1// This file is generated from a similarly-named Perl script in the BoringSSL 2// source tree. Do not edit by hand. 3 4#include <openssl/asm_base.h> 5 6#if !defined(OPENSSL_NO_ASM) && defined(OPENSSL_ARM) && defined(__APPLE__) 7.syntax unified 8 9 10 11 12#if defined(__thumb2__) 13.thumb 14#else 15.code 32 16#endif 17 18.text 19 20 21.align 7 @ totally strategic alignment 22_vpaes_consts: 23Lk_mc_forward:@ mc_forward 24.quad 0x0407060500030201, 0x0C0F0E0D080B0A09 25.quad 0x080B0A0904070605, 0x000302010C0F0E0D 26.quad 0x0C0F0E0D080B0A09, 0x0407060500030201 27.quad 0x000302010C0F0E0D, 0x080B0A0904070605 28Lk_mc_backward:@ mc_backward 29.quad 0x0605040702010003, 0x0E0D0C0F0A09080B 30.quad 0x020100030E0D0C0F, 0x0A09080B06050407 31.quad 0x0E0D0C0F0A09080B, 0x0605040702010003 32.quad 0x0A09080B06050407, 0x020100030E0D0C0F 33Lk_sr:@ sr 34.quad 0x0706050403020100, 0x0F0E0D0C0B0A0908 35.quad 0x030E09040F0A0500, 0x0B06010C07020D08 36.quad 0x0F060D040B020900, 0x070E050C030A0108 37.quad 0x0B0E0104070A0D00, 0x0306090C0F020508 38 39@ 40@ "Hot" constants 41@ 42Lk_inv:@ inv, inva 43.quad 0x0E05060F0D080180, 0x040703090A0B0C02 44.quad 0x01040A060F0B0780, 0x030D0E0C02050809 45Lk_ipt:@ input transform (lo, hi) 46.quad 0xC2B2E8985A2A7000, 0xCABAE09052227808 47.quad 0x4C01307D317C4D00, 0xCD80B1FCB0FDCC81 48Lk_sbo:@ sbou, sbot 49.quad 0xD0D26D176FBDC700, 0x15AABF7AC502A878 50.quad 0xCFE474A55FBB6A00, 0x8E1E90D1412B35FA 51Lk_sb1:@ sb1u, sb1t 52.quad 0x3618D415FAE22300, 0x3BF7CCC10D2ED9EF 53.quad 0xB19BE18FCB503E00, 0xA5DF7A6E142AF544 54Lk_sb2:@ sb2u, sb2t 55.quad 0x69EB88400AE12900, 0xC2A163C8AB82234A 56.quad 0xE27A93C60B712400, 0x5EB7E955BC982FCD 57 58.byte 86,101,99,116,111,114,32,80,101,114,109,117,116,97,116,105,111,110,32,65,69,83,32,102,111,114,32,65,82,77,118,55,32,78,69,79,78,44,32,77,105,107,101,32,72,97,109,98,117,114,103,32,40,83,116,97,110,102,111,114,100,32,85,110,105,118,101,114,115,105,116,121,41,0 59.align 2 60 61.align 6 62@@ 63@@ _aes_preheat 64@@ 65@@ Fills q9-q15 as specified below. 66@@ 67#ifdef __thumb2__ 68.thumb_func _vpaes_preheat 69#endif 70.align 4 71_vpaes_preheat: 72 adr r10, Lk_inv 73 vmov.i8 q9, #0x0f @ Lk_s0F 74 vld1.64 {q10,q11}, [r10]! @ Lk_inv 75 add r10, r10, #64 @ Skip Lk_ipt, Lk_sbo 76 vld1.64 {q12,q13}, [r10]! @ Lk_sb1 77 vld1.64 {q14,q15}, [r10] @ Lk_sb2 78 bx lr 79 80@@ 81@@ _aes_encrypt_core 82@@ 83@@ AES-encrypt q0. 84@@ 85@@ Inputs: 86@@ q0 = input 87@@ q9-q15 as in _vpaes_preheat 88@@ [r2] = scheduled keys 89@@ 90@@ Output in q0 91@@ Clobbers q1-q5, r8-r11 92@@ Preserves q6-q8 so you get some local vectors 93@@ 94@@ 95#ifdef __thumb2__ 96.thumb_func _vpaes_encrypt_core 97#endif 98.align 4 99_vpaes_encrypt_core: 100 mov r9, r2 101 ldr r8, [r2,#240] @ pull rounds 102 adr r11, Lk_ipt 103 @ vmovdqa .Lk_ipt(%rip), %xmm2 # iptlo 104 @ vmovdqa .Lk_ipt+16(%rip), %xmm3 # ipthi 105 vld1.64 {q2, q3}, [r11] 106 adr r11, Lk_mc_forward+16 107 vld1.64 {q5}, [r9]! @ vmovdqu (%r9), %xmm5 # round0 key 108 vand q1, q0, q9 @ vpand %xmm9, %xmm0, %xmm1 109 vshr.u8 q0, q0, #4 @ vpsrlb $4, %xmm0, %xmm0 110 vtbl.8 d2, {q2}, d2 @ vpshufb %xmm1, %xmm2, %xmm1 111 vtbl.8 d3, {q2}, d3 112 vtbl.8 d4, {q3}, d0 @ vpshufb %xmm0, %xmm3, %xmm2 113 vtbl.8 d5, {q3}, d1 114 veor q0, q1, q5 @ vpxor %xmm5, %xmm1, %xmm0 115 veor q0, q0, q2 @ vpxor %xmm2, %xmm0, %xmm0 116 117 @ .Lenc_entry ends with a bnz instruction which is normally paired with 118 @ subs in .Lenc_loop. 119 tst r8, r8 120 b Lenc_entry 121 122.align 4 123Lenc_loop: 124 @ middle of middle round 125 add r10, r11, #0x40 126 vtbl.8 d8, {q13}, d4 @ vpshufb %xmm2, %xmm13, %xmm4 # 4 = sb1u 127 vtbl.8 d9, {q13}, d5 128 vld1.64 {q1}, [r11]! @ vmovdqa -0x40(%r11,%r10), %xmm1 # Lk_mc_forward[] 129 vtbl.8 d0, {q12}, d6 @ vpshufb %xmm3, %xmm12, %xmm0 # 0 = sb1t 130 vtbl.8 d1, {q12}, d7 131 veor q4, q4, q5 @ vpxor %xmm5, %xmm4, %xmm4 # 4 = sb1u + k 132 vtbl.8 d10, {q15}, d4 @ vpshufb %xmm2, %xmm15, %xmm5 # 4 = sb2u 133 vtbl.8 d11, {q15}, d5 134 veor q0, q0, q4 @ vpxor %xmm4, %xmm0, %xmm0 # 0 = A 135 vtbl.8 d4, {q14}, d6 @ vpshufb %xmm3, %xmm14, %xmm2 # 2 = sb2t 136 vtbl.8 d5, {q14}, d7 137 vld1.64 {q4}, [r10] @ vmovdqa (%r11,%r10), %xmm4 # Lk_mc_backward[] 138 vtbl.8 d6, {q0}, d2 @ vpshufb %xmm1, %xmm0, %xmm3 # 0 = B 139 vtbl.8 d7, {q0}, d3 140 veor q2, q2, q5 @ vpxor %xmm5, %xmm2, %xmm2 # 2 = 2A 141 @ Write to q5 instead of q0, so the table and destination registers do 142 @ not overlap. 143 vtbl.8 d10, {q0}, d8 @ vpshufb %xmm4, %xmm0, %xmm0 # 3 = D 144 vtbl.8 d11, {q0}, d9 145 veor q3, q3, q2 @ vpxor %xmm2, %xmm3, %xmm3 # 0 = 2A+B 146 vtbl.8 d8, {q3}, d2 @ vpshufb %xmm1, %xmm3, %xmm4 # 0 = 2B+C 147 vtbl.8 d9, {q3}, d3 148 @ Here we restore the original q0/q5 usage. 149 veor q0, q5, q3 @ vpxor %xmm3, %xmm0, %xmm0 # 3 = 2A+B+D 150 and r11, r11, #~(1<<6) @ and $0x30, %r11 # ... mod 4 151 veor q0, q0, q4 @ vpxor %xmm4, %xmm0, %xmm0 # 0 = 2A+3B+C+D 152 subs r8, r8, #1 @ nr-- 153 154Lenc_entry: 155 @ top of round 156 vand q1, q0, q9 @ vpand %xmm0, %xmm9, %xmm1 # 0 = k 157 vshr.u8 q0, q0, #4 @ vpsrlb $4, %xmm0, %xmm0 # 1 = i 158 vtbl.8 d10, {q11}, d2 @ vpshufb %xmm1, %xmm11, %xmm5 # 2 = a/k 159 vtbl.8 d11, {q11}, d3 160 veor q1, q1, q0 @ vpxor %xmm0, %xmm1, %xmm1 # 0 = j 161 vtbl.8 d6, {q10}, d0 @ vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i 162 vtbl.8 d7, {q10}, d1 163 vtbl.8 d8, {q10}, d2 @ vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j 164 vtbl.8 d9, {q10}, d3 165 veor q3, q3, q5 @ vpxor %xmm5, %xmm3, %xmm3 # 3 = iak = 1/i + a/k 166 veor q4, q4, q5 @ vpxor %xmm5, %xmm4, %xmm4 # 4 = jak = 1/j + a/k 167 vtbl.8 d4, {q10}, d6 @ vpshufb %xmm3, %xmm10, %xmm2 # 2 = 1/iak 168 vtbl.8 d5, {q10}, d7 169 vtbl.8 d6, {q10}, d8 @ vpshufb %xmm4, %xmm10, %xmm3 # 3 = 1/jak 170 vtbl.8 d7, {q10}, d9 171 veor q2, q2, q1 @ vpxor %xmm1, %xmm2, %xmm2 # 2 = io 172 veor q3, q3, q0 @ vpxor %xmm0, %xmm3, %xmm3 # 3 = jo 173 vld1.64 {q5}, [r9]! @ vmovdqu (%r9), %xmm5 174 bne Lenc_loop 175 176 @ middle of last round 177 add r10, r11, #0x80 178 179 adr r11, Lk_sbo 180 @ Read to q1 instead of q4, so the vtbl.8 instruction below does not 181 @ overlap table and destination registers. 