all: REVERSE MERGE dev.boringcrypto (cdcb4b6) into master

This commit is a REVERSE MERGE.
It merges dev.boringcrypto back into its parent branch, master.
This marks the end of development on dev.boringcrypto.

Manual Changes:
- git rm README.boringcrypto.md
- git rm -r misc/boring
- git rm src/cmd/internal/notsha256/sha256block_arm64.s
- git cherry-pick -n 5856aa74  # remove GOEXPERIMENT=boringcrypto forcing in cmd/dist

There are some minor cleanups like merging import statements
that I will apply in a follow-up CL.

Merge List:

+ 2022-04-29 cdcb4b6ef3 [dev.boringcrypto] cmd/compile: remove the awful boringcrypto kludge
+ 2022-04-29 e845f572ec [dev.boringcrypto] crypto/ecdsa, crypto/rsa: use boring.Cache
+ 2022-04-29 a840bf871e [dev.boringcrypto] crypto/internal/boring: add GC-aware cache
+ 2022-04-29 0184fe5ece [dev.boringcrypto] crypto/x509: remove VerifyOptions.IsBoring
+ 2022-04-29 9e9c7a0aec [dev.boringcrypto] crypto/..., go/build: align deps test with standard rules
+ 2022-04-29 0ec08283c8 [dev.boringcrypto] crypto/internal/boring: make SHA calls allocation-free
+ 2022-04-29 3cb10d14b7 [dev.boringcrypto] crypto/internal/boring: avoid allocation in big.Int conversion
+ 2022-04-29 509776be5d [dev.boringcrypto] cmd/dist: default to use of boringcrypto
+ 2022-04-29 f4c0f42f99 [dev.boringcrypto] all: add boringcrypto build tags
+ 2022-04-29 1f0547c4ec [dev.boringcrypto] cmd/go: pass dependency syso to cgo too
+ 2022-04-29 e5407501cb [dev.boringcrypto] cmd: use notsha256 instead of md5, sha1, sha256
+ 2022-04-29 fe006d6410 [dev.boringcrypto] cmd/internal/notsha256: add new package
+ 2022-04-27 ec7f5165dd [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2022-04-22 ca6fd39cf6 [dev.boringcrypto] misc/boring: skip long tests during build.release
+ 2022-04-21 19e4b10f2f [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2022-04-20 e07d63964b [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2022-04-13 1f11660f54 [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2022-04-13 bc3e5d0ab7 [dev.boringcrypto] misc/boring: remove -trust and individual reviewers
+ 2022-04-05 4739b353bb [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2022-03-30 9d6ab825f6 [dev.boringcrypto] make.bash: disable GOEXPERIMENT when using bootstrap toolchain
+ 2022-03-30 d1405d7410 [dev.boringcrypto] crypto/internal/boring: update build instructions to use podman
+ 2022-03-29 50b8f490e1 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2022-03-15 0af0e19368 [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2022-03-07 f492793839 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2022-03-07 768804dfdd [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2022-02-11 8521d1ea34 [dev.boringcrypto] misc/boring: use go install cmd@latest for installing command
+ 2022-02-11 b75258fdd8 [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2022-02-08 74d25c624c [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2022-02-03 e14fee553a [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2022-01-14 d382493a20 [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2021-12-09 069bbf5434 [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2021-12-06 21fa0b2199 [dev.boringcrypto] crypto/internal/boring: add -pthread linker flag
+ 2021-12-03 a38b43e4ab [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2021-11-09 16215e5340 [dev.boringcrypto] cmd/compile: disable version test on boringcrypto
+ 2021-11-08 c9858c7bdc [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2021-11-05 ed07c49cb6 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2021-11-05 dc2658558d [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2021-10-28 69d5e469a4 [dev.boringcrypto] all: convert +build to //go:build lines in boring-specific files
+ 2021-10-08 2840ccbc05 [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2021-10-08 114aa69932 [dev.boringcrypto] misc/boring: fix Docker Hub references
+ 2021-10-08 7d26add6d5 [dev.boringcrypto] misc/boring: publish to Artifact Registry
+ 2021-08-27 5ae200d526 [dev.boringcrypto] crypto/tls: permit P-521 in FIPS mode
+ 2021-08-26 083811d079 [dev.boringcrypto] crypto/tls: use correct config in TestBoringClientHello
+ 2021-08-16 c7e7ce5ec1 [dev.boringcrypto] all: merge commit 57c115e1 into dev.boringcrypto
+ 2021-08-10 1fb58d6cad [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2021-07-14 934db9f0d6 [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2021-06-08 a890a4de30 [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2021-05-13 ed1f812cef [dev.boringcrypto] all: merge commit 9d0819b27c (CL 314609) into dev.boringcrypto
+ 2021-05-10 ad1b6f3ee0 [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2021-04-21 11061407d6 [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2021-03-23 b397e0c028 [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2021-03-15 128cecc70b [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2021-03-10 5e2f5a38c4 [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2021-02-26 42089e72fd [dev.boringcrypto] api: add crypto/boring.Enabled
+ 2021-02-24 03cd666173 [dev.boringcrypto] all: merge master (5b76343) into dev.boringcrypto
+ 2021-02-17 0f210b75f9 [dev.boringcrypto] all: merge master (2f0da6d) into dev.boringcrypto
+ 2021-02-12 1aea1b199f [dev.boringcrypto] misc/boring: support codereview.cfg in merge.sh
+ 2021-02-07 0d34d85dee [dev.boringcrypto] crypto/internal/boring: remove .llvm_addrsig section
+ 2021-02-07 325e03a64f [dev.boringcrypto] all: add codereview.cfg
+ 2021-02-05 d4f73546c8 [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2021-01-20 cf8ed7cca4 [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2021-01-20 f22137d785 [dev.boringcrypto] misc/boring: add -trust and roland@ to merge.sh and release.sh
+ 2020-12-12 e5c7bd0efa [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2020-12-02 5934c434c1 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2020-12-01 dea96ada17 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2020-11-18 906d6e362b [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2020-11-18 95ceba18d3 [dev.boringcrypto] crypto/hmac: merge up to 2a206c7 and skip test
+ 2020-11-17 0985c1bd2d [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2020-11-16 af814af6e7 [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2020-11-05 f42bd50779 [dev.boringcrypto] crypto/internal/boring: update BoringCrypto module to certificate 3678
+ 2020-10-19 ceda58bfd0 [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2020-09-29 af85c47233 [dev.boringcrypto] misc/boring: bump version to b6
+ 2020-09-29 f9b86a6562 [dev.boringcrypto] go/build: satisfy the boringcrypto build tag
+ 2020-09-29 ef2b318974 [dev.boringcrypto] crypto/boring: expose boring.Enabled()
+ 2020-09-14 3782421230 [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2020-08-18 6bbe47ccb6 [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2020-07-21 6e6e0b73d6 [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2020-07-09 d85ef2b979 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2020-07-09 a91ad4250c [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2020-06-10 5beb39baf8 [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2020-05-07 dd98c0ca3f [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2020-05-07 a9d2e3abf7 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2020-05-07 c19c0a047b [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2020-05-07 36c94f8421 [dev.boringcrypto] crypto/internal/boring: reject short signatures in VerifyRSAPKCS1v15
+ 2020-05-07 ee159d2f35 [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2020-04-08 e067ce5225 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2020-03-03 79284c2873 [dev.boringcrypto] crypto/internal/boring: make accesses to RSA types with finalizers safer
+ 2020-03-02 6c64b188a5 [dev.boringcrypto] crypto/internal/boring: update BoringCrypto module to certificate 3318
+ 2020-02-28 13355c78ff [dev.boringcrypto] misc/boring: add go1.14b4 to RELEASES file
+ 2020-02-28 4980c6b317 [dev.boringcrypto] misc/boring: x/build/cmd/release doesn't take subrepo flags anymore
+ 2020-02-28 601da81916 [dev.boringcrypto] misc/boring: make merge.sh and release.sh a little more robust
+ 2020-02-14 09bc5e8723 [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2020-02-06 f96dfe6b73 [dev.boringcrypto] misc/boring: add go1.13.7b4 and go1.12.16b4 releases to RELEASES file
+ 2020-02-05 2f9b2e75c4 [dev.boringcrypto] misc/docker: update Dockerfile to match recent Buster based golang images
+ 2020-02-05 527880d05c [dev.boringcrypto] misc/boring: update default CL reviewer to katie@golang.org
+ 2019-11-25 50ada481fb [dev.boringcrypto] misc/boring: add new releases to RELEASES file
+ 2019-11-20 6657395adf [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2019-11-20 ab0a649d44 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2019-11-19 62ce702c77 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2019-10-25 e8f14494a0 [dev.boringcrypto] misc/boring: add go1.13.3b4 and go1.12.12b4 to RELEASES file
+ 2019-10-17 988e4d832e [dev.boringcrypto] misc/boring: add go1.13.2b4 and go1.12.11b4 to RELEASES file
+ 2019-10-11 974fd1301a [dev.boringcrypto] misc/boring: publish to Docker Hub all releases, not only the latest
+ 2019-09-27 62ce8cd3ad [dev.boringcrypto] misc/boring: add go1.13.1b4 and go1.12.10b4 to RELEASES file
+ 2019-09-10 489d268683 [dev.boringcrypto] misc/boring: add Go+BoringCrypto 1.13b4 to RELEASES file
+ 2019-09-04 e0ee09095c [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2019-09-03 ff197f326f [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2019-08-21 5a1705286e [dev.boringcrypto] misc/boring: add go1.12.9b4 to RELEASES
+ 2019-08-15 1ebc594b3c [dev.boringcrypto] misc/boring: add go1.12.8b4 and go1.11.13b4 to RELEASES
+ 2019-08-13 9417029290 [dev.boringcrypto] misc/boring: remove download of releaselet.go in build.release
+ 2019-08-05 2691091a4a misc/boring: add Go 1.11.12b4 and 1.12.7b4 to RELEASES
+ 2019-07-19 6eccf6a6cd [dev.boringcrypto] misc/boring: add scripts to automate merges and releases
+ 2019-06-27 98188f3001 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2019-06-13 5c354e66d1 [dev.boringcrypto] misc/boring: add go1.12.6b4 and go1.11.11b4 releases
+ 2019-06-09 9bf9e7d4b2 [dev.boringcrypto] crypto: move crypto/internal/boring imports to reduce merge conflicts
+ 2019-06-05 324f8365be [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2019-05-28 e48f228c9b [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2019-05-14 42e353245c [dev.boringcrypto] misc/boring: add go1.12.5b4 release
+ 2019-03-29 211a13fd44 [dev.boringcrypto] misc/boring: add go1.11.6b4 to RELEASES
+ 2019-03-28 347af7f060 [dev.boringcrypto] misc/boring: add go1.12.1b4 and update build scripts
+ 2019-02-27 a10558f870 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2019-02-08 4ed8ad4d69 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2019-01-24 14c64dbc4a [dev.boringcrypto] misc/boring: add go1.10.8b4 and go1.11.5b4
+ 2018-12-15 3f9e53f346 [dev.boringcrypto] misc/boring: add go1.10.7b4 and go1.11.4b4 releases
+ 2018-12-14 92d975e906 [dev.boringcrypto] misc/boring: add go1.11.2b4 release
+ 2018-11-14 c524da4917 [dev.boringcrypto] crypto/tls: test for TLS 1.3 to be disabled in FIPS mode
+ 2018-11-14 bfd6d30118 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2018-11-14 0007017f96 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2018-11-14 3169778c15 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2018-11-14 ab37582eb0 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2018-11-14 e8b3500d5c [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2018-11-14 de153ac2a1 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2018-11-14 0cbb11c720 [dev.boringcrypto] cmd/compile: by default accept any language
+ 2018-11-13 11e916773e [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2018-11-13 af07f7734b [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2018-10-25 13bf5b80e8 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2018-10-15 623650b27a [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2018-10-01 36c789b1fd [dev.boringcrypto] misc/boring: add go1.10.4b4 and go1.11b4 releases
+ 2018-09-07 693875e3f2 [dev.boringcrypto] crypto/internal/boring: avoid an allocation in AES-GCM Seal and Open
+ 2018-09-06 4d1aa482b8 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2018-08-04 7eb1677c01 [dev.boringcrypto] crypto/internal/boring: fix aesCipher implementation of gcmAble
+ 2018-07-11 eaa3e94eb8 [dev.boringcrypto] misc/boring: add go1.9.7b4 and go1.10.3b4 releases
+ 2018-07-11 5f0402a26b [dev.boringcrypto] misc/boring: support build.release on macOS
+ 2018-07-03 77db076129 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2018-06-13 b77f5e4c85 [dev.boringcrypto] crypto/rsa: drop random source reading emulation
+ 2018-06-08 a4b7722ffa [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2018-05-29 18db93d7e6 [dev.boringcrypto] crypto/tls: restore AES-GCM priority when BoringCrypto is enabled
+ 2018-05-25 3d9a6ac709 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2018-05-18 019a994e32 [dev.boringcrypto] crypto/rsa: fix boringFakeRandomBlind to work with (*big.Int).ModInverse
+ 2018-05-17 a3f9ce3313 [dev.boringcrypto] all: merge master into dev.boringcrypto
+ 2018-02-09 528dad8c72 [dev.cryptoboring] misc/boring: update README for Bazel
+ 2018-02-06 c3d83ee31c [dev.boringcrypto] misc/boring: add go1.9.3b4 to RELEASES
+ 2017-12-13 f62a24349d [dev.boringcrypto] all: merge go1.10beta1 into dev.boringcrypto
+ 2017-12-06 3e52f22ece [dev.boringcrypto] crypto/internal/boring: add MarshalBinary/UnmarshalBinary to hashes
+ 2017-12-06 5379f7847f [dev.boringcrypto] all: merge master (more nearly Go 1.10 beta 1) into dev.boringcrypto
+ 2017-12-06 185e6094fd [dev.boringcrypto] all: merge master (nearly Go 1.10 beta 1) into dev.boringcrypto
+ 2017-11-20 c36033a379 [dev.boringcrypto] misc/boring: add go1.9.2b4 release
+ 2017-11-20 cda3c6f91d [dev.boringcrypto] all: merge go1.9.2 into dev.boringcrypto
+ 2017-10-25 2ea7d3461b [release-branch.go1.9] go1.9.2
+ 2017-10-25 d93cb46280 [release-branch.go1.9] runtime: use simple, more robust fastrandn
+ 2017-10-25 78952c06c5 [release-branch.go1.9] cmd/compile: fix sign-extension merging rules
+ 2017-10-25 79996e4a1d [release-branch.go1.9] cmd/compile: avoid generating large offsets
+ 2017-10-25 f36b12657c [release-branch.go1.9] runtime: in cpuProfile.addExtra, set p.lostExtra to 0 after flush
+ 2017-10-25 dffc9319f1 [release-branch.go1.9] cmd/cgo: support large unsigned macro again
+ 2017-10-25 33ce1682c7 [release-branch.go1.9] cmd/cgo: avoid using common names for sniffing
+ 2017-10-25 f69668e1d0 [release-branch.go1.9] os: skip TestPipeThreads as flaky for 1.9
+ 2017-10-25 9be38a15e4 [release-branch.go1.9] runtime: avoid monotonic time zero on systems with low-res timers
+ 2017-10-25 8bb333a9c0 [release-branch.go1.9] doc: document Go 1.9.2
+ 2017-10-25 0758d2b9da [release-branch.go1.9] cmd/go: clean up x.exe properly in TestImportMain
+ 2017-10-25 d487b15a61 [release-branch.go1.9] cmd/compile: omit ICE diagnostics after normal error messages
+ 2017-10-25 fd17253587 [release-branch.go1.9] database/sql: prevent race in driver by locking dc in Next
+ 2017-10-25 7e7cb30475 [release-branch.go1.9] internal/poll: only call SetFileCompletionNotificationModes for sockets
+ 2017-10-25 f259aed082 [release-branch.go1.9] internal/poll: do not call SetFileCompletionNotificationModes if it is broken
+ 2017-10-25 39d4bb9c0f [release-branch.go1.9] cmd/go: correct directory used in checkNestedVCS test
+ 2017-10-25 bfc22319aa [release-branch.go1.9] crypto/x509: reject intermediates with unknown critical extensions.
+ 2017-10-25 a1e34abfb3 [release-branch.go1.9] net/smtp: NewClient: set tls field to true when already using a TLS connection
+ 2017-10-25 7dadd8d517 [release-branch.go1.9] net: increase expected time to dial a closed port on all Darwin ports
+ 2017-10-25 d80889341c [release-branch.go1.9] cmd/compile: fix merge rules for panic calls
+ 2017-10-25 87b3a27839 [release-branch.go1.9] net: bump TestDialerDualStackFDLeak timeout on iOS
+ 2017-10-25 ebfcdef901 [release-branch.go1.9] runtime: make runtime.GC() trigger GC even if GOGC=off
+ 2017-10-25 0ab99b396d [release-branch.go1.9] cmd/compile: fix regression in PPC64.rules move zero
+ 2017-10-25 8d4279c111 [release-branch.go1.9] internal/poll: be explicit when using runtime netpoller
+ 2017-10-25 1ded8334f7 [release-branch.go1.9] cmd/compile/internal/syntax: fix source buffer refilling
+ 2017-10-25 ff8289f879 [release-branch.go1.9] reflect: fix pointer past-the-end in Call with zero-sized return value
+ 2017-10-25 bd34e74134 [release-branch.go1.9] log: fix data race on log.Output
+ 2017-10-25 0b55d8dbfc [release-branch.go1.9] cmd/compile: replace GOROOT in //line directives
+ 2017-10-25 5c48811aec [release-branch.go1.9] cmd/compile: limit the number of simultaneously opened files to avoid EMFILE/ENFILE errors
+ 2017-10-25 8c7fa95ad3 [release-branch.go1.9] expvar: make (*Map).Init clear existing keys
+ 2017-10-25 ccd5abc105 [release-branch.go1.9] cmd/compile: simplify "missing function body" error message
+ 2017-10-25 2e4358c960 [release-branch.go1.9] time: fix documentation of Round, Truncate behavior for d <= 0
+ 2017-10-25 c6388d381e [release-branch.go1.9] runtime: capture runtimeInitTime after nanotime is initialized
+ 2017-10-25 724638c9d8 [release-branch.go1.9] crypto/x509: skip TestSystemRoots
+ 2017-10-25 ed3b0d63b7 [release-branch.go1.9] internal/poll: add tests for Windows file and serial ports
+ 2017-10-04 93322a5b3d [release-branch.go1.9] doc: add missing "Minor revisions" header for 1.9
+ 2017-10-04 7f40c1214d [release-branch.go1.9] go1.9.1
+ 2017-10-04 598433b17a [release-branch.go1.9] doc: document go1.9.1 and go1.8.4
+ 2017-10-04 815cad3ed0 [release-branch.go1.9] doc/1.9: add mention of net/http.LocalAddrContextKey
+ 2017-10-04 1900d34a10 [release-branch.go1.9] net/smtp: fix PlainAuth to refuse to send passwords to non-TLS servers
+ 2017-10-04 a39bcecea6 [release-branch.go1.9] cmd/go: reject update of VCS inside VCS
+ 2017-10-04 d9e64910af [release-branch.go1.9] runtime: deflake TestPeriodicGC
+ 2017-09-28 adc1f587ac [dev.boringcrypto] misc/boring: add src releases
+ 2017-09-25 4038503543 [dev.boringcrypto] misc/boring: add go1.8.3b4
+ 2017-09-25 d724c60b4d [dev.boringcrypto] misc/boring: update README
+ 2017-09-22 70bada9db3 [dev.boringcrypto] misc/boring: add go1.9b4 release
+ 2017-09-22 e6ad24cde7 [dev.boringcrypto] all: merge go1.9 into dev.boringcrypto
+ 2017-09-22 431e071eed [dev.boringcrypto] misc/boring: add go1.9rc2b4 release
+ 2017-09-22 cc6e26b2e1 [dev.boringcrypto] api: add crypto/x509.VerifyOptions.IsBoring to make release builder happy
+ 2017-09-22 bac02b14b5 [dev.boringcrypto] misc/boring: update VERSION
+ 2017-09-22 3ed08db261 [dev.boringcrypto] crypto/tls/fipsonly: new package to force FIPS-allowed TLS settings
+ 2017-09-20 2ba76155cd [dev.boringcrypto] crypto/internal/boring: fix finalizer-induced crashes
+ 2017-09-18 32dc9b247f [dev.boringcrypto] cmd/go: exclude SysoFiles when using -msan
+ 2017-09-18 9f025cbdeb [dev.boringcrypto] crypto/internal/boring: fall back to standard crypto when using -msan
+ 2017-09-18 89ba9e3541 [dev.boringcrypto] crypto/aes: panic on invalid dst, src overlap
+ 2017-09-18 a929f3a04d [dev.boringcrypto] crypto/rsa: fix boring GenerateKey to set non-nil Precomputed.CRTValues
+ 2017-09-18 aa4a4a80ff [dev.boringcrypto] crypto/internal/boring: fix detection of tests to allow *.test and *_test
+ 2017-09-18 c9e2d9eb06 [dev.boringcrypto] crypto/rsa: add test for, fix observable reads from custom randomness
+ 2017-09-18 e773ea9aa3 [dev.boringcrypto] crypto/hmac: add test for Write/Sum after Sum
+ 2017-09-18 8fa8f42cb3 [dev.boringcrypto] crypto/internal/boring: allow hmac operations after Sum
+ 2017-09-18 07f6ce9d39 [dev.boringcrypto] crypto/internal/boring: handle RSA verification of short signatures
+ 2017-09-14 e8eec3fbdb [dev.boringcrypto] cmd/compile: refine BoringCrypto kludge
+ 2017-08-30 7b49445d0f [dev.boringcrypto] cmd/compile: hide new boring fields from reflection
+ 2017-08-30 81b9d733b0 [dev.boringcrypto] crypto/hmac: test empty key
+ 2017-08-30 f6358bdb6c [dev.boringcrypto] crypto/internal/boring: fix NewHMAC with empty key
+ 2017-08-30 9c307d8039 [dev.boringcrypto] crypto/internal/cipherhw: fix AESGCMSupport for BoringCrypto
+ 2017-08-26 f48a9fb815 [dev.boringcrypto] misc/boring: release packaging
+ 2017-08-25 94fb8224b2 [dev.boringcrypto] crypto/internal/boring: disable for android & non-cgo builds
+ 2017-08-25 7ff9fcafbd [dev.boringcrypto] crypto/internal/boring: clear "executable stack" bit from syso
+ 2017-08-24 c8aec4095e [release-branch.go1.9] go1.9
+ 2017-08-24 b8c9ef9f09 [release-branch.go1.9] doc: add go1.9 to golang.org/project
+ 2017-08-24 136f4a6b2a [release-branch.go1.9] doc: document go1.9
+ 2017-08-24 867be4c60c [release-branch.go1.9] doc/go1.9: fix typo in Moved GOROOT
+ 2017-08-24 d1351fbc31 [dev.boringcrypto] cmd/link: allow internal linking for crypto/internal/boring
+ 2017-08-24 991652dcf0 [dev.boringcrypto] cmd/link: work around DWARF symbol bug
+ 2017-08-22 9a4e7942ea [release-branch.go1.9] cmd/compile: remove gc.Sysfunc calls from 387 backend
+ 2017-08-22 ff38035a62 [release-branch.go1.9] doc/go1.9: fix typo in crypto/x509 of "Minor changes to the library".
+ 2017-08-19 7e9e3a06cb [dev.boringcrypto] crypto/rsa: use BoringCrypto
+ 2017-08-19 bc38fda367 [dev.boringcrypto] crypto/ecdsa: use unsafe.Pointer instead of atomic.Value
+ 2017-08-18 42046e8989 [release-branch.go1.9] runtime: fix false positive race in profile label reading
+ 2017-08-18 fbf7e1f295 [release-branch.go1.9] testing: don't fail all tests after racy test failure
+ 2017-08-18 21312a4b5e [release-branch.go1.9] cmd/dist: update deps.go for current dependencies
+ 2017-08-18 5927854f7d [release-branch.go1.9] cmd/compile: add rules handling unsigned div/mod by constant 1<<63
+ 2017-08-18 65717b2dca [release-branch.go1.9] runtime: fix usleep by correctly setting nanoseconds parameter for pselect6
+ 2017-08-17 b1f201e951 [dev.boringcrypto] crypto/ecdsa: use BoringCrypto
+ 2017-08-17 2efded1cd2 [dev.boringcrypto] crypto/tls: use TLS-specific AES-GCM mode if available
+ 2017-08-17 335a0f87bf [dev.boringcrypto] crypto/aes: implement TLS-specific AES-GCM mode from BoringCrypto
+ 2017-08-17 8d05ec9e58 [dev.boringcrypto] crypto/aes: use BoringCrypto
+ 2017-08-17 74e33c43e9 [dev.boringcrypto] crypto/hmac: use BoringCrypto
+ 2017-08-17 96d6718e4f [dev.boringcrypto] crypto/sha1,sha256,sha512: use BoringCrypto
+ 2017-08-17 e0e2bbdd00 [dev.boringcrypto] runtime/race: move TestRaceIssue5567 from sha1 to crc32
+ 2017-08-17 fe02ba30f1 [dev.boringcrypto] crypto/rand: use BoringCrypto
+ 2017-08-17 6e70f88f84 [dev.boringcrypto] crypto/internal/boring: add initial BoringCrypto access
+ 2017-08-16 dcdcc38440 [dev.boringcrypto] add README.boringcrypto.md, update VERSION
+ 2017-08-16 19b89a22df [dev.boringcrypto] cmd/link: implement R_X86_64_PC64 relocations
+ 2017-08-07 048c9cfaac [release-branch.go1.9] go1.9rc2
+ 2017-08-07 cff0de3da3 [release-branch.go1.9] all: merge master into release-branch.go1.9
+ 2017-07-31 196492a299 [release-branch.go1.9] runtime: map bitmap and spans during heap initialization
+ 2017-07-31 1a6d87d4bf [release-branch.go1.9] runtime: fall back to small mmaps if we fail to grow reservation
+ 2017-07-27 7320506bc5 [release-branch.go1.9] cmd/dist: skip moved GOROOT on Go's Windows builders when not sharding tests
+ 2017-07-24 65c6c88a94 [release-branch.go1.9] go1.9rc1
+ 2017-07-24 fbc9b49790 [release-branch.go1.9] cmd/compile: consider exported flag in namedata

