From: Harald Freudenberger <freude@linux.ibm.com>
To: richard.henderson@linaro.org, iii@linux.ibm.com,
david@kernel.org, thuth@redhat.com, berrange@redhat.com
Cc: qemu-s390x@nongnu.org, qemu-devel@nongnu.org,
linux390-list@tuxmaker.boeblingen.de.ibm.com,
linux-s390@vger.kernel.org, dengler@linux.ibm.com,
borntraeger@linux.ibm.com, fcallies@linux.ibm.com,
cohuck@redhat.com
Subject: [PATCH v7 03/17] target/s390x: Support cpacf sha256
Date: Wed, 17 Jun 2026 11:48:06 +0200 [thread overview]
Message-ID: <20260617094820.34402-4-freude@linux.ibm.com> (raw)
In-Reply-To: <20260617094820.34402-1-freude@linux.ibm.com>
Add a new file cpacf_sha256.c which implements sha256.
Add support for the sha256 subfuction for CPACF kimd and klmd.
Signed-off-by: Harald Freudenberger <freude@linux.ibm.com>
Tested-by: Holger Dengler <dengler@linux.ibm.com>
---
target/s390x/gen-features.c | 2 +
target/s390x/tcg/cpacf.h | 5 +
target/s390x/tcg/cpacf_sha256.c | 232 +++++++++++++++++++++++++++++++
target/s390x/tcg/crypto_helper.c | 8 ++
target/s390x/tcg/meson.build | 1 +
5 files changed, 248 insertions(+)
create mode 100644 target/s390x/tcg/cpacf_sha256.c
diff --git a/target/s390x/gen-features.c b/target/s390x/gen-features.c
index 8218e6470e..5cf5b92c37 100644
--- a/target/s390x/gen-features.c
+++ b/target/s390x/gen-features.c
@@ -916,7 +916,9 @@ static uint16_t qemu_V7_1[] = {
*/
static uint16_t qemu_MAX[] = {
S390_FEAT_MSA_EXT_5,
+ S390_FEAT_KIMD_SHA_256,
S390_FEAT_KIMD_SHA_512,
+ S390_FEAT_KLMD_SHA_256,
S390_FEAT_KLMD_SHA_512,
S390_FEAT_PRNO_TRNG,
};
diff --git a/target/s390x/tcg/cpacf.h b/target/s390x/tcg/cpacf.h
index d27839ddd9..e2c36306b2 100644
--- a/target/s390x/tcg/cpacf.h
+++ b/target/s390x/tcg/cpacf.h
@@ -8,6 +8,11 @@
#ifndef S390X_CPACF_H
#define S390X_CPACF_H
+/* from crypto_sha256.c */
+int cpacf_sha256(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint64_t *message_reg, uint64_t *len_reg,
+ uint32_t type);
+
/* from crypto_sha512.c */
int cpacf_sha512(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
uint64_t param_addr, uint64_t *message_reg, uint64_t *len_reg,
diff --git a/target/s390x/tcg/cpacf_sha256.c b/target/s390x/tcg/cpacf_sha256.c
new file mode 100644
index 0000000000..baffa2f44b
--- /dev/null
+++ b/target/s390x/tcg/cpacf_sha256.c
@@ -0,0 +1,232 @@
+/*
+ * s390 cpacf sha256
+ *
+ * Authors:
+ * Harald Freudenberger <freude@linux.ibm.com>
+ *
+ * The sha256 implementation here is more or less a copy-and-paste
+ * from Jason A. Donenfeld's implementation of sha 512 with adaptions
+ * for sha 256.
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or later.
+ * See the COPYING file in the top-level directory.