182 vld1.64 {q1}, [r11]! @ vmovdqa -0x60(%r10), %xmm4 # 3 : sbou 183 vld1.64 {q0}, [r11] @ vmovdqa -0x50(%r10), %xmm0 # 0 : sbot Lk_sbo+16 184 vtbl.8 d8, {q1}, d4 @ vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbou 185 vtbl.8 d9, {q1}, d5 186 vld1.64 {q1}, [r10] @ vmovdqa 0x40(%r11,%r10), %xmm1 # Lk_sr[] 187 @ Write to q2 instead of q0 below, to avoid overlapping table and 188 @ destination registers. 189 vtbl.8 d4, {q0}, d6 @ vpshufb %xmm3, %xmm0, %xmm0 # 0 = sb1t 190 vtbl.8 d5, {q0}, d7 191 veor q4, q4, q5 @ vpxor %xmm5, %xmm4, %xmm4 # 4 = sb1u + k 192 veor q2, q2, q4 @ vpxor %xmm4, %xmm0, %xmm0 # 0 = A 193 @ Here we restore the original q0/q2 usage. 194 vtbl.8 d0, {q2}, d2 @ vpshufb %xmm1, %xmm0, %xmm0 195 vtbl.8 d1, {q2}, d3 196 bx lr 197 198 199.globl _vpaes_encrypt 200.private_extern _vpaes_encrypt 201#ifdef __thumb2__ 202.thumb_func _vpaes_encrypt 203#endif 204.align 4 205_vpaes_encrypt: 206 @ _vpaes_encrypt_core uses r8-r11. Round up to r7-r11 to maintain stack 207 @ alignment. 208 stmdb sp!, {r7,r8,r9,r10,r11,lr} 209 @ _vpaes_encrypt_core uses q4-q5 (d8-d11), which are callee-saved. 210 vstmdb sp!, {d8,d9,d10,d11} 211 212 vld1.64 {q0}, [r0] 213 bl _vpaes_preheat 214 bl _vpaes_encrypt_core 215 vst1.64 {q0}, [r1] 216 217 vldmia sp!, {d8,d9,d10,d11} 218 ldmia sp!, {r7,r8,r9,r10,r11, pc} @ return 219 220 221@ 222@ Decryption stuff 223@ 224 225.align 4 226_vpaes_decrypt_consts: 227Lk_dipt:@ decryption input transform 228.quad 0x0F505B040B545F00, 0x154A411E114E451A 229.quad 0x86E383E660056500, 0x12771772F491F194 230Lk_dsbo:@ decryption sbox final output 231.quad 0x1387EA537EF94000, 0xC7AA6DB9D4943E2D 232.quad 0x12D7560F93441D00, 0xCA4B8159D8C58E9C 233Lk_dsb9:@ decryption sbox output *9*u, *9*t 234.quad 0x851C03539A86D600, 0xCAD51F504F994CC9 235.quad 0xC03B1789ECD74900, 0x725E2C9EB2FBA565 236Lk_dsbd:@ decryption sbox output *D*u, *D*t 237.quad 0x7D57CCDFE6B1A200, 0xF56E9B13882A4439 238.quad 0x3CE2FAF724C6CB00, 0x2931180D15DEEFD3 239Lk_dsbb:@ decryption sbox output *B*u, *B*t 240.quad 0xD022649296B44200, 0x602646F6B0F2D404 241.quad 0xC19498A6CD596700, 0xF3FF0C3E3255AA6B 242Lk_dsbe:@ decryption sbox output *E*u, *E*t 243.quad 0x46F2929626D4D000, 0x2242600464B4F6B0 244.quad 0x0C55A6CDFFAAC100, 0x9467F36B98593E32 245 246 247@@ 248@@ Decryption core 249@@ 250@@ Same API as encryption core, except it clobbers q12-q15 rather than using 251@@ the values from _vpaes_preheat. q9-q11 must still be set from 252@@ _vpaes_preheat. 253@@ 254#ifdef __thumb2__ 255.thumb_func _vpaes_decrypt_core 256#endif 257.align 4 258_vpaes_decrypt_core: 259 mov r9, r2 260 ldr r8, [r2,#240] @ pull rounds 261 262 @ This function performs shuffles with various constants. The x86_64 263 @ version loads them on-demand into %xmm0-%xmm5. This does not work well 264 @ for ARMv7 because those registers are shuffle destinations. The ARMv8 265 @ version preloads those constants into registers, but ARMv7 has half 266 @ the registers to work with. Instead, we load them on-demand into 267 @ q12-q15, registers normally use for preloaded constants. This is fine 268 @ because decryption doesn't use those constants. The values are 269 @ constant, so this does not interfere with potential 2x optimizations. 270 adr r7, Lk_dipt 271 272 vld1.64 {q12,q13}, [r7] @ vmovdqa Lk_dipt(%rip), %xmm2 # iptlo 273 lsl r11, r8, #4 @ mov %rax, %r11; shl $4, %r11 274 eor r11, r11, #0x30 @ xor $0x30, %r11 275 adr r10, Lk_sr 276 and r11, r11, #0x30 @ and $0x30, %r11 277 add r11, r11, r10 278 adr r10, Lk_mc_forward+48 279 280 vld1.64 {q4}, [r9]! @ vmovdqu (%r9), %xmm4 # round0 key 281 vand q1, q0, q9 @ vpand %xmm9, %xmm0, %xmm1 282 vshr.u8 q0, q0, #4 @ vpsrlb $4, %xmm0, %xmm0 283 vtbl.8 d4, {q12}, d2 @ vpshufb %xmm1, %xmm2, %xmm2 284 vtbl.8 d5, {q12}, d3 285 vld1.64 {q5}, [r10] @ vmovdqa Lk_mc_forward+48(%rip), %xmm5 286 @ vmovdqa .Lk_dipt+16(%rip), %xmm1 # ipthi 287 vtbl.8 d0, {q13}, d0 @ vpshufb %xmm0, %xmm1, %xmm0 288 vtbl.8 d1, {q13}, d1 289 veor q2, q2, q4 @ vpxor %xmm4, %xmm2, %xmm2 290 veor q0, q0, q2 @ vpxor %xmm2, %xmm0, %xmm0 291 292 @ .Ldec_entry ends with a bnz instruction which is normally paired with 293 @ subs in .Ldec_loop. 294 tst r8, r8 295 b Ldec_entry 296 297.align 4 298Ldec_loop: 299@ 300@ Inverse mix columns 301@ 302 303 @ We load .Lk_dsb* into q12-q15 on-demand. See the comment at the top of 304 @ the function. 