Change-Id: I5344e8e4813a9a0900f6633499a3ddf22895a4d5

32 files changed, 1830 insertions, 40 deletions

diff --git a/src/cmd/api/goapi_boring_test.go b/src/cmd/api/goapi_boring_test.go
new file mode 100644
index 0000000000..f0e3575637
--- /dev/null
+++ b/src/cmd/api/goapi_boring_test.go
@@ -0,0 +1,17 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build boringcrypto
+
+package main
+
+import (
+	"fmt"
+	"os"
+)
+
+func init() {
+	fmt.Printf("SKIP with boringcrypto enabled\n")
+	os.Exit(0)
+}
diff --git a/src/cmd/cgo/main.go b/src/cmd/cgo/main.go
index 21d895be26..e3434598b2 100644
--- a/src/cmd/cgo/main.go
+++ b/src/cmd/cgo/main.go
@@ -11,7 +11,6 @@
 package main
 
 import (
-	"crypto/md5"
 	"flag"
 	"fmt"
 	"go/ast"
@@ -28,6 +27,7 @@ import (
 	"strings"
 
 	"cmd/internal/edit"
+	"cmd/internal/notsha256"
 	"cmd/internal/objabi"
 )
 
@@ -331,8 +331,8 @@ func main() {
 	// we use to coordinate between gcc and ourselves.
 	// We already put _cgo_ at the beginning, so the main
 	// concern is other cgo wrappers for the same functions.
-	// Use the beginning of the md5 of the input to disambiguate.
-	h := md5.New()
+	// Use the beginning of the notsha256 of the input to disambiguate.
+	h := notsha256.New()
 	io.WriteString(h, *importPath)
 	fs := make([]*File, len(goFiles))
 	for i, input := range goFiles {
diff --git a/src/cmd/compile/internal/amd64/versions_test.go b/src/cmd/compile/internal/amd64/versions_test.go
index 248f07067f..2ac6e95c91 100644
--- a/src/cmd/compile/internal/amd64/versions_test.go
+++ b/src/cmd/compile/internal/amd64/versions_test.go
@@ -2,6 +2,10 @@
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
+// When using GOEXPERIMENT=boringcrypto, the test program links in the boringcrypto syso,
+// which does not respect GOAMD64, so we skip the test if boringcrypto is enabled.
+//go:build !boringcrypto
+
 package amd64_test
 
 import (
diff --git a/src/cmd/compile/internal/liveness/plive.go b/src/cmd/compile/internal/liveness/plive.go
index bd0a6fa1a3..93f49fad45 100644
--- a/src/cmd/compile/internal/liveness/plive.go
+++ b/src/cmd/compile/internal/liveness/plive.go
@@ -15,7 +15,6 @@
 package liveness
 
 import (
-	"crypto/sha1"
 	"fmt"
 	"os"
 	"sort"
@@ -30,6 +29,7 @@ import (
 	"cmd/compile/internal/ssa"
 	"cmd/compile/internal/typebits"
 	"cmd/compile/internal/types"
+	"cmd/internal/notsha256"
 	"cmd/internal/obj"
 	"cmd/internal/objabi"
 	"cmd/internal/src"
@@ -959,7 +959,7 @@ func (lv *liveness) enableClobber() {
 		// Clobber only functions where the hash of the function name matches a pattern.
 		// Useful for binary searching for a miscompiled function.
 		hstr := ""
-		for _, b := range sha1.Sum([]byte(lv.f.Name)) {
+		for _, b := range notsha256.Sum256([]byte(lv.f.Name)) {
 			hstr += fmt.Sprintf("%08b", b)
 		}
 		if !strings.HasSuffix(hstr, h) {
diff --git a/src/cmd/compile/internal/ssa/func.go b/src/cmd/compile/internal/ssa/func.go
index 35a9382663..75f17634ec 100644
--- a/src/cmd/compile/internal/ssa/func.go
+++ b/src/cmd/compile/internal/ssa/func.go
@@ -8,8 +8,8 @@ import (
 	"cmd/compile/internal/abi"
 	"cmd/compile/internal/base"
 	"cmd/compile/internal/types"
+	"cmd/internal/notsha256"
 	"cmd/internal/src"
-	"crypto/sha1"
 	"fmt"
 	"io"
 	"math"
@@ -854,7 +854,7 @@ func (f *Func) DebugHashMatch(evname string) bool {
 	// We use this feature to do a binary search to
 	// find a function that is incorrectly compiled.
 	hstr := ""
-	for _, b := range sha1.Sum([]byte(name)) {
+	for _, b := range notsha256.Sum256([]byte(name)) {
 		hstr += fmt.Sprintf("%08b", b)
 	}
 
diff --git a/src/cmd/compile/internal/ssa/print.go b/src/cmd/compile/internal/ssa/print.go
index 96cd2c7c90..aea9ce9e33 100644
--- a/src/cmd/compile/internal/ssa/print.go
+++ b/src/cmd/compile/internal/ssa/print.go
@@ -6,10 +6,11 @@ package ssa
 
 import (
 	"bytes"
-	"cmd/internal/src"
-	"crypto/sha256"
 	"fmt"
 	"io"
+
+	"cmd/internal/notsha256"
+	"cmd/internal/src"
 )
 
 func printFunc(f *Func) {
@@ -17,7 +18,7 @@ func printFunc(f *Func) {
 }
 
 func hashFunc(f *Func) []byte {
-	h := sha256.New()
+	h := notsha256.New()
 	p := stringFuncPrinter{w: h, printDead: true}
 	fprintFunc(p, f)
 	return h.Sum(nil)
@@ -32,7 +33,7 @@ func (f *Func) String() string {
 
 // rewriteHash returns a hash of f suitable for detecting rewrite cycles.
 func (f *Func) rewriteHash() string {
-	h := sha256.New()
+	h := notsha256.New()
 	p := stringFuncPrinter{w: h, printDead: false}
 	fprintFunc(p, f)
 	return fmt.Sprintf("%x", h.Sum(nil))
diff --git a/src/cmd/compile/internal/staticdata/data.go b/src/cmd/compile/internal/staticdata/data.go
index b114bb2df6..b8b645f246 100644
--- a/src/cmd/compile/internal/staticdata/data.go
+++ b/src/cmd/compile/internal/staticdata/data.go
@@ -5,7 +5,6 @@
 package staticdata
 
 import (
-	"crypto/sha256"
 	"fmt"
 	"go/constant"
 	"io"
@@ -20,6 +19,7 @@ import (
 	"cmd/compile/internal/objw"
 	"cmd/compile/internal/typecheck"
 	"cmd/compile/internal/types"
+	"cmd/internal/notsha256"
 	"cmd/internal/obj"
 	"cmd/internal/objabi"
 	"cmd/internal/src"
@@ -73,7 +73,7 @@ func StringSym(pos src.XPos, s string) (data *obj.LSym) {
 		// Indulge in some paranoia by writing the length of s, too,
 		// as protection against length extension attacks.
 		// Same pattern is known to fileStringSym below.
-		h := sha256.New()
+		h := notsha256.New()
 		io.WriteString(h, s)
 		symname = fmt.Sprintf(stringSymPattern, len(s), h.Sum(nil))
 	} else {
@@ -131,7 +131,7 @@ func fileStringSym(pos src.XPos, file string, readonly bool, hash []byte) (*obj.
 			sym = slicedata(pos, string(data)).Linksym()
 		}
 		if len(hash) > 0 {
-			sum := sha256.Sum256(data)
+			sum := notsha256.Sum256(data)
 			copy(hash, sum[:])
 		}
 		return sym, size, nil
@@ -148,7 +148,7 @@ func fileStringSym(pos src.XPos, file string, readonly bool, hash []byte) (*obj.
 	// Compute hash if needed for read-only content hashing or if the caller wants it.
 	var sum []byte
 	if readonly || len(hash) > 0 {
-		h := sha256.New()
+		h := notsha256.New()
 		n, err := io.Copy(h, f)
 		if err != nil {
 			return nil, 0, err
diff --git a/src/cmd/compile/internal/typecheck/iexport.go b/src/cmd/compile/internal/typecheck/iexport.go
index f273d26fb0..bf721d6495 100644
--- a/src/cmd/compile/internal/typecheck/iexport.go
+++ b/src/cmd/compile/internal/typecheck/iexport.go
@@ -236,7 +236,6 @@ package typecheck
 
 import (
 	"bytes"
-	"crypto/md5"
 	"encoding/binary"
 	"fmt"
 	"go/constant"
@@ -250,6 +249,7 @@ import (
 	"cmd/compile/internal/ir"
 	"cmd/compile/internal/types"
 	"cmd/internal/goobj"
+	"cmd/internal/notsha256"
 	"cmd/internal/src"
 )
 
@@ -353,7 +353,7 @@ func WriteExports(out io.Writer, extensions bool) {
 	hdr.uint64(dataLen)
 
 	// Flush output.
-	h := md5.New()
+	h := notsha256.New()
 	wr := io.MultiWriter(out, h)
 	io.Copy(wr, &hdr)
 	io.Copy(wr, &p.strings)
diff --git a/src/cmd/compile/internal/types/fmt.go b/src/cmd/compile/internal/types/fmt.go
index bdd3ca1d28..3c02cb8681 100644
--- a/src/cmd/compile/internal/types/fmt.go
+++ b/src/cmd/compile/internal/types/fmt.go
@@ -6,7 +6,6 @@ package types
 
 import (
 	"bytes"
-	"crypto/md5"
 	"encoding/binary"
 	"fmt"
 	"go/constant"
@@ -15,6 +14,7 @@ import (
 	"sync"
 
