Hi Gert


thanks for testing!


That means, doing the computations using regular (not the cryptographic ones) emulated z/Arch instructions on Hercules is roughly three times slower than having the computations done using native (x86) instructions on the host system. Or, the other way round, dyncrypt brings almost a factor 3 performance gain on that specific mix of cryptographic instructions.


It should be noted, that from an OpenSSL point of view, dyncrypt provides "hardware" support similar to specialized instructions like PCLMULQDQ on Intel processors. However, dyncrypt doesn't try to make use of those instructions on the host processor, it is a mere software implementation. Thus, the performance gain basically comes from eliminating the emulation overhead.


One could of course think about making dyncrypt use hardware support if available on the underlying host system. Doing this directly would require lots of checking at configure time and lots of conditional compilation depending on which host architecture is targeted. Or, one could simply interface to OpenSSL as a configuration option, requiring libssl and libcrypto to be available on the host. The latter probably isn't too difficult to do (modulo details), but might easily result in unintended deviations from the POP.


Anyway, given that up to now nobody realized the bugs in dyncrypt and nobody reported performance problems, I think it should suffice to just fix the bugs (which is hard enough ;-).


Cheers
JÃŒrgen


---In hercules-***@yahoogroups.com, <***@...> wrote :


Hello,

A quick test (with the OpenSSL builtin tests) to measure the performance difference between z/Arch and ESAME (= Facility(MSA_EXTENSIONs) enabled or disabled) reveals that

with MSA_EXTENSION facilities (z/arch) = 100
without MSA_EXTENSION facilities (ESAME) = 274

Just a quick test but still indicative I believe.

Regards,
Gert

On 2016-04-24 14:47, ***@... mailto:***@... [hercules-390] wrote:

Hi Gert


thanks for checking this!


So, as expected, this boils down to:
OpenSSL under S/390 Linux uses the z/Arch cryptographic instructions, if they are available. If they are not available, it reverts to its own internal software implementation of the functions provided by these instructions. The latter will for sure come with a performance penalty, which would be interesting to measure on occasion. Given that Hercules' ESAME level disables the z/Arch cryptographic instructions, this can be used to easily force OpenSSL to use its own internal software implementation of the functions provided by these instructions. This can be used as a workaround until the z/Arch cryptographic instructions are fixed such that they provide the results expected by OpenSSL's installation verification tests. One should expect a performance penalty when using this workaround.
I just managed to implement changes to the PCC and KM z/Arch cryptographic instructions that are supposed to fix the problem reported by OpenSSL. This time the changes passed my own test cases . I'll publish the respective patch shortly. Once tested satisfactorily this patch will make the workaround obsolete.


Cheers
JÃŒrgen

---In hercules-***@yahoogroups.com mailto:hercules-***@yahoogroups.com, <***@...> mailto:***@... wrote :


Hello,



On 2016-04-23 11:54, ***@... mailto:***@... [hercules-390] wrote:

Hi Gert


thanks for your reply! At the current stage I think it fully suffices to do exactly what you did: Run the standard tests that come with OpenSSL, i.e. it isn't yet necessary to build a dedicated test case (which doesn't mean that this might not become necessary when digging deeper).


However, the output of your archlvl commands below already gives a nice indication on the behavior of OpenSSL: One sees that the cryptographic instructions are disabled: They hide behind facilities MSA_EXTENSION_n (n being 1 to 4) and MSG_SECURITY. That means, in your Hyperion configuration OpenSSL has to use "its own code" instead of the instructions, which explains why you don't see any errors.


If you like, you could now investigate why the cryptographic instructions are disabled on your system. This would require you to verify that the following #defines are in your feat900.h:


#define FEATURE_MESSAGE_SECURITY_ASSIST
#define FEATURE_MESSAGE_SECURITY_ASSIST_EXTENSION_1
#define FEATURE_MESSAGE_SECURITY_ASSIST_EXTENSION_2
#define FEATURE_MESSAGE_SECURITY_ASSIST_EXTENSION_3
#define FEATURE_MESSAGE_SECURITY_ASSIST_EXTENSION_4

These features are enabled in my feat900.h file but it turns out they were not activated in the running system as I used an old Hercules config file with Archlvl=ESAME

Changing this to z/Arch did enable them (checked with archlvl query all) and sure enough like you predicted the errors were also present in Hyperion.

