2 # Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 # ====================================================================
11 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12 # project. The module is, however, dual licensed under OpenSSL and
13 # CRYPTOGAMS licenses depending on where you obtain it. For further
14 # details see http://www.openssl.org/~appro/cryptogams/.
15 # ====================================================================
17 # This module implements support for ARMv8 AES instructions. The
18 # module is endian-agnostic in sense that it supports both big- and
19 # little-endian cases. As does it support both 32- and 64-bit modes
20 # of operation. Latter is achieved by limiting amount of utilized
21 # registers to 16, which implies additional NEON load and integer
22 # instructions. This has no effect on mighty Apple A7, where results
23 # are literally equal to the theoretical estimates based on AES
24 # instruction latencies and issue rates. On Cortex-A53, an in-order
25 # execution core, this costs up to 10-15%, which is partially
26 # compensated by implementing dedicated code path for 128-bit
27 # CBC encrypt case. On Cortex-A57 parallelizable mode performance
28 # seems to be limited by sheer amount of NEON instructions...
30 # Performance in cycles per byte processed with 128-bit key:
33 # Apple A7 2.39 1.20 1.20
34 # Cortex-A53 1.32 1.29 1.46
35 # Cortex-A57(*) 1.95 0.85 0.93
36 # Denver 1.96 0.86 0.80
37 # Mongoose 1.33 1.20 1.20
40 # (*) original 3.64/1.34/1.32 results were for r0p0 revision
41 # and are still same even for updated module;
46 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
47 ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
48 ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
49 die "can't locate arm-xlate.pl";
51 open OUT,"| \"$^X\" $xlate $flavour $output";
56 $_byte = ($flavour =~ /win/ ? "DCB" : ".byte");
61 #if __ARM_MAX_ARCH__>=7
63 $code.=".arch armv8-a+crypto\n.text\n" if ($flavour =~ /64/);
64 $code.=<<___ if ($flavour !~ /64/);
65 .arch armv7-a // don't confuse not-so-latest binutils with argv8 :-)
70 # define INST(a,b,c,d) $_byte c,d|0xc,a,b
73 # define INST(a,b,c,d) $_byte a,b,c,d
79 # Assembler mnemonics are an eclectic mix of 32- and 64-bit syntax,
80 # NEON is mostly 32-bit mnemonics, integer - mostly 64. Goal is to
81 # maintain both 32- and 64-bit codes within single module and
82 # transliterate common code to either flavour with regex vodoo.
85 my ($inp,$bits,$out,$ptr,$rounds)=("x0","w1","x2","x3","w12");
86 my ($zero,$rcon,$mask,$in0,$in1,$tmp,$key)=
87 $flavour=~/64/? map("q$_",(0..6)) : map("q$_",(0..3,8..10));
93 .long 0x01,0x01,0x01,0x01
94 .long 0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d // rotate-n-splat
95 .long 0x1b,0x1b,0x1b,0x1b
97 .globl ${prefix}_set_encrypt_key
98 .type ${prefix}_set_encrypt_key,%function
100 ${prefix}_set_encrypt_key:
103 $code.=<<___ if ($flavour =~ /64/);
104 stp x29,x30,[sp,#-16]!
