08PM -0700, Eric Biggers wrote:
>
> Yes, the PowerPC Poly1305 code incorrectly uses VSX without first checking
> crypto_simd_usable().  And PowerPC also doesn't support VSX in softirqs, or at
> least it doesn't claim to (it doesn't override may_use_simd(), so it gets the
> default from include/asm-generic/simd.h which returns false in softirq context).
> Maybe add 'depends on BROKEN' to CRYPTO_POLY1305_P10 for now, and give the
> PowerPC folks (Cc'ed) a chance to fix this before removing the code.

I just noticed something weird with this code, running a speed
test using "modprobe tcrypt mode=217" shows that the p10 version
of poly1305 is way slower than the generic:

qemu P9 CPU:

May 10 13:36:46 test-p10 kernel: [   59.585264][  T374] tcrypt: testing speed of multibuffer rfc7539esp(chacha20,poly1305) (rfc7539esp(chacha20-generic,poly1305-generic)) encryption
May 10 13:36:46 test-p10 kernel: [   59.586011][  T374] tcrypt: test 0 (288 bit key, 16 byte blocks): 1 operation in 1374 cycles (16 bytes)
May 10 13:36:46 test-p10 kernel: [   59.587446][  T374] tcrypt: test 1 (288 bit key, 64 byte blocks): 1 operation in 1359 cycles (64 bytes)
May 10 13:36:46 test-p10 kernel: [   59.588025][  T374] tcrypt: test 2 (288 bit key, 256 byte blocks): 1 operation in 1778 cycles (256 bytes)
May 10 13:36:46 test-p10 kernel: [   59.588639][  T374] tcrypt: test 3 (288 bit key, 512 byte blocks): 1 operation in 2323 cycles (512 bytes)
May 10 13:36:46 test-p10 kernel: [   59.589342][  T374] tcrypt: test 4 (288 bit key, 1024 byte blocks): 1 operation in 31624 cycles (1024 bytes)
May 10 13:36:46 test-p10 kernel: [   59.594178][  T374] tcrypt: test 5 (288 bit key, 1420 byte blocks): 1 operation in 4408 cycles (1420 bytes)
May 10 13:36:46 test-p10 kernel: [   59.595317][  T374] tcrypt: test 6 (288 bit key, 4096 byte blocks): 1 operation in 9719 cycles (4096 bytes)
May 10 13:36:46 test-p10 kernel: [   59.597512][  T374] tcrypt: test 7 (288 bit key, 8192 byte blocks): 1 operation in 20168 cycles (8192 bytes)
May 10 13:36:46 test-p10 kernel: [   59.604616][  T374] tcrypt: testing speed of multibuffer rfc7539esp(chacha20,poly1305) (rfc7539esp(chacha20-generic,poly1305-generic)) decryption
May 10 13:36:46 test-p10 kernel: [   59.604916][  T374] tcrypt: test 0 (288 bit key, 16 byte blocks): 1 operation in 1356 cycles (16 bytes)
May 10 13:36:46 test-p10 kernel: [   59.605564][  T374] tcrypt: test 1 (288 bit key, 64 byte blocks): 1 operation in 1393 cycles (64 bytes)
May 10 13:36:46 test-p10 kernel: [   59.608308][  T374] tcrypt: test 2 (288 bit key, 256 byte blocks): 1 operation in 1845 cycles (256 bytes)
May 10 13:36:46 test-p10 kernel: [   59.609002][  T374] tcrypt: test 3 (288 bit key, 512 byte blocks): 1 operation in 2392 cycles (512 bytes)
May 10 13:36:46 test-p10 kernel: [   59.612109][  T374] tcrypt: test 4 (288 bit key, 1024 byte blocks): 1 operation in 3349 cycles (1024 bytes)
May 10 13:36:46 test-p10 kernel: [   59.613289][  T374] tcrypt: test 5 (288 bit key, 1420 byte blocks): 1 operation in 4418 cycles (1420 bytes)
May 10 13:36:46 test-p10 kernel: [   59.616233][  T374] tcrypt: test 6 (288 bit key, 4096 byte blocks): 1 operation in 21600 cycles (4096 bytes)
May 10 13:36:46 test-p10 kernel: [   59.620221][  T374] tcrypt: test 7 (288 bit key, 8192 byte blocks): 1 operation in 20013 cycles (8192 bytes)

qemu P10 CPU:

