1// This file is generated from a similarly-named Perl script in the BoringSSL 2// source tree. Do not edit by hand. 3 4#if !defined(__has_feature) 5#define __has_feature(x) 0 6#endif 7#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM) 8#define OPENSSL_NO_ASM 9#endif 10 11#if !defined(OPENSSL_NO_ASM) 12#if defined(__arm__) 13#if defined(BORINGSSL_PREFIX) 14#include <boringssl_prefix_symbols_asm.h> 15#endif 16.syntax unified 17 18.arch armv7-a 19.fpu neon 20 21#if defined(__thumb2__) 22.thumb 23#else 24.code 32 25#endif 26 27.text 28 29.type _vpaes_consts,%object 30.align 7 @ totally strategic alignment 31_vpaes_consts: 32.Lk_mc_forward:@ mc_forward 33.quad 0x0407060500030201, 0x0C0F0E0D080B0A09 34.quad 0x080B0A0904070605, 0x000302010C0F0E0D 35.quad 0x0C0F0E0D080B0A09, 0x0407060500030201 36.quad 0x000302010C0F0E0D, 0x080B0A0904070605 37.Lk_mc_backward:@ mc_backward 38.quad 0x0605040702010003, 0x0E0D0C0F0A09080B 39.quad 0x020100030E0D0C0F, 0x0A09080B06050407 40.quad 0x0E0D0C0F0A09080B, 0x0605040702010003 41.quad 0x0A09080B06050407, 0x020100030E0D0C0F 42.Lk_sr:@ sr 43.quad 0x0706050403020100, 0x0F0E0D0C0B0A0908 44.quad 0x030E09040F0A0500, 0x0B06010C07020D08 45.quad 0x0F060D040B020900, 0x070E050C030A0108 46.quad 0x0B0E0104070A0D00, 0x0306090C0F020508 47 48@ 49@ "Hot" constants 50@ 51.Lk_inv:@ inv, inva 52.quad 0x0E05060F0D080180, 0x040703090A0B0C02 53.quad 0x01040A060F0B0780, 0x030D0E0C02050809 54.Lk_ipt:@ input transform (lo, hi) 55.quad 0xC2B2E8985A2A7000, 0xCABAE09052227808 56.quad 0x4C01307D317C4D00, 0xCD80B1FCB0FDCC81 57.Lk_sbo:@ sbou, sbot 58.quad 0xD0D26D176FBDC700, 0x15AABF7AC502A878 59.quad 0xCFE474A55FBB6A00, 0x8E1E90D1412B35FA 60.Lk_sb1:@ sb1u, sb1t 61.quad 0x3618D415FAE22300, 0x3BF7CCC10D2ED9EF 62.quad 0xB19BE18FCB503E00, 0xA5DF7A6E142AF544 63.Lk_sb2:@ sb2u, sb2t 64.quad 0x69EB88400AE12900, 0xC2A163C8AB82234A 65.quad 0xE27A93C60B712400, 0x5EB7E955BC982FCD 66 67.byte 86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105,111,110,32,65,69,83,32,102,111,114,32,65,82,77,118,55,32,78,69,79,78,44,32,77,105,107,101,32,72,97,109,98,117,114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105,118,101,114,115,105,116,121,41,0 68.align 2 69.size _vpaes_consts,.-_vpaes_consts 70.align 6 71@@ 72@@ _aes_preheat 73@@ 74@@ Fills q9-q15 as specified below. 75@@ 76.type _vpaes_preheat,%function 77.align 4 78_vpaes_preheat: 79 adr r10, .Lk_inv 80 vmov.i8 q9, #0x0f @ .Lk_s0F 81 vld1.64 {q10,q11}, [r10]! @ .Lk_inv 82 add r10, r10, #64 @ Skip .Lk_ipt, .Lk_sbo 83 vld1.64 {q12,q13}, [r10]! @ .Lk_sb1 84 vld1.64 {q14,q15}, [r10] @ .Lk_sb2 85 bx lr 86 87@@ 88@@ _aes_encrypt_core 89@@ 90@@ AES-encrypt q0. 91@@ 92@@ Inputs: 93@@ q0 = input 94@@ q9-q15 as in _vpaes_preheat 95@@ [r2] = scheduled keys 96@@ 97@@ Output in q0 98@@ Clobbers q1-q5, r8-r11 99@@ Preserves q6-q8 so you get some local vectors 100@@ 101@@ 102.type _vpaes_encrypt_core,%function 103.align 4 104_vpaes_encrypt_core: 105 mov r9, r2 106 ldr r8, [r2,#240] @ pull rounds 107 adr r11, .Lk_ipt 108 @ vmovdqa .Lk_ipt(%rip), %xmm2 # iptlo 109 @ vmovdqa .Lk_ipt+16(%rip), %xmm3 # ipthi 110 vld1.64 {q2, q3}, [r11] 111 adr r11, .Lk_mc_forward+16 112 vld1.64 {q5}, [r9]! @ vmovdqu (%r9), %xmm5 # round0 key 113 vand q1, q0, q9 @ vpand %xmm9, %xmm0, %xmm1 114 vshr.u8 q0, q0, #4 @ vpsrlb $4, %xmm0, %xmm0 115 vtbl.8 d2, {q2}, d2 @ vpshufb %xmm1, %xmm2, %xmm1 116 vtbl.8 d3, {q2}, d3 117 vtbl.8 d4, {q3}, d0 @ vpshufb %xmm0, %xmm3, %xmm2 118 vtbl.8 d5, {q3}, d1 119 veor q0, q1, q5 @ vpxor %xmm5, %xmm1, %xmm0 120 veor q0, q0, q2 @ vpxor %xmm2, %xmm0, %xmm0 121 122 @ .Lenc_entry ends with a bnz instruction which is normally paired with 123 @ subs in .Lenc_loop. 124 tst r8, r8 125 b .Lenc_entry 126 127.align 4 128.Lenc_loop: 129 @ middle of middle round 130 add r10, r11, #0x40 131 vtbl.8 d8, {q13}, d4 @ vpshufb %xmm2, %xmm13, %xmm4 # 4 = sb1u 132 vtbl.8 d9, {q13}, d5 133 vld1.64 {q1}, [r11]! @ vmovdqa -0x40(%r11,%r10), %xmm1 # .Lk_mc_forward[] 134 vtbl.8 d0, {q12}, d6 @ vpshufb %xmm3, %xmm12, %xmm0 # 0 = sb1t 135 vtbl.8 d1, {q12}, d7 136 veor q4, q4, q5 @ vpxor %xmm5, %xmm4, %xmm4 # 4 = sb1u + k 137 vtbl.8 d10, {q15}, d4 @ vpshufb %xmm2, %xmm15, %xmm5 # 4 = sb2u 138 vtbl.8 d11, {q15}, d5 139 veor q0, q0, q4 @ vpxor %xmm4, %xmm0, %xmm0 # 0 = A 140 vtbl.8 d4, {q14}, d6 @ vpshufb %xmm3, %xmm14, %xmm2 # 2 = sb2t 141 vtbl.8 d5, {q14}, d7 142 vld1.64 {q4}, [r10] @ vmovdqa (%r11,%r10), %xmm4 # .Lk_mc_backward[] 143 vtbl.8 d6, {q0}, d2 @ vpshufb %xmm1, %xmm0, %xmm3 # 0 = B 144 vtbl.8 d7, {q0}, d3 145 veor q2, q2, q5 @ vpxor %xmm5, %xmm2, %xmm2 # 2 = 2A 146 @ Write to q5 instead of q0, so the table and destination registers do 147 @ not overlap. 148 vtbl.8 d10, {q0}, d8 @ vpshufb %xmm4, %xmm0, %xmm0 # 3 = D 149 vtbl.8 d11, {q0}, d9 150 veor q3, q3, q2 @ vpxor %xmm2, %xmm3, %xmm3 # 0 = 2A+B 151 vtbl.8 d8, {q3}, d2 @ vpshufb %xmm1, %xmm3, %xmm4 # 0 = 2B+C 152 vtbl.8 d9, {q3}, d3 153 @ Here we restore the original q0/q5 usage. 