crypto, internal/cpu: fix s390x AES feature detection and update SHA implementations

Hardware AES support in Go on s390x currently requires ECB, CBC
and CTR modes be available. It also requires that either the
GHASH or GCM facilities are available. The existing checks missed
some of these constraints.

While we're here simplify the cpu package on s390x, moving masking
code out of assembly and into Go code. Also, update SHA-{1,256,512}
implementations to use the cpu package since that is now trivial.

Finally I also added a test for internal/cpu on s390x which loads
/proc/cpuinfo and checks it against the flags set by internal/cpu.

Updates #25822 for changes to vet whitelist.

Change-Id: Iac4183f571643209e027f730989c60a811c928eb
Reviewed-on: https://go-review.googlesource.com/114397
Run-TryBot: Michael Munday <[email protected]>
TryBot-Result: Gobot Gobot <[email protected]>
Reviewed-by: Brad Fitzpatrick <[email protected]>

Author: mundaym

src/cmd/vet/all/whitelist/s390x.txt

@@ -5,3 +5,10 @@ runtime/memclr_s390x.s: [s390x] memclr_s390x_exrl_xc: function memclr_s390x_exrl
 runtime/memmove_s390x.s: [s390x] memmove_s390x_exrl_mvc: function memmove_s390x_exrl_mvc missing Go declaration
 runtime/tls_s390x.s: [s390x] save_g: function save_g missing Go declaration
 runtime/tls_s390x.s: [s390x] load_g: function load_g missing Go declaration
+internal/cpu/cpu_s390x.s: [s390x] stfle: invalid MOVD of ret+0(FP); cpu.facilityList is 32-byte value
+internal/cpu/cpu_s390x.s: [s390x] kmQuery: invalid MOVD of ret+0(FP); cpu.queryResult is 16-byte value
+internal/cpu/cpu_s390x.s: [s390x] kmcQuery: invalid MOVD of ret+0(FP); cpu.queryResult is 16-byte value
+internal/cpu/cpu_s390x.s: [s390x] kmctrQuery: invalid MOVD of ret+0(FP); cpu.queryResult is 16-byte value
+internal/cpu/cpu_s390x.s: [s390x] kmaQuery: invalid MOVD of ret+0(FP); cpu.queryResult is 16-byte value
+internal/cpu/cpu_s390x.s: [s390x] kimdQuery: invalid MOVD of ret+0(FP); cpu.queryResult is 16-byte value
+internal/cpu/cpu_s390x.s: [s390x] klmdQuery: invalid MOVD of ret+0(FP); cpu.queryResult is 16-byte value

src/crypto/aes/cipher_s390x.go

@@ -31,12 +31,11 @@ type aesCipherAsm struct {
 func cryptBlocks(c code, key, dst, src *byte, length int)
 
 func newCipher(key []byte) (cipher.Block, error) {
-	// Strictly speaking, this check should be for HasKM.
-	// The check for HasKMC and HasKMCTR provides compatibility
-	// with the existing optimized s390x CBC and CTR implementations
-	// in this package, which already assert that they meet the
-	// cbcEncAble, cbcDecAble, and ctrAble interfaces
-	if !(cpu.S390X.HasKM && cpu.S390X.HasKMC && cpu.S390X.HasKMCTR) {
+	// The aesCipherAsm type implements the cbcEncAble, cbcDecAble,
+	// ctrAble and gcmAble interfaces. We therefore need to check
+	// for all the features required to implement these modes.
+	// Keep in sync with crypto/tls/common.go.
+	if !(cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)) {
 		return newCipherGeneric(key)
 	}
 

src/crypto/aes/gcm_s390x.go

@@ -85,7 +85,7 @@ func (c *aesCipherAsm) NewGCM(nonceSize, tagSize int) (cipher.AEAD, error) {
 		nonceSize: nonceSize,
 		tagSize:   tagSize,
 	}
-	if cpu.S390X.HasKMA {
+	if cpu.S390X.HasAESGCM {
 		g := gcmKMA{g}
 		return &g, nil
 	}

src/crypto/sha1/sha1block_s390x.go

@@ -4,9 +4,6 @@
 
 package sha1
 
-// featureCheck reports whether the CPU supports the
-// SHA-1 compute intermediate message digest (KIMD)
-// function code.
-func featureCheck() bool
+import "internal/cpu"
 
-var useAsm = featureCheck()
+var useAsm = cpu.S390X.HasSHA1

src/crypto/sha1/sha1block_s390x.s

@@ -4,31 +4,17 @@
 
 #include "textflag.h"
 
