1 /* SPDX-License-Identifier: GPL-2.0-or-later */ 2 # 3 # Accelerated poly1305 implementation for ppc64le. 4 # 5 # Copyright 2023- IBM Corp. All rights reserved 6 # 7 #=================================================================================== 8 # Written by Danny Tsen <dtsen@us.ibm.com> 9 # 10 # Poly1305 - this version mainly using vector/VSX/Scalar 11 # - 26 bits limbs 12 # - Handle multiple 64 byte blcok. 13 # 14 # Block size 16 bytes 15 # key = (r, s) 16 # clamp r &= 0x0FFFFFFC0FFFFFFC 0x0FFFFFFC0FFFFFFF 17 # p = 2^130 - 5 18 # a += m 19 # a = (r + a) % p 20 # a += s 21 # 22 # Improve performance by breaking down polynominal to the sum of products with 23 # h4 = m1 * r⁴ + m2 * r³ + m3 * r² + m4 * r 24 # 25 # 07/22/21 - this revison based on the above sum of products. Setup r^4, r^3, r^2, r and s3, s2, s1, s0 26 # to 9 vectors for multiplications. 27 # 28 # setup r^4, r^3, r^2, r vectors 29 # vs [r^1, r^3, r^2, r^4] 30 # vs0 = [r0,.....] 31 # vs1 = [r1,.....] 32 # vs2 = [r2,.....] 33 # vs3 = [r3,.....] 34 # vs4 = [r4,.....] 35 # vs5 = [r1*5,...] 36 # vs6 = [r2*5,...] 37 # vs7 = [r2*5,...] 38 # vs8 = [r4*5,...] 39 # 40 # Each word in a vector consists a member of a "r/s" in [a * r/s]. 41 # 42 # r0, r4*5, r3*5, r2*5, r1*5; 43 # r1, r0, r4*5, r3*5, r2*5; 44 # r2, r1, r0, r4*5, r3*5; 45 # r3, r2, r1, r0, r4*5; 46 # r4, r3, r2, r1, r0 ; 47 # 48 # 49 # poly1305_p10le_4blocks( uint8_t *k, uint32_t mlen, uint8_t *m) 50 # k = 32 bytes key 51 # r3 = k (r, s) 52 # r4 = mlen 53 # r5 = m 54 # 55 #include <asm/ppc_asm.h> 56 #include <asm/asm-offsets.h> 57 #include <asm/asm-compat.h> 58 #include <linux/linkage.h> 59 60 .machine "any" 61 62 .text 63 64 .macro SAVE_GPR GPR OFFSET FRAME 65 std \GPR,\OFFSET(\FRAME) 66 .endm 67 68 .macro SAVE_VRS VRS OFFSET FRAME 69 li 16, \OFFSET 70 stvx \VRS, 16, \FRAME 71 .endm 72 73 .macro SAVE_VSX VSX OFFSET FRAME 74 li 16, \OFFSET 75 stxvx \VSX, 16, \FRAME 76 .endm 77 78 .macro RESTORE_GPR GPR OFFSET FRAME 79 ld \GPR,\OFFSET(\FRAME) 80 .endm 81 82 .macro RESTORE_VRS VRS OFFSET FRAME 83 li 16, \OFFSET 84 lvx \VRS, 16, \FRAME 85 .endm 86 87 .macro RESTORE_VSX VSX OFFSET FRAME 88 li 16, \OFFSET 89 lxvx \VSX, 16, \FRAME 90 .endm 91 92 .macro SAVE_REGS 93 mflr 0 94 std 0, 16(1) 95 stdu 1,-752(1) 96 97 SAVE_GPR 14, 112, 1 98 SAVE_GPR 15, 120, 1 99 SAVE_GPR 16, 128, 1 100 SAVE_GPR 17, 136, 1 101 SAVE_GPR 18, 144, 1 102 SAVE_GPR 19, 152, 1 103 SAVE_GPR 20, 160, 1 104 SAVE_GPR 21, 168, 1 105 SAVE_GPR 22, 176, 1 106 SAVE_GPR 23, 184, 1 107 SAVE_GPR 24, 192, 1 108 SAVE_GPR 25, 200, 1 109 SAVE_GPR 26, 208, 1 110 SAVE_GPR 27, 216, 1 111 SAVE_GPR 28, 224, 1 112 SAVE_GPR 29, 232, 1 113 SAVE_GPR 30, 240, 1 114 SAVE_GPR 31, 248, 1 115 116 addi 9, 1, 256 117 SAVE_VRS 20, 0, 9 118 SAVE_VRS 21, 16, 9 119 SAVE_VRS 22, 32, 9 120 SAVE_VRS 23, 48, 9 121 SAVE_VRS 24, 64, 9 122 SAVE_VRS 25, 80, 9 123 SAVE_VRS 26, 96, 9 124 