2 * Copyright 2011-2022 The OpenSSL Project Authors. All Rights Reserved.
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
15 #include <openssl/crypto.h>
17 #include <sys/sysctl.h>
19 #include "internal/cryptlib.h"
24 unsigned int OPENSSL_armcap_P
= 0;
25 unsigned int OPENSSL_arm_midr
= 0;
26 unsigned int OPENSSL_armv8_rsa_neonized
= 0;
28 #if __ARM_MAX_ARCH__<7
29 void OPENSSL_cpuid_setup(void)
33 uint32_t OPENSSL_rdtsc(void)
38 static sigset_t all_masked
;
40 static sigjmp_buf ill_jmp
;
41 static void ill_handler(int sig
)
43 siglongjmp(ill_jmp
, sig
);
47 * Following subroutines could have been inlined, but it's not all
48 * ARM compilers support inline assembler...
50 void _armv7_neon_probe(void);
51 void _armv8_aes_probe(void);
52 void _armv8_sha1_probe(void);
53 void _armv8_sha256_probe(void);
54 void _armv8_pmull_probe(void);
56 void _armv8_sm3_probe(void);
57 void _armv8_sm4_probe(void);
58 void _armv8_sha512_probe(void);
59 unsigned int _armv8_cpuid_probe(void);
60 void _armv8_sve_probe(void);
61 void _armv8_sve2_probe(void);
62 void _armv8_rng_probe(void);
64 size_t OPENSSL_rndr_asm(unsigned char *buf
, size_t len
);
65 size_t OPENSSL_rndrrs_asm(unsigned char *buf
, size_t len
);
67 size_t OPENSSL_rndr_bytes(unsigned char *buf
, size_t len
);
68 size_t OPENSSL_rndrrs_bytes(unsigned char *buf
, size_t len
);
70 static size_t OPENSSL_rndr_wrapper(size_t (*func
)(unsigned char *, size_t), unsigned char *buf
, size_t len
)
72 size_t buffer_size
= 0;
75 for (i
= 0; i
< 8; i
++) {
76 buffer_size
= func(buf
, len
);
77 if (buffer_size
== len
)
79 usleep(5000); /* 5000 microseconds (5 milliseconds) */
84 size_t OPENSSL_rndr_bytes(unsigned char *buf
, size_t len
)
86 return OPENSSL_rndr_wrapper(OPENSSL_rndr_asm
, buf
, len
);
89 size_t OPENSSL_rndrrs_bytes(unsigned char *buf
, size_t len
)
91 return OPENSSL_rndr_wrapper(OPENSSL_rndrrs_asm
, buf
, len
);
94 uint32_t _armv7_tick(void);
96 uint32_t OPENSSL_rdtsc(void)
98 if (OPENSSL_armcap_P
& ARMV7_TICK
)
104 # if defined(__GNUC__) && __GNUC__>=2
105 void OPENSSL_cpuid_setup(void) __attribute__ ((constructor
));
108 # if defined(__GLIBC__) && defined(__GLIBC_PREREQ)
109 # if __GLIBC_PREREQ(2, 16)
110 # include <sys/auxv.h>
111 # define OSSL_IMPLEMENT_GETAUXVAL
113 # elif defined(__ANDROID_API__)
114 /* see https://developer.android.google.cn/ndk/guides/cpu-features */
115 # if __ANDROID_API__ >= 18
116 # include <sys/auxv.h>
117 # define OSSL_IMPLEMENT_GETAUXVAL
120 # if defined(__FreeBSD__)
121 # include <sys/param.h>
122 # if __FreeBSD_version >= 1200000
123 # include <sys/auxv.h>
124 # define OSSL_IMPLEMENT_GETAUXVAL
126 static unsigned long getauxval(unsigned long key
)
128 unsigned long val
= 0ul;
130 if (elf_aux_info((int)key
, &val
, sizeof(val
)) != 0)
139 * Android: according to https://developer.android.com/ndk/guides/cpu-features,
140 * getauxval is supported starting with API level 18
142 # if defined(__ANDROID__) && defined(__ANDROID_API__) && __ANDROID_API__ >= 18
143 # include <sys/auxv.h>
144 # define OSSL_IMPLEMENT_GETAUXVAL
148 * ARM puts the feature bits for Crypto Extensions in AT_HWCAP2, whereas
149 * AArch64 used AT_HWCAP.
