wip: ppc64/ppc support #819
Conversation
q66
force-pushed
the
ppc64
branch
3 times, most recently
from
689e362
to
0720c76
Compare
|
Build now supports all perlasm formats for ppc64 correctly. Still need to test though (and maybe fill in missing code). I think this may also work on FreeBSD ppc64 (assuming linux 64-bit big endian does), by the way (the assembly code should not differ, the ELF ABIs are the same). Someone would have to test it, though. |
|
The |
|
See the previous issue I opened about PPC32 support: #532 Most PPC32s cannot do constant time multiplication, and provide a "fast" multiply by 0 and 1. Together with their generally low clock speed, this can be leveraged as an exploitable timing sidechannel. |
|
I guess the options are either to leave the 32-bit support out, or conditionally leave out the specific parts for ppc32 then. The latter seemed like it would take a fair amount of changes. |
q66
force-pushed
the
ppc64
branch
3 times, most recently
from
d7b11fc
to
c694afa
Compare
|
The newly added commit "fixes" testsuite on ppc64be. I kinda doubt that this solution is correct or anything, but it's where it fails. A better (or well, actual) solution would be much appreciated. |
q66
force-pushed
the
ppc64
branch
3 times, most recently
from
9d0a3c4
to
7a09426
Compare
q66
force-pushed
the
ppc64
branch
2 times, most recently
from
0a51d26
to
0d03c03
Compare
This imports the necessary assembly code as well as modifies the ring code to match and does the necessary build system integration and CI bits addition. I agree to license my contributions to each file under the terms given at the top of each file I changed.
There was a problem hiding this comment.
Thanks. This is impressive work.
I see three main phases of this:
- Add big-endian support to ring.
- Support some PowerPC targets in CI.
- Provide optimized implementations of some algorithms for which there is a non-assembly fallback (e.g. AES).
- Provide an implementation of the algorithms that are normally only available in assembly language in ring.
#4 is the one I have the most concern about because people are just now finding and fixing bugs in the PPC assembly code in OpenSSL, and BoringSSL is not even trying to use that assembly code, even though they do try to support PPC.
I suggest we break this up into four pieces:
-
One PR that changes
base.hand adds the CI changes. For now the CI should be marked "failures allowed". -
Another PR that implements all the changes to get big-endian mode to work. I am hoping the PowerPC and MIPS people can work together on this. I was surprised how little needed to be changed to do this.
-
Another PR that adds just the VPAES encryption, comprised of two commits: 1. The original OpenSSL code and then the diff that removes everything not needed by VPAES encrypt.
-
We'll need to investigate more regarding who is using the rest of the assembly code and how confident they are that it works. We may want to explore some alternatives to using the assembly code.
I propose we do #1, #2, and #3 while we figure out #4.
WDYT?
| @@ -0,0 +1,9542 @@ | |||
| /* | |||
There was a problem hiding this comment.
This table is already in ring and we won't need this file.
The PPC select functions are using the scatter/gather technique, which we don't need in ring. It will be better to just remove the "scatter-gather subroutines" section of the ecp_nistz256-ppc64.pl file and then remove ecp_nistz256_table.c too.
| @@ -85,11 +85,17 @@ | |||
| #elif defined(__mips__) && defined(__LP64__) | |||
| #define OPENSSL_64_BIT | |||
| #define OPENSSL_MIPS64 | |||
| #elif defined(__powerpc64__) | |||
There was a problem hiding this comment.
Please split the changes to this file out into the "base PR."
| @@ -10,3 +10,4 @@ path = "../build.rs" | |||
| # Keep this in sync with `[build-dependencies]` in ../Cargo.toml. | |||
| [dependencies] | |||
| cc = "1.0.26" | |||
| tempfile = "3.0" | |||
There was a problem hiding this comment.
Please add a comment explaining why this dependency was added. If it is only needed for PPC then the dependency should be limited to PPC.
| GFp_ChaCha20_ctr32(output, input, in_out_len, &key, &ctr); | ||
| } else { | ||
| GFp_ChaCha20_ctr32(output, input, in_out_len, key, ctr); | ||
| } |
There was a problem hiding this comment.
