Enable the SHA extension implementation of SHA-256/512 on x86 (#81)

* Enable the SHA extension implementation of SHA-256/512 on x86

This change enables the implementation of SHA-256/512 with
SHA extension instruction set on x86 platforms.

Signed-off-by: Kostic <[email protected]>

* Fix the duplicate symbol build error when compiling in FIPS mode

* Add dispatch test for SHA extension instructions

This commit adds a dispatch test for SHA extension instructions.
Dispatch tests are meant to ensure that the expected assembly
functions are triggered by high-level API calls.

* Small readability improvement

* Run tests with Intel® Software Development Emulator.

* Correct echo message.

Co-authored-by: Kostic <[email protected]>
Co-authored-by: Bryce Shang <[email protected]>
Co-authored-by: Bryce Shang <[email protected]>

CMakeLists.txt

@@ -688,6 +688,14 @@ add_custom_target(
     DEPENDS all_tests
     ${MAYBE_USES_TERMINAL})
 
+add_custom_target(
+    run_tests_with_sde
+    COMMAND ${GO_EXECUTABLE} run util/all_tests.go -build-dir
+            ${CMAKE_BINARY_DIR} -sde true -sde-path "$ENV{SDEROOT}/sde"
+    WORKING_DIRECTORY ${CMAKE_SOURCE_DIR}
+    DEPENDS all_tests
+    ${MAYBE_USES_TERMINAL})
+
 # Copy awslc-config.cmake to build artifacts. 
 configure_file("cmake/awslc-config.cmake"
     "${CMAKE_CURRENT_BINARY_DIR}/awslc-config.cmake"

crypto/fipsmodule/sha/asm/sha512-x86_64.pl

@@ -130,11 +130,7 @@
 # necessary to disable AVX2 code when SHA Extensions code is disabled? Upstream
 # did not tie them together until after $shaext was added.
 $avx = 1;
-
-# TODO(davidben): Consider enabling the Intel SHA Extensions code once it's
-# been tested.
-$shaext=0;	### set to zero if compiling for 1.0.1
-$avx=1		if (!$shaext && $avx);
+$shaext=1;	### set to zero if compiling for 1.0.1
 
 open OUT,"| \"$^X\" \"$xlate\" $flavour \"$output\"";
 *STDOUT=*OUT;
@@ -275,7 +271,7 @@ ()
 ___
 $code.=<<___ if ($SZ==4 && $shaext);
 	test	\$`1<<29`,%r11d		# check for SHA
-	jnz	_shaext_shortcut
+	jnz	.Lshaext_shortcut
 ___
     # XOP codepath removed.
 $code.=<<___ if ($avx>1);
@@ -559,7 +555,12 @@ ()
 .type	sha256_block_data_order_shaext,\@function,3
 .align	64
 sha256_block_data_order_shaext:
-_shaext_shortcut:
+.Lshaext_shortcut:
+.cfi_startproc
+#ifdef BORINGSSL_DISPATCH_TEST
+.extern BORINGSSL_function_hit
+	movb \$1,BORINGSSL_function_hit+6(%rip)
+#endif
 ___
 $code.=<<___ if ($win64);
 	lea	`-8-5*16`(%rsp),%rsp
@@ -703,6 +704,7 @@ ()
 ___
 $code.=<<___;
 	ret
+.cfi_endproc
 .size	sha256_block_data_order_shaext,.-sha256_block_data_order_shaext
 ___
 }}}

crypto/impl_dispatch_test.cc

@@ -22,6 +22,7 @@
 
 #include <openssl/aead.h>
 #include <openssl/aes.h>
+#include <openssl/sha.h>
 #include <openssl/cpu.h>
 #include <openssl/mem.h>
 
@@ -37,6 +38,7 @@ class ImplDispatchTest : public ::testing::Test {
     aesni_ = OPENSSL_ia32cap_P[1] & (1 << (57 - 32));
     avx_movbe_ = ((OPENSSL_ia32cap_P[1] >> 22) & 0x41) == 0x41;
     ssse3_ = OPENSSL_ia32cap_P[1] & (1 << (41 - 32));
+    sha_ext_ = OPENSSL_ia32cap_P[2] & (1 << 29);
     is_x86_64_ =
 #if defined(OPENSSL_X86_64)
         true;
@@ -75,6 +77,7 @@ class ImplDispatchTest : public ::testing::Test {
   bool aesni_ = false;
   bool avx_movbe_ = false;
   bool ssse3_ = false;
+  bool sha_ext_ = false;
   bool is_x86_64_ = false;
 #endif
 };
@@ -88,6 +91,7 @@ constexpr size_t kFlag_aesni_gcm_encrypt = 2;
 constexpr size_t kFlag_aes_hw_set_encrypt_key = 3;
 constexpr size_t kFlag_vpaes_encrypt = 4;
 constexpr size_t kFlag_vpaes_set_encrypt_key = 5;
+constexpr size_t kFlag_sha256_shaext = 6;
 
