1 /* SPDX-License-Identifier: GPL-2.0-only */ 2 /* 3 * Bit sliced AES using NEON instructions 4 * 5 * Copyright (C) 2016 Linaro Ltd <ard.biesheuvel@linaro.org> 6 */ 7 8 /* 9 * The algorithm implemented here is described in detail by the paper 10 * 'Faster and Timing-Attack Resistant AES-GCM' by Emilia Kaesper and 11 * Peter Schwabe (https://eprint.iacr.org/2009/129.pdf) 12 * 13 * This implementation is based primarily on the OpenSSL implementation 14 * for 32-bit ARM written by Andy Polyakov <appro@openssl.org> 15 */ 16 17 #include <linux/linkage.h> 18 #include <linux/cfi_types.h> 19 #include <asm/assembler.h> 20 21 .text 22 23 rounds .req x11 24 bskey .req x12 25 26 .macro in_bs_ch, b0, b1, b2, b3, b4, b5, b6, b7 27 eor \b2, \b2, \b1 28 eor \b5, \b5, \b6 29 eor \b3, \b3, \b0 30 eor \b6, \b6, \b2 31 eor \b5, \b5, \b0 32 eor \b6, \b6, \b3 33 eor \b3, \b3, \b7 34 eor \b7, \b7, \b5 35 eor \b3, \b3, \b4 36 eor \b4, \b4, \b5 37 eor \b2, \b2, \b7 38 eor \b3, \b3, \b1 39 eor \b1, \b1, \b5 40 .endm 41 42 .macro out_bs_ch, b0, b1, b2, b3, b4, b5, b6, b7 43 eor \b0, \b0, \b6 44 eor \b1, \b1, \b4 45 eor \b4, \b4, \b6 46 eor \b2, \b2, \b0 47 eor \b6, \b6, \b1 48 eor \b1, \b1, \b5 49 eor \b5, \b5, \b3 50 eor \b3, \b3, \b7 51 eor \b7, \b7, \b5 52 eor \b2, \b2, \b5 53 eor \b4, \b4, \b7 54 .endm 55 56 .macro inv_in_bs_ch, b6, b1, b2, b4, b7, b0, b3, b5 57 eor \b1, \b1, \b7 58 eor \b4, \b4, \b7 59 eor \b7, \b7, \b5 60 eor \b1, \b1, \b3 61 eor \b2, \b2, \b5 62 eor \b3, \b3, \b7 63 eor \b6, \b6, \b1 64 eor \b2, \b2, \b0 65 eor \b5, \b5, \b3 66 eor \b4, \b4, \b6 67 eor \b0, \b0, \b6 68 eor \b1, \b1, \b4 69 .endm 70 71 .macro inv_out_bs_ch, b6, b5, b0, b3, b7, b1, b4, b2 72 eor \b1, \b1, \b5 73 eor \b2, \b2, \b7 74 eor \b3, \b3, \b1 75 eor \b4, \b4, \b5 76 eor \b7, \b7, \b5 77 eor \b3, \b3, \b4 78 eor \b5, \b5, \b0 79 eor \b3, \b3, \b7 80 eor \b6, \b6, \b2 81 eor \b2, \b2, \b1 82 eor \b6, \b6, \b3 83 eor \b3, \b3, \b0 84 eor \b5, \b5, \b6 85 .endm 86 87 .macro mul_gf4, x0, x1, y0, y1, t0, t1 88 eor \t0, \y0, \y1 89 and \t0, \t0, \x0 90 eor \x0, \x0, \x1 91 and \t1, \x1, \y0 92 and \x0, \x0, \y1 93 eor \x1, \t1, \t0 94 eor \x0, \x0, \t1 95 .endm 96 97 .macro mul_gf4_n_gf4, x0, x1, y0, y1, t0, x2, x3, y2, y3, t1 98 eor \t0, \y0, \y1 99 eor \t1, \y2, \y3 100 and \t0, \t0, \x0 101 and \t1, \t1, \x2 102 eor \x0, \x0, \x1 103 eor \x2, \x2, \x3 104 and \x1, \x1, \y0 105 and \x3, \x3, \y2 106 and \x0, \x0, \y1 107 and \x2, \x2, \y3 108 eor \x1, \x1, \x0 109 eor \x2, \x2, \x3 110 eor \x0, \x0, \t0 111 eor \x3, \x3, \t1 112 .endm 113 114 .macro mul_gf16_2, x0, x1, x2, x3, x4, x5, x6, x7, \ 115 y0, y1, y2, y3, t0, t1, t2, t3 116 eor \t0, \x0, \x2 117 eor \t1, \x1, \x3 118 mul_gf4 \x0, \x1, \y0, \y1, \t2, \t3 119 eor \y0, \y0, \y2 120 eor \y1, \y1, \y3 121 mul_gf4_n_gf4 \t0, \t1, \y0, \y1, \t3, \x2, \x3, \y2, \y3, \t2 122 eor \x0, \x0, \t0 123 eor \x2, \x2, \t0 124 eor \x1, \x1, \t1 125 eor \x3, \x3, \t1 126 eor \t0, \x4, \x6 127 eor \t1, \x5, \x7 128 mul_gf4_n_gf4 \t0, \t1, \y0, \y1, \t3, \x6, \x7, \y2, \y3, \t2 129 eor \y0, \y0, \y2 130 eor \y1, \y1, \y3 131 mul_gf4 \x4, \x5, \y0, \y1, \t2, \t3 132 eor \x4, \x4, \t0 133 eor \x6, \x6, \t0 134 eor \x5, \x5, \t1 135 eor \x7, \x7, \t1 136 .endm 137 138 .macro inv_gf256, x0, x1, x2, x3, x4, x5, x6, x7, \ 139 t0, t1, t2, t3, s0, s1, s2, s3 140 eor \t3, \x4, \x6 141 eor \t0, \x5, \x7 142 eor \t1, \x1, \x3 143 eor \s1, \x7, \x6 144 eor \s0, \x0, \x2 145 eor \s3, \t3, \t0 146 orr \t2, \t0, \t1 147 and \s2, \t3, \s0 148 orr \t3, \t3, \s0 149 eor \s0, \s0, \t1 150 and \t0, \t0, \t1 151 eor \t1, \x3, \x2 152 and \s3, \s3, \s0 153 and \s1, \s1, \t1 154 eor \t1, \x4, \x5 155 eor \s0, \x1, \x0 156 eor \t3, \t3, \s1 157 eor \t2, \t2, \s1 158 and \s1, \t1, \s0 159 orr \t1, \t1, \s0 160 eor \t3, \t3, \s3 161 eor \t0, \t0, \s1 162 eor \t2, \t2, \s2 163 eor \t1, \t1, \s3 164 eor \t0, \t0, \s2 165 and \s0, \x7, \x3 166 eor \t1, \t1, \s2 167 and \s1, \x6, \x2 168 and \s2, \x5, \x1 169 orr \s3, \x4, \x0 170 eor \t3, \t3, \s0 171 eor \t1, \t1, \s2 172 eor \s0, \t0, \s3 173 eor \t2, \t2, \s1 174 and \s2, \t3, \t1 175 eor \s1, \t2, \s2 176 eor \s3, \s0, \s2 177 bsl \s1, \t1, \s0 178 not \t0, \s0 179 bsl \s0, \s1, \s3 180 bsl \t0, \s1, \s3 181 bsl \s3, \t3, \t2 182 eor \t3, \t3, \t2 183 and \s2, \s0, \s3 184 eor \t1, \t1, \t0 185 eor \s2, \s2, \t3 186 mul_gf16_2 \x0, \x1, \x2, \x3, \x4, \x5, \x6, \x7, \ 187 \s3, \s2, \s1, \t1, \s0, \t0, \t2, \t3 188 .endm 189 190 .macro sbox, b0, b1, b2, b3, b4, b5, b6, b7, \ 191 t0, t1, t2, t3, s0, s1, s2, s3 192 in_bs_ch \b0\().16b, \b1\().16b, \b2\().16b, \b3\().16b, \ 193 \b4\().16b, \b5\().16b, \b6\().16b, \b7\().16b 194 inv_gf256 \b6\().16b, \b5\().16b, \b0\().16b, \b3\().16b, \ 195 \b7\().16b, \b1\().16b, \b4\().16b, \b2\().16b, \ 196 \t0\().16b, \t1\().16b, \t2\().16b, \t3\().16b, \ 197 \s0\().16b, \s1\().16b, \s2\().16b, \s3\().16b 198 out_bs_ch \b7\().16b, \b1\().16b, \b4\().16b, \b2\().16b, \ 199 \b6\().16b, \b5\().16b, \b0\().16b, \b3\().16b 200 .endm 201 202 .macro inv_sbox, b0, b1, b2, b3, b4, b5, b6, b7, \ 203 t0, t1, t2, t3, s0, s1, s2, s3 204 inv_in_bs_ch \b0\().16b, \b1\().16b, \b2\().16b, \b3\().16b, \ 205 \b4\().16b, \b5\().16b, \b6\().16b, \b7\().16b 206 inv_gf256 \b5\().16b, \b1\().16b, \b2\().16b, \b6\().16b, \ 207 \b3\().16b, \b7\().16b, \b0\().16b, \b4\().16b, \ 208 \t0\().16b, \t1\().16b, \t2\().16b, \t3\().16b, \ 209 \s0\().16b, \s1\().16b, \s2\().16b, \s3\().16b 210 inv_out_bs_ch \b3\().16b, \b7\().16b, \b0\().16b, \b4\().16b, \ 211 \b5\().16b, \b1\().16b, \b2\().16b, \b6\().16b 212 .endm 213 214 .macro enc_next_rk 215 ldp q16, q17, [bskey], #128 216 ldp q18, q19, [bskey, #-96] 217 ldp q20, q21, [bskey, #-64] 218 ldp q22, q23, [bskey, #-32] 219 .endm 220 221 .macro dec_next_rk 222 ldp q16, q17, [bskey, #-128]! 