Re: [PATCH 0/7] arm: crypto: sha256: fix generation of thumb2 assembly

mail archive of the barebox mailing list
 help / color / mirror / Atom feed

From: Ahmad Fatoum <a.fatoum@pengutronix.de>
To: Stefan Kerkmann <s.kerkmann@pengutronix.de>,
	Sascha Hauer <s.hauer@pengutronix.de>,
	BAREBOX <barebox@lists.infradead.org>
Subject: Re: [PATCH 0/7] arm: crypto: sha256: fix generation of thumb2 assembly
Date: Thu, 7 Nov 2024 10:19:32 +0100	[thread overview]
Message-ID: <ed49b6bd-d44c-4727-b403-35e902ac5ca7@pengutronix.de> (raw)
In-Reply-To: <86a81980-3811-4c2e-b85b-12cff2370634@pengutronix.de>

Hello Stefan,

On 07.11.24 10:12, Stefan Kerkmann wrote:
> Hi Sascha,
> 
> On 06.11.24 17:34, Stefan Kerkmann wrote:
>> The checked in `sha256-core.S_shipped` assembly file has a thumb2
>> specific workaround applied[1]. This fix wasn't backported to the perl
>> script `sha256-armv4.pl` used to generate the assembly, thus when the
>> script is run it would regenerate the buggy code.
>>
>> In-tree builds were not affected as the assembly file already exists in
>> the source tree. However in the context of an out-of-tree build (make
>> O=xyz) the file isn't present from the pov of make - triggering a
>> regeneration. This happens by default during Yocto builds - leading to a
>> broken sha256 sum function on ARMv7 compiled with Thumb2 support. The
>> bug expresses itself not in crashes but wrong sha256 sums.
> 
> I just (re-)tested this part without the patch applied, and I'm unable to
> reproduce it in a cleanly checked out state of my BSP. The full chain of events
> and conditions that lead to the regeneration of the file is thus not fully
> understood (yet) — but it clearly happened for me.

Try manually touching arch/arch/crypto/sha256-armv4.pl, so it's more
recent than sha256-core.S_shipped. The modification timestamps after a
git checkout order are non-deterministic and that's probably what bites you.

The kernel used to consult an environment variable to determine whether
to rebuild the shipped files exactly to avoid this.

In recent kernel versions, this has been replaced by unconditionally
running the Perl script. I don't know what's the reason behind that.

