3 # ====================================================================
4 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
5 # project. The module is, however, dual licensed under OpenSSL and
6 # CRYPTOGAMS licenses depending on where you obtain it. For further
7 # details see http://www.openssl.org/~appro/cryptogams/.
8 # ====================================================================
10 # This module implements support for ARMv8 AES instructions. The
11 # module is endian-agnostic in sense that it supports both big- and
12 # little-endian cases. As does it support both 32- and 64-bit modes
13 # of operation. Latter is achieved by limiting amount of utilized
14 # registers to 16, which implies additional instructions. This has
15 # no effect on mighty Apple A7, as results are literally equal to
16 # the theoretical estimates based on instruction latencies and issue
17 # rate. It remains to be seen how does it affect other platforms...
19 # Performance in cycles per byte processed with 128-bit key:
29 $code.=".arch armv8-a+crypto\n" if ($flavour =~ /64/);
30 $code.=".fpu neon\n.code 32\n" if ($flavour !~ /64/);
32 # Assembler mnemonics are an eclectic mix of 32- and 64-bit syntax,
33 # NEON is mostly 32-bit mnemonics, integer - mostly 64. Goal is to
34 # maintain both 32- and 64-bit codes within single module and
35 # transliterate common code to either flavour with regex vodoo.
38 my ($inp,$bits,$out,$ptr,$rounds)=("x0","w1","x2","x3","w12");
39 my ($zero,$rcon,$mask,$in0,$in1,$tmp,$key)=
40 $flavour=~/64/? map("q$_",(0..6)) : map("q$_",(0..3,8..10));
46 .long 0x01,0x01,0x01,0x01
47 .long 0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d // rotate-n-splat
48 .long 0x1b,0x1b,0x1b,0x1b
50 .globl ${prefix}_set_encrypt_key
51 .type ${prefix}_set_encrypt_key,%function
53 ${prefix}_set_encrypt_key:
56 $code.=<<___ if ($flavour =~ /64/);
57 stp x29,x30,[sp,#-16]!
64 veor $zero,$zero,$zero
65 vld1.8 {$in0},[$inp],#16
66 mov $bits,#8 // reuse $bits
67 vld1.32 {$rcon,$mask},[$ptr],#32
75 vtbl.8 $key,{$in0},$mask
76 vext.8 $tmp,$zero,$in0,#12
77 vst1.32 {$in0},[$out],#16
82 vext.8 $tmp,$zero,$tmp,#12
84 vext.8 $tmp,$zero,$tmp,#12
87 vshl.u8 $rcon,$rcon,#1
91 vld1.32 {$rcon},[$ptr]
93 vtbl.8 $key,{$in0},$mask
94 vext.8 $tmp,$zero,$in0,#12
95 vst1.32 {$in0},[$out],#16
99 vext.8 $tmp,$zero,$tmp,#12
101 vext.8 $tmp,$zero,$tmp,#12
104 vshl.u8 $rcon,$rcon,#1
107 vtbl.8 $key,{$in0},$mask
108 vext.8 $tmp,$zero,$in0,#12
109 vst1.32 {$in0},[$out],#16
113 vext.8 $tmp,$zero,$tmp,#12
115 vext.8 $tmp,$zero,$tmp,#12
119 vst1.32 {$in0},[$out]
127 vld1.8 {$in1},[$inp],#8
128 vmov.i8 $key,#8 // borrow $key
129 vst1.32 {$in0},[$out],#16
130 vsub.i8 $mask,$mask,$key // adjust the mask
133 vtbl.8 $key,{$in1},$mask
134 vext.8 $tmp,$zero,$in0,#12
135 vst1.32 {$in1},[$out],#8
140 vext.8 $tmp,$zero,$tmp,#12
142 vext.8 $tmp,$zero,$tmp,#12
145 vdup.32 $tmp,${in0}[3]
148 vext.8 $in1,$zero,$in1,#12
149 vshl.u8 $rcon,$rcon,#1
153 vst1.32 {$in0},[$out],#16
165 vst1.32 {$in0},[$out],#16
168 vtbl.8 $key,{$in1},$mask
169 vext.8 $tmp,$zero,$in0,#12
170 vst1.32 {$in1},[$out],#16
175 vext.8 $tmp,$zero,$tmp,#12
177 vext.8 $tmp,$zero,$tmp,#12
180 vshl.u8 $rcon,$rcon,#1
182 vst1.32 {$in0},[$out],#16
185 vdup.32 $key,${in0}[3] // just splat
186 vext.8 $tmp,$zero,$in1,#12
190 vext.8 $tmp,$zero,$tmp,#12
192 vext.8 $tmp,$zero,$tmp,#12
201 eor x0,x0,x0 // return value
202 `"ldr x29,[sp],#16" if ($flavour =~ /64/)`
204 .size ${prefix}_set_encrypt_key,.-${prefix}_set_encrypt_key
206 .globl ${prefix}_set_decrypt_key
207 .type ${prefix}_set_decrypt_key,%function
209 ${prefix}_set_decrypt_key:
211 $code.=<<___ if ($flavour =~ /64/);
212 stp x29,x30,[sp,#-16]!
