3 # ====================================================================
4 # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
5 # project. The module is, however, dual licensed under OpenSSL and
6 # CRYPTOGAMS licenses depending on where you obtain it. For further
7 # details see http://www.openssl.org/~appro/cryptogams/.
8 # ====================================================================
10 # This module implements support for ARMv8 AES instructions. The
11 # module is endian-agnostic in sense that it supports both big- and
12 # little-endian cases. As does it support both 32- and 64-bit modes
13 # of operation. Latter is achieved by limiting amount of utilized
14 # registers to 16, which implies additional NEON load and integer
15 # instructions. This has no effect on mighty Apple A7, where results
16 # are literally equal to the theoretical estimates based on AES
17 # instruction latencies and issue rates. On Cortex-A53, an in-order
18 # execution core, this costs up to 10-15%, which is partially
19 # compensated by implementing dedicated code path for 128-bit
20 # CBC encrypt case. On Cortex-A57 parallelizable mode performance
21 # seems to be limited by sheer amount of NEON instructions...
23 # Performance in cycles per byte processed with 128-bit key:
26 # Apple A7 2.39 1.20 1.20
27 # Cortex-A53 1.32 1.29 1.46
28 # Cortex-A57(*) 1.95 0.85 0.93
29 # Denver 1.96 0.86 0.80
31 # (*) original 3.64/1.34/1.32 results were for r0p0 revision
32 # and are still same even for updated module;
35 open STDOUT,">".shift;
42 #if __ARM_MAX_ARCH__>=7
45 # $code.=".arch armv8-a+crypto\n" if ($flavour =~ /64/);
46 $code.=".arch armv7-a\n.fpu neon\n.code 32\n" if ($flavour !~ /64/);
47 #^^^^^^ this is done to simplify adoption by not depending
50 # Assembler mnemonics are an eclectic mix of 32- and 64-bit syntax,
51 # NEON is mostly 32-bit mnemonics, integer - mostly 64. Goal is to
52 # maintain both 32- and 64-bit codes within single module and
53 # transliterate common code to either flavour with regex vodoo.
56 my ($inp,$bits,$out,$ptr,$rounds)=("x0","w1","x2","x3","w12");
57 my ($zero,$rcon,$mask,$in0,$in1,$tmp,$key)=
58 $flavour=~/64/? map("q$_",(0..6)) : map("q$_",(0..3,8..10));
64 .long 0x01,0x01,0x01,0x01
65 .long 0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d,0x0c0f0e0d // rotate-n-splat
66 .long 0x1b,0x1b,0x1b,0x1b
68 .globl ${prefix}_set_encrypt_key
69 .type ${prefix}_set_encrypt_key,%function
71 ${prefix}_set_encrypt_key:
74 $code.=<<___ if ($flavour =~ /64/);
75 stp x29,x30,[sp,#-16]!
95 veor $zero,$zero,$zero
96 vld1.8 {$in0},[$inp],#16
97 mov $bits,#8 // reuse $bits
98 vld1.32 {$rcon,$mask},[$ptr],#32
106 vtbl.8 $key,{$in0},$mask
107 vext.8 $tmp,$zero,$in0,#12
108 vst1.32 {$in0},[$out],#16
113 vext.8 $tmp,$zero,$tmp,#12
115 vext.8 $tmp,$zero,$tmp,#12
118 vshl.u8 $rcon,$rcon,#1
122 vld1.32 {$rcon},[$ptr]
124 vtbl.8 $key,{$in0},$mask
125 vext.8 $tmp,$zero,$in0,#12
126 vst1.32 {$in0},[$out],#16
130 vext.8 $tmp,$zero,$tmp,#12
132 vext.8 $tmp,$zero,$tmp,#12
135 vshl.u8 $rcon,$rcon,#1
138 vtbl.8 $key,{$in0},$mask
139 vext.8 $tmp,$zero,$in0,#12
