[Qemu-devel] [PATCH v5 0/4] target-arm: add SHA-3, SM3 and SHA512 instruction support

[Qemu-devel] [PATCH v5 0/4] target-arm: add SHA-3, SM3 and SHA512 instruction support

[Ard Biesheuvel]

Changes sinve v4:
- restructure code changes to make it easier on the reviewer
- add Peter's R-b to #4

Changes since v3:
- don't bother with helpers for the SHA3 instructions: they are simple enough
  to be emitted as TCG ops directly
- rebase onto Richard's pending SVE work

Changes since v2:
- fix thinko in big-endian aware handling of 64-bit quantities: this is not
  needed given that the NEON registers are represented as arrays of uint64_t
  so they always appear in the correct order.
- add support for SM3 instructions (Chinese SHA derivative)

Changes since v1:
- update SHA512 patch to adhere more closely to the existing style, and to
  the way the instruction encodings are classified in the ARM ARM (#1)
- add patch implementing the new SHA3 instructions EOR3/RAX1/XAR/BCAX (#2)
- enable support for these instructions in user mode emulation (#3)

Ard Biesheuvel (4):
  target/arm: implement SHA-512 instructions
  target/arm: implement SHA-3 instructions
  target/arm: implement SM3 instructions
  target/arm: enable user-mode SHA-3, SM3 and SHA-512 instruction
    support

 linux-user/elfload.c       |  18 ++
 target/arm/cpu.h           |   3 +
 target/arm/cpu64.c         |   3 +
 target/arm/crypto_helper.c | 192 +++++++++++-
 target/arm/helper.h        |  10 +
 target/arm/translate-a64.c | 319 ++++++++++++++++++++
 6 files changed, 544 insertions(+), 1 deletion(-)

-- 
2.11.0

[Qemu-devel] [PATCH v5 1/4] target/arm: implement SHA-512 instructions

[Ard Biesheuvel]

This implements emulation of the new SHA-512 instructions that have
been added as an optional extensions to the ARMv8 Crypto Extensions
in ARM v8.2.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 target/arm/cpu.h           |   1 +
 target/arm/crypto_helper.c |  75 ++++++++++++-
 target/arm/helper.h        |   5 +
 target/arm/translate-a64.c | 110 ++++++++++++++++++++
 4 files changed, 190 insertions(+), 1 deletion(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 0a923e42d8bf..32a18510e70b 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -1372,6 +1372,7 @@ enum arm_features {
     ARM_FEATURE_M_SECURITY, /* M profile Security Extension */
     ARM_FEATURE_JAZELLE, /* has (trivial) Jazelle implementation */
     ARM_FEATURE_SVE, /* has Scalable Vector Extension */
+    ARM_FEATURE_V8_SHA512, /* implements SHA512 part of v8 Crypto Extensions */
 };
 
 static inline int arm_feature(CPUARMState *env, int feature)
diff --git a/target/arm/crypto_helper.c b/target/arm/crypto_helper.c
index 9ca0bdead7bb..fb45948e9f13 100644
--- a/target/arm/crypto_helper.c
+++ b/target/arm/crypto_helper.c
@@ -1,7 +1,7 @@
 /*
  * crypto_helper.c - emulate v8 Crypto Extensions instructions
  *
- * Copyright (C) 2013 - 2014 Linaro Ltd <ard.biesheuvel@linaro.org>
+ * Copyright (C) 2013 - 2018 Linaro Ltd <ard.biesheuvel@linaro.org>
  *
  * This library is free software; you can redistribute it and/or
  * modify it under the terms of the GNU Lesser General Public
@@ -419,3 +419,76 @@ void HELPER(crypto_sha256su1)(void *vd, void *vn, void *vm)
     rd[0] = d.l[0];
     rd[1] = d.l[1];
 }
+
+/*
+ * The SHA-512 logical functions (same as above but using 64-bit operands)
+ */
+
+static uint64_t cho512(uint64_t x, uint64_t y, uint64_t z)
+{
+    return (x & (y ^ z)) ^ z;
+}
+
+static uint64_t maj512(uint64_t x, uint64_t y, uint64_t z)
+{
+    return (x & y) | ((x | y) & z);
+}
+
+static uint64_t S0_512(uint64_t x)
+{
+    return ror64(x, 28) ^ ror64(x, 34) ^ ror64(x, 39);
+}
+
+static uint64_t S1_512(uint64_t x)
+{
+    return ror64(x, 14) ^ ror64(x, 18) ^ ror64(x, 41);
+}
+
+static uint64_t s0_512(uint64_t x)
+{
+    return ror64(x, 1) ^ ror64(x, 8) ^ (x >> 7);
+}
+
+static uint64_t s1_512(uint64_t x)
+{
+    return ror64(x, 19) ^ ror64(x, 61) ^ (x >> 6);
+}
+
+void HELPER(crypto_sha512h)(void *vd, void *vn, void *vm)
+{
+    uint64_t *rd = vd;
+    uint64_t *rn = vn;
+    uint64_t *rm = vm;
+
+    rd[1] += S1_512(rm[1]) + cho512(rm[1], rn[0], rn[1]);
+    rd[0] += S1_512(rd[1] + rm[0]) + cho512(rd[1] + rm[0], rm[1], rn[0]);
+}
+
+void HELPER(crypto_sha512h2)(void *vd, void *vn, void *vm)
+{
+    uint64_t *rd = vd;
+    uint64_t *rn = vn;
+    uint64_t *rm = vm;
+
+    rd[1] += S0_512(rm[0]) + maj512(rn[0], rm[1], rm[0]);
+    rd[0] += S0_512(rd[1]) + maj512(rd[1], rm[0], rm[1]);
+}
+
+void HELPER(crypto_sha512su0)(void *vd, void *vn)
+{
+    uint64_t *rd = vd;
+    uint64_t *rn = vn;
+
+    rd[0] += s0_512(rd[1]);
+    rd[1] += s0_512(rn[0]);
+}
+
+void HELPER(crypto_sha512su1)(void *vd, void *vn, void *vm)
+{
+    uint64_t *rd = vd;
+    uint64_t *rn = vn;
+    uint64_t *rm = vm;
+
+    rd[0] += s1_512(rn[0]) + rm[0];
+    rd[1] += s1_512(rn[1]) + rm[1];
+}
diff --git a/target/arm/helper.h b/target/arm/helper.h
index 5dec2e62626b..81d460702867 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -534,6 +534,11 @@ DEF_HELPER_FLAGS_3(crypto_sha256h2, TCG_CALL_NO_RWG, void, ptr, ptr, ptr)
 DEF_HELPER_FLAGS_2(crypto_sha256su0, TCG_CALL_NO_RWG, void, ptr, ptr)
 DEF_HELPER_FLAGS_3(crypto_sha256su1, TCG_CALL_NO_RWG, void, ptr, ptr, ptr)
 
+DEF_HELPER_FLAGS_3(crypto_sha512h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr)
+DEF_HELPER_FLAGS_3(crypto_sha512h2, TCG_CALL_NO_RWG, void, ptr, ptr, ptr)
+DEF_HELPER_FLAGS_2(crypto_sha512su0, TCG_CALL_NO_RWG, void, ptr, ptr)
+DEF_HELPER_FLAGS_3(crypto_sha512su1, TCG_CALL_NO_RWG, void, ptr, ptr, ptr)
+
 DEF_HELPER_FLAGS_3(crc32, TCG_CALL_NO_RWG_SE, i32, i32, i32, i32)
 DEF_HELPER_FLAGS_3(crc32c, TCG_CALL_NO_RWG_SE, i32, i32, i32, i32)
 DEF_HELPER_2(dc_zva, void, env, i64)
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index 10eef870fee2..888f5a39a283 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -11132,6 +11132,114 @@ static void disas_crypto_two_reg_sha(DisasContext *s, uint32_t insn)
     tcg_temp_free_ptr(tcg_rn_ptr);
 }
 
