Switch VAES cfg flags from opt-out to opt-in

Author: silvanshade

.github/workflows/aes.yml

@@ -69,7 +69,7 @@ jobs:
     env:
       CARGO_INCREMENTAL: 0
       RUSTDOCFLAGS: "-C target-feature=+aes,+ssse3"
-      RUSTFLAGS: "-Dwarnings -C target-feature=+aes,+ssse3 --cfg aes_avx512_disable --cfg aes_avx256_disable"
+      RUSTFLAGS: "-Dwarnings -C target-feature=+aes,+ssse3"
     strategy:
       matrix:
         include:
@@ -103,7 +103,7 @@ jobs:
     runs-on: ubuntu-latest
     env:
       CARGO_INCREMENTAL: 0
-      RUSTFLAGS: "-Dwarnings --cfg aes_avx512_disable"
+      RUSTFLAGS: "-Dwarnings --cfg aes_avx256"
     strategy:
       matrix:
         include:
@@ -140,6 +140,7 @@ jobs:
     runs-on: ubuntu-latest
     env:
       CARGO_INCREMENTAL: 0
+      RUSTFLAGS: "-Dwarnings --cfg aes_avx512"
     strategy:
       matrix:
         include:

aes/Cargo.toml

@@ -31,7 +31,7 @@ hazmat = [] # Expose cryptographically hazardous APIs
 
 [lints.rust.unexpected_cfgs]
 level = "warn"
-check-cfg = ["cfg(aes_compact)", "cfg(aes_force_soft)", "cfg(aes_avx256_disable)", "cfg(aes_avx512_disable)"]
+check-cfg = ["cfg(aes_compact)", "cfg(aes_force_soft)", "cfg(aes_avx256)", "cfg(aes_avx512)"]
 
 [package.metadata.docs.rs]
 all-features = true

aes/src/lib.rs

@@ -45,14 +45,12 @@
 //! used or passing `RUSTFLAGS=-Ctarget-feature=+aes,+avx512f,+ssse3,+vaes`
 //! will ensure that AESNI and VAES are always used.
 //!
+//! Note: Enabling VAES256 or VAES512 still requires specifying `--cfg
+//! aes_avx256` or `--cfg aes_avx512` explicitly.
+//!
 //! Programs built in this manner will crash with an illegal instruction on
 //! CPUs which do not have AES-NI and VAES enabled.
 //!
-//! Note: It is possible to disable the use of AVX512 for the VAES backend
-//! and limiting it to AVX (256-bit) by specifying `--cfg aes_avx512_disable`.
-//! For CPUs which support VAES but not AVX512, the 256-bit VAES backend will
-//! be selected automatically without needing to specify this flag.
-//!
 //! Note: runtime detection is not possible on SGX targets. Please use the
 //! aforementioned `RUSTFLAGS` to leverage AES-NI and VAES on these targets.
 //!
@@ -97,19 +95,19 @@
 //! }
 //! ```
 //!
-//! For implementation of block cipher modes of operation see
-//! [`block-modes`] repository.
+//! For implementation of block cipher modes of operation see [`block-modes`]
+//! repository.
 //!
 //! # Configuration Flags
 //!
 //! You can modify crate using the following configuration flags:
 //!
 //! - `aes_force_soft`: force software implementation.
-//! - `aes_compact`: reduce code size at the cost of slower performance
-//!   (affects only software backend).
+//! - `aes_compact`: reduce code size at the cost of slower performance (affects
+//!   only software backend).
 //!
-//! It can be enabled using `RUSTFLAGS` environmental variable
-//! (e.g. `RUSTFLAGS="--cfg aes_compact"`) or by modifying `.cargo/config`.
+//! It can be enabled using `RUSTFLAGS` environmental variable (e.g.
+//! `RUSTFLAGS="--cfg aes_compact"`) or by modifying `.cargo/config`.
 //!
 //! [AES]: https://en.wikipedia.org/wiki/Advanced_Encryption_Standard
 //! [fixslicing]: https://eprint.iacr.org/2020/1123.pdf

aes/src/x86.rs

@@ -1,7 +1,7 @@
 pub(crate) mod ni;
-#[cfg(target_arch = "x86_64")]
+#[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
 pub(crate) mod vaes256;
-#[cfg(target_arch = "x86_64")]
+#[cfg(all(target_arch = "x86_64", aes_avx512))]
 pub(crate) mod vaes512;
 