So for PADE i think we can conclude that for a workaround put ESAME as architecture and the openssl test should pass also on 3.11 with SLES

I guess the difference between z/Arch and ESAME is explained here:

http://hercules-390.github.io/html/hercconf.html#ARCHLVL http://hercules-390.github.io/html/hercconf.html#ARCHLVL


Regards,
Gert

JÃŒrgen ,
Works in 3.12! Openssl tests run all the way through. Thank you very much for your work. It is a bit ironic that I typically do not run the OpenSSL tests after building because I simply need the .so files for linking but decided to do so with Linux s390x. Again, great work and thank you very much.
Regards,
Paul

Hi All


From Paul's feedback (successful execution of the OpenSSL installation tests on z/Linux) I assume my below mentioned patches to the dyncrypt module fix the broken instructions. However, this is an indirect verification only, as it is not transparent, to what extent OpenSSL prefers using the cryptographic instructions over its own internal computations.


Thus, from my point of view, it is necessary to also do at least a minimal set of direct comparisons of the dyncrypt results with the results the cryptographic instructions produce on real iron. And, for once, I mean real iron: No virtualization, no z/PDT, no Hercules. Just real z/OS on real IBM iron.


I strongly assume there are members in this group who have access to a real z/OS system (at work, for example) and I would very much appreciate if volunteers helped me out by running a very simple test on their system:


The idea basically is, to run the test program I developed while debugging dyncrypt. This program executes each of the cryptographic instructions provided by the Message-Security-Assist with Extensions 1-4 at least once, such that in total each function code is also called at least once. The results are compared with those obtained using OpenSSL on Intel Linux, which I consider being a sufficiently independent path for this purpose.


Of course this is by far not a comprehensive testing. But if it delivers the same results on real iron as on Hercules this is a strong indication that the dyncrypt implementation now is algorithmically correct.


The program will produce absolutely no output, if everything runs smoothly and the results compare as expected. If a discrepancy is found, it is reported to SYSPRINT. So, in general one can say: If the program produces any output, something went wrong.


The program can be found at


https://polybox.ethz.ch/index.php/s/gmBgvNlxGx6RUza https://polybox.ethz.ch/index.php/s/gmBgvNlxGx6RUza


The ZIP archive contains the source, a sample JCL to run it, an XMITted load library containing the readily linked program and an assembly listing of the program. It is not necessary to assemble and link the program yourself, you can just use it from the provided loadlib. I personally guarantee the program will do no harm to your system .


As one of the cryptographic instructions (PCKMO) is privileged the program calls the modeset macro to enter supervisor state before testing this instruction, which also is the final test. So, while I'd of course like you to run the program from an authorized library, I'm fully aware that this will not be allowable in most production style environments. In this case, simply run the program unauthorized. It will then abend with the usual S047, but the results will be complete, except for the PCKMO test, of course, which on the other hand has no algorithmic component not already tested with the other instructions. So, in short, I don't mind if it abends, the run is still very valuable for me.


Thanks a lot in advance for any help!


Cheers
JÃŒrgen

---In hercules-***@yahoogroups.com, <***@...> wrote :


Hi All


Finally, I think the problem originally reported by Paul is solved. The solution requires changes to the PCC and to the KM instructions, which is why I changed the subject of this thread. A tentative patch is now available for download at


https://polybox.ethz.ch/index.php/s/o2knBR1aHwVCcV3 https://polybox.ethz.ch/index.php/s/o2knBR1aHwVCcV3


As usual, the archive contains two versions of the patch, one matching dyncrypt.c as found in Spinhawk (at the Hercules 3.12 release level) and another matching the current Hyperion. Before applying this patch please make sure that my earlier patch to dyncrypt (see the first mail of this thread at https://groups.yahoo.com/neo/groups/hercules-390/conversations/messages/78887 https://groups.yahoo.com/neo/groups/hercules-390/conversations/messages/78887) is applied. Currently, Hyperion has it applied, but it isn't yet in Spinhawk.


Given that the patch is non trivial, I don't recommend as of yet to commit it to any of the repositories. Instead I'd appreciate it being tested by users of the cryptographic instructions (if there are any). In particular I'd be grateful for feedback from Paul and Gert concerning the behavior of the OpenSSL installation tests after applying the patch.


Problem description:


The XTS related functions (codes 50, 52, 58 and 60 of the KM and the PCC instructions) deliver invalid results. Results are stable, except for PCC function codes 58 and 60, which deliver arbitrary results. None of the functions ever delivers a correct result.