+/* Crypto three-reg SHA512
+ *  31                   21 20  16 15  14  13 12  11  10  9    5 4    0
+ * +-----------------------+------+---+---+-----+--------+------+------+
+ * | 1 1 0 0 1 1 1 0 0 1 1 |  Rm  | 1 | O | 0 0 | opcode |  Rn  |  Rd  |
+ * +-----------------------+------+---+---+-----+--------+------+------+
+ */
+static void disas_crypto_three_reg_sha512(DisasContext *s, uint32_t insn)
+{
+    int opcode = extract32(insn, 10, 2);
+    int o =  extract32(insn, 14, 1);
+    int rm = extract32(insn, 16, 5);
+    int rn = extract32(insn, 5, 5);
+    int rd = extract32(insn, 0, 5);
+    int feature;
+    CryptoThreeOpFn *genfn;
+
+    if (o == 0) {
+        switch (opcode) {
+        case 0: /* SHA512H */
+            feature = ARM_FEATURE_V8_SHA512;
+            genfn = gen_helper_crypto_sha512h;
+            break;
+        case 1: /* SHA512H2 */
+            feature = ARM_FEATURE_V8_SHA512;
+            genfn = gen_helper_crypto_sha512h2;
+            break;
+        case 2: /* SHA512SU1 */
+            feature = ARM_FEATURE_V8_SHA512;
+            genfn = gen_helper_crypto_sha512su1;
+            break;
+        default:
+            unallocated_encoding(s);
+            return;
+        }
+    } else {
+        unallocated_encoding(s);
+        return;
+    }
+
+    if (!arm_dc_feature(s, feature)) {
+        unallocated_encoding(s);
+        return;
+    }
+
+    if (!fp_access_check(s)) {
+        return;
+    }
+
+    if (genfn) {
+        TCGv_ptr tcg_rd_ptr, tcg_rn_ptr, tcg_rm_ptr;
+
+        tcg_rd_ptr = vec_full_reg_ptr(s, rd);
+        tcg_rn_ptr = vec_full_reg_ptr(s, rn);
+        tcg_rm_ptr = vec_full_reg_ptr(s, rm);
+
+        genfn(tcg_rd_ptr, tcg_rn_ptr, tcg_rm_ptr);
+
+        tcg_temp_free_ptr(tcg_rd_ptr);
+        tcg_temp_free_ptr(tcg_rn_ptr);
+        tcg_temp_free_ptr(tcg_rm_ptr);
+    } else {
+        g_assert_not_reached();
+    }
+}
+
+/* Crypto two-reg SHA512
+ *  31                                     12  11  10  9    5 4    0
+ * +-----------------------------------------+--------+------+------+
+ * | 1 1 0 0 1 1 1 0 1 1 0 0 0 0 0 0 1 0 0 0 | opcode |  Rn  |  Rd  |
+ * +-----------------------------------------+--------+------+------+
+ */
+static void disas_crypto_two_reg_sha512(DisasContext *s, uint32_t insn)
+{
+    int opcode = extract32(insn, 10, 2);
+    int rn = extract32(insn, 5, 5);
+    int rd = extract32(insn, 0, 5);
+    TCGv_ptr tcg_rd_ptr, tcg_rn_ptr;
+    int feature;
+    CryptoTwoOpFn *genfn;
+
+    switch (opcode) {
+    case 0: /* SHA512SU0 */
+        feature = ARM_FEATURE_V8_SHA512;
+        genfn = gen_helper_crypto_sha512su0;
+        break;
+    default:
+        unallocated_encoding(s);
+        return;
+    }
+
+    if (!arm_dc_feature(s, feature)) {
+        unallocated_encoding(s);
+        return;
+    }
+
+    if (!fp_access_check(s)) {
+        return;
+    }
+
+    tcg_rd_ptr = vec_full_reg_ptr(s, rd);
+    tcg_rn_ptr = vec_full_reg_ptr(s, rn);
+
+    genfn(tcg_rd_ptr, tcg_rn_ptr);
+
+    tcg_temp_free_ptr(tcg_rd_ptr);
+    tcg_temp_free_ptr(tcg_rn_ptr);
+}
+
 /* C3.6 Data processing - SIMD, inc Crypto
  *
  * As the decode gets a little complex we are using a table based
@@ -11161,6 +11269,8 @@ static const AArch64DecodeTable data_proc_simd[] = {
     { 0x4e280800, 0xff3e0c00, disas_crypto_aes },
     { 0x5e000000, 0xff208c00, disas_crypto_three_reg_sha },
     { 0x5e280800, 0xff3e0c00, disas_crypto_two_reg_sha },
+    { 0xce608000, 0xffe0b000, disas_crypto_three_reg_sha512 },
+    { 0xcec08000, 0xfffff000, disas_crypto_two_reg_sha512 },
     { 0x00000000, 0x00000000, NULL }
 };
 
-- 
2.11.0

[Qemu-devel] [PATCH v5 2/4] target/arm: implement SHA-3 instructions

[Ard Biesheuvel]

This implements emulation of the new SHA-3 instructions that have
been added as an optional extensions to the ARMv8 Crypto Extensions
in ARM v8.2.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 target/arm/cpu.h           |   1 +
 target/arm/translate-a64.c | 148 +++++++++++++++++++-
 2 files changed, 145 insertions(+), 4 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index 32a18510e70b..d0b19e0cbc88 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -1373,6 +1373,7 @@ enum arm_features {
     ARM_FEATURE_JAZELLE, /* has (trivial) Jazelle implementation */
     ARM_FEATURE_SVE, /* has Scalable Vector Extension */
     ARM_FEATURE_V8_SHA512, /* implements SHA512 part of v8 Crypto Extensions */
+    ARM_FEATURE_V8_SHA3, /* implements SHA3 part of v8 Crypto Extensions */
 };
 
 static inline int arm_feature(CPUARMState *env, int feature)
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index 888f5a39a283..10f2e518f303 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -11162,9 +11162,10 @@ static void disas_crypto_three_reg_sha512(DisasContext *s, uint32_t insn)
             feature = ARM_FEATURE_V8_SHA512;
             genfn = gen_helper_crypto_sha512su1;
             break;
-        default:
-            unallocated_encoding(s);
-            return;
+        case 3: /* RAX1 */
+            feature = ARM_FEATURE_V8_SHA3;
+            genfn = NULL;
+            break;
         }
     } else {
         unallocated_encoding(s);
@@ -11193,7 +11194,28 @@ static void disas_crypto_three_reg_sha512(DisasContext *s, uint32_t insn)
         tcg_temp_free_ptr(tcg_rn_ptr);
         tcg_temp_free_ptr(tcg_rm_ptr);
     } else {
-        g_assert_not_reached();
+        TCGv_i64 tcg_op1, tcg_op2, tcg_res[2];
+        int pass;
+
+        tcg_op1 = tcg_temp_new_i64();
+        tcg_op2 = tcg_temp_new_i64();
+        tcg_res[0] = tcg_temp_new_i64();
+        tcg_res[1] = tcg_temp_new_i64();
+
+        for (pass = 0; pass < 2; pass++) {
+            read_vec_element(s, tcg_op1, rn, pass, MO_64);
+            read_vec_element(s, tcg_op2, rm, pass, MO_64);
+
+            tcg_gen_rotli_i64(tcg_res[pass], tcg_op2, 1);
+            tcg_gen_xor_i64(tcg_res[pass], tcg_res[pass], tcg_op1);
+        }
+        write_vec_element(s, tcg_res[0], rd, 0, MO_64);
+        write_vec_element(s, tcg_res[1], rd, 1, MO_64);
+
+        tcg_temp_free(tcg_op1);
+        tcg_temp_free(tcg_op2);
+        tcg_temp_free(tcg_res[0]);
+        tcg_temp_free(tcg_res[1]);
     }
 }
 
@@ -11240,6 +11262,122 @@ static void disas_crypto_two_reg_sha512(DisasContext *s, uint32_t insn)
     tcg_temp_free_ptr(tcg_rn_ptr);
 }
 
