1 /* SPDX-License-Identifier: GPL-2.0-or-later */
3 * Implement AES algorithm in Intel AES-NI instructions.
5 * The white paper of AES-NI instructions can be downloaded from:
6 * http://softwarecommunity.intel.com/isn/downloads/intelavx/AES-Instructions-Set_WP.pdf
8 * Copyright (C) 2008, Intel Corp.
9 * Author: Huang Ying <ying.huang@intel.com>
10 * Vinodh Gopal <vinodh.gopal@intel.com>
13 * Added RFC4106 AES-GCM support for 128-bit keys under the AEAD
14 * interface for 64-bit kernels.
15 * Authors: Erdinc Ozturk (erdinc.ozturk@intel.com)
16 * Aidan O'Mahony (aidan.o.mahony@intel.com)
17 * Adrian Hoban <adrian.hoban@intel.com>
18 * James Guilford (james.guilford@intel.com)
19 * Gabriele Paoloni <gabriele.paoloni@intel.com>
20 * Tadeusz Struk (tadeusz.struk@intel.com)
21 * Wajdi Feghali (wajdi.k.feghali@intel.com)
22 * Copyright (c) 2010, Intel Corporation.
24 * Ported x86_64 version to x86:
25 * Author: Mathias Krause <minipli@googlemail.com>
28 #include <linux/linkage.h>
29 #include <asm/frame.h>
30 #include <asm/nospec-branch.h>
33 * The following macros are used to move an (un)aligned 16 byte value to/from
34 * an XMM register. This can done for either FP or integer values, for FP use
35 * movaps (move aligned packed single) or integer use movdqa (move double quad
36 * aligned). It doesn't make a performance difference which instruction is used
37 * since Nehalem (original Core i7) was released. However, the movaps is a byte
38 * shorter, so that is the one we'll use for now. (same for unaligned).
45 # constants in mergeable sections, linker can reorder and merge
46 .section .rodata.cst16.POLY, "aM", @progbits, 16
48 POLY: .octa 0xC2000000000000000000000000000001
49 .section .rodata.cst16.TWOONE, "aM", @progbits, 16
51 TWOONE: .octa 0x00000001000000000000000000000001
53 .section .rodata.cst16.SHUF_MASK, "aM", @progbits, 16
55 SHUF_MASK: .octa 0x000102030405060708090A0B0C0D0E0F
56 .section .rodata.cst16.MASK1, "aM", @progbits, 16
58 MASK1: .octa 0x0000000000000000ffffffffffffffff
59 .section .rodata.cst16.MASK2, "aM", @progbits, 16
61 MASK2: .octa 0xffffffffffffffff0000000000000000
62 .section .rodata.cst16.ONE, "aM", @progbits, 16
64 ONE: .octa 0x00000000000000000000000000000001
65 .section .rodata.cst16.F_MIN_MASK, "aM", @progbits, 16
67 F_MIN_MASK: .octa 0xf1f2f3f4f5f6f7f8f9fafbfcfdfeff0
68 .section .rodata.cst16.dec, "aM", @progbits, 16
71 .section .rodata.cst16.enc, "aM", @progbits, 16
75 # order of these constants should not change.
76 # more specifically, ALL_F should follow SHIFT_MASK,
77 # and zero should follow ALL_F
78 .section .rodata, "a", @progbits
80 SHIFT_MASK: .octa 0x0f0e0d0c0b0a09080706050403020100
81 ALL_F: .octa 0xffffffffffffffffffffffffffffffff
82 .octa 0x00000000000000000000000000000000
87 #define STACK_OFFSET 8*3
91 #define InLen (16*1)+8
92 #define PBlockEncKey 16*2
95 #define PBlockLen 16*5
96 #define HashKey 16*6 // store HashKey <<1 mod poly here
97 #define HashKey_2 16*7 // store HashKey^2 <<1 mod poly here
98 #define HashKey_3 16*8 // store HashKey^3 <<1 mod poly here
99 #define HashKey_4 16*9 // store HashKey^4 <<1 mod poly here
100 #define HashKey_k 16*10 // store XOR of High 64 bits and Low 64
101 // bits of HashKey <<1 mod poly here
102 //(for Karatsuba purposes)
103 #define HashKey_2_k 16*11 // store XOR of High 64 bits and Low 64
104 // bits of HashKey^2 <<1 mod poly here
105 // (for Karatsuba purposes)
106 #define HashKey_3_k 16*12 // store XOR of High 64 bits and Low 64
107 // bits of HashKey^3 <<1 mod poly here
108 // (for Karatsuba purposes)
109 #define HashKey_4_k 16*13 // store XOR of High 64 bits and Low 64
110 // bits of HashKey^4 <<1 mod poly here
111 // (for Karatsuba purposes)
119 #define arg7 STACK_OFFSET+8(%rsp)
120 #define arg8 STACK_OFFSET+16(%rsp)
121 #define arg9 STACK_OFFSET+24(%rsp)
122 #define arg10 STACK_OFFSET+32(%rsp)
123 #define arg11 STACK_OFFSET+40(%rsp)
124 #define keysize 2*15*16(%arg1)
141 #define BSWAP_MASK %xmm10
145 #define GF128MUL_MASK %xmm7
178 # states of %xmm registers %xmm6:%xmm15 not saved
179 # all %xmm registers are clobbered
190 # Precompute hashkeys.
191 # Input: Hash subkey.
192 # Output: HashKeys stored in gcm_context_data. Only needs to be called
194 # clobbers r12, and tmp xmm registers.
195 .macro PRECOMPUTE SUBKEY TMP1 TMP2 TMP3 TMP4 TMP5 TMP6 TMP7
198 movdqa SHUF_MASK(%rip), \TMP2
201 # precompute HashKey<<1 mod poly from the HashKey (required for GHASH)
213 pshufd $0x24, \TMP1, \TMP2
214 pcmpeqd TWOONE(%rip), \TMP2
215 pand POLY(%rip), \TMP2
217 movdqu \TMP3, HashKey(%arg2)
220 pshufd $78, \TMP3, \TMP1
222 movdqu \TMP1, HashKey_k(%arg2)
224 GHASH_MUL \TMP5, \TMP3, \TMP1, \TMP2, \TMP4, \TMP6, \TMP7
225 # TMP5 = HashKey^2<<1 (mod poly)
226 movdqu \TMP5, HashKey_2(%arg2)
227 # HashKey_2 = HashKey^2<<1 (mod poly)
228 pshufd $78, \TMP5, \TMP1
230 movdqu \TMP1, HashKey_2_k(%arg2)
232 GHASH_MUL \TMP5, \TMP3, \TMP1, \TMP2, \TMP4, \TMP6, \TMP7
233 # TMP5 = HashKey^3<<1 (mod poly)
234 movdqu \TMP5, HashKey_3(%arg2)
235 pshufd $78, \TMP5, \TMP1
237 movdqu \TMP1, HashKey_3_k(%arg2)
239 GHASH_MUL \TMP5, \TMP3, \TMP1, \TMP2, \TMP4, \TMP6, \TMP7
240 # TMP5 = HashKey^3<<1 (mod poly)
241 movdqu \TMP5, HashKey_4(%arg2)
242 pshufd $78, \TMP5, \TMP1
244 movdqu \TMP1, HashKey_4_k(%arg2)
247 # GCM_INIT initializes a gcm_context struct to prepare for encoding/decoding.
248 # Clobbers rax, r10-r13 and xmm0-xmm6, %xmm13
249 .macro GCM_INIT Iv SUBKEY AAD AADLEN
251 mov %r11, AadLen(%arg2) # ctx_data.aad_length = aad_length
253 mov %r11, InLen(%arg2) # ctx_data.in_length = 0
254 mov %r11, PBlockLen(%arg2) # ctx_data.partial_block_length = 0
255 mov %r11, PBlockEncKey(%arg2) # ctx_data.partial_block_enc_key = 0
258 movdqu %xmm0, OrigIV(%arg2) # ctx_data.orig_IV = iv
260 movdqa SHUF_MASK(%rip), %xmm2
262 movdqu %xmm0, CurCount(%arg2) # ctx_data.current_counter = iv
264 PRECOMPUTE \SUBKEY, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, %xmm7
265 movdqu HashKey(%arg2), %xmm13
267 CALC_AAD_HASH %xmm13, \AAD, \AADLEN, %xmm0, %xmm1, %xmm2, %xmm3, \
271 # GCM_ENC_DEC Encodes/Decodes given data. Assumes that the passed gcm_context
272 # struct has been initialized by GCM_INIT.
