1 /* SPDX-License-Identifier: GPL-2.0-only */
3 * Accelerated GHASH implementation with NEON/ARMv8 vmull.p8/64 instructions.
5 * Copyright (C) 2015 - 2017 Linaro Ltd. <ard.biesheuvel@linaro.org>
8 #include <linux/linkage.h>
9 #include <asm/assembler.h>
91 .fpu crypto-neon-fp-armv8
93 .macro __pmull_p64, rd, rn, rm, b1, b2, b3, b4
94 vmull.p64 \rd, \rn, \rm
98 * This implementation of 64x64 -> 128 bit polynomial multiplication
99 * using vmull.p8 instructions (8x8 -> 16) is taken from the paper
100 * "Fast Software Polynomial Multiplication on ARM Processors Using
101 * the NEON Engine" by Danilo Camara, Conrado Gouvea, Julio Lopez and
102 * Ricardo Dahab (https://hal.inria.fr/hal-01506572)
104 * It has been slightly tweaked for in-order performance, and to allow
105 * 'rq' to overlap with 'ad' or 'bd'.
107 .macro __pmull_p8, rq, ad, bd, b1=t4l, b2=t3l, b3=t4l, b4=t3l
108 vext.8 t0l, \ad, \ad, #1 @ A1
110 vext.8 t4l, \bd, \bd, #1 @ B1
112 vmull.p8 t0q, t0l, \bd @ F = A1*B
113 vext.8 t1l, \ad, \ad, #2 @ A2
114 vmull.p8 t4q, \ad, \b1 @ E = A*B1
116 vext.8 t3l, \bd, \bd, #2 @ B2
118 vmull.p8 t1q, t1l, \bd @ H = A2*B
119 vext.8 t2l, \ad, \ad, #3 @ A3
120 vmull.p8 t3q, \ad, \b2 @ G = A*B2
121 veor t0q, t0q, t4q @ L = E + F
123 vext.8 t4l, \bd, \bd, #3 @ B3
125 vmull.p8 t2q, t2l, \bd @ J = A3*B
126 veor t0l, t0l, t0h @ t0 = (L) (P0 + P1) << 8
127 veor t1q, t1q, t3q @ M = G + H
129 vext.8 t3l, \bd, \bd, #4 @ B4
131 vmull.p8 t4q, \ad, \b3 @ I = A*B3
132 veor t1l, t1l, t1h @ t1 = (M) (P2 + P3) << 16
133 vmull.p8 t3q, \ad, \b4 @ K = A*B4
136 veor t2q, t2q, t4q @ N = I + J
139 veor t2l, t2l, t2h @ t2 = (N) (P4 + P5) << 24
141 veor t3l, t3l, t3h @ t3 = (K) (P6 + P7) << 32
143 vext.8 t0q, t0q, t0q, #15
145 vext.8 t1q, t1q, t1q, #14
146 vmull.p8 \rq, \ad, \bd @ D = A*B
147 vext.8 t2q, t2q, t2q, #13
148 vext.8 t3q, t3q, t3q, #12
156 // PMULL (64x64->128) based reduction for CPUs that can do
157 // it in a single instruction.
159 .macro __pmull_reduce_p64
160 vmull.p64 T1, XL_L, MASK
162 veor XH_L, XH_L, XM_H
163 vext.8 T1, T1, T1, #8
164 veor XL_H, XL_H, XM_L
167 vmull.p64 XL, T1_H, MASK
171 // Alternative reduction for CPUs that lack support for the
172 // 64x64->128 PMULL instruction
174 .macro __pmull_reduce_p8
175 veor XL_H, XL_H, XM_L
176 veor XH_L, XH_L, XM_H
183 veor XL_H, XL_H, T1_L
184 veor XH_L, XH_L, T1_H
193 .macro ghash_update, pn
196 /* do the head block first, if supplied */
205 tst r0, #3 // skip until #blocks is a
206 bne 2f // round multiple of 4
208 vld1.8 {XL2-XM2}, [r2]!