Cheers,
Ahmad

> 
> Here is the output of a CI[1] run with the assembly file (forcefully) generated
> from the script, that shoes the errors I ran into:
> 
>   test_digests_sha12:153: mismatch calculating sha224-asm(zeroes7):
>   	got: c56f57826fa8cc1cae10a3450b90162677ba55cdbaa3d2a72810853e
>   	but: fbf6df85218ac5632461a8a17c6f294e6f35264cbfc0a9774a4f665b expected
>   test_digests_sha12:153: mismatch calculating sha224-asm(one32):
>   	got: 3a81d42a638cf434f5b002ead1252be963880bd3eec627a8b3278bb4
>   	but: 343cb3950305e6e6331e294b0a4925739d09ecbd2b43a2fc87c09941 expected
>   test_digests_sha12:153: mismatch calculating sha224-asm(inc4097):
>   	got: 2e6565a91ff0e4f0d316067ad66eaa3b76d71317171adfd0ec6bbcd4
>   	but: 6596b5dcfbd857f4246d6b94508b8a1a5b715a4f644a0c1e7d54c4f7 expected
>   test_digests_sha12:164: mismatch calculating sha256-asm(zeroes7):
>   	got: 71ab8ff93158c3b8863460dac03e9049bd5d3ec1a2ec4a1ba6e434d0fd33eb5f
>   	but: 837885c8f8091aeaeb9ec3c3f85a6ff470a415e610b8ba3e49f9b33c9cf9d619 expected
>   test_digests_sha12:164: mismatch calculating sha256-asm(one32):
>   	got: bcbd77ba0128aed7df96f75788fefa5e8da2501bfd3e0fe14753d4b5c27b1564
>   	but: 01d0fabd251fcbbe2b93b4b927b26ad2a1a99077152e45ded1e678afa45dbec5 expected
>   test_digests_sha12:164: mismatch calculating sha256-asm(inc4097):
>   	got: 4dd697b3bf8f7f0630b583356d48dcc7a1c345e62fe189c1d4843a38cd7d59a9
>   	but: 1e973d029df2b2c66cb42a942c5edb45966f02abaff29fe99410e44d271d0efc expected
>   test_digests_sha12:153: mismatch calculating sha224(zeroes7):
>   	got: c56f57826fa8cc1cae10a3450b90162677ba55cdbaa3d2a72810853e
>   	but: fbf6df85218ac5632461a8a17c6f294e6f35264cbfc0a9774a4f665b expected
>   test_digests_sha12:153: mismatch calculating sha224(one32):
>   	got: 3a81d42a638cf434f5b002ead1252be963880bd3eec627a8b3278bb4
>   	but: 343cb3950305e6e6331e294b0a4925739d09ecbd2b43a2fc87c09941 expected
>   test_digests_sha12:153: mismatch calculating sha224(inc4097):
>   	got: 2e6565a91ff0e4f0d316067ad66eaa3b76d71317171adfd0ec6bbcd4
>   	but: 6596b5dcfbd857f4246d6b94508b8a1a5b715a4f644a0c1e7d54c4f7 expected
>   test_digests_sha12:164: mismatch calculating sha256(zeroes7):
>   	got: 71ab8ff93158c3b8863460dac03e9049bd5d3ec1a2ec4a1ba6e434d0fd33eb5f
>   	but: 837885c8f8091aeaeb9ec3c3f85a6ff470a415e610b8ba3e49f9b33c9cf9d619 expected
>   test_digests_sha12:164: mismatch calculating sha256(one32):
>   	got: bcbd77ba0128aed7df96f75788fefa5e8da2501bfd3e0fe14753d4b5c27b1564
>   	but: 01d0fabd251fcbbe2b93b4b927b26ad2a1a99077152e45ded1e678afa45dbec5 expected
>   test_digests_sha12:164: mismatch calculating sha256(inc4097):
>   	got: 4dd697b3bf8f7f0630b583356d48dcc7a1c345e62fe189c1d4843a38cd7d59a9
>   	but: 1e973d029df2b2c66cb42a942c5edb45966f02abaff29fe99410e44d271d0efc expected
>   ERROR: digest: failed 12 out of 45 tests
> 
> [1]: https://github.com/KarlK90/barebox/actions/runs/11704376345/job/32596699159
> 
> 
> So the patch is still valid, but this paragraph should be replaced with:
> 
> Under rare circumstances, in my case it was a Yocto build of barebox from an
> external source tree, the assembly file was regenerated. Leading to a broken
> sha256 sum function on ARMv7 compiled with Thumb2 support. The bug expressed
> itself not in crashes but wrong sha256 sums.
> 
> Should I send a v2 for the updated message?
> 
>> The mentioned problem in[1] was fixed and explained further in upstream
>> commit[2]. Thus this series updates the script and generated assembly to
>> the most recent Kernel commit[3].
>>
>> To better catch regressions in the future the existing digest tests now
>> exercise the optimized implementations for ARMv5/v6/v7/v8 and the ARMv7
>> test binaries are compiled in thumb2 mode.
>>
>> [1]: b73bc6e303 (arm: crypto: fix SHA256 shipped assembler code, 2018-10-05)
>> [2]: 69216a545cf8 (crypto: sha256/arm - fix crash bug in Thumb2 build, 2019-02-16)
>> [3]: 54781938ec34 (crypto: arm/sha256-neon - avoid ADRL pseudo instruction, 2020-09-16)
>>
>> Signed-off-by: Stefan Kerkmann <s.kerkmann@pengutronix.de>
>> ---
>> Stefan Kerkmann (7):
>>       arm: crypto: sha256: fix generation of thumb2 assembly
>>       arm: configs: multi_v5_v6_defconfig: move rpi1 armv6 targets
>>       arm: configs: multi_v5_v6_defconfig: enable arm optimized sha1/sha256 digest
>>       arm: configs: multi_v7_defconfig: compile for thumb2
>>       arm: configs: multi_v7_defconfig: enable arm optimized sha256 digest
>>       arm: configs: multi_v8_defconfig: enable arm optimized sha1/sha256 digest
>>       test: arm: rpi: run tests against multi_v5_v6_defconfig
>>
>>  .github/workflows/test-labgrid-pytest.yml          |  4 ++
>>  arch/arm/configs/multi_v5_v6_defconfig             |  6 ++-
>>  arch/arm/configs/multi_v7_defconfig                |  7 +--
>>  arch/arm/configs/multi_v8_defconfig                |  5 +-
>>  arch/arm/crypto/sha256-armv4.pl                    | 25 ++++++----
>>  arch/arm/crypto/sha256-core.S_shipped              | 55 ++++++++++++++++++----
>>  ...yaml => qemu-raspi0@multi_v5_v6_defconfig.yaml} |  0
>>  ...ml => qemu-raspi1ap@multi_v5_v6_defconfig.yaml} |  0
>>  8 files changed, 74 insertions(+), 28 deletions(-)
>> ---
>> base-commit: d9f7f6d930069df35e28fedb35719bfd12fbd6e4
>> change-id: 20241106-fix-sha256-assembly-ad3d25bf5a9f
>>
>> Best regards,
> 
> Cheers,
> Stefan
> 