273 # Requires the input data be at least 1 byte long because of READ_PARTIAL_BLOCK
274 # Clobbers rax, r10-r13, and xmm0-xmm15
275 .macro GCM_ENC_DEC operation
276 movdqu AadHash(%arg2), %xmm8
277 movdqu HashKey(%arg2), %xmm13
278 add %arg5, InLen(%arg2)
280 xor %r11d, %r11d # initialise the data pointer offset as zero
281 PARTIAL_BLOCK %arg3 %arg4 %arg5 %r11 %xmm8 \operation
283 sub %r11, %arg5 # sub partial block data used
284 mov %arg5, %r13 # save the number of bytes
286 and $-16, %r13 # %r13 = %r13 - (%r13 mod 16)
288 # Encrypt/Decrypt first few blocks
291 jz .L_initial_num_blocks_is_0_\@
293 jb .L_initial_num_blocks_is_1_\@
294 je .L_initial_num_blocks_is_2_\@
295 .L_initial_num_blocks_is_3_\@:
296 INITIAL_BLOCKS_ENC_DEC %xmm9, %xmm10, %xmm13, %xmm11, %xmm12, %xmm0, \
297 %xmm1, %xmm2, %xmm3, %xmm4, %xmm8, %xmm5, %xmm6, 5, 678, \operation
299 jmp .L_initial_blocks_\@
300 .L_initial_num_blocks_is_2_\@:
301 INITIAL_BLOCKS_ENC_DEC %xmm9, %xmm10, %xmm13, %xmm11, %xmm12, %xmm0, \
302 %xmm1, %xmm2, %xmm3, %xmm4, %xmm8, %xmm5, %xmm6, 6, 78, \operation
304 jmp .L_initial_blocks_\@
305 .L_initial_num_blocks_is_1_\@:
306 INITIAL_BLOCKS_ENC_DEC %xmm9, %xmm10, %xmm13, %xmm11, %xmm12, %xmm0, \
307 %xmm1, %xmm2, %xmm3, %xmm4, %xmm8, %xmm5, %xmm6, 7, 8, \operation
309 jmp .L_initial_blocks_\@
310 .L_initial_num_blocks_is_0_\@:
311 INITIAL_BLOCKS_ENC_DEC %xmm9, %xmm10, %xmm13, %xmm11, %xmm12, %xmm0, \
312 %xmm1, %xmm2, %xmm3, %xmm4, %xmm8, %xmm5, %xmm6, 8, 0, \operation
313 .L_initial_blocks_\@:
315 # Main loop - Encrypt/Decrypt remaining blocks
318 je .L_zero_cipher_left_\@
320 je .L_four_cipher_left_\@
322 GHASH_4_ENCRYPT_4_PARALLEL_\operation %xmm9, %xmm10, %xmm11, %xmm12, \
323 %xmm13, %xmm14, %xmm0, %xmm1, %xmm2, %xmm3, %xmm4, %xmm5, %xmm6, \
328 .L_four_cipher_left_\@:
329 GHASH_LAST_4 %xmm9, %xmm10, %xmm11, %xmm12, %xmm13, %xmm14, \
330 %xmm15, %xmm1, %xmm2, %xmm3, %xmm4, %xmm8
331 .L_zero_cipher_left_\@:
332 movdqu %xmm8, AadHash(%arg2)
333 movdqu %xmm0, CurCount(%arg2)
336 and $15, %r13 # %r13 = arg5 (mod 16)
337 je .L_multiple_of_16_bytes_\@
339 mov %r13, PBlockLen(%arg2)
341 # Handle the last <16 Byte block separately
342 paddd ONE(%rip), %xmm0 # INCR CNT to get Yn
343 movdqu %xmm0, CurCount(%arg2)
344 movdqa SHUF_MASK(%rip), %xmm10
347 ENCRYPT_SINGLE_BLOCK %xmm0, %xmm1 # Encrypt(K, Yn)
348 movdqu %xmm0, PBlockEncKey(%arg2)
351 jge .L_large_enough_update_\@
353 lea (%arg4,%r11,1), %r10
355 READ_PARTIAL_BLOCK %r10 %r12 %xmm2 %xmm1
358 .L_large_enough_update_\@:
362 # receive the last <16 Byte block
363 movdqu (%arg4, %r11, 1), %xmm1
368 lea SHIFT_MASK+16(%rip), %r12
369 # adjust the shuffle mask pointer to be able to shift 16-r13 bytes
370 # (r13 is the number of bytes in plaintext mod 16)
372 # get the appropriate shuffle mask
374 # shift right 16-r13 bytes
378 lea ALL_F+16(%rip), %r12
384 pxor %xmm1, %xmm0 # XOR Encrypt(K, Yn)
386 # get the appropriate mask to mask out top 16-r13 bytes of xmm0
387 pand %xmm1, %xmm0 # mask out top 16-r13 bytes of xmm0
390 movdqa SHUF_MASK(%rip), %xmm10
395 movdqa SHUF_MASK(%rip), %xmm10
401 movdqu %xmm8, AadHash(%arg2)
403 # GHASH computation for the last <16 byte block
404 movdqa SHUF_MASK(%rip), %xmm10
405 # shuffle xmm0 back to output as ciphertext
412 jle .L_less_than_8_bytes_left_\@
413 mov %rax, (%arg3 , %r11, 1)
418 .L_less_than_8_bytes_left_\@:
419 mov %al, (%arg3, %r11, 1)
423 jne .L_less_than_8_bytes_left_\@
424 .L_multiple_of_16_bytes_\@:
427 # GCM_COMPLETE Finishes update of tag of last partial block
428 # Output: Authorization Tag (AUTH_TAG)
429 # Clobbers rax, r10-r12, and xmm0, xmm1, xmm5-xmm15
430 .macro GCM_COMPLETE AUTHTAG AUTHTAGLEN
431 movdqu AadHash(%arg2), %xmm8
432 movdqu HashKey(%arg2), %xmm13
434 mov PBlockLen(%arg2), %r12
439 GHASH_MUL %xmm8, %xmm13, %xmm9, %xmm10, %xmm11, %xmm5, %xmm6
442 mov AadLen(%arg2), %r12 # %r13 = aadLen (number of bytes)
443 shl $3, %r12 # convert into number of bits
444 movd %r12d, %xmm15 # len(A) in %xmm15
445 mov InLen(%arg2), %r12
446 shl $3, %r12 # len(C) in bits (*128)
449 pslldq $8, %xmm15 # %xmm15 = len(A)||0x0000000000000000
450 pxor %xmm1, %xmm15 # %xmm15 = len(A)||len(C)
452 GHASH_MUL %xmm8, %xmm13, %xmm9, %xmm10, %xmm11, %xmm5, %xmm6
453 # final GHASH computation
454 movdqa SHUF_MASK(%rip), %xmm10
457 movdqu OrigIV(%arg2), %xmm0 # %xmm0 = Y0
458 ENCRYPT_SINGLE_BLOCK %xmm0, %xmm1 # E(K, Y0)
461 mov \AUTHTAG, %r10 # %r10 = authTag
462 mov \AUTHTAGLEN, %r11 # %r11 = auth_tag_len
474 je .L_return_T_done_\@
482 je .L_return_T_done_\@
489 je .L_return_T_done_\@
494 jmp .L_return_T_done_\@
501 /* GHASH_MUL MACRO to implement: Data*HashKey mod (128,127,126,121,0)
504 * Input: A and B (128-bits each, bit-reflected)
505 * Output: C = A*B*x mod poly, (i.e. >>1 )
506 * To compute GH = GH*HashKey mod poly, give HK = HashKey<<1 mod poly as input
507 * GH = GH * HK * x mod poly which is equivalent to GH*HashKey mod poly.
510 .macro GHASH_MUL GH HK TMP1 TMP2 TMP3 TMP4 TMP5
512 pshufd $78, \GH, \TMP2
513 pshufd $78, \HK, \TMP3
514 pxor \GH, \TMP2 # TMP2 = a1+a0
515 pxor \HK, \TMP3 # TMP3 = b1+b0
516 pclmulqdq $0x11, \HK, \TMP1 # TMP1 = a1*b1
517 pclmulqdq $0x00, \HK, \GH # GH = a0*b0
518 pclmulqdq $0x00, \TMP3, \TMP2 # TMP2 = (a0+a1)*(b1+b0)
520 pxor \TMP1, \TMP2 # TMP2 = (a0*b0)+(a1*b0)
522 pslldq $8, \TMP3 # left shift TMP3 2 DWs
523 psrldq $8, \TMP2 # right shift TMP2 2 DWs
525 pxor \TMP2, \TMP1 # TMP2:GH holds the result of GH*HK
527 # first phase of the reduction
531 movdqa \GH, \TMP4 # copy GH into TMP2,TMP3 and TMP4
532 # in in order to perform
534 pslld $31, \TMP2 # packed right shift <<31
535 pslld $30, \TMP3 # packed right shift <<30
536 pslld $25, \TMP4 # packed right shift <<25
537 pxor \TMP3, \TMP2 # xor the shifted versions
540 psrldq $4, \TMP5 # right shift TMP5 1 DW
541 pslldq $12, \TMP2 # left shift TMP2 3 DWs
544 # second phase of the reduction
546 movdqa \GH,\TMP2 # copy GH into TMP2,TMP3 and TMP4
547 # in in order to perform
551 psrld $1,\TMP2 # packed left shift >>1
552 psrld $2,\TMP3 # packed left shift >>2
553 psrld $7,\TMP4 # packed left shift >>7
554 pxor \TMP3,\TMP2 # xor the shifted versions
558 pxor \TMP1, \GH # result is in TMP1
561 # Reads DLEN bytes starting at DPTR and stores in XMMDst
562 # where 0 < DLEN < 16
563 # Clobbers %rax, DLEN and XMM1
564 .macro READ_PARTIAL_BLOCK DPTR DLEN XMM1 XMMDst
570 jz .L_done_read_partial_block_\@
572 .L_read_next_byte_\@:
574 mov 7(\DPTR, \DLEN, 1), %al
576 jnz .L_read_next_byte_\@
580 jmp .L_done_read_partial_block_\@
583 .L_read_next_byte_lt8_\@:
585 mov -1(\DPTR, \DLEN, 1), %al
587 jnz .L_read_next_byte_lt8_\@
589 .L_done_read_partial_block_\@:
592 # CALC_AAD_HASH: Calculates the hash of the data which will not be encrypted.
593 # clobbers r10-11, xmm14
594 .macro CALC_AAD_HASH HASHKEY AAD AADLEN TMP1 TMP2 TMP3 TMP4 TMP5 \
596 MOVADQ SHUF_MASK(%rip), %xmm14
597 mov \AAD, %r10 # %r10 = AAD
598 mov \AADLEN, %r11 # %r11 = aadLen
606 pshufb %xmm14, \TMP7 # byte-reflect the AAD data
608 GHASH_MUL \TMP6, \HASHKEY, \TMP1, \TMP2, \TMP3, \TMP4, \TMP5
612 jge .L_get_AAD_blocks\@
616 /* read the last <16B of AAD */
621 READ_PARTIAL_BLOCK %r10, %r11, \TMP1, \TMP7
622 pshufb %xmm14, \TMP7 # byte-reflect the AAD data
624 GHASH_MUL \TMP7, \HASHKEY, \TMP1, \TMP2, \TMP3, \TMP4, \TMP5
628 movdqu \TMP6, AadHash(%arg2)
631 # PARTIAL_BLOCK: Handles encryption/decryption and the tag partial blocks
632 # between update calls.
