2
0

vpaes-armv8.pl 43 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259
  1. #! /usr/bin/env perl
  2. # Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
  3. #
  4. # Licensed under the OpenSSL license (the "License"). You may not use
  5. # this file except in compliance with the License. You can obtain a copy
  6. # in the file LICENSE in the source distribution or at
  7. # https://www.openssl.org/source/license.html
  8. ######################################################################
  9. ## Constant-time SSSE3 AES core implementation.
  10. ## version 0.1
  11. ##
  12. ## By Mike Hamburg (Stanford University), 2009
  13. ## Public domain.
  14. ##
  15. ## For details see http://shiftleft.org/papers/vector_aes/ and
  16. ## http://crypto.stanford.edu/vpaes/.
  17. ##
  18. ######################################################################
  19. # ARMv8 NEON adaptation by <appro@openssl.org>
  20. #
  21. # Reason for undertaken effort is that there is at least one popular
  22. # SoC based on Cortex-A53 that doesn't have crypto extensions.
  23. #
  24. # CBC enc ECB enc/dec(*) [bit-sliced enc/dec]
  25. # Cortex-A53 21.5 18.1/20.6 [17.5/19.8 ]
  26. # Cortex-A57 36.0(**) 20.4/24.9(**) [14.4/16.6 ]
  27. # X-Gene 45.9(**) 45.8/57.7(**) [33.1/37.6(**) ]
  28. # Denver(***) 16.6(**) 15.1/17.8(**) [8.80/9.93 ]
  29. # Apple A7(***) 22.7(**) 10.9/14.3 [8.45/10.0 ]
  30. # Mongoose(***) 26.3(**) 21.0/25.0(**) [13.3/16.8 ]
  31. #
  32. # (*) ECB denotes approximate result for parallelizable modes
  33. # such as CBC decrypt, CTR, etc.;
  34. # (**) these results are worse than scalar compiler-generated
  35. # code, but it's constant-time and therefore preferred;
  36. # (***) presented for reference/comparison purposes;
  37. $flavour = shift;
  38. while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {}
  39. $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
  40. ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
  41. ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
  42. die "can't locate arm-xlate.pl";
  43. open OUT,"| \"$^X\" $xlate $flavour $output";
  44. *STDOUT=*OUT;
  45. $code.=<<___;
  46. .text
  47. .type _vpaes_consts,%object
  48. .align 7 // totally strategic alignment
  49. _vpaes_consts:
  50. .Lk_mc_forward: // mc_forward
  51. .quad 0x0407060500030201, 0x0C0F0E0D080B0A09
  52. .quad 0x080B0A0904070605, 0x000302010C0F0E0D
  53. .quad 0x0C0F0E0D080B0A09, 0x0407060500030201
  54. .quad 0x000302010C0F0E0D, 0x080B0A0904070605
  55. .Lk_mc_backward:// mc_backward
  56. .quad 0x0605040702010003, 0x0E0D0C0F0A09080B
  57. .quad 0x020100030E0D0C0F, 0x0A09080B06050407
  58. .quad 0x0E0D0C0F0A09080B, 0x0605040702010003
  59. .quad 0x0A09080B06050407, 0x020100030E0D0C0F
  60. .Lk_sr: // sr
  61. .quad 0x0706050403020100, 0x0F0E0D0C0B0A0908
  62. .quad 0x030E09040F0A0500, 0x0B06010C07020D08
  63. .quad 0x0F060D040B020900, 0x070E050C030A0108
  64. .quad 0x0B0E0104070A0D00, 0x0306090C0F020508
  65. //
  66. // "Hot" constants
  67. //
  68. .Lk_inv: // inv, inva
  69. .quad 0x0E05060F0D080180, 0x040703090A0B0C02
  70. .quad 0x01040A060F0B0780, 0x030D0E0C02050809
  71. .Lk_ipt: // input transform (lo, hi)
  72. .quad 0xC2B2E8985A2A7000, 0xCABAE09052227808
  73. .quad 0x4C01307D317C4D00, 0xCD80B1FCB0FDCC81
  74. .Lk_sbo: // sbou, sbot
  75. .quad 0xD0D26D176FBDC700, 0x15AABF7AC502A878
  76. .quad 0xCFE474A55FBB6A00, 0x8E1E90D1412B35FA
  77. .Lk_sb1: // sb1u, sb1t
  78. .quad 0x3618D415FAE22300, 0x3BF7CCC10D2ED9EF
  79. .quad 0xB19BE18FCB503E00, 0xA5DF7A6E142AF544
  80. .Lk_sb2: // sb2u, sb2t
  81. .quad 0x69EB88400AE12900, 0xC2A163C8AB82234A
  82. .quad 0xE27A93C60B712400, 0x5EB7E955BC982FCD
  83. //
  84. // Decryption stuff
  85. //
  86. .Lk_dipt: // decryption input transform
  87. .quad 0x0F505B040B545F00, 0x154A411E114E451A
  88. .quad 0x86E383E660056500, 0x12771772F491F194
  89. .Lk_dsbo: // decryption sbox final output
  90. .quad 0x1387EA537EF94000, 0xC7AA6DB9D4943E2D
  91. .quad 0x12D7560F93441D00, 0xCA4B8159D8C58E9C
  92. .Lk_dsb9: // decryption sbox output *9*u, *9*t
  93. .quad 0x851C03539A86D600, 0xCAD51F504F994CC9
  94. .quad 0xC03B1789ECD74900, 0x725E2C9EB2FBA565
  95. .Lk_dsbd: // decryption sbox output *D*u, *D*t
  96. .quad 0x7D57CCDFE6B1A200, 0xF56E9B13882A4439
  97. .quad 0x3CE2FAF724C6CB00, 0x2931180D15DEEFD3
  98. .Lk_dsbb: // decryption sbox output *B*u, *B*t
  99. .quad 0xD022649296B44200, 0x602646F6B0F2D404
  100. .quad 0xC19498A6CD596700, 0xF3FF0C3E3255AA6B
  101. .Lk_dsbe: // decryption sbox output *E*u, *E*t
  102. .quad 0x46F2929626D4D000, 0x2242600464B4F6B0
  103. .quad 0x0C55A6CDFFAAC100, 0x9467F36B98593E32
  104. //
  105. // Key schedule constants
  106. //
  107. .Lk_dksd: // decryption key schedule: invskew x*D
  108. .quad 0xFEB91A5DA3E44700, 0x0740E3A45A1DBEF9
  109. .quad 0x41C277F4B5368300, 0x5FDC69EAAB289D1E
  110. .Lk_dksb: // decryption key schedule: invskew x*B
  111. .quad 0x9A4FCA1F8550D500, 0x03D653861CC94C99
  112. .quad 0x115BEDA7B6FC4A00, 0xD993256F7E3482C8
  113. .Lk_dkse: // decryption key schedule: invskew x*E + 0x63
  114. .quad 0xD5031CCA1FC9D600, 0x53859A4C994F5086
  115. .quad 0xA23196054FDC7BE8, 0xCD5EF96A20B31487
  116. .Lk_dks9: // decryption key schedule: invskew x*9
  117. .quad 0xB6116FC87ED9A700, 0x4AED933482255BFC
  118. .quad 0x4576516227143300, 0x8BB89FACE9DAFDCE
  119. .Lk_rcon: // rcon
  120. .quad 0x1F8391B9AF9DEEB6, 0x702A98084D7C7D81
  121. .Lk_opt: // output transform
  122. .quad 0xFF9F4929D6B66000, 0xF7974121DEBE6808
  123. .quad 0x01EDBD5150BCEC00, 0xE10D5DB1B05C0CE0
  124. .Lk_deskew: // deskew tables: inverts the sbox's "skew"
  125. .quad 0x07E4A34047A4E300, 0x1DFEB95A5DBEF91A
  126. .quad 0x5F36B5DC83EA6900, 0x2841C2ABF49D1E77
  127. .asciz "Vector Permutation AES for ARMv8, Mike Hamburg (Stanford University)"
  128. .size _vpaes_consts,.-_vpaes_consts
  129. .align 6
  130. ___
  131. {
  132. my ($inp,$out,$key) = map("x$_",(0..2));
  133. my ($invlo,$invhi,$iptlo,$ipthi,$sbou,$sbot) = map("v$_.16b",(18..23));
  134. my ($sb1u,$sb1t,$sb2u,$sb2t) = map("v$_.16b",(24..27));
  135. my ($sb9u,$sb9t,$sbdu,$sbdt,$sbbu,$sbbt,$sbeu,$sbet)=map("v$_.16b",(24..31));
  136. $code.=<<___;
  137. ##
  138. ## _aes_preheat
  139. ##
  140. ## Fills register %r10 -> .aes_consts (so you can -fPIC)
  141. ## and %xmm9-%xmm15 as specified below.
  142. ##
  143. .type _vpaes_encrypt_preheat,%function
  144. .align 4
  145. _vpaes_encrypt_preheat:
  146. adr x10, .Lk_inv
  147. movi v17.16b, #0x0f
  148. ld1 {v18.2d-v19.2d}, [x10],#32 // .Lk_inv
  149. ld1 {v20.2d-v23.2d}, [x10],#64 // .Lk_ipt, .Lk_sbo
  150. ld1 {v24.2d-v27.2d}, [x10] // .Lk_sb1, .Lk_sb2
  151. ret
  152. .size _vpaes_encrypt_preheat,.-_vpaes_encrypt_preheat
  153. ##
  154. ## _aes_encrypt_core
  155. ##
  156. ## AES-encrypt %xmm0.
