Problem is that new assembly is using VSX registers vs14-vs31 which overlap with floating-point registers f14-f31. f14-f31 are ABI callee saved, so those need to be stored and restored.

Tested patch with small change so that HWF_PPC_ARCH_3_00 is used instead of HWF_PPC_ARCH_3_10. Building bench-slope with "-O3 -flto" makes bug in new implementation visible. Without new implementations bench-slope is ok:

$ tests/bench-slope --disable-hwf ppc-arch_3_00 cipher chacha20
Cipher:
 CHACHA20       |  nanosecs/byte   mebibytes/sec   cycles/byte
     STREAM enc |      2.35 ns/B     405.0 MiB/s         - c/B
     STREAM dec |      2.32 ns/B     410.7 MiB/s         - c/B
   POLY1305 enc |      2.46 ns/B     388.0 MiB/s         - c/B
   POLY1305 dec |      2.34 ns/B     408.1 MiB/s         - c/B
  POLY1305 auth |     0.238 ns/B      4003 MiB/s         - c/B

The changes have been applied with Werner's suggested improvement with revision rG35b17550706c: gpg: Look up user ID to revoke by UID hash

-O2 problem with bench-slope seems strange. Does problem appear after this patch is applied?

Default is "yes". When Prompt: no is specified, it doesn't ask but fails.

The behavior has been changed by T5996, to ask card insertion for the consistency of the semantics of configuration.

With the change for T5996 applied, the semantics is clear. "Use-for-ssh" flag is a key not for "OpenPGP.3", but other keys (not only OpenPGP.[12], but also for normal keys.)

Files affected:

configure.ac - Added chacha20 and poly1305 assembly implementations.
cipher/chacha20-p10le-8x.s (New) - support 8 blocks (512 bytes) unrolling.
cipher/poly1305-p10le.s (New) - support 4 blocks (128 bytes) unrolling.
cipher/Makefile.am - added new chacha20 and poly1305 files.
cipher/chacha20.c - Added PPC p10 le support for 8x chacha20.
cipher/poly1305.c - Added PPC p10 le support for 4x poly1305.

This feature is implemented in different way, by T5099.