xref: /openbmc/linux/arch/powerpc/crypto/aes-spe-modes.S (revision eb3fcf007fffe5830d815e713591f3e858f2a365)
1/*
2 * AES modes (ECB/CBC/CTR/XTS) for PPC AES implementation
3 *
4 * Copyright (c) 2015 Markus Stockhausen <stockhausen@collogia.de>
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the Free
8 * Software Foundation; either version 2 of the License, or (at your option)
9 * any later version.
10 *
11 */
12
13#include <asm/ppc_asm.h>
14#include "aes-spe-regs.h"
15
16#ifdef __BIG_ENDIAN__			/* Macros for big endian builds	*/
17
18#define LOAD_DATA(reg, off) \
19	lwz		reg,off(rSP);	/* load with offset		*/
20#define SAVE_DATA(reg, off) \
21	stw		reg,off(rDP);	/* save with offset		*/
22#define NEXT_BLOCK \
23	addi		rSP,rSP,16;	/* increment pointers per bloc	*/ \
24	addi		rDP,rDP,16;
25#define LOAD_IV(reg, off) \
26	lwz		reg,off(rIP);	/* IV loading with offset	*/
27#define SAVE_IV(reg, off) \
28	stw		reg,off(rIP);	/* IV saving with offset	*/
29#define START_IV			/* nothing to reset		*/
30#define CBC_DEC 16			/* CBC decrement per block	*/
31#define CTR_DEC 1			/* CTR decrement one byte	*/
32
33#else					/* Macros for little endian	*/
34
35#define LOAD_DATA(reg, off) \
36	lwbrx		reg,0,rSP;	/* load reversed		*/ \
37	addi		rSP,rSP,4;	/* and increment pointer	*/
38#define SAVE_DATA(reg, off) \
39	stwbrx		reg,0,rDP;	/* save reversed		*/ \
40	addi		rDP,rDP,4;	/* and increment pointer	*/
41#define NEXT_BLOCK			/* nothing todo			*/
42#define LOAD_IV(reg, off) \
43	lwbrx		reg,0,rIP;	/* load reversed		*/ \
44	addi		rIP,rIP,4;	/* and increment pointer	*/
45#define SAVE_IV(reg, off) \
46	stwbrx		reg,0,rIP;	/* load reversed		*/ \
47	addi		rIP,rIP,4;	/* and increment pointer	*/
48#define START_IV \
49	subi		rIP,rIP,16;	/* must reset pointer		*/
50#define CBC_DEC 32			/* 2 blocks because of incs	*/
51#define CTR_DEC 17			/* 1 block because of incs	*/
52
53#endif
54
55#define SAVE_0_REGS
56#define LOAD_0_REGS
57
58#define SAVE_4_REGS \
59	stw		rI0,96(r1);	/* save 32 bit registers	*/ \
60	stw		rI1,100(r1);					   \
61	stw		rI2,104(r1);					   \
62	stw		rI3,108(r1);
63
64#define LOAD_4_REGS \
65	lwz		rI0,96(r1);	/* restore 32 bit registers	*/ \
66	lwz		rI1,100(r1);					   \
67	lwz		rI2,104(r1);					   \
68	lwz		rI3,108(r1);
69
70#define SAVE_8_REGS \
71	SAVE_4_REGS							   \
72	stw		rG0,112(r1);	/* save 32 bit registers	*/ \
73	stw		rG1,116(r1);					   \