  157. ##
  158. ## Inputs:
  159. ## %xmm0 = input
  160. ## %xmm9-%xmm15 as in _vpaes_preheat
  161. ## (%rdx) = scheduled keys
  162. ##
  163. ## Output in %xmm0
  164. ## Clobbers %xmm1-%xmm5, %r9, %r10, %r11, %rax
  165. ## Preserves %xmm6 - %xmm8 so you get some local vectors
  166. ##
  167. ##
  168. .type _vpaes_encrypt_core,%function
  169. .align 4
  170. _vpaes_encrypt_core:
  171. mov x9, $key
  172. ldr w8, [$key,#240] // pull rounds
  173. adr x11, .Lk_mc_forward+16
  174. // vmovdqa .Lk_ipt(%rip), %xmm2 # iptlo
  175. ld1 {v16.2d}, [x9], #16 // vmovdqu (%r9), %xmm5 # round0 key
  176. and v1.16b, v7.16b, v17.16b // vpand %xmm9, %xmm0, %xmm1
  177. ushr v0.16b, v7.16b, #4 // vpsrlb \$4, %xmm0, %xmm0
  178. tbl v1.16b, {$iptlo}, v1.16b // vpshufb %xmm1, %xmm2, %xmm1
  179. // vmovdqa .Lk_ipt+16(%rip), %xmm3 # ipthi
  180. tbl v2.16b, {$ipthi}, v0.16b // vpshufb %xmm0, %xmm3, %xmm2
  181. eor v0.16b, v1.16b, v16.16b // vpxor %xmm5, %xmm1, %xmm0
  182. eor v0.16b, v0.16b, v2.16b // vpxor %xmm2, %xmm0, %xmm0
  183. b .Lenc_entry
  184. .align 4
  185. .Lenc_loop:
  186. // middle of middle round
  187. add x10, x11, #0x40
  188. tbl v4.16b, {$sb1t}, v2.16b // vpshufb %xmm2, %xmm13, %xmm4 # 4 = sb1u
  189. ld1 {v1.2d}, [x11], #16 // vmovdqa -0x40(%r11,%r10), %xmm1 # .Lk_mc_forward[]
  190. tbl v0.16b, {$sb1u}, v3.16b // vpshufb %xmm3, %xmm12, %xmm0 # 0 = sb1t
  191. eor v4.16b, v4.16b, v16.16b // vpxor %xmm5, %xmm4, %xmm4 # 4 = sb1u + k
  192. tbl v5.16b, {$sb2t}, v2.16b // vpshufb %xmm2, %xmm15, %xmm5 # 4 = sb2u
  193. eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 0 = A
  194. tbl v2.16b, {$sb2u}, v3.16b // vpshufb %xmm3, %xmm14, %xmm2 # 2 = sb2t
  195. ld1 {v4.2d}, [x10] // vmovdqa (%r11,%r10), %xmm4 # .Lk_mc_backward[]
  196. tbl v3.16b, {v0.16b}, v1.16b // vpshufb %xmm1, %xmm0, %xmm3 # 0 = B
  197. eor v2.16b, v2.16b, v5.16b // vpxor %xmm5, %xmm2, %xmm2 # 2 = 2A
  198. tbl v0.16b, {v0.16b}, v4.16b // vpshufb %xmm4, %xmm0, %xmm0 # 3 = D
  199. eor v3.16b, v3.16b, v2.16b // vpxor %xmm2, %xmm3, %xmm3 # 0 = 2A+B
  200. tbl v4.16b, {v3.16b}, v1.16b // vpshufb %xmm1, %xmm3, %xmm4 # 0 = 2B+C
  201. eor v0.16b, v0.16b, v3.16b // vpxor %xmm3, %xmm0, %xmm0 # 3 = 2A+B+D
  202. and x11, x11, #~(1<<6) // and \$0x30, %r11 # ... mod 4
  203. eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 0 = 2A+3B+C+D
  204. sub w8, w8, #1 // nr--
  205. .Lenc_entry:
  206. // top of round
  207. and v1.16b, v0.16b, v17.16b // vpand %xmm0, %xmm9, %xmm1 # 0 = k
  208. ushr v0.16b, v0.16b, #4 // vpsrlb \$4, %xmm0, %xmm0 # 1 = i
  209. tbl v5.16b, {$invhi}, v1.16b // vpshufb %xmm1, %xmm11, %xmm5 # 2 = a/k
  210. eor v1.16b, v1.16b, v0.16b // vpxor %xmm0, %xmm1, %xmm1 # 0 = j
  211. tbl v3.16b, {$invlo}, v0.16b // vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i
  212. tbl v4.16b, {$invlo}, v1.16b // vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j
  213. eor v3.16b, v3.16b, v5.16b // vpxor %xmm5, %xmm3, %xmm3 # 3 = iak = 1/i + a/k
  214. eor v4.16b, v4.16b, v5.16b // vpxor %xmm5, %xmm4, %xmm4 # 4 = jak = 1/j + a/k
  215. tbl v2.16b, {$invlo}, v3.16b // vpshufb %xmm3, %xmm10, %xmm2 # 2 = 1/iak
  216. tbl v3.16b, {$invlo}, v4.16b // vpshufb %xmm4, %xmm10, %xmm3 # 3 = 1/jak
  217. eor v2.16b, v2.16b, v1.16b // vpxor %xmm1, %xmm2, %xmm2 # 2 = io
  218. eor v3.16b, v3.16b, v0.16b // vpxor %xmm0, %xmm3, %xmm3 # 3 = jo
  219. ld1 {v16.2d}, [x9],#16 // vmovdqu (%r9), %xmm5
  220. cbnz w8, .Lenc_loop
  221. // middle of last round
  222. add x10, x11, #0x80
  223. // vmovdqa -0x60(%r10), %xmm4 # 3 : sbou .Lk_sbo
  224. // vmovdqa -0x50(%r10), %xmm0 # 0 : sbot .Lk_sbo+16
  225. tbl v4.16b, {$sbou}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbou
  226. ld1 {v1.2d}, [x10] // vmovdqa 0x40(%r11,%r10), %xmm1 # .Lk_sr[]
  227. tbl v0.16b, {$sbot}, v3.16b // vpshufb %xmm3, %xmm0, %xmm0 # 0 = sb1t
  228. eor v4.16b, v4.16b, v16.16b // vpxor %xmm5, %xmm4, %xmm4 # 4 = sb1u + k
  229. eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 0 = A
  230. tbl v0.16b, {v0.16b}, v1.16b // vpshufb %xmm1, %xmm0, %xmm0
  231. ret
  232. .size _vpaes_encrypt_core,.-_vpaes_encrypt_core
  233. .globl vpaes_encrypt
  234. .type vpaes_encrypt,%function
  235. .align 4
  236. vpaes_encrypt:
  237. stp x29,x30,[sp,#-16]!
