385b31fd54e4d7477e00b5616f0b79062f74b4e2
[openssl.git] / crypto / aes / asm / aesv8-armx.pl
1 #! /usr/bin/env perl
2 # Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
3 #
4 # Licensed under the OpenSSL license (the "License").  You may not use
5 # this file except in compliance with the License.  You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
8
9 #
10 # ====================================================================
11 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12 # project. The module is, however, dual licensed under OpenSSL and
13 # CRYPTOGAMS licenses depending on where you obtain it. For further
14 # details see http://www.openssl.org/~appro/cryptogams/.
15 # ====================================================================
16 #
17 # This module implements support for ARMv8 AES instructions. The
18 # module is endian-agnostic in sense that it supports both big- and
19 # little-endian cases. As does it support both 32- and 64-bit modes
20 # of operation. Latter is achieved by limiting amount of utilized
21 # registers to 16, which implies additional NEON load and integer
22 # instructions. This has no effect on mighty Apple A7, where results
23 # are literally equal to the theoretical estimates based on AES
24 # instruction latencies and issue rates. On Cortex-A53, an in-order
25 # execution core, this costs up to 10-15%, which is partially
26 # compensated by implementing dedicated code path for 128-bit
27 # CBC encrypt case. On Cortex-A57 parallelizable mode performance
28 # seems to be limited by sheer amount of NEON instructions...
29 #
30 # Performance in cycles per byte processed with 128-bit key:
31 #
32 #               CBC enc         CBC dec         CTR
33 # Apple A7      2.39            1.20            1.20
34 # Cortex-A53    1.32            1.29            1.46
35 # Cortex-A57(*) 1.95            0.85            0.93
36 # Denver        1.96            0.86            0.80
37 # Mongoose      1.33            1.20            1.20
38 #
39 # (*)   original 3.64/1.34/1.32 results were for r0p0 revision
40 #       and are still same even for updated module;
41
42 $flavour = shift;
43 $output  = shift;
44
45 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
46 ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
47 ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
48 die "can't locate arm-xlate.pl";
49
50 open OUT,"| \"$^X\" $xlate $flavour $output";
51 *STDOUT=*OUT;
52
53 $prefix="aes_v8";
54
55 $code=<<___;
56 #include "arm_arch.h"
57
58 #if __ARM_MAX_ARCH__>=7
59 .text
60 ___
61 $code.=".arch   armv8-a+crypto\n"                       if ($flavour =~ /64/);
62 $code.=<<___                                            if ($flavour !~ /64/);
63 .arch   armv7-a // don't confuse not-so-latest binutils with argv8 :-)
64 .fpu    neon
65 .code   32
66 #undef  __thumb2__
67 ___
68
69 # Assembler mnemonics are an eclectic mix of 32- and 64-bit syntax,
70 # NEON is mostly 32-bit mnemonics, integer - mostly 64. Goal is to
71 # maintain both 32- and 64-bit codes within single module and
72 # transliterate common code to either flavour with regex vodoo.
73 #
74 {{{
75 my ($inp,$bits,$out,$ptr,$rounds)=("x0","w1","x2","x3","w12");
76 my ($zero,$rcon,$mask,$in0,$in1,$tmp,$key)=
77         $flavour=~/64/? map("q$_",(0..6)) : map("q$_",(0..3,8..10));
78
79
80 $code.=<<___;
81 .align  5
82 .Lrcon:
83 .long   0x01,0x01,0x01,0x01
84 .long   0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d     // rotate-n-splat
85 .long   0x1b,0x1b,0x1b,0x1b
86
87 .globl  ${prefix}_set_encrypt_key
88 .type   ${prefix}_set_encrypt_key,%function
89 .align  5
90 ${prefix}_set_encrypt_key:
91 .Lenc_key:
92 ___
93 $code.=<<___    if ($flavour =~ /64/);
94         stp     x29,x30,[sp,#-16]!
