crypto/sha256: Use SHA extensions if available

dbussink · dbussink · commit ff02c85da657 · 2021-10-01T13:46:26.000+02:00
This adds a new optimized version of SHA256 computation when the SHA Intel extensions are available. Based on the reference documentation at https://software.intel.com/content/www/us/en/develop/articles/intel-sha-extensions.html Benchmarks show a close to 4x performance improvement on an AMD Ryzen 5 3600, especially on larger inputs. Even on the smallest it's at least 2x faster. name old time/op new time/op delta Sha/SHA256____16_bytes-12 248ns ± 3% 117ns ± 3% -52.84% (p=0.000 n=20+19) Sha/SHA256____64_bytes-12 384ns ± 2% 153ns ± 3% -60.10% (p=0.000 n=20+17) Sha/SHA256___256_bytes-12 786ns ± 1% 249ns ± 3% -68.29% (p=0.000 n=19+19) Sha/SHA256____1k_bytes-12 2.36µs ± 1% 0.64µs ± 3% -72.93% (p=0.000 n=19+20) Sha/SHA256____8k_bytes-12 17.0µs ± 2% 4.2µs ± 1% -75.16% (p=0.000 n=20+20) Sha/SHA256__256k_bytes-12 537µs ± 1% 131µs ± 1% -75.60% (p=0.000 n=20+20) Sha/SHA256_1024k_bytes-12 2.15ms ± 1% 0.52ms ± 1% -75.60% (p=0.000 n=20+20)
diff --git a/src/crypto/sha256/sha256block_amd64.go b/src/crypto/sha256/sha256block_amd64.go
@@ -12,10 +12,16 @@ func blockAVX2(dig *digest, p []byte)
 //go:noescape
 func blockAMD64(dig *digest, p []byte)
 
-var useAVX2 = cpu.X86.HasAVX2 && cpu.X86.HasBMI1 && cpu.X86.HasBMI2
+//go:noescape
+func blockSHA(dig *digest, p []byte)
+
+var useAVX2 = cpu.X86.HasAVX2 && cpu.X86.HasBMI2
+var useSHA = cpu.X86.HasSHA
 
 func block(dig *digest, p []byte) {
-	if useAVX2 {
+	if useSHA {
+		blockSHA(dig, p)
+	} else if useAVX2 {
 		blockAVX2(dig, p)
 	} else {
 		blockAMD64(dig, p)
diff --git a/src/crypto/sha256/sha256block_amd64.s b/src/crypto/sha256/sha256block_amd64.s
@@ -1026,3 +1026,279 @@ DATA K256<>+0x1f8(SB)/4, $0xbef9a3f7
 DATA K256<>+0x1fc(SB)/4, $0xc67178f2
 
 GLOBL K256<>(SB), (NOPTR + RODATA), $512
+
+// SHA256 implementation using the SHA extension. Implemented using the
+// reference implementation found at:
+// https://software.intel.com/content/www/us/en/develop/articles/intel-sha-extensions.html
+
+// Setup register aliases to easier follow the algorithm.
+#define MSG       X0
+#define STATE0    X1
+#define STATE1    X2
+#define MSGTMP0   X3
+#define MSGTMP1   X4
+#define MSGTMP2   X5
+#define MSGTMP3   X6
+#define MSGTMP4   X7
+#define SHUF_MASK X8
+#define ABEF_SAVE X9
+#define CDGH_SAVE X10
+#define SHA256CONSTANTS BX
+
+TEXT ·blockSHA(SB), NOSPLIT, $0-32
+
+	MOVQ		dig+0(FP), CX
+	MOVQ		p_base+8(FP), SI
+	MOVQ		p_len+16(FP), DX
+	SHRQ		$6, DX
+	SHLQ		$6, DX
+	LEAQ		(SI)(DX*1), DI
+
+	MOVOU		(CX), STATE0
+	MOVOU		16(CX), STATE1
+
+	// Byte shuffle for correct 32 bit dword order.