223 ldp q18, q19, [bskey, #32] 224 ldp q20, q21, [bskey, #64] 225 ldp q22, q23, [bskey, #96] 226 .endm 227 228 .macro add_round_key, x0, x1, x2, x3, x4, x5, x6, x7 229 eor \x0\().16b, \x0\().16b, v16.16b 230 eor \x1\().16b, \x1\().16b, v17.16b 231 eor \x2\().16b, \x2\().16b, v18.16b 232 eor \x3\().16b, \x3\().16b, v19.16b 233 eor \x4\().16b, \x4\().16b, v20.16b 234 eor \x5\().16b, \x5\().16b, v21.16b 235 eor \x6\().16b, \x6\().16b, v22.16b 236 eor \x7\().16b, \x7\().16b, v23.16b 237 .endm 238 239 .macro shift_rows, x0, x1, x2, x3, x4, x5, x6, x7, mask 240 tbl \x0\().16b, {\x0\().16b}, \mask\().16b 241 tbl \x1\().16b, {\x1\().16b}, \mask\().16b 242 tbl \x2\().16b, {\x2\().16b}, \mask\().16b 243 tbl \x3\().16b, {\x3\().16b}, \mask\().16b 244 tbl \x4\().16b, {\x4\().16b}, \mask\().16b 245 tbl \x5\().16b, {\x5\().16b}, \mask\().16b 246 tbl \x6\().16b, {\x6\().16b}, \mask\().16b 247 tbl \x7\().16b, {\x7\().16b}, \mask\().16b 248 .endm 249 250 .macro mix_cols, x0, x1, x2, x3, x4, x5, x6, x7, \ 251 t0, t1, t2, t3, t4, t5, t6, t7, inv 252 ext \t0\().16b, \x0\().16b, \x0\().16b, #12 253 ext \t1\().16b, \x1\().16b, \x1\().16b, #12 254 eor \x0\().16b, \x0\().16b, \t0\().16b 255 ext \t2\().16b, \x2\().16b, \x2\().16b, #12 256 eor \x1\().16b, \x1\().16b, \t1\().16b 257 ext \t3\().16b, \x3\().16b, \x3\().16b, #12 258 eor \x2\().16b, \x2\().16b, \t2\().16b 259 ext \t4\().16b, \x4\().16b, \x4\().16b, #12 260 eor \x3\().16b, \x3\().16b, \t3\().16b 261 ext \t5\().16b, \x5\().16b, \x5\().16b, #12 262 eor \x4\().16b, \x4\().16b, \t4\().16b 263 ext \t6\().16b, \x6\().16b, \x6\().16b, #12 264 eor \x5\().16b, \x5\().16b, \t5\().16b 265 ext \t7\().16b, \x7\().16b, \x7\().16b, #12 266 eor \x6\().16b, \x6\().16b, \t6\().16b 267 eor \t1\().16b, \t1\().16b, \x0\().16b 268 eor \x7\().16b, \x7\().16b, \t7\().16b 269 ext \x0\().16b, \x0\().16b, \x0\().16b, #8 270 eor \t2\().16b, \t2\().16b, \x1\().16b 271 eor \t0\().16b, \t0\().16b, \x7\().16b 272 eor \t1\().16b, \t1\().16b, \x7\().16b 273 ext \x1\().16b, \x1\().16b, \x1\().16b, #8 274 eor \t5\().16b, \t5\().16b, \x4\().16b 275 eor \x0\().16b, \x0\().16b, \t0\().16b 276 eor \t6\().16b, \t6\().16b, \x5\().16b 277 eor \x1\().16b, \x1\().16b, \t1\().16b 278 ext \t0\().16b, \x4\().16b, \x4\().16b, #8 279 eor \t4\().16b, \t4\().16b, \x3\().16b 280 ext \t1\().16b, \x5\().16b, \x5\().16b, #8 281 eor \t7\().16b, \t7\().16b, \x6\().16b 282 ext \x4\().16b, \x3\().16b, \x3\().16b, #8 283 eor \t3\().16b, \t3\().16b, \x2\().16b 284 ext \x5\().16b, \x7\().16b, \x7\().16b, #8 285 eor \t4\().16b, \t4\().16b, \x7\().16b 286 ext \x3\().16b, \x6\().16b, \x6\().16b, #8 287 eor \t3\().16b, \t3\().16b, \x7\().16b 288 ext \x6\().16b, \x2\().16b, \x2\().16b, #8 289 eor \x7\().16b, \t1\().16b, \t5\().16b 290 .ifb \inv 291 eor \x2\().16b, \t0\().16b, \t4\().16b 292 eor \x4\().16b, \x4\().16b, \t3\().16b 293 eor \x5\().16b, \x5\().16b, \t7\().16b 294 eor \x3\().16b, \x3\().16b, \t6\().16b 295 eor \x6\().16b, \x6\().16b, \t2\().16b 296 .else 297 eor \t3\().16b, \t3\().16b, \x4\().16b 298 eor \x5\().16b, \x5\().16b, \t7\().16b 299 eor \x2\().16b, \x3\().16b, \t6\().16b 300 eor \x3\().16b, \t0\().16b, \t4\().16b 301 eor \x4\().16b, \x6\().16b, \t2\().16b 302 mov \x6\().16b, \t3\().16b 303 .endif 304 .endm 305 306 .macro inv_mix_cols, x0, x1, x2, x3, x4, x5, x6, x7, \ 307 t0, t1, t2, t3, t4, t5, t6, t7 308 ext \t0\().16b, \x0\().16b, \x0\().16b, #8 309 ext \t6\().16b, \x6\().16b, \x6\().16b, #8 310 ext \t7\().16b, \x7\().16b, \x7\().16b, #8 311 eor \t0\().16b, \t0\().16b, \x0\().16b 312 ext \t1\().16b, \x1\().16b, \x1\().16b, #8 313 eor \t6\().16b, \t6\().16b, \x6\().16b 314 ext \t2\().16b, \x2\().16b, \x2\().16b, #8 315 eor \t7\().16b, \t7\().16b, \x7\().16b 316 ext \t3\().16b, \x3\().16b, \x3\().16b, #8 317 eor \t1\().16b, \t1\().16b, \x1\().16b 318 ext \t4\().16b, \x4\().16b, \x4\().16b, #8 319 eor \t2\().16b, \t2\().16b, \x2\().16b 320 ext \t5\().16b, \x5\().16b, \x5\().16b, #8 321 eor \t3\().16b, \t3\().16b, \x3\().16b 322 eor \t4\().16b, \t4\().16b, \x4\().16b 323 eor \t5\().16b, \t5\().16b, \x5\().16b 324 eor \x0\().16b, \x0\().16b, \t6\().16b 325 eor \x1\().16b, \x1\().16b, \t6\().16b 326 eor \x2\().16b, \x2\().16b, \t0\().16b 327 eor \x4\().16b, \x4\().16b, \t2\().16b 328 eor \x3\().16b, \x3\().16b, \t1\().16b 329 eor \x1\().16b, \x1\().16b, \t7\().16b 330 eor \x2\().16b, \x2\().16b, \t7\().16b 331 eor \x4\().16b, \x4\().16b, \t6\().16b 332 eor \x5\().16b, \x5\().16b, \t3\().16b 333 eor \x3\().16b, \x3\().16b, \t6\().16b 334 eor \x6\().16b, \x6\().16b, \t4\().16b 335 eor \x4\().16b, \x4\().16b, \t7\().16b 336 eor \x5\().16b, \x5\().16b, \t7\().16b 337 eor \x7\().16b, \x7\().16b, \t5\().16b 338 mix_cols \x0, \x1, \x2, \x3, \x4, \x5, \x6, \x7, \ 339 \t0, \t1, \t2, \t3, \t4, \t5, \t6, \t7, 1 340 .endm 341 342 .macro swapmove_2x, a0, b0, a1, b1, n, mask, t0, t1 343 ushr \t0\().2d, \b0\().2d, #\n 344 ushr \t1\().2d, \b1\().2d, #\n 345 eor \t0\().16b, \t0\().16b, \a0\().16b 346 eor \t1\().16b, \t1\().16b, \a1\().16b 347 and \t0\().16b, \t0\().16b, \mask\().16b 348 and \t1\().16b, \t1\().16b, \mask\().16b 349 eor \a0\().16b, \a0\().16b, \t0\().16b 350 shl \t0\().2d, \t0\().2d, #\n 351 eor \a1\().16b, \a1\().16b, \t1\().16b 352 shl \t1\().2d, \t1\().2d, #\n 353 eor \b0\().16b, \b0\().16b, \t0\().16b 354 eor \b1\().16b, \b1\().16b, \t1\().16b 355 .endm 356 357 .macro bitslice, x7, x6, x5, x4, x3, x2, x1, x0, t0, t1, t2, t3 358 movi \t0\().16b, #0x55 359 movi \t1\().16b, #0x33 360 swapmove_2x \x0, \x1, \x2, \x3, 1, \t0, \t2, \t3 361 swapmove_2x \x4, \x5, \x6, \x7, 1, \t0, \t2, \t3 362 movi \t0\().16b, #0x0f 363 swapmove_2x \x0, \x2, \x1, \x3, 2, \t1, \t2, \t3 364 swapmove_2x \x4, \x6, \x5, \x7, 2, \t1, \t2, \t3 365 swapmove_2x \x0, \x4, \x1, \x5, 4, \t0, \t2, \t3 366 swapmove_2x \x2, \x6, \x3, \x7, 4, \t0, \t2, \t3 367 .endm 368 369 370 .align 6 371 M0: .octa 0x0004080c0105090d02060a0e03070b0f 372 373 M0SR: .octa 0x0004080c05090d010a0e02060f03070b 374 SR: .octa 0x0f0e0d0c0a09080b0504070600030201 375 SRM0: .octa 0x01060b0c0207080d0304090e00050a0f 376 377 M0ISR: .octa 0x0004080c0d0105090a0e0206070b0f03 378 ISR: .octa 0x0f0e0d0c080b0a090504070602010003 379 ISRM0: .octa 0x0306090c00070a0d01040b0e0205080f 380 