154 veor q0, q5, q3 @ vpxor %xmm3, %xmm0, %xmm0 # 3 = 2A+B+D 155 and r11, r11, #~(1<<6) @ and $0x30, %r11 # ... mod 4 156 veor q0, q0, q4 @ vpxor %xmm4, %xmm0, %xmm0 # 0 = 2A+3B+C+D 157 subs r8, r8, #1 @ nr-- 158 159.Lenc_entry: 160 @ top of round 161 vand q1, q0, q9 @ vpand %xmm0, %xmm9, %xmm1 # 0 = k 162 vshr.u8 q0, q0, #4 @ vpsrlb $4, %xmm0, %xmm0 # 1 = i 163 vtbl.8 d10, {q11}, d2 @ vpshufb %xmm1, %xmm11, %xmm5 # 2 = a/k 164 vtbl.8 d11, {q11}, d3 165 veor q1, q1, q0 @ vpxor %xmm0, %xmm1, %xmm1 # 0 = j 166 vtbl.8 d6, {q10}, d0 @ vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i 167 vtbl.8 d7, {q10}, d1 168 vtbl.8 d8, {q10}, d2 @ vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j 169 vtbl.8 d9, {q10}, d3 170 veor q3, q3, q5 @ vpxor %xmm5, %xmm3, %xmm3 # 3 = iak = 1/i + a/k 171 veor q4, q4, q5 @ vpxor %xmm5, %xmm4, %xmm4 # 4 = jak = 1/j + a/k 172 vtbl.8 d4, {q10}, d6 @ vpshufb %xmm3, %xmm10, %xmm2 # 2 = 1/iak 173 vtbl.8 d5, {q10}, d7 174 vtbl.8 d6, {q10}, d8 @ vpshufb %xmm4, %xmm10, %xmm3 # 3 = 1/jak 175 vtbl.8 d7, {q10}, d9 176 veor q2, q2, q1 @ vpxor %xmm1, %xmm2, %xmm2 # 2 = io 177 veor q3, q3, q0 @ vpxor %xmm0, %xmm3, %xmm3 # 3 = jo 178 vld1.64 {q5}, [r9]! @ vmovdqu (%r9), %xmm5 179 bne .Lenc_loop 180 181 @ middle of last round 182 add r10, r11, #0x80 183 184 adr r11, .Lk_sbo 185 @ Read to q1 instead of q4, so the vtbl.8 instruction below does not 186 @ overlap table and destination registers. 187 vld1.64 {q1}, [r11]! @ vmovdqa -0x60(%r10), %xmm4 # 3 : sbou 188 vld1.64 {q0}, [r11] @ vmovdqa -0x50(%r10), %xmm0 # 0 : sbot .Lk_sbo+16 189 vtbl.8 d8, {q1}, d4 @ vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbou 190 vtbl.8 d9, {q1}, d5 191 vld1.64 {q1}, [r10] @ vmovdqa 0x40(%r11,%r10), %xmm1 # .Lk_sr[] 192 @ Write to q2 instead of q0 below, to avoid overlapping table and 193 @ destination registers. 194 vtbl.8 d4, {q0}, d6 @ vpshufb %xmm3, %xmm0, %xmm0 # 0 = sb1t 195 vtbl.8 d5, {q0}, d7 196 veor q4, q4, q5 @ vpxor %xmm5, %xmm4, %xmm4 # 4 = sb1u + k 197 veor q2, q2, q4 @ vpxor %xmm4, %xmm0, %xmm0 # 0 = A 198 @ Here we restore the original q0/q2 usage. 199 vtbl.8 d0, {q2}, d2 @ vpshufb %xmm1, %xmm0, %xmm0 200 vtbl.8 d1, {q2}, d3 201 bx lr 202.size _vpaes_encrypt_core,.-_vpaes_encrypt_core 203 204.globl vpaes_encrypt 205.hidden vpaes_encrypt 206.type vpaes_encrypt,%function 207.align 4 208vpaes_encrypt: 209 @ _vpaes_encrypt_core uses r8-r11. Round up to r7-r11 to maintain stack 210 @ alignment. 211 stmdb sp!, {r7,r8,r9,r10,r11,lr} 212 @ _vpaes_encrypt_core uses q4-q5 (d8-d11), which are callee-saved. 213 vstmdb sp!, {d8,d9,d10,d11} 214 215 vld1.64 {q0}, [r0] 216 bl _vpaes_preheat 217 bl _vpaes_encrypt_core 218 vst1.64 {q0}, [r1] 219 220 vldmia sp!, {d8,d9,d10,d11} 221 ldmia sp!, {r7,r8,r9,r10,r11, pc} @ return 222.size vpaes_encrypt,.-vpaes_encrypt 223 224@ 225@ Decryption stuff 226@ 227.type _vpaes_decrypt_consts,%object 228.align 4 229_vpaes_decrypt_consts: 230.Lk_dipt:@ decryption input transform 231.quad 0x0F505B040B545F00, 0x154A411E114E451A 232.quad 0x86E383E660056500, 0x12771772F491F194 233.Lk_dsbo:@ decryption sbox final output 234.quad 0x1387EA537EF94000, 0xC7AA6DB9D4943E2D 235.quad 0x12D7560F93441D00, 0xCA4B8159D8C58E9C 236.Lk_dsb9:@ decryption sbox output *9*u, *9*t 237.quad 0x851C03539A86D600, 0xCAD51F504F994CC9 238.quad 0xC03B1789ECD74900, 0x725E2C9EB2FBA565 239.Lk_dsbd:@ decryption sbox output *D*u, *D*t 240.quad 0x7D57CCDFE6B1A200, 0xF56E9B13882A4439 241.quad 0x3CE2FAF724C6CB00, 0x2931180D15DEEFD3 242.Lk_dsbb:@ decryption sbox output *B*u, *B*t 243.quad 0xD022649296B44200, 0x602646F6B0F2D404 244.quad 0xC19498A6CD596700, 0xF3FF0C3E3255AA6B 245.Lk_dsbe:@ decryption sbox output *E*u, *E*t 246.quad 0x46F2929626D4D000, 0x2242600464B4F6B0 247.quad 0x0C55A6CDFFAAC100, 0x9467F36B98593E32 248.size _vpaes_decrypt_consts,.-_vpaes_decrypt_consts 249 250@@ 251@@ Decryption core 252@@ 253@@ Same API as encryption core, except it clobbers q12-q15 rather than using 254@@ the values from _vpaes_preheat. q9-q11 must still be set from 255@@ _vpaes_preheat. 256@@ 257.type _vpaes_decrypt_core,%function 258.align 4 259_vpaes_decrypt_core: 260 mov r9, r2 261 ldr r8, [r2,#240] @ pull rounds 262 263 @ This function performs shuffles with various constants. The x86_64 264 @ version loads them on-demand into %xmm0-%xmm5. This does not work well 265 @ for ARMv7 because those registers are shuffle destinations. The ARMv8 266 @ version preloads those constants into registers, but ARMv7 has half 267 @ the registers to work with. Instead, we load them on-demand into 268 @ q12-q15, registers normally use for preloaded constants. This is fine 269 @ because decryption doesn't use those constants. The values are 270 @ constant, so this does not interfere with potential 2x optimizations. 271 adr r7, .Lk_dipt 272 273 vld1.64 {q12,q13}, [r7] @ vmovdqa .Lk_dipt(%rip), %xmm2 # iptlo 274 lsl r11, r8, #4 @ mov %rax, %r11; shl $4, %r11 275 eor r11, r11, #0x30 @ xor $0x30, %r11 276 adr r10, .Lk_sr 277 and r11, r11, #0x30 @ and $0x30, %r11 278 add r11, r11, r10 279 adr r10, .Lk_mc_forward+48 280 281 vld1.64 {q4}, [r9]! @ vmovdqu (%r9), %xmm4 # round0 key 282 vand q1, q0, q9 @ vpand %xmm9, %xmm0, %xmm1 283 vshr.u8 q0, q0, #4 @ vpsrlb $4, %xmm0, %xmm0 284 vtbl.8 d4, {q12}, d2 @ vpshufb %xmm1, %xmm2, %xmm2 285 vtbl.8 d5, {q12}, d3 286 vld1.64 {q5}, [r10] @ vmovdqa .Lk_mc_forward+48(%rip), %xmm5 287 @ vmovdqa .Lk_dipt+16(%rip), %xmm1 # ipthi 288 vtbl.8 d0, {q13}, d0 @ vpshufb %xmm0, %xmm1, %xmm0 289 vtbl.8 d1, {q13}, d1 290 veor q2, q2, q4 @ vpxor %xmm4, %xmm2, %xmm2 291 veor q0, q0, q2 @ vpxor %xmm2, %xmm0, %xmm0 292 293 @ .Ldec_entry ends with a bnz instruction which is normally paired with 294 @ subs in .Ldec_loop. 295 tst r8, r8 296 b .Ldec_entry 297 298.align 4 299.Ldec_loop: 300@ 301@ Inverse mix columns 302@ 303 304 @ We load .Lk_dsb* into q12-q15 on-demand. See the comment at the top of 305 @ the function. 