95         add     x29,sp,#0
96 ___
97 $code.=<<___;
98         mov     $ptr,#-1
99         cmp     $inp,#0
100         b.eq    .Lenc_key_abort
101         cmp     $out,#0
102         b.eq    .Lenc_key_abort
103         mov     $ptr,#-2
104         cmp     $bits,#128
105         b.lt    .Lenc_key_abort
106         cmp     $bits,#256
107         b.gt    .Lenc_key_abort
108         tst     $bits,#0x3f
109         b.ne    .Lenc_key_abort
110
111         adr     $ptr,.Lrcon
112         cmp     $bits,#192
113
114         veor    $zero,$zero,$zero
115         vld1.8  {$in0},[$inp],#16
116         mov     $bits,#8                // reuse $bits
117         vld1.32 {$rcon,$mask},[$ptr],#32
118
119         b.lt    .Loop128
120         b.eq    .L192
121         b       .L256
122
123 .align  4
124 .Loop128:
125         vtbl.8  $key,{$in0},$mask
126         vext.8  $tmp,$zero,$in0,#12
127         vst1.32 {$in0},[$out],#16
128         aese    $key,$zero
129         subs    $bits,$bits,#1
130
131         veor    $in0,$in0,$tmp
132         vext.8  $tmp,$zero,$tmp,#12
133         veor    $in0,$in0,$tmp
134         vext.8  $tmp,$zero,$tmp,#12
135          veor   $key,$key,$rcon
136         veor    $in0,$in0,$tmp
137         vshl.u8 $rcon,$rcon,#1
138         veor    $in0,$in0,$key
139         b.ne    .Loop128
140
141         vld1.32 {$rcon},[$ptr]
142
143         vtbl.8  $key,{$in0},$mask
144         vext.8  $tmp,$zero,$in0,#12
145         vst1.32 {$in0},[$out],#16
146         aese    $key,$zero
147
148         veor    $in0,$in0,$tmp
149         vext.8  $tmp,$zero,$tmp,#12
150         veor    $in0,$in0,$tmp
151         vext.8  $tmp,$zero,$tmp,#12
152          veor   $key,$key,$rcon
153         veor    $in0,$in0,$tmp
154         vshl.u8 $rcon,$rcon,#1
155         veor    $in0,$in0,$key
156
157         vtbl.8  $key,{$in0},$mask
158         vext.8  $tmp,$zero,$in0,#12
159         vst1.32 {$in0},[$out],#16
160         aese    $key,$zero
161
162         veor    $in0,$in0,$tmp
163         vext.8  $tmp,$zero,$tmp,#12
164         veor    $in0,$in0,$tmp
165         vext.8  $tmp,$zero,$tmp,#12
166          veor   $key,$key,$rcon
167         veor    $in0,$in0,$tmp
168         veor    $in0,$in0,$key
169         vst1.32 {$in0},[$out]
170         add     $out,$out,#0x50
171
172         mov     $rounds,#10
173         b       .Ldone
174
175 .align  4
176 .L192:
177         vld1.8  {$in1},[$inp],#8
178         vmov.i8 $key,#8                 // borrow $key
179         vst1.32 {$in0},[$out],#16
180         vsub.i8 $mask,$mask,$key        // adjust the mask
181
182 .Loop192:
183         vtbl.8  $key,{$in1},$mask
184         vext.8  $tmp,$zero,$in0,#12
185         vst1.32 {$in1},[$out],#8
186         aese    $key,$zero
187         subs    $bits,$bits,#1
188
189         veor    $in0,$in0,$tmp
190         vext.8  $tmp,$zero,$tmp,#12
191         veor    $in0,$in0,$tmp
192         vext.8  $tmp,$zero,$tmp,#12
193         veor    $in0,$in0,$tmp
194
195         vdup.32 $tmp,${in0}[3]
196         veor    $tmp,$tmp,$in1
197          veor   $key,$key,$rcon
198         vext.8  $in1,$zero,$in1,#12
199         vshl.u8 $rcon,$rcon,#1
200         veor    $in1,$in1,$tmp
201         veor    $in0,$in0,$key
202         veor    $in1,$in1,$key
203         vst1.32 {$in0},[$out],#16
204         b.ne    .Loop192
205
206         mov     $rounds,#12
207         add     $out,$out,#0x20
208         b       .Ldone
209
210 .align  4
211 .L256:
212         vld1.8  {$in1},[$inp]
213         mov     $bits,#7
214         mov     $rounds,#14
215         vst1.32 {$in0},[$out],#16
216
217 .Loop256:
218         vtbl.8  $key,{$in1},$mask
219         vext.8  $tmp,$zero,$in0,#12
220         vst1.32 {$in1},[$out],#16
221         aese    $key,$zero
222         subs    $bits,$bits,#1
223
224         veor    $in0,$in0,$tmp
225         vext.8  $tmp,$zero,$tmp,#12
226         veor    $in0,$in0,$tmp
227         vext.8  $tmp,$zero,$tmp,#12
228          veor   $key,$key,$rcon
229         veor    $in0,$in0,$tmp
230         vshl.u8 $rcon,$rcon,#1
231         veor    $in0,$in0,$key
232         vst1.32 {$in0},[$out],#16
233         b.eq    .Ldone
234
235         vdup.32 $key,${in0}[3]          // just splat
236         vext.8  $tmp,$zero,$in1,#12
237         aese    $key,$zero
238
239         veor    $in1,$in1,$tmp
240         vext.8  $tmp,$zero,$tmp,#12
241         veor    $in1,$in1,$tmp
242         vext.8  $tmp,$zero,$tmp,#12
243         veor    $in1,$in1,$tmp
244
245         veor    $in1,$in1,$key
246         b       .Loop256
247
248 .Ldone:
249         str     $rounds,[$out]
250         mov     $ptr,#0
251
252 .Lenc_key_abort:
253         mov     x0,$ptr                 // return value
254         `"ldr   x29,[sp],#16"           if ($flavour =~ /64/)`
255         ret
256 .size   ${prefix}_set_encrypt_key,.-${prefix}_set_encrypt_key
257
258 .globl  ${prefix}_set_decrypt_key
259 .type   ${prefix}_set_decrypt_key,%function
260 .align  5
261 ${prefix}_set_decrypt_key:
262 ___
263 $code.=<<___    if ($flavour =~ /64/);
264         stp     x29,x30,[sp,#-16]!