+/* Crypto four-register
+ *  31               23 22 21 20  16 15  14  10 9    5 4    0
+ * +-------------------+-----+------+---+------+------+------+
+ * | 1 1 0 0 1 1 1 0 0 | Op0 |  Rm  | 0 |  Ra  |  Rn  |  Rd  |
+ * +-------------------+-----+------+---+------+------+------+
+ */
+static void disas_crypto_four_reg(DisasContext *s, uint32_t insn)
+{
+    int op0 = extract32(insn, 21, 2);
+    int rm = extract32(insn, 16, 5);
+    int ra = extract32(insn, 10, 5);
+    int rn = extract32(insn, 5, 5);
+    int rd = extract32(insn, 0, 5);
+    int feature;
+
+    switch (op0) {
+    case 0: /* EOR3 */
+    case 1: /* BCAX */
+        feature = ARM_FEATURE_V8_SHA3;
+        break;
+    default:
+        unallocated_encoding(s);
+        return;
+    }
+
+    if (!arm_dc_feature(s, feature)) {
+        unallocated_encoding(s);
+        return;
+    }
+
+    if (!fp_access_check(s)) {
+        return;
+    }
+
+    if (op0 < 2) {
+        TCG_i64 tcg_op1, tcg_op2, tcg_op3, tcg_res[2];
+        int pass;
+
+        tcg_op1 = tcg_temp_new_i64();
+        tcg_op2 = tcg_temp_new_i64();
+        tcg_op3 = tcg_temp_new_i64();
+        tcg_res[0] = tcg_temp_new_i64();
+        tcg_res[1] = tcg_temp_new_i64();
+
+        for (pass = 0; pass < 2; pass++) {
+            read_vec_element(s, tcg_op1, rn, pass, MO_64);
+            read_vec_element(s, tcg_op2, rm, pass, MO_64);
+            read_vec_element(s, tcg_op3, ra, pass, MO_64);
+
+            if (op0 == 0) {
+                /* EOR3 */
+                tcg_gen_xor_i64(tcg_res[pass], tcg_op2, tcg_op3);
+            } else {
+                /* BCAX */
+                tcg_gen_andc_i64(tcg_res[pass], tcg_op2, tcg_op3);
+            }
+            tcg_gen_xor_i64(tcg_res[pass], tcg_res[pass], tcg_op1);
+        }
+        write_vec_element(s, tcg_res[0], rd, 0, MO_64);
+        write_vec_element(s, tcg_res[1], rd, 1, MO_64);
+
+        tcg_temp_free(tcg_op1);
+        tcg_temp_free(tcg_op2);
+        tcg_temp_free(tcg_op3);
+        tcg_temp_free(tcg_res[0]);
+        tcg_temp_free(tcg_res[1]);
+    } else {
+        g_assert_not_reached();
+    }
+}
+
+/* Crypto XAR
+ *  31                   21 20  16 15    10 9    5 4    0
+ * +-----------------------+------+--------+------+------+
+ * | 1 1 0 0 1 1 1 0 1 0 0 |  Rm  |  imm6  |  Rn  |  Rd  |
+ * +-----------------------+------+--------+------+------+
+ */
+static void disas_crypto_xar(DisasContext *s, uint32_t insn)
+{
+    int rm = extract32(insn, 16, 5);
+    int imm6 = extract32(insn, 10, 6);
+    int rn = extract32(insn, 5, 5);
+    int rd = extract32(insn, 0, 5);
+    TCGv_i64 tcg_op1, tcg_op2, tcg_res[2];
+    int pass;
+
+    if (!arm_dc_feature(s, ARM_FEATURE_V8_SHA3)) {
+        unallocated_encoding(s);
+        return;
+    }
+
+    if (!fp_access_check(s)) {
+        return;
+    }
+
+    tcg_op1 = tcg_temp_new_i64();
+    tcg_op2 = tcg_temp_new_i64();
+    tcg_res[0] = tcg_temp_new_i64();
+    tcg_res[1] = tcg_temp_new_i64();
+
+    for (pass = 0; pass < 2; pass++) {
+        read_vec_element(s, tcg_op1, rn, pass, MO_64);
+        read_vec_element(s, tcg_op2, rm, pass, MO_64);
+
+        tcg_gen_xor_i64(tcg_res[pass], tcg_op1, tcg_op2);
+        tcg_gen_rotri_i64(tcg_res[pass], tcg_res[pass], imm6);
+    }
+    write_vec_element(s, tcg_res[0], rd, 0, MO_64);
+    write_vec_element(s, tcg_res[1], rd, 1, MO_64);
+
+    tcg_temp_free(tcg_op1);
+    tcg_temp_free(tcg_op2);
+    tcg_temp_free(tcg_res[0]);
+    tcg_temp_free(tcg_res[1]);
+}
+
 /* C3.6 Data processing - SIMD, inc Crypto
  *
  * As the decode gets a little complex we are using a table based
@@ -11271,6 +11409,8 @@ static const AArch64DecodeTable data_proc_simd[] = {
     { 0x5e280800, 0xff3e0c00, disas_crypto_two_reg_sha },
     { 0xce608000, 0xffe0b000, disas_crypto_three_reg_sha512 },
     { 0xcec08000, 0xfffff000, disas_crypto_two_reg_sha512 },
+    { 0xce000000, 0xff808000, disas_crypto_four_reg },
+    { 0xce800000, 0xffe00000, disas_crypto_xar },
     { 0x00000000, 0x00000000, NULL }
 };
 
-- 
2.11.0

[Qemu-devel] [PATCH v5 3/4] target/arm: implement SM3 instructions

[Ard Biesheuvel]

This implements emulation of the new SM3 instructions that have
been added as an optional extension to the ARMv8 Crypto Extensions
in ARM v8.2.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 target/arm/cpu.h           |   1 +
 target/arm/crypto_helper.c | 117 ++++++++++++++++++++
 target/arm/helper.h        |   5 +
 target/arm/translate-a64.c |  75 ++++++++++++-
 4 files changed, 195 insertions(+), 3 deletions(-)

diff --git a/target/arm/cpu.h b/target/arm/cpu.h
index d0b19e0cbc88..18383666e02d 100644
--- a/target/arm/cpu.h
+++ b/target/arm/cpu.h
@@ -1374,6 +1374,7 @@ enum arm_features {
     ARM_FEATURE_SVE, /* has Scalable Vector Extension */
     ARM_FEATURE_V8_SHA512, /* implements SHA512 part of v8 Crypto Extensions */
     ARM_FEATURE_V8_SHA3, /* implements SHA3 part of v8 Crypto Extensions */
+    ARM_FEATURE_V8_SM3, /* implements SM3 part of v8 Crypto Extensions */
 };
 
