// This file is generated from a similarly-named Perl script in the BoringSSL
// source tree. Do not edit by hand.
//
// Target/syntax: AArch64 with the Armv8 Crypto Extensions, GNU assembler
// syntax, run through the C preprocessor. Arguments are read from x0..x4,
// which matches how AAPCS64 passes the first integer/pointer arguments.
//
// NOTE(review): the review notes below describe behavior of the generated
// code. Any code change belongs in the Perl generator, not in this file.

#if !defined(__has_feature)
#define __has_feature(x) 0
#endif
#if __has_feature(memory_sanitizer) && !defined(OPENSSL_NO_ASM)
#define OPENSSL_NO_ASM
#endif

#if !defined(OPENSSL_NO_ASM)
#if defined(__aarch64__)
#include "ring_core_generated/prefix_symbols_asm.h"
#include <ring-core/arm_arch.h>

#if __ARM_MAX_ARCH__>=7
.text
.arch	armv8-a+crypto
.section	.rodata
.align	5
// Key-schedule constants, loaded through x3 by aes_hw_set_encrypt_key:
//   row 0: initial round constant (0x01 in every 32-bit lane)
//   row 1: tbl index mask (see the rotate-n-splat comment)
//   row 2: round constant 0x1b, loaded once the 128-bit loop has shifted
//          the row 0 value eight times
.Lrcon:
.long	0x01,0x01,0x01,0x01
.long	0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d	// rotate-n-splat
.long	0x1b,0x1b,0x1b,0x1b

.text

//-----------------------------------------------------------------------
// aes_hw_set_encrypt_key: expand a user key into an encryption schedule.
// In:    x0 = user key bytes (16 bytes read for 128-bit, 32 bytes otherwise)
//        w1 = key size in bits
//        x2 = output key schedule; the round count is stored at offset 240
// Out:   x0 = 0 on success, -1 if x0 or x2 is NULL, -2 if w1 is below 128,
//        above 256, or not a multiple of 64
// Clobb: x1, x2, x3, w12, v0-v6, flags
// Stack: one 16-byte frame record; x30 is saved but never reloaded (no
//        calls are made, so x30 is unchanged at ret).
//
// NOTE(review): w1 == 192 passes every check below (128 <= 192 <= 256 and
// 192 & 0x3f == 0). The later "cmp w1,#192 / b.lt .Loop128" sends it to
// .L256, which reads 32 bytes from the user key and emits a 14-round
// schedule. Callers must therefore pass only 128 or 256; a 192-bit request
// is not rejected here and would read 8 bytes past a 24-byte key.
//
// NOTE(review): v3/v4 hold round-key material and are not cleared before
// return.
//-----------------------------------------------------------------------
.globl	aes_hw_set_encrypt_key
.hidden	aes_hw_set_encrypt_key
.type	aes_hw_set_encrypt_key,%function
.align	5
aes_hw_set_encrypt_key:
.Lenc_key:
	// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
	AARCH64_VALID_CALL_TARGET
	stp	x29,x30,[sp,#-16]!
	add	x29,sp,#0
	mov	x3,#-1			// x3 = pending return value: NULL-pointer error
	cmp	x0,#0
	b.eq	.Lenc_key_abort
	cmp	x2,#0
	b.eq	.Lenc_key_abort
	mov	x3,#-2			// x3 = pending return value: bad key size
	cmp	w1,#128
	b.lt	.Lenc_key_abort
	cmp	w1,#256
	b.gt	.Lenc_key_abort
	tst	w1,#0x3f		// must be a multiple of 64 (192 still passes)
	b.ne	.Lenc_key_abort

	adrp	x3,.Lrcon		// x3 is reused as the constant-table pointer
	add	x3,x3,:lo12:.Lrcon
	cmp	w1,#192			// flags consumed by b.lt below; nothing in between sets flags

	eor	v0.16b,v0.16b,v0.16b	// v0 = 0: zero round key for aese, zero fill for ext
	ld1	{v3.16b},[x0],#16	// v3 = first 16 key bytes
	mov	w1,#8	// reuse w1
	ld1	{v1.4s,v2.4s},[x3],#32	// v1 = rcon, v2 = tbl mask; x3 -> 0x1b row

	b.lt	.Loop128
	// 192-bit key support was removed.
	b	.L256			// taken for 256 and, unchecked, for 192