  238. add x29,sp,#0
  239. ld1 {v7.16b}, [$inp]
  240. bl _vpaes_encrypt_preheat
  241. bl _vpaes_encrypt_core
  242. st1 {v0.16b}, [$out]
  243. ldp x29,x30,[sp],#16
  244. ret
  245. .size vpaes_encrypt,.-vpaes_encrypt
  246. .type _vpaes_encrypt_2x,%function
  247. .align 4
  248. _vpaes_encrypt_2x:
  249. mov x9, $key
  250. ldr w8, [$key,#240] // pull rounds
  251. adr x11, .Lk_mc_forward+16
  252. // vmovdqa .Lk_ipt(%rip), %xmm2 # iptlo
  253. ld1 {v16.2d}, [x9], #16 // vmovdqu (%r9), %xmm5 # round0 key
  254. and v1.16b, v14.16b, v17.16b // vpand %xmm9, %xmm0, %xmm1
  255. ushr v0.16b, v14.16b, #4 // vpsrlb \$4, %xmm0, %xmm0
  256. and v9.16b, v15.16b, v17.16b
  257. ushr v8.16b, v15.16b, #4
  258. tbl v1.16b, {$iptlo}, v1.16b // vpshufb %xmm1, %xmm2, %xmm1
  259. tbl v9.16b, {$iptlo}, v9.16b
  260. // vmovdqa .Lk_ipt+16(%rip), %xmm3 # ipthi
  261. tbl v2.16b, {$ipthi}, v0.16b // vpshufb %xmm0, %xmm3, %xmm2
  262. tbl v10.16b, {$ipthi}, v8.16b
  263. eor v0.16b, v1.16b, v16.16b // vpxor %xmm5, %xmm1, %xmm0
  264. eor v8.16b, v9.16b, v16.16b
  265. eor v0.16b, v0.16b, v2.16b // vpxor %xmm2, %xmm0, %xmm0
  266. eor v8.16b, v8.16b, v10.16b
  267. b .Lenc_2x_entry
  268. .align 4
  269. .Lenc_2x_loop:
  270. // middle of middle round
  271. add x10, x11, #0x40
  272. tbl v4.16b, {$sb1t}, v2.16b // vpshufb %xmm2, %xmm13, %xmm4 # 4 = sb1u
  273. tbl v12.16b, {$sb1t}, v10.16b
  274. ld1 {v1.2d}, [x11], #16 // vmovdqa -0x40(%r11,%r10), %xmm1 # .Lk_mc_forward[]
  275. tbl v0.16b, {$sb1u}, v3.16b // vpshufb %xmm3, %xmm12, %xmm0 # 0 = sb1t
  276. tbl v8.16b, {$sb1u}, v11.16b
  277. eor v4.16b, v4.16b, v16.16b // vpxor %xmm5, %xmm4, %xmm4 # 4 = sb1u + k
  278. eor v12.16b, v12.16b, v16.16b
  279. tbl v5.16b, {$sb2t}, v2.16b // vpshufb %xmm2, %xmm15, %xmm5 # 4 = sb2u
  280. tbl v13.16b, {$sb2t}, v10.16b
  281. eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 0 = A
  282. eor v8.16b, v8.16b, v12.16b
  283. tbl v2.16b, {$sb2u}, v3.16b // vpshufb %xmm3, %xmm14, %xmm2 # 2 = sb2t
  284. tbl v10.16b, {$sb2u}, v11.16b
  285. ld1 {v4.2d}, [x10] // vmovdqa (%r11,%r10), %xmm4 # .Lk_mc_backward[]
  286. tbl v3.16b, {v0.16b}, v1.16b // vpshufb %xmm1, %xmm0, %xmm3 # 0 = B
  287. tbl v11.16b, {v8.16b}, v1.16b
  288. eor v2.16b, v2.16b, v5.16b // vpxor %xmm5, %xmm2, %xmm2 # 2 = 2A
  289. eor v10.16b, v10.16b, v13.16b
  290. tbl v0.16b, {v0.16b}, v4.16b // vpshufb %xmm4, %xmm0, %xmm0 # 3 = D
  291. tbl v8.16b, {v8.16b}, v4.16b
  292. eor v3.16b, v3.16b, v2.16b // vpxor %xmm2, %xmm3, %xmm3 # 0 = 2A+B
  293. eor v11.16b, v11.16b, v10.16b
  294. tbl v4.16b, {v3.16b}, v1.16b // vpshufb %xmm1, %xmm3, %xmm4 # 0 = 2B+C
  295. tbl v12.16b, {v11.16b},v1.16b
  296. eor v0.16b, v0.16b, v3.16b // vpxor %xmm3, %xmm0, %xmm0 # 3 = 2A+B+D
  297. eor v8.16b, v8.16b, v11.16b
  298. and x11, x11, #~(1<<6) // and \$0x30, %r11 # ... mod 4
  299. eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 0 = 2A+3B+C+D
  300. eor v8.16b, v8.16b, v12.16b
  301. sub w8, w8, #1 // nr--
  302. .Lenc_2x_entry:
  303. // top of round
  304. and v1.16b, v0.16b, v17.16b // vpand %xmm0, %xmm9, %xmm1 # 0 = k
  305. ushr v0.16b, v0.16b, #4 // vpsrlb \$4, %xmm0, %xmm0 # 1 = i
  306. and v9.16b, v8.16b, v17.16b
  307. ushr v8.16b, v8.16b, #4
  308. tbl v5.16b, {$invhi},v1.16b // vpshufb %xmm1, %xmm11, %xmm5 # 2 = a/k
  309. tbl v13.16b, {$invhi},v9.16b
  310. eor v1.16b, v1.16b, v0.16b // vpxor %xmm0, %xmm1, %xmm1 # 0 = j
  311. eor v9.16b, v9.16b, v8.16b
  312. tbl v3.16b, {$invlo},v0.16b // vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i
  313. tbl v11.16b, {$invlo},v8.16b
  314. tbl v4.16b, {$invlo},v1.16b // vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j
  315. tbl v12.16b, {$invlo},v9.16b
  316. eor v3.16b, v3.16b, v5.16b // vpxor %xmm5, %xmm3, %xmm3 # 3 = iak = 1/i + a/k
  317. eor v11.16b, v11.16b, v13.16b
  318. eor v4.16b, v4.16b, v5.16b // vpxor %xmm5, %xmm4, %xmm4 # 4 = jak = 1/j + a/k
  319. eor v12.16b, v12.16b, v13.16b
  320. tbl v2.16b, {$invlo},v3.16b // vpshufb %xmm3, %xmm10, %xmm2 # 2 = 1/iak
  321. tbl v10.16b, {$invlo},v11.16b
  322. tbl v3.16b, {$invlo},v4.16b // vpshufb %xmm4, %xmm10, %xmm3 # 3 = 1/jak
  323. tbl v11.16b, {$invlo},v12.16b
  324. eor v2.16b, v2.16b, v1.16b // vpxor %xmm1, %xmm2, %xmm2 # 2 = io
  325. eor v10.16b, v10.16b, v9.16b
  326. eor v3.16b, v3.16b, v0.16b // vpxor %xmm0, %xmm3, %xmm3 # 3 = jo
  327. eor v11.16b, v11.16b, v8.16b
  328. ld1 {v16.2d}, [x9],#16 // vmovdqu (%r9), %xmm5
  329. cbnz w8, .Lenc_2x_loop
  330. // middle of last round
  331. add x10, x11, #0x80
  332. // vmovdqa -0x60(%r10), %xmm4 # 3 : sbou .Lk_sbo
  333. // vmovdqa -0x50(%r10), %xmm0 # 0 : sbot .Lk_sbo+16
  334. tbl v4.16b, {$sbou}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbou
  335. tbl v12.16b, {$sbou}, v10.16b
  336. ld1 {v1.2d}, [x10] // vmovdqa 0x40(%r11,%r10), %xmm1 # .Lk_sr[]
  337. tbl v0.16b, {$sbot}, v3.16b // vpshufb %xmm3, %xmm0, %xmm0 # 0 = sb1t
  338. tbl v8.16b, {$sbot}, v11.16b
  339. eor v4.16b, v4.16b, v16.16b // vpxor %xmm5, %xmm4, %xmm4 # 4 = sb1u + k
  340. eor v12.16b, v12.16b, v16.16b
  341. eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 0 = A
  342. eor v8.16b, v8.16b, v12.16b
  343. tbl v0.16b, {v0.16b},v1.16b // vpshufb %xmm1, %xmm0, %xmm0
  344. tbl v1.16b, {v8.16b},v1.16b
  345. ret
  346. .size _vpaes_encrypt_2x,.-_vpaes_encrypt_2x
  347. .type _vpaes_decrypt_preheat,%function
  348. .align 4
  349. _vpaes_decrypt_preheat:
  350. adr x10, .Lk_inv
  351. movi v17.16b, #0x0f
  352. adr x11, .Lk_dipt
  353. ld1 {v18.2d-v19.2d}, [x10],#32 // .Lk_inv
  354. ld1 {v20.2d-v23.2d}, [x11],#64 // .Lk_dipt, .Lk_dsbo
  355. ld1 {v24.2d-v27.2d}, [x11],#64 // .Lk_dsb9, .Lk_dsbd
  356. ld1 {v28.2d-v31.2d}, [x11] // .Lk_dsbb, .Lk_dsbe
  357. ret
  358. .size _vpaes_decrypt_preheat,.-_vpaes_decrypt_preheat
  359. ##
  360. ## Decryption core
  361. ##
  362. ## Same API as encryption core.