 #[cfg(target_arch = "x86")]
@@ -11,26 +11,24 @@ use core::arch::x86_64 as arch;
 
 use self::arch::*;
 use crate::Block;
+#[cfg(all(target_arch = "x86_64", aes_avx512))]
+use cipher::consts::U64;
 use cipher::{
     AlgorithmName, BlockCipherDecBackend, BlockCipherDecClosure, BlockCipherDecrypt,
     BlockCipherEncBackend, BlockCipherEncClosure, BlockCipherEncrypt, BlockSizeUser, InOut, Key,
     KeyInit, KeySizeUser, ParBlocksSizeUser,
     consts::{U9, U16, U24, U32},
     crypto_common::WeakKeyError,
 };
-#[cfg(target_arch = "x86_64")]
-use cipher::{
-    Array, InOutBuf,
-    consts::{U30, U64},
-    typenum::Unsigned,
-};
-#[cfg(target_arch = "x86_64")]
+#[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
+use cipher::{Array, InOutBuf, consts::U30, typenum::Unsigned};
+#[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
 use core::cell::OnceCell;
 use core::fmt;
 
-#[cfg(target_arch = "x86_64")]
+#[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
 pub(crate) type Block30 = Array<Block, U30>;
-#[cfg(target_arch = "x86_64")]
+#[cfg(all(target_arch = "x86_64", aes_avx512))]
 pub(crate) type Block64 = Array<Block, U64>;
 
 pub(crate) mod features {
@@ -41,81 +39,81 @@ pub(crate) mod features {
     pub(crate) mod aes {
         pub use super::features_aes::*;
     }
-    #[cfg(target_arch = "x86_64")]
+    #[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
     pub(crate) mod avx {
         pub use super::features_avx::*;
     }
-    #[cfg(target_arch = "x86_64")]
+    #[cfg(all(target_arch = "x86_64", aes_avx512))]
     pub(crate) mod avx512f {
         pub use super::features_avx512f::*;
     }
-    #[cfg(target_arch = "x86_64")]
+    #[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
     pub(crate) mod vaes {
         pub use super::features_vaes::*;
     }
 }
 
 type Simd128RoundKeys<const ROUNDS: usize> = [__m128i; ROUNDS];
-#[cfg(target_arch = "x86_64")]
+#[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
 type Simd256RoundKeys<const ROUNDS: usize> = [__m256i; ROUNDS];
-#[cfg(target_arch = "x86_64")]
+#[cfg(all(target_arch = "x86_64", aes_avx512))]
 type Simd512RoundKeys<const ROUNDS: usize> = [__m512i; ROUNDS];
 
 #[derive(Clone)]
 enum Backend {
     Ni,
-    #[cfg(target_arch = "x86_64")]
+    #[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
     Vaes256,
-    #[cfg(target_arch = "x86_64")]
+    #[cfg(all(target_arch = "x86_64", aes_avx512))]
     Vaes512,
 }
 
 #[derive(Clone, Copy)]
 struct Features {
-    #[cfg(target_arch = "x86_64")]
+    #[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
     avx: self::features::avx::InitToken,
-    #[cfg(target_arch = "x86_64")]
+    #[cfg(all(target_arch = "x86_64", aes_avx512))]
     avx512f: self::features::avx512f::InitToken,
-    #[cfg(target_arch = "x86_64")]
+    #[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
     vaes: self::features::vaes::InitToken,
 }
 
 impl Features {
     fn new() -> Self {
         Self {
-            #[cfg(target_arch = "x86_64")]
+            #[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
             avx: self::features::avx::init(),
-            #[cfg(target_arch = "x86_64")]
+            #[cfg(all(target_arch = "x86_64", aes_avx512))]
             avx512f: self::features::avx512f::init(),
-            #[cfg(target_arch = "x86_64")]
+            #[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
             vaes: self::features::vaes::init(),
         }
     }
 