.align	4
// 128-bit schedule: eight loop iterations, then two unrolled rounds.
// Invariant: v3 = most recent round key, x2 = next store position,
// w1 = iterations remaining.
.Loop128:
	tbl	v6.16b,{v3.16b},v2.16b	// rotate-n-splat of the last word of v3
	ext	v5.16b,v0.16b,v3.16b,#12	// v5 = v3 shifted up one word, zero filled
	st1	{v3.4s},[x2],#16	// emit current round key
	aese	v6.16b,v0.16b		// zero round key, so only the S-box step matters
	subs	w1,w1,#1

	eor	v3.16b,v3.16b,v5.16b
	ext	v5.16b,v0.16b,v5.16b,#12
	eor	v3.16b,v3.16b,v5.16b
	ext	v5.16b,v0.16b,v5.16b,#12
	eor	v6.16b,v6.16b,v1.16b	// fold in round constant
	eor	v3.16b,v3.16b,v5.16b
	shl	v1.16b,v1.16b,#1	// next round constant
	eor	v3.16b,v3.16b,v6.16b
	b.ne	.Loop128

	ld1	{v1.4s},[x3]		// v1 = 0x1b row of .Lrcon

	tbl	v6.16b,{v3.16b},v2.16b
	ext	v5.16b,v0.16b,v3.16b,#12
	st1	{v3.4s},[x2],#16
	aese	v6.16b,v0.16b

	eor	v3.16b,v3.16b,v5.16b
	ext	v5.16b,v0.16b,v5.16b,#12
	eor	v3.16b,v3.16b,v5.16b
	ext	v5.16b,v0.16b,v5.16b,#12
	eor	v6.16b,v6.16b,v1.16b
	eor	v3.16b,v3.16b,v5.16b
	shl	v1.16b,v1.16b,#1
	eor	v3.16b,v3.16b,v6.16b

	tbl	v6.16b,{v3.16b},v2.16b
	ext	v5.16b,v0.16b,v3.16b,#12
	st1	{v3.4s},[x2],#16
	aese	v6.16b,v0.16b

	eor	v3.16b,v3.16b,v5.16b
	ext	v5.16b,v0.16b,v5.16b,#12
	eor	v3.16b,v3.16b,v5.16b
	ext	v5.16b,v0.16b,v5.16b,#12
	eor	v6.16b,v6.16b,v1.16b
	eor	v3.16b,v3.16b,v5.16b
	eor	v3.16b,v3.16b,v6.16b
	st1	{v3.4s},[x2]		// 11th round key, at offset 160 (no post-increment)
	add	x2,x2,#0x50		// 160 + 0x50 = 240: x2 -> round-count slot

	mov	w12,#10			// round count for the 128-bit schedule
	b	.Ldone

// 192-bit key support was removed.

.align	4
// 256-bit schedule. v3 = first key half, v4 = second key half.
// 16 bytes are stored before the loop and 32 bytes per iteration; seven
// iterations leave x2 at offset 240.
.L256:
	ld1	{v4.16b},[x0]		// second 16 key bytes (x0 was advanced above)
	mov	w1,#7
	mov	w12,#14			// round count for the 256-bit schedule
	st1	{v3.4s},[x2],#16

.Loop256:
	tbl	v6.16b,{v4.16b},v2.16b
	ext	v5.16b,v0.16b,v3.16b,#12
	st1	{v4.4s},[x2],#16
	aese	v6.16b,v0.16b
	subs	w1,w1,#1		// flags consumed by b.eq below

	eor	v3.16b,v3.16b,v5.16b
	ext	v5.16b,v0.16b,v5.16b,#12
	eor	v3.16b,v3.16b,v5.16b
	ext	v5.16b,v0.16b,v5.16b,#12
	eor	v6.16b,v6.16b,v1.16b
	eor	v3.16b,v3.16b,v5.16b
	shl	v1.16b,v1.16b,#1
	eor	v3.16b,v3.16b,v6.16b
	st1	{v3.4s},[x2],#16
	b.eq	.Ldone

	dup	v6.4s,v3.s[3]	// just splat
	ext	v5.16b,v0.16b,v4.16b,#12
	aese	v6.16b,v0.16b

	eor	v4.16b,v4.16b,v5.16b
	ext	v5.16b,v0.16b,v5.16b,#12
	eor	v4.16b,v4.16b,v5.16b
	ext	v5.16b,v0.16b,v5.16b,#12
	eor	v4.16b,v4.16b,v5.16b

	eor	v4.16b,v4.16b,v6.16b
	b	.Loop256

.Ldone:
	str	w12,[x2]		// round count at schedule offset 240
	mov	x3,#0			// success