633 # Requires the input data be at least 1 byte long due to READ_PARTIAL_BLOCK
634 # Outputs encrypted bytes, and updates hash and partial info in gcm_data_context
635 # Clobbers rax, r10, r12, r13, xmm0-6, xmm9-13
636 .macro PARTIAL_BLOCK CYPH_PLAIN_OUT PLAIN_CYPH_IN PLAIN_CYPH_LEN DATA_OFFSET \
638 mov PBlockLen(%arg2), %r13
640 je .L_partial_block_done_\@ # Leave Macro if no partial blocks
641 # Read in input data without over reading
642 cmp $16, \PLAIN_CYPH_LEN
643 jl .L_fewer_than_16_bytes_\@
644 movups (\PLAIN_CYPH_IN), %xmm1 # If more than 16 bytes, just fill xmm
647 .L_fewer_than_16_bytes_\@:
648 lea (\PLAIN_CYPH_IN, \DATA_OFFSET, 1), %r10
649 mov \PLAIN_CYPH_LEN, %r12
650 READ_PARTIAL_BLOCK %r10 %r12 %xmm0 %xmm1
652 mov PBlockLen(%arg2), %r13
654 .L_data_read_\@: # Finished reading in data
656 movdqu PBlockEncKey(%arg2), %xmm9
657 movdqu HashKey(%arg2), %xmm13
659 lea SHIFT_MASK(%rip), %r12
661 # adjust the shuffle mask pointer to be able to shift r13 bytes
662 # r16-r13 is the number of bytes in plaintext mod 16)
664 movdqu (%r12), %xmm2 # get the appropriate shuffle mask
665 pshufb %xmm2, %xmm9 # shift right r13 bytes
669 pxor %xmm1, %xmm9 # Ciphertext XOR E(K, Yn)
671 mov \PLAIN_CYPH_LEN, %r10
673 # Set r10 to be the amount of data left in CYPH_PLAIN_IN after filling
675 # Determine if partial block is not being filled and
676 # shift mask accordingly
677 jge .L_no_extra_mask_1_\@
679 .L_no_extra_mask_1_\@:
681 movdqu ALL_F-SHIFT_MASK(%r12), %xmm1
682 # get the appropriate mask to mask out bottom r13 bytes of xmm9
683 pand %xmm1, %xmm9 # mask out bottom r13 bytes of xmm9
686 movdqa SHUF_MASK(%rip), %xmm10
689 pxor %xmm3, \AAD_HASH
692 jl .L_partial_incomplete_1_\@
694 # GHASH computation for the last <16 Byte block
695 GHASH_MUL \AAD_HASH, %xmm13, %xmm0, %xmm10, %xmm11, %xmm5, %xmm6
698 mov %rax, PBlockLen(%arg2)
700 .L_partial_incomplete_1_\@:
701 add \PLAIN_CYPH_LEN, PBlockLen(%arg2)
703 movdqu \AAD_HASH, AadHash(%arg2)
705 pxor %xmm1, %xmm9 # Plaintext XOR E(K, Yn)
707 mov \PLAIN_CYPH_LEN, %r10
709 # Set r10 to be the amount of data left in CYPH_PLAIN_IN after filling
711 # Determine if partial block is not being filled and
712 # shift mask accordingly
713 jge .L_no_extra_mask_2_\@
715 .L_no_extra_mask_2_\@:
717 movdqu ALL_F-SHIFT_MASK(%r12), %xmm1
718 # get the appropriate mask to mask out bottom r13 bytes of xmm9
721 movdqa SHUF_MASK(%rip), %xmm1
724 pxor %xmm9, \AAD_HASH
727 jl .L_partial_incomplete_2_\@
729 # GHASH computation for the last <16 Byte block
730 GHASH_MUL \AAD_HASH, %xmm13, %xmm0, %xmm10, %xmm11, %xmm5, %xmm6
733 mov %rax, PBlockLen(%arg2)
734 jmp .L_encode_done_\@
735 .L_partial_incomplete_2_\@:
736 add \PLAIN_CYPH_LEN, PBlockLen(%arg2)
738 movdqu \AAD_HASH, AadHash(%arg2)
740 movdqa SHUF_MASK(%rip), %xmm10
741 # shuffle xmm9 back to output as ciphertext
745 # output encrypted Bytes
747 jl .L_partial_fill_\@
750 # Set r13 to be the number of bytes to write out
754 mov \PLAIN_CYPH_LEN, %r13
759 jle .L_less_than_8_bytes_left_\@
761 mov %rax, (\CYPH_PLAIN_OUT, \DATA_OFFSET, 1)
766 .L_less_than_8_bytes_left_\@:
767 movb %al, (\CYPH_PLAIN_OUT, \DATA_OFFSET, 1)
771 jne .L_less_than_8_bytes_left_\@
772 .L_partial_block_done_\@:
773 .endm # PARTIAL_BLOCK
776 * if a = number of total plaintext bytes
778 * num_initial_blocks = b mod 4
779 * encrypt the initial num_initial_blocks blocks and apply ghash on
781 * %r10, %r11, %r12, %rax, %xmm5, %xmm6, %xmm7, %xmm8, %xmm9 registers
783 * arg1, %arg2, %arg3 are used as a pointer only, not modified
787 .macro INITIAL_BLOCKS_ENC_DEC TMP1 TMP2 TMP3 TMP4 TMP5 XMM0 XMM1 \
788 XMM2 XMM3 XMM4 XMMDst TMP6 TMP7 i i_seq operation
789 MOVADQ SHUF_MASK(%rip), %xmm14
791 movdqu AadHash(%arg2), %xmm\i # XMM0 = Y0
793 # start AES for num_initial_blocks blocks
795 movdqu CurCount(%arg2), \XMM0 # XMM0 = Y0
797 .if (\i == 5) || (\i == 6) || (\i == 7)
799 MOVADQ ONE(%RIP),\TMP1
800 MOVADQ 0(%arg1),\TMP2
802 paddd \TMP1, \XMM0 # INCR Y0
804 movdqa \XMM0, %xmm\index
806 MOVADQ \XMM0, %xmm\index
808 pshufb %xmm14, %xmm\index # perform a 16 byte swap
809 pxor \TMP2, %xmm\index
813 shr $2,%eax # 128->4, 192->6, 256->8
814 add $5,%eax # 128->9, 192->11, 256->13
816 .Laes_loop_initial_\@:
819 aesenc \TMP1, %xmm\index
823 jnz .Laes_loop_initial_\@
827 aesenclast \TMP1, %xmm\index # Last Round
830 movdqu (%arg4 , %r11, 1), \TMP1
831 pxor \TMP1, %xmm\index
832 movdqu %xmm\index, (%arg3 , %r11, 1)
833 # write back plaintext/ciphertext for num_initial_blocks
837 movdqa \TMP1, %xmm\index
839 pshufb %xmm14, %xmm\index
841 # prepare plaintext/ciphertext for GHASH computation
845 # apply GHASH on num_initial_blocks blocks
849 GHASH_MUL %xmm6, \TMP3, \TMP1, \TMP2, \TMP4, \TMP5, \XMM1
851 GHASH_MUL %xmm7, \TMP3, \TMP1, \TMP2, \TMP4, \TMP5, \XMM1
853 GHASH_MUL %xmm8, \TMP3, \TMP1, \TMP2, \TMP4, \TMP5, \XMM1
856 GHASH_MUL %xmm7, \TMP3, \TMP1, \TMP2, \TMP4, \TMP5, \XMM1
858 GHASH_MUL %xmm8, \TMP3, \TMP1, \TMP2, \TMP4, \TMP5, \XMM1
861 GHASH_MUL %xmm8, \TMP3, \TMP1, \TMP2, \TMP4, \TMP5, \XMM1
864 jl .L_initial_blocks_done\@
865 # no need for precomputed values
868 * Precomputations for HashKey parallel with encryption of first 4 blocks.
869 * Haskey_i_k holds XORed values of the low and high parts of the Haskey_i
871 MOVADQ ONE(%RIP),\TMP1
872 paddd \TMP1, \XMM0 # INCR Y0
874 pshufb %xmm14, \XMM1 # perform a 16 byte swap
876 paddd \TMP1, \XMM0 # INCR Y0
878 pshufb %xmm14, \XMM2 # perform a 16 byte swap
880 paddd \TMP1, \XMM0 # INCR Y0
882 pshufb %xmm14, \XMM3 # perform a 16 byte swap
884 paddd \TMP1, \XMM0 # INCR Y0
886 pshufb %xmm14, \XMM4 # perform a 16 byte swap
888 MOVADQ 0(%arg1),\TMP1
893 .irpc index, 1234 # do 4 rounds
894 movaps 0x10*\index(%arg1), \TMP1
900 .irpc index, 56789 # do next 5 rounds
901 movaps 0x10*\index(%arg1), \TMP1
909 shr $2,%eax # 128->4, 192->6, 256->8
910 sub $4,%eax # 128->0, 192->2, 256->4
911 jz .Laes_loop_pre_done\@
916 aesenc \TMP2, %xmm\index
920 jnz .Laes_loop_pre_\@
922 .Laes_loop_pre_done\@:
924 aesenclast \TMP2, \XMM1
925 aesenclast \TMP2, \XMM2
926 aesenclast \TMP2, \XMM3
927 aesenclast \TMP2, \XMM4
928 movdqu 16*0(%arg4 , %r11 , 1), \TMP1
931 movdqu \XMM1, 16*0(%arg3 , %r11 , 1)
934 movdqu 16*1(%arg4 , %r11 , 1), \TMP1
937 movdqu \XMM2, 16*1(%arg3 , %r11 , 1)
940 movdqu 16*2(%arg4 , %r11 , 1), \TMP1
943 movdqu \XMM3, 16*2(%arg3 , %r11 , 1)
946 movdqu 16*3(%arg4 , %r11 , 1), \TMP1
949 movdqu \XMM4, 16*3(%arg3 , %r11 , 1)
952 movdqu \XMM1, 16*0(%arg3 , %r11 , 1)
953 movdqu \XMM2, 16*1(%arg3 , %r11 , 1)
954 movdqu \XMM3, 16*2(%arg3 , %r11 , 1)
955 movdqu \XMM4, 16*3(%arg3 , %r11 , 1)
959 pshufb %xmm14, \XMM1 # perform a 16 byte swap
961 # combine GHASHed value with the corresponding ciphertext
962 pshufb %xmm14, \XMM2 # perform a 16 byte swap
963 pshufb %xmm14, \XMM3 # perform a 16 byte swap
964 pshufb %xmm14, \XMM4 # perform a 16 byte swap
966 .L_initial_blocks_done\@:
971 * encrypt 4 blocks at a time