May 10 13:40:56 test-p10 kernel: [   91.672877][  T392] tcrypt: testing speed of multibuffer rfc7539esp(chacha20,poly1305) (rfc7539esp(chacha20-powerpc,poly1305-generic)) encryption
May 10 13:40:56 test-p10 kernel: [   91.674615][  T392] tcrypt: test 0 (288 bit key, 16 byte blocks): 1 operation in 1471 cycles (16 bytes)
May 10 13:40:56 test-p10 kernel: [   91.680240][  T392] tcrypt: test 1 (288 bit key, 64 byte blocks): 1 operation in 1733 cycles (64 bytes)
May 10 13:40:56 test-p10 kernel: [   91.682975][  T392] tcrypt: test 2 (288 bit key, 256 byte blocks): 1 operation in 3248 cycles (256 bytes)
May 10 13:40:56 test-p10 kernel: [   91.684445][  T392] tcrypt: test 3 (288 bit key, 512 byte blocks): 1 operation in 15211 cycles (512 bytes)
May 10 13:40:56 test-p10 kernel: [   91.687603][  T392] tcrypt: test 4 (288 bit key, 1024 byte blocks): 1 operation in 20500 cycles (1024 bytes)
May 10 13:40:56 test-p10 kernel: [   91.690926][  T392] tcrypt: test 5 (288 bit key, 1420 byte blocks): 1 operation in 10159 cycles (1420 bytes)
May 10 13:40:56 test-p10 kernel: [   91.695009][  T392] tcrypt: test 6 (288 bit key, 4096 byte blocks): 1 operation in 25917 cycles (4096 bytes)
May 10 13:40:56 test-p10 kernel: [   91.701320][  T392] tcrypt: test 7 (288 bit key, 8192 byte blocks): 1 operation in 63352 cycles (8192 bytes)
May 10 13:40:56 test-p10 kernel: [   91.713863][  T392] tcrypt: testing speed of multibuffer rfc7539esp(chacha20,poly1305) (rfc7539esp(chacha20-powerpc,poly1305-generic)) decryption
May 10 13:40:56 test-p10 kernel: [   91.714182][  T392] tcrypt: test 0 (288 bit key, 16 byte blocks): 1 operation in 1502 cycles (16 bytes)
May 10 13:40:56 test-p10 kernel: [   91.714871][  T392] tcrypt: test 1 (288 bit key, 64 byte blocks): 1 operation in 1778 cycles (64 bytes)
May 10 13:40:56 test-p10 kernel: [   91.715508][  T392] tcrypt: test 2 (288 bit key, 256 byte blocks): 1 operation in 3322 cycles (256 bytes)
May 10 13:40:56 test-p10 kernel: [   91.716463][  T392] tcrypt: test 3 (288 bit key, 512 byte blocks): 1 operation in 20980 cycles (512 bytes)
May 10 13:40:56 test-p10 kernel: [   91.720775][  T392] tcrypt: test 4 (288 bit key, 1024 byte blocks): 1 operation in 8000 cycles (1024 bytes)
May 10 13:40:56 test-p10 kernel: [   91.724348][  T392] tcrypt: test 5 (288 bit key, 1420 byte blocks): 1 operation in 10155 cycles (1420 bytes)
May 10 13:40:56 test-p10 kernel: [   91.727952][  T392] tcrypt: test 6 (288 bit key, 4096 byte blocks): 1 operation in 27711 cycles (4096 bytes)
May 10 13:40:56 test-p10 kernel: [   91.735306][  T392] tcrypt: test 7 (288 bit key, 8192 byte blocks): 1 operation in 52874 cycles (8192 bytes)

Did I do something wrong?

