2 # Copyright 2014-2016 The OpenSSL Project Authors. All Rights Reserved.
4 # Licensed under the OpenSSL license (the "License"). You may not use
5 # this file except in compliance with the License. You can obtain a copy
6 # in the file LICENSE in the source distribution or at
7 # https://www.openssl.org/source/license.html
10 # ====================================================================
11 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
12 # project. The module is, however, dual licensed under OpenSSL and
13 # CRYPTOGAMS licenses depending on where you obtain it. For further
14 # details see http://www.openssl.org/~appro/cryptogams/.
15 # ====================================================================
17 # GHASH for for PowerISA v2.07.
21 # Accurate performance measurements are problematic, because it's
22 # always virtualized setup with possibly throttled processor.
23 # Relative comparison is therefore more informative. This initial
24 # version is ~2.1x slower than hardware-assisted AES-128-CTR, ~12x
25 # faster than "4-bit" integer-only compiler-generated 64-bit code.
26 # "Initial version" means that there is room for futher improvement.
31 if ($flavour =~ /64/) {
37 } elsif ($flavour =~ /32/) {
43 } else { die "nonsense $flavour"; }
45 $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
46 ( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or
47 ( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or
48 die "can't locate ppc-xlate.pl";
50 open STDOUT,"| $^X $xlate $flavour $output" || die "can't call $xlate: $!";
52 my ($Xip,$Htbl,$inp,$len)=map("r$_",(3..6)); # argument block
54 my ($Xl,$Xm,$Xh,$IN)=map("v$_",(0..3));
55 my ($zero,$t0,$t1,$t2,$xC2,$H,$Hh,$Hl,$lemask)=map("v$_",(4..12));
72 lvx_u $H,0,r4 # load H
74 vspltisb $xC2,-16 # 0xf0
76 vaddubm $xC2,$xC2,$xC2 # 0xe0
77 vxor $zero,$zero,$zero
78 vor $xC2,$xC2,$t0 # 0xe1
79 vsldoi $xC2,$xC2,$zero,15 # 0xe1...
80 vsldoi $t1,$zero,$t0,1 # ...1
81 vaddubm $xC2,$xC2,$xC2 # 0xc2...
83 vor $xC2,$xC2,$t1 # 0xc2....01
84 vspltb $t1,$H,0 # most significant byte
86 vsrab $t1,$t1,$t2 # broadcast carry bit
88 vxor $H,$H,$t1 # twisted H
90 vsldoi $H,$H,$H,8 # twist even more ...
91 vsldoi $xC2,$zero,$xC2,8 # 0xc2.0
92 vsldoi $Hl,$zero,$H,8 # ... and split
95 stvx_u $xC2,0,r3 # save pre-computed table
103 .byte 0,12,0x14,0,0,0,2,0
105 .size .gcm_init_p8,.-.gcm_init_p8
116 lvx_u $IN,0,$Xip # load Xi
118 lvx_u $Hl,r8,$Htbl # load pre-computed table
119 le?lvsl $lemask,r0,r0
123 le?vxor $lemask,$lemask,$t0
125 le?vperm $IN,$IN,$IN,$lemask
126 vxor $zero,$zero,$zero
128 vpmsumd $Xl,$IN,$Hl # H.lo·Xi.lo
129 vpmsumd $Xm,$IN,$H # H.hi·Xi.lo+H.lo·Xi.hi
130 vpmsumd $Xh,$IN,$Hh # H.hi·Xi.hi
132 vpmsumd $t2,$Xl,$xC2 # 1st phase
134 vsldoi $t0,$Xm,$zero,8
135 vsldoi $t1,$zero,$Xm,8
142 vsldoi $t1,$Xl,$Xl,8 # 2nd phase
147 le?vperm $Xl,$Xl,$Xl,$lemask
148 stvx_u $Xl,0,$Xip # write out Xi
153 .byte 0,12,0x14,0,0,0,2,0
155 .size .gcm_gmult_p8,.-.gcm_gmult_p8
166 lvx_u $Xl,0,$Xip # load Xi
168 lvx_u $Hl,r8,$Htbl # load pre-computed table
169 le?lvsl $lemask,r0,r0
173 le?vxor $lemask,$lemask,$t0
175 le?vperm $Xl,$Xl,$Xl,$lemask
176 vxor $zero,$zero,$zero
181 le?vperm $IN,$IN,$IN,$lemask
188 vpmsumd $Xl,$IN,$Hl # H.lo·Xi.lo
189 subfe. r0,r0,r0 # borrow?-1:0
190 vpmsumd $Xm,$IN,$H # H.hi·Xi.lo+H.lo·Xi.hi
192 vpmsumd $Xh,$IN,$Hh # H.hi·Xi.hi
195 vpmsumd $t2,$Xl,$xC2 # 1st phase
197 vsldoi $t0,$Xm,$zero,8
198 vsldoi $t1,$zero,$Xm,8
207 vsldoi $t1,$Xl,$Xl,8 # 2nd phase
209 le?vperm $IN,$IN,$IN,$lemask
213 beq Loop # did $len-=16 borrow?
216 le?vperm $Xl,$Xl,$Xl,$lemask
217 stvx_u $Xl,0,$Xip # write out Xi
222 .byte 0,12,0x14,0,0,0,4,0
224 .size .gcm_ghash_p8,.-.gcm_ghash_p8
226 .asciz "GHASH for PowerISA 2.07, CRYPTOGAMS by <appro\@openssl.org>"
230 foreach (split("\n",$code)) {
231 if ($flavour =~ /le$/o) { # little-endian
241 close STDOUT; # enforce flush