972 * ghash the 4 previously encrypted ciphertext blocks
973 * arg1, %arg3, %arg4 are used as pointers only, not modified
974 * %r11 is the data offset value
976 .macro GHASH_4_ENCRYPT_4_PARALLEL_enc TMP1 TMP2 TMP3 TMP4 TMP5 \
977 TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 XMM7 XMM8 operation
984 movdqa SHUF_MASK(%rip), %xmm15
985 # multiply TMP5 * HashKey using karatsuba
988 pshufd $78, \XMM5, \TMP6
990 paddd ONE(%rip), \XMM0 # INCR CNT
991 movdqu HashKey_4(%arg2), \TMP5
992 pclmulqdq $0x11, \TMP5, \TMP4 # TMP4 = a1*b1
994 paddd ONE(%rip), \XMM0 # INCR CNT
996 paddd ONE(%rip), \XMM0 # INCR CNT
998 paddd ONE(%rip), \XMM0 # INCR CNT
1000 pshufb %xmm15, \XMM1 # perform a 16 byte swap
1001 pclmulqdq $0x00, \TMP5, \XMM5 # XMM5 = a0*b0
1002 pshufb %xmm15, \XMM2 # perform a 16 byte swap
1003 pshufb %xmm15, \XMM3 # perform a 16 byte swap
1004 pshufb %xmm15, \XMM4 # perform a 16 byte swap
1010 movdqu HashKey_4_k(%arg2), \TMP5
1011 pclmulqdq $0x00, \TMP5, \TMP6 # TMP6 = (a1+a0)*(b1+b0)
1012 movaps 0x10(%arg1), \TMP1
1013 aesenc \TMP1, \XMM1 # Round 1
1017 movaps 0x20(%arg1), \TMP1
1018 aesenc \TMP1, \XMM1 # Round 2
1023 pshufd $78, \XMM6, \TMP2
1025 movdqu HashKey_3(%arg2), \TMP5
1026 pclmulqdq $0x11, \TMP5, \TMP1 # TMP1 = a1 * b1
1027 movaps 0x30(%arg1), \TMP3
1028 aesenc \TMP3, \XMM1 # Round 3
1032 pclmulqdq $0x00, \TMP5, \XMM6 # XMM6 = a0*b0
1033 movaps 0x40(%arg1), \TMP3
1034 aesenc \TMP3, \XMM1 # Round 4
1038 movdqu HashKey_3_k(%arg2), \TMP5
1039 pclmulqdq $0x00, \TMP5, \TMP2 # TMP2 = (a1+a0)*(b1+b0)
1040 movaps 0x50(%arg1), \TMP3
1041 aesenc \TMP3, \XMM1 # Round 5
1046 # accumulate the results in TMP4:XMM5, TMP6 holds the middle part
1050 pshufd $78, \XMM7, \TMP2
1052 movdqu HashKey_2(%arg2), \TMP5
1054 # Multiply TMP5 * HashKey using karatsuba
1056 pclmulqdq $0x11, \TMP5, \TMP1 # TMP1 = a1*b1
1057 movaps 0x60(%arg1), \TMP3
1058 aesenc \TMP3, \XMM1 # Round 6
1062 pclmulqdq $0x00, \TMP5, \XMM7 # XMM7 = a0*b0
1063 movaps 0x70(%arg1), \TMP3
1064 aesenc \TMP3, \XMM1 # Round 7
1068 movdqu HashKey_2_k(%arg2), \TMP5
1069 pclmulqdq $0x00, \TMP5, \TMP2 # TMP2 = (a1+a0)*(b1+b0)
1070 movaps 0x80(%arg1), \TMP3
1071 aesenc \TMP3, \XMM1 # Round 8
1076 # accumulate the results in TMP4:XMM5, TMP6 holds the middle part
1080 # Multiply XMM8 * HashKey
1081 # XMM8 and TMP5 hold the values for the two operands
1084 pshufd $78, \XMM8, \TMP2
1086 movdqu HashKey(%arg2), \TMP5
1087 pclmulqdq $0x11, \TMP5, \TMP1 # TMP1 = a1*b1
1088 movaps 0x90(%arg1), \TMP3
1089 aesenc \TMP3, \XMM1 # Round 9
1093 pclmulqdq $0x00, \TMP5, \XMM8 # XMM8 = a0*b0
1094 lea 0xa0(%arg1),%r10
1096 shr $2,%eax # 128->4, 192->6, 256->8
1097 sub $4,%eax # 128->0, 192->2, 256->4
1098 jz .Laes_loop_par_enc_done\@
1100 .Laes_loop_par_enc\@:
1103 aesenc \TMP3, %xmm\index
1107 jnz .Laes_loop_par_enc\@
1109 .Laes_loop_par_enc_done\@:
1110 MOVADQ (%r10), \TMP3
1111 aesenclast \TMP3, \XMM1 # Round 10
1112 aesenclast \TMP3, \XMM2
1113 aesenclast \TMP3, \XMM3
1114 aesenclast \TMP3, \XMM4
1115 movdqu HashKey_k(%arg2), \TMP5
1116 pclmulqdq $0x00, \TMP5, \TMP2 # TMP2 = (a1+a0)*(b1+b0)
1117 movdqu (%arg4,%r11,1), \TMP3
1118 pxor \TMP3, \XMM1 # Ciphertext/Plaintext XOR EK
1119 movdqu 16(%arg4,%r11,1), \TMP3
1120 pxor \TMP3, \XMM2 # Ciphertext/Plaintext XOR EK
1121 movdqu 32(%arg4,%r11,1), \TMP3
1122 pxor \TMP3, \XMM3 # Ciphertext/Plaintext XOR EK
1123 movdqu 48(%arg4,%r11,1), \TMP3
1124 pxor \TMP3, \XMM4 # Ciphertext/Plaintext XOR EK
1125 movdqu \XMM1, (%arg3,%r11,1) # Write to the ciphertext buffer
1126 movdqu \XMM2, 16(%arg3,%r11,1) # Write to the ciphertext buffer
1127 movdqu \XMM3, 32(%arg3,%r11,1) # Write to the ciphertext buffer
1128 movdqu \XMM4, 48(%arg3,%r11,1) # Write to the ciphertext buffer
1129 pshufb %xmm15, \XMM1 # perform a 16 byte swap
1130 pshufb %xmm15, \XMM2 # perform a 16 byte swap
1131 pshufb %xmm15, \XMM3 # perform a 16 byte swap
1132 pshufb %xmm15, \XMM4 # perform a 16 byte swap
1140 pslldq $8, \TMP3 # left shift TMP3 2 DWs
1141 psrldq $8, \TMP2 # right shift TMP2 2 DWs
1143 pxor \TMP2, \TMP1 # accumulate the results in TMP1:XMM5
1145 # first phase of reduction
1150 # move XMM5 into TMP2, TMP3, TMP4 in order to perform shifts independently
1151 pslld $31, \TMP2 # packed right shift << 31
1152 pslld $30, \TMP3 # packed right shift << 30
1153 pslld $25, \TMP4 # packed right shift << 25
1154 pxor \TMP3, \TMP2 # xor the shifted versions
1157 psrldq $4, \TMP5 # right shift T5 1 DW
1158 pslldq $12, \TMP2 # left shift T2 3 DWs
1161 # second phase of reduction
1163 movdqa \XMM5,\TMP2 # make 3 copies of XMM5 into TMP2, TMP3, TMP4
1166 psrld $1, \TMP2 # packed left shift >>1
1167 psrld $2, \TMP3 # packed left shift >>2
1168 psrld $7, \TMP4 # packed left shift >>7
1169 pxor \TMP3,\TMP2 # xor the shifted versions
1173 pxor \TMP1, \XMM5 # result is in TMP1
1179 * decrypt 4 blocks at a time
1180 * ghash the 4 previously decrypted ciphertext blocks
1181 * arg1, %arg3, %arg4 are used as pointers only, not modified
1182 * %r11 is the data offset value
1184 .macro GHASH_4_ENCRYPT_4_PARALLEL_dec TMP1 TMP2 TMP3 TMP4 TMP5 \
1185 TMP6 XMM0 XMM1 XMM2 XMM3 XMM4 XMM5 XMM6 XMM7 XMM8 operation
1192 movdqa SHUF_MASK(%rip), %xmm15
1193 # multiply TMP5 * HashKey using karatsuba
1196 pshufd $78, \XMM5, \TMP6
1198 paddd ONE(%rip), \XMM0 # INCR CNT
1199 movdqu HashKey_4(%arg2), \TMP5
1200 pclmulqdq $0x11, \TMP5, \TMP4 # TMP4 = a1*b1
1202 paddd ONE(%rip), \XMM0 # INCR CNT
1204 paddd ONE(%rip), \XMM0 # INCR CNT
1206 paddd ONE(%rip), \XMM0 # INCR CNT
1208 pshufb %xmm15, \XMM1 # perform a 16 byte swap
1209 pclmulqdq $0x00, \TMP5, \XMM5 # XMM5 = a0*b0
1210 pshufb %xmm15, \XMM2 # perform a 16 byte swap
1211 pshufb %xmm15, \XMM3 # perform a 16 byte swap
1212 pshufb %xmm15, \XMM4 # perform a 16 byte swap
1218 movdqu HashKey_4_k(%arg2), \TMP5
1219 pclmulqdq $0x00, \TMP5, \TMP6 # TMP6 = (a1+a0)*(b1+b0)
1220 movaps 0x10(%arg1), \TMP1
1221 aesenc \TMP1, \XMM1 # Round 1
1225 movaps 0x20(%arg1), \TMP1
1226 aesenc \TMP1, \XMM1 # Round 2
1231 pshufd $78, \XMM6, \TMP2
1233 movdqu HashKey_3(%arg2), \TMP5
1234 pclmulqdq $0x11, \TMP5, \TMP1 # TMP1 = a1 * b1
1235 movaps 0x30(%arg1), \TMP3
1236 aesenc \TMP3, \XMM1 # Round 3
1240 pclmulqdq $0x00, \TMP5, \XMM6 # XMM6 = a0*b0
1241 movaps 0x40(%arg1), \TMP3
1242 aesenc \TMP3, \XMM1 # Round 4
1246 movdqu HashKey_3_k(%arg2), \TMP5
1247 pclmulqdq $0x00, \TMP5, \TMP2 # TMP2 = (a1+a0)*(b1+b0)
1248 movaps 0x50(%arg1), \TMP3
1249 aesenc \TMP3, \XMM1 # Round 5
1254 # accumulate the results in TMP4:XMM5, TMP6 holds the middle part
1258 pshufd $78, \XMM7, \TMP2
1260 movdqu HashKey_2(%arg2), \TMP5
1262 # Multiply TMP5 * HashKey using karatsuba
1264 pclmulqdq $0x11, \TMP5, \TMP1 # TMP1 = a1*b1
1265 movaps 0x60(%arg1), \TMP3
1266 aesenc \TMP3, \XMM1 # Round 6
1270 pclmulqdq $0x00, \TMP5, \XMM7 # XMM7 = a0*b0
1271 movaps 0x70(%arg1), \TMP3
1272 aesenc \TMP3, \XMM1 # Round 7
1276 movdqu HashKey_2_k(%arg2), \TMP5