-// func featureCheck() bool
-TEXT ·featureCheck(SB),NOSPLIT,$16-1
-	LA	tmp-16(SP), R1
-	XOR	R0, R0         // query function code is 0
-	WORD    $0xB93E0006    // KIMD (R6 is ignored)
-	MOVBZ	tmp-16(SP), R4 // get the first byte
-	AND	$0x40, R4      // bit 1 (big endian) for SHA-1
-	CMPBEQ	R4, $0, nosha1
-	MOVB	$1, ret+0(FP)
-	RET
-nosha1:
-	MOVB	$0, ret+0(FP)
-	RET
-
 // func block(dig *digest, p []byte)
-TEXT ·block(SB),NOSPLIT,$0-32
-	MOVBZ	·useAsm(SB), R4
-	LMG	dig+0(FP), R1, R3 // R2 = &p[0], R3 = len(p)
-	CMPBNE	R4, $1, generic
-	MOVBZ	$1, R0        // SHA-1 function code
+TEXT ·block(SB), NOSPLIT|NOFRAME, $0-32
+	MOVBZ  ·useAsm(SB), R4
+	LMG    dig+0(FP), R1, R3            // R2 = &p[0], R3 = len(p)
+	MOVBZ  $1, R0                       // SHA-1 function code
+	CMPBEQ R4, $0, generic
+
 loop:
-	WORD	$0xB93E0002   // KIMD R2
-	BVS	loop          // continue if interrupted
-done:
-	XOR	R0, R0        // restore R0
+	WORD $0xB93E0002 // KIMD R2
+	BVS  loop        // continue if interrupted
 	RET
+
 generic:
-	BR	·blockGeneric(SB)
+	BR ·blockGeneric(SB)

src/crypto/sha256/sha256block_s390x.go

@@ -4,9 +4,6 @@
 
 package sha256
 
-// featureCheck reports whether the CPU supports the
-// SHA256 compute intermediate message digest (KIMD)
-// function code.
-func featureCheck() bool
+import "internal/cpu"
 
-var useAsm = featureCheck()
+var useAsm = cpu.S390X.HasSHA256

src/crypto/sha256/sha256block_s390x.s

@@ -4,31 +4,17 @@
 
 #include "textflag.h"
 
-// func featureCheck() bool
-TEXT ·featureCheck(SB),NOSPLIT,$16-1
-	LA	tmp-16(SP), R1
-	XOR	R0, R0         // query function code is 0
-	WORD    $0xB93E0006    // KIMD (R6 is ignored)
-	MOVBZ	tmp-16(SP), R4 // get the first byte
-	AND	$0x20, R4      // bit 2 (big endian) for SHA256
-	CMPBEQ	R4, $0, nosha256
-	MOVB	$1, ret+0(FP)
-	RET
-nosha256:
-	MOVB	$0, ret+0(FP)
-	RET
-
 // func block(dig *digest, p []byte)
-TEXT ·block(SB),NOSPLIT,$0-32
-	MOVBZ	·useAsm(SB), R4
-	LMG	dig+0(FP), R1, R3 // R2 = &p[0], R3 = len(p)
-	CMPBNE	R4, $1, generic
-	MOVBZ	$2, R0        // SHA256 function code
+TEXT ·block(SB), NOSPLIT|NOFRAME, $0-32
+	MOVBZ  ·useAsm(SB), R4
+	LMG    dig+0(FP), R1, R3            // R2 = &p[0], R3 = len(p)
+	MOVBZ  $2, R0                       // SHA-256 function code
+	CMPBEQ R4, $0, generic
+
 loop:
-	WORD	$0xB93E0002   // KIMD R2
-	BVS	loop          // continue if interrupted
-done:
-	XOR	R0, R0        // restore R0
+	WORD $0xB93E0002 // KIMD R2
+	BVS  loop        // continue if interrupted
 	RET
+
 generic:
-	BR	·blockGeneric(SB)
+	BR ·blockGeneric(SB)

src/crypto/sha512/sha512block_s390x.go

@@ -4,9 +4,6 @@
 
 package sha512
 
-// featureCheck reports whether the CPU supports the
-// SHA512 compute intermediate message digest (KIMD)
-// function code.
-func featureCheck() bool
+import "internal/cpu"
 
-var useAsm = featureCheck()
+var useAsm = cpu.S390X.HasSHA512

src/crypto/sha512/sha512block_s390x.s

@@ -4,31 +4,17 @@
 
 #include "textflag.h"
 