+ */
+
+#include "qemu/osdep.h"
+#include "s390x-internal.h"
+#include "tcg_s390x.h"
+#include "exec/helper-proto.h"
+#include "accel/tcg/cpu-ldst-common.h"
+#include "accel/tcg/cpu-mmu-index.h"
+#include "cpacf.h"
+
+static uint32_t R(uint32_t x, int c)
+{
+ return (x >> c) | (x << (32 - c));
+}
+static uint32_t Ch(uint32_t x, uint32_t y, uint32_t z)
+{
+ return (x & y) ^ (~x & z);
+}
+static uint32_t Maj(uint32_t x, uint32_t y, uint32_t z)
+{
+ return (x & y) ^ (x & z) ^ (y & z);
+}
+static uint32_t Sigma0(uint32_t x)
+{
+ return R(x, 2) ^ R(x, 13) ^ R(x, 22);
+}
+static uint32_t Sigma1(uint32_t x)
+{
+ return R(x, 6) ^ R(x, 11) ^ R(x, 25);
+}
+static uint32_t sigma0(uint32_t x)
+{
+ return R(x, 7) ^ R(x, 18) ^ (x >> 3);
+}
+static uint32_t sigma1(uint32_t x)
+{
+ return R(x, 17) ^ R(x, 19) ^ (x >> 10);
+}
+
+static const uint32_t K[64] = {
+ 0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1,
+ 0x923f82a4, 0xab1c5ed5, 0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3,
+ 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174, 0xe49b69c1, 0xefbe4786,
+ 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
+ 0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147,
+ 0x06ca6351, 0x14292967, 0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13,
+ 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85, 0xa2bfe8a1, 0xa81a664b,
+ 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
+ 0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a,
+ 0x5b9cca4f, 0x682e6ff3, 0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208,
+ 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
+};
+
+/* a is icv/ocv, w is a single message block. w will get reused internally. */
+static void sha256_bda(uint32_t a[8], uint32_t w[16])
+{
+ uint32_t t, z[8], b[8];
+ int i, j;
+
+ memcpy(z, a, sizeof(z));
+ for (i = 0; i < 64; i++) {
+ memcpy(b, a, sizeof(b));
+
+ t = a[7] + Sigma1(a[4]) + Ch(a[4], a[5], a[6]) + K[i] + w[i % 16];
+ b[7] = t + Sigma0(a[0]) + Maj(a[0], a[1], a[2]);
+ b[3] += t;
+ for (j = 0; j < 8; ++j) {
+ a[(j + 1) % 8] = b[j];
+ }
+ if (i % 16 == 15) {
+ for (j = 0; j < 16; ++j) {
+ w[j] += w[(j + 9) % 16] + sigma0(w[(j + 1) % 16]) +
+ sigma1(w[(j + 14) % 16]);
+ }
+ }
+ }
+
+ for (i = 0; i < 8; i++) {
+ a[i] += z[i];
+ }
+}
+
+/* a is icv/ocv, w is a single message block that needs be32 conversion. */
+static void sha256_bda_be32(uint32_t a[8], uint32_t w[16])
+{
+ uint32_t t[16];
+ int i;
+
+ for (i = 0; i < 16; i++) {
+ t[i] = be32_to_cpu(w[i]);
+ }
+ sha256_bda(a, t);
+}
+
+static void sha256_read_icv(CPUS390XState *env, const int mmu_idx,
+ uint64_t addr, uint32_t a[8], uintptr_t ra)
+{
+ const MemOpIdx oi = make_memop_idx(MO_BE | MO_32 | MO_UNALN, mmu_idx);
+
+ for (int i = 0; i < 8; i++, addr += 4) {
+ addr = wrap_address(env, addr);
+ a[i] = cpu_ldl_mmu(env, addr, oi, ra);
+ }
+}
+
+static void sha256_write_ocv(CPUS390XState *env, const int mmu_idx,
+ uint64_t addr, uint32_t a[8], uintptr_t ra)
+{