  363. ##
  364. .type _vpaes_decrypt_core,%function
  365. .align 4
  366. _vpaes_decrypt_core:
  367. mov x9, $key
  368. ldr w8, [$key,#240] // pull rounds
  369. // vmovdqa .Lk_dipt(%rip), %xmm2 # iptlo
  370. lsl x11, x8, #4 // mov %rax, %r11; shl \$4, %r11
  371. eor x11, x11, #0x30 // xor \$0x30, %r11
  372. adr x10, .Lk_sr
  373. and x11, x11, #0x30 // and \$0x30, %r11
  374. add x11, x11, x10
  375. adr x10, .Lk_mc_forward+48
  376. ld1 {v16.2d}, [x9],#16 // vmovdqu (%r9), %xmm4 # round0 key
  377. and v1.16b, v7.16b, v17.16b // vpand %xmm9, %xmm0, %xmm1
  378. ushr v0.16b, v7.16b, #4 // vpsrlb \$4, %xmm0, %xmm0
  379. tbl v2.16b, {$iptlo}, v1.16b // vpshufb %xmm1, %xmm2, %xmm2
  380. ld1 {v5.2d}, [x10] // vmovdqa .Lk_mc_forward+48(%rip), %xmm5
  381. // vmovdqa .Lk_dipt+16(%rip), %xmm1 # ipthi
  382. tbl v0.16b, {$ipthi}, v0.16b // vpshufb %xmm0, %xmm1, %xmm0
  383. eor v2.16b, v2.16b, v16.16b // vpxor %xmm4, %xmm2, %xmm2
  384. eor v0.16b, v0.16b, v2.16b // vpxor %xmm2, %xmm0, %xmm0
  385. b .Ldec_entry
  386. .align 4
  387. .Ldec_loop:
  388. //
  389. // Inverse mix columns
  390. //
  391. // vmovdqa -0x20(%r10),%xmm4 # 4 : sb9u
  392. // vmovdqa -0x10(%r10),%xmm1 # 0 : sb9t
  393. tbl v4.16b, {$sb9u}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sb9u
  394. tbl v1.16b, {$sb9t}, v3.16b // vpshufb %xmm3, %xmm1, %xmm1 # 0 = sb9t
  395. eor v0.16b, v4.16b, v16.16b // vpxor %xmm4, %xmm0, %xmm0
  396. // vmovdqa 0x00(%r10),%xmm4 # 4 : sbdu
  397. eor v0.16b, v0.16b, v1.16b // vpxor %xmm1, %xmm0, %xmm0 # 0 = ch
  398. // vmovdqa 0x10(%r10),%xmm1 # 0 : sbdt
  399. tbl v4.16b, {$sbdu}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbdu
  400. tbl v0.16b, {v0.16b}, v5.16b // vpshufb %xmm5, %xmm0, %xmm0 # MC ch
  401. tbl v1.16b, {$sbdt}, v3.16b // vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbdt
  402. eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 4 = ch
  403. // vmovdqa 0x20(%r10), %xmm4 # 4 : sbbu
  404. eor v0.16b, v0.16b, v1.16b // vpxor %xmm1, %xmm0, %xmm0 # 0 = ch
  405. // vmovdqa 0x30(%r10), %xmm1 # 0 : sbbt
  406. tbl v4.16b, {$sbbu}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbbu
  407. tbl v0.16b, {v0.16b}, v5.16b // vpshufb %xmm5, %xmm0, %xmm0 # MC ch
  408. tbl v1.16b, {$sbbt}, v3.16b // vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbbt
  409. eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 4 = ch
  410. // vmovdqa 0x40(%r10), %xmm4 # 4 : sbeu
  411. eor v0.16b, v0.16b, v1.16b // vpxor %xmm1, %xmm0, %xmm0 # 0 = ch
  412. // vmovdqa 0x50(%r10), %xmm1 # 0 : sbet
  413. tbl v4.16b, {$sbeu}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbeu
  414. tbl v0.16b, {v0.16b}, v5.16b // vpshufb %xmm5, %xmm0, %xmm0 # MC ch
  415. tbl v1.16b, {$sbet}, v3.16b // vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbet
  416. eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 4 = ch
  417. ext v5.16b, v5.16b, v5.16b, #12 // vpalignr \$12, %xmm5, %xmm5, %xmm5
  418. eor v0.16b, v0.16b, v1.16b // vpxor %xmm1, %xmm0, %xmm0 # 0 = ch
  419. sub w8, w8, #1 // sub \$1,%rax # nr--
  420. .Ldec_entry:
  421. // top of round
  422. and v1.16b, v0.16b, v17.16b // vpand %xmm9, %xmm0, %xmm1 # 0 = k
  423. ushr v0.16b, v0.16b, #4 // vpsrlb \$4, %xmm0, %xmm0 # 1 = i
  424. tbl v2.16b, {$invhi}, v1.16b // vpshufb %xmm1, %xmm11, %xmm2 # 2 = a/k
  425. eor v1.16b, v1.16b, v0.16b // vpxor %xmm0, %xmm1, %xmm1 # 0 = j
  426. tbl v3.16b, {$invlo}, v0.16b // vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i
  427. tbl v4.16b, {$invlo}, v1.16b // vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j
  428. eor v3.16b, v3.16b, v2.16b // vpxor %xmm2, %xmm3, %xmm3 # 3 = iak = 1/i + a/k
  429. eor v4.16b, v4.16b, v2.16b // vpxor %xmm2, %xmm4, %xmm4 # 4 = jak = 1/j + a/k
  430. tbl v2.16b, {$invlo}, v3.16b // vpshufb %xmm3, %xmm10, %xmm2 # 2 = 1/iak
  431. tbl v3.16b, {$invlo}, v4.16b // vpshufb %xmm4, %xmm10, %xmm3 # 3 = 1/jak
  432. eor v2.16b, v2.16b, v1.16b // vpxor %xmm1, %xmm2, %xmm2 # 2 = io
  433. eor v3.16b, v3.16b, v0.16b // vpxor %xmm0, %xmm3, %xmm3 # 3 = jo
  434. ld1 {v16.2d}, [x9],#16 // vmovdqu (%r9), %xmm0
  435. cbnz w8, .Ldec_loop
  436. // middle of last round
  437. // vmovdqa 0x60(%r10), %xmm4 # 3 : sbou
  438. tbl v4.16b, {$sbou}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbou
  439. // vmovdqa 0x70(%r10), %xmm1 # 0 : sbot
  440. ld1 {v2.2d}, [x11] // vmovdqa -0x160(%r11), %xmm2 # .Lk_sr-.Lk_dsbd=-0x160
  441. tbl v1.16b, {$sbot}, v3.16b // vpshufb %xmm3, %xmm1, %xmm1 # 0 = sb1t
  442. eor v4.16b, v4.16b, v16.16b // vpxor %xmm0, %xmm4, %xmm4 # 4 = sb1u + k
  443. eor v0.16b, v1.16b, v4.16b // vpxor %xmm4, %xmm1, %xmm0 # 0 = A
  444. tbl v0.16b, {v0.16b}, v2.16b // vpshufb %xmm2, %xmm0, %xmm0
  445. ret
  446. .size _vpaes_decrypt_core,.-_vpaes_decrypt_core
  447. .globl vpaes_decrypt
  448. .type vpaes_decrypt,%function
  449. .align 4
  450. vpaes_decrypt:
  451. stp x29,x30,[sp,#-16]!
  452. add x29,sp,#0
  453. ld1 {v7.16b}, [$inp]
  454. bl _vpaes_decrypt_preheat
  455. bl _vpaes_decrypt_core
  456. st1 {v0.16b}, [$out]
  457. ldp x29,x30,[sp],#16
  458. ret
  459. .size vpaes_decrypt,.-vpaes_decrypt
  460. // v14-v15 input, v0-v1 output
  461. .type _vpaes_decrypt_2x,%function
  462. .align 4
  463. _vpaes_decrypt_2x:
  464. mov x9, $key
  465. ldr w8, [$key,#240] // pull rounds
  466. // vmovdqa .Lk_dipt(%rip), %xmm2 # iptlo
  467. lsl x11, x8, #4 // mov %rax, %r11; shl \$4, %r11
  468. eor x11, x11, #0x30 // xor \$0x30, %r11
  469. adr x10, .Lk_sr
  470. and x11, x11, #0x30 // and \$0x30, %r11
  471. add x11, x11, x10
  472. adr x10, .Lk_mc_forward+48
  473. ld1 {v16.2d}, [x9],#16 // vmovdqu (%r9), %xmm4 # round0 key
  474. and v1.16b, v14.16b, v17.16b // vpand %xmm9, %xmm0, %xmm1
  475. ushr v0.16b, v14.16b, #4 // vpsrlb \$4, %xmm0, %xmm0
  476. and v9.16b, v15.16b, v17.16b
  477. ushr v8.16b, v15.16b, #4
  478. tbl v2.16b, {$iptlo},v1.16b // vpshufb %xmm1, %xmm2, %xmm2
  479. tbl v10.16b, {$iptlo},v9.16b
  480. ld1 {v5.2d}, [x10] // vmovdqa .Lk_mc_forward+48(%rip), %xmm5
  481. // vmovdqa .Lk_dipt+16(%rip), %xmm1 # ipthi
  482. tbl v0.16b, {$ipthi},v0.16b // vpshufb %xmm0, %xmm1, %xmm0
  483. tbl v8.16b, {$ipthi},v8.16b
  484. eor v2.16b, v2.16b, v16.16b // vpxor %xmm4, %xmm2, %xmm2
  485. eor v10.16b, v10.16b, v16.16b
  486. eor v0.16b, v0.16b, v2.16b // vpxor %xmm2, %xmm0, %xmm0
  487. eor v8.16b, v8.16b, v10.16b
  488. b .Ldec_2x_entry
  489. .align 4
  490. .Ldec_2x_loop:
  491. //
  492. // Inverse mix columns
  493. //
  494. // vmovdqa -0x20(%r10),%xmm4 # 4 : sb9u
  495. // vmovdqa -0x10(%r10),%xmm1 # 0 : sb9t
  496. tbl v4.16b, {$sb9u}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sb9u
  497. tbl v12.16b, {$sb9u}, v10.16b
  498. tbl v1.16b, {$sb9t}, v3.16b // vpshufb %xmm3, %xmm1, %xmm1 # 0 = sb9t
  499. tbl v9.16b, {$sb9t}, v11.16b
  500. eor v0.16b, v4.16b, v16.16b // vpxor %xmm4, %xmm0, %xmm0
  501. eor v8.16b, v12.16b, v16.16b
  502. // vmovdqa 0x00(%r10),%xmm4 # 4 : sbdu
  503. eor v0.16b, v0.16b, v1.16b // vpxor %xmm1, %xmm0, %xmm0 # 0 = ch
  504. eor v8.16b, v8.16b, v9.16b // vpxor %xmm1, %xmm0, %xmm0 # 0 = ch
  505. // vmovdqa 0x10(%r10),%xmm1 # 0 : sbdt
  506. tbl v4.16b, {$sbdu}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbdu
