Closed
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #2096 +/- ##
==========================================
+ Coverage 78.75% 78.93% +0.18%
==========================================
Files 598 610 +12
Lines 103657 105195 +1538
Branches 14720 14908 +188
==========================================
+ Hits 81637 83039 +1402
- Misses 21368 21503 +135
- Partials 652 653 +1 ☔ View full report in Codecov by Sentry. |
nebeid
reviewed
Jan 8, 2025
Contributor
Author
|
PAUSE on this PR. Removing flag in #2105 |
andrewhop
pushed a commit
that referenced
this pull request
Feb 11, 2025
…errors (#2177) ### Issues: Resolves CI failures around delocator in #2175 ### Description of changes: The FIPS static builds for ARM are failing CI: ``` [57%] Building ASM object crypto/fipsmodule/CMakeFiles/bcm_hashunset.dir/bcm-delocated.S.o bcm.c: Assembler messages: bcm.c:125130: Error: shift expression expected at operand 2 -- movi v4.4s,0xf,.Lbcm_redirector_msl,8' bcm.c:125133: Error: shift expression expected at operand 2 -- mvni v3.4s,0x1f,.Lbcm_redirector_msl,8' bcm.c:130233: Error: shift expression expected at operand 2 -- movi v4.4s,0xf,.Lbcm_redirector_msl,8' bcm.c:130236: Error: shift expression expected at operand 2 -- mvni v3.4s,0x1f,.Lbcm_redirector_msl,8' bcm.c:190061: Error: shift expression expected at operand 2 -- movi v4.4s,0xf,.Lbcm_redirector_msl,8' bcm.c:190064: Error: shift expression expected at operand 2 -- mvni v3.4s,0x1f,.Lbcm_redirector_msl,8' bcm.c:206492: Error: shift expression expected at operand 2 -- movi v4.4s,0xf,.Lbcm_redirector_msl,8' bcm.c:206495: Error: shift expression expected at operand 2 -- mvni v3.4s,0x1f,.Lbcm_redirector_msl,8' ``` This was discussed back in #2096 but not merged due to the PR being closed. The Arm instruction has a special argument `msl` (https://developer.arm.com/documentation/100069/0606/SIMD-Vector-Instructions/MOVI--vector-). The delocator is intepreting `msl` as a function (or global symbol). Since it’s not defined in the fipsmodule, it creates a jump function `bcm_redirector_msl` outside the fipsmodule that removes a potential relocation. The suffix of `bcm_redirector_msl` is the original token, which matches `msl`. We fix by adding `msl` to the list of `ARMConstantTweak` and regenerate the `delocate.peg.go` file. After testing this fix, I begin to see a second error in `amazonlinux2023_clang15x_aarch_fips`: ``` [339/575] Generating bcm-delocated.S FAILED: crypto/fipsmodule/bcm-delocated.S /codebuild/output/src1965601223/src/github.com/aws/aws-lc/test_build_dir/crypto/fipsmodule/bcm-delocated.S panic: Symbol reference outside of ldr instruction [recovered] panic: error while processing "\tldrsw\tx9, [x9, :lo12:ml_dsa_zetas+4]\n" on line 120399: "Symbol reference outside of ldr instruction" ``` It seems that `ldrsw` is not recognised as `ldr`. We already have `ldrsw` in our code, so we extend the delocate.go to accept `ldrsw` in addition to `ldr`. ### Call-outs: Unblocks progress on work in the FIPS module, such as ED25519 and ML-DSA. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Issues:
It's time. (also we need to do this to add ML-DSA to the FIPS module)
Description of changes:
enable_dilithiumflagCall-outs:
Removing the flag has little consequence -- other than it makes the APIs we expose in
include/openssl/evp.hthat much more "final". We should consider how much we like them before we commit to them. We made a point to refer to asymmetric keypairs as public and private keys, rather than public and secret keys -- but there is inconsistency withEVP_PKEY_kem_new_raw_secret_key. After internal discussions, we'd also like to change the name ofEVP_PKEY_kem_new_raw_public_keyandEVP_PKEY_kem_new_raw_secret_keytoEVP_PKEY_kem_new_raw_encapsulation_keyandEVP_PKEY_kem_new_raw_decapsulation_keyto match the names within FIPS 203. Thus, we should stick withprivate.We did consider the use of an experimental flag (by using the OPENSSL_DEPRECATED alias), but, this seems a little over the top. Alternatively, we could place the EVP APIs in
include/openssl/experimental/. The arguments ofEVP_PKEY_pqdsa_new_raw_secret_key,EVP_PKEY_pqdsa_new_raw_public_key, andEVP_PKEY_CTX_pqdsa_set_paramsare stable and consistant withKEMandECvariants (see EVP_PKEY_CTX_kem_set_params, EVP_PKEY_CTX_set_dh_paramgen_prime_len, and EVP_PKEY_CTX_set_ec_param_enc, EVP_PKEY_new_raw_private_key, EVP_PKEY_new_raw_public_key, EVP_PKEY_kem_new_raw_public_key).By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.