1#! /usr/bin/env perl 2# Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. 3# 4# Licensed under the OpenSSL license (the "License"). You may not use 5# this file except in compliance with the License. You can obtain a copy 6# in the file LICENSE in the source distribution or at 7# https://www.openssl.org/source/license.html 8 9 10# ==================================================================== 11# Written by Andy Polyakov <appro@openssl.org> for the OpenSSL 12# project. The module is, however, dual licensed under OpenSSL and 13# CRYPTOGAMS licenses depending on where you obtain it. For further 14# details see http://www.openssl.org/~appro/cryptogams/. 15# ==================================================================== 16 17# October 2005 18# 19# This is a "teaser" code, as it can be improved in several ways... 20# First of all non-SSE2 path should be implemented (yes, for now it 21# performs Montgomery multiplication/convolution only on SSE2-capable 22# CPUs such as P4, others fall down to original code). Then inner loop 23# can be unrolled and modulo-scheduled to improve ILP and possibly 24# moved to 128-bit XMM register bank (though it would require input 25# rearrangement and/or increase bus bandwidth utilization). Dedicated 26# squaring procedure should give further performance improvement... 27# Yet, for being draft, the code improves rsa512 *sign* benchmark by 28# 110%(!), rsa1024 one - by 70% and rsa4096 - by 20%:-) 29 30# December 2006 31# 32# Modulo-scheduling SSE2 loops results in further 15-20% improvement. 33# Integer-only code [being equipped with dedicated squaring procedure] 34# gives ~40% on rsa512 sign benchmark... 35 36$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; 37push(@INC,"${dir}","${dir}../../../perlasm"); 38require "x86asm.pl"; 39 40$output = pop; 41open STDOUT,">$output"; 42 43&asm_init($ARGV[0]); 44 45$sse2=0; 46for (@ARGV) { $sse2=1 if (/-DOPENSSL_IA32_SSE2/); } 47 48&external_label("OPENSSL_ia32cap_P") if ($sse2); 49 50&function_begin("bn_mul_mont"); 51 52$i="edx"; 53$j="ecx"; 54$ap="esi"; $tp="esi"; # overlapping variables!!! 55$rp="edi"; $bp="edi"; # overlapping variables!!! 56$np="ebp"; 57$num="ebx"; 58 59$_num=&DWP(4*0,"esp"); # stack top layout 60$_rp=&DWP(4*1,"esp"); 61$_ap=&DWP(4*2,"esp"); 62$_bp=&DWP(4*3,"esp"); 63$_np=&DWP(4*4,"esp"); 64$_n0=&DWP(4*5,"esp"); $_n0q=&QWP(4*5,"esp"); 65$_sp=&DWP(4*6,"esp"); 66$_bpend=&DWP(4*7,"esp"); 67$frame=32; # size of above frame rounded up to 16n 68 69 &xor ("eax","eax"); 70 &mov ("edi",&wparam(5)); # int num 71 72 &lea ("esi",&wparam(0)); # put aside pointer to argument block 73 &lea ("edx",&wparam(1)); # load ap 74 &add ("edi",2); # extra two words on top of tp 75 &neg ("edi"); 76 &lea ("ebp",&DWP(-$frame,"esp","edi",4)); # future alloca($frame+4*(num+2)) 77 &neg ("edi"); 78 79 # minimize cache contention by arranging 2K window between stack 80 # pointer and ap argument [np is also position sensitive vector, 81 # but it's assumed to be near ap, as it's allocated at ~same 82 # time]. 83 &mov ("eax","ebp"); 84 &sub ("eax","edx"); 85 &and ("eax",2047); 86 &sub ("ebp","eax"); # this aligns sp and ap modulo 2048 87 88 &xor ("edx","ebp"); 89 &and ("edx",2048); 90 &xor ("edx",2048); 91 &sub ("ebp","edx"); # this splits them apart modulo 4096 92 93 &and ("ebp",-64); # align to cache line 94 95 # An OS-agnostic version of __chkstk. 