[PATCH v1] armv8: crypto: SHA-512 using ARMv8 Crypto Extensions

Michal Simek michal.simek at amd.com
Mon Feb 12 09:55:00 CET 2024 


On 2/11/24 18:26, Igor Opaniuk wrote:
> Hi Tom,
> 
> On Sun, Feb 11, 2024 at 1:37 AM Tom Rini <trini at konsulko.com> wrote:
>>
>> On Sat, Feb 10, 2024 at 01:07:09PM +0100, Igor Opaniuk wrote:
>>
>>> From: Igor Opaniuk <igor.opaniuk at gmail.com>
>>>
>>> Add support for the SHA-512 Secure Hash Algorithm which uses ARMv8 Crypto
>>> Extensions. The CPU should support ARMv8.2 instruction set and implement
>>> SHA512H, SHA512H2, SHA512SU0, and SHA512SU1 instructions.
>>>
>>> This information can be obtained from ID_AA64ISAR0_EL1 (AArch64 Instruction
>>> Set Attribute Register 0), bits [15:12] should be 0b0010 [1], that
>>> indicates support for SHA512* instructions in AArch64 state. As not all
>>> ARMv8-base SoCs support that, ARMV8_CE_SHA512 is left disabled by
>>> default for now.
>>>
>>> Tested in QEMU for ARMv8 with compiled-in SHA-2 support.
>>> Even on emulated cpu the hashing speed increase was visible:
>>>
>>> With CE usage:
>>> => time hash sha512 0x40200000 0x2000000
>>> Calculate hash
>>> Calculate hash
>>> sha512 for 40200000 ... 421fffff ==> 1aeae269f4eb7c37...
>>>
>>> time: 0.215 seconds
>>>
>>> Without CE usage:
>>> => time hash sha512 0x40200000 0x2000000
>>> sha512 for 40200000 ... 421fffff ==> 1aeae269f4eb7c37...
>>>
>>> time: 0.356 seconds
>>>
>>> Real HW tests should provide much more improvement and objective results
>>> with 10x speed increase at least.
>>>
>>> The implementation is based on original implementation from Ard Biesheuvel in
>>> Linux kernel [2]
>>>
>>> [1] https://developer.arm.com/documentation/ddi0601/2023-12/AArch64-Registers/ID-AA64ISAR0-EL1--AArch64-Instruction-Set-Attribute-Register-0
>>> [2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/arch/arm/crypto/sha2-ce-core.S
>>>
>>> CC: Ard Biesheuvel <ard.biesheuvel at linaro.org>
>>> CC: Loic Poulain <loic.poulain at linaro.org>
>>> Signed-off-by: Igor Opaniuk <igor.opaniuk at gmail.com>
>> [snip]
>>> diff --git a/arch/arm/cpu/armv8/Kconfig b/arch/arm/cpu/armv8/Kconfig
>>> index 9f0fb369f7..fd5c26421b 100644
>>> --- a/arch/arm/cpu/armv8/Kconfig
>>> +++ b/arch/arm/cpu/armv8/Kconfig
>>> @@ -204,6 +204,11 @@ config ARMV8_CE_SHA256
>>>        bool "SHA-256 digest algorithm (ARMv8 Crypto Extensions)"
>>>        default y if SHA256
>>>
>>> +config ARMV8_CE_SHA512
>>> +     bool "SHA-512 digest algorithm (ARMv8 Crypto Extensions)"
>>> +     depends on SHA512
>>> +     default n
>>
>> Like the sha256 one, this should be default y I think, the performance
>> improvement is likely worth the size increase.
> That was done on purpose, as SHA512* instructions (comparing to SHA256*)
> were introduced only in ARMv8.2-A, and most of the currently supported ARMv8
> SoCs in U-Boot don't support it.
> We probably would end up with most of them reporting Synchronous
> Abort crashes.
> 
> As Marc suggested in the previous email, we should have
> both versions compiled-in (sw and hw-accelerated) and dynamic selection of
> proper version in runtime based on CPU capabilities, and I plan to
> address that in future in a separate patch series.

sounds good but then remove default n from Kconfig because that's default anyway.

M

More information about the U-Boot mailing list