SAVE_VRS 27, 112, 9 125 SAVE_VRS 28, 128, 9 126 SAVE_VRS 29, 144, 9 127 SAVE_VRS 30, 160, 9 128 SAVE_VRS 31, 176, 9 129 130 SAVE_VSX 14, 192, 9 131 SAVE_VSX 15, 208, 9 132 SAVE_VSX 16, 224, 9 133 SAVE_VSX 17, 240, 9 134 SAVE_VSX 18, 256, 9 135 SAVE_VSX 19, 272, 9 136 SAVE_VSX 20, 288, 9 137 SAVE_VSX 21, 304, 9 138 SAVE_VSX 22, 320, 9 139 SAVE_VSX 23, 336, 9 140 SAVE_VSX 24, 352, 9 141 SAVE_VSX 25, 368, 9 142 SAVE_VSX 26, 384, 9 143 SAVE_VSX 27, 400, 9 144 SAVE_VSX 28, 416, 9 145 SAVE_VSX 29, 432, 9 146 SAVE_VSX 30, 448, 9 147 SAVE_VSX 31, 464, 9 148 .endm # SAVE_REGS 149 150 .macro RESTORE_REGS 151 addi 9, 1, 256 152 RESTORE_VRS 20, 0, 9 153 RESTORE_VRS 21, 16, 9 154 RESTORE_VRS 22, 32, 9 155 RESTORE_VRS 23, 48, 9 156 RESTORE_VRS 24, 64, 9 157 RESTORE_VRS 25, 80, 9 158 RESTORE_VRS 26, 96, 9 159 RESTORE_VRS 27, 112, 9 160 RESTORE_VRS 28, 128, 9 161 RESTORE_VRS 29, 144, 9 162 RESTORE_VRS 30, 160, 9 163 RESTORE_VRS 31, 176, 9 164 165 RESTORE_VSX 14, 192, 9 166 RESTORE_VSX 15, 208, 9 167 RESTORE_VSX 16, 224, 9 168 RESTORE_VSX 17, 240, 9 169 RESTORE_VSX 18, 256, 9 170 RESTORE_VSX 19, 272, 9 171 RESTORE_VSX 20, 288, 9 172 RESTORE_VSX 21, 304, 9 173 RESTORE_VSX 22, 320, 9 174 RESTORE_VSX 23, 336, 9 175 RESTORE_VSX 24, 352, 9 176 RESTORE_VSX 25, 368, 9 177 RESTORE_VSX 26, 384, 9 178 RESTORE_VSX 27, 400, 9 179 RESTORE_VSX 28, 416, 9 180 RESTORE_VSX 29, 432, 9 181 RESTORE_VSX 30, 448, 9 182 RESTORE_VSX 31, 464, 9 183 184 RESTORE_GPR 14, 112, 1 185 RESTORE_GPR 15, 120, 1 186 RESTORE_GPR 16, 128, 1 187 RESTORE_GPR 17, 136, 1 188 RESTORE_GPR 18, 144, 1 189 RESTORE_GPR 19, 152, 1 190 RESTORE_GPR 20, 160, 1 191 RESTORE_GPR 21, 168, 1 192 RESTORE_GPR 22, 176, 1 193 RESTORE_GPR 23, 184, 1 194 RESTORE_GPR 24, 192, 1 195 RESTORE_GPR 25, 200, 1 196 RESTORE_GPR 26, 208, 1 197 RESTORE_GPR 27, 216, 1 198 RESTORE_GPR 28, 224, 1 199 RESTORE_GPR 29, 232, 1 200 RESTORE_GPR 30, 240, 1 201 RESTORE_GPR 31, 248, 1 202 203 addi 1, 1, 752 204 ld 0, 16(1) 205 mtlr 0 206 .endm # RESTORE_REGS 207 208 # 209 # p[0] = a0*r0 + a1*r4*5 + a2*r3*5 + a3*r2*5 + a4*r1*5; 210 # p[1] = a0*r1 + a1*r0 + a2*r4*5 + a3*r3*5 + a4*r2*5; 211 # p[2] = a0*r2 + a1*r1 + a2*r0 + a3*r4*5 + a4*r3*5; 212 # p[3] = a0*r3 + a1*r2 + a2*r1 + a3*r0 + a4*r4*5; 213 # p[4] = a0*r4 + a1*r3 + a2*r2 + a3*r1 + a4*r0 ; 214 # 215 # [r^2, r^3, r^1, r^4] 216 # [m3, m2, m4, m1] 217 # 218 # multiply odd and even words 219 .macro mul_odd 220 vmulouw 14, 4, 26 221 vmulouw 10, 5, 3 222 vmulouw 11, 6, 2 223 vmulouw 12, 7, 1 224 vmulouw 13, 8, 0 225 vmulouw 15, 4, 27 226 vaddudm 14, 14, 10 227 vaddudm 14, 14, 11 228 vmulouw 10, 5, 26 229 vmulouw 11, 6, 3 230 vaddudm 14, 14, 12 231 vaddudm 14, 14, 13 # x0 232 vaddudm 15, 15, 10 233 vaddudm 15, 15, 11 234 vmulouw 12, 7, 2 235 vmulouw 13, 8, 1 236 vaddudm 15, 15, 12 237 vaddudm 15, 15, 13 # x1 238 vmulouw 16, 4, 28 239 vmulouw 10, 5, 27 240 vmulouw 11, 6, 26 241 vaddudm 