209 1: vld1.8 {T3-T2}, [r2]!
215 vext.8 T1, XL2, XL2, #8
216 veor XL2_H, XL2_H, XL_L
222 vmull.p64 XH, HH4_H, XL_H // a1 * b1
223 veor XL2_H, XL2_H, XL_H
224 vmull.p64 XL, HH4_L, XL_L // a0 * b0
225 vmull.p64 XM, HH34_H, XL2_H // (a1 + a0)(b1 + b0)
227 vmull.p64 XH2, HH3_H, XM2_L // a1 * b1
228 veor XM2_L, XM2_L, XM2_H
229 vmull.p64 XL2, HH3_L, XM2_H // a0 * b0
230 vmull.p64 XM2, HH34_L, XM2_L // (a1 + a0)(b1 + b0)
236 vmull.p64 XH2, HH_H, T3_L // a1 * b1
237 veor T3_L, T3_L, T3_H
238 vmull.p64 XL2, HH_L, T3_H // a0 * b0
239 vmull.p64 XM2, SHASH2_H, T3_L // (a1 + a0)(b1 + b0)
245 vmull.p64 XH2, SHASH_H, T1_L // a1 * b1
246 veor T1_L, T1_L, T1_H
247 vmull.p64 XL2, SHASH_L, T1_H // a0 * b0
248 vmull.p64 XM2, SHASH2_p64, T1_L // (a1 + a0)(b1 + b0)
256 vld1.8 {XL2-XM2}, [r2]!
269 2: vld1.64 {T1}, [r2]!
272 3: /* multiply XL by SHASH in GF(2^128) */
273 #ifndef CONFIG_CPU_BIG_ENDIAN
276 vext.8 IN1, T1, T1, #8
277 veor T1_L, T1_L, XL_H
280 __pmull_\pn XH, XL_H, SHASH_H, s1h, s2h, s3h, s4h @ a1 * b1
282 __pmull_\pn XL, XL_L, SHASH_L, s1l, s2l, s3l, s4l @ a0 * b0
283 __pmull_\pn XM, T1_L, SHASH2_\pn @ (a1+a0)(b1+b0)
300 * void pmull_ghash_update(int blocks, u64 dg[], const char *src,
301 * struct ghash_key const *k, const char *head)
303 ENTRY(pmull_ghash_update_p64)
304 vld1.64 {SHASH}, [r3]!
306 vld1.64 {HH3-HH4}, [r3]
308 veor SHASH2_p64, SHASH_L, SHASH_H
309 veor SHASH2_H, HH_L, HH_H
310 veor HH34_L, HH3_L, HH3_H
311 veor HH34_H, HH4_L, HH4_H
314 vshl.u64 MASK, MASK, #57
317 ENDPROC(pmull_ghash_update_p64)
319 ENTRY(pmull_ghash_update_p8)
320 vld1.64 {SHASH}, [r3]
321 veor SHASH2_p8, SHASH_L, SHASH_H
323 vext.8 s1l, SHASH_L, SHASH_L, #1
324 vext.8 s2l, SHASH_L, SHASH_L, #2
325 vext.8 s3l, SHASH_L, SHASH_L, #3
326 vext.8 s4l, SHASH_L, SHASH_L, #4
327 vext.8 s1h, SHASH_H, SHASH_H, #1
328 vext.8 s2h, SHASH_H, SHASH_H, #2
329 vext.8 s3h, SHASH_H, SHASH_H, #3
330 vext.8 s4h, SHASH_H, SHASH_H, #4
332 vmov.i64 k16, #0xffff
333 vmov.i64 k32, #0xffffffff
334 vmov.i64 k48, #0xffffffffffff
337 ENDPROC(pmull_ghash_update_p8)
git.samba.org / sfrench / cifs-2.6.git / blob