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [v2 PATCH] crypto: powerpc/poly1305 - Add poly1305_emit_arch wrapper

[Herbert Xu]

On Sat, May 10, 2025 at 01:49:13PM +0800, Herbert Xu wrote:
>
> Did I do something wrong?

OK perhaps it's just that the qemu emulation being slow.

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [v2 PATCH] crypto: powerpc/poly1305 - Add poly1305_emit_arch wrapper

[Eric Biggers]

On Sat, May 10, 2025 at 01:50:02PM +0800, Herbert Xu wrote:
> On Sat, May 10, 2025 at 01:49:13PM +0800, Herbert Xu wrote:
> >
> > Did I do something wrong?
> 
> OK perhaps it's just that the qemu emulation being slow.

Yes, non-native QEMU usually isn't any good for benchmarking the
architecture-optimized code, due to the instructions it uses having to be
emulated.  Just to give another random example, in (non-native) QEMU the RISC-V
CRC code is much slower than the generic CRC code.  But when run on an actual
RISC-V processor it's much faster.

- Eric

[PATCH] crypto: powerpc/poly1305 - Add SIMD fallback

[Herbert Xu]

On Fri, May 09, 2025 at 10:33:08PM -0700, Eric Biggers wrote:
>
> Yes, the PowerPC Poly1305 code incorrectly uses VSX without first checking
> crypto_simd_usable().  And PowerPC also doesn't support VSX in softirqs, or at
> least it doesn't claim to (it doesn't override may_use_simd(), so it gets the
> default from include/asm-generic/simd.h which returns false in softirq context).
> Maybe add 'depends on BROKEN' to CRYPTO_POLY1305_P10 for now, and give the
> PowerPC folks (Cc'ed) a chance to fix this before removing the code.

OK this patch works for me:

---8<---
Add a SIMD fallback path for poly1305-p10 by converting the 2^64
based hash state into a 2^44 base.  In order to ensure that the
generic fallback is actually 2^44, add ARCH_SUPPORTS_INT128 to
powerpc and make poly1305-p10 depend on it.

Fixes: ba8f8624fde2 ("crypto: poly1305-p10 - Glue code for optmized Poly1305 implementation for ppc64le")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>

diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index 6722625a406a..651e0c32957a 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -173,6 +173,7 @@ config PPC
 	select ARCH_STACKWALK
 	select ARCH_SUPPORTS_ATOMIC_RMW
 	select ARCH_SUPPORTS_DEBUG_PAGEALLOC	if PPC_BOOK3S || PPC_8xx
+	select ARCH_SUPPORTS_INT128		if PPC64 && CC_HAS_INT128
 	select ARCH_USE_BUILTIN_BSWAP
 	select ARCH_USE_CMPXCHG_LOCKREF		if PPC64
 	select ARCH_USE_MEMTEST
diff --git a/arch/powerpc/lib/crypto/Kconfig b/arch/powerpc/lib/crypto/Kconfig
index ffa541ad6d5d..6761fdb6193c 100644
--- a/arch/powerpc/lib/crypto/Kconfig
+++ b/arch/powerpc/lib/crypto/Kconfig
@@ -9,7 +9,7 @@ config CRYPTO_CHACHA20_P10
 