140 vst1.32 {$in0},[$out],#16
144 vext.8 $tmp,$zero,$tmp,#12
146 vext.8 $tmp,$zero,$tmp,#12
150 vst1.32 {$in0},[$out]
158 vld1.8 {$in1},[$inp],#8
159 vmov.i8 $key,#8 // borrow $key
160 vst1.32 {$in0},[$out],#16
161 vsub.i8 $mask,$mask,$key // adjust the mask
164 vtbl.8 $key,{$in1},$mask
165 vext.8 $tmp,$zero,$in0,#12
166 vst1.32 {$in1},[$out],#8
171 vext.8 $tmp,$zero,$tmp,#12
173 vext.8 $tmp,$zero,$tmp,#12
176 vdup.32 $tmp,${in0}[3]
179 vext.8 $in1,$zero,$in1,#12
180 vshl.u8 $rcon,$rcon,#1
184 vst1.32 {$in0},[$out],#16
196 vst1.32 {$in0},[$out],#16
199 vtbl.8 $key,{$in1},$mask
200 vext.8 $tmp,$zero,$in0,#12
201 vst1.32 {$in1},[$out],#16
206 vext.8 $tmp,$zero,$tmp,#12
208 vext.8 $tmp,$zero,$tmp,#12
211 vshl.u8 $rcon,$rcon,#1
213 vst1.32 {$in0},[$out],#16
216 vdup.32 $key,${in0}[3] // just splat
217 vext.8 $tmp,$zero,$in1,#12
221 vext.8 $tmp,$zero,$tmp,#12
223 vext.8 $tmp,$zero,$tmp,#12
234 mov x0,$ptr // return value
235 `"ldr x29,[sp],#16" if ($flavour =~ /64/)`
237 .size ${prefix}_set_encrypt_key,.-${prefix}_set_encrypt_key
239 .globl ${prefix}_set_decrypt_key
240 .type ${prefix}_set_decrypt_key,%function
242 ${prefix}_set_decrypt_key:
244 $code.=<<___ if ($flavour =~ /64/);
245 stp x29,x30,[sp,#-16]!
248 $code.=<<___ if ($flavour !~ /64/);
257 sub $out,$out,#240 // restore original $out
259 add $inp,$out,x12,lsl#4 // end of key schedule
261 vld1.32 {v0.16b},[$out]
262 vld1.32 {v1.16b},[$inp]
263 vst1.32 {v0.16b},[$inp],x4
264 vst1.32 {v1.16b},[$out],#16
267 vld1.32 {v0.16b},[$out]
268 vld1.32 {v1.16b},[$inp]
271 vst1.32 {v0.16b},[$inp],x4
272 vst1.32 {v1.16b},[$out],#16
276 vld1.32 {v0.16b},[$out]
278 vst1.32 {v0.16b},[$inp]
280 eor x0,x0,x0 // return value
283 $code.=<<___ if ($flavour !~ /64/);
286 $code.=<<___ if ($flavour =~ /64/);
291 .size ${prefix}_set_decrypt_key,.-${prefix}_set_decrypt_key
297 my ($e,$mc) = $dir eq "en" ? ("e","mc") : ("d","imc");
298 my ($inp,$out,$key)=map("x$_",(0..2));
300 my ($rndkey0,$rndkey1,$inout)=map("q$_",(0..3));
303 .globl ${prefix}_${dir}crypt
304 .type ${prefix}_${dir}crypt,%function
306 ${prefix}_${dir}crypt:
307 ldr $rounds,[$key,#240]
308 vld1.32 {$rndkey0},[$key],#16
309 vld1.8 {$inout},[$inp]
310 sub $rounds,$rounds,#2
311 vld1.32 {$rndkey1},[$key],#16
314 aes$e $inout,$rndkey0
316 vld1.32 {$rndkey0},[$key],#16
317 subs $rounds,$rounds,#2
318 aes$e $inout,$rndkey1
320 vld1.32 {$rndkey1},[$key],#16
323 aes$e $inout,$rndkey0
325 vld1.32 {$rndkey0},[$key]
326 aes$e $inout,$rndkey1
327 veor $inout,$inout,$rndkey0
329 vst1.8 {$inout},[$out]
331 .size ${prefix}_${dir}crypt,.-${prefix}_${dir}crypt
338 my ($inp,$out,$len,$key,$ivp)=map("x$_",(0..4)); my $enc="w5";
339 my ($rounds,$cnt,$key_,$step,$step1)=($enc,"w6","x7","x8","x12");
340 my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7));
342 my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1);
343 my ($key4,$key5,$key6,$key7)=("x6","x12","x14",$key);
345 ### q8-q15 preloaded key schedule
348 .globl ${prefix}_cbc_encrypt
349 .type ${prefix}_cbc_encrypt,%function
351 ${prefix}_cbc_encrypt:
353 $code.=<<___ if ($flavour =~ /64/);
354 stp x29,x30,[sp,#-16]!
