2 # This file is dual-licensed, meaning that you can use it under your
3 # choice of either of the following two licenses:
5 # Copyright 2022-2023 The OpenSSL Project Authors. All Rights Reserved.
7 # Licensed under the Apache License 2.0 (the "License"). You can obtain
8 # a copy in the file LICENSE in the source distribution or at
9 # https://www.openssl.org/source/license.html
13 # Copyright (c) 2022, Hongren (Zenithal) Zheng <i@zenithal.me>
14 # All rights reserved.
16 # Redistribution and use in source and binary forms, with or without
17 # modification, are permitted provided that the following conditions
19 # 1. Redistributions of source code must retain the above copyright
20 # notice, this list of conditions and the following disclaimer.
21 # 2. Redistributions in binary form must reproduce the above copyright
22 # notice, this list of conditions and the following disclaimer in the
23 # documentation and/or other materials provided with the distribution.
25 # THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
26 # "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
27 # LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
28 # A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
29 # OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
30 # SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
31 # LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
32 # DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
33 # THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
34 # (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
35 # OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
42 use lib "$Bin/../../perlasm";
45 # $output is the last argument if it looks like a file (it has an extension)
46 # $flavour is the first argument if it doesn't look like a file
47 my $output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
48 my $flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
50 $output and open STDOUT,">$output";
52 ################################################################################
53 # Utility functions to help with keeping track of which registers to stack/
54 # unstack when entering / exiting routines.
55 ################################################################################
57 # Callee-saved registers
58 my @callee_saved = map("x$_",(2,8,9,18..27));
59 # Caller-saved registers
60 my @caller_saved = map("x$_",(1,5..7,10..17,28..31));
64 if (grep(/^$reg$/, @callee_saved)) {
65 push(@must_save, $reg);
66 } elsif (!grep(/^$reg$/, @caller_saved)) {
67 # Register is not usable!
68 die("Unusable register ".$reg);
73 return map(use_reg("x$_"), @_);
77 my $stack_reservation = ($#must_save + 1) * 8;
78 my $stack_offset = $stack_reservation;
79 if ($stack_reservation % 16) {
80 $stack_reservation += 8;
82 $ret.=" addi sp,sp,-$stack_reservation\n";
83 foreach (@must_save) {
85 $ret.=" sd $_,$stack_offset(sp)\n";
91 my $stack_reservation = ($#must_save + 1) * 8;
92 my $stack_offset = $stack_reservation;
93 if ($stack_reservation % 16) {
94 $stack_reservation += 8;
96 foreach (@must_save) {
98 $ret.=" ld $_,$stack_offset(sp)\n";
100 $ret.=" addi sp,sp,$stack_reservation\n";
108 ################################################################################
109 # Register assignment for rv64i_zkne_encrypt and rv64i_zknd_decrypt
110 ################################################################################
112 # Registers to hold AES state (called s0-s3 or y0-y3 elsewhere)
113 my ($Q0,$Q1,$Q2,$Q3) = use_regs(6..9);
115 # Function arguments (x10-x12 are a0-a2 in the ABI)
116 # Input block pointer, output block pointer, key pointer
117 my ($INP,$OUTP,$KEYP) = use_regs(10..12);
120 my ($T0,$T1) = use_regs(13..14);
123 my ($loopcntr) = use_regs(30);
125 ################################################################################
126 # void rv64i_zkne_encrypt(const unsigned char *in, unsigned char *out,
127 # const AES_KEY *key);
128 ################################################################################
132 .globl rv64i_zkne_encrypt
133 .type rv64i_zkne_encrypt,\@function
137 $code .= save_regs();
141 # Load input to block cipher
149 # Load number of rounds
150 lwu $loopcntr,240($KEYP)
152 # initial transformation
156 # The main loop only executes the first N-1 rounds.
157 add $loopcntr,$loopcntr,-1
159 # Do Nr - 1 rounds (final round is special)
161 @{[aes64esm $Q2,$Q0,$Q1]}
162 @{[aes64esm $Q3,$Q1,$Q0]}
164 # Update key ptr to point to next key in schedule
167 # Grab next key in schedule
173 add $loopcntr,$loopcntr,-1
177 @{[aes64es $Q2,$Q0,$Q1]}
178 @{[aes64es $Q3,$Q1,$Q0]}
180 # since not added 16 before
189 # Pop registers and return
192 $code .= load_regs();
198 ################################################################################
199 # void rv64i_zknd_decrypt(const unsigned char *in, unsigned char *out,
200 # const AES_KEY *key);
201 ################################################################################
205 .globl rv64i_zknd_decrypt
206 .type rv64i_zknd_decrypt,\@function
210 $code .= save_regs();
214 # Load input to block cipher
218 # Load number of rounds
219 lwu $loopcntr,240($KEYP)
230 # The main loop only executes the first N-1 rounds.