74	stw		rG2,120(r1);					   \
75	stw		rG3,124(r1);
76
77#define LOAD_8_REGS \
78	LOAD_4_REGS							   \
79	lwz		rG0,112(r1);	/* restore 32 bit registers	*/ \
80	lwz		rG1,116(r1);					   \
81	lwz		rG2,120(r1);					   \
82	lwz		rG3,124(r1);
83
84#define INITIALIZE_CRYPT(tab,nr32bitregs) \
85	mflr		r0;						   \
86	stwu		r1,-160(r1);	/* create stack frame		*/ \
87	lis		rT0,tab@h;	/* en-/decryption table pointer	*/ \
88	stw		r0,8(r1);	/* save link register		*/ \
89	ori		rT0,rT0,tab@l;					   \
90	evstdw		r14,16(r1);					   \
91	mr		rKS,rKP;					   \
92	evstdw		r15,24(r1);	/* We must save non volatile	*/ \
93	evstdw		r16,32(r1);	/* registers. Take the chance	*/ \
94	evstdw		r17,40(r1);	/* and save the SPE part too	*/ \
95	evstdw		r18,48(r1);					   \
96	evstdw		r19,56(r1);					   \
97	evstdw		r20,64(r1);					   \
98	evstdw		r21,72(r1);					   \
99	evstdw		r22,80(r1);					   \
100	evstdw		r23,88(r1);					   \
101	SAVE_##nr32bitregs##_REGS
102
103#define FINALIZE_CRYPT(nr32bitregs) \
104	lwz		r0,8(r1);					   \
105	evldw		r14,16(r1);	/* restore SPE registers	*/ \
106	evldw		r15,24(r1);					   \
107	evldw		r16,32(r1);					   \
108	evldw		r17,40(r1);					   \
109	evldw		r18,48(r1);					   \
110	evldw		r19,56(r1);					   \
111	evldw		r20,64(r1);					   \
112	evldw		r21,72(r1);					   \
113	evldw		r22,80(r1);					   \
114	evldw		r23,88(r1);					   \
115	LOAD_##nr32bitregs##_REGS					   \
116	mtlr		r0;		/* restore link register	*/ \
117	xor		r0,r0,r0;					   \
118	stw		r0,16(r1);	/* delete sensitive data	*/ \
119	stw		r0,24(r1);	/* that we might have pushed	*/ \
120	stw		r0,32(r1);	/* from other context that runs	*/ \
121	stw		r0,40(r1);	/* the same code		*/ \
122	stw		r0,48(r1);					   \
123	stw		r0,56(r1);					   \
124	stw		r0,64(r1);					   \
125	stw		r0,72(r1);					   \
126	stw		r0,80(r1);					   \
127	stw		r0,88(r1);					   \
128	addi		r1,r1,160;	/* cleanup stack frame		*/
129
130#define ENDIAN_SWAP(t0, t1, s0, s1) \
131	rotrwi		t0,s0,8;	/* swap endianness for 2 GPRs	*/ \
132	rotrwi		t1,s1,8;					   \
133	rlwimi		t0,s0,8,8,15;					   \
134	rlwimi		t1,s1,8,8,15;					   \
135	rlwimi		t0,s0,8,24,31;					   \
136	rlwimi		t1,s1,8,24,31;
137
138#define GF128_MUL(d0, d1, d2, d3, t0) \
139	li		t0,0x87;	/* multiplication in GF128	*/ \
140	cmpwi		d3,-1;						   \
141	iselgt		t0,0,t0;					   \
142	rlwimi		d3,d2,0,0,0;	/* propagate "carry" bits	*/ \