Please split all changes to Rust code needed to support big-endian to a separate "big endian" PR. I expect this will be used by MIPS big endian too.
| Nonce(Block::from(nonce)) | ||
| } else { | ||
| Nonce(key_and_nonce[1].clone()) | ||
| }; |
There was a problem hiding this comment.
This should go in the "big endian" PR too.
| ] | ||
| }; | ||
| } | ||
|
|
There was a problem hiding this comment.
Please move this to the "big endian" PR.
| ] | ||
| }; | ||
| } | ||
|
|
|
Hmm, as far as I can see, the only thing that does have a portable fallback in the tree is AES encryption. As for the assembly code, I think it should be safe to use, it passes OpenSSL's testsuite, What about splitting it into three, like this:
Still not sure about 32-bit ppc, I have no way to test that (only modern POWER hardware here) and AFAIK it's a pain to get a ppc32 rust toolchain running in the first place... |
|
I got a 32-bit ppc environment available now (I compiled my distribution for ppc32, then made up a chroot of that in a 64-bit big endian environment, it works fine, including Rust) so I can try handling that as well. Looks like BoringSSL has some code that will possibly enable ppc32 to work. |
|
You can request a VM or direct Jenkins CI account at OSUOSL for CI access. |
|
Building using ring v0.14.6 (/home/ubuntu/ring_q66) in a Power 9 (ppc64le) system is yielding several |
|
i don't really care for working on this anymore, sorry anyone who feels like picking up on it themselves can take my changes, but i won't be putting in any more active effort |
The powerpc64le assembly implementations for certain algorithms are not directly callable, unlike on other architectures. Therefore, they require a small amount of preprocessing handled by some C code. This commit adds a new file derived from OpenSSL's 'ppccap.c', which provides the expected entry point functions. This commit is also derived from the original ppc64 support pull request by q66: briansmith#819 I agree to license my contributions to each file under the terms given at the top of each file I changed.
The powerpc64le assembly implementations for certain algorithms are not directly callable, unlike on other architectures. Therefore, they require a small amount of preprocessing handled by some C code. This commit adds a new file derived from OpenSSL's 'ppccap.c', which provides the expected entry point functions. This commit is also derived from the original ppc64 support pull request by q66: briansmith#819 I agree to license my contributions to each file under the terms given at the top of each file I changed.
The powerpc64le assembly implementations for certain algorithms are not directly callable, unlike on other architectures. Therefore, they require a small amount of preprocessing handled by some C code. This commit adds a new file derived from OpenSSL's 'ppccap.c', which provides the expected entry point functions. This commit is also derived from the original ppc64 support pull request by q66: briansmith#819 I agree to license my contributions to each file under the terms given at the top of each file I changed.
The powerpc64le assembly implementations for certain algorithms are not directly callable, unlike on other architectures. Therefore, they require a small amount of preprocessing handled by some C code. This commit adds a new file derived from OpenSSL's 'ppccap.c', which provides the expected entry point functions. This commit is also derived from the original ppc64 support pull request by q66: briansmith#819 I agree to license my contributions to each file under the terms given at the top of each file I changed.
The powerpc64le assembly implementations for certain algorithms are not directly callable, unlike on other architectures. Therefore, they require a small amount of preprocessing handled by some C code. This commit adds a new file derived from OpenSSL's 'ppccap.c', which provides the expected entry point functions. This commit is also derived from the original ppc64 support pull request by q66: briansmith#819 I agree to license my contributions to each file under the terms given at the top of each file I changed.
The powerpc64le assembly implementations for certain algorithms are not directly callable, unlike on other architectures. Therefore, they require a small amount of preprocessing handled by some C code. This commit adds a new file derived from OpenSSL's 'ppccap.c', which provides the expected entry point functions. This commit is also derived from the original ppc64 support pull request by q66: briansmith#819 I agree to license my contributions to each file under the terms given at the top of each file I changed.