 TEST_F(ImplDispatchTest, AEAD_AES_GCM) {
   AssertFunctionsHit(
@@ -145,6 +149,18 @@ TEST_F(ImplDispatchTest, AES_single_block) {
       });
 }
 
+TEST_F(ImplDispatchTest, SHA256) {
+  AssertFunctionsHit(
+      {
+          {kFlag_sha256_shaext, sha_ext_},
+      },
+      [] {
+        const uint8_t in[32] = {0};
+        uint8_t out[SHA256_DIGEST_LENGTH];
+        SHA256(in, 32, out);
+      });
+}
+
 #endif  // X86 || X86_64
 
 #endif  // DISPATCH_TEST && !SHARED_LIBRARY

include/openssl/cpu.h

@@ -201,6 +201,7 @@ extern unsigned long OPENSSL_ppc64le_hwcap2;
 //   3: aes_hw_set_encrypt_key
 //   4: vpaes_encrypt
 //   5: vpaes_set_encrypt_key
+//   6: sha256_block_data_order_shaext
 extern uint8_t BORINGSSL_function_hit[7];
 #endif  // BORINGSSL_DISPATCH_TEST
 

tests/ci/cdk/cdk/codebuild/github_ci_linux_x86_omnibus.yaml

@@ -94,6 +94,14 @@ batch:
         compute-type: BUILD_GENERAL1_LARGE
         image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:amazonlinux-2_gcc-7x_latest
 
+    - identifier: amazonlinux2_gcc7x_intel_sde_x86_64
+      buildspec: ./tests/ci/codebuild/linux-x86/amazonlinux-2_gcc-7x_intel-sde.yml
+      env:
+        type: LINUX_CONTAINER
+        privileged-mode: true
+        compute-type: BUILD_GENERAL1_LARGE
+        image: AWS_ACCOUNT_ID_PLACEHOLDER.dkr.ecr.AWS_REGION_PLACEHOLDER.amazonaws.com/ECR_REPO_X86_PLACEHOLDER:amazonlinux-2_gcc-7x_intel-sde_latest
+
     - identifier: amazonlinux2_gcc7x_x86_64_valgrind
       buildspec: ./tests/ci/codebuild/linux-x86/amazonlinux-2_gcc-7x_valgrind.yml
       env:

tests/ci/cdk/run-cdk.sh

@@ -171,6 +171,7 @@ function deploy() {
     "ubuntu-20.04_clang-10x_formal-verification_latest"
     "centos-7_gcc-4x_latest"
     "amazonlinux-2_gcc-7x_latest"
+    "amazonlinux-2_gcc-7x_intel-sde_latest"
     "s2n_integration_clang-9x_latest")
   images_pushed_to_ecr "${ECR_LINUX_X86_REPO_NAME}" "${linux_x86_img_tags[@]}"
   windows_img_tags=("vs2015_latest" "vs2017_latest")

tests/ci/codebuild/linux-x86/amazonlinux-2_gcc-7x_intel-sde.yml

@@ -0,0 +1,18 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+version: 0.2
+
+phases:
+  pre_build:
+    commands:
+      - if [ $(gcc -dumpfullversion) == 7.3.1 ]; then echo "Found correct gcc version 7"; else gcc --version && echo "gcc version mismatch" && exit 1; fi
+      # Based on Intel SDE README, SELinux should be turned off to allow pin to work.
+      # https://software.intel.com/content/www/us/en/develop/articles/intel-software-development-emulator.html#system-configuration
+      - if [ $(getenforce) == 'Disabled' ]; then echo "SELinux is disabled. Disabling SELinux is needed by sde to allow pin work." ; else echo "SELinux should be turned off to allow sde pin to work." && exit 1; fi
+      - export CC=gcc
+      - export CXX=g++
+      - export GO111MODULE=on
+  build:
+    commands:
+      - ./tests/ci/run_tests_with_sde.sh

tests/ci/common_posix_setup.sh

@@ -46,3 +46,12 @@ function build_and_test_valgrind {
   run_build "$@"
   run_test_valgrind
 }
+
+function run_test_with_sde {
+  $BUILD_COMMAND -C test_build_dir run_tests_with_sde
+}
+
+function build_and_test_with_sde {
+  run_build "$@"
+  run_test_with_sde
+}