124 veor $zero,$zero,$zero
125 vld1.8 {$in0},[$inp],#16
126 mov $bits,#8 // reuse $bits
127 vld1.32 {$rcon,$mask},[$ptr],#32
135 vtbl.8 $key,{$in0},$mask
136 vext.8 $tmp,$zero,$in0,#12
137 vst1.32 {$in0},[$out],#16
142 vext.8 $tmp,$zero,$tmp,#12
144 vext.8 $tmp,$zero,$tmp,#12
147 vshl.u8 $rcon,$rcon,#1
151 vld1.32 {$rcon},[$ptr]
153 vtbl.8 $key,{$in0},$mask
154 vext.8 $tmp,$zero,$in0,#12
155 vst1.32 {$in0},[$out],#16
159 vext.8 $tmp,$zero,$tmp,#12
161 vext.8 $tmp,$zero,$tmp,#12
164 vshl.u8 $rcon,$rcon,#1
167 vtbl.8 $key,{$in0},$mask
168 vext.8 $tmp,$zero,$in0,#12
169 vst1.32 {$in0},[$out],#16
173 vext.8 $tmp,$zero,$tmp,#12
175 vext.8 $tmp,$zero,$tmp,#12
179 vst1.32 {$in0},[$out]
187 vld1.8 {$in1},[$inp],#8
188 vmov.i8 $key,#8 // borrow $key
189 vst1.32 {$in0},[$out],#16
190 vsub.i8 $mask,$mask,$key // adjust the mask
193 vtbl.8 $key,{$in1},$mask
194 vext.8 $tmp,$zero,$in0,#12
195 vst1.32 {$in1},[$out],#8
200 vext.8 $tmp,$zero,$tmp,#12
202 vext.8 $tmp,$zero,$tmp,#12
205 vdup.32 $tmp,${in0}[3]
208 vext.8 $in1,$zero,$in1,#12
209 vshl.u8 $rcon,$rcon,#1
213 vst1.32 {$in0},[$out],#16
225 vst1.32 {$in0},[$out],#16
228 vtbl.8 $key,{$in1},$mask
229 vext.8 $tmp,$zero,$in0,#12
230 vst1.32 {$in1},[$out],#16
235 vext.8 $tmp,$zero,$tmp,#12
237 vext.8 $tmp,$zero,$tmp,#12
240 vshl.u8 $rcon,$rcon,#1
242 vst1.32 {$in0},[$out],#16
245 vdup.32 $key,${in0}[3] // just splat
246 vext.8 $tmp,$zero,$in1,#12
250 vext.8 $tmp,$zero,$tmp,#12
252 vext.8 $tmp,$zero,$tmp,#12
263 mov x0,$ptr // return value
264 `"ldr x29,[sp],#16" if ($flavour =~ /64/)`
266 .size ${prefix}_set_encrypt_key,.-${prefix}_set_encrypt_key
268 .globl ${prefix}_set_decrypt_key
269 .type ${prefix}_set_decrypt_key,%function
271 ${prefix}_set_decrypt_key:
273 $code.=<<___ if ($flavour =~ /64/);
274 .inst 0xd503233f // paciasp
275 stp x29,x30,[sp,#-16]!
278 $code.=<<___ if ($flavour !~ /64/);
287 sub $out,$out,#240 // restore original $out
289 add $inp,$out,x12,lsl#4 // end of key schedule
291 vld1.32 {v0.16b},[$out]
292 vld1.32 {v1.16b},[$inp]
293 vst1.32 {v0.16b},[$inp],x4
294 vst1.32 {v1.16b},[$out],#16
297 vld1.32 {v0.16b},[$out]
298 vld1.32 {v1.16b},[$inp]
301 vst1.32 {v0.16b},[$inp],x4
302 vst1.32 {v1.16b},[$out],#16
306 vld1.32 {v0.16b},[$out]
308 vst1.32 {v0.16b},[$inp]
310 eor x0,x0,x0 // return value
313 $code.=<<___ if ($flavour !~ /64/);
316 $code.=<<___ if ($flavour =~ /64/);
318 .inst 0xd50323bf // autiasp
322 .size ${prefix}_set_decrypt_key,.-${prefix}_set_decrypt_key
328 my ($e,$mc) = $dir eq "en" ? ("e","mc") : ("d","imc");
329 my ($inp,$out,$key)=map("x$_",(0..2));
331 my ($rndkey0,$rndkey1,$inout)=map("q$_",(0..3));
334 .globl ${prefix}_${dir}crypt
335 .type ${prefix}_${dir}crypt,%function
337 ${prefix}_${dir}crypt:
338 ldr $rounds,[$key,#240]
339 vld1.32 {$rndkey0},[$key],#16
340 vld1.8 {$inout},[$inp]
341 sub $rounds,$rounds,#2
342 vld1.32 {$rndkey1},[$key],#16
345 aes$e $inout,$rndkey0
347 vld1.32 {$rndkey0},[$key],#16
348 subs $rounds,$rounds,#2
349 aes$e $inout,$rndkey1
351 vld1.32 {$rndkey1},[$key],#16
354 aes$e $inout,$rndkey0
356 vld1.32 {$rndkey0},[$key]
357 aes$e $inout,$rndkey1
358 veor $inout,$inout,$rndkey0
360 vst1.8 {$inout},[$out]
362 .size ${prefix}_${dir}crypt,.-${prefix}_${dir}crypt
369 my ($inp,$out,$len,$key,$ivp)=map("x$_",(0..4)); my $enc="w5";
370 my ($rounds,$cnt,$key_,$step,$step1)=($enc,"w6","x7","x8","x12");
371 my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7));
373 my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1);
374 my ($key4,$key5,$key6,$key7)=("x6","x12","x14",$key);
376 ### q8-q15 preloaded key schedule
379 .globl ${prefix}_cbc_encrypt
380 .type ${prefix}_cbc_encrypt,%function
382 ${prefix}_cbc_encrypt:
384 $code.=<<___ if ($flavour =~ /64/);
385 stp x29,x30,[sp,#-16]!