  507. tbl v12.16b, {$sbdu}, v10.16b
  508. tbl v0.16b, {v0.16b},v5.16b // vpshufb %xmm5, %xmm0, %xmm0 # MC ch
  509. tbl v8.16b, {v8.16b},v5.16b
  510. tbl v1.16b, {$sbdt}, v3.16b // vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbdt
  511. tbl v9.16b, {$sbdt}, v11.16b
  512. eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 4 = ch
  513. eor v8.16b, v8.16b, v12.16b
  514. // vmovdqa 0x20(%r10), %xmm4 # 4 : sbbu
  515. eor v0.16b, v0.16b, v1.16b // vpxor %xmm1, %xmm0, %xmm0 # 0 = ch
  516. eor v8.16b, v8.16b, v9.16b
  517. // vmovdqa 0x30(%r10), %xmm1 # 0 : sbbt
  518. tbl v4.16b, {$sbbu}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbbu
  519. tbl v12.16b, {$sbbu}, v10.16b
  520. tbl v0.16b, {v0.16b},v5.16b // vpshufb %xmm5, %xmm0, %xmm0 # MC ch
  521. tbl v8.16b, {v8.16b},v5.16b
  522. tbl v1.16b, {$sbbt}, v3.16b // vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbbt
  523. tbl v9.16b, {$sbbt}, v11.16b
  524. eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 4 = ch
  525. eor v8.16b, v8.16b, v12.16b
  526. // vmovdqa 0x40(%r10), %xmm4 # 4 : sbeu
  527. eor v0.16b, v0.16b, v1.16b // vpxor %xmm1, %xmm0, %xmm0 # 0 = ch
  528. eor v8.16b, v8.16b, v9.16b
  529. // vmovdqa 0x50(%r10), %xmm1 # 0 : sbet
  530. tbl v4.16b, {$sbeu}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbeu
  531. tbl v12.16b, {$sbeu}, v10.16b
  532. tbl v0.16b, {v0.16b},v5.16b // vpshufb %xmm5, %xmm0, %xmm0 # MC ch
  533. tbl v8.16b, {v8.16b},v5.16b
  534. tbl v1.16b, {$sbet}, v3.16b // vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbet
  535. tbl v9.16b, {$sbet}, v11.16b
  536. eor v0.16b, v0.16b, v4.16b // vpxor %xmm4, %xmm0, %xmm0 # 4 = ch
  537. eor v8.16b, v8.16b, v12.16b
  538. ext v5.16b, v5.16b, v5.16b, #12 // vpalignr \$12, %xmm5, %xmm5, %xmm5
  539. eor v0.16b, v0.16b, v1.16b // vpxor %xmm1, %xmm0, %xmm0 # 0 = ch
  540. eor v8.16b, v8.16b, v9.16b
  541. sub w8, w8, #1 // sub \$1,%rax # nr--
  542. .Ldec_2x_entry:
  543. // top of round
  544. and v1.16b, v0.16b, v17.16b // vpand %xmm9, %xmm0, %xmm1 # 0 = k
  545. ushr v0.16b, v0.16b, #4 // vpsrlb \$4, %xmm0, %xmm0 # 1 = i
  546. and v9.16b, v8.16b, v17.16b
  547. ushr v8.16b, v8.16b, #4
  548. tbl v2.16b, {$invhi},v1.16b // vpshufb %xmm1, %xmm11, %xmm2 # 2 = a/k
  549. tbl v10.16b, {$invhi},v9.16b
  550. eor v1.16b, v1.16b, v0.16b // vpxor %xmm0, %xmm1, %xmm1 # 0 = j
  551. eor v9.16b, v9.16b, v8.16b
  552. tbl v3.16b, {$invlo},v0.16b // vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i
  553. tbl v11.16b, {$invlo},v8.16b
  554. tbl v4.16b, {$invlo},v1.16b // vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j
  555. tbl v12.16b, {$invlo},v9.16b
  556. eor v3.16b, v3.16b, v2.16b // vpxor %xmm2, %xmm3, %xmm3 # 3 = iak = 1/i + a/k
  557. eor v11.16b, v11.16b, v10.16b
  558. eor v4.16b, v4.16b, v2.16b // vpxor %xmm2, %xmm4, %xmm4 # 4 = jak = 1/j + a/k
  559. eor v12.16b, v12.16b, v10.16b
  560. tbl v2.16b, {$invlo},v3.16b // vpshufb %xmm3, %xmm10, %xmm2 # 2 = 1/iak
  561. tbl v10.16b, {$invlo},v11.16b
  562. tbl v3.16b, {$invlo},v4.16b // vpshufb %xmm4, %xmm10, %xmm3 # 3 = 1/jak
  563. tbl v11.16b, {$invlo},v12.16b
  564. eor v2.16b, v2.16b, v1.16b // vpxor %xmm1, %xmm2, %xmm2 # 2 = io
  565. eor v10.16b, v10.16b, v9.16b
  566. eor v3.16b, v3.16b, v0.16b // vpxor %xmm0, %xmm3, %xmm3 # 3 = jo
  567. eor v11.16b, v11.16b, v8.16b
  568. ld1 {v16.2d}, [x9],#16 // vmovdqu (%r9), %xmm0
  569. cbnz w8, .Ldec_2x_loop
  570. // middle of last round
  571. // vmovdqa 0x60(%r10), %xmm4 # 3 : sbou
  572. tbl v4.16b, {$sbou}, v2.16b // vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbou
  573. tbl v12.16b, {$sbou}, v10.16b
  574. // vmovdqa 0x70(%r10), %xmm1 # 0 : sbot
  575. tbl v1.16b, {$sbot}, v3.16b // vpshufb %xmm3, %xmm1, %xmm1 # 0 = sb1t
  576. tbl v9.16b, {$sbot}, v11.16b
  577. ld1 {v2.2d}, [x11] // vmovdqa -0x160(%r11), %xmm2 # .Lk_sr-.Lk_dsbd=-0x160
  578. eor v4.16b, v4.16b, v16.16b // vpxor %xmm0, %xmm4, %xmm4 # 4 = sb1u + k
  579. eor v12.16b, v12.16b, v16.16b
  580. eor v0.16b, v1.16b, v4.16b // vpxor %xmm4, %xmm1, %xmm0 # 0 = A
  581. eor v8.16b, v9.16b, v12.16b
  582. tbl v0.16b, {v0.16b},v2.16b // vpshufb %xmm2, %xmm0, %xmm0
  583. tbl v1.16b, {v8.16b},v2.16b
  584. ret
  585. .size _vpaes_decrypt_2x,.-_vpaes_decrypt_2x
  586. ___
  587. }
  588. {
  589. my ($inp,$bits,$out,$dir)=("x0","w1","x2","w3");
  590. my ($invlo,$invhi,$iptlo,$ipthi,$rcon) = map("v$_.16b",(18..21,8));
  591. $code.=<<___;
  592. ########################################################
  593. ## ##
  594. ## AES key schedule ##
  595. ## ##
  596. ########################################################
  597. .type _vpaes_key_preheat,%function
  598. .align 4
  599. _vpaes_key_preheat:
  600. adr x10, .Lk_inv
  601. movi v16.16b, #0x5b // .Lk_s63
  602. adr x11, .Lk_sb1
  603. movi v17.16b, #0x0f // .Lk_s0F
  604. ld1 {v18.2d-v21.2d}, [x10] // .Lk_inv, .Lk_ipt
  605. adr x10, .Lk_dksd
  606. ld1 {v22.2d-v23.2d}, [x11] // .Lk_sb1
  607. adr x11, .Lk_mc_forward
  608. ld1 {v24.2d-v27.2d}, [x10],#64 // .Lk_dksd, .Lk_dksb
  609. ld1 {v28.2d-v31.2d}, [x10],#64 // .Lk_dkse, .Lk_dks9
  610. ld1 {v8.2d}, [x10] // .Lk_rcon
  611. ld1 {v9.2d}, [x11] // .Lk_mc_forward[0]
  612. ret
  613. .size _vpaes_key_preheat,.-_vpaes_key_preheat
  614. .type _vpaes_schedule_core,%function
  615. .align 4
  616. _vpaes_schedule_core:
  617. stp x29, x30, [sp,#-16]!
  618. add x29,sp,#0
  619. bl _vpaes_key_preheat // load the tables
  620. ld1 {v0.16b}, [$inp],#16 // vmovdqu (%rdi), %xmm0 # load key (unaligned)
  621. // input transform
  622. mov v3.16b, v0.16b // vmovdqa %xmm0, %xmm3
  623. bl _vpaes_schedule_transform
  624. mov v7.16b, v0.16b // vmovdqa %xmm0, %xmm7
  625. adr x10, .Lk_sr // lea .Lk_sr(%rip),%r10
  626. add x8, x8, x10
  627. cbnz $dir, .Lschedule_am_decrypting
  628. // encrypting, output zeroth round key after transform
  629. st1 {v0.2d}, [$out] // vmovdqu %xmm0, (%rdx)
  630. b .Lschedule_go
  631. .Lschedule_am_decrypting:
  632. // decrypting, output zeroth round key after shiftrows
  633. ld1 {v1.2d}, [x8] // vmovdqa (%r8,%r10), %xmm1
  634. tbl v3.16b, {v3.16b}, v1.16b // vpshufb %xmm1, %xmm3, %xmm3
  635. st1 {v3.2d}, [$out] // vmovdqu %xmm3, (%rdx)
  636. eor x8, x8, #0x30 // xor \$0x30, %r8
  637. .Lschedule_go:
  638. cmp $bits, #192 // cmp \$192, %esi
  639. b.hi .Lschedule_256
  640. b.eq .Lschedule_192
  641. // 128: fall though
  642. ##
  643. ## .schedule_128
  644. ##
  645. ## 128-bit specific part of key schedule.
  646. ##
  647. ## This schedule is really simple, because all its parts
  648. ## are accomplished by the subroutines.
  649. ##
  650. .Lschedule_128:
  651. mov $inp, #10 // mov \$10, %esi
  652. .Loop_schedule_128:
  653. sub $inp, $inp, #1 // dec %esi
  654. bl _vpaes_schedule_round
  655. cbz $inp, .Lschedule_mangle_last
  656. bl _vpaes_schedule_mangle // write output
  657. b .Loop_schedule_128
  658. ##
  659. ## .aes_schedule_192
  660. ##
  661. ## 192-bit specific part of key schedule.
  662. ##
  663. ## The main body of this schedule is the same as the 128-bit
  664. ## schedule, but with more smearing. The long, high side is
  665. ## stored in %xmm7 as before, and the short, low side is in
  666. ## the high bits of %xmm6.