306 adr r10, .Lk_dsb9 307 vld1.64 {q12,q13}, [r10]! @ vmovdqa -0x20(%r10),%xmm4 # 4 : sb9u 308 @ vmovdqa -0x10(%r10),%xmm1 # 0 : sb9t 309 @ Load sbd* ahead of time. 310 vld1.64 {q14,q15}, [r10]! @ vmovdqa 0x00(%r10),%xmm4 # 4 : sbdu 311 @ vmovdqa 0x10(%r10),%xmm1 # 0 : sbdt 312 vtbl.8 d8, {q12}, d4 @ vpshufb %xmm2, %xmm4, %xmm4 # 4 = sb9u 313 vtbl.8 d9, {q12}, d5 314 vtbl.8 d2, {q13}, d6 @ vpshufb %xmm3, %xmm1, %xmm1 # 0 = sb9t 315 vtbl.8 d3, {q13}, d7 316 veor q0, q4, q0 @ vpxor %xmm4, %xmm0, %xmm0 317 318 veor q0, q0, q1 @ vpxor %xmm1, %xmm0, %xmm0 # 0 = ch 319 320 @ Load sbb* ahead of time. 321 vld1.64 {q12,q13}, [r10]! @ vmovdqa 0x20(%r10),%xmm4 # 4 : sbbu 322 @ vmovdqa 0x30(%r10),%xmm1 # 0 : sbbt 323 324 vtbl.8 d8, {q14}, d4 @ vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbdu 325 vtbl.8 d9, {q14}, d5 326 @ Write to q1 instead of q0, so the table and destination registers do 327 @ not overlap. 328 vtbl.8 d2, {q0}, d10 @ vpshufb %xmm5, %xmm0, %xmm0 # MC ch 329 vtbl.8 d3, {q0}, d11 330 @ Here we restore the original q0/q1 usage. This instruction is 331 @ reordered from the ARMv8 version so we do not clobber the vtbl.8 332 @ below. 333 veor q0, q1, q4 @ vpxor %xmm4, %xmm0, %xmm0 # 4 = ch 334 vtbl.8 d2, {q15}, d6 @ vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbdt 335 vtbl.8 d3, {q15}, d7 336 @ vmovdqa 0x20(%r10), %xmm4 # 4 : sbbu 337 veor q0, q0, q1 @ vpxor %xmm1, %xmm0, %xmm0 # 0 = ch 338 @ vmovdqa 0x30(%r10), %xmm1 # 0 : sbbt 339 340 @ Load sbd* ahead of time. 341 vld1.64 {q14,q15}, [r10]! @ vmovdqa 0x40(%r10),%xmm4 # 4 : sbeu 342 @ vmovdqa 0x50(%r10),%xmm1 # 0 : sbet 343 344 vtbl.8 d8, {q12}, d4 @ vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbbu 345 vtbl.8 d9, {q12}, d5 346 @ Write to q1 instead of q0, so the table and destination registers do 347 @ not overlap. 348 vtbl.8 d2, {q0}, d10 @ vpshufb %xmm5, %xmm0, %xmm0 # MC ch 349 vtbl.8 d3, {q0}, d11 350 @ Here we restore the original q0/q1 usage. This instruction is 351 @ reordered from the ARMv8 version so we do not clobber the vtbl.8 352 @ below. 353 veor q0, q1, q4 @ vpxor %xmm4, %xmm0, %xmm0 # 4 = ch 354 vtbl.8 d2, {q13}, d6 @ vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbbt 355 vtbl.8 d3, {q13}, d7 356 veor q0, q0, q1 @ vpxor %xmm1, %xmm0, %xmm0 # 0 = ch 357 358 vtbl.8 d8, {q14}, d4 @ vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbeu 359 vtbl.8 d9, {q14}, d5 360 @ Write to q1 instead of q0, so the table and destination registers do 361 @ not overlap. 362 vtbl.8 d2, {q0}, d10 @ vpshufb %xmm5, %xmm0, %xmm0 # MC ch 363 vtbl.8 d3, {q0}, d11 364 @ Here we restore the original q0/q1 usage. This instruction is 365 @ reordered from the ARMv8 version so we do not clobber the vtbl.8 366 @ below. 367 veor q0, q1, q4 @ vpxor %xmm4, %xmm0, %xmm0 # 4 = ch 368 vtbl.8 d2, {q15}, d6 @ vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbet 369 vtbl.8 d3, {q15}, d7 370 vext.8 q5, q5, q5, #12 @ vpalignr $12, %xmm5, %xmm5, %xmm5 371 veor q0, q0, q1 @ vpxor %xmm1, %xmm0, %xmm0 # 0 = ch 372 subs r8, r8, #1 @ sub $1,%rax # nr-- 373 374.Ldec_entry: 375 @ top of round 376 vand q1, q0, q9 @ vpand %xmm9, %xmm0, %xmm1 # 0 = k 377 vshr.u8 q0, q0, #4 @ vpsrlb $4, %xmm0, %xmm0 # 1 = i 378 vtbl.8 d4, {q11}, d2 @ vpshufb %xmm1, %xmm11, %xmm2 # 2 = a/k 379 vtbl.8 d5, {q11}, d3 380 veor q1, q1, q0 @ vpxor %xmm0, %xmm1, %xmm1 # 0 = j 381 vtbl.8 d6, {q10}, d0 @ vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i 382 vtbl.8 d7, {q10}, d1 383 vtbl.8 d8, {q10}, d2 @ vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j 384 vtbl.8 d9, {q10}, d3 385 veor q3, q3, q2 @ vpxor %xmm2, %xmm3, %xmm3 # 3 = iak = 1/i + a/k 386 veor q4, q4, q2 @ vpxor %xmm2, %xmm4, %xmm4 # 4 = jak = 1/j + a/k 387 vtbl.8 d4, {q10}, d6 @ vpshufb %xmm3, %xmm10, %xmm2 # 2 = 1/iak 388 vtbl.8 d5, {q10}, d7 389 vtbl.8 d6, {q10}, d8 @ vpshufb %xmm4, %xmm10, %xmm3 # 3 = 1/jak 390 vtbl.8 d7, {q10}, d9 391 veor q2, q2, q1 @ vpxor %xmm1, %xmm2, %xmm2 # 2 = io 392 veor q3, q3, q0 @ vpxor %xmm0, %xmm3, %xmm3 # 3 = jo 393 vld1.64 {q0}, [r9]! @ vmovdqu (%r9), %xmm0 394 bne .Ldec_loop 395 396 @ middle of last round 397 398 adr r10, .Lk_dsbo 399 400 @ Write to q1 rather than q4 to avoid overlapping table and destination. 401 vld1.64 {q1}, [r10]! @ vmovdqa 0x60(%r10), %xmm4 # 3 : sbou 402 vtbl.8 d8, {q1}, d4 @ vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbou 403 vtbl.8 d9, {q1}, d5 404 @ Write to q2 rather than q1 to avoid overlapping table and destination. 405 vld1.64 {q2}, [r10] @ vmovdqa 0x70(%r10), %xmm1 # 0 : sbot 406 vtbl.8 d2, {q2}, d6 @ vpshufb %xmm3, %xmm1, %xmm1 # 0 = sb1t 407 vtbl.8 d3, {q2}, d7 408 vld1.64 {q2}, [r11] @ vmovdqa -0x160(%r11), %xmm2 # .Lk_sr-.Lk_dsbd=-0x160 409 veor q4, q4, q0 @ vpxor %xmm0, %xmm4, %xmm4 # 4 = sb1u + k 410 @ Write to q1 rather than q0 so the table and destination registers 411 @ below do not overlap. 412 veor q1, q1, q4 @ vpxor %xmm4, %xmm1, %xmm0 # 0 = A 413 vtbl.8 d0, {q1}, d4 @ vpshufb %xmm2, %xmm0, %xmm0 414 vtbl.8 d1, {q1}, d5 415 bx lr 416.size _vpaes_decrypt_core,.-_vpaes_decrypt_core 417 418.globl vpaes_decrypt 419.hidden vpaes_decrypt 420.type vpaes_decrypt,%function 421.align 4 422vpaes_decrypt: 423 @ _vpaes_decrypt_core uses r7-r11. 424 stmdb sp!, {r7,r8,r9,r10,r11,lr} 425 @ _vpaes_decrypt_core uses q4-q5 (d8-d11), which are callee-saved. 426 vstmdb sp!, {d8,d9,d10,d11} 427 428 vld1.64 {q0}, [r0] 429 bl _vpaes_preheat 430 bl _vpaes_decrypt_core 431 vst1.64 {q0}, [r1] 432 433 vldmia sp!, {d8,d9,d10,d11} 434 ldmia sp!, {r7,r8,r9,r10,r11, pc} @ return 435.size vpaes_decrypt,.-vpaes_decrypt 436@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 437@@ @@ 438@@ AES key schedule @@ 439@@ @@ 440@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 441 442@ This function diverges from both x86_64 and armv7 in which constants are 443@ pinned. x86_64 has a common preheat function for all operations. aarch64 444@ separates them because it has enough registers to pin nearly all constants. 