-// func featureCheck() bool
-TEXT ·featureCheck(SB),NOSPLIT,$16-1
-	LA	tmp-16(SP), R1
-	XOR	R0, R0         // query function code is 0
-	WORD    $0xB93E0006    // KIMD (R6 is ignored)
-	MOVBZ	tmp-16(SP), R4 // get the first byte
-	AND	$0x10, R4      // bit 3 (big endian) for SHA512
-	CMPBEQ	R4, $0, nosha512
-	MOVB	$1, ret+0(FP)
-	RET
-nosha512:
-	MOVB	$0, ret+0(FP)
-	RET
-
 // func block(dig *digest, p []byte)
-TEXT ·block(SB),NOSPLIT,$0-32
-	MOVBZ	·useAsm(SB), R4
-	LMG	dig+0(FP), R1, R3 // R2 = &p[0], R3 = len(p)
-	CMPBNE	R4, $1, generic
-	MOVBZ	$3, R0        // SHA512 function code
+TEXT ·block(SB), NOSPLIT|NOFRAME, $0-32
+	MOVBZ  ·useAsm(SB), R4
+	LMG    dig+0(FP), R1, R3            // R2 = &p[0], R3 = len(p)
+	MOVBZ  $3, R0                       // SHA-512 function code
+	CMPBEQ R4, $0, generic
+
 loop:
-	WORD	$0xB93E0002   // KIMD R2
-	BVS	loop          // continue if interrupted
-done:
-	XOR	R0, R0        // restore R0
+	WORD $0xB93E0002 // KIMD R2
+	BVS  loop        // continue if interrupted
 	RET
+
 generic:
-	BR	·blockGeneric(SB)
+	BR ·blockGeneric(SB)

src/crypto/tls/common.go

@@ -930,7 +930,8 @@ func initDefaultCipherSuites() {
 	hasGCMAsmARM64 := false
 	// hasGCMAsmARM64 := cpu.ARM64.HasAES && cpu.ARM64.HasPMULL
 
-	hasGCMAsmS390X := cpu.S390X.HasKM && (cpu.S390X.HasKMA || (cpu.S390X.HasKMCTR && cpu.S390X.HasKIMD))
+	// Keep in sync with crypto/aes/cipher_s390x.go.
+	hasGCMAsmS390X := cpu.S390X.HasAES && cpu.S390X.HasAESCBC && cpu.S390X.HasAESCTR && (cpu.S390X.HasGHASH || cpu.S390X.HasAESGCM)
 
 	hasGCMAsm := hasGCMAsmAMD64 || hasGCMAsmARM64 || hasGCMAsmS390X
 

src/internal/cpu/cpu.go

@@ -98,14 +98,24 @@ type arm64 struct {
 var S390X s390x
 
 type s390x struct {
-	_        [CacheLineSize]byte
-	HasVX    bool // vector facility. Note: the runtime sets this when it processes auxv records.
-	HasKM    bool // cipher message (KM)
-	HasKMA   bool // cipher message assist (KMA)
-	HasKMC   bool // cipher message with chaining (KMC)
-	HasKMCTR bool // cipher message with counter (KMCTR)
-	HasKIMD  bool // compute intermediate message digest (KIMD)
-	_        [CacheLineSize]byte
+	_               [CacheLineSize]byte
+	HasZArch        bool // z architecture mode is active [mandatory]
+	HasSTFLE        bool // store facility list extended [mandatory]
+	HasLDisp        bool // long (20-bit) displacements [mandatory]
+	HasEImm         bool // 32-bit immediates [mandatory]
+	HasDFP          bool // decimal floating point
+	HasETF3Enhanced bool // ETF-3 enhanced
+	HasMSA          bool // message security assist (CPACF)
+	HasAES          bool // KM-AES{128,192,256} functions
+	HasAESCBC       bool // KMC-AES{128,192,256} functions
+	HasAESCTR       bool // KMCTR-AES{128,192,256} functions
+	HasAESGCM       bool // KMA-GCM-AES{128,192,256} functions
+	HasGHASH        bool // KIMD-GHASH function
+	HasSHA1         bool // K{I,L}MD-SHA-1 functions
+	HasSHA256       bool // K{I,L}MD-SHA-256 functions
+	HasSHA512       bool // K{I,L}MD-SHA-512 functions
+	HasVX           bool // vector facility. Note: the runtime sets this when it processes auxv records.
+	_               [CacheLineSize]byte
 }
 
 // initialize examines the processor and sets the relevant variables above.

src/internal/cpu/cpu_no_init.go

@@ -8,6 +8,7 @@
 // +build !arm64
 // +build !ppc64
 // +build !ppc64le
+// +build !s390x
 
 package cpu