+	// The algorithm assumes 8 32 bit working variables called
+	// A through H. CDGH need to be stored in one XMM register &
+	// ABEF in another one. So the desired end state here is ABEF
+	// (each a 32 bit dword in that order from high to low) in
+	// STATE0 & CDGH in STATE1.
+	//
+	// We start off with DCBA in STATE0 & HGFE in STATE1
+	//
+	// First, shuffle DCBA -> CDAB
+	PSHUFD          $0xb1, STATE0, STATE0
+	// Shuffle HGFE -> EFGH
+	PSHUFD          $0x1b, STATE1, STATE1
+	// Copy EFGH into temporary register since blending would
+	// otherwise lose data.
+	MOVO        	STATE1, MSGTMP0
+	// Blend CDAB into EFGH to result in CDGH
+	PBLENDW         $0xf0, STATE0, STATE1
+	// Shift AB (8 bytes) from CDAB into EFGH to result in ABEF.
+	PALIGNR		$8, MSGTMP0, STATE0
+
+	MOVO		flip_mask<>(SB), SHUF_MASK
+
+	// Reuses the existing constant table, but it means that each
+	// time SHA256CONSTANTS is used the offset is doubled since
+	// K256 contains duplicate entries for the AVX2 path.
+	LEAQ		K256<>(SB), SHA256CONSTANTS
+
+	// Skip if we accidentally have a zero sized block.
+	CMPQ		SI, DI
+	JEQ		end
+
+loop:
+
+	// Save working variables.
+	MOVO		STATE0, ABEF_SAVE
+	MOVO		STATE1, CDGH_SAVE
+
+	// Rounds 0-3.
+	MOVOU		(SI), MSG
+	PSHUFB		SHUF_MASK, MSG
+	MOVO		MSG, MSGTMP0
+	PADDD		0*16(SHA256CONSTANTS), MSG
+	SHA256RNDS2	MSG, STATE0, STATE1
+	PSHUFD 		$0x0e, MSG, MSG
+	SHA256RNDS2	MSG, STATE1, STATE0
+
+	// Rounds 4-7.
+	MOVOU		16(SI), MSG
+	PSHUFB		SHUF_MASK, MSG
+	MOVO		MSG, MSGTMP1
+	PADDD		2*16(SHA256CONSTANTS), MSG
+	SHA256RNDS2	MSG, STATE0, STATE1
+	PSHUFD 		$0x0e, MSG, MSG
+	SHA256RNDS2	MSG, STATE1, STATE0
+	SHA256MSG1	MSGTMP1, MSGTMP0
+
+	// Rounds 8-11.
+	MOVOU		32(SI), MSG
+	PSHUFB		SHUF_MASK, MSG
+	MOVO		MSG, MSGTMP2
+	PADDD		4*16(SHA256CONSTANTS), MSG
+	SHA256RNDS2	MSG, STATE0, STATE1
+	PSHUFD 		$0x0e, MSG, MSG
+	SHA256RNDS2	MSG, STATE1, STATE0
+	SHA256MSG1	MSGTMP2, MSGTMP1
+
+	// Rounds 12-15.
+	MOVOU		48(SI), MSG
+	PSHUFB		SHUF_MASK, MSG
+	MOVO		MSG, MSGTMP3
+	PADDD		6*16(SHA256CONSTANTS), MSG
+	SHA256RNDS2	MSG, STATE0, STATE1
+	MOVO		MSGTMP3, MSGTMP4
+	PALIGNR		$4, MSGTMP2, MSGTMP4
+	PADDD		MSGTMP4, MSGTMP0
+	SHA256MSG2	MSGTMP3, MSGTMP0
+	PSHUFD 		$0x0e, MSG, MSG
+	SHA256RNDS2	MSG, STATE1, STATE0
+	SHA256MSG1	MSGTMP3, MSGTMP2
+
+	// Rounds 16-19.
+	MOVO		MSGTMP0, MSG
+	PADDD		8*16(SHA256CONSTANTS), MSG
+	SHA256RNDS2	MSG, STATE0, STATE1
+	MOVO		MSGTMP0, MSGTMP4
+	PALIGNR		$4, MSGTMP3, MSGTMP4
+	PADDD		MSGTMP4, MSGTMP1
+	SHA256MSG2	MSGTMP0, MSGTMP1
+	PSHUFD 		$0x0e, MSG, MSG
+	SHA256RNDS2	MSG, STATE1, STATE0
+	SHA256MSG1	MSGTMP0, MSGTMP3
+
+	// Rounds 20-23.