445@ armv7 does not have enough registers, but needing explicit loads and stores 446@ also complicates using x86_64's register allocation directly. 447@ 448@ We pin some constants for convenience and leave q14 and q15 free to load 449@ others on demand. 450 451@ 452@ Key schedule constants 453@ 454.type _vpaes_key_consts,%object 455.align 4 456_vpaes_key_consts: 457.Lk_dksd:@ decryption key schedule: invskew x*D 458.quad 0xFEB91A5DA3E44700, 0x0740E3A45A1DBEF9 459.quad 0x41C277F4B5368300, 0x5FDC69EAAB289D1E 460.Lk_dksb:@ decryption key schedule: invskew x*B 461.quad 0x9A4FCA1F8550D500, 0x03D653861CC94C99 462.quad 0x115BEDA7B6FC4A00, 0xD993256F7E3482C8 463.Lk_dkse:@ decryption key schedule: invskew x*E + 0x63 464.quad 0xD5031CCA1FC9D600, 0x53859A4C994F5086 465.quad 0xA23196054FDC7BE8, 0xCD5EF96A20B31487 466.Lk_dks9:@ decryption key schedule: invskew x*9 467.quad 0xB6116FC87ED9A700, 0x4AED933482255BFC 468.quad 0x4576516227143300, 0x8BB89FACE9DAFDCE 469 470.Lk_rcon:@ rcon 471.quad 0x1F8391B9AF9DEEB6, 0x702A98084D7C7D81 472 473.Lk_opt:@ output transform 474.quad 0xFF9F4929D6B66000, 0xF7974121DEBE6808 475.quad 0x01EDBD5150BCEC00, 0xE10D5DB1B05C0CE0 476.Lk_deskew:@ deskew tables: inverts the sbox's "skew" 477.quad 0x07E4A34047A4E300, 0x1DFEB95A5DBEF91A 478.quad 0x5F36B5DC83EA6900, 0x2841C2ABF49D1E77 479.size _vpaes_key_consts,.-_vpaes_key_consts 480 481.type _vpaes_key_preheat,%function 482.align 4 483_vpaes_key_preheat: 484 adr r11, .Lk_rcon 485 vmov.i8 q12, #0x5b @ .Lk_s63 486 adr r10, .Lk_inv @ Must be aligned to 8 mod 16. 487 vmov.i8 q9, #0x0f @ .Lk_s0F 488 vld1.64 {q10,q11}, [r10] @ .Lk_inv 489 vld1.64 {q8}, [r11] @ .Lk_rcon 490 bx lr 491.size _vpaes_key_preheat,.-_vpaes_key_preheat 492 493.type _vpaes_schedule_core,%function 494.align 4 495_vpaes_schedule_core: 496 @ We only need to save lr, but ARM requires an 8-byte stack alignment, 497 @ so save an extra register. 498 stmdb sp!, {r3,lr} 499 500 bl _vpaes_key_preheat @ load the tables 501 502 adr r11, .Lk_ipt @ Must be aligned to 8 mod 16. 503 vld1.64 {q0}, [r0]! @ vmovdqu (%rdi), %xmm0 # load key (unaligned) 504 505 @ input transform 506 @ Use q4 here rather than q3 so .Lschedule_am_decrypting does not 507 @ overlap table and destination. 508 vmov q4, q0 @ vmovdqa %xmm0, %xmm3 509 bl _vpaes_schedule_transform 510 adr r10, .Lk_sr @ Must be aligned to 8 mod 16. 511 vmov q7, q0 @ vmovdqa %xmm0, %xmm7 512 513 add r8, r8, r10 514 tst r3, r3 515 bne .Lschedule_am_decrypting 516 517 @ encrypting, output zeroth round key after transform 518 vst1.64 {q0}, [r2] @ vmovdqu %xmm0, (%rdx) 519 b .Lschedule_go 520 521.Lschedule_am_decrypting: 522 @ decrypting, output zeroth round key after shiftrows 523 vld1.64 {q1}, [r8] @ vmovdqa (%r8,%r10), %xmm1 524 vtbl.8 d6, {q4}, d2 @ vpshufb %xmm1, %xmm3, %xmm3 525 vtbl.8 d7, {q4}, d3 526 vst1.64 {q3}, [r2] @ vmovdqu %xmm3, (%rdx) 527 eor r8, r8, #0x30 @ xor $0x30, %r8 528 529.Lschedule_go: 530 cmp r1, #192 @ cmp $192, %esi 531 bhi .Lschedule_256 532 beq .Lschedule_192 533 @ 128: fall though 534 535@@ 536@@ .schedule_128 537@@ 538@@ 128-bit specific part of key schedule. 539@@ 540@@ This schedule is really simple, because all its parts 541@@ are accomplished by the subroutines. 542@@ 543.Lschedule_128: 544 mov r0, #10 @ mov $10, %esi 545 546.Loop_schedule_128: 547 bl _vpaes_schedule_round 548 subs r0, r0, #1 @ dec %esi 549 beq .Lschedule_mangle_last 550 bl _vpaes_schedule_mangle @ write output 551 b .Loop_schedule_128 552 553@@ 554@@ .aes_schedule_192 555@@ 556@@ 192-bit specific part of key schedule. 557@@ 558@@ The main body of this schedule is the same as the 128-bit 559@@ schedule, but with more smearing. The long, high side is 560@@ stored in q7 as before, and the short, low side is in 561@@ the high bits of q6. 562@@ 563@@ This schedule is somewhat nastier, however, because each 564@@ round produces 192 bits of key material, or 1.5 round keys. 565@@ Therefore, on each cycle we do 2 rounds and produce 3 round 566@@ keys. 567@@ 568.align 4 569.Lschedule_192: 570 sub r0, r0, #8 571 vld1.64 {q0}, [r0] @ vmovdqu 8(%rdi),%xmm0 # load key part 2 (very unaligned) 572 bl _vpaes_schedule_transform @ input transform 573 vmov q6, q0 @ vmovdqa %xmm0, %xmm6 # save short part 574 vmov.i8 d12, #0 @ vpxor %xmm4, %xmm4, %xmm4 # clear 4 575 @ vmovhlps %xmm4, %xmm6, %xmm6 # clobber low side with zeros 576 mov r0, #4 @ mov $4, %esi 577 578.Loop_schedule_192: 579 bl _vpaes_schedule_round 580 vext.8 q0, q6, q0, #8 @ vpalignr $8,%xmm6,%xmm0,%xmm0 581 bl _vpaes_schedule_mangle @ save key n 582 bl _vpaes_schedule_192_smear 583 bl _vpaes_schedule_mangle @ save key n+1 584 bl _vpaes_schedule_round 585 subs r0, r0, #1 @ dec %esi 586 beq .Lschedule_mangle_last 587 bl _vpaes_schedule_mangle @ save key n+2 588 bl _vpaes_schedule_192_smear 589 b .Loop_schedule_192 590 591@@ 592@@ .aes_schedule_256 593@@ 594@@ 256-bit specific part of key schedule. 595@@ 596@@ The structure here is very similar to the 128-bit 597@@ schedule, but with an additional "low side" in 598@@ q6. The low side's rounds are the same as the 599@@ high side's, except no rcon and no rotation. 