96 # 97 # Some OSes (Windows) insist on stack being "wired" to 98 # physical memory in strictly sequential manner, i.e. if stack 99 # allocation spans two pages, then reference to farmost one can 100 # be punishable by SEGV. But page walking can do good even on 101 # other OSes, because it guarantees that villain thread hits 102 # the guard page before it can make damage to innocent one... 103 &mov ("eax","esp"); 104 &sub ("eax","ebp"); 105 &and ("eax",-4096); 106 &mov ("edx","esp"); # saved stack pointer! 107 &lea ("esp",&DWP(0,"ebp","eax")); 108 &mov ("eax",&DWP(0,"esp")); 109 &cmp ("esp","ebp"); 110 &ja (&label("page_walk")); 111 &jmp (&label("page_walk_done")); 112 113&set_label("page_walk",16); 114 &lea ("esp",&DWP(-4096,"esp")); 115 &mov ("eax",&DWP(0,"esp")); 116 &cmp ("esp","ebp"); 117 &ja (&label("page_walk")); 118&set_label("page_walk_done"); 119 120 ################################# load argument block... 121 &mov ("eax",&DWP(0*4,"esi"));# BN_ULONG *rp 122 &mov ("ebx",&DWP(1*4,"esi"));# const BN_ULONG *ap 123 &mov ("ecx",&DWP(2*4,"esi"));# const BN_ULONG *bp 124 &mov ("ebp",&DWP(3*4,"esi"));# const BN_ULONG *np 125 &mov ("esi",&DWP(4*4,"esi"));# const BN_ULONG *n0 126 #&mov ("edi",&DWP(5*4,"esi"));# int num 127 128 &mov ("esi",&DWP(0,"esi")); # pull n0[0] 129 &mov ($_rp,"eax"); # ... save a copy of argument block 130 &mov ($_ap,"ebx"); 131 &mov ($_bp,"ecx"); 132 &mov ($_np,"ebp"); 133 &mov ($_n0,"esi"); 134 &lea ($num,&DWP(-3,"edi")); # num=num-1 to assist modulo-scheduling 135 #&mov ($_num,$num); # redundant as $num is not reused 136 &mov ($_sp,"edx"); # saved stack pointer! 137 138if($sse2) { 139$acc0="mm0"; # mmx register bank layout 140$acc1="mm1"; 141$car0="mm2"; 142$car1="mm3"; 143$mul0="mm4"; 144$mul1="mm5"; 145$temp="mm6"; 146$mask="mm7"; 147 148 &picmeup("eax","OPENSSL_ia32cap_P"); 149 &bt (&DWP(0,"eax"),26); 150 # The non-SSE2 code was removed. 151 152 &mov ("eax",-1); 153 &movd ($mask,"eax"); # mask 32 lower bits 154 155 &mov ($ap,$_ap); # load input pointers 156 &mov ($bp,$_bp); 157 &mov ($np,$_np); 158 159 &xor ($i,$i); # i=0 160 &xor ($j,$j); # j=0 161 162 &movd ($mul0,&DWP(0,$bp)); # bp[0] 163 &movd ($mul1,&DWP(0,$ap)); # ap[0] 164 &movd ($car1,&DWP(0,$np)); # np[0] 165 166 &pmuludq($mul1,$mul0); # ap[0]*bp[0] 167 &movq ($car0,$mul1); 168 &movq ($acc0,$mul1); # I wish movd worked for 169 &pand ($acc0,$mask); # inter-register transfers 170 171 &pmuludq($mul1,$_n0q); # *=n0 172 173 &pmuludq($car1,$mul1); # "t[0]"*np[0]*n0 174 &paddq ($car1,$acc0); 175 176 &movd ($acc1,&DWP(4,$np)); # np[1] 177 &movd ($acc0,&DWP(4,$ap)); # ap[1] 178 179 &psrlq ($car0,32); 180 &psrlq ($car1,32); 181 182 &inc ($j); # j++ 183&set_label("1st",16); 184 &pmuludq($acc0,$mul0); # ap[j]*bp[0] 185 &pmuludq($acc1,$mul1); # np[j]*m1 186 &paddq ($car0,$acc0); # +=c0 187 &paddq ($car1,$acc1); # +=c1 188 189 &movq ($acc0,$car0); 190 &pand ($acc0,$mask); 191 &movd ($acc1,&DWP(4,$np,$j,4)); # np[j+1] 192 &paddq ($car1,$acc0); # +=ap[j]*bp[0]; 193 &movd ($acc0,&DWP(4,$ap,$j,4)); # ap[j+1] 194 &psrlq ($car0,32); 195 &movd (&DWP($frame-4,"esp",$j,4),$car1); # tp[j-1]= 196 &psrlq ($car1,32); 197 198 &lea ($j,&DWP(1,$j)); 199 &cmp ($j,$num); 200 &jl (&label("1st")); 201 202 &pmuludq($acc0,$mul0); # ap[num-1]*bp[0] 203 &pmuludq($acc1,$mul1); # np[num-1]*m1 204 &paddq ($car0,$acc0); # +=c0 205 &paddq ($car1,$acc1); # +=c1 206 207 &movq ($acc0,$car0); 208 &pand ($acc0,$mask); 209 &paddq ($car1,$acc0); # +=ap[num-1]*bp[0]; 210 &movd (&DWP($frame-4,"esp",$j,4),$car1); # tp[num-2]= 211 212 &psrlq ($car0,32); 213 &psrlq ($car1,32); 214 215 &paddq ($car1,$car0); 216 &movq (&QWP($frame,"esp",$num,4),$car1); # tp[num].tp[num-1] 217 218 &inc ($i); # i++ 219&set_label("outer"); 220 &xor ($j,$j); # j=0 221 222 &movd ($mul0,&DWP(0,$bp,$i,4)); # bp[i] 223 &movd ($mul1,&DWP(0,$ap)); # ap[0] 224 &movd ($temp,&DWP($frame,"esp")); # tp[0] 225 &movd ($car1,&DWP(0,$np)); # np[0] 226 &pmuludq($mul1,$mul0); # ap[0]*bp[i] 227 228 &paddq ($mul1,$temp); # +=tp[0] 229 &movq ($acc0,$mul1); 230 &movq ($car0,$mul1); 231 &pand ($acc0,$mask); 232 233 &pmuludq($mul1,$_n0q); # *=n0 234 235 &pmuludq($car1,$mul1); 236 &paddq ($car1,$acc0); 237 238 &movd ($temp,&DWP($frame+4,"esp")); # tp[1] 239 &movd ($acc1,&DWP(4,$np)); # np[1] 240 &movd ($acc0,&DWP(4,$ap)); # ap[1] 241 242 &psrlq ($car0,32); 243 &psrlq ($car1,32); 244 &paddq ($car0,$temp); # +=tp[1] 245 246 &inc ($j); # j++ 247 &dec ($num); 248&set_label("inner"); 249 &pmuludq($acc0,$mul0); # ap[j]*bp[i] 250 &pmuludq($acc1,$mul1); # np[j]*m1 251 &paddq ($car0,$acc0); # +=c0 252 &paddq ($car1,$acc1); # +=c1 253 254 &movq ($acc0,$car0); 255 &movd ($temp,&DWP($frame+4,"esp",$j,4));# tp[j+1] 256 &pand ($acc0,$mask); 257 &movd ($acc1,&DWP(4,$np,$j,4)); # np[j+1] 258 &paddq ($car1,$acc0); # +=ap[j]*bp[i]+tp[j] 259 &movd ($acc0,&DWP(4,$ap,$j,4)); # ap[j+1] 260 &psrlq ($car0,32); 261 &movd (&DWP($frame-4,"esp",$j,4),$car1);# tp[j-1]= 262 &psrlq ($car1,32); 263 &paddq ($car0,$temp); # +=tp[j+1] 264 265 &dec ($num); 266 &lea ($j,&DWP(1,$j)); # j++ 267 &jnz (&label("inner")); 268 269 &mov ($num,$j); 270 &pmuludq($acc0,$mul0); # ap[num-1]*bp[i] 271 &pmuludq($acc1,$mul1); # np[num-1]*m1 272 &paddq ($car0,$acc0); # +=c0 273 &paddq ($car1,$acc1); # +=c1 274 275 &movq ($acc0,$car0); 276 &pand ($acc0,$mask); 277 &paddq ($car1,$acc0); # +=ap[num-1]*bp[i]+tp[num-1] 278 &movd (&DWP($frame-4,"esp",$j,4),$car1); # tp[num-2]= 279 &psrlq ($car0,32); 280 &psrlq ($car1,32); 281 282 &movd ($temp,&DWP($frame+4,"esp",$num,4)); # += tp[num] 283 &paddq ($car1,$car0); 284 &paddq ($car1,$temp); 285 &movq (&QWP($frame,"esp",$num,4),$car1); # tp[num].tp[num-1] 286 287 &lea ($i,&DWP(1,$i)); # i++ 288 &cmp ($i,$num); 289 &jle (&label("outer")); 290 291 &emms (); # done with mmx bank 292 293} # The non-SSE2 code was removed. 294 295&set_label("common_tail",16); 296 &mov ($np,$_np); # load modulus pointer 297 &mov ($rp,$_rp); # load result pointer 298 &lea ($tp,&DWP($frame,"esp")); # [$ap and $bp are zapped] 299 300 &mov ("eax",&DWP(0,$tp)); # tp[0] 301 &mov ($j,$num); # j=num-1 302 &xor ($i,$i); # i=0 and clear CF! 303 304&set_label("sub",16); 305 &sbb ("eax",&DWP(0,$np,$i,4)); 306 &mov (&DWP(0,$rp,$i,4),"eax"); # rp[i]=tp[i]-np[i] 307 &dec ($j); # doesn't affect CF! 308 &mov ("eax",&DWP(4,$tp,$i,4)); # tp[i+1] 309 &lea ($i,&DWP(1,$i)); # i++ 310 &jge (&label("sub")); 311 312 &sbb ("eax",0); # handle upmost overflow bit 313 &mov ("edx",-1); 314 &xor ("edx","eax"); 315 &jmp (&label("copy")); 316 317&set_label("copy",16); # conditional copy 318 &mov ($tp,&DWP($frame,"esp",$num,4)); 319 &mov ($np,&DWP(0,$rp,$num,4)); 320 &mov (&DWP($frame,"esp",$num,4),$j); # zap temporary vector 321 &and ($tp,"eax"); 322 &and ($np,"edx"); 323 &or ($np,$tp); 324 &mov (&DWP(0,$rp,$num,4),$np); 325 &dec ($num); 326 &jge (&label("copy")); 327 328 &mov ("esp",$_sp); # pull saved stack pointer 329 &mov ("eax",1); 330&function_end("bn_mul_mont"); 331 332&asciz("Montgomery Multiplication for x86, CRYPTOGAMS by <appro\@openssl.org>"); 333 334&asm_finish(); 335 336close STDOUT or die "error closing STDOUT"; 337