 config CRYPTO_POLY1305_P10
 	tristate
-	depends on PPC64 && CPU_LITTLE_ENDIAN && VSX
+	depends on PPC64 && CPU_LITTLE_ENDIAN && VSX && ARCH_SUPPORTS_INT128
 	default CRYPTO_LIB_POLY1305
 	select CRYPTO_ARCH_HAVE_LIB_POLY1305
 	select CRYPTO_LIB_POLY1305_GENERIC
diff --git a/arch/powerpc/lib/crypto/poly1305-p10-glue.c b/arch/powerpc/lib/crypto/poly1305-p10-glue.c
index 3f1664a724b6..280c10c48c53 100644
--- a/arch/powerpc/lib/crypto/poly1305-p10-glue.c
+++ b/arch/powerpc/lib/crypto/poly1305-p10-glue.c
@@ -6,6 +6,7 @@
  */
 #include <asm/switch_to.h>
 #include <crypto/internal/poly1305.h>
+#include <crypto/internal/simd.h>
 #include <linux/cpufeature.h>
 #include <linux/jump_label.h>
 #include <linux/kernel.h>
@@ -18,6 +19,11 @@ asmlinkage void poly1305_emit_64(const struct poly1305_state *state, const u32 n
 
 static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_p10);
 
+static inline bool is_state_base64(struct poly1305_block_state *state)
+{
+	return state->core_r.precomputed_s.r64[2];
+}
+
 static void vsx_begin(void)
 {
 	preempt_disable();
@@ -30,12 +36,35 @@ static void vsx_end(void)
 	preempt_enable();
 }
 
+static void convert_to_base2_44(struct poly1305_block_state *state)
+{
+	u8 raw_key[POLY1305_BLOCK_SIZE];
+	u64 h0, h1, h2;
+
+	if (!is_state_base64(state))
+		return;
+
+	state->core_r.precomputed_s.r64[2] = 0;
+	put_unaligned_le64(state->core_r.key.r64[0], raw_key + 0);
+	put_unaligned_le64(state->core_r.key.r64[1], raw_key + 8);
+	poly1305_core_setkey(&state->core_r, raw_key);
+
+	h0 = state->h.h64[0];
+	h1 = state->h.h64[1];
+	h2 = state->h.h64[2];
+	state->h.h64[0] = h0 & 0xfffffffffffULL;
+	state->h.h64[1] = h0 >> 44 | (h1 & 0xffffffULL) << 20;
+	state->h.h64[2] = h1 >> 24 | h2 << 40;
+}
+
 void poly1305_block_init_arch(struct poly1305_block_state *dctx,
 			      const u8 raw_key[POLY1305_BLOCK_SIZE])
 {
-	if (!static_key_enabled(&have_p10))
+	dctx->core_r.precomputed_s.r64[2] = 0;
+	if (!static_key_enabled(&have_p10) || !crypto_simd_usable())
 		return poly1305_block_init_generic(dctx, raw_key);
 
+	dctx->core_r.precomputed_s.r64[2] = 1;
 	dctx->h = (struct poly1305_state){};
 	dctx->core_r.key.r64[0] = get_unaligned_le64(raw_key + 0);
 	dctx->core_r.key.r64[1] = get_unaligned_le64(raw_key + 8);
@@ -45,8 +74,11 @@ EXPORT_SYMBOL_GPL(poly1305_block_init_arch);
 void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
 			  unsigned int len, u32 padbit)
 {
-	if (!static_key_enabled(&have_p10))
+	if (!static_key_enabled(&have_p10) || !is_state_base64(state) ||
+	    !crypto_simd_usable()) {
+		convert_to_base2_44(state);
 		return poly1305_blocks_generic(state, src, len, padbit);
+	}
 	vsx_begin();
 	if (len >= POLY1305_BLOCK_SIZE * 4) {
 		poly1305_p10le_4blocks(state, src, len);
@@ -66,7 +98,10 @@ void poly1305_emit_arch(const struct poly1305_state *state,
 			u8 digest[POLY1305_DIGEST_SIZE],
 			const u32 nonce[4])
 {
-	if (!static_key_enabled(&have_p10))
+	struct poly1305_block_state *dctx =
+		container_of(state, struct poly1305_block_state, h);
+
+	if (!static_key_enabled(&have_p10) || !is_state_base64(dctx))
 		return poly1305_emit_generic(state, digest, nonce);
 	poly1305_emit_64(state, nonce, digest);
 }
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [v2 PATCH] crypto: powerpc/poly1305 - Add poly1305_emit_arch wrapper

[Segher Boessenkool]

Hi!