  667. ##
  668. ## This schedule is somewhat nastier, however, because each
  669. ## round produces 192 bits of key material, or 1.5 round keys.
  670. ## Therefore, on each cycle we do 2 rounds and produce 3 round
  671. ## keys.
  672. ##
  673. .align 4
  674. .Lschedule_192:
  675. sub $inp, $inp, #8
  676. ld1 {v0.16b}, [$inp] // vmovdqu 8(%rdi),%xmm0 # load key part 2 (very unaligned)
  677. bl _vpaes_schedule_transform // input transform
  678. mov v6.16b, v0.16b // vmovdqa %xmm0, %xmm6 # save short part
  679. eor v4.16b, v4.16b, v4.16b // vpxor %xmm4, %xmm4, %xmm4 # clear 4
  680. ins v6.d[0], v4.d[0] // vmovhlps %xmm4, %xmm6, %xmm6 # clobber low side with zeros
  681. mov $inp, #4 // mov \$4, %esi
  682. .Loop_schedule_192:
  683. sub $inp, $inp, #1 // dec %esi
  684. bl _vpaes_schedule_round
  685. ext v0.16b, v6.16b, v0.16b, #8 // vpalignr \$8,%xmm6,%xmm0,%xmm0
  686. bl _vpaes_schedule_mangle // save key n
  687. bl _vpaes_schedule_192_smear
  688. bl _vpaes_schedule_mangle // save key n+1
  689. bl _vpaes_schedule_round
  690. cbz $inp, .Lschedule_mangle_last
  691. bl _vpaes_schedule_mangle // save key n+2
  692. bl _vpaes_schedule_192_smear
  693. b .Loop_schedule_192
  694. ##
  695. ## .aes_schedule_256
  696. ##
  697. ## 256-bit specific part of key schedule.
  698. ##
  699. ## The structure here is very similar to the 128-bit
  700. ## schedule, but with an additional "low side" in
  701. ## %xmm6. The low side's rounds are the same as the
  702. ## high side's, except no rcon and no rotation.
  703. ##
  704. .align 4
  705. .Lschedule_256:
  706. ld1 {v0.16b}, [$inp] // vmovdqu 16(%rdi),%xmm0 # load key part 2 (unaligned)
  707. bl _vpaes_schedule_transform // input transform
  708. mov $inp, #7 // mov \$7, %esi
  709. .Loop_schedule_256:
  710. sub $inp, $inp, #1 // dec %esi
  711. bl _vpaes_schedule_mangle // output low result
  712. mov v6.16b, v0.16b // vmovdqa %xmm0, %xmm6 # save cur_lo in xmm6
  713. // high round
  714. bl _vpaes_schedule_round
  715. cbz $inp, .Lschedule_mangle_last
  716. bl _vpaes_schedule_mangle
  717. // low round. swap xmm7 and xmm6
  718. dup v0.4s, v0.s[3] // vpshufd \$0xFF, %xmm0, %xmm0
  719. movi v4.16b, #0
  720. mov v5.16b, v7.16b // vmovdqa %xmm7, %xmm5
  721. mov v7.16b, v6.16b // vmovdqa %xmm6, %xmm7
  722. bl _vpaes_schedule_low_round
  723. mov v7.16b, v5.16b // vmovdqa %xmm5, %xmm7
  724. b .Loop_schedule_256
  725. ##
  726. ## .aes_schedule_mangle_last
  727. ##
  728. ## Mangler for last round of key schedule
  729. ## Mangles %xmm0
  730. ## when encrypting, outputs out(%xmm0) ^ 63
  731. ## when decrypting, outputs unskew(%xmm0)
  732. ##
  733. ## Always called right before return... jumps to cleanup and exits
  734. ##
  735. .align 4
  736. .Lschedule_mangle_last:
  737. // schedule last round key from xmm0
  738. adr x11, .Lk_deskew // lea .Lk_deskew(%rip),%r11 # prepare to deskew
  739. cbnz $dir, .Lschedule_mangle_last_dec
  740. // encrypting
  741. ld1 {v1.2d}, [x8] // vmovdqa (%r8,%r10),%xmm1
  742. adr x11, .Lk_opt // lea .Lk_opt(%rip), %r11 # prepare to output transform
  743. add $out, $out, #32 // add \$32, %rdx
  744. tbl v0.16b, {v0.16b}, v1.16b // vpshufb %xmm1, %xmm0, %xmm0 # output permute
  745. .Lschedule_mangle_last_dec:
  746. ld1 {v20.2d-v21.2d}, [x11] // reload constants
  747. sub $out, $out, #16 // add \$-16, %rdx
  748. eor v0.16b, v0.16b, v16.16b // vpxor .Lk_s63(%rip), %xmm0, %xmm0
  749. bl _vpaes_schedule_transform // output transform
  750. st1 {v0.2d}, [$out] // vmovdqu %xmm0, (%rdx) # save last key
  751. // cleanup
  752. eor v0.16b, v0.16b, v0.16b // vpxor %xmm0, %xmm0, %xmm0
  753. eor v1.16b, v1.16b, v1.16b // vpxor %xmm1, %xmm1, %xmm1
  754. eor v2.16b, v2.16b, v2.16b // vpxor %xmm2, %xmm2, %xmm2
  755. eor v3.16b, v3.16b, v3.16b // vpxor %xmm3, %xmm3, %xmm3
  756. eor v4.16b, v4.16b, v4.16b // vpxor %xmm4, %xmm4, %xmm4
  757. eor v5.16b, v5.16b, v5.16b // vpxor %xmm5, %xmm5, %xmm5
  758. eor v6.16b, v6.16b, v6.16b // vpxor %xmm6, %xmm6, %xmm6
  759. eor v7.16b, v7.16b, v7.16b // vpxor %xmm7, %xmm7, %xmm7
  760. ldp x29, x30, [sp],#16
  761. ret
  762. .size _vpaes_schedule_core,.-_vpaes_schedule_core
  763. ##
  764. ## .aes_schedule_192_smear
  765. ##
  766. ## Smear the short, low side in the 192-bit key schedule.
  767. ##
  768. ## Inputs:
  769. ## %xmm7: high side, b a x y
  770. ## %xmm6: low side, d c 0 0
  771. ## %xmm13: 0
  772. ##
  773. ## Outputs:
  774. ## %xmm6: b+c+d b+c 0 0
  775. ## %xmm0: b+c+d b+c b a
  776. ##
  777. .type _vpaes_schedule_192_smear,%function
  778. .align 4
  779. _vpaes_schedule_192_smear:
  780. movi v1.16b, #0
  781. dup v0.4s, v7.s[3]
  782. ins v1.s[3], v6.s[2] // vpshufd \$0x80, %xmm6, %xmm1 # d c 0 0 -> c 0 0 0
  783. ins v0.s[0], v7.s[2] // vpshufd \$0xFE, %xmm7, %xmm0 # b a _ _ -> b b b a
  784. eor v6.16b, v6.16b, v1.16b // vpxor %xmm1, %xmm6, %xmm6 # -> c+d c 0 0
  785. eor v1.16b, v1.16b, v1.16b // vpxor %xmm1, %xmm1, %xmm1
  786. eor v6.16b, v6.16b, v0.16b // vpxor %xmm0, %xmm6, %xmm6 # -> b+c+d b+c b a
  787. mov v0.16b, v6.16b // vmovdqa %xmm6, %xmm0
  788. ins v6.d[0], v1.d[0] // vmovhlps %xmm1, %xmm6, %xmm6 # clobber low side with zeros
  789. ret
  790. .size _vpaes_schedule_192_smear,.-_vpaes_schedule_192_smear
  791. ##
  792. ## .aes_schedule_round
  793. ##
  794. ## Runs one main round of the key schedule on %xmm0, %xmm7
  795. ##
  796. ## Specifically, runs subbytes on the high dword of %xmm0
  797. ## then rotates it by one byte and xors into the low dword of
  798. ## %xmm7.
  799. ##
  800. ## Adds rcon from low byte of %xmm8, then rotates %xmm8 for
  801. ## next rcon.
  802. ##
  803. ## Smears the dwords of %xmm7 by xoring the low into the
  804. ## second low, result into third, result into highest.
  805. ##
  806. ## Returns results in %xmm7 = %xmm0.
  807. ## Clobbers %xmm1-%xmm4, %r11.
  808. ##
  809. .type _vpaes_schedule_round,%function
  810. .align 4
  811. _vpaes_schedule_round:
  812. // extract rcon from xmm8
  813. movi v4.16b, #0 // vpxor %xmm4, %xmm4, %xmm4
  814. ext v1.16b, $rcon, v4.16b, #15 // vpalignr \$15, %xmm8, %xmm4, %xmm1
  815. ext $rcon, $rcon, $rcon, #15 // vpalignr \$15, %xmm8, %xmm8, %xmm8
  816. eor v7.16b, v7.16b, v1.16b // vpxor %xmm1, %xmm7, %xmm7
  817. // rotate
  818. dup v0.4s, v0.s[3] // vpshufd \$0xFF, %xmm0, %xmm0
  819. ext v0.16b, v0.16b, v0.16b, #1 // vpalignr \$1, %xmm0, %xmm0, %xmm0
  820. // fall through...
  821. // low round: same as high round, but no rotation and no rcon.