231 add $loopcntr,$loopcntr,-1
233 # Do Nr - 1 rounds (final round is special)
235 @{[aes64dsm $Q2,$Q0,$Q1]}
236 @{[aes64dsm $Q3,$Q1,$Q0]}
238 # Update key ptr to point to next key in schedule
241 # Grab next key in schedule
247 add $loopcntr,$loopcntr,-1
251 @{[aes64ds $Q2,$Q0,$Q1]}
252 @{[aes64ds $Q3,$Q1,$Q0]}
262 # Pop registers and return
265 $code .= load_regs();
273 ################################################################################
274 # Register assignment for rv64i_zkn[e/d]_set_[en/de]crypt_key
275 ################################################################################
277 # Function arguments (x10-x12 are a0-a2 in the ABI)
278 # Pointer to user key, number of bits in key, key pointer
279 my ($UKEY,$BITS,$KEYP) = use_regs(10..12);
282 my ($T0,$T1,$T2,$T3,$T4) = use_regs(6..8,13..14);
284 ################################################################################
285 # utility functions for rv64i_zkne_set_encrypt_key
286 ################################################################################
298 @{[aes64ks1i $T2,$T1,$rnum]}
299 @{[aes64ks2 $T0,$T2,$T0]}
300 @{[aes64ks2 $T1,$T0,$T1]}
323 @{[aes64ks1i $T3,$T2,$rnum]}
324 @{[aes64ks2 $T0,$T3,$T0]}
325 @{[aes64ks2 $T1,$T0,$T1]}
328 # note that (8+1)*24 = 216, (12+1)*16 = 208
329 # thus the last 8 bytes can be dropped
331 @{[aes64ks2 $T2,$T1,$T2]}
364 @{[aes64ks1i $T4,$T3,$rnum]}
365 @{[aes64ks2 $T0,$T4,$T0]}
366 @{[aes64ks2 $T1,$T0,$T1]}
372 # note that (7+1)*32 = 256, (14+1)*16 = 240
373 # thus the last 16 bytes can be dropped
375 @{[aes64ks1i $T4,$T1,0xA]}
376 @{[aes64ks2 $T2,$T4,$T2]}
377 @{[aes64ks2 $T3,$T2,$T3]}
387 ################################################################################
388 # void rv64i_zkne_set_encrypt_key(const unsigned char *userKey, const int bits,
390 ################################################################################
392 my ($ke128, $ke192, $ke256) = @_;
395 bnez $UKEY,1f # if (!userKey || !key) return -1;
400 # Determine number of rounds from key size in bits
403 li $T1,10 # key->rounds = 10 if bits == 128
404 sw $T1,240($KEYP) # store key->rounds
410 li $T1,12 # key->rounds = 12 if bits == 192
411 sw $T1,240($KEYP) # store key->rounds
415 li $T1,14 # key->rounds = 14 if bits == 256
418 li a0,-2 # If bits != 128, 192, or 256, return -2
421 sw $T1,240($KEYP) # store key->rounds
432 .globl rv64i_zkne_set_encrypt_key
433 .type rv64i_zkne_set_encrypt_key,\@function
434 rv64i_zkne_set_encrypt_key:
436 $code .= save_regs();
437 $code .= AES_set_common(ke128enc(), ke192enc(),ke256enc());
438 $code .= load_regs();
443 ################################################################################
444 # utility functions for rv64i_zknd_set_decrypt_key
445 ################################################################################
457 @{[aes64ks1i $T2,$T1,$rnum]}
458 @{[aes64ks2 $T0,$T2,$T0]}
459 @{[aes64ks2 $T1,$T0,$T1]}
462 # need to aes64im for [1:N-1] round keys
463 # this is from the fact that aes64dsm subwords first then mix column
464 # intuitively decryption needs to first mix column then subwords
465 # however, for merging datapaths (encryption first subwords then mix column)
466 # aes64dsm chooses to inverse the order of them, thus
467 # transform should then be done on the round key
500 @{[aes64ks1i $T3,$T2,$rnum]}
501 @{[aes64ks2 $T0,$T3,$T0]}
502 @{[aes64ks2 $T1,$T0,$T1]}
511 # the reason is in ke192enc
512 @{[aes64ks2 $T2,$T1,$T2]}
544 @{[aes64ks1i $T4,$T3,$rnum]}
545 @{[aes64ks2 $T0,$T4,$T0]}
546 @{[aes64ks2 $T1,$T0,$T1]}
551 @{[aes64ks1i $T4,$T1,0xA]}
552 @{[aes64ks2 $T2,$T4,$T2]}
553 @{[aes64ks2 $T3,$T2,$T3]}
567 # last two one dropped
575 ################################################################################
576 # void rv64i_zknd_set_decrypt_key(const unsigned char *userKey, const int bits,
578 ################################################################################
582 .globl rv64i_zknd_set_decrypt_key
583 .type rv64i_zknd_set_decrypt_key,\@function
584 rv64i_zknd_set_decrypt_key:
586 $code .= save_regs();
587 $code .= AES_set_common(ke128dec(), ke192dec(),ke256dec());
588 $code .= load_regs();
594 close STDOUT or die "error closing STDOUT: $!";