On Fri, May 09, 2025 at 10:33:08PM -0700, Eric Biggers wrote:
> On Sat, May 10, 2025 at 01:10:22PM +0800, Herbert Xu wrote:
> > On Fri, May 09, 2025 at 09:44:50PM -0700, Eric Biggers wrote:
> > >
> > > This fixes "-cpu Power10", but older CPUs (e.g. "-cpu POWER9") are still
> > > failing.
> > 
> > You're right.  I'll revert this and apply the following patch
> > instead.
> > 
> > BTW this thing is still hopelessly broken if it's called from
> > softirq context because there is no SIMD fallback.  Yes I removed
> > the SIMD check but it was already broken before that as it simply
> > switched from the 4-block version to the 1-block version if SIMD
> > is not available rather than actually doing something that is
> > safe in softirq context.
> > 
> > Perhaps we should just remove this altogether until it's fixed.
> 
> Yes, the PowerPC Poly1305 code incorrectly uses VSX without first checking
> crypto_simd_usable().  And PowerPC also doesn't support VSX in softirqs, or at
> least it doesn't claim to (it doesn't override may_use_simd(), so it gets the
> default from include/asm-generic/simd.h which returns false in softirq context).
> Maybe add 'depends on BROKEN' to CRYPTO_POLY1305_P10 for now, and give the
> PowerPC folks (Cc'ed) a chance to fix this before removing the code.

What doe "may_use_simd" even *mean*?  At its declaration site it says
"whether it is allowable at this time to issue SIMD instructions or
access the SIMD register file", but that is 100% meaningless, you can do
SIMD in GPRs.

On PowerPC we have two separate register files dedicated to SIMD-like
stuff, the VMX and the VSX register files.  Which of those is this
function supposed to care about?

It looks like the whole "may_use_simd" thing is a misguided abstraction
unfortunately :-(


Segher

Re: [v2 PATCH] crypto: powerpc/poly1305 - Add poly1305_emit_arch wrapper

[Eric Biggers]

On Sat, May 10, 2025 at 05:34:01PM -0500, Segher Boessenkool wrote:
> Hi!
> 
> On Fri, May 09, 2025 at 10:33:08PM -0700, Eric Biggers wrote:
> > On Sat, May 10, 2025 at 01:10:22PM +0800, Herbert Xu wrote:
> > > On Fri, May 09, 2025 at 09:44:50PM -0700, Eric Biggers wrote:
> > > >
> > > > This fixes "-cpu Power10", but older CPUs (e.g. "-cpu POWER9") are still
> > > > failing.
> > > 
> > > You're right.  I'll revert this and apply the following patch
> > > instead.
> > > 
> > > BTW this thing is still hopelessly broken if it's called from
> > > softirq context because there is no SIMD fallback.  Yes I removed
> > > the SIMD check but it was already broken before that as it simply
> > > switched from the 4-block version to the 1-block version if SIMD
> > > is not available rather than actually doing something that is
> > > safe in softirq context.
> > > 
> > > Perhaps we should just remove this altogether until it's fixed.
> > 
> > Yes, the PowerPC Poly1305 code incorrectly uses VSX without first checking
> > crypto_simd_usable().  And PowerPC also doesn't support VSX in softirqs, or at
> > least it doesn't claim to (it doesn't override may_use_simd(), so it gets the
> > default from include/asm-generic/simd.h which returns false in softirq context).
> > Maybe add 'depends on BROKEN' to CRYPTO_POLY1305_P10 for now, and give the
> > PowerPC folks (Cc'ed) a chance to fix this before removing the code.
> 
> What doe "may_use_simd" even *mean*?  At its declaration site it says
> "whether it is allowable at this time to issue SIMD instructions or
> access the SIMD register file", but that is 100% meaningless, you can do
> SIMD in GPRs.
> 
> On PowerPC we have two separate register files dedicated to SIMD-like
> stuff, the VMX and the VSX register files.  Which of those is this
> function supposed to care about?
> 
> It looks like the whole "may_use_simd" thing is a misguided abstraction
> unfortunately :-(

