Adding a runtime dis/enabler of DIT Capability on AArch64.

[nebeid]

Issues:

Addresses #CryptoAlg-2503

Description of changes:

• Provide runtime functions that mask out (and back in) the DIT CPU capability by clearing (setting) an additional bit in OPENSSL_armcap_P. This mechanism was chosen for the following reasons:

  • It does not require an additional global variable.
  • It avoids extra checks on the path of setting/resetting the DIT bit.
  • It avoids re-evaluating the CPU capability if we were to clear the DIT capability bit itself. That latter bit is now left intact.
    There were write locks added around changing OPENSSL_armcap_P. However, Thread Sanitizer warned about data race possibilities when trying to run a test with concurrent threads where one disables DIT at runtime and the other tries to check for the capability. Therefore, they are documented with a warning to use them only in initialization contexts.

• Make the DIT functions (enable/disable and set/restore) available regardless of whether the build flag DENABLE_DATA_INDEPENDENT_TIMING_AARCH64=ON was used or not.

  • If the build flag was not used, then the DIT flag is not set and reset with every function and the instructions used for setting it and resetting after checking the capability are omitted and don't incur extra cost.
  • The user now has the choice, regardless of the build flag, to place armv8_set/restore_dit in the user's code.

Call-outs:

• The (external) API armv8_enable_dit is renamed to armv8_set_dit.
• armv8_enable_dit now means enable back the capability at runtime.

Testing:

• The new functions armv8_disable_dit() and arm_enable_dit() were placed in Speed(), the benchmarking function, and their effects were confirmed on Apple M2.
• There are also thread tests to confirm that the CPU DIT bit is context-switched at the thread level. The runtime dis/enabler is at the process scope because it manipulates OPENSSL_armcap_P.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 78.43%. Comparing base (7090b90) to head (434e11e).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #1783      +/-   ##
==========================================
- Coverage   78.46%   78.43%   -0.03%     
==========================================
  Files         585      585              
  Lines       99457    99457              
  Branches    14236    14237       +1     
==========================================
- Hits        78038    78013      -25     
- Misses      20784    20805      +21     
- Partials      635      639       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[WillChilds-Klein]

I see changes to cpu_aarch64_linux.c and cpu_aarch64_apple.c. do we need to udpate cpu_aarch64_win.c as well?

[WillChilds-Klein]

why do we need this call?

[WillChilds-Klein]

what happens if this flag is set on non-aarch64 platform?

[WillChilds-Klein]

this indicates that DIT is supported on the current CPU, right? if so, suggest making the name more descriptive like ARMV8_DIT_SUPPORTED

[WillChilds-Klein]

which DIT flag? we have two now.

[WillChilds-Klein]

do we need to make the caller track this? can we store it ourselves as a thread-local variable?

[justsmth]

IMO, armv8_set_dit and armv8_restore_dit should be internal-only implementation details. They shouldn't be declared in this file. Consumers use-cases can be handled by armv8_disable_dit and armv8_enable_dit.

[WillChilds-Klein]

Suggested change

	if (*original_dit != 1 && CRYPTO_is_ARMv8_DIT_capable()) {
	if (original_dit != NULL && *original_dit != 1 && CRYPTO_is_ARMv8_DIT_capable()) {

[WillChilds-Klein]

here and for armv8_enable_dit, is this operation thread-safe? not sure what the HIDDEN macro expands to, but it's not clear that OPENSSL_armcap_P is thread-local.

[torben-hansen]

OPENSSL_armcap_P is a global variable of type uint32_t which is shared a cross the entire address space.

Firstly, since the memory is shared it doesn't allow a thread to control whether it wants to enable DIT mode or not; its choice can be overwritten by any other thread.

Secondly, multiple writes/reads can now occur concurrently on OPENSSL_armcap_P since it's mostly just referenced directly and there therefore aren't any synchonisation. This was fine because it was only really readable after the initial construction of the memory content (the initialisation of the arm capability vector). This PR breaks that assumption.

Finally, is this a "threading issue". Well, yes and no. One thread can read the value while another writes to it. The writing operation only mutate a single byte of the 32-bit value. So, the value when read is either the bit set or not. It won't be a bogus value. So, no. On the other hand, from the first point I made above, any thread can mutate the value. So one thread can enable, while another immediately afterwards can disable the DIT. But that might just be what we can build - DIT is a process global CPU control no?

I think we weakly considered OPENSSL_armcap_P nominally const after the initial initialisation. It might not be the ideal memory to store this information.

[WillChilds-Klein]

from the first point I made above, any thread can mutate the value. So one thread can enable, while another immediately afterwards can disable the DIT.

yes, this is my concern.

But that might just be what we can build - DIT is a process global CPU control no?

My understanding from nevine's description is that it can be configured per-thread. I suppose we could leave it up to the caller to not call these functions from >1 thread, and document this limitation very clearly. I don't think this would be an issue for ACCP, as we'd just set or unset DIT once on initialization, but it could be a concern for other consumers.