265         add     x29,sp,#0
266 ___
267 $code.=<<___    if ($flavour !~ /64/);
268         stmdb   sp!,{r4,lr}
269 ___
270 $code.=<<___;
271         bl      .Lenc_key
272
273         cmp     x0,#0
274         b.ne    .Ldec_key_abort
275
276         sub     $out,$out,#240          // restore original $out
277         mov     x4,#-16
278         add     $inp,$out,x12,lsl#4     // end of key schedule
279
280         vld1.32 {v0.16b},[$out]
281         vld1.32 {v1.16b},[$inp]
282         vst1.32 {v0.16b},[$inp],x4
283         vst1.32 {v1.16b},[$out],#16
284
285 .Loop_imc:
286         vld1.32 {v0.16b},[$out]
287         vld1.32 {v1.16b},[$inp]
288         aesimc  v0.16b,v0.16b
289         aesimc  v1.16b,v1.16b
290         vst1.32 {v0.16b},[$inp],x4
291         vst1.32 {v1.16b},[$out],#16
292         cmp     $inp,$out
293         b.hi    .Loop_imc
294
295         vld1.32 {v0.16b},[$out]
296         aesimc  v0.16b,v0.16b
297         vst1.32 {v0.16b},[$inp]
298
299         eor     x0,x0,x0                // return value
300 .Ldec_key_abort:
301 ___
302 $code.=<<___    if ($flavour !~ /64/);
303         ldmia   sp!,{r4,pc}
304 ___
305 $code.=<<___    if ($flavour =~ /64/);
306         ldp     x29,x30,[sp],#16
307         ret
308 ___
309 $code.=<<___;
310 .size   ${prefix}_set_decrypt_key,.-${prefix}_set_decrypt_key
311 ___
312 }}}
313 {{{
314 sub gen_block () {
315 my $dir = shift;
316 my ($e,$mc) = $dir eq "en" ? ("e","mc") : ("d","imc");
317 my ($inp,$out,$key)=map("x$_",(0..2));
318 my $rounds="w3";
319 my ($rndkey0,$rndkey1,$inout)=map("q$_",(0..3));
320
321 $code.=<<___;
322 .globl  ${prefix}_${dir}crypt
323 .type   ${prefix}_${dir}crypt,%function
324 .align  5
325 ${prefix}_${dir}crypt:
326         ldr     $rounds,[$key,#240]
327         vld1.32 {$rndkey0},[$key],#16
328         vld1.8  {$inout},[$inp]
329         sub     $rounds,$rounds,#2
330         vld1.32 {$rndkey1},[$key],#16
331
332 .Loop_${dir}c:
333         aes$e   $inout,$rndkey0
334         aes$mc  $inout,$inout
335         vld1.32 {$rndkey0},[$key],#16
336         subs    $rounds,$rounds,#2
337         aes$e   $inout,$rndkey1
338         aes$mc  $inout,$inout
339         vld1.32 {$rndkey1},[$key],#16
340         b.gt    .Loop_${dir}c
341
342         aes$e   $inout,$rndkey0
343         aes$mc  $inout,$inout
344         vld1.32 {$rndkey0},[$key]
345         aes$e   $inout,$rndkey1
346         veor    $inout,$inout,$rndkey0
347
348         vst1.8  {$inout},[$out]
349         ret
350 .size   ${prefix}_${dir}crypt,.-${prefix}_${dir}crypt
351 ___
352 }
353 &gen_block("en");
354 &gen_block("de");
355 }}}
356 {{{
357 my ($inp,$out,$len,$key,$ivp)=map("x$_",(0..4)); my $enc="w5";
358 my ($rounds,$cnt,$key_,$step,$step1)=($enc,"w6","x7","x8","x12");
359 my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7));
360
361 my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1);
362 my ($key4,$key5,$key6,$key7)=("x6","x12","x14",$key);
363
364 ### q8-q15      preloaded key schedule
365
366 $code.=<<___;
367 .globl  ${prefix}_cbc_encrypt
368 .type   ${prefix}_cbc_encrypt,%function
369 .align  5
370 ${prefix}_cbc_encrypt:
371 ___
372 $code.=<<___    if ($flavour =~ /64/);
373         stp     x29,x30,[sp,#-16]!
374         add     x29,sp,#0
375 ___
376 $code.=<<___    if ($flavour !~ /64/);
377         mov     ip,sp
378         stmdb   sp!,{r4-r8,lr}
379         vstmdb  sp!,{d8-d15}            @ ABI specification says so
380         ldmia   ip,{r4-r5}              @ load remaining args
381 ___
382 $code.=<<___;
383         subs    $len,$len,#16
384         mov     $step,#16
385         b.lo    .Lcbc_abort
386         cclr    $step,eq
387
388         cmp     $enc,#0                 // en- or decrypting?
