From 0ef74f6d6d89bdc68280b05a54d9b821aaca279b Mon Sep 17 00:00:00 2001 From: Ard Biesheuvel Date: Wed, 7 Mar 2018 08:35:52 -0500 Subject: [PATCH] target/arm: implement SHA-512 instructions This implements emulation of the new SHA-512 instructions that have been added as an optional extensions to the ARMv8 Crypto Extensions in ARM v8.2. Backports commit 90b827d131812d7f0a8abb13dba1942a2bcee821 from qemu --- qemu/aarch64.h | 4 ++ qemu/aarch64eb.h | 4 ++ qemu/arm.h | 4 ++ qemu/armeb.h | 4 ++ qemu/header_gen.py | 4 ++ qemu/m68k.h | 4 ++ qemu/mips.h | 4 ++ qemu/mips64.h | 4 ++ qemu/mips64el.h | 4 ++ qemu/mipsel.h | 4 ++ qemu/powerpc.h | 4 ++ qemu/sparc.h | 4 ++ qemu/sparc64.h | 4 ++ qemu/target/arm/cpu.h | 1 + qemu/target/arm/crypto_helper.c | 90 ++++++++++++++++++++++++- qemu/target/arm/helper.h | 5 ++ qemu/target/arm/translate-a64.c | 112 ++++++++++++++++++++++++++++++++ qemu/x86_64.h | 4 ++ 18 files changed, 263 insertions(+), 1 deletion(-) diff --git a/qemu/aarch64.h b/qemu/aarch64.h index d75b3cf4..e0a1415f 100644 --- a/qemu/aarch64.h +++ b/qemu/aarch64.h @@ -1597,6 +1597,10 @@ #define helper_crypto_sha256h2 helper_crypto_sha256h2_aarch64 #define helper_crypto_sha256su0 helper_crypto_sha256su0_aarch64 #define helper_crypto_sha256su1 helper_crypto_sha256su1_aarch64 +#define helper_crypto_sha512h helper_crypto_sha512h_aarch64 +#define helper_crypto_sha512h2 helper_crypto_sha512h2_aarch64 +#define helper_crypto_sha512su0 helper_crypto_sha512su0_aarch64 +#define helper_crypto_sha512su1 helper_crypto_sha512su1_aarch64 #define helper_dc_zva helper_dc_zva_aarch64 #define helper_div_i32 helper_div_i32_aarch64 #define helper_div_i64 helper_div_i64_aarch64 diff --git a/qemu/aarch64eb.h b/qemu/aarch64eb.h index cb685d57..3990dcf2 100644 --- a/qemu/aarch64eb.h +++ b/qemu/aarch64eb.h @@ -1597,6 +1597,10 @@ #define helper_crypto_sha256h2 helper_crypto_sha256h2_aarch64eb #define helper_crypto_sha256su0 helper_crypto_sha256su0_aarch64eb #define helper_crypto_sha256su1 helper_crypto_sha256su1_aarch64eb +#define helper_crypto_sha512h helper_crypto_sha512h_aarch64eb +#define helper_crypto_sha512h2 helper_crypto_sha512h2_aarch64eb +#define helper_crypto_sha512su0 helper_crypto_sha512su0_aarch64eb +#define helper_crypto_sha512su1 helper_crypto_sha512su1_aarch64eb #define helper_dc_zva helper_dc_zva_aarch64eb #define helper_div_i32 helper_div_i32_aarch64eb #define helper_div_i64 helper_div_i64_aarch64eb diff --git a/qemu/arm.h b/qemu/arm.h index 291d82be..849132d2 100644 --- a/qemu/arm.h +++ b/qemu/arm.h @@ -1597,6 +1597,10 @@ #define helper_crypto_sha256h2 helper_crypto_sha256h2_arm #define helper_crypto_sha256su0 helper_crypto_sha256su0_arm #define helper_crypto_sha256su1 helper_crypto_sha256su1_arm +#define helper_crypto_sha512h helper_crypto_sha512h_arm +#define helper_crypto_sha512h2 helper_crypto_sha512h2_arm +#define helper_crypto_sha512su0 helper_crypto_sha512su0_arm +#define helper_crypto_sha512su1 helper_crypto_sha512su1_arm #define