16, 16, 10 242 vaddudm 16, 16, 11 243 vmulouw 12, 7, 3 244 vmulouw 13, 8, 2 245 vaddudm 16, 16, 12 246 vaddudm 16, 16, 13 # x2 247 vmulouw 17, 4, 29 248 vmulouw 10, 5, 28 249 vmulouw 11, 6, 27 250 vaddudm 17, 17, 10 251 vaddudm 17, 17, 11 252 vmulouw 12, 7, 26 253 vmulouw 13, 8, 3 254 vaddudm 17, 17, 12 255 vaddudm 17, 17, 13 # x3 256 vmulouw 18, 4, 30 257 vmulouw 10, 5, 29 258 vmulouw 11, 6, 28 259 vaddudm 18, 18, 10 260 vaddudm 18, 18, 11 261 vmulouw 12, 7, 27 262 vmulouw 13, 8, 26 263 vaddudm 18, 18, 12 264 vaddudm 18, 18, 13 # x4 265 .endm 266 267 .macro mul_even 268 vmuleuw 9, 4, 26 269 vmuleuw 10, 5, 3 270 vmuleuw 11, 6, 2 271 vmuleuw 12, 7, 1 272 vmuleuw 13, 8, 0 273 vaddudm 14, 14, 9 274 vaddudm 14, 14, 10 275 vaddudm 14, 14, 11 276 vaddudm 14, 14, 12 277 vaddudm 14, 14, 13 # x0 278 279 vmuleuw 9, 4, 27 280 vmuleuw 10, 5, 26 281 vmuleuw 11, 6, 3 282 vmuleuw 12, 7, 2 283 vmuleuw 13, 8, 1 284 vaddudm 15, 15, 9 285 vaddudm 15, 15, 10 286 vaddudm 15, 15, 11 287 vaddudm 15, 15, 12 288 vaddudm 15, 15, 13 # x1 289 290 vmuleuw 9, 4, 28 291 vmuleuw 10, 5, 27 292 vmuleuw 11, 6, 26 293 vmuleuw 12, 7, 3 294 vmuleuw 13, 8, 2 295 vaddudm 16, 16, 9 296 vaddudm 16, 16, 10 297 vaddudm 16, 16, 11 298 vaddudm 16, 16, 12 299 vaddudm 16, 16, 13 # x2 300 301 vmuleuw 9, 4, 29 302 vmuleuw 10, 5, 28 303 vmuleuw 11, 6, 27 304 vmuleuw 12, 7, 26 305 vmuleuw 13, 8, 3 306 vaddudm 17, 17, 9 307 vaddudm 17, 17, 10 308 vaddudm 17, 17, 11 309 vaddudm 17, 17, 12 310 vaddudm 17, 17, 13 # x3 311 312 vmuleuw 9, 4, 30 313 vmuleuw 10, 5, 29 314 vmuleuw 11, 6, 28 315 vmuleuw 12, 7, 27 316 vmuleuw 13, 8, 26 317 vaddudm 18, 18, 9 318 vaddudm 18, 18, 10 319 vaddudm 18, 18, 11 320 vaddudm 18, 18, 12 321 vaddudm 18, 18, 13 # x4 322 .endm 323 324 # 325 # poly1305_setup_r 326 # 327 # setup r^4, r^3, r^2, r vectors 328 # [r, r^3, r^2, r^4] 329 # vs0 = [r0,...] 330 # vs1 = [r1,...] 331 # vs2 = [r2,...] 332 # vs3 = [r3,...] 333 # vs4 = [r4,...] 334 # vs5 = [r4*5,...] 335 # vs6 = [r3*5,...] 336 # vs7 = [r2*5,...] 337 # vs8 = [r1*5,...] 338 # 339 # r0, r4*5, r3*5, r2*5, r1*5; 340 # r1, r0, r4*5, r3*5, r2*5; 341 # r2, r1, r0, r4*5, r3*5; 342 # r3, r2, r1, r0, r4*5; 343 # r4, r3, r2, r1, r0 ; 344 # 345 .macro poly1305_setup_r 346 347 # save r 348 xxlor 26, 58, 58 349 xxlor 27, 59, 59 350 xxlor 28, 60, 60 351 xxlor 29, 61, 61 352 xxlor 30, 62, 62 353 354 xxlxor 31, 31, 31 355 356 # [r, r^3, r^2, r^4] 357 # compute r^2 358 vmr 4, 26 359 vmr 5, 27 360 vmr 6, 28 361 vmr 7, 29 362 vmr 8, 30 363 bl do_mul # r^2 r^1 364 xxpermdi 58, 58, 36, 0x3 # r0 365 xxpermdi 59, 59, 37, 0x3 # r1 366 xxpermdi 60, 60, 38, 0x3 # r2 367 xxpermdi 61, 61, 39, 0x3 # r3 368 xxpermdi 62, 62, 40, 0x3 # r4 369 xxpermdi 36, 36, 36, 0x3 370 xxpermdi 37, 37, 37, 0x3 371 xxpermdi 38, 38, 38, 0x3 372 xxpermdi 39, 39, 39, 0x3 373 xxpermdi 40, 40, 40, 0x3 374 vspltisb 13, 2 375 vsld 9, 27, 13 376 vsld 10, 28, 13 377 