381 /* 382 * void aesbs_convert_key(u8 out[], u32 const rk[], int rounds) 383 */ 384 SYM_FUNC_START(aesbs_convert_key) 385 ld1 {v7.4s}, [x1], #16 // load round 0 key 386 ld1 {v17.4s}, [x1], #16 // load round 1 key 387 388 movi v8.16b, #0x01 // bit masks 389 movi v9.16b, #0x02 390 movi v10.16b, #0x04 391 movi v11.16b, #0x08 392 movi v12.16b, #0x10 393 movi v13.16b, #0x20 394 movi v14.16b, #0x40 395 movi v15.16b, #0x80 396 ldr q16, M0 397 398 sub x2, x2, #1 399 str q7, [x0], #16 // save round 0 key 400 401 .Lkey_loop: 402 tbl v7.16b ,{v17.16b}, v16.16b 403 ld1 {v17.4s}, [x1], #16 // load next round key 404 405 cmtst v0.16b, v7.16b, v8.16b 406 cmtst v1.16b, v7.16b, v9.16b 407 cmtst v2.16b, v7.16b, v10.16b 408 cmtst v3.16b, v7.16b, v11.16b 409 cmtst v4.16b, v7.16b, v12.16b 410 cmtst v5.16b, v7.16b, v13.16b 411 cmtst v6.16b, v7.16b, v14.16b 412 cmtst v7.16b, v7.16b, v15.16b 413 not v0.16b, v0.16b 414 not v1.16b, v1.16b 415 not v5.16b, v5.16b 416 not v6.16b, v6.16b 417 418 subs x2, x2, #1 419 stp q0, q1, [x0], #128 420 stp q2, q3, [x0, #-96] 421 stp q4, q5, [x0, #-64] 422 stp q6, q7, [x0, #-32] 423 b.ne .Lkey_loop 424 425 movi v7.16b, #0x63 // compose .L63 426 eor v17.16b, v17.16b, v7.16b 427 str q17, [x0] 428 ret 429 SYM_FUNC_END(aesbs_convert_key) 430 431 .align 4 432 SYM_FUNC_START_LOCAL(aesbs_encrypt8) 433 ldr q9, [bskey], #16 // round 0 key 434 ldr q8, M0SR 435 ldr q24, SR 436 437 eor v10.16b, v0.16b, v9.16b // xor with round0 key 438 eor v11.16b, v1.16b, v9.16b 439 tbl v0.16b, {v10.16b}, v8.16b 440 eor v12.16b, v2.16b, v9.16b 441 tbl v1.16b, {v11.16b}, v8.16b 442 eor v13.16b, v3.16b, v9.16b 443 tbl v2.16b, {v12.16b}, v8.16b 444 eor v14.16b, v4.16b, v9.16b 445 tbl v3.16b, {v13.16b}, v8.16b 446 eor v15.16b, v5.16b, v9.16b 447 tbl v4.16b, {v14.16b}, v8.16b 448 eor v10.16b, v6.16b, v9.16b 449 tbl v5.16b, {v15.16b}, v8.16b 450 eor v11.16b, v7.16b, v9.16b 451 tbl v6.16b, {v10.16b}, v8.16b 452 tbl v7.16b, {v11.16b}, v8.16b 453 454 bitslice v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11 455 456 sub rounds, rounds, #1 457 b .Lenc_sbox 458 459 .Lenc_loop: 460 shift_rows v0, v1, v2, v3, v4, v5, v6, v7, v24 461 .Lenc_sbox: 462 sbox v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, v12, \ 463 v13, v14, v15 464 subs rounds, rounds, #1 465 b.cc .Lenc_done 466 467 enc_next_rk 468 469 mix_cols v0, v1, v4, v6, v3, v7, v2, v5, v8, v9, v10, v11, v12, \ 470 v13, v14, v15 471 472 add_round_key v0, v1, v2, v3, v4, v5, v6, v7 473 474 b.ne .Lenc_loop 475 ldr q24, SRM0 476 b .Lenc_loop 477 478 .Lenc_done: 479 ldr q12, [bskey] // last round key 480 481 bitslice v0, v1, v4, v6, v3, v7, v2, v5, v8, v9, v10, v11 482 483 eor v0.16b, v0.16b, v12.16b 484 eor v1.16b, v1.16b, v12.16b 485 eor v4.16b, v4.16b, v12.16b 486 eor v6.16b, v6.16b, v12.16b 487 eor v3.16b, v3.16b, v12.16b 488 eor v7.16b, v7.16b, v12.16b 489 eor v2.16b, v2.16b, v12.16b 490 eor v5.16b, v5.16b, v12.16b 491 ret 492 SYM_FUNC_END(aesbs_encrypt8) 493 494 .align 4 495 SYM_FUNC_START_LOCAL(aesbs_decrypt8) 