| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <ba3ff3d5183ab78b3d02d8db30223def@linux.ibm.com>
Date: Wed, 29 Oct 2025 10:30:40 +0100
From: Harald Freudenberger <freude@...ux.ibm.com>
To: Eric Biggers <ebiggers@...nel.org>
Cc: linux-crypto@...r.kernel.org, David Howells <dhowells@...hat.com>,
Ard
Biesheuvel <ardb@...nel.org>,
"Jason A . Donenfeld" <Jason@...c4.com>,
Holger Dengler <dengler@...ux.ibm.com>,
Herbert Xu
<herbert@...dor.apana.org.au>,
linux-arm-kernel@...ts.infradead.org, linux-s390@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH v2 00/15] SHA-3 library
On 2025-10-26 06:50, Eric Biggers wrote:
> This series is targeting libcrypto-next. It can also be retrieved
> from:
>
> git fetch
> https://git.kernel.org/pub/scm/linux/kernel/git/ebiggers/linux.git
> sha3-lib-v2
>
> This series adds SHA-3 support to lib/crypto/. This includes support
> for the digest algorithms SHA3-224, SHA3-256, SHA3-384, and SHA3-512,
> and also support for the extendable-output functions SHAKE128 and
> SHAKE256. The SHAKE128 and SHAKE256 support will be needed by ML-DSA.
>
> The architecture-optimized SHA-3 code for arm64 and s390 is migrated
> into lib/crypto/. (The existing s390 code couldn't really be reused,
> so
> really I rewrote it from scratch.) This makes the SHA-3 library
> functions be accelerated on these architectures.
>
> Finally, the sha3-224, sha3-256, sha3-384, and sha3-512 crypto_shash
> algorithms are reimplemented on top of the library API.
>
> If the s390 folks could re-test the s390 optimized SHA-3 code (by
> enabling CRYPTO_LIB_SHA3_KUNIT_TEST and CRYPTO_LIB_BENCHMARK), that
> would be helpful. QEMU doesn't support the instructions it uses.
> Also,
> it would be helpful to provide the benchmark output from just before
> "lib/crypto: s390/sha3: Add optimized Keccak function", just after it,
> and after "lib/crypto: s390/sha3: Add optimized one-shot SHA-3 digest
> functions". Then we can verify that each change is useful.
>
> Changed in v2:
> - Added missing selection of CRYPTO_LIB_SHA3 from CRYPTO_SHA3.
> - Fixed a bug where incorrect SHAKE output was produced if a
> zero-length squeeze was followed by a nonzero-length squeeze.
> - Improved the SHAKE tests.
> - Utilized the one-shot SHA-3 digest instructions on s390.
> - Split the s390 changes into several patches.
> - Folded some of my patches into David's.
> - Dropped some unnecessary changes from the first 2 patches.
> - Lots more cleanups, mainly to "lib/crypto: sha3: Add SHA-3
> support".
>
> Changed in v1 (vs. first 5 patches of David's v6 patchset):
> - Migrated the arm64 and s390 code into lib/crypto/
> - Simplified the library API
> - Added FIPS test
> - Many other fixes and improvements
>
> The first 5 patches are derived from David's v6 patchset
> (https://lore.kernel.org/linux-crypto/20251017144311.817771-1-dhowells@redhat.com/).
> Earlier changelogs can be found there.
