crypto: arm64/sha1-ce - get rid of literal pool
authorArd Biesheuvel <ard.biesheuvel@linaro.org>
Wed, 10 Jan 2018 12:11:42 +0000 (12:11 +0000)
committerHerbert Xu <herbert@gondor.apana.org.au>
Thu, 18 Jan 2018 12:00:33 +0000 (23:00 +1100)
Load the four SHA-1 round constants using immediates rather than literal
pool entries, to avoid having executable data that may be exploitable
under speculation attacks.

Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
arch/arm64/crypto/sha1-ce-core.S

index 8550408735a03e6657a994e3b0961d632b444818..46049850727de821b516a5a12f12a195d460f091 100644 (file)
        sha1su1         v\s0\().4s, v\s3\().4s
        .endm
 
-       /*
-        * The SHA1 round constants
-        */
-       .align          4
-.Lsha1_rcon:
-       .word           0x5a827999, 0x6ed9eba1, 0x8f1bbcdc, 0xca62c1d6
+       .macro          loadrc, k, val, tmp
+       movz            \tmp, :abs_g0_nc:\val
+       movk            \tmp, :abs_g1:\val
+       dup             \k, \tmp
+       .endm
 
        /*
         * void sha1_ce_transform(struct sha1_ce_state *sst, u8 const *src,
         */
 ENTRY(sha1_ce_transform)
        /* load round constants */
-       adr             x6, .Lsha1_rcon
-       ld1r            {k0.4s}, [x6], #4
-       ld1r            {k1.4s}, [x6], #4
-       ld1r            {k2.4s}, [x6], #4
-       ld1r            {k3.4s}, [x6]
+       loadrc          k0.4s, 0x5a827999, w6
+       loadrc          k1.4s, 0x6ed9eba1, w6
+       loadrc          k2.4s, 0x8f1bbcdc, w6
+       loadrc          k3.4s, 0xca62c1d6, w6
 
        /* load state */
        ld1             {dgav.4s}, [x0]
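Review bot: The new `loadrc` macro has no comment, so the reason the round constants are built with `movz`/`movk` instead of being loaded from memory is recorded only in the commit message. A later cleanup could reintroduce a `.word` table or an `ldr =` literal in the text section without noticing. A comment above the macro would pin the intent, for example `/* Build the 32-bit constant \val from immediates and replicate it into every lane of \k; deliberately avoids a literal pool so no constant data sits in the executable section. */`. It would also help to note the operand contract the call sites rely on: `\val` fits in 32 bits (only the g0 and g1 halves are written) and `\tmp` is a w-register matching the `.4s` destination. The body of sha1_ce_transform continues past the end of the second hunk.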