215 $code.=<<___ if ($flavour !~ /64/);
221 sub $out,$out,#240 // restore original $out
223 add $inp,$out,x12,lsl#4 // end of key schedule
225 vld1.32 {v0.16b},[$out]
226 vld1.32 {v1.16b},[$inp]
227 vst1.32 {v0.16b},[$inp],x4
228 vst1.32 {v1.16b},[$out],#16
231 vld1.32 {v0.16b},[$out]
232 vld1.32 {v1.16b},[$inp]
235 vst1.32 {v0.16b},[$inp],x4
236 vst1.32 {v1.16b},[$out],#16
240 vld1.32 {v0.16b},[$out]
242 vst1.32 {v0.16b},[$inp]
244 eor x0,x0,x0 // return value
246 $code.=<<___ if ($flavour !~ /64/);
249 $code.=<<___ if ($flavour =~ /64/);
254 .size ${prefix}_set_decrypt_key,.-${prefix}_set_decrypt_key
260 my ($e,$mc) = $dir eq "en" ? ("e","mc") : ("d","imc");
261 my ($inp,$out,$key)=map("x$_",(0..2));
263 my ($rndkey0,$rndkey1,$inout)=map("q$_",(0..3));
266 .globl ${prefix}_${dir}crypt
267 .type ${prefix}_${dir}crypt,%function
269 ${prefix}_${dir}crypt:
270 ldr $rounds,[$key,#240]
271 vld1.32 {$rndkey0},[$key],#16
272 vld1.8 {$inout},[$inp]
273 sub $rounds,$rounds,#2
274 vld1.32 {$rndkey1},[$key],#16
277 aes$e $inout,$rndkey0
278 vld1.32 {$rndkey0},[$key],#16
280 subs $rounds,$rounds,#2
281 aes$e $inout,$rndkey1
282 vld1.32 {$rndkey1},[$key],#16
286 aes$e $inout,$rndkey0
287 vld1.32 {$rndkey0},[$key]
289 aes$e $inout,$rndkey1
290 veor $inout,$inout,$rndkey0
292 vst1.8 {$inout},[$out]
294 .size ${prefix}_${dir}crypt,.-${prefix}_${dir}crypt
301 my ($inp,$out,$len,$key,$ivp)=map("x$_",(0..4)); my $enc="w5";
302 my ($rounds,$cnt,$key_,$step,$step1)=($enc,"w6","x7","x8","x12");
303 my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7));
305 my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1);
307 ### q8-q15 preloaded key schedule
310 .globl ${prefix}_cbc_encrypt
311 .type ${prefix}_cbc_encrypt,%function
313 ${prefix}_cbc_encrypt:
315 $code.=<<___ if ($flavour =~ /64/);
316 stp x29,x30,[sp,#-16]!
319 $code.=<<___ if ($flavour !~ /64/);
322 vstmdb sp!,{d8-d15} @ ABI specification says so
323 ldmia ip,{r4-r5} @ load remaining args
331 cmp $enc,#0 // en- or decrypting?
332 ldr $rounds,[$key,#240]
334 vld1.8 {$ivec},[$ivp]
335 vld1.8 {$dat},[$inp],$step
337 vld1.32 {q8-q9},[$key] // load key schedule...