 	"cmd/compile/internal/base"
+	"cmd/internal/notsha256"
 )
 
 // BuiltinPkg is a fake package that declares the universe block.
@@ -771,7 +771,7 @@ func FmtConst(v constant.Value, sharp bool) string {
 func TypeHash(t *Type) uint32 {
 	p := tconv(t, 0, fmtTypeIDHash)
 
-	// Using MD5 is overkill, but reduces accidental collisions.
-	h := md5.Sum([]byte(p))
+	// Using SHA256 is overkill, but reduces accidental collisions.
+	h := notsha256.Sum256([]byte(p))
 	return binary.LittleEndian.Uint32(h[:4])
 }
diff --git a/src/cmd/dist/buildtool.go b/src/cmd/dist/buildtool.go
index 8afa7f7867..f1f3d50b6f 100644
--- a/src/cmd/dist/buildtool.go
+++ b/src/cmd/dist/buildtool.go
@@ -44,6 +44,7 @@ var bootstrapDirs = []string{
 	"cmd/internal/edit",
 	"cmd/internal/gcprog",
 	"cmd/internal/goobj",
+	"cmd/internal/notsha256",
 	"cmd/internal/obj/...",
 	"cmd/internal/objabi",
 	"cmd/internal/pkgpath",
diff --git a/src/cmd/go/go_boring_test.go b/src/cmd/go/go_boring_test.go
new file mode 100644
index 0000000000..ed0fbf3d53
--- /dev/null
+++ b/src/cmd/go/go_boring_test.go
@@ -0,0 +1,22 @@
+// Copyright 2015 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build boringcrypto
+
+package main_test
+
+import "testing"
+
+func TestBoringInternalLink(t *testing.T) {
+	tg := testgo(t)
+	defer tg.cleanup()
+	tg.parallel()
+	tg.tempFile("main.go", `package main
+		import "crypto/sha1"
+		func main() {
+			sha1.New()
+		}`)
+	tg.run("build", "-ldflags=-w -extld=false", tg.path("main.go"))
+	tg.run("build", "-ldflags=-extld=false", tg.path("main.go"))
+}
diff --git a/src/cmd/go/go_test.go b/src/cmd/go/go_test.go
index b17c776650..905dd68274 100644
--- a/src/cmd/go/go_test.go
+++ b/src/cmd/go/go_test.go
@@ -1903,8 +1903,12 @@ func TestBinaryOnlyPackages(t *testing.T) {
 	tg.grepStdout("p2: false", "p2 listed as BinaryOnly")
 }
 
-// Issue 16050.
-func TestAlwaysLinkSysoFiles(t *testing.T) {
+// Issue 16050 and 21884.
+func TestLinkSysoFiles(t *testing.T) {
+	if runtime.GOOS != "linux" || runtime.GOARCH != "amd64" {
+		t.Skip("not linux/amd64")
+	}
+
 	tg := testgo(t)
 	defer tg.cleanup()
 	tg.parallel()
@@ -1923,6 +1927,10 @@ func TestAlwaysLinkSysoFiles(t *testing.T) {
 	tg.setenv("CGO_ENABLED", "0")
 	tg.run("list", "-f", "{{.SysoFiles}}", "syso")
 	tg.grepStdout("a.syso", "missing syso file with CGO_ENABLED=0")
+
+	tg.setenv("CGO_ENABLED", "1")
+	tg.run("list", "-msan", "-f", "{{.SysoFiles}}", "syso")
+	tg.grepStdoutNot("a.syso", "unexpected syso file with -msan")
 }
 
 // Issue 16120.
diff --git a/src/cmd/go/internal/load/pkg.go b/src/cmd/go/internal/load/pkg.go
index 51bf7176d1..7f2ce324d2 100644
--- a/src/cmd/go/internal/load/pkg.go
+++ b/src/cmd/go/internal/load/pkg.go
@@ -401,6 +401,12 @@ func (p *Package) copyBuild(opts PackageOpts, pp *build.Package) {
 	p.SwigFiles = pp.SwigFiles
 	p.SwigCXXFiles = pp.SwigCXXFiles
 	p.SysoFiles = pp.SysoFiles
+	if cfg.BuildMSan {
+		// There's no way for .syso files to be built both with and without
+		// support for memory sanitizer. Assume they are built without,
+		// and drop them.
+		p.SysoFiles = nil
+	}
 	p.CgoCFLAGS = pp.CgoCFLAGS
 	p.CgoCPPFLAGS = pp.CgoCPPFLAGS
 	p.CgoCXXFLAGS = pp.CgoCXXFLAGS
diff --git a/src/cmd/go/internal/work/exec.go b/src/cmd/go/internal/work/exec.go
index 7f5fb774ea..15b9e1ef45 100644
--- a/src/cmd/go/internal/work/exec.go
+++ b/src/cmd/go/internal/work/exec.go
@@ -22,6 +22,7 @@ import (
 	"path/filepath"
 	"regexp"
 	"runtime"
+	"sort"
 	"strconv"
 	"strings"
 	"sync"
@@ -2993,7 +2994,26 @@ func (b *Builder) dynimport(a *Action, p *load.Package, objdir, importGo, cgoExe
 		return err
 	}
 
-	linkobj := str.StringList(ofile, outObj, mkAbsFiles(p.Dir, p.SysoFiles))
+	// Gather .syso files from this package and all (transitive) dependencies.
+	var syso []string
+	seen := make(map[*Action]bool)
+	var gatherSyso func(*Action)
+	gatherSyso = func(a1 *Action) {
+		if seen[a1] {
+			return
+		}
+		seen[a1] = true
+		if p1 := a1.Package; p1 != nil {
+			syso = append(syso, mkAbsFiles(p1.Dir, p1.SysoFiles)...)
+		}
+		for _, a2 := range a1.Deps {
+			gatherSyso(a2)
+		}
+	}
+	gatherSyso(a)
+	sort.Strings(syso)
+	str.Uniq(&syso)
+	linkobj := str.StringList(ofile, outObj, syso)
 	dynobj := objdir + "_cgo_.o"
 
 	ldflags := cgoLDFLAGS
diff --git a/src/cmd/go/testdata/script/link_syso_deps.txt b/src/cmd/go/testdata/script/link_syso_deps.txt
new file mode 100644
index 0000000000..7b458b0826
--- /dev/null
+++ b/src/cmd/go/testdata/script/link_syso_deps.txt
@@ -0,0 +1,54 @@
+# Test that syso in deps is available to cgo.
+
+[!gc] skip
+[!cgo] skip
+
+# External linking is not supported on linux/ppc64.
+# See: https://github.com/golang/go/issues/8912
+[linux] [ppc64] skip
+
+cc -c -o syso/x.syso syso/x.c
+cc -c -o syso2/x.syso syso2/x.c
+go build m/cgo
+
+-- go.mod --
+module m
+
+go 1.18
+-- cgo/x.go --
+package cgo
+
+// extern void f(void);
+// extern void g(void);
+import "C"
+
+func F() {
+	C.f()
+}
+
+func G() {
+	C.g()
+}
+
+-- cgo/x2.go --
+package cgo
+
+import _ "m/syso"
+
+-- syso/x.c --
+//go:build ignore
+
+void f() {}
+
+-- syso/x.go --
+package syso
+
+import _ "m/syso2"
+
+-- syso2/x.c --
+//go:build ignore
+
+void g() {}
+
+-- syso2/x.go --
+package syso2
diff --git a/src/cmd/internal/codesign/codesign.go b/src/cmd/internal/codesign/codesign.go
index 0517a10640..1116393b5c 100644
--- a/src/cmd/internal/codesign/codesign.go
+++ b/src/cmd/internal/codesign/codesign.go
@@ -11,10 +11,11 @@
 package codesign
 
 import (
-	"crypto/sha256"
 	"debug/macho"
 	"encoding/binary"
 	"io"
+
+	"cmd/internal/notsha256"
 )
 
 // Code signature layout.
@@ -190,7 +191,7 @@ func Size(codeSize int64, id string) int64 {
 	nhashes := (codeSize + pageSize - 1) / pageSize
 	idOff := int64(codeDirectorySize)
 	hashOff := idOff + int64(len(id)+1)
-	cdirSz := hashOff + nhashes*sha256.Size
+	cdirSz := hashOff + nhashes*notsha256.Size
 	return int64(superBlobSize+blobSize) + cdirSz
 }
 
@@ -226,7 +227,7 @@ func Sign(out []byte, data io.Reader, id string, codeSize, textOff, textSize int
 		identOffset:  uint32(idOff),
 		nCodeSlots:   uint32(nhashes),
 		codeLimit:    uint32(codeSize),
-		hashSize:     sha256.Size,
+		hashSize:     notsha256.Size,
 		hashType:     CS_HASHTYPE_SHA256,
 		pageSize:     uint8(pageSizeBits),
 		execSegBase:  uint64(textOff),
@@ -245,8 +246,12 @@ func Sign(out []byte, data io.Reader, id string, codeSize, textOff, textSize int
 	outp = puts(outp, []byte(id+"\000"))
 
 	// emit hashes
+	// NOTE(rsc): These must be SHA256, but for cgo bootstrap reasons
+	// we cannot import crypto/sha256 when GOEXPERIMENT=boringcrypto
+	// and the host is linux/amd64. So we use NOT-SHA256
+	// and then apply a NOT ourselves to get SHA256. Sigh.
 	var buf [pageSize]byte
-	h := sha256.New()
+	h := notsha256.New()
 	p := 0
 	for p < int(codeSize) {
 		n, err := io.ReadFull(data, buf[:])
@@ -263,6 +268,9 @@ func Sign(out []byte, data io.Reader, id string, codeSize, textOff, textSize int
 		h.Reset()
 		h.Write(buf[:n])
 		b := h.Sum(nil)
+		for i := range b {
+			b[i] ^= 0xFF // convert notsha256 to sha256
+		}
 		outp = puts(outp, b[:])
 	}
 }
diff --git a/src/cmd/internal/goobj/objfile.go b/src/cmd/internal/goobj/objfile.go
index 3e36c461fa..e58be66e59 100644
--- a/src/cmd/internal/goobj/objfile.go
+++ b/src/cmd/internal/goobj/objfile.go
@@ -20,7 +20,7 @@ package goobj
 
 import (
 	"cmd/internal/bio"
-	"crypto/sha1"
+	"cmd/internal/notsha256"
 	"encoding/binary"
 	"errors"
 	"fmt"
@@ -367,7 +367,7 @@ const Hash64Size = 8
 // Hash
 type HashType [HashSize]byte
 