389         ldr     $rounds,[$key,#240]
390         and     $len,$len,#-16
391         vld1.8  {$ivec},[$ivp]
392         vld1.8  {$dat},[$inp],$step
393
394         vld1.32 {q8-q9},[$key]          // load key schedule...
395         sub     $rounds,$rounds,#6
396         add     $key_,$key,x5,lsl#4     // pointer to last 7 round keys
397         sub     $rounds,$rounds,#2
398         vld1.32 {q10-q11},[$key_],#32
399         vld1.32 {q12-q13},[$key_],#32
400         vld1.32 {q14-q15},[$key_],#32
401         vld1.32 {$rndlast},[$key_]
402
403         add     $key_,$key,#32
404         mov     $cnt,$rounds
405         b.eq    .Lcbc_dec
406
407         cmp     $rounds,#2
408         veor    $dat,$dat,$ivec
409         veor    $rndzero_n_last,q8,$rndlast
410         b.eq    .Lcbc_enc128
411
412         vld1.32 {$in0-$in1},[$key_]
413         add     $key_,$key,#16
414         add     $key4,$key,#16*4
415         add     $key5,$key,#16*5
416         aese    $dat,q8
417         aesmc   $dat,$dat
418         add     $key6,$key,#16*6
419         add     $key7,$key,#16*7
420         b       .Lenter_cbc_enc
421
422 .align  4
423 .Loop_cbc_enc:
424         aese    $dat,q8
425         aesmc   $dat,$dat
426          vst1.8 {$ivec},[$out],#16
427 .Lenter_cbc_enc:
428         aese    $dat,q9
429         aesmc   $dat,$dat
430         aese    $dat,$in0
431         aesmc   $dat,$dat
432         vld1.32 {q8},[$key4]
433         cmp     $rounds,#4
434         aese    $dat,$in1
435         aesmc   $dat,$dat
436         vld1.32 {q9},[$key5]
437         b.eq    .Lcbc_enc192
438
439         aese    $dat,q8
440         aesmc   $dat,$dat
441         vld1.32 {q8},[$key6]
442         aese    $dat,q9
443         aesmc   $dat,$dat
444         vld1.32 {q9},[$key7]
445         nop
446
447 .Lcbc_enc192:
448         aese    $dat,q8
449         aesmc   $dat,$dat
450          subs   $len,$len,#16
451         aese    $dat,q9
452         aesmc   $dat,$dat
453          cclr   $step,eq
454         aese    $dat,q10
455         aesmc   $dat,$dat
456         aese    $dat,q11
457         aesmc   $dat,$dat
458          vld1.8 {q8},[$inp],$step
459         aese    $dat,q12
460         aesmc   $dat,$dat
461          veor   q8,q8,$rndzero_n_last
462         aese    $dat,q13
463         aesmc   $dat,$dat
464          vld1.32 {q9},[$key_]           // re-pre-load rndkey[1]
465         aese    $dat,q14
466         aesmc   $dat,$dat
467         aese    $dat,q15
468         veor    $ivec,$dat,$rndlast
469         b.hs    .Loop_cbc_enc
470
471         vst1.8  {$ivec},[$out],#16
472         b       .Lcbc_done
473
474 .align  5
475 .Lcbc_enc128:
476         vld1.32 {$in0-$in1},[$key_]
477         aese    $dat,q8
478         aesmc   $dat,$dat
479         b       .Lenter_cbc_enc128
480 .Loop_cbc_enc128:
481         aese    $dat,q8
482         aesmc   $dat,$dat
483          vst1.8 {$ivec},[$out],#16
484 .Lenter_cbc_enc128:
485         aese    $dat,q9
486         aesmc   $dat,$dat
487          subs   $len,$len,#16
488         aese    $dat,$in0
489         aesmc   $dat,$dat
490          cclr   $step,eq
491         aese    $dat,$in1
492         aesmc   $dat,$dat
493         aese    $dat,q10
494         aesmc   $dat,$dat
495         aese    $dat,q11
496         aesmc   $dat,$dat
497          vld1.8 {q8},[$inp],$step
498         aese    $dat,q12
499         aesmc   $dat,$dat
500         aese    $dat,q13
501         aesmc   $dat,$dat
502         aese    $dat,q14
503         aesmc   $dat,$dat
504          veor   q8,q8,$rndzero_n_last
505         aese    $dat,q15
506         veor    $ivec,$dat,$rndlast
507         b.hs    .Loop_cbc_enc128
508
509         vst1.8  {$ivec},[$out],#16
510         b       .Lcbc_done
511 ___
512 {
513 my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9));
514 $code.=<<___;
515 .align  5
516 .Lcbc_dec:
517         vld1.8  {$dat2},[$inp],#16
518         subs    $len,$len,#32           // bias
519         add     $cnt,$rounds,#2
520         vorr    $in1,$dat,$dat
521         vorr    $dat1,$dat,$dat
522         vorr    $in2,$dat2,$dat2
523         b.lo    .Lcbc_dec_tail
524
525         vorr    $dat1,$dat2,$dat2
526         vld1.8  {$dat2},[$inp],#16
527         vorr    $in0,$dat,$dat
528         vorr    $in1,$dat1,$dat1
529         vorr    $in2,$dat2,$dat2
530
531 .Loop3x_cbc_dec:
532         aesd    $dat0,q8
533         aesimc  $dat0,$dat0
534         aesd    $dat1,q8
535         aesimc  $dat1,$dat1
536         aesd    $dat2,q8
537         aesimc  $dat2,$dat2
538         vld1.32 {q8},[$key_],#16
539         subs    $cnt,$cnt,#2
540         aesd    $dat0,q9
541         aesimc  $dat0,$dat0
542         aesd    $dat1,q9
543         aesimc  $dat1,$dat1
544         aesd    $dat2,q9
545         aesimc  $dat2,$dat2
546         vld1.32 {q9},[$key_],#16
547         b.gt    .Loop3x_cbc_dec
548
549         aesd    $dat0,q8
550         aesimc  $dat0,$dat0
551         aesd    $dat1,q8
552         aesimc  $dat1,$dat1
553         aesd    $dat2,q8
554         aesimc  $dat2,$dat2
555          veor   $tmp0,$ivec,$rndlast
556          subs   $len,$len,#0x30
557          veor   $tmp1,$in0,$rndlast
558          mov.lo x6,$len                 // x6, $cnt, is zero at this point
559         aesd    $dat0,q9
560         aesimc  $dat0,$dat0
561         aesd    $dat1,q9
562         aesimc  $dat1,$dat1
563         aesd    $dat2,q9
564         aesimc  $dat2,$dat2
565          veor   $tmp2,$in1,$rndlast
566          add    $inp,$inp,x6            // $inp is adjusted in such way that
567                                         // at exit from the loop $dat1-$dat2
568                                         // are loaded with last "words"
569          vorr   $ivec,$in2,$in2
570          mov    $key_,$key
571         aesd    $dat0,q12
572         aesimc  $dat0,$dat0
573         aesd    $dat1,q12
574         aesimc  $dat1,$dat1
575         aesd    $dat2,q12
576         aesimc  $dat2,$dat2
577          vld1.8 {$in0},[$inp],#16
578         aesd    $dat0,q13
579         aesimc  $dat0,$dat0
580         aesd    $dat1,q13
581         aesimc  $dat1,$dat1
582         aesd    $dat2,q13
583         aesimc  $dat2,$dat2
584          vld1.8 {$in1},[$inp],#16
585         aesd    $dat0,q14
586         aesimc  $dat0,$dat0
587         aesd    $dat1,q14
588         aesimc  $dat1,$dat1
589         aesd    $dat2,q14
590         aesimc  $dat2,$dat2
591          vld1.8 {$in2},[$inp],#16
592         aesd    $dat0,q15
593         aesd    $dat1,q15
594         aesd    $dat2,q15
595          vld1.32 {q8},[$key_],#16       // re-pre-load rndkey[0]
596          add    $cnt,$rounds,#2
597         veor    $tmp0,$tmp0,$dat0
598         veor    $tmp1,$tmp1,$dat1
599         veor    $dat2,$dat2,$tmp2
600          vld1.32 {q9},[$key_],#16       // re-pre-load rndkey[1]
601         vst1.8  {$tmp0},[$out],#16
602          vorr   $dat0,$in0,$in0
603         vst1.8  {$tmp1},[$out],#16
604          vorr   $dat1,$in1,$in1
605         vst1.8  {$dat2},[$out],#16
606          vorr   $dat2,$in2,$in2
607         b.hs    .Loop3x_cbc_dec
608
609         cmn     $len,#0x30
610         b.eq    .Lcbc_done
611         nop
612
613 .Lcbc_dec_tail:
614         aesd    $dat1,q8
615         aesimc  $dat1,$dat1
616         aesd    $dat2,q8
617         aesimc  $dat2,$dat2
618         vld1.32 {q8},[$key_],#16
619         subs    $cnt,$cnt,#2
620         aesd    $dat1,q9
621         aesimc  $dat1,$dat1
622         aesd    $dat2,q9
623         aesimc  $dat2,$dat2
624         vld1.32 {q9},[$key_],#16
625         b.gt    .Lcbc_dec_tail
626
627         aesd    $dat1,q8
628         aesimc  $dat1,$dat1
629         aesd    $dat2,q8
630         aesimc  $dat2,$dat2
631         aesd    $dat1,q9
632         aesimc  $dat1,$dat1
633         aesd    $dat2,q9
634         aesimc  $dat2,$dat2
635         aesd    $dat1,q12
636         aesimc  $dat1,$dat1
637         aesd    $dat2,q12
638         aesimc  $dat2,$dat2
639          cmn    $len,#0x20
640         aesd    $dat1,q13
641         aesimc  $dat1,$dat1
642         aesd    $dat2,q13
643         aesimc  $dat2,$dat2
644          veor   $tmp1,$ivec,$rndlast
645         aesd    $dat1,q14
646         aesimc  $dat1,$dat1
647         aesd    $dat2,q14
648         aesimc  $dat2,$dat2
649          veor   $tmp2,$in1,$rndlast
650         aesd    $dat1,q15
651         aesd    $dat2,q15
652         b.eq    .Lcbc_dec_one
653         veor    $tmp1,$tmp1,$dat1
654         veor    $tmp2,$tmp2,$dat2
655          vorr   $ivec,$in2,$in2
656         vst1.8  {$tmp1},[$out],#16
657         vst1.8  {$tmp2},[$out],#16
658         b       .Lcbc_done
659
660 .Lcbc_dec_one:
661         veor    $tmp1,$tmp1,$dat2
662          vorr   $ivec,$in2,$in2
663         vst1.8  {$tmp1},[$out],#16
664
665 .Lcbc_done:
666         vst1.8  {$ivec},[$ivp]
667 .Lcbc_abort:
668 ___
669 }
670 $code.=<<___    if ($flavour !~ /64/);
671         vldmia  sp!,{d8-d15}
672         ldmia   sp!,{r4-r8,pc}
673 ___
674 $code.=<<___    if ($flavour =~ /64/);
675         ldr     x29,[sp],#16
676         ret
677 ___
678 $code.=<<___;
679 .size   ${prefix}_cbc_encrypt,.-${prefix}_cbc_encrypt
680 ___
681 }}}
682 {{{
683 my ($inp,$out,$len,$key,$ivp)=map("x$_",(0..4));
684 my ($rounds,$cnt,$key_)=("w5","w6","x7");
685 my ($ctr,$tctr0,$tctr1,$tctr2)=map("w$_",(8..10,12));
686 my $step="x12";         # aliases with $tctr2
687
688 my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7));
689 my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9));
690
691 my ($dat,$tmp)=($dat0,$tmp0);
692
693 ### q8-q15      preloaded key schedule
694
695 $code.=<<___;
696 .globl  ${prefix}_ctr32_encrypt_blocks
697 .type   ${prefix}_ctr32_encrypt_blocks,%function
698 .align  5
699 ${prefix}_ctr32_encrypt_blocks:
700 ___
701 $code.=<<___    if ($flavour =~ /64/);
702         stp             x29,x30,[sp,#-16]!
703         add             x29,sp,#0
704 ___
705 $code.=<<___    if ($flavour !~ /64/);
706         mov             ip,sp
707         stmdb           sp!,{r4-r10,lr}
708         vstmdb          sp!,{d8-d15}            @ ABI specification says so
709         ldr             r4, [ip]                @ load remaining arg
710 ___
711 $code.=<<___;
712         ldr             $rounds,[$key,#240]
713
714         ldr             $ctr, [$ivp, #12]
715         vld1.32         {$dat0},[$ivp]
716
717         vld1.32         {q8-q9},[$key]          // load key schedule...
718         sub             $rounds,$rounds,#4
719         mov             $step,#16
720         cmp             $len,#2
721         add             $key_,$key,x5,lsl#4     // pointer to last 5 round keys
722         sub             $rounds,$rounds,#2
723         vld1.32         {q12-q13},[$key_],#32
724         vld1.32         {q14-q15},[$key_],#32
725         vld1.32         {$rndlast},[$key_]
726         add             $key_,$key,#32
727         mov             $cnt,$rounds
728         cclr            $step,lo
729 #ifndef __ARMEB__
730         rev             $ctr, $ctr
731 #endif
732         vorr            $dat1,$dat0,$dat0
733         add             $tctr1, $ctr, #1
734         vorr            $dat2,$dat0,$dat0
735         add             $ctr, $ctr, #2
736         vorr            $ivec,$dat0,$dat0
737         rev             $tctr1, $tctr1
738         vmov.32         ${dat1}[3],$tctr1
739         b.ls            .Lctr32_tail
740         rev             $tctr2, $ctr
741         sub             $len,$len,#3            // bias
742         vmov.32         ${dat2}[3],$tctr2
743         b               .Loop3x_ctr32
744
745 .align  4
746 .Loop3x_ctr32:
747         aese            $dat0,q8
748         aesmc           $dat0,$dat0
749         aese            $dat1,q8
750         aesmc           $dat1,$dat1
751         aese            $dat2,q8
752         aesmc           $dat2,$dat2
753         vld1.32         {q8},[$key_],#16
754         subs            $cnt,$cnt,#2
755         aese            $dat0,q9
756         aesmc           $dat0,$dat0
757         aese            $dat1,q9
758         aesmc           $dat1,$dat1
759         aese            $dat2,q9
760         aesmc           $dat2,$dat2
761         vld1.32         {q9},[$key_],#16
762         b.gt            .Loop3x_ctr32
763
764         aese            $dat0,q8
765         aesmc           $tmp0,$dat0
766         aese            $dat1,q8
767         aesmc           $tmp1,$dat1
768          vld1.8         {$in0},[$inp],#16
769          vorr           $dat0,$ivec,$ivec
770         aese            $dat2,q8
771         aesmc           $dat2,$dat2
772          vld1.8         {$in1},[$inp],#16
773          vorr           $dat1,$ivec,$ivec
774         aese            $tmp0,q9
775         aesmc           $tmp0,$tmp0
776         aese            $tmp1,q9
777         aesmc           $tmp1,$tmp1
778          vld1.8         {$in2},[$inp],#16
779          mov            $key_,$key
780         aese            $dat2,q9
781         aesmc           $tmp2,$dat2
782          vorr           $dat2,$ivec,$ivec
783          add            $tctr0,$ctr,#1