357 $code.=<<___ if ($flavour !~ /64/);
360 vstmdb sp!,{d8-d15} @ ABI specification says so
361 ldmia ip,{r4-r5} @ load remaining args
369 cmp $enc,#0 // en- or decrypting?
370 ldr $rounds,[$key,#240]
372 vld1.8 {$ivec},[$ivp]
373 vld1.8 {$dat},[$inp],$step
375 vld1.32 {q8-q9},[$key] // load key schedule...
376 sub $rounds,$rounds,#6
377 add $key_,$key,x5,lsl#4 // pointer to last 7 round keys
378 sub $rounds,$rounds,#2
379 vld1.32 {q10-q11},[$key_],#32
380 vld1.32 {q12-q13},[$key_],#32
381 vld1.32 {q14-q15},[$key_],#32
382 vld1.32 {$rndlast},[$key_]
390 veor $rndzero_n_last,q8,$rndlast
393 vld1.32 {$in0-$in1},[$key_]
407 vst1.8 {$ivec},[$out],#16
439 vld1.8 {q8},[$inp],$step
442 veor q8,q8,$rndzero_n_last
445 vld1.32 {q9},[$key_] // re-pre-load rndkey[1]
449 veor $ivec,$dat,$rndlast
452 vst1.8 {$ivec},[$out],#16
457 vld1.32 {$in0-$in1},[$key_]
464 vst1.8 {$ivec},[$out],#16
478 vld1.8 {q8},[$inp],$step
485 veor q8,q8,$rndzero_n_last
487 veor $ivec,$dat,$rndlast
488 b.hs .Loop_cbc_enc128
490 vst1.8 {$ivec},[$out],#16
494 my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9));
498 vld1.8 {$dat2},[$inp],#16
499 subs $len,$len,#32 // bias
503 vorr $in2,$dat2,$dat2
506 vorr $dat1,$dat2,$dat2
507 vld1.8 {$dat2},[$inp],#16
509 vorr $in1,$dat1,$dat1
510 vorr $in2,$dat2,$dat2
519 vld1.32 {q8},[$key_],#16
527 vld1.32 {q9},[$key_],#16
536 veor $tmp0,$ivec,$rndlast
538 veor $tmp1,$in0,$rndlast
539 mov.lo x6,$len // x6, $cnt, is zero at this point
546 veor $tmp2,$in1,$rndlast
547 add $inp,$inp,x6 // $inp is adjusted in such way that
548 // at exit from the loop $dat1-$dat2
549 // are loaded with last "words"
558 vld1.8 {$in0},[$inp],#16
565 vld1.8 {$in1},[$inp],#16
572 vld1.8 {$in2},[$inp],#16
576 vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
578 veor $tmp0,$tmp0,$dat0
579 veor $tmp1,$tmp1,$dat1
580 veor $dat2,$dat2,$tmp2
581 vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
582 vst1.8 {$tmp0},[$out],#16
584 vst1.8 {$tmp1},[$out],#16
586 vst1.8 {$dat2},[$out],#16
599 vld1.32 {q8},[$key_],#16
605 vld1.32 {q9},[$key_],#16
625 veor $tmp1,$ivec,$rndlast
630 veor $tmp2,$in1,$rndlast
634 veor $tmp1,$tmp1,$dat1
635 veor $tmp2,$tmp2,$dat2
637 vst1.8 {$tmp1},[$out],#16
638 vst1.8 {$tmp2},[$out],#16
642 veor $tmp1,$tmp1,$dat2
644 vst1.8 {$tmp1},[$out],#16
647 vst1.8 {$ivec},[$ivp]
651 $code.=<<___ if ($flavour !~ /64/);
655 $code.=<<___ if ($flavour =~ /64/);
660 .size ${prefix}_cbc_encrypt,.-${prefix}_cbc_encrypt