vsld 11, 29, 13 378 vsld 12, 30, 13 379 vaddudm 0, 9, 27 380 vaddudm 1, 10, 28 381 vaddudm 2, 11, 29 382 vaddudm 3, 12, 30 383 384 bl do_mul # r^4 r^3 385 vmrgow 26, 26, 4 386 vmrgow 27, 27, 5 387 vmrgow 28, 28, 6 388 vmrgow 29, 29, 7 389 vmrgow 30, 30, 8 390 vspltisb 13, 2 391 vsld 9, 27, 13 392 vsld 10, 28, 13 393 vsld 11, 29, 13 394 vsld 12, 30, 13 395 vaddudm 0, 9, 27 396 vaddudm 1, 10, 28 397 vaddudm 2, 11, 29 398 vaddudm 3, 12, 30 399 400 # r^2 r^4 401 xxlor 0, 58, 58 402 xxlor 1, 59, 59 403 xxlor 2, 60, 60 404 xxlor 3, 61, 61 405 xxlor 4, 62, 62 406 xxlor 5, 32, 32 407 xxlor 6, 33, 33 408 xxlor 7, 34, 34 409 xxlor 8, 35, 35 410 411 vspltw 9, 26, 3 412 vspltw 10, 26, 2 413 vmrgow 26, 10, 9 414 vspltw 9, 27, 3 415 vspltw 10, 27, 2 416 vmrgow 27, 10, 9 417 vspltw 9, 28, 3 418 vspltw 10, 28, 2 419 vmrgow 28, 10, 9 420 vspltw 9, 29, 3 421 vspltw 10, 29, 2 422 vmrgow 29, 10, 9 423 vspltw 9, 30, 3 424 vspltw 10, 30, 2 425 vmrgow 30, 10, 9 426 427 vsld 9, 27, 13 428 vsld 10, 28, 13 429 vsld 11, 29, 13 430 vsld 12, 30, 13 431 vaddudm 0, 9, 27 432 vaddudm 1, 10, 28 433 vaddudm 2, 11, 29 434 vaddudm 3, 12, 30 435 .endm 436 437 SYM_FUNC_START_LOCAL(do_mul) 438 mul_odd 439 440 # do reduction ( h %= p ) 441 # carry reduction 442 vspltisb 9, 2 443 vsrd 10, 14, 31 444 vsrd 11, 17, 31 445 vand 7, 17, 25 446 vand 4, 14, 25 447 vaddudm 18, 18, 11 448 vsrd 12, 18, 31 449 vaddudm 15, 15, 10 450 451 vsrd 11, 15, 31 452 vand 8, 18, 25 453 vand 5, 15, 25 454 vaddudm 4, 4, 12 455 vsld 10, 12, 9 456 vaddudm 6, 16, 11 457 458 vsrd 13, 6, 31 459 vand 6, 6, 25 460 vaddudm 4, 4, 10 461 vsrd 10, 4, 31 462 vaddudm 7, 7, 13 463 464 vsrd 11, 7, 31 465 vand 7, 7, 25 466 vand 4, 4, 25 467 vaddudm 5, 5, 10 468 vaddudm 8, 8, 11 469 blr 470 SYM_FUNC_END(do_mul) 471 472 # 473 # init key 474 # 475 .macro do_poly1305_init 476 addis 10, 2, rmask@toc@ha 477 addi 10, 10, rmask@toc@l 478 479 ld 11, 0(10) 480 ld 12, 8(10) 481 482 li 14, 16 483 li 15, 32 484 addis 10, 2, cnum@toc@ha 485 addi 10, 10, cnum@toc@l 486 lvx 25, 0, 10 # v25 - mask 487 lvx 31, 14, 10 # v31 = 1a 488 lvx 19, 15, 10 # v19 = 1 << 24 489 lxv 24, 48(10) # vs24 490 lxv 25, 64(10) # vs25 491 492 # initialize 493 # load key from r3 to vectors 494 ld 9, 24(3) 495 ld 10, 32(3) 496 and. 9, 9, 11 497 and. 10, 10, 12 498 499 # break 26 bits 500 extrdi 14, 9, 26, 38 501 extrdi 15, 9, 26, 12 502 extrdi 16, 9, 12, 0 503 mtvsrdd 58, 0, 14 504 insrdi 16, 10, 14, 38 505 mtvsrdd 59, 0, 15 506 extrdi 17, 10, 26, 24 507 mtvsrdd 60, 0, 16 508 extrdi 18, 10, 24, 0 509 mtvsrdd 61, 0, 17 510 mtvsrdd 62, 0, 18 511 512 # r1 = r1 * 5, r2 = r2 * 5, r3 = r3 * 5, r4 = r4 * 5 513 li 9, 5 514 mtvsrdd 36, 0, 9 515 vmulouw 0, 27, 4 # v0 = rr0 516 vmulouw 1, 28, 4 # v1 = rr1 517 vmulouw 2, 29, 4 # v2 = rr2 518 vmulouw 3, 30, 4 # v3 = rr3 519 .endm 520 521 # 522 # poly1305_p10le_4blocks( uint8_t *k, uint32_t mlen, uint8_t *m) 523 # k = 32 bytes key 524 # r3 = k (r, s) 525 # r4 = mlen 526 # r5 = m 527 # 528 SYM_FUNC_START(poly1305_p10le_4blocks) 529 .align 5 530 cmpdi 5, 64 531 blt Out_no_poly1305 532 533 SAVE_REGS 534 535 do_poly1305_init 536 537 li 21, 0 # counter to message 538 539 poly1305_setup_r 540 541 # load previous H state 542 # break/convert r6 to 26 bits 543 ld 9, 0(3) 544 ld 10, 8(3) 545 ld 19, 16(3) 546 sldi 19, 19, 24 547 mtvsrdd 41, 0, 19 548 extrdi 14, 9, 26, 38 549 extrdi 15, 9, 26, 12 550 extrdi 16, 9, 12, 0 551 mtvsrdd 36, 0, 14 552 insrdi 16, 10, 14, 38 553 mtvsrdd 37, 0, 15 554 extrdi 17, 10, 26, 24 555 mtvsrdd 38, 0, 16 556 extrdi 18, 10, 24, 0 557 mtvsrdd 39, 0, 17 558 mtvsrdd 40, 0, 18 559 vor 8, 8, 9 560 561 # input m1 m2 562 add 20, 4, 21 563 xxlor 49, 24, 24 564 xxlor 50, 25, 25 565 lxvw4x 43, 0, 20 566 addi 17, 20, 16 567 lxvw4x 44, 0, 17 568 vperm 14, 11, 12, 17 569 vperm 15, 11, 12, 18 570 vand 9, 14, 25 # a0 571 vsrd 10, 14, 31 # >> 26 572 vsrd 11, 10, 31 # 12 bits left 573 vand 10, 10, 25 # a1 574 vspltisb 13, 12 575 vand 16, 15, 25 576 vsld 12, 16, 13 577 vor 11, 11, 12 578 vand 11, 11, 25 # a2 579 vspltisb 13, 14 580 vsrd 12, 15, 13 # >> 14 581 vsrd 13, 12, 31 # >> 26, a4 582 vand 12, 12, 25 # a3 583 584 vaddudm 20, 4, 9 585 vaddudm 21, 5, 10 586 vaddudm 22, 6, 11 587 vaddudm 23, 7, 12 588 vaddudm 24, 8, 13 589 590 # m3 m4 591 addi 17, 17, 16 592 lxvw4x 43, 0, 17 593 addi 17, 17, 16 594 lxvw4x 44, 0, 17 595 vperm 14, 11, 12, 17 596 vperm 15, 11, 12, 18 597 vand 9, 14, 25 # a0 598 vsrd 10, 14, 31 # >> 26 599 vsrd 11, 10, 31 # 12 bits left 600 vand 10, 10, 25 # a1 601 vspltisb 13, 12 602 vand 16, 15, 25 603 vsld 12, 16, 13 604 vspltisb 13, 14 605 vor 11, 11, 12 606 vand 11, 11, 25 # a2 607 vsrd 12, 15, 13 # >> 14 608 vsrd 13, 12, 31 # >> 26, a4 609 vand 12, 12, 25 # a3 610 611 # Smash 4 message blocks into 5 vectors of [m4, m2, m3, m1] 612 vmrgow 4, 9, 20 613 vmrgow 5, 10, 21 614 vmrgow 6, 11, 22 615 vmrgow 7, 12, 23 616 vmrgow 8, 13, 24 617 vaddudm 8, 8, 19 618 619 addi 5, 5, -64 # len -= 64 620 addi 21, 21, 64 # offset += 64 621 622 li 9, 64 623 divdu 31, 5, 9 624 625 cmpdi 31, 0 626 ble Skip_block_loop 627 628 mtctr 31 629 630 # h4 = m1 * r⁴ + m2 * r³ + m3 * r² + m4 * r 631 # Rewrite the polynominal sum of product as follows, 632 # h1 = (h0 + m1) * r^2, h2 = (h0 + m2) * r^2 633 # h3 = (h1 + m3) * r^2, h4 = (h2 + m4) * r^2 --> (h0 + m1) r*4 + (h3 + m3) r^2, (h0 + m2) r^4 + (h0 + m4) r^2 634 # .... Repeat 635 # h5 = (h3 + m5) * r^2, h6 = (h4 + m6) * r^2 --> 636 # h7 = (h5 + m7) * r^2, h8 = (h6 + m8) * r^1 --> m5 * r^4 + m6 * r^3 + m7 * r^2 + m8 * r 637 # 638 loop_4blocks: 639 640 # Multiply odd words and even words 641 mul_odd 642 mul_even 643 # carry reduction 644 vspltisb 9, 2 645 vsrd 10, 14, 31 646 vsrd 11, 17, 31 647 vand 7, 17, 25 648 vand 4, 14, 25 649 vaddudm 18, 18, 11 650 vsrd 12, 18, 31 651 vaddudm 15, 15, 10 652 653 