8252204: AArch64: Implement SHA3 accelerator/intrinsic

[RealFYang]

Contributed-by: ard.biesheuvel@linaro.org, dongbo4@huawei.com

This added an intrinsic for SHA3 using aarch64 v8.2 SHA3 Crypto Extensions.
Reference implementation for core SHA-3 transform using ARMv8.2 Crypto Extensions:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/arch/arm64/crypto/sha3-ce-core.S?h=v5.4.52

Trivial adaptation in SHA3. implCompress is needed for the purpose of adding the intrinsic.
For SHA3, we need to pass one extra parameter "digestLength" to the stub for the calculation of block size.
"digestLength" is also used in for the EOR loop before keccak to differentiate different SHA3 variants.

We added jtreg tests for SHA3 and used QEMU system emulator which supports SHA3 instructions to test the functionality.
Patch passed jtreg tier1-3 tests with QEMU system emulator.
Also verified with jtreg tier1-3 tests without SHA3 instructions on aarch64-linux-gnu and x86_64-linux-gnu, to make sure that there's no regression.

We used one existing JMH test for performance test: test/micro/org/openjdk/bench/java/security/MessageDigests.java
We measured the performance benefit with an aarch64 cycle-accurate simulator.
Patch delivers 20% - 40% performance improvement depending on specific SHA3 digest length and size of the message.

For now, this feature will not be enabled automatically for aarch64. We can auto-enable this when it is fully tested on real hardware. But for the above testing purposes, this is auto-enabled when the corresponding hardware feature is detected.

---

Progress

• Change must not contain extraneous whitespace
• Commit message must refer to an issue
• Change must be properly reviewed

Testing

	Linux x32	Linux x64	Windows x64	macOS x64
Build	✔️ (1/1 passed)	✔️ (5/5 passed)	✔️ (2/2 passed)	✔️ (2/2 passed)
Test (tier1)		✔️ (9/9 passed)	❌ (1/9 failed)	✔️ (9/9 passed)

Failed test task

• Windows x64 (hs/tier1 compiler)

Issue

• JDK-8252204: AArch64: Implement SHA3 accelerator/intrinsic

Reviewers

• Andrew Haley (@theRealAph - Reviewer) ⚠️ Review applies to a5810df
• Vladimir Kozlov (@vnkozlov - Reviewer)

Contributors

• Ard Biesheuvel <ard.biesheuvel@linaro.org>
• Dong Bo <dongbo4@huawei.com>

Download

$ git fetch https://git.openjdk.java.net/jdk pull/207/head:pull/207
$ git checkout pull/207

[bridgekeeper]

👋 Welcome back fyang! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

@RealFYang The following labels will be automatically applied to this pull request: hotspot security.

When this pull request is ready to be reviewed, an RFR email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label (add|remove) "label" command.

[mlbridge]

Webrevs

• 10: Full - Incremental (b43f919)
• 09: Full (d32c8ad)
• 08: Full (0555170)
• 07: Full (6cd27be)
• 06: Full (70d9e84)
• 05: Full (446b468)
• 04: Full (a5810df)
• 03: Full - Incremental (04bdb42)
• 02: Full - Incremental (3e15519)
• 01: Full (32f0bdc)
• 00: Full (7da0c5e)

[RealFYang]

@ardbiesheuvel : Ard, could you please ack this patch? Thanks.

[ardbiesheuvel]

Acked-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>

[RealFYang]

/cc aarch64-port core-libs hotspot-compiler

[openjdk]

@RealFYang The label aarch64-port is not a valid label. These labels are valid:

• serviceability
• hotspot
• sound
• hotspot-compiler
• kulla
• i18n
• shenandoah
• jdk
• javadoc
• 2d
• security
• swing
• hotspot-runtime
• jmx
• build
• nio
• beans
• core-libs
• compiler
• net
• hotspot-gc
• hotspot-jfr
• awt

[RealFYang]

/cc core-libs hotspot-compiler

[openjdk]

@RealFYang
The core-libs label was successfully added.

The hotspot-compiler label was successfully added.