+ const MemOpIdx oi = make_memop_idx(MO_BE | MO_32 | MO_UNALN, mmu_idx);
+
+ for (int i = 0; i < 8; i++, addr += 4) {
+ addr = wrap_address(env, addr);
+ cpu_stl_mmu(env, addr, a[i], oi, ra);
+ }
+}
+
+static void sha256_read_block(CPUS390XState *env, const int mmu_idx,
+ uint64_t addr, uint32_t a[16], uintptr_t ra)
+{
+ const MemOpIdx oi = make_memop_idx(MO_BE | MO_32 | MO_UNALN, mmu_idx);
+
+ for (int i = 0; i < 16; i++, addr += 4) {
+ addr = wrap_address(env, addr);
+ a[i] = cpu_ldl_mmu(env, addr, oi, ra);
+ }
+}
+
+static void sha256_read_mbl_be32(CPUS390XState *env, const int mmu_idx,
+ uint64_t addr, uint8_t a[8], uintptr_t ra)
+{
+ const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
+
+ for (int i = 0; i < 8; i++, addr += 1) {
+ addr = wrap_address(env, addr);
+ a[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+}
+
+int cpacf_sha256(CPUS390XState *env, const int mmu_idx, uintptr_t ra,
+ uint64_t param_addr, uint64_t *message_reg, uint64_t *len_reg,
+ uint32_t type)
+{
+ enum { MAX_BLOCKS_PER_RUN = 128 }; /* 128 * 64 = 8K */
+ uint64_t len = *len_reg, processed = 0;
+ int i, message_reg_len = 64;
+ uint32_t a[8];
+
+ g_assert(type == S390_FEAT_TYPE_KIMD || type == S390_FEAT_TYPE_KLMD);
+
+ if (!(env->psw.mask & PSW_MASK_64)) {
+ len = (uint32_t)len;
+ message_reg_len = (env->psw.mask & PSW_MASK_32) ? 32 : 24;
+ }
+
+ /* KIMD: length has to be properly aligned. */
+ if (type == S390_FEAT_TYPE_KIMD && !QEMU_IS_ALIGNED(len, 64)) {
+ tcg_s390_program_interrupt(env, PGM_SPECIFICATION, ra);
+ }
+
+ sha256_read_icv(env, mmu_idx, param_addr, a, ra);
+
+ /* Process full blocks first. */
+ for (; len >= 64; len -= 64, processed += 64) {
+ uint32_t w[16];
+
+ if (processed >= MAX_BLOCKS_PER_RUN * 64) {
+ break;
+ }
+
+ sha256_read_block(env, mmu_idx, *message_reg + processed, w, ra);
+ sha256_bda(a, w);
+ }
+
+ /* KLMD: Process partial/empty block last. */
+ if (type == S390_FEAT_TYPE_KLMD && len < 64) {
+ const MemOpIdx oi = make_memop_idx(MO_8, mmu_idx);
+ uint8_t x[64];
+
+ /* Read the remainder of the message byte-per-byte. */
+ for (i = 0; i < len; i++) {
+ uint64_t addr = wrap_address(env, *message_reg + processed + i);
+
+ x[i] = cpu_ldb_mmu(env, addr, oi, ra);
+ }
+ /* Pad the remainder with zero and set the top bit. */
+ memset(x + len, 0, 64 - len);
+ x[len] = 0x80;
+
+ /*
+ * Place the MBL either into this block (if there is space left),
+ * or use an additional one.
+ */
+ if (len < 56) {
+ sha256_read_mbl_be32(env, mmu_idx, param_addr + 32, x + 56, ra);
+ }
+ sha256_bda_be32(a, (uint32_t *)x);
+
+ if (len >= 56) {
+ memset(x, 0, 56);
+ sha256_read_mbl_be32(env, mmu_idx, param_addr + 32, x + 56, ra);
+ sha256_bda_be32(a, (uint32_t *)x);
+ }
+
+ processed += len;
+ len = 0;
+ }
+
+ /*
+ * Modify memory after we read all inputs and modify registers only after
+ * writing memory succeeded.
+ *
+ * TODO: if writing fails halfway through (e.g., when crossing page
+ * boundaries), we're in trouble. We'd need something like access_prepare().