143	rotlwi		d3,d3,1;					   \
144	rlwimi		d2,d1,0,0,0;					   \
145	rotlwi		d2,d2,1;					   \
146	rlwimi		d1,d0,0,0,0;					   \
147	slwi		d0,d0,1;	/* shift left 128 bit		*/ \
148	rotlwi		d1,d1,1;					   \
149	xor		d0,d0,t0;
150
151#define START_KEY(d0, d1, d2, d3) \
152	lwz		rW0,0(rKP);					   \
153	mtctr		rRR;						   \
154	lwz		rW1,4(rKP);					   \
155	lwz		rW2,8(rKP);					   \
156	lwz		rW3,12(rKP);					   \
157	xor		rD0,d0,rW0;					   \
158	xor		rD1,d1,rW1;					   \
159	xor		rD2,d2,rW2;					   \
160	xor		rD3,d3,rW3;
161
162/*
163 * ppc_encrypt_aes(u8 *out, const u8 *in, u32 *key_enc,
164 *		   u32 rounds)
165 *
166 * called from glue layer to encrypt a single 16 byte block
167 * round values are AES128 = 4, AES192 = 5, AES256 = 6
168 *
169 */
170_GLOBAL(ppc_encrypt_aes)
171	INITIALIZE_CRYPT(PPC_AES_4K_ENCTAB, 0)
172	LOAD_DATA(rD0, 0)
173	LOAD_DATA(rD1, 4)
174	LOAD_DATA(rD2, 8)
175	LOAD_DATA(rD3, 12)
176	START_KEY(rD0, rD1, rD2, rD3)
177	bl		ppc_encrypt_block
178	xor		rD0,rD0,rW0
179	SAVE_DATA(rD0, 0)
180	xor		rD1,rD1,rW1
181	SAVE_DATA(rD1, 4)
182	xor		rD2,rD2,rW2
183	SAVE_DATA(rD2, 8)
184	xor		rD3,rD3,rW3
185	SAVE_DATA(rD3, 12)
186	FINALIZE_CRYPT(0)
187	blr
188
189/*
190 * ppc_decrypt_aes(u8 *out, const u8 *in, u32 *key_dec,
191 *		   u32 rounds)
192 *
193 * called from glue layer to decrypt a single 16 byte block
194 * round values are AES128 = 4, AES192 = 5, AES256 = 6
195 *
196 */
197_GLOBAL(ppc_decrypt_aes)
198	INITIALIZE_CRYPT(PPC_AES_4K_DECTAB,0)
199	LOAD_DATA(rD0, 0)
200	addi		rT1,rT0,4096
201	LOAD_DATA(rD1, 4)
202	LOAD_DATA(rD2, 8)
203	LOAD_DATA(rD3, 12)
204	START_KEY(rD0, rD1, rD2, rD3)
205	bl		ppc_decrypt_block
206	xor		rD0,rD0,rW0
207	SAVE_DATA(rD0, 0)
208	xor		rD1,rD1,rW1
209	SAVE_DATA(rD1, 4)
210	xor		rD2,rD2,rW2
211	SAVE_DATA(rD2, 8)
212	xor		rD3,rD3,rW3
213	SAVE_DATA(rD3, 12)
214	FINALIZE_CRYPT(0)
215	blr
216
217/*
218 * ppc_encrypt_ecb(u8 *out, const u8 *in, u32 *key_enc,
219 *		   u32 rounds, u32 bytes);
220 *
221 * called from glue layer to encrypt multiple blocks via ECB
222 * Bytes must be larger or equal 16 and only whole blocks are
223 * processed. round values are AES128 = 4, AES192 = 5 and
224 * AES256 = 6
225 *
226 */
227_GLOBAL(ppc_encrypt_ecb)
228	INITIALIZE_CRYPT(PPC_AES_4K_ENCTAB, 0)
229ppc_encrypt_ecb_loop:
230	LOAD_DATA(rD0, 0)
231	mr		rKP,rKS
232	LOAD_DATA(rD1, 4)
233	subi		rLN,rLN,16
234	LOAD_DATA(rD2, 8)
235	cmpwi		rLN,15