[RealFYang]

/contributor add Ard Biesheuvel ard.biesheuvel@linaro.org

[openjdk]

@RealFYang Could not parse Ard Biesheuvel ard.biesheuvel@linaro.org as a valid contributor.
Syntax: /contributor (add|remove) [@user | openjdk-user | Full Name <email@address>]. For example:

• /contributor add @openjdk-bot
• /contributor add duke
• /contributor add J. Duke <duke@openjdk.org>

[RealFYang]

/contributor add Bo Dong dongbo4@huawei.com

[openjdk]

@RealFYang Could not parse Bo Dong dongbo4@huawei.com as a valid contributor.
Syntax: /contributor (add|remove) [@user | openjdk-user | Full Name <email@address>]. For example:

• /contributor add @openjdk-bot
• /contributor add duke
• /contributor add J. Duke <duke@openjdk.org>

[RealFYang]

/contributor add Ard Biesheuvel ard.biesheuvel@linaro.org

[openjdk]

@RealFYang
Contributor Ard Biesheuvel <ard.biesheuvel@linaro.org> successfully added.

[RealFYang]

/contributor add Bo Dong dongbo4@huawei.com

[openjdk]

@RealFYang
Contributor Bo Dong <dongbo4@huawei.com> successfully added.

[mlbridge]

Mailing list message from Andrew Haley on security-dev:

On 17/09/2020 05:26, Fei Yang wrote:

For now, this feature will not be enabled automatically for aarch64. We can auto-enable this when it is fully tested on
real hardware. But for the above testing purposes, this is auto-enabled when the corresponding hardware feature is
detected.

Given that there's no real hardware, it's extra-important to add the
new instructions to cpu/aarch64/aarch64-asmtest.py and regenerate the
test in assembler_aarch64.cc:asm_check.

--
Andrew Haley (he/him)
Java Platform Lead Engineer
Red Hat UK Ltd. <https://www.redhat.com>
https://keybase.io/andrewhaley
EAC8 43EB D3EF DB98 CC77 2FAD A5CD 6035 332F A671

[openjdk]

@RealFYang this pull request can not be integrated into master due to one or more merge conflicts. To resolve these merge conflicts and update this pull request you can run the following commands in the local repository for your personal fork:

git checkout 8252204
git fetch https://git.openjdk.java.net/jdk master
git merge FETCH_HEAD
# resolve conflicts and follow the instructions given by git merge
git commit -m "Merge master"
git push

[vnkozlov]

Always run graalunit testing with new intrinsics. You need to adjust Graal test:
src/jdk.internal.vm.compiler/share/classes/org.graalvm.compiler.hotspot.test/src/org/graalvm/compiler/hotspot/test/CheckGraalIntrinsics.java

[RealFYang]

/test

[openjdk]

@RealFYang you need to get approval to run the tests in tier1 for commits up until 0555170

[RealFYang]

Always run graalunit testing with new intrinsics. You need to adjust Graal test:
src/jdk.internal.vm.compiler/share/classes/org.graalvm.compiler.hotspot.test/src/org/graalvm/compiler/hotspot/test/CheckGraalIntrinsics.java

Thanks for looking at this. We did run graalunit testing and added the following change in our first commit:

diff --git a/src/jdk.internal.vm.compiler/share/classes/org.graalvm.compiler.hotspot.test/src/org/graalvm/compiler/hotspot/test/CheckGraalIntrinsics.java b/src/jdk.internal.vm.compiler/share/classes/org.graalvm.compiler.hotspot.test/src/org/graalvm/compiler/hotspot/test/CheckGraalIntrinsics.java
index f0e17947460..8f3f4ed9323 100644
--- a/src/jdk.internal.vm.compiler/share/classes/org.graalvm.compiler.hotspot.test/src/org/graalvm/compiler/hotspot/test/CheckGraalIntrinsics.java
+++ b/src/jdk.internal.vm.compiler/share/classes/org.graalvm.compiler.hotspot.test/src/org/graalvm/compiler/hotspot/test/CheckGraalIntrinsics.java
@@ -601,6 +601,7 @@ public class CheckGraalIntrinsics extends GraalTest {
if (!config.useSHA512Intrinsics()) {
add(ignore, "sun/security/provider/SHA5." + shaCompressName + "([BI)V");
}

•    add(toBeInvestigated, "sun/security/provider/SHA3." + shaCompressName + "([BI)V");
  }
  

[vnkozlov]

This should be under if (isJDK16OrHigher()) check. Something like this:
https://github.com/openjdk/jdk/pull/650/files#diff-d1f378fc1b7fe041309e854d40b3a95a91e63fdecf0ecd9826b7c95eaeba314eR527
You can wait when Aleksey push it and update your changes

[RealFYang]

OK. Will update with the following change after Aleksey's PR is integrated:

