From alex at linutronix.de Fri Dec 3 11:59:46 2021 From: alex at linutronix.de (Alexander Kanavin) Date: Fri, 3 Dec 2021 11:59:46 +0100 Subject: [PATCH] cipher/Makefile.am, doc/Makefile.am: add a missing space Message-ID: <20211203105946.1102107-1-alex@linutronix.de> From: Alexander Kanavin Signed-off-by: Alexander Kanavin --- cipher/Makefile.am | 2 +- doc/Makefile.am | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/cipher/Makefile.am b/cipher/Makefile.am index 51306d0a..6c5d48b9 100644 --- a/cipher/Makefile.am +++ b/cipher/Makefile.am @@ -148,7 +148,7 @@ gost-sb.h: gost-s-box gost-s-box: gost-s-box.c $(CC_FOR_BUILD) $(CFLAGS_FOR_BUILD) $(LDFLAGS_FOR_BUILD) \ - $(CPPFLAGS_FOR_BUILD)-o $@ $(srcdir)/gost-s-box.c + $(CPPFLAGS_FOR_BUILD) -o $@ $(srcdir)/gost-s-box.c if ENABLE_O_FLAG_MUNGING diff --git a/doc/Makefile.am b/doc/Makefile.am index 91c0ed7b..706afdc9 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -41,7 +41,7 @@ man_MANS = $(myman_pages) yat2m: yat2m.c $(CC_FOR_BUILD) $(CFLAGS_FOR_BUILD) $(LDFLAGS_FOR_BUILD) \ - $(CPPFLAGS_FOR_BUILD)-o $@ $(srcdir)/yat2m.c + $(CPPFLAGS_FOR_BUILD) -o $@ $(srcdir)/yat2m.c .fig.png: fig2dev -L png `test -f '$<' || echo '$(srcdir)/'`$< $@ -- 2.20.1 From gniibe at fsij.org Tue Dec 7 08:08:50 2021 From: gniibe at fsij.org (NIIBE Yutaka) Date: Tue, 07 Dec 2021 16:08:50 +0900 Subject: [PATCH] cipher/Makefile.am, doc/Makefile.am: add a missing space In-Reply-To: <20211203105946.1102107-1-alex@linutronix.de> References: <20211203105946.1102107-1-alex@linutronix.de> Message-ID: <87pmq8dh8d.fsf@akagi.fsij.org> Alexander Kanavin wrote: > From: Alexander Kanavin > > Signed-off-by: Alexander Kanavin > --- > cipher/Makefile.am | 2 +- > doc/Makefile.am | 2 +- > 2 files changed, 2 insertions(+), 2 deletions(-) Thank you, applied. -- From jussi.kivilinna at iki.fi Sun Dec 12 15:49:55 2021 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Sun, 12 Dec 2021 16:49:55 +0200 Subject: [PATCH] Add SM3 x86-64 AVX/BMI2 assembly implementation Message-ID: <20211212144955.3681432-1-jussi.kivilinna@iki.fi> * cipher/Makefile.am: Add 'sm3-avx-bmi2-amd64.S'. * cipher/sm3-avx-bmi2-amd64.S: New. * cipher/sm3.c (USE_AVX_BMI2, ASM_FUNC_ABI, ASM_EXTRA_STACK): New. (SM3_CONTEXT): Define 'h' as array instead of separate fields 'h1', 'h2', etc. [USE_AVX_BMI2] (_gcry_sm3_transform_amd64_avx_bmi2) (do_sm3_transform_amd64_avx_bmi2): New. (sm3_init): Select AVX/BMI2 transform function if support by HW; Update to use 'hd->h' as array. (transform_blk, sm3_final): Update to use 'hd->h' as array. * configure.ac: Add 'sm3-avx-bmi2-amd64.lo'. -- Benchmark on AMD Zen3: Before: | nanosecs/byte mebibytes/sec cycles/byte auto Mhz SM3 | 2.18 ns/B 436.6 MiB/s 10.59 c/B 4850 After (~43% faster): | nanosecs/byte mebibytes/sec cycles/byte auto Mhz SM3 | 1.52 ns/B 627.4 MiB/s 7.37 c/B 4850 Benchmark on Intel Skylake: Before: | nanosecs/byte mebibytes/sec cycles/byte auto Mhz SM3 | 4.35 ns/B 219.2 MiB/s 13.48 c/B 3098 After (~34% faster): | nanosecs/byte mebibytes/sec cycles/byte auto Mhz SM3 | 3.24 ns/B 294.4 MiB/s 10.04 c/B 3098 Benchmark on AMD Zen2: Before: | nanosecs/byte mebibytes/sec cycles/byte auto Mhz SM3 | 2.73 ns/B 348.9 MiB/s 11.86 c/B 4339 After (~38% faster): | nanosecs/byte mebibytes/sec cycles/byte auto Mhz SM3 | 1.97 ns/B 483.0 MiB/s 8.52 c/B 4318 Signed-off-by: Jussi Kivilinna --- cipher/Makefile.am | 2 +- cipher/sm3-avx-bmi2-amd64.S | 560 ++++++++++++++++++++++++++++++++++++ cipher/sm3.c | 99 +++++-- configure.ac | 19 +- 4 files changed, 647 insertions(+), 33 deletions(-) create mode 100644 cipher/sm3-avx-bmi2-amd64.S diff --git a/cipher/Makefile.am b/cipher/Makefile.am index 6c5d48b9..73457a91 100644 --- a/cipher/Makefile.am +++ b/cipher/Makefile.am @@ -128,7 +128,7 @@ EXTRA_libcipher_la_SOURCES = \ sha512-avx2-bmi2-amd64.S \ sha512-armv7-neon.S sha512-arm.S \ sha512-ppc.c sha512-ssse3-i386.c \ - sm3.c \ + sm3.c sm3-avx-bmi2-amd64.S \ keccak.c keccak_permute_32.h keccak_permute_64.h keccak-armv7-neon.S \ stribog.c \ tiger.c \ diff --git a/cipher/sm3-avx-bmi2-amd64.S b/cipher/sm3-avx-bmi2-amd64.S new file mode 100644 index 00000000..5be83ca4 --- /dev/null +++ b/cipher/sm3-avx-bmi2-amd64.S @@ -0,0 +1,560 @@ +/* sm3-avx-bmi2-amd64.S - Intel AVX/BMI2 accelerated SM3 transform function + * Copyright (C) 2021 Jussi Kivilinna + * + * This file is part of Libgcrypt. + * + * Libgcrypt is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * Libgcrypt is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this program; if not, see . + */ + +#ifdef __x86_64__ +#include + +#if (defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) || \ + defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS)) && \ + defined(HAVE_GCC_INLINE_ASM_AVX) && defined(HAVE_GCC_INLINE_ASM_BMI2) && \ + defined(USE_SM3) + +#include "asm-common-amd64.h" + + +/* Context structure */ + +#define state_h0 0 +#define state_h1 4 +#define state_h2 8 +#define state_h3 12 +#define state_h4 16 +#define state_h5 20 +#define state_h6 24 +#define state_h7 28 + +/* Constants */ + +.text +.align 16 +ELF(.type _gcry_sm3_avx2_consts, at object) +_gcry_sm3_avx2_consts: +.Lbe32mask: + .long 0x00010203, 0x04050607, 0x08090a0b, 0x0c0d0e0f +ELF(.size _gcry_sm3_avx2_consts,.-_gcry_sm3_avx2_consts) + +/* Round constant macros */ + +#define K0 0x79cc4519 +#define K1 0xf3988a32 +#define K2 0xe7311465 +#define K3 0xce6228cb +#define K4 0x9cc45197 +#define K5 0x3988a32f +#define K6 0x7311465e +#define K7 0xe6228cbc +#define K8 0xcc451979 +#define K9 0x988a32f3 +#define K10 0x311465e7 +#define K11 0x6228cbce +#define K12 0xc451979c +#define K13 0x88a32f39 +#define K14 0x11465e73 +#define K15 0x228cbce6 +#define K16 0x9d8a7a87 +#define K17 0x3b14f50f +#define K18 0x7629ea1e +#define K19 0xec53d43c +#define K20 0xd8a7a879 +#define K21 0xb14f50f3 +#define K22 0x629ea1e7 +#define K23 0xc53d43ce +#define K24 0x8a7a879d +#define K25 0x14f50f3b +#define K26 0x29ea1e76 +#define K27 0x53d43cec +#define K28 0xa7a879d8 +#define K29 0x4f50f3b1 +#define K30 0x9ea1e762 +#define K31 0x3d43cec5 +#define K32 0x7a879d8a +#define K33 0xf50f3b14 +#define K34 0xea1e7629 +#define K35 0xd43cec53 +#define K36 0xa879d8a7 +#define K37 0x50f3b14f +#define K38 0xa1e7629e +#define K39 0x43cec53d +#define K40 0x879d8a7a +#define K41 0x0f3b14f5 +#define K42 0x1e7629ea +#define K43 0x3cec53d4 +#define K44 0x79d8a7a8 +#define K45 0xf3b14f50 +#define K46 0xe7629ea1 +#define K47 0xcec53d43 +#define K48 0x9d8a7a87 +#define K49 0x3b14f50f +#define K50 0x7629ea1e +#define K51 0xec53d43c +#define K52 0xd8a7a879 +#define K53 0xb14f50f3 +#define K54 0x629ea1e7 +#define K55 0xc53d43ce +#define K56 0x8a7a879d +#define K57 0x14f50f3b +#define K58 0x29ea1e76 +#define K59 0x53d43cec +#define K60 0xa7a879d8 +#define K61 0x4f50f3b1 +#define K62 0x9ea1e762 +#define K63 0x3d43cec5 + +/* Register macros */ + +#define RSTATE %rdi +#define RDATA %rsi +#define RNBLKS %rdx + +#define t0 %eax +#define t1 %ebx +#define t2 %ecx + +#define a %r8d +#define b %r9d +#define c %r10d +#define d %r11d +#define e %r12d +#define f %r13d +#define g %r14d +#define h %r15d + +#define W0 %xmm0 +#define W1 %xmm1 +#define W2 %xmm2 +#define W3 %xmm3 +#define W4 %xmm4 +#define W5 %xmm5 + +#define XTMP0 %xmm6 +#define XTMP1 %xmm7 +#define XTMP2 %xmm8 +#define XTMP3 %xmm9 +#define XTMP4 %xmm10 +#define XTMP5 %xmm11 +#define XTMP6 %xmm12 +#define XTMP7 %xmm13 +#define XTMP8 %xmm14 + +#define BSWAP_REG %xmm15 + +/* Stack structure */ + +#define STACK_W_SIZE (32 * 2 * 3) +#define STACK_REG_SAVE_SIZE (64) + +#define STACK_W (0) +#define STACK_REG_SAVE (STACK_W + STACK_W_SIZE) +#define STACK_SIZE (STACK_REG_SAVE + STACK_REG_SAVE_SIZE) + +/* Instruction helpers. */ + +#define roll2(v, reg) \ + roll $(v), reg; + +#define roll3mov(v, src, dst) \ + movl src, dst; \ + roll $(v), dst; + +#define roll3(v, src, dst) \ + rorxl $(32-(v)), src, dst; + +#define addl2(a, out) \ + leal (a, out), out; + +#define addl3(a, b, out) \ + leal (b, a), out; + +/* Round function macros. */ + +#define GG1(x, y, z, o, t) \ + movl x, o; \ + xorl y, o; \ + xorl z, o; + +#define FF1(x, y, z, o, t) GG1(x, y, z, o, t) + +#define GG2(x, y, z, o, t) \ + andnl z, x, o; \ + movl y, t; \ + andl x, t; \ + addl2(t, o); + +#define FF2(x, y, z, o, t) \ + movl y, o; \ + xorl x, o; \ + movl y, t; \ + andl x, t; \ + andl z, o; \ + xorl t, o; + +#define R(i, a, b, c, d, e, f, g, h, round, widx, wtype) \ + /* rol(a, 12) => t0 */ \ + roll3mov(12, a, t0); /* rorxl here would reduce perf by 6% on zen3 */ \ + /* rol (t0 + e + t), 7) => t1 */ \ + leal K##round(t0, e, 1), t1; \ + roll2(7, t1); \ + /* h + w1 => h */ \ + addl wtype##_W1_ADDR(round, widx), h; \ + /* h + t1 => h */ \ + addl2(t1, h); \ + /* t1 ^ t0 => t0 */ \ + xorl t1, t0; \ + /* w1w2 + d => d */ \ + addl wtype##_W1W2_ADDR(round, widx), d; \ + /* FF##i(a,b,c) => t1 */ \ + FF##i(a, b, c, t1, t2); \ + /* d + t1 => d */ \ + addl2(t1, d); \ + /* GG#i(e,f,g) => t2 */ \ + GG##i(e, f, g, t2, t1); \ + /* h + t2 => h */ \ + addl2(t2, h); \ + /* rol (f, 19) => f */ \ + roll2(19, f); \ + /* d + t0 => d */ \ + addl2(t0, d); \ + /* rol (b, 9) => b */ \ + roll2(9, b); \ + /* P0(h) => h */ \ + roll3(9, h, t2); \ + roll3(17, h, t1); \ + xorl t2, h; \ + xorl t1, h; + +#define R1(a, b, c, d, e, f, g, h, round, widx, wtype) \ + R(1, a, b, c, d, e, f, g, h, round, widx, wtype) + +#define R2(a, b, c, d, e, f, g, h, round, widx, wtype) \ + R(2, a, b, c, d, e, f, g, h, round, widx, wtype) + +/* Input expansion macros. */ + +/* Byte-swapped input address. */ +#define IW_W_ADDR(round, widx, offs) \ + (STACK_W + ((round) / 4) * 64 + (offs) + ((widx) * 4))(%rsp) + +/* Expanded input address. */ +#define XW_W_ADDR(round, widx, offs) \ + (STACK_W + ((((round) / 