From patchwork Thu Jan 20 11:27:17 2022
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Richard Earnshaw <rearnsha@arm.com>
X-Patchwork-Id: 50269
Return-Path: <gcc-patches-bounces+patchwork=sourceware.org@gcc.gnu.org>
X-Original-To: patchwork@sourceware.org
Delivered-To: patchwork@sourceware.org
Received: from server2.sourceware.org (localhost [IPv6:::1])
	by sourceware.org (Postfix) with ESMTP id 186F3385841D
	for <patchwork@sourceware.org>; Thu, 20 Jan 2022 11:28:49 +0000 (GMT)
DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 186F3385841D
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gcc.gnu.org;
	s=default; t=1642678129;
	bh=tiku0ox5xORFnvrBWH/3kGm+xmAV3qBNQszRaUqHl8M=;
	h=To:Subject:Date:List-Id:List-Unsubscribe:List-Archive:List-Post:
	 List-Help:List-Subscribe:From:Reply-To:Cc:From;
	b=rQRWcMrVfSodIKYqnJH476dmUmrCuOzdEH3HzwwfS5YFdFMr6Au06YdiJ7AlKc5Yb
	 /4habhpA7dZJOyzqOCQkkNjrQ0HGqg4WJtul83UTGQli4X88VYYBInbKlvpCmHEL0J
	 m/yYOWqD4B3ZaHwDqzIJGjXe6S1HMc4Ia8diuRz0=
X-Original-To: gcc-patches@gcc.gnu.org
Delivered-To: gcc-patches@gcc.gnu.org
Received: from foss.arm.com (foss.arm.com [217.140.110.172])
 by sourceware.org (Postfix) with ESMTP id 2A85B3858D35
 for <gcc-patches@gcc.gnu.org>; Thu, 20 Jan 2022 11:28:20 +0000 (GMT)
DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 2A85B3858D35
Received: from usa-sjc-imap-foss1.foss.arm.com (unknown [10.121.207.14])
 by usa-sjc-mx-foss1.foss.arm.com (Postfix) with ESMTP id C6D756D;
 Thu, 20 Jan 2022 03:28:19 -0800 (PST)
Received: from e126323.arm.com (unknown [10.57.36.197])
 by usa-sjc-imap-foss1.foss.arm.com (Postfix) with ESMTPSA id 49C593F774;
 Thu, 20 Jan 2022 03:28:19 -0800 (PST)
To: GCC patches <gcc-patches@gcc.gnu.org>
Subject: [committed 0/7] Arm: mitigation for AES erratum on Cortex-a57 and
 Cortex-A72
Date: Thu, 20 Jan 2022 11:27:17 +0000
Message-Id: <20220120112724.830872-1-rearnsha@arm.com>
X-Mailer: git-send-email 2.25.1
MIME-Version: 1.0
X-Spam-Status: No, score=-7.4 required=5.0 tests=BAYES_00, KAM_DMARC_STATUS,
 KAM_NUMSUBJECT, KAM_SHORT, SPF_HELO_NONE, SPF_PASS,
 TXREP autolearn=no autolearn_force=no version=3.4.4
X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on
 server2.sourceware.org
X-BeenThere: gcc-patches@gcc.gnu.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Gcc-patches mailing list <gcc-patches.gcc.gnu.org>
List-Unsubscribe: <https://gcc.gnu.org/mailman/options/gcc-patches>,
 <mailto:gcc-patches-request@gcc.gnu.org?subject=unsubscribe>
List-Archive: <https://gcc.gnu.org/pipermail/gcc-patches/>
List-Post: <mailto:gcc-patches@gcc.gnu.org>
List-Help: <mailto:gcc-patches-request@gcc.gnu.org?subject=help>
List-Subscribe: <https://gcc.gnu.org/mailman/listinfo/gcc-patches>,
 <mailto:gcc-patches-request@gcc.gnu.org?subject=subscribe>
X-Patchwork-Original-From: Richard Earnshaw via Gcc-patches
 <gcc-patches@gcc.gnu.org>
From: Richard Earnshaw <rearnsha@arm.com>
Reply-To: Richard Earnshaw <rearnsha@arm.com>
Cc: Richard Earnshaw <rearnsha@arm.com>
Errors-To: gcc-patches-bounces+patchwork=sourceware.org@gcc.gnu.org
Sender: "Gcc-patches"
 <gcc-patches-bounces+patchwork=sourceware.org@gcc.gnu.org>

The Cortex-A57 and Cortex-A72 processors have an erratum (#1742098
and #1655431 respectively) when running in Arm (32-bit) mode where an
instruction producing a 32-bit result that feeds into an AES encode or
decode can lead to an incorrect result.  The erratum does not occur when
operating in 64-bit (aarch64) mode.

The mitigation approach taken by this patch series is in two parts.
Firstly, to ensure that this cannot happen by inserting a special
128-bit copy operation before each operand to a potentially vulnerable
sequence.  This is overkill, but safe.  The copy operations are
independent instructions, so can be migrated out of loops by the GCSE
pass or other optimizations.

Secondly, we then allow the copy operations to be merged with common
cases where the producer is known to be unaffected by the erratum.
Currently that includes other AES instructions, loads and certain move
operations.

In combination this eliminates the majority of redundant instructions
for normal use cases.  I did consider adding a custom pass to do late
insertion of the mitigation, but decided against it.  A trivial
implemenation would be unable to hoist operations out of the loop, while
a more complex implementation would require a lot of data-flow
analysis to find the optimum location for each mitigation and might
need to insert mitigation instructions on multiple paths.  The pass
would be complex and likely to have difficult to test corner cases.

The series consists of 7 patches.  The first two patches are cleanups
to the existing code.  Patch 3 adds the command line options to enable
the mitigation and the corresponding documentation.  Patch 4 adds the
basic mitigation operation and patches 5 and 6 add various additional
patterns to elide the mitigation for common cases where it is not
needed.  The final patch adds a testcase.

Richard Earnshaw (7):
  arm: Disambiguate multiple crypto patterns with the same name.
  arm: Consistently use crypto_mode attribute in crypto patterns
  arm: Add option for mitigating against Cortex-A CPU erratum for AES
  arm: add basic mitigation for Cortex-A AES errata
  arm: suppress aes erratum when forwarding from aes
  arm: elide some cases where the AES erratum workaround is not
    required.
  arm: Add test for AES erratum mitigation

 gcc/config/arm/arm-cpus.in                    |   9 +-
 gcc/config/arm/arm.cc                         |   9 +
 gcc/config/arm/arm.opt                        |  10 +
 gcc/config/arm/crypto.md                      | 227 ++++++++++++++----
 gcc/config/arm/unspecs.md                     |   1 +
 gcc/doc/invoke.texi                           |  11 +
 .../gcc.target/arm/crypto-vaese-erratum1.c    |  28 +++
 7 files changed, 242 insertions(+), 53 deletions(-)
 create mode 100644 gcc/testsuite/gcc.target/arm/crypto-vaese-erratum1.c