338 sub $rounds,$rounds,#6
339 add $key_,$key,x5,lsl#4 // pointer to last 7 round keys
340 sub $rounds,$rounds,#2
341 vld1.32 {q10-q11},[$key_],#32
342 vld1.32 {q12-q13},[$key_],#32
343 vld1.32 {q14-q15},[$key_],#32
344 vld1.32 {$rndlast},[$key_]
352 veor $rndzero_n_last,q8,$rndlast
357 vld1.32 {q8},[$key_],#16
361 vld1.32 {q9},[$key_],#16
376 vld1.8 {q8},[$inp],$step
379 veor q8,q8,$rndzero_n_last
382 vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
388 veor $ivec,$dat,$rndlast
389 vst1.8 {$ivec},[$out],#16
396 vld1.32 {$in0-$in1},[$key_]
403 vst1.8 {$ivec},[$out],#16
417 vld1.8 {q8},[$inp],$step
424 veor q8,q8,$rndzero_n_last
426 veor $ivec,$dat,$rndlast
427 b.hs .Loop_cbc_enc128
429 vst1.8 {$ivec},[$out],#16
434 vld1.32 {$tmp0-$tmp1},[$key_]
435 veor $ivec,$ivec,$rndlast
436 veor $in0,$dat0,$rndlast
482 veor $ivec,$ivec,$dat0
483 vld1.8 {$dat0},[$inp],$step
485 vld1.8 {$dat1},[$inp],$step1
486 vst1.8 {$ivec},[$out],#16
487 veor $ivec,$in1,$rndlast
488 vst1.8 {$in0},[$out],#16
489 veor $in0,$dat0,$rndlast
490 vorr $in1,$dat1,$dat1
491 b.hs .Loop2x_cbc_dec128
494 veor $ivec,$ivec,$rndlast
496 veor $in0,$in0,$rndlast
507 vld1.8 {$dat1},[$inp],$step
508 vorr $in1,$dat1,$dat1
514 vld1.32 {q8},[$key_],#16
520 vld1.32 {q9},[$key_],#16
529 veor $tmp0,$ivec,$rndlast
530 veor $tmp1,$in0,$rndlast
546 vld1.8 {$in0},[$inp],$step
553 vld1.8 {$in1},[$inp],$step
558 vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
563 vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
568 veor $tmp0,$tmp0,$dat0
569 veor $tmp1,$tmp1,$dat1
571 vst1.8 {$tmp0},[$out],#16
573 vst1.8 {$tmp1},[$out],#16
581 vld1.32 {q8},[$key_],#16
585 vld1.32 {q9},[$key_],#16
593 veor $tmp,$ivec,$rndlast
608 vst1.8 {$tmp},[$out],#16
611 vst1.8 {$ivec},[$ivp]
614 $code.=<<___ if ($flavour !~ /64/);
618 $code.=<<___ if ($flavour =~ /64/);
623 .size ${prefix}_cbc_encrypt,.-${prefix}_cbc_encrypt
627 my ($inp,$out,$len,$key,$ivp)=map("x$_",(0..4));
628 my ($rounds,$cnt,$key_,$ctr,$tctr,$tctr1)=("w5","w6","x7","w8","w9","w10");
629 my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7));
631 my ($dat,$tmp)=($dat0,$tmp0);
633 ### q8-q15 preloaded key schedule
636 .globl ${prefix}_ctr32_encrypt_blocks
637 .type ${prefix}_ctr32_encrypt_blocks,%function
639 ${prefix}_ctr32_encrypt_blocks:
641 $code.=<<___ if ($flavour =~ /64/);
642 stp x29,x30,[sp,#-16]!
645 $code.=<<___ if ($flavour !~ /64/);
647 stmdb sp!,{r4-r10,lr}
648 vstmdb sp!,{d8-d15} @ ABI specification says so
649 ldr r4, [ip] @ load remaining arg
652 ldr $rounds,[$key,#240]
654 ldr $ctr, [$ivp, #12]
655 vld1.32 {$dat0},[$ivp]
657 vld1.32 {q8-q9},[$key] // load key schedule...