236	LOAD_DATA(rD3, 12)
237	START_KEY(rD0, rD1, rD2, rD3)
238	bl		ppc_encrypt_block
239	xor		rD0,rD0,rW0
240	SAVE_DATA(rD0, 0)
241	xor		rD1,rD1,rW1
242	SAVE_DATA(rD1, 4)
243	xor		rD2,rD2,rW2
244	SAVE_DATA(rD2, 8)
245	xor		rD3,rD3,rW3
246	SAVE_DATA(rD3, 12)
247	NEXT_BLOCK
248	bt		gt,ppc_encrypt_ecb_loop
249	FINALIZE_CRYPT(0)
250	blr
251
252/*
253 * ppc_decrypt_ecb(u8 *out, const u8 *in, u32 *key_dec,
254 *		   u32 rounds, u32 bytes);
255 *
256 * called from glue layer to decrypt multiple blocks via ECB
257 * Bytes must be larger or equal 16 and only whole blocks are
258 * processed. round values are AES128 = 4, AES192 = 5 and
259 * AES256 = 6
260 *
261 */
262_GLOBAL(ppc_decrypt_ecb)
263	INITIALIZE_CRYPT(PPC_AES_4K_DECTAB, 0)
264	addi		rT1,rT0,4096
265ppc_decrypt_ecb_loop:
266	LOAD_DATA(rD0, 0)
267	mr		rKP,rKS
268	LOAD_DATA(rD1, 4)
269	subi		rLN,rLN,16
270	LOAD_DATA(rD2, 8)
271	cmpwi		rLN,15
272	LOAD_DATA(rD3, 12)
273	START_KEY(rD0, rD1, rD2, rD3)
274	bl		ppc_decrypt_block
275	xor		rD0,rD0,rW0
276	SAVE_DATA(rD0, 0)
277	xor		rD1,rD1,rW1
278	SAVE_DATA(rD1, 4)
279	xor		rD2,rD2,rW2
280	SAVE_DATA(rD2, 8)
281	xor		rD3,rD3,rW3
282	SAVE_DATA(rD3, 12)
283	NEXT_BLOCK
284	bt		gt,ppc_decrypt_ecb_loop
285	FINALIZE_CRYPT(0)
286	blr
287
288/*
289 * ppc_encrypt_cbc(u8 *out, const u8 *in, u32 *key_enc,
290 *		   32 rounds, u32 bytes, u8 *iv);
291 *
292 * called from glue layer to encrypt multiple blocks via CBC
293 * Bytes must be larger or equal 16 and only whole blocks are
294 * processed. round values are AES128 = 4, AES192 = 5 and
295 * AES256 = 6
296 *
297 */
298_GLOBAL(ppc_encrypt_cbc)
299	INITIALIZE_CRYPT(PPC_AES_4K_ENCTAB, 4)
300	LOAD_IV(rI0, 0)
301	LOAD_IV(rI1, 4)
302	LOAD_IV(rI2, 8)
303	LOAD_IV(rI3, 12)
304ppc_encrypt_cbc_loop:
305	LOAD_DATA(rD0, 0)
306	mr		rKP,rKS
307	LOAD_DATA(rD1, 4)
308	subi		rLN,rLN,16
309	LOAD_DATA(rD2, 8)
310	cmpwi		rLN,15
311	LOAD_DATA(rD3, 12)
312	xor		rD0,rD0,rI0
313	xor		rD1,rD1,rI1
314	xor		rD2,rD2,rI2
315	xor		rD3,rD3,rI3
316	START_KEY(rD0, rD1, rD2, rD3)
317	bl		ppc_encrypt_block
318	xor		rI0,rD0,rW0
319	SAVE_DATA(rI0, 0)
320	xor		rI1,rD1,rW1
321	SAVE_DATA(rI1, 4)
322	xor		rI2,rD2,rW2
323	SAVE_DATA(rI2, 8)
324	xor		rI3,rD3,rW3
325	SAVE_DATA(rI3, 12)
326	NEXT_BLOCK
327	bt		gt,ppc_encrypt_cbc_loop
328	START_IV
329	SAVE_IV(rI0, 0)
330	SAVE_IV(rI1, 4)
331	SAVE_IV(rI2, 8)
332	SAVE_IV(rI3, 12)
333	FINALIZE_CRYPT(4)
334	blr
335