Root cause:


The arbitrary results from PCC function codes 58 and 60 are caused by memory overlay due to an invalid length (too short) of the parameter block. Fixing this overlay makes the results stable, but equally invalid as with the other function codes.
The invalid results come from a misinterpretation of the algorithm to use for the GF(2128) multiplication. All diagrams and descriptions in the POP suggest it is the same algorithm as used with function code 65 of the KIMD instruction. However, it is not: For the GCM situation in KIMD the specification found in NIST Special Publication 800-38D, dated November 2007, is relevant, while for the XTS situation in KM and PCC the specification found in IEEE standard 1619-2007 is relevant. In fact, both algorithms are the same (and thus the POP is correct). However, the bit order of the arguments isn't the same in both standards, which isn't exactly mentioned in the POP (one can find it in the prefix pages, once one knows what to search for).
Solution:


Fix the memory overlay in PCC and use the correct algorithm for the GF(2128) multiplication in KM and PCC.


Cheers
JÃŒrgen


---In hercules-***@yahoogroups.com, <***@...> wrote :


Hi Gert


thanks for checking this!


So, as expected, this boils down to:
OpenSSL under S/390 Linux uses the z/Arch cryptographic instructions, if they are available. If they are not available, it reverts to its own internal software implementation of the functions provided by these instructions. The latter will for sure come with a performance penalty, which would be interesting to measure on occasion. Given that Hercules' ESAME level disables the z/Arch cryptographic instructions, this can be used to easily force OpenSSL to use its own internal software implementation of the functions provided by these instructions. This can be used as a workaround until the z/Arch cryptographic instructions are fixed such that they provide the results expected by OpenSSL's installation verification tests. One should expect a performance penalty when using this workaround.
I just managed to implement changes to the PCC and KM z/Arch cryptographic instructions that are supposed to fix the problem reported by OpenSSL. This time the changes passed my own test cases . I'll publish the respective patch shortly. Once tested satisfactorily this patch will make the workaround obsolete.


Cheers
JÃŒrgen

Hi All
First of all: Bear with me, if you are receiving this message twice, with slightly differing text. I already wrote it yesterday, using Yahoo Group’s Web GUI and, as so often before, it didn’t make it through to the group. Although I sometimes saw “lost” posts miraculously appearing even days after posting, I don’t want to wait much longer. Instead, I’m rewriting it now, but as I don’t have a copy of the first one, they will not be fully identical.
During the past few weeks I published a series of patches fixing various defects in z/Arch instructions emulated by Hercules, two of them concerning the cryptographic instructions provided by the dyncrypt module. All, except the final patch, were trivial in the sense that the defects they fix were easy to spot as coding errors and/or the results to be expected from the instructions in question were easy to verify.
The final patch, however, was not trivial at all, because in addition to coding errors it also had to fix errors in the algorithms used for the AES-XTS related functions of the PCC and the KM cryptographic instruction. The z/Arch POP (depending on the version one looks at) has misleading or at least ambiguous descriptions on the intended outcome of these instructions, such that it isn’t easy to determine, if my patch, above fixing the coding errors, also is algorithmically correct.
A strong indication of correctness is the fact that the installation tests of OpenSSL on z/Linux pass without errors, which they didn’t without the patch, as Paul reported. However, this indication is very indirect because it isn’t transparent, in which situations OpenSSL uses its own software implementation for the cryptographic computations, or the “hardware” implementation provided by the z/Arch cryptographic instructions.
In the course of debugging the cryptographic instructions I created a test program on MVS 3.8j, which executes the instructions and compares the results with those obtained using OpenSSL on Intel Linux for the same computations. The program executes each instruction at least once, using functions from different groups (AES & DES in their various modes, SHA, CMAC & GMAC hashes, etc.) such that in total each algorithm also gets used at least once.
Of course this is not a comprehensive test suite exercising each instruction/function combination possible, but I think it suffices to find potential implementation errors on Hercules, provided the OpenSSL results used for verification compare identical to the results of the same tests when run on real iron (if Hercules = OpenSSL & real iron z/Arch = OpenSSL, then Hercules = real iron z/Arch).
To make the long story short: Running the test program on real z/Arch systems will give a very strong indication whether the cryptographic instructions are now implemented correctly on Hercules or not, and particularly, whether or not I interpreted the ambiguities in the POP correctly.
Presumably, there are quite a few members in this group who are having access to a real z/Arch system (at work for example). I’d very much appreciate if some of you volunteered to run the test program on your systems. The most reliable results are to be expected for z/OS running first level (i.e. not under z/VM) on a z/Arch system, no older than ~2008, which has the Message-Security-Assist with Extensions 1-4 installed and active. For once, this time I really mean it: Original IBM z/OS on original IBM real iron z/Arch, i.e. no z/PDT, no Hercules (not that results from the latter wouldn’t be interesting and perhaps even surprising too, but they don’t help much with the validation attempt at hand here).
The program is very easy to run. Download the zip archive from
https://polybox.ethz.ch/index.php/s/gmBgvNlxGx6RUza https://polybox.ethz.ch/index.php/s/gmBgvNlxGx6RUza
It contains an XMITted load library (tstcrypt.load.xmi), containing the TSTCRYPT load module and a sample JCL (tstcrypt.jcl) to run it. Additionally it also contains the program’s source and assembly listing for informational purposes (except if you want to change the program, it isn’t necessary to assemble it).
To run the program, receive the load library using the TSO/E RECEIVE command, edit the JCL to reflect your installation’s requirements and submit it.
If at all possible, I’d appreciate if you ran the program from an authorized library, which allows testing of the privileged PCKMO instruction to succeed. However, if this isn’t possible or you don’t want to do this, running from an unauthorized library is fine for me too: The PCKMO test is the last one. It will abend with an S047 abend if not running authorized, but the results of the previous tests are all valid and valuable. I personally guarantee, however, that the program will not do any harm to your system when running authorized.
Except a few WTOs indicating which test is about to be run, no output is expected from successful tests. Tests not delivering the expected results will report this to SYSPRINT. Once done, please report your results here, simply by stating machine type and model, z/OS version used, and whether there was any output to SYSPRINT.
Thanks in advance for any help with this!
Cheers
JÃŒrgen

