From 300c6315d2e644ae81b43fa2dd7bbf68b3afb5b2 Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Thu, 18 Nov 2021 19:02:03 +0100
Subject: [PATCH 1/2] accelerated: fix CPU feature detection for Intel CPUs

This fixes read_cpuid_vals to correctly read the CPUID quadruple, as
well as to set the bit the ustream CRYPTOGAMS uses to identify Intel
CPUs.

Suggested by Rafael Gieschke in:
https://gitlab.com/gnutls/gnutls/-/issues/1282

Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
 lib/accelerated/x86/x86-common.c | 91 +++++++++++++++++++++++++-------
 1 file changed, 71 insertions(+), 20 deletions(-)

diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c
index 3845c6b4c9..cf615ef24f 100644
--- a/lib/accelerated/x86/x86-common.c
+++ b/lib/accelerated/x86/x86-common.c
@@ -81,15 +81,38 @@ unsigned int _gnutls_x86_cpuid_s[4];
 # define bit_AVX 0x10000000
 #endif
 
-#ifndef OSXSAVE_MASK
-/* OSXSAVE|FMA|MOVBE */
-# define OSXSAVE_MASK (0x8000000|0x1000|0x400000)
+#ifndef bit_AVX2
+# define bit_AVX2 0x00000020
+#endif
+
+#ifndef bit_AVX512F
+# define bit_AVX512F 0x00010000
+#endif
+
+#ifndef bit_AVX512IFMA
+# define bit_AVX512IFMA 0x00200000
+#endif
+
+#ifndef bit_AVX512BW
+# define bit_AVX512BW 0x40000000
+#endif
+
+#ifndef bit_AVX512VL
+# define bit_AVX512VL 0x80000000
+#endif
+
+#ifndef bit_OSXSAVE
+# define bit_OSXSAVE 0x8000000
 #endif
 
 #ifndef bit_MOVBE
 # define bit_MOVBE 0x00400000
 #endif
 
+#ifndef OSXSAVE_MASK
+# define OSXSAVE_MASK (bit_OSXSAVE|bit_MOVBE)
+#endif
+
 #define via_bit_PADLOCK (0x3 << 6)
 #define via_bit_PADLOCK_PHE (0x3 << 10)
 #define via_bit_PADLOCK_PHE_SHA512 (0x3 << 25)
@@ -127,7 +150,7 @@ static unsigned read_cpuid_vals(unsigned int vals[4])
 	unsigned t1, t2, t3;
 	vals[0] = vals[1] = vals[2] = vals[3] = 0;
 
-	if (!__get_cpuid(1, &t1, &vals[0], &vals[1], &t2))
+	if (!__get_cpuid(1, &t1, &t2, &vals[1], &vals[0]))
 		return 0;
 	/* suppress AVX512; it works conditionally on certain CPUs on the original code */
 	vals[1] &= 0xfffff7ff;
@@ -145,7 +168,7 @@ static unsigned check_4th_gen_intel_features(unsigned ecx)
 {
 	uint32_t xcr0;
 
-	if ((ecx & OSXSAVE_MASK) != OSXSAVE_MASK)
+	if ((ecx & bit_OSXSAVE) != bit_OSXSAVE)
 		return 0;
 
 #if defined(_MSC_VER) && !defined(__clang__)
@@ -233,10 +256,7 @@ static unsigned check_sha(void)
 #ifdef ASM_X86_64
 static unsigned check_avx_movbe(void)
 {
-	if (check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1]) == 0)
-		return 0;
-
-	return ((_gnutls_x86_cpuid_s[1] & bit_AVX));
+	return (_gnutls_x86_cpuid_s[1] & bit_AVX);
 }
 
 static unsigned check_pclmul(void)
@@ -514,33 +534,47 @@ void register_x86_padlock_crypto(unsigned capabilities)
 }
 #endif
 
-static unsigned check_intel_or_amd(void)
+enum x86_cpu_vendor {
+	X86_CPU_VENDOR_OTHER,
+	X86_CPU_VENDOR_INTEL,
+	X86_CPU_VENDOR_AMD,
+};
+
+static enum x86_cpu_vendor check_x86_cpu_vendor(void)
 {
 	unsigned int a, b, c, d;
 
-	if (!__get_cpuid(0, &a, &b, &c, &d))
-		return 0;
+	if (!__get_cpuid(0, &a, &b, &c, &d)) {
+		return X86_CPU_VENDOR_OTHER;
+	}
 
-	if ((memcmp(&b, "Genu", 4) == 0 &&
-	     memcmp(&d, "ineI", 4) == 0 &&
-	     memcmp(&c, "ntel", 4) == 0) ||
-	    (memcmp(&b, "Auth", 4) == 0 &&
-	     memcmp(&d, "enti", 4) == 0 && memcmp(&c, "cAMD", 4) == 0)) {
-		return 1;
+	if (memcmp(&b, "Genu", 4) == 0 &&
+	    memcmp(&d, "ineI", 4) == 0 &&
+	    memcmp(&c, "ntel", 4) == 0) {
+		return X86_CPU_VENDOR_INTEL;
 	}
 