vsrd 11, 15, 31 654 vand 8, 18, 25 655 vand 5, 15, 25 656 vaddudm 4, 4, 12 657 vsld 10, 12, 9 658 vaddudm 6, 16, 11 659 660 vsrd 13, 6, 31 661 vand 6, 6, 25 662 vaddudm 4, 4, 10 663 vsrd 10, 4, 31 664 vaddudm 7, 7, 13 665 666 vsrd 11, 7, 31 667 vand 7, 7, 25 668 vand 4, 4, 25 669 vaddudm 5, 5, 10 670 vaddudm 8, 8, 11 671 672 # input m1 m2 m3 m4 673 add 20, 4, 21 674 xxlor 49, 24, 24 675 xxlor 50, 25, 25 676 lxvw4x 43, 0, 20 677 addi 17, 20, 16 678 lxvw4x 44, 0, 17 679 vperm 14, 11, 12, 17 680 vperm 15, 11, 12, 18 681 addi 17, 17, 16 682 lxvw4x 43, 0, 17 683 addi 17, 17, 16 684 lxvw4x 44, 0, 17 685 vperm 17, 11, 12, 17 686 vperm 18, 11, 12, 18 687 688 vand 20, 14, 25 # a0 689 vand 9, 17, 25 # a0 690 vsrd 21, 14, 31 # >> 26 691 vsrd 22, 21, 31 # 12 bits left 692 vsrd 10, 17, 31 # >> 26 693 vsrd 11, 10, 31 # 12 bits left 694 695 vand 21, 21, 25 # a1 696 vand 10, 10, 25 # a1 697 698 vspltisb 13, 12 699 vand 16, 15, 25 700 vsld 23, 16, 13 701 vor 22, 22, 23 702 vand 22, 22, 25 # a2 703 vand 16, 18, 25 704 vsld 12, 16, 13 705 vor 11, 11, 12 706 vand 11, 11, 25 # a2 707 vspltisb 13, 14 708 vsrd 23, 15, 13 # >> 14 709 vsrd 24, 23, 31 # >> 26, a4 710 vand 23, 23, 25 # a3 711 vsrd 12, 18, 13 # >> 14 712 vsrd 13, 12, 31 # >> 26, a4 713 vand 12, 12, 25 # a3 714 715 vaddudm 4, 4, 20 716 vaddudm 5, 5, 21 717 vaddudm 6, 6, 22 718 vaddudm 7, 7, 23 719 vaddudm 8, 8, 24 720 721 # Smash 4 message blocks into 5 vectors of [m4, m2, m3, m1] 722 vmrgow 4, 9, 4 723 vmrgow 5, 10, 5 724 vmrgow 6, 11, 6 725 vmrgow 7, 12, 7 726 vmrgow 8, 13, 8 727 vaddudm 8, 8, 19 728 729 addi 5, 5, -64 # len -= 64 730 addi 21, 21, 64 # offset += 64 731 732 bdnz loop_4blocks 733 734 Skip_block_loop: 735 xxlor 58, 0, 0 736 xxlor 59, 1, 1 737 xxlor 60, 2, 2 738 xxlor 61, 3, 3 739 xxlor 62, 4, 4 740 xxlor 32, 5, 5 741 xxlor 33, 6, 6 742 xxlor 34, 7, 7 743 xxlor 35, 8, 8 744 745 # Multiply odd words and even words 746 mul_odd 747 mul_even 748 749 # Sum the products. 750 xxpermdi 41, 31, 46, 0 751 xxpermdi 42, 31, 47, 0 752 vaddudm 4, 14, 9 753 xxpermdi 36, 31, 36, 3 754 vaddudm 5, 15, 10 755 xxpermdi 37, 31, 37, 3 756 xxpermdi 43, 31, 48, 0 757 vaddudm 6, 16, 11 758 xxpermdi 38, 31, 38, 3 759 xxpermdi 44, 31, 49, 0 760 vaddudm 7, 17, 12 761 xxpermdi 39, 31, 39, 3 762 xxpermdi 45, 31, 50, 0 763 vaddudm 8, 18, 13 764 xxpermdi 40, 31, 40, 3 765 766 # carry reduction 767 vspltisb 9, 2 768 vsrd 10, 4, 31 769 vsrd 11, 7, 31 770 vand 7, 7, 25 771 vand 4, 4, 25 772 vaddudm 8, 8, 11 773 vsrd 12, 8, 31 774 vaddudm 5, 5, 10 775 776 vsrd 11, 5, 31 777 vand 8, 8, 25 778 vand 5, 5, 25 779 vaddudm 4, 4, 12 780 vsld 10, 12, 9 781 vaddudm 6, 6, 11 782 783 vsrd 13, 6, 31 784 vand 6, 6, 25 785 vaddudm 4, 4, 10 786 vsrd 10, 4, 31 787 vaddudm 7, 7, 13 788 789 vsrd 11, 7, 31 790 vand 7, 7, 25 791 vand 4, 4, 25 792 vaddudm 5, 5, 10 793 vsrd 10, 5, 31 794 vand 5, 5, 25 795 vaddudm 6, 6, 10 796 vaddudm 