1277 pclmulqdq $0x00, \TMP5, \TMP2 # TMP2 = (a1+a0)*(b1+b0)
1278 movaps 0x80(%arg1), \TMP3
1279 aesenc \TMP3, \XMM1 # Round 8
1284 # accumulate the results in TMP4:XMM5, TMP6 holds the middle part
1288 # Multiply XMM8 * HashKey
1289 # XMM8 and TMP5 hold the values for the two operands
1292 pshufd $78, \XMM8, \TMP2
1294 movdqu HashKey(%arg2), \TMP5
1295 pclmulqdq $0x11, \TMP5, \TMP1 # TMP1 = a1*b1
1296 movaps 0x90(%arg1), \TMP3
1297 aesenc \TMP3, \XMM1 # Round 9
1301 pclmulqdq $0x00, \TMP5, \XMM8 # XMM8 = a0*b0
1302 lea 0xa0(%arg1),%r10
1304 shr $2,%eax # 128->4, 192->6, 256->8
1305 sub $4,%eax # 128->0, 192->2, 256->4
1306 jz .Laes_loop_par_dec_done\@
1308 .Laes_loop_par_dec\@:
1311 aesenc \TMP3, %xmm\index
1315 jnz .Laes_loop_par_dec\@
1317 .Laes_loop_par_dec_done\@:
1318 MOVADQ (%r10), \TMP3
1319 aesenclast \TMP3, \XMM1 # last round
1320 aesenclast \TMP3, \XMM2
1321 aesenclast \TMP3, \XMM3
1322 aesenclast \TMP3, \XMM4
1323 movdqu HashKey_k(%arg2), \TMP5
1324 pclmulqdq $0x00, \TMP5, \TMP2 # TMP2 = (a1+a0)*(b1+b0)
1325 movdqu (%arg4,%r11,1), \TMP3
1326 pxor \TMP3, \XMM1 # Ciphertext/Plaintext XOR EK
1327 movdqu \XMM1, (%arg3,%r11,1) # Write to plaintext buffer
1329 movdqu 16(%arg4,%r11,1), \TMP3
1330 pxor \TMP3, \XMM2 # Ciphertext/Plaintext XOR EK
1331 movdqu \XMM2, 16(%arg3,%r11,1) # Write to plaintext buffer
1333 movdqu 32(%arg4,%r11,1), \TMP3
1334 pxor \TMP3, \XMM3 # Ciphertext/Plaintext XOR EK
1335 movdqu \XMM3, 32(%arg3,%r11,1) # Write to plaintext buffer
1337 movdqu 48(%arg4,%r11,1), \TMP3
1338 pxor \TMP3, \XMM4 # Ciphertext/Plaintext XOR EK
1339 movdqu \XMM4, 48(%arg3,%r11,1) # Write to plaintext buffer
1341 pshufb %xmm15, \XMM1 # perform a 16 byte swap
1342 pshufb %xmm15, \XMM2 # perform a 16 byte swap
1343 pshufb %xmm15, \XMM3 # perform a 16 byte swap
1344 pshufb %xmm15, \XMM4 # perform a 16 byte swap
1352 pslldq $8, \TMP3 # left shift TMP3 2 DWs
1353 psrldq $8, \TMP2 # right shift TMP2 2 DWs
1355 pxor \TMP2, \TMP1 # accumulate the results in TMP1:XMM5
1357 # first phase of reduction
1362 # move XMM5 into TMP2, TMP3, TMP4 in order to perform shifts independently
1363 pslld $31, \TMP2 # packed right shift << 31
1364 pslld $30, \TMP3 # packed right shift << 30
1365 pslld $25, \TMP4 # packed right shift << 25
1366 pxor \TMP3, \TMP2 # xor the shifted versions
1369 psrldq $4, \TMP5 # right shift T5 1 DW
1370 pslldq $12, \TMP2 # left shift T2 3 DWs
1373 # second phase of reduction
1375 movdqa \XMM5,\TMP2 # make 3 copies of XMM5 into TMP2, TMP3, TMP4
1378 psrld $1, \TMP2 # packed left shift >>1
1379 psrld $2, \TMP3 # packed left shift >>2
1380 psrld $7, \TMP4 # packed left shift >>7
1381 pxor \TMP3,\TMP2 # xor the shifted versions
1385 pxor \TMP1, \XMM5 # result is in TMP1
1390 /* GHASH the last 4 ciphertext blocks. */
1391 .macro GHASH_LAST_4 TMP1 TMP2 TMP3 TMP4 TMP5 TMP6 \
1392 TMP7 XMM1 XMM2 XMM3 XMM4 XMMDst
1394 # Multiply TMP6 * HashKey (using Karatsuba)
1397 pshufd $78, \XMM1, \TMP2
1399 movdqu HashKey_4(%arg2), \TMP5
1400 pclmulqdq $0x11, \TMP5, \TMP6 # TMP6 = a1*b1
1401 pclmulqdq $0x00, \TMP5, \XMM1 # XMM1 = a0*b0
1402 movdqu HashKey_4_k(%arg2), \TMP4
1403 pclmulqdq $0x00, \TMP4, \TMP2 # TMP2 = (a1+a0)*(b1+b0)
1404 movdqa \XMM1, \XMMDst
1405 movdqa \TMP2, \XMM1 # result in TMP6, XMMDst, XMM1
1407 # Multiply TMP1 * HashKey (using Karatsuba)
1410 pshufd $78, \XMM2, \TMP2
1412 movdqu HashKey_3(%arg2), \TMP5
1413 pclmulqdq $0x11, \TMP5, \TMP1 # TMP1 = a1*b1
1414 pclmulqdq $0x00, \TMP5, \XMM2 # XMM2 = a0*b0
1415 movdqu HashKey_3_k(%arg2), \TMP4
1416 pclmulqdq $0x00, \TMP4, \TMP2 # TMP2 = (a1+a0)*(b1+b0)
1420 # results accumulated in TMP6, XMMDst, XMM1
1422 # Multiply TMP1 * HashKey (using Karatsuba)
1425 pshufd $78, \XMM3, \TMP2
1427 movdqu HashKey_2(%arg2), \TMP5
1428 pclmulqdq $0x11, \TMP5, \TMP1 # TMP1 = a1*b1
1429 pclmulqdq $0x00, \TMP5, \XMM3 # XMM3 = a0*b0
1430 movdqu HashKey_2_k(%arg2), \TMP4
1431 pclmulqdq $0x00, \TMP4, \TMP2 # TMP2 = (a1+a0)*(b1+b0)
1434 pxor \TMP2, \XMM1 # results accumulated in TMP6, XMMDst, XMM1
1436 # Multiply TMP1 * HashKey (using Karatsuba)
1438 pshufd $78, \XMM4, \TMP2
1440 movdqu HashKey(%arg2), \TMP5
1441 pclmulqdq $0x11, \TMP5, \TMP1 # TMP1 = a1*b1
1442 pclmulqdq $0x00, \TMP5, \XMM4 # XMM4 = a0*b0
1443 movdqu HashKey_k(%arg2), \TMP4
1444 pclmulqdq $0x00, \TMP4, \TMP2 # TMP2 = (a1+a0)*(b1+b0)
1450 # middle section of the temp results combined as in karatsuba algorithm
1452 pslldq $8, \TMP4 # left shift TMP4 2 DWs
1453 psrldq $8, \TMP2 # right shift TMP2 2 DWs
1456 # TMP6:XMMDst holds the result of the accumulated carry-less multiplications
1457 # first phase of the reduction
1458 movdqa \XMMDst, \TMP2
1459 movdqa \XMMDst, \TMP3
1460 movdqa \XMMDst, \TMP4
1461 # move XMMDst into TMP2, TMP3, TMP4 in order to perform 3 shifts independently
1462 pslld $31, \TMP2 # packed right shifting << 31
1463 pslld $30, \TMP3 # packed right shifting << 30
1464 pslld $25, \TMP4 # packed right shifting << 25
1465 pxor \TMP3, \TMP2 # xor the shifted versions
1468 psrldq $4, \TMP7 # right shift TMP7 1 DW
1469 pslldq $12, \TMP2 # left shift TMP2 3 DWs
1472 # second phase of the reduction
1473 movdqa \XMMDst, \TMP2
1474 # make 3 copies of XMMDst for doing 3 shift operations
1475 movdqa \XMMDst, \TMP3
1476 movdqa \XMMDst, \TMP4
1477 psrld $1, \TMP2 # packed left shift >> 1
1478 psrld $2, \TMP3 # packed left shift >> 2
1479 psrld $7, \TMP4 # packed left shift >> 7
1480 pxor \TMP3, \TMP2 # xor the shifted versions
1484 pxor \TMP6, \XMMDst # reduced result is in XMMDst
1488 /* Encryption of a single block
1492 .macro ENCRYPT_SINGLE_BLOCK XMM0 TMP1
1496 shr $2,%eax # 128->4, 192->6, 256->8
1497 add $5,%eax # 128->9, 192->11, 256->13
1498 lea 16(%arg1), %r10 # get first expanded key address
1508 aesenclast \TMP1,\XMM0
1510 /*****************************************************************************
1511 * void aesni_gcm_dec(void *aes_ctx, // AES Key schedule. Starts on a 16 byte boundary.
1512 * struct gcm_context_data *data
1514 * u8 *out, // Plaintext output. Encrypt in-place is allowed.
1515 * const u8 *in, // Ciphertext input
1516 * u64 plaintext_len, // Length of data in bytes for decryption.
1517 * u8 *iv, // Pre-counter block j0: 4 byte salt (from Security Association)
1518 * // concatenated with 8 byte Initialisation Vector (from IPSec ESP Payload)
1519 * // concatenated with 0x00000001. 16-byte aligned pointer.
1520 * u8 *hash_subkey, // H, the Hash sub key input. Data starts on a 16-byte boundary.
1521 * const u8 *aad, // Additional Authentication Data (AAD)
1522 * u64 aad_len, // Length of AAD in bytes. With RFC4106 this is going to be 8 or 12 bytes
1523 * u8 *auth_tag, // Authenticated Tag output. The driver will compare this to the
1524 * // given authentication tag and only return the plaintext if they match.
1525 * u64 auth_tag_len); // Authenticated Tag Length in bytes. Valid values are 16
1526 * // (most likely), 12 or 8.