496 lsl x9, rounds, #7 497 add bskey, bskey, x9 498 499 ldr q9, [bskey, #-112]! // round 0 key 500 ldr q8, M0ISR 501 ldr q24, ISR 502 503 eor v10.16b, v0.16b, v9.16b // xor with round0 key 504 eor v11.16b, v1.16b, v9.16b 505 tbl v0.16b, {v10.16b}, v8.16b 506 eor v12.16b, v2.16b, v9.16b 507 tbl v1.16b, {v11.16b}, v8.16b 508 eor v13.16b, v3.16b, v9.16b 509 tbl v2.16b, {v12.16b}, v8.16b 510 eor v14.16b, v4.16b, v9.16b 511 tbl v3.16b, {v13.16b}, v8.16b 512 eor v15.16b, v5.16b, v9.16b 513 tbl v4.16b, {v14.16b}, v8.16b 514 eor v10.16b, v6.16b, v9.16b 515 tbl v5.16b, {v15.16b}, v8.16b 516 eor v11.16b, v7.16b, v9.16b 517 tbl v6.16b, {v10.16b}, v8.16b 518 tbl v7.16b, {v11.16b}, v8.16b 519 520 bitslice v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11 521 522 sub rounds, rounds, #1 523 b .Ldec_sbox 524 525 .Ldec_loop: 526 shift_rows v0, v1, v2, v3, v4, v5, v6, v7, v24 527 .Ldec_sbox: 528 inv_sbox v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, v12, \ 529 v13, v14, v15 530 subs rounds, rounds, #1 531 b.cc .Ldec_done 532 533 dec_next_rk 534 535 add_round_key v0, v1, v6, v4, v2, v7, v3, v5 536 537 inv_mix_cols v0, v1, v6, v4, v2, v7, v3, v5, v8, v9, v10, v11, v12, \ 538 v13, v14, v15 539 540 b.ne .Ldec_loop 541 ldr q24, ISRM0 542 b .Ldec_loop 543 .Ldec_done: 544 ldr q12, [bskey, #-16] // last round key 545 546 bitslice v0, v1, v6, v4, v2, v7, v3, v5, v8, v9, v10, v11 547 548 eor v0.16b, v0.16b, v12.16b 549 eor v1.16b, v1.16b, v12.16b 550 eor v6.16b, v6.16b, v12.16b 551 eor v4.16b, v4.16b, v12.16b 552 eor v2.16b, v2.16b, v12.16b 553 eor v7.16b, v7.16b, v12.16b 554 eor v3.16b, v3.16b, v12.16b 555 eor v5.16b, v5.16b, v12.16b 556 ret 557 SYM_FUNC_END(aesbs_decrypt8) 558 559 /* 560 * aesbs_ecb_encrypt(u8 out[], u8 const in[], u8 const rk[], int rounds, 561 * int blocks) 562 * aesbs_ecb_decrypt(u8 out[], u8 const in[], u8 const rk[], int rounds, 563 * int blocks) 564 */ 565 .macro __ecb_crypt, do8, o0, o1, o2, o3, o4, o5, o6, o7 566 frame_push 5 567 568 mov x19, x0 569 mov x20, x1 570 mov x21, x2 571 mov x22, x3 572 mov x23, x4 573 574 99: mov x5, #1 575 lsl x5, x5, x23 576 subs w23, w23, #8 577 csel x23, x23, xzr, pl 578 csel x5, x5, xzr, mi 579 580 ld1 {v0.16b}, [x20], #16 581 tbnz x5, #1, 0f 582 ld1 {v1.16b}, [x20], #16 583 tbnz x5, #2, 0f 584 ld1 {v2.16b}, [x20], #16 585 tbnz x5, #3, 0f 586 ld1 {v3.16b}, [x20], #16 587 tbnz x5, #4, 0f 588 ld1 {v4.16b}, [x20], #16 589 tbnz x5, #5, 0f 590 ld1 {v5.16b}, [x20], #16 591 tbnz x5, #6, 0f 592 ld1 {v6.16b}, [x20], #16 593 tbnz x5, #7, 0f 594 ld1 {v7.16b}, [x20], #16 595 596 0: mov bskey, x21 597 mov rounds, x22 598 bl \do8 599 600 st1 {\o0\().16b}, [x19], #16 601 tbnz x5, #1, 1f 602 st1 {\o1\().16b}, [x19], #16 603 tbnz x5, #2, 1f 604 st1 {\o2\().16b}, [x19], #16 605 tbnz x5, #3, 1f 606 st1 {\o3\().16b}, [x19], #16 607 tbnz x5, #4, 1f 608 st1 {\o4\().16b}, [x19], #16 609 tbnz x5, #5, 1f 610 st1 {\o5\().16b}, [x19], #16 611 tbnz x5, #6, 1f 612 st1 {\o6\().16b}, [x19], #16 613 tbnz x5, #7, 1f 