155 # define AT_HWCAP2 26
157 # if defined(__arm__) || defined (__arm)
158 # define HWCAP AT_HWCAP
159 # define HWCAP_NEON (1 << 12)
161 # define HWCAP_CE AT_HWCAP2
162 # define HWCAP_CE_AES (1 << 0)
163 # define HWCAP_CE_PMULL (1 << 1)
164 # define HWCAP_CE_SHA1 (1 << 2)
165 # define HWCAP_CE_SHA256 (1 << 3)
166 # elif defined(__aarch64__)
167 # define HWCAP AT_HWCAP
168 # define HWCAP_NEON (1 << 1)
170 # define HWCAP_CE HWCAP
171 # define HWCAP_CE_AES (1 << 3)
172 # define HWCAP_CE_PMULL (1 << 4)
173 # define HWCAP_CE_SHA1 (1 << 5)
174 # define HWCAP_CE_SHA256 (1 << 6)
175 # define HWCAP_CPUID (1 << 11)
176 # define HWCAP_SHA3 (1 << 17)
177 # define HWCAP_CE_SM3 (1 << 18)
178 # define HWCAP_CE_SM4 (1 << 19)
179 # define HWCAP_CE_SHA512 (1 << 21)
180 # define HWCAP_SVE (1 << 22)
183 # define HWCAP2_SVE2 (1 << 1)
184 # define HWCAP2_RNG (1 << 16)
187 void OPENSSL_cpuid_setup(void)
190 struct sigaction ill_oact
, ill_act
;
192 static int trigger
= 0;
198 OPENSSL_armcap_P
= 0;
200 if ((e
= getenv("OPENSSL_armcap"))) {
201 OPENSSL_armcap_P
= (unsigned int)strtoul(e
, NULL
, 0);
205 # if defined(__APPLE__)
206 # if !defined(__aarch64__)
208 * Capability probing by catching SIGILL appears to be problematic
209 * on iOS. But since Apple universe is "monocultural", it's actually
210 * possible to simply set pre-defined processor capability mask.
213 OPENSSL_armcap_P
= ARMV7_NEON
;
217 * One could do same even for __aarch64__ iOS builds. It's not done
218 * exclusively for reasons of keeping code unified across platforms.
219 * Unified code works because it never triggers SIGILL on Apple
224 unsigned int feature
;
225 size_t len
= sizeof(feature
);
228 if (sysctlbyname("hw.optional.armv8_2_sha512", &feature
, &len
, NULL
, 0) == 0 && feature
== 1)
229 OPENSSL_armcap_P
|= ARMV8_SHA512
;
231 if (sysctlbyname("hw.optional.armv8_2_sha3", &feature
, &len
, NULL
, 0) == 0 && feature
== 1) {
232 OPENSSL_armcap_P
|= ARMV8_SHA3
;
234 if ((sysctlbyname("machdep.cpu.brand_string", uarch
, &len
, NULL
, 0) == 0) &&
235 (strncmp(uarch
, "Apple M1", 8) == 0))
236 OPENSSL_armcap_P
|= ARMV8_UNROLL8_EOR3
;
242 # ifdef OSSL_IMPLEMENT_GETAUXVAL
243 if (getauxval(HWCAP
) & HWCAP_NEON
) {
244 unsigned long hwcap
= getauxval(HWCAP_CE
);
246 OPENSSL_armcap_P
|= ARMV7_NEON
;
248 if (hwcap
& HWCAP_CE_AES
)
249 OPENSSL_armcap_P
|= ARMV8_AES
;
251 if (hwcap
& HWCAP_CE_PMULL
)
252 OPENSSL_armcap_P
|= ARMV8_PMULL
;
254 if (hwcap
& HWCAP_CE_SHA1
)
255 OPENSSL_armcap_P
|= ARMV8_SHA1
;
257 if (hwcap
& HWCAP_CE_SHA256
)
258 OPENSSL_armcap_P
|= ARMV8_SHA256
;
261 if (hwcap
& HWCAP_CE_SM4
)
262 OPENSSL_armcap_P
|= ARMV8_SM4
;
264 if (hwcap
& HWCAP_CE_SHA512
)
265 OPENSSL_armcap_P
|= ARMV8_SHA512
;
267 if (hwcap
& HWCAP_CPUID
)
268 OPENSSL_armcap_P
|= ARMV8_CPUID
;
270 if (hwcap
& HWCAP_CE_SM3