336/*
337 * ppc_decrypt_cbc(u8 *out, const u8 *in, u32 *key_dec,
338 *		   u32 rounds, u32 bytes, u8 *iv);
339 *
340 * called from glue layer to decrypt multiple blocks via CBC
341 * round values are AES128 = 4, AES192 = 5, AES256 = 6
342 *
343 */
344_GLOBAL(ppc_decrypt_cbc)
345	INITIALIZE_CRYPT(PPC_AES_4K_DECTAB, 4)
346	li		rT1,15
347	LOAD_IV(rI0, 0)
348	andc		rLN,rLN,rT1
349	LOAD_IV(rI1, 4)
350	subi		rLN,rLN,16
351	LOAD_IV(rI2, 8)
352	add		rSP,rSP,rLN	/* reverse processing		*/
353	LOAD_IV(rI3, 12)
354	add		rDP,rDP,rLN
355	LOAD_DATA(rD0, 0)
356	addi		rT1,rT0,4096
357	LOAD_DATA(rD1, 4)
358	LOAD_DATA(rD2, 8)
359	LOAD_DATA(rD3, 12)
360	START_IV
361	SAVE_IV(rD0, 0)
362	SAVE_IV(rD1, 4)
363	SAVE_IV(rD2, 8)
364	cmpwi		rLN,16
365	SAVE_IV(rD3, 12)
366	bt		lt,ppc_decrypt_cbc_end
367ppc_decrypt_cbc_loop:
368	mr		rKP,rKS
369	START_KEY(rD0, rD1, rD2, rD3)
370	bl		ppc_decrypt_block
371	subi		rLN,rLN,16
372	subi		rSP,rSP,CBC_DEC
373	xor		rW0,rD0,rW0
374	LOAD_DATA(rD0, 0)
375	xor		rW1,rD1,rW1
376	LOAD_DATA(rD1, 4)
377	xor		rW2,rD2,rW2
378	LOAD_DATA(rD2, 8)
379	xor		rW3,rD3,rW3
380	LOAD_DATA(rD3, 12)
381	xor		rW0,rW0,rD0
382	SAVE_DATA(rW0, 0)
383	xor		rW1,rW1,rD1
384	SAVE_DATA(rW1, 4)
385	xor		rW2,rW2,rD2
386	SAVE_DATA(rW2, 8)
387	xor		rW3,rW3,rD3
388	SAVE_DATA(rW3, 12)
389	cmpwi		rLN,15
390	subi		rDP,rDP,CBC_DEC
391	bt		gt,ppc_decrypt_cbc_loop
392ppc_decrypt_cbc_end:
393	mr		rKP,rKS
394	START_KEY(rD0, rD1, rD2, rD3)
395	bl		ppc_decrypt_block
396	xor		rW0,rW0,rD0
397	xor		rW1,rW1,rD1
398	xor		rW2,rW2,rD2
399	xor		rW3,rW3,rD3
400	xor		rW0,rW0,rI0	/* decrypt with initial IV	*/
401	SAVE_DATA(rW0, 0)
402	xor		rW1,rW1,rI1
403	SAVE_DATA(rW1, 4)
404	xor		rW2,rW2,rI2
405	SAVE_DATA(rW2, 8)
406	xor		rW3,rW3,rI3
407	SAVE_DATA(rW3, 12)
408	FINALIZE_CRYPT(4)
409	blr
410
411/*
412 * ppc_crypt_ctr(u8 *out, const u8 *in, u32 *key_enc,
413 *		 u32 rounds, u32 bytes, u8 *iv);
414 *
415 * called from glue layer to encrypt/decrypt multiple blocks
416 * via CTR. Number of bytes does not need to be a multiple of
417 * 16. Round values are AES128 = 4, AES192 = 5, AES256 = 6
418 *
419 */
420_GLOBAL(ppc_crypt_ctr)
421	INITIALIZE_CRYPT(PPC_AES_4K_ENCTAB, 4)
422	LOAD_IV(rI0, 0)
423	LOAD_IV(rI1, 4)
424	LOAD_IV(rI2, 8)
425	cmpwi		rLN,16
426	LOAD_IV(rI3, 12)
427	START_IV
428	bt		lt,ppc_crypt_ctr_partial
429ppc_crypt_ctr_loop:
430	mr		rKP,rKS
431	START_KEY(rI0, rI1, rI2, rI3)
432	bl		ppc_encrypt_block