658 sub $rounds,$rounds,#6
659 add $key_,$key,x5,lsl#4 // pointer to last 7 round keys
660 sub $rounds,$rounds,#2
661 vld1.32 {q10-q11},[$key_],#32
662 vld1.32 {q12-q13},[$key_],#32
663 vld1.32 {q14-q15},[$key_],#32
664 vld1.32 {$rndlast},[$key_]
675 vorr $dat1,$dat0,$dat0
677 vorr $ivec,$dat0,$dat0
680 vmov.32 ${dat1}[3],$tctr1
686 vld1.32 {q8},[$key_],#16
692 vld1.32 {q9},[$key_],#16
700 vorr $dat0,$ivec,$ivec
702 vorr $dat1,$ivec,$ivec
705 vld1.8 {$in0},[$inp],#16
707 vld1.8 {$in1},[$inp],#16
718 veor $in0,$in0,$rndlast
722 veor $in1,$in1,$rndlast
729 vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
734 vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
737 vmov.32 ${dat0}[3], $tctr
739 vmov.32 ${dat1}[3], $tctr1
747 vst1.8 {$in0},[$out],#16
748 vst1.8 {$in1},[$out],#16
756 vld1.32 {$tmp0-$tmp1},[$key_]
762 vld1.8 {$in0},[$inp],#16
764 vld1.8 {$in1},[$inp],#16
802 veor $in0,$in0,$rndlast
804 veor $in1,$in1,$rndlast
808 vorr $dat0,$ivec,$ivec
810 vorr $dat1,$ivec,$ivec
811 vst1.8 {$in0},[$out],#16
812 vmov.32 ${dat0}[3], $tctr
813 vst1.8 {$in1},[$out],#16
814 vmov.32 ${dat1}[3], $tctr1
815 b.hs .Loop2x_ctr32_128
822 vld1.32 {q8},[$key_],#16
826 vld1.32 {q9},[$key_],#16
845 veor $in0,$in0,$rndlast
853 $code.=<<___ if ($flavour !~ /64/);
855 ldmia sp!,{r4-r10,pc}
857 $code.=<<___ if ($flavour =~ /64/);
862 .size ${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks
865 ########################################
866 if ($flavour =~ /64/) { ######## 64-bit code
868 "aesd" => 0x4e285800, "aese" => 0x4e284800,
869 "aesimc"=> 0x4e287800, "aesmc" => 0x4e286800 );
872 my ($mnemonic,$arg)=@_;
874 $arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)/o &&
875 sprintf ".long\t0x%08x\t//%s %s",
876 $opcode{$mnemonic}|$1|($2<<5),
880 foreach(split("\n",$code)) {
881 s/\`([^\`]*)\`/eval($1)/geo;
883 s/\bq([0-9]+)\b/"v".($1<8?$1:$1+8).".16b"/geo; # old->new registers
884 s/@\s/\/\//o; # old->new style commentary
886 #s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo or
887 s/cclr\s+([wx])([^,]+),\s*([a-z]+)/csel $1$2,$1zr,$1$2,$3/o or
888 s/vmov\.i8/movi/o or # fix up legacy mnemonics
890 s/vrev32\.8/rev32/o or
893 s/^(\s+)v/$1/o or # strip off v prefix
896 # fix up remainig legacy suffixes
898 m/\],#8/o and s/\.16b/\.8b/go;
899 s/\.[ui]?32//o and s/\.16b/\.4s/go;
900 s/\.[ui]?64//o and s/\.16b/\.2d/go;
901 s/\.[42]([sd])\[([0-3])\]/\.$1\[$2\]/o;
905 } else { ######## 32-bit code
907 "aesd" => 0xf3b00340, "aese" => 0xf3b00300,
908 "aesimc"=> 0xf3b003c0, "aesmc" => 0xf3b00380 );
911 my ($mnemonic,$arg)=@_;
913 $arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)/o &&
914 sprintf ".long\t0x%08x\t@ %s %s",
915 $opcode{$mnemonic}|(($1&7)<<13)|(($1&8)<<19)
916 |(($2&7)<<1) |(($2&8)<<2),
923 $arg =~ m/q([0-9]+),\s*\{q([0-9]+)\},\s*q([0-9]+)/o &&
924 sprintf "vtbl.8 d%d,{q%d},d%d\n\tvtbl.8 d%d,{q%d},d%d",2*$1,$2,2*$3,2*$1+1,$2,2*$3+1;
930 $arg =~ m/q([0-9]+),\s*q([0-9]+)\[([0-3])\]/o &&
931 sprintf "vdup.32 q%d,d%d[%d]",$1,2*$2+$3>>1,$3&1;
937 $arg =~ m/q([0-9]+)\[([0-3])\],(.*)/o &&
938 sprintf "vmov.32 d%d[%d],%s",2*$1+$2>>1,$2&1,$3;
941 foreach(split("\n",$code)) {
942 s/\`([^\`]*)\`/eval($1)/geo;
944 s/\b[wx]([0-9]+)\b/r$1/go; # new->old registers
945 s/\bv([0-9])\.[12468]+[bsd]\b/q$1/go; # new->old registers
946 s/\/\/\s?/@ /o; # new->old style commentary
948 # fix up remainig new-style suffixes
951 s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo or
952 s/cclr\s+([^,]+),\s*([a-z]+)/mov$2 $1,#0/o or
953 s/vtbl\.8\s+(.*)/unvtbl($1)/geo or
954 s/vdup\.32\s+(.*)/unvdup32($1)/geo or
955 s/vmov\.32\s+(.*)/unvmov32($1)/geo or
957 s/^(\s+)ret/$1bx\tlr/o;