Armv8.1-M: Add CFI directives for stack unwinding

mkannwischer · mkannwischer · commit a34c79833980 · 2026-04-20T15:02:40.000+08:00
Ports pq-code-package/mlkem-native#1558 Signed-off-by: Matthias J. Kannwischer <matthias@zerorisc.com>
diff --git a/dev/fips202/armv81m/src/keccak_f1600_x4_mve.S b/dev/fips202/armv81m/src/keccak_f1600_x4_mve.S
@@ -7,15 +7,15 @@
 
 /*yaml
   Name: keccak_f1600_x4_mve_asm
-  Description: Armv8.1-M MVE implementation of 4-way parallel Keccak-f[1600] permutation using bit-interleaved state
+  Description: Armv8.1-M MVE implementation of batched (x4) Keccak-f[1600] permutation using bit-interleaved state
   Signature: void mld_keccak_f1600_x4_mve_asm(void *state, void *tmpstate, const uint32_t *rc)
   ABI:
     r0:
       type: buffer
       size_bytes: 800
       permissions: read/write
       c_parameter: void *state
-      description: Four bit-interleaved Keccak states (low halves followed by high halves)
+      description: Bit-interleaved state for 4 Keccak instances (even halves followed by odd halves)
     r1:
       type: buffer
       size_bytes: 800
@@ -29,10 +29,40 @@
       c_parameter: const uint32_t *rc
       description: Keccak round constants in bit-interleaved form (24 pairs of 32-bit words)
   Stack:
-    bytes: 236
-    description: register preservation (44) + SIMD registers (64) + temporary storage (128)
+    bytes: 228
+    description: register preservation (36) + SIMD registers (64) + temporary storage (128)
 */
 
+// ---------------------------------------------------------------------------
+// Bit-interleaving background
+// ---------------------------------------------------------------------------
+// Each 64-bit Keccak lane is stored as two 32-bit words:
+//   even half -- bits 0, 2, 4, ..., 62 of the lane
+//   odd half  -- bits 1, 3, 5, ..., 63 of the lane
+// This representation allows 64-bit lane rotations (used in the Keccak
+// round function) to be implemented as pairs of 32-bit rotations.
+//
+// Batched (x4) processing:
+//   Four Keccak instances are processed as a batch.  Their states are
+//   stored interleaved in a single 800-byte buffer: first the even
+//   halves of all 25 lanes (400 bytes), then the odd halves (400 bytes).
+//   Within each 16-byte row, the four u32 words correspond to
+//   instances 0..3 of the same lane, enabling SIMD-parallel operations
+//   across all four instances.
+//
+// State memory layout (25 lanes x 4 instances x 2 halves):
+//   S[i][l]_even/odd = even/odd half of lane l, instance i  (u32)
+//   Each row is 16 bytes (one Q-register).
+//   Offset  Contents
+//     0     S[0][ 0]_even, S[1][ 0]_even, S[2][ 0]_even, S[3][ 0]_even
+//    16     S[0][ 1]_even, S[1][ 1]_even, S[2][ 1]_even, S[3][ 1]_even
+//    ...
+//   384     S[0][24]_even, S[1][24]_even, S[2][24]_even, S[3][24]_even
+//   400     S[0][ 0]_odd,  S[1][ 0]_odd,  S[2][ 0]_odd,  S[3][ 0]_odd
+//   416     S[0][ 1]_odd,  S[1][ 1]_odd,  S[2][ 1]_odd,  S[3][ 1]_odd
+//    ...
+//   784     S[0][24]_odd,  S[1][24]_odd,  S[2][24]_odd,  S[3][24]_odd
+
 #include "../../../../common.h"
 #if defined(MLD_FIPS202_ARMV81M_NEED_X4) && \
     !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED)
@@ -426,12 +456,12 @@ qA20_l .req q2
 .endm
 
 .text
-.balign 8
+.balign 4
 .type MLD_ASM_NAMESPACE(keccak_f1600_x4_mve_asm), %function
 .global MLD_ASM_NAMESPACE(keccak_f1600_x4_mve_asm)
 MLD_ASM_FN_SYMBOL(keccak_f1600_x4_mve_asm)
 