--- a/src/jdk.internal.vm.compiler/share/classes/org.graalvm.compiler.hotspot.test/src/org/graalvm/compiler/hotspot/test/CheckGraalIntrinsics.java
+++ b/src/jdk.internal.vm.compiler/share/classes/org.graalvm.compiler.hotspot.test/src/org/graalvm/compiler/hotspot/test/CheckGraalIntrinsics.java
@@ -608,6 +608,10 @@ public class CheckGraalIntrinsics extends GraalTest {
         if (!config.useSHA512Intrinsics()) {
             add(ignore, "sun/security/provider/SHA5." + shaCompressName + "([BI)V");
         }
+
+        if (isJDK16OrHigher()) {
+            add(toBeInvestigated, "sun/security/provider/SHA3." + shaCompressName + "([BI)V");
+        }
     }

[vnkozlov]

Yes, please, do that.

[RealFYang]

Done.
Commit: b43f919
I think this will not conflict with Aleksey's PR as we modify in different places of CheckGraalIntrinsics.java

[vnkozlov]

Someone in Oracle have to run tier1-tier3 testing with these changes to make sure nothing is broken. I don't want to repeat 8254790.

[RealFYang]

Someone in Oracle have to run tier1-tier3 testing with these changes to make sure nothing is broken. I don't want to repeat 8254790.

That's appreciated.
On my side, I run tier1-tier3 both on aarch64 linux and x86_64 linux.
The test result on these two platforms looks good for the latest changes.

[vnkozlov]

Someone in Oracle have to run tier1-tier3 testing with these changes to make sure nothing is broken. I don't want to repeat 8254790.

That's appreciated.
On my side, I run tier1-tier3 both on aarch64 linux and x86_64 linux.
The test result on these two platforms looks good for the latest changes.

I started testing of 09: version.

[vnkozlov]

tier1,2,3 passed. I verified that new SHA3 tests were run and passed.
But because SHA3 is not enabled for now (even on aarch64), it does not test asm code.
At least testing verified that changes in shared code does not cause any issues.

[RealFYang]

/contributor remove Bo Dong dongbo4@huawei.com

[openjdk]

@RealFYang
Contributor Bo Dong <dongbo4@huawei.com> successfully removed.

[RealFYang]

/contributor add Dong Bo dongbo4@huawei.com

[openjdk]

@RealFYang
Contributor Dong Bo <dongbo4@huawei.com> successfully added.

[RealFYang]

tier1,2,3 passed. I verified that new SHA3 tests were run and passed.
But because SHA3 is not enabled for now (even on aarch64), it does not test asm code.
At least testing verified that changes in shared code does not cause any issues.

Great to hear that :-)
Thanks for the effect.
With that testing result and reviewing from three reviewers, I think it's safe to integrate.

[RealFYang]

/integrate

[openjdk]

@RealFYang Since your change was applied there have been 65 commits pushed to the master branch:

• 7d3d4da: 8240709: Enable javax/swing/UI/UnninstallUIMemoryLeaks/UnninstallUIMemoryLeaks.java on all L&F
• 5d26229: 8255174: Vector API unit tests for missed public api code coverage
• b9186be: 6606767: resexhausted00[34] fail assert(!thread->owns_locks(), "must release all locks when leaving VM")
• 1191a63: 8199697: FIPS 186-4 RSA Key Generation
• 60d3fa2: 8255022: Documentation missing for Vector API zero methods
• 9ade94b: 8206311: Add docs-javase, docs-reference to CI build
• 3445031: 8255200: ProblemList com/sun/jdi/EATests.java for ZGC
• 85a8949: 8254913: Increase InlineSmallCode default from 2000 to 2500 for x64
• 56ea490: 8233343: Deprecate -XX:+CriticalJNINatives flag which implements JavaCritical native functions
• 615b759: 8255070: Shenandoah: Use single thread for concurrent CLD liveness test
• ... and 55 more: https://git.openjdk.java.net/jdk/compare/cdc8c401b50abcf75a3c8bbe2eafdd360f3aa3be...master

Your commit was automatically rebased without conflicts.

Pushed as commit b25d894.

💡 You may see a message that your pull request was closed with unmerged commits. This can be safely ignored.

[mur47x111]

is it intentional to load 16 bytes and post-increment by 8?

[ferakocz]

Actually, with the ld1r instruction the post increment should be the same as the size of the memory accessed. So T2D requires 8 as it reads 8 bytes(and duplicates it into both halves of the SIMD register).

[mur47x111]

Thanks for the clarification!