305 adr r10, Lk_dsb9 306 vld1.64 {q12,q13}, [r10]! @ vmovdqa -0x20(%r10),%xmm4 # 4 : sb9u 307 @ vmovdqa -0x10(%r10),%xmm1 # 0 : sb9t 308 @ Load sbd* ahead of time. 309 vld1.64 {q14,q15}, [r10]! @ vmovdqa 0x00(%r10),%xmm4 # 4 : sbdu 310 @ vmovdqa 0x10(%r10),%xmm1 # 0 : sbdt 311 vtbl.8 d8, {q12}, d4 @ vpshufb %xmm2, %xmm4, %xmm4 # 4 = sb9u 312 vtbl.8 d9, {q12}, d5 313 vtbl.8 d2, {q13}, d6 @ vpshufb %xmm3, %xmm1, %xmm1 # 0 = sb9t 314 vtbl.8 d3, {q13}, d7 315 veor q0, q4, q0 @ vpxor %xmm4, %xmm0, %xmm0 316 317 veor q0, q0, q1 @ vpxor %xmm1, %xmm0, %xmm0 # 0 = ch 318 319 @ Load sbb* ahead of time. 320 vld1.64 {q12,q13}, [r10]! @ vmovdqa 0x20(%r10),%xmm4 # 4 : sbbu 321 @ vmovdqa 0x30(%r10),%xmm1 # 0 : sbbt 322 323 vtbl.8 d8, {q14}, d4 @ vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbdu 324 vtbl.8 d9, {q14}, d5 325 @ Write to q1 instead of q0, so the table and destination registers do 326 @ not overlap. 327 vtbl.8 d2, {q0}, d10 @ vpshufb %xmm5, %xmm0, %xmm0 # MC ch 328 vtbl.8 d3, {q0}, d11 329 @ Here we restore the original q0/q1 usage. This instruction is 330 @ reordered from the ARMv8 version so we do not clobber the vtbl.8 331 @ below. 332 veor q0, q1, q4 @ vpxor %xmm4, %xmm0, %xmm0 # 4 = ch 333 vtbl.8 d2, {q15}, d6 @ vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbdt 334 vtbl.8 d3, {q15}, d7 335 @ vmovdqa 0x20(%r10), %xmm4 # 4 : sbbu 336 veor q0, q0, q1 @ vpxor %xmm1, %xmm0, %xmm0 # 0 = ch 337 @ vmovdqa 0x30(%r10), %xmm1 # 0 : sbbt 338 339 @ Load sbd* ahead of time. 340 vld1.64 {q14,q15}, [r10]! @ vmovdqa 0x40(%r10),%xmm4 # 4 : sbeu 341 @ vmovdqa 0x50(%r10),%xmm1 # 0 : sbet 342 343 vtbl.8 d8, {q12}, d4 @ vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbbu 344 vtbl.8 d9, {q12}, d5 345 @ Write to q1 instead of q0, so the table and destination registers do 346 @ not overlap. 347 vtbl.8 d2, {q0}, d10 @ vpshufb %xmm5, %xmm0, %xmm0 # MC ch 348 vtbl.8 d3, {q0}, d11 349 @ Here we restore the original q0/q1 usage. This instruction is 350 @ reordered from the ARMv8 version so we do not clobber the vtbl.8 351 @ below. 352 veor q0, q1, q4 @ vpxor %xmm4, %xmm0, %xmm0 # 4 = ch 353 vtbl.8 d2, {q13}, d6 @ vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbbt 354 vtbl.8 d3, {q13}, d7 355 veor q0, q0, q1 @ vpxor %xmm1, %xmm0, %xmm0 # 0 = ch 356 357 vtbl.8 d8, {q14}, d4 @ vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbeu 358 vtbl.8 d9, {q14}, d5 359 @ Write to q1 instead of q0, so the table and destination registers do 360 @ not overlap. 361 vtbl.8 d2, {q0}, d10 @ vpshufb %xmm5, %xmm0, %xmm0 # MC ch 362 vtbl.8 d3, {q0}, d11 363 @ Here we restore the original q0/q1 usage. This instruction is 364 @ reordered from the ARMv8 version so we do not clobber the vtbl.8 365 @ below. 366 veor q0, q1, q4 @ vpxor %xmm4, %xmm0, %xmm0 # 4 = ch 367 vtbl.8 d2, {q15}, d6 @ vpshufb %xmm3, %xmm1, %xmm1 # 0 = sbet 368 vtbl.8 d3, {q15}, d7 369 vext.8 q5, q5, q5, #12 @ vpalignr $12, %xmm5, %xmm5, %xmm5 370 veor q0, q0, q1 @ vpxor %xmm1, %xmm0, %xmm0 # 0 = ch 371 subs r8, r8, #1 @ sub $1,%rax # nr-- 372 373Ldec_entry: 374 @ top of round 375 vand q1, q0, q9 @ vpand %xmm9, %xmm0, %xmm1 # 0 = k 376 vshr.u8 q0, q0, #4 @ vpsrlb $4, %xmm0, %xmm0 # 1 = i 377 vtbl.8 d4, {q11}, d2 @ vpshufb %xmm1, %xmm11, %xmm2 # 2 = a/k 378 vtbl.8 d5, {q11}, d3 379 veor q1, q1, q0 @ vpxor %xmm0, %xmm1, %xmm1 # 0 = j 380 vtbl.8 d6, {q10}, d0 @ vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i 381 vtbl.8 d7, {q10}, d1 382 vtbl.8 d8, {q10}, d2 @ vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j 383 vtbl.8 d9, {q10}, d3 384 veor q3, q3, q2 @ vpxor %xmm2, %xmm3, %xmm3 # 3 = iak = 1/i + a/k 385 veor q4, q4, q2 @ vpxor %xmm2, %xmm4, %xmm4 # 4 = jak = 1/j + a/k 386 vtbl.8 d4, {q10}, d6 @ vpshufb %xmm3, %xmm10, %xmm2 # 2 = 1/iak 387 vtbl.8 d5, {q10}, d7 388 vtbl.8 d6, {q10}, d8 @ vpshufb %xmm4, %xmm10, %xmm3 # 3 = 1/jak 389 vtbl.8 d7, {q10}, d9 390 veor q2, q2, q1 @ vpxor %xmm1, %xmm2, %xmm2 # 2 = io 391 veor q3, q3, q0 @ vpxor %xmm0, %xmm3, %xmm3 # 3 = jo 392 vld1.64 {q0}, [r9]! @ vmovdqu (%r9), %xmm0 393 bne Ldec_loop 394 395 @ middle of last round 396 397 adr r10, Lk_dsbo 398 399 @ Write to q1 rather than q4 to avoid overlapping table and destination. 400 vld1.64 {q1}, [r10]! @ vmovdqa 0x60(%r10), %xmm4 # 3 : sbou 401 vtbl.8 d8, {q1}, d4 @ vpshufb %xmm2, %xmm4, %xmm4 # 4 = sbou 402 vtbl.8 d9, {q1}, d5 403 @ Write to q2 rather than q1 to avoid overlapping table and destination. 404 vld1.64 {q2}, [r10] @ vmovdqa 0x70(%r10), %xmm1 # 0 : sbot 405 vtbl.8 d2, {q2}, d6 @ vpshufb %xmm3, %xmm1, %xmm1 # 0 = sb1t 406 vtbl.8 d3, {q2}, d7 407 vld1.64 {q2}, [r11] @ vmovdqa -0x160(%r11), %xmm2 # Lk_sr-Lk_dsbd=-0x160 408 veor q4, q4, q0 @ vpxor %xmm0, %xmm4, %xmm4 # 4 = sb1u + k 409 @ Write to q1 rather than q0 so the table and destination registers 410 @ below do not overlap. 411 veor q1, q1, q4 @ vpxor %xmm4, %xmm1, %xmm0 # 0 = A 412 vtbl.8 d0, {q1}, d4 @ vpshufb %xmm2, %xmm0, %xmm0 413 vtbl.8 d1, {q1}, d5 414 bx lr 415 416 417.globl _vpaes_decrypt 418.private_extern _vpaes_decrypt 419#ifdef __thumb2__ 420.thumb_func _vpaes_decrypt 421#endif 422.align 4 423_vpaes_decrypt: 424 @ _vpaes_decrypt_core uses r7-r11. 425 stmdb sp!, {r7,r8,r9,r10,r11,lr} 426 @ _vpaes_decrypt_core uses q4-q5 (d8-d11), which are callee-saved. 427 vstmdb sp!, {d8,d9,d10,d11} 428 429 vld1.64 {q0}, [r0] 430 bl _vpaes_preheat 431 bl _vpaes_decrypt_core 432 vst1.64 {q0}, [r1] 433 434 vldmia sp!, {d8,d9,d10,d11} 435 ldmia sp!, {r7,r8,r9,r10,r11, pc} @ return 436 437@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 438@@ @@ 439@@ AES key schedule @@ 440@@ @@ 441@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 442 443@ This function diverges from both x86_64 and armv7 in which constants are 444@ pinned. x86_64 has a common preheat function for all operations. aarch64 445@ separates them because it has enough registers to pin nearly all constants. 