.Lenc_key_abort:
	mov	x0,x3	// return value
	ldr	x29,[sp],#16		// restores x29 only and drops the frame record
	ret
.size	aes_hw_set_encrypt_key,.-aes_hw_set_encrypt_key

//-----------------------------------------------------------------------
// aes_hw_encrypt: encrypt one 16-byte block.
// In:    x0 = input block, x1 = output block,
//        x2 = key schedule (round count read from offset 240)
// Out:   16 bytes stored at [x1]
// Clobb: x2, w3, v0-v2, flags
//
// NOTE(review): no argument is validated here. The round count at
// [x2,#240] is used as-is and decides how many 16-byte round keys are
// loaded from x2, so the schedule must come from a successful
// aes_hw_set_encrypt_key call.
//-----------------------------------------------------------------------
.globl	aes_hw_encrypt
.hidden	aes_hw_encrypt
.type	aes_hw_encrypt,%function
.align	5
aes_hw_encrypt:
	AARCH64_VALID_CALL_TARGET
	ldr	w3,[x2,#240]		// w3 = rounds
	ld1	{v0.4s},[x2],#16	// v0 = round key 0
	ld1	{v2.16b},[x0]		// v2 = state
	sub	w3,w3,#2
	ld1	{v1.4s},[x2],#16	// v1 = round key 1

	// Two rounds per iteration; v0/v1 alternate as the next round key.
.Loop_enc:
	aese	v2.16b,v0.16b
	aesmc	v2.16b,v2.16b
	ld1	{v0.4s},[x2],#16
	subs	w3,w3,#2
	aese	v2.16b,v1.16b
	aesmc	v2.16b,v2.16b
	ld1	{v1.4s},[x2],#16
	b.gt	.Loop_enc

	aese	v2.16b,v0.16b
	aesmc	v2.16b,v2.16b
	ld1	{v0.4s},[x2]		// last round key
	aese	v2.16b,v1.16b		// final round: no aesmc
	eor	v2.16b,v2.16b,v0.16b

	st1	{v2.16b},[x1]
	ret
.size	aes_hw_encrypt,.-aes_hw_encrypt

//-----------------------------------------------------------------------
// aes_hw_ctr32_encrypt_blocks: CTR-mode encryption of whole 16-byte
// blocks with a 32-bit counter.
// In:    x0 = input, x1 = output, x2 = number of 16-byte blocks,
//        x3 = key schedule (round count read from offset 240),
//        x4 = 16-byte counter block; bytes 12..15 are the counter word
// Out:   x2 blocks stored at [x1]
// Clobb: x0, x1, x2, x5-x10, x12, v0-v7, v16-v23, flags
// Stack: one 16-byte frame record; x30 is saved but never reloaded.
//
// Register roles: w8 = counter word in host order, v0/v1/v18 = counter
// blocks being encrypted, v6 = staging copy for counter updates,
// v16/v17 = rolling round keys, v20-v23 and v7 = last five round keys,
// x7 = round-key pointer, w5 = rounds - 6, w6 = working copy of w5,
// x12 = tail input stride (0 or 16) and a scratch register.
//
// NOTE(review): only the 32-bit counter word is incremented, using
// w-register arithmetic, so it wraps modulo 2^32 without carrying into
// the other 96 bits, and the updated counter is never written back to
// [x4]. The caller has to advance the counter and keep it from wrapping
// within one keystream.
//
// NOTE(review): x2 == 0 is not handled. The "cmp x2,#2 / b.ls" path
// enters .Lctr32_tail, where the final "cmp x2,#1 / b.eq" is not taken,
// so 16 bytes are read from x0 and 32 bytes are written to x1. Callers
// must pass at least one block.
//-----------------------------------------------------------------------
.globl	aes_hw_ctr32_encrypt_blocks
.hidden	aes_hw_ctr32_encrypt_blocks
.type	aes_hw_ctr32_encrypt_blocks,%function
.align	5
aes_hw_ctr32_encrypt_blocks:
	// Armv8.3-A PAuth: even though x30 is pushed to stack it is not popped later.
	AARCH64_VALID_CALL_TARGET
	stp	x29,x30,[sp,#-16]!
	add	x29,sp,#0
	ldr	w5,[x3,#240]		// w5 = rounds (used unchecked)

	ldr	w8, [x4, #12]		// w8 = counter word as stored
	ld1	{v0.4s},[x4]		// v0 = full counter block

	ld1	{v16.4s,v17.4s},[x3]	// load key schedule...
	sub	w5,w5,#4
	mov	x12,#16
	cmp	x2,#2			// flags consumed by csel and by b.ls below
	add	x7,x3,x5,lsl#4	// pointer to last 5 round keys
	sub	w5,w5,#2
	ld1	{v20.4s,v21.4s},[x7],#32
	ld1	{v22.4s,v23.4s},[x7],#32
	ld1	{v7.4s},[x7]		// v7 = last round key
	add	x7,x3,#32		// x7 -> round key 2
	mov	w6,w5
	csel	x12,xzr,x12,lo		// fewer than 2 blocks: do not advance x0 in the tail