-- 
Pengutronix e.K.                           |                             |
Steuerwalder Str. 21                       | http://www.pengutronix.de/  |
31137 Hildesheim, Germany                  | Phone: +49-5121-206917-0    |
Amtsgericht Hildesheim, HRA 2686           | Fax:   +49-5121-206917-5555 |

next prev parent reply	other threads:[~2024-11-07  9:20 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-11-06 16:34 Stefan Kerkmann
2024-11-06 16:34 ` [PATCH 1/7] " Stefan Kerkmann
2024-11-06 16:34 ` [PATCH 2/7] arm: configs: multi_v5_v6_defconfig: move rpi1 armv6 targets Stefan Kerkmann
2024-11-06 16:35 ` [PATCH 3/7] arm: configs: multi_v5_v6_defconfig: enable arm optimized sha1/sha256 digest Stefan Kerkmann
2024-11-06 16:35 ` [PATCH 4/7] arm: configs: multi_v7_defconfig: compile for thumb2 Stefan Kerkmann
2024-11-06 16:35 ` [PATCH 5/7] arm: configs: multi_v7_defconfig: enable arm optimized sha256 digest Stefan Kerkmann
2024-11-06 16:35 ` [PATCH 6/7] arm: configs: multi_v8_defconfig: enable arm optimized sha1/sha256 digest Stefan Kerkmann
2024-11-06 16:35 ` [PATCH 7/7] test: arm: rpi: run tests against multi_v5_v6_defconfig Stefan Kerkmann
2024-11-07  9:12 ` [PATCH 0/7] arm: crypto: sha256: fix generation of thumb2 assembly Stefan Kerkmann
2024-11-07  9:19   ` Ahmad Fatoum [this message]
2024-11-07 14:03     ` Stefan Kerkmann

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=ed49b6bd-d44c-4727-b403-35e902ac5ca7@pengutronix.de \
    --to=a.fatoum@pengutronix.de \
    --cc=barebox@lists.infradead.org \
    --cc=s.hauer@pengutronix.de \
    --cc=s.kerkmann@pengutronix.de \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox