tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

lib/crypto: s390/sha3: Add optimized Keccak functions

Implement sha3_absorb_blocks() and sha3_keccakf() using the hardware-
accelerated SHA-3 support in Message-Security-Assist Extension 6.

This accelerates the SHA3-224, SHA3-256, SHA3-384, SHA3-512, and
SHAKE256 library functions.

Note that arch/s390/crypto/ already has SHA-3 code that uses this
extension, but it is exposed only via crypto_shash. This commit brings
the same acceleration to the SHA-3 library. The arch/s390/crypto/
version will become redundant and be removed in later changes.

Tested-by: Harald Freudenberger <freude@linux.ibm.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/r/20251026055032.1413733-11-ebiggers@kernel.org
Signed-off-by: Eric Biggers <ebiggers@kernel.org>

Eric Biggers 04171105 1e29a750

+89
+1
lib/crypto/Kconfig
··· 206 206 bool 207 207 depends on CRYPTO_LIB_SHA3 && !UML 208 208 default y if ARM64 && KERNEL_MODE_NEON 209 + default y if S390 209 210 210 211 config CRYPTO_LIB_SM3 211 212 tristate
+88
lib/crypto/s390/sha3.h
··· 1 + /* SPDX-License-Identifier: GPL-2.0-or-later */ 2 + /* 3 + * SHA-3 optimized using the CP Assist for Cryptographic Functions (CPACF) 4 + * 5 + * Copyright 2025 Google LLC 6 + */ 7 + #include <asm/cpacf.h> 8 + #include <linux/cpufeature.h> 9 + 10 + static __ro_after_init DEFINE_STATIC_KEY_FALSE(have_sha3); 11 + 12 + static void sha3_absorb_blocks(struct sha3_state *state, const u8 *data, 13 + size_t nblocks, size_t block_size) 14 + { 15 + if (static_branch_likely(&have_sha3)) { 16 + /* 17 + * Note that KIMD assumes little-endian order of the state 18 + * words. sha3_state already uses that order, though, so 19 + * there's no need for a byteswap. 20 + */ 21 + switch (block_size) { 22 + case SHA3_224_BLOCK_SIZE: 23 + cpacf_kimd(CPACF_KIMD_SHA3_224, state, 24 + data, nblocks * block_size); 25 + return; 26 + case SHA3_256_BLOCK_SIZE: 27 + /* 28 + * This case handles both SHA3-256 and SHAKE256, since 29 + * they have the same block size. 30 + */ 31 + cpacf_kimd(CPACF_KIMD_SHA3_256, state, 32 + data, nblocks * block_size); 33 + return; 34 + case SHA3_384_BLOCK_SIZE: 35 + cpacf_kimd(CPACF_KIMD_SHA3_384, state, 36 + data, nblocks * block_size); 37 + return; 38 + case SHA3_512_BLOCK_SIZE: 39 + cpacf_kimd(CPACF_KIMD_SHA3_512, state, 40 + data, nblocks * block_size); 41 + return; 42 + } 43 + } 44 + sha3_absorb_blocks_generic(state, data, nblocks, block_size); 45 + } 46 + 47 + static void sha3_keccakf(struct sha3_state *state) 48 + { 49 + if (static_branch_likely(&have_sha3)) { 50 + /* 51 + * Passing zeroes into any of CPACF_KIMD_SHA3_* gives the plain 52 + * Keccak-f permutation, which is what we want here. Use 53 + * SHA3-512 since it has the smallest block size. 54 + */ 55 + static const u8 zeroes[SHA3_512_BLOCK_SIZE]; 56 + 57 + cpacf_kimd(CPACF_KIMD_SHA3_512, state, zeroes, sizeof(zeroes)); 58 + } else { 59 + sha3_keccakf_generic(state); 60 + } 61 + } 62 + 63 + #define sha3_mod_init_arch sha3_mod_init_arch 64 + static void sha3_mod_init_arch(void) 65 + { 66 + int num_present = 0; 67 + int num_possible = 0; 68 + 69 + if (!cpu_have_feature(S390_CPU_FEATURE_MSA)) 70 + return; 71 + /* 72 + * Since all the SHA-3 functions are in Message-Security-Assist 73 + * Extension 6, just treat them as all or nothing. This way we need 74 + * only one static_key. 75 + */ 76 + #define QUERY(opcode, func) \ 77 + ({ num_present += !!cpacf_query_func(opcode, func); num_possible++; }) 78 + QUERY(CPACF_KIMD, CPACF_KIMD_SHA3_224); 79 + QUERY(CPACF_KIMD, CPACF_KIMD_SHA3_256); 80 + QUERY(CPACF_KIMD, CPACF_KIMD_SHA3_384); 81 + QUERY(CPACF_KIMD, CPACF_KIMD_SHA3_512); 82 + #undef QUERY 83 + 84 + if (num_present == num_possible) 85 + static_branch_enable(&have_sha3); 86 + else if (num_present != 0) 87 + pr_warn("Unsupported combination of SHA-3 facilities\n"); 88 + }