[PATCH] crypto: arm64 - Drop asm fallback macros for older binutils

Eric Biggers ebiggers at kernel.org
Thu May 15 11:52:54 PDT 2025 

On Thu, May 15, 2025 at 04:27:03PM +0200, Ard Biesheuvel wrote:
> diff --git a/arch/arm64/crypto/sha512-ce-core.S b/arch/arm64/crypto/sha512-ce-core.S
> index 91ef68b15fcc..deb2469ab631 100644
> --- a/arch/arm64/crypto/sha512-ce-core.S
> +++ b/arch/arm64/crypto/sha512-ce-core.S
> @@ -12,26 +12,7 @@
>  #include <linux/linkage.h>
>  #include <asm/assembler.h>
>  
> -	.irp		b,0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19
> -	.set		.Lq\b, \b
> -	.set		.Lv\b\().2d, \b
> -	.endr
> -
> -	.macro		sha512h, rd, rn, rm
> -	.inst		0xce608000 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> -	.endm
> -
> -	.macro		sha512h2, rd, rn, rm
> -	.inst		0xce608400 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> -	.endm
> -
> -	.macro		sha512su0, rd, rn
> -	.inst		0xcec08000 | .L\rd | (.L\rn << 5)
> -	.endm
> -
> -	.macro		sha512su1, rd, rn, rm
> -	.inst		0xce608800 | .L\rd | (.L\rn << 5) | (.L\rm << 16)
> -	.endm
> +	.arch	armv8-a+sha3

This looked like a mistake: SHA-512 is part of SHA-2, not SHA-3.  However, the
current versions of binutils and clang do indeed put it under sha3.  There
should be a comment that mentions this unfortunate quirk.

However, there's also the following commit which went into binutils 2.43:

    commit 0aac62aa3256719c37be9e0ce6af8b190f45c928
    Author: Andrew Carlotti <andrew.carlotti at arm.com>
    Date:   Fri Jan 19 13:01:40 2024 +0000

        aarch64: move SHA512 instructions to +sha3

        SHA512 instructions were added to the architecture at the same time as SHA3
        instructions, but later than the SHA1 and SHA256 instructions.  Furthermore,
        implementations must support either both or neither of the SHA512 and SHA3
        instruction sets.  However, SHA512 instructions were originally (and
        incorrectly) added to Binutils under the +sha2 flag.

        This patch moves SHA512 instructions under the +sha3 flag, which matches the
        architecture constraints and existing GCC and LLVM behaviour.

So probably we need ".arch armv8-a+sha2+sha3" to support binutils 2.30 through
2.42, as well as clang and the latest version of binutils?  (I didn't test it
yet, but it seems likely...)

- Eric

More information about the linux-arm-kernel mailing list