1531 * keys are pre-expanded and aligned to 16 bytes. we are using the first
1532 * set of 11 keys in the data structure void *aes_ctx
1536 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1537 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1538 * | Salt (From the SA) |
1539 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1540 * | Initialization Vector |
1541 * | (This is the sequence number from IPSec header) |
1542 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1544 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1549 * AAD padded to 128 bits with 0
1550 * for example, assume AAD is a u32 vector
1552 * if AAD is 8 bytes:
1553 * AAD[3] = {A0, A1};
1554 * padded AAD in xmm register = {A1 A0 0 0}
1557 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1558 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1560 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1561 * | 32-bit Sequence Number (A0) |
1562 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1564 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1566 * AAD Format with 32-bit Sequence Number
1568 * if AAD is 12 bytes:
1569 * AAD[3] = {A0, A1, A2};
1570 * padded AAD in xmm register = {A2 A1 A0 0}
1573 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1574 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1575 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1576 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1578 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1579 * | 64-bit Extended Sequence Number {A1,A0} |
1581 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1583 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1585 * AAD Format with 64-bit Extended Sequence Number
1587 * poly = x^128 + x^127 + x^126 + x^121 + 1
1589 *****************************************************************************/
1590 SYM_FUNC_START(aesni_gcm_dec)
1593 GCM_INIT %arg6, arg7, arg8, arg9
1595 GCM_COMPLETE arg10, arg11
1598 SYM_FUNC_END(aesni_gcm_dec)
1601 /*****************************************************************************
1602 * void aesni_gcm_enc(void *aes_ctx, // AES Key schedule. Starts on a 16 byte boundary.
1603 * struct gcm_context_data *data
1605 * u8 *out, // Ciphertext output. Encrypt in-place is allowed.
1606 * const u8 *in, // Plaintext input
1607 * u64 plaintext_len, // Length of data in bytes for encryption.
1608 * u8 *iv, // Pre-counter block j0: 4 byte salt (from Security Association)
1609 * // concatenated with 8 byte Initialisation Vector (from IPSec ESP Payload)
1610 * // concatenated with 0x00000001. 16-byte aligned pointer.
1611 * u8 *hash_subkey, // H, the Hash sub key input. Data starts on a 16-byte boundary.
1612 * const u8 *aad, // Additional Authentication Data (AAD)
1613 * u64 aad_len, // Length of AAD in bytes. With RFC4106 this is going to be 8 or 12 bytes
1614 * u8 *auth_tag, // Authenticated Tag output.
1615 * u64 auth_tag_len); // Authenticated Tag Length in bytes. Valid values are 16 (most likely),
1621 * keys are pre-expanded and aligned to 16 bytes. we are using the
1622 * first set of 11 keys in the data structure void *aes_ctx
1627 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1628 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1629 * | Salt (From the SA) |
1630 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1631 * | Initialization Vector |
1632 * | (This is the sequence number from IPSec header) |
1633 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1635 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1640 * AAD padded to 128 bits with 0
1641 * for example, assume AAD is a u32 vector
1643 * if AAD is 8 bytes:
1644 * AAD[3] = {A0, A1};
1645 * padded AAD in xmm register = {A1 A0 0 0}
1648 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1649 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1651 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1652 * | 32-bit Sequence Number (A0) |
1653 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1655 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1657 * AAD Format with 32-bit Sequence Number
1659 * if AAD is 12 bytes:
1660 * AAD[3] = {A0, A1, A2};
1661 * padded AAD in xmm register = {A2 A1 A0 0}
1664 * 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
1665 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1667 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1668 * | 64-bit Extended Sequence Number {A1,A0} |
1670 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1672 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
1674 * AAD Format with 64-bit Extended Sequence Number
1676 * poly = x^128 + x^127 + x^126 + x^121 + 1
1677 ***************************************************************************/
1678 SYM_FUNC_START(aesni_gcm_enc)
1681 GCM_INIT %arg6, arg7, arg8, arg9
1684 GCM_COMPLETE arg10, arg11
1687 SYM_FUNC_END(aesni_gcm_enc)
1689 /*****************************************************************************
1690 * void aesni_gcm_init(void *aes_ctx, // AES Key schedule. Starts on a 16 byte boundary.
1691 * struct gcm_context_data *data,
1693 * u8 *iv, // Pre-counter block j0: 4 byte salt (from Security Association)
1694 * // concatenated with 8 byte Initialisation Vector (from IPSec ESP Payload)
1695 * // concatenated with 0x00000001. 16-byte aligned pointer.
1696 * u8 *hash_subkey, // H, the Hash sub key input. Data starts on a 16-byte boundary.
1697 * const u8 *aad, // Additional Authentication Data (AAD)
1698 * u64 aad_len) // Length of AAD in bytes.
1700 SYM_FUNC_START(aesni_gcm_init)
1702 GCM_INIT %arg3, %arg4,%arg5, %arg6
1705 SYM_FUNC_END(aesni_gcm_init)
1707 /*****************************************************************************
1708 * void aesni_gcm_enc_update(void *aes_ctx, // AES Key schedule. Starts on a 16 byte boundary.
1709 * struct gcm_context_data *data,
1711 * u8 *out, // Ciphertext output. Encrypt in-place is allowed.
1712 * const u8 *in, // Plaintext input
1713 * u64 plaintext_len, // Length of data in bytes for encryption.
1715 SYM_FUNC_START(aesni_gcm_enc_update)
1720 SYM_FUNC_END(aesni_gcm_enc_update)
1722 /*****************************************************************************
1723 * void aesni_gcm_dec_update(void *aes_ctx, // AES Key schedule. Starts on a 16 byte boundary.
1724 * struct gcm_context_data *data,
1726 * u8 *out, // Ciphertext output. Encrypt in-place is allowed.
1727 * const u8 *in, // Plaintext input
1728 * u64 plaintext_len, // Length of data in bytes for encryption.
1730 SYM_FUNC_START(aesni_gcm_dec_update)
1735 SYM_FUNC_END(aesni_gcm_dec_update)
1737 /*****************************************************************************
1738 * void aesni_gcm_finalize(void *aes_ctx, // AES Key schedule. Starts on a 16 byte boundary.
1739 * struct gcm_context_data *data,
1741 * u8 *auth_tag, // Authenticated Tag output.
1742 * u64 auth_tag_len); // Authenticated Tag Length in bytes. Valid values are 16 (most likely),
1745 SYM_FUNC_START(aesni_gcm_finalize)
1747 GCM_COMPLETE %arg3 %arg4
1750 SYM_FUNC_END(aesni_gcm_finalize)
1754 SYM_FUNC_START_LOCAL(_key_expansion_256a)
1755 pshufd $0b11111111, %xmm1, %xmm1
1756 shufps $0b00010000, %xmm0, %xmm4
1758 shufps $0b10001100, %xmm0, %xmm4
1761 movaps %xmm0, (TKEYP)
1764 SYM_FUNC_END(_key_expansion_256a)
1765 SYM_FUNC_ALIAS_LOCAL(_key_expansion_128, _key_expansion_256a)
1767 SYM_FUNC_START_LOCAL(_key_expansion_192a)
1768 pshufd $0b01010101, %xmm1, %xmm1
1769 shufps $0b00010000, %xmm0, %xmm4
1771 shufps $0b10001100, %xmm0, %xmm4
1778 pshufd $0b11111111, %xmm0, %xmm3
1783 shufps $0b01000100, %xmm0, %xmm6
1784 movaps %xmm6, (TKEYP)
1785 shufps $0b01001110, %xmm2, %xmm1
1786 movaps %xmm1, 0x10(TKEYP)
1789 SYM_FUNC_END(_key_expansion_192a)
1791 SYM_FUNC_START_LOCAL(_key_expansion_192b)
1792 pshufd $0b01010101, %xmm1, %xmm1
1793 shufps $0b00010000, %xmm0, %xmm4
1795 shufps $0b10001100, %xmm0, %xmm4
1801 pshufd $0b11111111, %xmm0, %xmm3
1805 movaps %xmm0, (TKEYP)