600@@ 601.align 4 602.Lschedule_256: 603 vld1.64 {q0}, [r0] @ vmovdqu 16(%rdi),%xmm0 # load key part 2 (unaligned) 604 bl _vpaes_schedule_transform @ input transform 605 mov r0, #7 @ mov $7, %esi 606 607.Loop_schedule_256: 608 bl _vpaes_schedule_mangle @ output low result 609 vmov q6, q0 @ vmovdqa %xmm0, %xmm6 # save cur_lo in xmm6 610 611 @ high round 612 bl _vpaes_schedule_round 613 subs r0, r0, #1 @ dec %esi 614 beq .Lschedule_mangle_last 615 bl _vpaes_schedule_mangle 616 617 @ low round. swap xmm7 and xmm6 618 vdup.32 q0, d1[1] @ vpshufd $0xFF, %xmm0, %xmm0 619 vmov.i8 q4, #0 620 vmov q5, q7 @ vmovdqa %xmm7, %xmm5 621 vmov q7, q6 @ vmovdqa %xmm6, %xmm7 622 bl _vpaes_schedule_low_round 623 vmov q7, q5 @ vmovdqa %xmm5, %xmm7 624 625 b .Loop_schedule_256 626 627@@ 628@@ .aes_schedule_mangle_last 629@@ 630@@ Mangler for last round of key schedule 631@@ Mangles q0 632@@ when encrypting, outputs out(q0) ^ 63 633@@ when decrypting, outputs unskew(q0) 634@@ 635@@ Always called right before return... jumps to cleanup and exits 636@@ 637.align 4 638.Lschedule_mangle_last: 639 @ schedule last round key from xmm0 640 adr r11, .Lk_deskew @ lea .Lk_deskew(%rip),%r11 # prepare to deskew 641 tst r3, r3 642 bne .Lschedule_mangle_last_dec 643 644 @ encrypting 645 vld1.64 {q1}, [r8] @ vmovdqa (%r8,%r10),%xmm1 646 adr r11, .Lk_opt @ lea .Lk_opt(%rip), %r11 # prepare to output transform 647 add r2, r2, #32 @ add $32, %rdx 648 vmov q2, q0 649 vtbl.8 d0, {q2}, d2 @ vpshufb %xmm1, %xmm0, %xmm0 # output permute 650 vtbl.8 d1, {q2}, d3 651 652.Lschedule_mangle_last_dec: 653 sub r2, r2, #16 @ add $-16, %rdx 654 veor q0, q0, q12 @ vpxor .Lk_s63(%rip), %xmm0, %xmm0 655 bl _vpaes_schedule_transform @ output transform 656 vst1.64 {q0}, [r2] @ vmovdqu %xmm0, (%rdx) # save last key 657 658 @ cleanup 659 veor q0, q0, q0 @ vpxor %xmm0, %xmm0, %xmm0 660 veor q1, q1, q1 @ vpxor %xmm1, %xmm1, %xmm1 661 veor q2, q2, q2 @ vpxor %xmm2, %xmm2, %xmm2 662 veor q3, q3, q3 @ vpxor %xmm3, %xmm3, %xmm3 663 veor q4, q4, q4 @ vpxor %xmm4, %xmm4, %xmm4 664 veor q5, q5, q5 @ vpxor %xmm5, %xmm5, %xmm5 665 veor q6, q6, q6 @ vpxor %xmm6, %xmm6, %xmm6 666 veor q7, q7, q7 @ vpxor %xmm7, %xmm7, %xmm7 667 ldmia sp!, {r3,pc} @ return 668.size _vpaes_schedule_core,.-_vpaes_schedule_core 669 670@@ 671@@ .aes_schedule_192_smear 672@@ 673@@ Smear the short, low side in the 192-bit key schedule. 674@@ 675@@ Inputs: 676@@ q7: high side, b a x y 677@@ q6: low side, d c 0 0 678@@ 679@@ Outputs: 680@@ q6: b+c+d b+c 0 0 681@@ q0: b+c+d b+c b a 682@@ 683.type _vpaes_schedule_192_smear,%function 684.align 4 685_vpaes_schedule_192_smear: 686 vmov.i8 q1, #0 687 vdup.32 q0, d15[1] 688 vshl.i64 q1, q6, #32 @ vpshufd $0x80, %xmm6, %xmm1 # d c 0 0 -> c 0 0 0 689 vmov d0, d15 @ vpshufd $0xFE, %xmm7, %xmm0 # b a _ _ -> b b b a 690 veor q6, q6, q1 @ vpxor %xmm1, %xmm6, %xmm6 # -> c+d c 0 0 691 veor q1, q1, q1 @ vpxor %xmm1, %xmm1, %xmm1 692 veor q6, q6, q0 @ vpxor %xmm0, %xmm6, %xmm6 # -> b+c+d b+c b a 693 vmov q0, q6 @ vmovdqa %xmm6, %xmm0 694 vmov d12, d2 @ vmovhlps %xmm1, %xmm6, %xmm6 # clobber low side with zeros 695 bx lr 696.size _vpaes_schedule_192_smear,.-_vpaes_schedule_192_smear 697 698@@ 699@@ .aes_schedule_round 700@@ 701@@ Runs one main round of the key schedule on q0, q7 702@@ 703@@ Specifically, runs subbytes on the high dword of q0 704@@ then rotates it by one byte and xors into the low dword of 705@@ q7. 706@@ 707@@ Adds rcon from low byte of q8, then rotates q8 for 708@@ next rcon. 709@@ 710@@ Smears the dwords of q7 by xoring the low into the 711@@ second low, result into third, result into highest. 712@@ 713@@ Returns results in q7 = q0. 714@@ Clobbers q1-q4, r11. 715@@ 716.type _vpaes_schedule_round,%function 717.align 4 718_vpaes_schedule_round: 719 @ extract rcon from xmm8 720 vmov.i8 q4, #0 @ vpxor %xmm4, %xmm4, %xmm4 721 vext.8 q1, q8, q4, #15 @ vpalignr $15, %xmm8, %xmm4, %xmm1 722 vext.8 q8, q8, q8, #15 @ vpalignr $15, %xmm8, %xmm8, %xmm8 723 veor q7, q7, q1 @ vpxor %xmm1, %xmm7, %xmm7 724 725 @ rotate 726 vdup.32 q0, d1[1] @ vpshufd $0xFF, %xmm0, %xmm0 727 vext.8 q0, q0, q0, #1 @ vpalignr $1, %xmm0, %xmm0, %xmm0 728 729 @ fall through... 730 731 @ low round: same as high round, but no rotation and no rcon. 732_vpaes_schedule_low_round: 733 @ The x86_64 version pins .Lk_sb1 in %xmm13 and .Lk_sb1+16 in %xmm12. 734 @ We pin other values in _vpaes_key_preheat, so load them now. 735 adr r11, .Lk_sb1 736 vld1.64 {q14,q15}, [r11] 737 738 @ smear xmm7 739 vext.8 q1, q4, q7, #12 @ vpslldq $4, %xmm7, %xmm1 740 veor q7, q7, q1 @ vpxor %xmm1, %xmm7, %xmm7 741 vext.8 q4, q4, q7, #8 @ vpslldq $8, %xmm7, %xmm4 742 743 @ subbytes 744 vand q1, q0, q9 @ vpand %xmm9, %xmm0, %xmm1 # 0 = k 745 vshr.u8 q0, q0, #4 @ vpsrlb $4, %xmm0, %xmm0 # 1 = i 746 veor q7, q7, q4 @ vpxor %xmm4, %xmm7, %xmm7 747 vtbl.8 d4, {q11}, d2 @ vpshufb %xmm1, %xmm11, %xmm2 # 2 = a/k 748 vtbl.8 d5, {q11}, d3 749 veor q1, q1, q0 @ vpxor %xmm0, %xmm1, %xmm1 # 0 = j 750 vtbl.8 d6, {q10}, d0 @ vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i 751 vtbl.8 d7, {q10}, d1 752 veor q3, q3, q2 @ vpxor %xmm2, %xmm3, %xmm3 # 3 = iak = 1/i + a/k 753 vtbl.8 d8, {q10}, d2 @ vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j 754 vtbl.8 d9, {q10}, d3 755 veor q7, q7, q12 @ vpxor .Lk_s63(%rip), %xmm7, %xmm7 756 vtbl.8 d6, {q10}, d6 @ vpshufb %xmm3, %xmm10, %xmm3 # 2 = 1/iak 757 vtbl.8 d7, {q10}, d7 758 veor q4, q4, q2 @ vpxor %xmm2, %xmm4, %xmm4 # 4 = jak = 1/j + a/k 759 vtbl.8 d4, {q10}, d8 @ vpshufb %xmm4, %xmm10, %xmm2 # 3 = 1/jak 760 vtbl.8 d5, {q10}, d9 761 veor q3, q3, q1 @ vpxor %xmm1, %xmm3, %xmm3 # 2 = io 762 veor q2, q2, q0 @ vpxor %xmm0, %xmm2, %xmm2 # 3 = jo 763 vtbl.8 d8, {q15}, d6 @ vpshufb %xmm3, %xmm13, %xmm4 # 4 = sbou 764 vtbl.8 d9, {q15}, d7 765 vtbl.8 d2, {q14}, d4 @ vpshufb %xmm2, %xmm12, %xmm1 # 0 = sb1t 766 vtbl.8 d3, {q14}, d5 767 veor q1, q1, q4 @ vpxor %xmm4, %xmm1, %xmm1 # 0 = sbox output 768 769 @ add in smeared stuff 770 veor q0, q1, q7 @ vpxor %xmm7, %xmm1, %xmm0 771 veor q7, q1, q7 @ vmovdqa %xmm0, %xmm7 772 bx lr 773.size _vpaes_schedule_round,.