664 my ($inp,$out,$len,$key,$ivp)=map("x$_",(0..4));
665 my ($rounds,$cnt,$key_)=("w5","w6","x7");
666 my ($ctr,$tctr0,$tctr1,$tctr2)=map("w$_",(8..10,12));
667 my $step="x12"; # aliases with $tctr2
669 my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7));
670 my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9));
672 my ($dat,$tmp)=($dat0,$tmp0);
674 ### q8-q15 preloaded key schedule
677 .globl ${prefix}_ctr32_encrypt_blocks
678 .type ${prefix}_ctr32_encrypt_blocks,%function
680 ${prefix}_ctr32_encrypt_blocks:
682 $code.=<<___ if ($flavour =~ /64/);
683 stp x29,x30,[sp,#-16]!
686 $code.=<<___ if ($flavour !~ /64/);
688 stmdb sp!,{r4-r10,lr}
689 vstmdb sp!,{d8-d15} @ ABI specification says so
690 ldr r4, [ip] @ load remaining arg
693 ldr $rounds,[$key,#240]
695 ldr $ctr, [$ivp, #12]
696 vld1.32 {$dat0},[$ivp]
698 vld1.32 {q8-q9},[$key] // load key schedule...
699 sub $rounds,$rounds,#4
702 add $key_,$key,x5,lsl#4 // pointer to last 5 round keys
703 sub $rounds,$rounds,#2
704 vld1.32 {q12-q13},[$key_],#32
705 vld1.32 {q14-q15},[$key_],#32
706 vld1.32 {$rndlast},[$key_]
713 vorr $dat1,$dat0,$dat0
715 vorr $dat2,$dat0,$dat0
717 vorr $ivec,$dat0,$dat0
719 vmov.32 ${dat1}[3],$tctr1
722 sub $len,$len,#3 // bias
723 vmov.32 ${dat2}[3],$tctr2
734 vld1.32 {q8},[$key_],#16
742 vld1.32 {q9},[$key_],#16
749 vld1.8 {$in0},[$inp],#16
750 vorr $dat0,$ivec,$ivec
753 vld1.8 {$in1},[$inp],#16
754 vorr $dat1,$ivec,$ivec
759 vld1.8 {$in2},[$inp],#16
763 vorr $dat2,$ivec,$ivec
769 veor $in0,$in0,$rndlast
773 veor $in1,$in1,$rndlast
779 veor $in2,$in2,$rndlast
783 vmov.32 ${dat0}[3], $tctr0
789 vmov.32 ${dat1}[3], $tctr1
793 vmov.32 ${dat2}[3], $tctr2
800 vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
801 vst1.8 {$in0},[$out],#16
804 vst1.8 {$in1},[$out],#16
806 vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
807 vst1.8 {$in2},[$out],#16
821 vld1.32 {q8},[$key_],#16
827 vld1.32 {q9},[$key_],#16
838 vld1.8 {$in0},[$inp],$step
848 veor $in0,$in0,$rndlast
853 veor $in1,$in1,$rndlast
860 vst1.8 {$in0},[$out],#16
866 $code.=<<___ if ($flavour !~ /64/);
868 ldmia sp!,{r4-r10,pc}
870 $code.=<<___ if ($flavour =~ /64/);
875 .size ${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks
881 ########################################
882 if ($flavour =~ /64/) { ######## 64-bit code
884 "aesd" => 0x4e285800, "aese" => 0x4e284800,
885 "aesimc"=> 0x4e287800, "aesmc" => 0x4e286800 );
888 my ($mnemonic,$arg)=@_;