3) - 4) % 2) * 64 + (offs) + ((widx) * 4))(%rsp) + +/* Rounds 1-12, byte-swapped input block addresses. */ +#define IW_W1_ADDR(round, widx) IW_W_ADDR(round, widx, 0) +#define IW_W1W2_ADDR(round, widx) IW_W_ADDR(round, widx, 32) + +/* Rounds 1-12, expanded input block addresses. */ +#define XW_W1_ADDR(round, widx) XW_W_ADDR(round, widx, 0) +#define XW_W1W2_ADDR(round, widx) XW_W_ADDR(round, widx, 32) + +/* Input block loading. */ +#define LOAD_W_XMM_1() \ + vmovdqu 0*16(RDATA), XTMP0; \ + vmovdqu 1*16(RDATA), XTMP1; \ + vmovdqu 2*16(RDATA), XTMP2; \ + vmovdqu 3*16(RDATA), XTMP3; \ + vpshufb BSWAP_REG, XTMP0, XTMP0; \ + vpshufb BSWAP_REG, XTMP1, XTMP1; \ + vpshufb BSWAP_REG, XTMP2, XTMP2; \ + vpshufb BSWAP_REG, XTMP3, XTMP3; \ + vpxor XTMP0, XTMP1, XTMP4; \ + vpxor XTMP1, XTMP2, XTMP5; \ + vpxor XTMP2, XTMP3, XTMP6; \ + leaq 64(RDATA), RDATA; \ + vmovdqa XTMP0, IW_W1_ADDR(0, 0); \ + vmovdqa XTMP4, IW_W1W2_ADDR(0, 0); \ + vmovdqa XTMP1, IW_W1_ADDR(4, 0); \ + vmovdqa XTMP5, IW_W1W2_ADDR(4, 0); + +#define LOAD_W_XMM_2() \ + vmovdqa XTMP2, IW_W1_ADDR(8, 0); \ + vmovdqa XTMP6, IW_W1W2_ADDR(8, 0); + +#define LOAD_W_XMM_3() \ + vpshufd $0b00000000, XTMP0, W0; \ + vpshufd $0b11111001, XTMP0, W1; \ + vmovdqa XTMP1, W2; \ + vpalignr $12, XTMP1, XTMP2, W3; \ + vpalignr $8, XTMP2, XTMP3, W4; \ + vpshufd $0b11111001, XTMP3, W5; + +/* Message scheduling. Note: 3 words per XMM register. */ +#define SCHED_W_0(round, w0, w1, w2, w3, w4, w5) \ + /* Load (w[i - 16]) => XTMP0 */ \ + vpshufd $0b10111111, w0, XTMP0; \ + vpalignr $12, XTMP0, w1, XTMP0; \ + /* Load (w[i - 13]) => XTMP1 */ \ + vpshufd $0b10111111, w1, XTMP1; \ + vpalignr $12, XTMP1, w2, XTMP1; \ + /* w[i - 9] == w3 */ \ + /* XMM3 ^ XTMP0 => XTMP0 */ \ + vpxor w3, XTMP0, XTMP0; + +#define SCHED_W_1(round, w0, w1, w2, w3, w4, w5) \ + /* w[i - 3] == w5 */ \ + /* rol(XMM5, 15) ^ XTMP0 => XTMP0 */ \ + vpslld $15, w5, XTMP2; \ + vpsrld $(32-15), w5, XTMP3; \ + vpxor XTMP2, XTMP3, XTMP3; \ + vpxor XTMP3, XTMP0, XTMP0; \ + /* rol(XTMP1, 7) => XTMP1 */ \ + vpslld $7, XTMP1, XTMP5; \ + vpsrld $(32-7), XTMP1, XTMP1; \ + vpxor XTMP5, XTMP1, XTMP1; \ + /* XMM4 ^ XTMP1 => XTMP1 */ \ + vpxor w4, XTMP1, XTMP1; \ + /* w[i - 6] == XMM4 */ \ + /* P1(XTMP0) ^ XTMP1 => XMM0 */ \ + vpslld $15, XTMP0, XTMP5; \ + vpsrld $(32-15), XTMP0, XTMP6; \ + vpslld $23, XTMP0, XTMP2; \ + vpsrld $(32-23), XTMP0, XTMP3; \ + vpxor XTMP0, XTMP1, XTMP1; \ + vpxor XTMP6, XTMP5, XTMP5; \ + vpxor XTMP3, XTMP2, XTMP2; \ + vpxor XTMP2, XTMP5, XTMP5; \ + vpxor XTMP5, XTMP1, w0; + +#define SCHED_W_2(round, w0, w1, w2, w3, w4, w5) \ + /* W1 in XMM12 */ \ + vpshufd $0b10111111, w4, XTMP4; \ + vpalignr $12, XTMP4, w5, XTMP4; \ + vmovdqa XTMP4, XW_W1_ADDR((round), 0); \ + /* W1 ^ W2 => XTMP1 */ \ + vpxor w0, XTMP4, XTMP1; \ + vmovdqa XTMP1, XW_W1W2_ADDR((round), 0); + +/* + * Transform nblks*64 bytes (nblks*16 32-bit words) at DATA. + * + * unsigned int + * _gcry_sm3_transform_amd64_avx_bmi2 (void *ctx, const unsigned char *data, + * size_t nblks) + */ +.globl _gcry_sm3_transform_amd64_avx_bmi2 +ELF(.type _gcry_sm3_transform_amd64_avx_bmi2, at function) +.align 16 +_gcry_sm3_transform_amd64_avx_bmi2: + /* input: + * %rdi: ctx, CTX + * %rsi: data (64*nblks bytes) + * %rdx: nblks + */ + CFI_STARTPROC(); + + vzeroupper; + + pushq %rbp; + CFI_PUSH(%rbp); + movq %rsp, %rbp; + CFI_DEF_CFA_REGISTER(%rbp); + + movq %rdx, RNBLKS; + + subq $STACK_SIZE, %rsp; + andq $(~63), %rsp; + + movq %rbx, (STACK_REG_SAVE + 0 * 8)(%rsp); + CFI_REL_OFFSET(%rbx, STACK_REG_SAVE + 0 * 8); + movq %r15, (STACK_REG_SAVE + 1 * 8)(%rsp); + CFI_REL_OFFSET(%r15, STACK_REG_SAVE + 1 * 8); + movq %r14, (STACK_REG_SAVE + 2 * 8)(%rsp); + CFI_REL_OFFSET(%r14, STACK_REG_SAVE + 2 * 8); + movq %r13, (STACK_REG_SAVE + 3 * 8)(%rsp); + CFI_REL_OFFSET(%r13, STACK_REG_SAVE + 3 * 8); + movq %r12, (STACK_REG_SAVE + 4 * 8)(%rsp); + CFI_REL_OFFSET(%r12, STACK_REG_SAVE + 4 * 8); + + vmovdqa .Lbe32mask rRIP, BSWAP_REG; + + /* Get the values of the chaining variables. */ + movl state_h0(RSTATE), a; + movl state_h1(RSTATE), b; + movl state_h2(RSTATE), c; + movl state_h3(RSTATE), d; + movl state_h4(RSTATE), e; + movl state_h5(RSTATE), f; + movl state_h6(RSTATE), g; + movl state_h7(RSTATE), h; + +.align 16 +.Loop: + /* Load data part1. */ + LOAD_W_XMM_1(); + + leaq -1(RNBLKS), RNBLKS; + + /* Transform 0-3 + Load data part2. */ + R1(a, b, c, d, e, f, g, h, 0, 0, IW); LOAD_W_XMM_2(); + R1(d, a, b, c, h, e, f, g, 1, 1, IW); + R1(c, d, a, b, g, h, e, f, 2, 2, IW); + R1(b, c, d, a, f, g, h, e, 3, 3, IW); LOAD_W_XMM_3(); + + /* Transform 4-7 + Load data[48-63]. */ + R1(a, b, c, d, e, f, g, h, 4, 0, IW); + R1(d, a, b, c, h, e, f, g, 5, 1, IW); + R1(c, d, a, b, g, h, e, f, 6, 2, IW); SCHED_W_0(12, W0, W1, W2, W3, W4, W5); + R1(b, c, d, a, f, g, h, e, 7, 3, IW); SCHED_W_1(12, W0, W1, W2, W3, W4, W5); + + /* Transform 8-11 + Precalc 12-14. */ + R1(a, b, c, d, e, f, g, h, 8, 0, IW); SCHED_W_2(12, W0, W1, W2, W3, W4, W5); + R1(d, a, b, c, h, e, f, g, 9, 1, IW); SCHED_W_0(15, W1, W2, W3, W4, W5, W0); + R1(c, d, a, b, g, h, e, f, 10, 2, IW); SCHED_W_1(15, W1, W2, W3, W4, W5, W0); + R1(b, c, d, a, f, g, h, e, 11, 3, IW); SCHED_W_2(15, W1, W2, W3, W4, W5, W0); + + /* Transform 12-14 + Precalc 15-17 */ + R1(a, b, c, d, e, f, g, h, 12, 0, XW); SCHED_W_0(18, W2, W3, W4, W5, W0, W1); + R1(d, a, b, c, h, e, f, g, 13, 1, XW); SCHED_W_1(18, W2, W3, W4, W5, W0, W1); + R1(c, d, a, b, g, h, e, f, 14, 2, XW); SCHED_W_2(18, W2, W3, W4, W5, W0, W1); + + /* Transform 15-17 + Precalc 18-20 */ + R1(b, c, d, a, f, g, h, e, 15, 0, XW); SCHED_W_0(21, W3, W4, W5, W0, W1, W2); + R2(a, b, c, d, e, f, g, h, 16, 1, XW); SCHED_W_1(21, W3, W4, W5, W0, W1, W2); + R2(d, a, b, c, h, e, f, g, 17, 2, XW); SCHED_W_2(21, W3, W4, W5, W0, W1, W2); + + /* Transform 18-20 + Precalc 21-23 */ + R2(c, d, a, b, g, h, e, f, 18, 0, XW); SCHED_W_0(24, W4, W5, W0, W1, W2, W3); + R2(b, c, d, a, f, g, h, e, 19, 1, XW); SCHED_W_1(24, W4, W5, W0, W1, W2, W3); + R2(a, b, c, d, e, f, g, h, 20, 2, XW); SCHED_W_2(24, W4, W5, W0, W1, W2, W3); + + /* Transform 21-23 + Precalc 24-26 */ + R2(d, a, b, c, h, e, f, g, 21, 0, XW); SCHED_W_0(27, W5, W0, W1, W2, W3, W4); + R2(c, d, a, b, g, h, e, f, 22, 1, XW); SCHED_W_1(27, W5, W0, W1, W2, W3, W4); + R2(b, c, d, a, f, g, h, e, 23, 2, XW); SCHED_W_2(27, W5, W0, W1, W2, W3, W4); + + /* Transform 24-26 + Precalc 27-29 */ + R2(a, b, c, d, e, f, g, h, 24, 0, XW); SCHED_W_0(30, W0, W1, W2, W3, W4, W5); + R2(d, a, b, c, h, e, f, g, 25, 1, XW); SCHED_W_1(30, W0, W1, W2, W3, W4, W5); + R2(c, d, a, b, g, h, e, f, 26, 2, XW); SCHED_W_2(30, W0, W1, W2, W3, W4, W5); + + /* Transform 27-29 + Precalc 30-32 */ + R2(b, c, d, a, f, g, h, e, 27, 0, XW); SCHED_W_0(33, W1, W2, W3, W4, W5, W0); + R2(a, b, c, d, e, f, g, h, 28, 1, XW); SCHED_W_1(33, W1, W2, W3, W4, W5, W0); + R2(d, a, b, c, h, e, f, g, 29, 2, XW); SCHED_W_2(33, W1, W2, W3, W4, W5, W0); + + /* Transform 30-32 + Precalc 33-35 */ + R2(c, d, a, b, g, h, e, f, 30, 0, XW); SCHED_W_0(36, W2, W3, W4, W5, W0, W1); + R2(b, c, d, a, f, g, h, e, 31, 1, XW); SCHED_W_1(36, W2, W3, W4, W5, W0, W1); + R2(a, b, c, d, e, f, g, h, 32, 2, XW); SCHED_W_2(36, W2, W3, W4, W5, W0, W1); + + /* Transform 33-35 + Precalc 36-38 */ + R2(d, a, b, c, h, e, f, g, 33, 0, XW); SCHED_W_0(39, W3, W4, W5, W0, W1, W2); + R2(c, d, a, b, g, h, e, f, 34, 1, XW); SCHED_W_1(39, W3, W4, W5, W0, W1, W2); + R2(b, c, d, a, f, g, h, e, 35, 2, XW); SCHED_W_2(39, W3, W4, W5, W0, W1, W2); + + /* Transform 36-38 + Precalc 39-41 */ + R2(a, b, c, d, e, f, g, h, 36, 0, XW); SCHED_W_0(42, W4, W5, W0, W1, W2, W3); + R2(d, a, b, c, h, e, f, g, 37, 1, XW); SCHED_W_1(42, W4, W5, W0, W1, W2, W3); + R2(c, d, a, b, g, h, e, f, 38, 2, XW); SCHED_W_2(42, W4, W5, W0, W1, W2, W3); + + /* Transform 39-41 + Precalc 42-44 */ + R2(b, c, d, a, f, g, h, e, 39, 0, XW); SCHED_W_0(45, W5, W0, W1, W2, W3, W4); + R2(a, b, c, d, e, f, g, h, 40, 1, XW); SCHED_W_1(45, W5, W0, W1, W2, W3, W4); + R2(d, a, b, c, h, e, f, g, 41, 2, XW); SCHED_W_2(45, W5, W0, W1, W2, W3, W4); + + /* Transform 42-44 + Precalc 45-47 */ + R2(c, d, a, b, g, h, e, f, 42, 0, XW); SCHED_W_0(48, W0, W1, W2, W3, W4, W5); + R2(b, c, d, a, f, g, h, e, 43, 1, XW); SCHED_W_1(48, W0, W1, W2, W3, W4, W5); + R2(a, b, c, d, e, f, g, h, 44, 2, XW); SCHED_W_2(48, W0, W1, W2, W3, W4, W5); + + /* Transform 45-47 + Precalc 48-50 */ + R2(d, a, b, c, h, e, f, g, 45, 0, XW); SCHED_W_0(51, W1, W2, W3, W4, W5, W0); + R2(c, d, a, b, g, h, e, f, 46, 1, XW); SCHED_W_1(51, W1, W2, W3, W4, W5, W0); + R2(b, c, d, a, f, g, h, e, 47, 2, XW); SCHED_W_2(51, W1, W2, W3, W4, W5, W0); + + /* Transform 48-50 + Precalc 51-53 */ + R2(a, b, c, d, e, f, g, h, 48, 0, XW); SCHED_W_0(54, W2, W3, W4, W5, W0, W1); + R2(d, a, b, c, h, e, f, g, 49, 1, XW); SCHED_W_1(54, W2, W3, W4, W5, W0, W1); + R2(c, d, a, b, g, h, e, f, 50, 2, XW); SCHED_W_2(54, W2, W3, W4, W5, W0, W1); + + /* Transform 51-53 + Precalc 54-56 */ + R2(b, c, d, a, f, g, h, e, 51, 0, XW); SCHED_W_0(57, W3, W4, W5, W0, W1, W2); + R2(a, b, c, d, e, f, g, h, 52, 1, XW); SCHED_W_1(57, W3, W4, W5, W0, W1, W2); + R2(d, a, b, c, h, e, f, g, 53, 2, XW); SCHED_W_2(57, W3, W4, W5, W0, W1, W2); + + /* Transform 54-56 + Precalc 57-59 */ + R2(c, d, a, b, g, h, e, f, 54, 0, XW); SCHED_W_0(60, W4, W5, W0, W1, W2, W3); + R2(b, c, d, a, f, g, h, e, 55, 1, XW); SCHED_W_1(60, W4, W5, W0, W1, W2, W3); + R2(a, b, c, d, e, f, g, h, 56, 2, XW); SCHED_W_2(60, W4, W5, W0, W1, W2, W3); + + /* Transform 57-59 + Precalc 60-62 */ + R2(d, a, b, c, h, e, f, g, 57, 0, XW); SCHED_W_0(63, W5, W0, W1, W2, W3, W4); + R2(c, d, a, b, g, h, e, f, 58, 1, XW); + R2(b, c, d, a, f, g, h, e, 59, 2, XW); SCHED_W_1(63, W5, W0, W1, W2, W3, W4); + + /* Transform 60-62 + Precalc 63-65 */ + R2(a, b, c, d, e, f, g, h, 60, 0, XW); + R2(d, a, b, c, h, e, f, g, 61, 1, XW); SCHED_W_2(63, W5, W0, W1, W2, W3, W4); + R2(c, d, a, b, g, h, e, f, 62, 2, XW); + + /* Transform 63 */ + R2(b, c, d, a, f, g, h, e, 63, 0, XW); + + /* Update the chaining variables. */ + xorl state_h0(RSTATE), a; + xorl state_h1(RSTATE), b; + xorl state_h2(RSTATE), c; + xorl state_h3(RSTATE), d; + movl a, state_h0(RSTATE); + movl b, state_h1(RSTATE); + movl c, state_h2(RSTATE); + movl d, state_h3(RSTATE); + xorl state_h4(RSTATE), e; + xorl state_h5(RSTATE), f; + xorl state_h6(RSTATE), g; + xorl state_h7(RSTATE), h; + movl e, state_h4(RSTATE); + movl f, state_h5(RSTATE); + movl g, state_h6(RSTATE); + movl h, state_h7(RSTATE); + + cmpq $0, RNBLKS; + jne .Loop; + +.align 16 +.Lend: + vzeroall; + + movq (STACK_REG_SAVE + 0 * 8)(%rsp), %rbx; + CFI_RESTORE(%rbx); + movq (STACK_REG_SAVE + 1 * 8)(%rsp), %r15; + CFI_RESTORE(%r15); + movq (STACK_REG_SAVE + 2 * 8)(%rsp), %r14; + CFI_RESTORE(%r14); + movq (STACK_REG_SAVE + 3 * 8)(%rsp), %r13; + CFI_RESTORE(%r13); + movq (STACK_REG_SAVE + 4 * 8)(%rsp), %r12; + CFI_RESTORE(%r12); + + vmovdqa %xmm0, IW_W1_ADDR(0, 0); + vmovdqa %xmm0, IW_W1W2_ADDR(0, 0); + vmovdqa %xmm0, IW_W1_ADDR(4, 0); + vmovdqa %xmm0, IW_W1W2_ADDR(4, 0); + vmovdqa %xmm0, IW_W1_ADDR(8, 0); + vmovdqa %xmm0, IW_W1W2_ADDR(8, 0); + xorl %eax, %eax; /* stack burned */ + + leave; + CFI_LEAVE(); + ret; + CFI_ENDPROC(); +ELF(.size _gcry_sm3_transform_amd64_avx_bmi2, + .-_gcry_sm3_transform_amd64_avx_bmi2;) + +#endif +#endif diff --git a/cipher/sm3.c b/cipher/sm3.c index d52a7494..05b7b259 100644 --- a/cipher/sm3.c +++ b/cipher/sm3.c @@ -47,12 +47,54 @@ #include "hash-common.h" +/* USE_AVX_BMI2 indicates whether to compile with Intel AVX/BMI2 code. */ +#undef USE_AVX_BMI2 +#if defined(__x86_64__) && defined(HAVE_GCC_INLINE_ASM_AVX) && \ + defined(HAVE_GCC_INLINE_ASM_BMI2) && \ + (defined(HAVE_COMPATIBLE_GCC_AMD64_PLATFORM_AS) || \ + defined(HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS)) +# define USE_AVX_BMI2 1 +#endif + + typedef struct { gcry_md_block_ctx_t bctx; - u32 h0,h1,h2,h3,h4,h5,h6,h7; + u32 h[8]; } SM3_CONTEXT; +/* AMD64 assembly implementations use SystemV ABI, ABI conversion and additional + * stack to store XMM6-XMM15 needed on Win64. */ +#undef ASM_FUNC_ABI +#undef ASM_EXTRA_STACK +#if defined(USE_AVX_BMI2) +# ifdef HAVE_COMPATIBLE_GCC_WIN64_PLATFORM_AS +# define ASM_FUNC_ABI __attribute__((sysv_abi)) +# define ASM_EXTRA_STACK (10 * 16 + 4 * sizeof(void *)) +# else +# define ASM_FUNC_ABI +# define ASM_EXTRA_STACK 0 +# endif +#endif + + +#ifdef USE_AVX_BMI2 +unsigned int _gcry_sm3_transform_amd64_avx_bmi2(void *state, + const void *input_data, + size_t num_blks) ASM_FUNC_ABI; + +static unsigned int +do_sm3_transform_amd64_avx_bmi2(void *context, const unsigned char *data, + size_t nblks) +{ + SM3_CONTEXT *hd = context; + unsigned int nburn = _gcry_sm3_transform_amd64_avx_bmi2 (hd->h, data, nblks); + nburn += nburn ? ASM_EXTRA_STACK : 0; + return nburn; +} +#endif /* USE_AVX_BMI2 */ + + static unsigned int transform (void *c, const unsigned char *data, size_t nblks); @@ -65,14 +107,14 @@ sm3_init (void *context, unsigned int flags) (void)flags; - hd->h0 = 0x7380166f; - hd->h1 = 0x4914b2b9; - hd->h2 = 0x172442d7; - hd->h3 = 0xda8a0600; - hd->h4 = 0xa96f30bc; - hd->h5 = 0x163138aa; - hd->h6 = 0xe38dee4d; - hd->h7 = 0xb0fb0e4e; + hd->h[0] = 0x7380166f; + hd->h[1] = 0x4914b2b9; + hd->h[2] = 0x172442d7; + hd->h[3] = 0xda8a0600; + hd->h[4] = 0xa96f30bc; + hd->h[5] = 0x163138aa; + hd->h[6] = 0xe38dee4d; + hd->h[7] = 0xb0fb0e4e; hd->bctx.nblocks = 0; hd->bctx.nblocks_high = 0; @@ -80,6 +122,11 @@ sm3_init (void *context, unsigned int flags) hd->bctx.blocksize_shift = _gcry_ctz(64); hd->bctx.bwrite = transform; +#ifdef USE_AVX_BMI2 + if ((features & HWF_INTEL_AVX2) && (features & HWF_INTEL_BMI2)) + hd->bctx.bwrite = do_sm3_transform_amd64_avx_bmi2; +#endif + (void)features; } @@ -146,14 +193,14 @@ transform_blk (void *ctx, const unsigned char *data) u32 a,b,c,d,e,f,g,h,ss1,ss2; u32 w[16]; - a = hd->h0; - b = hd->h1; - c = hd->h2; - d = hd->h3; - e = hd->h4; - f = hd->h5; - g = hd->h6; - h = hd->h7; + a = hd->h[0]; + b = hd->h[1]; + c = hd->h[2]; + d = hd->h[3]; + e = hd->h[4]; + f = hd->h[5]; + g = hd->h[6]; + h = hd->h[7]; R1(a, b, c, d, e, f, g, h, K[0], I(0), I(4)); R1(d, a, b, c, h, e, f, g, K[1], I(1), I(5)); @@ -223,14 +270,14 @@ transform_blk (void *ctx, const unsigned char *data) R2(c, d, a, b, g, h, e, f, K[62], W1(62), W2(66)); R2(b, c, d, a, f, g, h, e, K[63], W1(63), W2(67)); - hd->h0 ^= a; - hd->h1 ^= b; - hd->h2 ^= c; - hd->h3 ^= d; - hd->h4 ^= e; - hd->h5 ^= f; - hd->h6 ^= g; - hd->h7 ^= h; + hd->h[0] ^= a; + hd->h[1] ^= b; + hd->h[2] ^= c; + hd->h[3] ^= d; + hd->h[4] ^= e; + hd->h[5] ^= f; + hd->h[6] ^= g; + hd->h[7] ^= h; return /*burn_stack*/ 26*4+32; } @@ -313,7 +360,7 @@ sm3_final(void *context) } p = hd->bctx.buf; -#define X(a) do { buf_put_be32(p, hd->h##a); p += 4; } while(0) +#define X(a) do { buf_put_be32(p, hd->h[a]); p += 4; } while(0) X(0); X(1); X(2); diff --git a/configure.ac b/configure.ac index 952da248..50a52015 100644 --- a/configure.ac +++ b/configure.ac @@ -3026,6 +3026,19 @@ if test "$found" = "1" ; then esac fi +LIST_MEMBER(sm3, $enabled_digests) +if test "$found" = "1" ; then + GCRYPT_DIGESTS="$GCRYPT_DIGESTS sm3.lo" + AC_DEFINE(USE_SM3, 1, [Defined if this module should be included]) + + case "${host}" in + x86_64-*-*) + # Build with the assembly implementation + GCRYPT_ASM_DIGESTS="$GCRYPT_ASM_DIGESTS sm3-avx-bmi2-amd64.lo" + ;; + esac +fi + # SHA-1 needs to be included always for example because it is used by # random-csprng.c. GCRYPT_DIGESTS="$GCRYPT_DIGESTS sha1.lo" @@ -3081,12 +3094,6 @@ case "${host}" in ;; esac -LIST_MEMBER(sm3, $enabled_digests) -if test "$found" = "1" ; then - GCRYPT_DIGESTS="$GCRYPT_DIGESTS sm3.lo" - AC_DEFINE(USE_SM3, 1, [Defined if this module should be included]) -fi - LIST_MEMBER(scrypt, $enabled_kdfs) if test "$found" = "1" ; then GCRYPT_KDFS="$GCRYPT_KDFS scrypt.lo" -- 2.32.0 From tianjia.zhang at linux.alibaba.com Tue Dec 14 08:21:56 2021 From: tianjia.zhang at linux.alibaba.com (Tianjia Zhang) Date: Tue, 14 Dec 2021 15:21:56 +0800 Subject: [PATCH] Add SM3 x86-64 AVX/BMI2 assembly implementation In-Reply-To: <20211212144955.3681432-1-jussi.kivilinna@iki.fi> References: <20211212144955.3681432-1-jussi.kivilinna@iki.fi> Message-ID: <878fe778-fc1e-a4a6-abcb-2aa938add808@linux.alibaba.com> Hi Jussi, On 12/12/21 10:49 PM, Jussi Kivilinna wrote: > * cipher/Makefile.am: Add 'sm3-avx-bmi2-amd64.S'. > * cipher/sm3-avx-bmi2-amd64.S: New. > * cipher/sm3.c (USE_AVX_BMI2, ASM_FUNC_ABI, ASM_EXTRA_STACK): New. > (SM3_CONTEXT): Define 'h' as array instead of separate fields 'h1', > 'h2', etc. > [USE_AVX_BMI2] (_gcry_sm3_transform_amd64_avx_bmi2) > (do_sm3_transform_amd64_avx_bmi2): New. > (sm3_init): Select AVX/BMI2 transform function if support by HW; Update > to use 'hd->h' as array. > (transform_blk, sm3_final): Update to use 'hd->h' as array. > * configure.ac: Add 'sm3-avx-bmi2-amd64.lo'. > -- > > Benchmark on AMD Zen3: > > Before: > | nanosecs/byte mebibytes/sec cycles/byte auto Mhz > SM3 | 2.18 ns/B 436.6 MiB/s 10.59 c/B 4850 > > After (~43% faster): > | nanosecs/byte mebibytes/sec cycles/byte auto Mhz > SM3 | 1.52 ns/B 627.4 MiB/s 7.37 c/B 4850 > > > Benchmark on Intel Skylake: > > Before: > | nanosecs/byte mebibytes/sec cycles/byte auto Mhz > SM3 | 4.35 ns/B 219.2 MiB/s 13.48 c/B 3098 > > After (~34% faster): > | nanosecs/byte mebibytes/sec cycles/byte auto Mhz > SM3 | 3.24 ns/B 294.4 MiB/s 10.04 c/B 3098 > > > Benchmark on AMD Zen2: > > Before: > | nanosecs/byte mebibytes/sec cycles/byte auto Mhz > SM3 | 2.73 ns/B 348.9 MiB/s 11.86 c/B 4339 > > After (~38% faster): > | nanosecs/byte mebibytes/sec cycles/byte auto Mhz > SM3 | 1.97 ns/B 483.0 MiB/s 8.52 c/B 4318 > > > Signed-off-by: Jussi Kivilinna > --- Great job, it is very valuable to us, if possible, add this tag: Reviewed-and-tested-by: Tianjia Zhang Best regards, Tianjia From jussi.kivilinna at iki.fi Tue Dec 14 18:58:59 2021 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Tue, 14 Dec 2021 19:58:59 +0200 Subject: [PATCH] Add SM3 x86-64 AVX/BMI2 assembly implementation In-Reply-To: <878fe778-fc1e-a4a6-abcb-2aa938add808@linux.alibaba.com> References: <20211212144955.3681432-1-jussi.kivilinna@iki.fi> <878fe778-fc1e-a4a6-abcb-2aa938add808@linux.alibaba.com> Message-ID: <72fad772-de3a-bda8-9a59-6b54924558a0@iki.fi> Hello, On 14.12.2021 9.21, Tianjia Zhang via Gcrypt-devel wrote: > > Great job, it is very valuable to us, if possible, add this tag: > > Reviewed-and-tested-by: Tianjia Zhang Thanks. Pushed commit to master with few changes to inline code comments. -Jussi From dtsen at us.ibm.com Tue Dec 14 21:16:24 2021 From: dtsen at us.ibm.com (Danny Tsen) Date: Tue, 14 Dec 2021 20:16:24 +0000 Subject: DCO for T5700 Message-ID: An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: DCO Type: application/octet-stream Size: 1276 bytes Desc: not available URL: From dtsen at us.ibm.com Wed Dec 15 20:04:15 2021 From: dtsen at us.ibm.com (Danny Tsen) Date: Wed, 15 Dec 2021 19:04:15 +0000 Subject: DCO for T5700 Message-ID: An HTML attachment was scrubbed... URL: From tianjia.zhang at linux.alibaba.com Thu Dec 16 13:43:49 2021 From: tianjia.zhang at linux.alibaba.com (Tianjia Zhang) Date: Thu, 16 Dec 2021 20:43:49 +0800 Subject: [PATCH] Add SM3 x86-64 AVX/BMI2 assembly implementation In-Reply-To: <72fad772-de3a-bda8-9a59-6b54924558a0@iki.fi> References: <20211212144955.3681432-1-jussi.kivilinna@iki.fi> <878fe778-fc1e-a4a6-abcb-2aa938add808@linux.alibaba.com> <72fad772-de3a-bda8-9a59-6b54924558a0@iki.fi> Message-ID: Hi Jussi, On 12/15/21 1:58 AM, Jussi Kivilinna wrote: > Hello, > > On 14.12.2021 9.21, Tianjia Zhang via Gcrypt-devel wrote: >> >> Great job, it is very valuable to us, if possible, add this tag: >> >> Reviewed-and-tested-by: Tianjia Zhang > > Thanks. Pushed commit to master with few changes to inline code comments. > > -Jussi Thanks for your contribution. If possible, I will also port this accelerated implementation to the linux kernel in the future. Best regards, Tianjia From dtsen at us.ibm.com Thu Dec 16 18:37:24 2021 From: dtsen at us.ibm.com (Danny Tsen) Date: Thu, 16 Dec 2021 17:37:24 +0000 Subject: DCO for T5700 with signature Message-ID: An HTML attachment was scrubbed... URL: From jcb62281 at gmail.com Fri Dec 17 00:55:11 2021 From: jcb62281 at gmail.com (Jacob Bachmeyer) Date: Thu, 16 Dec 2021 17:55:11 -0600 Subject: [PATCH] Add SM3 x86-64 AVX/BMI2 assembly implementation In-Reply-To: References: <20211212144955.3681432-1-jussi.kivilinna@iki.fi> <878fe778-fc1e-a4a6-abcb-2aa938add808@linux.alibaba.com> <72fad772-de3a-bda8-9a59-6b54924558a0@iki.fi> Message-ID: <61BBD1DF.5040302@gmail.com> Tianjia Zhang via Gcrypt-devel wrote: > Hi Jussi, > > On 12/15/21 1:58 AM, Jussi Kivilinna wrote: >> Hello, >> >> On 14.12.2021 9.21, Tianjia Zhang via Gcrypt-devel wrote: >>> >>> Great job, it is very valuable to us, if possible, add this tag: >>> >>> Reviewed-and-tested-by: Tianjia Zhang >> >> Thanks. Pushed commit to master with few changes to inline code >> comments. >> >> -Jussi > > Thanks for your contribution. If possible, I will also port this > accelerated implementation to the linux kernel in the future. Uh, check license compatibility on that: off the top of my head, I suspect GPG is GPLv3+, while Linux is GPLv2. You may need additional permission to distribute that code under GPLv2 to port it to the Linux kernel. -- Jacob From tianjia.zhang at linux.alibaba.com Fri Dec 17 10:19:58 2021 From: tianjia.zhang at linux.alibaba.com (Tianjia Zhang) Date: Fri, 17 Dec 2021 17:19:58 +0800 Subject: [PATCH] Add SM3 x86-64 AVX/BMI2 assembly implementation In-Reply-To: <61BBD1DF.5040302@gmail.com> References: <20211212144955.3681432-1-jussi.kivilinna@iki.fi> <878fe778-fc1e-a4a6-abcb-2aa938add808@linux.alibaba.com> <72fad772-de3a-bda8-9a59-6b54924558a0@iki.fi> <61BBD1DF.5040302@gmail.com> Message-ID: Hi Jacob, On 12/17/21 7:55 AM, Jacob Bachmeyer wrote: > Tianjia Zhang via Gcrypt-devel wrote: >> Hi Jussi, >> >> On 12/15/21 1:58 AM, Jussi Kivilinna wrote: >>> Hello, >>> >>> On 14.12.2021 9.21, Tianjia Zhang via Gcrypt-devel wrote: >>>> >>>> Great job, it is very valuable to us, if possible, add this tag: >>>> >>>> Reviewed-and-tested-by: Tianjia Zhang >>> >>> Thanks. Pushed commit to master with few changes to inline code >>> comments. >>> >>> -Jussi >> >> Thanks for your contribution. If possible, I will also port this >> accelerated implementation to the linux kernel in the future. > > Uh, check license compatibility on that:? off the top of my head, I > suspect GPG is GPLv3+, while Linux is GPLv2.? You may need additional > permission to distribute that code under GPLv2 to port it to the Linux > kernel. > > > -- Jacob Thanks for your reminder, I will properly handle this license compatibility. Best regards, Tianjia From jussi.kivilinna at iki.fi Fri Dec 17 16:47:26 2021 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Fri, 17 Dec 2021 17:47:26 +0200 Subject: [PATCH] Add SM3 x86-64 AVX/BMI2 assembly implementation In-Reply-To: <61BBD1DF.5040302@gmail.com> References: <20211212144955.3681432-1-jussi.kivilinna@iki.fi> <878fe778-fc1e-a4a6-abcb-2aa938add808@linux.alibaba.com> <72fad772-de3a-bda8-9a59-6b54924558a0@iki.fi> <61BBD1DF.5040302@gmail.com> Message-ID: <81f6f4d3-ed79-15f6-df85-d29f23a18475@iki.fi> On 17.12.2021 1.55, Jacob Bachmeyer via Gcrypt-devel wrote: > Tianjia Zhang via Gcrypt-devel wrote: >> Hi Jussi, >> >> On 12/15/21 1:58 AM, Jussi Kivilinna wrote: >>> Hello, >>> >>> On 14.12.2021 9.21, Tianjia Zhang via Gcrypt-devel wrote: >>>> >>>> Great job, it is very valuable to us, if possible, add this tag: >>>> >>>> Reviewed-and-tested-by: Tianjia Zhang >>> >>> Thanks. Pushed commit to master with few changes to inline code comments. >>> >>> -Jussi >> >> Thanks for your contribution. If possible, I will also port this accelerated implementation to the linux kernel in the future. > > Uh, check license compatibility on that:? off the top of my head, I suspect GPG is GPLv3+, while Linux is GPLv2.? You may need additional permission to distribute that code under GPLv2 to port it to the Linux kernel. > libgcrypt license is LGPL2.1+, so no issues with moving code to Linux kernel / GPLv2. -Jussi From dtsen at us.ibm.com Fri Dec 17 18:09:20 2021 From: dtsen at us.ibm.com (Danny Tsen) Date: Fri, 17 Dec 2021 17:09:20 +0000 Subject: DCO for T5700 with signature Message-ID: An HTML attachment was scrubbed... URL: From dtsen at us.ibm.com Fri Dec 17 18:25:11 2021 From: dtsen at us.ibm.com (Danny Tsen) Date: Fri, 17 Dec 2021 17:25:11 +0000 Subject: DCO for T5700 with signature Message-ID: An HTML attachment was scrubbed... URL: From jcb62281 at gmail.com Fri Dec 17 21:54:39 2021 From: jcb62281 at gmail.com (Jacob Bachmeyer) Date: Fri, 17 Dec 2021 14:54:39 -0600 Subject: [PATCH] Add SM3 x86-64 AVX/BMI2 assembly implementation In-Reply-To: <81f6f4d3-ed79-15f6-df85-d29f23a18475@iki.fi> References: <20211212144955.3681432-1-jussi.kivilinna@iki.fi> <878fe778-fc1e-a4a6-abcb-2aa938add808@linux.alibaba.com> <72fad772-de3a-bda8-9a59-6b54924558a0@iki.fi> <61BBD1DF.5040302@gmail.com> <81f6f4d3-ed79-15f6-df85-d29f23a18475@iki.fi> Message-ID: <61BCF90F.4060109@gmail.com> Jussi Kivilinna wrote: > On 17.12.2021 1.55, Jacob Bachmeyer via Gcrypt-devel wrote: >> Tianjia Zhang via Gcrypt-devel wrote: >>> Hi Jussi, >>> >>> On 12/15/21 1:58 AM, Jussi Kivilinna wrote: >>>> Hello, >>>> >>>> On 14.12.2021 9.21, Tianjia Zhang via Gcrypt-devel wrote: >>>>> >>>>> Great job, it is very valuable to us, if possible, add this tag: >>>>> >>>>> Reviewed-and-tested-by: Tianjia Zhang >>>>> >>>> >>>> Thanks. Pushed commit to master with few changes to inline code >>>> comments. >>>> >>>> -Jussi >>> >>> Thanks for your contribution. If possible, I will also port this >>> accelerated implementation to the linux kernel in the future. >> >> Uh, check license compatibility on that: off the top of my head, I >> suspect GPG is GPLv3+, while Linux is GPLv2. You may need additional >> permission to distribute that code under GPLv2 to port it to the >> Linux kernel. >> > > libgcrypt license is LGPL2.1+, so no issues with moving code to Linux > kernel / GPLv2. Well, then I misremembered and there is no problem after all. -- Jacob From tianjia.zhang at linux.alibaba.com Mon Dec 20 04:23:00 2021 From: tianjia.zhang at linux.alibaba.com (Tianjia Zhang) Date: Mon, 20 Dec 2021 11:23:00 +0800 Subject: [PATCH] cipher: Fix SM3 avx/bmi2 compilation error Message-ID: <20211220032300.50584-1-tianjia.zhang@linux.alibaba.com> * cipher/sm3-avx-bmi2-amd64.S: Fix assembler errors. -- There are a lot of the following errors compiling with GNU assembler version 2.27-41: sm3-avx-bmi2-amd64.S: Assembler messages: sm3-avx-bmi2-amd64.S:402: Error: 0xf3988a32 out range of signed 32bit displacement The newer GNU assembler does not have this issue. It is likely that the old version of the assembler did not handle it well, but in order to allow libgcrypt to be compiled on more systems, I still fixed this problem, an additional add operation is added to the lea instruction to calculate the sum of three elements. I did a benchmark test on an Intel i5-6200U 2.30GHz CPU and found no significant performance difference. Signed-off-by: Tianjia Zhang --- cipher/sm3-avx-bmi2-amd64.S | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cipher/sm3-avx-bmi2-amd64.S b/cipher/sm3-avx-bmi2-amd64.S index 93aecacb..4a075d76 100644 --- a/cipher/sm3-avx-bmi2-amd64.S +++ b/cipher/sm3-avx-bmi2-amd64.S @@ -206,7 +206,8 @@ ELF(.size _gcry_sm3_avx2_consts,.-_gcry_sm3_avx2_consts) /* rol(a, 12) => t0 */ \ roll3mov(12, a, t0); /* rorxl here would reduce perf by 6% on zen3 */ \ /* rol (t0 + e + t), 7) => t1 */ \ - leal K##round(t0, e, 1), t1; \ + addl3(t0, e, t1); \ + addl $K##round, t1; \ roll2(7, t1); \ /* h + w1 => h */ \ addl wtype##_W1_ADDR(round, widx), h; \ -- 2.19.1.3.ge56e4f7 From dtsen at us.ibm.com Mon Dec 20 13:08:48 2021 From: dtsen at us.ibm.com (Danny Tsen) Date: Mon, 20 Dec 2021 12:08:48 +0000 Subject: Signed DCO for T5700 Message-ID: An HTML attachment was scrubbed... URL: -------------- next part -------------- A non-text attachment was scrubbed... Name: DCO Type: application/octet-stream Size: 2158 bytes Desc: not available URL: From jussi.kivilinna at iki.fi Mon Dec 20 17:49:48 2021 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Mon, 20 Dec 2021 18:49:48 +0200 Subject: [PATCH] cipher: Fix SM3 avx/bmi2 compilation error In-Reply-To: <20211220032300.50584-1-tianjia.zhang@linux.alibaba.com> References: <20211220032300.50584-1-tianjia.zhang@linux.alibaba.com> Message-ID: Hello, On 20.12.2021 5.23, Tianjia Zhang via Gcrypt-devel wrote: > * cipher/sm3-avx-bmi2-amd64.S: Fix assembler errors. > > -- > > There are a lot of the following errors compiling with GNU assembler > version 2.27-41: > > sm3-avx-bmi2-amd64.S: Assembler messages: > sm3-avx-bmi2-amd64.S:402: Error: 0xf3988a32 out range of signed > 32bit displacement > > The newer GNU assembler does not have this issue. It is likely that > the old version of the assembler did not handle it well, but in order > to allow libgcrypt to be compiled on more systems, I still fixed this > problem, an additional add operation is added to the lea instruction > to calculate the sum of three elements. I did a benchmark test on an > Intel i5-6200U 2.30GHz CPU and found no significant performance > difference. Thanks for reporting. However, I think this can be fixed by changing K0-K63 macros from hex-format to signed decimal values. Patch attached. > > Signed-off-by: Tianjia Zhang > --- > cipher/sm3-avx-bmi2-amd64.S | 3 ++- > 1 file changed, 2 insertions(+), 1 deletion(-) > > diff --git a/cipher/sm3-avx-bmi2-amd64.S b/cipher/sm3-avx-bmi2-amd64.S > index 93aecacb..4a075d76 100644 > --- a/cipher/sm3-avx-bmi2-amd64.S > +++ b/cipher/sm3-avx-bmi2-amd64.S > @@ -206,7 +206,8 @@ ELF(.size _gcry_sm3_avx2_consts,.