 static inline int arm_feature(CPUARMState *env, int feature)
diff --git a/target/arm/crypto_helper.c b/target/arm/crypto_helper.c
index fb45948e9f13..c1d9f765cd40 100644
--- a/target/arm/crypto_helper.c
+++ b/target/arm/crypto_helper.c
@@ -492,3 +492,120 @@ void HELPER(crypto_sha512su1)(void *vd, void *vn, void *vm)
     rd[0] += s1_512(rn[0]) + rm[0];
     rd[1] += s1_512(rn[1]) + rm[1];
 }
+
+void HELPER(crypto_sm3partw1)(void *vd, void *vn, void *vm)
+{
+    uint64_t *rd = vd;
+    uint64_t *rn = vn;
+    uint64_t *rm = vm;
+    union CRYPTO_STATE d = { .l = { rd[0], rd[1] } };
+    union CRYPTO_STATE n = { .l = { rn[0], rn[1] } };
+    union CRYPTO_STATE m = { .l = { rm[0], rm[1] } };
+    uint32_t t;
+
+    t = CR_ST_WORD(d, 0) ^ CR_ST_WORD(n, 0) ^ ror32(CR_ST_WORD(m, 1), 17);
+    CR_ST_WORD(d, 0) = t ^ ror32(t, 17) ^ ror32(t, 9);
+
+    t = CR_ST_WORD(d, 1) ^ CR_ST_WORD(n, 1) ^ ror32(CR_ST_WORD(m, 2), 17);
+    CR_ST_WORD(d, 1) = t ^ ror32(t, 17) ^ ror32(t, 9);
+
+    t = CR_ST_WORD(d, 2) ^ CR_ST_WORD(n, 2) ^ ror32(CR_ST_WORD(m, 3), 17);
+    CR_ST_WORD(d, 2) = t ^ ror32(t, 17) ^ ror32(t, 9);
+
+    t = CR_ST_WORD(d, 3) ^ CR_ST_WORD(n, 3) ^ ror32(CR_ST_WORD(d, 0), 17);
+    CR_ST_WORD(d, 3) = t ^ ror32(t, 17) ^ ror32(t, 9);
+
+    rd[0] = d.l[0];
+    rd[1] = d.l[1];
+}
+
+void HELPER(crypto_sm3partw2)(void *vd, void *vn, void *vm)
+{
+    uint64_t *rd = vd;
+    uint64_t *rn = vn;
+    uint64_t *rm = vm;
+    union CRYPTO_STATE d = { .l = { rd[0], rd[1] } };
+    union CRYPTO_STATE n = { .l = { rn[0], rn[1] } };
+    union CRYPTO_STATE m = { .l = { rm[0], rm[1] } };
+    uint32_t t = CR_ST_WORD(n, 0) ^ ror32(CR_ST_WORD(m, 0), 25);
+
+    CR_ST_WORD(d, 0) ^= t;
+    CR_ST_WORD(d, 1) ^= CR_ST_WORD(n, 1) ^ ror32(CR_ST_WORD(m, 1), 25);
+    CR_ST_WORD(d, 2) ^= CR_ST_WORD(n, 2) ^ ror32(CR_ST_WORD(m, 2), 25);
+    CR_ST_WORD(d, 3) ^= CR_ST_WORD(n, 3) ^ ror32(CR_ST_WORD(m, 3), 25) ^
+                        ror32(t, 17) ^ ror32(t, 2) ^ ror32(t, 26);
+
+    rd[0] = d.l[0];
+    rd[1] = d.l[1];
+}
+
+void HELPER(crypto_sm3ss1)(void *vd, void *vn, void *va, void *vm)
+{
+    uint64_t *rd = vd;
+    uint64_t *rn = vn;
+    uint64_t *ra = va;
+    uint64_t *rm = vm;
+    union CRYPTO_STATE d;
+    union CRYPTO_STATE n = { .l = { rn[0], rn[1] } };
+    union CRYPTO_STATE a = { .l = { ra[0], ra[1] } };
+    union CRYPTO_STATE m = { .l = { rm[0], rm[1] } };
+
+    CR_ST_WORD(d, 0) = 0;
+    CR_ST_WORD(d, 1) = 0;
+    CR_ST_WORD(d, 2) = 0;
+    CR_ST_WORD(d, 3) = ror32(ror32(CR_ST_WORD(n, 3), 20) + CR_ST_WORD(m, 3) +
+                             CR_ST_WORD(a, 3), 25);
+
+    rd[0] = d.l[0];
+    rd[1] = d.l[1];
+}
+
+void HELPER(crypto_sm3tt)(void *vd, void *vn, void *vm, uint32_t imm2,
+                          uint32_t opcode)
+{
+    uint64_t *rd = vd;
+    uint64_t *rn = vn;
+    uint64_t *rm = vm;
+    union CRYPTO_STATE d = { .l = { rd[0], rd[1] } };
+    union CRYPTO_STATE n = { .l = { rn[0], rn[1] } };
+    union CRYPTO_STATE m = { .l = { rm[0], rm[1] } };
+    uint32_t t;
+
+    assert(imm2 < 4);
+
+    if (opcode == 0 || opcode == 2) {
+        /* SM3TT1A, SM3TT2A */
+        t = par(CR_ST_WORD(d, 3), CR_ST_WORD(d, 2), CR_ST_WORD(d, 1));
+    } else if (opcode == 1) {
+        /* SM3TT1B */
+        t = maj(CR_ST_WORD(d, 3), CR_ST_WORD(d, 2), CR_ST_WORD(d, 1));
+    } else if (opcode == 3) {
+        /* SM3TT2B */
+        t = cho(CR_ST_WORD(d, 3), CR_ST_WORD(d, 2), CR_ST_WORD(d, 1));
+    } else {
+        g_assert_not_reached();
+    }
+
+    t += CR_ST_WORD(d, 0) + CR_ST_WORD(m, imm2);
+
+    CR_ST_WORD(d, 0) = CR_ST_WORD(d, 1);
+
+    if (opcode < 2) {
+        /* SM3TT1A, SM3TT1B */
+        t += CR_ST_WORD(n, 3) ^ ror32(CR_ST_WORD(d, 3), 20);
+
+        CR_ST_WORD(d, 1) = ror32(CR_ST_WORD(d, 2), 23);
+    } else {
+        /* SM3TT2A, SM3TT2B */
+        t += CR_ST_WORD(n, 3);
+        t ^= rol32(t, 9) ^ rol32(t, 17);
+
+        CR_ST_WORD(d, 1) = ror32(CR_ST_WORD(d, 2), 13);
+    }
+
+    CR_ST_WORD(d, 2) = CR_ST_WORD(d, 3);
+    CR_ST_WORD(d, 3) = t;
+
+    rd[0] = d.l[0];
+    rd[1] = d.l[1];
+}
diff --git a/target/arm/helper.h b/target/arm/helper.h
index 81d460702867..2d0bba10c006 100644
--- a/target/arm/helper.h
+++ b/target/arm/helper.h
@@ -539,6 +539,11 @@ DEF_HELPER_FLAGS_3(crypto_sha512h2, TCG_CALL_NO_RWG, void, ptr, ptr, ptr)
 DEF_HELPER_FLAGS_2(crypto_sha512su0, TCG_CALL_NO_RWG, void, ptr, ptr)
 DEF_HELPER_FLAGS_3(crypto_sha512su1, TCG_CALL_NO_RWG, void, ptr, ptr, ptr)
 
+DEF_HELPER_FLAGS_4(crypto_sm3ss1, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, ptr)
+DEF_HELPER_FLAGS_5(crypto_sm3tt, TCG_CALL_NO_RWG, void, ptr, ptr, ptr, i32, i32)
+DEF_HELPER_FLAGS_3(crypto_sm3partw1, TCG_CALL_NO_RWG, void, ptr, ptr, ptr)
+DEF_HELPER_FLAGS_3(crypto_sm3partw2, TCG_CALL_NO_RWG, void, ptr, ptr, ptr)
+
 DEF_HELPER_FLAGS_3(crc32, TCG_CALL_NO_RWG_SE, i32, i32, i32, i32)
 DEF_HELPER_FLAGS_3(crc32c, TCG_CALL_NO_RWG_SE, i32, i32, i32, i32)
 DEF_HELPER_2(dc_zva, void, env, i64)
diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
index 10f2e518f303..57cf1ded4db7 100644
--- a/target/arm/translate-a64.c
+++ b/target/arm/translate-a64.c
@@ -11168,8 +11168,19 @@ static void disas_crypto_three_reg_sha512(DisasContext *s, uint32_t insn)
             break;
         }
     } else {
-        unallocated_encoding(s);
-        return;
+        switch (opcode) {
+        case 0: /* SM3PARTW1 */
+            feature = ARM_FEATURE_V8_SM3;
+            genfn = gen_helper_crypto_sm3partw1;
+            break;
+        case 1: /* SM3PARTW2 */
+            feature = ARM_FEATURE_V8_SM3;
+            genfn = gen_helper_crypto_sm3partw2;
+            break;
+        default:
+            unallocated_encoding(s);
+            return;
+        }
     }
 
     if (!arm_dc_feature(s, feature)) {
@@ -11282,6 +11293,9 @@ static void disas_crypto_four_reg(DisasContext *s, uint32_t insn)
     case 1: /* BCAX */
         feature = ARM_FEATURE_V8_SHA3;
         break;
+    case 2: /* SM3SS1 */
+        feature = ARM_FEATURE_V8_SM3;
+        break;
     default:
         unallocated_encoding(s);
         return;
@@ -11329,7 +11343,20 @@ static void disas_crypto_four_reg(DisasContext *s, uint32_t insn)
         tcg_temp_free(tcg_res[0]);
         tcg_temp_free(tcg_res[1]);
     } else {
-        g_assert_not_reached();
+        TCGv_ptr tcg_rd_ptr, tcg_rn_ptr, tcg_ra_ptr, tcg_rm_ptr;
+
+        tcg_rd_ptr = vec_full_reg_ptr(s, rd);
+        tcg_rn_ptr = vec_full_reg_ptr(s, rn);
+        tcg_ra_ptr = vec_full_reg_ptr(s, ra);
+        tcg_rm_ptr = vec_full_reg_ptr(s, rm);
+
+        gen_helper_crypto_sm3ss1(tcg_rd_ptr, tcg_rn_ptr, tcg_ra_ptr,
+                                 tcg_rm_ptr);
+
+        tcg_temp_free_ptr(tcg_rd_ptr);
+        tcg_temp_free_ptr(tcg_rn_ptr);
+        tcg_temp_free_ptr(tcg_ra_ptr);
+        tcg_temp_free_ptr(tcg_rm_ptr);
     }
 }
 