-_vpaes_schedule_round 774 775@@ 776@@ .aes_schedule_transform 777@@ 778@@ Linear-transform q0 according to tables at [r11] 779@@ 780@@ Requires that q9 = 0x0F0F... as in preheat 781@@ Output in q0 782@@ Clobbers q1, q2, q14, q15 783@@ 784.type _vpaes_schedule_transform,%function 785.align 4 786_vpaes_schedule_transform: 787 vld1.64 {q14,q15}, [r11] @ vmovdqa (%r11), %xmm2 # lo 788 @ vmovdqa 16(%r11), %xmm1 # hi 789 vand q1, q0, q9 @ vpand %xmm9, %xmm0, %xmm1 790 vshr.u8 q0, q0, #4 @ vpsrlb $4, %xmm0, %xmm0 791 vtbl.8 d4, {q14}, d2 @ vpshufb %xmm1, %xmm2, %xmm2 792 vtbl.8 d5, {q14}, d3 793 vtbl.8 d0, {q15}, d0 @ vpshufb %xmm0, %xmm1, %xmm0 794 vtbl.8 d1, {q15}, d1 795 veor q0, q0, q2 @ vpxor %xmm2, %xmm0, %xmm0 796 bx lr 797.size _vpaes_schedule_transform,.-_vpaes_schedule_transform 798 799@@ 800@@ .aes_schedule_mangle 801@@ 802@@ Mangles q0 from (basis-transformed) standard version 803@@ to our version. 804@@ 805@@ On encrypt, 806@@ xor with 0x63 807@@ multiply by circulant 0,1,1,1 808@@ apply shiftrows transform 809@@ 810@@ On decrypt, 811@@ xor with 0x63 812@@ multiply by "inverse mixcolumns" circulant E,B,D,9 813@@ deskew 814@@ apply shiftrows transform 815@@ 816@@ 817@@ Writes out to [r2], and increments or decrements it 818@@ Keeps track of round number mod 4 in r8 819@@ Preserves q0 820@@ Clobbers q1-q5 821@@ 822.type _vpaes_schedule_mangle,%function 823.align 4 824_vpaes_schedule_mangle: 825 tst r3, r3 826 vmov q4, q0 @ vmovdqa %xmm0, %xmm4 # save xmm0 for later 827 adr r11, .Lk_mc_forward @ Must be aligned to 8 mod 16. 828 vld1.64 {q5}, [r11] @ vmovdqa .Lk_mc_forward(%rip),%xmm5 829 bne .Lschedule_mangle_dec 830 831 @ encrypting 832 @ Write to q2 so we do not overlap table and destination below. 833 veor q2, q0, q12 @ vpxor .Lk_s63(%rip), %xmm0, %xmm4 834 add r2, r2, #16 @ add $16, %rdx 835 vtbl.8 d8, {q2}, d10 @ vpshufb %xmm5, %xmm4, %xmm4 836 vtbl.8 d9, {q2}, d11 837 vtbl.8 d2, {q4}, d10 @ vpshufb %xmm5, %xmm4, %xmm1 838 vtbl.8 d3, {q4}, d11 839 vtbl.8 d6, {q1}, d10 @ vpshufb %xmm5, %xmm1, %xmm3 840 vtbl.8 d7, {q1}, d11 841 veor q4, q4, q1 @ vpxor %xmm1, %xmm4, %xmm4 842 vld1.64 {q1}, [r8] @ vmovdqa (%r8,%r10), %xmm1 843 veor q3, q3, q4 @ vpxor %xmm4, %xmm3, %xmm3 844 845 b .Lschedule_mangle_both 846.align 4 847.Lschedule_mangle_dec: 848 @ inverse mix columns 849 adr r11, .Lk_dksd @ lea .Lk_dksd(%rip),%r11 850 vshr.u8 q1, q4, #4 @ vpsrlb $4, %xmm4, %xmm1 # 1 = hi 851 vand q4, q4, q9 @ vpand %xmm9, %xmm4, %xmm4 # 4 = lo 852 853 vld1.64 {q14,q15}, [r11]! @ vmovdqa 0x00(%r11), %xmm2 854 @ vmovdqa 0x10(%r11), %xmm3 855 vtbl.8 d4, {q14}, d8 @ vpshufb %xmm4, %xmm2, %xmm2 856 vtbl.8 d5, {q14}, d9 857 vtbl.8 d6, {q15}, d2 @ vpshufb %xmm1, %xmm3, %xmm3 858 vtbl.8 d7, {q15}, d3 859 @ Load .Lk_dksb ahead of time. 860 vld1.64 {q14,q15}, [r11]! @ vmovdqa 0x20(%r11), %xmm2 861 @ vmovdqa 0x30(%r11), %xmm3 862 @ Write to q13 so we do not overlap table and destination. 863 veor q13, q3, q2 @ vpxor %xmm2, %xmm3, %xmm3 864 vtbl.8 d6, {q13}, d10 @ vpshufb %xmm5, %xmm3, %xmm3 865 vtbl.8 d7, {q13}, d11 866 867 vtbl.8 d4, {q14}, d8 @ vpshufb %xmm4, %xmm2, %xmm2 868 vtbl.8 d5, {q14}, d9 869 veor q2, q2, q3 @ vpxor %xmm3, %xmm2, %xmm2 870 vtbl.8 d6, {q15}, d2 @ vpshufb %xmm1, %xmm3, %xmm3 871 vtbl.8 d7, {q15}, d3 872 @ Load .Lk_dkse ahead of time. 873 vld1.64 {q14,q15}, [r11]! @ vmovdqa 0x40(%r11), %xmm2 874 @ vmovdqa 0x50(%r11), %xmm3 875 @ Write to q13 so we do not overlap table and destination. 876 veor q13, q3, q2 @ vpxor %xmm2, %xmm3, %xmm3 877 vtbl.8 d6, {q13}, d10 @ vpshufb %xmm5, %xmm3, %xmm3 878 vtbl.8 d7, {q13}, d11 879 880 vtbl.8 d4, {q14}, d8 @ vpshufb %xmm4, %xmm2, %xmm2 881 vtbl.8 d5, {q14}, d9 882 veor q2, q2, q3 @ vpxor %xmm3, %xmm2, %xmm2 883 vtbl.8 d6, {q15}, d2 @ vpshufb %xmm1, %xmm3, %xmm3 884 vtbl.8 d7, {q15}, d3 885 @ Load .Lk_dkse ahead of time. 886 vld1.64 {q14,q15}, [r11]! @ vmovdqa 0x60(%r11), %xmm2 887 @ vmovdqa 0x70(%r11), %xmm4 888 @ Write to q13 so we do not overlap table and destination. 889 veor q13, q3, q2 @ vpxor %xmm2, %xmm3, %xmm3 890 891 vtbl.8 d4, {q14}, d8 @ vpshufb %xmm4, %xmm2, %xmm2 892 vtbl.8 d5, {q14}, d9 893 vtbl.8 d6, {q13}, d10 @ vpshufb %xmm5, %xmm3, %xmm3 894 vtbl.8 d7, {q13}, d11 895 vtbl.8 d8, {q15}, d2 @ vpshufb %xmm1, %xmm4, %xmm4 896 vtbl.8 d9, {q15}, d3 897 vld1.64 {q1}, [r8] @ vmovdqa (%r8,%r10), %xmm1 898 veor q2, q2, q3 @ vpxor %xmm3, %xmm2, %xmm2 899 veor q3, q4, q2 @ vpxor %xmm2, %xmm4, %xmm3 900 901 sub r2, r2, #16 @ add $-16, %rdx 902 903.Lschedule_mangle_both: 904 @ Write to q2 so table and destination do not overlap. 905 vtbl.8 d4, {q3}, d2 @ vpshufb %xmm1, %xmm3, %xmm3 906 vtbl.8 d5, {q3}, d3 907 add r8, r8, #64-16 @ add $-16, %r8 908 and r8, r8, #~(1<<6) @ and $0x30, %r8 909 vst1.64 {q2}, [r2] @ vmovdqu %xmm3, (%rdx) 910 bx lr 911.size _vpaes_schedule_mangle,.-_vpaes_schedule_mangle 912 913.globl vpaes_set_encrypt_key 914.hidden vpaes_set_encrypt_key 915.type vpaes_set_encrypt_key,%function 916.align 4 917vpaes_set_encrypt_key: 918 stmdb sp!, {r7,r8,r9,r10,r11, lr} 919 vstmdb sp!, {d8,d9,d10,d11,d12,d13,d14,d15} 920 921 lsr r9, r1, #5 @ shr $5,%eax 922 add r9, r9, #5 @ $5,%eax 923 str r9, [r2,#240] @ mov %eax,240(%rdx) # AES_KEY->rounds = nbits/32+5; 924 925 mov r3, #0 @ mov $0,%ecx 926 mov r8, #0x30 @ mov $0x30,%r8d 927 bl _vpaes_schedule_core 928 eor r0, r0, r0 929 930 vldmia sp!, {d8,d9,d10,d11,d12,d13,d14,d15} 931 ldmia sp!, {r7,r8,r9,r10,r11, pc} @ return 932.size vpaes_set_encrypt_key,.