-_gcry_sm3_avx2_consts) > /* rol(a, 12) => t0 */ \ > roll3mov(12, a, t0); /* rorxl here would reduce perf by 6% on zen3 */ \ > /* rol (t0 + e + t), 7) => t1 */ \ > - leal K##round(t0, e, 1), t1; \ > + addl3(t0, e, t1); \ > + addl $K##round, t1; \ This is 12% slower on AMD Zen3 (from 7.37 cycles/byte to 8.30 cpb). -Jussi > roll2(7, t1); \ > /* h + w1 => h */ \ > addl wtype##_W1_ADDR(round, widx), h; \ > -------------- next part -------------- A non-text attachment was scrubbed... Name: 0001-sm3-avx-bmi2-amd64-fix-issue-with-LEA-and-32-bit-uns.patch Type: text/x-patch Size: 4044 bytes Desc: not available URL: From tianjia.zhang at linux.alibaba.com Tue Dec 21 08:29:39 2021 From: tianjia.zhang at linux.alibaba.com (Tianjia Zhang) Date: Tue, 21 Dec 2021 15:29:39 +0800 Subject: [PATCH] cipher: Fix SM3 avx/bmi2 compilation error In-Reply-To: References: <20211220032300.50584-1-tianjia.zhang@linux.alibaba.com> Message-ID: <80621531-4022-3aeb-e159-4e1c4227b075@linux.alibaba.com> Hi Jussi, On 12/21/21 12:49 AM, Jussi Kivilinna wrote: > Hello, > > On 20.12.2021 5.23, Tianjia Zhang via Gcrypt-devel wrote: >> * cipher/sm3-avx-bmi2-amd64.S: Fix assembler errors. >> >> -- >> >> There are a lot of the following errors compiling with GNU assembler >> version 2.27-41: >> >> ?? sm3-avx-bmi2-amd64.S: Assembler messages: >> ?? sm3-avx-bmi2-amd64.S:402: Error: 0xf3988a32 out range of signed >> ???? 32bit displacement >> >> The newer GNU assembler does not have this issue. It is likely that >> the old version of the assembler did not handle it well, but in order >> to allow libgcrypt to be compiled on more systems, I still fixed this >> problem, an additional add operation is added to the lea instruction >> to calculate the sum of three elements. I did a benchmark test on an >> Intel i5-6200U 2.30GHz CPU and found no significant performance >> difference. > > > Thanks for reporting. However, I think this can be fixed by changing > K0-K63 macros from hex-format to signed decimal values. Patch attached. > Thanks for your suggestion, this method is feasible, I will try to fix this issue. Best regards, Tianjia >> >> Signed-off-by: Tianjia Zhang >> --- >> ? cipher/sm3-avx-bmi2-amd64.S | 3 ++- >> ? 1 file changed, 2 insertions(+), 1 deletion(-) >> >> diff --git a/cipher/sm3-avx-bmi2-amd64.S b/cipher/sm3-avx-bmi2-amd64.S >> index 93aecacb..4a075d76 100644 >> --- a/cipher/sm3-avx-bmi2-amd64.S >> +++ b/cipher/sm3-avx-bmi2-amd64.S >> @@ -206,7 +206,8 @@ ELF(.size >> _gcry_sm3_avx2_consts,.-_gcry_sm3_avx2_consts) >> ????????? /* rol(a, 12) => t0 */ \ >> ??????????? roll3mov(12, a, t0); /* rorxl here would reduce perf by 6% >> on zen3 */ \ >> ????????? /* rol (t0 + e + t), 7) => t1 */ \ >> -????????? leal K##round(t0, e, 1), t1; \ >> +????????? addl3(t0, e, t1); \ >> +????????? addl $K##round, t1; \ > > This is 12% slower on AMD Zen3 (from 7.37 cycles/byte to 8.30 cpb). > > -Jussi > >> ??????????? roll2(7, t1); \ >> ????????? /* h + w1 => h */ \ >> ??????????? addl wtype##_W1_ADDR(round, widx), h; \ >> From tianjia.zhang at linux.alibaba.com Tue Dec 21 08:34:04 2021 From: tianjia.zhang at linux.alibaba.com (Tianjia Zhang) Date: Tue, 21 Dec 2021 15:34:04 +0800 Subject: [PATCH v2] cipher: Fix SM3 avx/bmi2 compilation error In-Reply-To: <20211220032300.50584-1-tianjia.zhang@linux.alibaba.com> References: <20211220032300.50584-1-tianjia.zhang@linux.alibaba.com> Message-ID: <20211221073404.9598-1-tianjia.zhang@linux.alibaba.com> * cipher/sm3-avx-bmi2-amd64.S: Change K0-K63 macros to signed decimal. -- There are a lot of the following errors compiling with GNU assembler version 2.27-41: sm3-avx-bmi2-amd64.S: Assembler messages: sm3-avx-bmi2-amd64.S:402: Error: 0xf3988a32 out range of signed 32bit displacement The newer GNU assembler does not have this issue. It can be fixed by changing K0-K63 macros from hex-format to signed decimal values. Also remove unused macro 'addl3'. Signed-off-by: Tianjia Zhang --- cipher/sm3-avx-bmi2-amd64.S | 131 ++++++++++++++++++------------------ 1 file changed, 64 insertions(+), 67 deletions(-) diff --git a/cipher/sm3-avx-bmi2-amd64.S b/cipher/sm3-avx-bmi2-amd64.S index 93aecacb..46226ae6 100644 --- a/cipher/sm3-avx-bmi2-amd64.S +++ b/cipher/sm3-avx-bmi2-amd64.S @@ -51,70 +51,70 @@ ELF(.size _gcry_sm3_avx2_consts,.-_gcry_sm3_avx2_consts) /* Round constant macros */ -#define K0 0x79cc4519 -#define K1 0xf3988a32 -#define K2 0xe7311465 -#define K3 0xce6228cb -#define K4 0x9cc45197 -#define K5 0x3988a32f -#define K6 0x7311465e -#define K7 0xe6228cbc -#define K8 0xcc451979 -#define K9 0x988a32f3 -#define K10 0x311465e7 -#define K11 0x6228cbce -#define K12 0xc451979c -#define K13 0x88a32f39 -#define K14 0x11465e73 -#define K15 0x228cbce6 -#define K16 0x9d8a7a87 -#define K17 0x3b14f50f -#define K18 0x7629ea1e -#define K19 0xec53d43c -#define K20 0xd8a7a879 -#define K21 0xb14f50f3 -#define K22 0x629ea1e7 -#define K23 0xc53d43ce -#define K24 0x8a7a879d -#define K25 0x14f50f3b -#define K26 0x29ea1e76 -#define K27 0x53d43cec -#define K28 0xa7a879d8 -#define K29 0x4f50f3b1 -#define K30 0x9ea1e762 -#define K31 0x3d43cec5 -#define K32 0x7a879d8a -#define K33 0xf50f3b14 -#define K34 0xea1e7629 -#define K35 0xd43cec53 -#define K36 0xa879d8a7 -#define K37 0x50f3b14f -#define K38 0xa1e7629e -#define K39 0x43cec53d -#define K40 0x879d8a7a -#define K41 0x0f3b14f5 -#define K42 0x1e7629ea -#define K43 0x3cec53d4 -#define K44 0x79d8a7a8 -#define K45 0xf3b14f50 -#define K46 0xe7629ea1 -#define K47 0xcec53d43 -#define K48 0x9d8a7a87 -#define K49 0x3b14f50f -#define K50 0x7629ea1e -#define K51 0xec53d43c -#define K52 0xd8a7a879 -#define K53 0xb14f50f3 -#define K54 0x629ea1e7 -#define K55 0xc53d43ce -#define K56 0x8a7a879d -#define K57 0x14f50f3b -#define K58 0x29ea1e76 -#define K59 0x53d43cec -#define K60 0xa7a879d8 -#define K61 0x4f50f3b1 -#define K62 0x9ea1e762 -#define K63 0x3d43cec5 +#define K0 2043430169 /* 0x79cc4519 */ +#define K1 -208106958 /* 0xf3988a32 */ +#define K2 -416213915 /* 0xe7311465 */ +#define K3 -832427829 /* 0xce6228cb */ +#define K4 -1664855657 /* 0x9cc45197 */ +#define K5 965255983 /* 0x3988a32f */ +#define K6 1930511966 /* 0x7311465e */ +#define K7 -433943364 /* 0xe6228cbc */ +#define K8 -867886727 /* 0xcc451979 */ +#define K9 -1735773453 /* 0x988a32f3 */ +#define K10 823420391 /* 0x311465e7 */ +#define K11 1646840782 /* 0x6228cbce */ +#define K12 -1001285732 /* 0xc451979c */ +#define K13 -2002571463 /* 0x88a32f39 */ +#define K14 289824371 /* 0x11465e73 */ +#define K15 579648742 /* 0x228cbce6 */ +#define K16 -1651869049 /* 0x9d8a7a87 */ +#define K17 991229199 /* 0x3b14f50f */ +#define K18 1982458398 /* 0x7629ea1e */ +#define K19 -330050500 /* 0xec53d43c */ +#define K20 -660100999 /* 0xd8a7a879 */ +#define K21 -1320201997 /* 0xb14f50f3 */ +#define K22 1654563303 /* 0x629ea1e7 */ +#define K23 -985840690 /* 0xc53d43ce */ +#define K24 -1971681379 /* 0x8a7a879d */ +#define K25 351604539 /* 0x14f50f3b */ +#define K26 703209078 /* 0x29ea1e76 */ +#define K27 1406418156 /* 0x53d43cec */ +#define K28 -1482130984 /* 0xa7a879d8 */ +#define K29 1330705329 /* 0x4f50f3b1 */ +#define K30 -1633556638 /* 0x9ea1e762 */ +#define K31 1027854021 /* 0x3d43cec5 */ +#define K32 2055708042 /* 0x7a879d8a */ +#define K33 -183551212 /* 0xf50f3b14 */ +#define K34 -367102423 /* 0xea1e7629 */ +#define K35 -734204845 /* 0xd43cec53 */ +#define K36 -1468409689 /* 0xa879d8a7 */ +#define K37 1358147919 /* 0x50f3b14f */ +#define K38 -1578671458 /* 0xa1e7629e */ +#define K39 1137624381 /* 0x43cec53d */ +#define K40 -2019718534 /* 0x879d8a7a */ +#define K41 255530229 /* 0x0f3b14f5 */ +#define K42 511060458 /* 0x1e7629ea */ +#define K43 1022120916 /* 0x3cec53d4 */ +#define K44 2044241832 /* 0x79d8a7a8 */ +#define K45 -206483632 /* 0xf3b14f50 */ +#define K46 -412967263 /* 0xe7629ea1 */ +#define K47 -825934525 /* 0xcec53d43 */ +#define K48 -1651869049 /* 0x9d8a7a87 */ +#define K49 991229199 /* 0x3b14f50f */ +#define K50 1982458398 /* 0x7629ea1e */ +#define K51 -330050500 /* 0xec53d43c */ +#define K52 -660100999 /* 0xd8a7a879 */ +#define K53 -1320201997 /* 0xb14f50f3 */ +#define K54 1654563303 /* 0x629ea1e7 */ +#define K55 -985840690 /* 0xc53d43ce */ +#define K56 -1971681379 /* 0x8a7a879d */ +#define K57 351604539 /* 0x14f50f3b */ +#define K58 703209078 /* 0x29ea1e76 */ +#define K59 1406418156 /* 0x53d43cec */ +#define K60 -1482130984 /* 0xa7a879d8 */ +#define K61 1330705329 /* 0x4f50f3b1 */ +#define K62 -1633556638 /* 0x9ea1e762 */ +#define K63 1027854021 /* 0x3d43cec5 */ /* Register macros */ @@ -176,9 +176,6 @@ ELF(.size _gcry_sm3_avx2_consts,.-_gcry_sm3_avx2_consts) #define addl2(a, out) \ leal (a, out), out; -#define addl3(a, b, out) \ - leal (b, a), out; - /* Round function macros. */ #define GG1(x, y, z, o, t) \ -- 2.32.0 From tianjia.zhang at linux.alibaba.com Wed Dec 22 03:50:33 2021 From: tianjia.zhang at linux.alibaba.com (Tianjia Zhang) Date: Wed, 22 Dec 2021 10:50:33 +0800 Subject: [PATCH] cipher: Fix SM3 avx/bmi2 compilation error In-Reply-To: References: <20211220032300.50584-1-tianjia.zhang@linux.alibaba.com> Message-ID: Hi Jussi, On 12/21/21 12:49 AM, Jussi Kivilinna wrote: > Hello, > > On 20.12.2021 5.23, Tianjia Zhang via Gcrypt-devel wrote: >> * cipher/sm3-avx-bmi2-amd64.S: Fix assembler errors. >> >> -- >> >> There are a lot of the following errors compiling with GNU assembler >> version 2.27-41: >> >> ?? sm3-avx-bmi2-amd64.S: Assembler messages: >> ?? sm3-avx-bmi2-amd64.S:402: Error: 0xf3988a32 out range of signed >> ???? 