Re: libcrypto for powerpc g5 xonly

2023-02-01 Thread Mark Kettenis
> Date: Tue, 31 Jan 2023 20:19:19 -0500
> From: George Koehler 
> 
> OpenBSD/macppc can enforce xonly on the PowerPC G5.  libcrypto linked
> with cc -Wl,--execute-only will SIGSEGV as the PowerPC asm of sha256
> tries to read a table from text.  The fix is to move the table to
> rodata.  To find the table, I would do
> 
>     bcl     20, 31, 1f
> 1:  mflr    %r7
>     addis   %r7, %r7, .Ltable-1b@ha
>     addi    %r7, %r7, .Ltable-1b@l
> 
> This diff does so in perlasm syntax.  The literal "@ha" and "@l" in
> this diff are for an ELF platform (like OpenBSD) and might break the
> build for AIX or Mac OS, but I suspect that nobody builds this asm
> for those platforms.  (PowerPC Mac OS is long obsolete, ended at
> Mac OS X 10.5.8.)  If someone wants to try the PowerPC asm on a
> not-ELF platform, please tell me.
> 
> aes-ppc.pl would have the same problem, but we don't use aes-ppc.pl,
> so I provide no fix.  ports/security/openssl/{1.0.2,1.1,3.0} has
> copies of aes-ppc.pl and sha512-ppc.pl with the same problem, but
> doesn't enable them on OpenBSD, so I don't plan to edit them.
> 
> sha512-ppc.pl can emit code for sha256 or sha512, but we only use it
> for sha256.  The code uses simple ops (add, subtract, bit logic,
> bit rotation), nothing more fancy.  I don't know why it runs faster
> than the (not asm) sha256 in ports/security/openssl.
> 
> ok for this diff in src/lib/libcrypto?

ok kettenis@

> Index: sha/asm/sha512-ppc.pl
> ===
> RCS file: /cvs/src/lib/libcrypto/sha/asm/sha512-ppc.pl,v
> retrieving revision 1.3
> diff -u -p -r1.3 sha512-ppc.pl
> --- sha/asm/sha512-ppc.pl 14 Nov 2015 14:53:13 -  1.3
> +++ sha/asm/sha512-ppc.pl 31 Jan 2023 22:03:47 -
> @@ -220,8 +220,11 @@ $func:
>   $LD $G,`6*$SZ`($ctx)
>   $LD $H,`7*$SZ`($ctx)
>  
> - bl  LPICmeup
> -LPICedup:
> + bcl 20,31,Lpc
> +Lpc:
> + mflr$Tbl
> + addis   $Tbl,$Tbl,Ltable-Lpc\@ha
> + addi$Tbl,$Tbl,Ltable-Lpc\@l
>   andi.   r0,$inp,3
>   bne Lunaligned
>  Laligned:
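Review bot: The `\@ha` and `\@l` operators on the new addis/addi lines are ELF assembler syntax and are emitted unconditionally, with nothing in the source saying so. The comment removed further down ("PPC assembler syntax seem to vary too much from platforms to platform") was the only in-file warning about this, so a short comment above `bcl 20,31,Lpc` stating that the sequence assumes an ELF assembler, or a check on the perlasm flavour, would keep that knowledge in the file rather than only in the mail.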
> @@ -377,22 +380,8 @@ $code.=<<___;
>   blr
>   .long   0
>   .byte   0,12,0x14,0,0,0,0,0
> -___
> -
> -# Ugly hack here, because PPC assembler syntax seem to vary too
> -# much from platforms to platform...
> -$code.=<<___;
> -.align   6
> -LPICmeup:
> - mflrr0
> - bcl 20,31,\$+4
> - mflr$Tbl; vv "distance" between . and 1st data entry
> - addi$Tbl,$Tbl,`64-8`
> - mtlrr0
> - blr
> - .long   0
> - .byte   0,12,0x14,0,0,0,0,0
> - .space  `64-9*4`
> + .rodata
> +Ltable:
>  ___
>  $code.=<<___ if ($SZ==8);
>   .long   0x428a2f98,0xd728ae22,0x71374491,0x23ef65cd
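Review bot: The added `.rodata` and `Ltable:` lines carry no alignment directive, while the removed block used `.align 6` together with the `.space` padding to start the table on a 64-byte boundary. Consider putting `.align 6`, or at least the natural alignment of the table entries, before `Ltable:` so the table keeps the alignment it had in text.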
> 
> 
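Added example, not part of the thread or of libcrypto: a C model of the addis/addi pair from the patch above, showing why the displacement Ltable-Lpc is split with @ha and @l rather than with a plain high half. It assumes 32-bit addresses; the function names and the sample addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Sign-extend a 16-bit immediate, as addi and addis both do. */
static uint32_t sext16(uint16_t v) { return (uint32_t)(((int32_t)v ^ 0x8000) - 0x8000); }

/* @l: low 16 bits of the displacement. */
static uint16_t reloc_l(uint32_t d) { return (uint16_t)(d & 0xffffu); }

/* @h: plain high 16 bits, shown only for contrast. */
static uint16_t reloc_h(uint32_t d) { return (uint16_t)(d >> 16); }

/* @ha: high 16 bits plus one when bit 15 of the low half is set, which
 * cancels the -0x10000 that sign-extending @l contributes. */
static uint16_t reloc_ha(uint32_t d) { return (uint16_t)((d + 0x8000u) >> 16); }

/* Model of  addis rT,rT,hi ; addi rT,rT,lo  with 32-bit wraparound. */
static uint32_t addis_addi(uint32_t pc, uint16_t hi, uint16_t lo)
{
    return pc + (sext16(hi) << 16) + sext16(lo);
}

/* Address the sequence leaves in $Tbl; adjusted selects @ha over @h. */
static uint32_t table_addr(uint32_t lpc, uint32_t ltable, int adjusted)
{
    uint32_t d = ltable - lpc;              /* Ltable-Lpc */
    uint16_t hi = adjusted ? reloc_ha(d) : reloc_h(d);
    return addis_addi(lpc, hi, reloc_l(d));
}

int main(void)
{
    /* Constructed addresses: Lpc in text, Ltable in rodata. */
    const uint32_t lpc = 0x01800400u;
    const uint32_t tables[] = { 0x01821634u, 0x0182c7c0u, 0x017ff000u };
    for (unsigned i = 0; i < sizeof tables / sizeof tables[0]; i++)
        printf("Ltable=%08x  @ha/@l=%08x  @h/@l=%08x\n", (unsigned)tables[i],
               (unsigned)table_addr(lpc, tables[i], 1),
               (unsigned)table_addr(lpc, tables[i], 0));
    return 0;
}
```

With a plain high half the result is 0x10000 too low whenever bit 15 of the low half is set, which is the case for the second and third sample addresses.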



Re: libcrypto for powerpc g5 xonly

2023-01-31 Thread Theo de Raadt
All the functions in libcrypto need to be fixed, or for the ones which
are not fixed, they need to be disabled to use the C versions instead.

There should be no broken functions in the library.  It's not about
what you manage to use, it's about what something else will eventually
use.

The same can be done in the ports tree.

It is a rarely used architecture, so I think a brutish approach is fine.



libcrypto for powerpc g5 xonly

2023-01-31 Thread George Koehler
OpenBSD/macppc can enforce xonly on the PowerPC G5.  libcrypto linked
with cc -Wl,--execute-only will SIGSEGV as the PowerPC asm of sha256
tries to read a table from text.  The fix is to move the table to
rodata.  To find the table, I would do

    bcl     20, 31, 1f
1:  mflr    %r7
    addis   %r7, %r7, .Ltable-1b@ha
    addi    %r7, %r7, .Ltable-1b@l

This diff does so in perlasm syntax.  The literal "@ha" and "@l" in
this diff are for an ELF platform (like OpenBSD) and might break the
build for AIX or Mac OS, but I suspect that nobody builds this asm
for those platforms.  (PowerPC Mac OS is long obsolete, ended at
Mac OS X 10.5.8.)  If someone wants to try the PowerPC asm on a
not-ELF platform, please tell me.

aes-ppc.pl would have the same problem, but we don't use aes-ppc.pl,
so I provide no fix.  ports/security/openssl/{1.0.2,1.1,3.0} has
copies of aes-ppc.pl and sha512-ppc.pl with the same problem, but
doesn't enable them on OpenBSD, so I don't plan to edit them.

sha512-ppc.pl can emit code for sha256 or sha512, but we only use it
for sha256.  The code uses simple ops (add, subtract, bit logic,
bit rotation), nothing more fancy.  I don't know why it runs faster
than the (not asm) sha256 in ports/security/openssl.

ok for this diff in src/lib/libcrypto?

--George

Index: sha/asm/sha512-ppc.pl
===
RCS file: /cvs/src/lib/libcrypto/sha/asm/sha512-ppc.pl,v
retrieving revision 1.3
diff -u -p -r1.3 sha512-ppc.pl
--- sha/asm/sha512-ppc.pl   14 Nov 2015 14:53:13 -  1.3
+++ sha/asm/sha512-ppc.pl   31 Jan 2023 22:03:47 -
@@ -220,8 +220,11 @@ $func:
$LD $G,`6*$SZ`($ctx)
$LD $H,`7*$SZ`($ctx)
 
-   bl  LPICmeup
-LPICedup:
+   bcl 20,31,Lpc
+Lpc:
+   mflr$Tbl
+   addis   $Tbl,$Tbl,Ltable-Lpc\@ha
+   addi$Tbl,$Tbl,Ltable-Lpc\@l
andi.   r0,$inp,3
bne Lunaligned
 Laligned:
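Review bot: `bcl 20,31,Lpc` overwrites LR with no `mflr r0` / `mtlr r0` pair around it, unlike the removed LPICmeup helper. The old `bl LPICmeup` also left LR clobbered at this point, so this is safe only as long as the return address was saved earlier in `$func`; a one-line comment above the sequence saying LR is dead here would spare the next reader that check.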
@@ -377,22 +380,8 @@ $code.=<<___;
blr
.long   0
.byte   0,12,0x14,0,0,0,0,0
-___
-
-# Ugly hack here, because PPC assembler syntax seem to vary too
-# much from platforms to platform...
-$code.=<<___;
-.align 6
-LPICmeup:
-   mflrr0
-   bcl 20,31,\$+4
-   mflr$Tbl; vv "distance" between . and 1st data entry
-   addi$Tbl,$Tbl,`64-8`
-   mtlrr0
-   blr
-   .long   0
-   .byte   0,12,0x14,0,0,0,0,0
-   .space  `64-9*4`
+   .rodata
+Ltable:
 ___
 $code.=<<___ if ($SZ==8);
.long   0x428a2f98,0xd728ae22,0x71374491,0x23ef65cd
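Review bot: After the added `.rodata` line the output stays in that section for everything emitted from here on, and the visible context shows only table data following. If code is ever appended after the tables it would land in rodata, so either add a comment that the tables must remain the last thing emitted or switch back with an explicit `.text` once the tables end.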