helper_dc_zva helper_dc_zva_arm #define helper_div_i32 helper_div_i32_arm #define helper_div_i64 helper_div_i64_arm diff --git a/qemu/armeb.h b/qemu/armeb.h index 249de3fe..b2eeec2b 100644 --- a/qemu/armeb.h +++ b/qemu/armeb.h @@ -1597,6 +1597,10 @@ #define helper_crypto_sha256h2 helper_crypto_sha256h2_armeb #define helper_crypto_sha256su0 helper_crypto_sha256su0_armeb #define helper_crypto_sha256su1 helper_crypto_sha256su1_armeb +#define helper_crypto_sha512h helper_crypto_sha512h_armeb +#define helper_crypto_sha512h2 helper_crypto_sha512h2_armeb +#define helper_crypto_sha512su0 helper_crypto_sha512su0_armeb +#define helper_crypto_sha512su1 helper_crypto_sha512su1_armeb #define helper_dc_zva helper_dc_zva_armeb #define helper_div_i32 helper_div_i32_armeb #define helper_div_i64 helper_div_i64_armeb diff --git a/qemu/header_gen.py b/qemu/header_gen.py index 10d643a0..46a70d82 100644 --- a/qemu/header_gen.py +++ b/qemu/header_gen.py @@ -1603,6 +1603,10 @@ symbols = ( 'helper_crypto_sha256h2', 'helper_crypto_sha256su0', 'helper_crypto_sha256su1', + 'helper_crypto_sha512h', + 'helper_crypto_sha512h2', + 'helper_crypto_sha512su0', + 'helper_crypto_sha512su1', 'helper_dc_zva', 'helper_div_i32', 'helper_div_i64', diff --git a/qemu/m68k.h b/qemu/m68k.h index 53928cdc..b35b937d 100644 --- a/qemu/m68k.h +++ b/qemu/m68k.h @@ -1597,6 +1597,10 @@ #define helper_crypto_sha256h2 helper_crypto_sha256h2_m68k #define helper_crypto_sha256su0 helper_crypto_sha256su0_m68k #define helper_crypto_sha256su1 helper_crypto_sha256su1_m68k +#define helper_crypto_sha512h helper_crypto_sha512h_m68k +#define helper_crypto_sha512h2 helper_crypto_sha512h2_m68k +#define helper_crypto_sha512su0 helper_crypto_sha512su0_m68k +#define helper_crypto_sha512su1 helper_crypto_sha512su1_m68k #define helper_dc_zva helper_dc_zva_m68k #define helper_div_i32 helper_div_i32_m68k #define helper_div_i64 helper_div_i64_m68k diff --git a/qemu/mips.h b/qemu/mips.h index f60af4ab..28053f8e 100644 --- a/qemu/mips.h +++ b/qemu/mips.h @@ -1597,6 +1597,10 @@ #define helper_crypto_sha256h2 helper_crypto_sha256h2_mips #define helper_crypto_sha256su0 helper_crypto_sha256su0_mips #define helper_crypto_sha256su1 helper_crypto_sha256su1_mips +#define helper_crypto_sha512h helper_crypto_sha512h_mips +#define helper_crypto_sha512h2 helper_crypto_sha512h2_mips +#define helper_crypto_sha512su0 helper_crypto_sha512su0_mips +#define helper_crypto_sha512su1 helper_crypto_sha512su1_mips #define helper_dc_zva helper_dc_zva_mips #define helper_div_i32 helper_div_i32_mips #define helper_div_i64 helper_div_i64_mips diff --git a/qemu/mips64.h b/qemu/mips64.h index edd3a0db..714caa3e 100644 --- a/qemu/mips64.h +++ b/qemu/mips64.h @@ -1597,6 +1597,10 @@ #define helper_crypto_sha256h2 helper_crypto_sha256h2_mips64 #define helper_crypto_sha256su0 helper_crypto_sha256su0_mips64 #define helper_crypto_sha256su1 helper_crypto_sha256su1_mips64 +#define helper_crypto_sha512h helper_crypto_sha512h_mips64 +#define helper_crypto_sha512h2 helper_crypto_sha512h2_mips64 +#define helper_crypto_sha512su0 helper_crypto_sha512su0_mips64 +#define helper_crypto_sha512su1 helper_crypto_sha512su1_mips64 #define helper_dc_zva helper_dc_zva_mips64 #define helper_div_i32 helper_div_i32_mips64 #define helper_div_i64 helper_div_i64_mips64 diff --git a/qemu/mips64el.h b/qemu/mips64el.h index 058b3049..a455f32f 100644 --- a/qemu/mips64el.h +++ b/qemu/mips64el.h @@ -1597,6 +1597,10 @@ #define helper_crypto_sha256h2 helper_crypto_sha256h2_mips64el #define helper_crypto_sha256su0 helper_crypto_sha256su0_mips64el #define helper_crypto_sha256su1 helper_crypto_sha256su1_mips64el +#define helper_crypto_sha512h helper_crypto_sha512h_mips64el +#define helper_crypto_sha512h2 helper_crypto_sha512h2_mips64el +#define helper_crypto_sha512su0 helper_crypto_sha512su0_mips64el +#define helper_crypto_sha512su1 helper_crypto_sha512su1_mips64el #define helper_dc_zva helper_dc_zva_mips64el #define helper_div_i32 helper_div_i32_mips64el #define helper_div_i64 helper_div_i64_mips64el diff --git a/qemu/mipsel.h b/qemu/mipsel.h index 322295d3..803dd294 100644 --- a/qemu/mipsel.h +++ b/qemu/mipsel.h @@ -1597,6 +1597,10 @@ #define helper_crypto_sha256h2 helper_crypto_sha256h2_mipsel #define helper_crypto_sha256su0 helper_crypto_sha256su0_mipsel #define helper_crypto_sha256su1 helper_crypto_sha256su1_mipsel +#define helper_crypto_sha512h helper_crypto_sha512h_mipsel +#define helper_crypto_sha512h2 helper_crypto_sha512h2_mipsel +#define helper_crypto_sha512su0 helper_crypto_sha512su0_mipsel +#define helper_crypto_sha512su1 helper_crypto_sha512su1_mipsel #define helper_dc_zva helper_dc_zva_mipsel #define helper_div_i32 helper_div_i32_mipsel #define helper_div_i64 helper_div_i64_mipsel diff --git a/qemu/powerpc.h b/qemu/powerpc.h index 6529e477..e76a2ba1 100644 --- a/qemu/powerpc.h +++ b/qemu/powerpc.h @@ -1597,6 +1597,10 @@ #define helper_crypto_sha256h2 helper_crypto_sha256h2_powerpc #define helper_crypto_sha256su0 helper_crypto_sha256su0_powerpc #define helper_crypto_sha256su1 helper_crypto_sha256su1_powerpc +#define helper_crypto_sha512h helper_crypto_sha512h_powerpc +#define helper_crypto_sha512h2 helper_crypto_sha512h2_powerpc +#define helper_crypto_sha512su0 helper_crypto_sha512su0_powerpc +#define helper_crypto_sha512su1 helper_crypto_sha512su1_powerpc #define helper_dc_zva helper_dc_zva_powerpc #define helper_div_i32 helper_div_i32_powerpc #define helper_div_i64 helper_div_i64_powerpc diff --git a/qemu/sparc.h b/qemu/sparc.h index 8df30ff4..5dc2140f 100644 --- a/qemu/sparc.h +++ b/qemu/sparc.h @@ -1597,6 +1597,10 @@ #define helper_crypto_sha256h2 helper_crypto_sha256h2_sparc #define helper_crypto_sha256su0 helper_crypto_sha256su0_sparc #define helper_crypto_sha256su1 helper_crypto_sha256su1_sparc +#define helper_crypto_sha512h helper_crypto_sha512h_sparc +#define helper_crypto_sha512h2 helper_crypto_sha512h2_sparc +#define helper_crypto_sha512su0 helper_crypto_sha512su0_sparc +#define helper_crypto_sha512su1 helper_crypto_sha512su1_sparc #define helper_dc_zva helper_dc_zva_sparc #define helper_div_i32 helper_div_i32_sparc #define helper_div_i64 helper_div_i64_sparc diff --git a/qemu/sparc64.h b/qemu/sparc64.h index 0be8ae2d..f59e4039 100644 --- a/qemu/sparc64.h +++ b/qemu/sparc64.h @@ -1597,6 +1597,10 @@ #define helper_crypto_sha256h2 helper_crypto_sha256h2_sparc64 #define helper_crypto_sha256su0 helper_crypto_sha256su0_sparc64 #define helper_crypto_sha256su1 helper_crypto_sha256su1_sparc64 +#define helper_crypto_sha512h helper_crypto_sha512h_sparc64 +#define helper_crypto_sha512h2 helper_crypto_sha512h2_sparc64 +#define helper_crypto_sha512su0 helper_crypto_sha512su0_sparc64 +#define helper_crypto_sha512su1 helper_crypto_sha512su1_sparc64 #define helper_dc_zva helper_dc_zva_sparc64 #define helper_div_i32 helper_div_i32_sparc64 #define helper_div_i64 helper_div_i64_sparc64 diff --git a/qemu/target/arm/cpu.h b/qemu/target/arm/cpu.h index fad78291..f152ea1e 100644 --- a/qemu/target/arm/cpu.h +++ b/qemu/target/arm/cpu.h @@ -1317,6 +1317,7 @@ enum arm_features { ARM_FEATURE_M_SECURITY, /* M profile Security Extension */ ARM_FEATURE_JAZELLE, /* has (trivial) Jazelle implementation */ ARM_FEATURE_SVE, /* has Scalable Vector Extension */ + ARM_FEATURE_V8_SHA512, /* implements SHA512 part of v8 Crypto Extensions */ ARM_FEATURE_V8_SHA3, /* implements SHA3 part of v8 Crypto Extensions */ }; diff --git a/qemu/target/arm/crypto_helper.c b/qemu/target/arm/crypto_helper.c index f5acd9ee..f215a8dc 100644 --- a/qemu/target/arm/crypto_helper.c +++ b/qemu/target/arm/crypto_helper.c @@ -1,7 +1,7 @@ /* * crypto_helper.c - emulate v8 Crypto Extensions instructions * - * Copyright (C) 2013 - 2014 Linaro Ltd + * Copyright (C) 2013 - 2018 Linaro Ltd * * This library is free software; you can redistribute it and/or * modify it under the terms of the GNU Lesser General Public @@ -462,3 +462,91 @@ void HELPER(crypto_sha256su1)(void *vd, void *vn, void *vm) rd[0] = d.l[0]; rd[1] = d.l[1]; } + +/* + * The SHA-512 logical functions (same as above but using 64-bit operands) + */ + +static uint64_t cho512(uint64_t x, uint64_t y, uint64_t z) +{ + return (x & (y ^ z)) ^ z; +} + +static uint64_t maj512(uint64_t x, uint64_t y, uint64_t z) +{ + return (x & y) | ((x | y) & z); +} + +static uint64_t S0_512(uint64_t x) +{ + return ror64(x, 28) ^ ror64(x, 34) ^ ror64(x, 39); +} + +static uint64_t S1_512(uint64_t x) +{ + return ror64(x, 14) ^ ror64(x, 18) ^ ror64(x, 41); +} + +static uint64_t s0_512(uint64_t x) +{ + return ror64(x, 1) ^ ror64(x, 8) ^ (x >> 7); +} + +static uint64_t s1_512(uint64_t x) +{ + return ror64(x, 19) ^ ror64(x, 61) ^ (x >> 6); +} + +void HELPER(crypto_sha512h)(void *vd, void *vn, void *vm) +{ + uint64_t *rd = vd; + uint64_t *rn = vn; + uint64_t *rm = vm; + uint64_t d0 = rd[0]; + uint64_t d1 = rd[1]; + + d1 += S1_512(rm[1]) + cho512(rm[1], rn[0], rn[1]); + d0 += S1_512(d1 + rm[0]) + cho512(d1 + rm[0], rm[1], rn[0]); + + rd[0] = d0; + rd[1] = d1; +} + +void HELPER(crypto_sha512h2)(void *vd, void *vn, void *vm) +{ + uint64_t *rd = vd; + uint64_t *rn = vn; + uint64_t *rm = vm; + uint64_t d0 = rd[0]; + uint64_t d1 = rd[1]; + + d1 += S0_512(rm[0]) + maj512(rn[0], rm[1], rm[0]); + d0 += S0_512(d1) + maj512(d1, rm[0], rm[1]); + + rd[0] = d0; + rd[1] = d1; +} + +void HELPER(crypto_sha512su0)(void *vd, void *vn) +{ + uint64_t *rd = vd; + uint64_t *rn = vn; + uint64_t d0 = rd[0]; + uint64_t d1 = rd[1]; + + d0 += s0_512(rd[1]); + d1 += s0_512(rn[0]); + + rd[0] = d0; + rd[1] = d1; +} + +void HELPER(crypto_sha512su1)(void *vd, void *vn, void *vm) +{ + uint64_t *rd = vd; + uint64_t *rn = vn; + uint64_t *rm = vm; + + rd[0] += s1_512(rn[0]) + rm[0]; + rd[1] += s1_512(rn[1]) + rm[1]; +} diff --git a/qemu/target/arm/helper.h b/qemu/target/arm/helper.h index 23f2a268..8f47813e 100644 --- a/qemu/target/arm/helper.h +++ b/qemu/target/arm/helper.h @@ -536,6 +536,11 @@ DEF_HELPER_FLAGS_3(crypto_sha256h2, TCG_CALL_NO_RWG, void, ptr, ptr, ptr) DEF_HELPER_FLAGS_2(crypto_sha256su0, TCG_CALL_NO_RWG, void, ptr, ptr) DEF_HELPER_FLAGS_3(crypto_sha256su1, TCG_CALL_NO_RWG, void, ptr, ptr, ptr) +DEF_HELPER_FLAGS_3(crypto_sha512h, TCG_CALL_NO_RWG, void, ptr, ptr, ptr) +DEF_HELPER_FLAGS_3(crypto_sha512h2, TCG_CALL_NO_RWG, void, ptr, ptr, ptr) +DEF_HELPER_FLAGS_2(crypto_sha512su0, TCG_CALL_NO_RWG, void, ptr, ptr) +DEF_HELPER_FLAGS_3(crypto_sha512su1, TCG_CALL_NO_RWG, void, ptr, ptr, ptr) + DEF_HELPER_FLAGS_3(crc32_arm, TCG_CALL_NO_RWG_SE, i32, i32, i32, i32) DEF_HELPER_FLAGS_3(crc32c, TCG_CALL_NO_RWG_SE, i32, i32, i32, i32) DEF_HELPER_2(dc_zva, void, env, i64) diff --git a/qemu/target/arm/translate-a64.c b/qemu/target/arm/translate-a64.c index 371d1ab9..69939e1c 100644 --- a/qemu/target/arm/translate-a64.c +++ b/qemu/target/arm/translate-a64.c @@ -11798,6 +11798,116 @@ static void disas_crypto_four_reg(DisasContext *s, uint32_t insn) tcg_temp_free(tcg_ctx, tcg_res[1]); } +/* Crypto three-reg SHA512 + * 31 21 20 16 15 14 13 12 11 10 9 5 4 0 + * +-----------------------+------+---+---+-----+--------+------+------+ + * | 1 1 0 0 1 1 1 0 0 1 1 | Rm | 1 | O | 0 0 | opcode | Rn | Rd | + * +-----------------------+------+---+---+-----+--------+------+------+ + */ +static void disas_crypto_three_reg_sha512(DisasContext *s, uint32_t insn) +{ + TCGContext *tcg_ctx = s->uc->tcg_ctx; + int opcode = extract32(insn, 10, 2); + int o = extract32(insn, 14, 1); + int rm = extract32(insn, 16, 5); + int rn = extract32(insn, 5, 5); + int rd = extract32(insn, 0, 5); + int feature; + CryptoThreeOpFn *genfn; + + if (o == 0) { + switch (opcode) { + case 0: /* SHA512H */ + feature = ARM_FEATURE_V8_SHA512; + genfn = gen_helper_crypto_sha512h; + break; + case 1: /* SHA512H2 */ + feature = ARM_FEATURE_V8_SHA512; + genfn = gen_helper_crypto_sha512h2; + break; + case 2: /* SHA512SU1 */ + feature = ARM_FEATURE_V8_SHA512; + genfn = gen_helper_crypto_sha512su1; + break; + default: + unallocated_encoding(s); + return; + } + } else { + unallocated_encoding(s); + return; + } + + if (!arm_dc_feature(s, feature)) { + unallocated_encoding(s); + return; + } + + if (!fp_access_check(s)) { + return; + } + + if (genfn) { + TCGv_ptr tcg_rd_ptr, tcg_rn_ptr, tcg_rm_ptr; + + tcg_rd_ptr = vec_full_reg_ptr(s, rd); + tcg_rn_ptr = vec_full_reg_ptr(s, rn); + tcg_rm_ptr = vec_full_reg_ptr(s, rm); + + genfn(tcg_ctx, tcg_rd_ptr, tcg_rn_ptr, tcg_rm_ptr); + + tcg_temp_free_ptr(tcg_ctx, tcg_rd_ptr); + tcg_temp_free_ptr(tcg_ctx, tcg_rn_ptr); + tcg_temp_free_ptr(tcg_ctx, tcg_rm_ptr); + } else { + g_assert_not_reached(); + } +} + +/* Crypto two-reg SHA512 + * 31 12 11 10 9 5 4 0 + * +-----------------------------------------+--------+------+------+ + * | 1 1 0 0 1 1 1 0 1 1 0 0 0 0 0 0 1 0 0 0 | opcode | Rn | Rd | + * +-----------------------------------------+--------+------+------+ + */ +static void disas_crypto_two_reg_sha512(DisasContext *s, uint32_t insn) +{ + TCGContext *tcg_ctx = s->uc->tcg_ctx; + int opcode = extract32(insn, 10, 2); + int rn = extract32(insn, 5, 5); + int rd = extract32(insn, 0, 5); + TCGv_ptr tcg_rd_ptr, tcg_rn_ptr; + int feature; + CryptoTwoOpFn *genfn; + + switch (opcode) { + case 0: /* SHA512SU0 */ + feature = ARM_FEATURE_V8_SHA512; + genfn = gen_helper_crypto_sha512su0; + break; + default: + unallocated_encoding(s); + return; + } + + if (!arm_dc_feature(s, feature)) { + unallocated_encoding(s); + return; + } + + if (!fp_access_check(s)) { + return; + } + + tcg_rd_ptr = vec_full_reg_ptr(s, rd); + tcg_rn_ptr = vec_full_reg_ptr(s, rn); + + genfn(tcg_ctx, tcg_rd_ptr, tcg_rn_ptr); + + tcg_temp_free_ptr(tcg_ctx, tcg_rd_ptr); + tcg_temp_free_ptr(tcg_ctx, tcg_rn_ptr); +} + /* C3.6 Data processing - SIMD, inc Crypto * * As the decode gets a little complex we are using a table based @@ -11827,6 +11937,8 @@ static const AArch64DecodeTable data_proc_simd[] = { { 0x4e280800, 0xff3e0c00, disas_crypto_aes }, { 0x5e000000, 0xff208c00, disas_crypto_three_reg_sha }, { 0x5e280800, 0xff3e0c00, disas_crypto_two_reg_sha }, + { 0xce608000, 0xffe0b000, disas_crypto_three_reg_sha512 }, + { 0xcec08000, 0xfffff000, disas_crypto_two_reg_sha512 }, { 0xce000000, 0xff808000, disas_crypto_four_reg }, { 0x00000000, 0x00000000, NULL } }; diff --git a/qemu/x86_64.h b/qemu/x86_64.h index 823bbbfd..b88a355b 100644 --- a/qemu/x86_64.h +++ b/qemu/x86_64.h @@ -1597,6 +1597,10 @@ #define helper_crypto_sha256h2 helper_crypto_sha256h2_x86_64 #define helper_crypto_sha256su0 helper_crypto_sha256su0_x86_64 #define helper_crypto_sha256su1 helper_crypto_sha256su1_x86_64 +#define helper_crypto_sha512h helper_crypto_sha512h_x86_64 +#define helper_crypto_sha512h2 helper_crypto_sha512h2_x86_64 +#define helper_crypto_sha512su0 helper_crypto_sha512su0_x86_64 +#define helper_crypto_sha512su1 helper_crypto_sha512su1_x86_64 #define helper_dc_zva helper_dc_zva_x86_64 #define helper_div_i32 helper_div_i32_x86_64 #define helper_div_i64 helper_div_i64_x86_64