@@ -11378,6 +11405,47 @@ static void disas_crypto_xar(DisasContext *s, uint32_t insn)
     tcg_temp_free(tcg_res[1]);
 }
 
+/* Crypto three-reg imm2
+ *  31                   21 20  16 15  14 13 12  11  10  9    5 4    0
+ * +-----------------------+------+-----+------+--------+------+------+
+ * | 1 1 0 0 1 1 1 0 0 1 0 |  Rm  | 1 0 | imm2 | opcode |  Rn  |  Rd  |
+ * +-----------------------+------+-----+------+--------+------+------+
+ */
+static void disas_crypto_three_reg_imm2(DisasContext *s, uint32_t insn)
+{
+    int opcode = extract32(insn, 10, 2);
+    int imm2 = extract32(insn, 12, 2);
+    int rm = extract32(insn, 16, 5);
+    int rn = extract32(insn, 5, 5);
+    int rd = extract32(insn, 0, 5);
+    TCGv_ptr tcg_rd_ptr, tcg_rn_ptr, tcg_rm_ptr;
+    TCGv_i32 tcg_imm2, tcg_opcode;
+
+    if (!arm_dc_feature(s, ARM_FEATURE_V8_SM3)) {
+        unallocated_encoding(s);
+        return;
+    }
+
+    if (!fp_access_check(s)) {
+        return;
+    }
+
+    tcg_rd_ptr = vec_full_reg_ptr(s, rd);
+    tcg_rn_ptr = vec_full_reg_ptr(s, rn);
+    tcg_rm_ptr = vec_full_reg_ptr(s, rm);
+    tcg_imm2   = tcg_const_i32(imm2);
+    tcg_opcode = tcg_const_i32(opcode);
+
+    gen_helper_crypto_sm3tt(tcg_rd_ptr, tcg_rn_ptr, tcg_rm_ptr, tcg_imm2,
+                            tcg_opcode);
+
+    tcg_temp_free_ptr(tcg_rd_ptr);
+    tcg_temp_free_ptr(tcg_rn_ptr);
+    tcg_temp_free_ptr(tcg_rm_ptr);
+    tcg_temp_free_i32(tcg_imm2);
+    tcg_temp_free_i32(tcg_opcode);
+}
+
 /* C3.6 Data processing - SIMD, inc Crypto
  *
  * As the decode gets a little complex we are using a table based
@@ -11411,6 +11479,7 @@ static const AArch64DecodeTable data_proc_simd[] = {
     { 0xcec08000, 0xfffff000, disas_crypto_two_reg_sha512 },
     { 0xce000000, 0xff808000, disas_crypto_four_reg },
     { 0xce800000, 0xffe00000, disas_crypto_xar },
+    { 0xce408000, 0xffe0c000, disas_crypto_three_reg_imm2 },
     { 0x00000000, 0x00000000, NULL }
 };
 
-- 
2.11.0

[Qemu-devel] [PATCH v5 4/4] target/arm: enable user-mode SHA-3, SM3 and SHA-512 instruction support

[Ard Biesheuvel]

Add support for the new ARMv8.2 SHA-3, SM3 and SHA-512 instructions to
AArch64 user mode emulation.

Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
---
 linux-user/elfload.c | 18 ++++++++++++++++++
 target/arm/cpu64.c   |  3 +++
 2 files changed, 21 insertions(+)

diff --git a/linux-user/elfload.c b/linux-user/elfload.c
index 20f3d8c2c373..5d5aa26d2710 100644
--- a/linux-user/elfload.c
+++ b/linux-user/elfload.c
@@ -512,6 +512,21 @@ enum {
     ARM_HWCAP_A64_SHA1          = 1 << 5,
     ARM_HWCAP_A64_SHA2          = 1 << 6,
     ARM_HWCAP_A64_CRC32         = 1 << 7,
+    ARM_HWCAP_A64_ATOMICS       = 1 << 8,
+    ARM_HWCAP_A64_FPHP          = 1 << 9,
+    ARM_HWCAP_A64_ASIMDHP       = 1 << 10,
+    ARM_HWCAP_A64_CPUID         = 1 << 11,
+    ARM_HWCAP_A64_ASIMDRDM      = 1 << 12,
+    ARM_HWCAP_A64_JSCVT         = 1 << 13,
+    ARM_HWCAP_A64_FCMA          = 1 << 14,
+    ARM_HWCAP_A64_LRCPC         = 1 << 15,
+    ARM_HWCAP_A64_DCPOP         = 1 << 16,
+    ARM_HWCAP_A64_SHA3          = 1 << 17,
+    ARM_HWCAP_A64_SM3           = 1 << 18,
+    ARM_HWCAP_A64_SM4           = 1 << 19,
+    ARM_HWCAP_A64_ASIMDDP       = 1 << 20,
+    ARM_HWCAP_A64_SHA512        = 1 << 21,
+    ARM_HWCAP_A64_SVE           = 1 << 22,
 };
 
 #define ELF_HWCAP get_elf_hwcap()
@@ -532,6 +547,9 @@ static uint32_t get_elf_hwcap(void)
     GET_FEATURE(ARM_FEATURE_V8_SHA1, ARM_HWCAP_A64_SHA1);
     GET_FEATURE(ARM_FEATURE_V8_SHA256, ARM_HWCAP_A64_SHA2);
     GET_FEATURE(ARM_FEATURE_CRC, ARM_HWCAP_A64_CRC32);
+    GET_FEATURE(ARM_FEATURE_V8_SHA3, ARM_HWCAP_A64_SHA3);
+    GET_FEATURE(ARM_FEATURE_V8_SM3, ARM_HWCAP_A64_SM3);
+    GET_FEATURE(ARM_FEATURE_V8_SHA512, ARM_HWCAP_A64_SHA512);
 #undef GET_FEATURE
 
     return hwcaps;
diff --git a/target/arm/cpu64.c b/target/arm/cpu64.c
index 670c07ab6ed4..56d50ba57194 100644
--- a/target/arm/cpu64.c
+++ b/target/arm/cpu64.c
@@ -224,6 +224,9 @@ static void aarch64_any_initfn(Object *obj)
     set_feature(&cpu->env, ARM_FEATURE_V8_AES);
     set_feature(&cpu->env, ARM_FEATURE_V8_SHA1);
     set_feature(&cpu->env, ARM_FEATURE_V8_SHA256);
+    set_feature(&cpu->env, ARM_FEATURE_V8_SHA512);
+    set_feature(&cpu->env, ARM_FEATURE_V8_SHA3);
+    set_feature(&cpu->env, ARM_FEATURE_V8_SM3);
     set_feature(&cpu->env, ARM_FEATURE_V8_PMULL);
     set_feature(&cpu->env, ARM_FEATURE_CRC);
     cpu->ctr = 0x80038003; /* 32 byte I and D cacheline size, VIPT icache */
-- 
2.11.0

Re: [Qemu-devel] [PATCH v5 2/4] target/arm: implement SHA-3 instructions

[Ard Biesheuvel]