tests/ci/docker_images/linux-x86/amazonlinux-2_gcc-7x-intel-sde/Dockerfile

@@ -0,0 +1,38 @@
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+FROM amazonlinux-2:gcc-7x
+
+SHELL ["/bin/bash", "-c"]
+
+# Enable the EPEL repository on Amazon Linux 2 before installing packages
+# https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/add-repositories.html
+
+# gcc 7.3.1 is the latest version versions `yum --showduplicates list gcc`
+# Install Valgrind for Valgrind test target even though it is not needed for the base test target.
+RUN set -ex && \
+    yum -y update && yum install -y \
+    # Without glibc.i686, running "./sde --help" generates error "bash: ./sde: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory"
+    glibc.i686 \
+    # This provides command `getenforce`, which can tell the current status of SELinux.
+    # Based on Interl SDE README, SELinux should be turned off to allow pin to work.
+    libselinux-utils \
+    wget \
+    bzip2 \
+    tar && \
+    # Install Intel® Software Development Emulator
+    # This emulator is needed when running BoringSSL/AWS-LC code under Intel's SDE for each supported chip (like ice lake).
+    # https://software.intel.com/content/www/us/en/develop/articles/intel-software-development-emulator.html#system-configuration
+    wget https://software.intel.com/content/dam/develop/external/us/en/documents/downloads/sde-external-8.59.0-2020-10-05-lin.tar.bz2 && \
+    tar -xvjf sde-external-8.59.0-2020-10-05-lin.tar.bz2 && \
+    cd sde-external-8.59.0-2020-10-05-lin \
+    yum clean packages && \
+    yum clean metadata && \
+    yum clean all && \
+    rm -rf /tmp/* && \
+    rm -rf /var/cache/yum
+
+ENV CC=gcc
+ENV CXX=g++
+ENV SDEROOT=/sde-external-8.59.0-2020-10-05-lin
+ENV PATH="$SDEROOT:$PATH"

tests/ci/docker_images/linux-x86/build_images.sh

@@ -15,6 +15,7 @@ docker build -t ubuntu-19.10:clang-9x ubuntu-19.10_clang-9x
 docker build -t ubuntu-19.10:sanitizer ubuntu-19.10_clang-9x_sanitizer
 docker build -t centos-7:gcc-4x centos-7_gcc-4x
 docker build -t amazonlinux-2:gcc-7x amazonlinux-2_gcc-7x
+docker build -t amazonlinux-2:gcc-7x-intel-sde amazonlinux-2_gcc-7x-intel-sde
 docker build -t fedora-31:clang-9x fedora-31_clang-9x
 docker build -t integration:s2n s2n_integration_clang-9x
 docker build -t ubuntu-20.04:clang-10x ubuntu-20.04_clang-10x

tests/ci/docker_images/linux-x86/push_images.sh

@@ -63,6 +63,11 @@ docker tag amazonlinux-2:gcc-7x ${ECS_REPO}:amazonlinux-2_gcc-7x_latest
 docker push ${ECS_REPO}:amazonlinux-2_gcc-7x_latest
 docker push ${ECS_REPO}:amazonlinux-2_gcc-7x_`date +%Y-%m-%d`
 
+docker tag amazonlinux-2:gcc-7x-intel-sde ${ECS_REPO}:amazonlinux-2_gcc-7x_intel-sde_`date +%Y-%m-%d`
+docker tag amazonlinux-2:gcc-7x-intel-sde ${ECS_REPO}:amazonlinux-2_gcc-7x_intel-sde_latest
+docker push ${ECS_REPO}:amazonlinux-2_gcc-7x_intel-sde_latest
+docker push ${ECS_REPO}:amazonlinux-2_gcc-7x_intel-sde_`date +%Y-%m-%d`
+
 docker tag fedora-31:clang-9x ${ECS_REPO}:fedora-31_clang-9x_`date +%Y-%m-%d`
 docker tag fedora-31:clang-9x ${ECS_REPO}:fedora-31_clang-9x_latest
 docker push ${ECS_REPO}:fedora-31_clang-9x_latest

tests/ci/run_tests_with_sde.sh

@@ -0,0 +1,11 @@
+#!/bin/bash -ex
+# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+# SPDX-License-Identifier: Apache-2.0
+
+source tests/ci/common_posix_setup.sh
+
+echo "Testing AWS-LC in debug mode under Intel's SDE."
+build_and_test_with_sde
+
+echo "Testing AWS-LC in release mode under Intel's SDE."
+build_and_test_with_sde -DCMAKE_BUILD_TYPE=Release