157 lines
5.1 KiB
ArmAsm
157 lines
5.1 KiB
ArmAsm
/* SPDX-License-Identifier: Apache-2.0 OR BSD-2-Clause */
|
|
//
|
|
// This file is dual-licensed, meaning that you can use it under your
|
|
// choice of either of the following two licenses:
|
|
//
|
|
// Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
|
|
//
|
|
// Licensed under the Apache License 2.0 (the "License"). You can obtain
|
|
// a copy in the file LICENSE in the source distribution or at
|
|
// https://www.openssl.org/source/license.html
|
|
//
|
|
// or
|
|
//
|
|
// Copyright (c) 2023, Christoph Müllner <christoph.muellner@vrull.eu>
|
|
// Copyright (c) 2023, Phoebe Chen <phoebe.chen@sifive.com>
|
|
// Copyright (c) 2023, Jerry Shih <jerry.shih@sifive.com>
|
|
// Copyright 2024 Google LLC
|
|
// All rights reserved.
|
|
//
|
|
// Redistribution and use in source and binary forms, with or without
|
|
// modification, are permitted provided that the following conditions
|
|
// are met:
|
|
// 1. Redistributions of source code must retain the above copyright
|
|
// notice, this list of conditions and the following disclaimer.
|
|
// 2. Redistributions in binary form must reproduce the above copyright
|
|
// notice, this list of conditions and the following disclaimer in the
|
|
// documentation and/or other materials provided with the distribution.
|
|
//
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
|
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
// This file contains macros that are shared by the other aes-*.S files. The
|
|
// generated code of these macros depends on the following RISC-V extensions:
|
|
// - RV64I
|
|
// - RISC-V Vector ('V') with VLEN >= 128
|
|
// - RISC-V Vector AES block cipher extension ('Zvkned')
|
|
|
|
// Loads the AES round keys from \keyp into vector registers and jumps to code
|
|
// specific to the length of the key. Specifically:
|
|
// - If AES-128, loads round keys into v1-v11 and jumps to \label128.
|
|
// - If AES-192, loads round keys into v1-v13 and jumps to \label192.
|
|
// - If AES-256, loads round keys into v1-v15 and continues onwards.
|
|
//
|
|
// Also sets vl=4 and vtype=e32,m1,ta,ma. Clobbers t0 and t1.
|
|
.macro aes_begin keyp, label128, label192
|
|
lwu t0, 480(\keyp) // t0 = key length in bytes
|
|
li t1, 24 // t1 = key length for AES-192
|
|
vsetivli zero, 4, e32, m1, ta, ma
|
|
vle32.v v1, (\keyp)
|
|
addi \keyp, \keyp, 16
|
|
vle32.v v2, (\keyp)
|
|
addi \keyp, \keyp, 16
|
|
vle32.v v3, (\keyp)
|
|
addi \keyp, \keyp, 16
|
|
vle32.v v4, (\keyp)
|
|
addi \keyp, \keyp, 16
|
|
vle32.v v5, (\keyp)
|
|
addi \keyp, \keyp, 16
|
|
vle32.v v6, (\keyp)
|
|
addi \keyp, \keyp, 16
|
|
vle32.v v7, (\keyp)
|
|
addi \keyp, \keyp, 16
|
|
vle32.v v8, (\keyp)
|
|
addi \keyp, \keyp, 16
|
|
vle32.v v9, (\keyp)
|
|
addi \keyp, \keyp, 16
|
|
vle32.v v10, (\keyp)
|
|
addi \keyp, \keyp, 16
|
|
vle32.v v11, (\keyp)
|
|
blt t0, t1, \label128 // If AES-128, goto label128.
|
|
addi \keyp, \keyp, 16
|
|
vle32.v v12, (\keyp)
|
|
addi \keyp, \keyp, 16
|
|
vle32.v v13, (\keyp)
|
|
beq t0, t1, \label192 // If AES-192, goto label192.
|
|
// Else, it's AES-256.
|
|
addi \keyp, \keyp, 16
|
|
vle32.v v14, (\keyp)
|
|
addi \keyp, \keyp, 16
|
|
vle32.v v15, (\keyp)
|
|
.endm
|
|
|
|
// Encrypts \data using zvkned instructions, using the round keys loaded into
|
|
// v1-v11 (for AES-128), v1-v13 (for AES-192), or v1-v15 (for AES-256). \keylen
|
|
// is the AES key length in bits. vl and vtype must already be set
|
|
// appropriately. Note that if vl > 4, multiple blocks are encrypted.
|
|
.macro aes_encrypt data, keylen
|
|
vaesz.vs \data, v1
|
|
vaesem.vs \data, v2
|
|
vaesem.vs \data, v3
|
|
vaesem.vs \data, v4
|
|
vaesem.vs \data, v5
|
|
vaesem.vs \data, v6
|
|
vaesem.vs \data, v7
|
|
vaesem.vs \data, v8
|
|
vaesem.vs \data, v9
|
|
vaesem.vs \data, v10
|
|
.if \keylen == 128
|
|
vaesef.vs \data, v11
|
|
.elseif \keylen == 192
|
|
vaesem.vs \data, v11
|
|
vaesem.vs \data, v12
|
|
vaesef.vs \data, v13
|
|
.else
|
|
vaesem.vs \data, v11
|
|
vaesem.vs \data, v12
|
|
vaesem.vs \data, v13
|
|
vaesem.vs \data, v14
|
|
vaesef.vs \data, v15
|
|
.endif
|
|
.endm
|
|
|
|
// Same as aes_encrypt, but decrypts instead of encrypts.
|
|
.macro aes_decrypt data, keylen
|
|
.if \keylen == 128
|
|
vaesz.vs \data, v11
|
|
.elseif \keylen == 192
|
|
vaesz.vs \data, v13
|
|
vaesdm.vs \data, v12
|
|
vaesdm.vs \data, v11
|
|
.else
|
|
vaesz.vs \data, v15
|
|
vaesdm.vs \data, v14
|
|
vaesdm.vs \data, v13
|
|
vaesdm.vs \data, v12
|
|
vaesdm.vs \data, v11
|
|
.endif
|
|
vaesdm.vs \data, v10
|
|
vaesdm.vs \data, v9
|
|
vaesdm.vs \data, v8
|
|
vaesdm.vs \data, v7
|
|
vaesdm.vs \data, v6
|
|
vaesdm.vs \data, v5
|
|
vaesdm.vs \data, v4
|
|
vaesdm.vs \data, v3
|
|
vaesdm.vs \data, v2
|
|
vaesdf.vs \data, v1
|
|
.endm
|
|
|
|
// Expands to aes_encrypt or aes_decrypt according to \enc, which is 1 or 0.
|
|
.macro aes_crypt data, enc, keylen
|
|
.if \enc
|
|
aes_encrypt \data, \keylen
|
|
.else
|
|
aes_decrypt \data, \keylen
|
|
.endif
|
|
.endm
|