-    #[cfg(target_arch = "x86_64")]
+    #[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
     fn has_vaes256(&self) -> bool {
         #[cfg(target_arch = "x86_64")]
-        if self.vaes.get() && self.avx.get() && !cfg!(aes_avx256_disable) {
+        if cfg!(aes_avx256) && self.vaes.get() && self.avx.get() {
             return true;
         }
         false
     }
 
-    #[cfg(target_arch = "x86_64")]
+    #[cfg(all(target_arch = "x86_64", aes_avx512))]
     fn has_vaes512(&self) -> bool {
         #[cfg(target_arch = "x86_64")]
-        if self.vaes.get() && self.avx512f.get() && !cfg!(aes_avx512_disable) {
+        if cfg!(aes_avx512) && self.vaes.get() && self.avx512f.get() {
             return true;
         }
         false
     }
 
     fn dispatch(&self) -> Backend {
-        #[cfg(target_arch = "x86_64")]
+        #[cfg(all(target_arch = "x86_64", aes_avx512))]
         if self.has_vaes512() {
             return self::Backend::Vaes512;
         }
-        #[cfg(target_arch = "x86_64")]
+        #[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
         if self.has_vaes256() {
             return self::Backend::Vaes256;
         }
@@ -141,33 +139,35 @@ macro_rules! define_aes_impl {
             pub(crate) struct Ni<'a> {
                 pub(crate) keys: &'a Simd128RoundKeys<$rounds>,
             }
-            #[cfg(target_arch = "x86_64")]
+            #[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
             impl<'a> Ni<'a> {
                 pub const fn par_blocks(&self) -> usize {
                     <Self as ParBlocksSizeUser>::ParBlocksSize::USIZE
                 }
             }
-            #[cfg(target_arch = "x86_64")]
+            #[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
             impl<'a> From<&Vaes256<'a>> for Ni<'a> {
                 fn from(backend: &Vaes256<'a>) -> Self {
                     Self { keys: backend.keys }
                 }
             }
 
+            #[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
             #[derive(Clone)]
-            #[cfg(target_arch = "x86_64")]
             pub(crate) struct Vaes256<'a> {
+                #[allow(unused)] // TODO: remove once cfg flags are removed
                 pub(crate) features: Features,
                 pub(crate) keys: &'a Simd128RoundKeys<$rounds>,
                 pub(crate) simd_256_keys: OnceCell<Simd256RoundKeys<$rounds>>,
             }
-            #[cfg(target_arch = "x86_64")]
+            #[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
             impl<'a> Vaes256<'a> {
+                #[allow(unused)] // TODO: remove once cfg flags are removed
                 pub const fn par_blocks(&self) -> usize {
                     <Self as ParBlocksSizeUser>::ParBlocksSize::USIZE
                 }
             }
-            #[cfg(target_arch = "x86_64")]
+            #[cfg(all(target_arch = "x86_64", aes_avx512))]
             impl<'a> From<&Vaes512<'a>> for Vaes256<'a> {
                 fn from(backend: &Vaes512<'a>) -> Self {
                     Self {
@@ -178,7 +178,7 @@ macro_rules! define_aes_impl {
                 }
             }
 