+ */
+ sha256_write_ocv(env, mmu_idx, param_addr, a, ra);
+ *message_reg = deposit64(*message_reg, 0, message_reg_len,
+ *message_reg + processed);
+ *len_reg -= processed;
+ return !len ? 0 : 3;
+}
diff --git a/target/s390x/tcg/crypto_helper.c b/target/s390x/tcg/crypto_helper.c
index 574a39258c..a701dd8c6f 100644
--- a/target/s390x/tcg/crypto_helper.c
+++ b/target/s390x/tcg/crypto_helper.c
@@ -53,6 +53,10 @@ static int cpacf_kimd(CPUS390XState *env, const int mmu_idx, const uintptr_t ra,
int rc = 0;
switch (fc) {
+ case 0x02: /* CPACF_KIMD_SHA_256 */
+ rc = cpacf_sha256(env, mmu_idx, ra, env->regs[1], &env->regs[r2],
+ &env->regs[r2 + 1], S390_FEAT_TYPE_KIMD);
+ break;
case 0x03: /* CPACF_KIMD_SHA_512 */
rc = cpacf_sha512(env, mmu_idx, ra, env->regs[1], &env->regs[r2],
&env->regs[r2 + 1], S390_FEAT_TYPE_KIMD);
@@ -70,6 +74,10 @@ static int cpacf_klmd(CPUS390XState *env, const int mmu_idx, const uintptr_t ra,
int rc = 0;
switch (fc) {
+ case 0x02: /* CPACF_KLMD_SHA_256 */
+ rc = cpacf_sha256(env, mmu_idx, ra, env->regs[1], &env->regs[r2],
+ &env->regs[r2 + 1], S390_FEAT_TYPE_KLMD);
+ break;
case 0x03: /* CPACF_KLMD_SHA_512 */
rc = cpacf_sha512(env, mmu_idx, ra, env->regs[1], &env->regs[r2],
&env->regs[r2 + 1], S390_FEAT_TYPE_KLMD);
diff --git a/target/s390x/tcg/meson.build b/target/s390x/tcg/meson.build
index 54a87393a3..8ae8da9708 100644
--- a/target/s390x/tcg/meson.build
+++ b/target/s390x/tcg/meson.build
@@ -5,6 +5,7 @@ s390x_ss.add(when: 'CONFIG_TCG', if_true: files(
))
s390x_common_ss.add(when: 'CONFIG_TCG', if_true: files(
'cc_helper.c',
+ 'cpacf_sha256.c',
'cpacf_sha512.c',
'crypto_helper.c',
'excp_helper.c',
--
2.43.0
next prev parent reply other threads:[~2026-06-17 9:48 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-17 9:48 [PATCH v7 00/17] target/s390x: Extend qemu CPACF support Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 01/17] target/s390x: Rework s390 cpacf implementations Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 02/17] target/s390x: Move cpacf sha512 code into a new file Harald Freudenberger
2026-06-17 9:48 ` Harald Freudenberger [this message]
2026-06-17 9:48 ` [PATCH v7 04/17] target/s390x: Support AES ECB for cpacf km instruction Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 05/17] target/s390x: Support AES CBC for cpacf kmc instruction Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 06/17] target/s390x: Support AES CTR for cpacf kmctr instruction Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 07/17] target/s390x: Minimal AES XTS support for cpacf pcc instruction Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 08/17] target/s390x: Support AES XTS for cpacf km instruction Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 09/17] target/s390x: Support pckmo encrypt AES subfunctions Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 10/17] target/s390x: Support protected key AES ECB for cpacf km instruction Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 11/17] target/s390x: Support protected key AES CBC for cpacf kmc instruction Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 12/17] target/s390x: Support protected key AES CTR for cpacf kmctr instruction Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 13/17] target/s390x: Minimal protected key AES XTS support for cpacf pcc instruction Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 14/17] target/s390x: Support protected key AES XTS for cpacf km instruction Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 15/17] docs/s390: Document CPACF instructions support Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 16/17] crypto: Add aes-helpers file to support some AES modes Harald Freudenberger
2026-06-17 9:48 ` [PATCH v7 17/17] target/s390x: Use generic AES helper functions Harald Freudenberger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260617094820.34402-4-freude@linux.ibm.com \
--to=freude@linux.ibm.com \
--cc=berrange@redhat.com \
--cc=borntraeger@linux.ibm.com \
--cc=cohuck@redhat.com \
--cc=david@kernel.org \
--cc=dengler@linux.ibm.com \
--cc=fcallies@linux.ibm.com \
--cc=iii@linux.ibm.com \
--cc=linux-s390@vger.kernel.org \
--cc=linux390-list@tuxmaker.boeblingen.de.ibm.com \
--cc=qemu-devel@nongnu.org \
--cc=qemu-s390x@nongnu.org \
--cc=richard.henderson@linaro.org \
--cc=thuth@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox