2 # Copyright 2014-2018 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the Apache License 2.0 (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 # ====================================================================
11 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12 # project. The module is, however, dual licensed under OpenSSL and
13 # CRYPTOGAMS licenses depending on where you obtain it. For further
14 # details see http://www.openssl.org/~appro/cryptogams/.
15 # ====================================================================
17 # GHASH for for PowerISA v2.07.
21 # Accurate performance measurements are problematic, because it's
22 # always virtualized setup with possibly throttled processor.
23 # Relative comparison is therefore more informative. This initial
24 # version is ~2.1x slower than hardware-assisted AES-128-CTR, ~12x
25 # faster than "4-bit" integer-only compiler-generated 64-bit code.
26 # "Initial version" means that there is room for further improvement.
30 # 2x aggregated reduction improves performance by 50% (resulting
31 # performance on POWER8 is 1 cycle per processed byte), and 4x
32 # aggregated reduction - by 170% or 2.7x (resulting in 0.55 cpb).
33 # POWER9 delivers 0.51 cpb.
35 # $output is the last argument if it looks like a file (it has an extension)
36 # $flavour is the first argument if it doesn't look like a file
37 $output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
38 $flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef;
40 if ($flavour =~ /64/) {
48 } elsif ($flavour =~ /32/) {
56 } else { die "nonsense $flavour"; }
59 $FRAME=6*$SIZE_T+13*16; # 13*16 is for v20-v31 offload
61 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
62 ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
63 ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
64 die "can't locate ppc-xlate.pl";
66 open STDOUT,"| $^X $xlate $flavour \"$output\""
67 or die "can't call $xlate: $!";
69 my ($Xip,$Htbl,$inp,$len)=map("r$_",(3..6)); # argument block
71 my ($Xl,$Xm,$Xh,$IN)=map("v$_",(0..3));
72 my ($zero,$t0,$t1,$t2,$xC2,$H,$Hh,$Hl,$lemask)=map("v$_",(4..12));
73 my ($Xl1,$Xm1,$Xh1,$IN1,$H2,$H2h,$H2l)=map("v$_",(13..19));
90 lvx_u $H,0,r4 # load H
92 vspltisb $xC2,-16 # 0xf0
94 vaddubm $xC2,$xC2,$xC2 # 0xe0
95 vxor $zero,$zero,$zero
96 vor $xC2,$xC2,$t0 # 0xe1
97 vsldoi $xC2,$xC2,$zero,15 # 0xe1...
98 vsldoi $t1,$zero,$t0,1 # ...1
99 vaddubm $xC2,$xC2,$xC2 # 0xc2...
101 vor $xC2,$xC2,$t1 # 0xc2....01
102 vspltb $t1,$H,0 # most significant byte
103 vsl $H,$H,$t0 # H<<=1
104 vsrab $t1,$t1,$t2 # broadcast carry bit
106 vxor $IN,$H,$t1 # twisted H
108 vsldoi $H,$IN,$IN,8 # twist even more ...