8, 8, 11 797 798 b do_final_update 799 800 do_final_update: 801 # combine 26 bit limbs 802 # v4, v5, v6, v7 and v8 are 26 bit vectors 803 vsld 5, 5, 31 804 vor 20, 4, 5 805 vspltisb 11, 12 806 vsrd 12, 6, 11 807 vsld 6, 6, 31 808 vsld 6, 6, 31 809 vor 20, 20, 6 810 vspltisb 11, 14 811 vsld 7, 7, 11 812 vor 21, 7, 12 813 mfvsrld 16, 40 # save last 2 bytes 814 vsld 8, 8, 11 815 vsld 8, 8, 31 816 vor 21, 21, 8 817 mfvsrld 17, 52 818 mfvsrld 19, 53 819 srdi 16, 16, 24 820 821 std 17, 0(3) 822 std 19, 8(3) 823 stw 16, 16(3) 824 825 Out_loop: 826 li 3, 0 827 828 RESTORE_REGS 829 830 blr 831 832 Out_no_poly1305: 833 li 3, 0 834 blr 835 SYM_FUNC_END(poly1305_p10le_4blocks) 836 837 # 838 # ======================================================================= 839 # The following functions implement 64 x 64 bits multiplication poly1305. 840 # 841 SYM_FUNC_START_LOCAL(Poly1305_init_64) 842 # mask 0x0FFFFFFC0FFFFFFC 843 # mask 0x0FFFFFFC0FFFFFFF 844 addis 10, 2, rmask@toc@ha 845 addi 10, 10, rmask@toc@l 846 ld 11, 0(10) 847 ld 12, 8(10) 848 849 # initialize 850 # load key from r3 851 ld 9, 24(3) 852 ld 10, 32(3) 853 and. 9, 9, 11 # cramp mask r0 854 and. 10, 10, 12 # cramp mask r1 855 856 srdi 21, 10, 2 857 add 19, 21, 10 # s1: r19 - (r1 >> 2) *5 858 859 # setup r and s 860 li 25, 0 861 mtvsrdd 32+0, 9, 19 # r0, s1 862 mtvsrdd 32+1, 10, 9 # r1, r0 863 mtvsrdd 32+2, 19, 25 # s1 864 mtvsrdd 32+3, 9, 25 # r0 865 866 blr 867 SYM_FUNC_END(Poly1305_init_64) 868 869 # Poly1305_mult 870 # v6 = (h0, h1), v8 = h2 871 # v0 = (r0, s1), v1 = (r1, r0), v2 = s1, v3 = r0 872 # 873 # Output: v7, v10, v11 874 # 875 SYM_FUNC_START_LOCAL(Poly1305_mult) 876 # 877 # d0 = h0 * r0 + h1 * s1 878 vmsumudm 7, 6, 0, 9 # h0 * r0, h1 * s1 879 880 # d1 = h0 * r1 + h1 * r0 + h2 * s1 881 vmsumudm 11, 6, 1, 9 # h0 * r1, h1 * r0 882 vmsumudm 10, 8, 2, 11 # d1 += h2 * s1 883 884 # d2 = r0 885 vmsumudm 11, 8, 3, 9 # d2 = h2 * r0 886 blr 887 SYM_FUNC_END(Poly1305_mult) 888 889 # 890 # carry reduction 891 # h %=p 892 # 893 # Input: v7, v10, v11 894 # Output: r27, r28, r29 895 # 896 SYM_FUNC_START_LOCAL(Carry_reduction) 897 mfvsrld 27, 32+7 898 mfvsrld 28, 32+10 899 mfvsrld 29, 32+11 900 mfvsrd 20, 32+7 # h0.h 901 mfvsrd 21, 32+10 # h1.h 902 903 addc 28, 28, 20 904 adde 29, 29, 21 905 srdi 22, 29, 0x2 906 sldi 23, 22, 0x2 907 add 23, 23, 22 # (h2 & 3) * 5 908 addc 27, 27, 23 # h0 909 addze 28, 28 # h1 910 andi. 29, 29, 0x3 # h2 911 blr 912 SYM_FUNC_END(Carry_reduction) 913 914 # 915 # poly1305 multiplication 916 # h *= r, h %= p 917 # d0 = h0 * r0 + h1 * s1 918 # d1 = h0 * r1 + h1 * r0 + h2 * s1 919 # d2 = h0 * r0 920 # 921 # 922 # unsigned int poly1305_test_64s(unisgned char *state, const byte *src, size_t len, highbit) 923 # - no highbit if final leftover block (highbit = 0) 924 # 925 SYM_FUNC_START(poly1305_64s) 926 cmpdi 5, 0 927 ble Out_no_poly1305_64 928 929 mflr 0 930 std 