	// ARM Cortex-A57 and Cortex-A72 cores running in 32-bit mode are
	// affected by silicon errata #1742098 [0] and #1655431 [1],
	// respectively, where the second instruction of an aese/aesmc
	// instruction pair may execute twice if an interrupt is taken right
	// after the first instruction consumes an input register of which a
	// single 32-bit lane has been updated the last time it was modified.
	//
	// This function uses a counter in one 32-bit lane. The vmov lines
	// could write to v1.16b and v18.16b directly, but that trips these bugs.
	// We write to v6.16b and copy to the final register as a workaround.
	//
	// [0] ARM-EPM-049219 v23 Cortex-A57 MPCore Software Developers Errata Notice
	// [1] ARM-EPM-012079 v11.0 Cortex-A72 MPCore Software Developers Errata Notice
#ifndef __ARMEB__
	rev	w8, w8			// counter word is big-endian in memory
#endif
	add	w10, w8, #1
	orr	v6.16b,v0.16b,v0.16b	// v6 = staging copy of the counter block
	rev	w10, w10
	mov	v6.s[3],w10
	add	w8, w8, #2
	orr	v1.16b,v6.16b,v6.16b	// v1 = counter + 1
	b.ls	.Lctr32_tail		// 2 blocks or fewer (flags from cmp x2,#2)
	rev	w12, w8
	mov	v6.s[3],w12
	sub	x2,x2,#3	// bias
	orr	v18.16b,v6.16b,v6.16b	// v18 = counter + 2
	b	.Loop3x_ctr32

.align	4
// Three counter blocks (v0, v1, v18) are encrypted in parallel, two rounds
// per pass of the inner loop, with v16/v17 reloaded from x7 each pass.
.Loop3x_ctr32:
	aese	v0.16b,v16.16b
	aesmc	v0.16b,v0.16b
	aese	v1.16b,v16.16b
	aesmc	v1.16b,v1.16b
	aese	v18.16b,v16.16b
	aesmc	v18.16b,v18.16b
	ld1	{v16.4s},[x7],#16
	subs	w6,w6,#2
	aese	v0.16b,v17.16b
	aesmc	v0.16b,v0.16b
	aese	v1.16b,v17.16b
	aesmc	v1.16b,v1.16b
	aese	v18.16b,v17.16b
	aesmc	v18.16b,v18.16b
	ld1	{v17.4s},[x7],#16
	b.gt	.Loop3x_ctr32

	// Remaining rounds, interleaved with loading three input blocks,
	// pre-XORing them with the last round key (v7) and preparing the next
	// three counter blocks.
	aese	v0.16b,v16.16b
	aesmc	v4.16b,v0.16b
	aese	v1.16b,v16.16b
	aesmc	v5.16b,v1.16b
	ld1	{v2.16b},[x0],#16
	add	w9,w8,#1
	aese	v18.16b,v16.16b
	aesmc	v18.16b,v18.16b
	ld1	{v3.16b},[x0],#16
	rev	w9,w9
	aese	v4.16b,v17.16b
	aesmc	v4.16b,v4.16b
	aese	v5.16b,v17.16b
	aesmc	v5.16b,v5.16b
	ld1	{v19.16b},[x0],#16
	mov	x7,x3			// rewind round-key pointer
	aese	v18.16b,v17.16b
	aesmc	v17.16b,v18.16b
	aese	v4.16b,v20.16b
	aesmc	v4.16b,v4.16b
	aese	v5.16b,v20.16b
	aesmc	v5.16b,v5.16b
	eor	v2.16b,v2.16b,v7.16b
	add	w10,w8,#2
	aese	v17.16b,v20.16b
	aesmc	v17.16b,v17.16b
	eor	v3.16b,v3.16b,v7.16b
	add	w8,w8,#3
	aese	v4.16b,v21.16b
	aesmc	v4.16b,v4.16b
	aese	v5.16b,v21.16b
	aesmc	v5.16b,v5.16b
	// Note the logic to update v0.16b, v1.16b, and v18.16b is written to work
	// around a bug in ARM Cortex-A57 and Cortex-A72 cores running in
	// 32-bit mode. See the comment above.
	eor	v19.16b,v19.16b,v7.16b
	mov	v6.s[3], w9
	aese	v17.16b,v21.16b
	aesmc	v17.16b,v17.16b
	orr	v0.16b,v6.16b,v6.16b
	rev	w10,w10
	aese	v4.16b,v22.16b
	aesmc	v4.16b,v4.16b
	mov	v6.s[3], w10
	rev	w12,w8
	aese	v5.16b,v22.16b
	aesmc	v5.16b,v5.16b
	orr	v1.16b,v6.16b,v6.16b
	mov	v6.s[3], w12
	aese	v17.16b,v22.16b
	aesmc	v17.16b,v17.16b
	orr	v18.16b,v6.16b,v6.16b
	subs	x2,x2,#3		// flags consumed by b.hs below
	aese	v4.16b,v23.16b
	aese	v5.16b,v23.16b
	aese	v17.16b,v23.16b