388 $code.=<<___ if ($flavour !~ /64/);
391 vstmdb sp!,{d8-d15} @ ABI specification says so
392 ldmia ip,{r4-r5} @ load remaining args
400 cmp $enc,#0 // en- or decrypting?
401 ldr $rounds,[$key,#240]
403 vld1.8 {$ivec},[$ivp]
404 vld1.8 {$dat},[$inp],$step
406 vld1.32 {q8-q9},[$key] // load key schedule...
407 sub $rounds,$rounds,#6
408 add $key_,$key,x5,lsl#4 // pointer to last 7 round keys
409 sub $rounds,$rounds,#2
410 vld1.32 {q10-q11},[$key_],#32
411 vld1.32 {q12-q13},[$key_],#32
412 vld1.32 {q14-q15},[$key_],#32
413 vld1.32 {$rndlast},[$key_]
421 veor $rndzero_n_last,q8,$rndlast
424 vld1.32 {$in0-$in1},[$key_]
438 vst1.8 {$ivec},[$out],#16
470 vld1.8 {q8},[$inp],$step
473 veor q8,q8,$rndzero_n_last
476 vld1.32 {q9},[$key_] // re-pre-load rndkey[1]
480 veor $ivec,$dat,$rndlast
483 vst1.8 {$ivec},[$out],#16
488 vld1.32 {$in0-$in1},[$key_]
495 vst1.8 {$ivec},[$out],#16
509 vld1.8 {q8},[$inp],$step
516 veor q8,q8,$rndzero_n_last
518 veor $ivec,$dat,$rndlast
519 b.hs .Loop_cbc_enc128
521 vst1.8 {$ivec},[$out],#16
525 my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9));
529 vld1.8 {$dat2},[$inp],#16
530 subs $len,$len,#32 // bias
534 vorr $in2,$dat2,$dat2
537 vorr $dat1,$dat2,$dat2
538 vld1.8 {$dat2},[$inp],#16
540 vorr $in1,$dat1,$dat1
541 vorr $in2,$dat2,$dat2
550 vld1.32 {q8},[$key_],#16
558 vld1.32 {q9},[$key_],#16
567 veor $tmp0,$ivec,$rndlast
569 veor $tmp1,$in0,$rndlast
570 mov.lo x6,$len // x6, $cnt, is zero at this point
577 veor $tmp2,$in1,$rndlast
578 add $inp,$inp,x6 // $inp is adjusted in such way that
579 // at exit from the loop $dat1-$dat2
580 // are loaded with last "words"
589 vld1.8 {$in0},[$inp],#16
596 vld1.8 {$in1},[$inp],#16
603 vld1.8 {$in2},[$inp],#16
607 vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
609 veor $tmp0,$tmp0,$dat0
610 veor $tmp1,$tmp1,$dat1
611 veor $dat2,$dat2,$tmp2
612 vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
613 vst1.8 {$tmp0},[$out],#16
615 vst1.8 {$tmp1},[$out],#16
617 vst1.8 {$dat2},[$out],#16
630 vld1.32 {q8},[$key_],#16
636 vld1.32 {q9},[$key_],#16
656 veor $tmp1,$ivec,$rndlast
661 veor $tmp2,$in1,$rndlast
665 veor $tmp1,$tmp1,$dat1
666 veor $tmp2,$tmp2,$dat2
668 vst1.8 {$tmp1},[$out],#16
669 vst1.8 {$tmp2},[$out],#16
673 veor $tmp1,$tmp1,$dat2
675 vst1.8 {$tmp1},[$out],#16
678 vst1.8 {$ivec},[$ivp]
682 $code.=<<___ if ($flavour !~ /64/);
686 $code.=<<___ if ($flavour =~ /64/);
691 .size ${prefix}_cbc_encrypt,.-${prefix}_cbc_encrypt
