Add AES with armv8 crypto extension

[yuhaoth]

Description

fix #5387

Add aes with Armv8 crypto extension

Gatekeeper checklist

• changelog provided in Changelog and terminology tidy-up for AESCE #7313
• backport not required
• tests provided

[yuhaoth]

local tests pass at d0f7759. with gcc 11.3 on ubuntu 22.04

[yanesca]

This is true for every function in library/, only functions declared in include/ are part of the public API.

[yanesca]

The general direction looks good to me.

Do you think we could split this into two consecutive PRs? (Eg. the first just dealing with AES and the second adding AES-GCM.) I mean, it would make review slightly easier, but if it makes development more inconvenient for you then it doesn't worth it.

[daverodgman]

Suggested change

	vst1q_u8( &output[0], aesce_decrypt_block( in, keys, ctx->nr ) );;
	vst1q_u8( &output[0], aesce_decrypt_block( in, keys, ctx->nr ) );

[yuhaoth]

Oops, will fix it in exists commit.

[yuhaoth]

The general direction looks good to me.

Do you think we could split this into two consecutive PRs? (Eg. the first just dealing with AES and the second adding AES-GCM.) I mean, it would make review slightly easier, but if it makes development more inconvenient for you then it doesn't worth it.

Yes. I will split it if I think it is ready for review.

Beside GCM and AES, I plan to finish some works before review.

• Clang and GCC versions compatible tests.
• Add tests for aarch64. Base on qemu or Arm64 node.
• Improve compile time architecture detection.
• Improve runtime CPU feature sets detection.

[tom-cosgrove-arm]

We did this the other way round with the SHA-2 acceleration: when the option is enabled, we check that we've been given the correct compiler flags, rather than silently updating the target from what is specified on the command line

[yuhaoth]

With arch=armv8.2-a+sha3+crypto and -O3, eor3 instruction is generated in assembly code of aesce.c . That cause illegal instruction error. So I disable SHA512 in .travis.yml . But that is not expected.

For time being, I think

• We should set arch flags per file or per function
• We should not force user enable the compiler flags. Those flags is only used for building library. If user only want to user library, why he must set the flags?

That is not finalized, I am still thinking and testing the issues. I might change above points :)

[yuhaoth]

I have posted issues at #5387 (comment)

[yuhaoth]

I have removed it.

And I think we should re-consider the rule due to the illegal instruction error when runtime detection enabled

[gilles-peskine-arm]

As I've also mentioned on the architecture document, we can't just decide to compile for a different target. If the user wants to compile for a particular processor, we can't decide to compile for a different processor!

And I think we should re-consider the rule due to the illegal instruction error when runtime detection enabled

I'm sorry, I have no idea 1. what rule you're referring to and 2. what this has to do with an error when compiling some code (?) using a particular compiler option (?).

[yanesca]

I believe the problem is with runtime detection:

1. You compile in both SHA acceleration (sha3 extension) and AES acceleration (crypto extension) with the intent of shipping it and trusting runtime detection to decide whether it is safe to run the optimised code.
2. The compiler with -O3 option uses an instruction in the AES code that is only present in the sha3 extension but not in the generic crypto extension.
3. On a platform where crypto extension is present but sha3 is not, the runtime detection will pass and run the accelerated AES code which uses an instruction that is not present.

(@yuhaoth please correct me if I am wrong.)

[yuhaoth]

@yanesca , Yes, it is the problem.

And if sha3 extension is present, with sha3 compiler options, we can got best optimization. That's one another point I am thinking about in #7004 .

[yuhaoth]

I'm sorry, I have no idea 1.
GCC and clang support two method to define target CPU modifier.

• Option 1 with pragma

/* GCC */
#pragma GCC target ("arch=armv8-a+crypto")
/* Clang */
#pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function)

• Option2 with attribute

/* GCC */
__attribute__((target("arch=armv8-a+crypto")) void function(void);
/* Clang */
__attribute__((target("crypto")) void function(void);

what rule you're referring to and 2. what this has to do with an error when compiling some code (?) using a particular compiler option (?).

mbedtls/include/mbedtls/check_config.h

Line 734 in daa6595

# error "Must use minimum -march=armv8.2-a+sha3 for MBEDTLS_SHA512_USE_A64_CRYPTO_*"

and

mbedtls/include/mbedtls/check_config.h

Line 767 in daa6595

#error "Must use minimum -march=armv8-a+crypto for MBEDTLS_SHA256_USE_A64_CRYPTO_*"

. Compiler options are forced . If command line does not include the cpu modifier flags, the place will report error.

I prefer does not force them. And if users need best code size optimization, they should compile application and library with same cpu modifier flags.

[yanesca]

LGTM

[yanesca]

LGTM

[tom-cosgrove-arm]

LGTM

[tom-cosgrove-arm]

CI is fully green

[tom-cosgrove-arm]

@xkqian Have the changes you requested been addressed?

All requested changes have been performed.

[gilles-peskine-arm]

@xkqian Given that this is very-high-priority and all the changes you requested have been addressed, I'm going ahead and merging this pull request. If you want more changes, we can do them in a follow-up PR.

[xkqian]

@xkqian Have the changes you requested been addressed?

Yes, all of them have been addressed, thanks for the reminder.

[xkqian]

@xkqian Given that this is very-high-priority and all the changes you requested have been addressed, I'm going ahead and merging this pull request. If you want more changes, we can do them in a follow-up PR.

Sure, all of my requests have been addressed. go ahead!