446@ armv7 does not have enough registers, but needing explicit loads and stores 447@ also complicates using x86_64's register allocation directly. 448@ 449@ We pin some constants for convenience and leave q14 and q15 free to load 450@ others on demand. 451 452@ 453@ Key schedule constants 454@ 455 456.align 4 457_vpaes_key_consts: 458Lk_dksd:@ decryption key schedule: invskew x*D 459.quad 0xFEB91A5DA3E44700, 0x0740E3A45A1DBEF9 460.quad 0x41C277F4B5368300, 0x5FDC69EAAB289D1E 461Lk_dksb:@ decryption key schedule: invskew x*B 462.quad 0x9A4FCA1F8550D500, 0x03D653861CC94C99 463.quad 0x115BEDA7B6FC4A00, 0xD993256F7E3482C8 464Lk_dkse:@ decryption key schedule: invskew x*E + 0x63 465.quad 0xD5031CCA1FC9D600, 0x53859A4C994F5086 466.quad 0xA23196054FDC7BE8, 0xCD5EF96A20B31487 467Lk_dks9:@ decryption key schedule: invskew x*9 468.quad 0xB6116FC87ED9A700, 0x4AED933482255BFC 469.quad 0x4576516227143300, 0x8BB89FACE9DAFDCE 470 471Lk_rcon:@ rcon 472.quad 0x1F8391B9AF9DEEB6, 0x702A98084D7C7D81 473 474Lk_opt:@ output transform 475.quad 0xFF9F4929D6B66000, 0xF7974121DEBE6808 476.quad 0x01EDBD5150BCEC00, 0xE10D5DB1B05C0CE0 477Lk_deskew:@ deskew tables: inverts the sbox's "skew" 478.quad 0x07E4A34047A4E300, 0x1DFEB95A5DBEF91A 479.quad 0x5F36B5DC83EA6900, 0x2841C2ABF49D1E77 480 481 482#ifdef __thumb2__ 483.thumb_func _vpaes_key_preheat 484#endif 485.align 4 486_vpaes_key_preheat: 487 adr r11, Lk_rcon 488 vmov.i8 q12, #0x5b @ Lk_s63 489 adr r10, Lk_inv @ Must be aligned to 8 mod 16. 490 vmov.i8 q9, #0x0f @ Lk_s0F 491 vld1.64 {q10,q11}, [r10] @ Lk_inv 492 vld1.64 {q8}, [r11] @ Lk_rcon 493 bx lr 494 495 496#ifdef __thumb2__ 497.thumb_func _vpaes_schedule_core 498#endif 499.align 4 500_vpaes_schedule_core: 501 @ We only need to save lr, but ARM requires an 8-byte stack alignment, 502 @ so save an extra register. 503 stmdb sp!, {r3,lr} 504 505 bl _vpaes_key_preheat @ load the tables 506 507 adr r11, Lk_ipt @ Must be aligned to 8 mod 16. 508 vld1.64 {q0}, [r0]! @ vmovdqu (%rdi), %xmm0 # load key (unaligned) 509 510 @ input transform 511 @ Use q4 here rather than q3 so .Lschedule_am_decrypting does not 512 @ overlap table and destination. 513 vmov q4, q0 @ vmovdqa %xmm0, %xmm3 514 bl _vpaes_schedule_transform 515 adr r10, Lk_sr @ Must be aligned to 8 mod 16. 516 vmov q7, q0 @ vmovdqa %xmm0, %xmm7 517 518 add r8, r8, r10 519 tst r3, r3 520 bne Lschedule_am_decrypting 521 522 @ encrypting, output zeroth round key after transform 523 vst1.64 {q0}, [r2] @ vmovdqu %xmm0, (%rdx) 524 b Lschedule_go 525 526Lschedule_am_decrypting: 527 @ decrypting, output zeroth round key after shiftrows 528 vld1.64 {q1}, [r8] @ vmovdqa (%r8,%r10), %xmm1 529 vtbl.8 d6, {q4}, d2 @ vpshufb %xmm1, %xmm3, %xmm3 530 vtbl.8 d7, {q4}, d3 531 vst1.64 {q3}, [r2] @ vmovdqu %xmm3, (%rdx) 532 eor r8, r8, #0x30 @ xor $0x30, %r8 533 534Lschedule_go: 535 cmp r1, #192 @ cmp $192, %esi 536 bhi Lschedule_256 537 beq Lschedule_192 538 @ 128: fall though 539 540@@ 541@@ .schedule_128 542@@ 543@@ 128-bit specific part of key schedule. 544@@ 545@@ This schedule is really simple, because all its parts 546@@ are accomplished by the subroutines. 547@@ 548Lschedule_128: 549 mov r0, #10 @ mov $10, %esi 550 551Loop_schedule_128: 552 bl _vpaes_schedule_round 553 subs r0, r0, #1 @ dec %esi 554 beq Lschedule_mangle_last 555 bl _vpaes_schedule_mangle @ write output 556 b Loop_schedule_128 557 558@@ 559@@ .aes_schedule_192 560@@ 561@@ 192-bit specific part of key schedule. 562@@ 563@@ The main body of this schedule is the same as the 128-bit 564@@ schedule, but with more smearing. The long, high side is 565@@ stored in q7 as before, and the short, low side is in 566@@ the high bits of q6. 567@@ 568@@ This schedule is somewhat nastier, however, because each 569@@ round produces 192 bits of key material, or 1.5 round keys. 570@@ Therefore, on each cycle we do 2 rounds and produce 3 round 571@@ keys. 572@@ 573.align 4 574Lschedule_192: 575 sub r0, r0, #8 576 vld1.64 {q0}, [r0] @ vmovdqu 8(%rdi),%xmm0 # load key part 2 (very unaligned) 577 bl _vpaes_schedule_transform @ input transform 578 vmov q6, q0 @ vmovdqa %xmm0, %xmm6 # save short part 579 vmov.i8 d12, #0 @ vpxor %xmm4, %xmm4, %xmm4 # clear 4 580 @ vmovhlps %xmm4, %xmm6, %xmm6 # clobber low side with zeros 581 mov r0, #4 @ mov $4, %esi 582 583Loop_schedule_192: 584 bl _vpaes_schedule_round 585 vext.8 q0, q6, q0, #8 @ vpalignr $8,%xmm6,%xmm0,%xmm0 586 bl _vpaes_schedule_mangle @ save key n 587 bl _vpaes_schedule_192_smear 588 bl _vpaes_schedule_mangle @ save key n+1 589 bl _vpaes_schedule_round 590 subs r0, r0, #1 @ dec %esi 591 beq Lschedule_mangle_last 592 bl _vpaes_schedule_mangle @ save key n+2 593 bl _vpaes_schedule_192_smear 594 b Loop_schedule_192 595 596@@ 597@@ .aes_schedule_256 598@@ 599@@ 256-bit specific part of key schedule. 600@@ 601@@ The structure here is very similar to the 128-bit 602@@ schedule, but with an additional "low side" in 603@@ q6. The low side's rounds are the same as the 604@@ high side's, except no rcon and no rotation. 