On 22 January 2018 at 17:26, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
> This implements emulation of the new SHA-3 instructions that have
> been added as an optional extensions to the ARMv8 Crypto Extensions
> in ARM v8.2.
>
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
> ---
>  target/arm/cpu.h           |   1 +
>  target/arm/translate-a64.c | 148 +++++++++++++++++++-
>  2 files changed, 145 insertions(+), 4 deletions(-)
>
> diff --git a/target/arm/cpu.h b/target/arm/cpu.h
> index 32a18510e70b..d0b19e0cbc88 100644
> --- a/target/arm/cpu.h
> +++ b/target/arm/cpu.h
> @@ -1373,6 +1373,7 @@ enum arm_features {
>      ARM_FEATURE_JAZELLE, /* has (trivial) Jazelle implementation */
>      ARM_FEATURE_SVE, /* has Scalable Vector Extension */
>      ARM_FEATURE_V8_SHA512, /* implements SHA512 part of v8 Crypto Extensions */
> +    ARM_FEATURE_V8_SHA3, /* implements SHA3 part of v8 Crypto Extensions */
>  };
>
>  static inline int arm_feature(CPUARMState *env, int feature)
> diff --git a/target/arm/translate-a64.c b/target/arm/translate-a64.c
> index 888f5a39a283..10f2e518f303 100644
> --- a/target/arm/translate-a64.c
> +++ b/target/arm/translate-a64.c
> @@ -11162,9 +11162,10 @@ static void disas_crypto_three_reg_sha512(DisasContext *s, uint32_t insn)
>              feature = ARM_FEATURE_V8_SHA512;
>              genfn = gen_helper_crypto_sha512su1;
>              break;
> -        default:
> -            unallocated_encoding(s);
> -            return;
> +        case 3: /* RAX1 */
> +            feature = ARM_FEATURE_V8_SHA3;
> +            genfn = NULL;
> +            break;
>          }
>      } else {
>          unallocated_encoding(s);
> @@ -11193,7 +11194,28 @@ static void disas_crypto_three_reg_sha512(DisasContext *s, uint32_t insn)
>          tcg_temp_free_ptr(tcg_rn_ptr);
>          tcg_temp_free_ptr(tcg_rm_ptr);
>      } else {
> -        g_assert_not_reached();
> +        TCGv_i64 tcg_op1, tcg_op2, tcg_res[2];
> +        int pass;
> +
> +        tcg_op1 = tcg_temp_new_i64();
> +        tcg_op2 = tcg_temp_new_i64();
> +        tcg_res[0] = tcg_temp_new_i64();
> +        tcg_res[1] = tcg_temp_new_i64();
> +
> +        for (pass = 0; pass < 2; pass++) {
> +            read_vec_element(s, tcg_op1, rn, pass, MO_64);
> +            read_vec_element(s, tcg_op2, rm, pass, MO_64);
> +
> +            tcg_gen_rotli_i64(tcg_res[pass], tcg_op2, 1);
> +            tcg_gen_xor_i64(tcg_res[pass], tcg_res[pass], tcg_op1);
> +        }
> +        write_vec_element(s, tcg_res[0], rd, 0, MO_64);
> +        write_vec_element(s, tcg_res[1], rd, 1, MO_64);
> +
> +        tcg_temp_free(tcg_op1);
> +        tcg_temp_free(tcg_op2);
> +        tcg_temp_free(tcg_res[0]);
> +        tcg_temp_free(tcg_res[1]);
>      }
>  }
>
> @@ -11240,6 +11262,122 @@ static void disas_crypto_two_reg_sha512(DisasContext *s, uint32_t insn)
>      tcg_temp_free_ptr(tcg_rn_ptr);
>  }
>
> +/* Crypto four-register
> + *  31               23 22 21 20  16 15  14  10 9    5 4    0
> + * +-------------------+-----+------+---+------+------+------+
> + * | 1 1 0 0 1 1 1 0 0 | Op0 |  Rm  | 0 |  Ra  |  Rn  |  Rd  |
> + * +-------------------+-----+------+---+------+------+------+
> + */
> +static void disas_crypto_four_reg(DisasContext *s, uint32_t insn)
> +{
> +    int op0 = extract32(insn, 21, 2);
> +    int rm = extract32(insn, 16, 5);
> +    int ra = extract32(insn, 10, 5);
> +    int rn = extract32(insn, 5, 5);
> +    int rd = extract32(insn, 0, 5);
> +    int feature;
> +
> +    switch (op0) {
> +    case 0: /* EOR3 */
> +    case 1: /* BCAX */
> +        feature = ARM_FEATURE_V8_SHA3;
> +        break;
> +    default:
> +        unallocated_encoding(s);
> +        return;
> +    }
> +
> +    if (!arm_dc_feature(s, feature)) {
> +        unallocated_encoding(s);
> +        return;
> +    }
> +
> +    if (!fp_access_check(s)) {
> +        return;
> +    }
> +
> +    if (op0 < 2) {
> +        TCG_i64 tcg_op1, tcg_op2, tcg_op3, tcg_res[2];

Apologies, there's a typo here: TCGv_i64 not TCG_i64

Let me know if I need to resend.

> +        int pass;
> +
> +        tcg_op1 = tcg_temp_new_i64();
> +        tcg_op2 = tcg_temp_new_i64();
> +        tcg_op3 = tcg_temp_new_i64();
> +        tcg_res[0] = tcg_temp_new_i64();
> +        tcg_res[1] = tcg_temp_new_i64();
> +
> +        for (pass = 0; pass < 2; pass++) {
> +            read_vec_element(s, tcg_op1, rn, pass, MO_64);
> +            read_vec_element(s, tcg_op2, rm, pass, MO_64);
> +            read_vec_element(s, tcg_op3, ra, pass, MO_64);
> +
> +            if (op0 == 0) {
> +                /* EOR3 */
> +                tcg_gen_xor_i64(tcg_res[pass], tcg_op2, tcg_op3);
> +            } else {
> +                /* BCAX */
> +                tcg_gen_andc_i64(tcg_res[pass], tcg_op2, tcg_op3);
> +            }
> +            tcg_gen_xor_i64(tcg_res[pass], tcg_res[pass], tcg_op1);
> +        }
> +        write_vec_element(s, tcg_res[0], rd, 0, MO_64);
> +        write_vec_element(s, tcg_res[1], rd, 1, MO_64);
> +
> +        tcg_temp_free(tcg_op1);
> +        tcg_temp_free(tcg_op2);
> +        tcg_temp_free(tcg_op3);
> +        tcg_temp_free(tcg_res[0]);
> +        tcg_temp_free(tcg_res[1]);
> +    } else {
> +        g_assert_not_reached();
> +    }
> +}
> +
> +/* Crypto XAR
> + *  31                   21 20  16 15    10 9    5 4    0
> + * +-----------------------+------+--------+------+------+
> + * | 1 1 0 0 1 1 1 0 1 0 0 |  Rm  |  imm6  |  Rn  |  Rd  |
> + * +-----------------------+------+--------+------+------+
> + */
> +static void disas_crypto_xar(DisasContext *s, uint32_t insn)
> +{
> +    int rm = extract32(insn, 16, 5);
> +    int imm6 = extract32(insn, 10, 6);
> +    int rn = extract32(insn, 5, 5);
> +    int rd = extract32(insn, 0, 5);
> +    TCGv_i64 tcg_op1, tcg_op2, tcg_res[2];
> +    int pass;
> +
> +    if (!arm_dc_feature(s, ARM_FEATURE_V8_SHA3)) {
> +        unallocated_encoding(s);
> +        return;
> +    }
> +
> +    if (!fp_access_check(s)) {
> +        return;
> +    }
> +
> +    tcg_op1 = tcg_temp_new_i64();
> +    tcg_op2 = tcg_temp_new_i64();
> +    tcg_res[0] = tcg_temp_new_i64();
> +    tcg_res[1] = tcg_temp_new_i64();
> +
> +    for (pass = 0; pass < 2; pass++) {
> +        read_vec_element(s, tcg_op1, rn, pass, MO_64);
> +        read_vec_element(s, tcg_op2, rm, pass, MO_64);
> +
> +        tcg_gen_xor_i64(tcg_res[pass], tcg_op1, tcg_op2);
> +        tcg_gen_rotri_i64(tcg_res[pass], tcg_res[pass], imm6);
> +    }
> +    write_vec_element(s, tcg_res[0], rd, 0, MO_64);
> +    write_vec_element(s, tcg_res[1], rd, 1, MO_64);
> +
> +    tcg_temp_free(tcg_op1);
> +    tcg_temp_free(tcg_op2);
> +    tcg_temp_free(tcg_res[0]);
> +    tcg_temp_free(tcg_res[1]);
> +}
> +
>  /* C3.6 Data processing - SIMD, inc Crypto
>   *
>   * As the decode gets a little complex we are using a table based
> @@ -11271,6 +11409,8 @@ static const AArch64DecodeTable data_proc_simd[] = {
>      { 0x5e280800, 0xff3e0c00, disas_crypto_two_reg_sha },
>      { 0xce608000, 0xffe0b000, disas_crypto_three_reg_sha512 },
>      { 0xcec08000, 0xfffff000, disas_crypto_two_reg_sha512 },
> +    { 0xce000000, 0xff808000, disas_crypto_four_reg },
> +    { 0xce800000, 0xffe00000, disas_crypto_xar },
>      { 0x00000000, 0x00000000, NULL }
>  };
>
> --
> 2.11.0
>