32bit displacement >> >> The newer GNU assembler does not have this issue. It is likely that >> the old version of the assembler did not handle it well, but in order >> to allow libgcrypt to be compiled on more systems, I still fixed this >> problem, an additional add operation is added to the lea instruction >> to calculate the sum of three elements. I did a benchmark test on an >> Intel i5-6200U 2.30GHz CPU and found no significant performance >> difference. > > > Thanks for reporting. However, I think this can be fixed by changing > K0-K63 macros from hex-format to signed decimal values. Patch attached. > I'm very sorry, I was too careless, didn't notice that you have attached the patch. Best regards, Tianjia From vincent.torri at gmail.com Sat Dec 25 21:37:01 2021 From: vincent.torri at gmail.com (Vincent Torri) Date: Sat, 25 Dec 2021 21:37:01 +0100 Subject: warnings in libgpg-error Message-ID: Hello i'm compiling libgpg-error on Windows with msys2 + mingw-w64. I have those warnings : spawn-w32.c: In function '_gpgrt_spawn_process': spawn-w32.c:81:27: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] 81 | #define handle_to_pid(a) ((int)(a)) | ^ spawn-w32.c:634:10: note: in expansion of macro 'handle_to_pid' 634 | *pid = handle_to_pid (pi.hProcess); | ^~~~~~~~~~~~~ spawn-w32.c: In function '_gpgrt_spawn_process_fd': spawn-w32.c:81:27: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast] 81 | #define handle_to_pid(a) ((int)(a)) | ^ spawn-w32.c:717:10: note: in expansion of macro 'handle_to_pid' 717 | *pid = handle_to_pid (pi.hProcess); | ^~~~~~~~~~~~~ a possible fix would be : #define handle_to_pid(a) ((int)(uintptr_t)(a)) best regards Vincent Torri From jussi.kivilinna at iki.fi Thu Dec 30 17:06:19 2021 From: jussi.kivilinna at iki.fi (Jussi Kivilinna) Date: Thu, 30 Dec 2021 18:06:19 +0200 Subject: [PATCH] Add SM3 ARM/AArch64 assembly implementation Message-ID: <20211230160619.2649904-1-jussi.kivilinna@iki.fi> * cipher/Makefile.am: Add 'sm3-aarch64.S'. * cipher/sm3-aarch64.S: New. * cipher/sm3.c (USE_AARCH64_SIMD): New. [USE_AARCH64_SIMD] (_gcry_sm3_transform_aarch64) (do_sm3_transform_aarch64): New. (sm3_init) [USE_AARCH64_SIMD]: New. * configure.ac: Add 'sm3-aarch64.lo'. * tests/basic.c (main): Add command-line option '--hash' for running only hash algorithm tests. -- Benchmark on AWS Graviton2: Before: | nanosecs/byte mebibytes/sec cycles/byte auto Mhz SM3 | 4.24 ns/B 224.8 MiB/s 10.61 c/B 2500 After (~34% faster): | nanosecs/byte mebibytes/sec cycles/byte auto Mhz SM3 | 3.15 ns/B 302.4 MiB/s 7.88 c/B 2500 Signed-off-by: Jussi Kivilinna --- cipher/Makefile.am | 2 +- cipher/sm3-aarch64.S | 657 +++++++++++++++++++++++++++++++++++++++++++ cipher/sm3.c | 27 ++ configure.ac | 12 +- tests/basic.c | 12 + 5 files changed, 705 insertions(+), 5 deletions(-) create mode 100644 cipher/sm3-aarch64.S diff --git a/cipher/Makefile.am b/cipher/Makefile.am index 30c39123..264b3d30 100644 --- a/cipher/Makefile.am +++ b/cipher/Makefile.am @@ -129,7 +129,7 @@ EXTRA_libcipher_la_SOURCES = \ sha512-avx2-bmi2-amd64.S \ sha512-armv7-neon.S sha512-arm.S \ sha512-ppc.c sha512-ssse3-i386.c \ - sm3.c sm3-avx-bmi2-amd64.S \ + sm3.c sm3-avx-bmi2-amd64.S sm3-aarch64.S \ keccak.c keccak_permute_32.h keccak_permute_64.h keccak-armv7-neon.S \ stribog.c \ tiger.c \ diff --git a/cipher/sm3-aarch64.S b/cipher/sm3-aarch64.S new file mode 100644 index 00000000..1e77c832 --- /dev/null +++ b/cipher/sm3-aarch64.S @@ -0,0 +1,657 @@ +/* sm3-aarch64.S - ARMv8/AArch64 accelerated SM3 transform function + * + * Copyright (C) 2021 Jussi Kivilinna + * + * This file is part of Libgcrypt. + * + * Libgcrypt is free software; you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * Libgcrypt is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this program; if not, see . + */ + +#include "asm-common-aarch64.h" + +#if defined(__AARCH64EL__) && \ + defined(HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS) && \ + defined(HAVE_GCC_INLINE_ASM_AARCH64_NEON) && \ + defined(USE_SM3) + +.cpu generic+simd + +/* Constants */ + +.text +.align 4 +ELF(.type _gcry_sm3_aarch64_consts, at object) +_gcry_sm3_aarch64_consts: +.LKtable: + .long 0x79cc4519, 0xf3988a32, 0xe7311465, 0xce6228cb + .long 0x9cc45197, 0x3988a32f, 0x7311465e, 0xe6228cbc + .long 0xcc451979, 0x988a32f3, 0x311465e7, 0x6228cbce + .long 0xc451979c, 0x88a32f39, 0x11465e73, 0x228cbce6 + .long 0x9d8a7a87, 0x3b14f50f, 0x7629ea1e, 0xec53d43c + .long 0xd8a7a879, 0xb14f50f3, 0x629ea1e7, 0xc53d43ce + .long 0x8a7a879d, 0x14f50f3b, 0x29ea1e76, 0x53d43cec + .long 0xa7a879d8, 0x4f50f3b1, 0x9ea1e762, 0x3d43cec5 + .long 0x7a879d8a, 0xf50f3b14, 0xea1e7629, 0xd43cec53 + .long 0xa879d8a7, 0x50f3b14f, 0xa1e7629e, 0x43cec53d + .long 0x879d8a7a, 0x0f3b14f5, 0x1e7629ea, 0x3cec53d4 + .long 0x79d8a7a8, 0xf3b14f50, 0xe7629ea1, 0xcec53d43 + .long 0x9d8a7a87, 0x3b14f50f, 0x7629ea1e, 0xec53d43c + .long 0xd8a7a879, 0xb14f50f3, 0x629ea1e7, 0xc53d43ce + .long 0x8a7a879d, 0x14f50f3b, 0x29ea1e76, 0x53d43cec + .long 0xa7a879d8, 0x4f50f3b1, 0x9ea1e762, 0x3d43cec5 +ELF(.size _gcry_sm3_aarch64_consts,.-_gcry_sm3_aarch64_consts) + +/* Context structure */ + +#define state_h0 0 +#define state_h1 4 +#define state_h2 8 +#define state_h3 12 +#define state_h4 16 +#define state_h5 20 +#define state_h6 24 +#define state_h7 28 + +/* Stack structure */ + +#define STACK_W_SIZE (32 * 2 * 3) + +#define STACK_W (0) +#define STACK_SIZE (STACK_W + STACK_W_SIZE) + +/* Register macros */ + +#define RSTATE x0 +#define RDATA x1 +#define RNBLKS x2 +#define RKPTR x28 +#define RFRAME x29 + +#define ra w3 +#define rb w4 +#define rc w5 +#define rd w6 +#define re w7 +#define rf w8 +#define rg w9 +#define rh w10 + +#define t0 w11 +#define t1 w12 +#define t2 w13 +#define t3 w14 +#define t4 w15 +#define t5 w16 +#define t6 w17 + +#define k_even w19 +#define k_odd w20 + +#define addr0 x21 +#define addr1 x22 + +#define s0 w23 +#define s1 w24 +#define s2 w25 +#define s3 w26 + +#define W0 v0 +#define W1 v1 +#define W2 v2 +#define W3 v3 +#define W4 v4 +#define W5 v5 + +#define XTMP0 v6 +#define XTMP1 v7 +#define XTMP2 v16 +#define XTMP3 v17 +#define XTMP4 v18 +#define XTMP5 v19 +#define XTMP6 v20 + +/* Helper macros. */ + +#define _(...) /*_*/ + +#define clear_vec(x) \ + eor x.16b, x.16b, x.16b; + +#define rolw(o, a, n) \ + ror o, a, #(32 - n); + +/* Round function macros. */ + +#define GG1_1(x, y, z, o, t) \ + eor o, x, y; +#define GG1_2(x, y, z, o, t) \ + eor o, o, z; +#define GG1_3(x, y, z, o, t) + +#define FF1_1(x, y, z, o, t) GG1_1(x, y, z, o, t) +#define FF1_2(x, y, z, o, t) +#define FF1_3(x, y, z, o, t) GG1_2(x, y, z, o, t) + +#define GG2_1(x, y, z, o, t) \ + bic o, z, x; +#define GG2_2(x, y, z, o, t) \ + and t, y, x; +#define GG2_3(x, y, z, o, t) \ + eor o, o, t; + +#define FF2_1(x, y, z, o, t) \ + eor o, x, y; +#define FF2_2(x, y, z, o, t) \ + and t, x, y; \ + and o, o, z; +#define FF2_3(x, y, z, o, t) \ + eor o, o, t; + +#define R(i, a, b, c, d, e, f, g, h, k, K_LOAD, round, widx, wtype, IOP, iop_param) \ + K_LOAD(round); \ + ldr t5, [sp, #(wtype##_W1_ADDR(round, widx))]; \ + rolw(t0, a, 12); /* rol(a, 12) => t0 */ \ + IOP(1, iop_param); \ + FF##i##_1(a, b, c, t1, t2); \ + ldr t6, [sp, #(wtype##_W1W2_ADDR(round, widx))]; \ + add k, k, e; \ + IOP(2, iop_param); \ + GG##i##_1(e, f, g, t3, t4); \ + FF##i##_2(a, b, c, t1, t2); \ + IOP(3, iop_param); \ + add k, k, t0; \ + add h, h, t5; \ + add d, d, t6; /* w1w2 + d => d */ \ + IOP(4, iop_param); \ + rolw(k, k, 7); /* rol (t0 + e + t), 7) => k */ \ + GG##i##_2(e, f, g, t3, t4); \ + add h, h, k; /* h + w1 + k => h */ \ + IOP(5, iop_param); \ + FF##i##_3(a, b, c, t1, t2); \ + eor t0, t0, k; /* k ^ t0 => t0 */ \ + GG##i##_3(e, f, g, t3, t4); \ + add d, d, t1; /* FF(a,b,c) + d => d */ \ + IOP(6, iop_param); \ + add t3, t3, h; /* GG(e,f,g) + h => t3 */ \ + rolw(b, b, 9); /* rol(b, 9) => b */ \ + eor h, t3, t3, ror #(32-9); \ + IOP(7, iop_param); \ + add d, d, t0; /* t0 + d => d */ \ + rolw(f, f, 19); /* rol(f, 19) => f */ \ + IOP(8, iop_param); \ + eor h, h, t3, ror #(32-17); /* P0(t3) => h */ \ + +#define R1(a, b, c, d, e, f, g, h, k, K_LOAD, round, widx, wtype, IOP, iop_param) \ + R(1, ##a, ##b, ##c, ##d, ##e, ##f, ##g, ##h, ##k, K_LOAD, round, widx, wtype, IOP, iop_param) + +#define R2(a, b, c, d, e, f, g, h, k, K_LOAD, round, widx, wtype, IOP, iop_param) \ + R(2, ##a, ##b, ##c, ##d, ##e, ##f, ##g, ##h, ##k, K_LOAD, round, widx, wtype, IOP, iop_param) + +#define KL(round) \ + ldp k_even, k_odd, [RKPTR, #(4*(round))]; + +/* Input expansion macros. */ + +/* Byte-swapped input address. */ +#define IW_W_ADDR(round, widx, offs) \ + (STACK_W + ((round) / 4) * 64 + (offs) + ((widx) * 4)) + +/* Expanded input address. */ +#define XW_W_ADDR(round, widx, offs) \ + (STACK_W + ((((round) / 3) - 4) % 2) * 64 + (offs) + ((widx) * 4)) + +/* Rounds 1-12, byte-swapped input block addresses. */ +#define IW_W1_ADDR(round, widx) IW_W_ADDR(round, widx, 32) +#define IW_W1W2_ADDR(round, widx) IW_W_ADDR(round, widx, 48) + +/* Rounds 1-12, expanded input block addresses. */ +#define XW_W1_ADDR(round, widx) XW_W_ADDR(round, widx, 0) +#define XW_W1W2_ADDR(round, widx) XW_W_ADDR(round, widx, 16) + +/* Input block loading. + * Interleaving within round function needed for in-order CPUs. */ +#define LOAD_W_VEC_1_1() \ + add