109 vsldoi $xC2,$zero,$xC2,8 # 0xc2.0
110 vsldoi $Hl,$zero,$H,8 # ... and split
111 vsldoi $Hh,$H,$zero,8
113 stvx_u $xC2,0,r3 # save pre-computed table
121 vpmsumd $Xl,$IN,$Hl # H.lo·H.lo
122 vpmsumd $Xm,$IN,$H # H.hi·H.lo+H.lo·H.hi
123 vpmsumd $Xh,$IN,$Hh # H.hi·H.hi
125 vpmsumd $t2,$Xl,$xC2 # 1st reduction phase
127 vsldoi $t0,$Xm,$zero,8
128 vsldoi $t1,$zero,$Xm,8
135 vsldoi $t1,$Xl,$Xl,8 # 2nd reduction phase
140 vsldoi $H2,$IN1,$IN1,8
141 vsldoi $H2l,$zero,$H2,8
142 vsldoi $H2h,$H2,$zero,8
144 stvx_u $H2l,r8,r3 # save H^2
152 my ($t4,$t5,$t6) = ($Hl,$H,$Hh);
154 vpmsumd $Xl,$IN,$H2l # H.lo·H^2.lo
155 vpmsumd $Xl1,$IN1,$H2l # H^2.lo·H^2.lo
156 vpmsumd $Xm,$IN,$H2 # H.hi·H^2.lo+H.lo·H^2.hi
157 vpmsumd $Xm1,$IN1,$H2 # H^2.hi·H^2.lo+H^2.lo·H^2.hi
158 vpmsumd $Xh,$IN,$H2h # H.hi·H^2.hi
159 vpmsumd $Xh1,$IN1,$H2h # H^2.hi·H^2.hi
161 vpmsumd $t2,$Xl,$xC2 # 1st reduction phase
162 vpmsumd $t6,$Xl1,$xC2 # 1st reduction phase
164 vsldoi $t0,$Xm,$zero,8
165 vsldoi $t1,$zero,$Xm,8
166 vsldoi $t4,$Xm1,$zero,8
167 vsldoi $t5,$zero,$Xm1,8
174 vsldoi $Xl1,$Xl1,$Xl1,8
178 vsldoi $t1,$Xl,$Xl,8 # 2nd reduction phase
179 vsldoi $t5,$Xl1,$Xl1,8 # 2nd reduction phase
181 vpmsumd $Xl1,$Xl1,$xC2
188 vsldoi $H2,$Xl1,$Xl1,8
189 vsldoi $Hl,$zero,$H,8
190 vsldoi $Hh,$H,$zero,8
191 vsldoi $H2l,$zero,$H2,8
192 vsldoi $H2h,$H2,$zero,8
194 stvx_u $Hl,r8,r3 # save H^3
200 stvx_u $H2l,r8,r3 # save H^4
207 .byte 0,12,0x14,0,0,0,2,0
209 .size .gcm_init_p8,.-.gcm_init_p8
222 lvx_u $IN,0,$Xip # load Xi
224 lvx_u $Hl,r8,$Htbl # load pre-computed table
225 le?lvsl $lemask,r0,r0
229 le?vxor $lemask,$lemask,$t0
231 le?vperm $IN,$IN,$IN,$lemask
232 vxor $zero,$zero,$zero
234 vpmsumd $Xl,$IN,$Hl # H.lo·Xi.lo
235 vpmsumd $Xm,$IN,$H # H.hi·Xi.lo+H.lo·Xi.hi
236 vpmsumd $Xh,$IN,$Hh # H.hi·Xi.hi
238 vpmsumd $t2,$Xl,$xC2 # 1st reduction phase
240 vsldoi $t0,$Xm,$zero,8
241 vsldoi $t1,$zero,$Xm,8
248 vsldoi $t1,$Xl,$Xl,8 # 2nd reduction phase
253 le?vperm $Xl,$Xl,$Xl,$lemask
254 stvx_u $Xl,0,$Xip # write out Xi
259 .byte 0,12,0x14,0,0,0,2,0
261 .size .gcm_gmult_p8,.-.gcm_gmult_p8
272 lvx_u $Xl,0,$Xip # load Xi
274 lvx_u $Hl,r8,$Htbl # load pre-computed table
276 le?lvsl $lemask,r0,r0
282 le?vxor $lemask,$lemask,$t0
284 le?vperm $Xl,$Xl,$Xl,$lemask
285 vxor $zero,$zero,$zero
293 le?vperm $IN,$IN,$IN,$lemask
297 lvx_u $H2l,r8,$Htbl # load H^2
300 add r9,$inp,$len # end of input
307 le?vperm $IN1,$IN1,$IN1,$lemask
310 vpmsumd $Xl,$IN,$H2l # H^2.lo·Xi.lo
311 vpmsumd $Xl1,$IN1,$Hl # H.lo·Xi+1.lo
312 subfe r0,r0,r0 # borrow?-1:0
313 vpmsumd $Xm,$IN,$H2 # H^2.hi·Xi.lo+H^2.lo·Xi.hi
314 vpmsumd $Xm1,$IN1,$H # H.hi·Xi+1.lo+H.lo·Xi+1.hi
316 vpmsumd $Xh,$IN,$H2h # H^2.hi·Xi.hi
317 vpmsumd $Xh1,$IN1,$Hh # H.hi·Xi+1.hi
323 vpmsumd $t2,$Xl,$xC2 # 1st reduction phase
325 vsldoi $t0,$Xm,$zero,8
326 vsldoi $t1,$zero,$Xm,8
336 vsldoi $t1,$Xl,$Xl,8 # 2nd reduction phase
338 le?vperm $IN,$IN,$IN,$lemask
343 bgt Loop_2x # done yet?
349 vpmsumd $Xl,$IN,$Hl # H.lo·Xi.lo
350 vpmsumd $Xm,$IN,$H # H.hi·Xi.lo+H.lo·Xi.hi
351 vpmsumd $Xh,$IN,$Hh # H.hi·Xi.hi
353 vpmsumd $t2,$Xl,$xC2 # 1st reduction phase
355 vsldoi $t0,$Xm,$zero,8
356 vsldoi $t1,$zero,$Xm,8
363 vsldoi $t1,$Xl,$Xl,8 # 2nd reduction phase
369 le?vperm $Xl,$Xl,$Xl,$lemask
370 stvx_u $Xl,0,$Xip # write out Xi
375 .byte 0,12,0x14,0,0,0,4,0
379 my ($Xl3,$Xm2,$IN2,$H3l,$H3,$H3h,
380 $Xh3,$Xm3,$IN3,$H4l,$H4,$H4h) = map("v$_",(20..31));
382 my ($H21l,$H21h,$loperm,$hiperm) = ($Hl,$Hh,$H2l,$H2h);
388 $STU $sp,-$FRAME($sp)
389 li r10,`15+6*$SIZE_T`
390 li r11,`31+6*$SIZE_T`
415 stw $vrsave,`$FRAME-4`($sp) # save vrsave
416 mtspr 256,r0 # preserve all AltiVec registers
418 lvsl $t0,0,r8 # 0x0001..0e0f
419 #lvx_u $H2l,r8,$Htbl # load H^2
423 vspltisb $t1,8 # 0x0808..0808
424 #lvx_u $H2h,r10,$Htbl
426 lvx_u $H3l,r8,$Htbl # load H^3
432 lvx_u $H4l,r8,$Htbl # load H^4
439 vsldoi $t2,$zero,$t1,8 # 0x0000..0808
440 vaddubm $hiperm,$t0,$t2 # 0x0001..1617
441 vaddubm $loperm,$t1,$hiperm # 0x0809..1e1f
443 $SHRI $len,$len,4 # this allows to use sign bit
445 lvx_u $IN0,0,$inp # load input
451 le?vperm $IN0,$IN0,$IN0,$lemask
452 le?vperm $IN1,$IN1,$IN1,$lemask
453 le?vperm $IN2,$IN2,$IN2,$lemask
454 le?vperm $IN3,$IN3,$IN3,$lemask
458 vpmsumd $Xl1,$IN1,$H3l
459 vpmsumd $Xm1,$IN1,$H3
460 vpmsumd $Xh1,$IN1,$H3h
462 vperm $H21l,$H2,$H,$hiperm
463 vperm $t0,$IN2,$IN3,$loperm
464 vperm $H21h,$H2,$H,$loperm
465 vperm $t1,$IN2,$IN3,$hiperm
466 vpmsumd $Xm2,$IN2,$H2 # H^2.lo·Xi+2.hi+H^2.hi·Xi+2.lo
467 vpmsumd $Xl3,$t0,$H21l # H^2.lo·Xi+2.lo+H.lo·Xi+3.lo
468 vpmsumd $Xm3,$IN3,$H # H.hi·Xi+3.lo +H.lo·Xi+3.hi
469 vpmsumd $Xh3,$t1,$H21h # H^2.hi·Xi+2.hi+H.hi·Xi+3.hi
485 le?vperm $IN1,$IN1,$IN1,$lemask
486 le?vperm $IN2,$IN2,$IN2,$lemask
487 le?vperm $IN3,$IN3,$IN3,$lemask
488 le?vperm $IN0,$IN0,$IN0,$lemask
490 vpmsumd $Xl,$Xh,$H4l # H^4.lo·Xi.lo
491 vpmsumd $Xm,$Xh,$H4 # H^4.hi·Xi.lo+H^4.lo·Xi.hi
492 vpmsumd $Xh,$Xh,$H4h # H^4.hi·Xi.hi
493 vpmsumd $Xl1,$IN1,$H3l
494 vpmsumd $Xm1,$IN1,$H3
