xref: /linux/lib/crypto/arm64/sha256.h (revision 6bc9effb4cbf9b6eba0f51aba1c8893dfd4c8100) 
1 /* SPDX-License-Identifier: GPL-2.0-or-later */
2 /*
3  * SHA-256 optimized for ARM64
4  *
5  * Copyright 2025 Google LLC
6  */
7 #include <asm/simd.h>
8 #include <linux/cpufeature.h>
9 
10 static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_neon);
11 static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_ce);
12 
13 asmlinkage void sha256_block_data_order(struct sha256_block_state *state,
14 					const u8 *data, size_t nblocks);
15 asmlinkage void sha256_block_neon(struct sha256_block_state *state,
16 				  const u8 *data, size_t nblocks);
17 asmlinkage size_t __sha256_ce_transform(struct sha256_block_state *state,
18 					const u8 *data, size_t nblocks);
19 
20 static void sha256_blocks(struct sha256_block_state *state,
21 			  const u8 *data, size_t nblocks)
22 {
23 	if (static_branch_likely(&have_neon) && likely(may_use_simd())) {
24 		if (static_branch_likely(&have_ce)) {
25 			do {
26 				size_t rem;
27 
28 				scoped_ksimd()
29 					rem = __sha256_ce_transform(state, data,
30 								    nblocks);
31 
32 				data += (nblocks - rem) * SHA256_BLOCK_SIZE;
33 				nblocks = rem;
34 			} while (nblocks);
35 		} else {
36 			scoped_ksimd()
37 				sha256_block_neon(state, data, nblocks);
38 		}
39 	} else {
40 		sha256_block_data_order(state, data, nblocks);
41 	}
42 }
43 
44 static_assert(offsetof(struct __sha256_ctx, state) == 0);
45 static_assert(offsetof(struct __sha256_ctx, bytecount) == 32);
46 static_assert(offsetof(struct __sha256_ctx, buf) == 40);
47 asmlinkage void sha256_ce_finup2x(const struct __sha256_ctx *ctx,
48 				  const u8 *data1, const u8 *data2, int len,
49 				  u8 out1[SHA256_DIGEST_SIZE],
50 				  u8 out2[SHA256_DIGEST_SIZE]);
51 
52 #define sha256_finup_2x_arch sha256_finup_2x_arch
53 static bool sha256_finup_2x_arch(const struct __sha256_ctx *ctx,
54 				 const u8 *data1, const u8 *data2, size_t len,
55 				 u8 out1[SHA256_DIGEST_SIZE],
56 				 u8 out2[SHA256_DIGEST_SIZE])
57 {
58 	/*
59 	 * The assembly requires len >= SHA256_BLOCK_SIZE && len <= INT_MAX.
60 	 * Further limit len to 65536 to avoid spending too long with preemption
61 	 * disabled.  (Of course, in practice len is nearly always 4096 anyway.)
62 	 */
63 	if (static_branch_likely(&have_ce) && len >= SHA256_BLOCK_SIZE &&
64 	    len <= 65536 && likely(may_use_simd())) {
65 		scoped_ksimd()
66 			sha256_ce_finup2x(ctx, data1, data2, len, out1, out2);
67 		kmsan_unpoison_memory(out1, SHA256_DIGEST_SIZE);
68 		kmsan_unpoison_memory(out2, SHA256_DIGEST_SIZE);
69 		return true;
70 	}
71 	return false;
72 }
73 
74 static bool sha256_finup_2x_is_optimized_arch(void)
75 {
76 	return static_key_enabled(&have_ce);
77 }
78 
79 #define sha256_mod_init_arch sha256_mod_init_arch
80 static void sha256_mod_init_arch(void)
81 {
82 	if (cpu_have_named_feature(ASIMD)) {
83 		static_branch_enable(&have_neon);
84 		if (cpu_have_named_feature(SHA2))
85 			static_branch_enable(&have_ce);
86 	}
87 }
88