addr0, sp, #IW_W1_ADDR(0, 0); +#define LOAD_W_VEC_1_2() \ + add addr1, sp, #IW_W1_ADDR(4, 0); +#define LOAD_W_VEC_1_3() \ + ld1 {W0.16b}, [RDATA], #16; +#define LOAD_W_VEC_1_4() \ + ld1 {W1.16b}, [RDATA], #16; +#define LOAD_W_VEC_1_5() \ + ld1 {W2.16b}, [RDATA], #16; +#define LOAD_W_VEC_1_6() \ + ld1 {W3.16b}, [RDATA], #16; +#define LOAD_W_VEC_1_7() \ + rev32 XTMP0.16b, W0.16b; +#define LOAD_W_VEC_1_8() \ + rev32 XTMP1.16b, W1.16b; +#define LOAD_W_VEC_2_1() \ + rev32 XTMP2.16b, W2.16b; +#define LOAD_W_VEC_2_2() \ + rev32 XTMP3.16b, W3.16b; +#define LOAD_W_VEC_2_3() \ + eor XTMP4.16b, XTMP1.16b, XTMP0.16b; +#define LOAD_W_VEC_2_4() \ + eor XTMP5.16b, XTMP2.16b, XTMP1.16b; +#define LOAD_W_VEC_2_5() \ + st1 {XTMP0.16b}, [addr0], #16; +#define LOAD_W_VEC_2_6() \ + st1 {XTMP4.16b}, [addr0]; \ + add addr0, sp, #IW_W1_ADDR(8, 0); +#define LOAD_W_VEC_2_7() \ + eor XTMP6.16b, XTMP3.16b, XTMP2.16b; +#define LOAD_W_VEC_2_8() \ + ext W0.16b, XTMP0.16b, XTMP0.16b, #8; /* W0: xx, w0, xx, xx */ +#define LOAD_W_VEC_3_1() \ + mov W2.16b, XTMP1.16b; /* W2: xx, w6, w5, w4 */ +#define LOAD_W_VEC_3_2() \ + st1 {XTMP1.16b}, [addr1], #16; +#define LOAD_W_VEC_3_3() \ + st1 {XTMP5.16b}, [addr1]; \ + ext W1.16b, XTMP0.16b, XTMP0.16b, #4; /* W1: xx, w3, w2, w1 */ +#define LOAD_W_VEC_3_4() \ + ext W3.16b, XTMP1.16b, XTMP2.16b, #12; /* W3: xx, w9, w8, w7 */ +#define LOAD_W_VEC_3_5() \ + ext W4.16b, XTMP2.16b, XTMP3.16b, #8; /* W4: xx, w12, w11, w10 */ +#define LOAD_W_VEC_3_6() \ + st1 {XTMP2.16b}, [addr0], #16; +#define LOAD_W_VEC_3_7() \ + st1 {XTMP6.16b}, [addr0]; +#define LOAD_W_VEC_3_8() \ + ext W5.16b, XTMP3.16b, XTMP3.16b, #4; /* W5: xx, w15, w14, w13 */ + +#define LOAD_W_VEC_1(iop_num, ...) \ + LOAD_W_VEC_1_##iop_num() +#define LOAD_W_VEC_2(iop_num, ...) \ + LOAD_W_VEC_2_##iop_num() +#define LOAD_W_VEC_3(iop_num, ...) \ + LOAD_W_VEC_3_##iop_num() + +/* Message scheduling. Note: 3 words per vector register. + * Interleaving within round function needed for in-order CPUs. */ +#define SCHED_W_1_1(round, w0, w1, w2, w3, w4, w5) \ + /* Load (w[i - 16]) => XTMP0 */ \ + /* Load (w[i - 13]) => XTMP5 */ \ + ext XTMP0.16b, w0.16b, w0.16b, #12; /* XTMP0: w0, xx, xx, xx */ +#define SCHED_W_1_2(round, w0, w1, w2, w3, w4, w5) \ + ext XTMP5.16b, w1.16b, w1.16b, #12; +#define SCHED_W_1_3(round, w0, w1, w2, w3, w4, w5) \ + ext XTMP0.16b, XTMP0.16b, w1.16b, #12; /* XTMP0: xx, w2, w1, w0 */ +#define SCHED_W_1_4(round, w0, w1, w2, w3, w4, w5) \ + ext XTMP5.16b, XTMP5.16b, w2.16b, #12; +#define SCHED_W_1_5(round, w0, w1, w2, w3, w4, w5) \ + /* w[i - 9] == w3 */ \ + /* W3 ^ XTMP0 => XTMP0 */ \ + eor XTMP0.16b, XTMP0.16b, w3.16b; +#define SCHED_W_1_6(round, w0, w1, w2, w3, w4, w5) \ + /* w[i - 3] == w5 */ \ + /* rol(XMM5, 15) ^ XTMP0 => XTMP0 */ \ + /* rol(XTMP5, 7) => XTMP1 */ \ + add addr0, sp, #XW_W1_ADDR((round), 0); \ + shl XTMP2.4s, w5.4s, #15; +#define SCHED_W_1_7(round, w0, w1, w2, w3, w4, w5) \ + shl XTMP1.4s, XTMP5.4s, #7; +#define SCHED_W_1_8(round, w0, w1, w2, w3, w4, w5) \ + sri XTMP2.4s, w5.4s, #(32-15); +#define SCHED_W_2_1(round, w0, w1, w2, w3, w4, w5) \ + sri XTMP1.4s, XTMP5.4s, #(32-7); +#define SCHED_W_2_2(round, w0, w1, w2, w3, w4, w5) \ + eor XTMP0.16b, XTMP0.16b, XTMP2.16b; +#define SCHED_W_2_3(round, w0, w1, w2, w3, w4, w5) \ + /* w[i - 6] == W4 */ \ + /* W4 ^ XTMP1 => XTMP1 */ \ + eor XTMP1.16b, XTMP1.16b, w4.16b; +#define SCHED_W_2_4(round, w0, w1, w2, w3, w4, w5) \ + /* P1(XTMP0) ^ XTMP1 => W0 */ \ + shl XTMP3.4s, XTMP0.4s, #15; +#define SCHED_W_2_5(round, w0, w1, w2, w3, w4, w5) \ + shl XTMP4.4s, XTMP0.4s, #23; +#define SCHED_W_2_6(round, w0, w1, w2, w3, w4, w5) \ + eor w0.16b, XTMP1.16b, XTMP0.16b; +#define SCHED_W_2_7(round, w0, w1, w2, w3, w4, w5) \ + sri XTMP3.4s, XTMP0.4s, #(32-15); +#define SCHED_W_2_8(round, w0, w1, w2, w3, w4, w5) \ + sri XTMP4.4s, XTMP0.4s, #(32-23); +#define SCHED_W_3_1(round, w0, w1, w2, w3, w4, w5) \ + eor w0.16b, w0.16b, XTMP3.16b; +#define SCHED_W_3_2(round, w0, w1, w2, w3, w4, w5) \ + /* Load (w[i - 3]) => XTMP2 */ \ + ext XTMP2.16b, w4.16b, w4.16b, #12; +#define SCHED_W_3_3(round, w0, w1, w2, w3, w4, w5) \ + eor w0.16b, w0.16b, XTMP4.16b; +#define SCHED_W_3_4(round, w0, w1, w2, w3, w4, w5) \ + ext XTMP2.16b, XTMP2.16b, w5.16b, #12; +#define SCHED_W_3_5(round, w0, w1, w2, w3, w4, w5) \ + /* W1 ^ W2 => XTMP3 */ \ + eor XTMP3.16b, XTMP2.16b, w0.16b; +#define SCHED_W_3_6(round, w0, w1, w2, w3, w4, w5) +#define SCHED_W_3_7(round, w0, w1, w2, w3, w4, w5) \ + st1 { XTMP2.16b-XTMP3.16b }, [addr0]; +#define SCHED_W_3_8(round, w0, w1, w2, w3, w4, w5) + +#define SCHED_W_W0W1W2W3W4W5_1(iop_num, round) \ + SCHED_W_1_##iop_num(round, W0, W1, W2, W3, W4, W5) +#define SCHED_W_W0W1W2W3W4W5_2(iop_num, round) \ + SCHED_W_2_##iop_num(round, W0, W1, W2, W3, W4, W5) +#define SCHED_W_W0W1W2W3W4W5_3(iop_num, round) \ + SCHED_W_3_##iop_num(round, W0, W1, W2, W3, W4, W5) + +#define SCHED_W_W1W2W3W4W5W0_1(iop_num, round) \ + SCHED_W_1_##iop_num(round, W1, W2, W3, W4, W5, W0) +#define SCHED_W_W1W2W3W4W5W0_2(iop_num, round) \ + SCHED_W_2_##iop_num(round, W1, W2, W3, W4, W5, W0) +#define SCHED_W_W1W2W3W4W5W0_3(iop_num, round) \ + SCHED_W_3_##iop_num(round, W1, W2, W3, W4, W5, W0) + +#define SCHED_W_W2W3W4W5W0W1_1(iop_num, round) \ + SCHED_W_1_##iop_num(round, W2, W3, W4, W5, W0, W1) +#define SCHED_W_W2W3W4W5W0W1_2(iop_num, round) \ + SCHED_W_2_##iop_num(round, W2, W3, W4, W5, W0, W1) +#define SCHED_W_W2W3W4W5W0W1_3(iop_num, round) \ + SCHED_W_3_##iop_num(round, W2, W3, W4, W5, W0, W1) + +#define SCHED_W_W3W4W5W0W1W2_1(iop_num, round) \ + SCHED_W_1_##iop_num(round, W3, W4, W5, W0, W1, W2) +#define SCHED_W_W3W4W5W0W1W2_2(iop_num, round) \ + SCHED_W_2_##iop_num(round, W3, W4, W5, W0, W1, W2) +#define SCHED_W_W3W4W5W0W1W2_3(iop_num, round) \ + SCHED_W_3_##iop_num(round, W3, W4, W5, W0, W1, W2) + +#define SCHED_W_W4W5W0W1W2W3_1(iop_num, round) \ + SCHED_W_1_##iop_num(round, W4, W5, W0, W1, W2, W3) +#define SCHED_W_W4W5W0W1W2W3_2(iop_num, round) \ + SCHED_W_2_##iop_num(round, W4, W5, W0, W1, W2, W3) +#define SCHED_W_W4W5W0W1W2W3_3(iop_num, round) \ + SCHED_W_3_##iop_num(round, W4, W5, W0, W1, W2, W3) + +#define SCHED_W_W5W0W1W2W3W4_1(iop_num, round) \ + SCHED_W_1_##iop_num(round, W5, W0, W1, W2, W3, W4) +#define SCHED_W_W5W0W1W2W3W4_2(iop_num, round) \ + SCHED_W_2_##iop_num(round, W5, W0, W1, W2, W3, W4) +#define SCHED_W_W5W0W1W2W3W4_3(iop_num, round) \ + SCHED_W_3_##iop_num(round, W5, W0, W1, W2, W3, W4) + +/* + * Transform nblks*64 bytes (nblks*16 32-bit words) at DATA. + * + * unsigned int + * _gcry_sm3_transform_aarch64 (void *ctx, const unsigned char *data, + * size_t nblks) + */ +.align 3 +.globl _gcry_sm3_transform_aarch64 +ELF(.type _gcry_sm3_transform_aarch64,%function;) +_gcry_sm3_transform_aarch64: + CFI_STARTPROC(); + + ldp ra, rb, [RSTATE, #0]; + ldp rc, rd, [RSTATE, #8]; + ldp re, rf, [RSTATE, #16]; + ldp rg, rh, [RSTATE, #24]; + + stp x28, x29, [sp, #-16]!; + CFI_ADJUST_CFA_OFFSET(16); + CFI_REG_ON_STACK(28, 0); + CFI_REG_ON_STACK(29, 8); + stp x19, x20, [sp, #-16]!; + CFI_ADJUST_CFA_OFFSET(16); + CFI_REG_ON_STACK(19, 0); + CFI_REG_ON_STACK(20, 8); + stp x21, x22, [sp, #-16]!; + CFI_ADJUST_CFA_OFFSET(16); + CFI_REG_ON_STACK(21, 0); + CFI_REG_ON_STACK(22, 8); + stp x23, x24, [sp, #-16]!; + CFI_ADJUST_CFA_OFFSET(16); + CFI_REG_ON_STACK(23, 0); + CFI_REG_ON_STACK(24, 8); + stp x25, x26, [sp, #-16]!; + CFI_ADJUST_CFA_OFFSET(16); + CFI_REG_ON_STACK(25, 0); + CFI_REG_ON_STACK(26, 8); + mov RFRAME, sp; + CFI_DEF_CFA_REGISTER(RFRAME); + + sub addr0, sp, #STACK_SIZE; + GET_DATA_POINTER(RKPTR, .LKtable); + and sp, addr0, #(~63); + + /* Preload first block. */ + LOAD_W_VEC_1(1, 0); + LOAD_W_VEC_1(2, 0); + LOAD_W_VEC_1(3, 0); + LOAD_W_VEC_1(4, 0); + LOAD_W_VEC_1(5, 0); + LOAD_W_VEC_1(6, 0); + LOAD_W_VEC_1(7, 0); + LOAD_W_VEC_1(8, 0); + LOAD_W_VEC_2(1, 0); + LOAD_W_VEC_2(2, 0); + LOAD_W_VEC_2(3, 0); + LOAD_W_VEC_2(4, 0); + LOAD_W_VEC_2(5, 0); + LOAD_W_VEC_2(6, 0); + LOAD_W_VEC_2(7, 0); + LOAD_W_VEC_2(8, 0); + LOAD_W_VEC_3(1, 0); + LOAD_W_VEC_3(2, 0); + LOAD_W_VEC_3(3, 0); + LOAD_W_VEC_3(4, 0); + LOAD_W_VEC_3(5, 0); + LOAD_W_VEC_3(6, 0); + LOAD_W_VEC_3(7, 0); + LOAD_W_VEC_3(8, 0); + +.balign 16 +.Loop: + /* Transform 0-3 */ + R1(ra, rb, rc, rd, re, rf, rg, rh, k_even, KL, 0, 0, IW, _, 0); + R1(rd, ra, rb, rc, rh, re, rf, rg, k_odd, _, 1, 1, IW, _, 0); + R1(rc, rd, ra, rb, rg, rh, re, rf, k_even, KL, 2, 2, IW, _, 0); + R1(rb, rc, rd, ra, rf, rg, rh, re, k_odd, _, 3, 3, IW, _, 0); + + /* Transform 4-7 + Precalc 12-14 */ + R1(ra, rb, rc, rd, re, rf, rg, rh, k_even, KL, 4, 0, IW, _, 0); + R1(rd, ra, rb, rc, rh, re, rf, rg, k_odd, _, 5, 1, IW, _, 0); + R1(rc, rd, ra, rb, rg, rh, re, rf, k_even, KL, 6, 2, IW, SCHED_W_W0W1W2W3W4W5_1, 12); + R1(rb, rc, rd, ra, rf, rg, rh, re, k_odd, _, 7, 3, IW, SCHED_W_W0W1W2W3W4W5_2, 12); + + /* Transform 8-11 + Precalc 12-17 */ + R1(ra, rb, rc, rd, re, rf, rg, rh, k_even, KL, 8, 0, IW, SCHED_W_W0W1W2W3W4W5_3, 12); + R1(rd, ra, rb, rc, rh, re, rf, rg, k_odd, _, 9, 1, IW, SCHED_W_W1W2W3W4W5W0_1, 15); + R1(rc, rd, ra, rb, rg, rh, re, rf, k_even, KL, 10, 2, IW, SCHED_W_W1W2W3W4W5W0_2, 15); + R1(rb, rc, rd, ra, rf, rg, rh, re, k_odd, _, 11, 3, IW, SCHED_W_W1W2W3W4W5W0_3, 15); + + /* Transform 12-14 + Precalc 18-20 */ + R1(ra, rb, rc, rd, re, rf, rg, rh, k_even, KL, 12, 0, XW, SCHED_W_W2W3W4W5W0W1_1, 18); + R1(rd, ra, rb, rc, rh, re, rf, rg, k_odd, _, 13, 1, XW, SCHED_W_W2W3W4W5W0W1_2, 18); + R1(rc, rd, ra, rb, rg, rh, re, rf, k_even, KL, 14, 2, XW, SCHED_W_W2W3W4W5W0W1_3, 18); + + /* Transform 15-17 + Precalc 21-23 */ + R1(rb, rc, rd, ra, rf, rg, rh, re, k_odd, _, 15, 0, XW, SCHED_W_W3W4W5W0W1W2_1, 21); + R2(ra, rb, rc, rd, re, rf, rg, rh, k_even, KL, 16, 1, XW, SCHED_W_W3W4W5W0W1W2_2, 