-const HashSize = sha1.Size
+const HashSize = notsha256.Size
 
 // Relocation.
 //
diff --git a/src/cmd/internal/notsha256/example_test.go b/src/cmd/internal/notsha256/example_test.go
new file mode 100644
index 0000000000..06e9c379c9
--- /dev/null
+++ b/src/cmd/internal/notsha256/example_test.go
@@ -0,0 +1,41 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package notsha256_test
+
+import (
+	"crypto/sha256"
+	"fmt"
+	"io"
+	"log"
+	"os"
+)
+
+func ExampleSum256() {
+	sum := sha256.Sum256([]byte("hello world\n"))
+	fmt.Printf("%x", sum)
+	// Output: a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
+}
+
+func ExampleNew() {
+	h := sha256.New()
+	h.Write([]byte("hello world\n"))
+	fmt.Printf("%x", h.Sum(nil))
+	// Output: a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447
+}
+
+func ExampleNew_file() {
+	f, err := os.Open("file.txt")
+	if err != nil {
+		log.Fatal(err)
+	}
+	defer f.Close()
+
+	h := sha256.New()
+	if _, err := io.Copy(h, f); err != nil {
+		log.Fatal(err)
+	}
+
+	fmt.Printf("%x", h.Sum(nil))
+}
diff --git a/src/cmd/internal/notsha256/sha256.go b/src/cmd/internal/notsha256/sha256.go
new file mode 100644
index 0000000000..080b344979
--- /dev/null
+++ b/src/cmd/internal/notsha256/sha256.go
@@ -0,0 +1,141 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package notsha256 implements the NOTSHA256 algorithm,
+// a hash defined as bitwise NOT of SHA256.
+// It is used in situations where exact fidelity to SHA256 is unnecessary.
+// In particular, it is used in the compiler toolchain,
+// which cannot depend directly on cgo when GOEXPERIMENT=boringcrypto
+// (and in that mode the real sha256 uses cgo).
+package notsha256
+
+import (
+	"encoding/binary"
+	"hash"
+)
+
+// The size of a checksum in bytes.
+const Size = 32
+
+// The blocksize in bytes.
+const BlockSize = 64
+
+const (
+	chunk = 64
+	init0 = 0x6A09E667
+	init1 = 0xBB67AE85
+	init2 = 0x3C6EF372
+	init3 = 0xA54FF53A
+	init4 = 0x510E527F
+	init5 = 0x9B05688C
+	init6 = 0x1F83D9AB
+	init7 = 0x5BE0CD19
+)
+
+// digest represents the partial evaluation of a checksum.
+type digest struct {
+	h   [8]uint32
+	x   [chunk]byte
+	nx  int
+	len uint64
+}
+
+func (d *digest) Reset() {
+	d.h[0] = init0
+	d.h[1] = init1
+	d.h[2] = init2
+	d.h[3] = init3
+	d.h[4] = init4
+	d.h[5] = init5
+	d.h[6] = init6
+	d.h[7] = init7
+	d.nx = 0
+	d.len = 0
+}
+
+// New returns a new hash.Hash computing the NOTSHA256 checksum.
+// state of the hash.
+func New() hash.Hash {
+	d := new(digest)
+	d.Reset()
+	return d
+}
+
+func (d *digest) Size() int {
+	return Size
+}
+
+func (d *digest) BlockSize() int { return BlockSize }
+
+func (d *digest) Write(p []byte) (nn int, err error) {
+	nn = len(p)
+	d.len += uint64(nn)
+	if d.nx > 0 {
+		n := copy(d.x[d.nx:], p)
+		d.nx += n
+		if d.nx == chunk {
+			block(d, d.x[:])
+			d.nx = 0
+		}
+		p = p[n:]
+	}
+	if len(p) >= chunk {
+		n := len(p) &^ (chunk - 1)
+		block(d, p[:n])
+		p = p[n:]
+	}
+	if len(p) > 0 {
+		d.nx = copy(d.x[:], p)
+	}
+	return
+}
+
+func (d *digest) Sum(in []byte) []byte {
+	// Make a copy of d so that caller can keep writing and summing.
+	d0 := *d
+	hash := d0.checkSum()
+	return append(in, hash[:]...)
+}
+
+func (d *digest) checkSum() [Size]byte {
+	len := d.len
+	// Padding. Add a 1 bit and 0 bits until 56 bytes mod 64.
+	var tmp [64]byte
+	tmp[0] = 0x80
+	if len%64 < 56 {
+		d.Write(tmp[0 : 56-len%64])
+	} else {
+		d.Write(tmp[0 : 64+56-len%64])
+	}
+
+	// Length in bits.
+	len <<= 3
+	binary.BigEndian.PutUint64(tmp[:], len)
+	d.Write(tmp[0:8])
+
+	if d.nx != 0 {
+		panic("d.nx != 0")
+	}
+
+	var digest [Size]byte
+
+	binary.BigEndian.PutUint32(digest[0:], d.h[0]^0xFFFFFFFF)
+	binary.BigEndian.PutUint32(digest[4:], d.h[1]^0xFFFFFFFF)
+	binary.BigEndian.PutUint32(digest[8:], d.h[2]^0xFFFFFFFF)
+	binary.BigEndian.PutUint32(digest[12:], d.h[3]^0xFFFFFFFF)
+	binary.BigEndian.PutUint32(digest[16:], d.h[4]^0xFFFFFFFF)
+	binary.BigEndian.PutUint32(digest[20:], d.h[5]^0xFFFFFFFF)
+	binary.BigEndian.PutUint32(digest[24:], d.h[6]^0xFFFFFFFF)
+	binary.BigEndian.PutUint32(digest[28:], d.h[7]^0xFFFFFFFF)
+
+	return digest
+}
+
+// Sum256 returns the SHA256 checksum of the data.
+func Sum256(data []byte) [Size]byte {
+	var d digest
+	d.Reset()
+	d.Write(data)
+	return d.checkSum()
+}
diff --git a/src/cmd/internal/notsha256/sha256_test.go b/src/cmd/internal/notsha256/sha256_test.go
new file mode 100644
index 0000000000..fa38e56506
--- /dev/null
+++ b/src/cmd/internal/notsha256/sha256_test.go
@@ -0,0 +1,175 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// SHA256 hash algorithm. See FIPS 180-2.
+
+package notsha256
+
+import (
+	"crypto/rand"
+	"fmt"
+	"io"
+	"strings"
+	"testing"
+)
+
+type sha256Test struct {
+	out    string
+	in     string
+	unused string // marshal state, to keep table in sync with crypto/sha256
+}
+
+var golden = []sha256Test{
+	{"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855", "", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"},
+	{"ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb", "a", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"},
+	{"fb8e20fc2e4c3f248c60c39bd652f3c1347298bb977b8b4d5903b85055620603", "ab", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"},
+	{"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad", "abc", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"},
+	{"88d4266fd4e6338d13b845fcf289579d209c897823b9217da3e161936f031589", "abcd", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19ab\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02"},
+	{"36bbe50ed96841d10443bcb670d6554f0a34b761be67ec9c4a8ad2c0c44ca42c", "abcde", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19ab\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02"},
+	{"bef57ec7f53a6d40beb640a780a639c83bc29ac8a9816f1fc6c5c6dcd93c4721", "abcdef", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19abc\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03"},
+	{"7d1a54127b222502f5b79b5fb0803061152a44f92b37e23c6527baf665d4da9a", "abcdefg", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19abc\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x03"},
+	{"9c56cc51b374c3ba189210d5b6d4bf57790d351c96c47c02190ecf1e430635ab", "abcdefgh", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19abcd\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04"},
+	{"19cc02f26df43cc571bc9ed7b0c4d29224a3ec229529221725ef76d021c8326f", "abcdefghi", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19abcd\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04"},
+	{"72399361da6a7754fec986dca5b7cbaf1c810a28ded4abaf56b2106d06cb78b0", "abcdefghij", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19abcde\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x05"},
+	{"a144061c271f152da4d151034508fed1c138b8c976339de229c3bb6d4bbb4fce", "Discard medicine more than two years old.", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19Discard medicine mor\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x14"},
+	{"6dae5caa713a10ad04b46028bf6dad68837c581616a1589a265a11288d4bb5c4", "He who has a shady past knows that nice guys finish last.", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19He who has a shady past know\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c"},
+	{"ae7a702a9509039ddbf29f0765e70d0001177914b86459284dab8b348c2dce3f", "I wouldn't marry him with a ten foot pole.", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19I wouldn't marry him \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x15"},
+	{"6748450b01c568586715291dfa3ee018da07d36bb7ea6f180c1af6270215c64f", "Free! Free!/A trip/to Mars/for 900/empty jars/Burma Shave", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19Free! Free!/A trip/to Mars/f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c"},
+	{"14b82014ad2b11f661b5ae6a99b75105c2ffac278cd071cd6c05832793635774", "The days of the digital watch are numbered.  -Tom Stoppard", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19The days of the digital watch\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1d"},
+	{"7102cfd76e2e324889eece5d6c41921b1e142a4ac5a2692be78803097f6a48d8", "Nepal premier won't resign.", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19Nepal premier\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\r"},
+	{"23b1018cd81db1d67983c5f7417c44da9deb582459e378d7a068552ea649dc9f", "For every action there is an equal and opposite government program.", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19For every action there is an equa\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00!"},
+	{"8001f190dfb527261c4cfcab70c98e8097a7a1922129bc4096950e57c7999a5a", "His money is twice tainted: 'taint yours and 'taint mine.", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19His money is twice tainted: \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c"},
+	{"8c87deb65505c3993eb24b7a150c4155e82eee6960cf0c3a8114ff736d69cad5", "There is no reason for any individual to have a computer in their home. -Ken Olsen, 1977", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19There is no reason for any individual to hav\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00,"},
+	{"bfb0a67a19cdec3646498b2e0f751bddc41bba4b7f30081b0b932aad214d16d7", "It's a tiny change to the code and not completely disgusting. - Bob Manchek", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19It's a tiny change to the code and no\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00%"},
+	{"7f9a0b9bf56332e19f5a0ec1ad9c1425a153da1c624868fda44561d6b74daf36", "size:  a.out:  bad magic", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19size:  a.out\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\f"},
+	{"b13f81b8aad9e3666879af19886140904f7f429ef083286195982a7588858cfc", "The major problem is with sendmail.  -Mark Horton", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19The major problem is wit\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x18"},
+	{"b26c38d61519e894480c70c8374ea35aa0ad05b2ae3d6674eec5f52a69305ed4", "Give me a rock, paper and scissors and I will move the world.  CCFestoon", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19Give me a rock, paper and scissors a\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00$"},
+	{"049d5e26d4f10222cd841a119e38bd8d2e0d1129728688449575d4ff42b842c1", "If the enemy is within range, then so are you.", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19If the enemy is within \x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x17"},
+	{"0e116838e3cc1c1a14cd045397e29b4d087aa11b0853fc69ec82e90330d60949", "It's well we cannot hear the screams/That we create in others' dreams.", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19It's well we cannot hear the scream\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00#"},
+	{"4f7d8eb5bcf11de2a56b971021a444aa4eafd6ecd0f307b5109e4e776cd0fe46", "You remind me of a TV show, but that's all right: I watch it anyway.", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19You remind me of a TV show, but th\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\""},
+	{"61c0cc4c4bd8406d5120b3fb4ebc31ce87667c162f29468b3c779675a85aebce", "C is as portable as Stonehedge!!", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19C is as portable\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10"},
+	{"1fb2eb3688093c4a3f80cd87a5547e2ce940a4f923243a79a2a1e242220693ac", "Even if I could be Shakespeare, I think I should still choose to be Faraday. - A. Huxley", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19Even if I could be Shakespeare, I think I sh\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00,"},
+	{"395585ce30617b62c80b93e8208ce866d4edc811a177fdb4b82d3911d8696423", "The fugacity of a constituent in a mixture of gases at a given temperature is proportional to its mole fraction.  Lewis-Randall Rule", "sha\x03\x93\x14\xc8z\x87\x0e\vo\xf1E\x0f\xa4V\xb2a\x00\x87\xb5ǔ\xfc\xeaV\u009eg\xbc\x17\xb1\x85њem\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00B"},
+	{"4f9b189a13d030838269dce846b16a1ce9ce81fe63e65de2f636863336a98fe6", "How can you write a big system without C++?  -Paul Glick", "sha\x03j\t\xe6g\xbbg\xae\x85<n\xf3r\xa5O\xf5:Q\x0eR\u007f\x9b\x05h\x8c\x1f\x83٫[\xe0\xcd\x19How can you write a big syst\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x1c"},
+}
+
+var not = strings.NewReplacer(
+	"0", "f",
+	"1", "e",
+	"2", "d",
+	"3", "c",
+	"4", "b",
+	"5", "a",
+	"6", "9",
+	"7", "8",
+	"8", "7",
+	"9", "6",
+	"a", "5",
+	"b", "4",
+	"c", "3",
+	"d", "2",
+	"e", "1",
+	"f", "0",
+)
+
+func TestGolden(t *testing.T) {
+	for i := 0; i < len(golden); i++ {
+		g := golden[i]
+		gout := not.Replace(g.out)
+		s := fmt.Sprintf("%x", Sum256([]byte(g.in)))
+		if s != gout {
+			t.Fatalf("Sum256 function: sha256(%s) = %s want %s", g.in, s, gout)
+		}
+		c := New()
+		for j := 0; j < 3; j++ {
+			if j < 2 {
+				io.WriteString(c, g.in)
+			} else {
+				io.WriteString(c, g.in[0:len(g.in)/2])
+				c.Sum(nil)
+				io.WriteString(c, g.in[len(g.in)/2:])
+			}
+			s := fmt.Sprintf("%x", c.Sum(nil))
+			if s != gout {
+				t.Fatalf("sha256[%d](%s) = %s want %s", j, g.in, s, gout)
+			}
+			c.Reset()
+		}
+	}
+}
+
+func TestSize(t *testing.T) {
+	c := New()
+	if got := c.Size(); got != Size {
+		t.Errorf("Size = %d; want %d", got, Size)
+	}
+}
+
+func TestBlockSize(t *testing.T) {
+	c := New()
+	if got := c.BlockSize(); got != BlockSize {
+		t.Errorf("BlockSize = %d want %d", got, BlockSize)
+	}
+}
+
+// Tests that blockGeneric (pure Go) and block (in assembly for some architectures) match.
+func TestBlockGeneric(t *testing.T) {
+	gen, asm := New().(*digest), New().(*digest)
+	buf := make([]byte, BlockSize*20) // arbitrary factor
+	rand.Read(buf)
+	blockGeneric(gen, buf)
+	block(asm, buf)
+	if *gen != *asm {
+		t.Error("block and blockGeneric resulted in different states")
+	}
+}
+
+func TestAllocations(t *testing.T) {
+	in := []byte("hello, world!")
+	out := make([]byte, 0, Size)
+	h := New()
+	n := int(testing.AllocsPerRun(10, func() {
+		h.Reset()
+		h.Write(in)
+		out = h.Sum(out[:0])
+	}))
+	if n > 0 {
+		t.Errorf("allocs = %d, want 0", n)
+	}
+}
+
+var bench = New()
+var buf = make([]byte, 8192)
+
+func benchmarkSize(b *testing.B, size int) {
+	sum := make([]byte, bench.Size())
+	b.Run("New", func(b *testing.B) {
+		b.ReportAllocs()