695 my ($inp,$out,$len,$key,$ivp)=map("x$_",(0..4));
696 my ($rounds,$cnt,$key_)=("w5","w6","x7");
697 my ($ctr,$tctr0,$tctr1,$tctr2)=map("w$_",(8..10,12));
698 my $step="x12"; # aliases with $tctr2
700 my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7));
701 my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9));
703 my ($dat,$tmp)=($dat0,$tmp0);
705 ### q8-q15 preloaded key schedule
708 .globl ${prefix}_ctr32_encrypt_blocks
709 .type ${prefix}_ctr32_encrypt_blocks,%function
711 ${prefix}_ctr32_encrypt_blocks:
713 $code.=<<___ if ($flavour =~ /64/);
714 stp x29,x30,[sp,#-16]!
717 $code.=<<___ if ($flavour !~ /64/);
719 stmdb sp!,{r4-r10,lr}
720 vstmdb sp!,{d8-d15} @ ABI specification says so
721 ldr r4, [ip] @ load remaining arg
724 ldr $rounds,[$key,#240]
726 ldr $ctr, [$ivp, #12]
727 vld1.32 {$dat0},[$ivp]
729 vld1.32 {q8-q9},[$key] // load key schedule...
730 sub $rounds,$rounds,#4
733 add $key_,$key,x5,lsl#4 // pointer to last 5 round keys
734 sub $rounds,$rounds,#2
735 vld1.32 {q12-q13},[$key_],#32
736 vld1.32 {q14-q15},[$key_],#32
737 vld1.32 {$rndlast},[$key_]
744 vorr $dat1,$dat0,$dat0
746 vorr $dat2,$dat0,$dat0
748 vorr $ivec,$dat0,$dat0
750 vmov.32 ${dat1}[3],$tctr1
753 sub $len,$len,#3 // bias
754 vmov.32 ${dat2}[3],$tctr2
765 vld1.32 {q8},[$key_],#16
773 vld1.32 {q9},[$key_],#16
780 vld1.8 {$in0},[$inp],#16
781 vorr $dat0,$ivec,$ivec
784 vld1.8 {$in1},[$inp],#16
785 vorr $dat1,$ivec,$ivec
790 vld1.8 {$in2},[$inp],#16
794 vorr $dat2,$ivec,$ivec
800 veor $in0,$in0,$rndlast
804 veor $in1,$in1,$rndlast
810 veor $in2,$in2,$rndlast
814 vmov.32 ${dat0}[3], $tctr0
820 vmov.32 ${dat1}[3], $tctr1
824 vmov.32 ${dat2}[3], $tctr2
831 vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
832 vst1.8 {$in0},[$out],#16
835 vst1.8 {$in1},[$out],#16
837 vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
838 vst1.8 {$in2},[$out],#16
852 vld1.32 {q8},[$key_],#16
858 vld1.32 {q9},[$key_],#16
869 vld1.8 {$in0},[$inp],$step
879 veor $in0,$in0,$rndlast
884 veor $in1,$in1,$rndlast
891 vst1.8 {$in0},[$out],#16
897 $code.=<<___ if ($flavour !~ /64/);
899 ldmia sp!,{r4-r10,pc}
901 $code.=<<___ if ($flavour =~ /64/);
906 .size ${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks
912 ########################################
913 if ($flavour =~ /64/) { ######## 64-bit code
915 "aesd" => 0x4e285800, "aese" => 0x4e284800,
916 "aesimc"=> 0x4e287800, "aesmc" => 0x4e286800 );
919 my ($mnemonic,$arg)=@_;
921 $arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)/o &&