-    push {r3,r4,r5,r6,r7,r8,r9,r10,r11,r12,lr}
+    push {r4,r5,r6,r7,r8,r9,r10,r11,lr}
     vpush {d8-d15}
     sub sp, #8*16
 
diff --git a/mldsa/src/fips202/native/armv81m/src/keccak_f1600_x4_mve.S b/mldsa/src/fips202/native/armv81m/src/keccak_f1600_x4_mve.S
@@ -7,15 +7,15 @@
 
 /*yaml
   Name: keccak_f1600_x4_mve_asm
-  Description: Armv8.1-M MVE implementation of 4-way parallel Keccak-f[1600] permutation using bit-interleaved state
+  Description: Armv8.1-M MVE implementation of batched (x4) Keccak-f[1600] permutation using bit-interleaved state
   Signature: void mld_keccak_f1600_x4_mve_asm(void *state, void *tmpstate, const uint32_t *rc)
   ABI:
     r0:
       type: buffer
       size_bytes: 800
       permissions: read/write
       c_parameter: void *state
-      description: Four bit-interleaved Keccak states (low halves followed by high halves)
+      description: Bit-interleaved state for 4 Keccak instances (even halves followed by odd halves)
     r1:
       type: buffer
       size_bytes: 800
@@ -29,10 +29,40 @@
       c_parameter: const uint32_t *rc
       description: Keccak round constants in bit-interleaved form (24 pairs of 32-bit words)
   Stack:
-    bytes: 236
-    description: register preservation (44) + SIMD registers (64) + temporary storage (128)
+    bytes: 228
+    description: register preservation (36) + SIMD registers (64) + temporary storage (128)
 */
 
+// ---------------------------------------------------------------------------
+// Bit-interleaving background
+// ---------------------------------------------------------------------------
+// Each 64-bit Keccak lane is stored as two 32-bit words:
+//   even half -- bits 0, 2, 4, ..., 62 of the lane
+//   odd half  -- bits 1, 3, 5, ..., 63 of the lane
+// This representation allows 64-bit lane rotations (used in the Keccak
+// round function) to be implemented as pairs of 32-bit rotations.
+//
+// Batched (x4) processing:
+//   Four Keccak instances are processed as a batch.  Their states are
+//   stored interleaved in a single 800-byte buffer: first the even
+//   halves of all 25 lanes (400 bytes), then the odd halves (400 bytes).
+//   Within each 16-byte row, the four u32 words correspond to
+//   instances 0..3 of the same lane, enabling SIMD-parallel operations
+//   across all four instances.
+//
+// State memory layout (25 lanes x 4 instances x 2 halves):
+//   S[i][l]_even/odd = even/odd half of lane l, instance i  (u32)
+//   Each row is 16 bytes (one Q-register).
+//   Offset  Contents
+//     0     S[0][ 0]_even, S[1][ 0]_even, S[2][ 0]_even, S[3][ 0]_even
+//    16     S[0][ 1]_even, S[1][ 1]_even, S[2][ 1]_even, S[3][ 1]_even
+//    ...
+//   384     S[0][24]_even, S[1][24]_even, S[2][24]_even, S[3][24]_even
+//   400     S[0][ 0]_odd,  S[1][ 0]_odd,  S[2][ 0]_odd,  S[3][ 0]_odd
+//   416     S[0][ 1]_odd,  S[1][ 1]_odd,  S[2][ 1]_odd,  S[3][ 1]_odd
+//    ...
+//   784     S[0][24]_odd,  S[1][24]_odd,  S[2][24]_odd,  S[3][24]_odd
+
 #include "../../../../common.h"
 #if defined(MLD_FIPS202_ARMV81M_NEED_X4) && \
     !defined(MLD_CONFIG_MULTILEVEL_NO_SHARED)
@@ -50,9 +80,30 @@
 .global MLD_ASM_NAMESPACE(keccak_f1600_x4_mve_asm)
 MLD_ASM_FN_SYMBOL(keccak_f1600_x4_mve_asm)
 