605@@ 606.align 4 607Lschedule_256: 608 vld1.64 {q0}, [r0] @ vmovdqu 16(%rdi),%xmm0 # load key part 2 (unaligned) 609 bl _vpaes_schedule_transform @ input transform 610 mov r0, #7 @ mov $7, %esi 611 612Loop_schedule_256: 613 bl _vpaes_schedule_mangle @ output low result 614 vmov q6, q0 @ vmovdqa %xmm0, %xmm6 # save cur_lo in xmm6 615 616 @ high round 617 bl _vpaes_schedule_round 618 subs r0, r0, #1 @ dec %esi 619 beq Lschedule_mangle_last 620 bl _vpaes_schedule_mangle 621 622 @ low round. swap xmm7 and xmm6 623 vdup.32 q0, d1[1] @ vpshufd $0xFF, %xmm0, %xmm0 624 vmov.i8 q4, #0 625 vmov q5, q7 @ vmovdqa %xmm7, %xmm5 626 vmov q7, q6 @ vmovdqa %xmm6, %xmm7 627 bl _vpaes_schedule_low_round 628 vmov q7, q5 @ vmovdqa %xmm5, %xmm7 629 630 b Loop_schedule_256 631 632@@ 633@@ .aes_schedule_mangle_last 634@@ 635@@ Mangler for last round of key schedule 636@@ Mangles q0 637@@ when encrypting, outputs out(q0) ^ 63 638@@ when decrypting, outputs unskew(q0) 639@@ 640@@ Always called right before return... jumps to cleanup and exits 641@@ 642.align 4 643Lschedule_mangle_last: 644 @ schedule last round key from xmm0 645 adr r11, Lk_deskew @ lea Lk_deskew(%rip),%r11 # prepare to deskew 646 tst r3, r3 647 bne Lschedule_mangle_last_dec 648 649 @ encrypting 650 vld1.64 {q1}, [r8] @ vmovdqa (%r8,%r10),%xmm1 651 adr r11, Lk_opt @ lea Lk_opt(%rip), %r11 # prepare to output transform 652 add r2, r2, #32 @ add $32, %rdx 653 vmov q2, q0 654 vtbl.8 d0, {q2}, d2 @ vpshufb %xmm1, %xmm0, %xmm0 # output permute 655 vtbl.8 d1, {q2}, d3 656 657Lschedule_mangle_last_dec: 658 sub r2, r2, #16 @ add $-16, %rdx 659 veor q0, q0, q12 @ vpxor Lk_s63(%rip), %xmm0, %xmm0 660 bl _vpaes_schedule_transform @ output transform 661 vst1.64 {q0}, [r2] @ vmovdqu %xmm0, (%rdx) # save last key 662 663 @ cleanup 664 veor q0, q0, q0 @ vpxor %xmm0, %xmm0, %xmm0 665 veor q1, q1, q1 @ vpxor %xmm1, %xmm1, %xmm1 666 veor q2, q2, q2 @ vpxor %xmm2, %xmm2, %xmm2 667 veor q3, q3, q3 @ vpxor %xmm3, %xmm3, %xmm3 668 veor q4, q4, q4 @ vpxor %xmm4, %xmm4, %xmm4 669 veor q5, q5, q5 @ vpxor %xmm5, %xmm5, %xmm5 670 veor q6, q6, q6 @ vpxor %xmm6, %xmm6, %xmm6 671 veor q7, q7, q7 @ vpxor %xmm7, %xmm7, %xmm7 672 ldmia sp!, {r3,pc} @ return 673 674 675@@ 676@@ .aes_schedule_192_smear 677@@ 678@@ Smear the short, low side in the 192-bit key schedule. 679@@ 680@@ Inputs: 681@@ q7: high side, b a x y 682@@ q6: low side, d c 0 0 683@@ 684@@ Outputs: 685@@ q6: b+c+d b+c 0 0 686@@ q0: b+c+d b+c b a 687@@ 688#ifdef __thumb2__ 689.thumb_func _vpaes_schedule_192_smear 690#endif 691.align 4 692_vpaes_schedule_192_smear: 693 vmov.i8 q1, #0 694 vdup.32 q0, d15[1] 695 vshl.i64 q1, q6, #32 @ vpshufd $0x80, %xmm6, %xmm1 # d c 0 0 -> c 0 0 0 696 vmov d0, d15 @ vpshufd $0xFE, %xmm7, %xmm0 # b a _ _ -> b b b a 697 veor q6, q6, q1 @ vpxor %xmm1, %xmm6, %xmm6 # -> c+d c 0 0 698 veor q1, q1, q1 @ vpxor %xmm1, %xmm1, %xmm1 699 veor q6, q6, q0 @ vpxor %xmm0, %xmm6, %xmm6 # -> b+c+d b+c b a 700 vmov q0, q6 @ vmovdqa %xmm6, %xmm0 701 vmov d12, d2 @ vmovhlps %xmm1, %xmm6, %xmm6 # clobber low side with zeros 702 bx lr 703 704 705@@ 706@@ .aes_schedule_round 707@@ 708@@ Runs one main round of the key schedule on q0, q7 709@@ 710@@ Specifically, runs subbytes on the high dword of q0 711@@ then rotates it by one byte and xors into the low dword of 712@@ q7. 713@@ 714@@ Adds rcon from low byte of q8, then rotates q8 for 715@@ next rcon. 716@@ 717@@ Smears the dwords of q7 by xoring the low into the 718@@ second low, result into third, result into highest. 719@@ 720@@ Returns results in q7 = q0. 721@@ Clobbers q1-q4, r11. 722@@ 723#ifdef __thumb2__ 724.thumb_func _vpaes_schedule_round 725#endif 726.align 4 727_vpaes_schedule_round: 728 @ extract rcon from xmm8 729 vmov.i8 q4, #0 @ vpxor %xmm4, %xmm4, %xmm4 730 vext.8 q1, q8, q4, #15 @ vpalignr $15, %xmm8, %xmm4, %xmm1 731 vext.8 q8, q8, q8, #15 @ vpalignr $15, %xmm8, %xmm8, %xmm8 732 veor q7, q7, q1 @ vpxor %xmm1, %xmm7, %xmm7 733 734 @ rotate 735 vdup.32 q0, d1[1] @ vpshufd $0xFF, %xmm0, %xmm0 736 vext.8 q0, q0, q0, #1 @ vpalignr $1, %xmm0, %xmm0, %xmm0 737 738 @ fall through... 739 740 @ low round: same as high round, but no rotation and no rcon. 741_vpaes_schedule_low_round: 742 @ The x86_64 version pins .Lk_sb1 in %xmm13 and .Lk_sb1+16 in %xmm12. 743 @ We pin other values in _vpaes_key_preheat, so load them now. 744 adr r11, Lk_sb1 745 vld1.64 {q14,q15}, [r11] 746 747 @ smear xmm7 748 vext.8 q1, q4, q7, #12 @ vpslldq $4, %xmm7, %xmm1 749 veor q7, q7, q1 @ vpxor %xmm1, %xmm7, %xmm7 750 vext.8 q4, q4, q7, #8 @ vpslldq $8, %xmm7, %xmm4 751 752 @ subbytes 753 vand q1, q0, q9 @ vpand %xmm9, %xmm0, %xmm1 # 0 = k 754 vshr.u8 q0, q0, #4 @ vpsrlb $4, %xmm0, %xmm0 # 1 = i 755 veor q7, q7, q4 @ vpxor %xmm4, %xmm7, %xmm7 756 vtbl.8 d4, {q11}, d2 @ vpshufb %xmm1, %xmm11, %xmm2 # 2 = a/k 757 vtbl.8 d5, {q11}, d3 758 veor q1, q1, q0 @ vpxor %xmm0, %xmm1, %xmm1 # 0 = j 759 vtbl.8 d6, {q10}, d0 @ vpshufb %xmm0, %xmm10, %xmm3 # 3 = 1/i 760 vtbl.8 d7, {q10}, d1 761 veor q3, q3, q2 @ vpxor %xmm2, %xmm3, %xmm3 # 3 = iak = 1/i + a/k 762 vtbl.8 d8, {q10}, d2 @ vpshufb %xmm1, %xmm10, %xmm4 # 4 = 1/j 763 vtbl.8 d9, {q10}, d3 764 veor q7, q7, q12 @ vpxor Lk_s63(%rip), %xmm7, %xmm7 765 vtbl.8 d6, {q10}, d6 @ vpshufb %xmm3, %xmm10, %xmm3 # 2 = 1/iak 766 vtbl.8 d7, {q10}, d7 767 veor q4, q4, q2 @ vpxor %xmm2, %xmm4, %xmm4 # 4 = jak = 1/j + a/k 768 vtbl.8 d4, {q10}, d8 @ vpshufb %xmm4, %xmm10, %xmm2 # 3 = 1/jak 769 vtbl.8 d5, {q10}, d9 770 veor q3, q3, q1 @ vpxor %xmm1, %xmm3, %xmm3 # 2 = io 771 veor q2, q2, q0 @ vpxor %xmm0, %xmm2, %xmm2 # 3 = jo 772 vtbl.8 d8, {q15}, d6 @ vpshufb %xmm3, %xmm13, %xmm4 # 4 = sbou 773 vtbl.8 d9, {q15}, d7 774 vtbl.8 d2, {q14}, d4 @ vpshufb %xmm2, %xmm12, %xmm1 # 0 = sb1t 775 vtbl.8 d3, {q14}, d5 776 veor q1, q1, q4 @ vpxor %xmm4, %xmm1, %xmm1 # 0 = sbox output 777 778 @ add in smeared stuff 779 veor q0, q1, q7 @ vpxor %xmm7, %xmm1, %xmm0 780 veor q7, q1, q7 @ vmovdqa %xmm0, %xmm7 781 bx lr 782 783 784@@ 785@@ .aes_schedule_transform 786@@ 787@@ Linear-transform q0 according to tables at [r11] 788@@ 789@@ Requires that q9 = 0x0F0F... as in preheat 790@@ Output in q0 791@@ Clobbers q1, q2, q14, q15 792@@ 793#ifdef __thumb2__ 794.thumb_func _vpaes_schedule_transform 795#endif 796.align 4 797_vpaes_schedule_transform: 798 vld1.64 {q14,q15}, [r11] @ vmovdqa (%r11), %xmm2 # lo 799 @ vmovdqa 16(%r11), %xmm1 # hi 800 vand q1, q0, q9 @ vpand %xmm9, %xmm0, %xmm1 801 vshr.u8 q0, q0, #4 @ vpsrlb $4, %xmm0, %xmm0 802 vtbl.8 d4, {q14}, d2 @ vpshufb %xmm1, %xmm2, %xmm2 803 vtbl.8 d5, {q14}, d3 804 vtbl.8 d0, {q15}, d0 @ vpshufb %xmm0, %xmm1, %xmm0 805 vtbl.8 d1, {q15}, d1 806 veor q0, q0, q2 @ vpxor %xmm2, %xmm0, %xmm0 807 bx lr 808 809 810@@ 811@@ .aes_schedule_mangle 812@@ 813@@ Mangles q0 from (basis-transformed) standard version 814@@ to our version. 815@@ 816@@ On encrypt, 817@@ xor with 0x63 818@@ multiply by circulant 0,1,1,1 819@@ apply shiftrows transform 820@@ 821@@ On decrypt, 822@@ xor with 0x63 823@@ multiply by "inverse mixcolumns" circulant E,B,D,9 824@@ deskew 825@@ apply shiftrows transform 826@@ 827@@ 828@@ Writes out to [r2], and increments or decrements it 829@@ Keeps track of round number mod 4 in r8 830@@ Preserves q0 831@@ Clobbers q1-q5 832@@ 833#ifdef __thumb2__ 834.thumb_func _vpaes_schedule_mangle 835#endif 836.align 4 837_vpaes_schedule_mangle: 838 tst r3, r3 839 vmov q4, q0 @ vmovdqa %xmm0, %xmm4 # save xmm0 for later 840 adr r11, Lk_mc_forward @ Must be aligned to 8 mod 16. 841 vld1.64 {q5}, [r11] @ vmovdqa Lk_mc_forward(%rip),%xmm5 842 bne Lschedule_mangle_dec 843 844 @ encrypting 845 @ Write to q2 so we do not overlap table and destination below. 846 veor q2, q0, q12 @ vpxor Lk_s63(%rip), %xmm0, %xmm4 847 add r2, r2, #16 @ add $16, %rdx 848 vtbl.8 d8, {q2}, d10 @ vpshufb %xmm5, %xmm4, %xmm4 849 vtbl.8 d9, {q2}, d11 850 vtbl.8 d2, {q4}, d10 @ vpshufb %xmm5, %xmm4, %xmm1 851 vtbl.8 d3, {q4}, d11 852 vtbl.8 d6, {q1}, d10 @ vpshufb %xmm5, %xmm1, %xmm3 853 vtbl.8 d7, {q1}, d11 854 veor q4, q4, q1 @ vpxor %xmm1, %xmm4, %xmm4 855 vld1.64 {q1}, [r8] @ vmovdqa (%r8,%r10), %xmm1 856 veor q3, q3, q4 @ vpxor %xmm4, %xmm3, %xmm3 857 858 b Lschedule_mangle_both 859.align 4 860Lschedule_mangle_dec: 861 @ inverse mix columns 862 adr r11, Lk_dksd @ lea Lk_dksd(%rip),%r11 863 vshr.u8 q1, q4, #4 @ vpsrlb $4, %xmm4, %xmm1 # 1 = hi 864 vand q4, q4, q9 @ vpand %xmm9, %xmm4, %xmm4 # 4 = lo 865 866 vld1.64 {q14,q15}, [r11]! @ vmovdqa 0x00(%r11), %xmm2 867 @ vmovdqa 0x10(%r11), %xmm3 868 vtbl.8 d4, {q14}, d8 @ vpshufb %xmm4, %xmm2, %xmm2 869 vtbl.8 d5, {q14}, d9 870 vtbl.8 d6, {q15}, d2 @ vpshufb %xmm1, %xmm3, %xmm3 871 vtbl.8 d7, {q15}, d3 872 @ Load .Lk_dksb ahead of time. 873 vld1.64 {q14,q15}, [r11]! @ vmovdqa 0x20(%r11), %xmm2 874 @ vmovdqa 0x30(%r11), %xmm3 875 @ Write to q13 so we do not overlap table and destination. 876 veor q13, q3, q2 @ vpxor %xmm2, %xmm3, %xmm3 877 vtbl.8 d6, {q13}, d10 @ vpshufb %xmm5, %xmm3, %xmm3 878 vtbl.8 d7, {q13}, d11 879 880 vtbl.8 d4, {q14}, d8 @ vpshufb %xmm4, %xmm2, %xmm2 881 vtbl.8 d5, {q14}, d9 882 veor q2, q2, q3 @ vpxor %xmm3, %xmm2, %xmm2 883 vtbl.8 d6, {q15}, d2 @ vpshufb %xmm1, %xmm3, %xmm3 884 vtbl.8 d7, {q15}, d3 885 @ Load .Lk_dkse ahead of time. 886 vld1.64 {q14,q15}, [r11]! @ vmovdqa 0x40(%r11), %xmm2 887 @ vmovdqa 0x50(%r11), %xmm3 888 @ Write to q13 so we do not overlap table and destination. 889 veor q13, q3, q2 @ vpxor %xmm2, %xmm3, %xmm3 890 vtbl.8 d6, {q13}, d10 @ vpshufb %xmm5, %xmm3, %xmm3 891 vtbl.8 d7, {q13}, d11 892 893 vtbl.8 d4, {q14}, d8 @ vpshufb %xmm4, %xmm2, %xmm2 894 vtbl.8 d5, {q14}, d9 895 veor q2, q2, q3 @ vpxor %xmm3, %xmm2, %xmm2 896 vtbl.8 d6, {q15}, d2 @ vpshufb %xmm1, %xmm3, %xmm3 897 vtbl.8 d7, {q15}, d3 898 @ Load .Lk_dkse ahead of time. 899 vld1.64 {q14,q15}, [r11]! @ vmovdqa 0x60(%r11), %xmm2 900 @ vmovdqa 0x70(%r11), %xmm4 901 @ Write to q13 so we do not overlap table and destination. 902 veor q13, q3, q2 @ vpxor %xmm2, %xmm3, %xmm3 903 904 vtbl.8 d4, {q14}, d8 @ vpshufb %xmm4, %xmm2, %xmm2 905 vtbl.8 d5, {q14}, d9 906 vtbl.8 d6, {q13}, d10 @ vpshufb %xmm5, %xmm3, %xmm3 907 vtbl.8 d7, {q13}, d11 908 vtbl.8 d8, {q15}, d2 @ vpshufb %xmm1, %xmm4, %xmm4 909 vtbl.8 d9, {q15}, d3 910 vld1.64 {q1}, [r8] @ vmovdqa (%r8,%r10), %xmm1 911 veor q2, q2, q3 @ vpxor %xmm3, %xmm2, %xmm2 912 veor q3, q4, q2 @ vpxor %xmm2, %xmm4, %xmm3 913 914 sub r2, r2, #16 @ add $-16, %rdx 915 916Lschedule_mangle_both: 917 @ Write to q2 so table and destination do not overlap. 