922 sprintf ".inst\t0x%08x\t//%s %s",
923 $opcode{$mnemonic}|$1|($2<<5),
927 foreach(split("\n",$code)) {
928 s/\`([^\`]*)\`/eval($1)/geo;
930 s/\bq([0-9]+)\b/"v".($1<8?$1:$1+8).".16b"/geo; # old->new registers
931 s/@\s/\/\//o; # old->new style commentary
933 #s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo or
934 s/cclr\s+([wx])([^,]+),\s*([a-z]+)/csel $1$2,$1zr,$1$2,$3/o or
935 s/mov\.([a-z]+)\s+([wx][0-9]+),\s*([wx][0-9]+)/csel $2,$3,$2,$1/o or
936 s/vmov\.i8/movi/o or # fix up legacy mnemonics
938 s/vrev32\.8/rev32/o or
941 s/^(\s+)v/$1/o or # strip off v prefix
944 # fix up remaining legacy suffixes
946 m/\],#8/o and s/\.16b/\.8b/go;
947 s/\.[ui]?32//o and s/\.16b/\.4s/go;
948 s/\.[ui]?64//o and s/\.16b/\.2d/go;
949 s/\.[42]([sd])\[([0-3])\]/\.$1\[$2\]/o;
953 } else { ######## 32-bit code
955 "aesd" => 0xf3b00340, "aese" => 0xf3b00300,
956 "aesimc"=> 0xf3b003c0, "aesmc" => 0xf3b00380 );
959 my ($mnemonic,$arg)=@_;
961 if ($arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)/o) {
962 my $word = $opcode{$mnemonic}|(($1&7)<<13)|(($1&8)<<19)
963 |(($2&7)<<1) |(($2&8)<<2);
964 # since ARMv7 instructions are always encoded little-endian.
965 # correct solution is to use .inst directive, but older
966 # assemblers don't implement it:-(
967 sprintf "INST(0x%02x,0x%02x,0x%02x,0x%02x)\t@ %s %s",
968 $word&0xff,($word>>8)&0xff,
969 ($word>>16)&0xff,($word>>24)&0xff,
977 $arg =~ m/q([0-9]+),\s*\{q([0-9]+)\},\s*q([0-9]+)/o &&
978 sprintf "vtbl.8 d%d,{q%d},d%d\n\t".
979 "vtbl.8 d%d,{q%d},d%d", 2*$1,$2,2*$3, 2*$1+1,$2,2*$3+1;
985 $arg =~ m/q([0-9]+),\s*q([0-9]+)\[([0-3])\]/o &&
986 sprintf "vdup.32 q%d,d%d[%d]",$1,2*$2+($3>>1),$3&1;
992 $arg =~ m/q([0-9]+)\[([0-3])\],(.*)/o &&
993 sprintf "vmov.32 d%d[%d],%s",2*$1+($2>>1),$2&1,$3;
996 foreach(split("\n",$code)) {
997 s/\`([^\`]*)\`/eval($1)/geo;
999 s/\b[wx]([0-9]+)\b/r$1/go; # new->old registers
1000 s/\bv([0-9])\.[12468]+[bsd]\b/q$1/go; # new->old registers
1001 s/\/\/\s?/@ /o; # new->old style commentary
1003 # fix up remaining new-style suffixes
1004 s/\{q([0-9]+)\},\s*\[(.+)\],#8/sprintf "{d%d},[$2]!",2*$1/eo or
1007 s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo or
1008 s/cclr\s+([^,]+),\s*([a-z]+)/mov.$2 $1,#0/o or
1009 s/vtbl\.8\s+(.*)/unvtbl($1)/geo or
1010 s/vdup\.32\s+(.*)/unvdup32($1)/geo or
1011 s/vmov\.32\s+(.*)/unvmov32($1)/geo or
1012 s/^(\s+)b\./$1b/o or
1013 s/^(\s+)ret/$1bx\tlr/o;
1015 if (s/^(\s+)mov\.([a-z]+)/$1mov$2/) {