-vpaes_set_encrypt_key 933 934.globl vpaes_set_decrypt_key 935.hidden vpaes_set_decrypt_key 936.type vpaes_set_decrypt_key,%function 937.align 4 938vpaes_set_decrypt_key: 939 stmdb sp!, {r7,r8,r9,r10,r11, lr} 940 vstmdb sp!, {d8,d9,d10,d11,d12,d13,d14,d15} 941 942 lsr r9, r1, #5 @ shr $5,%eax 943 add r9, r9, #5 @ $5,%eax 944 str r9, [r2,#240] @ mov %eax,240(%rdx) # AES_KEY->rounds = nbits/32+5; 945 lsl r9, r9, #4 @ shl $4,%eax 946 add r2, r2, #16 @ lea 16(%rdx,%rax),%rdx 947 add r2, r2, r9 948 949 mov r3, #1 @ mov $1,%ecx 950 lsr r8, r1, #1 @ shr $1,%r8d 951 and r8, r8, #32 @ and $32,%r8d 952 eor r8, r8, #32 @ xor $32,%r8d # nbits==192?0:32 953 bl _vpaes_schedule_core 954 955 vldmia sp!, {d8,d9,d10,d11,d12,d13,d14,d15} 956 ldmia sp!, {r7,r8,r9,r10,r11, pc} @ return 957.size vpaes_set_decrypt_key,.-vpaes_set_decrypt_key 958 959@ Additional constants for converting to bsaes. 960.type _vpaes_convert_consts,%object 961.align 4 962_vpaes_convert_consts: 963@ .Lk_opt_then_skew applies skew(opt(x)) XOR 0x63, where skew is the linear 964@ transform in the AES S-box. 0x63 is incorporated into the low half of the 965@ table. This was computed with the following script: 966@ 967@ def u64s_to_u128(x, y): 968@ return x | (y << 64) 969@ def u128_to_u64s(w): 970@ return w & ((1<<64)-1), w >> 64 971@ def get_byte(w, i): 972@ return (w >> (i*8)) & 0xff 973@ def apply_table(table, b): 974@ lo = b & 0xf 975@ hi = b >> 4 976@ return get_byte(table[0], lo) ^ get_byte(table[1], hi) 977@ def opt(b): 978@ table = [ 979@ u64s_to_u128(0xFF9F4929D6B66000, 0xF7974121DEBE6808), 980@ u64s_to_u128(0x01EDBD5150BCEC00, 0xE10D5DB1B05C0CE0), 981@ ] 982@ return apply_table(table, b) 983@ def rot_byte(b, n): 984@ return 0xff & ((b << n) | (b >> (8-n))) 985@ def skew(x): 986@ return (x ^ rot_byte(x, 1) ^ rot_byte(x, 2) ^ rot_byte(x, 3) ^ 987@ rot_byte(x, 4)) 988@ table = [0, 0] 989@ for i in range(16): 990@ table[0] |= (skew(opt(i)) ^ 0x63) << (i*8) 991@ table[1] |= skew(opt(i<<4)) << (i*8) 992@ print(" .quad 0x%016x, 0x%016x" % u128_to_u64s(table[0])) 993@ print(" .quad 0x%016x, 0x%016x" % u128_to_u64s(table[1])) 994.Lk_opt_then_skew: 995.quad 0x9cb8436798bc4763, 0x6440bb9f6044bf9b 996.quad 0x1f30062936192f00, 0xb49bad829db284ab 997 998@ .Lk_decrypt_transform is a permutation which performs an 8-bit left-rotation 999@ followed by a byte-swap on each 32-bit word of a vector. E.g., 0x11223344 1000@ becomes 0x22334411 and then 0x11443322. 1001.Lk_decrypt_transform: 1002.quad 0x0704050603000102, 0x0f0c0d0e0b08090a 1003.size _vpaes_convert_consts,.-_vpaes_convert_consts 1004 1005@ void vpaes_encrypt_key_to_bsaes(AES_KEY *bsaes, const AES_KEY *vpaes); 1006.globl vpaes_encrypt_key_to_bsaes 1007.hidden vpaes_encrypt_key_to_bsaes 1008.type vpaes_encrypt_key_to_bsaes,%function 1009.align 4 1010vpaes_encrypt_key_to_bsaes: 1011 stmdb sp!, {r11, lr} 1012 1013 @ See _vpaes_schedule_core for the key schedule logic. In particular, 1014 @ _vpaes_schedule_transform(.Lk_ipt) (section 2.2 of the paper), 1015 @ _vpaes_schedule_mangle (section 4.3), and .Lschedule_mangle_last 1016 @ contain the transformations not in the bsaes representation. This 1017 @ function inverts those transforms. 1018 @ 1019 @ Note also that bsaes-armv7.pl expects aes-armv4.pl's key 1020 @ representation, which does not match the other aes_nohw_* 1021 @ implementations. The ARM aes_nohw_* stores each 32-bit word 1022 @ byteswapped, as a convenience for (unsupported) big-endian ARM, at the 1023 @ cost of extra REV and VREV32 operations in little-endian ARM. 1024 1025 vmov.i8 q9, #0x0f @ Required by _vpaes_schedule_transform 1026 adr r2, .Lk_mc_forward @ Must be aligned to 8 mod 16. 1027 add r3, r2, 0x90 @ .Lk_sr+0x10-.Lk_mc_forward = 0x90 (Apple's toolchain doesn't support the expression) 1028 1029 vld1.64 {q12}, [r2] 1030 vmov.i8 q10, #0x5b @ .Lk_s63 from vpaes-x86_64 1031 adr r11, .Lk_opt @ Must be aligned to 8 mod 16. 1032 vmov.i8 q11, #0x63 @ .LK_s63 without .Lk_ipt applied 1033 1034 @ vpaes stores one fewer round count than bsaes, but the number of keys 1035 @ is the same. 1036 ldr r2, [r1,#240] 1037 add r2, r2, #1 1038 str r2, [r0,#240] 1039 1040 @ The first key is transformed with _vpaes_schedule_transform(.Lk_ipt). 1041 @ Invert this with .Lk_opt. 1042 vld1.64 {q0}, [r1]! 1043 bl _vpaes_schedule_transform 1044 vrev32.8 q0, q0 1045 vst1.64 {q0}, [r0]! 1046 1047 @ The middle keys have _vpaes_schedule_transform(.Lk_ipt) applied, 1048 @ followed by _vpaes_schedule_mangle. _vpaes_schedule_mangle XORs 0x63, 1049 @ multiplies by the circulant 0,1,1,1, then applies ShiftRows. 1050.Loop_enc_key_to_bsaes: 1051 vld1.64 {q0}, [r1]! 1052 1053 @ Invert the ShiftRows step (see .Lschedule_mangle_both). Note we cycle 1054 @ r3 in the opposite direction and start at .Lk_sr+0x10 instead of 0x30. 1055 @ We use r3 rather than r8 to avoid a callee-saved register. 1056 vld1.64 {q1}, [r3] 1057 vtbl.8 d4, {q0}, d2 1058 vtbl.8 d5, {q0}, d3 1059 add r3, r3, #16 1060 and r3, r3, #~(1<<6) 1061 vmov q0, q2 1062 1063 @ Handle the last key differently. 1064 subs r2, r2, #1 1065 beq .Loop_enc_key_to_bsaes_last 1066 1067 @ Multiply by the circulant. This is its own inverse. 1068 vtbl.8 d2, {q0}, d24 1069 vtbl.8 d3, {q0}, d25 1070 vmov q0, q1 1071 vtbl.8 d4, {q1}, d24 1072 vtbl.8 d5, {q1}, d25 1073 veor q0, q0, q2 1074 vtbl.8 d2, {q2}, d24 1075 vtbl.8 d3, {q2}, d25 1076 veor q0, q0, q1 1077 1078 @ XOR and finish. 