21); + R2(rd, ra, rb, rc, rh, re, rf, rg, k_odd, _, 17, 2, XW, SCHED_W_W3W4W5W0W1W2_3, 21); + + /* Transform 18-20 + Precalc 24-26 */ + R2(rc, rd, ra, rb, rg, rh, re, rf, k_even, KL, 18, 0, XW, SCHED_W_W4W5W0W1W2W3_1, 24) + R2(rb, rc, rd, ra, rf, rg, rh, re, k_odd, _, 19, 1, XW, SCHED_W_W4W5W0W1W2W3_2, 24) + R2(ra, rb, rc, rd, re, rf, rg, rh, k_even, KL, 20, 2, XW, SCHED_W_W4W5W0W1W2W3_3, 24) + + /* Transform 21-23 + Precalc 27-29 */ + R2(rd, ra, rb, rc, rh, re, rf, rg, k_odd, _, 21, 0, XW, SCHED_W_W5W0W1W2W3W4_1, 27) + R2(rc, rd, ra, rb, rg, rh, re, rf, k_even, KL, 22, 1, XW, SCHED_W_W5W0W1W2W3W4_2, 27) + R2(rb, rc, rd, ra, rf, rg, rh, re, k_odd, _, 23, 2, XW, SCHED_W_W5W0W1W2W3W4_3, 27) + + /* Transform 24-26 + Precalc 30-32 */ + R2(ra, rb, rc, rd, re, rf, rg, rh, k_even, KL, 24, 0, XW, SCHED_W_W0W1W2W3W4W5_1, 30) + R2(rd, ra, rb, rc, rh, re, rf, rg, k_odd, _, 25, 1, XW, SCHED_W_W0W1W2W3W4W5_2, 30) + R2(rc, rd, ra, rb, rg, rh, re, rf, k_even, KL, 26, 2, XW, SCHED_W_W0W1W2W3W4W5_3, 30) + + /* Transform 27-29 + Precalc 33-35 */ + R2(rb, rc, rd, ra, rf, rg, rh, re, k_odd, _, 27, 0, XW, SCHED_W_W1W2W3W4W5W0_1, 33) + R2(ra, rb, rc, rd, re, rf, rg, rh, k_even, KL, 28, 1, XW, SCHED_W_W1W2W3W4W5W0_2, 33) + R2(rd, ra, rb, rc, rh, re, rf, rg, k_odd, _, 29, 2, XW, SCHED_W_W1W2W3W4W5W0_3, 33) + + /* Transform 30-32 + Precalc 36-38 */ + R2(rc, rd, ra, rb, rg, rh, re, rf, k_even, KL, 30, 0, XW, SCHED_W_W2W3W4W5W0W1_1, 36) + R2(rb, rc, rd, ra, rf, rg, rh, re, k_odd, _, 31, 1, XW, SCHED_W_W2W3W4W5W0W1_2, 36) + R2(ra, rb, rc, rd, re, rf, rg, rh, k_even, KL, 32, 2, XW, SCHED_W_W2W3W4W5W0W1_3, 36) + + /* Transform 33-35 + Precalc 39-41 */ + R2(rd, ra, rb, rc, rh, re, rf, rg, k_odd, _, 33, 0, XW, SCHED_W_W3W4W5W0W1W2_1, 39) + R2(rc, rd, ra, rb, rg, rh, re, rf, k_even, KL, 34, 1, XW, SCHED_W_W3W4W5W0W1W2_2, 39) + R2(rb, rc, rd, ra, rf, rg, rh, re, k_odd, _, 35, 2, XW, SCHED_W_W3W4W5W0W1W2_3, 39) + + /* Transform 36-38 + Precalc 42-44 */ + R2(ra, rb, rc, rd, re, rf, rg, rh, k_even, KL, 36, 0, XW, SCHED_W_W4W5W0W1W2W3_1, 42) + R2(rd, ra, rb, rc, rh, re, rf, rg, k_odd, _, 37, 1, XW, SCHED_W_W4W5W0W1W2W3_2, 42) + R2(rc, rd, ra, rb, rg, rh, re, rf, k_even, KL, 38, 2, XW, SCHED_W_W4W5W0W1W2W3_3, 42) + + /* Transform 39-41 + Precalc 45-47 */ + R2(rb, rc, rd, ra, rf, rg, rh, re, k_odd, _, 39, 0, XW, SCHED_W_W5W0W1W2W3W4_1, 45) + R2(ra, rb, rc, rd, re, rf, rg, rh, k_even, KL, 40, 1, XW, SCHED_W_W5W0W1W2W3W4_2, 45) + R2(rd, ra, rb, rc, rh, re, rf, rg, k_odd, _, 41, 2, XW, SCHED_W_W5W0W1W2W3W4_3, 45) + + /* Transform 42-44 + Precalc 48-50 */ + R2(rc, rd, ra, rb, rg, rh, re, rf, k_even, KL, 42, 0, XW, SCHED_W_W0W1W2W3W4W5_1, 48) + R2(rb, rc, rd, ra, rf, rg, rh, re, k_odd, _, 43, 1, XW, SCHED_W_W0W1W2W3W4W5_2, 48) + R2(ra, rb, rc, rd, re, rf, rg, rh, k_even, KL, 44, 2, XW, SCHED_W_W0W1W2W3W4W5_3, 48) + + /* Transform 45-47 + Precalc 51-53 */ + R2(rd, ra, rb, rc, rh, re, rf, rg, k_odd, _, 45, 0, XW, SCHED_W_W1W2W3W4W5W0_1, 51) + R2(rc, rd, ra, rb, rg, rh, re, rf, k_even, KL, 46, 1, XW, SCHED_W_W1W2W3W4W5W0_2, 51) + R2(rb, rc, rd, ra, rf, rg, rh, re, k_odd, _, 47, 2, XW, SCHED_W_W1W2W3W4W5W0_3, 51) + + /* Transform 48-50 + Precalc 54-56 */ + R2(ra, rb, rc, rd, re, rf, rg, rh, k_even, KL, 48, 0, XW, SCHED_W_W2W3W4W5W0W1_1, 54) + R2(rd, ra, rb, rc, rh, re, rf, rg, k_odd, _, 49, 1, XW, SCHED_W_W2W3W4W5W0W1_2, 54) + R2(rc, rd, ra, rb, rg, rh, re, rf, k_even, KL, 50, 2, XW, SCHED_W_W2W3W4W5W0W1_3, 54) + + /* Transform 51-53 + Precalc 57-59 */ + R2(rb, rc, rd, ra, rf, rg, rh, re, k_odd, _, 51, 0, XW, SCHED_W_W3W4W5W0W1W2_1, 57) + R2(ra, rb, rc, rd, re, rf, rg, rh, k_even, KL, 52, 1, XW, SCHED_W_W3W4W5W0W1W2_2, 57) + R2(rd, ra, rb, rc, rh, re, rf, rg, k_odd, _, 53, 2, XW, SCHED_W_W3W4W5W0W1W2_3, 57) + + /* Transform 54-56 + Precalc 60-62 */ + R2(rc, rd, ra, rb, rg, rh, re, rf, k_even, KL, 54, 0, XW, SCHED_W_W4W5W0W1W2W3_1, 60) + R2(rb, rc, rd, ra, rf, rg, rh, re, k_odd, _, 55, 1, XW, SCHED_W_W4W5W0W1W2W3_2, 60) + R2(ra, rb, rc, rd, re, rf, rg, rh, k_even, KL, 56, 2, XW, SCHED_W_W4W5W0W1W2W3_3, 60) + + /* Transform 57-59 + Precalc 63 */ + R2(rd, ra, rb, rc, rh, re, rf, rg, k_odd, _, 57, 0, XW, SCHED_W_W5W0W1W2W3W4_1, 63) + R2(rc, rd, ra, rb, rg, rh, re, rf, k_even, KL, 58, 1, XW, SCHED_W_W5W0W1W2W3W4_2, 63) + R2(rb, rc, rd, ra, rf, rg, rh, re, k_odd, _, 59, 2, XW, SCHED_W_W5W0W1W2W3W4_3, 63) + + /* Transform 60 */ + R2(ra, rb, rc, rd, re, rf, rg, rh, k_even, KL, 60, 0, XW, _, _); + subs RNBLKS, RNBLKS, #1; + b.eq .Lend; + + /* Transform 61-63 + Preload next block */ + R2(rd, ra, rb, rc, rh, re, rf, rg, k_odd, _, 61, 1, XW, LOAD_W_VEC_1, _); + ldp s0, s1, [RSTATE, #0]; + R2(rc, rd, ra, rb, rg, rh, re, rf, k_even, KL, 62, 2, XW, LOAD_W_VEC_2, _); + ldp s2, s3, [RSTATE, #8]; + R2(rb, rc, rd, ra, rf, rg, rh, re, k_odd, _, 63, 0, XW, LOAD_W_VEC_3, _); + + /* Update the chaining variables. */ + eor ra, ra, s0; + eor rb, rb, s1; + ldp s0, s1, [RSTATE, #16]; + eor rc, rc, s2; + ldp k_even, k_odd, [RSTATE, #24]; + eor rd, rd, s3; + eor re, re, s0; + stp ra, rb, [RSTATE, #0]; + eor rf, rf, s1; + stp rc, rd, [RSTATE, #8]; + eor rg, rg, k_even; + stp re, rf, [RSTATE, #16]; + eor rh, rh, k_odd; + stp rg, rh, [RSTATE, #24]; + b .Loop; + +.Lend: + /* Transform 61-63 */ + R2(rd, ra, rb, rc, rh, re, rf, rg, k_odd, _, 61, 1, XW, _, _); + ldp s0, s1, [RSTATE, #0]; + R2(rc, rd, ra, rb, rg, rh, re, rf, k_even, KL, 62, 2, XW, _, _); + ldp s2, s3, [RSTATE, #8]; + R2(rb, rc, rd, ra, rf, rg, rh, re, k_odd, _, 63, 0, XW, _, _); + + /* Update the chaining variables. */ + eor ra, ra, s0; + clear_vec(W0); + eor rb, rb, s1; + clear_vec(W1); + ldp s0, s1, [RSTATE, #16]; + clear_vec(W2); + eor rc, rc, s2; + clear_vec(W3); + ldp k_even, k_odd, [RSTATE, #24]; + clear_vec(W4); + eor rd, rd, s3; + clear_vec(W5); + eor re, re, s0; + clear_vec(XTMP0); + stp ra, rb, [RSTATE, #0]; + clear_vec(XTMP1); + eor rf, rf, s1; + clear_vec(XTMP2); + stp rc, rd, [RSTATE, #8]; + clear_vec(XTMP3); + eor rg, rg, k_even; + clear_vec(XTMP4); + stp re, rf, [RSTATE, #16]; + clear_vec(XTMP5); + eor rh, rh, k_odd; + clear_vec(XTMP6); + stp rg, rh, [RSTATE, #24]; + + /* Clear message expansion area */ + add addr0, sp, #STACK_W; + eor x0, x0, x0; // stack burned + st1 {W0.16b-W3.16b}, [addr0], #64; + st1 {W0.16b-W3.16b}, [addr0], #64; + st1 {W0.16b-W3.16b}, [addr0]; + + mov sp, RFRAME; + CFI_DEF_CFA_REGISTER(sp); + + ldp x25, x26, [sp], #16; + CFI_ADJUST_CFA_OFFSET(-16); + CFI_RESTORE(x25); + CFI_RESTORE(x26); + ldp x23, x24, [sp], #16; + CFI_ADJUST_CFA_OFFSET(-16); + CFI_RESTORE(x23); + CFI_RESTORE(x24); + ldp x21, x22, [sp], #16; + CFI_ADJUST_CFA_OFFSET(-16); + CFI_RESTORE(x21); + CFI_RESTORE(x22); + ldp x19, x20, [sp], #16; + CFI_ADJUST_CFA_OFFSET(-16); + CFI_RESTORE(x19); + CFI_RESTORE(x20); + ldp x28, x29, [sp], #16; + CFI_ADJUST_CFA_OFFSET(-16); + CFI_RESTORE(x28); + CFI_RESTORE(x29); + ret + CFI_ENDPROC(); +ELF(.size _gcry_sm3_transform_aarch64, .-_gcry_sm3_transform_aarch64;) + +#endif diff --git a/cipher/sm3.c b/cipher/sm3.c index 05b7b259..ca1a5fd3 100644 --- a/cipher/sm3.c +++ b/cipher/sm3.c @@ -56,6 +56,17 @@ # define USE_AVX_BMI2 1 #endif +/* USE_AARCH64_SIMD indicates whether to enable ARMv8 SIMD assembly + * code. */ +#undef USE_AARCH64_SIMD +#ifdef ENABLE_NEON_SUPPORT +# if defined(__AARCH64EL__) \ + && defined(HAVE_COMPATIBLE_GCC_AARCH64_PLATFORM_AS) \ + && defined(HAVE_GCC_INLINE_ASM_AARCH64_NEON) +# define USE_AARCH64_SIMD 1 +# endif +#endif + typedef struct { gcry_md_block_ctx_t bctx; @@ -94,6 +105,18 @@ do_sm3_transform_amd64_avx_bmi2(void *context, const unsigned char *data, } #endif /* USE_AVX_BMI2 */ +#ifdef USE_AARCH64_SIMD +unsigned int _gcry_sm3_transform_aarch64(void *state, const void *input_data, + size_t num_blks); + +static unsigned int +do_sm3_transform_aarch64(void *context, const unsigned char *data, size_t nblks) +{ + SM3_CONTEXT *hd = context; + return _gcry_sm3_transform_aarch64 (hd->h, data, nblks); +} +#endif /* USE_AARCH64_SIMD */ + static unsigned int transform (void *c, const unsigned char *data, size_t nblks); @@ -126,6 +149,10 @@ sm3_init (void *context, unsigned int flags) if ((features & HWF_INTEL_AVX2) && (features & HWF_INTEL_BMI2)) hd->bctx.bwrite = do_sm3_transform_amd64_avx_bmi2; #endif +#ifdef USE_AARCH64_SIMD + if (features & HWF_ARM_NEON) + hd->bctx.bwrite = do_sm3_transform_aarch64; +#endif (void)features; } diff --git a/configure.ac b/configure.ac index 06629380..3cb45a38 100644 --- a/configure.ac +++ b/configure.ac @@ -3034,10 +3034,14 @@ if test "$found" = "1" ; then AC_DEFINE(USE_SM3, 1, [Defined if this module should be included]) case "${host}" in - x86_64-*-*) - # Build with the assembly implementation - GCRYPT_ASM_DIGESTS="$GCRYPT_ASM_DIGESTS sm3-avx-bmi2-amd64.lo" - ;; + x86_64-*-*) + # Build with the assembly implementation + GCRYPT_ASM_DIGESTS="$GCRYPT_ASM_DIGESTS sm3-avx-bmi2-amd64.lo" + ;; + aarch64-*-*) + # Build with the assembly implementation + GCRYPT_ASM_DIGESTS="$GCRYPT_ASM_DIGESTS sm3-aarch64.lo" + ;; esac fi diff --git a/tests/basic.c b/tests/basic.c index e619c2e3..9e0444f6 100644 --- a/tests/basic.c +++ b/tests/basic.c @@ -16285,6 +16285,7 @@ main (int argc, char **argv) int selftest_only = 0; int pubkey_only = 0; int cipher_modes_only = 0; + int hash_only = 0; int loop = 0; unsigned int loopcount = 0; @@ -16330,6 +16331,11 @@ main (int argc, char **argv) cipher_modes_only = 1; argc--; argv++; } + else if (!strcmp (*argv, "--hash")) + { + hash_only = 1; + argc--; argv++; + } else if (!strcmp (*argv, "--die")) { die_on_error = 1; @@ -16395,6 +16401,12 @@ main (int argc, char **argv) check_ciphers (); check_cipher_modes (); } + else if (hash_only) + { + check_digests (); + check_hmac (); + check_mac (); + } else if (!selftest_only) { check_ciphers (); -- 2.32.0