ML-DSA: add build support and importer for x86_64 assembly backend

Add CMake support to compile mldsa-native x86_64 assembly files,
a custom mldsa_x86_64_meta.h declaring only the assembly-backed
native operations (NTT, INTT, nttunpack, pointwise,
polyvecl_pointwise_acc), and the importer script to pull them
from upstream.

Author: jakemas

crypto/fipsmodule/CMakeLists.txt

@@ -397,6 +397,24 @@ if((ARCH STREQUAL "x86_64") AND UNIX AND NOT MY_ASSEMBLER_IS_TOO_OLD_FOR_AVX)
 
 endif()
 
+# mldsa-native assembly files can be compiled on Unix platforms for x86_64 only.
+if((ARCH STREQUAL "x86_64") AND UNIX AND NOT MY_ASSEMBLER_IS_TOO_OLD_FOR_AVX)
+
+  set(MLDSA_NATIVE_DIR "${AWSLC_SOURCE_DIR}/crypto/fipsmodule/ml_dsa")
+
+  # Every .S file in this directory is imported by importer.sh and must be
+  # compiled; glob so that refreshes which add/remove files don't need a
+  # matching edit here. CONFIGURE_DEPENDS makes CMake re-run when the set of
+  # matching files changes.
+  file(GLOB MLDSA_NATIVE_X86_64_ASM_SOURCES CONFIGURE_DEPENDS
+    "${MLDSA_NATIVE_DIR}/mldsa/native/x86_64/src/*.S")
+
+  list(APPEND BCM_ASM_SOURCES ${MLDSA_NATIVE_X86_64_ASM_SOURCES})
+
+  set(S2N_BIGNUM_INCLUDE_DIR "${AWSLC_SOURCE_DIR}/third_party/s2n-bignum/s2n-bignum-imported/include")
+
+endif()
+
 
 if(FIPS_DELOCATE)
   if(FIPS_SHARED)

crypto/fipsmodule/ml_dsa/importer.sh

@@ -72,22 +72,57 @@ popd
 
 echo "Pull source code from remote repository..."
 
-# Copy mldsa-native source tree -- C source only (no native backends for now)
+# Copy mldsa-native source tree -- C source
 mkdir $SRC
-cp $TMP/mldsa/src/* $SRC
+# Copy only files (not subdirectories like native/ and fips202/)
+find $TMP/mldsa/src -maxdepth 1 -type f -exec cp {} $SRC \;
+
+# Copy x86_64 backend
+# We import only the assembly-backed operations (NTT, INTT, nttunpack,
+# pointwise, polyvecl_pointwise_acc). The AVX2 C-intrinsic operations
+# (rej_uniform, decompose, use_hint, chknorm, caddq, polyz_unpack) are
+# intentionally excluded.
+#
+# The upstream meta.h advertises both assembly and C-intrinsic operations.
+# Rather than modify it, we keep a hand-maintained replacement in
+# ../mldsa_x86_64_meta.h (referenced via MLD_CONFIG_ARITH_BACKEND_FILE) that
+# declares only the assembly-backed subset. Upstream meta.h is not copied.
+mkdir -p $SRC/native/x86_64/src
+# Backend API and specification assumed by mldsa-native frontend
+cp $TMP/mldsa/src/native/api.h $SRC/native
+# Backend header -- unused C-intrinsic declarations are harmless and left intact
+cp $TMP/mldsa/src/native/x86_64/src/arith_native_x86_64.h $SRC/native/x86_64/src
+# Shared constants (zetas table); needed by the assembly kernels
+cp $TMP/mldsa/src/native/x86_64/src/consts.h $SRC/native/x86_64/src
+cp $TMP/mldsa/src/native/x86_64/src/consts.c $SRC/native/x86_64/src
+# Assembly source files for the operations we import (NTT, INTT, nttunpack,
+# pointwise, polyvecl_pointwise_acc). Only files with verified proofs are
+# included.
+cp $TMP/mldsa/src/native/x86_64/src/ntt_avx2_asm.S $SRC/native/x86_64/src
+cp $TMP/mldsa/src/native/x86_64/src/intt_avx2_asm.S $SRC/native/x86_64/src
+cp $TMP/mldsa/src/native/x86_64/src/nttunpack_avx2_asm.S $SRC/native/x86_64/src
+cp $TMP/mldsa/src/native/x86_64/src/pointwise_avx2_asm.S $SRC/native/x86_64/src
+cp $TMP/mldsa/src/native/x86_64/src/pointwise_acc_l4_avx2_asm.S $SRC/native/x86_64/src
+cp $TMP/mldsa/src/native/x86_64/src/pointwise_acc_l5_avx2_asm.S $SRC/native/x86_64/src
+cp $TMP/mldsa/src/native/x86_64/src/pointwise_acc_l7_avx2_asm.S $SRC/native/x86_64/src
 