0, 16(1) 931 stdu 1,-400(1) 932 933 SAVE_GPR 14, 112, 1 934 SAVE_GPR 15, 120, 1 935 SAVE_GPR 16, 128, 1 936 SAVE_GPR 17, 136, 1 937 SAVE_GPR 18, 144, 1 938 SAVE_GPR 19, 152, 1 939 SAVE_GPR 20, 160, 1 940 SAVE_GPR 21, 168, 1 941 SAVE_GPR 22, 176, 1 942 SAVE_GPR 23, 184, 1 943 SAVE_GPR 24, 192, 1 944 SAVE_GPR 25, 200, 1 945 SAVE_GPR 26, 208, 1 946 SAVE_GPR 27, 216, 1 947 SAVE_GPR 28, 224, 1 948 SAVE_GPR 29, 232, 1 949 SAVE_GPR 30, 240, 1 950 SAVE_GPR 31, 248, 1 951 952 # Init poly1305 953 bl Poly1305_init_64 954 955 li 25, 0 # offset to inp and outp 956 957 add 11, 25, 4 958 959 # load h 960 # h0, h1, h2? 961 ld 27, 0(3) 962 ld 28, 8(3) 963 lwz 29, 16(3) 964 965 li 30, 16 966 divdu 31, 5, 30 967 968 mtctr 31 969 970 mr 24, 6 # highbit 971 972 Loop_block_64: 973 vxor 9, 9, 9 974 975 ld 20, 0(11) 976 ld 21, 8(11) 977 addi 11, 11, 16 978 979 addc 27, 27, 20 980 adde 28, 28, 21 981 adde 29, 29, 24 982 983 li 22, 0 984 mtvsrdd 32+6, 27, 28 # h0, h1 985 mtvsrdd 32+8, 29, 22 # h2 986 987 bl Poly1305_mult 988 989 bl Carry_reduction 990 991 bdnz Loop_block_64 992 993 std 27, 0(3) 994 std 28, 8(3) 995 stw 29, 16(3) 996 997 li 3, 0 998 999 RESTORE_GPR 14, 112, 1 1000 RESTORE_GPR 15, 120, 1 1001 RESTORE_GPR 16, 128, 1 1002 RESTORE_GPR 17, 136, 1 1003 RESTORE_GPR 18, 144, 1 1004 RESTORE_GPR 19, 152, 1 1005 RESTORE_GPR 20, 160, 1 1006 RESTORE_GPR 21, 168, 1 1007 RESTORE_GPR 22, 176, 1 1008 RESTORE_GPR 23, 184, 1 1009 RESTORE_GPR 24, 192, 1 1010 RESTORE_GPR 25, 200, 1 1011 RESTORE_GPR 26, 208, 1 1012 RESTORE_GPR 27, 216, 1 1013 RESTORE_GPR 28, 224, 1 1014 RESTORE_GPR 29, 232, 1 1015 RESTORE_GPR 30, 240, 1 1016 RESTORE_GPR 31, 248, 1 1017 1018 addi 1, 1, 400 1019 ld 0, 16(1) 1020 mtlr 0 1021 1022 blr 1023 1024 Out_no_poly1305_64: 1025 li 3, 0 1026 blr 1027 SYM_FUNC_END(poly1305_64s) 1028 1029 # 1030 # Input: r3 = h, r4 = s, r5 = mac 1031 # mac = h + s 1032 # 1033 SYM_FUNC_START(poly1305_emit_64) 1034 ld 10, 0(3) 1035 ld 11, 8(3) 1036 ld 12, 16(3) 1037 1038 # compare modulus 1039 # h + 5 + (-p) 1040 mr 6, 10 1041 mr 7, 11 1042 mr 8, 12 1043 addic. 6, 6, 5 1044 addze 7, 7 1045 addze 8, 8 1046 srdi 9, 8, 2 # overflow? 1047 cmpdi 9, 0 1048 beq Skip_h64 1049 mr 10, 6 1050 mr 11, 7 1051 mr 12, 8 1052 1053 Skip_h64: 1054 ld 6, 0(4) 1055 ld 7, 8(4) 1056 addc 10, 10, 6 1057 adde 11, 11, 7 1058 addze 12, 12 1059 1060 std 10, 0(5) 1061 std 11, 8(5) 1062 blr 1063 SYM_FUNC_END(poly1305_emit_64) 1064 1065 SYM_DATA_START_LOCAL(RMASK) 1066 .align 5 1067 rmask: 1068 .byte 0xff, 0xff, 0xff, 0x0f, 0xfc, 0xff, 0xff, 0x0f, 0xfc, 0xff, 0xff, 0x0f, 0xfc, 0xff, 0xff, 0x0f 1069 cnum: 1070 .long 0x03ffffff, 0x00000000, 0x03ffffff, 0x00000000 1071 .long 0x1a, 0x00, 0x1a, 0x00 1072 .long 0x01000000, 0x01000000, 0x01000000, 0x01000000 1073 .long 0x00010203, 0x04050607, 0x10111213, 0x14151617 1074 .long 0x08090a0b, 0x0c0d0e0f, 0x18191a1b, 0x1c1d1e1f 1075 SYM_DATA_END(RMASK) 1076