918 vtbl.8 d4, {q3}, d2 @ vpshufb %xmm1, %xmm3, %xmm3 919 vtbl.8 d5, {q3}, d3 920 add r8, r8, #64-16 @ add $-16, %r8 921 and r8, r8, #~(1<<6) @ and $0x30, %r8 922 vst1.64 {q2}, [r2] @ vmovdqu %xmm3, (%rdx) 923 bx lr 924 925 926.globl _vpaes_set_encrypt_key 927.private_extern _vpaes_set_encrypt_key 928#ifdef __thumb2__ 929.thumb_func _vpaes_set_encrypt_key 930#endif 931.align 4 932_vpaes_set_encrypt_key: 933 stmdb sp!, {r7,r8,r9,r10,r11, lr} 934 vstmdb sp!, {d8,d9,d10,d11,d12,d13,d14,d15} 935 936 lsr r9, r1, #5 @ shr $5,%eax 937 add r9, r9, #5 @ $5,%eax 938 str r9, [r2,#240] @ mov %eax,240(%rdx) # AES_KEY->rounds = nbits/32+5; 939 940 mov r3, #0 @ mov $0,%ecx 941 mov r8, #0x30 @ mov $0x30,%r8d 942 bl _vpaes_schedule_core 943 eor r0, r0, r0 944 945 vldmia sp!, {d8,d9,d10,d11,d12,d13,d14,d15} 946 ldmia sp!, {r7,r8,r9,r10,r11, pc} @ return 947 948 949.globl _vpaes_set_decrypt_key 950.private_extern _vpaes_set_decrypt_key 951#ifdef __thumb2__ 952.thumb_func _vpaes_set_decrypt_key 953#endif 954.align 4 955_vpaes_set_decrypt_key: 956 stmdb sp!, {r7,r8,r9,r10,r11, lr} 957 vstmdb sp!, {d8,d9,d10,d11,d12,d13,d14,d15} 958 959 lsr r9, r1, #5 @ shr $5,%eax 960 add r9, r9, #5 @ $5,%eax 961 str r9, [r2,#240] @ mov %eax,240(%rdx) # AES_KEY->rounds = nbits/32+5; 962 lsl r9, r9, #4 @ shl $4,%eax 963 add r2, r2, #16 @ lea 16(%rdx,%rax),%rdx 964 add r2, r2, r9 965 966 mov r3, #1 @ mov $1,%ecx 967 lsr r8, r1, #1 @ shr $1,%r8d 968 and r8, r8, #32 @ and $32,%r8d 969 eor r8, r8, #32 @ xor $32,%r8d # nbits==192?0:32 970 bl _vpaes_schedule_core 971 972 vldmia sp!, {d8,d9,d10,d11,d12,d13,d14,d15} 973 ldmia sp!, {r7,r8,r9,r10,r11, pc} @ return 974 975 976@ Additional constants for converting to bsaes. 977 978.align 4 979_vpaes_convert_consts: 980@ .Lk_opt_then_skew applies skew(opt(x)) XOR 0x63, where skew is the linear 981@ transform in the AES S-box. 0x63 is incorporated into the low half of the 982@ table. This was computed with the following script: 983@ 984@ def u64s_to_u128(x, y): 985@ return x | (y << 64) 986@ def u128_to_u64s(w): 987@ return w & ((1<<64)-1), w >> 64 988@ def get_byte(w, i): 989@ return (w >> (i*8)) & 0xff 990@ def apply_table(table, b): 991@ lo = b & 0xf 992@ hi = b >> 4 993@ return get_byte(table[0], lo) ^ get_byte(table[1], hi) 994@ def opt(b): 995@ table = [ 996@ u64s_to_u128(0xFF9F4929D6B66000, 0xF7974121DEBE6808), 997@ u64s_to_u128(0x01EDBD5150BCEC00, 0xE10D5DB1B05C0CE0), 998@ ] 999@ return apply_table(table, b) 1000@ def rot_byte(b, n): 1001@ return 0xff & ((b << n) | (b >> (8-n))) 1002@ def skew(x): 1003@ return (x ^ rot_byte(x, 1) ^ rot_byte(x, 2) ^ rot_byte(x, 3) ^ 1004@ rot_byte(x, 4)) 1005@ table = [0, 0] 1006@ for i in range(16): 1007@ table[0] |= (skew(opt(i)) ^ 0x63) << (i*8) 1008@ table[1] |= skew(opt(i<<4)) << (i*8) 1009@ print(" .quad 0x%016x, 0x%016x" % u128_to_u64s(table[0])) 1010@ print(" .quad 0x%016x, 0x%016x" % u128_to_u64s(table[1])) 1011Lk_opt_then_skew: 1012.quad 0x9cb8436798bc4763, 0x6440bb9f6044bf9b 1013.quad 0x1f30062936192f00, 0xb49bad829db284ab 1014 1015@ .Lk_decrypt_transform is a permutation which performs an 8-bit left-rotation 1016@ followed by a byte-swap on each 32-bit word of a vector. E.g., 0x11223344 1017@ becomes 0x22334411 and then 0x11443322. 1018Lk_decrypt_transform: 1019.quad 0x0704050603000102, 0x0f0c0d0e0b08090a 1020 1021 1022@ void vpaes_encrypt_key_to_bsaes(AES_KEY *bsaes, const AES_KEY *vpaes); 1023.globl _vpaes_encrypt_key_to_bsaes 1024.private_extern _vpaes_encrypt_key_to_bsaes 1025#ifdef __thumb2__ 1026.thumb_func _vpaes_encrypt_key_to_bsaes 1027#endif 1028.align 4 1029_vpaes_encrypt_key_to_bsaes: 1030 stmdb sp!, {r11, lr} 1031 1032 @ See _vpaes_schedule_core for the key schedule logic. In particular, 1033 @ _vpaes_schedule_transform(.Lk_ipt) (section 2.2 of the paper), 1034 @ _vpaes_schedule_mangle (section 4.3), and .Lschedule_mangle_last 1035 @ contain the transformations not in the bsaes representation. This 1036 @ function inverts those transforms. 1037 @ 1038 @ Note also that bsaes-armv7.pl expects aes-armv4.pl's key 1039 @ representation, which does not match the other aes_nohw_* 1040 @ implementations. The ARM aes_nohw_* stores each 32-bit word 1041 @ byteswapped, as a convenience for (unsupported) big-endian ARM, at the 1042 @ cost of extra REV and VREV32 operations in little-endian ARM. 1043 1044 vmov.i8 q9, #0x0f @ Required by _vpaes_schedule_transform 1045 adr r2, Lk_mc_forward @ Must be aligned to 8 mod 16. 1046 add r3, r2, 0x90 @ Lk_sr+0x10-Lk_mc_forward = 0x90 (Apple's toolchain doesn't support the expression) 1047 1048 vld1.64 {q12}, [r2] 1049 vmov.i8 q10, #0x5b @ Lk_s63 from vpaes-x86_64 1050 adr r11, Lk_opt @ Must be aligned to 8 mod 16. 1051 vmov.i8 q11, #0x63 @ LK_s63 without Lk_ipt applied 1052 1053 @ vpaes stores one fewer round count than bsaes, but the number of keys 1054 @ is the same. 1055 ldr r2, [r1,#240] 1056 add r2, r2, #1 1057 str r2, [r0,#240] 1058 1059 @ The first key is transformed with _vpaes_schedule_transform(.Lk_ipt). 1060 @ Invert this with .Lk_opt. 1061 vld1.64 {q0}, [r1]! 1062 bl _vpaes_schedule_transform 1063 vrev32.8 q0, q0 1064 vst1.64 {q0}, [r0]! 1065 1066 @ The middle keys have _vpaes_schedule_transform(.Lk_ipt) applied, 1067 @ followed by _vpaes_schedule_mangle. _vpaes_schedule_mangle XORs 0x63, 1068 @ multiplies by the circulant 0,1,1,1, then applies ShiftRows. 1069Loop_enc_key_to_bsaes: 1070 vld1.64 {q0}, [r1]! 1071 1072 @ Invert the ShiftRows step (see .Lschedule_mangle_both). Note we cycle 1073 @ r3 in the opposite direction and start at .Lk_sr+0x10 instead of 0x30. 1074 @ We use r3 rather than r8 to avoid a callee-saved register. 1075 vld1.64 {q1}, [r3] 1076 vtbl.8 d4, {q0}, d2 1077 vtbl.8 d5, {q0}, d3 1078 add r3, r3, #16 1079 and r3, r3, #~(1<<6) 1080 vmov q0, q2 1081 1082 @ Handle the last key differently. 1083 subs r2, r2, #1 1084 beq Loop_enc_key_to_bsaes_last 1085 1086 @ Multiply by the circulant. This is its own inverse. 1087 vtbl.8 d2, {q0}, d24 1088 vtbl.8 d3, {q0}, d25 1089 vmov q0, q1 1090 vtbl.8 d4, {q1}, d24 1091 vtbl.8 d5, {q1}, d25 1092 veor q0, q0, q2 1093 vtbl.8 d2, {q2}, d24 1094 vtbl.8 d3, {q2}, d25 1095 veor q0, q0, q1 1096 1097 @ XOR and finish. 