Re: [Qemu-devel] [PATCH v5 2/4] target/arm: implement SHA-3 instructions

[Peter Maydell]

On 23 January 2018 at 20:09, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
> On 22 January 2018 at 17:26, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
>> This implements emulation of the new SHA-3 instructions that have
>> been added as an optional extensions to the ARMv8 Crypto Extensions
>> in ARM v8.2.

>> +    if (op0 < 2) {
>> +        TCG_i64 tcg_op1, tcg_op2, tcg_op3, tcg_res[2];
>
> Apologies, there's a typo here: TCGv_i64 not TCG_i64
>
> Let me know if I need to resend.

No, if that's the only issue I'll just fix it up locally.


>> +        tcg_temp_free(tcg_op1);
>> +        tcg_temp_free(tcg_op2);
>> +        tcg_temp_free(tcg_op3);
>> +        tcg_temp_free(tcg_res[0]);
>> +        tcg_temp_free(tcg_res[1]);

These I think should all be tcg_temp_free_i64(). The unsuffixed
version is for "TCGv", which is a value of size target_ulong.
As it happens that's always i64 for code in translate-a64.c,
so it's only a stylistic difference, but the rest of the code
explicitly uses i64. I'll fix this locally too.

thanks
-- PMM

Re: [Qemu-devel] [PATCH v5 1/4] target/arm: implement SHA-512 instructions

[Peter Maydell]

On 22 January 2018 at 17:26, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
> This implements emulation of the new SHA-512 instructions that have
> been added as an optional extensions to the ARMv8 Crypto Extensions
> in ARM v8.2.
>
> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>


> +void HELPER(crypto_sha512h)(void *vd, void *vn, void *vm)
> +{
> +    uint64_t *rd = vd;
> +    uint64_t *rn = vn;
> +    uint64_t *rm = vm;
> +
> +    rd[1] += S1_512(rm[1]) + cho512(rm[1], rn[0], rn[1]);
> +    rd[0] += S1_512(rd[1] + rm[0]) + cho512(rd[1] + rm[0], rm[1], rn[0]);

This gives the wrong answer if the destination register
happens to be the same as one of the inputs, because the
assignment to rd[1] will overwrite the input before the
calculation of rd[0] uses it.

Some extra temporaries should fix this. I'll try fixing
that up locally and see if it passes tests then.

thanks
-- PMM

Re: [Qemu-devel] [PATCH v5 1/4] target/arm: implement SHA-512 instructions

[Ard Biesheuvel]

On 6 February 2018 at 18:45, Peter Maydell <peter.maydell@linaro.org> wrote:
> On 22 January 2018 at 17:26, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
>> This implements emulation of the new SHA-512 instructions that have
>> been added as an optional extensions to the ARMv8 Crypto Extensions
>> in ARM v8.2.
>>
>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>
>
>> +void HELPER(crypto_sha512h)(void *vd, void *vn, void *vm)
>> +{
>> +    uint64_t *rd = vd;
>> +    uint64_t *rn = vn;
>> +    uint64_t *rm = vm;
>> +
>> +    rd[1] += S1_512(rm[1]) + cho512(rm[1], rn[0], rn[1]);
>> +    rd[0] += S1_512(rd[1] + rm[0]) + cho512(rd[1] + rm[0], rm[1], rn[0]);
>
> This gives the wrong answer if the destination register
> happens to be the same as one of the inputs, because the
> assignment to rd[1] will overwrite the input before the
> calculation of rd[0] uses it.
>

It is supposed to use the new value of rd[1], so this is expected.

> Some extra temporaries should fix this. I'll try fixing
> that up locally and see if it passes tests then.
>
> thanks
> -- PMM

Re: [Qemu-devel] [PATCH v5 1/4] target/arm: implement SHA-512 instructions

[Ard Biesheuvel]

On 6 February 2018 at 18:56, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
> On 6 February 2018 at 18:45, Peter Maydell <peter.maydell@linaro.org> wrote:
>> On 22 January 2018 at 17:26, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
>>> This implements emulation of the new SHA-512 instructions that have
>>> been added as an optional extensions to the ARMv8 Crypto Extensions
>>> in ARM v8.2.
>>>
>>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>>
>>
>>> +void HELPER(crypto_sha512h)(void *vd, void *vn, void *vm)
>>> +{
>>> +    uint64_t *rd = vd;
>>> +    uint64_t *rn = vn;
>>> +    uint64_t *rm = vm;
>>> +
>>> +    rd[1] += S1_512(rm[1]) + cho512(rm[1], rn[0], rn[1]);
>>> +    rd[0] += S1_512(rd[1] + rm[0]) + cho512(rd[1] + rm[0], rm[1], rn[0]);
>>
>> This gives the wrong answer if the destination register
>> happens to be the same as one of the inputs, because the
>> assignment to rd[1] will overwrite the input before the
>> calculation of rd[0] uses it.
>>
>
> It is supposed to use the new value of rd[1], so this is expected.
>

Ah hold on, I hit send too quickly, apologies.

Yes, if rd == rm, then it will assume the wrong value. I missed this
when doing the rewrite to use the new interface.

>> Some extra temporaries should fix this. I'll try fixing
>> that up locally and see if it passes tests then.
>>
>> thanks
>> -- PMM

Re: [Qemu-devel] [PATCH v5 1/4] target/arm: implement SHA-512 instructions

[Peter Maydell]

On 6 February 2018 at 18:57, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
> On 6 February 2018 at 18:56, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
>> On 6 February 2018 at 18:45, Peter Maydell <peter.maydell@linaro.org> wrote:
>>> On 22 January 2018 at 17:26, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
>>>> This implements emulation of the new SHA-512 instructions that have
>>>> been added as an optional extensions to the ARMv8 Crypto Extensions
>>>> in ARM v8.2.
>>>>
>>>> Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
>>>
>>>
>>>> +void HELPER(crypto_sha512h)(void *vd, void *vn, void *vm)
>>>> +{
>>>> +    uint64_t *rd = vd;
>>>> +    uint64_t *rn = vn;
>>>> +    uint64_t *rm = vm;
>>>> +
>>>> +    rd[1] += S1_512(rm[1]) + cho512(rm[1], rn[0], rn[1]);
>>>> +    rd[0] += S1_512(rd[1] + rm[0]) + cho512(rd[1] + rm[0], rm[1], rn[0]);
>>>
>>> This gives the wrong answer if the destination register
>>> happens to be the same as one of the inputs, because the
>>> assignment to rd[1] will overwrite the input before the
>>> calculation of rd[0] uses it.
>>>
>>
>> It is supposed to use the new value of rd[1], so this is expected.
>>
>
> Ah hold on, I hit send too quickly, apologies.
>
> Yes, if rd == rm, then it will assume the wrong value. I missed this
> when doing the rewrite to use the new interface.

OK. It sounds like the fix is more complicated than I thought it
was, though, so I'll leave this up to you.