 # We use the custom `mldsa_native_config.h`, so can remove the default one
-rm $SRC/config.h
+rm -f $SRC/config.h
 
 # Copy formatting file
 cp $TMP/.clang-format $SRC
 
+# ================================================================
+# Process mldsa_native_bcm.c
+# ================================================================
+
 # Copy and statically simplify BCM file
 # The static simplification is not necessary, but improves readability
 # by removing directives related to the FIPS-202 backend that we provide
 # via our own glue layer.
 unifdef -DMLD_CONFIG_FIPS202_CUSTOM_HEADER                             \
         -UMLD_CONFIG_USE_NATIVE_BACKEND_FIPS202                        \
+        -UMLD_SYS_AARCH64                                              \
         $TMP/mldsa/mldsa_native.c                                      \
         > $SRC/mldsa_native_bcm.c
 
@@ -110,6 +145,51 @@ cp $TMP/mldsa/mldsa_native.h $SRC
 echo "Fixup include paths"
 sed "${SED_I[@]}" 's/#include "src\/\([^"]*\)"/#include "\1"/' $SRC/mldsa_native_bcm.c
 
+# Drop #include directives for the C-intrinsic .c files we did not import.
+# Only consts.c (shared with the assembly backend) needs to be compiled.
+echo "Strip C-intrinsic includes from mldsa_native_bcm.c"
+BCM=$SRC/mldsa_native_bcm.c
+sed "${SED_I[@]}" '/^#include "native\/x86_64\/src\/poly_caddq_avx2\.c"/d'      "$BCM"
+sed "${SED_I[@]}" '/^#include "native\/x86_64\/src\/poly_chknorm_avx2\.c"/d'    "$BCM"
+sed "${SED_I[@]}" '/^#include "native\/x86_64\/src\/poly_decompose_32_avx2\.c"/d' "$BCM"
+sed "${SED_I[@]}" '/^#include "native\/x86_64\/src\/poly_decompose_88_avx2\.c"/d' "$BCM"
+sed "${SED_I[@]}" '/^#include "native\/x86_64\/src\/poly_use_hint_32_avx2\.c"/d'  "$BCM"
+sed "${SED_I[@]}" '/^#include "native\/x86_64\/src\/poly_use_hint_88_avx2\.c"/d'  "$BCM"
+sed "${SED_I[@]}" '/^#include "native\/x86_64\/src\/polyz_unpack_17_avx2\.c"/d'   "$BCM"
+sed "${SED_I[@]}" '/^#include "native\/x86_64\/src\/polyz_unpack_19_avx2\.c"/d'   "$BCM"
+sed "${SED_I[@]}" '/^#include "native\/x86_64\/src\/rej_uniform_avx2\.c"/d'       "$BCM"
+sed "${SED_I[@]}" '/^#include "native\/x86_64\/src\/rej_uniform_eta2_avx2\.c"/d'  "$BCM"
+sed "${SED_I[@]}" '/^#include "native\/x86_64\/src\/rej_uniform_eta4_avx2\.c"/d'  "$BCM"
+sed "${SED_I[@]}" '/^#include "native\/x86_64\/src\/rej_uniform_table\.c"/d'      "$BCM"
+
+# ================================================================
+# Fixup x86_64 assembly backend to use s2n-bignum macros
+# ================================================================
+
+echo "Fixup x86_64 assembly backend to use s2n-bignum macros"
+for file in $SRC/native/x86_64/src/*.S; do
+  echo "Processing $file"
+  tmp_file=$(mktemp)
+
+  backend_define="MLD_ARITH_BACKEND_X86_64_DEFAULT"
+
+  # Flatten multiline preprocessor directives, then process with unifdef
+  sed -e ':a' -e 'N' -e '$!ba' -e 's/\\\n/ /g' "$file" | \
+    unifdef -D$backend_define -UMLD_CONFIG_MULTILEVEL_NO_SHARED -DMLD_CONFIG_MULTILEVEL_WITH_SHARED > "$tmp_file"
+  mv "$tmp_file" "$file"
+
+  # Replace common.h include and assembly macros
+  s2n_header="_internal_s2n_bignum_x86_att.h"
+  sed "${SED_I[@]}" "s/#include \"\.\.\/\.\.\/\.\.\/common\.h\"/#include \"$s2n_header\"/" "$file"
+
+  func_name=$(grep -o '\.global MLD_ASM_NAMESPACE(\([^)]*\))' "$file" | sed 's/\.global MLD_ASM_NAMESPACE(\([^)]*\))/\1/')
+  if [ -n "$func_name" ]; then
+    sed "${SED_I[@]}" "s/\.global MLD_ASM_NAMESPACE($func_name)/        S2N_BN_SYM_VISIBILITY_DIRECTIVE(mldsa_$func_name)\n        S2N_BN_SYM_PRIVACY_DIRECTIVE(mldsa_$func_name)/" "$file"
+    sed "${SED_I[@]}" "s/MLD_ASM_FN_SYMBOL($func_name)/S2N_BN_SYMBOL(mldsa_$func_name):/" "$file"
+    sed "${SED_I[@]}" "s/MLD_ASM_FN_SIZE($func_name)/S2N_BN_SIZE_DIRECTIVE(mldsa_$func_name)/" "$file"
+  fi
+done
+
 echo "Remove temporary artifacts ..."
 rm -rf $TMP
 