1098 veor q0, q0, q10 1099 bl _vpaes_schedule_transform 1100 vrev32.8 q0, q0 1101 vst1.64 {q0}, [r0]! 1102 b Loop_enc_key_to_bsaes 1103 1104Loop_enc_key_to_bsaes_last: 1105 @ The final key does not have a basis transform (note 1106 @ .Lschedule_mangle_last inverts the original transform). It only XORs 1107 @ 0x63 and applies ShiftRows. The latter was already inverted in the 1108 @ loop. Note that, because we act on the original representation, we use 1109 @ q11, not q10. 1110 veor q0, q0, q11 1111 vrev32.8 q0, q0 1112 vst1.64 {q0}, [r0] 1113 1114 @ Wipe registers which contained key material. 1115 veor q0, q0, q0 1116 veor q1, q1, q1 1117 veor q2, q2, q2 1118 1119 ldmia sp!, {r11, pc} @ return 1120 1121 1122@ void vpaes_decrypt_key_to_bsaes(AES_KEY *vpaes, const AES_KEY *bsaes); 1123.globl _vpaes_decrypt_key_to_bsaes 1124.private_extern _vpaes_decrypt_key_to_bsaes 1125#ifdef __thumb2__ 1126.thumb_func _vpaes_decrypt_key_to_bsaes 1127#endif 1128.align 4 1129_vpaes_decrypt_key_to_bsaes: 1130 stmdb sp!, {r11, lr} 1131 1132 @ See _vpaes_schedule_core for the key schedule logic. Note vpaes 1133 @ computes the decryption key schedule in reverse. Additionally, 1134 @ aes-x86_64.pl shares some transformations, so we must only partially 1135 @ invert vpaes's transformations. In general, vpaes computes in a 1136 @ different basis (.Lk_ipt and .Lk_opt) and applies the inverses of 1137 @ MixColumns, ShiftRows, and the affine part of the AES S-box (which is 1138 @ split into a linear skew and XOR of 0x63). We undo all but MixColumns. 1139 @ 1140 @ Note also that bsaes-armv7.pl expects aes-armv4.pl's key 1141 @ representation, which does not match the other aes_nohw_* 1142 @ implementations. The ARM aes_nohw_* stores each 32-bit word 1143 @ byteswapped, as a convenience for (unsupported) big-endian ARM, at the 1144 @ cost of extra REV and VREV32 operations in little-endian ARM. 1145 1146 adr r2, Lk_decrypt_transform 1147 adr r3, Lk_sr+0x30 1148 adr r11, Lk_opt_then_skew @ Input to _vpaes_schedule_transform. 1149 vld1.64 {q12}, [r2] @ Reuse q12 from encryption. 1150 vmov.i8 q9, #0x0f @ Required by _vpaes_schedule_transform 1151 1152 @ vpaes stores one fewer round count than bsaes, but the number of keys 1153 @ is the same. 1154 ldr r2, [r1,#240] 1155 add r2, r2, #1 1156 str r2, [r0,#240] 1157 1158 @ Undo the basis change and reapply the S-box affine transform. See 1159 @ .Lschedule_mangle_last. 1160 vld1.64 {q0}, [r1]! 1161 bl _vpaes_schedule_transform 1162 vrev32.8 q0, q0 1163 vst1.64 {q0}, [r0]! 1164 1165 @ See _vpaes_schedule_mangle for the transform on the middle keys. Note 1166 @ it simultaneously inverts MixColumns and the S-box affine transform. 1167 @ See .Lk_dksd through .Lk_dks9. 1168Loop_dec_key_to_bsaes: 1169 vld1.64 {q0}, [r1]! 1170 1171 @ Invert the ShiftRows step (see .Lschedule_mangle_both). Note going 1172 @ forwards cancels inverting for which direction we cycle r3. We use r3 1173 @ rather than r8 to avoid a callee-saved register. 1174 vld1.64 {q1}, [r3] 1175 vtbl.8 d4, {q0}, d2 1176 vtbl.8 d5, {q0}, d3 1177 add r3, r3, #64-16 1178 and r3, r3, #~(1<<6) 1179 vmov q0, q2 1180 1181 @ Handle the last key differently. 1182 subs r2, r2, #1 1183 beq Loop_dec_key_to_bsaes_last 1184 1185 @ Undo the basis change and reapply the S-box affine transform. 1186 bl _vpaes_schedule_transform 1187 1188 @ Rotate each word by 8 bytes (cycle the rows) and then byte-swap. We 1189 @ combine the two operations in .Lk_decrypt_transform. 1190 @ 1191 @ TODO(davidben): Where does the rotation come from? 1192 vtbl.8 d2, {q0}, d24 1193 vtbl.8 d3, {q0}, d25 1194 1195 vst1.64 {q1}, [r0]! 1196 b Loop_dec_key_to_bsaes 1197 1198Loop_dec_key_to_bsaes_last: 1199 @ The final key only inverts ShiftRows (already done in the loop). See 1200 @ .Lschedule_am_decrypting. Its basis is not transformed. 1201 vrev32.8 q0, q0 1202 vst1.64 {q0}, [r0]! 1203 1204 @ Wipe registers which contained key material. 1205 veor q0, q0, q0 1206 veor q1, q1, q1 1207 veor q2, q2, q2 1208 1209 ldmia sp!, {r11, pc} @ return 1210 1211.globl _vpaes_ctr32_encrypt_blocks 1212.private_extern _vpaes_ctr32_encrypt_blocks 1213#ifdef __thumb2__ 1214.thumb_func _vpaes_ctr32_encrypt_blocks 1215#endif 1216.align 4 1217_vpaes_ctr32_encrypt_blocks: 1218 mov ip, sp 1219 stmdb sp!, {r7,r8,r9,r10,r11, lr} 1220 @ This function uses q4-q7 (d8-d15), which are callee-saved. 1221 vstmdb sp!, {d8,d9,d10,d11,d12,d13,d14,d15} 1222 1223 cmp r2, #0 1224 @ r8 is passed on the stack. 1225 ldr r8, [ip] 1226 beq Lctr32_done 1227 1228 @ _vpaes_encrypt_core expects the key in r2, so swap r2 and r3. 1229 mov r9, r3 1230 mov r3, r2 1231 mov r2, r9 1232 1233 @ Load the IV and counter portion. 1234 ldr r7, [r8, #12] 1235 vld1.8 {q7}, [r8] 1236 1237 bl _vpaes_preheat 1238 rev r7, r7 @ The counter is big-endian. 1239 1240Lctr32_loop: 1241 vmov q0, q7 1242 vld1.8 {q6}, [r0]! @ Load input ahead of time 1243 bl _vpaes_encrypt_core 1244 veor q0, q0, q6 @ XOR input and result 1245 vst1.8 {q0}, [r1]! 1246 subs r3, r3, #1 1247 @ Update the counter. 1248 add r7, r7, #1 1249 rev r9, r7 1250 vmov.32 d15[1], r9 1251 bne Lctr32_loop 1252 1253Lctr32_done: 1254 vldmia sp!, {d8,d9,d10,d11,d12,d13,d14,d15} 1255 ldmia sp!, {r7,r8,r9,r10,r11, pc} @ return 1256 1257#endif // !OPENSSL_NO_ASM && defined(OPENSSL_ARM) && defined(__APPLE__) 1258