  822. _vpaes_schedule_low_round:
  823. // smear xmm7
  824. ext v1.16b, v4.16b, v7.16b, #12 // vpslldq \$4, %xmm7, %xmm1
  825. eor v7.16b, v7.16b, v1.16b // vpxor %xmm1, %xmm7, %xmm7
  826. ext v4.16b, v4.16b, v7.16b, #8 // vpslldq \$8, %xmm7, %xmm4
  827. // subbytes
  828. and v1.16b, v0.16b, v17.16b // vpand %xmm9, %xmm0, %xmm1 # 0 = k
  829. ushr v0.16b, v0.16b, #4 // vpsrlb \$4, %xmm0, %xmm0 # 1 = i
  830. eor v7.16b, v7.16b, v4.16b // vpxor %xmm4, %xmm7, %xmm7
  831. tbl v2.16b, {$invhi}, v1.16b // vpshufb %xmm1, %xmm11, %xmm2 # 2 = a/k
  832. eor v1.16b, v1.16b, v0.16b // vpxor %xmm0, %xmm1, %xmm1 # 0 = j
  833. tbl v3.16b, {$invlo}, v0.16b // vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i
  834. eor v3.16b, v3.16b, v2.16b // vpxor %xmm2, %xmm3, %xmm3 # 3 = iak = 1/i + a/k
  835. tbl v4.16b, {$invlo}, v1.16b // vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j
  836. eor v7.16b, v7.16b, v16.16b // vpxor .Lk_s63(%rip), %xmm7, %xmm7
  837. tbl v3.16b, {$invlo}, v3.16b // vpshufb %xmm3, %xmm10, %xmm3 # 2 = 1/iak
  838. eor v4.16b, v4.16b, v2.16b // vpxor %xmm2, %xmm4, %xmm4 # 4 = jak = 1/j + a/k
  839. tbl v2.16b, {$invlo}, v4.16b // vpshufb %xmm4, %xmm10, %xmm2 # 3 = 1/jak
  840. eor v3.16b, v3.16b, v1.16b // vpxor %xmm1, %xmm3, %xmm3 # 2 = io
  841. eor v2.16b, v2.16b, v0.16b // vpxor %xmm0, %xmm2, %xmm2 # 3 = jo
  842. tbl v4.16b, {v23.16b}, v3.16b // vpshufb %xmm3, %xmm13, %xmm4 # 4 = sbou
  843. tbl v1.16b, {v22.16b}, v2.16b // vpshufb %xmm2, %xmm12, %xmm1 # 0 = sb1t
  844. eor v1.16b, v1.16b, v4.16b // vpxor %xmm4, %xmm1, %xmm1 # 0 = sbox output
  845. // add in smeared stuff
  846. eor v0.16b, v1.16b, v7.16b // vpxor %xmm7, %xmm1, %xmm0
  847. eor v7.16b, v1.16b, v7.16b // vmovdqa %xmm0, %xmm7
  848. ret
  849. .size _vpaes_schedule_round,.-_vpaes_schedule_round
  850. ##
  851. ## .aes_schedule_transform
  852. ##
  853. ## Linear-transform %xmm0 according to tables at (%r11)
  854. ##
  855. ## Requires that %xmm9 = 0x0F0F... as in preheat
  856. ## Output in %xmm0
  857. ## Clobbers %xmm1, %xmm2
  858. ##
  859. .type _vpaes_schedule_transform,%function
  860. .align 4
  861. _vpaes_schedule_transform:
  862. and v1.16b, v0.16b, v17.16b // vpand %xmm9, %xmm0, %xmm1
  863. ushr v0.16b, v0.16b, #4 // vpsrlb \$4, %xmm0, %xmm0
  864. // vmovdqa (%r11), %xmm2 # lo
  865. tbl v2.16b, {$iptlo}, v1.16b // vpshufb %xmm1, %xmm2, %xmm2
  866. // vmovdqa 16(%r11), %xmm1 # hi
  867. tbl v0.16b, {$ipthi}, v0.16b // vpshufb %xmm0, %xmm1, %xmm0
  868. eor v0.16b, v0.16b, v2.16b // vpxor %xmm2, %xmm0, %xmm0
  869. ret
  870. .size _vpaes_schedule_transform,.-_vpaes_schedule_transform
  871. ##
  872. ## .aes_schedule_mangle
  873. ##
  874. ## Mangle xmm0 from (basis-transformed) standard version
  875. ## to our version.
  876. ##
  877. ## On encrypt,
  878. ## xor with 0x63
  879. ## multiply by circulant 0,1,1,1
  880. ## apply shiftrows transform
  881. ##
  882. ## On decrypt,
  883. ## xor with 0x63
  884. ## multiply by "inverse mixcolumns" circulant E,B,D,9
  885. ## deskew
  886. ## apply shiftrows transform
  887. ##
  888. ##
  889. ## Writes out to (%rdx), and increments or decrements it
  890. ## Keeps track of round number mod 4 in %r8
  891. ## Preserves xmm0
  892. ## Clobbers xmm1-xmm5
  893. ##
  894. .type _vpaes_schedule_mangle,%function
  895. .align 4
  896. _vpaes_schedule_mangle:
  897. mov v4.16b, v0.16b // vmovdqa %xmm0, %xmm4 # save xmm0 for later
  898. // vmovdqa .Lk_mc_forward(%rip),%xmm5
  899. cbnz $dir, .Lschedule_mangle_dec
  900. // encrypting
  901. eor v4.16b, v0.16b, v16.16b // vpxor .Lk_s63(%rip), %xmm0, %xmm4
  902. add $out, $out, #16 // add \$16, %rdx
  903. tbl v4.16b, {v4.16b}, v9.16b // vpshufb %xmm5, %xmm4, %xmm4
  904. tbl v1.16b, {v4.16b}, v9.16b // vpshufb %xmm5, %xmm4, %xmm1
  905. tbl v3.16b, {v1.16b}, v9.16b // vpshufb %xmm5, %xmm1, %xmm3
  906. eor v4.16b, v4.16b, v1.16b // vpxor %xmm1, %xmm4, %xmm4
  907. ld1 {v1.2d}, [x8] // vmovdqa (%r8,%r10), %xmm1
  908. eor v3.16b, v3.16b, v4.16b // vpxor %xmm4, %xmm3, %xmm3
  909. b .Lschedule_mangle_both
  910. .align 4
  911. .Lschedule_mangle_dec:
  912. // inverse mix columns
  913. // lea .Lk_dksd(%rip),%r11
  914. ushr v1.16b, v4.16b, #4 // vpsrlb \$4, %xmm4, %xmm1 # 1 = hi
  915. and v4.16b, v4.16b, v17.16b // vpand %xmm9, %xmm4, %xmm4 # 4 = lo
  916. // vmovdqa 0x00(%r11), %xmm2
  917. tbl v2.16b, {v24.16b}, v4.16b // vpshufb %xmm4, %xmm2, %xmm2
  918. // vmovdqa 0x10(%r11), %xmm3
  919. tbl v3.16b, {v25.16b}, v1.16b // vpshufb %xmm1, %xmm3, %xmm3
  920. eor v3.16b, v3.16b, v2.16b // vpxor %xmm2, %xmm3, %xmm3
  921. tbl v3.16b, {v3.16b}, v9.16b // vpshufb %xmm5, %xmm3, %xmm3
  922. // vmovdqa 0x20(%r11), %xmm2
  923. tbl v2.16b, {v26.16b}, v4.16b // vpshufb %xmm4, %xmm2, %xmm2
  924. eor v2.16b, v2.16b, v3.16b // vpxor %xmm3, %xmm2, %xmm2
  925. // vmovdqa 0x30(%r11), %xmm3
  926. tbl v3.16b, {v27.16b}, v1.16b // vpshufb %xmm1, %xmm3, %xmm3
  927. eor v3.16b, v3.16b, v2.16b // vpxor %xmm2, %xmm3, %xmm3
  928. tbl v3.16b, {v3.16b}, v9.16b // vpshufb %xmm5, %xmm3, %xmm3
  929. // vmovdqa 0x40(%r11), %xmm2
  930. tbl v2.16b, {v28.16b}, v4.16b // vpshufb %xmm4, %xmm2, %xmm2
  931. eor v2.16b, v2.16b, v3.16b // vpxor %xmm3, %xmm2, %xmm2
  932. // vmovdqa 0x50(%r11), %xmm3
  933. tbl v3.16b, {v29.16b}, v1.16b // vpshufb %xmm1, %xmm3, %xmm3
  934. eor v3.16b, v3.16b, v2.16b // vpxor %xmm2, %xmm3, %xmm3
  935. // vmovdqa 0x60(%r11), %xmm2
  936. tbl v2.16b, {v30.16b}, v4.16b // vpshufb %xmm4, %xmm2, %xmm2
  937. tbl v3.16b, {v3.16b}, v9.16b // vpshufb %xmm5, %xmm3, %xmm3
  938. // vmovdqa 0x70(%r11), %xmm4
  939. tbl v4.16b, {v31.16b}, v1.16b // vpshufb %xmm1, %xmm4, %xmm4
  940. ld1 {v1.2d}, [x8] // vmovdqa (%r8,%r10), %xmm1
  941. eor v2.16b, v2.16b, v3.16b // vpxor %xmm3, %xmm2, %xmm2
  942. eor v3.16b, v4.16b, v2.16b // vpxor %xmm2, %xmm4, %xmm3
  943. sub $out, $out, #16 // add \$-16, %rdx
  944. .Lschedule_mangle_both:
  945. tbl v3.16b, {v3.16b}, v1.16b // vpshufb %xmm1, %xmm3, %xmm3
  946. add x8, x8, #64-16 // add \$-16, %r8
  947. and x8, x8, #~(1<<6) // and \$0x30, %r8
  948. st1 {v3.2d}, [$out] // vmovdqu %xmm3, (%rdx)
  949. ret
  950. .size _vpaes_schedule_mangle,.-_vpaes_schedule_mangle
  951. .globl vpaes_set_encrypt_key
  952. .type vpaes_set_encrypt_key,%function
  953. .align 4
  954. vpaes_set_encrypt_key:
  955. stp x29,x30,[sp,#-16]!