614 st1 {\o7\().16b}, [x19], #16 615 616 cbz x23, 1f 617 b 99b 618 619 1: frame_pop 620 ret 621 .endm 622 623 .align 4 624 SYM_TYPED_FUNC_START(aesbs_ecb_encrypt) 625 __ecb_crypt aesbs_encrypt8, v0, v1, v4, v6, v3, v7, v2, v5 626 SYM_FUNC_END(aesbs_ecb_encrypt) 627 628 .align 4 629 SYM_TYPED_FUNC_START(aesbs_ecb_decrypt) 630 __ecb_crypt aesbs_decrypt8, v0, v1, v6, v4, v2, v7, v3, v5 631 SYM_FUNC_END(aesbs_ecb_decrypt) 632 633 /* 634 * aesbs_cbc_decrypt(u8 out[], u8 const in[], u8 const rk[], int rounds, 635 * int blocks, u8 iv[]) 636 */ 637 .align 4 638 SYM_FUNC_START(aesbs_cbc_decrypt) 639 frame_push 6 640 641 mov x19, x0 642 mov x20, x1 643 mov x21, x2 644 mov x22, x3 645 mov x23, x4 646 mov x24, x5 647 648 99: mov x6, #1 649 lsl x6, x6, x23 650 subs w23, w23, #8 651 csel x23, x23, xzr, pl 652 csel x6, x6, xzr, mi 653 654 ld1 {v0.16b}, [x20], #16 655 mov v25.16b, v0.16b 656 tbnz x6, #1, 0f 657 ld1 {v1.16b}, [x20], #16 658 mov v26.16b, v1.16b 659 tbnz x6, #2, 0f 660 ld1 {v2.16b}, [x20], #16 661 mov v27.16b, v2.16b 662 tbnz x6, #3, 0f 663 ld1 {v3.16b}, [x20], #16 664 mov v28.16b, v3.16b 665 tbnz x6, #4, 0f 666 ld1 {v4.16b}, [x20], #16 667 mov v29.16b, v4.16b 668 tbnz x6, #5, 0f 669 ld1 {v5.16b}, [x20], #16 670 mov v30.16b, v5.16b 671 tbnz x6, #6, 0f 672 ld1 {v6.16b}, [x20], #16 673 mov v31.16b, v6.16b 674 tbnz x6, #7, 0f 675 ld1 {v7.16b}, [x20] 676 677 0: mov bskey, x21 678 mov rounds, x22 679 bl aesbs_decrypt8 680 681 ld1 {v24.16b}, [x24] // load IV 682 683 eor v1.16b, v1.16b, v25.16b 684 eor v6.16b, v6.16b, v26.16b 685 eor v4.16b, v4.16b, v27.16b 686 eor v2.16b, v2.16b, v28.16b 687 eor v7.16b, v7.16b, v29.16b 688 eor v0.16b, v0.16b, v24.16b 689 eor v3.16b, v3.16b, v30.16b 690 eor v5.16b, v5.16b, v31.16b 691 692 st1 {v0.16b}, [x19], #16 693 mov v24.16b, v25.16b 694 tbnz x6, #1, 1f 695 st1 {v1.16b}, [x19], #16 696 mov v24.16b, v26.16b 697 tbnz x6, #2, 1f 698 st1 {v6.16b}, [x19], #16 699 mov v24.16b, v27.16b 700 tbnz x6, #3, 1f 701 st1 {v4.16b}, [x19], #16 702 mov v24.16b, v28.16b 703 tbnz x6, #4, 1f 704 st1 {v2.16b}, [x19], #16 705 mov v24.16b, v29.16b 706 tbnz x6, #5, 1f 707 st1 {v7.16b}, [x19], #16 708 mov v24.16b, v30.16b 709 tbnz x6, #6, 1f 710 st1 {v3.16b}, [x19], #16 711 mov v24.16b, v31.16b 712 tbnz x6, #7, 1f 713 ld1 {v24.16b}, [x20], #16 714 st1 {v5.16b}, [x19], #16 715 1: st1 {v24.16b}, [x24] // store IV 716 717 cbz x23, 2f 718 b 99b 719 720 2: frame_pop 721 ret 722 SYM_FUNC_END(aesbs_cbc_decrypt) 723 724 .macro next_tweak, out, in, const, tmp 725 sshr \tmp\().2d, \in\().2d, #63 726 and \tmp\().16b, \tmp\().16b, \const\().16b 727 add \out\().2d, \in\().2d, \in\().2d 728 ext \tmp\().16b, \tmp\().16b, \tmp\().16b, #8 729 eor \out\().16b, \out\().16b, \tmp\().16b 730 .endm 731 732 /* 733 * aesbs_xts_encrypt(u8 out[], u8 const in[], u8 const rk[], int rounds, 734 * int blocks, u8 iv[]) 735 * aesbs_xts_decrypt(u8 out[], u8 const in[], u8 const rk[], int rounds, 736 * int blocks, u8 iv[]) 737 */ 738 SYM_FUNC_START_LOCAL(__xts_crypt8) 739 