	eor	v2.16b,v2.16b,v4.16b
	ld1	{v16.4s},[x7],#16	// re-pre-load rndkey[0]
	st1	{v2.16b},[x1],#16
	eor	v3.16b,v3.16b,v5.16b
	mov	w6,w5
	st1	{v3.16b},[x1],#16
	eor	v19.16b,v19.16b,v17.16b
	ld1	{v17.4s},[x7],#16	// re-pre-load rndkey[1]
	st1	{v19.16b},[x1],#16
	b.hs	.Loop3x_ctr32

	adds	x2,x2,#3		// undo the bias: x2 = blocks left (0, 1 or 2)
	b.eq	.Lctr32_done
	cmp	x2,#1
	mov	x12,#16
	csel	x12,xzr,x12,eq		// one block left: do not advance x0 in the tail

// Tail: always encrypts two counter blocks (v0, v1); the second output is
// stored only when x2 != 1.
.Lctr32_tail:
	aese	v0.16b,v16.16b
	aesmc	v0.16b,v0.16b
	aese	v1.16b,v16.16b
	aesmc	v1.16b,v1.16b
	ld1	{v16.4s},[x7],#16
	subs	w6,w6,#2
	aese	v0.16b,v17.16b
	aesmc	v0.16b,v0.16b
	aese	v1.16b,v17.16b
	aesmc	v1.16b,v1.16b
	ld1	{v17.4s},[x7],#16
	b.gt	.Lctr32_tail

	aese	v0.16b,v16.16b
	aesmc	v0.16b,v0.16b
	aese	v1.16b,v16.16b
	aesmc	v1.16b,v1.16b
	aese	v0.16b,v17.16b
	aesmc	v0.16b,v0.16b
	aese	v1.16b,v17.16b
	aesmc	v1.16b,v1.16b
	ld1	{v2.16b},[x0],x12	// x12 = 0 keeps the second load inside the first block
	aese	v0.16b,v20.16b
	aesmc	v0.16b,v0.16b
	aese	v1.16b,v20.16b
	aesmc	v1.16b,v1.16b
	ld1	{v3.16b},[x0]
	aese	v0.16b,v21.16b
	aesmc	v0.16b,v0.16b
	aese	v1.16b,v21.16b
	aesmc	v1.16b,v1.16b
	eor	v2.16b,v2.16b,v7.16b
	aese	v0.16b,v22.16b
	aesmc	v0.16b,v0.16b
	aese	v1.16b,v22.16b
	aesmc	v1.16b,v1.16b
	eor	v3.16b,v3.16b,v7.16b
	aese	v0.16b,v23.16b
	aese	v1.16b,v23.16b

	cmp	x2,#1
	eor	v2.16b,v2.16b,v0.16b
	eor	v3.16b,v3.16b,v1.16b
	st1	{v2.16b},[x1],#16
	b.eq	.Lctr32_done		// exactly one block: skip the second store
	st1	{v3.16b},[x1]

.Lctr32_done:
	ldr	x29,[sp],#16		// restores x29 only and drops the frame record
	ret
.size	aes_hw_ctr32_encrypt_blocks,.-aes_hw_ctr32_encrypt_blocks
#endif
#endif
#endif  // !OPENSSL_NO_ASM
.section	.note.GNU-stack,"",%progbits