+	MOVO		MSGTMP1, MSG
+	PADDD		10*16(SHA256CONSTANTS), MSG
+	SHA256RNDS2	MSG, STATE0, STATE1
+	MOVO		MSGTMP1, MSGTMP4
+	PALIGNR		$4, MSGTMP0, MSGTMP4
+	PADDD		MSGTMP4, MSGTMP2
+	SHA256MSG2	MSGTMP1, MSGTMP2
+	PSHUFD 		$0x0e, MSG, MSG
+	SHA256RNDS2	MSG, STATE1, STATE0
+	SHA256MSG1	MSGTMP1, MSGTMP0
+
+	// Rounds 24-27.
+	MOVO		MSGTMP2, MSG
+	PADDD		12*16(SHA256CONSTANTS), MSG
+	SHA256RNDS2	MSG, STATE0, STATE1
+	MOVO		MSGTMP2, MSGTMP4
+	PALIGNR		$4, MSGTMP1, MSGTMP4
+	PADDD		MSGTMP4, MSGTMP3
+	SHA256MSG2	MSGTMP2, MSGTMP3
+	PSHUFD 		$0x0e, MSG, MSG
+	SHA256RNDS2	MSG, STATE1, STATE0
+	SHA256MSG1	MSGTMP2, MSGTMP1
+
+	// Rounds 28-31.
+	MOVO		MSGTMP3, MSG
+	PADDD		14*16(SHA256CONSTANTS), MSG
+	SHA256RNDS2	MSG, STATE0, STATE1
+	MOVO		MSGTMP3, MSGTMP4
+	PALIGNR		$4, MSGTMP2, MSGTMP4
+	PADDD		MSGTMP4, MSGTMP0
+	SHA256MSG2	MSGTMP3, MSGTMP0
+	PSHUFD 		$0x0e, MSG, MSG
+	SHA256RNDS2	MSG, STATE1, STATE0
+	SHA256MSG1	MSGTMP3, MSGTMP2
+
+	// Rounds 32-35.
+	MOVO		MSGTMP0, MSG
+	PADDD		16*16(SHA256CONSTANTS), MSG
+	SHA256RNDS2	MSG, STATE0, STATE1
+	MOVO		MSGTMP0, MSGTMP4
+	PALIGNR		$4, MSGTMP3, MSGTMP4
+	PADDD		MSGTMP4, MSGTMP1
+	SHA256MSG2	MSGTMP0, MSGTMP1
+	PSHUFD 		$0x0e, MSG, MSG
+	SHA256RNDS2	MSG, STATE1, STATE0
+	SHA256MSG1	MSGTMP0, MSGTMP3
+
+	// Rounds 36-39.
+	MOVO		MSGTMP1, MSG
+	PADDD		18*16(SHA256CONSTANTS), MSG
+	SHA256RNDS2	MSG, STATE0, STATE1
+	MOVO		MSGTMP1, MSGTMP4
+	PALIGNR		$4, MSGTMP0, MSGTMP4
+	PADDD		MSGTMP4, MSGTMP2
+	SHA256MSG2	MSGTMP1, MSGTMP2
+	PSHUFD 		$0x0e, MSG, MSG
+	SHA256RNDS2	MSG, STATE1, STATE0
+	SHA256MSG1	MSGTMP1, MSGTMP0
+
+	// Rounds 40-43.
+	MOVO		MSGTMP2, MSG
+	PADDD		20*16(SHA256CONSTANTS), MSG
+	SHA256RNDS2	MSG, STATE0, STATE1
+	MOVO		MSGTMP2, MSGTMP4
+	PALIGNR		$4, MSGTMP1, MSGTMP4
+	PADDD		MSGTMP4, MSGTMP3
+	SHA256MSG2	MSGTMP2, MSGTMP3
+	PSHUFD 		$0x0e, MSG, MSG
+	SHA256RNDS2	MSG, STATE1, STATE0
+	SHA256MSG1	MSGTMP2, MSGTMP1
+
+	// Rounds 44-47.
