3 # ====================================================================
4 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
5 # project. The module is, however, dual licensed under OpenSSL and
6 # CRYPTOGAMS licenses depending on where you obtain it. For further
7 # details see http://www.openssl.org/~appro/cryptogams/.
8 # ====================================================================
# This module implements support for ARMv8 AES instructions. The
# module is endian-agnostic in the sense that it supports both big- and
# little-endian cases. It also supports both 32- and 64-bit modes
# of operation. The latter is achieved by limiting the number of utilized
# registers to 16, which implies additional NEON load and integer
# instructions. This has no effect on the mighty Apple A7, where results
# are literally equal to the theoretical estimates based on AES
# instruction latencies and issue rates. On Cortex-A53, an in-order
# execution core, this costs up to 10-15%, which is partially
# compensated by implementing a dedicated code path for the 128-bit
# CBC encrypt case. On Cortex-A57 parallelizable mode performance
# seems to be limited by the sheer amount of NEON instructions...
23 # Performance in cycles per byte processed with 128-bit key:
26 # Apple A7 2.39 1.20 1.20
27 # Cortex-A53 2.45 1.87 1.94
28 # Cortex-A57 3.64 1.34 1.32
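# Send everything this script prints to the assembler file named by the
# next command-line argument. The three-argument form takes the name
# literally instead of parsing it for an open mode, and the check fails
# the build loudly: with an unchecked open, a bad path would leave
# STDOUT closed and the generated .S file silently empty or missing.
# Without an argument, output goes to the inherited STDOUT (handy for
# eyeballing the generated assembler).
{
    my $out_file = shift;
    if (defined $out_file) {
        open STDOUT, '>', $out_file
            or die "$0: cannot open output file '$out_file': $!";
    }
}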
# Per-flavour assembler preamble: AArch64 builds enable the crypto
# extension; AArch32 builds select NEON and the 32-bit ARM instruction
# set.
if ($flavour =~ /64/) {
    $code .= ".arch armv8-a+crypto\n";
}
else {
    $code .= ".fpu neon\n.code 32\n";
}
# Assembler mnemonics are an eclectic mix of 32- and 64-bit syntax:
# NEON is mostly 32-bit mnemonics, integer mostly 64-bit. The goal is to
# maintain both 32- and 64-bit code within a single module and
# transliterate the common code to either flavour with regex voodoo.
# Register assignment for ${prefix}_set_encrypt_key: integer
# argument/scratch registers first, then seven NEON working registers.
my ($inp,$bits,$out,$ptr,$rounds)=("x0","w1","x2","x3","w12");
# 64-bit code uses q0-q6; 32-bit code skips q4-q7 and takes q8-q10
# instead (presumably to stay clear of the callee-saved d8-d15, which
# the cbc/ctr entry points have to save explicitly).
my @neon_idx = $flavour =~ /64/ ? (0 .. 6) : (0 .. 3, 8 .. 10);
my ($zero,$rcon,$mask,$in0,$in1,$tmp,$key) = map { "q$_" } @neon_idx;
58 .long 0x01,0x01,0x01,0x01
59 .long 0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d // rotate-n-splat
60 .long 0x1b,0x1b,0x1b,0x1b
62 .globl ${prefix}_set_encrypt_key
63 .type ${prefix}_set_encrypt_key,%function
65 ${prefix}_set_encrypt_key:
68 $code.=<<___ if ($flavour =~ /64/);
69 stp x29,x30,[sp,#-16]!
89 veor $zero,$zero,$zero
90 vld1.8 {$in0},[$inp],#16
91 mov $bits,#8 // reuse $bits
92 vld1.32 {$rcon,$mask},[$ptr],#32
100 vtbl.8 $key,{$in0},$mask
101 vext.8 $tmp,$zero,$in0,#12
102 vst1.32 {$in0},[$out],#16
107 vext.8 $tmp,$zero,$tmp,#12
109 vext.8 $tmp,$zero,$tmp,#12
112 vshl.u8 $rcon,$rcon,#1
116 vld1.32 {$rcon},[$ptr]
118 vtbl.8 $key,{$in0},$mask
119 vext.8 $tmp,$zero,$in0,#12
120 vst1.32 {$in0},[$out],#16
124 vext.8 $tmp,$zero,$tmp,#12
126 vext.8 $tmp,$zero,$tmp,#12
129 vshl.u8 $rcon,$rcon,#1
132 vtbl.8 $key,{$in0},$mask
133 vext.8 $tmp,$zero,$in0,#12
134 vst1.32 {$in0},[$out],#16
138 vext.8 $tmp,$zero,$tmp,#12
140 vext.8 $tmp,$zero,$tmp,#12
144 vst1.32 {$in0},[$out]
152 vld1.8 {$in1},[$inp],#8
153 vmov.i8 $key,#8 // borrow $key
154 vst1.32 {$in0},[$out],#16
155 vsub.i8 $mask,$mask,$key // adjust the mask
158 vtbl.8 $key,{$in1},$mask
159 vext.8 $tmp,$zero,$in0,#12
160 vst1.32 {$in1},[$out],#8
165 vext.8 $tmp,$zero,$tmp,#12
167 vext.8 $tmp,$zero,$tmp,#12
170 vdup.32 $tmp,${in0}[3]
173 vext.8 $in1,$zero,$in1,#12
174 vshl.u8 $rcon,$rcon,#1
178 vst1.32 {$in0},[$out],#16
190 vst1.32 {$in0},[$out],#16
193 vtbl.8 $key,{$in1},$mask
194 vext.8 $tmp,$zero,$in0,#12
195 vst1.32 {$in1},[$out],#16
200 vext.8 $tmp,$zero,$tmp,#12
202 vext.8 $tmp,$zero,$tmp,#12
205 vshl.u8 $rcon,$rcon,#1
207 vst1.32 {$in0},[$out],#16
210 vdup.32 $key,${in0}[3] // just splat
211 vext.8 $tmp,$zero,$in1,#12
215 vext.8 $tmp,$zero,$tmp,#12
217 vext.8 $tmp,$zero,$tmp,#12
228 mov x0,$ptr // return value
229 `"ldr x29,[sp],#16" if ($flavour =~ /64/)`
231 .size ${prefix}_set_encrypt_key,.-${prefix}_set_encrypt_key
233 .globl ${prefix}_set_decrypt_key
234 .type ${prefix}_set_decrypt_key,%function
236 ${prefix}_set_decrypt_key:
238 $code.=<<___ if ($flavour =~ /64/);
239 stp x29,x30,[sp,#-16]!
242 $code.=<<___ if ($flavour !~ /64/);
251 sub $out,$out,#240 // restore original $out
253 add $inp,$out,x12,lsl#4 // end of key schedule
255 vld1.32 {v0.16b},[$out]
256 vld1.32 {v1.16b},[$inp]
257 vst1.32 {v0.16b},[$inp],x4
258 vst1.32 {v1.16b},[$out],#16
261 vld1.32 {v0.16b},[$out]
262 vld1.32 {v1.16b},[$inp]
265 vst1.32 {v0.16b},[$inp],x4
266 vst1.32 {v1.16b},[$out],#16
270 vld1.32 {v0.16b},[$out]
272 vst1.32 {v0.16b},[$inp]
274 eor x0,x0,x0 // return value
277 $code.=<<___ if ($flavour !~ /64/);
280 $code.=<<___ if ($flavour =~ /64/);
285 .size ${prefix}_set_decrypt_key,.-${prefix}_set_decrypt_key
# $dir is "en" or "de": it selects the round mnemonics (aese/aesmc vs
# aesd/aesimc) and the generated symbol name ${prefix}_${dir}crypt.
my ($e,$mc);
if ($dir eq "en") {
    ($e,$mc) = ("e","mc");
}
else {
    ($e,$mc) = ("d","imc");
}
# Argument registers: x0=in, x1=out, x2=key.
my ($inp,$out,$key) = map { "x$_" } 0 .. 2;
# Two round-key registers and the data block. The map yields four names
# but only the first three are bound, exactly as before (q3 unused here).
my ($rndkey0,$rndkey1,$inout) = map { "q$_" } 0 .. 3;
297 .globl ${prefix}_${dir}crypt
298 .type ${prefix}_${dir}crypt,%function
300 ${prefix}_${dir}crypt:
301 ldr $rounds,[$key,#240]
302 vld1.32 {$rndkey0},[$key],#16
303 vld1.8 {$inout},[$inp]
304 sub $rounds,$rounds,#2
305 vld1.32 {$rndkey1},[$key],#16
308 aes$e $inout,$rndkey0
309 vld1.32 {$rndkey0},[$key],#16
311 subs $rounds,$rounds,#2
312 aes$e $inout,$rndkey1
313 vld1.32 {$rndkey1},[$key],#16
317 aes$e $inout,$rndkey0
318 vld1.32 {$rndkey0},[$key]
320 aes$e $inout,$rndkey1
321 veor $inout,$inout,$rndkey0
323 vst1.8 {$inout},[$out]
325 .size ${prefix}_${dir}crypt,.-${prefix}_${dir}crypt
# ${prefix}_cbc_encrypt register map.
# Integer arguments: x0=in, x1=out, x2=len, x3=key, x4=ivp, w5=enc flag.
my ($inp,$out,$len,$key,$ivp) = map { "x$_" } 0 .. 4;
my $enc = "w5";
# $rounds reuses the enc-flag register (the flag is tested with cmp
# before the round count is loaded into it); $step is the input-pointer
# post-increment.
my ($rounds,$cnt,$key_,$step,$step1) = ($enc, "w6", "x7", "x8", "x12");
# NEON working set in q0-q7: two data blocks, two saved inputs, two
# temporaries, the IV and the last round key. q8-q15 hold the preloaded
# key schedule.
my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast) = map { "q$_" } 0 .. 7;
# Single-block aliases; $rndzero_n_last is later filled with
# rndkey[0] XOR rndkey[last].
my ($dat,$tmp,$rndzero_n_last) = ($dat0, $tmp0, $tmp1);
338 ### q8-q15 preloaded key schedule
341 .globl ${prefix}_cbc_encrypt
342 .type ${prefix}_cbc_encrypt,%function
344 ${prefix}_cbc_encrypt:
346 $code.=<<___ if ($flavour =~ /64/);
347 stp x29,x30,[sp,#-16]!
350 $code.=<<___ if ($flavour !~ /64/);
353 vstmdb sp!,{d8-d15} @ ABI specification says so
354 ldmia ip,{r4-r5} @ load remaining args
362 cmp $enc,#0 // en- or decrypting?
363 ldr $rounds,[$key,#240]
365 vld1.8 {$ivec},[$ivp]
366 vld1.8 {$dat},[$inp],$step
368 vld1.32 {q8-q9},[$key] // load key schedule...
369 sub $rounds,$rounds,#6
370 add $key_,$key,x5,lsl#4 // pointer to last 7 round keys
371 sub $rounds,$rounds,#2
372 vld1.32 {q10-q11},[$key_],#32
373 vld1.32 {q12-q13},[$key_],#32
374 vld1.32 {q14-q15},[$key_],#32
375 vld1.32 {$rndlast},[$key_]
383 veor $rndzero_n_last,q8,$rndlast
388 vld1.32 {q8},[$key_],#16
392 vld1.32 {q9},[$key_],#16
407 vld1.8 {q8},[$inp],$step
410 veor q8,q8,$rndzero_n_last
413 vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
419 veor $ivec,$dat,$rndlast
420 vst1.8 {$ivec},[$out],#16
427 vld1.32 {$in0-$in1},[$key_]
434 vst1.8 {$ivec},[$out],#16
448 vld1.8 {q8},[$inp],$step
455 veor q8,q8,$rndzero_n_last
457 veor $ivec,$dat,$rndlast
458 b.hs .Loop_cbc_enc128
460 vst1.8 {$ivec},[$out],#16
464 my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9));
468 vld1.8 {$dat2},[$inp],#16
469 subs $len,$len,#32 // bias
473 vorr $in2,$dat2,$dat2
476 vorr $dat1,$dat2,$dat2
477 vld1.8 {$dat2},[$inp],#16
479 vorr $in1,$dat1,$dat1
480 vorr $in2,$dat2,$dat2
486 vld1.32 {q8},[$key_],#16
494 vld1.32 {q9},[$key_],#16
503 veor $tmp0,$ivec,$rndlast
507 veor $tmp1,$in0,$rndlast
511 veor $tmp2,$in1,$rndlast
517 mov.lo x6,$len // x6, $cnt, is zero at this point
521 add $inp,$inp,x6 // $inp is adjusted in such way that
522 // at exit from the loop $dat1-$dat2
523 // are loaded with last "words"
531 vld1.8 {$in0},[$inp],#16
535 vld1.8 {$in1},[$inp],#16
539 vld1.8 {$in2},[$inp],#16
543 vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
549 veor $tmp0,$tmp0,$dat0
550 veor $tmp1,$tmp1,$dat1
551 veor $dat2,$dat2,$tmp2
552 vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
554 vst1.8 {$tmp0},[$out],#16
556 vst1.8 {$tmp1},[$out],#16
557 vst1.8 {$dat2},[$out],#16
568 vld1.32 {q8},[$key_],#16
574 vld1.32 {q9},[$key_],#16
596 veor $tmp1,$ivec,$rndlast
601 veor $tmp2,$in1,$rndlast
605 veor $tmp1,$tmp1,$dat1
606 veor $tmp2,$tmp2,$dat2
608 vst1.8 {$tmp1},[$out],#16
609 vst1.8 {$tmp2},[$out],#16
613 veor $tmp1,$tmp1,$dat2
615 vst1.8 {$tmp1},[$out],#16
618 vst1.8 {$ivec},[$ivp]
622 $code.=<<___ if ($flavour !~ /64/);
626 $code.=<<___ if ($flavour =~ /64/);
631 .size ${prefix}_cbc_encrypt,.-${prefix}_cbc_encrypt
# ${prefix}_ctr32_encrypt_blocks register map.
# Integer arguments: x0=in, x1=out, x2=len, x3=key, x4=ivp.
my ($inp,$out,$len,$key,$ivp) = map { "x$_" } 0 .. 4;
my ($rounds,$cnt,$key_) = ("w5", "w6", "x7");
# The 32-bit counter (last word of the IV) plus three per-block copies.
my ($ctr,$tctr0,$tctr1,$tctr2) = map { "w$_" } (8 .. 10, 12);
my $step = "x12";    # same physical register as $tctr2
# NEON working set in q0-q7; q8-q15 hold the preloaded key schedule.
my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast) = map { "q$_" } 0 .. 7;
# Third block for the three-way interleaved loop.
my ($dat2,$in2,$tmp2) = map { "q$_" } (10, 11, 9);
# Single-block aliases.
my ($dat,$tmp) = ($dat0, $tmp0);
645 ### q8-q15 preloaded key schedule
648 .globl ${prefix}_ctr32_encrypt_blocks
649 .type ${prefix}_ctr32_encrypt_blocks,%function
651 ${prefix}_ctr32_encrypt_blocks:
653 $code.=<<___ if ($flavour =~ /64/);
654 stp x29,x30,[sp,#-16]!
657 $code.=<<___ if ($flavour !~ /64/);
659 stmdb sp!,{r4-r10,lr}
660 vstmdb sp!,{d8-d15} @ ABI specification says so
661 ldr r4, [ip] @ load remaining arg
664 ldr $rounds,[$key,#240]
666 ldr $ctr, [$ivp, #12]
667 vld1.32 {$dat0},[$ivp]
669 vld1.32 {q8-q9},[$key] // load key schedule...
670 sub $rounds,$rounds,#4
673 add $key_,$key,x5,lsl#4 // pointer to last 5 round keys
674 sub $rounds,$rounds,#2
675 vld1.32 {q12-q13},[$key_],#32
676 vld1.32 {q14-q15},[$key_],#32
677 vld1.32 {$rndlast},[$key_]
684 vorr $dat1,$dat0,$dat0
686 vorr $dat2,$dat0,$dat0
688 vorr $ivec,$dat0,$dat0
690 vmov.32 ${dat1}[3],$tctr1
693 sub $len,$len,#3 // bias
694 vmov.32 ${dat2}[3],$tctr2
702 vld1.32 {q8},[$key_],#16
710 vld1.32 {q9},[$key_],#16
721 vld1.8 {$in0},[$inp],#16
724 vorr $dat0,$ivec,$ivec
726 vld1.8 {$in1},[$inp],#16
729 vorr $dat1,$ivec,$ivec
731 vld1.8 {$in2},[$inp],#16
734 vorr $dat2,$ivec,$ivec
739 veor $in0,$in0,$rndlast
744 veor $in1,$in1,$rndlast
749 veor $in2,$in2,$rndlast
752 vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
755 vmov.32 ${dat0}[3], $tctr0
760 vmov.32 ${dat1}[3], $tctr1
765 vmov.32 ${dat2}[3], $tctr2
775 vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
776 vst1.8 {$in0},[$out],#16
777 vst1.8 {$in1},[$out],#16
778 vst1.8 {$in2},[$out],#16
790 vld1.32 {q8},[$key_],#16
796 vld1.32 {q9},[$key_],#16
809 vld1.8 {$in0},[$inp],$step
821 veor $in0,$in0,$rndlast
824 veor $in1,$in1,$rndlast
831 vst1.8 {$in0},[$out],#16
837 $code.=<<___ if ($flavour !~ /64/);
839 ldmia sp!,{r4-r10,pc}
841 $code.=<<___ if ($flavour =~ /64/);
846 .size ${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks
852 ########################################
853 if ($flavour =~ /64/) { ######## 64-bit code
855 "aesd" => 0x4e285800, "aese" => 0x4e284800,
856 "aesimc"=> 0x4e287800, "aesmc" => 0x4e286800 );
859 my ($mnemonic,$arg)=@_;
861 $arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)/o &&
862 sprintf ".inst\t0x%08x\t//%s %s",
863 $opcode{$mnemonic}|$1|($2<<5),
867 foreach(split("\n",$code)) {
868 s/\`([^\`]*)\`/eval($1)/geo;
870 s/\bq([0-9]+)\b/"v".($1<8?$1:$1+8).".16b"/geo; # old->new registers
871 s/@\s/\/\//o; # old->new style commentary
873 #s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo or
874 s/cclr\s+([wx])([^,]+),\s*([a-z]+)/csel $1$2,$1zr,$1$2,$3/o or
875 s/mov\.([a-z]+)\s+([wx][0-9]+),\s*([wx][0-9]+)/csel $2,$3,$2,$1/o or
876 s/vmov\.i8/movi/o or # fix up legacy mnemonics
878 s/vrev32\.8/rev32/o or
881 s/^(\s+)v/$1/o or # strip off v prefix
# fix up remaining legacy suffixes
886 m/\],#8/o and s/\.16b/\.8b/go;
887 s/\.[ui]?32//o and s/\.16b/\.4s/go;
888 s/\.[ui]?64//o and s/\.16b/\.2d/go;
889 s/\.[42]([sd])\[([0-3])\]/\.$1\[$2\]/o;
893 } else { ######## 32-bit code
895 "aesd" => 0xf3b00340, "aese" => 0xf3b00300,
896 "aesimc"=> 0xf3b003c0, "aesmc" => 0xf3b00380 );
899 my ($mnemonic,$arg)=@_;
901 if ($arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)/o) {
902 my $word = $opcode{$mnemonic}|(($1&7)<<13)|(($1&8)<<19)
903 |(($2&7)<<1) |(($2&8)<<2);
# Since ARMv7 instructions are always encoded little-endian, emit the
# word as four .byte values, least significant byte first. The correct
# solution is to use the .inst directive, but older assemblers don't
# implement it :-(
907 sprintf ".byte\t0x%02x,0x%02x,0x%02x,0x%02x\t@ %s %s",
908 $word&0xff,($word>>8)&0xff,
909 ($word>>16)&0xff,($word>>24)&0xff,
917 $arg =~ m/q([0-9]+),\s*\{q([0-9]+)\},\s*q([0-9]+)/o &&
918 sprintf "vtbl.8 d%d,{q%d},d%d\n\t".
919 "vtbl.8 d%d,{q%d},d%d", 2*$1,$2,2*$3, 2*$1+1,$2,2*$3+1;
925 $arg =~ m/q([0-9]+),\s*q([0-9]+)\[([0-3])\]/o &&
926 sprintf "vdup.32 q%d,d%d[%d]",$1,2*$2+($3>>1),$3&1;
932 $arg =~ m/q([0-9]+)\[([0-3])\],(.*)/o &&
933 sprintf "vmov.32 d%d[%d],%s",2*$1+($2>>1),$2&1,$3;
936 foreach(split("\n",$code)) {
937 s/\`([^\`]*)\`/eval($1)/geo;
939 s/\b[wx]([0-9]+)\b/r$1/go; # new->old registers
940 s/\bv([0-9])\.[12468]+[bsd]\b/q$1/go; # new->old registers
941 s/\/\/\s?/@ /o; # new->old style commentary
# fix up remaining new-style suffixes
944 s/\{q([0-9]+)\},\s*\[(.+)\],#8/sprintf "{d%d},[$2]!",2*$1/eo or
947 s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo or
948 s/cclr\s+([^,]+),\s*([a-z]+)/mov$2 $1,#0/o or
949 s/vtbl\.8\s+(.*)/unvtbl($1)/geo or
950 s/vdup\.32\s+(.*)/unvdup32($1)/geo or
951 s/vmov\.32\s+(.*)/unvmov32($1)/geo or
953 s/^(\s+)mov\./$1mov/o or
954 s/^(\s+)ret/$1bx\tlr/o;