crypto/fipsmodule/ml_dsa/mldsa_native_backend.h

@@ -0,0 +1,18 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0 OR ISC
+
+#ifndef MLDSA_NATIVE_BACKEND_H
+#define MLDSA_NATIVE_BACKEND_H
+
+#include <openssl/target.h>
+
+#if !defined(OPENSSL_NO_ASM) &&				\
+    (defined(OPENSSL_LINUX) || defined(OPENSSL_APPLE))
+
+#if defined(OPENSSL_X86_64) && !defined(MY_ASSEMBLER_IS_TOO_OLD_FOR_AVX)
+#include "mldsa_x86_64_meta.h"
+#endif
+
+#endif
+
+#endif /* MLDSA_NATIVE_BACKEND_H */

crypto/fipsmodule/ml_dsa/mldsa_native_config.h

@@ -116,4 +116,8 @@ static MLD_INLINE void *mld_memset(void *s, int c, size_t n) {
 #define MLD_CONFIG_NO_ASM
 #endif
 
+// Enable x86_64 arithmetic backend and set path
+#define MLD_CONFIG_USE_NATIVE_BACKEND_ARITH
+#define MLD_CONFIG_ARITH_BACKEND_FILE "../mldsa_native_backend.h"
+
 #endif // MLD_CONFIG_H