+	MOVO		MSGTMP3, MSG
+	PADDD		22*16(SHA256CONSTANTS), MSG
+	SHA256RNDS2	MSG, STATE0, STATE1
+	MOVO		MSGTMP3, MSGTMP4
+	PALIGNR		$4, MSGTMP2, MSGTMP4
+	PADDD		MSGTMP4, MSGTMP0
+	SHA256MSG2	MSGTMP3, MSGTMP0
+	PSHUFD 		$0x0e, MSG, MSG
+	SHA256RNDS2	MSG, STATE1, STATE0
+	SHA256MSG1	MSGTMP3, MSGTMP2
+
+	// Rounds 48-51.
+	MOVO		MSGTMP0, MSG
+	PADDD		24*16(SHA256CONSTANTS), MSG
+	SHA256RNDS2	MSG, STATE0, STATE1
+	MOVO		MSGTMP0, MSGTMP4
+	PALIGNR		$4, MSGTMP3, MSGTMP4
+	PADDD		MSGTMP4, MSGTMP1
+	SHA256MSG2	MSGTMP0, MSGTMP1
+	PSHUFD 		$0x0e, MSG, MSG
+	SHA256RNDS2	MSG, STATE1, STATE0
+	SHA256MSG1	MSGTMP0, MSGTMP3
+
+	// Rounds 52-55.
+	MOVO		MSGTMP1, MSG
+	PADDD		26*16(SHA256CONSTANTS), MSG
+	SHA256RNDS2	MSG, STATE0, STATE1
+	MOVO		MSGTMP1, MSGTMP4
+	PALIGNR		$4, MSGTMP0, MSGTMP4
+	PADDD		MSGTMP4, MSGTMP2
+	SHA256MSG2	MSGTMP1, MSGTMP2
+	PSHUFD 		$0x0e, MSG, MSG
+	SHA256RNDS2	MSG, STATE1, STATE0
+
+	// Rounds 56-59.
+	MOVO		MSGTMP2, MSG
+	PADDD		28*16(SHA256CONSTANTS), MSG
+	SHA256RNDS2	MSG, STATE0, STATE1
+	MOVO		MSGTMP2, MSGTMP4
+	PALIGNR		$4, MSGTMP1, MSGTMP4
+	PADDD		MSGTMP4, MSGTMP3
+	SHA256MSG2	MSGTMP2, MSGTMP3
+	PSHUFD 		$0x0e, MSG, MSG
+	SHA256RNDS2	MSG, STATE1, STATE0
+
+	// Rounds 60-63.
+	MOVO		MSGTMP3, MSG
+	PADDD		30*16(SHA256CONSTANTS), MSG
+	SHA256RNDS2	MSG, STATE0, STATE1
+	PSHUFD 		$0x0e, MSG, MSG
+	SHA256RNDS2	MSG, STATE1, STATE0
+
+	// Mix in previously saved values.
+	PADDD		ABEF_SAVE, STATE0
+	PADDD		CDGH_SAVE, STATE1
+
+	// Check if we need to process another block.
+	ADDQ		$64, SI
+	CMPQ		SI, DI
+	JB		loop
+
+	// Write hash values back in the correct order. This is the
+	// inverse of what was done in the setup.
+	// Shuffle ABEF -> FEBA
+	PSHUFD		$0x1b, STATE0, STATE0
+	// Shuffle CDGH -> DCHG
+	PSHUFD		$0xb1, STATE1, STATE1
+	MOVO		STATE0, MSGTMP0
+
+	// Blend DCGH & FEBA to result in DCBA
+	PBLENDW		$0xf0, STATE1, STATE0
+	// Shift FEBA into DCGH to result in GHFE
+	PALIGNR		$8, MSGTMP0, STATE1
+
+	// Update digest.
+	MOVOU		STATE0, (CX)
+	MOVOU		STATE1, 16(CX)
+end:
+	RET
