[PATCH v1] armv8: crypto: SHA-512 using ARMv8 Crypto Extensions

Igor Opaniuk igor.opaniuk at foundries.io
Sun Feb 11 18:26:39 CET 2024 

Hi Tom,

On Sun, Feb 11, 2024 at 1:37 AM Tom Rini <trini at konsulko.com> wrote:
>
> On Sat, Feb 10, 2024 at 01:07:09PM +0100, Igor Opaniuk wrote:
>
> > From: Igor Opaniuk <igor.opaniuk at gmail.com>
> >
> > Add support for the SHA-512 Secure Hash Algorithm which uses ARMv8 Crypto
> > Extensions. The CPU should support ARMv8.2 instruction set and implement
> > SHA512H, SHA512H2, SHA512SU0, and SHA512SU1 instructions.
> >
> > This information can be obtained from ID_AA64ISAR0_EL1 (AArch64 Instruction
> > Set Attribute Register 0), bits [15:12] should be 0b0010 [1], that
> > indicates support for SHA512* instructions in AArch64 state. As not all
> > ARMv8-base SoCs support that, ARMV8_CE_SHA512 is left disabled by
> > default for now.
> >
> > Tested in QEMU for ARMv8 with compiled-in SHA-2 support.
> > Even on emulated cpu the hashing speed increase was visible:
> >
> > With CE usage:
> > => time hash sha512 0x40200000 0x2000000
> > Calculate hash
> > Calculate hash
> > sha512 for 40200000 ... 421fffff ==> 1aeae269f4eb7c37...
> >
> > time: 0.215 seconds
> >
> > Without CE usage:
> > => time hash sha512 0x40200000 0x2000000
> > sha512 for 40200000 ... 421fffff ==> 1aeae269f4eb7c37...
> >
> > time: 0.356 seconds
> >
> > Real HW tests should provide much more improvement and objective results
> > with 10x speed increase at least.
> >
> > The implementation is based on original implementation from Ard Biesheuvel in
> > Linux kernel [2]
> >
> > [1] https://developer.arm.com/documentation/ddi0601/2023-12/AArch64-Registers/ID-AA64ISAR0-EL1--AArch64-Instruction-Set-Attribute-Register-0
> > [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/arm/crypto/sha2-ce-core.S
> >
> > CC: Ard Biesheuvel <ard.biesheuvel at linaro.org>
> > CC: Loic Poulain <loic.poulain at linaro.org>
> > Signed-off-by: Igor Opaniuk <igor.opaniuk at gmail.com>
> [snip]
> > diff --git a/arch/arm/cpu/armv8/Kconfig b/arch/arm/cpu/armv8/Kconfig
> > index 9f0fb369f7..fd5c26421b 100644
> > --- a/arch/arm/cpu/armv8/Kconfig
> > +++ b/arch/arm/cpu/armv8/Kconfig
> > @@ -204,6 +204,11 @@ config ARMV8_CE_SHA256
> >       bool "SHA-256 digest algorithm (ARMv8 Crypto Extensions)"
> >       default y if SHA256
> >
> > +config ARMV8_CE_SHA512
> > +     bool "SHA-512 digest algorithm (ARMv8 Crypto Extensions)"
> > +     depends on SHA512
> > +     default n
>
> Like the sha256 one, this should be default y I think, the performance
> improvement is likely worth the size increase.
That was done on purpose, as SHA512* instructions (comparing to SHA256*)
were introduced only in ARMv8.2-A, and most of the currently supported ARMv8
SoCs in U-Boot don't support it.
We probably would end up with most of them reporting Synchronous
Abort crashes.

As Marc suggested in the previous email, we should have
both versions compiled-in (sw and hw-accelerated) and dynamic selection of
proper version in runtime based on CPU capabilities, and I plan to
address that in future in a separate patch series.

>
> --
> Tom

Regards,
Igor

-- 
Best regards - Freundliche Grüsse - Meilleures salutations

Igor Opaniuk
Senior Software Engineer, Embedded & Security
E: igor.opaniuk at foundries.io
W: www.foundries.io

More information about the U-Boot mailing list