433	xor		rW0,rD0,rW0
434	xor		rW1,rD1,rW1
435	xor		rW2,rD2,rW2
436	xor		rW3,rD3,rW3
437	LOAD_DATA(rD0, 0)
438	subi		rLN,rLN,16
439	LOAD_DATA(rD1, 4)
440	LOAD_DATA(rD2, 8)
441	LOAD_DATA(rD3, 12)
442	xor		rD0,rD0,rW0
443	SAVE_DATA(rD0, 0)
444	xor		rD1,rD1,rW1
445	SAVE_DATA(rD1, 4)
446	xor		rD2,rD2,rW2
447	SAVE_DATA(rD2, 8)
448	xor		rD3,rD3,rW3
449	SAVE_DATA(rD3, 12)
450	addic		rI3,rI3,1	/* increase counter			*/
451	addze		rI2,rI2
452	addze		rI1,rI1
453	addze		rI0,rI0
454	NEXT_BLOCK
455	cmpwi		rLN,15
456	bt		gt,ppc_crypt_ctr_loop
457ppc_crypt_ctr_partial:
458	cmpwi		rLN,0
459	bt		eq,ppc_crypt_ctr_end
460	mr		rKP,rKS
461	START_KEY(rI0, rI1, rI2, rI3)
462	bl		ppc_encrypt_block
463	xor		rW0,rD0,rW0
464	SAVE_IV(rW0, 0)
465	xor		rW1,rD1,rW1
466	SAVE_IV(rW1, 4)
467	xor		rW2,rD2,rW2
468	SAVE_IV(rW2, 8)
469	xor		rW3,rD3,rW3
470	SAVE_IV(rW3, 12)
471	mtctr		rLN
472	subi		rIP,rIP,CTR_DEC
473	subi		rSP,rSP,1
474	subi		rDP,rDP,1
475ppc_crypt_ctr_xorbyte:
476	lbzu		rW4,1(rIP)	/* bytewise xor for partial block	*/
477	lbzu		rW5,1(rSP)
478	xor		rW4,rW4,rW5
479	stbu		rW4,1(rDP)
480	bdnz		ppc_crypt_ctr_xorbyte
481	subf		rIP,rLN,rIP
482	addi		rIP,rIP,1
483	addic		rI3,rI3,1
484	addze		rI2,rI2
485	addze		rI1,rI1
486	addze		rI0,rI0
487ppc_crypt_ctr_end:
488	SAVE_IV(rI0, 0)
489	SAVE_IV(rI1, 4)
490	SAVE_IV(rI2, 8)
491	SAVE_IV(rI3, 12)
492	FINALIZE_CRYPT(4)
493	blr
494
495/*
496 * ppc_encrypt_xts(u8 *out, const u8 *in, u32 *key_enc,
497 *		   u32 rounds, u32 bytes, u8 *iv, u32 *key_twk);
498 *
499 * called from glue layer to encrypt multiple blocks via XTS
500 * If key_twk is given, the initial IV encryption will be
501 * processed too. Round values are AES128 = 4, AES192 = 5,
502 * AES256 = 6
503 *
504 */
505_GLOBAL(ppc_encrypt_xts)
506	INITIALIZE_CRYPT(PPC_AES_4K_ENCTAB, 8)
507	LOAD_IV(rI0, 0)
508	LOAD_IV(rI1, 4)
509	LOAD_IV(rI2, 8)
510	cmpwi		rKT,0
511	LOAD_IV(rI3, 12)
512	bt		eq,ppc_encrypt_xts_notweak
513	mr		rKP,rKT
514	START_KEY(rI0, rI1, rI2, rI3)
515	bl		ppc_encrypt_block
516	xor		rI0,rD0,rW0
517	xor		rI1,rD1,rW1
518	xor		rI2,rD2,rW2
519	xor		rI3,rD3,rW3
520ppc_encrypt_xts_notweak:
521	ENDIAN_SWAP(rG0, rG1, rI0, rI1)
522	ENDIAN_SWAP(rG2, rG3, rI2, rI3)
523ppc_encrypt_xts_loop:
524	LOAD_DATA(rD0, 0)
525	mr		rKP,rKS
526	LOAD_DATA(rD1, 4)
527	subi		rLN,rLN,16
528	LOAD_DATA(rD2, 8)
529	LOAD_DATA(rD3, 12)
530	xor		rD0,rD0,rI0
531	xor		rD1,rD1,rI1