may_use_simd() a.k.a crypto_simd_usable() is supposed to check whether vector /
SIMD registers can be used in the current context, provided that the appropriate
architecture-specific functions like kernel_fpu_begin() and kernel_fpu_end() are
used.  In the case of architectures that support the use of multiple sets of
vector / SIMD registers in kernel mode, it would have to check for the
intersection of the calling context requirements for all of them, since it
doesn't specify a particular set.

The reason that may_use_simd() a.k.a. crypto_simd_usable() got pulled out into
an abstraction shared across all architectures is that it's used by
non-architecture-specific code, such as crypto/simd.c, and also the crypto
self-tests which inject 'false' return values to test the no-SIMD code paths.

I think the users other than the self-tests are on the way out, though.  Most of
the users of crypto/simd.c just got removed, with CRYPTO_AES_GCM_P10 being the
last one.  A new non-architecture-specific user of crypto_simd_usable() just got
added in include/crypto/internal/sha2.h for some reason (despite me nacking the
patch), but that should be reverted.

So if it's really the case that VMX and VSX are both supported for kernel-mode
use but have different requirements on the calling context, you could make the
PowerPC crypto code use more precise checks like may_use_vsx().  Just the crypto
self-tests won't be able to test the no-SIMD code paths that way, unfortunately.

- Eric

Re: [v2 PATCH] crypto: powerpc/poly1305 - Add poly1305_emit_arch wrapper

[Herbert Xu]

On Sat, May 10, 2025 at 05:34:01PM -0500, Segher Boessenkool wrote:
>
> What doe "may_use_simd" even *mean*?  At its declaration site it says
> "whether it is allowable at this time to issue SIMD instructions or
> access the SIMD register file", but that is 100% meaningless, you can do
> SIMD in GPRs.
> 
> On PowerPC we have two separate register files dedicated to SIMD-like
> stuff, the VMX and the VSX register files.  Which of those is this
> function supposed to care about?
> 
> It looks like the whole "may_use_simd" thing is a misguided abstraction
> unfortunately :-(

While we may debate the name of this function, the question is
simply whether you need to save state or not when you get an
interrupt.

If you don't need to save state, then may_use_simd doesn't apply
to you.  If you need to manually save state when you get an IRQ,
then you must obey the rules.

So even if VMX and VSX registers are separate, you must assume
that in an IRQ either could be in use already and therefore you
must not use any of them without saving the state.

The ideal solution is to save the state (if necessary) in softirqs,
or simply disable softirqs when these instructions are in use.
Then the fallback path can be removed, for softirqs at least.

Cheers,
-- 
Email: Herbert Xu <herbert@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Re: [v2 PATCH] crypto: powerpc/poly1305 - Add poly1305_emit_arch wrapper

[Venkat Rao Bagalkote]