1808 SYM_FUNC_END(_key_expansion_192b)
1810 SYM_FUNC_START_LOCAL(_key_expansion_256b)
1811 pshufd $0b10101010, %xmm1, %xmm1
1812 shufps $0b00010000, %xmm2, %xmm4
1814 shufps $0b10001100, %xmm2, %xmm4
1817 movaps %xmm2, (TKEYP)
1820 SYM_FUNC_END(_key_expansion_256b)
1823 * int aesni_set_key(struct crypto_aes_ctx *ctx, const u8 *in_key,
1824 * unsigned int key_len)
1826 SYM_FUNC_START(aesni_set_key)
1830 movl (FRAME_OFFSET+8)(%esp), KEYP # ctx
1831 movl (FRAME_OFFSET+12)(%esp), UKEYP # in_key
1832 movl (FRAME_OFFSET+16)(%esp), %edx # key_len
1834 movups (UKEYP), %xmm0 # user key (first 16 bytes)
1835 movaps %xmm0, (KEYP)
1836 lea 0x10(KEYP), TKEYP # key addr
1837 movl %edx, 480(KEYP)
1838 pxor %xmm4, %xmm4 # xmm4 is assumed 0 in _key_expansion_x
1842 movups 0x10(UKEYP), %xmm2 # other user key
1843 movaps %xmm2, (TKEYP)
1845 aeskeygenassist $0x1, %xmm2, %xmm1 # round 1
1846 call _key_expansion_256a
1847 aeskeygenassist $0x1, %xmm0, %xmm1
1848 call _key_expansion_256b
1849 aeskeygenassist $0x2, %xmm2, %xmm1 # round 2
1850 call _key_expansion_256a
1851 aeskeygenassist $0x2, %xmm0, %xmm1
1852 call _key_expansion_256b
1853 aeskeygenassist $0x4, %xmm2, %xmm1 # round 3
1854 call _key_expansion_256a
1855 aeskeygenassist $0x4, %xmm0, %xmm1
1856 call _key_expansion_256b
1857 aeskeygenassist $0x8, %xmm2, %xmm1 # round 4
1858 call _key_expansion_256a
1859 aeskeygenassist $0x8, %xmm0, %xmm1
1860 call _key_expansion_256b
1861 aeskeygenassist $0x10, %xmm2, %xmm1 # round 5
1862 call _key_expansion_256a
1863 aeskeygenassist $0x10, %xmm0, %xmm1
1864 call _key_expansion_256b
1865 aeskeygenassist $0x20, %xmm2, %xmm1 # round 6
1866 call _key_expansion_256a
1867 aeskeygenassist $0x20, %xmm0, %xmm1
1868 call _key_expansion_256b
1869 aeskeygenassist $0x40, %xmm2, %xmm1 # round 7
1870 call _key_expansion_256a
1873 movq 0x10(UKEYP), %xmm2 # other user key
1874 aeskeygenassist $0x1, %xmm2, %xmm1 # round 1
1875 call _key_expansion_192a
1876 aeskeygenassist $0x2, %xmm2, %xmm1 # round 2
1877 call _key_expansion_192b
1878 aeskeygenassist $0x4, %xmm2, %xmm1 # round 3
1879 call _key_expansion_192a
1880 aeskeygenassist $0x8, %xmm2, %xmm1 # round 4
1881 call _key_expansion_192b
1882 aeskeygenassist $0x10, %xmm2, %xmm1 # round 5
1883 call _key_expansion_192a
1884 aeskeygenassist $0x20, %xmm2, %xmm1 # round 6
1885 call _key_expansion_192b
1886 aeskeygenassist $0x40, %xmm2, %xmm1 # round 7
1887 call _key_expansion_192a
1888 aeskeygenassist $0x80, %xmm2, %xmm1 # round 8
1889 call _key_expansion_192b
1892 aeskeygenassist $0x1, %xmm0, %xmm1 # round 1
1893 call _key_expansion_128
1894 aeskeygenassist $0x2, %xmm0, %xmm1 # round 2
1895 call _key_expansion_128
1896 aeskeygenassist $0x4, %xmm0, %xmm1 # round 3
1897 call _key_expansion_128
1898 aeskeygenassist $0x8, %xmm0, %xmm1 # round 4
1899 call _key_expansion_128
1900 aeskeygenassist $0x10, %xmm0, %xmm1 # round 5
1901 call _key_expansion_128
1902 aeskeygenassist $0x20, %xmm0, %xmm1 # round 6
1903 call _key_expansion_128
1904 aeskeygenassist $0x40, %xmm0, %xmm1 # round 7
1905 call _key_expansion_128
1906 aeskeygenassist $0x80, %xmm0, %xmm1 # round 8
1907 call _key_expansion_128
1908 aeskeygenassist $0x1b, %xmm0, %xmm1 # round 9
1909 call _key_expansion_128
1910 aeskeygenassist $0x36, %xmm0, %xmm1 # round 10
1911 call _key_expansion_128
1914 movaps (KEYP), %xmm0
1915 movaps (TKEYP), %xmm1
1916 movaps %xmm0, 240(TKEYP)
1917 movaps %xmm1, 240(KEYP)
1919 lea 240-16(TKEYP), UKEYP
1922 movaps (KEYP), %xmm0
1924 movaps %xmm1, (UKEYP)
1935 SYM_FUNC_END(aesni_set_key)
1938 * void aesni_enc(const void *ctx, u8 *dst, const u8 *src)
1940 SYM_FUNC_START(aesni_enc)
1945 movl (FRAME_OFFSET+12)(%esp), KEYP # ctx
1946 movl (FRAME_OFFSET+16)(%esp), OUTP # dst
1947 movl (FRAME_OFFSET+20)(%esp), INP # src
1949 movl 480(KEYP), KLEN # key length
1950 movups (INP), STATE # input
1952 movups STATE, (OUTP) # output
1959 SYM_FUNC_END(aesni_enc)
1962 * _aesni_enc1: internal ABI
1964 * KEYP: key struct pointer
1966 * STATE: initial state (input)
1968 * STATE: finial state (output)
1973 SYM_FUNC_START_LOCAL(_aesni_enc1)
1974 movaps (KEYP), KEY # key
1976 pxor KEY, STATE # round 0
1980 lea 0x20(TKEYP), TKEYP
1983 movaps -0x60(TKEYP), KEY
1985 movaps -0x50(TKEYP), KEY
1989 movaps -0x40(TKEYP), KEY
1991 movaps -0x30(TKEYP), KEY
1995 movaps -0x20(TKEYP), KEY
1997 movaps -0x10(TKEYP), KEY
2001 movaps 0x10(TKEYP), KEY
2003 movaps 0x20(TKEYP), KEY
2005 movaps 0x30(TKEYP), KEY
2007 movaps 0x40(TKEYP), KEY
2009 movaps 0x50(TKEYP), KEY
2011 movaps 0x60(TKEYP), KEY
2013 movaps 0x70(TKEYP), KEY
2014 aesenclast KEY, STATE
2016 SYM_FUNC_END(_aesni_enc1)
2019 * _aesni_enc4: internal ABI
2021 * KEYP: key struct pointer
2023 * STATE1: initial state (input)
2028 * STATE1: finial state (output)
2036 SYM_FUNC_START_LOCAL(_aesni_enc4)
2037 movaps (KEYP), KEY # key
2039 pxor KEY, STATE1 # round 0
2046 lea 0x20(TKEYP), TKEYP
2049 movaps -0x60(TKEYP), KEY
2054 movaps -0x50(TKEYP), KEY
2061 movaps -0x40(TKEYP), KEY
2066 movaps -0x30(TKEYP), KEY
2073 movaps -0x20(TKEYP), KEY
2078 movaps -0x10(TKEYP), KEY
2088 movaps 0x10(TKEYP), KEY
2093 movaps 0x20(TKEYP), KEY
2098 movaps 0x30(TKEYP), KEY
2103 movaps 0x40(TKEYP), KEY
2108 movaps 0x50(TKEYP), KEY
2113 movaps 0x60(TKEYP), KEY
2118 movaps 0x70(TKEYP), KEY
2119 aesenclast KEY, STATE1 # last round
2120 aesenclast KEY, STATE2
2121 aesenclast KEY, STATE3
2122 aesenclast KEY, STATE4
2124 SYM_FUNC_END(_aesni_enc4)
2127 * void aesni_dec (const void *ctx, u8 *dst, const u8 *src)
2129 SYM_FUNC_START(aesni_dec)
2134 movl (FRAME_OFFSET+12)(%esp), KEYP # ctx
2135 movl (FRAME_OFFSET+16)(%esp), OUTP # dst
2136 movl (FRAME_OFFSET+20)(%esp), INP # src
2138 mov 480(KEYP), KLEN # key length
2140 movups (INP), STATE # input
2142 movups STATE, (OUTP) #output
2149 SYM_FUNC_END(aesni_dec)
2152 * _aesni_dec1: internal ABI
2154 * KEYP: key struct pointer
2156 * STATE: initial state (input)
2158 * STATE: finial state (output)
2163 SYM_FUNC_START_LOCAL(_aesni_dec1)
2164 movaps (KEYP), KEY # key
2166 pxor KEY, STATE # round 0
2170 lea 0x20(TKEYP), TKEYP
2173 movaps -0x60(TKEYP), KEY
2175 movaps -0x50(TKEYP), KEY
2179 movaps -0x40(TKEYP), KEY
2181 movaps -0x30(TKEYP), KEY
2185 movaps -0x20(TKEYP), KEY
2187 movaps -0x10(TKEYP), KEY
2191 movaps 0x10(TKEYP), KEY
2193 movaps 0x20(TKEYP), KEY
2195 movaps 0x30(TKEYP), KEY
2197 movaps 0x40(TKEYP), KEY
2199 movaps 0x50(TKEYP), KEY
2201 movaps 0x60(TKEYP), KEY
2203 movaps 0x70(TKEYP), KEY
2204 aesdeclast KEY, STATE
2206 SYM_FUNC_END(_aesni_dec1)
2209 * _aesni_dec4: internal ABI
2211 * KEYP: key struct pointer
2213 * STATE1: initial state (input)
2218 * STATE1: finial state (output)
2226 SYM_FUNC_START_LOCAL(_aesni_dec4)
2227 movaps (KEYP), KEY # key
2229 pxor KEY, STATE1 # round 0
2236 lea 0x20(TKEYP), TKEYP
2239 movaps -0x60(TKEYP), KEY
2244 movaps -0x50(TKEYP), KEY
2251 movaps -0x40(TKEYP), KEY
2256 movaps -0x30(TKEYP), KEY
2263 movaps -0x20(TKEYP), KEY
2268 movaps -0x10(TKEYP), KEY
2278 movaps 0x10(TKEYP), KEY
2283 movaps 0x20(TKEYP), KEY
2288 movaps 0x30(TKEYP), KEY
2293 movaps 0x40(TKEYP), KEY
2298 movaps 0x50(TKEYP), KEY
2303 movaps 0x60(TKEYP), KEY
2308 movaps 0x70(TKEYP), KEY
2309 aesdeclast KEY, STATE1 # last round
2310 aesdeclast KEY, STATE2
2311 aesdeclast KEY, STATE3
2312 aesdeclast KEY, STATE4
2314 SYM_FUNC_END(_aesni_dec4)
2317 * void aesni_ecb_enc(struct crypto_aes_ctx *ctx, const u8 *dst, u8 *src,
2320 SYM_FUNC_START(aesni_ecb_enc)
2326 movl (FRAME_OFFSET+16)(%esp), KEYP # ctx
2327 movl (FRAME_OFFSET+20)(%esp), OUTP # dst
2328 movl (FRAME_OFFSET+24)(%esp), INP # src
2329 movl (FRAME_OFFSET+28)(%esp), LEN # len
2331 test LEN, LEN # check length
2340 movups (INP), STATE1
2341 movups 0x10(INP), STATE2
2342 movups 0x20(INP), STATE3
2343 movups 0x30(INP), STATE4
2345 movups STATE1, (OUTP)
2346 movups STATE2, 0x10(OUTP)
2347 movups STATE3, 0x20(OUTP)
2348 movups STATE4, 0x30(OUTP)
2358 movups (INP), STATE1
2360 movups STATE1, (OUTP)
2374 SYM_FUNC_END(aesni_ecb_enc)