784         aese            $tmp0,q12
785         aesmc           $tmp0,$tmp0
786         aese            $tmp1,q12
787         aesmc           $tmp1,$tmp1
788          veor           $in0,$in0,$rndlast
789          add            $tctr1,$ctr,#2
790         aese            $tmp2,q12
791         aesmc           $tmp2,$tmp2
792          veor           $in1,$in1,$rndlast
793          add            $ctr,$ctr,#3
794         aese            $tmp0,q13
795         aesmc           $tmp0,$tmp0
796         aese            $tmp1,q13
797         aesmc           $tmp1,$tmp1
798          veor           $in2,$in2,$rndlast
799          rev            $tctr0,$tctr0
800         aese            $tmp2,q13
801         aesmc           $tmp2,$tmp2
802          vmov.32        ${dat0}[3], $tctr0
803          rev            $tctr1,$tctr1
804         aese            $tmp0,q14
805         aesmc           $tmp0,$tmp0
806         aese            $tmp1,q14
807         aesmc           $tmp1,$tmp1
808          vmov.32        ${dat1}[3], $tctr1
809          rev            $tctr2,$ctr
810         aese            $tmp2,q14
811         aesmc           $tmp2,$tmp2
812          vmov.32        ${dat2}[3], $tctr2
813          subs           $len,$len,#3
814         aese            $tmp0,q15
815         aese            $tmp1,q15
816         aese            $tmp2,q15
817
818         veor            $in0,$in0,$tmp0
819          vld1.32         {q8},[$key_],#16       // re-pre-load rndkey[0]
820         vst1.8          {$in0},[$out],#16
821         veor            $in1,$in1,$tmp1
822          mov            $cnt,$rounds
823         vst1.8          {$in1},[$out],#16
824         veor            $in2,$in2,$tmp2
825          vld1.32         {q9},[$key_],#16       // re-pre-load rndkey[1]
826         vst1.8          {$in2},[$out],#16
827         b.hs            .Loop3x_ctr32
828
829         adds            $len,$len,#3
830         b.eq            .Lctr32_done
831         cmp             $len,#1
832         mov             $step,#16
833         cclr            $step,eq
834
835 .Lctr32_tail:
836         aese            $dat0,q8
837         aesmc           $dat0,$dat0
838         aese            $dat1,q8
839         aesmc           $dat1,$dat1
840         vld1.32         {q8},[$key_],#16
841         subs            $cnt,$cnt,#2
842         aese            $dat0,q9
843         aesmc           $dat0,$dat0
844         aese            $dat1,q9
845         aesmc           $dat1,$dat1
846         vld1.32         {q9},[$key_],#16
847         b.gt            .Lctr32_tail
848
849         aese            $dat0,q8
850         aesmc           $dat0,$dat0
851         aese            $dat1,q8
852         aesmc           $dat1,$dat1
853         aese            $dat0,q9
854         aesmc           $dat0,$dat0
855         aese            $dat1,q9
856         aesmc           $dat1,$dat1
857          vld1.8         {$in0},[$inp],$step
858         aese            $dat0,q12
859         aesmc           $dat0,$dat0
860         aese            $dat1,q12
861         aesmc           $dat1,$dat1
862          vld1.8         {$in1},[$inp]
863         aese            $dat0,q13
864         aesmc           $dat0,$dat0
865         aese            $dat1,q13
866         aesmc           $dat1,$dat1
867          veor           $in0,$in0,$rndlast
868         aese            $dat0,q14
869         aesmc           $dat0,$dat0
870         aese            $dat1,q14
871         aesmc           $dat1,$dat1
872          veor           $in1,$in1,$rndlast
873         aese            $dat0,q15
874         aese            $dat1,q15
875
876         cmp             $len,#1
877         veor            $in0,$in0,$dat0
878         veor            $in1,$in1,$dat1
879         vst1.8          {$in0},[$out],#16
880         b.eq            .Lctr32_done
881         vst1.8          {$in1},[$out]
882
883 .Lctr32_done:
884 ___
885 $code.=<<___    if ($flavour !~ /64/);
886         vldmia          sp!,{d8-d15}
887         ldmia           sp!,{r4-r10,pc}
888 ___
889 $code.=<<___    if ($flavour =~ /64/);
890         ldr             x29,[sp],#16
891         ret
892 ___
893 $code.=<<___;
894 .size   ${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks
895 ___
896 }}}
897 $code.=<<___;
898 #endif
899 ___
900 ########################################