+		b.SetBytes(int64(size))
+		for i := 0; i < b.N; i++ {
+			bench.Reset()
+			bench.Write(buf[:size])
+			bench.Sum(sum[:0])
+		}
+	})
+	b.Run("Sum256", func(b *testing.B) {
+		b.ReportAllocs()
+		b.SetBytes(int64(size))
+		for i := 0; i < b.N; i++ {
+			Sum256(buf[:size])
+		}
+	})
+}
+
+func BenchmarkHash8Bytes(b *testing.B) {
+	benchmarkSize(b, 8)
+}
+
+func BenchmarkHash1K(b *testing.B) {
+	benchmarkSize(b, 1024)
+}
+
+func BenchmarkHash8K(b *testing.B) {
+	benchmarkSize(b, 8192)
+}
diff --git a/src/cmd/internal/notsha256/sha256block.go b/src/cmd/internal/notsha256/sha256block.go
new file mode 100644
index 0000000000..57cdf2efd5
--- /dev/null
+++ b/src/cmd/internal/notsha256/sha256block.go
@@ -0,0 +1,128 @@
+// Copyright 2009 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// SHA256 block step.
+// In its own file so that a faster assembly or C version
+// can be substituted easily.
+
+package notsha256
+
+import "math/bits"
+
+var _K = []uint32{
+	0x428a2f98,
+	0x71374491,
+	0xb5c0fbcf,
+	0xe9b5dba5,
+	0x3956c25b,
+	0x59f111f1,
+	0x923f82a4,
+	0xab1c5ed5,
+	0xd807aa98,
+	0x12835b01,
+	0x243185be,
+	0x550c7dc3,
+	0x72be5d74,
+	0x80deb1fe,
+	0x9bdc06a7,
+	0xc19bf174,
+	0xe49b69c1,
+	0xefbe4786,
+	0x0fc19dc6,
+	0x240ca1cc,
+	0x2de92c6f,
+	0x4a7484aa,
+	0x5cb0a9dc,
+	0x76f988da,
+	0x983e5152,
+	0xa831c66d,
+	0xb00327c8,
+	0xbf597fc7,
+	0xc6e00bf3,
+	0xd5a79147,
+	0x06ca6351,
+	0x14292967,
+	0x27b70a85,
+	0x2e1b2138,
+	0x4d2c6dfc,
+	0x53380d13,
+	0x650a7354,
+	0x766a0abb,
+	0x81c2c92e,
+	0x92722c85,
+	0xa2bfe8a1,
+	0xa81a664b,
+	0xc24b8b70,
+	0xc76c51a3,
+	0xd192e819,
+	0xd6990624,
+	0xf40e3585,
+	0x106aa070,
+	0x19a4c116,
+	0x1e376c08,
+	0x2748774c,
+	0x34b0bcb5,
+	0x391c0cb3,
+	0x4ed8aa4a,
+	0x5b9cca4f,
+	0x682e6ff3,
+	0x748f82ee,
+	0x78a5636f,
+	0x84c87814,
+	0x8cc70208,
+	0x90befffa,
+	0xa4506ceb,
+	0xbef9a3f7,
+	0xc67178f2,
+}
+
+func blockGeneric(dig *digest, p []byte) {
+	var w [64]uint32
+	h0, h1, h2, h3, h4, h5, h6, h7 := dig.h[0], dig.h[1], dig.h[2], dig.h[3], dig.h[4], dig.h[5], dig.h[6], dig.h[7]
+	for len(p) >= chunk {
+		// Can interlace the computation of w with the
+		// rounds below if needed for speed.
+		for i := 0; i < 16; i++ {
+			j := i * 4
+			w[i] = uint32(p[j])<<24 | uint32(p[j+1])<<16 | uint32(p[j+2])<<8 | uint32(p[j+3])
+		}
+		for i := 16; i < 64; i++ {
+			v1 := w[i-2]
+			t1 := (bits.RotateLeft32(v1, -17)) ^ (bits.RotateLeft32(v1, -19)) ^ (v1 >> 10)
+			v2 := w[i-15]
+			t2 := (bits.RotateLeft32(v2, -7)) ^ (bits.RotateLeft32(v2, -18)) ^ (v2 >> 3)
+			w[i] = t1 + w[i-7] + t2 + w[i-16]
+		}
+
+		a, b, c, d, e, f, g, h := h0, h1, h2, h3, h4, h5, h6, h7
+
+		for i := 0; i < 64; i++ {
+			t1 := h + ((bits.RotateLeft32(e, -6)) ^ (bits.RotateLeft32(e, -11)) ^ (bits.RotateLeft32(e, -25))) + ((e & f) ^ (^e & g)) + _K[i] + w[i]
+
+			t2 := ((bits.RotateLeft32(a, -2)) ^ (bits.RotateLeft32(a, -13)) ^ (bits.RotateLeft32(a, -22))) + ((a & b) ^ (a & c) ^ (b & c))
+
+			h = g
+			g = f
+			f = e
+			e = d + t1
+			d = c
+			c = b
+			b = a
+			a = t1 + t2
+		}
+
+		h0 += a
+		h1 += b
+		h2 += c
+		h3 += d
+		h4 += e
+		h5 += f
+		h6 += g
+		h7 += h
+
+		p = p[chunk:]
+	}
+
+	dig.h[0], dig.h[1], dig.h[2], dig.h[3], dig.h[4], dig.h[5], dig.h[6], dig.h[7] = h0, h1, h2, h3, h4, h5, h6, h7
+}
diff --git a/src/cmd/internal/notsha256/sha256block_386.s b/src/cmd/internal/notsha256/sha256block_386.s
new file mode 100644
index 0000000000..086a0ab25c
--- /dev/null
+++ b/src/cmd/internal/notsha256/sha256block_386.s
@@ -0,0 +1,283 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// SHA256 block routine. See sha256block.go for Go equivalent.
+//
+// The algorithm is detailed in FIPS 180-4:
+//
+//  https://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
+//
+// Wt = Mt; for 0 <= t <= 15
+// Wt = SIGMA1(Wt-2) + SIGMA0(Wt-15) + Wt-16; for 16 <= t <= 63
+//
+// a = H0
+// b = H1
+// c = H2
+// d = H3
+// e = H4
+// f = H5
+// g = H6
+// h = H7
+//
+// for t = 0 to 63 {
+//    T1 = h + BIGSIGMA1(e) + Ch(e,f,g) + Kt + Wt
+//    T2 = BIGSIGMA0(a) + Maj(a,b,c)
+//    h = g
+//    g = f
+//    f = e
+//    e = d + T1
+//    d = c
+//    c = b
+//    b = a
+//    a = T1 + T2
+// }
+//
+// H0 = a + H0
+// H1 = b + H1
+// H2 = c + H2
+// H3 = d + H3
+// H4 = e + H4
+// H5 = f + H5
+// H6 = g + H6
+// H7 = h + H7
+
+// Wt = Mt; for 0 <= t <= 15
+#define MSGSCHEDULE0(index) \
+	MOVL	(index*4)(SI), AX; \
+	BSWAPL	AX; \
+	MOVL	AX, (index*4)(BP)
+
+// Wt = SIGMA1(Wt-2) + Wt-7 + SIGMA0(Wt-15) + Wt-16; for 16 <= t <= 63
+//   SIGMA0(x) = ROTR(7,x) XOR ROTR(18,x) XOR SHR(3,x)
+//   SIGMA1(x) = ROTR(17,x) XOR ROTR(19,x) XOR SHR(10,x)
+#define MSGSCHEDULE1(index) \
+	MOVL	((index-2)*4)(BP), AX; \
+	MOVL	AX, CX; \
+	RORL	$17, AX; \
+	MOVL	CX, DX; \
+	RORL	$19, CX; \
+	SHRL	$10, DX; \
+	MOVL	((index-15)*4)(BP), BX; \
+	XORL	CX, AX; \
+	MOVL	BX, CX; \
+	XORL	DX, AX; \
+	RORL	$7, BX; \
+	MOVL	CX, DX; \
+	SHRL	$3, DX; \
+	RORL	$18, CX; \
+	ADDL	((index-7)*4)(BP), AX; \
+	XORL	CX, BX; \
+	XORL	DX, BX; \
+	ADDL	((index-16)*4)(BP), BX; \
+	ADDL	BX, AX; \
+	MOVL	AX, ((index)*4)(BP)
+
+// Calculate T1 in AX - uses AX, BX, CX and DX registers.
+// Wt is passed in AX.
+//   T1 = h + BIGSIGMA1(e) + Ch(e, f, g) + Kt + Wt
+//     BIGSIGMA1(x) = ROTR(6,x) XOR ROTR(11,x) XOR ROTR(25,x)
+//     Ch(x, y, z) = (x AND y) XOR (NOT x AND z)
+#define SHA256T1(const, e, f, g, h) \
+	MOVL	(h*4)(DI), BX; \
+	ADDL	AX, BX; \
+	MOVL	(e*4)(DI), AX; \
+	ADDL	$const, BX; \
+	MOVL	(e*4)(DI), CX; \
+	RORL	$6, AX; \
+	MOVL	(e*4)(DI), DX; \
+	RORL	$11, CX; \
+	XORL	CX, AX; \
+	MOVL	(e*4)(DI), CX; \
+	RORL	$25, DX; \
+	ANDL	(f*4)(DI), CX; \
+	XORL	AX, DX; \
+	MOVL	(e*4)(DI), AX; \
+	NOTL	AX; \
+	ADDL	DX, BX; \
+	ANDL	(g*4)(DI), AX; \
+	XORL	CX, AX; \
+	ADDL	BX, AX
+
+// Calculate T2 in BX - uses AX, BX, CX and DX registers.
+//   T2 = BIGSIGMA0(a) + Maj(a, b, c)
+//     BIGSIGMA0(x) = ROTR(2,x) XOR ROTR(13,x) XOR ROTR(22,x)
+//     Maj(x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z)
+#define SHA256T2(a, b, c) \
+	MOVL	(a*4)(DI), AX; \
+	MOVL	(c*4)(DI), BX; \
+	RORL	$2, AX; \
+	MOVL	(a*4)(DI), DX; \
+	ANDL	(b*4)(DI), BX; \
+	RORL	$13, DX; \
+	MOVL	(a*4)(DI), CX; \
+	ANDL	(c*4)(DI), CX; \
+	XORL	DX, AX; \
+	XORL	CX, BX; \
+	MOVL	(a*4)(DI), DX; \
+	MOVL	(b*4)(DI), CX; \
+	RORL	$22, DX; \
+	ANDL	(a*4)(DI), CX; \
+	XORL	CX, BX; \
+	XORL	DX, AX; \
+	ADDL	AX, BX
+
+// Calculate T1 and T2, then e = d + T1 and a = T1 + T2.
+// The values for e and a are stored in d and h, ready for rotation.
+#define SHA256ROUND(index, const, a, b, c, d, e, f, g, h) \
+	SHA256T1(const, e, f, g, h); \
+	MOVL	AX, 292(SP); \
+	SHA256T2(a, b, c); \
+	MOVL	292(SP), AX; \
+	ADDL	AX, BX; \
+	ADDL	AX, (d*4)(DI); \
+	MOVL	BX, (h*4)(DI)
+
+#define SHA256ROUND0(index, const, a, b, c, d, e, f, g, h) \
+	MSGSCHEDULE0(index); \
+	SHA256ROUND(index, const, a, b, c, d, e, f, g, h)
+
+#define SHA256ROUND1(index, const, a, b, c, d, e, f, g, h) \
+	MSGSCHEDULE1(index); \
+	SHA256ROUND(index, const, a, b, c, d, e, f, g, h)
+
+TEXT ·block(SB),0,$296-16
+	MOVL	p_base+4(FP), SI
+	MOVL	p_len+8(FP), DX
+	SHRL	$6, DX
+	SHLL	$6, DX
+
+	LEAL	(SI)(DX*1), DI
+	MOVL	DI, 288(SP)
+	CMPL	SI, DI
+	JEQ	end
+
+	LEAL	256(SP), DI		// variables
+
+	MOVL	dig+0(FP), BP
+	MOVL	(0*4)(BP), AX		// a = H0
+	MOVL	AX, (0*4)(DI)
+	MOVL	(1*4)(BP), BX		// b = H1
+	MOVL	BX, (1*4)(DI)
+	MOVL	(2*4)(BP), CX		// c = H2
+	MOVL	CX, (2*4)(DI)
+	MOVL	(3*4)(BP), DX		// d = H3
+	MOVL	DX, (3*4)(DI)
+	MOVL	(4*4)(BP), AX		// e = H4
+	MOVL	AX, (4*4)(DI)
+	MOVL	(5*4)(BP), BX		// f = H5
+	MOVL	BX, (5*4)(DI)
+	MOVL	(6*4)(BP), CX		// g = H6
+	MOVL	CX, (6*4)(DI)
+	MOVL	(7*4)(BP), DX		// h = H7
+	MOVL	DX, (7*4)(DI)
+
+loop:
+	MOVL	SP, BP			// message schedule
+
+	SHA256ROUND0(0, 0x428a2f98, 0, 1, 2, 3, 4, 5, 6, 7)
+	SHA256ROUND0(1, 0x71374491, 7, 0, 1, 2, 3, 4, 5, 6)
+	SHA256ROUND0(2, 0xb5c0fbcf, 6, 7, 0, 1, 2, 3, 4, 5)
+	SHA256ROUND0(3, 0xe9b5dba5, 5, 6, 7, 0, 1, 2, 3, 4)
+	SHA256ROUND0(4, 0x3956c25b, 4, 5, 6, 7, 0, 1, 2, 3)
+	SHA256ROUND0(5, 0x59f111f1, 3, 4, 5, 6, 7, 0, 1, 2)
+	SHA256ROUND0(6, 0x923f82a4, 2, 3, 4, 5, 6, 7, 0, 1)
+	SHA256ROUND0(7, 0xab1c5ed5, 1, 2, 3, 4, 5, 6, 7, 0)
+	SHA256ROUND0(8, 0xd807aa98, 0, 1, 2, 3, 4, 5, 6, 7)
+	SHA256ROUND0(9, 0x12835b01, 7, 0, 1, 2, 3, 4, 5, 6)
+	SHA256ROUND0(10, 0x243185be, 6, 7, 0, 1, 2, 3, 4, 5)
+	SHA256ROUND0(11, 0x550c7dc3, 5, 6, 7, 0, 1, 2, 3, 4)
+	SHA256ROUND0(12, 0x72be5d74, 4, 5, 6, 7, 0, 1, 2, 3)
+	SHA256ROUND0(13, 0x80deb1fe, 3, 4, 5, 6, 7, 0, 1, 2)
+	SHA256ROUND0(14, 0x9bdc06a7, 2, 3, 4, 5, 6, 7, 0, 1)
+	SHA256ROUND0(15, 0xc19bf174, 1, 2, 3, 4, 5, 6, 7, 0)
+
+	SHA256ROUND1(16, 0xe49b69c1, 0, 1, 2, 3, 4, 5, 6, 7)
+	SHA256ROUND1(17, 0xefbe4786, 7, 0, 1, 2, 3, 4, 5, 6)
+	SHA256ROUND1(18, 0x0fc19dc6, 6, 7, 0, 1, 2, 3, 4, 5)
+	SHA256ROUND1(19, 0x240ca1cc, 5, 6, 7, 0, 1, 2, 3, 4)
+	SHA256ROUND1(20, 0x2de92c6f, 4, 5, 6, 7, 0, 1, 2, 3)
+	SHA256ROUND1(21, 0x4a7484aa, 3, 4, 5, 6, 7, 0, 1, 2)
+	SHA256ROUND1(22, 0x5cb0a9dc, 2, 3, 4, 5, 6, 7, 0, 1)
+	SHA256ROUND1(23, 0x76f988da, 1, 2, 3, 4, 5, 6, 7, 0)
+	SHA256ROUND1(24, 0x983e5152, 0, 1, 2, 3, 4, 5, 6, 7)
+	SHA256ROUND1(25, 0xa831c66d, 7, 0, 1, 2, 3, 4, 5, 6)
+	SHA256ROUND1(26, 0xb00327c8, 6, 7, 0, 1, 2, 3, 4, 5)
+	SHA256ROUND1(27, 0xbf597fc7, 5, 6, 7, 0, 1, 2, 3, 4)
+	SHA256ROUND1(28, 0xc6e00bf3, 4, 5, 6, 7, 0, 1, 2, 3)
+	SHA256ROUND1(29, 0xd5a79147, 3, 4, 5, 6, 7, 0, 1, 2)
+	SHA256ROUND1(30, 0x06ca6351, 2, 3, 4, 5, 6, 7, 0, 1)
+	SHA256ROUND1(31, 0x14292967, 1, 2, 3, 4, 5, 6, 7, 0)
+	SHA256ROUND1(32, 0x27b70a85, 0, 1, 2, 3, 4, 5, 6, 7)
+	SHA256ROUND1(33, 0x2e1b2138, 7, 0, 1, 2, 3, 4, 5, 6)
+	SHA256ROUND1(34, 0x4d2c6dfc, 6, 7, 0, 1, 2, 3, 4, 5)
+	SHA256ROUND1(35, 0x53380d13, 5, 6, 7, 0, 1, 2, 3, 4)
+	SHA256ROUND1(36, 0x650a7354, 4, 5, 6, 7, 0, 1, 2, 3)
+	SHA256ROUND1(37, 0x766a0abb, 3, 4, 5, 6, 7, 0, 1, 2)
+	SHA256ROUND1(38, 0x81c2c92e, 2, 3, 4, 5, 6, 7, 0, 1)
+	SHA256ROUND1(39, 0x92722c85, 1, 2, 3, 4, 5, 6, 7, 0)
+	SHA256ROUND1(40, 0xa2bfe8a1, 0, 1, 2, 3, 4, 5, 6, 7)
+	SHA256ROUND1(41, 0xa81a664b, 7, 0, 1, 2, 3, 4, 5, 6)
+	SHA256ROUND1(42, 0xc24b8b70, 6, 7, 0, 1, 2, 3, 4, 5)
+	SHA256ROUND1(43, 0xc76c51a3, 5, 6, 7, 0, 1, 2, 3, 4)
+	SHA256ROUND1(44, 0xd192e819, 4, 5, 6, 7, 0, 1, 2, 3)
+	SHA256ROUND1(45, 0xd6990624, 3, 4, 5, 6, 7, 0, 1, 2)
+	SHA256ROUND1(46, 0xf40e3585, 2, 3, 4, 5, 6, 7, 0, 1)
+	SHA256ROUND1(47, 0x106aa070, 1, 2, 3, 4, 5, 6, 7, 0)
+	SHA256ROUND1(48, 0x19a4c116, 0, 1, 2, 3, 4, 5, 6, 7)
+	SHA256ROUND1(49, 0x1e376c08, 7, 0, 1, 2, 3, 4, 5, 6)
+	SHA256ROUND1(50, 0x2748774c, 6, 7, 0, 1, 2, 3, 4, 5)
+	SHA256ROUND1(51, 0x34b0bcb5, 5, 6, 7, 0, 1, 2, 3, 4)
+	SHA256ROUND1(52, 0x391c0cb3, 4, 5, 6, 7, 0, 1, 2, 3)
+	SHA256ROUND1(53, 0x4ed8aa4a, 3, 4, 5, 6, 7, 0, 1, 2)
+	SHA256ROUND1(54, 0x5b9cca4f, 2, 3, 4, 5, 6, 7, 0, 1)
+	SHA256ROUND1(55, 0x682e6ff3, 1, 2, 3, 4, 5, 6, 7, 0)
+	SHA256ROUND1(56, 0x748f82ee, 0, 1, 2, 3, 4, 5, 6, 7)
+	SHA256ROUND1(57, 0x78a5636f, 7, 0, 1, 2, 3, 4, 5, 6)
+	SHA256ROUND1(58, 0x84c87814, 6, 7, 0, 1, 2, 3, 4, 5)
+	SHA256ROUND1(59, 0x8cc70208, 5, 6, 7, 0, 1, 2, 3, 4)
+	SHA256ROUND1(60, 0x90befffa, 4, 5, 6, 7, 0, 1, 2, 3)
+	SHA256ROUND1(61, 0xa4506ceb, 3, 4, 5, 6, 7, 0, 1, 2)
+	SHA256ROUND1(62, 0xbef9a3f7, 2, 3, 4, 5, 6, 7, 0, 1)
+	SHA256ROUND1(63, 0xc67178f2, 1, 2, 3, 4, 5, 6, 7, 0)
+
+	MOVL	dig+0(FP), BP
+	MOVL	(0*4)(BP), AX		// H0 = a + H0
+	ADDL	(0*4)(DI), AX
+	MOVL	AX, (0*4)(DI)
+	MOVL	AX, (0*4)(BP)
+	MOVL	(1*4)(BP), BX		// H1 = b + H1
+	ADDL	(1*4)(DI), BX
+	MOVL	BX, (1*4)(DI)
+	MOVL	BX, (1*4)(BP)
+	MOVL	(2*4)(BP), CX		// H2 = c + H2
+	ADDL	(2*4)(DI), CX
+	MOVL	CX, (2*4)(DI)
+	MOVL	CX, (2*4)(BP)
+	MOVL	(3*4)(BP), DX		// H3 = d + H3
+	ADDL	(3*4)(DI), DX
+	MOVL	DX, (3*4)(DI)
+	MOVL	DX, (3*4)(BP)
+	MOVL	(4*4)(BP), AX		// H4 = e + H4
+	ADDL	(4*4)(DI), AX
+	MOVL	AX, (4*4)(DI)
+	MOVL	AX, (4*4)(BP)
+	MOVL	(5*4)(BP), BX		// H5 = f + H5
+	ADDL	(5*4)(DI), BX
+	MOVL	BX, (5*4)(DI)
+	MOVL	BX, (5*4)(BP)
+	MOVL	(6*4)(BP), CX		// H6 = g + H6
+	ADDL	(6*4)(DI), CX
+	MOVL	CX, (6*4)(DI)
+	MOVL	CX, (6*4)(BP)
+	MOVL	(7*4)(BP), DX		// H7 = h + H7
+	ADDL	(7*4)(DI), DX
+	MOVL	DX, (7*4)(DI)
+	MOVL	DX, (7*4)(BP)
+
+	ADDL	$64, SI
+	CMPL	SI, 288(SP)
+	JB	loop
+
+end:
+	RET
diff --git a/src/cmd/internal/notsha256/sha256block_amd64.go b/src/cmd/internal/notsha256/sha256block_amd64.go
new file mode 100644
index 0000000000..676c4f70d9
--- /dev/null
+++ b/src/cmd/internal/notsha256/sha256block_amd64.go
@@ -0,0 +1,7 @@
+// Copyright 2017 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package notsha256
+
+var useAVX2 = false
diff --git a/src/cmd/internal/notsha256/sha256block_amd64.s b/src/cmd/internal/notsha256/sha256block_amd64.s
new file mode 100644
index 0000000000..b2ae7c5fc9
--- /dev/null
+++ b/src/cmd/internal/notsha256/sha256block_amd64.s
@@ -0,0 +1,424 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+#include "textflag.h"
+
+// SHA256 block routine. See sha256block.go for Go equivalent.
+//
+// The algorithm is detailed in FIPS 180-4:
+//
+//  https://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
+
+// Wt = Mt; for 0 <= t <= 15
+// Wt = SIGMA1(Wt-2) + SIGMA0(Wt-15) + Wt-16; for 16 <= t <= 63
+//
+// a = H0
+// b = H1
+// c = H2
+// d = H3
+// e = H4
+// f = H5
+// g = H6
+// h = H7
+//
+// for t = 0 to 63 {
+//    T1 = h + BIGSIGMA1(e) + Ch(e,f,g) + Kt + Wt
+//    T2 = BIGSIGMA0(a) + Maj(a,b,c)
+//    h = g
+//    g = f
+//    f = e
+//    e = d + T1
+//    d = c
+//    c = b
+//    b = a
+//    a = T1 + T2
+// }
+//
+// H0 = a + H0
+// H1 = b + H1
+// H2 = c + H2
+// H3 = d + H3
+// H4 = e + H4
+// H5 = f + H5
+// H6 = g + H6
+// H7 = h + H7
+
+// Wt = Mt; for 0 <= t <= 15
+#define MSGSCHEDULE0(index) \
+	MOVL	(index*4)(SI), AX; \
+	BSWAPL	AX; \
+	MOVL	AX, (index*4)(BP)
+
+// Wt = SIGMA1(Wt-2) + Wt-7 + SIGMA0(Wt-15) + Wt-16; for 16 <= t <= 63
+//   SIGMA0(x) = ROTR(7,x) XOR ROTR(18,x) XOR SHR(3,x)
+//   SIGMA1(x) = ROTR(17,x) XOR ROTR(19,x) XOR SHR(10,x)
+#define MSGSCHEDULE1(index) \
+	MOVL	((index-2)*4)(BP), AX; \
+	MOVL	AX, CX; \
+	RORL	$17, AX; \
+	MOVL	CX, DX; \
+	RORL	$19, CX; \
+	SHRL	$10, DX; \
+	MOVL	((index-15)*4)(BP), BX; \
+	XORL	CX, AX; \
+	MOVL	BX, CX; \
+	XORL	DX, AX; \
+	RORL	$7, BX; \
+	MOVL	CX, DX; \
+	SHRL	$3, DX; \
+	RORL	$18, CX; \
+	ADDL	((index-7)*4)(BP), AX; \
+	XORL	CX, BX; \
+	XORL	DX, BX; \
+	ADDL	((index-16)*4)(BP), BX; \
+	ADDL	BX, AX; \
+	MOVL	AX, ((index)*4)(BP)
+
+// Calculate T1 in AX - uses AX, CX and DX registers.
+// h is also used as an accumulator. Wt is passed in AX.