2377 * void aesni_ecb_dec(struct crypto_aes_ctx *ctx, const u8 *dst, u8 *src,
2380 SYM_FUNC_START(aesni_ecb_dec)
2386 movl (FRAME_OFFSET+16)(%esp), KEYP # ctx
2387 movl (FRAME_OFFSET+20)(%esp), OUTP # dst
2388 movl (FRAME_OFFSET+24)(%esp), INP # src
2389 movl (FRAME_OFFSET+28)(%esp), LEN # len
2401 movups (INP), STATE1
2402 movups 0x10(INP), STATE2
2403 movups 0x20(INP), STATE3
2404 movups 0x30(INP), STATE4
2406 movups STATE1, (OUTP)
2407 movups STATE2, 0x10(OUTP)
2408 movups STATE3, 0x20(OUTP)
2409 movups STATE4, 0x30(OUTP)
2419 movups (INP), STATE1
2421 movups STATE1, (OUTP)
2435 SYM_FUNC_END(aesni_ecb_dec)
2438 * void aesni_cbc_enc(struct crypto_aes_ctx *ctx, const u8 *dst, u8 *src,
2439 * size_t len, u8 *iv)
2441 SYM_FUNC_START(aesni_cbc_enc)
2448 movl (FRAME_OFFSET+20)(%esp), KEYP # ctx
2449 movl (FRAME_OFFSET+24)(%esp), OUTP # dst
2450 movl (FRAME_OFFSET+28)(%esp), INP # src
2451 movl (FRAME_OFFSET+32)(%esp), LEN # len
2452 movl (FRAME_OFFSET+36)(%esp), IVP # iv
2457 movups (IVP), STATE # load iv as initial state
2460 movups (INP), IN # load input
2463 movups STATE, (OUTP) # store output
2479 SYM_FUNC_END(aesni_cbc_enc)
2482 * void aesni_cbc_dec(struct crypto_aes_ctx *ctx, const u8 *dst, u8 *src,
2483 * size_t len, u8 *iv)
2485 SYM_FUNC_START(aesni_cbc_dec)
2492 movl (FRAME_OFFSET+20)(%esp), KEYP # ctx
2493 movl (FRAME_OFFSET+24)(%esp), OUTP # dst
2494 movl (FRAME_OFFSET+28)(%esp), INP # src
2495 movl (FRAME_OFFSET+32)(%esp), LEN # len
2496 movl (FRAME_OFFSET+36)(%esp), IVP # iv
2499 jb .Lcbc_dec_just_ret
2509 movups 0x10(INP), IN2
2512 movups 0x20(INP), IN3
2514 movups 0x30(INP), IN4
2517 movups 0x20(INP), IN1
2519 movups 0x30(INP), IN2
2534 movups 0x10(INP), IN2
2537 movups STATE1, (OUTP)
2538 movups STATE2, 0x10(OUTP)
2539 movups STATE3, 0x20(OUTP)
2540 movups STATE4, 0x30(OUTP)
2554 movups STATE, (OUTP)
2572 SYM_FUNC_END(aesni_cbc_dec)
2575 * void aesni_cts_cbc_enc(struct crypto_aes_ctx *ctx, const u8 *dst, u8 *src,
2576 * size_t len, u8 *iv)
2578 SYM_FUNC_START(aesni_cts_cbc_enc)
2585 movl (FRAME_OFFSET+20)(%esp), KEYP # ctx
2586 movl (FRAME_OFFSET+24)(%esp), OUTP # dst
2587 movl (FRAME_OFFSET+28)(%esp), INP # src
2588 movl (FRAME_OFFSET+32)(%esp), LEN # len
2589 movl (FRAME_OFFSET+36)(%esp), IVP # iv
2590 lea .Lcts_permute_table, T1
2592 lea .Lcts_permute_table(%rip), T1
2619 movups STATE, (OUTP)
2629 SYM_FUNC_END(aesni_cts_cbc_enc)
2632 * void aesni_cts_cbc_dec(struct crypto_aes_ctx *ctx, const u8 *dst, u8 *src,
2633 * size_t len, u8 *iv)
2635 SYM_FUNC_START(aesni_cts_cbc_dec)
2642 movl (FRAME_OFFSET+20)(%esp), KEYP # ctx
2643 movl (FRAME_OFFSET+24)(%esp), OUTP # dst
2644 movl (FRAME_OFFSET+28)(%esp), INP # src
2645 movl (FRAME_OFFSET+32)(%esp), LEN # len
2646 movl (FRAME_OFFSET+36)(%esp), IVP # iv
2647 lea .Lcts_permute_table, T1
2649 lea .Lcts_permute_table(%rip), T1
2680 movups STATE, (OUTP)
2690 SYM_FUNC_END(aesni_cts_cbc_dec)
2692 .pushsection .rodata
2694 .Lcts_permute_table:
2695 .byte 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80
2696 .byte 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80
2697 .byte 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07
2698 .byte 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
2699 .byte 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80
2700 .byte 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80
2703 .byte 15, 14, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1, 0
2709 * _aesni_inc_init: internal ABI
2710 * setup registers used by _aesni_inc
2714 * CTR: == IV, in little endian
2715 * TCTR_LOW: == lower qword of CTR
2716 * INC: == 1, in little endian
2717 * BSWAP_MASK == endian swapping mask
2719 SYM_FUNC_START_LOCAL(_aesni_inc_init)
2720 movaps .Lbswap_mask(%rip), BSWAP_MASK
2722 pshufb BSWAP_MASK, CTR
2727 SYM_FUNC_END(_aesni_inc_init)
2730 * _aesni_inc: internal ABI
2731 * Increase IV by 1, IV is in big endian
2734 * CTR: == IV, in little endian
2735 * TCTR_LOW: == lower qword of CTR
2736 * INC: == 1, in little endian
2737 * BSWAP_MASK == endian swapping mask
2741 * CTR: == output IV, in little endian
2742 * TCTR_LOW: == lower qword of CTR
2744 SYM_FUNC_START_LOCAL(_aesni_inc)
2753 pshufb BSWAP_MASK, IV
2755 SYM_FUNC_END(_aesni_inc)
2758 * void aesni_ctr_enc(struct crypto_aes_ctx *ctx, const u8 *dst, u8 *src,
2759 * size_t len, u8 *iv)
2761 SYM_FUNC_START(aesni_ctr_enc)
2764 jb .Lctr_enc_just_ret
2767 call _aesni_inc_init
2777 movups 0x10(INP), IN2
2780 movups 0x20(INP), IN3
2783 movups 0x30(INP), IN4
2786 movups STATE1, (OUTP)
2788 movups STATE2, 0x10(OUTP)
2790 movups STATE3, 0x20(OUTP)
2792 movups STATE4, 0x30(OUTP)
2807 movups STATE, (OUTP)
2818 SYM_FUNC_END(aesni_ctr_enc)
2822 .section .rodata.cst16.gf128mul_x_ble_mask, "aM", @progbits, 16
2824 .Lgf128mul_x_ble_mask:
2825 .octa 0x00000000000000010000000000000087
2829 * _aesni_gf128mul_x_ble: internal ABI
2830 * Multiply in GF(2^128) for XTS IVs
2833 * GF128MUL_MASK == mask with 0x87 and 0x01
2837 * CTR: == temporary value
2839 #define _aesni_gf128mul_x_ble() \
2840 pshufd $0x13, IV, KEY; \
2843 pand GF128MUL_MASK, KEY; \
2847 * void aesni_xts_encrypt(const struct crypto_aes_ctx *ctx, u8 *dst,
2848 * const u8 *src, unsigned int len, le128 *iv)
2850 SYM_FUNC_START(aesni_xts_encrypt)
2857 movl (FRAME_OFFSET+20)(%esp), KEYP # ctx
2858 movl (FRAME_OFFSET+24)(%esp), OUTP # dst
2859 movl (FRAME_OFFSET+28)(%esp), INP # src
2860 movl (FRAME_OFFSET+32)(%esp), LEN # len
2861 movl (FRAME_OFFSET+36)(%esp), IVP # iv
2862 movdqa .Lgf128mul_x_ble_mask, GF128MUL_MASK
2864 movdqa .Lgf128mul_x_ble_mask(%rip), GF128MUL_MASK
2875 movdqu 0x00(INP), IN
2877 movdqu IV, 0x00(OUTP)
2879 _aesni_gf128mul_x_ble()
2881 movdqu 0x10(INP), IN
2883 movdqu IV, 0x10(OUTP)
2885 _aesni_gf128mul_x_ble()
2887 movdqu 0x20(INP), IN
2889 movdqu IV, 0x20(OUTP)
2891 _aesni_gf128mul_x_ble()
2893 movdqu 0x30(INP), IN
2895 movdqu IV, 0x30(OUTP)
2899 movdqu 0x00(OUTP), IN
2901 movdqu STATE1, 0x00(OUTP)
2903 movdqu 0x10(OUTP), IN
2905 movdqu STATE2, 0x10(OUTP)
2907 movdqu 0x20(OUTP), IN
2909 movdqu STATE3, 0x20(OUTP)
2911 movdqu 0x30(OUTP), IN
2913 movdqu STATE4, 0x30(OUTP)
2915 _aesni_gf128mul_x_ble()
2946 _aesni_gf128mul_x_ble()
2955 movdqu STATE, (OUTP)
2960 movdqu STATE, (OUTP)
2961 jmp .Lxts_enc_ret_iv
2964 movdqa STATE4, STATE
2969 lea .Lcts_permute_table, T1
2971 lea .Lcts_permute_table(%rip), T1
2973 add LEN, INP /* rewind input pointer */
2974 add $16, LEN /* # bytes in final block */
2997 movups STATE, (OUTP)
2999 SYM_FUNC_END(aesni_xts_encrypt)
3002 * void aesni_xts_decrypt(const struct crypto_aes_ctx *ctx, u8 *dst,
3003 * const u8 *src, unsigned int len, le128 *iv)
3005 SYM_FUNC_START(aesni_xts_decrypt)
3012 movl (FRAME_OFFSET+20)(%esp), KEYP # ctx
3013 movl (FRAME_OFFSET+24)(%esp), OUTP # dst
3014 movl (FRAME_OFFSET+28)(%esp), INP # src
3015 movl (FRAME_OFFSET+32)(%esp), LEN # len
3016 movl (FRAME_OFFSET+36)(%esp), IVP # iv
3017 movdqa .Lgf128mul_x_ble_mask, GF128MUL_MASK
3019 movdqa .Lgf128mul_x_ble_mask(%rip), GF128MUL_MASK
3035 movdqu 0x00(INP), IN
3037 movdqu IV, 0x00(OUTP)
3039 _aesni_gf128mul_x_ble()
3041 movdqu 0x10(INP), IN
3043 movdqu IV, 0x10(OUTP)
3045 _aesni_gf128mul_x_ble()
3047 movdqu 0x20(INP), IN
3049 movdqu IV, 0x20(OUTP)
3051 _aesni_gf128mul_x_ble()
3053 movdqu 0x30(INP), IN
3055 movdqu IV, 0x30(OUTP)
3059 movdqu 0x00(OUTP), IN
3061 movdqu STATE1, 0x00(OUTP)
3063 movdqu 0x10(OUTP), IN
3065 movdqu STATE2, 0x10(OUTP)
3067 movdqu 0x20(OUTP), IN
3069 movdqu STATE3, 0x20(OUTP)
3071 movdqu 0x30(OUTP), IN
3073 movdqu STATE4, 0x30(OUTP)
3075 _aesni_gf128mul_x_ble()
3109 _aesni_gf128mul_x_ble()
3114 movdqu STATE, (OUTP)
3119 movdqu STATE, (OUTP)
3120 jmp .Lxts_dec_ret_iv
3124 _aesni_gf128mul_x_ble()
3131 lea .Lcts_permute_table, T1
3133 lea .Lcts_permute_table(%rip), T1
3135 add LEN, INP /* rewind input pointer */
3136 add $16, LEN /* # bytes in final block */
3159 movups STATE, (OUTP)
3161 SYM_FUNC_END(aesni_xts_decrypt)
git.samba.org / sfrench / cifs-2.6.git / blob