901 if ($flavour =~ /64/) {                 ######## 64-bit code
902     my %opcode = (
903         "aesd"  =>      0x4e285800,     "aese"  =>      0x4e284800,
904         "aesimc"=>      0x4e287800,     "aesmc" =>      0x4e286800      );
905
906     local *unaes = sub {
907         my ($mnemonic,$arg)=@_;
908
909         $arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)/o   &&
910         sprintf ".inst\t0x%08x\t//%s %s",
911                         $opcode{$mnemonic}|$1|($2<<5),
912                         $mnemonic,$arg;
913     };
914
915     foreach(split("\n",$code)) {
916         s/\`([^\`]*)\`/eval($1)/geo;
917
918         s/\bq([0-9]+)\b/"v".($1<8?$1:$1+8).".16b"/geo;  # old->new registers
919         s/@\s/\/\//o;                   # old->new style commentary
920
921         #s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo     or
922         s/cclr\s+([wx])([^,]+),\s*([a-z]+)/csel $1$2,$1zr,$1$2,$3/o     or
923         s/mov\.([a-z]+)\s+([wx][0-9]+),\s*([wx][0-9]+)/csel     $2,$3,$2,$1/o   or
924         s/vmov\.i8/movi/o       or      # fix up legacy mnemonics
925         s/vext\.8/ext/o         or
926         s/vrev32\.8/rev32/o     or
927         s/vtst\.8/cmtst/o       or
928         s/vshr/ushr/o           or
929         s/^(\s+)v/$1/o          or      # strip off v prefix
930         s/\bbx\s+lr\b/ret/o;
931
932         # fix up remaining legacy suffixes
933         s/\.[ui]?8//o;
934         m/\],#8/o and s/\.16b/\.8b/go;
935         s/\.[ui]?32//o and s/\.16b/\.4s/go;
936         s/\.[ui]?64//o and s/\.16b/\.2d/go;
937         s/\.[42]([sd])\[([0-3])\]/\.$1\[$2\]/o;
938
939         print $_,"\n";
940     }
941 } else {                                ######## 32-bit code
942     my %opcode = (
943         "aesd"  =>      0xf3b00340,     "aese"  =>      0xf3b00300,
944         "aesimc"=>      0xf3b003c0,     "aesmc" =>      0xf3b00380      );
945
946     local *unaes = sub {
947         my ($mnemonic,$arg)=@_;
948
949         if ($arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)/o) {
950             my $word = $opcode{$mnemonic}|(($1&7)<<13)|(($1&8)<<19)
951                                          |(($2&7)<<1) |(($2&8)<<2);
952             # since ARMv7 instructions are always encoded little-endian.
953             # correct solution is to use .inst directive, but older
954             # assemblers don't implement it:-(
955             sprintf ".byte\t0x%02x,0x%02x,0x%02x,0x%02x\t@ %s %s",
956                         $word&0xff,($word>>8)&0xff,
957                         ($word>>16)&0xff,($word>>24)&0xff,
958                         $mnemonic,$arg;
959         }
960     };
961
962     sub unvtbl {
963         my $arg=shift;
964
965         $arg =~ m/q([0-9]+),\s*\{q([0-9]+)\},\s*q([0-9]+)/o &&
966         sprintf "vtbl.8 d%d,{q%d},d%d\n\t".
967                 "vtbl.8 d%d,{q%d},d%d", 2*$1,$2,2*$3, 2*$1+1,$2,2*$3+1;
968     }
969
970     sub unvdup32 {
971         my $arg=shift;
972
973         $arg =~ m/q([0-9]+),\s*q([0-9]+)\[([0-3])\]/o &&
974         sprintf "vdup.32        q%d,d%d[%d]",$1,2*$2+($3>>1),$3&1;
975     }
976
977     sub unvmov32 {
978         my $arg=shift;
979
980         $arg =~ m/q([0-9]+)\[([0-3])\],(.*)/o &&
981         sprintf "vmov.32        d%d[%d],%s",2*$1+($2>>1),$2&1,$3;
982     }
983
984     foreach(split("\n",$code)) {
985         s/\`([^\`]*)\`/eval($1)/geo;
986
987         s/\b[wx]([0-9]+)\b/r$1/go;              # new->old registers
988         s/\bv([0-9])\.[12468]+[bsd]\b/q$1/go;   # new->old registers
989         s/\/\/\s?/@ /o;                         # new->old style commentary
990
991         # fix up remaining new-style suffixes
992         s/\{q([0-9]+)\},\s*\[(.+)\],#8/sprintf "{d%d},[$2]!",2*$1/eo    or
993         s/\],#[0-9]+/]!/o;
994
995         s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo      or
996         s/cclr\s+([^,]+),\s*([a-z]+)/mov$2      $1,#0/o or
997         s/vtbl\.8\s+(.*)/unvtbl($1)/geo                 or
998         s/vdup\.32\s+(.*)/unvdup32($1)/geo              or
999         s/vmov\.32\s+(.*)/unvmov32($1)/geo              or
1000         s/^(\s+)b\./$1b/o                               or
1001         s/^(\s+)mov\./$1mov/o                           or
1002         s/^(\s+)ret/$1bx\tlr/o;
1003
1004         print $_,"\n";
1005     }
1006 }
1007
1008 close STDOUT;