movi v18.2s, #0x1 740 movi v19.2s, #0x87 741 uzp1 v18.4s, v18.4s, v19.4s 742 743 ld1 {v0.16b-v3.16b}, [x1], #64 744 ld1 {v4.16b-v7.16b}, [x1], #64 745 746 next_tweak v26, v25, v18, v19 747 next_tweak v27, v26, v18, v19 748 next_tweak v28, v27, v18, v19 749 next_tweak v29, v28, v18, v19 750 next_tweak v30, v29, v18, v19 751 next_tweak v31, v30, v18, v19 752 next_tweak v16, v31, v18, v19 753 next_tweak v17, v16, v18, v19 754 755 eor v0.16b, v0.16b, v25.16b 756 eor v1.16b, v1.16b, v26.16b 757 eor v2.16b, v2.16b, v27.16b 758 eor v3.16b, v3.16b, v28.16b 759 eor v4.16b, v4.16b, v29.16b 760 eor v5.16b, v5.16b, v30.16b 761 eor v6.16b, v6.16b, v31.16b 762 eor v7.16b, v7.16b, v16.16b 763 764 stp q16, q17, [x6] 765 766 mov bskey, x2 767 mov rounds, x3 768 br x16 769 SYM_FUNC_END(__xts_crypt8) 770 771 .macro __xts_crypt, do8, o0, o1, o2, o3, o4, o5, o6, o7 772 frame_push 0, 32 773 add x6, sp, #.Lframe_local_offset 774 775 ld1 {v25.16b}, [x5] 776 777 0: adr x16, \do8 778 bl __xts_crypt8 779 780 eor v16.16b, \o0\().16b, v25.16b 781 eor v17.16b, \o1\().16b, v26.16b 782 eor v18.16b, \o2\().16b, v27.16b 783 eor v19.16b, \o3\().16b, v28.16b 784 785 ldp q24, q25, [x6] 786 787 eor v20.16b, \o4\().16b, v29.16b 788 eor v21.16b, \o5\().16b, v30.16b 789 eor v22.16b, \o6\().16b, v31.16b 790 eor v23.16b, \o7\().16b, v24.16b 791 792 st1 {v16.16b-v19.16b}, [x0], #64 793 st1 {v20.16b-v23.16b}, [x0], #64 794 795 subs x4, x4, #8 796 b.gt 0b 797 798 st1 {v25.16b}, [x5] 799 frame_pop 800 ret 801 .endm 802 803 SYM_TYPED_FUNC_START(aesbs_xts_encrypt) 804 __xts_crypt aesbs_encrypt8, v0, v1, v4, v6, v3, v7, v2, v5 805 SYM_FUNC_END(aesbs_xts_encrypt) 806 807 SYM_TYPED_FUNC_START(aesbs_xts_decrypt) 808 __xts_crypt aesbs_decrypt8, v0, v1, v6, v4, v2, v7, v3, v5 809 SYM_FUNC_END(aesbs_xts_decrypt) 810 811 .macro next_ctr, v 812 mov \v\().d[1], x8 813 adds x8, x8, #1 814 mov \v\().d[0], x7 815 adc x7, x7, xzr 816 rev64 \v\().16b, \v\().16b 817 .endm 818 819 /* 820 * aesbs_ctr_encrypt(u8 out[], u8 const in[], u8 const rk[], 821 * int rounds, int blocks, u8 iv[]) 822 */ 823 SYM_FUNC_START(aesbs_ctr_encrypt) 824 frame_push 0 825 ldp x7, x8, [x5] 826 ld1 {v0.16b}, [x5] 827 CPU_LE( rev x7, x7 ) 828 CPU_LE( rev x8, x8 ) 829 adds x8, x8, #1 830 adc x7, x7, xzr 831 832 0: next_ctr v1 833 next_ctr v2 834 next_ctr v3 835 next_ctr v4 836 next_ctr v5 837 next_ctr v6 838 next_ctr v7 839 840 mov bskey, x2 841 mov rounds, x3 842 bl aesbs_encrypt8 843 844 ld1 { v8.16b-v11.16b}, [x1], #64 845 ld1 {v12.16b-v15.16b}, [x1], #64 846 847 eor v8.16b, v0.16b, v8.16b 848 eor v9.16b, v1.16b, v9.16b 849 eor v10.16b, v4.16b, v10.16b 850 eor v11.16b, v6.16b, v11.16b 851 eor v12.16b, v3.16b, v12.16b 852 eor v13.16b, v7.16b, v13.16b 853 eor v14.16b, v2.16b, v14.16b 854 eor v15.16b, v5.16b, v15.16b 855 856 st1 { v8.16b-v11.16b}, [x0], #64 857 st1 {v12.16b-v15.16b}, [x0], #64 858 859 next_ctr v0 860 subs x4, x4, #8 861 b.gt 0b 862 863 st1 {v0.16b}, [x5] 864 frame_pop 865 ret 866 SYM_FUNC_END(aesbs_ctr_encrypt) 867