)
271 OPENSSL_armcap_P
|= ARMV8_SM3
;
272 if (hwcap
& HWCAP_SHA3
)
273 OPENSSL_armcap_P
|= ARMV8_SHA3
;
277 if (getauxval(HWCAP
) & HWCAP_SVE
)
278 OPENSSL_armcap_P
|= ARMV8_SVE
;
280 if (getauxval(HWCAP2
) & HWCAP2_SVE2
)
281 OPENSSL_armcap_P
|= ARMV8_SVE2
;
283 if (getauxval(HWCAP2
) & HWCAP2_RNG
)
284 OPENSSL_armcap_P
|= ARMV8_RNG
;
288 sigfillset(&all_masked
);
289 sigdelset(&all_masked
, SIGILL
);
290 sigdelset(&all_masked
, SIGTRAP
);
291 sigdelset(&all_masked
, SIGFPE
);
292 sigdelset(&all_masked
, SIGBUS
);
293 sigdelset(&all_masked
, SIGSEGV
);
295 memset(&ill_act
, 0, sizeof(ill_act
));
296 ill_act
.sa_handler
= ill_handler
;
297 ill_act
.sa_mask
= all_masked
;
299 sigprocmask(SIG_SETMASK
, &ill_act
.sa_mask
, &oset
);
300 sigaction(SIGILL
, &ill_act
, &ill_oact
);
302 /* If we used getauxval, we already have all the values */
303 # ifndef OSSL_IMPLEMENT_GETAUXVAL
304 if (sigsetjmp(ill_jmp
, 1) == 0) {
306 OPENSSL_armcap_P
|= ARMV7_NEON
;
307 if (sigsetjmp(ill_jmp
, 1) == 0) {
308 _armv8_pmull_probe();
309 OPENSSL_armcap_P
|= ARMV8_PMULL
| ARMV8_AES
;
310 } else if (sigsetjmp(ill_jmp
, 1) == 0) {
312 OPENSSL_armcap_P
|= ARMV8_AES
;
314 if (sigsetjmp(ill_jmp
, 1) == 0) {
316 OPENSSL_armcap_P
|= ARMV8_SHA1
;
318 if (sigsetjmp(ill_jmp
, 1) == 0) {
319 _armv8_sha256_probe();
320 OPENSSL_armcap_P
|= ARMV8_SHA256
;
322 # if defined(__aarch64__) && !defined(__APPLE__)
323 if (sigsetjmp(ill_jmp
, 1) == 0) {
325 OPENSSL_armcap_P
|= ARMV8_SM4
;
328 if (sigsetjmp(ill_jmp
, 1) == 0) {
329 _armv8_sha512_probe();
330 OPENSSL_armcap_P
|= ARMV8_SHA512
;
333 if (sigsetjmp(ill_jmp
, 1) == 0) {
335 OPENSSL_armcap_P
|= ARMV8_SM3
;
336 if (sigsetjmp(ill_jmp
, 1) == 0) {
338 OPENSSL_armcap_P
|= ARMV8_SHA3
;
343 if (sigsetjmp(ill_jmp
, 1) == 0) {
345 OPENSSL_armcap_P
|= ARMV8_SVE
;
348 if (sigsetjmp(ill_jmp
, 1) == 0) {
350 OPENSSL_armcap_P
|= ARMV8_SVE2
;
353 if (sigsetjmp(ill_jmp
, 1) == 0) {
355 OPENSSL_armcap_P
|= ARMV8_RNG
;
361 * Probing for ARMV7_TICK is known to produce unreliable results,
362 * so we will only use the feature when the user explicitly enables
363 * it with OPENSSL_armcap.
366 sigaction(SIGILL
, &ill_oact
, NULL
);
367 sigprocmask(SIG_SETMASK
, &oset
, NULL
);
370 if (OPENSSL_armcap_P
& ARMV8_CPUID
)
371 OPENSSL_arm_midr
= _armv8_cpuid_probe();
373 if ((MIDR_IS_CPU_MODEL(OPENSSL_arm_midr
, ARM_CPU_IMP_ARM
, ARM_CPU_PART_CORTEX_A72
) ||
374 MIDR_IS_CPU_MODEL(OPENSSL_arm_midr
, ARM_CPU_IMP_ARM
, ARM_CPU_PART_N1
)) &&
375 (OPENSSL_armcap_P
& ARMV7_NEON
)) {
376 OPENSSL_armv8_rsa_neonized
= 1;
378 if ((MIDR_IS_CPU_MODEL(OPENSSL_arm_midr
, ARM_CPU_IMP_ARM
, ARM_CPU_PART_V1
) ||
379 MIDR_IS_CPU_MODEL(OPENSSL_arm_midr
, ARM_CPU_IMP_ARM
, ARM_CPU_PART_N2
)) &&
380 (OPENSSL_armcap_P
& ARMV8_SHA3
))
381 OPENSSL_armcap_P
|= ARMV8_UNROLL8_EOR3
;