---In hercules-***@yahoogroups.com, <***@...> wrote :
Hi All
Finally, I think the problem originally reported by Paul is solved. The solution requires changes to the PCC and to the KM instructions, which is why I changed the subject of this thread. A tentative patch is now available for download at
https://polybox.ethz.ch/index.php/s/0dXgLYjrpUb9ulT https://polybox.ethz.ch/index.php/s/0dXgLYjrpUb9ulT
As usual, the archive contains two versions of the patch, one matching dyncrypt.c as found in Spinhawk (at the Hercules 3.12 release level) and another matching the current Hyperion. Before applying this patch please make sure that my earlier patch to dyncrypt (see the first mail of this thread at https://groups.yahoo.com/neo/groups/hercules-390/conversations/messages/78887 https://groups.yahoo.com/neo/groups/hercules-390/conversations/messages/78887) is applied. Currently, Hyperion has it applied, but it isn't yet in Spinhawk.
Given that the patch is non trivial, I don't recommend as of yet to commit it to any of the repositories. Instead I'd appreciate it being tested by users of the cryptographic instructions (if there are any). In particular I'd be grateful for feedback from Paul and Gert concerning the behavior of the OpenSSL installation tests after applying the patch.
Problem description:
The XTS related functions (codes 50, 52, 58 and 60 of the KM and the PCC instructions) deliver invalid results. Results are stable, except for PCC function codes 58 and 60, which deliver arbitrary results. None of the functions ever delivers a correct result.
Root cause:
The arbitrary results from PCC function codes 58 and 60 are caused by memory overlay due to an invalid length (too short) of the parameter block. Fixing this overlay makes the results stable, but equally invalid as with the other function codes.
The invalid results come from a misinterpretation of the algorithm to use for the GF(2128) multiplication. All diagrams and descriptions in the POP suggest it is the same algorithm as used with function code 65 of the KIMD instruction. However, it is not: For the GCM situation in KIMD the specification found in NIST Special Publication 800-38D, dated November 2007, is relevant, while for the XTS situation in KM and PCC the specification found in IEEE standard 1619-2007 is relevant. In fact, both algorithms are the same (and thus the POP is correct). However, the bit order of the arguments isn't the same in both standards, which isn't exactly mentioned in the POP (one can find it in the prefix pages, once one knows what to search for).
Solution:
Fix the memory overlay in PCC and use the correct algorithm for the GF(2128) multiplication in KM and PCC.
Cheers
JÃŒrgen
---In hercules-***@yahoogroups.com, <***@...> wrote :
Hi Gert
thanks for checking this!
So, as expected, this boils down to:
OpenSSL under S/390 Linux uses the z/Arch cryptographic instructions, if they are available. If they are not available, it reverts to its own internal software implementation of the functions provided by these instructions. The latter will for sure come with a performance penalty, which would be interesting to measure on occasion.
Given that Hercules' ESAME level disables the z/Arch cryptographic instructions, this can be used to easily force OpenSSL to use its own internal software implementation of the functions provided by these instructions. This can be used as a workaround until the z/Arch cryptographic instructions are fixed such that they provide the results expected by OpenSSL's installation verification tests. One should expect a performance penalty when using this workaround.
I just managed to implement changes to the PCC and KM z/Arch cryptographic instructions that are supposed to fix the problem reported by OpenSSL. This time the changes passed my own test cases . I'll publish the respective patch shortly. Once tested satisfactorily this patch will make the workaround obsolete.
Cheers
JÃŒrgen