-            #[cfg(target_arch = "x86_64")]
+            #[cfg(all(target_arch = "x86_64", aes_avx512))]
             pub(crate) struct Vaes512<'a> {
                 pub(crate) features: Features,
                 pub(crate) keys: &'a Simd128RoundKeys<$rounds>,
@@ -314,13 +314,13 @@ macro_rules! define_aes_impl {
                 let keys = &self.keys;
                 match features.dispatch() {
                     self::Backend::Ni => f.call(&mut $name_backend::Ni { keys }),
-                    #[cfg(target_arch = "x86_64")]
+                    #[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
                     self::Backend::Vaes256 => f.call(&mut $name_backend::Vaes256 {
                         features,
                         keys,
                         simd_256_keys: OnceCell::new(),
                     }),
-                    #[cfg(target_arch = "x86_64")]
+                    #[cfg(all(target_arch = "x86_64", aes_avx512))]
                     self::Backend::Vaes512 => f.call(&mut $name_backend::Vaes512 {
                         features,
                         keys,
@@ -406,13 +406,13 @@ macro_rules! define_aes_impl {
                 let keys = &self.keys;
                 match features.dispatch() {
                     self::Backend::Ni => f.call(&mut $name_backend::Ni { keys }),
-                    #[cfg(target_arch = "x86_64")]
+                    #[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
                     self::Backend::Vaes256 => f.call(&mut $name_backend::Vaes256 {
                         features,
                         keys,
                         simd_256_keys: OnceCell::new(),
                     }),
-                    #[cfg(target_arch = "x86_64")]
+                    #[cfg(all(target_arch = "x86_64", aes_avx512))]
                     self::Backend::Vaes512 => f.call(&mut $name_backend::Vaes512 {
                         features,
                         keys,
@@ -437,23 +437,23 @@ macro_rules! define_aes_impl {
         impl<'a> BlockSizeUser for $name_backend::Ni<'a> {
             type BlockSize = U16;
         }
-        #[cfg(target_arch = "x86_64")]
+        #[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
         impl<'a> BlockSizeUser for $name_backend::Vaes256<'a> {
             type BlockSize = U16;
         }
-        #[cfg(target_arch = "x86_64")]
+        #[cfg(all(target_arch = "x86_64", aes_avx512))]
         impl<'a> BlockSizeUser for $name_backend::Vaes512<'a> {
             type BlockSize = U16;
         }
 
         impl<'a> ParBlocksSizeUser for $name_backend::Ni<'a> {
             type ParBlocksSize = U9;
         }
-        #[cfg(target_arch = "x86_64")]
+        #[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
         impl<'a> ParBlocksSizeUser for $name_backend::Vaes256<'a> {
             type ParBlocksSize = U30;
         }
-        #[cfg(target_arch = "x86_64")]
+        #[cfg(all(target_arch = "x86_64", aes_avx512))]
         impl<'a> ParBlocksSizeUser for $name_backend::Vaes512<'a> {
             type ParBlocksSize = U64;
         }
@@ -472,7 +472,7 @@ macro_rules! define_aes_impl {
                 }
             }
         }
-        #[cfg(target_arch = "x86_64")]
+        #[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
         impl<'a> BlockCipherEncBackend for $name_backend::Vaes256<'a> {
             #[inline]
             fn encrypt_block(&self, block: InOut<'_, '_, Block>) {
@@ -514,7 +514,7 @@ macro_rules! define_aes_impl {
                 }
             }
         }
-        #[cfg(target_arch = "x86_64")]
+        #[cfg(all(target_arch = "x86_64", aes_avx512))]
         impl<'a> BlockCipherEncBackend for $name_backend::Vaes512<'a> {
             #[inline]
             fn encrypt_block(&self, block: InOut<'_, '_, Block>) {
@@ -582,7 +582,7 @@ macro_rules! define_aes_impl {
                 }
             }
         }
-        #[cfg(target_arch = "x86_64")]
+        #[cfg(all(target_arch = "x86_64", any(aes_avx256, aes_avx512)))]
         impl<'a> BlockCipherDecBackend for $name_backend::Vaes256<'a> {
             #[inline]
             fn decrypt_block(&self, block: InOut<'_, '_, Block>) {
@@ -624,7 +624,7 @@ macro_rules! define_aes_impl {
                 }
             }
         }
-        #[cfg(target_arch = "x86_64")]
+        #[cfg(all(target_arch = "x86_64", aes_avx512))]
         impl<'a> BlockCipherDecBackend for $name_backend::Vaes512<'a> {
             #[inline]
             fn decrypt_block(&self, block: InOut<'_, '_, Block>) {