crypto/fipsmodule/ml_dsa/mldsa_x86_64_meta.h

@@ -0,0 +1,120 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0 OR ISC
+
+/*
+ * Custom x86_64 backend header for the mldsa-native import.
+ *
+ * mldsa-native's upstream meta.h declares native implementations for both
+ * assembly-backed operations (NTT, INTT, pointwise multiplication) and
+ * AVX2 C-intrinsic operations (rej_uniform, decompose, use_hint, chknorm,
+ * caddq, polyz_unpack). AWS-LC only imports the assembly-backed operations,
+ * so we replace the upstream meta.h with this trimmed-down version that
+ * declares only the subset we actually provide.
+ *
+ * Kept outside the imported `mldsa/` tree so that `importer.sh` does not
+ * need to modify upstream sources.
+ */
+
+#ifndef MLD_NATIVE_X86_64_META_H
+#define MLD_NATIVE_X86_64_META_H
+
+/* Identifier for this backend so that source and assembly files
+ * in the build can be appropriately guarded. */
+#define MLD_ARITH_BACKEND_X86_64_DEFAULT
+
+#define MLD_USE_NATIVE_NTT_CUSTOM_ORDER
+#define MLD_USE_NATIVE_NTT
+#define MLD_USE_NATIVE_INTT
+#define MLD_USE_NATIVE_POINTWISE_MONTGOMERY
+#define MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L4
+#define MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L5
+#define MLD_USE_NATIVE_POLYVECL_POINTWISE_ACC_MONTGOMERY_L7
+
+#if !defined(__ASSEMBLER__)
+#include "mldsa/native/api.h"
+#include "mldsa/native/x86_64/src/arith_native_x86_64.h"
+
+static MLD_INLINE void mld_poly_permute_bitrev_to_custom(int32_t data[MLDSA_N])
+{
+  if (mld_sys_check_capability(MLD_SYS_CAP_AVX2))
+  {
+    mld_nttunpack_avx2_asm(data);
+  }
+}
+
+MLD_MUST_CHECK_RETURN_VALUE
+static MLD_INLINE int mld_ntt_native(int32_t data[MLDSA_N])
+{
+  if (!mld_sys_check_capability(MLD_SYS_CAP_AVX2))
+  {
+    return MLD_NATIVE_FUNC_FALLBACK;
+  }
+  mld_ntt_avx2_asm(data, mld_qdata);
+  return MLD_NATIVE_FUNC_SUCCESS;
+}
+
+MLD_MUST_CHECK_RETURN_VALUE
+static MLD_INLINE int mld_intt_native(int32_t data[MLDSA_N])
+{
+  if (!mld_sys_check_capability(MLD_SYS_CAP_AVX2))
+  {
+    return MLD_NATIVE_FUNC_FALLBACK;
+  }
+  mld_invntt_avx2_asm(data, mld_qdata);
+  return MLD_NATIVE_FUNC_SUCCESS;
+}
+
+MLD_MUST_CHECK_RETURN_VALUE
+static MLD_INLINE int mld_poly_pointwise_montgomery_native(
+    int32_t a[MLDSA_N], const int32_t b[MLDSA_N])
+{
+  if (!mld_sys_check_capability(MLD_SYS_CAP_AVX2))
+  {
+    return MLD_NATIVE_FUNC_FALLBACK;
+  }
+  mld_pointwise_avx2_asm(a, b, mld_qdata);
+  return MLD_NATIVE_FUNC_SUCCESS;
+}
+
+MLD_MUST_CHECK_RETURN_VALUE
+static MLD_INLINE int mld_polyvecl_pointwise_acc_montgomery_l4_native(
+    int32_t w[MLDSA_N], const int32_t u[4][MLDSA_N],
+    const int32_t v[4][MLDSA_N])
+{
+  if (!mld_sys_check_capability(MLD_SYS_CAP_AVX2))
+  {
+    return MLD_NATIVE_FUNC_FALLBACK;
+  }
+  mld_pointwise_acc_l4_avx2_asm(w, u, v, mld_qdata);
+  return MLD_NATIVE_FUNC_SUCCESS;
+}
+
+MLD_MUST_CHECK_RETURN_VALUE
+static MLD_INLINE int mld_polyvecl_pointwise_acc_montgomery_l5_native(
+    int32_t w[MLDSA_N], const int32_t u[5][MLDSA_N],
+    const int32_t v[5][MLDSA_N])
+{
+  if (!mld_sys_check_capability(MLD_SYS_CAP_AVX2))
+  {
+    return MLD_NATIVE_FUNC_FALLBACK;
+  }
+  mld_pointwise_acc_l5_avx2_asm(w, u, v, mld_qdata);
+  return MLD_NATIVE_FUNC_SUCCESS;
+}
+
+MLD_MUST_CHECK_RETURN_VALUE
+static MLD_INLINE int mld_polyvecl_pointwise_acc_montgomery_l7_native(
+    int32_t w[MLDSA_N], const int32_t u[7][MLDSA_N],
+    const int32_t v[7][MLDSA_N])
+{
+  if (!mld_sys_check_capability(MLD_SYS_CAP_AVX2))
+  {
+    return MLD_NATIVE_FUNC_FALLBACK;
+  }
+  mld_pointwise_acc_l7_avx2_asm(w, u, v, mld_qdata);
+  return MLD_NATIVE_FUNC_SUCCESS;
+}
+
+#endif /* !__ASSEMBLER__ */
+
+#endif /* !MLD_NATIVE_X86_64_META_H */