1079 veor q0, q0, q10 1080 bl _vpaes_schedule_transform 1081 vrev32.8 q0, q0 1082 vst1.64 {q0}, [r0]! 1083 b .Loop_enc_key_to_bsaes 1084 1085.Loop_enc_key_to_bsaes_last: 1086 @ The final key does not have a basis transform (note 1087 @ .Lschedule_mangle_last inverts the original transform). It only XORs 1088 @ 0x63 and applies ShiftRows. The latter was already inverted in the 1089 @ loop. Note that, because we act on the original representation, we use 1090 @ q11, not q10. 1091 veor q0, q0, q11 1092 vrev32.8 q0, q0 1093 vst1.64 {q0}, [r0] 1094 1095 @ Wipe registers which contained key material. 1096 veor q0, q0, q0 1097 veor q1, q1, q1 1098 veor q2, q2, q2 1099 1100 ldmia sp!, {r11, pc} @ return 1101.size vpaes_encrypt_key_to_bsaes,.-vpaes_encrypt_key_to_bsaes 1102 1103@ void vpaes_decrypt_key_to_bsaes(AES_KEY *vpaes, const AES_KEY *bsaes); 1104.globl vpaes_decrypt_key_to_bsaes 1105.hidden vpaes_decrypt_key_to_bsaes 1106.type vpaes_decrypt_key_to_bsaes,%function 1107.align 4 1108vpaes_decrypt_key_to_bsaes: 1109 stmdb sp!, {r11, lr} 1110 1111 @ See _vpaes_schedule_core for the key schedule logic. Note vpaes 1112 @ computes the decryption key schedule in reverse. Additionally, 1113 @ aes-x86_64.pl shares some transformations, so we must only partially 1114 @ invert vpaes's transformations. In general, vpaes computes in a 1115 @ different basis (.Lk_ipt and .Lk_opt) and applies the inverses of 1116 @ MixColumns, ShiftRows, and the affine part of the AES S-box (which is 1117 @ split into a linear skew and XOR of 0x63). We undo all but MixColumns. 1118 @ 1119 @ Note also that bsaes-armv7.pl expects aes-armv4.pl's key 1120 @ representation, which does not match the other aes_nohw_* 1121 @ implementations. The ARM aes_nohw_* stores each 32-bit word 1122 @ byteswapped, as a convenience for (unsupported) big-endian ARM, at the 1123 @ cost of extra REV and VREV32 operations in little-endian ARM. 1124 1125 adr r2, .Lk_decrypt_transform 1126 adr r3, .Lk_sr+0x30 1127 adr r11, .Lk_opt_then_skew @ Input to _vpaes_schedule_transform. 1128 vld1.64 {q12}, [r2] @ Reuse q12 from encryption. 1129 vmov.i8 q9, #0x0f @ Required by _vpaes_schedule_transform 1130 1131 @ vpaes stores one fewer round count than bsaes, but the number of keys 1132 @ is the same. 1133 ldr r2, [r1,#240] 1134 add r2, r2, #1 1135 str r2, [r0,#240] 1136 1137 @ Undo the basis change and reapply the S-box affine transform. See 1138 @ .Lschedule_mangle_last. 1139 vld1.64 {q0}, [r1]! 1140 bl _vpaes_schedule_transform 1141 vrev32.8 q0, q0 1142 vst1.64 {q0}, [r0]! 1143 1144 @ See _vpaes_schedule_mangle for the transform on the middle keys. Note 1145 @ it simultaneously inverts MixColumns and the S-box affine transform. 1146 @ See .Lk_dksd through .Lk_dks9. 1147.Loop_dec_key_to_bsaes: 1148 vld1.64 {q0}, [r1]! 1149 1150 @ Invert the ShiftRows step (see .Lschedule_mangle_both). Note going 1151 @ forwards cancels inverting for which direction we cycle r3. We use r3 1152 @ rather than r8 to avoid a callee-saved register. 1153 vld1.64 {q1}, [r3] 1154 vtbl.8 d4, {q0}, d2 1155 vtbl.8 d5, {q0}, d3 1156 add r3, r3, #64-16 1157 and r3, r3, #~(1<<6) 1158 vmov q0, q2 1159 1160 @ Handle the last key differently. 1161 subs r2, r2, #1 1162 beq .Loop_dec_key_to_bsaes_last 1163 1164 @ Undo the basis change and reapply the S-box affine transform. 1165 bl _vpaes_schedule_transform 1166 1167 @ Rotate each word by 8 bytes (cycle the rows) and then byte-swap. We 1168 @ combine the two operations in .Lk_decrypt_transform. 1169 @ 1170 @ TODO(davidben): Where does the rotation come from? 1171 vtbl.8 d2, {q0}, d24 1172 vtbl.8 d3, {q0}, d25 1173 1174 vst1.64 {q1}, [r0]! 1175 b .Loop_dec_key_to_bsaes 1176 1177.Loop_dec_key_to_bsaes_last: 1178 @ The final key only inverts ShiftRows (already done in the loop). See 1179 @ .Lschedule_am_decrypting. Its basis is not transformed. 1180 vrev32.8 q0, q0 1181 vst1.64 {q0}, [r0]! 1182 1183 @ Wipe registers which contained key material. 1184 veor q0, q0, q0 1185 veor q1, q1, q1 1186 veor q2, q2, q2 1187 1188 ldmia sp!, {r11, pc} @ return 1189.size vpaes_decrypt_key_to_bsaes,.-vpaes_decrypt_key_to_bsaes 1190.globl vpaes_ctr32_encrypt_blocks 1191.hidden vpaes_ctr32_encrypt_blocks 1192.type vpaes_ctr32_encrypt_blocks,%function 1193.align 4 1194vpaes_ctr32_encrypt_blocks: 1195 mov ip, sp 1196 stmdb sp!, {r7,r8,r9,r10,r11, lr} 1197 @ This function uses q4-q7 (d8-d15), which are callee-saved. 1198 vstmdb sp!, {d8,d9,d10,d11,d12,d13,d14,d15} 1199 1200 cmp r2, #0 1201 @ r8 is passed on the stack. 1202 ldr r8, [ip] 1203 beq .Lctr32_done 1204 1205 @ _vpaes_encrypt_core expects the key in r2, so swap r2 and r3. 1206 mov r9, r3 1207 mov r3, r2 1208 mov r2, r9 1209 1210 @ Load the IV and counter portion. 1211 ldr r7, [r8, #12] 1212 vld1.8 {q7}, [r8] 1213 1214 bl _vpaes_preheat 1215 rev r7, r7 @ The counter is big-endian. 1216 1217.Lctr32_loop: 1218 vmov q0, q7 1219 vld1.8 {q6}, [r0]! @ .Load input ahead of time 1220 bl _vpaes_encrypt_core 1221 veor q0, q0, q6 @ XOR input and result 1222 vst1.8 {q0}, [r1]! 1223 subs r3, r3, #1 1224 @ Update the counter. 1225 add r7, r7, #1 1226 rev r9, r7 1227 vmov.32 d15[1], r9 1228 bne .Lctr32_loop 1229 1230.Lctr32_done: 1231 vldmia sp!, {d8,d9,d10,d11,d12,d13,d14,d15} 1232 ldmia sp!, {r7,r8,r9,r10,r11, pc} @ return 1233.size vpaes_ctr32_encrypt_blocks,.-vpaes_ctr32_encrypt_blocks 1234#endif 1235#endif // !OPENSSL_NO_ASM 1236.section .note.GNU-stack,"",%progbits 1237