532	xor		rD2,rD2,rI2
533	xor		rD3,rD3,rI3
534	START_KEY(rD0, rD1, rD2, rD3)
535	bl		ppc_encrypt_block
536	xor		rD0,rD0,rW0
537	xor		rD1,rD1,rW1
538	xor		rD2,rD2,rW2
539	xor		rD3,rD3,rW3
540	xor		rD0,rD0,rI0
541	SAVE_DATA(rD0, 0)
542	xor		rD1,rD1,rI1
543	SAVE_DATA(rD1, 4)
544	xor		rD2,rD2,rI2
545	SAVE_DATA(rD2, 8)
546	xor		rD3,rD3,rI3
547	SAVE_DATA(rD3, 12)
548	GF128_MUL(rG0, rG1, rG2, rG3, rW0)
549	ENDIAN_SWAP(rI0, rI1, rG0, rG1)
550	ENDIAN_SWAP(rI2, rI3, rG2, rG3)
551	cmpwi		rLN,0
552	NEXT_BLOCK
553	bt		gt,ppc_encrypt_xts_loop
554	START_IV
555	SAVE_IV(rI0, 0)
556	SAVE_IV(rI1, 4)
557	SAVE_IV(rI2, 8)
558	SAVE_IV(rI3, 12)
559	FINALIZE_CRYPT(8)
560	blr
561
562/*
563 * ppc_decrypt_xts(u8 *out, const u8 *in, u32 *key_dec,
564 *		   u32 rounds, u32 blocks, u8 *iv, u32 *key_twk);
565 *
566 * called from glue layer to decrypt multiple blocks via XTS
567 * If key_twk is given, the initial IV encryption will be
568 * processed too. Round values are AES128 = 4, AES192 = 5,
569 * AES256 = 6
570 *
571 */
572_GLOBAL(ppc_decrypt_xts)
573	INITIALIZE_CRYPT(PPC_AES_4K_DECTAB, 8)
574	LOAD_IV(rI0, 0)
575	addi		rT1,rT0,4096
576	LOAD_IV(rI1, 4)
577	LOAD_IV(rI2, 8)
578	cmpwi		rKT,0
579	LOAD_IV(rI3, 12)
580	bt		eq,ppc_decrypt_xts_notweak
581	subi		rT0,rT0,4096
582	mr		rKP,rKT
583	START_KEY(rI0, rI1, rI2, rI3)
584	bl		ppc_encrypt_block
585	xor		rI0,rD0,rW0
586	xor		rI1,rD1,rW1
587	xor		rI2,rD2,rW2
588	xor		rI3,rD3,rW3
589	addi		rT0,rT0,4096
590ppc_decrypt_xts_notweak:
591	ENDIAN_SWAP(rG0, rG1, rI0, rI1)
592	ENDIAN_SWAP(rG2, rG3, rI2, rI3)
593ppc_decrypt_xts_loop:
594	LOAD_DATA(rD0, 0)
595	mr		rKP,rKS
596	LOAD_DATA(rD1, 4)
597	subi		rLN,rLN,16
598	LOAD_DATA(rD2, 8)
599	LOAD_DATA(rD3, 12)
600	xor		rD0,rD0,rI0
601	xor		rD1,rD1,rI1
602	xor		rD2,rD2,rI2
603	xor		rD3,rD3,rI3
604	START_KEY(rD0, rD1, rD2, rD3)
605	bl		ppc_decrypt_block
606	xor		rD0,rD0,rW0
607	xor		rD1,rD1,rW1
608	xor		rD2,rD2,rW2
609	xor		rD3,rD3,rW3
610	xor		rD0,rD0,rI0
611	SAVE_DATA(rD0, 0)
612	xor		rD1,rD1,rI1
613	SAVE_DATA(rD1, 4)
614	xor		rD2,rD2,rI2
615	SAVE_DATA(rD2, 8)
616	xor		rD3,rD3,rI3
617	SAVE_DATA(rD3, 12)
618	GF128_MUL(rG0, rG1, rG2, rG3, rW0)
619	ENDIAN_SWAP(rI0, rI1, rG0, rG1)
620	ENDIAN_SWAP(rI2, rI3, rG2, rG3)
621	cmpwi		rLN,0
622	NEXT_BLOCK
623	bt		gt,ppc_decrypt_xts_loop
624	START_IV
625	SAVE_IV(rI0, 0)
626	SAVE_IV(rI1, 4)
627	SAVE_IV(rI2, 8)
628	SAVE_IV(rI3, 12)
629	FINALIZE_CRYPT(8)
630	blr
631