-	return 0;
+	if (memcmp(&b, "Auth", 4) == 0 &&
+	    memcmp(&d, "enti", 4) == 0 &&
+	    memcmp(&c, "cAMD", 4) == 0) {
+		return X86_CPU_VENDOR_AMD;
+	}
+
+	return X86_CPU_VENDOR_OTHER;
 }
 
 static
 void register_x86_intel_crypto(unsigned capabilities)
 {
 	int ret;
+	enum x86_cpu_vendor vendor;
 
 	memset(_gnutls_x86_cpuid_s, 0, sizeof(_gnutls_x86_cpuid_s));
 
-	if (check_intel_or_amd() == 0)
+	vendor = check_x86_cpu_vendor();
+	if (vendor == X86_CPU_VENDOR_OTHER) {
 		return;
+	}
 
 	if (capabilities == 0) {
 		if (!read_cpuid_vals(_gnutls_x86_cpuid_s))
@@ -549,6 +583,23 @@ void register_x86_intel_crypto(unsigned capabilities)
 		capabilities_to_intel_cpuid(capabilities);
 	}
 
+	/* CRYPTOGAMS uses the (1 << 30) bit as an indicator of Intel CPUs */
+	if (vendor == X86_CPU_VENDOR_INTEL) {
+		_gnutls_x86_cpuid_s[0] |= 1 << 30;
+	} else {
+		_gnutls_x86_cpuid_s[0] &= ~(1 << 30);
+	}
+
+	if (!check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1])) {
+		_gnutls_x86_cpuid_s[1] &= ~bit_AVX;
+
+		/* Clear AVX2 bits as well, according to what OpenSSL does.
+		 * Should we clear bit_AVX512DQ, bit_AVX512PF, bit_AVX512ER, and
+		 * bit_AVX512CD? */
+		_gnutls_x86_cpuid_s[2] &= ~(bit_AVX2|bit_AVX512F|bit_AVX512IFMA|
+					    bit_AVX512BW|bit_AVX512BW);
+	}
+
 	if (check_ssse3()) {
 		_gnutls_debug_log("Intel SSSE3 was detected\n");
 
-- 
2.37.3


From cd509dac9e6d1bf76fd12c72c1fd61f1708c254a Mon Sep 17 00:00:00 2001
From: Daiki Ueno <ueno@gnu.org>
Date: Mon, 15 Aug 2022 09:39:18 +0900
Subject: [PATCH 2/2] accelerated: clear AVX bits if it cannot be queried
 through XSAVE
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The algorithm to detect AVX is described in 14.3 of "Intel® 64 and IA-32
Architectures Software Developer’s Manual".

GnuTLS previously only followed that algorithm when registering the
crypto backend, while the CRYPTOGAMS derived SHA code assembly expects
that the extension bits are propagated to _gnutls_x86_cpuid_s.

Signed-off-by: Daiki Ueno <ueno@gnu.org>
---
 lib/accelerated/x86/x86-common.c | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/lib/accelerated/x86/x86-common.c b/lib/accelerated/x86/x86-common.c
index cf615ef24f..655d0c65f2 100644
--- a/lib/accelerated/x86/x86-common.c
+++ b/lib/accelerated/x86/x86-common.c
@@ -210,7 +210,8 @@ static void capabilities_to_intel_cpuid(unsigned capabilities)
 	}
 
 	if (capabilities & INTEL_AVX) {
-		if ((a[1] & bit_AVX) && check_4th_gen_intel_features(a[1])) {
+		if ((a[1] & bit_AVX) && (a[1] & bit_MOVBE) &&
+		    check_4th_gen_intel_features(a[1])) {
 			_gnutls_x86_cpuid_s[1] |= bit_AVX|bit_MOVBE;
 		} else {
 			_gnutls_debug_log
@@ -256,7 +257,7 @@ static unsigned check_sha(void)
 #ifdef ASM_X86_64
 static unsigned check_avx_movbe(void)
 {
-	return (_gnutls_x86_cpuid_s[1] & bit_AVX);
+	return (_gnutls_x86_cpuid_s[1] & (bit_AVX|bit_MOVBE)) == (bit_AVX|bit_MOVBE);
 }
 
 static unsigned check_pclmul(void)
@@ -579,6 +580,19 @@ void register_x86_intel_crypto(unsigned capabilities)
 	if (capabilities == 0) {
 		if (!read_cpuid_vals(_gnutls_x86_cpuid_s))
 			return;
+		if (!check_4th_gen_intel_features(_gnutls_x86_cpuid_s[1])) {
+			_gnutls_x86_cpuid_s[1] &= ~bit_AVX;
+
+			/* Clear AVX2 bits as well, according to what
+			 * OpenSSL does.  Should we clear
+			 * bit_AVX512DQ, bit_AVX512PF, bit_AVX512ER,
+			 * and bit_AVX512CD? */
+			_gnutls_x86_cpuid_s[2] &= ~(bit_AVX2|
+						    bit_AVX512F|
+						    bit_AVX512IFMA|
+						    bit_AVX512BW|
+						    bit_AVX512BW);
+		}
 	} else {
 		capabilities_to_intel_cpuid(capabilities);
 	}
-- 
2.37.3