My tests show that these insns seem OK:
SM3PARTW1, SM3PARTW2, SM3SS1, SM3TT1A, SM3TT1B, SM3TT2A, SM3TT2B
EOR3, BCAX, XAR
SHA512SU1

These ones fail:
SHA512H, SHA512H2, SHA512SU0
SM4EKEY, SM4E

You also forgot to enable the SM4 CPU feature in the 'any' CPU
and set it in the guest elf hwcaps.

thanks
-- PMM

Re: [Qemu-devel] [PATCH v5 1/4] target/arm: implement SHA-512 instructions

[Peter Maydell]

On 6 February 2018 at 19:06, Peter Maydell <peter.maydell@linaro.org> wrote:
> SM4EKEY, SM4E

Sample SM4EKEY failure:
insn 0xce78cbdd (SM4EKEY V29.4S, V30.4S, V24.4S)
  V24   : 6ee7a2520059bd15bac75e4436b3a1bd
  V30   : a67d04e738f68da895ffd0c3e154e3e7

  V29 actual:   a67d04e7b98aaef47bf01b8158da5407
  V29 expected: 8d492252b98aaef47bf01b8158da5407

(top 32 bits are wrong)

Sample SM4E failure:
insn 0xcec087dd (SM4E V29.4S, V30.4S)
  V30   : a67d04e738f68da895ffd0c3e154e3e7
  V29 actual  : e272e88588a781b7e77a90dd5641e34b
  V29 expected: a39884af88a781b7e77a90dd5641e34b

(top 32 bits again)

My test setup doesn't capture register values from
before the insn executes, which is awkward for SM4E since
it uses Vd as input as well as output. Probably the bug
is the same as SM4EKEY, though.

thanks
-- PMM

Re: [Qemu-devel] [PATCH v5 1/4] target/arm: implement SHA-512 instructions

[Peter Maydell]

On 6 February 2018 at 19:15, Peter Maydell <peter.maydell@linaro.org> wrote:
> On 6 February 2018 at 19:06, Peter Maydell <peter.maydell@linaro.org> wrote:
>> SM4EKEY, SM4E
>
> Sample SM4EKEY failure:
> insn 0xce78cbdd (SM4EKEY V29.4S, V30.4S, V24.4S)
>   V24   : 6ee7a2520059bd15bac75e4436b3a1bd
>   V30   : a67d04e738f68da895ffd0c3e154e3e7
>
>   V29 actual:   a67d04e7b98aaef47bf01b8158da5407
>   V29 expected: 8d492252b98aaef47bf01b8158da5407
>
> (top 32 bits are wrong)
>
> Sample SM4E failure:
> insn 0xcec087dd (SM4E V29.4S, V30.4S)
>   V30   : a67d04e738f68da895ffd0c3e154e3e7
>   V29 actual  : e272e88588a781b7e77a90dd5641e34b
>   V29 expected: a39884af88a781b7e77a90dd5641e34b
>
> (top 32 bits again)
>
> My test setup doesn't capture register values from
> before the insn executes, which is awkward for SM4E since
> it uses Vd as input as well as output. Probably the bug
> is the same as SM4EKEY, though.

...and it's a pretty simple fix; we just weren't actually
doing the 4th iteration of the algorithm:

diff --git a/target/arm/crypto_helper.c b/target/arm/crypto_helper.c
index b42c7e046b..2c3af64a52 100644
--- a/target/arm/crypto_helper.c
+++ b/target/arm/crypto_helper.c
@@ -653,7 +653,7 @@ void HELPER(crypto_sm4e)(void *vd, void *vn)
     union CRYPTO_STATE n = { .l = { rn[0], rn[1] } };
     uint32_t t, i;

-    for (i = 0; i < 3; i++) {
+    for (i = 0; i < 4; i++) {
         t = CR_ST_WORD(d, (i + 1) % 4) ^
             CR_ST_WORD(d, (i + 2) % 4) ^
             CR_ST_WORD(d, (i + 3) % 4) ^
@@ -683,7 +683,7 @@ void HELPER(crypto_sm4ekey)(void *vd, void *vn, void* vm)
     uint32_t t, i;

     d = n;
-    for (i = 0; i < 3; i++) {
+    for (i = 0; i < 4; i++) {
         t = CR_ST_WORD(d, (i + 1) % 4) ^
             CR_ST_WORD(d, (i + 2) % 4) ^
             CR_ST_WORD(d, (i + 3) % 4) ^

That change is sufficient for SM4E and SM4EKEY to pass my tests.

thanks
-- PMM

Re: [Qemu-devel] [PATCH v5 1/4] target/arm: implement SHA-512 instructions

[Ard Biesheuvel]

On 6 February 2018 at 20:41, Peter Maydell <peter.maydell@linaro.org> wrote:
> On 6 February 2018 at 19:15, Peter Maydell <peter.maydell@linaro.org> wrote:
>> On 6 February 2018 at 19:06, Peter Maydell <peter.maydell@linaro.org> wrote:
>>> SM4EKEY, SM4E
>>
>> Sample SM4EKEY failure:
>> insn 0xce78cbdd (SM4EKEY V29.4S, V30.4S, V24.4S)
>>   V24   : 6ee7a2520059bd15bac75e4436b3a1bd
>>   V30   : a67d04e738f68da895ffd0c3e154e3e7
>>
>>   V29 actual:   a67d04e7b98aaef47bf01b8158da5407
>>   V29 expected: 8d492252b98aaef47bf01b8158da5407
>>
>> (top 32 bits are wrong)
>>
>> Sample SM4E failure:
>> insn 0xcec087dd (SM4E V29.4S, V30.4S)
>>   V30   : a67d04e738f68da895ffd0c3e154e3e7
>>   V29 actual  : e272e88588a781b7e77a90dd5641e34b
>>   V29 expected: a39884af88a781b7e77a90dd5641e34b
>>
>> (top 32 bits again)
>>
>> My test setup doesn't capture register values from
>> before the insn executes, which is awkward for SM4E since
>> it uses Vd as input as well as output. Probably the bug
>> is the same as SM4EKEY, though.
>
> ...and it's a pretty simple fix; we just weren't actually
> doing the 4th iteration of the algorithm:
>
> diff --git a/target/arm/crypto_helper.c b/target/arm/crypto_helper.c
> index b42c7e046b..2c3af64a52 100644
> --- a/target/arm/crypto_helper.c
> +++ b/target/arm/crypto_helper.c
> @@ -653,7 +653,7 @@ void HELPER(crypto_sm4e)(void *vd, void *vn)
>      union CRYPTO_STATE n = { .l = { rn[0], rn[1] } };
>      uint32_t t, i;
>
> -    for (i = 0; i < 3; i++) {
> +    for (i = 0; i < 4; i++) {
>          t = CR_ST_WORD(d, (i + 1) % 4) ^
>              CR_ST_WORD(d, (i + 2) % 4) ^
>              CR_ST_WORD(d, (i + 3) % 4) ^
> @@ -683,7 +683,7 @@ void HELPER(crypto_sm4ekey)(void *vd, void *vn, void* vm)
>      uint32_t t, i;
>
>      d = n;
> -    for (i = 0; i < 3; i++) {
> +    for (i = 0; i < 4; i++) {
>          t = CR_ST_WORD(d, (i + 1) % 4) ^
>              CR_ST_WORD(d, (i + 2) % 4) ^
>              CR_ST_WORD(d, (i + 3) % 4) ^
>
> That change is sufficient for SM4E and SM4EKEY to pass my tests.
>

Thanks a lot for debugging that. As I said, I don't have test vectors,
or I would have tested it myself, and most likely would have found
this as well.

Re: [Qemu-devel] [PATCH v5 1/4] target/arm: implement SHA-512 instructions

[Peter Maydell]

On 6 February 2018 at 19:59, Ard Biesheuvel <ard.biesheuvel@linaro.org> wrote:
> Thanks a lot for debugging that. As I said, I don't have test vectors,
> or I would have tested it myself, and most likely would have found
> this as well.

No problem. I spent a surprisingly long time looking at the inside
of the loop trying to check whether it matched the pseudocode and
why the fourth iteration only would misbehave, before I spotted
what was actually happening :-)

-- PMM

Re: [Qemu-devel] [PATCH v5 1/4] target/arm: implement SHA-512 instructions

[Richard Henderson]

On 02/06/2018 11:15 AM, Peter Maydell wrote:
> My test setup doesn't capture register values from
> before the insn executes...

I have patches for RISU to dump each record written
to the trace file, which does allow one to go back
and examine previous register values.


r~