  956. add x29,sp,#0
  957. stp d8,d9,[sp,#-16]! // ABI spec says so
  958. lsr w9, $bits, #5 // shr \$5,%eax
  959. add w9, w9, #5 // \$5,%eax
  960. str w9, [$out,#240] // mov %eax,240(%rdx) # AES_KEY->rounds = nbits/32+5;
  961. mov $dir, #0 // mov \$0,%ecx
  962. mov x8, #0x30 // mov \$0x30,%r8d
  963. bl _vpaes_schedule_core
  964. eor x0, x0, x0
  965. ldp d8,d9,[sp],#16
  966. ldp x29,x30,[sp],#16
  967. ret
  968. .size vpaes_set_encrypt_key,.-vpaes_set_encrypt_key
  969. .globl vpaes_set_decrypt_key
  970. .type vpaes_set_decrypt_key,%function
  971. .align 4
  972. vpaes_set_decrypt_key:
  973. stp x29,x30,[sp,#-16]!
  974. add x29,sp,#0
  975. stp d8,d9,[sp,#-16]! // ABI spec says so
  976. lsr w9, $bits, #5 // shr \$5,%eax
  977. add w9, w9, #5 // \$5,%eax
  978. str w9, [$out,#240] // mov %eax,240(%rdx) # AES_KEY->rounds = nbits/32+5;
  979. lsl w9, w9, #4 // shl \$4,%eax
  980. add $out, $out, #16 // lea 16(%rdx,%rax),%rdx
  981. add $out, $out, x9
  982. mov $dir, #1 // mov \$1,%ecx
  983. lsr w8, $bits, #1 // shr \$1,%r8d
  984. and x8, x8, #32 // and \$32,%r8d
  985. eor x8, x8, #32 // xor \$32,%r8d # nbits==192?0:32
  986. bl _vpaes_schedule_core
  987. ldp d8,d9,[sp],#16
  988. ldp x29,x30,[sp],#16
  989. ret
  990. .size vpaes_set_decrypt_key,.-vpaes_set_decrypt_key
  991. ___
  992. }
  993. {
  994. my ($inp,$out,$len,$key,$ivec,$dir) = map("x$_",(0..5));
  995. $code.=<<___;
  996. .globl vpaes_cbc_encrypt
  997. .type vpaes_cbc_encrypt,%function
  998. .align 4
  999. vpaes_cbc_encrypt:
  1000. cbz $len, .Lcbc_abort
  1001. cmp w5, #0 // check direction
  1002. b.eq vpaes_cbc_decrypt
  1003. stp x29,x30,[sp,#-16]!
  1004. add x29,sp,#0
  1005. mov x17, $len // reassign
  1006. mov x2, $key // reassign
  1007. ld1 {v0.16b}, [$ivec] // load ivec
  1008. bl _vpaes_encrypt_preheat
  1009. b .Lcbc_enc_loop
  1010. .align 4
  1011. .Lcbc_enc_loop:
  1012. ld1 {v7.16b}, [$inp],#16 // load input
  1013. eor v7.16b, v7.16b, v0.16b // xor with ivec
  1014. bl _vpaes_encrypt_core
  1015. st1 {v0.16b}, [$out],#16 // save output
  1016. subs x17, x17, #16
  1017. b.hi .Lcbc_enc_loop
  1018. st1 {v0.16b}, [$ivec] // write ivec
  1019. ldp x29,x30,[sp],#16
  1020. .Lcbc_abort:
  1021. ret
  1022. .size vpaes_cbc_encrypt,.-vpaes_cbc_encrypt
  1023. .type vpaes_cbc_decrypt,%function
  1024. .align 4
  1025. vpaes_cbc_decrypt:
  1026. stp x29,x30,[sp,#-16]!
  1027. add x29,sp,#0
  1028. stp d8,d9,[sp,#-16]! // ABI spec says so
  1029. stp d10,d11,[sp,#-16]!
  1030. stp d12,d13,[sp,#-16]!
  1031. stp d14,d15,[sp,#-16]!
  1032. mov x17, $len // reassign
  1033. mov x2, $key // reassign
  1034. ld1 {v6.16b}, [$ivec] // load ivec
  1035. bl _vpaes_decrypt_preheat
  1036. tst x17, #16
  1037. b.eq .Lcbc_dec_loop2x
  1038. ld1 {v7.16b}, [$inp], #16 // load input
  1039. bl _vpaes_decrypt_core
  1040. eor v0.16b, v0.16b, v6.16b // xor with ivec
  1041. orr v6.16b, v7.16b, v7.16b // next ivec value
  1042. st1 {v0.16b}, [$out], #16
  1043. subs x17, x17, #16
  1044. b.ls .Lcbc_dec_done
  1045. .align 4
  1046. .Lcbc_dec_loop2x:
  1047. ld1 {v14.16b,v15.16b}, [$inp], #32
  1048. bl _vpaes_decrypt_2x
  1049. eor v0.16b, v0.16b, v6.16b // xor with ivec
  1050. eor v1.16b, v1.16b, v14.16b
  1051. orr v6.16b, v15.16b, v15.16b
  1052. st1 {v0.16b,v1.16b}, [$out], #32
  1053. subs x17, x17, #32
  1054. b.hi .Lcbc_dec_loop2x
  1055. .Lcbc_dec_done:
  1056. st1 {v6.16b}, [$ivec]
  1057. ldp d14,d15,[sp],#16
  1058. ldp d12,d13,[sp],#16
  1059. ldp d10,d11,[sp],#16
  1060. ldp d8,d9,[sp],#16
  1061. ldp x29,x30,[sp],#16
  1062. ret
  1063. .size vpaes_cbc_decrypt,.-vpaes_cbc_decrypt
  1064. ___
  1065. if (1) {
  1066. $code.=<<___;
  1067. .globl vpaes_ecb_encrypt
  1068. .type vpaes_ecb_encrypt,%function
  1069. .align 4
  1070. vpaes_ecb_encrypt:
  1071. stp x29,x30,[sp,#-16]!
  1072. add x29,sp,#0
  1073. stp d8,d9,[sp,#-16]! // ABI spec says so
  1074. stp d10,d11,[sp,#-16]!
  1075. stp d12,d13,[sp,#-16]!
  1076. stp d14,d15,[sp,#-16]!
  1077. mov x17, $len
  1078. mov x2, $key
  1079. bl _vpaes_encrypt_preheat
  1080. tst x17, #16
  1081. b.eq .Lecb_enc_loop
  1082. ld1 {v7.16b}, [$inp],#16
  1083. bl _vpaes_encrypt_core
  1084. st1 {v0.16b}, [$out],#16
  1085. subs x17, x17, #16
  1086. b.ls .Lecb_enc_done
  1087. .align 4
  1088. .Lecb_enc_loop:
  1089. ld1 {v14.16b,v15.16b}, [$inp], #32
  1090. bl _vpaes_encrypt_2x
  1091. st1 {v0.16b,v1.16b}, [$out], #32
  1092. subs x17, x17, #32
  1093. b.hi .Lecb_enc_loop
  1094. .Lecb_enc_done:
  1095. ldp d14,d15,[sp],#16
  1096. ldp d12,d13,[sp],#16
  1097. ldp d10,d11,[sp],#16
  1098. ldp d8,d9,[sp],#16
  1099. ldp x29,x30,[sp],#16
  1100. ret
  1101. .size vpaes_ecb_encrypt,.-vpaes_ecb_encrypt
  1102. .globl vpaes_ecb_decrypt
  1103. .type vpaes_ecb_decrypt,%function
  1104. .align 4
  1105. vpaes_ecb_decrypt:
  1106. stp x29,x30,[sp,#-16]!
  1107. add x29,sp,#0
  1108. stp d8,d9,[sp,#-16]! // ABI spec says so
  1109. stp d10,d11,[sp,#-16]!
  1110. stp d12,d13,[sp,#-16]!
  1111. stp d14,d15,[sp,#-16]!
  1112. mov x17, $len
  1113. mov x2, $key
  1114. bl _vpaes_decrypt_preheat
  1115. tst x17, #16
  1116. b.eq .Lecb_dec_loop
  1117. ld1 {v7.16b}, [$inp],#16
  1118. bl _vpaes_encrypt_core
  1119. st1 {v0.16b}, [$out],#16
  1120. subs x17, x17, #16
  1121. b.ls .Lecb_dec_done
  1122. .align 4
  1123. .Lecb_dec_loop:
  1124. ld1 {v14.16b,v15.16b}, [$inp], #32
  1125. bl _vpaes_decrypt_2x
  1126. st1 {v0.16b,v1.16b}, [$out], #32
  1127. subs x17, x17, #32
  1128. b.hi .Lecb_dec_loop
  1129. .Lecb_dec_done:
  1130. ldp d14,d15,[sp],#16
  1131. ldp d12,d13,[sp],#16
  1132. ldp d10,d11,[sp],#16
  1133. ldp d8,d9,[sp],#16
  1134. ldp x29,x30,[sp],#16
  1135. ret
  1136. .size vpaes_ecb_decrypt,.-vpaes_ecb_decrypt
  1137. ___
  1138. } }
  1139. print $code;
  1140. close STDOUT;