On Wed, 10 Dec 2025 at 18:22, Diederik de Haas <diederik@cknow-tech.com> wrote:
> On Tue Dec 9, 2025 at 11:34 PM CET, Eric Biggers wrote:
> > Commit 9a7c987fb92b ("crypto: arm64/ghash - Use API partial block handling") made ghash_finup() pass the wrong buffer to ghash_do_simd_update(). As a result, ghash-neon now produces incorrect outputs when the message length isn't divisible by 16 bytes. Fix this.
>
> I was hoping to not have to do a 'git bisect', but this is much better :-D I can confirm that this patch fixes the error I was seeing, so
> Tested-by: Diederik de Haas <diederik@cknow-tech.com>
>
> > (I didn't notice this earlier because this code is reached only on CPUs that support NEON but not PMULL. I haven't yet found a way to get qemu-system-aarch64 to emulate that configuration.)
>
> https://www.qemu.org/docs/master/system/arm/raspi.html indicates it can emulate various Raspberry Pi models. I've only tested it with RPi 3B+ (bc of its wifi+bt chip), but I wouldn't be surprised if all RPi models would have this problem? Dunno if QEMU emulates that though.

All 64-bit RPi models except the RPi5 are affected by this, as those do not implement the crypto extensions. So I would expect QEMU to do the same.
It would be nice, though, if we could emulate this on the mach-virt machine model too. It should be fairly trivial to do, so if there is demand for this I can look into it.
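
A quick way to tell whether a given arm64 machine is in the configuration discussed in this thread (NEON without PMULL), as an added example that is not part of the original messages or the kernel tree. It assumes the standard arm64 `/proc/cpuinfo` feature names `asimd` (NEON) and `pmull`; the function names and the two sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Classify an arm64 cpuinfo dump read from stdin:
#   pmull     - PMULL present, so the NEON-only GHASH path is not the one in use
#   neon-only - NEON (asimd) without PMULL: the configuration the thread describes
#   no-neon   - no asimd flag found (or not an arm64 cpuinfo at all)
classify_ghash_path() {
    # Extract the first "Features" line; arm64 reports the same hwcaps per CPU.
    feats=$(sed -n '/^Features[[:space:]]*:/{s/^Features[[:space:]]*:[[:space:]]*//p;q;}')
    # Pad with spaces so flags match as whole words only.
    case " $feats " in
        *" pmull "*) echo "pmull" ;;
        *" asimd "*) echo "neon-only" ;;
        *)           echo "no-neon" ;;
    esac
}

# Constructed sample: a core without the crypto extensions.
sample_neon_only() {
    cat <<'EOF'
processor   : 0
Features    : fp asimd evtstrm crc32 cpuid
CPU part    : 0xd03
EOF
}

# Constructed sample: a core with the crypto extensions.
sample_with_pmull() {
    cat <<'EOF'
processor   : 0
Features    : fp asimd evtstrm aes pmull sha1 sha2 crc32 cpuid
CPU part    : 0xd0b
EOF
}

echo "sample without crypto extensions: $(sample_neon_only | classify_ghash_path)"
echo "sample with crypto extensions:    $(sample_with_pmull | classify_ghash_path)"
```

On a real host, run `classify_ghash_path < /proc/cpuinfo`.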