On 10/05/25 10:40 am, Herbert Xu wrote:
> On Fri, May 09, 2025 at 09:44:50PM -0700, Eric Biggers wrote:
>> This fixes "-cpu Power10", but older CPUs (e.g. "-cpu POWER9") are still
>> failing.
> You're right.  I'll revert this and apply the following patch
> instead.
>
> BTW this thing is still hopelessly broken if it's called from
> softirq context because there is no SIMD fallback.  Yes I removed
> the SIMD check but it was already broken before that as it simply
> switched from the 4-block version to the 1-block version if SIMD
> is not available rather than actually doing something that is
> safe in softirq context.
>
> Perhaps we should just remove this altogether until it's fixed.
>
> ---8<---
> Add poly1305_emit_arch with fallback instead of calling assembly
> directly.  This is because the state format differs between p10
> and that of the generic implementation.
>
> Reported-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>
> Reported-by: Eric Biggers <ebiggers@google.com>
> Fixes: 14d31979145d ("crypto: powerpc/poly1305 - Add block-only interface")
> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
>
> diff --git a/arch/powerpc/lib/crypto/poly1305-p10-glue.c b/arch/powerpc/lib/crypto/poly1305-p10-glue.c
> index 7cea0ebcc6bc..3f1664a724b6 100644
> --- a/arch/powerpc/lib/crypto/poly1305-p10-glue.c
> +++ b/arch/powerpc/lib/crypto/poly1305-p10-glue.c
> @@ -14,10 +14,7 @@
>   
>   asmlinkage void poly1305_p10le_4blocks(struct poly1305_block_state *state, const u8 *m, u32 mlen);
>   asmlinkage void poly1305_64s(struct poly1305_block_state *state, const u8 *m, u32 mlen, int highbit);
> -asmlinkage void poly1305_emit_arch(const struct poly1305_state *state,
> -				   u8 digest[POLY1305_DIGEST_SIZE],
> -				   const u32 nonce[4]);
> -EXPORT_SYMBOL_GPL(poly1305_emit_arch);
> +asmlinkage void poly1305_emit_64(const struct poly1305_state *state, const u32 nonce[4], u8 digest[POLY1305_DIGEST_SIZE]);
>   
>   static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_p10);
>   
> @@ -65,6 +62,16 @@ void poly1305_blocks_arch(struct poly1305_block_state *state, const u8 *src,
>   }
>   EXPORT_SYMBOL_GPL(poly1305_blocks_arch);
>   
> +void poly1305_emit_arch(const struct poly1305_state *state,
> +			u8 digest[POLY1305_DIGEST_SIZE],
> +			const u32 nonce[4])
> +{
> +	if (!static_key_enabled(&have_p10))
> +		return poly1305_emit_generic(state, digest, nonce);
> +	poly1305_emit_64(state, nonce, digest);
> +}
> +EXPORT_SYMBOL_GPL(poly1305_emit_arch);
> +
>   bool poly1305_is_arch_optimized(void)
>   {
>   	return static_key_enabled(&have_p10);
> diff --git a/arch/powerpc/lib/crypto/poly1305-p10le_64.S b/arch/powerpc/lib/crypto/poly1305-p10le_64.S
> index 2ba2911b8038..a3c1987f1ecd 100644
> --- a/arch/powerpc/lib/crypto/poly1305-p10le_64.S
> +++ b/arch/powerpc/lib/crypto/poly1305-p10le_64.S
> @@ -1030,7 +1030,7 @@ SYM_FUNC_END(poly1305_64s)
>   # Input: r3 = h, r4 = s, r5 = mac
>   # mac = h + s
>   #
> -SYM_FUNC_START(poly1305_emit_arch)
> +SYM_FUNC_START(poly1305_emit_64)
>   	ld	10, 0(3)
>   	ld	11, 8(3)
>   	ld	12, 16(3)
> @@ -1060,7 +1060,7 @@ Skip_h64:
>   	std	10, 0(5)
>   	std	11, 8(5)
>   	blr
> -SYM_FUNC_END(poly1305_emit_arch)
> +SYM_FUNC_END(poly1305_emit_64)
>   
>   SYM_DATA_START_LOCAL(RMASK)
>   .align 5


Tested this patch, by applying on top of next-20250508 on IBM Power9 
system and it fixes the reported boot warnings. Hence,


Tested-by: Venkat Rao Bagalkote <venkat88@linux.ibm.com>



Regards,

Venkat.