+//   T1 = h + BIGSIGMA1(e) + Ch(e, f, g) + Kt + Wt
+//     BIGSIGMA1(x) = ROTR(6,x) XOR ROTR(11,x) XOR ROTR(25,x)
+//     Ch(x, y, z) = (x AND y) XOR (NOT x AND z)
+#define SHA256T1(const, e, f, g, h) \
+	ADDL	AX, h; \
+	MOVL	e, AX; \
+	ADDL	$const, h; \
+	MOVL	e, CX; \
+	RORL	$6, AX; \
+	MOVL	e, DX; \
+	RORL	$11, CX; \
+	XORL	CX, AX; \
+	MOVL	e, CX; \
+	RORL	$25, DX; \
+	ANDL	f, CX; \
+	XORL	AX, DX; \
+	MOVL	e, AX; \
+	NOTL	AX; \
+	ADDL	DX, h; \
+	ANDL	g, AX; \
+	XORL	CX, AX; \
+	ADDL	h, AX
+
+// Calculate T2 in BX - uses BX, CX, DX and DI registers.
+//   T2 = BIGSIGMA0(a) + Maj(a, b, c)
+//     BIGSIGMA0(x) = ROTR(2,x) XOR ROTR(13,x) XOR ROTR(22,x)
+//     Maj(x, y, z) = (x AND y) XOR (x AND z) XOR (y AND z)
+#define SHA256T2(a, b, c) \
+	MOVL	a, DI; \
+	MOVL	c, BX; \
+	RORL	$2, DI; \
+	MOVL	a, DX; \
+	ANDL	b, BX; \
+	RORL	$13, DX; \
+	MOVL	a, CX; \
+	ANDL	c, CX; \
+	XORL	DX, DI; \
+	XORL	CX, BX; \
+	MOVL	a, DX; \
+	MOVL	b, CX; \
+	RORL	$22, DX; \
+	ANDL	a, CX; \
+	XORL	CX, BX; \
+	XORL	DX, DI; \
+	ADDL	DI, BX
+
+// Calculate T1 and T2, then e = d + T1 and a = T1 + T2.
+// The values for e and a are stored in d and h, ready for rotation.
+#define SHA256ROUND(index, const, a, b, c, d, e, f, g, h) \
+	SHA256T1(const, e, f, g, h); \
+	SHA256T2(a, b, c); \
+	MOVL	BX, h; \
+	ADDL	AX, d; \
+	ADDL	AX, h
+
+#define SHA256ROUND0(index, const, a, b, c, d, e, f, g, h) \
+	MSGSCHEDULE0(index); \
+	SHA256ROUND(index, const, a, b, c, d, e, f, g, h)
+
+#define SHA256ROUND1(index, const, a, b, c, d, e, f, g, h) \
+	MSGSCHEDULE1(index); \
+	SHA256ROUND(index, const, a, b, c, d, e, f, g, h)
+
+TEXT ·block(SB), 0, $536-32
+	MOVQ p_base+8(FP), SI
+	MOVQ p_len+16(FP), DX
+	SHRQ $6, DX
+	SHLQ $6, DX
+
+	LEAQ (SI)(DX*1), DI
+	MOVQ DI, 256(SP)
+	CMPQ SI, DI
+	JEQ  end
+
+	MOVQ dig+0(FP), BP
+	MOVL (0*4)(BP), R8  // a = H0
+	MOVL (1*4)(BP), R9  // b = H1
+	MOVL (2*4)(BP), R10 // c = H2
+	MOVL (3*4)(BP), R11 // d = H3
+	MOVL (4*4)(BP), R12 // e = H4
+	MOVL (5*4)(BP), R13 // f = H5
+	MOVL (6*4)(BP), R14 // g = H6
+	MOVL (7*4)(BP), R15 // h = H7
+
+loop:
+	MOVQ SP, BP
+
+	SHA256ROUND0(0, 0x428a2f98, R8, R9, R10, R11, R12, R13, R14, R15)
+	SHA256ROUND0(1, 0x71374491, R15, R8, R9, R10, R11, R12, R13, R14)
+	SHA256ROUND0(2, 0xb5c0fbcf, R14, R15, R8, R9, R10, R11, R12, R13)
+	SHA256ROUND0(3, 0xe9b5dba5, R13, R14, R15, R8, R9, R10, R11, R12)
+	SHA256ROUND0(4, 0x3956c25b, R12, R13, R14, R15, R8, R9, R10, R11)
+	SHA256ROUND0(5, 0x59f111f1, R11, R12, R13, R14, R15, R8, R9, R10)
+	SHA256ROUND0(6, 0x923f82a4, R10, R11, R12, R13, R14, R15, R8, R9)
+	SHA256ROUND0(7, 0xab1c5ed5, R9, R10, R11, R12, R13, R14, R15, R8)
+	SHA256ROUND0(8, 0xd807aa98, R8, R9, R10, R11, R12, R13, R14, R15)
+	SHA256ROUND0(9, 0x12835b01, R15, R8, R9, R10, R11, R12, R13, R14)
+	SHA256ROUND0(10, 0x243185be, R14, R15, R8, R9, R10, R11, R12, R13)
+	SHA256ROUND0(11, 0x550c7dc3, R13, R14, R15, R8, R9, R10, R11, R12)
+	SHA256ROUND0(12, 0x72be5d74, R12, R13, R14, R15, R8, R9, R10, R11)
+	SHA256ROUND0(13, 0x80deb1fe, R11, R12, R13, R14, R15, R8, R9, R10)
+	SHA256ROUND0(14, 0x9bdc06a7, R10, R11, R12, R13, R14, R15, R8, R9)
+	SHA256ROUND0(15, 0xc19bf174, R9, R10, R11, R12, R13, R14, R15, R8)
+
+	SHA256ROUND1(16, 0xe49b69c1, R8, R9, R10, R11, R12, R13, R14, R15)
+	SHA256ROUND1(17, 0xefbe4786, R15, R8, R9, R10, R11, R12, R13, R14)
+	SHA256ROUND1(18, 0x0fc19dc6, R14, R15, R8, R9, R10, R11, R12, R13)
+	SHA256ROUND1(19, 0x240ca1cc, R13, R14, R15, R8, R9, R10, R11, R12)
+	SHA256ROUND1(20, 0x2de92c6f, R12, R13, R14, R15, R8, R9, R10, R11)
+	SHA256ROUND1(21, 0x4a7484aa, R11, R12, R13, R14, R15, R8, R9, R10)
+	SHA256ROUND1(22, 0x5cb0a9dc, R10, R11, R12, R13, R14, R15, R8, R9)
+	SHA256ROUND1(23, 0x76f988da, R9, R10, R11, R12, R13, R14, R15, R8)
+	SHA256ROUND1(24, 0x983e5152, R8, R9, R10, R11, R12, R13, R14, R15)
+	SHA256ROUND1(25, 0xa831c66d, R15, R8, R9, R10, R11, R12, R13, R14)
+	SHA256ROUND1(26, 0xb00327c8, R14, R15, R8, R9, R10, R11, R12, R13)
+	SHA256ROUND1(27, 0xbf597fc7, R13, R14, R15, R8, R9, R10, R11, R12)
+	SHA256ROUND1(28, 0xc6e00bf3, R12, R13, R14, R15, R8, R9, R10, R11)
+	SHA256ROUND1(29, 0xd5a79147, R11, R12, R13, R14, R15, R8, R9, R10)
+	SHA256ROUND1(30, 0x06ca6351, R10, R11, R12, R13, R14, R15, R8, R9)
+	SHA256ROUND1(31, 0x14292967, R9, R10, R11, R12, R13, R14, R15, R8)
+	SHA256ROUND1(32, 0x27b70a85, R8, R9, R10, R11, R12, R13, R14, R15)
+	SHA256ROUND1(33, 0x2e1b2138, R15, R8, R9, R10, R11, R12, R13, R14)
+	SHA256ROUND1(34, 0x4d2c6dfc, R14, R15, R8, R9, R10, R11, R12, R13)
+	SHA256ROUND1(35, 0x53380d13, R13, R14, R15, R8, R9, R10, R11, R12)
+	SHA256ROUND1(36, 0x650a7354, R12, R13, R14, R15, R8, R9, R10, R11)
+	SHA256ROUND1(37, 0x766a0abb, R11, R12, R13, R14, R15, R8, R9, R10)
+	SHA256ROUND1(38, 0x81c2c92e, R10, R11, R12, R13, R14, R15, R8, R9)
+	SHA256ROUND1(39, 0x92722c85, R9, R10, R11, R12, R13, R14, R15, R8)
+	SHA256ROUND1(40, 0xa2bfe8a1, R8, R9, R10, R11, R12, R13, R14, R15)
+	SHA256ROUND1(41, 0xa81a664b, R15, R8, R9, R10, R11, R12, R13, R14)
+	SHA256ROUND1(42, 0xc24b8b70, R14, R15, R8, R9, R10, R11, R12, R13)
+	SHA256ROUND1(43, 0xc76c51a3, R13, R14, R15, R8, R9, R10, R11, R12)
+	SHA256ROUND1(44, 0xd192e819, R12, R13, R14, R15, R8, R9, R10, R11)
+	SHA256ROUND1(45, 0xd6990624, R11, R12, R13, R14, R15, R8, R9, R10)
+	SHA256ROUND1(46, 0xf40e3585, R10, R11, R12, R13, R14, R15, R8, R9)
+	SHA256ROUND1(47, 0x106aa070, R9, R10, R11, R12, R13, R14, R15, R8)
+	SHA256ROUND1(48, 0x19a4c116, R8, R9, R10, R11, R12, R13, R14, R15)
+	SHA256ROUND1(49, 0x1e376c08, R15, R8, R9, R10, R11, R12, R13, R14)
+	SHA256ROUND1(50, 0x2748774c, R14, R15, R8, R9, R10, R11, R12, R13)
+	SHA256ROUND1(51, 0x34b0bcb5, R13, R14, R15, R8, R9, R10, R11, R12)
+	SHA256ROUND1(52, 0x391c0cb3, R12, R13, R14, R15, R8, R9, R10, R11)
+	SHA256ROUND1(53, 0x4ed8aa4a, R11, R12, R13, R14, R15, R8, R9, R10)
+	SHA256ROUND1(54, 0x5b9cca4f, R10, R11, R12, R13, R14, R15, R8, R9)
+	SHA256ROUND1(55, 0x682e6ff3, R9, R10, R11, R12, R13, R14, R15, R8)
+	SHA256ROUND1(56, 0x748f82ee, R8, R9, R10, R11, R12, R13, R14, R15)
+	SHA256ROUND1(57, 0x78a5636f, R15, R8, R9, R10, R11, R12, R13, R14)
+	SHA256ROUND1(58, 0x84c87814, R14, R15, R8, R9, R10, R11, R12, R13)
+	SHA256ROUND1(59, 0x8cc70208, R13, R14, R15, R8, R9, R10, R11, R12)
+	SHA256ROUND1(60, 0x90befffa, R12, R13, R14, R15, R8, R9, R10, R11)
+	SHA256ROUND1(61, 0xa4506ceb, R11, R12, R13, R14, R15, R8, R9, R10)
+	SHA256ROUND1(62, 0xbef9a3f7, R10, R11, R12, R13, R14, R15, R8, R9)
+	SHA256ROUND1(63, 0xc67178f2, R9, R10, R11, R12, R13, R14, R15, R8)
+
+	MOVQ dig+0(FP), BP
+	ADDL (0*4)(BP), R8  // H0 = a + H0
+	MOVL R8, (0*4)(BP)
+	ADDL (1*4)(BP), R9  // H1 = b + H1
+	MOVL R9, (1*4)(BP)
+	ADDL (2*4)(BP), R10 // H2 = c + H2
+	MOVL R10, (2*4)(BP)
+	ADDL (3*4)(BP), R11 // H3 = d + H3
+	MOVL R11, (3*4)(BP)
+	ADDL (4*4)(BP), R12 // H4 = e + H4
+	MOVL R12, (4*4)(BP)
+	ADDL (5*4)(BP), R13 // H5 = f + H5
+	MOVL R13, (5*4)(BP)
+	ADDL (6*4)(BP), R14 // H6 = g + H6
+	MOVL R14, (6*4)(BP)
+	ADDL (7*4)(BP), R15 // H7 = h + H7
+	MOVL R15, (7*4)(BP)
+
+	ADDQ $64, SI
+	CMPQ SI, 256(SP)
+	JB   loop
+
+end:
+	RET
+
+// shuffle byte order from LE to BE
+DATA flip_mask<>+0x00(SB)/8, $0x0405060700010203
+DATA flip_mask<>+0x08(SB)/8, $0x0c0d0e0f08090a0b
+DATA flip_mask<>+0x10(SB)/8, $0x0405060700010203
+DATA flip_mask<>+0x18(SB)/8, $0x0c0d0e0f08090a0b
+GLOBL flip_mask<>(SB), 8, $32
+
+// shuffle xBxA -> 00BA
+DATA shuff_00BA<>+0x00(SB)/8, $0x0b0a090803020100
+DATA shuff_00BA<>+0x08(SB)/8, $0xFFFFFFFFFFFFFFFF
+DATA shuff_00BA<>+0x10(SB)/8, $0x0b0a090803020100
+DATA shuff_00BA<>+0x18(SB)/8, $0xFFFFFFFFFFFFFFFF
+GLOBL shuff_00BA<>(SB), 8, $32
+
+// shuffle xDxC -> DC00
+DATA shuff_DC00<>+0x00(SB)/8, $0xFFFFFFFFFFFFFFFF
+DATA shuff_DC00<>+0x08(SB)/8, $0x0b0a090803020100
+DATA shuff_DC00<>+0x10(SB)/8, $0xFFFFFFFFFFFFFFFF
+DATA shuff_DC00<>+0x18(SB)/8, $0x0b0a090803020100
+GLOBL shuff_DC00<>(SB), 8, $32
+
+// Round specific constants
+DATA K256<>+0x00(SB)/4, $0x428a2f98 // k1
+DATA K256<>+0x04(SB)/4, $0x71374491 // k2
+DATA K256<>+0x08(SB)/4, $0xb5c0fbcf // k3
+DATA K256<>+0x0c(SB)/4, $0xe9b5dba5 // k4
+DATA K256<>+0x10(SB)/4, $0x428a2f98 // k1
+DATA K256<>+0x14(SB)/4, $0x71374491 // k2
+DATA K256<>+0x18(SB)/4, $0xb5c0fbcf // k3
+DATA K256<>+0x1c(SB)/4, $0xe9b5dba5 // k4
+
+DATA K256<>+0x20(SB)/4, $0x3956c25b // k5 - k8
+DATA K256<>+0x24(SB)/4, $0x59f111f1
+DATA K256<>+0x28(SB)/4, $0x923f82a4
+DATA K256<>+0x2c(SB)/4, $0xab1c5ed5
+DATA K256<>+0x30(SB)/4, $0x3956c25b
+DATA K256<>+0x34(SB)/4, $0x59f111f1
+DATA K256<>+0x38(SB)/4, $0x923f82a4
+DATA K256<>+0x3c(SB)/4, $0xab1c5ed5
+
+DATA K256<>+0x40(SB)/4, $0xd807aa98 // k9 - k12
+DATA K256<>+0x44(SB)/4, $0x12835b01
+DATA K256<>+0x48(SB)/4, $0x243185be
+DATA K256<>+0x4c(SB)/4, $0x550c7dc3
+DATA K256<>+0x50(SB)/4, $0xd807aa98
+DATA K256<>+0x54(SB)/4, $0x12835b01
+DATA K256<>+0x58(SB)/4, $0x243185be
+DATA K256<>+0x5c(SB)/4, $0x550c7dc3
+
+DATA K256<>+0x60(SB)/4, $0x72be5d74 // k13 - k16
+DATA K256<>+0x64(SB)/4, $0x80deb1fe
+DATA K256<>+0x68(SB)/4, $0x9bdc06a7
+DATA K256<>+0x6c(SB)/4, $0xc19bf174
+DATA K256<>+0x70(SB)/4, $0x72be5d74
+DATA K256<>+0x74(SB)/4, $0x80deb1fe
+DATA K256<>+0x78(SB)/4, $0x9bdc06a7
+DATA K256<>+0x7c(SB)/4, $0xc19bf174
+
+DATA K256<>+0x80(SB)/4, $0xe49b69c1 // k17 - k20
+DATA K256<>+0x84(SB)/4, $0xefbe4786
+DATA K256<>+0x88(SB)/4, $0x0fc19dc6
+DATA K256<>+0x8c(SB)/4, $0x240ca1cc
+DATA K256<>+0x90(SB)/4, $0xe49b69c1
+DATA K256<>+0x94(SB)/4, $0xefbe4786
+DATA K256<>+0x98(SB)/4, $0x0fc19dc6
+DATA K256<>+0x9c(SB)/4, $0x240ca1cc
+
+DATA K256<>+0xa0(SB)/4, $0x2de92c6f // k21 - k24
+DATA K256<>+0xa4(SB)/4, $0x4a7484aa
+DATA K256<>+0xa8(SB)/4, $0x5cb0a9dc
+DATA K256<>+0xac(SB)/4, $0x76f988da
+DATA K256<>+0xb0(SB)/4, $0x2de92c6f
+DATA K256<>+0xb4(SB)/4, $0x4a7484aa
+DATA K256<>+0xb8(SB)/4, $0x5cb0a9dc
+DATA K256<>+0xbc(SB)/4, $0x76f988da
+
+DATA K256<>+0xc0(SB)/4, $0x983e5152 // k25 - k28
+DATA K256<>+0xc4(SB)/4, $0xa831c66d
+DATA K256<>+0xc8(SB)/4, $0xb00327c8
+DATA K256<>+0xcc(SB)/4, $0xbf597fc7
+DATA K256<>+0xd0(SB)/4, $0x983e5152
+DATA K256<>+0xd4(SB)/4, $0xa831c66d
+DATA K256<>+0xd8(SB)/4, $0xb00327c8
+DATA K256<>+0xdc(SB)/4, $0xbf597fc7
+
+DATA K256<>+0xe0(SB)/4, $0xc6e00bf3 // k29 - k32
+DATA K256<>+0xe4(SB)/4, $0xd5a79147
+DATA K256<>+0xe8(SB)/4, $0x06ca6351
+DATA K256<>+0xec(SB)/4, $0x14292967
+DATA K256<>+0xf0(SB)/4, $0xc6e00bf3
+DATA K256<>+0xf4(SB)/4, $0xd5a79147
+DATA K256<>+0xf8(SB)/4, $0x06ca6351
+DATA K256<>+0xfc(SB)/4, $0x14292967
+
+DATA K256<>+0x100(SB)/4, $0x27b70a85
+DATA K256<>+0x104(SB)/4, $0x2e1b2138
+DATA K256<>+0x108(SB)/4, $0x4d2c6dfc
+DATA K256<>+0x10c(SB)/4, $0x53380d13
+DATA K256<>+0x110(SB)/4, $0x27b70a85
+DATA K256<>+0x114(SB)/4, $0x2e1b2138
+DATA K256<>+0x118(SB)/4, $0x4d2c6dfc
+DATA K256<>+0x11c(SB)/4, $0x53380d13
+
+DATA K256<>+0x120(SB)/4, $0x650a7354
+DATA K256<>+0x124(SB)/4, $0x766a0abb
+DATA K256<>+0x128(SB)/4, $0x81c2c92e
+DATA K256<>+0x12c(SB)/4, $0x92722c85
+DATA K256<>+0x130(SB)/4, $0x650a7354
+DATA K256<>+0x134(SB)/4, $0x766a0abb
+DATA K256<>+0x138(SB)/4, $0x81c2c92e
+DATA K256<>+0x13c(SB)/4, $0x92722c85
+
+DATA K256<>+0x140(SB)/4, $0xa2bfe8a1
+DATA K256<>+0x144(SB)/4, $0xa81a664b
+DATA K256<>+0x148(SB)/4, $0xc24b8b70
+DATA K256<>+0x14c(SB)/4, $0xc76c51a3
+DATA K256<>+0x150(SB)/4, $0xa2bfe8a1
+DATA K256<>+0x154(SB)/4, $0xa81a664b
+DATA K256<>+0x158(SB)/4, $0xc24b8b70
+DATA K256<>+0x15c(SB)/4, $0xc76c51a3
+
+DATA K256<>+0x160(SB)/4, $0xd192e819
+DATA K256<>+0x164(SB)/4, $0xd6990624
+DATA K256<>+0x168(SB)/4, $0xf40e3585
+DATA K256<>+0x16c(SB)/4, $0x106aa070
+DATA K256<>+0x170(SB)/4, $0xd192e819
+DATA K256<>+0x174(SB)/4, $0xd6990624
+DATA K256<>+0x178(SB)/4, $0xf40e3585
+DATA K256<>+0x17c(SB)/4, $0x106aa070
+
+DATA K256<>+0x180(SB)/4, $0x19a4c116
+DATA K256<>+0x184(SB)/4, $0x1e376c08
+DATA K256<>+0x188(SB)/4, $0x2748774c
+DATA K256<>+0x18c(SB)/4, $0x34b0bcb5
+DATA K256<>+0x190(SB)/4, $0x19a4c116
+DATA K256<>+0x194(SB)/4, $0x1e376c08
+DATA K256<>+0x198(SB)/4, $0x2748774c
+DATA K256<>+0x19c(SB)/4, $0x34b0bcb5
+
+DATA K256<>+0x1a0(SB)/4, $0x391c0cb3
+DATA K256<>+0x1a4(SB)/4, $0x4ed8aa4a
+DATA K256<>+0x1a8(SB)/4, $0x5b9cca4f
+DATA K256<>+0x1ac(SB)/4, $0x682e6ff3
+DATA K256<>+0x1b0(SB)/4, $0x391c0cb3
+DATA K256<>+0x1b4(SB)/4, $0x4ed8aa4a
+DATA K256<>+0x1b8(SB)/4, $0x5b9cca4f
+DATA K256<>+0x1bc(SB)/4, $0x682e6ff3
+
+DATA K256<>+0x1c0(SB)/4, $0x748f82ee
+DATA K256<>+0x1c4(SB)/4, $0x78a5636f
+DATA K256<>+0x1c8(SB)/4, $0x84c87814
+DATA K256<>+0x1cc(SB)/4, $0x8cc70208
+DATA K256<>+0x1d0(SB)/4, $0x748f82ee
+DATA K256<>+0x1d4(SB)/4, $0x78a5636f
+DATA K256<>+0x1d8(SB)/4, $0x84c87814
+DATA K256<>+0x1dc(SB)/4, $0x8cc70208
+
+DATA K256<>+0x1e0(SB)/4, $0x90befffa
+DATA K256<>+0x1e4(SB)/4, $0xa4506ceb
+DATA K256<>+0x1e8(SB)/4, $0xbef9a3f7
+DATA K256<>+0x1ec(SB)/4, $0xc67178f2
+DATA K256<>+0x1f0(SB)/4, $0x90befffa
+DATA K256<>+0x1f4(SB)/4, $0xa4506ceb
+DATA K256<>+0x1f8(SB)/4, $0xbef9a3f7
+DATA K256<>+0x1fc(SB)/4, $0xc67178f2
+
+GLOBL K256<>(SB), (NOPTR + RODATA), $512
diff --git a/src/cmd/internal/notsha256/sha256block_decl.go b/src/cmd/internal/notsha256/sha256block_decl.go
new file mode 100644
index 0000000000..5a822ee479
--- /dev/null
+++ b/src/cmd/internal/notsha256/sha256block_decl.go
@@ -0,0 +1,12 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build 386 || amd64 || ppc64le || ppc64
+// +build 386 amd64 ppc64le ppc64
+
+package notsha256
+
+//go:noescape
+
+func block(dig *digest, p []byte)
diff --git a/src/cmd/internal/notsha256/sha256block_generic.go b/src/cmd/internal/notsha256/sha256block_generic.go
new file mode 100644
index 0000000000..20ae841383
--- /dev/null
+++ b/src/cmd/internal/notsha256/sha256block_generic.go
@@ -0,0 +1,12 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build !amd64 && !386 && !ppc64le && !ppc64
+// +build !amd64,!386,!ppc64le,!ppc64
+
+package notsha256
+
+func block(dig *digest, p []byte) {
+	blockGeneric(dig, p)
+}
diff --git a/src/cmd/internal/notsha256/sha256block_ppc64x.s b/src/cmd/internal/notsha256/sha256block_ppc64x.s
new file mode 100644
index 0000000000..f534c26aa0
--- /dev/null
+++ b/src/cmd/internal/notsha256/sha256block_ppc64x.s
@@ -0,0 +1,424 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build ppc64 || ppc64le
+// +build ppc64 ppc64le
+
+// Based on CRYPTOGAMS code with the following comment:
+// # ====================================================================
+// # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
+// # project. The module is, however, dual licensed under OpenSSL and