-        push.w	{r3, r4, r5, r6, r7, r8, r9, r10, r11, r12, lr}
+        .cfi_startproc
+        push.w	{r4, r5, r6, r7, r8, r9, r10, r11, lr}
+        .cfi_adjust_cfa_offset 0x24
+        .cfi_rel_offset r4, 0x0
+        .cfi_rel_offset r5, 0x4
+        .cfi_rel_offset r6, 0x8
+        .cfi_rel_offset r7, 0xc
+        .cfi_rel_offset r8, 0x10
+        .cfi_rel_offset r9, 0x14
+        .cfi_rel_offset r10, 0x18
+        .cfi_rel_offset r11, 0x1c
+        .cfi_rel_offset lr, 0x20
         vpush	{d8, d9, d10, d11, d12, d13, d14, d15}
+        .cfi_adjust_cfa_offset 0x40
+        .cfi_rel_offset d8, 0x0
+        .cfi_rel_offset d9, 0x8
+        .cfi_rel_offset d10, 0x10
+        .cfi_rel_offset d11, 0x18
+        .cfi_rel_offset d12, 0x20
+        .cfi_rel_offset d13, 0x28
+        .cfi_rel_offset d14, 0x30
+        .cfi_rel_offset d15, 0x38
         sub	sp, #0x80
+        .cfi_adjust_cfa_offset 0x80
         mov	r6, r2
         mov.w	lr, #0x18
         mov	r2, r0
@@ -61,9 +112,9 @@ MLD_ASM_FN_SYMBOL(keccak_f1600_x4_mve_asm)
         vldrw.u32	q0, [r3]
         vldrw.u32	q1, [r2]
         vldrw.u32	q2, [r2, #32]
-        wls	lr, lr, keccak_f1600_x4_mve_asm_roundend @ imm = #0x8c0
+        wls	lr, lr, Lkeccak_f1600_x4_mve_asm_roundend @ imm = #0x8c0
 
-keccak_f1600_x4_mve_asm_roundstart:
+Lkeccak_f1600_x4_mve_asm_roundstart:
         vldrw.u32	q6, [r2, #112]
         veor	q7, q6, q2
         vldrw.u32	q2, [r2, #80]
@@ -624,13 +675,34 @@ keccak_f1600_x4_mve_asm_roundstart:
         veor	q0, q4, q6
         vstrw.32	q0, [r5]
 
-keccak_f1600_x4_mve_asm_roundend_pre:
-        le	lr, keccak_f1600_x4_mve_asm_roundstart @ imm = #-0x8c0
+Lkeccak_f1600_x4_mve_asm_roundend_pre:
+        le	lr, Lkeccak_f1600_x4_mve_asm_roundstart @ imm = #-0x8c0
 
-keccak_f1600_x4_mve_asm_roundend:
+Lkeccak_f1600_x4_mve_asm_roundend:
         add	sp, #0x80
+        .cfi_adjust_cfa_offset -0x80
         vpop	{d8, d9, d10, d11, d12, d13, d14, d15}
+        .cfi_restore d8
+        .cfi_restore d9
+        .cfi_restore d10
+        .cfi_restore d11
+        .cfi_restore d12
+        .cfi_restore d13
+        .cfi_restore d14
+        .cfi_restore d15
+        .cfi_adjust_cfa_offset -0x40
         pop.w	{r3, r4, r5, r6, r7, r8, r9, r10, r11, r12, pc}
+        .cfi_restore r4
+        .cfi_restore r5
+        .cfi_restore r6
+        .cfi_restore r7
+        .cfi_restore r8
+        .cfi_restore r9
+        .cfi_restore r10
+        .cfi_restore r11
+        .cfi_restore lr
+        .cfi_adjust_cfa_offset -0x2c
+        .cfi_endproc
         nop
 
 MLD_ASM_FN_SIZE(keccak_f1600_x4_mve_asm)
diff --git a/scripts/autogen b/scripts/autogen
@@ -2312,9 +2312,7 @@ def update_via_simpasm(
                 "-o",
                 tmp.name,
             ]
-            # TODO: Support CFI for Armv8.1-M
-            if arch != "armv81m":
-                cmd += ["--cfify"]
+            cmd += ["--cfify"]
             if cross_prefix is not None:
                 # Stick with llvm-objdump for disassembly
                 cmd += ["--cc", cross_prefix + "gcc"]
diff --git a/scripts/cfify b/scripts/cfify
