We support building the kernel with archaic versions of binutils which
had some confusion regarding how instructions should be encoded for .inst
which we work around with the __emit_inst() macro. Unfortunately we have
not consistently used this macro, one of the places where it's missed being
the macros that manually encode v8.2 crypto instructions. This means that
kernels built with such toolchains have never supported use of the affected
instructions correctly.
Since these toolchains are very old (some idle research suggested 2015
era) it seems more sensible to just refuse to build v8.2 crypto support
with them, in the unlikely event that someone has a need to use such a
toolchain to build a kernel which will run on a system with v8.2 crypto
support they can always fix this properly but it seems more likely that
we will deprecate support for these toolchains and remove __emit_inst()
before that happens.
Signed-off-by: Mark Brown <[email protected]>
---
arch/arm64/crypto/Kconfig | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/arm64/crypto/Kconfig b/arch/arm64/crypto/Kconfig
index 2a965aa0188d..90dd62d46739 100644
--- a/arch/arm64/crypto/Kconfig
+++ b/arch/arm64/crypto/Kconfig
@@ -32,12 +32,14 @@ config CRYPTO_SHA2_ARM64_CE
config CRYPTO_SHA512_ARM64_CE
tristate "SHA-384/SHA-512 digest algorithm (ARMv8 Crypto Extensions)"
depends on KERNEL_MODE_NEON
+ depends on !BROKEN_GAS_INST
select CRYPTO_HASH
select CRYPTO_SHA512_ARM64
config CRYPTO_SHA3_ARM64
tristate "SHA3 digest algorithm (ARMv8.2 Crypto Extensions)"
depends on KERNEL_MODE_NEON
+ depends on !BROKEN_GAS_INST
select CRYPTO_HASH
select CRYPTO_SHA3
@@ -50,6 +52,7 @@ config CRYPTO_SM3_ARM64_CE
config CRYPTO_SM4_ARM64_CE
tristate "SM4 symmetric cipher (ARMv8.2 Crypto Extensions)"
depends on KERNEL_MODE_NEON
+ depends on !BROKEN_GAS_INST
select CRYPTO_ALGAPI
select CRYPTO_LIB_SM4
--
2.30.2
On Wed, 2 Mar 2022 at 16:54, Mark Brown <[email protected]> wrote:
>
> We support building the kernel with archaic versions of binutils which
> had some confusion regarding how instructions should be encoded for .inst
> which we work around with the __emit_inst() macro. Unfortunately we have
> not consistently used this macro, one of the places where it's missed being
> the macros that manually encode v8.2 crypto instructions. This means that
> kernels built with such toolchains have never supported use of the affected
> instructions correctly.
>
> Since these toolchains are very old (some idle research suggested 2015
> era) it seems more sensible to just refuse to build v8.2 crypto support
> with them, in the unlikely event that someone has a need to use such a
> toolchain to build a kernel which will run on a system with v8.2 crypto
> support they can always fix this properly but it seems more likely that
> we will deprecate support for these toolchains and remove __emit_inst()
> before that happens.
>
> Signed-off-by: Mark Brown <[email protected]>
IIRC this is not about .inst getting the encoding wrong, but about
confusion over the size of the generated opcode, resulting in problems
generating constants involving relative offsets between labels. (The
endian swap is there so that .long can be used on BE to emit the LE
opcodes)
This is not an issue here, so I don't think this change is necessary.
> ---
> arch/arm64/crypto/Kconfig | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/arch/arm64/crypto/Kconfig b/arch/arm64/crypto/Kconfig
> index 2a965aa0188d..90dd62d46739 100644
> --- a/arch/arm64/crypto/Kconfig
> +++ b/arch/arm64/crypto/Kconfig
> @@ -32,12 +32,14 @@ config CRYPTO_SHA2_ARM64_CE
> config CRYPTO_SHA512_ARM64_CE
> tristate "SHA-384/SHA-512 digest algorithm (ARMv8 Crypto Extensions)"
> depends on KERNEL_MODE_NEON
> + depends on !BROKEN_GAS_INST
> select CRYPTO_HASH
> select CRYPTO_SHA512_ARM64
>
> config CRYPTO_SHA3_ARM64
> tristate "SHA3 digest algorithm (ARMv8.2 Crypto Extensions)"
> depends on KERNEL_MODE_NEON
> + depends on !BROKEN_GAS_INST
> select CRYPTO_HASH
> select CRYPTO_SHA3
>
> @@ -50,6 +52,7 @@ config CRYPTO_SM3_ARM64_CE
> config CRYPTO_SM4_ARM64_CE
> tristate "SM4 symmetric cipher (ARMv8.2 Crypto Extensions)"
> depends on KERNEL_MODE_NEON
> + depends on !BROKEN_GAS_INST
> select CRYPTO_ALGAPI
> select CRYPTO_LIB_SM4
>
> --
> 2.30.2
>
On Thu, 03 Mar 2022 07:26:45 +0000,
Ard Biesheuvel <[email protected]> wrote:
>
> On Wed, 2 Mar 2022 at 16:54, Mark Brown <[email protected]> wrote:
> >
> > We support building the kernel with archaic versions of binutils which
> > had some confusion regarding how instructions should be encoded for .inst
> > which we work around with the __emit_inst() macro. Unfortunately we have
> > not consistently used this macro, one of the places where it's missed being
> > the macros that manually encode v8.2 crypto instructions. This means that
> > kernels built with such toolchains have never supported use of the affected
> > instructions correctly.
> >
> > Since these toolchains are very old (some idle research suggested 2015
> > era) it seems more sensible to just refuse to build v8.2 crypto support
> > with them, in the unlikely event that someone has a need to use such a
> > toolchain to build a kernel which will run on a system with v8.2 crypto
> > support they can always fix this properly but it seems more likely that
> > we will deprecate support for these toolchains and remove __emit_inst()
> > before that happens.
> >
> > Signed-off-by: Mark Brown <[email protected]>
>
> IIRC this is not about .inst getting the encoding wrong, but about
> confusion over the size of the generated opcode, resulting in problems
> generating constants involving relative offsets between labels. (The
> endian swap is there so that .long can be used on BE to emit the LE
> opcodes)
>
> This is not an issue here, so I don't think this change is necessary.
Indeed. The only case where the broken GAS .inst has hit us was in
combination with alternatives (see eb7c11ee3c5c for details). The
encoding itself is always correct, and it is only the label generation
that was broken. If we were affected by this, the kernel would simply
fail to build with these toolchains.
If this ever happens (because we'd add some extra alternative
sequences to the crypto code?), we can revisit this. But in the
meantime, I don't see anything warranting this extra dependency.
Thanks,
M.
--
Without deviation from the norm, progress is not possible.
On Thu, Mar 03, 2022 at 11:16:28AM +0000, Marc Zyngier wrote:
> Indeed. The only case where the broken GAS .inst has hit us was in
> combination with alternatives (see eb7c11ee3c5c for details). The
> encoding itself is always correct, and it is only the label generation
> that was broken. If we were affected by this, the kernel would simply
> fail to build with these toolchains.
> If this ever happens (because we'd add some extra alternative
> sequences to the crypto code?), we can revisit this. But in the
> meantime, I don't see anything warranting this extra dependency.
Ah, in that case the SVE code should be fine too and there's no issue
with either. I'd understood the issue to be with the actual instruction
encoding.