>
> David Howells (5):
> crypto: s390/sha3 - Rename conflicting functions
> crypto: arm64/sha3 - Rename conflicting function
> lib/crypto: sha3: Add SHA-3 support
> lib/crypto: sha3: Move SHA3 Iota step mapping into round function
> lib/crypto: tests: Add SHA3 kunit tests
>
> Eric Biggers (10):
> lib/crypto: tests: Add additional SHAKE tests
> lib/crypto: sha3: Add FIPS cryptographic algorithm self-test
> crypto: arm64/sha3 - Update sha3_ce_transform() to prepare for
> library
> lib/crypto: arm64/sha3: Migrate optimized code into library
> lib/crypto: s390/sha3: Add optimized Keccak functions
> lib/crypto: sha3: Support arch overrides of one-shot digest functions
> lib/crypto: s390/sha3: Add optimized one-shot SHA-3 digest functions
> crypto: jitterentropy - Use default sha3 implementation
> crypto: sha3 - Reimplement using library API
> crypto: s390/sha3 - Remove superseded SHA-3 code
>
> Documentation/crypto/index.rst | 1 +
> Documentation/crypto/sha3.rst | 130 ++++++
> arch/arm64/configs/defconfig | 2 +-
> arch/arm64/crypto/Kconfig | 11 -
> arch/arm64/crypto/Makefile | 3 -
> arch/arm64/crypto/sha3-ce-glue.c | 151 -------
> arch/s390/configs/debug_defconfig | 3 +-
> arch/s390/configs/defconfig | 3 +-
> arch/s390/crypto/Kconfig | 20 -
> arch/s390/crypto/Makefile | 2 -
> arch/s390/crypto/sha.h | 51 ---
> arch/s390/crypto/sha3_256_s390.c | 157 -------
> arch/s390/crypto/sha3_512_s390.c | 157 -------
> arch/s390/crypto/sha_common.c | 117 -----
> crypto/Kconfig | 1 +
> crypto/Makefile | 2 +-
> crypto/jitterentropy-kcapi.c | 12 +-
> crypto/sha3.c | 166 +++++++
> crypto/sha3_generic.c | 290 ------------
> crypto/testmgr.c | 8 +
> include/crypto/sha3.h | 306 ++++++++++++-
> lib/crypto/Kconfig | 13 +
> lib/crypto/Makefile | 10 +
> .../crypto/arm64}/sha3-ce-core.S | 67 +--
> lib/crypto/arm64/sha3.h | 62 +++
> lib/crypto/fips.h | 7 +
> lib/crypto/s390/sha3.h | 151 +++++++
> lib/crypto/sha3.c | 411 +++++++++++++++++
> lib/crypto/tests/Kconfig | 11 +
> lib/crypto/tests/Makefile | 1 +
> lib/crypto/tests/sha3-testvecs.h | 249 +++++++++++
> lib/crypto/tests/sha3_kunit.c | 422 ++++++++++++++++++
> scripts/crypto/gen-fips-testvecs.py | 4 +
> scripts/crypto/gen-hash-testvecs.py | 27 +-
> 34 files changed, 2012 insertions(+), 1016 deletions(-)
> create mode 100644 Documentation/crypto/sha3.rst
> delete mode 100644 arch/arm64/crypto/sha3-ce-glue.c
> delete mode 100644 arch/s390/crypto/sha.h
> delete mode 100644 arch/s390/crypto/sha3_256_s390.c
> delete mode 100644 arch/s390/crypto/sha3_512_s390.c
> delete mode 100644 arch/s390/crypto/sha_common.c
> create mode 100644 crypto/sha3.c
> delete mode 100644 crypto/sha3_generic.c
> rename {arch/arm64/crypto => lib/crypto/arm64}/sha3-ce-core.S (84%)
> create mode 100644 lib/crypto/arm64/sha3.h
> create mode 100644 lib/crypto/s390/sha3.h
> create mode 100644 lib/crypto/sha3.c
> create mode 100644 lib/crypto/tests/sha3-testvecs.h
> create mode 100644 lib/crypto/tests/sha3_kunit.c
>
> base-commit: e3068492d0016d0ea9a1ff07dbfa624d2ec773ca
Picked this series from your ebiggers repo branch sha3-lib-v2.
Build on s390 runs without any complains, no warnings.
As recommended I enabled the KUNIT option and also
CRYPTO_SELFTESTS_FULL.
With an "modprobe tcrypt" I enforced to run the selftests
and in parallel I checked that the s390 specific CPACF instructions
are really used (can be done with the pai command and check for
the KIMD_SHA3_* counters). Also ran some AF-alg tests to verify
all the the sha3 hashes and check for thread safety.
All this ran without any findings. However there are NO performance
related tests involved.
What's a little bit tricky here is that the sha3 lib is statically
build into the kernel. So no chance to unload/load this as a module.
For sha1 and the sha2 stuff I can understand the need to have this
statically enabled in the kernel. Sha3 is only supposed to be available
as backup in case of sha2 deficiencies. So I can't see why this is
really statically needed.
Tested-by: Harald Freudenberger <freude@...ux.ibm.com>
Powered by blists - more mailing lists