+// # CRYPTOGAMS licenses depending on where you obtain it. For further
+// # details see http://www.openssl.org/~appro/cryptogams/.
+// # ====================================================================
+
+#include "textflag.h"
+
+// SHA256 block routine. See sha256block.go for Go equivalent.
+//
+// The algorithm is detailed in FIPS 180-4:
+//
+//  https://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf
+//
+// Wt = Mt; for 0 <= t <= 15
+// Wt = SIGMA1(Wt-2) + SIGMA0(Wt-15) + Wt-16; for 16 <= t <= 63
+//
+// a = H0
+// b = H1
+// c = H2
+// d = H3
+// e = H4
+// f = H5
+// g = H6
+// h = H7
+//
+// for t = 0 to 63 {
+//    T1 = h + BIGSIGMA1(e) + Ch(e,f,g) + Kt + Wt
+//    T2 = BIGSIGMA0(a) + Maj(a,b,c)
+//    h = g
+//    g = f
+//    f = e
+//    e = d + T1
+//    d = c
+//    c = b
+//    b = a
+//    a = T1 + T2
+// }
+//
+// H0 = a + H0
+// H1 = b + H1
+// H2 = c + H2
+// H3 = d + H3
+// H4 = e + H4
+// H5 = f + H5
+// H6 = g + H6
+// H7 = h + H7
+
+#define CTX	R3
+#define INP	R4
+#define END	R5
+#define TBL	R6
+#define IDX	R7
+#define LEN	R9
+#define TEMP	R12
+
+#define HEX00	R0
+#define HEX10	R10
+
+// V0-V7 are A-H
+// V8-V23 are used for the message schedule
+#define KI	V24
+#define FUNC	V25
+#define S0	V26
+#define S1	V27
+#define s0	V28
+#define s1	V29
+#define LEMASK	V31	// Permutation control register for little endian
+
+// 4 copies of each Kt, to fill all 4 words of a vector register
+DATA  ·kcon+0x000(SB)/8, $0x428a2f98428a2f98
+DATA  ·kcon+0x008(SB)/8, $0x428a2f98428a2f98
+DATA  ·kcon+0x010(SB)/8, $0x7137449171374491
+DATA  ·kcon+0x018(SB)/8, $0x7137449171374491
+DATA  ·kcon+0x020(SB)/8, $0xb5c0fbcfb5c0fbcf
+DATA  ·kcon+0x028(SB)/8, $0xb5c0fbcfb5c0fbcf
+DATA  ·kcon+0x030(SB)/8, $0xe9b5dba5e9b5dba5
+DATA  ·kcon+0x038(SB)/8, $0xe9b5dba5e9b5dba5
+DATA  ·kcon+0x040(SB)/8, $0x3956c25b3956c25b
+DATA  ·kcon+0x048(SB)/8, $0x3956c25b3956c25b
+DATA  ·kcon+0x050(SB)/8, $0x59f111f159f111f1
+DATA  ·kcon+0x058(SB)/8, $0x59f111f159f111f1
+DATA  ·kcon+0x060(SB)/8, $0x923f82a4923f82a4
+DATA  ·kcon+0x068(SB)/8, $0x923f82a4923f82a4
+DATA  ·kcon+0x070(SB)/8, $0xab1c5ed5ab1c5ed5
+DATA  ·kcon+0x078(SB)/8, $0xab1c5ed5ab1c5ed5
+DATA  ·kcon+0x080(SB)/8, $0xd807aa98d807aa98
+DATA  ·kcon+0x088(SB)/8, $0xd807aa98d807aa98
+DATA  ·kcon+0x090(SB)/8, $0x12835b0112835b01
+DATA  ·kcon+0x098(SB)/8, $0x12835b0112835b01
+DATA  ·kcon+0x0A0(SB)/8, $0x243185be243185be
+DATA  ·kcon+0x0A8(SB)/8, $0x243185be243185be
+DATA  ·kcon+0x0B0(SB)/8, $0x550c7dc3550c7dc3
+DATA  ·kcon+0x0B8(SB)/8, $0x550c7dc3550c7dc3
+DATA  ·kcon+0x0C0(SB)/8, $0x72be5d7472be5d74
+DATA  ·kcon+0x0C8(SB)/8, $0x72be5d7472be5d74
+DATA  ·kcon+0x0D0(SB)/8, $0x80deb1fe80deb1fe
+DATA  ·kcon+0x0D8(SB)/8, $0x80deb1fe80deb1fe
+DATA  ·kcon+0x0E0(SB)/8, $0x9bdc06a79bdc06a7
+DATA  ·kcon+0x0E8(SB)/8, $0x9bdc06a79bdc06a7
+DATA  ·kcon+0x0F0(SB)/8, $0xc19bf174c19bf174
+DATA  ·kcon+0x0F8(SB)/8, $0xc19bf174c19bf174
+DATA  ·kcon+0x100(SB)/8, $0xe49b69c1e49b69c1
+DATA  ·kcon+0x108(SB)/8, $0xe49b69c1e49b69c1
+DATA  ·kcon+0x110(SB)/8, $0xefbe4786efbe4786
+DATA  ·kcon+0x118(SB)/8, $0xefbe4786efbe4786
+DATA  ·kcon+0x120(SB)/8, $0x0fc19dc60fc19dc6
+DATA  ·kcon+0x128(SB)/8, $0x0fc19dc60fc19dc6
+DATA  ·kcon+0x130(SB)/8, $0x240ca1cc240ca1cc
+DATA  ·kcon+0x138(SB)/8, $0x240ca1cc240ca1cc
+DATA  ·kcon+0x140(SB)/8, $0x2de92c6f2de92c6f
+DATA  ·kcon+0x148(SB)/8, $0x2de92c6f2de92c6f
+DATA  ·kcon+0x150(SB)/8, $0x4a7484aa4a7484aa
+DATA  ·kcon+0x158(SB)/8, $0x4a7484aa4a7484aa
+DATA  ·kcon+0x160(SB)/8, $0x5cb0a9dc5cb0a9dc
+DATA  ·kcon+0x168(SB)/8, $0x5cb0a9dc5cb0a9dc
+DATA  ·kcon+0x170(SB)/8, $0x76f988da76f988da
+DATA  ·kcon+0x178(SB)/8, $0x76f988da76f988da
+DATA  ·kcon+0x180(SB)/8, $0x983e5152983e5152
+DATA  ·kcon+0x188(SB)/8, $0x983e5152983e5152
+DATA  ·kcon+0x190(SB)/8, $0xa831c66da831c66d
+DATA  ·kcon+0x198(SB)/8, $0xa831c66da831c66d
+DATA  ·kcon+0x1A0(SB)/8, $0xb00327c8b00327c8
+DATA  ·kcon+0x1A8(SB)/8, $0xb00327c8b00327c8
+DATA  ·kcon+0x1B0(SB)/8, $0xbf597fc7bf597fc7
+DATA  ·kcon+0x1B8(SB)/8, $0xbf597fc7bf597fc7
+DATA  ·kcon+0x1C0(SB)/8, $0xc6e00bf3c6e00bf3
+DATA  ·kcon+0x1C8(SB)/8, $0xc6e00bf3c6e00bf3
+DATA  ·kcon+0x1D0(SB)/8, $0xd5a79147d5a79147
+DATA  ·kcon+0x1D8(SB)/8, $0xd5a79147d5a79147
+DATA  ·kcon+0x1E0(SB)/8, $0x06ca635106ca6351
+DATA  ·kcon+0x1E8(SB)/8, $0x06ca635106ca6351
+DATA  ·kcon+0x1F0(SB)/8, $0x1429296714292967
+DATA  ·kcon+0x1F8(SB)/8, $0x1429296714292967
+DATA  ·kcon+0x200(SB)/8, $0x27b70a8527b70a85
+DATA  ·kcon+0x208(SB)/8, $0x27b70a8527b70a85
+DATA  ·kcon+0x210(SB)/8, $0x2e1b21382e1b2138
+DATA  ·kcon+0x218(SB)/8, $0x2e1b21382e1b2138
+DATA  ·kcon+0x220(SB)/8, $0x4d2c6dfc4d2c6dfc
+DATA  ·kcon+0x228(SB)/8, $0x4d2c6dfc4d2c6dfc
+DATA  ·kcon+0x230(SB)/8, $0x53380d1353380d13
+DATA  ·kcon+0x238(SB)/8, $0x53380d1353380d13
+DATA  ·kcon+0x240(SB)/8, $0x650a7354650a7354
+DATA  ·kcon+0x248(SB)/8, $0x650a7354650a7354
+DATA  ·kcon+0x250(SB)/8, $0x766a0abb766a0abb
+DATA  ·kcon+0x258(SB)/8, $0x766a0abb766a0abb
+DATA  ·kcon+0x260(SB)/8, $0x81c2c92e81c2c92e
+DATA  ·kcon+0x268(SB)/8, $0x81c2c92e81c2c92e
+DATA  ·kcon+0x270(SB)/8, $0x92722c8592722c85
+DATA  ·kcon+0x278(SB)/8, $0x92722c8592722c85
+DATA  ·kcon+0x280(SB)/8, $0xa2bfe8a1a2bfe8a1
+DATA  ·kcon+0x288(SB)/8, $0xa2bfe8a1a2bfe8a1
+DATA  ·kcon+0x290(SB)/8, $0xa81a664ba81a664b
+DATA  ·kcon+0x298(SB)/8, $0xa81a664ba81a664b
+DATA  ·kcon+0x2A0(SB)/8, $0xc24b8b70c24b8b70
+DATA  ·kcon+0x2A8(SB)/8, $0xc24b8b70c24b8b70
+DATA  ·kcon+0x2B0(SB)/8, $0xc76c51a3c76c51a3
+DATA  ·kcon+0x2B8(SB)/8, $0xc76c51a3c76c51a3
+DATA  ·kcon+0x2C0(SB)/8, $0xd192e819d192e819
+DATA  ·kcon+0x2C8(SB)/8, $0xd192e819d192e819
+DATA  ·kcon+0x2D0(SB)/8, $0xd6990624d6990624
+DATA  ·kcon+0x2D8(SB)/8, $0xd6990624d6990624
+DATA  ·kcon+0x2E0(SB)/8, $0xf40e3585f40e3585
+DATA  ·kcon+0x2E8(SB)/8, $0xf40e3585f40e3585
+DATA  ·kcon+0x2F0(SB)/8, $0x106aa070106aa070
+DATA  ·kcon+0x2F8(SB)/8, $0x106aa070106aa070
+DATA  ·kcon+0x300(SB)/8, $0x19a4c11619a4c116
+DATA  ·kcon+0x308(SB)/8, $0x19a4c11619a4c116
+DATA  ·kcon+0x310(SB)/8, $0x1e376c081e376c08
+DATA  ·kcon+0x318(SB)/8, $0x1e376c081e376c08
+DATA  ·kcon+0x320(SB)/8, $0x2748774c2748774c
+DATA  ·kcon+0x328(SB)/8, $0x2748774c2748774c
+DATA  ·kcon+0x330(SB)/8, $0x34b0bcb534b0bcb5
+DATA  ·kcon+0x338(SB)/8, $0x34b0bcb534b0bcb5
+DATA  ·kcon+0x340(SB)/8, $0x391c0cb3391c0cb3
+DATA  ·kcon+0x348(SB)/8, $0x391c0cb3391c0cb3
+DATA  ·kcon+0x350(SB)/8, $0x4ed8aa4a4ed8aa4a
+DATA  ·kcon+0x358(SB)/8, $0x4ed8aa4a4ed8aa4a
+DATA  ·kcon+0x360(SB)/8, $0x5b9cca4f5b9cca4f
+DATA  ·kcon+0x368(SB)/8, $0x5b9cca4f5b9cca4f
+DATA  ·kcon+0x370(SB)/8, $0x682e6ff3682e6ff3
+DATA  ·kcon+0x378(SB)/8, $0x682e6ff3682e6ff3
+DATA  ·kcon+0x380(SB)/8, $0x748f82ee748f82ee
+DATA  ·kcon+0x388(SB)/8, $0x748f82ee748f82ee
+DATA  ·kcon+0x390(SB)/8, $0x78a5636f78a5636f
+DATA  ·kcon+0x398(SB)/8, $0x78a5636f78a5636f
+DATA  ·kcon+0x3A0(SB)/8, $0x84c8781484c87814
+DATA  ·kcon+0x3A8(SB)/8, $0x84c8781484c87814
+DATA  ·kcon+0x3B0(SB)/8, $0x8cc702088cc70208
+DATA  ·kcon+0x3B8(SB)/8, $0x8cc702088cc70208
+DATA  ·kcon+0x3C0(SB)/8, $0x90befffa90befffa
+DATA  ·kcon+0x3C8(SB)/8, $0x90befffa90befffa
+DATA  ·kcon+0x3D0(SB)/8, $0xa4506ceba4506ceb
+DATA  ·kcon+0x3D8(SB)/8, $0xa4506ceba4506ceb
+DATA  ·kcon+0x3E0(SB)/8, $0xbef9a3f7bef9a3f7
+DATA  ·kcon+0x3E8(SB)/8, $0xbef9a3f7bef9a3f7
+DATA  ·kcon+0x3F0(SB)/8, $0xc67178f2c67178f2
+DATA  ·kcon+0x3F8(SB)/8, $0xc67178f2c67178f2
+DATA  ·kcon+0x400(SB)/8, $0x0000000000000000
+DATA  ·kcon+0x408(SB)/8, $0x0000000000000000
+
+#ifdef GOARCH_ppc64le
+DATA  ·kcon+0x410(SB)/8, $0x1011121310111213	// permutation control vectors
+DATA  ·kcon+0x418(SB)/8, $0x1011121300010203
+DATA  ·kcon+0x420(SB)/8, $0x1011121310111213
+DATA  ·kcon+0x428(SB)/8, $0x0405060700010203
+DATA  ·kcon+0x430(SB)/8, $0x1011121308090a0b
+DATA  ·kcon+0x438(SB)/8, $0x0405060700010203
+#else
+DATA  ·kcon+0x410(SB)/8, $0x1011121300010203
+DATA  ·kcon+0x418(SB)/8, $0x1011121310111213	// permutation control vectors
+DATA  ·kcon+0x420(SB)/8, $0x0405060700010203
+DATA  ·kcon+0x428(SB)/8, $0x1011121310111213
+DATA  ·kcon+0x430(SB)/8, $0x0001020304050607
+DATA  ·kcon+0x438(SB)/8, $0x08090a0b10111213
+#endif
+
+GLOBL ·kcon(SB), RODATA, $1088
+
+#define SHA256ROUND0(a, b, c, d, e, f, g, h, xi) \
+	VSEL		g, f, e, FUNC; \
+	VSHASIGMAW	$15, e, $1, S1; \
+	VADDUWM		xi, h, h; \
+	VSHASIGMAW	$0, a, $1, S0; \
+	VADDUWM		FUNC, h, h; \
+	VXOR		b, a, FUNC; \
+	VADDUWM		S1, h, h; \
+	VSEL		b, c, FUNC, FUNC; \
+	VADDUWM		KI, g, g; \
+	VADDUWM		h, d, d; \
+	VADDUWM		FUNC, S0, S0; \
+	LVX		(TBL)(IDX), KI; \
+	ADD		$16, IDX; \
+	VADDUWM		S0, h, h
+
+#define SHA256ROUND1(a, b, c, d, e, f, g, h, xi, xj, xj_1, xj_9, xj_14) \
+	VSHASIGMAW	$0, xj_1, $0, s0; \
+	VSEL		g, f, e, FUNC; \
+	VSHASIGMAW	$15, e, $1, S1; \
+	VADDUWM		xi, h, h; \
+	VSHASIGMAW	$0, a, $1, S0; \
+	VSHASIGMAW	$15, xj_14, $0, s1; \
+	VADDUWM		FUNC, h, h; \
+	VXOR		b, a, FUNC; \
+	VADDUWM		xj_9, xj, xj; \
+	VADDUWM		S1, h, h; \
+	VSEL		b, c, FUNC, FUNC; \
+	VADDUWM		KI, g, g; \
+	VADDUWM		h, d, d; \
+	VADDUWM		FUNC, S0, S0; \
+	VADDUWM		s0, xj, xj; \
+	LVX		(TBL)(IDX), KI; \
+	ADD		$16, IDX; \
+	VADDUWM		S0, h, h; \
+	VADDUWM		s1, xj, xj
+
+#ifdef GOARCH_ppc64le
+#define VPERMLE(va,vb,vc,vt) VPERM va, vb, vc, vt
+#else
+#define VPERMLE(va,vb,vc,vt)
+#endif
+
+// func block(dig *digest, p []byte)
+TEXT ·block(SB),0,$0-32
+	MOVD	dig+0(FP), CTX
+	MOVD	p_base+8(FP), INP
+	MOVD	p_len+16(FP), LEN
+
+	SRD	$6, LEN
+	SLD	$6, LEN
+	ADD	INP, LEN, END
+
+	CMP	INP, END
+	BEQ	end
+
+	MOVD	$·kcon(SB), TBL
+	MOVWZ	$0x10, HEX10
+	MOVWZ	$8, IDX
+
+#ifdef GOARCH_ppc64le
+	LVSL	(IDX)(R0), LEMASK
+	VSPLTISB	$0x0F, KI
+	VXOR	KI, LEMASK, LEMASK
+#endif
+
+	LXVW4X	(CTX)(HEX00), VS32	// v0 = vs32
+	LXVW4X	(CTX)(HEX10), VS36	// v4 = vs36
+
+	// unpack the input values into vector registers
+	VSLDOI	$4, V0, V0, V1
+	VSLDOI	$8, V0, V0, V2
+	VSLDOI	$12, V0, V0, V3
+	VSLDOI	$4, V4, V4, V5
+	VSLDOI	$8, V4, V4, V6
+	VSLDOI	$12, V4, V4, V7
+
+loop:
+	LVX	(TBL)(HEX00), KI
+	MOVWZ	$16, IDX
+
+	LXVD2X	(INP)(R0), VS40	// load v8 (=vs40) in advance
+	ADD	$16, INP
+
+	// Offload to VSR24-31 (aka FPR24-31)
+	XXLOR	V0, V0, VS24
+	XXLOR	V1, V1, VS25
+	XXLOR	V2, V2, VS26
+	XXLOR	V3, V3, VS27
+	XXLOR	V4, V4, VS28
+	XXLOR	V5, V5, VS29
+	XXLOR	V6, V6, VS30
+	XXLOR	V7, V7, VS31
+
+	VADDUWM	KI, V7, V7	// h+K[i]
+	LVX	(TBL)(IDX), KI
+	ADD	$16, IDX
+
+	VPERMLE(V8, V8, LEMASK, V8)
+	SHA256ROUND0(V0, V1, V2, V3, V4, V5, V6, V7, V8)
+	VSLDOI	$4, V8, V8, V9
+	SHA256ROUND0(V7, V0, V1, V2, V3, V4, V5, V6, V9)
+	VSLDOI	$4, V9, V9, V10
+	SHA256ROUND0(V6, V7, V0, V1, V2, V3, V4, V5, V10)
+	LXVD2X	(INP)(R0), VS44	// load v12 (=vs44) in advance
+	ADD	$16, INP, INP
+	VSLDOI	$4, V10, V10, V11
+	SHA256ROUND0(V5, V6, V7, V0, V1, V2, V3, V4, V11)
+	VPERMLE(V12, V12, LEMASK, V12)
+	SHA256ROUND0(V4, V5, V6, V7, V0, V1, V2, V3, V12)
+	VSLDOI	$4, V12, V12, V13
+	SHA256ROUND0(V3, V4, V5, V6, V7, V0, V1, V2, V13)
+	VSLDOI	$4, V13, V13, V14
+	SHA256ROUND0(V2, V3, V4, V5, V6, V7, V0, V1, V14)
+	LXVD2X	(INP)(R0), VS48	// load v16 (=vs48) in advance
+	ADD	$16, INP, INP
+	VSLDOI	$4, V14, V14, V15
+	SHA256ROUND0(V1, V2, V3, V4, V5, V6, V7, V0, V15)
+	VPERMLE(V16, V16, LEMASK, V16)
+	SHA256ROUND0(V0, V1, V2, V3, V4, V5, V6, V7, V16)
+	VSLDOI	$4, V16, V16, V17
+	SHA256ROUND0(V7, V0, V1, V2, V3, V4, V5, V6, V17)
+	VSLDOI	$4, V17, V17, V18
+	SHA256ROUND0(V6, V7, V0, V1, V2, V3, V4, V5, V18)
+	VSLDOI	$4, V18, V18, V19
+	LXVD2X	(INP)(R0), VS52	// load v20 (=vs52) in advance
+	ADD	$16, INP, INP
+	SHA256ROUND0(V5, V6, V7, V0, V1, V2, V3, V4, V19)
+	VPERMLE(V20, V20, LEMASK, V20)
+	SHA256ROUND0(V4, V5, V6, V7, V0, V1, V2, V3, V20)
+	VSLDOI	$4, V20, V20, V21
+	SHA256ROUND0(V3, V4, V5, V6, V7, V0, V1, V2, V21)
+	VSLDOI	$4, V21, V21, V22
+	SHA256ROUND0(V2, V3, V4, V5, V6, V7, V0, V1, V22)
+	VSLDOI	$4, V22, V22, V23
+	SHA256ROUND1(V1, V2, V3, V4, V5, V6, V7, V0, V23, V8, V9, V17, V22)
+
+	MOVWZ	$3, TEMP
+	MOVWZ	TEMP, CTR
+
+L16_xx:
+	SHA256ROUND1(V0, V1, V2, V3, V4, V5, V6, V7, V8, V9, V10, V18, V23)
+	SHA256ROUND1(V7, V0, V1, V2, V3, V4, V5, V6, V9, V10, V11, V19, V8)
+	SHA256ROUND1(V6, V7, V0, V1, V2, V3, V4, V5, V10, V11, V12, V20, V9)
+	SHA256ROUND1(V5, V6, V7, V0, V1, V2, V3, V4, V11, V12, V13, V21, V10)
+	SHA256ROUND1(V4, V5, V6, V7, V0, V1, V2, V3, V12, V13, V14, V22, V11)
+	SHA256ROUND1(V3, V4, V5, V6, V7, V0, V1, V2, V13, V14, V15, V23, V12)
+	SHA256ROUND1(V2, V3, V4, V5, V6, V7, V0, V1, V14, V15, V16, V8, V13)
+	SHA256ROUND1(V1, V2, V3, V4, V5, V6, V7, V0, V15, V16, V17, V9, V14)
+	SHA256ROUND1(V0, V1, V2, V3, V4, V5, V6, V7, V16, V17, V18, V10, V15)
+	SHA256ROUND1(V7, V0, V1, V2, V3, V4, V5, V6, V17, V18, V19, V11, V16)
+	SHA256ROUND1(V6, V7, V0, V1, V2, V3, V4, V5, V18, V19, V20, V12, V17)
+	SHA256ROUND1(V5, V6, V7, V0, V1, V2, V3, V4, V19, V20, V21, V13, V18)
+	SHA256ROUND1(V4, V5, V6, V7, V0, V1, V2, V3, V20, V21, V22, V14, V19)
+	SHA256ROUND1(V3, V4, V5, V6, V7, V0, V1, V2, V21, V22, V23, V15, V20)
+	SHA256ROUND1(V2, V3, V4, V5, V6, V7, V0, V1, V22, V23, V8, V16, V21)
+	SHA256ROUND1(V1, V2, V3, V4, V5, V6, V7, V0, V23, V8, V9, V17, V22)
+
+	BC	0x10, 0, L16_xx		// bdnz
+
+	XXLOR	VS24, VS24, V10
+
+	XXLOR	VS25, VS25, V11
+	VADDUWM	V10, V0, V0
+	XXLOR	VS26, VS26, V12
+	VADDUWM	V11, V1, V1
+	XXLOR	VS27, VS27, V13
+	VADDUWM	V12, V2, V2
+	XXLOR	VS28, VS28, V14
+	VADDUWM	V13, V3, V3
+	XXLOR	VS29, VS29, V15
+	VADDUWM	V14, V4, V4
+	XXLOR	VS30, VS30, V16
+	VADDUWM	V15, V5, V5
+	XXLOR	VS31, VS31, V17
+	VADDUWM	V16, V6, V6
+	VADDUWM	V17, V7, V7
+
+	CMPU	INP, END
+	BLT	loop
+
+	LVX	(TBL)(IDX), V8
+	ADD	$16, IDX
+	VPERM	V0, V1, KI, V0
+	LVX	(TBL)(IDX), V9
+	VPERM	V4, V5, KI, V4
+	VPERM	V0, V2, V8, V0
+	VPERM	V4, V6, V8, V4
+	VPERM	V0, V3, V9, V0
+	VPERM	V4, V7, V9, V4
+	STXVD2X	VS32, (CTX+HEX00)	// v0 = vs32
+	STXVD2X	VS36, (CTX+HEX10)	// v4 = vs36
+
+end:
+	RET
+
diff --git a/src/cmd/internal/obj/objfile.go b/src/cmd/internal/obj/objfile.go
index 2f7ce061d4..2caff62702 100644
--- a/src/cmd/internal/obj/objfile.go
+++ b/src/cmd/internal/obj/objfile.go
@@ -10,9 +10,9 @@ import (
 	"bytes"
 	"cmd/internal/bio"
 	"cmd/internal/goobj"
+	"cmd/internal/notsha256"
 	"cmd/internal/objabi"
 	"cmd/internal/sys"
-	"crypto/sha1"
 	"encoding/binary"
 	"fmt"
 	"io"
@@ -460,7 +460,7 @@ func contentHash64(s *LSym) goobj.Hash64Type {
 // For now, we assume there is no circular dependencies among
 // hashed symbols.
 func (w *writer) contentHash(s *LSym) goobj.HashType {
-	h := sha1.New()
+	h := notsha256.New()
 	var tmp [14]byte
 
