On Sat, 19 Jul 2025 at 08:07, Eric Biggers <ebiggers@xxxxxxxxxx> wrote:
>
> Now that the oldest supported binutils version is 2.30, the macros that
> emit the SHA-512 instructions as '.inst' words are no longer needed. So
> drop them. No change in the generated machine code.
>
> Changed from the original patch by Ard Biesheuvel:
> (https://lore.kernel.org/r/20250515142702.2592942-2-ardb+git@xxxxxxxxxx):
> - Reduced scope to just SHA-512
> - Added comment that explains why "sha3" is used instead of "sha2"
>
> Signed-off-by: Eric Biggers <ebiggers@xxxxxxxxxx>
Acked-by: Ard Biesheuvel <ardb@xxxxxxxxxx>
Nit below
> ---
>
> This patch is targeting libcrypto-next
>
> lib/crypto/arm64/sha512-ce-core.S | 27 +++++++--------------------
> 1 file changed, 7 insertions(+), 20 deletions(-)
>
> diff --git a/lib/crypto/arm64/sha512-ce-core.S b/lib/crypto/arm64/sha512-ce-core.S
> index 7d870a435ea38..eaa485244af52 100644
> --- a/lib/crypto/arm64/sha512-ce-core.S
> +++ b/lib/crypto/arm64/sha512-ce-core.S
> @@ -10,30 +10,17 @@
> */
>
> #include <linux/linkage.h>
> #include <asm/assembler.h>
>
> - .irp b,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
> - .set .Lq\b, \b
> - .set .Lv\b\().2d, \b
> - .endr
> -
> - .macro sha512h, rd, rn, rm
> - .inst 0xce608000 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> - .endm
> -
> - .macro sha512h2, rd, rn, rm
> - .inst 0xce608400 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> - .endm
> -
> - .macro sha512su0, rd, rn
> - .inst 0xcec08000 | .L\rd | (.L\rn << 5)
> - .endm
> -
> - .macro sha512su1, rd, rn, rm
> - .inst 0xce608800 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> - .endm
> + /*
> + * While SHA-512 is part of the SHA-2 family of algorithms, the
> + * corresponding arm64 instructions are actually part of the "sha3" CPU
> + * feature. (Except in binutils 2.30 through 2.42, which used "sha2".
Nit: the ARM ARM describes these features as FEAT_SHA256, FEAT_SHA512 and FEAT_SHA3, and the latter two happen to have appeared in the same architecture revision. So this is likely just the GCC/binutils devs getting confused, and assuming a) that SHA-3 implies SHA-2 (which is silly if you know the difference) and b) SHA512 has anything to do with SHA-3.
> + * But "sha3" implies "sha2", so "sha3" still works in those versions.)
> + */
> + .arch armv8-a+sha3
>
> /*
> * The SHA-512 round constants
> */
> .section ".rodata", "a"
>
> base-commit: 66be847cc4c2e82fb50190b52b05b3bb0ef57999
> --
> 2.50.1
>
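Review bot: The new comment above `.arch armv8-a+sha3` explains the assembler's feature name but does not say that the directive only controls what the assembler will accept, and that it does so for every instruction from that line to the end of the file. It gives no guarantee about the CPU the code runs on, so a call on hardware without the SHA-512 instructions would presumably end in an undefined-instruction exception; the run-time feature check lives in callers that are outside this hunk. One more sentence in the comment would keep the two apart, for example `* Note that this only affects assembly; callers must still check for the SHA-512 CPU feature at run time.` Since the commit message relies on "No change in the generated machine code", comparing the disassembly of the object file before and after the change is a cheap way to confirm it.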