890 $arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)/o &&
891 sprintf ".inst\t0x%08x\t//%s %s",
892 $opcode{$mnemonic}|$1|($2<<5),
896 foreach(split("\n",$code)) {
897 s/\`([^\`]*)\`/eval($1)/geo;
899 s/\bq([0-9]+)\b/"v".($1<8?$1:$1+8).".16b"/geo; # old->new registers
900 s/@\s/\/\//o; # old->new style commentary
902 #s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo or
903 s/cclr\s+([wx])([^,]+),\s*([a-z]+)/csel $1$2,$1zr,$1$2,$3/o or
904 s/mov\.([a-z]+)\s+([wx][0-9]+),\s*([wx][0-9]+)/csel $2,$3,$2,$1/o or
905 s/vmov\.i8/movi/o or # fix up legacy mnemonics
907 s/vrev32\.8/rev32/o or
910 s/^(\s+)v/$1/o or # strip off v prefix
913 # fix up remainig legacy suffixes
915 m/\],#8/o and s/\.16b/\.8b/go;
916 s/\.[ui]?32//o and s/\.16b/\.4s/go;
917 s/\.[ui]?64//o and s/\.16b/\.2d/go;
918 s/\.[42]([sd])\[([0-3])\]/\.$1\[$2\]/o;
922 } else { ######## 32-bit code
924 "aesd" => 0xf3b00340, "aese" => 0xf3b00300,
925 "aesimc"=> 0xf3b003c0, "aesmc" => 0xf3b00380 );
928 my ($mnemonic,$arg)=@_;
930 if ($arg =~ m/[qv]([0-9]+)[^,]*,\s*[qv]([0-9]+)/o) {
931 my $word = $opcode{$mnemonic}|(($1&7)<<13)|(($1&8)<<19)
932 |(($2&7)<<1) |(($2&8)<<2);
933 # since ARMv7 instructions are always encoded little-endian.
934 # correct solution is to use .inst directive, but older
935 # assemblers don't implement it:-(
936 sprintf ".byte\t0x%02x,0x%02x,0x%02x,0x%02x\t@ %s %s",
937 $word&0xff,($word>>8)&0xff,
938 ($word>>16)&0xff,($word>>24)&0xff,
946 $arg =~ m/q([0-9]+),\s*\{q([0-9]+)\},\s*q([0-9]+)/o &&
947 sprintf "vtbl.8 d%d,{q%d},d%d\n\t".
948 "vtbl.8 d%d,{q%d},d%d", 2*$1,$2,2*$3, 2*$1+1,$2,2*$3+1;
954 $arg =~ m/q([0-9]+),\s*q([0-9]+)\[([0-3])\]/o &&
955 sprintf "vdup.32 q%d,d%d[%d]",$1,2*$2+($3>>1),$3&1;
961 $arg =~ m/q([0-9]+)\[([0-3])\],(.*)/o &&
962 sprintf "vmov.32 d%d[%d],%s",2*$1+($2>>1),$2&1,$3;
965 foreach(split("\n",$code)) {
966 s/\`([^\`]*)\`/eval($1)/geo;
968 s/\b[wx]([0-9]+)\b/r$1/go; # new->old registers
969 s/\bv([0-9])\.[12468]+[bsd]\b/q$1/go; # new->old registers
970 s/\/\/\s?/@ /o; # new->old style commentary
972 # fix up remainig new-style suffixes
973 s/\{q([0-9]+)\},\s*\[(.+)\],#8/sprintf "{d%d},[$2]!",2*$1/eo or
976 s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo or
977 s/cclr\s+([^,]+),\s*([a-z]+)/mov$2 $1,#0/o or
978 s/vtbl\.8\s+(.*)/unvtbl($1)/geo or
979 s/vdup\.32\s+(.*)/unvdup32($1)/geo or
980 s/vmov\.32\s+(.*)/unvmov32($1)/geo or
982 s/^(\s+)mov\./$1mov/o or
983 s/^(\s+)ret/$1bx\tlr/o;