495 vpmsumd $Xh1,$IN1,$H3h
500 vperm $t0,$IN2,$IN3,$loperm
501 vperm $t1,$IN2,$IN3,$hiperm
503 vpmsumd $t2,$Xl,$xC2 # 1st reduction phase
504 vpmsumd $Xl3,$t0,$H21l # H.lo·Xi+3.lo +H^2.lo·Xi+2.lo
505 vpmsumd $Xh3,$t1,$H21h # H.hi·Xi+3.hi +H^2.hi·Xi+2.hi
507 vsldoi $t0,$Xm,$zero,8
508 vsldoi $t1,$zero,$Xm,8
515 vsldoi $t1,$Xl,$Xl,8 # 2nd reduction phase
516 vpmsumd $Xm2,$IN2,$H2 # H^2.hi·Xi+2.lo+H^2.lo·Xi+2.hi
517 vpmsumd $Xm3,$IN3,$H # H.hi·Xi+3.lo +H.lo·Xi+3.hi
530 vpmsumd $Xl,$Xh,$H4l # H^4.lo·Xi.lo
531 vpmsumd $Xm,$Xh,$H4 # H^4.hi·Xi.lo+H^4.lo·Xi.hi
532 vpmsumd $Xh,$Xh,$H4h # H^4.hi·Xi.hi
537 vpmsumd $t2,$Xl,$xC2 # 1st reduction phase
539 vsldoi $t0,$Xm,$zero,8
540 vsldoi $t1,$zero,$Xm,8
548 vsldoi $t1,$Xl,$Xl,8 # 2nd reduction phase
565 le?vperm $IN0,$IN0,$IN0,$lemask
566 le?vperm $IN1,$IN1,$IN1,$lemask
567 le?vperm $IN2,$IN2,$IN2,$lemask
574 vperm $t0,$IN1,$IN2,$loperm
575 vperm $t1,$IN1,$IN2,$hiperm
576 vpmsumd $Xm2,$IN1,$H2 # H^2.lo·Xi+1.hi+H^2.hi·Xi+1.lo
577 vpmsumd $Xm3,$IN2,$H # H.hi·Xi+2.lo +H.lo·Xi+2.hi
578 vpmsumd $Xl3,$t0,$H21l # H^2.lo·Xi+1.lo+H.lo·Xi+2.lo
579 vpmsumd $Xh3,$t1,$H21h # H^2.hi·Xi+1.hi+H.hi·Xi+2.hi
586 le?vperm $IN0,$IN0,$IN0,$lemask
587 le?vperm $IN1,$IN1,$IN1,$lemask
590 vperm $t0,$zero,$IN1,$loperm
591 vperm $t1,$zero,$IN1,$hiperm
593 vsldoi $H4l,$zero,$H2,8
595 vsldoi $H4h,$H2,$zero,8
597 vpmsumd $Xl3,$t0, $H21l # H.lo·Xi+1.lo
598 vpmsumd $Xm3,$IN1,$H # H.hi·Xi+1.lo+H.lo·Xi+2.hi
599 vpmsumd $Xh3,$t1, $H21h # H.hi·Xi+1.hi
605 le?vperm $IN0,$IN0,$IN0,$lemask
607 vsldoi $H4l,$zero,$H,8
609 vsldoi $H4h,$H,$zero,8
619 le?vperm $Xl,$Xl,$Xl,$lemask
620 stvx_u $Xl,0,$Xip # write out Xi
622 li r10,`15+6*$SIZE_T`
623 li r11,`31+6*$SIZE_T`
650 .byte 0,12,0x04,0,0x80,0,4,0
655 .size .gcm_ghash_p8,.-.gcm_ghash_p8
657 .asciz "GHASH for PowerISA 2.07, CRYPTOGAMS by <appro\@openssl.org>"
661 foreach (split("\n",$code)) {
662 s/\`([^\`]*)\`/eval $1/geo;
664 if ($flavour =~ /le$/o) { # little-endian
674 close STDOUT; # enforce flush
projects / openssl.git / blob