 	// Include the size of the symbol in the hash.
diff --git a/src/cmd/internal/obj/sym.go b/src/cmd/internal/obj/sym.go
index a8360527ef..95dd07d0fa 100644
--- a/src/cmd/internal/obj/sym.go
+++ b/src/cmd/internal/obj/sym.go
@@ -33,8 +33,8 @@ package obj
 
 import (
 	"cmd/internal/goobj"
+	"cmd/internal/notsha256"
 	"cmd/internal/objabi"
-	"crypto/md5"
 	"fmt"
 	"internal/buildcfg"
 	"log"
@@ -175,7 +175,7 @@ func (ctxt *Link) Int64Sym(i int64) *LSym {
 
 // GCLocalsSym generates a content-addressable sym containing data.
 func (ctxt *Link) GCLocalsSym(data []byte) *LSym {
-	return ctxt.LookupInit(fmt.Sprintf("gclocals·%x", md5.Sum(data)), func(lsym *LSym) {
+	return ctxt.LookupInit(fmt.Sprintf("gclocals·%x", notsha256.Sum256(data)), func(lsym *LSym) {
 		lsym.P = data
 		lsym.Set(AttrContentAddressable, true)
 	})
diff --git a/src/cmd/link/internal/ld/elf.go b/src/cmd/link/internal/ld/elf.go
index d93f72e112..343803b47c 100644
--- a/src/cmd/link/internal/ld/elf.go
+++ b/src/cmd/link/internal/ld/elf.go
@@ -5,11 +5,11 @@
 package ld
 
 import (
+	"cmd/internal/notsha256"
 	"cmd/internal/objabi"
 	"cmd/internal/sys"
 	"cmd/link/internal/loader"
 	"cmd/link/internal/sym"
-	"crypto/sha1"
 	"debug/elf"
 	"encoding/binary"
 	"encoding/hex"
@@ -1533,10 +1533,10 @@ func (ctxt *Link) doelf() {
 		sb.SetType(sym.SRODATA)
 		ldr.SetAttrSpecial(s, true)
 		sb.SetReachable(true)
-		sb.SetSize(sha1.Size)
+		sb.SetSize(notsha256.Size)
 
 		sort.Sort(byPkg(ctxt.Library))
-		h := sha1.New()
+		h := notsha256.New()
 		for _, l := range ctxt.Library {
 			h.Write(l.Fingerprint[:])
 		}
diff --git a/src/cmd/link/internal/ld/lib.go b/src/cmd/link/internal/ld/lib.go
index 4aefa9991d..04b2556ea1 100644
--- a/src/cmd/link/internal/ld/lib.go
+++ b/src/cmd/link/internal/ld/lib.go
@@ -34,6 +34,7 @@ import (
 	"bytes"
 	"cmd/internal/bio"
 	"cmd/internal/goobj"
+	"cmd/internal/notsha256"
 	"cmd/internal/objabi"
 	"cmd/internal/sys"
 	"cmd/link/internal/loadelf"
@@ -42,7 +43,6 @@ import (
 	"cmd/link/internal/loadpe"
 	"cmd/link/internal/loadxcoff"
 	"cmd/link/internal/sym"
-	"crypto/sha1"
 	"debug/elf"
 	"debug/macho"
 	"encoding/base64"
@@ -929,7 +929,7 @@ func typeSymbolMangle(name string) string {
 	if len(name) <= 14 && !strings.Contains(name, "@") { // Issue 19529
 		return name
 	}
-	hash := sha1.Sum([]byte(name))
+	hash := notsha256.Sum256([]byte(name))
 	prefix := "type."
 	if name[5] == '.' {
 		prefix = "type.."
@@ -1059,6 +1059,8 @@ var hostobj []Hostobj
 // These packages can use internal linking mode.
 // Others trigger external mode.
 var internalpkg = []string{
+	"crypto/internal/boring",
+	"crypto/internal/boring/syso",
 	"crypto/x509",
 	"net",
 	"os/user",
diff --git a/src/cmd/objdump/objdump_test.go b/src/cmd/objdump/objdump_test.go
index 313cc7a809..01967f3fed 100644
--- a/src/cmd/objdump/objdump_test.go
+++ b/src/cmd/objdump/objdump_test.go
@@ -5,7 +5,7 @@
 package main
 
 import (
-	"crypto/md5"
+	"cmd/internal/notsha256"
 	"flag"
 	"fmt"
 	"go/build"
@@ -142,7 +142,7 @@ func testDisasm(t *testing.T, srcfname string, printCode bool, printGnuAsm bool,
 		goarch = f[1]
 	}
 
-	hash := md5.Sum([]byte(fmt.Sprintf("%v-%v-%v-%v", srcfname, flags, printCode, printGnuAsm)))
+	hash := notsha256.Sum256([]byte(fmt.Sprintf("%v-%v-%v-%v", srcfname, flags, printCode, printGnuAsm)))
 	hello := filepath.Join(tmp, fmt.Sprintf("hello-%x.exe", hash))
 	args := []string{"build", "-o", hello}
 	args = append(args, flags...)