The powerpc64le assembly implementations for certain algorithms are not directly callable, unlike on other architectures. Therefore, they require a small amount of preprocessing handled by some C code. This commit adds a new file derived from OpenSSL's 'ppccap.c', which provides the expected entry point functions. This commit is also derived from the original ppc64 support pull request by q66: briansmith#819 I agree to license my contributions to each file under the terms given at the top of each file I changed.
The powerpc64le assembly implementations for certain algorithms are not directly callable, unlike on other architectures. Therefore, they require a small amount of preprocessing handled by some C code. This commit adds a new file derived from OpenSSL's 'ppccap.c', which provides the expected entry point functions. This commit is also derived from the original ppc64 support pull request by q66: briansmith#819 I agree to license my contributions to each file under the terms given at the top of each file I changed.
The powerpc64le assembly implementations for certain algorithms are not directly callable, unlike on other architectures. Therefore, they require a small amount of preprocessing handled by some C code. This commit adds a new file derived from OpenSSL's 'ppccap.c', which provides the expected entry point functions. This commit is also derived from the original ppc64 support pull request by q66: briansmith#819 I agree to license my contributions to each file under the terms given at the top of each file I changed. Signed-off-by: Eric Richter <erichte@linux.ibm.com>
The powerpc64le assembly implementations for certain algorithms are not directly callable, unlike on other architectures. Therefore, they require a small amount of preprocessing handled by some C code. This commit adds a new file derived from OpenSSL's 'ppccap.c', which provides the expected entry point functions. This commit is also derived from the original ppc64 support pull request by q66: briansmith#819 I agree to license my contributions to each file under the terms given at the top of each file I changed.
The powerpc64le assembly implementations for certain algorithms are not directly callable, unlike on other architectures. Therefore, they require a small amount of preprocessing handled by some C code. This commit adds a new file derived from OpenSSL's 'ppccap.c', which provides the expected entry point functions. This commit is also derived from the original ppc64 support pull request by q66: briansmith#819 I agree to license my contributions to each file under the terms given at the top of each file I changed. Signed-off-by: Eric Richter <erichte@linux.ibm.com>
The powerpc64le assembly implementations for certain algorithms are not directly callable, unlike on other architectures. Therefore, they require a small amount of preprocessing handled by some C code. This commit adds a new file derived from OpenSSL's 'ppccap.c', which provides the expected entry point functions. This commit is also derived from the original ppc64 support pull request by q66: briansmith#819 I agree to license my contributions to each file under the terms given at the top of each file I changed.
The powerpc64le assembly implementations for certain algorithms are not directly callable, unlike on other architectures. Therefore, they require a small amount of preprocessing handled by some C code. This commit adds a new file derived from OpenSSL's 'ppccap.c', which provides the expected entry point functions. This commit is also derived from the original ppc64 support pull request by q66: briansmith#819 I agree to license my contributions to each file under the terms given at the top of each file I changed.
The powerpc64le assembly implementations for certain algorithms are not directly callable, unlike on other architectures. Therefore, they require a small amount of preprocessing handled by some C code. This commit adds a new file derived from OpenSSL's 'ppccap.c', which provides the expected entry point functions. This commit is also derived from the original ppc64 support pull request by q66: briansmith#819 I agree to license my contributions to each file under the terms given at the top of each file I changed.
The powerpc64le assembly implementations for certain algorithms are not directly callable, unlike on other architectures. Therefore, they require a small amount of preprocessing handled by some C code. This commit adds a new file derived from OpenSSL's 'ppccap.c', which provides the expected entry point functions. This commit is also derived from the original ppc64 support pull request by q66: briansmith#819 I agree to license my contributions to each file under the terms given at the top of each file I changed.
I decided to do my own take at ppc64 (and maybe 32, but comments suggest that might not be practical) support...
Current status/TODO:
ChaCha20_ctr32_vsxsegfaults [edit: it's because ring does not check length for zero and the vsx assembly assumes non-zero, fixed by checking separately inGFp_ChaCha20_ctr32]build.rsto support big endian ppc64 (ELFv2 and ELFv1) and 32-bit ppcecp_nistz256missing (no portable impl, no ppc32 assembly)The big endian byteswapping hacks in
chacha.rsandpoly1305.rsare most likely wrong. I don't know what the right fix is though.