Add runtime detection module

[yuhaoth]

Description

This is a demo implementation for #7004 with Arm64 AES implementation.

Preceding-PR : #7384

This is the first step for runtime detection if #7004 got approved.

We will only add runtime detection module in this PR and replace relative code in AES modules. Other part should be replace in next PRs.

I prefer follow bellow ruler.

• Compiler check and CPU modifiers should be put in accelerator module.
• Config option checks should be put in runtime.h.
• MBEDTLS_RUNTIME_HAVE_CODE will be enabled in runtime.h
  • Any algorithm module has there own option for runtime detection. like MBEDTLS_AES_RUNTIME_HAVE_CODE
  • if any algorithm module enable runtime detection, MBEDTLS_RUNTIME_HAVE_CODE will be enabled.

Gatekeeper checklist

• changelog provided, or not required
• backport done, or not required
• tests provided, or not required

Notes for the submitter

Please refer to the contributing guidelines, especially the
checklist for PR contributors.

[uncleasm]

There's nothing particularly wrong here, but reducing from uint8x16x3_t has 2-3x better throughput as follows:

uint8x16x3_t ghash_mult_128(uint8x16_t a, uint8x16_t b) {
      uint8x16x3_t ret;
      uint8x16_t c = vextq_u8(b, b);
      ret.val[1] = pmull_low(a,c);
      ret.val[0] = pmull_high(a,b);
      ret.val[2] = pmull_low(a,b);
      ret.val[1] = veorq_u8(ret.val[1], pmull_low(a,c));
      return ret;
}

uint8x16_t gmul_reduce(uint8x16x3_t a) {
    uint8x16_t const Z = vdupq_n_u8(0);
    // use 'asm' as an optimisation barrier to prevent loading R from memory
    uint64x2_t r = vreinterpretq_u64_u8(vdupq_n_u8(0x87));
    asm("" : "+w"(r));
    uint8x16_t const R = vreinterpretq_u8_u64(vshrq_n_u64(r, 64 - 8));
    uint8x16_t d = a.val[0];                //     d3:d2:00:00
    uint8x16_t j = a.val[1];                //        j2:j1
    uint8x16_t g = a.val[2];                //           g1:g0
    uint8x16_t h = pmull_high(d, R);        //        h2:h1     = reduction of d3
    uint8x16_t i = pmull_low(d, R);         //           i1:i0  = reduction of d2
    uint8x16_t k = veorq_u8(j, h);          //        k2:k1     = a0*b1 + a1*b0 + h2:h1
    uint8x16_t l = pmull_high(k, R);        //           l1:l0  = reduction of k2
    uint8x16_t m = vextq_u8(Z, k, 8);       //           m1:00  = k1:00
    uint8x16_t n = veorq_u8(g, i);          //           n1:n0  = a0*b0 + reduction of d2
    uint8x16_t o = veorq_u8(n, l);          //           o1:o0
    uint8x16_t p = veorq_u8(o, m);          //           o1:o0
    return p;
}

There's no need to shift/combine the middle partial product to the high and low (this is also beneficial with Aggregated Reduction Method (or postponed reduction, multiplying with different powers of H)).
Fewer shifts means hugely reduced dependency chain and more parallelism (I measured about 3x better throughput with this method on M1, and 2x better on a very old Nokia Android One phone).
As a general comment, I'm glad that this library is being optimised.

[yuhaoth]

Will change it in #6918. thanks @uncleasm

[gilles-peskine-arm]

I don't think including asm/hwcap.h is right. And since you're defining and using MBEDTLS_HWCAP_xxx constants manually, I don't think this header is used at all. I think we should use the system HWCAP_xxx if present though.

[yuhaoth]

Will remove <asm/hwcap.h.

And I do not think we should use the system HWCAP_* if present.

[yuhaoth]

Some thing has been changed from last review.

• The module is renamed to cpuid
• MBEDTLS_RUNTIME_HAVE_CODE is removed and add conditional build in cpuid.c due to CI failure.

Beside that, some issue should be resolve in future.

• bn_mul.h : 1) replace architecture detection macros 2) if the module need CPU feature detection.
• Should we add generic arm64 CPU feature detection ? detect with sys register or illegal instruction signal.
• AESCE is available on A32 and T32 states, it should be enabled for the CPU states( see section F2.13.11of Arm® Architecture Reference Manual for A-profile architecture)